Preface 1

Introduction to the CPU 410 2

Configuration of the CPU
410 3
SIMATIC PROFIBUS DP 4
PROFINET IO 5
PCS 7 Process Control System
CPU 410 Process Automation I/O configuration variants 6
System and operating
states of the CPU 410 7
System Manual Link-up and update 8
Special functions of the
CPU 410 9
Time synchronization and
time stamping 10
Plant changes in RUN - CiR 11
Plant changes during
redundant operation - H- 12
CiR
Replacement of failed
components during 13
redundant operation

Synchronization modules 14
System expansion card 15
Technical data 16
Supplementary information 17
Characteristic values of
redundant automation A
systems
Function and
communication modules
that can be used in a B
redundant configuration
Connection examples for
redundant I/Os C
11/2022
A5E31622160-AE
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended or
approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance
are required to ensure that the products operate safely and without any problems. The permissible ambient
conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG A5E31622160-AE Copyright © Siemens AG 2022.

Digital Industries Ⓟ 12/2022 Subject to change All rights reserved
Postfach 48 48
90026 NÜRNBERG
GERMANY
Table of contents

1 Preface ................................................................................................................................................. 11
1.1 Preface .............................................................................................................................. 11
1.2 Security information .......................................................................................................... 14
1.3 Documentation.................................................................................................................. 16
2 Introduction to the CPU 410 ................................................................................................................ 19
2.1 Area of application of the CPU 410 in SIMATIC PCS 7........................................................... 19
2.2 Possible applications .......................................................................................................... 21
2.3 The CPU 410 basic system for stand-alone operation .......................................................... 22
2.4 The basic system for redundant operation .......................................................................... 24
2.5 Rules for H station assembly............................................................................................... 26
2.6 I/O for the CPU 410 ............................................................................................................ 27
2.7 I/O configuration variants of the fault-tolerant system......................................................... 27
2.8 Configuration tools (STEP 7 HW Config, SIMATIC PCS 7) ...................................................... 28
2.9 The SIMATIC PCS 7 project.................................................................................................. 28
2.9.1 Scaling and licensing (scaling concept)............................................................................... 28
3 Configuration of the CPU 410 .............................................................................................................. 31
3.1 Operator controls and indicators on the CPU 410................................................................ 31
3.2 CPU 410 monitoring functions ........................................................................................... 35
3.3 Status and error displays .................................................................................................... 37
3.4 PROFIBUS DP interface (X1)................................................................................................ 41
3.5 PROFINET IO interfaces (X5, X8) ......................................................................................... 41
3.6 Summary of parameters for CPU 410.................................................................................. 44
4 PROFIBUS DP ........................................................................................................................................ 45
4.1 CPU 410 as PROFIBUS DP master ........................................................................................ 45
4.2 Diagnostics of the CPU 410 as PROFIBUS DP master ............................................................ 45
5 PROFINET IO......................................................................................................................................... 47
5.1 Introduction....................................................................................................................... 47
5.2 PROFINET IO systems ......................................................................................................... 48
5.3 Device replacement without exchangeable medium / ES..................................................... 49
6 I/O configuration variants ................................................................................................................... 51
6.1 Stand-alone operation ....................................................................................................... 51

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 3
Table of contents

6.2 Fail-safe operation ............................................................................................................. 54

6.3 Fault-tolerant automation systems (redundancy operation) ................................................ 57
6.3.1 Redundant SIMATIC automation systems ............................................................................ 57
6.3.2 Increase of plant availability, reaction to errors ................................................................... 59
6.4 Introduction to the I/O link to fault-tolerant system............................................................. 61
6.5 Using single-channel switched I/O ...................................................................................... 63
6.6 Versions of I/O connection to the PROFINET IO interface ..................................................... 69
6.6.1 Use of I/O connected to the PROFINET IO interface, system redundancy .............................. 69
6.6.2 Redundant I/O in an ET 200SP HA....................................................................................... 72
6.7 Connection of two-channel I/O to the PROFIBUS DP interface .............................................. 75
6.7.1 Connecting redundant I/O .................................................................................................. 75
6.7.2 Signal modules for redundancy .......................................................................................... 78
6.7.3 Evaluating the passivation status........................................................................................ 92
6.8 Media redundancy ............................................................................................................. 92
7 System and operating states of the CPU 410 ...................................................................................... 95
7.1 CPU 410 operating modes................................................................................................. 95
7.1.1 RUN mode ......................................................................................................................... 95
7.1.2 STOP mode ........................................................................................................................ 96
7.1.3 STARTUP mode .................................................................................................................. 97
7.1.4 HOLD mode ....................................................................................................................... 98
7.1.5 LINK-UP and UPDATE modes ............................................................................................... 98
7.1.6 ERROR-SEARCH mode......................................................................................................... 99
7.1.7 DEFECTIVE state............................................................................................................... 100
7.2 System states of the redundant CPU 410 .......................................................................... 100
7.2.1 Introduction..................................................................................................................... 100
7.2.2 The system states of the fault-tolerant system .................................................................. 104
7.2.3 Displaying and changing the system state of a fault-tolerant system ................................. 104
7.2.4 System status change from the STOP system state ............................................................ 105
7.2.5 System status change from the standalone mode system status ....................................... 105
7.2.6 System status change from the redundant system state.................................................... 106
7.2.7 System diagnostics of a fault-tolerant system ................................................................... 107
7.3 Self-test ........................................................................................................................... 109
7.4 Performing a memory reset.............................................................................................. 112
8 Link-up and update ............................................................................................................................ 113
8.1 Effects of link-up and updating ......................................................................................... 113
8.2 Link-up and update via an ES command ........................................................................... 114
8.3 Time monitoring .............................................................................................................. 114
8.3.1 Time response ................................................................................................................. 117
8.3.2 Determining the monitoring times ................................................................................... 118
8.3.3 Performance values for link-up and update ....................................................................... 124
8.3.4 Influences on time response............................................................................................. 124
8.4 Special features in link-up and update operations ............................................................. 125

CPU 410 Process Automation

4 System Manual, 11/2022, A5E31622160-AE
 Table of contents

9 Special functions of the CPU 410....................................................................................................... 127

9.1 Security functions of the CPU 410 .................................................................................... 127
9.2 Security levels.................................................................................................................. 128
9.3 Security event logging ..................................................................................................... 130
9.4 Field Interface Security..................................................................................................... 132
9.5 Access-protected blocks ................................................................................................... 133
9.6 Retentive load memory .................................................................................................... 134
9.7 Type update with interface change in RUN....................................................................... 135
9.8 Resetting the CPU 410 to delivery condition (reset to factory setting)................................ 136
9.9 Reset during operation .................................................................................................... 137
9.10 Response to fault detection .............................................................................................. 137
9.11 Reading service data ........................................................................................................ 139
9.12 Updating firmware in stand-alone operation..................................................................... 140
9.13 Updating firmware in redundant mode ............................................................................. 142
10 Time synchronization and time stamping ......................................................................................... 145
11 Plant changes in RUN - CiR................................................................................................................. 149
11.1 Motivation for CiR via PROFINET IO ................................................................................... 149
11.2 Permitted changes over PROFINET IO................................................................................ 150
11.3 Procedure for PROFINET IO ............................................................................................... 151
11.3.1 Overview ......................................................................................................................... 151
11.3.2 Add IO devices or I/O modules.......................................................................................... 153
11.3.3 Rebuild hardware when adding an IO device .................................................................... 153
11.3.4 Change process image partition assignment..................................................................... 154
11.3.5 Re-configuring existing I/O modules in IO devices ............................................................. 154
11.3.6 Replacing IO devices or I/O modules ................................................................................. 154
11.4 Re-configuring I/O modules and ports in IO devices........................................................... 155
11.4.1 Requirements for Reconfiguration .................................................................................... 155
11.4.2 I/O module response to re-configuration........................................................................... 155
11.4.3 CPU response during reconfiguration................................................................................ 156
11.4.4 Reconfiguration Procedure ............................................................................................... 157
11.4.4.1 Using a Previously Unused Channel .................................................................................. 157
11.4.4.2 Reconfiguring an already used channel............................................................................. 157
11.4.4.3 Delete an already used channel. ....................................................................................... 159
11.4.4.4 Change the update time................................................................................................... 159
11.5 Motivation for CiR on PROFIBUS DP................................................................................... 159
11.6 Permitted changes over PROFIBUS DP ............................................................................... 160
11.7 CiR objects and CiR modules for PROFIBUS DP .................................................................. 162
11.7.1 Basic Requirements .......................................................................................................... 162
11.7.2 Types of CiR Elements ...................................................................................................... 162
11.7.3 CiR Elements and I/O Address Areas.................................................................................. 163

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 5
Table of contents

11.8 Procedure for PROFIBUS DP .............................................................................................. 164

11.8.1 Basic Procedures in STOP Mode ........................................................................................ 164
11.8.1.1 Overview ......................................................................................................................... 164
11.8.1.2 Defining CiR Elements ...................................................................................................... 166
11.8.1.3 Deleting CiR Elements ...................................................................................................... 168
11.8.2 Basic Procedure in RUN Mode........................................................................................... 169
11.8.2.1 Overview ......................................................................................................................... 169
11.8.2.2 Adding devices or modules .............................................................................................. 170
11.8.2.3 Reconfiguring hardware when adding a device ................................................................. 170
11.8.2.4 change process image partition assignment ..................................................................... 171
11.8.2.5 reconfigure existing modules in ET200M / ET200iSP stations............................................. 171
11.8.2.6 Undo previous changes (Undo function):.......................................................................... 171
11.8.2.7 Replacing devices or modules........................................................................................... 172
11.8.2.8 Using CiR Elements in RUN Mode ..................................................................................... 172
11.8.2.9 Undoing Previous Changes............................................................................................... 175
11.9 Reconfigure existing modules in ET200M / ET200iSP stations ............................................ 176
11.9.1 Requirements for Reconfiguration .................................................................................... 176
11.9.2 Module Response During a Reconfiguration...................................................................... 177
11.9.3 CPU response during reconfiguration................................................................................ 177
11.9.4 Reconfiguration Procedure ............................................................................................... 179
11.9.4.1 Using a Previously Unused Channel .................................................................................. 179
11.9.4.2 Reconfiguring an already used channel............................................................................. 179
11.9.4.3 Delete an already used channel. ....................................................................................... 180
11.10 Notes on Reconfiguration in RUN Mode Depending on the I/O........................................... 181
11.10.1 Modules in IO devices of the type ET 200SP HA................................................................. 181
11.10.2 DP and PA devices ............................................................................................................ 181
11.10.3 Modules in modular devices of type ET 200M ................................................................... 184
11.10.4 Modules in modular devices of type ET 200iSP.................................................................. 185
11.11 Effects on the process when re-configuring in RUN............................................................ 185
11.11.1 Effects on Operating System Functions During the CiR Synchronization Time .................... 185
11.11.2 Behavior of the CPU after download of the configuration in RUN ....................................... 186
11.11.2.1 Overview ......................................................................................................................... 186
11.11.2.2 Error displays ................................................................................................................... 187
12 Plant changes during redundant operation - H-CiR ........................................................................... 189
12.1 The H-CiR wizard.............................................................................................................. 189
12.2 Replacing central components ......................................................................................... 190
12.3 Addition of interface modules .......................................................................................... 191
12.4 Motivation for H-CiR on PROFINET IO ................................................................................ 192
12.5 Permitted changes to PROFINET IO ................................................................................... 194
12.6 Motivation for H-CiR on PROFIBUS DP ............................................................................... 195
12.7 Permissible changes to PROFIBUS DP ................................................................................ 197
12.8 Adding components ........................................................................................................ 198
12.8.1 Adding components ........................................................................................................ 198
12.8.2 Modify hardware ............................................................................................................. 199
12.8.3 Change hardware configuration offline ............................................................................. 200
12.8.4 Opening the H-CiR wizard ................................................................................................ 200

CPU 410 Process Automation

6 System Manual, 11/2022, A5E31622160-AE
 Table of contents

12.8.5 Modify and download the user program ........................................................................... 201

12.8.6 Use of free channels on an existing module...................................................................... 202
12.9 Removal of components................................................................................................... 203
12.9.1 Removal of components................................................................................................... 203
12.9.2 Change hardware configuration offline ............................................................................. 203
12.9.3 Modify and download the user program ........................................................................... 205
12.9.4 Opening the H-CiR wizard ................................................................................................ 205
12.9.5 Modify hardware ............................................................................................................. 207
12.9.6 Removal of interface modules .......................................................................................... 208
12.10 Editing CPU parameters.................................................................................................... 209
12.10.1 Editing CPU parameters.................................................................................................... 209
12.10.2 Changing CPU parameters offline ..................................................................................... 210
12.10.3 Opening the H-CiR wizard ................................................................................................ 211
12.11 Re-parameterization of a module ..................................................................................... 212
12.11.1 Re-configuring a module/PDEV submodule ....................................................................... 212
12.11.2 Editing parameters offline ................................................................................................ 212
12.11.3 Opening the H-CiR wizard ................................................................................................ 213
13 Replacement of failed components during redundant operation..................................................... 215
13.1 Replacement of central components ................................................................................ 215
13.1.1 Replacement of a CPU during redundant operation........................................................... 215
13.1.2 Replacement of a power supply module ........................................................................... 217
13.1.3 Replacement of an input/output module or function module ............................................ 218
13.1.4 Replacement of a communication module........................................................................ 219
13.1.5 Replacement of synchronization module or fiber-optic cable ............................................. 220
13.1.6 Replacement of an IM 460 and IM 461 interface module .................................................. 222
13.2 Replacement of components of the distributed I/O on PROFINET IO................................... 222
13.2.1 Replacement of a PROFINET IO device .............................................................................. 222
13.2.2 Replacement of PROFINET IO cables ................................................................................. 223
13.3 Replacement of components of the distributed I/O on PROFIBUS DP .................................. 224
13.3.1 Replacement of a PROFIBUS DP master ............................................................................. 225
13.3.2 Replacement of a redundant PROFIBUS DP interface module............................................. 226
13.3.3 Replacement of a PROFIBUS DP device.............................................................................. 227
13.3.4 Replacement of PROFIBUS DP cables................................................................................. 228
14 Synchronization modules .................................................................................................................. 229
14.1 Synchronization modules ................................................................................................. 229
14.2 Synchronization modules for the CPU 410. ....................................................................... 229
14.3 Installation of fiber-optic cables ........................................................................................ 233
14.4 Selecting fiber-optic cables ............................................................................................... 235
15 System expansion card ..................................................................................................................... 241
15.1 Variants of the system expansion card .............................................................................. 241
16 Technical data.................................................................................................................................... 243
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0) ...................................... 243
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0).......................................... 254

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 7
Table of contents

16.3 Technical specifications of the system expansion card ....................................................... 264

17 Supplementary information .............................................................................................................. 283
17.1 Supplementary information on PROFIBUS DP.................................................................... 283
17.2 Supplementary information on diagnostics of the CPU 410 as PROFIBUS DP master........... 284
17.3 System status lists for PROFINET IO................................................................................... 286
17.4 Configuring with STEP 7 ................................................................................................... 288
17.4.1 Rules for arranging fault-tolerant station components ...................................................... 288
17.4.2 Configuring hardware ...................................................................................................... 289
17.4.3 Assigning parameters to modules in a fault-tolerant station .............................................. 290
17.4.4 Recommendations for setting CPU parameters, fixed settings............................................ 290
17.4.5 Networking configuration ................................................................................................ 291
17.5 The STEP 7 user program.................................................................................................. 292
17.5.1 The user program ............................................................................................................ 292
17.6 Programming device functions in STEP 7 .......................................................................... 293
17.7 Communication services .................................................................................................. 293
17.7.1 Overview of communication services ............................................................................... 293
17.7.2 PG communication .......................................................................................................... 295
17.7.3 OP communication .......................................................................................................... 295
17.7.4 S7 communication........................................................................................................... 295
17.7.5 S7 routing........................................................................................................................ 297
17.7.6 Data set routing ............................................................................................................... 300
17.7.7 SNMP network protocol.................................................................................................... 302
17.7.8 Open Communication Via Industrial Ethernet ................................................................... 303
17.8 Basics and terminology of fault-tolerant communication .................................................. 306
17.9 Usable networks .............................................................................................................. 310
17.10 Communication via S7 connections.................................................................................. 310
17.10.1 Communication via S7 connections - one-sided mode ...................................................... 312
17.10.2 Communication via redundant S7 connections ................................................................. 315
17.10.3 Communication via point-to-point CP on the ET 200M ...................................................... 316
17.10.4 Custom connection to single-channel systems .................................................................. 318
17.11 Communication via fault-tolerant S7 connections............................................................. 319
17.11.1 Communication between fault-tolerant systems ............................................................... 321
17.11.2 Communication between fault-tolerant systems and a fault-tolerant CPU.......................... 324
17.11.3 Communication between fault-tolerant systems and PCs .................................................. 325
17.12 Consistent data................................................................................................................ 327
17.12.1 Consistency of communication blocks and functions ........................................................ 327
17.12.2 Consistency rules for SFB 14 "GET" or read variable, and SFB 15 "PUT" or write variable...... 328
17.12.3 Consistent reading and writing of data from and to DP standard device/IO device.............. 329
17.13 Link-up and update sequence........................................................................................... 330
17.13.1 Link-up sequence ............................................................................................................. 334
17.13.2 Update sequence ............................................................................................................. 335
17.13.3 Switch to CPU with modified configuration ....................................................................... 338
17.13.4 Disabling of link-up and update ........................................................................................ 339
17.14 The user program ............................................................................................................ 340

CPU 410 Process Automation

8 System Manual, 11/2022, A5E31622160-AE
 Table of contents

17.15 Other options for connecting redundant I/Os .................................................................... 341

17.16 CPU 410 cycle and reaction times..................................................................................... 344
17.16.1 Cycle time........................................................................................................................ 344
17.16.2 Calculating the cycle time ................................................................................................ 346
17.16.3 Cycle load due to communication..................................................................................... 349
17.16.4 Response time ................................................................................................................. 351
17.16.5 Calculating cycle and response times................................................................................ 357
17.16.6 Examples of calculating the cycle and response times ....................................................... 358
17.16.7 Interrupt response time.................................................................................................... 361
17.16.8 Example of calculation of the interrupt response time....................................................... 363
17.16.9 Reproducibility of delay and watchdog interrupts ............................................................. 364
17.17 Runtimes of the FCs and FBs for redundant I/Os ................................................................ 364
A Characteristic values of redundant automation systems .................................................................. 367
A.1 Basic concepts ................................................................................................................. 367
A.2 Comparison of MTBF for selected configurations............................................................... 371
A.2.1 System configurations with redundant CPU 410 ............................................................... 371
A.2.2 System configurations with distributed I/Os ...................................................................... 372
A.2.3 Comparison of system configurations with standard and fault-tolerant communication..... 376
B Function and communication modules that can be used in a redundant configuration .................. 377
C Connection examples for redundant I/Os .......................................................................................... 379
C.1 MTA terminal modules (Marshalled Termination Assemblies) ............................................ 379
C.2 Interconnection of output modules .................................................................................. 379
C.3 8-channel HART analog input MTA.................................................................................... 381
C.4 8-channel HART analog output MTA ................................................................................. 382
C.5 SM 321; DI 16 x DC 24 V, 6ES7 321–1BH02–0AA0............................................................ 383
C.6 SM 321; DI 32 x DC 24 V, 6ES7 321–1BL00–0AA0 ............................................................ 384
C.7 SM 321; DI 16 x AC 120/230V, 6ES7 321–1FH00–0AA0.................................................... 385
C.8 SM 321; DI 8 x AC 120/230 V, 6ES7 321–1FF01–0AA0 ..................................................... 386
C.9 SM 321; DI 16 x DC 24V, 6ES7 321–7BH00–0AB0............................................................. 387
C.10 SM 321; DI 16 x DC 24V, 6ES7 321–7BH01–0AB0............................................................. 388
C.11 SM 326; DO 10 x DC 24V/2A, 6ES7 326–2BF01–0AB0 ...................................................... 389
C.12 SM 326; DI 8 x NAMUR, 6ES7 326–1RF00–0AB0............................................................... 390
C.13 SM 326; DI 24 x DC 24 V, 6ES7 326–1BK00–0AB0 ............................................................ 391
C.14 SM 421; DI 32 x UC 120 V, 6ES7 421–1EL00–0AA0 .......................................................... 392
C.15 SM 421; DI 16 x DC 24 V, 6ES7 421–7BH01–0AB0............................................................ 393
C.16 SM 421; DI 32 x DC 24 V, 6ES7 421–1BL00–0AB0 ............................................................ 394
C.17 SM 421; DI 32 x DC 24 V, 6ES7 421–1BL01–0AB0 ............................................................ 395
C.18 SM 322; DO 8 x DC 24 V/2 A, 6ES7 322–1BF01–0AA0 ...................................................... 396
C.19 SM 322; DO 32 x DC 24 V/0,5 A, 6ES7 322–1BL00–0AA0 ................................................. 397

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 9
Table of contents

C.20 SM 322; DO 8 x AC 230 V/2 A, 6ES7 322–1FF01–0AA0..................................................... 398

C.21 SM 322; DO 4 x DC 24 V/10 mA [EEx ib], 6ES7 322–5SD00–0AB0..................................... 399
C.22 SM 322; DO 4 x DC 15 V/20 mA [EEx ib], 6ES7 322–5RD00–0AB0..................................... 400
C.23 SM 322; DO 8 x DC 24 V/0.5 A, 6ES7 322–8BF00–0AB0.................................................... 401
C.24 SM 322; DO 16 x DC 24 V/0.5 A, 6ES7 322–8BH01–0AB0 ................................................. 402
C.25 SM 332; AO 8 x 12 Bit, 6ES7 332–5HF00–0AB0................................................................ 403
C.26 SM 332; AO 4 x 0/4...20 mA [EEx ib], 6ES7 332–5RD00–0AB0 .......................................... 404
C.27 SM 422; DO 16 x AC 120/230 V/2 A, 6ES7 422–1FH00–0AA0 ........................................... 405
C.28 SM 422; DO 32 x DC 24 V/0.5 A, 6ES7 422–7BL00–0AB0.................................................. 406
C.29 SM 331; AI 4 x 15 Bit [EEx ib]; 6ES7 331–7RD00–0AB0..................................................... 408
C.30 SM 331; AI 8 x 12 Bit, 6ES7 331–7KF02–0AB0 ................................................................. 409
C.31 SM 331; AI 8 x 16 Bit; 6ES7 331–7NF00–0AB0 ................................................................. 410
C.32 SM 331; AI 8 x 16 Bit; 6ES7 331–7NF10–0AB0 ................................................................. 411
C.33 AI 6xTC 16Bit iso, 6ES7331-7PE10-0AB0........................................................................... 412
C.34 SM331; AI 8 x 0/4...20mA HART, 6ES7 331-7TF01-0AB0 ................................................... 413
C.35 SM 332; AO 4 x 12 Bit; 6ES7 332–5HD01–0AB0 ............................................................... 415
C.36 SM332; AO 8 x 0/4...20mA HART, 6ES7 332-8TF01-0AB0 ................................................. 416
Index .................................................................................................................................................. 417

CPU 410 Process Automation

10 System Manual, 11/2022, A5E31622160-AE
Preface 1
1.1 Preface

Purpose of this manual

The information in this manual enables you to look up operator inputs, function descriptions and
technical specifications of the central processing units CPU 410-5H Process Automation and CPU
410E Process Automation.
For information on installing and wiring this and other modules in order to set up an
automation system, refer to Manual Automation System S7-400, Hardware and Installation.

Changes compared with the previous version

Changes compared with the previous version of the SIMATIC PCS 7 Process Control System CPU
410-5H Process Automation manual, Edition 05/2017 (A5E31622159-AC) are as follows:
• Security information updated
• Meaning for "Possible states of the LEDs LINK and RX/TX" updated
• Maximum data length adjusted for each DP station
• Article numbers for connecting I/O devices to the PROFIBUS DP interface extended
• Article numbers of usable DP/PA links for connecting PROFIBUS PA to a redundant system
extended
• Article numbers of usable Y-couplers for connecting a single-channel DP master system to a
redundant system extended
• Procedure for "Change process image partition assignment" updated
• Permitted configuration changes for PROFINET IO updated
• Note on changing the I/O or diagnostic address added.
• List of points to be observed for Cir updated with the ET200SP HA.
• Table in section "Communication via fault-tolerant S7 connections" updated.
• Graphics in the section "Characteristic values of redundant automation systems" updated.
• Table under "Centrally applicable FMs and CPs" in the section "Function and communication
modules that can be used in a redundant configuration" updated.
• PCS 7 System Expansion Card PO 500M added.
• Term "slave" updated to "device".
• Certificates updated.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 11
Preface
1.1 Preface

Scope of the manual

The manual is relevant to the following components:
• CPU 410-5H Process Automation; 6ES7410-5HX08-0AB0 firmware version V8.3 and higher
• CPU 410E Process Automation; 6ES7410-5HM08-0AB0 firmware version V8.3 and higher

Note
CPU 410-5H and CPU 410E
Except for different technical specifications and quantity frameworks, the CPU 410E behaves the
same as a CPU 410-5H. For this reason, the statements made in this manual about a CPU 410
apply to both the CPU 410-5H and the CPU 410E.

Basic knowledge required

This manual requires general knowledge of automation engineering.
Knowledge of the use of computers or PC-like tools such as programming devices with a
Windows operating system is also required. The SIMATIC PCS 7 readme includes information
on which operating system is suitable for your SIMATIC PCS 7 configuration. The CPU 410 is
configured using the SIMATIC PCS 7 software, and you should therefore be familiar with this
software.
In particular when operating a CPU 410 in potentially explosive atmospheres, please always
observe the information on the safety of electronic control systems provided in the appendix
to the Automation System S7-400, Hardware and Installation manual.

Approvals
For details on certifications and standards, refer to Manual S7-400 Automation System, Module
Data, Chapter 1.1, Standards and Certifications. Here you will also find the technical
specification for the entire S7-400.

NOTICE
Markings and approvals
In the documentation, you can find the markings and approvals which are generally possible or
planned in the system.
However, only the label or approval printed on the component is valid.

Online help
You will need the SIMATIC PCS 7 Programming Package V9.0 or higher to work with CPU 410.
In addition to the manual, you will find detailed support on how to use this software in the
software's integrated online help system.

CPU 410 Process Automation

12 System Manual, 11/2022, A5E31622160-AE
 Preface
1.1 Preface

The help system can be accessed using various interfaces:

• The Help menu contains several commands: Contents opens the Help index. You will find
help on fault-tolerant systems in Configuring fault-tolerant systems.
• Using Help provides detailed instructions on using the online help system.
• The context-sensitive help system provides information on the current context, for example,
on an open dialog or active window. You can call this help by clicking "Help" or using the F1
key.
• The status bar provides a further form of context-sensitive help. It shows a short description
of each menu command when you position the mouse pointer over a command.
• A short info text is also shown for the toolbar buttons when you hold the mouse pointer
briefly over a button.
If you prefer to read the information of the online help in printed form, you can print
individual topics, books or the entire help system.

Recycling and disposal

Because it is constructed from environmentally compatible materials, the CPU 410 can be
recycled. For ecologically compatible recycling and disposal of your old device, contact a
certificated disposal service for electronic scrap.

Additional support
If you have any questions relating to the products described in this manual, and do not find the
answers in this documentation, please contact your Siemens partner at our local offices.
You will find information on who to contact at:
Contact partners (https://www.siemens.com/automation/partner)
A guide to the technical documents for the various SIMATIC products and systems is available
at:
Documentation (https://new.siemens.com/global/en/products/automation/process-control/
simatic-pcs-7/technical-documentation.html)
You can find the online catalog and order system under:
Catalog (https://mall.industry.siemens.com/)

Functional Safety Services

Siemens Functional Safety Services is a comprehensive performance package that supports you
in risk assessment and verification all the way to plant commissioning and modernization. We
also offer consulting services for the application of fail-safe and fault-tolerant SIMATIC S7
automation systems.
Additional information is available at:
Functional Safety Services (https://www.siemens.com/processsafety)
Submit your requests to:
Mail Functional Safety Services (mailto:[email protected])

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 13
Preface
1.2 Security information

Training center
We offer a range of courses to help you to get started with the SIMATIC PCS 7 process control
system. Please contact your local training center or the central training center.
Training (https://www.sitrain-learning.siemens.com/)

Technical Support
For technical support of all Industry Automation products, fill in and submit the online Support
Request:
Support Request (https://support.industry.siemens.com/cs/ww/en/my)

Service & Support on the Internet

In addition to our documentation, we offer a comprehensive online knowledge base on the
Internet at:
Service and Support (https://support.industry.siemens.com/cs/ww/en/)
There you will find:
• The newsletter containing the latest information on your products.
• The latest documents via our search function in Service & Support.
• A forum for global information exchange by users and specialists.
• Your local Automation representative.
• Information on field service, repairs and spare parts. Much more can be found under
"Services".

1.2 Security information

Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be connected
to an enterprise network or the internet if and to the extent such a connection is necessary
and only when appropriate security measures (e.g. firewalls and/or network segmentation)
are in place.
For additional information on industrial security measures that may be implemented, please
visit
https://www.siemens.com/industrialsecurity (https://www.siemens.com/industrialsecurity).
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are

CPU 410 Process Automation

14 System Manual, 11/2022, A5E31622160-AE
 Preface
1.2 Security information

available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customer’s exposure
to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under
https://www.siemens.com/cert (https://www.siemens.com/industrialsecurity).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 15
Preface
1.3 Documentation

1.3 Documentation

User documentation
The table below provides an overview of the descriptions of the various components and options
in the S7-400 automation system.

Topic Documentation See also

Setting up an automation sys‐ S7-400, Hardware and Installa‐ S7-400 Automation System Hard‐
tem tion ware and Installation (https://
support.industry.siemens.com/cs/w
w/de/view/1117849)
Data of the standard modules S7-400 Module Data SIMATIC S7-400 S7-400 Automation
of an automation system System Module Data (https://
support.industry.siemens.com/cs/w
w/en/view/109781595)
IM 155-6 PN HA ET 200SP HA Distributed I/O Sys‐ SIMATIC ET 200SP HA Distributed I/O
tem System (https://
support.industry.siemens.com/cs/w
w/en/view/109798410)
IM 152 ET 200iSP Distributed I/O System SIMATIC Distributed I/O System ET
200iSP (https://
support.industry.siemens.com/cs/w
w/de/view/28930789/en)
IM 153-2 ET 200M Distributed I/O Device SIMATIC ET 200M Distributed I/O De‐
IM 153-4 PN vice, HART Analog Modules (https://
support.industry.siemens.com/cs/w
w/en/view/22063748)
IM 157 DP/PA Link and Y Link Bus Links SIMATIC Bus Links DP/PA Coupler, Ac‐
tive Field Distributors, DP/PA Link
and Y Link (https://
support.industry.siemens.com/cs/w
w/de/view/1142696)
IM 153-2 FF FF Link Bus Links SIMATIC Bus Links - FF Link Bus Link
(https://
support.industry.siemens.com/cs/w
w/de/view/47357205/en)
Compact FF Link Compact FF Link Bus Links SIMATIC Bus Link Compact FF Link
(https://
support.industry.siemens.com/cs/w
w/de/view/109739578/en)
Configuring, commissioning, PROFINET IO System Description PROFINET system description
and operation of a PROFINET (https://
IO system support.industry.siemens.com/cs/w
w/en/view/19292127)
Fail-safe systems S7 F/FH Systems SIMATIC Industrial Software S7 F/FH
Configuring and program‐ Systems - Configuring and Program‐
ming fail-safe systems ming (https://
Working with S7 F-Systems support.industry.siemens.com/cs/w
V 6.2 w/de/view/109742100/en)

CPU 410 Process Automation

16 System Manual, 11/2022, A5E31622160-AE
 Preface
1.3 Documentation

Topic Documentation See also

Solution concepts SIMATIC PCS 7 Technical Docu‐ SIMATIC PCS 7 Process Control Sys‐
Function mechanisms mentation tem (http://
Configurations of SIMATIC www.automation.siemenhttps://
PCS 7 support.industry.siemens.com/cs/w
w/en/view/59538371s.com/mcms/
industrial-automation-systems-
simatic/en/handbuchuebersicht/
tech-dok-pcs7/Seiten/Default.aspx)
Configuring hardware Configuring Hardware and Com‐ Configuring Hardware and Commu‐
munication Connections with nication Connections with STEP 7
STEP 7 (https://
support.industry.siemens.com/cs/us
/en/view/109751824)
System Modifications during Modifying the System during Op‐ Modifying the System during Oper‐
Stand-Alone Operation eration via CiR ation via CiR (https://
support.industry.siemens.com/cs/w
w/en/view/14044916)

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 17
Preface
1.3 Documentation

CPU 410 Process Automation

18 System Manual, 11/2022, A5E31622160-AE
Introduction to the CPU 410 2
2.1 Area of application of the CPU 410 in SIMATIC PCS 7

Purpose of redundant automation systems

In practice, redundant automation systems are used to achieve fault-tolerant or fail-safe
systems.

5HGXQGDQWDXWRPDWLRQV\VWHPVIRUH[DPSOH

+LJKO\DYDLODEOHRRV\VWHPV )DLOVDIHRRV\VWHPV
REMHFWLYH5HGXFWLRQRIWKHOLNHOLKRRG REMHFWLYH3URWHFWLRQRIOLIHWKH
RISURGXFWLRQGRZQWLPHXVLQJ HQYLURQPHQWDQGFDSLWDOWKURXJK
SDUDOOHORSHUDWLRQRIWZRV\VWHPV UHOLDEOHVKXWGRZQWRDVDIHLGOH
VWDWH

Figure 2-1 Purpose of redundant automation systems

Please note the difference between fail-tolerant and fail-safe

systems. The AS 410 H is a fault-tolerance automation system. You may only use it for
controlling safety-related processes if you program and configure it in accordance with
the rules for F systems. You can find information on this in following manual: SIMATIC
Industrial Software S7 F/FH Systems (https://support.industry.siemens.com/cs/ww/en/view/
109773062)

Why use fault-tolerant automation systems?

The purpose of fault-tolerance automation systems is to reduce production downtime caused by
faults or by maintenance work.
The greater the costs of downtime, the more worthwhile a fault-tolerant system. The costs
of investing in a fault-tolerant system are generally higher, but are rapidly recovered by the
avoidance of production downtime.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 19
Introduction to the CPU 410
2.1 Area of application of the CPU 410 in SIMATIC PCS 7

SIMATIC PCS 7 and CPU 410-5H Process Automation

SIMATIC PCS 7 uses selected standard hardware and software components from the TIA building
block system for the process control system in the company-wide automation network called
Totally Integrated Automation. It offers an open basis for automation solutions with its
consistent data management, communication and configuration.
You can use SIMATIC PCS 7 to create customized and project-specific solutions tailored to
specific requirements. Further information about these customized solutions can be found in
the configuration manuals.
The CPU 410-5H Process Automation is a controller of the latest generation. This controller
is specifically designed for the SIMATIC PCS 7 control system. As with previous controllers of
the SIMATIC PCS 7 system, the CPU 410-5H Process Automation can be used in all Process
Automation industries. Highly flexible scalability based on SIMATIC PCS 7 process objects
makes it possible to cover the entire performance range from the smallest to the largest
controller in standard, fault-tolerant and fail-safe applications with just one hardware.
You must create a new configuration for use of a CPU 410-5H. The parameters of a CPU
410-5H are set to SIMATIC PCS 7 default values when a new configuration is created. Some
parameters that were previously freely assignable cannot be changed in the CPU 410-5H. You
can apply charts from existing SIMATIC PCS 7 projects.

The SIMATIC PCS 7 project

A SIMATIC PCS 7 project includes the following objects:
• Hardware configuration
• Blocks
• CFCs and SFCs
These objects are always present - regardless of the number of operator stations and
modules and their networking.

SIMATIC PCS 7 applications

You create a SIMATIC PCS 7 project on an engineering station (ES for short). A variety of
applications are available on the ES:
• SIMATIC Manager - the central application of SIMATIC PCS 7. From here, you can open all
other applications in which you need to make settings for the SIMATIC PCS 7 project. You will
set up your entire project from SIMATIC Manager.
• HW Config – configuration of all hardware of a system, e.g., CPUs, power supply,
communications processors.
• CFC editor and SFC editor - creation of continuous function charts (CFC) and sequential
control systems.
• SIMATIC PCS 7 OS in conjunction with various editors - Implementation of OS configuration
Every application has a graphic user interface for easy operation and clear representation of
your configuration data.

CPU 410 Process Automation

20 System Manual, 11/2022, A5E31622160-AE
 Introduction to the CPU 410
2.2 Possible applications

Important information on configuration

WARNING
Open equipment
Risk of death or serious injury.
S7–400 modules are classified as open equipment, meaning you must install the S7–400 in an
enclosure, cabinet, or switch room that can only be accessed by means of a key or tool. Only
instructed or authorized personnel are permitted to access these enclosures, cabinets, or
switch rooms.

Additional information
The components of the standard S7-400 system, e.g., power supplies, I/O modules, CPs, and
FMs, are also used in the high availability S7-400H automation system. For a detailed description
of all hardware components for S7-400, refer to Reference Manual S7-400 Automation System,
Module Data.
For the S7-400H high availability automation system, the same rules apply for planning
the user program and for using blocks as for a standard S7-400 system. Please observe
the descriptions in the Programming with STEP 7 manual and the System Software for
S7-300/400 System and Standard Functions reference manual.

See also
Summary of parameters for CPU 410 (Page 44)

2.2 Possible applications

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 21
Introduction to the CPU 410
2.3 The CPU 410 basic system for stand-alone operation

2.3 The CPU 410 basic system for stand-alone operation

Definition
Stand-alone operation refers to the use of a CPU 410 in a standard SIMATIC-400 station.

Note
Rack number "0" must be set on the CPU.

Hardware of the basic system

The basic system consists of the required hardware components of a controller. The following
figure shows the components in the configuration.
You can expand the basic system with standard S7-400 modules. There are limitations in the
case of function and communication modules. See Appendix Function and communication
modules that can be used in a redundant configuration (Page 377).

5DFN85 %DVLFV\VWHP

36 &38
Figure 2-2 Hardware of the S7-400H basic system

Central controller and expansion units

The rack containing the CPU is called the central controller (CC). The racks in the system that are
equipped with modules and connected to the CC are the expansion units (EU).

Power supply
For the power supply you need a power supply module from the standard S7-400 system
spectrum.
To increase availability of the power supply, you can also use two redundant power supplies.
In this case, you use the power supply modules PS 405 R / PS 407 R.
A combination of these can also be used in redundant configurations (PS 405 R with PS 407
R).

CPU 410 Process Automation

22 System Manual, 11/2022, A5E31622160-AE
 Introduction to the CPU 410
2.3 The CPU 410 basic system for stand-alone operation

Operation
You need a system expansion card for operation of a CPU 410. The system expansion card
specifies the maximum number of process objects that can be loaded to the CPU and saves the
license information in case of a system expansion. The system expansion card forms a hardware
unit with the CPU 410.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 23
Introduction to the CPU 410
2.4 The basic system for redundant operation

2.4 The basic system for redundant operation

Hardware of the basic system

The basic system consists of the hardware components required for a fault-tolerant controller.
The following figure shows the components in the configuration.
The basic system can be expanded with standard modules of the S7-400. There are
restrictions for the function modules and communication processors. See Appendix Function
and communication modules that can be used in a redundant configuration (Page 377).

85+UDFN ILEHURSWLFFDEOHV 6+EDVLFV\VWHP

5DFN 5DFN

V\QFKURQL]DWLRQPRGXOHV

V\VWHPH[SDQVLRQFDUGV
36 &38V
SIEMENS SIEMENS
31396338 XAB

31396338 XAB

653-2CA00-0XB0 653-2CA00-0XB0
SVP JM123456 SVP JM123456
X 2 3 4 5 X 2 3 4 5

SE PO 100 SE PO 100

Figure 2-3 Hardware of the S7-400H basic system

Central processing units

The two CPUs are the heart of the S7-400H. Use the switch on the rear of the CPU to set the rack
numbers. In the following sections, we will refer to the CPU in rack 0 as CPU 0, and to the CPU
in rack 1 as CPU 1.

Rack for S7-400H

The UR2-H rack supports the installation of two separate subsystems with nine slots each, and
is suitable for installation in 19" cabinets.
You can also set up the S7-400H in two separate racks. The racks UR1, UR2, and CR3 are
available for this purpose.

Power supply
You require a power supply module from the standard system range of the S7-400 for each of
the two subsystems of the S7-400H.
To increase availability of the power supply, you can also use two redundant power supplies
in each subsystem. In this case, you use the power supply modules PS 405 R / PS 407 R.
A combination (PS 405 R with PS 407 R) can also be used.

CPU 410 Process Automation

24 System Manual, 11/2022, A5E31622160-AE
 Introduction to the CPU 410
2.4 The basic system for redundant operation

Synchronization modules
The synchronization modules are used to link the two CPUs. They are installed in the CPUs and
interconnected by means of fiber-optic cables.
Two types of synchronization modules are available:
• Synchronization modules for synchronization cables up to 10 meters long
• Synchronization modules for synchronization cables up to 10 kilometers long
You must use 4 synchronization modules of the same type in a fault-tolerant
system. The manual with detailed descriptions of the synchronization modules
can be found in the manual Synchronization modules for S7-400H (https://
support.industry.siemens.com/cs/ww/en/).

Fiber-optic cable
The fiber-optic cables are used to interconnect the synchronization modules for the redundant
link between the two CPUs. They interconnect the upper and lower synchronization modules in
pairs.
You will find the specification of the fiber-optic cables you can use
in an S7-400H in the manual Synchronization modules for S7-400H (https://
support.industry.siemens.com/cs/ww/en/).

Operation
You need a system expansion card for operation of a CPU 410. The system expansion card
specifies the maximum number of process objects that can be loaded to the CPU and saves the
license information in case of a system expansion. The system expansion card forms a hardware
unit with the CPU 410. In redundant operation, each CPU 410 must have a system expansion
card with identical quantity framework and scope of functions.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 25
Introduction to the CPU 410
2.5 Rules for H station assembly

2.5 Rules for H station assembly

The following rules have to be complied with for a fault-tolerant station, in addition to the rules
that generally apply to the arrangement of modules in the S7-400:
• The CPUs have to be inserted in the same slots.
• Redundantly used external CP443-5DX DP master interfaces or communication modules
must be inserted in the same slots in each case.
• External DP master interface modules for redundant DP master systems may only be inserted
in central controllers and not in expansion units.
• Redundantly used CPUs must be identical, which means they must have the same article
number, product version and firmware version. It is not the marking on the front side that is
decisive for the product version, but the revision of the "Hardware" component ("Module
status" dialog mask) to be read using STEP 7.
• Redundantly used other modules must be identical, i.e. they must have the same article
number, product version and - if available - firmware version.
• Two CPU 410-5H must have system expansion cards with the same configuration size and the
same functional scope.

CPU 410 Process Automation

26 System Manual, 11/2022, A5E31622160-AE
 Introduction to the CPU 410
2.7 I/O configuration variants of the fault-tolerant system

2.6 I/O for the CPU 410

You can use SIMATIC S7 input/output modules with the CPU 410. The I/O modules can be used
in the following devices:
• Central controllers
• Expansion units
• Distributed via PROFIBUS DP
• Distributed via PROFINET IO
The function modules (FM) and communication modules (CP) that can be used with CPU
410 are listed in the appendix Function and communication modules that can be used in a
redundant configuration (Page 377).

2.7 I/O configuration variants of the fault-tolerant system

I/O configuration variants

The following configuration variants are available for the input/output modules:
• In stand-alone operation: one-sided configuration.
In the one-sided configuration, there is a single set of the input/output modules (single-
channel) that are addressed by the CPU.
• In redundant operation: Single-channel switched configuration with enhanced availability.
In the single-channel switched distributed configuration, there is a single set of the I/O
modules, but they can be addressed by both subsystems.
• In redundant operation: Dual-channel configuration with maximum availability.
In dual-channel switched configuration, there are two of each of the input/output modules
and the modules can be addressed by both subsystems.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 27
Introduction to the CPU 410
2.9 The SIMATIC PCS 7 project

2.8 Configuration tools (STEP 7 HW Config, SIMATIC PCS 7)

Like S7-400, CPU 410-5H Process Automation is configured with STEP 7 HW Config.
You can find information on limitations for configuring CPUs and the fault-tolerant system in
the STEP 7 HW Config online help.

Optional software
You can use all optional packages available in SIMATIC PCS 7.

2.9 The SIMATIC PCS 7 project

STEP 7
STEP 7 is the core component for configuring the SIMATIC PCS 7 process control system with the
engineering system.
STEP 7 supports the various tasks involved in creating a project with the following project
views:
• Component view (HW Config)
• Process object view
• Technological perspective
The hardware that you need in a SIMATIC project, such as automation systems,
communication components, and process I/O, is stored in an electronic catalog. You
configure this hardware and assign the hardware parameters with HW Config.
You can protect function blocks (FBs) and functions (FCs) against unauthorized access using
the S7 Block Privacy application. You can no longer edit protected blocks in STEP 7. Only the
interfaces of the blocks are then visible.
If you protect blocks with S7 Block Privacy, you may encounter longer download and startup
times.

2.9.1 Scaling and licensing (scaling concept)

License management
License objects are process objects (PO) and their associated runtime licenses (RT-PO). When a
SIMATIC PCS 7 application is created, the SIMATIC PCS 7 system determines the number of POs
that corresponds to the scope of that application.
For productive operation of the SIMATIC PCS 7 application, there must be enough runtime
licenses (AS RT POs) to cover the required number of POs. The system expansion card of the
associated CPU 410-5H must also have at least the same PO count.

CPU 410 Process Automation

28 System Manual, 11/2022, A5E31622160-AE
 Introduction to the CPU 410
2.9 The SIMATIC PCS 7 project

The CPU is scaled by means of the system expansion card, which means the system
expansion card determines the maximum quantity of POs. The CFC counts and manages
the POs used in the application. The number of POs that can be downloaded to the CPU is
limited to the maximum number of POs specified by the system expansion card.

Use of the system expansion card

The number of POs of a CPU 410 is stored on a system expansion card (SEC). You insert the SEC
in a slot on the back of the CPU before commissioning the CPU. The SEC is an essential part of the
CPU hardware. The CPU cannot be operated without an SEC. If no valid SEC is detected, the
corresponding CPU does not start up. A loss of synchronization is triggered in the fault-tolerant
system, in which a start-up block prevents automatic reconnection. You cannot operate two
CPUs 410 redundantly with two different SECs.

Expansion of a PCS 7 project

When you expand a SIMATIC PCS 7 project and load it to the CPU, the system checks whether the
project can run in the CPU with the current number of POs. If this is not the case, you have two
options to expand the number of POs:
• Replacing the system expansion card
• Online with CPU 410 expansion packs.
There are expansion packs with 100 POs and with 500 POs. These can also be combined.

Expanding the number of POs by replacing the SEC

To replace the system expansion card (SEC), you must remove the CPU. You must replace both
SECs for redundant operation. The new SECs must have the same number of POs.

Expanding the number of POs without replacing the SEC

You can expand the number of POs in four steps without replacing the SEC.
Step 1: Order the number CPU 410 expansion packs you need using the regular ordering
process. You can order expansions for 100 POs and 500 POs.
Step 2: Assign the CPU 410 expansion packs to the respective CPU.
Step 3: Activate the expansion.
Step 4: Transfer the release of the expansion to the CPU.
A detailed description of the procedure is available in the PCS 7 process control system,
Service support and diagnostics (V8.1) manual.

Note
This function can only be used to expand the number of POs. You cannot the reduce the number
of POs without replacing the SEC.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 29
Introduction to the CPU 410
2.9 The SIMATIC PCS 7 project

Expansion of the functionality of the CPU

You can activate support for redundant subsystems for the CPU:
• Step 1: Follow the standard ordering procedure to obtain the necessary license.
• Step 2: Assign the license to the relevant CPU.
• Step 3: Activate the expansion.
• Step 4: Transfer the activation of the expansion to the CPU.

CPU 410 Process Automation

30 System Manual, 11/2022, A5E31622160-AE
Configuration of the CPU 410 3
3.1 Operator controls and indicators on the CPU 410

Arrangement of the operator controls and indicators on the CPU 410

0RGXOHGHVLJQDWLRQSURGXFWYHUVLRQ
VKRUWDUWLFOHQXPEHUDQGILUPZDUH &38+

YHUVLRQ
X 2
3 4

+;$%
9

/('GLVSOD\V,17)(;7)5(') ,17)
(;7)
%86)%86)%86),)0) 5(')

,)0)0$,175816723 %86)
%86)
%86)
,)0)
,)0)
0$,17
581
/('GLVSOD\V06755$&.5$&. 6723

0675
5(6(7EXWWRQ 5$&.
5$&.
352),1(7,2LQWHUIDFH;
5(6 /,1./('
5;7;/('
352),%86'3LQWHUIDFH
/,1./('
PROFINET (LAN)
X5 P1 R / P2 R
0$&$'';;;;;;

5;7;/('
6HULDOQXPEHU
/,1.2./(' 0$&DGGUHVV
/,1.2./('
X1
DP
SVPS317696

Link1 OK

6\QFKURQL]DWLRQPRGXOHLQWHUIDFH
Link2 OK
0$&$'';;;;;;

IF1
352),1(7,2LQWHUIDFH;
6\QFKURQL]DWLRQPRGXOHLQWHUIDFH 0$&DGGUHVV
/,1./('
IF2

'DWDPDWUL[FRGH 5;7;/('
X8 P1 R / P2 R

/,1./('
5;7;/('

Figure 3-1 Arrangement of the operator controls and indicators on the CPU 410

LED displays
The following table gives an overview of the available LED displays.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 31
Configuration of the CPU 410
3.1 Operator controls and indicators on the CPU 410

Sections CPU 410 monitoring functions (Page 35) and Status and error displays
(Page 37) describe the states and errors/faults indicated by these LEDs.

Table 3-1 LED displays on the CPUs

LED display Color Meaning

Top bar
INTF red Internal error
EXTF red External error
REDF red Loss of redundancy/Redundancy fault
BUS1F red Bus fault at the PROFIBUS interface
BUS5F red Bus fault at the first PROFINET IO interface
BUS8F red Bus fault at the second PROFINET IO interface
IFM1F red Error in synchronization module 1
IFM2F red Error in synchronization module 2
MAINT yellow Maintenance request pending
RUN green RUN mode
STOP yellow STOP mode
Bottom bar
MSTR yellow CPU controls the process
RACK0 yellow CPU in rack 0
RACK1 yellow CPU in rack 1
For the interfaces
LINK green Connection at the PROFINET IO interface is active
RX/TX orange Receiving or sending data at the PROFINET IO interface.
LINK 1 OK green Connection via synchronization module 1 is active and OK
LINK 2 OK green Connection via synchronization module 2 is active and OK

Reset button
You operate the reset button in the following cases:
• You want to reset the CPU to the factory state, see section Resetting the CPU 410 to delivery
condition (reset to factory setting) (Page 136) 
• You want to reset the CPU during operation, see section Reset during operation (Page 137)
The reset button is on the front of the CPU directly below the LED strip. Press it with a
suitably thin round object.

Slot for synchronization modules

The synchronization modules for redundant operation are inserted in these slots. See
section Synchronization modules (Page 229).

PROFIBUS DP interface
You can connect the distributed I/O to the PROFIBUS DP interface.

CPU 410 Process Automation

32 System Manual, 11/2022, A5E31622160-AE
 Configuration of the CPU 410
3.1 Operator controls and indicators on the CPU 410

PROFINET IO interface
The PROFINET IO interfaces establish the connection to Industrial Ethernet. The PROFINET IO
interfaces also serve as the access point for the engineering system. The PROFINET IO interfaces
feature two switched ports with external connectors (RJ 45). You can find further information on
PROFINET IO in sections PROFINET IO systems (Page 48).
The meaning of the interface labels is as follows:

Label Meaning
X5 P1 R Interface X5, Port 1, ring port possible
X5 P2 R Interface X5, Port 2, ring port possible
X8 P1 R Interface X8, Port 1, ring port possible
X8 P2 R Interface X8, Port 2, ring port possible

When media redundancy is activated, the corresponding port is configured as a ring port.

NOTICE
Connecting only to Ethernet LAN
These interfaces only allow connection to an Ethernet LAN. You cannot connect them to the
public telecommunication network, for example.
You may only connect PROFINET IO-compliant network components to this interface.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 33
Configuration of the CPU 410
3.1 Operator controls and indicators on the CPU 410

Rear of the CPU 410

6ORWIRU
V\VWHPH[SDQVLRQFDUG

6ZLWFKIRUWKH
UDFNQXPEHU

Setting the rack number

Use the switch on the rear panel of the CPU to set the rack number. The switch has two positions:
1 (up) and 0 (down). One CPU is allocated rack number 0, and the partner CPU is assigned rack
number 1. The default setting of all CPUs is rack number 0.

Slot for system expansion card

The back of the CPU has a slot in which you insert the system expansion card (SEC) before
commissioning the CPU. The SEC contains information that specifies the performance class of
the CPU in terms of the amount of POs it supports. The SEC is an essential part of the CPU
hardware. The CPU cannot be operated without an SEC. If an SEC is not detected, the
corresponding CPU goes to STOP and requests a memory reset. "STOP by CPU memory
management" is also entered in the diagnostics buffer.
You need a small screwdriver to remove the SEC. Place the screwdriver at the top of the SEC slot
and lift out the SEC with the screwdriver.

CPU 410 Process Automation

34 System Manual, 11/2022, A5E31622160-AE
 Configuration of the CPU 410
3.2 CPU 410 monitoring functions

3.2 CPU 410 monitoring functions

Monitoring functions and error messages

The hardware of the CPU and operating system provide monitoring functions to ensure proper
operation and defined reactions to errors. Various errors may also trigger a reaction in the user
program.
The table below provides an overview of possible errors and their causes, and the
corresponding responses of the CPU.
Additional test and information functions are available in each CPU; they can be initiated in
STEP 7.

Type of error Cause of error Error LED

Access error Module failure (SM, FM, CP) EXTF
Time error • The user program execution time (OB 1 and all interrupts and INTF
error OBs) exceeds the specified maximum cycle time.
• OB request error
• Overflow of the start information buffer
• Time-of-day error interrupt
Power supply module(s) fault In the central or S7-400 expansion rack EXTF
(not power failure) • at least one backup battery of the power supply module is com‐
pletely discharged.
• the backup battery voltage is missing.
• the 24 V supply to the power supply module has failed.
Diagnostic interrupt An I/O module with interrupt capability reports a diagnostic interrupt EXTF
The synchronization module signals a diagnostic interrupt  
The LED EXTF lights up with the first incoming diagnostic interrupt
and goes out with the outgoing diagnostic interrupt.
Swapping interrupt Removing or inserting a module as well as inserting an incorrect EXTF
module type.
Removing a synchronization module.
Redundancy error • Loss of redundancy on the CPUs REDF
• Redundancy loss/ station failure of a switched DP station
• Failure of a DP master
• Redundancy loss/station failure of a switched IO device
CPU hardware fault • A memory error was detected and eliminated INTF
Program execution error • Priority class is called, but the corresponding OB is not available. INTF
• In the event of an SFB call: Missing or faulty instance DB EXTF
• Process image update error
Failure of a rack/station • Power failure in an S7-400 expansion unit EXTF
• Failure of a DP/PN segment BUSF for PN and DP
• Failure of a coupling segment: Missing or defective IM, interrup‐ REDF for redundant
ted cable segments

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 35
Configuration of the CPU 410
3.2 CPU 410 monitoring functions

Type of error Cause of error Error LED

Communication error Communication error: INTF
• Time synchronization
• Access to DB when exchanging data via communications function
blocks
Execution canceled The execution of a program block was canceled. Possible reasons for INTF
the cancellation are:
• Nesting depth of nesting levels too great
• Nesting depth of master control relay too great
• Nesting depth of synchronization errors too great
• Nesting depth of block call commands (U stack) too great
• Nesting depth of block call commands (B stack) too great
• Error during allocation of local data
Such errors cannot occur with blocks from a SIMATIC PCS 7 library.
Missing license for Runtime The Runtime software could not be completely licensed (internal er‐ INTF
software ror).
Programming error User program error: INTF
• BCD conversion error
• Range length error
• Range error
• Alignment error
• Write error
• Timer number error
• Counter number error
• Block number error
• Block not loaded
Such errors cannot occur with blocks from a SIMATIC PCS 7 library.
MC7 code error Error in the compiled user program, for example, illegal OP code or a INTF
jump beyond the block end
Such errors cannot occur with blocks from a SIMATIC PCS 7 library.

CPU 410 Process Automation

36 System Manual, 11/2022, A5E31622160-AE
 Configuration of the CPU 410
3.3 Status and error displays

3.3 Status and error displays

RUN and STOP LEDs

The RUN and STOP LEDs provide information about the CPU's currently active operating state.

Table 3-2 Possible states of the RUN and STOP LEDs

LED Meaning
RUN STOP  
Lit Dark CPU is in RUN state.
Dark Lit CPU is in STOP state. The user program is not being executed. Cold restart/restart is pos‐
sible.
Flashes Flashes The CPU has detected a serious error that is preventing startup. All other LEDs also flash at
2 Hz 2 Hz 2 Hz.
Flashes Lit HOLD status has been triggered by a test function.
0.5 Hz
Flashes Lit A cold restart/restart was initiated. The cold restart/warm start may take a minute or
2 Hz longer, depending on the length of the called OB. If, after this time, the CPU does not
change to RUN, there may be an error in the system configuration, for example.
Dark Flashes • A high-quality RAM test (self-test) is executed after POWER ON. The duration of the
2 Hz self-test is at least 7 minutes.
• CPU memory reset is active.
Dark Flashes The CPU requests a memory reset.
0.5 Hz
Flashes Flashes • Troubleshooting mode
0.5 Hz 0.5 Hz • Startup (POWER ON) of a CPU on which a large number of blocks is loaded. If encrypted
blocks are loaded, startup may take a longer time depending on the number of such
blocks.
This display also indicates that internal processes are running in the CPU, thereby pre‐
venting any operator input or access to the CPU.
Flashes Flashes The CPU has downloaded another program and is powering up after power on.
0.5 Hz 2 Hz Note that, if necessary, another program and a configuration may be present in the re‐
tentive load memory in the CPU. Ensure that this cannot pose a hazard if the CPU switches
automatically to RUN state. If you have no information about the content of the load
memory, set the CPU to delivery state before powering it up.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 37
Configuration of the CPU 410
3.3 Status and error displays

MSTR, RACK0, and RACK1 LEDs

The three LEDs MSTR, RACK0, and RACK1 provide information about the rack number set on the
CPU and show which CPU controls the switched I/O.

Table 3-3 Possible states of the MSTR, RACK0 and RACK1 LEDs

LED Meaning
MSTR RACK0 RACK1
Lit Irrelevant Irrelevant CPU controls switched I/O
Irrelevant Lit Dark CPU on rack number 0
Irrelevant Dark Lit CPU on rack number 1

INTF and EXTF LEDs

The two INTF and EXTF LEDs provide information about errors and other particular things that
happen during user program execution.

Table 3-4 Possible states of the INTF and EXTF LEDs

LED Meaning
INTF EXTF  
Lit Irrelevant An internal error was detected (programming, parameter assignment, or license
error).
Irrelevant Lit An external error has been detected (i.e. an error not caused by the CPU).

BUS1F, BUS5F, and BUS8F LEDs

The BUS1F, BUS5F and BUS8F LEDs indicate errors associated with the PROFIBUS DP interface
and the PROFINET IO interfaces.

Table 3-5 Possible states of the BUS1F, BUS5F, and BUS8F LEDs

LED Meaning
BUS1F BUS5F BUS8F
Lit Irrelevant Irrelevant An error was detected on the PROFIBUS DP interface X1.
Irrelevant Lit Irrelevant An error was detected on the first PROFINET IO interface X5.
A PROFINET IO system is configured but not connected.
Irrelevant Irrelevant Lit An error was detected on the second PROFINET IO interface X8.
A PROFINET IO system is configured but not connected.
Irrelevant Flashes Irrelevant One or more devices on the first PROFINET IO interface X5 is not responding.
Irrelevant Irrelevant Flashes One or more devices on the second PROFINET IO interface X8 is not responding.
Flashes Irrelevant Irrelevant One or more devices on the PROFIBUS DP interface X1 is not responding.

CPU 410 Process Automation

38 System Manual, 11/2022, A5E31622160-AE
 Configuration of the CPU 410
3.3 Status and error displays

IFM1F and IFM2F LEDs

The IFM1F and IFM2F LEDs indicate errors on the first or second synchronization module.

Table 3-6 Possible states of the IFM1F and IFM2F LEDs

LED Meaning
IFM1F IFM2F  
Lit Irrelevant An error was detected on synchronization module 1.
Irrelevant Lit An error was detected on synchronization module 2

LINK and RX/TX LEDs

The LINK and RX/TX LEDs indicate the current state of the PROFINET IO interfaces.

Table 3-7 Possible states of the LINK and RX/TX LEDs

LED Meaning
LINK RX/TX
Lit Irrelevant Connection at the PROFINET IO interface is active.
 
Irrelevant Flashes Receiving or sending data at the PROFINET IO interface.
If the transmission and reception frequency is high, the LED lights up continuously.

Note
The LINK and RX/TX LEDs are located directly next to the sockets of the PROFINET IO interfaces.
They are not labeled.

REDF LED
The REDF LED indicates specific system states and redundancy errors.

Table 3-8 Possible states of the REDF LED

REDF LED System state Basic requirements

Flashes Link-up -
0.5 Hz
Flashes Update -
2 Hz

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 39
Configuration of the CPU 410
3.3 Status and error displays

REDF LED System state Basic requirements

Dark Redundant (CPUs are redundant) No redundancy error
Lit Redundant (CPUs are redundant) There is an I/O redundancy error:
• Failure of a DP master, or partial or total failure of a DP
master system
• Failure of a PN IO subsystem
• Loss of redundancy at the DP device
• Loss of redundancy at the PN IO device
• Loss of redundancy at the DP device/device failure
• Loss of redundancy at the PN IO device/device failure

LEDs LINK1 OK and LINK2 OK

When commissioning the fault-tolerant system, you can use the LINK1 OK and LINK2 OK LEDs
to check the quality of the connection between the CPUs.

Table 3-9 Possible states of the LINK1 OK and LINK2 OK LEDs

LED LINKx OK Meaning

Lit The connection is OK
Flashes The connection is not reliable, and the signal is disrupted
Check the connectors and cables
Ensure that the fiber-optic cables are installed in accordance with the guidelines in the "Synchro‐
nization modules for S7-400H" manual.
Check whether the synchronization module works in another CPU.
Dark The connection is interrupted, or there is insufficient light intensity
Check the connectors and cables
Ensure that the fiber-optic cables are installed in accordance with the guidelines in the "Synchro‐
nization modules for S7-400H" manual.
Check whether the synchronization module works in another CPU.
If necessary, replace the synchronization module in the other CPU.

LED MAINT
This LED indicates that maintenance is required. Maintenance is required when there are
problems with the synchronization modules or if maintenance is demanded by one of the
PROFINET devices. For more information, refer to the STEP 7 Online Help.
The LED MAINT also displays an error during address assignment of the PROFINET interfaces
X5 or X8.

Diagnostics buffer
In STEP 7, you can select "PLC -> Module Information" to read the cause of an error from the
diagnostics buffer.

CPU 410 Process Automation

40 System Manual, 11/2022, A5E31622160-AE
 Configuration of the CPU 410
3.5 PROFINET IO interfaces (X5, X8)

3.4 PROFIBUS DP interface (X1)

Connectable devices
The PROFIBUS DP interface can be used to set up a PROFIBUS master system, or to connect
PROFIBUS I/O devices.
All DP devices that conform to the standard can be connected to the PROFIBUS DP interface.
You can connect PROFIBUS DP I/O to the PROFIBUS DP interface as redundant or single-
channel switched I/O.
In this case, the CPU is the DP master, which is connected to the passive device stations or, in
stand-alone operation, to other DP masters via the PROFIBUS DP fieldbus.
Some of the devices that can be connected draw 24 V from the interface for their power
supply. This voltage is provided as non-isolated voltage at the PROFIBUS DP interface.

Connectors
Use only PROFIBUS DP bus connectors or PROFIBUS cables for connecting devices to the
PROFIBUS DP interface (see installation manual).

Redundant operation
The PROFIBUS DP interfaces have the same baud rate and the same operating mode in
redundant operation.

3.5 PROFINET IO interfaces (X5, X8)

Assigning an IP address
You assign an IP address to an Ethernet interface in the CPU properties using HW Config.
Download the modified configuration to the CPU. The IP address is valid for the duration of the
project.
For technical reasons, the two interfaces X5/X8 must be located in different IP subnets.

Devices that can be connected via PROFINET IO (PN)

• SIMATIC PCS 7 ES/OS with Ethernet network card or CP16xx communications processor
• Active network components, e.g., Scalance X200
• S7-300/S7-400, e.g., CPU 417-5H or communication processor CP443-1
• PROFINET IO devices, e.g. ET 200SP HA or ET 200M

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 41
Configuration of the CPU 410
3.5 PROFINET IO interfaces (X5, X8)

Connectors
The PROFINET interfaces are implemented as Ethernet RJ45 interfaces. Always use RJ45
connectors to hook up devices to a PROFINET interface.

Properties of the PROFINET IO interfaces

Protocols and communication functions

PROFINET IO  
According to IEC 61784-2 Conformance Class A und B
Open block communication over • TCP
• UDP
• ISO-on-TCP
S7 communication Yes
PG functions Yes
Port statistics of PN IO devices (SNMP) Yes
Detection of the network topology (LLDP) Yes
Media redundancy (MRP) Yes
Time synchronization in NTP method as client Yes
Time synchronization in SIMATIC method Yes
Time synchronization in pTCP method Yes

You can find further information about the properties of the PROFINET IO interfaces in the
technical specifications of the CPUs in section Technical data (Page 243).

Connection per interface

Version 2 x RJ45
  Switch with 2 ports
Media Twisted pair Cat5
Transmission rate 10/100 Mbps
  Autosensing
Autocrossing
Autonegotiation

CPU 410 Process Automation

42 System Manual, 11/2022, A5E31622160-AE
 Configuration of the CPU 410
3.5 PROFINET IO interfaces (X5, X8)

Note
Networking of PROFINET IO components
The PROFINET IO interfaces of our devices are set to "automatic setting" (autonegotiation) by
default. Verify that all devices connected to the PROFINET IO interface of the CPU are also set to
the "Autonegotiation" mode. This is the default setting of standard PROFINET IO/Ethernet
components.
If you connect a device to a PROFINET IO interface of the CPU that does not support the
"automatic setting" (Autonegotiation) operating mode or you choose a setting other than the
"automatic setting" (Autonegotiation) for this device, note the following:
• PROFINET IO requires 100 Mbps full-duplex operation, which means if the PROFINET IO
interface of the CPU is used simultaneously for PROFINET IO communication and Ethernet
communication, operation of the PROFINET IO interface is permissible only in 100 Mbps full-
duplex mode.
• If an PROFINET IO interface of the CPU is used for Ethernet communication only, 100 Mbps
full-duplex mode is possible.
Background: If a switch that is permanently set to "10 Mbps half-duplex" is connected to an
interface of the CPU, the "Autonegotiation" setting forces the CPU to adapt itself to the settings
of the partner device, which means the communication operates de facto at "10 Mbps half-
duplex". This is permitted for an Ethernet communication. But because PROFINET IO demands
operation at 100 Mbps full-duplex, this would not be a long-term option to address IO devices.

Reference
• For details about PROFINET, refer to PROFINET System Description (https://
support.industry.siemens.com/cs/ww/en/view/19292127)
• For detailed information about Ethernet networks, network configuration and network
components refer to SIMATIC NET Manual: Twisted-Pair and Fiber-Optic Networks (https://
support.industry.siemens.com/cs/ww/en/view/8763736).
• For additional information about PROFINET IO, refer to: PROFINET (https://
www.profibus.com/)

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 43
Configuration of the CPU 410
3.6 Summary of parameters for CPU 410

3.6 Summary of parameters for CPU 410

Default values
All parameters are set to factory defaults. These defaults are suitable for a wide range of
standard applications and can be used to operate the CPU 410 directly without having to make
any additional settings.
You can define the defaults using the "Configuring Hardware" tool in STEP 7.

Parameter blocks
The responses and properties of the CPU are defined in parameters. The CPU 410 has a defined
default setting. You can modify this default setting by editing the parameters in the hardware
configuration.
The list below provides an overview of the assignable system properties of the CPUs.
• General properties such as the CPU name
• Watchdog interrupts, e.g., priority, interval duration
• Diagnostics/clock, e.g., time-of-day synchronization
• Security levels
• H parameters, e.g., duration of a test cycle
• Startup, for example, times for completed message from modules and transfer of parameters
to modules

Parameter assignment tool

You can set the individual CPU parameters using "Configuring hardware" in STEP 7. For additional
information, see I/O configuration variants (Page 51).

Further settings
• The rack number of a CPU 410, 0 or 1
Use the selector switch on the rear panel of the CPU to change the rack number.
• The operating mode of a CPU 410, stand-alone operation or redundant operation
You set the operating mode by configuring a SIMATIC 400 station (stand-alone operation) or
a SIMATIC H station in HW Config.

CPU 410 Process Automation

44 System Manual, 11/2022, A5E31622160-AE
PROFIBUS DP 4
4.1 CPU 410 as PROFIBUS DP master

Startup of the DP master system

You use the following parameters to set startup monitoring of the DP master:
• Ready message from module
• Transfer of parameters to modules
This means that the DP devices must start up and be configured by the CPU (as DP master)
within the set time.

PROFIBUS address of the DP master

PROFIBUS addresses 0 to 126 are permissible.

Output and input data length

The maximum output or input data length you can use for each DP station is 244 bytes.

4.2 Diagnostics of the CPU 410 as PROFIBUS DP master

Diagnostics using LED displays

The following table explains the meaning of the BUS1F LED.

Table 4-1 Meaning of the "BUSF" LED of the CPU 410 as DP master

BUS1F Meaning Remedy

Off Configuration correct; -
all configured devices are addressable
Lit • Bus fault (physical fault) • Check whether the bus cable has shorted.
• DP interface fault • Analyze the diagnostic data. Reconfigure or correct the
• Different baud rates in multi-DP master oper‐ configuration.
ation (only in stand-alone operation)
Flashes • Station failure • Check whether the bus cable is connected to the CPU 410
• At least one of the assigned devices cannot be or the bus is interrupted.
addressed • Wait until the CPU 410 has started up. If the LED continues
to flash, check the DP devices. If possible, evaluate the
diagnostics of the DP devices via direct access over the bus.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 45
PROFIBUS DP
4.2 Diagnostics of the CPU 410 as PROFIBUS DP master

Diagnostic addresses for the DP master

You assign diagnostic addresses for PROFIBUS DP for the CPU 410.
When configuring the DP master, you specify a diagnostic address for the DP device in the
associated project of the DP master.
The DP master uses this diagnostic address to obtain information about the status of the DP
device or a bus interruption.

CPU 410 Process Automation

46 System Manual, 11/2022, A5E31622160-AE
PROFINET IO 5
5.1 Introduction

What is PROFINET IO?

PROFINET IO is the open, cross-vendor Industrial Ethernet standard for automation. It enables
continuous communication from the business management level down to the field level.
PROFINET IO is based on switched Ethernet with full duplex mode and a bandwidth of 100 Mbps.
With PROFINET IO a switching technology is implemented that allows all stations to access
the network at any time. As a result, the network can be utilized more efficiently through
simultaneous data transmission of multiple nodes. Simultaneous sending and receiving is
enabled through the full-duplex operation of Switched Ethernet.
In PROFINET IO communication, a portion of the transmission time is reserved for cyclic,
deterministic data transmission (real-time communication). This allows you to split the
communication cycle into a deterministic and an open part. Communication takes place
in real-time.

RT communication (real-time communication)

RT communication is the basic communication mechanism for PROFINET IO and is used during
device monitoring. The transmission of real-time data with PROFINET IO is based on the cyclic
data exchange with a provider-consumer model. To better scale the communication options and
therefor the determinism for PROFINET IO, real-time classes have been defined for data
exchange. These are unsynchronized and synchronized communication. The details are handled
independently in the field devices. Real-time automatically includes an increase in priority with
PROFINET compared to UDP/IP frames. This is necessary to prioritize the transmission of data in
the switches so that RT frames are not delayed by UDP/IP frames.

Documentation on the Internet

Comprehensive information about PROFINET (https://www.profibus.com/) is available on the
Internet.
Also observe the following documents:
• Installation guideline
• Assembly guideline
• PROFINET_Guideline_Assembly
Additional information on the use of PROFINET IO in automation engineering is available
at the following Internet address (https://new.siemens.com/global/en/products/automation/
industrial-communication/profinet.html).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 47
PROFINET IO
5.2 PROFINET IO systems

5.2 PROFINET IO systems

Functions of PROFINET IO
The following graphic shows the new functions in PROFINET IO:

3&

5RXWHU (6 (6

6ZLWFK

352),1(7,26\VWHP
ZLWKV\VWHPUHGXQGDQF\ 352),1(7,26\VWHP

6ZLWFK 6ZLWFK 6ZLWFK

+V\VWHP
Y
,(3%OLQN

2 3 1 6 10
10
(76
'3'HYLFH

&38
 4
31'3

(763+$
(763+$

(763+$ 5

9 7 8

2QHVLGHG,2 6\VWHPUHGXQGDQF\

The graphic shows Examples of connection paths

The connection of company You can access devices at the field level from PCs in your company network
network and field level • Example:
PC - Firewall - Switch 1 - Router - Switch 2 - Switch 3 - CPU 410 ①.
Connections between the You can also access one of the other areas of the Industrial Ethernet from an ES on the field level.
automation system and field Example:
level
• ES - Integrated switch 3 - Switch 2 - Switch 4 - CPU 410 ③.

CPU 410 Process Automation

48 System Manual, 11/2022, A5E31622160-AE
 PROFINET IO
5.3 Device replacement without exchangeable medium / ES

The graphic shows Examples of connection paths

The IO controller of CPU At this point, you see the IO features between the IO controller, intelligent device, and the
410 ① spans IO device(s) on Industrial Ethernet:
PROFINET IO system 1 and • The CPU 410 ① is the IO controller for the following components:
directly controls devices on
the Industrial Ethernet and – for the ET 200SP HA I/O device ⑤
PROFIBUS. – for switch 3
– for the I device CPU 317-2 PN/DP ④
– for the IE/PB link ⑥
• The IE/PB link is the master for the DP device ⑩ and represents it as a device ⑩ on PROFINET
IO.
The fault-tolerant system, The fault-tolerant system, consisting of CPU 410 ② + ③, spans the PROFINET IO controller
consisting of CPU 410 system 2 as IO controller. This IO controller operates IO devices in system redundancy as well as
② + ③, spans the PROFI‐ a one-sided IO device.
NET IO system 2 as IO con‐ Here, you can see that a fault-tolerant system can operate both system-redundant IO devices
troller. and one-sided IO devices:
This IO controller operates IO
• The fault-tolerant system with its two IO controllers in rack 0 and rack 1 provides the IO
devices in system redundan‐
cy as well as a one-sided IO controller for both system-redundant IO devices ET 200 ⑦ + ⑧ and for the one-sided IO
device. device ⑨.

Further information
You will find further information about PROFINET IO in the documents listed below:
• In manual PROFINET system description (https://support.industry.siemens.com/cs/ww/en/
view/19292127)
• In Programming Manual Migration from PROFIBUS DP to PROFINET IO (https://
support.industry.siemens.com/cs/ww/en/view/19289930)

5.3 Device replacement without exchangeable medium / ES

IO devices having this function can be replaced in a simple manner:
• No exchangeable medium with stored device name is required. The name that you assigned
for the IO device in HW Config applies.
• The PROFINET IO topology must be configured in HW Config for this.
• The "Support device replacement without exchangeable medium" option must be selected
on the interface of the IO controller.
• The device name does not have to be assigned with the ES.
The replacement IO device receives the device name from the IO controller. The IO controller
uses the configured topology and the relations determined by the IO devices. The configured
target topology must match the actual topology.
Before reusing IO devices that you already had in operation, reset these to factory settings.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 49
PROFINET IO
5.3 Device replacement without exchangeable medium / ES

Additional information
For additional information, refer to the STEP 7 Online Help and to the PROFINET System
Description (https://support.industry.siemens.com/cs/ww/en/view/19292127) manual.

CPU 410 Process Automation

50 System Manual, 11/2022, A5E31622160-AE
I/O configuration variants 6
6.1 Stand-alone operation

Overview
This section provides information needed for stand-alone operation of the CPU 410. You will
learn:
• how stand-alone operation is defined
• when stand-alone operation is required
• what you have to take into account for stand-alone operation
• how the fault tolerance-specific LEDs react in stand-alone operation
• how you configure a CPU 410 for stand-alone operation
• how you can expand a CPU 410 into a fault-tolerant system
• which system modifications are possible during stand-alone operation and which hardware
requirements must be met

Definition
Stand-alone operation is the use of a CPU 410 in a standard SIMATIC-400 station.

Reasons for stand-alone operation

• No requirements for increased availability
• Use of fault-tolerant communication connections
• Configuration of the S7-400F fail-safe automation system
Note
The self-test is an integral component of the F-concept of the CPU 410 and is also performed
in stand-alone operation.

What you must observe for stand-alone operation of a CPU 410

Observe the following for stand-alone operation of a CPU 410:
• No synchronization modules are permitted to be inserted in stand-alone operation of a CPU
410.
• The rack number must be set to "0".

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 51
I/O configuration variants
6.1 Stand-alone operation

Note the different procedures described below for any system change during operation:

Table 6-1 System modifications during operation

CPU 410 in stand-alone operation CPU 410 in redundant system state

As described in Plant changes in RUN - CiR (Page 149). As described in section Plant changes during redundant oper‐
ation - H-CiR (Page 189) for redundant operation.

Fault tolerance-specific LEDs

The REDF, IFM1F, IFM2F, MSTR, RACK0 and RACK1 LEDs show the reaction specified in the table
below in stand-alone operation.

LED Behavior
REDF Dark
IFM1F Dark
IFM2F Dark
MSTR Lit
RACK0 Lit
RACK1 Dark

Configuring stand-alone operation

Requirement: No synchronization module is permitted to be inserted in the CPU 410.
Procedure:
1. Insert the CPU 410 in a standard rack (Insert > Station > SIMATIC 400 Station in SIMATIC
Manager).
2. Configure the station with the CPU 410 corresponding to your hardware configuration.
3. Assign the parameters of the CPU 410. Use the default values, or customize the necessary
parameters.
4. Configure the necessary networks and connections. For stand-alone operation, you can also
configure "fault-tolerant S7 connections".
For help on procedure refer to the Help topics in SIMATIC Manager.

Expanding the configuration to a fault-tolerant system

Note
You can only expand your system to a fault-tolerant system if you have not assigned any odd
numbers to expansion units in stand-alone operation.

CPU 410 Process Automation

52 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.1 Stand-alone operation

If you later want to expand the CPU 410 to a fault-tolerant system, proceed as follows:
1. Open a new project and insert a fault-tolerant station.
2. Copy the entire rack from the standard SIMATIC-400 station and insert it twice into the fault-
tolerant station.
3. Insert the required subnets and IO devices.
4. Copy the DP devices from the old stand-alone operation project to the H-station as required.
5. Reconfigure the communication connections.
6. Carry out all changes required, such as the insertion of one-sided I/O.
For information on how to configure the project, refer to the online help.

Changing the operating mode of a CPU 410

To change the operating mode of a CPU 410, you proceed differently depending on which
operating mode you want to change to and which rack number was configured for the CPU:
Change from stand-alone to redundant operation, rack number 0
1. Insert the synchronization modules into the CPU.
2. Carry out a CPU memory reset or load a project to the CPU in which the CPU is configured for
redundant operation.
3. Insert the synchronization cables into the synchronization modules.
Change from stand-alone mode to redundant operation, rack number 1
1. Set rack number 1 on the CPU.
2. Install the CPU.
3. Carry out a CPU memory reset.
4. Insert the synchronization modules into the CPU.
5. Insert the synchronization cables into the synchronization modules.
Changing from redundant to stand-alone operation
1. Remove the CPU.
2. Remove the synchronization modules.
3. Set rack number 0 on the CPU.
4. Install the CPU.
5. Download a project to the CPU in which the CPU is configured for stand-alone operation.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 53
I/O configuration variants
6.2 Fail-safe operation

6.2 Fail-safe operation

Ensuring functional safety

A safety-related system encompasses sensors for signal acquisition, an evaluation unit for
processing the signals, and actuators for signal output.

Sensor Evaluation unit Actuator

Figure 6-1 Processing chain: acquire, process, output

All of the components contribute to the functional safety of the system, in order, when a
dangerous event occurs, to put the system into a safe state or to keep it in a safe state.

Safety of fail-safe SIMATIC Safety Integrated systems

For SIMATIC Safety Integrated systems, the evaluation unit consists, for example, of fail-safe
single-channel CPUs and fail-safe dual-channel I/O modules. The fail-safe communications
take place via the safety-related PROFIsafe profile.

Functions of a fail-safe CPU

A fail-safe CPU has the following functions:
• Comprehensive self-tests and self-diagnostics check the fail-safe state of the CPU.
• Simultaneous execution of standard and safety programs on one CPU. When there are
changes to the standard user program, there are no unwanted effects on the safety program.

S7 F/FH Systems
The S7 F Systems optional package adds security functions to the CPU 410.
The current TÜV certificates are available on the Internet: TÜV certificates (https://
support.industry.siemens.com/cs/ww/en/) under "Product Support".

Fail-safe I/O modules (F-modules)

F-modules have all of the required hardware and software components for safe processing
in accordance with the required safety class. This includes wire tests for short-circuit and
cross-circuit. You only program the user safety functions.
Safety-related input and output signals form the interface to the process. This enables, for
example, direct connection of single-channel and two-channel I/O signals from devices such
as EMERGENCY STOP buttons or light barriers.

Safety-related communication with PROFIsafe profile

PROFIsafe was the first communication standard according to the IEC 61508 safety standard
that permits both standard and safety-related communication on one bus line. This not only
results in an enormous savings potential with regard to cabling and part variety, but also the
advantage of retrofit ability.

CPU 410 Process Automation

54 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.2 Fail-safe operation

Safety- Safety-
Standard Standard
related data related data
data data

PROFIsafe PROFIsafe
layer Laler

Standard Standard Black

bus protocol bus protocol channel

- PROFIBUS DP
- PROFINET IO

PROFIBUS DP
or
PROFINET IO

Figure 6-2 Safety-related communication

Safety-related and standard data are transmitted with PROFIsafe over the same bus
line. Black channel means that collision-free communication via a bus system with media-
independent network components (also wireless) is possible.
PROFIsafe is an open solution for safety-related communication via standard fieldbuses.
Numerous manufacturers of safety components and end users of safety technology have
helped to develop this vendor-neutral and open standard for PROFIBUS International (PI).
The PROFIsafe profile supports safe communication for the open PROFIBUS and PROFINET
standard buses. An IE/PB Link ensures integrated, safety-related communication between
PROFIBUS DP and PROFINET IO.
PROFIsafe is is certified to IEC 61784-3 and meets the highest requirements for the
manufacturing and process industry.
PROFIBUS is the global standard for fieldbuses with approximately 13 million installed nodes.
Its market acceptance is so high because a large number of manufacturers offer many
products for PROFIBUS. With the PA transmission variant (IEC 1158-2), PROFIBUS extends the
unified system concept of distributed automation to the process world.
PROFINET IO is the innovative and open Industrial Ethernet standard for automation. It
enables fast reaction times and transmission of large data quantities.
PROFIsafe uses the PROFIBUS or PROFINET IO services for safe communication. A fail-safe
CPU 410 and the fail-safe I/O exchange both user data as well as status and control
information; no additional hardware is required for this.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 55
I/O configuration variants
6.2 Fail-safe operation

PROFIsafe takes the following measures to counteract the various possible errors when
transferring messages.

Table 6-2 Measures in PROFIsafe for error avoidance

Measure/ Consecutive number Time expectation Identifier for sender Data backup CRC
Error with acknowledg‐ and receiver
ment
Repetition ✓      
Loss ✓ ✓    
Insertion ✓ ✓ ✓  
Incorrect sequence ✓      
Data falsification       ✓
Delay   ✓    
Coupling of safety-rela‐   ✓ ✓ ✓
ted messages and stand‐
ard messages (masquer‐
ade)
FIFO errors (first-in-first-   ✓    
out data register for
maintaining the se‐
quence)

See also
S7 F Systems optional package (https://support.industry.siemens.com/cs/us/en/view/
109773062)

CPU 410 Process Automation

56 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.3 Fault-tolerant automation systems (redundancy operation)

6.3 Fault-tolerant automation systems (redundancy operation)

6.3.1 Redundant SIMATIC automation systems

Operating objectives of redundant automation systems

Redundant automation systems are used in practice with the aim of achieving a higher degree
of availability or fault tolerance.

5HGXQGDQWDXWRPDWLRQV\VWHPVHJ

)DXOWWROHUDQWRXWRIV\VWHPV )DLOVDIHRXWRIV\VWHPV
2EMHFWLYH5HGXFHGULVNRISURGXF 2EMHFWLYH3URWHFWOLIHWKH
WLRQORVVE\PHDQVRISDUDOOHO HQYLURQPHQWDQGLQYHVWPHQWVE\
RSHUDWLRQRIWZRV\VWHPV VDIHO\GLVFRQQHFWLQJWRDVHFXUH
RIISRVLWLRQ

Figure 6-3 Operating objectives of redundant automation systems

Note the difference between fault-tolerant and fail-safe systems.

The S7-400H is a fault-tolerant automation system. You may only use the S7-400H
to control safety-related processes if you have programmed it and assigned its
parameters in accordance with the rules for F-systems. You can find information
on this in following manual: SIMATIC Industrial Software S7 F/FH Systems (https://
support.industry.siemens.com/cs/ww/en/view/109773062)

Why fault-tolerant automation systems?

The purpose of using fault-tolerant automation systems is to reduce production downtimes,
regardless of whether the failures are caused by an error/fault or are due to maintenance work.
The higher the costs of production stops, the greater the need to use a fault-tolerant system.
The generally higher investment costs of fault-tolerant systems are soon recovered since
production stops are avoided.

Redundant I/O
Input/output modules are termed redundant when they exist twice and they are configured and
operated as redundant pairs. The use of redundant I/O provides the highest degree of
availability, because the system tolerates the failure of a CPU or of a signal module.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 57
I/O configuration variants
6.3 Fault-tolerant automation systems (redundancy operation)

Single-channel switched I/O

In single-channel switched configuration, there is one of each of the input/output modules. In
redundant operation, these modules can addressed by both subsystems. The single-channel
switched I/O configuration is recommended for system components which tolerate the failure
of individual modules.

See also
Connection of two-channel I/O to the PROFIBUS DP interface (Page 75)

CPU 410 Process Automation

58 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.3 Fault-tolerant automation systems (redundancy operation)

6.3.2 Increase of plant availability, reaction to errors

System-wide integration
The CPU 410 and all other SIMATIC components, such as the SIMATIC PCS 7 control system, are
matched to one another. The system-wide integration, ranging from the control room to the
sensors and actuators, is implemented as a matter of course and ensures maximum system
performance.

Graduated availability by duplicating components

The redundant structure of the S7-400H ensures requirements to reliability at all times. This
means: all essential components are duplicated.
This redundant structure includes the CPU, the power supply, and the hardware for linking
the two CPUs.
You yourself decide on any other components you want to duplicate to increase availability
depending on the specific process you are automating.

Redundancy nodes
Redundant nodes represent the fail safety of systems with redundant components. A redundant
node can be considered as independent when the failure of a component within the node does
not result in reliability constraints in other nodes or in the overall system.
The availability of the overall system can be illustrated simply in a block diagram. With
a 1-out-of-2 system, one component of the redundant node may fail without impairing
the operability of the overall system. The weakest link in the chain of redundant nodes
determines the availability of the overall system

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 59
I/O configuration variants
6.3 Fault-tolerant automation systems (redundancy operation)

No fault

5HGXQGDQW,2
)DXOWWROHUDQWV\VWHP (70

&3 &38 &3 %XV ,0 60

&3 &38 &3 %XV ,0 60

)DXOWWROHUDQWV\VWHP (763+$

&38 %XV ,0
60
60
&38 %XV ,0

6ZLWFKHG,2
)DXOWWROHUDQWV\VWHP (70

&3 &38 &3 %XV ,0

60
&3 &38 &3 %XV ,0

Figure 6-4 Example of redundancy in a network without error

With error/fault
The following figure shows how a component may fail without impairing the functionality of
the overall system.

5HGXQGDQW,2
)DXOWWROHUDQWV\VWHP (70

&3 &38 &3 %XV ,0 60

&3 &38 &3 %XV ,0 60

)DXOWWROHUDQWV\VWHP (763+$

&38 %XV ,0
60
60
&38 %XV ,0

6ZLWFKHG,2
)DXOWWROHUDQWV\VWHP (70

&3 &38 &3 %XV ,0

60
&3 &38 &3 %XV ,0

Figure 6-5 Example of redundancy in a 1-out-of-2 system with error

CPU 410 Process Automation

60 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.4 Introduction to the I/O link to fault-tolerant system

Failure of a redundant node (total failure)

The following figure shows that the overall system is no longer operable, because both
subunits have failed in a 1-out-of-2 redundancy node (total failure).

5HGXQGDQW,2
)DXOWWROHUDQWV\VWHP (70

&3 &38 &3 %XV ,0 60

&3 &38 &3 %XV ,0 60

)DXOWWROHUDQWV\VWHP (763+$

&38 %XV ,0
60
60
&38 %XV ,0

6ZLWFKHG,2
)DXOWWROHUDQWV\VWHP (70

&3 &38 &3 %XV ,0

60
&3 &38 &3 %XV ,0

Figure 6-6 Example of redundancy in a 1-out-of-2 system with total failure

6.4 Introduction to the I/O link to fault-tolerant system

I/O installation types

In addition to the power supply module and CPUs, which are always redundant, the operating
system supports the following I/O installation types. You specify the I/O installation types when
configuring in HW Config.

Configuration Availability
Fault-tolerant PROFINET IO (S2 with system redundancy) or Enhanced
switched I/O
Redundant PROFINET IO (R1 with system redundancy) or Enhanced
switched I/O
Redundant I/O High

Note
IO redundancy
The term IO redundancy is also used for the connection of a redundant I/O to PROFINET IO

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 61
I/O configuration variants
6.4 Introduction to the I/O link to fault-tolerant system

Addressing
If you are using an I/O in a system-redundant configuration, you always use the same address
when addressing the I/O.

CPU 410 Process Automation

62 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.5 Using single-channel switched I/O

6.5 Using single-channel switched I/O

What is single-channel switched I/O?

In single-channel switched configuration, there is one of each of the input/output modules.
In redundant operation, these can addressed by both subsystems.
In stand-alone operation, the master subsystem always addresses all switched I/O (in
contrast to one-sided I/O).
The single-channel switched I/O configuration is recommended for system components
which tolerate the failure of individual modules within the ET 200M, ET 200iSP or ET 200SP
HA.

Single-channel switched I/O configuration at the PROFIBUS DP interface

The installation with single-channel switched I/O is possible with the ET 200M distributed I/O
device with active backplane bus and redundant PROFIBUS DP device interface module and with
the ET 200iSP distributed I/O device.

(70

(7L63

Figure 6-7 Single-channel switched distributed I/O configuration at the PROFIBUS DP interface

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 63
I/O configuration variants
6.5 Using single-channel switched I/O

You can use the following interface modules for the I/O configuration at the PROFIBUS DP
interface:

Table 6-3 Interface modules for use of single-channel switched I/O configuration at the PROFIBUS
DP interface

Interface module Article No.

IM 152 for ET 200iSP 6ES7152-1AA00-0AB0
IM 153-2 for ET 200M 6ES7153-2BA82-0XB0
6ES7153-2BA02-0XB0
6ES7153-2BA10-0XB0
6ES7153-2BA70-0XB0

Each S7-400H subsystem is connected (via a DP master interface) to one of the two DP
device interfaces of the ET 200M.

Bus modules for hot swapping

You can use the following bus modules for hot swapping a variety of components:

Table 6-4 Bus modules for hot swapping

Bus module Article No.

BM PS/IM for load power supply and 6ES7195-7HA00-0XA0
IM 153
BM 2 x 40 for two modules with 40 6ES7195-7HB00-0XA0
mm width
BM 1 x 80 for a module with 80 mm 6ES7195-7HC00-0XA0
width
BM IM/IM for two IM 153-2/2 FO for 6ES7195-7HD10-0XA0
design of redundant systems

DP/PA link
The DP/PA link consists of one or two IM 153-2 interface modules, and one to five DP/PA couplers
that are either connected with one another via passive bus couplers or via bus modules.
The DP/PA link creates a gateway from a PROFIBUS DP master system to PROFIBUS PA. In this case
the two bus systems are non-interacting through the IM 153-2 both physically (galvanically) and
in terms of protocols and time.
PROFIBUS PA can be connected to a redundant system via a DP/PA link. The following IM 157
PA coupler is permissible: 6ES7157-0AC83-0XA0
You can use the following DP/PA links:

DP/PA link Article No.

ET 200M as DP/PA link with 6ES7153-2BA82-0XB0
6ES7153-2BA81-0XB0
6ES7153-2BA10-0XB0
6ES7153-2BA70-0XB0

CPU 410 Process Automation

64 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.5 Using single-channel switched I/O

Y-Link
The Y Link consists of two IM 153‑2 interface modules and one Y coupler that are connected with
one another by bus modules.
The Y Link creates a gateway from the redundant DP master system of an S7‑400H to a non-
redundant DP master system. This means that devices with only one PROFIBUS DP interface can
be connected to a S7-400H as switched I/Os.
A single-channel DP master system can be connected to a redundant system via a Y coupler.
The following IM 157 Y coupler is permissible: 6ES7197-1LB00 0XA0.
You can use the following Y-Links:

Y-Link Article No.

ET 200M as Y-Link with 6ES7153-2BA82-0XB0
6ES7153-2BA10-0XB0
6ES7153-2BA70-0XB0

FF Link
The FF Link bus link is a gateway between a PROFIBUS DP master system and a FOUNDATION
Fieldbus H1 segment and thus enables the integration of FF devices in SIMATIC PCS 7. The two
bus systems are uncoupled from each other by the IM 153-2 FF both physically (galvanically) and
with respect to protocol and time.
The FF Link bus link consists of one or two IM 153-2 FF interface modules and an FDC
157 field device coupler or a redundant FDC 157 coupler pair, which are connected to one
another via passive bus connectors or, in the case of the redundant installation, via bus
modules.
The Compact FF Link bus link consists of one or two IM 655-5 FF interface modules.

FF Link  
IM 153-2 6ES7153-2DA80-0XB0
FDC 157 6ES7157-0AC85-0XA0
Compact FF Link 6ES7655-5BA00-0AB0

Rule for PROFIBUS DP

A single-channel switched I/O configuration must always be symmetrical.
• This means the fault-tolerant CPU and other DP masters must be installed in the same slots
in both subsystems (for example slot 4 in both subsystems) or
• The DP devices must be connected to the same DP interface in both subsystems (for example,
to the PROFIBUS DP interfaces of both H-CPUs).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 65
I/O configuration variants
6.5 Using single-channel switched I/O

Single-channel switched I/O configuration at the PROFINET IO interface

The installation with single-channel switched I/O is possible with the ET 200M and ET 200SP HA
distributed I/O devices with active backplane bus and redundant PROFINET IO interface.

(70

(763+$

(763+$

Figure 6-8 Single-channel switched distributed I/O configuration at the PROFINET IO interface

Each subsystem of the S7-400H is connected (over a PROFINET IO interface) to the PROFINET
IO interface of the ET 200M or ET 200SP HA over one connection each. If the two PROFINET
IO interfaces are located on one IM, this is known as an S2 configuration. The S stands
for a single (single) IM and thus for only one PROFINET IO interface. If the PROFINET IO
interfaces are located on two different IMs, this is known as an R1 configuration The R stands

CPU 410 Process Automation

66 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.5 Using single-channel switched I/O

for redundant IMs and thus for two PROFINET IO interfaces. See Chapter Communication
services (Page 293).
You can use the following interface module for the I/O configuration at the PROFINET IO
interface:

Table 6-5 Interface module for use of single-channel switched I/O configuration at the PROFINET IO
interface

Interface module Article No.

IM 153-4 PN V4.0 and higher 6ES7153‑4BA00‑0XB0
IM 155-6 PN HA 6DL1155-6AU00-0PM0

Single-channel switched I/O and user program

In redundant operation, in principle any subsystem can access single-channel switched I/O. The
data is automatically transferred via the synchronization link and compared. An identical value
is available to the two subsystems at all times owing to the synchronized access.
If you have connected the I/O over two IMs, the CPU accesses the I/O over one IM. The active
IM is indicated by illumination of the ACT LED.
The path via the currently active DP interface or PROFINET IO interface is called the active
channel, while the path via the other interface is called the passive channel. The DP or PNIO
cycle is always active on both channels. However, only the input and output values of the
active channel are processed in the user program or output to the I/O. The same applies to
asynchronous activities, such as interrupt processing and the exchange of data records.

Failure of the single-channel switched I/O

The fault-tolerant system with single-channel switched I/O responds to errors as follows:
• The faulty I/O is no longer available if an input/output module or a connected device fails.
• In certain failure situations (for example, failure of a subsystem, a DP master system or a DP
device interface module IM153-2 DP), the single-channel switched I/O continues to be
available for the process.
This is achieved by a switchover between the active and passive channel. This switchover
takes place separately for each DP or PNIO station. A distinction is made between the
following two types of failure:
– Failures that affect only one station (for example, failure of the DP device interface
module of the currently active channel)
– Failures affecting all stations of a DP master system or PNIO system
These include removal of the connector at the DP master interface or PNIO interface,
shutdown of the DP master system (for example a RUN-STOP transition on a CP 443-5),
and short-circuits at the cable harness of a DP master system or PNIO system.
The following applies to each station affected by a failure: If both DP device interface
modules or PN IO connections are currently functional and the active channel fails, the
previously passive channel becomes the active channel. A redundancy loss is reported to the
user program when OB 70 starts (event W#16#73A3).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 67
I/O configuration variants
6.5 Using single-channel switched I/O

Once the problem is eliminated, redundancy is restored. This also starts OB 70 (event
W#16#72A3). In this situation, there is no changeover between the active and passive
channel.
If one channel has already failed, and the remaining (active) channel also fails, then there is
a complete station failure. This starts OB 86 (event W#16#39C4).
There is also complete station failure if an IM fails in an S2 configuration. This starts OB 86
(event W#16#39C4).

Note
If the external DP master interface module can detect failure of the entire DP master system (due
to a short-circuit, for example), it reports only this event ("Master system failure entering state"
W#16#39C3). The operating system no longer reports individual station failures. This feature
can be used to accelerate the changeover between the active and passive channel.

Duration of a changeover of the active channel

The maximum switchover time is
DP/PN error detection time + DP/PN switchover time + switchover time of the DP device
interface module/PNIO interface module
You can determine the first two values from the bus parameters of your DP master system or
PNIO system in STEP 7. You can determine the last value to be added from the manuals of the
DP device or PNIO interface modules involved.

Note
When using fail-safe modules, always set a monitoring time for each fail-safe module that is
longer than the changeover time of the active channel in the fault-tolerant system. If you ignore
this rule, you risk passivation of the fail-safe modules during the changeover of the active
channel.
You can use the Excel file "s7ftimea.xls" to calculate the monitoring and reaction times. The file
is available at the following address (https://support.industry.siemens.com/cs/ww/en/view/
22557362):

Note
Please note that the CPU can only detect a signal change if the signal duration is greater than the
specified changeover time.
When there is a changeover of the entire DP master system, the changeover time of the slowest
DP component applies to all DP components. A DP/PA link or Y-Link usually determines the
changeover time and the corresponding minimum signal duration. We therefore recommend
that you connect DP/PA and Y-Links to a separate DP master system.

CPU 410 Process Automation

68 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.6 Versions of I/O connection to the PROFINET IO interface

Changeover of the active channel during link-up and updating

During link-up and updating with master/standby changeover (see Link-up sequence
(Page 334)), a changeover between the active and passive channels occurs for all stations of the
switched I/O. At the same time OB 72 is called.

Bumpless changeover of the active channel

To prevent the I/O failing temporarily or outputting substitute values during the changeover
between the active and passive channel, the DP or PNIO stations of the switched I/O put their
outputs on hold until the changeover is completed and the new active channel has taken over.
To ensure that total failure of a DP or PNIO station is also detected during the changeover, the
changeover is monitored by both the various DP/PNIO stations and by the DP master system
or IO system.

System configuration and project engineering

You should allocate switched I/O with different changeover times to separate chains. This, for
example, simplifies the calculation of monitoring times.

See also
Time monitoring (Page 114)

6.6 Versions of I/O connection to the PROFINET IO interface

6.6.1 Use of I/O connected to the PROFINET IO interface, system redundancy

System redundancy
You can configure the PROFINET IO system redundancy with switched devices connected to an
IM. The configuring of the PROFINET I/O is comparable to the configuring of the PROFIBUS I/O.
You can connect a maximum of 256 IO devices to each of the two integrated PN/IO
interfaces. You can configure these as one-sided or switched devices as desired. The station
numbers are disjoint across both PN/IO interfaces and are between 1 and 256.

Note
The PROFINET IO device must support this function in order to be operated redundantly on the
fault-tolerant system. Two ports does not mean that two system connections can be created,
thereby achieving system redundancy.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 69
I/O configuration variants
6.6 Versions of I/O connection to the PROFINET IO interface

Configuration
The following figure shows various different configurations for connecting IO devices to the
fault-tolerant system.

$6+ $6+ $6+

1
+&L5SRVVLEOH 2 +&L5SRVVLEOH 3 +&L5SRVVLEOH

352),1(7VXEQHW 352),1(7VXEQHWV 352),1(7VXEQHWV

(763+$ (763+$ (763+$

(763+$ (763+$ (763+$

Figure 6-9 System redundancy

Configura‐ Properties
tion
① Switched I/O at the PROFINET IO
Each IO device is connected over one IM with two logic connections (system redundancy) to the two CPUs in the
fault-tolerant system.
This type of connection is also known as fault-tolerant PROFINET IO.
② and ③ Switched I/O at the redundant PROFINET IO
Each IO device is connected over two IMs to the two CPUs in the fault-tolerant system. Each IM is assigned to
one of the CPUs. The IM must support system redundancy.
This type of connection is also known as redundant PROFINET IO.
This allows independent redundant PROFINET networks to operate in the fault-tolerant system. At the same
time, the two IMs increase availability.
In ③, the connection to the CPU is also configured as a ring (redundant fault-tolerant PROFINET IO).

Note
Logical configuration and topology
The topology alone does not determine whether IO devices are configured at one side (assigned
to only one CPU in the fault-tolerant system) or in a system-redundant configuration. This is
specified in configuration. The IO devices in configuration ① can, for example, also be
configured on one side instead of in a system-redundant configuration.

Configuration with two IO devices with independent, system-redundant connection

This configuration has the following advantage: The complete system can continue operating
after a wire break, no matter where the wire break is located. One of the two communication
connections of the IO devices is always retained. The IO devices that are redundant up this point
continue operating as one-sided IO devices.

CPU 410 Process Automation

70 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.6 Versions of I/O connection to the PROFINET IO interface

Network addresses on the PROFINET IO subsystem

In a redundant configuration, the network addresses of the interface modules must be unique
across both PROFINET IO subsystems.
• In a ring structure, all network addresses must be within a PROFINET IO subsystem and you
must specify the MRP role for each node.
• In the case of system redundancy with two subnets, the two interface modules of a station
must be assigned to the following PROFINET IO subnet:
– Interface module in slot 0 of the IO device is assigned to rack 0 of the IO controller.
– Interface module in slot 1 of the IO device is assigned to rack 1 of the IO controller.

Commissioning of a system-redundant configuration

It is imperative that you assign unique names when commissioning.
When you change a project or download a new project, follow these steps:
1. Put the fault-tolerant system in STOP state on both ends
2. Perform a memory reset of the standby CPU
3. Download the new project to the master CPU
4. Start the Fault-tolerant system
Note
To edit the topology of a project, use the topology editor in HW Config.

S2 and R1 devices
S2 device: There is one IM connected to both CPUs.
R1 device: There are two IM (redundant). Each IM is connected to one CPU.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 71
I/O configuration variants
6.6 Versions of I/O connection to the PROFINET IO interface

Cabinet concept with switched I/O connected to PROFINET IO

The following figure shows the system-redundant connection of nine IO devices via three
switches. With this configuration, for example, IO devices can be arranged in multiple cabinets.

6ZLWFK

Figure 6-10 IO devices in multiple cabinets

6.6.2 Redundant I/O in an ET 200SP HA

Redundant I/O
To configure the redundant I/O connected to PROFINET IO, insert two I/O modules of the same
type next to each other in a special terminal block (TB45R...).
This terminal block connects the respective process signals of the two IO modules to a
common process terminal.
• There is less wiring work compared to connecting separate I/O modules, because the
interconnection of the process signals is integrated in the system.
• The redundant signal processing of the sensors and actuators on the module level increases
the availability of the system.
• In redundant operation, the switching characteristics of the output modules that can control
the actuator in parallel are improved.

CPU 410 Process Automation

72 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.6 Versions of I/O connection to the PROFINET IO interface

Application planning
Observe the following rules for configuring redundant I/O modules:
Hardware rule
• The I/O modules must be approved for redundant operation. You can find this information in
the manual for the respective module.
• Redundantly deployed I/O modules must be identical, i.e. they must have the same article
number, the same hardware version and the same firmware version.
Mounting rule
I/O modules of the same type are plugged in pairs next to each other in the same IO device.
• Both slots are located on the same support module.
• Both slots are located on the same terminal block (TB45R).

Note
Specific wiring
Always read the documentation of the I/O module used.

Configuring
• Configure redundancy for the I/O module.
The settings you make for an I/O module always apply to the module pair.

Configuration
The following figure shows an example for the connection of the sensors or actuators each with
two redundantly used input/output modules.

&RQILJXUDWLRQIRU,2UHGXQGDQF\

,2PRGXOHV

7HUPLQDOEORFN7%5

Sensor
(763+$

(763+$

Figure 6-11 S7-400 H-system with sensors and actuators on module pairs (redundant signal processing)

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 73
I/O configuration variants
6.6 Versions of I/O connection to the PROFINET IO interface

Response to failure
The following applies when a I/O module or a channel of the two I/O modules fails (valid for input/
output and mixed modules):
• The inputs continue to be available in the system.
• The outputs are controlled in the system.

Connecting sensors/actuators
You can connect a sensor/actuator to two redundant input/output modules.
The failure of an input module does not result in the loss of sensor data. When an output
module fails, the connected actuator continues to be controlled.
In some cases, the hardware design requires the sensor also to be implemented redundantly,
for example for RTD thermal resistors. Sensors can be powered using suitable input modules.
The redundant signal processing of the sensors and actuators at the module level increases
the availability of the system. Firmware update and module replacement are possible during
operation.
In redundant operation, the switching characteristics of the output modules that can control
the actuator in parallel are improved. The modules can operate with twice the switching
current and power distribution between two output modules.
The figure below shows a configuration with one sensor and one actuator for a pair of
redundant I/O modules.

,2FRQWUROOHU
$6

352),1(7b,2
,QGXVWULDO(WKHUQHW

,2'HYLFH(763+$

Sensor

Actuator

Figure 6-12 AS 410 with redundant module pairs

CPU 410 Process Automation

74 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Maintenance and service

One of the following functions is possible in each case during operation:
• Firmware update
• Replacing a module

6.7 Connection of two-channel I/O to the PROFIBUS DP interface

6.7.1 Connecting redundant I/O

Redundant I/O in the switched DP device

To achieve this, the signal modules are installed in pairs in ET 200M distributed I/O devices with
active backplane bus.

5HGXQGDQWPRGXOHSDLU

Figure 6-13 Redundant I/O in the switched DP device

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 75
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Principle of channel group-specific redundancy

Channel errors due to discrepancy cause the passivation of the respective channel. Channel
errors due to diagnostic interrupts (OB82) cause the passivation of the channel group affected.
Depassivation depassivates all affected channels as well as the modules passivated due to
module errors. Channel group-specific passivation significantly increases availability in the
following situations:
• Relatively frequent encoder failures
• Repairs that take a long time
• Multiple channel errors on one module
Note
Channel and channel group
Depending on the module, a channel group contains a single channel, a group of several
channels, or all channels of the module. You can therefore operate all modules with
redundancy capability in channel group-specific redundancy mode.

You can find an up-to-date list of modules with redundancy capability in Signal modules for
redundancy (Page 78).

"Functional I/O redundancy" block library

The blocks you use for channel group-specific redundancy are located in the "Redundant IO CGP
V50" library.
The "Functional I/O redundancy" block libraries that support the redundant I/O each contain
the following blocks:
• FC 450 "RED_INIT": Initialization function
• FC 451 "RED_DEPA": Initiate depassivation
• FB 450 "RED_IN": Function block for reading redundant inputs
• FB 451 "RED_OUT": Function block for controlling redundant outputs
• FB 452 "RED_DIAG": Function block for diagnostics of redundant I/O
• FB 453 "RED_STATUS": Function block for redundancy status information
Configure the numbers of the management data blocks for the redundant I/O in HW Config
under "CPU properties -> Fault-tolerant parameters". Assign unassigned DB numbers for these
data blocks. The data blocks are created by FC 450 "RED_INIT" during CPU startup. The
default setting for the management data block numbers is 1 and 2. These data blocks are not
the instance data blocks of FB 450 "RED_IN" or FB 451 "RED_OUT".
You can open the libraries in the SIMATIC Manager with "File -> Open -> Libraries"
The relevant online help describes the functions and use of the blocks.

Using the blocks

Before using the blocks, configure the redundant modules as redundant in HW Config.

CPU 410 Process Automation

76 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

The OBs into which you need to link the various blocks are listed in the table below:

Block OB
FC 450 "RED_INIT" • OB 72 "CPU redundancy error" (only with fault-tolerant systems)
FC 450 is only processed after start event B#16#33:"Standby/master
switchover by operator"
• OB 80 "Timeout error" (only in single mode)
FC 450 is only executed after the start event "Resume RUN after
reconfiguring"
• OB 100 "Restart" (the administration DBs are recreated, see the on‐
line help)
• OB 102 "Cold restart"
FC 451 "RED_DEPA" If you call FC 451 in OB 83 while inserting modules or in OB 85 during
alarm output, depassivation is delayed by approximately 3 seconds.
In addition the FC 451 should be executed after the removal of the error
response as specific call in OB 1 and/or OB 30 to 38. The FC451 only
depassivates modules in the corresponding process image partition.
Depassivation is delayed by 10 s.
FB 450 "RED_IN" • OB 1 "Cyclic program"
• OB 30 to OB 38 "Watchdog interrupt"
FB 451 "RED_OUT" • OB 1 "Cyclic program"
• OB 30 to OB 38 "Watchdog interrupt"
FB 452 "RED_DIAG" • OB 72 "CPU redundancy error"
• OB 82 "Diagnostic interrupt"
• OB 83 "Remove/insert interrupt"
• OB 85 "Program execution error"
FB 453 "RED_STATUS" • OB 1 "Cyclic program" (fault-tolerant systems only)
• OB 30 to OB 38 "Watchdog interrupt"

To be able to address redundant modules using process image partitions in watchdog

interrupts, the relevant process image partition must be assigned to this pair of modules
and to the watchdog interrupt. Call FB 450 "RED_IN" in this watchdog interrupt before you
call the user program. Call FB 451 "RED_OUT" in this watchdog interrupt after you call the
user program.
The valid values that can be processed by the user program are always located at the lower
address of both redundant modules. This means that only the lower address can be used for
the application; the values of the higher address are not relevant for the application.

Note
Use of FB 450 "RED_IN" and 451 "RED_OUT" when using process image partitions
For each priority class used (OB 1, OB 30 ... OB 38), you must use a separate process image
partition.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 77
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

HW configuration and configuring the redundant I/O

Follow the steps below to use redundant I/O:
1. Insert all the modules you want to operate redundantly. Please also observe the default rules
for configuration detailed below.
2. Configure module redundancy in HW Config in the object properties of the relevant module.
Either search for a partner module for each module or use the default settings.
If the module is inserted in slot x of the device with a given DP address, the module inserted
in slot X of the device with the next Profibus address is suggested.
3. Enter the remaining redundancy parameters for the input modules.
Note
System modifications during operation are also supported with redundant I/O. You are not
permitted to change the parameter settings for a redundant module per SFC.

Note
Always switch off power to the station or rack before you remove a redundant digital input
module that does not support diagnostics functions and is not passivated. You might
otherwise passivate the wrong module. This procedure is necessary, for example, when
replacing the front connector of a redundant module.
Redundant modules must be in the process image of the inputs or outputs. Redundant
modules are always accessed using the process image.
If you use redundant modules, you need to make the following settings on the "Cycle/clock
memory" tab under "HW Config -> CPU 41x-H properties":
"OB 85 call on I/O area access error > Only incoming and outgoing errors"

6.7.2 Signal modules for redundancy

Signal modules as redundant I/O

You can use the signal modules listed below as redundant distributed I/O connected to PROFIBUS
DP. Please note the latest information on use of the modules in the SIMATIC PCS 7 readme.

Note
The statements on the individual signal modules in this section refer exclusively to their use in
redundant operation. Restrictions and special features listed here especially do not apply to the
use of the corresponding module in stand-alone operation.

Take into account that you can only use modules of the same product version and same
firmware version as redundant pairs.
A complete list of all modules approved for SIMATIC PCS 7 can be found in the area "Manuals
for the SIMATIC PCS 7 V9.X software" > "SIMATIC PCS 7 system documentation" > "Approved

CPU 410 Process Automation

78 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

modules V9.X" Technical documentation SIMATIC PCS 7 (https://new.siemens.com/global/en/

products/automation/process-control/simatic-pcs-7/technical-documentation.html).

Table 6-6 Signal modules for redundancy

Module Article No.

Redundant DI dual-channel
DI16xDC 24 V, interrupt 6ES7 321-7BH00-0AB0
DI16xDC 24 V 6ES7 321-7BH01-0AB0
In the event of an error on one channel, the entire group (2 channels) is passivated. When using the module with HF index, only
the faulty channel is passivated in the event of a channel error.
Use with non-redundant encoder
• This module supports the "wire break" diagnostic function. To implement this function, make sure that a total current
between 2.4 mA and 4.9 mA flows even at signal state "0" when you use an encoder that is evaluated at two inputs in
parallel.

You achieve this by connecting a resistor across the encoder. Its value depends on the type of switch and usually ranges
between 6800 and 8200 ohms for contacts.

For BEROS, calculate the resistance using the following formula:

(30 V / (4.9 mA - I_R_Bero) < R < (20 V / (2.4 mA - I_R_Bero)
DI16xDC 24 V 6ES7 321-1BH02-0AA0
In some system states, it is possible that an incorrect value of the first module is read in briefly when the front connector of the
second module is removed. This is prevented by using series diodes.
DI32xDC 24 V 6ES7 321-1BL00-0AA0
In some system states, it is possible that an incorrect value of the first module is read in briefly when the front connector of the
second module is removed. This is prevented by using series diodes.
DI 8xAC 120/230V 6ES7 321-1FF01-0AA0
DI 4xNamur [EEx ib] 6ES7 321-7RD00-0AB0
You cannot use the module in redundant operation for applications in hazardous areas.
Use with non-redundant encoder
• You can only connect 2-wire NAMUR encoders or contact makers.
• Equipotential bonding of the encoder circuit should always be at one point only (preferably encoder negative).
• When selecting encoders, compare their properties with the specified input characteristics. Remember that this function
must always be available, regardless of whether you are using one or two inputs.
DI 16xNamur 6ES7321-7TH00-0AB0
Use with non-redundant encoder
• Equipotential bonding of the encoder circuit should always be at one point only (preferably encoder negative).
• Operate the two redundant modules on a common load power supply.
• When selecting encoders, compare their properties with the specified input characteristics. Remember that this function
must always be available, regardless of whether you are using one or two inputs.
DI 24xDC 24 V 6ES7326-1BK01-0AB0
6ES7326-1BK02-0AB0
F module in standard mode
DI 8xNAMUR [EEx ib] 6ES7326-1RF00-0AB0
F module in standard mode
Redundant DO dual-channel

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 79
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Module Article No.

DO8xDC 24 V/0.5 A 6ES7322-8BF00-0AB0
Definite evaluation of the diagnostics information "P short-circuit" and "wire break" is not possible. Deselect these individually
in your configuration.
DO8xDC 24 V/2 A 6ES7322-1BF01-0AA0
DO32xDC 24 V/0.5 A 6ES7322-1BL00-0AA0
DO8xAC 120/230 V/2 A 6ES7322-1FF01-0AA0
DO 4x24 V/10 mA [EEx ib] 6ES7322-5SD00-0AB0
You cannot use the module in redundant operation for applications in hazardous areas.
DO 4x15 V/20 mA [EEx ib] 6ES7322-5RD00-0AB0
You cannot use the module in redundant operation for applications in hazardous areas.
DO 16xDC 24 V/0.5 A 6ES7322-8BH01-0AB0
• The equipotential bonding of the load circuit should always be at one point only (preferably load minus).
• Diagnostics of the channels is not possible.
DO 16xDC 24 V/0.5 A 6ES7322-8BH10-0AB0
• The equipotential bonding of the load circuit should always be at one point only (preferably load minus).
DO 10xDC 24 V/2 A 6ES7326-2BF00-0AB0
6ES7326-2BF01-0AB0
F module in standard mode
Redundant AI dual-channel
AI8x12Bit 6ES7331-7KF02-0AB0
Use in voltage measurement
• The "wire break" diagnostics function in HW Config must not be enabled either the modules are operated with transmitters
or when thermocouples are connected.
Use for indirect current measurement
• When determining the measuring error, observe the following: The total input resistance in measuring ranges > 2.5 V is
reduced from a nominal 100 kilohms to 50 kilohms when you operate two inputs connected in parallel.
• The "wire break" diagnostics function in HW Config must not be enabled either the modules are operated with transmitters
or when thermocouples are connected.
• Use a 50 ohm resistor (measuring range +/- 1 V) or 250 ohm resistor (measuring range 1 to 5 V) to map the current on a
voltage. The tolerance of the resistor must be added on to the module error.
• This module is not suitable for direct current measurement.
Use of redundant encoders:
• You can use a redundant encoder with the following voltage settings:
+/- 80 mV (only without wire break monitoring)
+/- 250 mV (only without wire break monitoring)
+/- 500 mV (wire break monitoring not configurable)
+/- 1 V (wire break monitoring not configurable)
+/- 2.5 V (wire break monitoring not configurable)
+/- 5 V (wire break monitoring not configurable)
+/- 10 V (wire break monitoring not configurable)
1...5 V (wire break monitoring not configurable)
AI 8x16Bit 6ES7 331-7NF00-0AB0

CPU 410 Process Automation

80 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Module Article No.

Use in voltage measurement
• The "wire break" diagnostics function in HW Config must not be enabled when the modules are operated with transmitters.
Use in indirect current measurement
• When using indirect current measurement, ensure a reliable connection between the sensor resistances and the actual
inputs, because a reliable wire break detection cannot be guaranteed in the case of a wire break of individual cables of this
connection.
• Use a 250 ohm resistor (measuring range 1 to 5 V) to map the current on a voltage.
Use in direct current measurement
• Suitable Zener diode: BZX85C8v2
• Circuit-specific additional error: If one module fails, the other may suddenly show an additional error of approx. 0.1%.
• Load capability of 4-wire transmitters: RB > 610 ohms
(determined for worst case: 1 input + 1 Zener diode at an S7 overload value of 24 mA to RB = (RE * Imax + Uz max) / Imax)
• Input voltage in the circuit when operating with a 2-wire transmitter: Ue-2w < 15 V
(determined for worst case: 1 input + 1 Zener diode at an S7 overload value of 24 mA to Ue-2w = RE * Imax + Uz max)
AI 8x16Bit 6ES7 331-7NF10-0AB0
Use in voltage measurement
• The "wire break" diagnostics function in HW Config must not be enabled either the modules are operated with transmitters
or when thermocouples are connected.
Use in indirect current measurement
• Use a 250 ohm resistor (measuring range 1 to 5 V) to map the current on a voltage.
Use in direct current measurement
• Suitable Zener diode: BZX85C8v2
• Load capability of 4-wire transmitters: RB > 610 ohms
(determined for worst case: 1 input + 1 Zener diode at an S7 overload value of 24 mA to RB = (RE * Imax + Uz max) / Imax)
• Input voltage in the circuit when operating with a 2-wire transmitter:
Ue-2w < 15 V (determined for worst case: 1 input + 1 Zener diode at an S7 overload value of 24 mA to Ue-2w = RE * Imax + Uz max)
AI 6xTC 16Bit iso 6ES7331-7PE10-0AB0
Notice: You may use this module only with redundant sensors.
You can use this module with Version 3.5 or higher of FB 450 "RED_IN" in the library "Redundant IO MGP" and Version 5.8 or
higher of FB 450 "RED_IN" in the library "Redundant IO CGP" V50.
Observe the following when measuring temperatures by means of thermocouples and assigned redundancy:
The value specified in "Redundancy" under "Tolerance window" is always based on 2765 °C. For example, a check is made for
a tolerance of 27 degrees when "1" is entered and 138 degrees when "5" is entered. 
A FW update is not possible in redundant operation
An online calibration is not possible in redundant operation.
Use in voltage measurement
• The "wire break" diagnostics function in HW Config must not be enabled when the modules are operated with thermo‐
couples.
Use in indirect current measurement
• Due to the maximum voltage range +/- 1 V, the indirect current measurement can be carried out exclusively via a 50 ohm
resistor. Mapping that conforms to the system is only possible for the area +/- 20 mA.
AI 4x15Bit [EEx ib] 6ES7331-7RD00-0AB0

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 81
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Module Article No.

You cannot use the module in redundant operation for applications in hazardous areas.
It is not suitable for indirect current measurement.
Use in direct current measurement
• Suitable Zener diode 6.2 V, for example BZX85C6v2
• Load capability of 4-wire transmitters: RB > 325 ohms
determined for worst case: 1 input + 1 Zener diode at an S7 overload value of 24 mA to RB = (RE * Imax + Uz max)/Imax
• Input voltage for 2-wire transmitters: Ue-2Dr < 8 V
calculated for worst case: 1 input + 1 Zener diode at an S7 overload value of 24 mA to Ue-2Dr = RE * Imax + Uz max
Note: You can only connect 2-wire transmitters with a 24 V external supply or 4-wire transmitters. The internal power supply
for transmitters cannot be used in the circuit because it outputs only 13 V, which means in the worst case it would supply only
5 V to the transmitter.
AI 8x0/4...20mA HART 6ES7 331-7TF01-0AB0
A FW update is not possible in redundant operation
An online calibration is not possible in redundant operation.
See Manual ET 200M Distributed I/O Device; HART Analog Modules manual
AI6x0/4...20mA HART 6ES7336-4GE00-0AB0
F module in standard mode  
AI 6x13Bit 6ES7 336-1HE00-0AB0
F module in standard mode
Redundant AO dual-channel
AO4x12 Bit 6ES7332-5HD01-0AB0
AO8x12 Bit 6ES7332-5HF00-0AB0
AO4x0/4...20 mA [EEx ib] 6ES7332-5RD00-0AB0
You cannot use the module in redundant operation for applications in hazardous areas.
AO 8x0/4...20mA HART 6ES7 332-8TF01-0AB0
A firmware update is not possible in redundant operation.
Online calibration is not possible in redundant operation.
See Manual ET 200M Distributed I/O Device; HART Analog Modules

Note
You need to install the F-ConfigurationPack for F modules.
The F ConfigurationPack can be downloaded free of charge from the Internet.
You can find it on the Customer Support site at Download of F Configuration Pack (https://
support.industry.siemens.com/cs/ww/en/view/15208817)

CPU 410 Process Automation

82 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Using digital input modules as redundant I/O

The following parameters were set to configure digital input modules for redundant operation:
• Discrepancy time (maximum permitted time in which the redundant input signals may
differ). The specified discrepancy time must be a multiple of the update time of the process
image and therefore also the basic conversion time of the channels.
When there is still a discrepancy in the input values after the configured discrepancy time has
expired, an error has occurred.
• Response to a discrepancy in the input values
First, the input signals of the paired redundant modules are checked for consistency. If the
values match, the uniform value is written to the lower memory area of the process input
image. If there is a discrepancy and it is the first, it is marked accordingly and the discrepancy
time is started.
During the discrepancy time, the most recent matching (non-discrepant) value is written to
the process image of the module with the lower address. This procedure is repeated until the
values once again match within the discrepancy time or until the discrepancy time of a bit
has expired.
If the discrepancy continues past the expiration of the configured discrepancy time, an error
has occurred.
The defective side is localized according to the following strategy:
1. During the discrepancy time, the most recent matching value is retained as the result.
2. Once the discrepancy time has expired, the following error message is displayed:
Error code 7960: "Redundant I/O: discrepancy time at digital input expired, error not yet
localized". Passivation is not performed and no entry is made in the static error image. Until
the next signal change occurs, the configured response is performed after the discrepancy
time expires.
3. If another signal change now occurs, the channel in which the signal change occurred is the
intact channel and the other channel is passivated.
Note
The time that the system actually needs to determine a discrepancy depends on various
factors: Bus runtimes, cycle times and call times of the user program, conversion times, etc.
For this reason, it is possible for redundant input signals to be different for longer than the
configured discrepancy time.

Modules with diagnostics capability are also passivated by calling OB 82.

MTA Terminal Modules

MTA terminal modules (Marshalled Termination Assemblies) can be used to connect field
devices, sensors and actuators to the I/O modules of the ET 200M remote I/O stations simply,
quickly and reliably. They can be used to significantly reduce the costs and required work for
cabling and commissioning, and prevent wiring errors.
The individual MTA terminal modules are each tailored to specific I/O modules from the
ET 200M range. MTA versions for standard I/O modules are also available, as for redundant
and safety-related I/O modules. The MTA terminal modules are connected to the I/O modules
using 3 m or 8 m long preassembled cables.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 83
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Details on combinable ET 200M modules and suitable connecting cables and on the current
MTA product range can be found at the following address: Update and expansion of the MTA
terminal modules (https://support.industry.siemens.com/cs/ww/en/view/29289048)

Using redundant digital input modules with non-redundant encoders

With non-redundant encoders, you use digital input modules in a 1-out-of-2 configuration:

Digital input modules

Figure 6-14 Fault-tolerant digital input module in 1-out-of-2 configuration with one encoder

The use of redundant digital input modules increases their availability.

Discrepancy analysis detects "Continuous 1" and "Continuous 0" errors of the digital input
modules. A "Continuous 1" error means the value 1 is applied permanently at the input; a
"Continuous 0" error means that the input is not energized. This can be caused, for example,
by a short-circuit to L+ or M.
The current flow over the chassis ground connection between the modules and the encoder
should be the minimum possible.
When connecting an encoder to several digital input modules, the redundant modules must
operate at the same reference potential.
If you want to replace a module during operation and are not using redundant encoders, you
will need to use decoupling diodes.
If you do not use terminal modules, see the interconnection examples in the Appendix
Connection examples for redundant I/Os (Page 379).

Note
Remember that the proximity switches (Beros) must provide the current for the channels of both
digital input modules. The technical specifications of the respective modules, however, specify
only the required current per input.

CPU 410 Process Automation

84 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Using redundant digital input modules with redundant encoders

With redundant encoders, you use digital input modules in a 1-out-of-2 configuration:

Digital input modules

Figure 6-15 Fault-tolerant digital input modules in 1-out-of-2 configuration with two encoders

The use of redundant encoders also increases their availability. A discrepancy analysis detects
all errors, except for the failure of a non-redundant load voltage supply. You can enhance
availability by installing redundant load power supplies.
You will find interconnection examples in Appendix Connection examples for redundant I/Os
(Page 379).

Redundant digital output modules

Fault-tolerant control of a final controlling element can be achieved by connecting two outputs
of two digital output modules or fail-safe digital output modules in parallel (1-out-of-2
configuration).

Interconnection using external diodes Interconnection without external diodes

Figure 6-16 Fault-tolerant digital output modules in 1-out-of-2 configuration

The digital output modules must be connected to a common load voltage supply.
If you do not use terminal modules, see the interconnection examples in the Appendix
Connection examples for redundant I/Os (Page 379).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 85
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Using analog input modules as redundant I/O

You specified the following parameters when you configured the analog input modules for
redundant operation:
• Tolerance window (configured as a percentage of the end value of the measuring range)
Two analog values are considered equal if they are within the tolerance window.
• Discrepancy time (maximum permitted time in which the redundant input signals can be
outside the tolerance window). The specified discrepancy time must be a multiple of the
update time of the process image and therefore also the basic conversion time of the
channels.
An error is generated when there is an input value discrepancy after the configured
discrepancy time has expired.
If you connect identical sensors to both analog input modules, the default value for the
discrepancy time is usually sufficient. If you use different sensors, in particular temperature
sensors, you will have to increase the discrepancy time.
• Applied value
The applied value represents the value of the two analog input values that is applied to the
user program.
The system verifies that the two read-in analog values are within the configured tolerance
window. If they are, the applied value is written to the lower data memory area of the
process input image. If there is a discrepancy and it is the first, it is marked accordingly and
the discrepancy time is started.
When the discrepancy time is running, the most recent valid value is written to the process
image of the module with the lower address and made available to the current process. If the
discrepancy time expires, the channel with the configured standard value is declared as valid
and the other channel is passivated. If the maximum value from both modules is configured
as the standard value, this value is then taken for further program execution and the other
channel is passivated. If the minimum value is set, this channel supplies the data to the
process and the channel with the maximum value is passivated. Whichever is the case, the
passivated channels are entered in the diagnostic buffer.
If the discrepancy is eliminated within the discrepancy time, analysis of the redundant input
signals is still carried out.

Note
The time that the system actually needs to determine a discrepancy depends on various factors:
Bus runtimes, cycle times and call times of the user program, conversion times, etc. For this
reason, it is possible for redundant input signals to be different for longer than the configured
discrepancy time.

Note
There is no discrepancy analysis when a channel reports an overflow with 16#7FFF or an
underflow with 16#8000. The relevant channel is passivated immediately.
You should therefore disable all unused inputs in HW Config using the "Measurement type"
parameter.

CPU 410 Process Automation

86 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Redundant analog input modules with non-redundant encoder

With non-redundant encoders, analog input modules are used in a 1-out-of-2 configuration:

Analog input modules Analog input modules Analog input modules

U I I

Voltage measurement Indirect current measurement Direct current measurement

Figure 6-17 Fault-tolerant analog input modules in 1-out-of-2 configuration with one encoder

Remember the following when connecting an encoder to multiple analog input modules:
• Connect the analog input modules in parallel for voltage sensors (left in figure).
• You can convert a current into voltage using an external load to be able to use voltage analog
input modules connected in parallel (center in the figure).
• 2-wire transmitters are powered externally to allow you to repair the module online.
The redundancy of the fail-safe analog input modules enhances their availability.
If you do not use terminal modules, see the interconnection examples in the Appendix
Connection examples for redundant I/Os (Page 379).

Redundant analog input modules for indirect current measurement

The following applies to the wiring of analog input modules:
• Suitable encoders for this circuit are active transmitters with voltage output and
thermocouples.
• The "wire break" diagnostics function in HW Config must not be enabled either the modules
are operated with transmitters or when thermocouples are connected.
• Suitable encoder types: active 4-wire and passive 2-wire transmitters with output ranges
+/-20 mA, 0 to 20 mA, and 4 to 20 mA. 2-wire transmitters are powered by an external
auxiliary voltage.
• Criteria for the selection of resistance and input voltage range are the measurement
accuracy, number format, maximum resolution and possible diagnostics.
• In addition to the options listed, other input resistance and voltage combinations according
to Ohm’s law are also possible. However, note that the number format, diagnostic capability
and resolution may then be lost. The measurement error also depends largely on the size of
the measure resistance of certain modules.
• Use a measure resistance with a tolerance of +/- 0.1% and TC 15 ppm.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 87
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Additional conditions for specific modules

AI 8x12 bit 6ES7 331-7K..02-0AB0
• Use a 50 ohm or 250 ohm resistor to map the current on a voltage:

Resistor 50 ohms 250 ohms

Current measuring range +/-20 mA +/-20 mA *) 4...20 mA
Input range to be assigned +/-1 V +/-5 V 1...5 V
Measuring range cube position "A" "B"
Resolution 12 bits + sign 12 bits + sign 12 bits
S7 number format x x
Circuit-specific measuring error - 0.5%
- 2 parallel inputs - 0.25%
- 1 input
"Wire break" diagnostics - - x *)
Load for 4-wire transmitters 50 ohms 250 ohms
Input voltage for 2-wire transmitters > 1.2 V >6V
*) The AI 8x12bit outputs diagnostic interrupt and measured value "7FFF" in the event of wire break.

The listed measuring error results solely from the interconnection of one or two voltage
inputs with a measure resistance. Allowance has neither been made here for the tolerance
nor for the basic/operational limits of the modules.
The measuring error for one or two inputs shows the difference in the measurement result
depending on whether two inputs or, in case of error, only one input acquires the current of
the transmitter.
AI 8x16 bit 6ES7 331-7NF00-0AB0
• Use a 250 ohm resistor to map the current on a voltage:

Resistor 250 ohms *)

Current measuring range +/-20 mA 4...20 mA
Input range to be assigned +/-5 V 1...5 V
Resolution 15 bits + sign 15 bits
S7 number format x
Circuit-specific measuring error -
- 2 parallel inputs -
- 1 input
"Wire break" diagnostics - x
Load for 4-wire transmitters 250 ohms
Input voltage for 2-wire transmitters >6V
*) It may be possible to use the freely connectible internal module 250 ohm resistors

CPU 410 Process Automation

88 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Redundant analog input modules for direct current measurement

The following applies to the wiring of analog input modules:
• Suitable encoder types: active 4-wire and passive 2-wire transmitters with output ranges
+/-20 mA, 0 to 20 mA, and 4 to 20 mA. 2-wire transmitters are powered by an external
auxiliary voltage.
• The "wire break" diagnostics function supports only the 4...20 mA input range. All other
unipolar or bipolar ranges are excluded in this case.
• Suitable diodes include the types of the BZX85 or 1N47..A series (1.3 W Zener diodes) with
the voltages specified for the modules. When selecting other elements, make sure that the
reverse current is as low as possible.
• A fundamental measuring error of max. 1 µA results from this type of circuit and the
specified diodes due to the reverse current. In the 20 mA range and at a resolution of 16 bits,
this value leads to an error of < 2 bits. Individual analog inputs in the circuit above lead to an
additional error, which may be listed in the constraints. The errors specified in the manual
must be added to these errors for all modules.
• The 4-wire transmitters used must be capable of driving the load resulting from the circuit
above. You will find details in the technical specifications of the individual modules.
• When connecting 2-wire transmitters, please note that the Zener diode circuit weighs heavily
in the power budget of the transmitter. The required input voltages are therefore included in
the technical specifications of the individual modules. Together with the inherent supply
specified on the transmitter data sheet, the minimum supply voltage is calculated to L+ > Ue-2w
+ UIS-TR

Redundant analog input modules with redundant encoders

With double-redundant encoders, it is better to use fail-safe analog input modules in a 1-out-of-2
configuration:

$QDORJLQSXWPRGXOH $QDORJLQSXWPRGXOH

Figure 6-18 Fault-tolerant analog input modules in 1-out-of-2 configuration with two encoders

The use of redundant encoders also increases their availability.

A discrepancy analysis also detects external errors, except for the failure of a non-redundant
load voltage supply.
You will find interconnection examples in Appendix Connection examples for redundant I/Os
(Page 379).
The general comments made at the beginning of this documentation apply.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 89
I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

Redundant analog output modules

You implement fault-tolerant control of a final controlling element by wiring two outputs of two
analog output modules in parallel (1-out-of-2 configuration)

Analog output modules

I
Actuator

Figure 6-19 Fault-tolerant analog output modules in 1-out-of-2 configuration

The following applies to the wiring of analog output modules:

• Wire the ground connections in a star structure to avoid output errors (limited common-
mode suppression of the analog output module).
If you do not use terminal modules, see the interconnection examples in the Appendix
Connection examples for redundant I/Os (Page 379)

Analog output signals

Only analog output modules with current outputs (0 to 20 mA, 4 to 20 mA) can be operated
redundantly.
The output value is divided by 2, and each of the two modules outputs half. If one of the
modules fails, the failure is detected and the remaining module outputs the full value. As a
result, the surge at the output module in the event of an error is not as high.

Note
The output value drops briefly to half, and after the reaction in the program it is returned to the
proper value. The duration of the output value drop is determined by the following time
intervals:
• Time interval between the initial occurrence of an interrupt and the interrupt report reaching
the CPU.
• Time interval until the next RED_OUT (FB 451) call.
• Time interval until the intact analog output module has doubled the output value.

In the case of passivation or a CPU STOP, redundant analog outputs output an assignable
minimum current of approximately 120-1000 μA per module (or 240-1000 μA for HART
analog output modules), i.e., a total of approximately 240-2000 µA (or 480-2000 μA for
HART analog output modules). Considering the tolerance, this means that the output value is
always positive.

CPU 410 Process Automation

90 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.7 Connection of two-channel I/O to the PROFIBUS DP interface

A configured substitute value of 0 mA will produce at least these output values. In a

redundant configuration of analog outputs, the substitute value of the current outputs is
automatically set permanently to "zero current and zero voltage". You can also specify a
configurable compensation current of 0-400 µA for an output range of 4-20 mA.
This means you have the option of matching the minimum/compensation current to the
connected I/O.
To minimize the error of the total current at the summing point in case of one-sided
passivation, the assigned compensation current is subtracted in this case from the current of
the depassivated (i.e., active) channel with a pre-set value of 4 mA (range +-20 µA).

Note
If both channels of a channel pair were passivated (e.g., by OB 85), the respective half of the
current value is still output to both storage locations in the process image of outputs. If one
channel is depassivated, then the full value is output on the available channel. If this is not
required, a substitute value must be written to the lower channels of both modules prior to
executing FB 451 "RED_OUT".

Depassivation of modules
Passivated modules are depassivated by the following events:
• When the fault-tolerant system starts up
• When the fault-tolerant system switched to "redundant" mode
• After system modifications during operation
• If you call FC 451 "RED_DEPA" and at least one redundant channel or module is passivated.
The depassivation is executed in FB 450 "RED IN" after one of these events has occurred.
Completion of the depassivation of all modules is logged in the diagnostics buffer.

Note
When a redundant module is assigned a process image partition and the corresponding OB is not
available on the CPU, the complete passivation process may take approximately 1 minute.

See also
S7-400H Systems Redundant I/O (https://support.industry.siemens.com/cs/ww/en/view/
9275191)

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 91
I/O configuration variants
6.8 Media redundancy

6.7.3 Evaluating the passivation status

Procedure
First, determine the passivation status by evaluating the status byte in the status/control word
"FB_RED_IN.STATUS_CONTROL_W". If you see that one or more modules have been passivated,
determine the status of the respective module pairs in MODUL_STATUS_WORD.

Evaluating the passivation status using the status byte

The status word "FB_RED_IN.STATUS_CONTROL_W" is located in the instance DB of FB 450
"RED_IN". The status byte returns information on the status of the redundant I/Os. The
assignment of the status byte is described in the online help for the respective block library.

Evaluating the passivation status of individual module pairs by means of MODUL_STATUS_WORD

MODUL_STATUS_WORD is an output parameter of FB 453 and can be interconnected
accordingly. It returns information on the status of individual module pairs.
The assignment of the MODUL_STATUS_WORD status byte is described in the online help for
the respective function block library.

6.8 Media redundancy

Media redundancy is a function for ensuring network availability and thus contributes to
increasing the plant availability. Redundant transmission links in a ring topology ensure that an
alternative communication path is always available if a transmission link fails. Following a fault
in one transmission link, data traffic can resume over the alternative link after a maximum
reconfiguration time of 200 ms.
For the components involved, you can enable the media redundancy protocol (MRP) in HW
Config. The components (IO devices, switches) must support MRP. MRP is a component of the
PROFINET IO standardization according to IEC 61158.

Note
Support of PRP (Parallel Redundancy Protocol) or MRPD (Media Redundancy Protocol Domain)
does not equal MRP functionality or vice versa.

In the case of media redundancy with MRP, one device is specified as the media redundancy
manager (MRM) in HW Config. All other devices are redundancy clients.

CPU 410 Process Automation

92 System Manual, 11/2022, A5E31622160-AE
 I/O configuration variants
6.8 Media redundancy

Configuration
The following figure shows examples of the connection of IO devices to the PROFINET IO system:

$6 $6
1 &L5SRVVLEOH 2
+&L5SRVVLEOH

5HTXLUHGIRUPHGLD
UHGXQGDQF\
352),1(7VXEQHW 352),1(7VXEQHW

(763+$ (763+$

(763+$ (763+$

Configura‐ Properties
tion
① Media redundancy
Each node is connected to two other nodes in a ring configuration.
The IO controller must be configured as an MRP manager in HW Config.
The nodes connected to PROFINET IO must be assigned unique names.
② Media redundancy + system redundancy
The PROFINET IO system begins and ends at one IO controller each in this example.
Each node is connected to two other nodes in a ring configuration.
The MRP parameter assignment must be complete. If a PROFINET IO system is created at each PN IO connection
of the CPU, a newly inserted interface module is automatically connected to the PROFINET IO system of the CPU.
The nodes on the fieldbus (PROFINET IO) must be assigned unique names.

Installing a ring topology

To set up a ring topology with media redundancy, you must join both free ends of a line network
topology in the same device. You join the line topology to form a ring via two ports (ring ports,
port ID "R") of a device connected to the ring.
The data paths between the individual devices are automatically reconfigured if the ring is
interrupted at any point. The devices are available again after reconfiguration.

Note
The real-time communication is interrupted (station failure) when the reconfiguration time of
the ring exceeds the selected watchdog time of the IO devices. This applies to all IO devices
whose IO data is transmitted over a ring.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 93
I/O configuration variants
6.8 Media redundancy

Note
Before physically joining the ring together, download the configuration of your project to the
individual devices.

Topology
You can also combine media redundancy under PROFINET IO with other PROFINET IO functions.

Additional information
For additional information, refer to the STEP 7 Online Help and to Manual PROFINET System
Description (https://support.industry.siemens.com/cs/ww/en/view/19292127).

CPU 410 Process Automation

94 System Manual, 11/2022, A5E31622160-AE
System and operating states of the CPU 410 7
7.1 CPU 410 operating modes

7.1.1 RUN mode

Reaction of the CPU

If there is no startup problem or error and the CPU was able to switch to RUN, the CPU either
executes the user program or remains idle. The I/O can be accessed.
• You can read out programs from the CPU with the ES (CPU -> ES).
• You can transfer programs from the ES to the CPU (ES -> CPU).
The user program is executed by at least one CPU in the following system states:
• Stand-alone operation
• Single mode
• Link-up, update
• Redundant

Single mode, link-up, update

In the system states solo mode, link-up and update, the master CPU is in RUN and executes the
user program in stand-alone mode.

Redundant system mode

The master CPU and standby CPU are always in RUN when operating in the redundant system
state. Both CPUs execute the user program in synchronism, and perform mutual checks.
In redundant system mode it is not possible to test the user program with breakpoints.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 95
System and operating states of the CPU 410
7.1  CPU 410 operating modes

The redundant system state is only supported if the two CPUs have the same version and
firmware version. Redundancy will be lost if one of the errors listed in the following table
occurs.

Table 7-1 Causes of error leading to redundancy loss

Cause of error Reaction

Failure of one CPU Replacement of a CPU during redundant operation
(Page 215) 
Failure of the redundant link (synchronization mod‐ Replacement of synchronization module or fiber-
ule or fiber-optic cable) optic cable (Page 220) 
RAM comparison error ERROR-SEARCH mode (Page 99) 

Redundant use of modules

Redundantly used module pairs must be identical, i.e. the two modules that are redundant to
each other must have the same article number and the same product version/firmware version.

7.1.2 STOP mode

Reaction of the CPU

The CPU does not execute the user program. The output modules output 0 or - if configured - a
substitute value. The signals of the input modules are set to 0.
• You can read out programs from the CPU with the ES (CPU -> ES).
• You can transfer programs from the ES to the CPU (ES -> CPU).

Special features in redundant mode

When you download a configuration to one of the CPUs while both are in STOP operating state,
observe the points below:
• Start the CPU to which you downloaded the configuration first in order to set it up for master
mode.
• If the system start is requested by the ES, the CPU with the active connection is started first,
regardless of its master or reserve status. Then the second CPU starts up and will become the
standby CPU after link-up and update operations.
Note
A system startup may trigger a master–standby changeover.
A CPU 410 can only exit the STOP operating state with a loaded configuration.

CPU 410 Process Automation

96 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.1  CPU 410 operating modes

Memory reset
The memory reset function affects only the selected CPU. To reset both CPUs, you must reset one
and then the other.

7.1.3 STARTUP mode

Startup types
The CPU 410 distinguishes between two startup types: cold restart and warm restart.

Cold restart
• During a cold restart, all data (process image, bit memory, timers, counters and data blocks)
is reset to the start values stored in the program (load memory), regardless of whether they
were configured as retentive or non-retentive.
• The associated startup OB is OB 102
• Program execution is restarted from the beginning (OB 102 or OB 1).

Warm restart
• A warm restart resets the process image and the bit memories, timers, and counters.
All data blocks assigned the "Non Retain" attribute are reset to the start values from the load
memory.
The other data blocks retain their last valid value if buffering is active. If there is no
buffering, the values are reset to the start values from the load memory after power off/on.
• The associated startup OB is OB 100
• Program execution is restarted from the beginning (OB 100 or OB 1).

Special features in redundant mode

The special features described below apply to startup when you operate two CPUs 410
redundantly.

Startup processing by the master CPU

The startup system state is always processed by the master CPU in redundant mode.
During STARTUP, the master CPU compares the existing I/O configuration with the hardware
configuration that you created in STEP 7. If these are different, the system can only be started
up if "Startup when expected/actual configurations differ" was configured.
The master CPU checks and assigns parameters for the following:
• the switched I/O devices
• the one-sided I/O including CPs and FMs assigned to it

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 97
System and operating states of the CPU 410
7.1  CPU 410 operating modes

Startup of the standby CPU

The standby CPU startup routine does not call an OB 100 or OB 102.
The standby CPU checks and assigns parameters for the following:
• the one-sided I/O including CPs and FMs assigned to it

Special features at startup

During a Power On with battery backup of a CPU 410 with large configurations containing many
CPs and/or external DP masters, it may take up to 2 minutes until a requested warm restart is
executed. During this time, the LEDs on the CPU light up successively as follows:
1. All LEDs light up.
2. The STOP LED flashes as it does during a memory reset.
3. The RUN and STOP LEDs are flashing.
4. The RUN LED flashes briefly 2 to 3 times.
5. The STOP LED lights up.
6. The RUN LED starts flashing again.
This begins the start up.

Additional information
For detailed information on STARTUP operating state, refer to Manual Programming with STEP 7.

7.1.4 HOLD mode

The HOLD mode is for test purposes. You need to have set respective breakpoints in the user
program for this purpose. It can only be reached from the RUN mode.

Special features in redundant mode

A transition to HOLD is only available during STARTUP and in RUN in single mode. It is not possible
to set breakpoints when the fault-tolerant system is in redundant system mode. Link-up and
update operations are not available while the CPU is in HOLD mode; the standby CPU remains in
STOP which is logged in the diagnostics buffer.

7.1.5 LINK-UP and UPDATE modes

The master CPU checks and updates the memory content of the standby CPU before the fault-
tolerant system assumes redundant system mode. This is implemented in two successive
phases: link-up and update.
The master CPU is always in RUN mode and the reserve CPU is in LINK-UP or UPDATE mode
during the link-up and update phases.

CPU 410 Process Automation

98 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.1  CPU 410 operating modes

In addition to the link-up and update functions, which are carried out to establish redundant
system mode, the system also supports linking and updating in combination with master/
reserve changeover.
For detailed information on connect and updating, refer to section Link-up and update
(Page 113).

7.1.6 ERROR-SEARCH mode

The purpose of ERROR-SEARCH operating state is to find a faulty CPU. The standby CPU runs the
entire self-test; the master CPU remains in RUN. If a hardware fault is detected, the CPU switches
to DEFECTIVE mode. If no fault is detected the CPU is linked up again. The fault-tolerant system
switches back to the redundant system state.
No communication, for example through PG access, is possible with the CPU in
TROUBLESHOOTING mode. The ERROR-SEARCH operating state is indicated by the flashing
RUN and STOP LEDs, see Chapter Status and error displays (Page 37).

Note
If the master CPU changes to STOP during troubleshooting, the troubleshooting is continued on
the standby CPU. However, once troubleshooting is completed, the standby CPU does not start
up again.

The following events will trigger the ERROR-SEARCH operating state:

1. If there is a one-sided call of OB 121 in redundant operation (at only one CPU), a hardware
fault is assumed and that CPU switches to TROUBLESHOOTING mode. The other CPU
becomes master, if necessary, and continues running in solo operation.
2. If a checksum error occurs on only one CPU in redundant operation, that CPU switches to
ERROR-SEARCH operating state. The other CPU becomes master, if necessary, and continues
running in solo operation.
3. If a RAM/PAA comparison error occurs in redundant operation, the backup CPU switches to
TROUBLESHOOTING mode (default response) and the master CPU continues running in solo
mode.
A different response to a RAM/PAA comparison error can be configured (for example backup
CPU switches to STOP).
4. If a multiple-bit error occurs on a CPU in redundant operation, that CPU will switch to ERROR-
SEARCH operating state. The other CPU becomes master, if necessary, and continues running
in solo operation.
But: OB 84 is called if 2 or more single-bit errors occur on a CPU in redundant operation within
6 months. The CPU does not change to ERROR-SEARCH operating state.
5. If synchronization is lost during redundant operation, the standby CPU changes to ERROR-
SEARCH operating state. The other CPU remains master and continues running in solo
operation.
You can find additional information on the self-test in Self-test (Page 109). 

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 99
System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

7.1.7 DEFECTIVE state

If an error has occurred that cannot be automatically cleared by the operating system, the CPU
switches to the DEFECTIVE state and all LEDs flash.
The CPU switches to the DEFECTIVE state in the following cases:
• The user data is inconsistent.
• A reboot has already been carried out within the previous 24 hours.
• The event that led to the defect is preventing an automatic reboot.

CPU response following reboot

The CPU operating system tries to switch back to RUN by rebooting the CPU.
The CPU responds as follows to a reboot:
1. The CPU writes the cause of the error to the diagnostics buffer.
2. The CPU generates the current service data.
3. The CPU checks if a reboot is possible.
A reboot is not possible in the following cases:
– There is an inconsistency in the user data.
– A reboot has already been carried out within the previous 24 hours.
– The event that led to the defect is preventing an automatic reboot.
4. The CPU records the automatic reboot in the diagnostics buffers (event W#16#4309
"Memory reset launched automatically" or W#16#452B "CPU REBOOT for clearing data
inconsistency")
5. The CPU runs internal tests.
6. In a redundant system, the standby CPU links up to the master in operation.
7. In stand-alone operation and solo mode, the CPU load the backed up user program and
executes a warm restart

7.2 System states of the redundant CPU 410

7.2.1 Introduction
The S7-400H consists of two redundantly configured subsystems that are synchronized via fiber-
optic cables.
The two subsystems form a fault-tolerant automation system that operates with a dual-
channel (1-out-of-2) structure based on the "active redundancy" principle.

CPU 410 Process Automation

100 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

What does active redundancy mean?

Active redundancy means that all redundant resources are constantly in operation and
simultaneously involved in the execution of the control task.
For the S7-400H, this means that the user programs in both CPUs are identical and executed
synchronously by the two CPUs.

Convention
To identify the two subsystems, we use the traditional expressions of "master" and "standby" for
dual-channel fault-tolerant systems in this description. However, the standby runs event-
synchronized with the master at all times and not just when an error occurs.
The differentiation between the master and standby CPUs is primarily important for ensuring
reproducible fault responses. The standby goes into troubleshooting mode when RAM/PIQ
errors are detected, for example, while the master CPU remains in RUN.

Master-standby assignment
When the S7-400H is first switched on, the CPU that started up first becomes the master CPU, and
the other CPU becomes the standby CPU.
The preset master-standby assignment is retained when both CPUs power up simultaneously.
The master-standby assignment changes when:
1. The standby CPU starts up before the master CPU (interval of at least 3 s)
2. The master CPU fails or switches to STOP in the redundant system state
3. No error was found in ERROR-SEARCH operating state (see Chapter ERROR-SEARCH mode
(Page 99))
4. Programmed master-standby switchover with SFC 90 "H_CTRL"
5. The sequence of a system modification during operation
6. A firmware update in RUN mode
7. Switch to CPU with modified configuration
8. Switching to a CPU with modified operating system
9. Switching to a CPU using only one intact redundant link
10.Switching to a CPU with modified PO limit

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 101
System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

Synchronizing the subsystems

The master and standby CPUs are linked by fiber-optic cables. Both CPUs maintain event-
synchronous program execution via this connection.

Subsystem(CPU0) Subsystem(CPU1)

Synchronization

Figure 7-1 Synchronizing the subsystems

Synchronization is performed automatically by the operating system and has no effect on the
user program. You create your program in the same way as for standard S7-400 CPUs.

Event-driven synchronization procedure

The "event-driven synchronization" procedure patented by Siemens was used for the S7-400H.
Event-driven synchronization means that the master and standby always synchronize their
data when an event occurs which may lead to different internal states of the subsystems.
Such events include, for example, alarms or changes of data through communication
functions.

Continued bumpless operation even if redundancy of a CPU is lost

Event-driven synchronization ensures bumpless continuation of operation by the standby CPU
even if the master CPU fails. The inputs and outputs do not lose their values during the master-
standby switchover.

Self-test
Malfunctions or errors must be detected, localized and reported as quickly as possible. Extensive
self-test functions have therefore been implemented in the S7-400H that run automatically and
entirely in the background.
The following components and functions are tested:
• Coupling of the central controllers
• Processor
• Internal memory of the CPU
• I/O bus
If the self-test detects an error, the fault-tolerant system tries to eliminate it or to suppress its
effects.
A description of the self-test is available in Chapter Self-test (Page 109).

CPU 410 Process Automation

102 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

System operation without STOP

To best meet the requirements of the process industry for system operation without STOP,
SIMATIC PCS 7 intercepts as many possible STOP causes as possible. The CPU 410 was enhanced
such that it, as a redundant system, automatically achieves the RUN redundant operating state
over and over again if possible. A change in the operating mode is only possible through an
engineering system command. The diagnostic information always indicates the RUN switch
position.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 103
System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

7.2.2 The system states of the fault-tolerant system

The system states of the fault-tolerant system result from the operating states of the two CPUs.
The term "system state" is used as a simplified term which identifies the concurrent operating
states of the two CPUs.
Example: Instead of "the master CPU is in RUN and the standby CPU is in LINK-UP mode", we
use "the fault-tolerant system" is in the "link-up" system state.

Overview of system states

The table below provides an overview of the possible states of the fault-tolerant system.

Table 7-2 Overview of system states of the fault-tolerant system

System states of the fault-toler‐ Operating states of the two CPUs

ant system
  Master Standby
STOP STOP STOP, power off, DEFECTIVE
STARTUP STARTUP STOP, power off, DEFECTIVE, no syn‐
chronization
Single mode RUN STOP, ERROR-SEARCH, power off, DE‐
FECTIVE, no synchronization
Link-up RUN STARTUP, LINK-UP
Update RUN UPDATE
Redundant RUN RUN
HOLD HOLD STOP, ERROR-SEARCH, power off, DE‐
FECTIVE, no synchronization

7.2.3 Displaying and changing the system state of a fault-tolerant system

Procedure:
1. Select a CPU in SIMATIC Manager.
2. Select the menu command PLC > Diagnostics/Setting >Operating state.

Note
STOP is only possible with authorization in projects with password protection.

Result:
The "Operating state" dialog box shows the current system state of the fault-tolerant system and
the operating states of the individual central processing units.
The CPU that was selected in SIMATIC Manager when the menu command was executed is
the first one displayed in the table.

CPU 410 Process Automation

104 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

Changing the system state:

The options of changing the system state depend on the current system state of the fault-
tolerant system.

7.2.4 System status change from the STOP system state

Requirement
You have selected one of the two CPUs in SIMATIC Manager and opened the "Operating state"
dialog box using the PLC > Diagnostics/Setting > Operating state menu command.

Changing to redundant system mode (starting the fault-tolerant system)

1. Select the fault-tolerant system in the table.
2. Select the Restart button (warm restart).

Result:
The CPU displayed first in the table starts up as master CPU. Then the second CPU starts up and
will become the standby CPU after link-up and update operations.

Changing to standalone mode (starting only one CPU)

1. In the table, select the CPU you want to start up.
2. Select the Restart button (warm restart).

7.2.5 System status change from the standalone mode system status

Requirements:
• For CPU access protection with password: You have entered the CPU access password with
the menu command PLC > Access Rights > Setup in SIMATIC Manager.
• You have opened the "Operating state" dialog box using the PLC > Diagnostics/Setting >
Operating state menu command in SIMATIC Manager.
• The standby CPU is not in ERROR-SEARCH operating state.

Changing to redundant system state (starting the standby CPU)

1. In the table, select the CPU that is in STOP, or the fault-tolerant system.
2. Select the Restart button (warm restart).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 105
System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

Changing to system status STOP (stopping the running CPU)

1. In the table, select the CPU that is in RUN, or the fault-tolerant system.
2. Select the STOP button.

Note
Any set up access right is not canceled until you stop the SIMATIC Manager. You should reset the
access right once again to prevent unauthorized access. You reset the access right in the SIMATIC
Manager with the menu command PLC > Access Rights > Cancel.

7.2.6 System status change from the redundant system state

Requirement:
• For CPU access protection with password: You have entered the CPU access password with
the menu command PLC > Access Rights > Setup in SIMATIC Manager.
• You have opened the "Operating state" dialog box using the PLC > Diagnostics/Setting >
Operating state menu command in SIMATIC Manager.

Changing to STOP system state (stopping the fault-tolerant system)

1. Select the fault-tolerant system in the table.
2. Select the Stop button.

Result
Both CPUs switch to STOP.

Changing to standalone mode (stop of one CPU)

1. In the table, select the CPU that you want to stop.
2. Select the Stop button.

Result:
The selected CPU goes into the STOP state, while the other CPU remains in RUN state; the fault-
tolerant system continues operating in standalone mode.

Note
Any set up access right is not canceled until you stop the SIMATIC Manager. You should reset the
access right once again to prevent unauthorized access. You reset the access right in the SIMATIC
Manager with the menu command PLC > Access Rights > Cancel.

CPU 410 Process Automation

106 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

7.2.7 System diagnostics of a fault-tolerant system

The diagnose hardware function identifies the state of the entire fault-tolerant system.

Procedure:
1. Select the fault-tolerant station in SIMATIC Manager.
2. Select the menu command PLC > Diagnostics/Setting >Diagnose hardware.
3. In the "Select CPU" dialog, select the CPU and confirm with OK.

Result:
The operating state of the selected CPU can be identified based on the display of the selected CPU
in the "Diagnose hardware" dialog:

CPU icon Operating state of the respective CPU

Master CPU is in RUN operating state

Standby CPU is in RUN operating state

Master CPU is in STOP operating state

Standby CPU is in STOP operating state

Master CPU is in STARTUP operating state

Master CPU or a module whose parameters it assigned is faulty.

Standby CPU or a module whose parameters it assigned is faulty

Maintenance required on master CPU

Maintenance required on standby CPU

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 107
System and operating states of the CPU 410
7.2 System states of the redundant CPU 410

CPU icon Operating state of the respective CPU

Maintenance request on master CPU

Maintenance request on standby CPU

Note
The view is not updated automatically in the Online view. Use the F5 function key to view the
current operating state.

CPU 410 Process Automation

108 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.3 Self-test

7.3 Self-test

Processing the self-test

The CPU executes the complete self-test program after an unbuffered POWER ON, e.g., POWER
ON after initial insertion of the CPU or POWER ON without backup battery, and in the ERROR-
SEARCH operating state.
The duration of the self-test is approximately 7 minutes.
In a fault-tolerant system, if the CPU calls for a memory reset and a buffered Power Off/On is
then carried out, the CPU performs a self-test even though it was buffered.
In RUN the operating system splits the self-test routine into several small program sections
("test slices") which are processed in multiple successive cycles. The cyclic self-test is
organized to perform a single, complete pass in a certain time. This time interval is at least
90 minutes and can be extended in the configuration to reduce the impact of the self-test
on the runtime of the user program. However, it also extends the time interval in which a
possible error is detected.

Response to errors during the self-test

If the self-test returns an error, the following happens:

Table 7-3 Response to errors during the self-test

Type of error System response

Hardware fault The faulty CPU switches to DEFECTIVE state. Fault-tolerant sys‐
tem switches to stand-alone operation.
The cause of the error is written to the diagnostics buffer.
Hardware fault, which is signaled via a The CPU with the one-sided OB 121 switches to ERROR-SEARCH.
one-sided OB 121 call Fault-tolerant system switches to stand-alone operation (see
below).
RAM/PIQ comparison error The cause of the error is written to the diagnostics buffer.
The configured system or operating state is assumed (see be‐
low).
Checksum errors The response depends on the error situation (see below).
Multiple-bit errors The faulty CPU switches to ERROR-SEARCH operating state.

Hardware fault with one-sided OB 121 call

If a hardware fault occurs that triggers a one-sided OB 121 call and this fault occurs for the first
time since the last unbuffered POWER ON, the faulty CPU switches to ERROR SEARCH operating
state. The fault-tolerant system switches to stand-alone operation. The cause of the error is
written to the diagnostics buffer.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 109
System and operating states of the CPU 410
7.3 Self-test

RAM/PIQ comparison error

If the self-test detects a RAM/PIQ comparison error, the fault-tolerant system exits redundant
operating state and the standby CPU switches to ERROR SEARCH operating state (default
setting). The cause of the error is written to the diagnostics buffer.
The response to a recurring RAM/PIQ comparison error depends on whether the error recurs
in the first self-test cycle after troubleshooting or not until later.

Table 7-4 Response to a recurring comparison error

Comparison error recurs ... Reaction

in the first self-test cycle after troubleshooting Fault-tolerant system switches to stand-alone op‐
eration.
Standby CPU switches to ERROR SEARCH and then
remains in STOP.
after two or more self-test cycles after trouble‐ Fault-tolerant system switches to stand-alone op‐
shooting eration.
Standby CPU switches to ERROR SEARCH.

Checksum errors
When a checksum error occurs for the first time since the last POWER ON without battery backup,
the system reacts as follows:

Table 7-5 Reaction to checksum errors

Time of detection System response

During the startup test after The faulty CPU switches to DEFECTIVE state.
POWER ON Fault-tolerant system remains in stand-alone operation.
In the cyclic self-test The error is corrected. The CPU remains in STOP operating state or in solo
(STOP or solo operation) operation.
In the cyclic self-test The error is corrected. The faulty CPU switches to ERROR-SEARCH oper‐
(redundant system state) ating state.
Fault-tolerant system switches to stand-alone operation.
In the The faulty CPU switches to DEFECTIVE state.
ERROR-SEARCH operating
state

The cause of the error is written to the diagnostics buffer.

In an F-system, the F-program is already signaled at the first occurrence of a checksum error
in STOP operating state or in stand-alone operation that the self-test has detected an error.

CPU 410 Process Automation

110 System Manual, 11/2022, A5E31622160-AE
 System and operating states of the CPU 410
7.3 Self-test

Hardware fault with one-sided OB 121 call, checksum error, 2nd occurrence
The response of a CPU 410 to the second occurrence of hardware faults with one-sided OB 121
call and checksum errors is as shown in the following table for the various operating modes of
a CPU 410.

Table 7-6 Hardware fault with one-sided OB 121 call, checksum error, 2nd occurrence

Error CPU in stand-alone operation/single mode CPU in redundant operation

Hardware fault with one-si‐ OB 121 is executed The faulty CPU switches to ERROR-SEARCH op‐
ded OB 121 call erating state. The fault-tolerant system
switches to stand-alone operation.
Checksum error The CPU enters the DEFECTIVE state if two er‐ The CPU enters the DEFECTIVE state if a second
rors occur within two successive test cycles error triggered by the first error event occurs in
(You configure the length of the test cycle in ERROR-SEARCH mode.
HW Config)

If a second checksum error occurs in solo or stand-alone operation after twice the test cycle
time has expired, the CPU reacts as it did on the first occurrence of the error. If a second error
(hardware fault with one-sided OB 121 call, checksum error) occurs in redundant operation
after expiration of the troubleshooting operation, the CPU responds the same as to the first
occurrence of the error.

Multiple-bit errors
If a multiple-bit error is detected during redundant operation of a fault-tolerant system, the CPU
switches to ERROR-SEARCH operating state. When troubleshooting is finished, the CPU can be
linked up and updated again, and resume redundant operation. If there is no error on the CPU
410, it switches to RUN and becomes the master. The cause of the error is signaled by the call of
OB 84.
There are some rare cases in which multiple-bit and single-bit errors can occur due to very
challenging ambient conditions. If they occur only once, they do not interfere with the
hardware. If bit errors occur frequently, however, replace the hardware.

Single-bit errors
Single-bit errors are also detected and eliminated outside the self-test. After elimination of the
error, the CPU 410 calls OB 84.

Influencing the cyclic self-test

SFC 90 "H_CTRL" allows you to influence the scope and execution of the cyclic self-test. For
example, you can remove various test components from the overall test and re-introduce them.
In addition, you can explicitly call and process specific test components.
For detailed information on SFC 90 "H_CTRL", refer to Manual System Software for
S7-300/400, System and Standard Functions.

Note
In a fail-safe system, you are not allowed to disable and then re-enable the cyclic self-tests.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 111
System and operating states of the CPU 410
7.4 Performing a memory reset

7.4 Performing a memory reset

Memory reset process in the CPU

You can perform a memory reset of the CPU from the ES. During a memory reset, the following
process occurs on the CPU:
• The CPU deletes the entire user program in the main memory.
• The CPU deletes the user program from the load memory.
• The CPU deletes all counters, bit memories, and timers, but not the time of day.
• The CPU tests its hardware.
• The CPU sets its parameters to default settings.
The LEDs behave as following during the memory reset:
1. The STOP LED flashes for about 1-2 seconds at 2 Hz.
2. All LEDs light up for approximately 10 seconds.
3. The STOP LED flashes for approximately 30 seconds at 2 Hz.
4. The RUN LED and the STOP LED flash for approximately 2 seconds at 0.5 Hz.
This operation can also take a few seconds longer depending on the utilization level of the
memory.
5. The RUN LED and the STOP LED flash for approximately 2 seconds at 0.5 Hz.
If a large data volume is being deleted, the LEDs may flash longer.
6. The STOP LED lights up permanently.

Data retained after a memory reset...

The following values are retained after a memory reset:
• The content of the diagnostic buffer
• The baud rate of the DP interface
• The parameters of the PN interfaces
– Name (NameOfStation)
– IP address of CPU
– Subnet mask
– Static SNMP parameters
• The time of day
• The status and value of the operating hours counter

CPU 410 Process Automation

112 System Manual, 11/2022, A5E31622160-AE
Link-up and update 8
8.1 Effects of link-up and updating
The link-up and update operations are indicated by the REDF LED on both CPUs. During link-up,
the LEDs flash at a frequency of 0.5 Hz, and when updating at a frequency of 2 Hz.
Link-up and update have various effects on user program execution and on communication
functions.

Table 8-1 Properties of link-up and update functions

Process Link-up Update

Execution of the user pro‐ All priority classes (OBs) are pro‐ Processing of the priority classes is de‐
gram cessed. layed section by section. All requests
are caught up with after the update.
For details, refer to the sections below.
Deleting, loading, generat‐ Blocks cannot be deleted, loa‐ Blocks cannot be deleted, loaded, cre‐
ing, and compressing of ded, created or compressed. ated or compressed.
blocks When such actions are busy,
link-up and update operations
are inhibited.
Execution of communica‐ Communication functions are Execution of the functions is restricted
tion functions, ES operation executed. section by section and delayed. All the
delayed functions are caught up with
after the update.
For details, refer to the sections below.
CPU self-test Not performed Not performed
Testing and commissioning No testing and commissioning No testing and commissioning func‐
functions, such as "Monitor/ functions are possible. tions are possible.
modify tag", "Monitor (on/ When such actions are busy,
off)". link-up and update operations
are inhibited.
Handling of connections on All connections are retained; no All connections are retained; no new
the master CPU new connections can be made. connections can be made.
Interrupted connections are not re‐
stored until the update is completed
Handling of connections on All the connections are cancel‐ All connections are already down. Can‐
the reserve CPU led; no new connections can be cellation takes place during link-up.
made. Connections of the standby are not es‐
tablished until Redundant system
state.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 113
Link-up and update
8.3 Time monitoring

8.2 Link-up and update via an ES command

Which commands you can use on the programming device to initiate a link-up and update
operation is determined by the current conditions on the master and standby CPU. The following
table shows the possible PG commands for the link-up and update in various circumstances.

Table 8-2 PG commands for link-up and update

Link-up and up‐ Firmware version Available sync Hardware version Number of
date as PG com‐ on master and connections on master and POs on system
mand: standby CPU standby CPU expansion
cards
Restart of the stand‐ Are identical 2 Are identical Are identical
by
Switching to a part‐ Are identical 2 Are identical Are identical
ner CPU with modi‐
fied configuration
Switching to a part‐ Are different 2 Are identical Are identical
ner CPU with modi‐
fied operating sys‐
tem
Switching to a part‐ Are identical 2 Are different Are identical
ner CPU with modi‐
fied hardware prod‐
uct version
Switching to a part‐ Are identical 1 Are identical Are identical
ner CPU using only
one intact redun‐
dant link
Switching to a part‐ Are identical 2 Are identical Are different
ner CPU with modi‐
fied PO limit

8.3 Time monitoring

Program execution is interrupted for a certain time during updating. This section is relevant to
you if this period is critical in your process. If this is the case, configure one of the monitoring
times described below.
During updating, the fault-tolerant system monitors the cycle time extension,
communication delay and inhibit time for priority classes > 15 in order to ensure that
their configured maximum values are not exceeded, and that the configured minimum I/O
retention time is maintained.
You made allowances for the technological requirements in your configuration of monitoring
times.

CPU 410 Process Automation

114 System Manual, 11/2022, A5E31622160-AE
 Link-up and update
8.3 Time monitoring

The monitoring times are described in detail below.

• Maximum cycle time extension
– Cycle time extension: The time during the update in which neither OB 1 nor any other OBs
up to priority class 15 are executed. "Normal" cycle time monitoring is disabled within this
time span.
– Max. cycle time extension: The maximum permissible cycle time extension configured by
the user.
• Maximum communication delay
– Communication delay: The time span during the update during which no communication
functions are processed. Note: The master CPU, however, maintains all existing
communication links.
– Maximum communication delay: The maximum permissible communication delay
configured by the user.
• Maximum inhibit time for priority classes > 15
– Inhibit time for priority classes > 15: The time span during an update during which no OBs
(and thus no user program) are executed nor any I/O updates are implemented.
– Maximum inhibit time for priority classes > 15: The maximum permissible inhibit time for
priority classes > 15 configured by the user.
• Minimum I/O retention time:
This represents the interval between copying of the outputs from the master CPU to the
standby CPU, and the time of the master/standby changeover (time at which the previous
master CPU goes into STOP and the new master CPU goes into RUN). Both CPUs control the
outputs within this period, in order to prevent the I/O from going down when the system
performs an update with master/standby changeover.
The minimum I/O retention time is of particular importance when updating with master/
standby changeover.
The monitoring start times are indicated in the highlighted boxes in Figure 12-2. These
times expire when the system enters the redundant system mode or when there is a master/
standby changeover, i.e. on the transition of the new master to RUN when the update is
completed.
The figure below provides an overview of the relevant update times.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 115
Link-up and update
8.3 Time monitoring

Update:

t1 t2 t3 t4 t5
t

Minimum I/O retention time

Inhibit time for priority classes >15

Communication delay

Cycle time extension

t1: End of current OBs up to priority class 15

t2: Stop all communication functions
t3: End of watchdog interrupt OB with special handling
t4: End of copying of outputs to the standby CPU
t5: Redundant system status, or master/standby changeover

Figure 8-1 Meanings of the times relevant for updates

Response to time-outs
If one of the times monitored exceeds the configured maximum value, the following procedure
is started:
1. Cancel update
2. Fault-tolerant system remains in standalone mode, with the previous master CPU in RUN
3. Cause of cancelation is entered in diagnostic buffer
4. Call OB 72 (with corresponding start information)
The standby CPU then reevaluates its system data blocks.
Following this, after at least one minute, the CPU tries again to perform the link-up and
update. If still unsuccessful after a total of 10 retries, the CPU abandons the attempt. You
yourself will then need to start the link-up and update again.
A monitoring timeout can be caused by:
• High interrupt load (e.g. from I/O modules)
• High communication load causing prolonged execution times for active functions
• In the final update phase, the system needs to copy unusually large amounts of data to the
standby CPU.

CPU 410 Process Automation

116 System Manual, 11/2022, A5E31622160-AE
 Link-up and update
8.3 Time monitoring

8.3.1 Time response

Time response during link-up

The influence of link-up operations on your plant's control system should be kept to an absolute
minimum. The current load on your automation system is therefore a decisive factor in the
increase of link-up times. The time required for link-up is in particular determined by
• the communication load
• the cycle time
Link-up takes about 2 minutes for automation systems without load.
It can take more than one hour when there is a high load on your automation system.

Time response during updating

The transmission time during updating depends on the current changes of the process values
and the communication load.
As a simple approximation, we can interpret the maximum inhibit time to be configured for
priority classes > 15 as a function of the data volume in the work memory. The volume of
code in the work memory is irrelevant.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 117
Link-up and update
8.3 Time monitoring

8.3.2 Determining the monitoring times

Calculation using STEP 7 or formulas

STEP 7 automatically calculates the monitoring times listed below for each new configuration.
You can also calculate these times using the formulas and procedures described below. They are
equivalent to the formulas provided in STEP 7.
• Maximum cycle time extension
• Maximum communication delay
• Maximum inhibit time for priority classes
• Minimum I/O retention time
You can also start automatic calculation of monitoring times in HW Config in CPU Properties >
H Parameters.

Monitoring time accuracy

Note
The monitoring times determined by STEP 7 or by using formulas merely represent
recommended values.

These times are based on a fault-tolerant system with two communication peers and an
average communication load.
Your system profile may differ considerably from those scenarios, therefore the following
rules must be observed.
• A high communication load can significantly increase cycle time.
• Any modification of the system in operation may lead to a significant increase in cycle times.
• Any increase in the number of programs executed in priority classes > 15 (in particular
processing of communication blocks) increases the delay in communication and extends the
cycle time.
• You can even undercut the calculated monitoring times in small plants with high-
performance requirements.

Configuration of the monitoring times

When configuring monitoring times, always make allowances for the following dependencies;
conformity is checked by STEP 7:
Maximum cycle time extension
> maximum communication delay
> (maximum inhibit time for priority classes > 15)
> minimum I/O retention time
If you have configured different monitoring times in the CPUs and perform a link-up and
update operation with master/standby changeover, the system always applies the higher of
the two values.

CPU 410 Process Automation

118 System Manual, 11/2022, A5E31622160-AE
 Link-up and update
8.3 Time monitoring

Calculating the minimum I/O retention time (TPH)

The following applies to the calculation of the minimum I/O retention time:
• With central I/O: TPH = 30 ms
• For distributed I/O (PROFIBUS DP): TPH = 3 x TTRmax
Where TTRmax = maximum target rotation time
of all DP master systems of the fault-tolerant station
• For distributed I/O (PROFINET IO): TPH = Twd_max
with Twd_max = maximum cyclic interrupt time (product of WD factor and update time) of a
switched device in all IO subsystems of the fault-tolerant station
When using central and distributed I/O, the resultant minimum I/O retention time is:
TPH = MAX (30 ms, 3 x TTRmax , Twd_max)
The following figure shows the correlation between the minimum I/O retention time and the
maximum inhibit time for priority classes > 15.

Master copies
outputs: 50 ms
Maximum inhibit time for
Minimum I/O priority classes > 15
retention time

Figure 8-2 Correlation between the minimum I/O retention time and the maximum inhibit time for
priority classes > 15

Note the following condition:

50 ms + minimum I/O retention time ≤ 
(maximum inhibit time for priority classes > 15)
It follows that a high minimum I/O retention time can determine the maximum inhibit time
for priority classes > 15.

Calculating the maximum inhibit time for priority classes > 15 (TP15)

The maximum inhibit time for priority classes > 15 is determined by 4 main factors:
• As shown in Figure 12-2, all the contents of data blocks modified since last copied to the
standby CPU are once again transferred to the standby CPU on completion of the update. The
number and structure of the data blocks that you write in the high-priority priority classes
determines the duration of this operation and thus the maximum disabling time for priority
classes > 15. You receive a notice in the case of the remedies specified below.
• In the last phase of the update, all OBs are delayed or disabled. To prevent the maximum
disabling time for priority classes > 15 from being extended unnecessarily due to unfavorable
programming, you process the most time-critical I/O components in a selected cyclic
interrupt. This is particularly relevant in fail-safe user programs. You can define this cyclic
interrupt in your configuration. It is then executed again right after the start of the maximum
disabling time for priority classes > 15, provided you have assigned it a priority class > 15.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 119
Link-up and update
8.3 Time monitoring

• For connecting and updating with a master/reserve changeover (see section Link-up

sequence (Page 334)), the active communication channel must be changed over for the
switched DP devices and the switched IO devices after the update. This operation prolongs
the time within which valid values can neither be read nor output. How long this process
takes is determined by your hardware configuration.
• The technological conditions in your process also decide how long an I/O update can be
delayed. This is particularly important in time-monitored processes in fail-safe systems.
Note
For details, refer to Manual S7-400F and S7-400FH Automation Systems and Manual S7-300
Automation Systems, Fail-safe Signal Modules. This applies in particular to the internal
execution times of fail-safe modules.

1. Based on the bus parameters in STEP 7, determine the following for each DP master system:
– TTR for the DP master system
– DP changeover time (referred to below as TDP_UM)
2. From the STEP 7 configuration, determine the following for each IO subsystem:
– Maximum update time of the IO subsystem (referred to below as Tmax_Akt)
– PN changeover time (referred to below as TPN_UM)
3. Based on the technical specifications for the switched DP devices, determine the following for
the DP master system:
– Maximum switchover time for the active communication channel
(referred to below as TDEVICE_UM).
4. Based on the technical specifications of the switched PN devices, determine the following for
each IO subsystem:
– Maximum switchover time for the active communication channel (referred to below as
TDevice_UM ).
5. Based on the technological specifications of your system, determine the following:
– Maximum permissible time during which there is no update of your I/O modules (referred
to below as TPTO).
6. Based on your user program, determine the following:
– Cycle time of the highest-priority or selected (see above) cyclic interrupt (TWA)
– Execution time of your program in this cyclic interrupt (TPROG)
7. For each DP master system this results in:
TP15 (DP master system) = TPTO - (2 x TTR + TWA + TPROG + TDP_UM + TDEVICE_UM) [1]
8. For each IO subsystem, this results in:
TP15 (IO subsystem) = TPTO - (2 x Tmax_Akt + TWA + TPROG + TPN_UM + TDevice_UM) [1]
Note
If TP15(DP master system) < 0 or TP15(IO subsystem) < 0, stop the calculation here. Possible
remedies are shown below the following example calculation. Make appropriate changes
and then restart the calculation at 1.

CPU 410 Process Automation

120 System Manual, 11/2022, A5E31622160-AE
 Link-up and update
8.3 Time monitoring

9. Select the minimum value from all TP15 (DP master system, IO subsystem) values.
This time is referred to below as TP15_HW.
10.Determine the share of the maximum inhibit time for I/O classes > 15 that is required by the
minimum I/O retention time (TP15_OD):
TP15_OD = 50 ms + min. I/O retention time [2]
Note
If TP15_OD > TP15_HW, stop the calculation here. Possible remedies are shown below the following
example calculation. Make appropriate changes and then restart the calculation at 1.

11.Using the information in Chapter Performance values for link-up and update
(Page 124), calculate the share of the maximum inhibit time for priority classes > 15 that is
required by the user program (TP15_AWP).
Note
If TP15_AWP > TP15_HW, stop the calculation here. Possible remedies are shown below the
following example calculation. Make appropriate changes and then restart the calculation at
1.

12.The recommended value for the maximum inhibit time for priority classes > 15 is now
obtained from:
TP15 = MAX (TP15_AWP, TP15_OD) [3]

Example of the calculation of TP15

In the next steps, we take an existing system configuration and define the maximum permitted
time span of an update, during which the operating system does not execute any programs or
I/O updates.
There are two DP master systems and one IO subsystem: DP master system_1 is connected
via the DP interface of the CPU, and DP master system_2 is connected to the CPU via an
external DP master interface. The IO subsystem is connected via the integrated Ethernet
interface.
1. Based on the bus parameters in STEP 7:
TTR_1 = 25 ms
TTR_2 = 30 ms
TDP_UM_1 = 100 ms
TDP_UM_2 = 80 ms
2. Based on the configuration in STEP 7:
Tmax_Akt  = 8 ms
TPN_UM = 110 ms
3. Based on the technical specifications of the DP devices used:
TDEVICE_UM_1 = 30 ms
TDEVICE_UM_2 = 50 ms
4. Based on the technical specifications of the PN devices used:
TDevice_UM = 20 ms

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 121
Link-up and update
8.3 Time monitoring

5. Based on the technological settings of your system:

TPTO_1 = 1250 ms
TPTO_2 = 1200 ms
TPTO_PN = 1000 ms
6. Based on the user program:
TWA = 300 ms
TPROG = 50 ms
7. Based on the formula [1]:
TP15 (DP master system_1)
= 1250 ms - (2 x 25 ms + 300 ms + 50 ms + 100 ms + 30 ms) = 720 ms
TP15 (DP master system_2)
= 1200 ms - (2 x 30 ms + 300 ms + 50 ms + 80 ms + 50 ms) = 660 ms
8. Based on the formula [1]:
TP15 (IO subsystem)
= 1200 ms - (2 x 8 ms + 300 ms + 50 ms + 110 ms + 20 ms) = 704 ms
Check: Since TP15 > 0, continue with
1. TP15_HW = MIN (720 ms, 660 ms, 704 ms) = 660 ms
2. Based on the formula [2]:
TP15_OD = 50 ms + TPH = 50 ms + 90 ms = 140 ms
Check: Since TP15_OD = 140 ms < TP15_HW = 660 ms, continue with
1. Based on section Performance values for link-up and update (Page 124) with 170 KB of user
program data:
TP15_AWP = 194 ms
Check: Since TP15_AWP = 194 ms < TP15_HW = 660 ms, continue with
1. Based on formula [3], we obtain the recommended max. inhibit time for priority classes > 15:
TP15 = MAX (194 ms, 140 ms) 
TP15 = 194 ms
This means that by setting a maximum inhibit time of 194 ms for priority classes > 15 in
STEP 7, you ensure that any signal changes during the update are detected with a signal
duration of 1250 ms or 1200 ms.

Remedies if it is not possible to calculate TP15

If no recommendation results from calculating the maximum disabling time for priority
classes > 15, you can remedy this by taking various measures:
• Reduce the cyclic interrupt cycle of the configured cyclic interrupt.
• If TTR times are particularly high, distribute the devices across several DP master systems.
• Reduce the maximum update time of switched devices on the IO system, if possible.
• Increase the baud rate on the affected DP master systems.
• Configure the DP/PA links and Y links in separate DP master systems.
• If you have DP devices with significantly different switchover times and, thus, significantly
different TPTO values, distribute these devices across several DP master systems.

CPU 410 Process Automation

122 System Manual, 11/2022, A5E31622160-AE
 Link-up and update
8.3 Time monitoring

• If you do not expect any significant load caused by interrupts or parameter assignments in the
various DP master systems, you can also reduce the calculated TTR times by around 20% to
30%. However, this increases the risk of a station failure in the distributed I/O.
• Time TP15_AWP represents a guideline and depends on your program structure. You can reduce
this time, for example, through the following measures:
– Save data that changes often in different DBs than data that does not change as often.
– Specify a smaller DB sizes in the work memory.
If you reduce the time TP15_AWP without taking the measures described, you run the risk that
the update operation will be canceled due to a monitoring timeout.

Calculation of the maximum communication delay

Use the following formula:
Maximum communication delay = 
4 x (maximum inhibit time for priority classes > 15)
Decisive factors for determining this time are the process status and the communication load
in your system. This can be understood as the absolute load or as the load relative to the size
of your user program. You may have to adjust this time.

Calculation of the maximum cycle time extension

Use the following formula:
Maximum cycle time extension = 
10 x (maximum inhibit time for priority classes > 15)
Decisive factors for determining this time are the process status and the communication load
in your system. This can be understood as the absolute load or as the load relative to the size
of your user program. You may have to adjust this time.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 123
Link-up and update
8.3 Time monitoring

8.3.3 Performance values for link-up and update

User program share TP15_AWP of the maximum inhibit time for priority classes > 15
The user program share TP15_AWP of the maximum inhibit time for priority classes > 15 can be
calculated using the following formula:
TP15_AWP in ms = 0.7 x size of DBs in work memory in KB + 75
The table below shows the derived times for some typical values in work memory data.

Table 8-3 Typical values for the user program part

Work memory data TP15_AWP

500 KB 220 ms
1 MB 400 ms
2 MB 0.8 s
5 MB 1.8 s
10 MB 3.6 s

The following assumptions were made for this formula:

• 80% of the data blocks are modified prior to delaying the interrupts of priority classes > 15.
In particular for fail-safe systems, this calculated value must be more precise to avoid any
timeout of driver blocks (see section Determining the monitoring times (Page 118)).
• For active or queued communication functions, allowance is made for an update time of
approximately 100 ms per MB in the work memory occupied by data blocks.
Depending on the communication load of your automation system, you will need to add or
deduct a value when you set TP15_AWP.

8.3.4 Influences on time response

The period during which no I/O updates take place is primarily determined by the following
influencing factors:
• The number and size of data blocks modified during the update
• The number of instances of SFBs in S7 communication and of SFBs for generating block-
specific messages
• System modifications during operation
• Configuration of the distributed I/O with PROFIBUS DP (as the baud rate decreases and the
device count increases, the time required to update the I/O increases).
• Configuration of the distributed I/O with PROFINET IO (as the update time and device count
increase, the time required to update the I/O increases).
In the worst case, this period is extended by the following amounts:
• Maximum cyclic interrupt used
• Duration of all cyclic interrupt OBs
• Duration of high-priority interrupt OBs executed until the start of interrupt delays

CPU 410 Process Automation

124 System Manual, 11/2022, A5E31622160-AE
 Link-up and update
8.4 Special features in link-up and update operations

8.4 Special features in link-up and update operations

Requirement for input signals during the update

Any process signals read previously are retained and not included in the update. The CPU only
recognizes changes of process signals during the update if the changed signal state remains
after the update is completed.
The CPU does not detect pulses (signal transitions "0 → 1 → 0" or "1 → 0 →1") which are
generated during the update.
You should therefore ensure that the interval between two signal transitions (pulse period) is
always greater than the required update period.

Communication links and functions

Connections on the master CPU are not be shut down. However, associated communication jobs
are not executed during updates. They are queued for execution as soon as one of the following
cases occurs:
• The update is completed, and the system is in the redundant state.
• The update and master/standby changeover are completed, the system is in solo operation.
• The update was canceled (e.g., due to timeout), and the system has returned to solo
operation.
An initial call of communication blocks is not possible during the update.

Memory reset request on cancelation of link-up

If the link-up operation is canceled while the content of load memory is being copied from the
master to the standby CPU, the standby CPU requests a memory reset. This indicated in the
diagnostics buffer by event ID W#16#6523.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 125
Link-up and update
8.4 Special features in link-up and update operations

CPU 410 Process Automation

126 System Manual, 11/2022, A5E31622160-AE
Special functions of the CPU 410 9
9.1 Security functions of the CPU 410

Automation system protection

The CPU 410 has a range of functions with which you can protect your automation system.
• Signed firmware:
The firmware of the CPU 410 has a signature to detect manipulations on the CPU itself. If
firmware with errors in its signature is loaded, the CPU 410 rejects the firmware update.
• Protection level:
A number of different protection levels regulate access to the CPU. See Security levels
(Page 128)
• SysLogEvents:
Security-related changes to the CPU can be sent to one or more SIEM systems as SysLogEvent;
see Security event logging (Page 130)
• Field Interface Security:
If an interface of the CPU is only used for connecting field devices, access for other devices at
the interface can be prevented; see Field Interface Security (Page 132)
• Support of "Block Privacy":
Blocks can be encrypted with a password using the STEP 7 "Block Privacy". The CPU 410
supports this function and can therefore process protected blocks; see Access-protected
blocks (Page 133)
There are also additional products in the SIMATIC range for increasing the security of your
automation system. For connection to the plant bus or third-party systems, for example,
the CP443-1 Advanced can be used to protect communications connections in particular.
With a combination of different security measures such as firewall, NAT/NAPT router and VPN
(Virtual Private Network) over IPsec tunnel, the CP443-1 Advanced protects individual devices
or entire automation cells from unauthorized access.

Reference
You can find additional information about Industrial Security in the introduction in Security
information (Page 14).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 127
Special functions of the CPU 410
9.2 Security levels

9.2 Security levels

You can define a protection level for your project in order to prevent unauthorized access to the
CPU programs. The objective of these protection level settings is to grant a user access to
specific programming device functions which are not protected by password, and to allow that
user to execute those functions on the CPU.

Setting protection levels

You can set the CPU protection levels 1 to 3 in HW Config.
The following table shows the protection levels of a CPU.

Table 9-1 Protection levels of a CPU

CPU function Protection level 1 Protection level 2 Protection level 3

Display of list of blocks Access granted Access granted Access granted
Monitor variables Access granted Access granted Access granted
Module status STACKS Access granted Access granted Access granted
Operator control and monitoring functions Access granted Access granted Access granted
S7 communication Access granted Access granted Access granted
Read time of day Access granted Access granted Access granted
Set time of day Access granted Access granted Access granted
Block status Access granted Access granted Password required
Load in PG Access granted Access granted Password required
Controlling selection Access granted Password required Password required
Modify variable Access granted Password required Password required
Breakpoint Access granted Password required Password required
Clear breakpoint Access granted Password required Password required
Stop a CPU or the system Access granted *
Password required Password required
Load in CPU Access granted * Password required Password required
Delete blocks Access granted *
Password required Password required
Compress memory Access granted * Password required Password required
Memory reset Access granted *
Password required Password required
Firmware update Access granted *
Password required Password required
*
A password is required if the program has a safety program.

Note
Any set up access right is not canceled until you stop the SIMATIC Manager. You should reset the
access right once again to prevent unauthorized access. You reset the access right in the SIMATIC
Manager with the menu command PLC > Access Rights > Cancel.

CPU 410 Process Automation

128 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.2 Security levels

Setting the protection level with SFC 109 "PROTECT"

You can set the following protection levels on your CPU with SFC 109:
• SFC 109 call with MODE=0: Setting the protection level 1. If the password legitimization is
locked, the lock is canceled by calling SFC 109 with MODE=0.
• SFC 109 call with MODE=1: Setting of protection level 2 with password legitimization. This
means you can cancel the write protection set with SFC 109 if you know the valid password.
The SFC 109 call with MODE=1 overrides any existing lock of password legitimization.
• SFC 109 call with MODE=12: Setting of protection level 3 without password legitimization.
This means you cannot cancel the write and read protection set with SFC 109 even if you
know the valid password. If a legitimate connection exists when you call SFC-109 with
MODE=12, the SFC-109 call has no effect on this connection.

Note
Setting a lower protection level
You can use SFC 109 "PROTECT" to set a lower protection level than the one you configured with
HW Config.

NOTICE
Use SFC 109 only with existing protection level
Only use SFC 109 if you have configured protection levels in HW Config.

Additional aspects
• Both fault-tolerant CPUs of a fault-tolerant system can have different protection levels in
STOP.
• The protection level is transferred from the master to the standby during link-up/update
operations.
• The set protection levels of both fault-tolerant CPUs are retained if you make modifications
to the plant during operation.
• The protection level is transferred to the target CPU in the following cases:
– Switch to CPU with modified configuration
– Switching to a CPU with modified PO limit
– Switching to a CPU with modified operating system
– Switching to a CPU using only one intact redundant link

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 129
Special functions of the CPU 410
9.3 Security event logging

9.3 Security event logging

Security events
The CPU 410 supports security events according to IEC 62443-3-3. The security events can be
sent from the CPU in syslog frames to up to four external SIEM servers (Security Information and
Event Management). If an external SIEM server can be accessed, the CPU 410 stores up to 3200
events in the work memory. If more than 3200 security events occur, the oldest events are
overwritten.
You can store security events as a text file using Simatic Manager -> PLC -> Save Security
Events.

Parameter description
The entries in the saved text file are structured as follows:

CEF parameter Key name Meaning

CEF CEF  0
Manufacturer   Siemens AG
Device   e.g.: CPU 410-5H
Version   e.g.: V8.2.0
Event ID   Corresponds to Security Event ID (see below)
Event   Security Event
(textual name of the signature ID)
Priority   1: Alarm (A)
This situation requires immediate action.
3: Error (E)
Correctable error in general.
5: Note (N)
A situation has occurred that could require targeted action.
6: Information (I)
Message during runtime
Protection level protlevel Set protection level 0 or 1 to 3, CPU-specific
Start time start Time stamp for occurrence of the event
Format: MMM dd yyyy HH:mm:ss.SSS
Operating mode (optional) opmod Operating mode of the CPU (e.g. STOP)
Reason reason Byte-encoded origin of the event
(optional)

CPU 410 Process Automation

130 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.3 Security event logging

CEF parameter Key name Meaning

Connection parameters   The following parameters are summarized under the term "Connection pa‐
(optional) rameters":
• Connection_id, Session ID
• Protocol
• Application protocol
• Connection type
• Gateway session ID
• Source addresses
– Source IP address
– Source MAC address
– SourcePort
– Source tsap id
– Source subnet id
– Source Profibus address
– Source C-bus rack number
– Source C-bus slot number
• Destination addresses
– Destination IP address
– Destination MAC address
– Destination port
– Destination tsap id
– Destination subnet id
– Destination Profibus address
– Destination K bus rack number
– Destination C-bus slot number
Status (optional) status Contains the number of overwritten unsent security events

Note
You can request the details of specific encodings from Customer Support.

Events
The following table provides an overview of the individual events.

Security Event Security Event Severity meaning

event ID  
 
3 SE_NETWORK_SUCCESSFUL_LOGON Connection established with correct authentication
4 SE_NETWORK_UNSUCCESSFUL_LOGON Error occurred during logon.
Incorrect password or logon not currently possible (due to AaA)
5 SE_LOGOFF Cancel logon
11 SE_ACCESS_PWD_ENSABLED Password protection was set up

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 131
Special functions of the CPU 410
9.4 Field Interface Security

Security Event Security Event Severity meaning

event ID  
 
12 SE_ACCESS_PWD_DISABLED Password protection was revoked
13 SE_ACCESS_PWD_CHANGED Password has been changed.
20 SE_ACCESS_DENIED A connection setup from the outside is rejected because Field
Interface Security is activated for this interface
71 SE_SOFTWARE_INTEGRITY_CHECK_FAILED An attempt was made to install invalid firmware.
75 SE_SESSION_CLOSED Connection closed
94 SE_SECURITY_CONFIGURATION_CHANGED The CPU security settings have been changed.
95 SE_SESSION_ESTABLISHED Connection established
96 SE_CFG_DATA_CHANGED A configuration change was made
97 SE_USER_PROGRAM_CHANGED A PCS 7 user program change has been transferred
98 SE_OPMOD_CHANGED Operating state changed
99 SE_FIRMWARE_LOADED A firmware change has been downloaded.
100 SE_FIRMWARE_ACTIVATED The previously downloaded firmware change has been activa‐
ted.
101 SE_SYSTEMTIME_CHANGED The time of day has been reset.

Note
You can request the details of specific encodings from Customer Support.

Procedure
You can configure the sending of security events in HW Config as follows:
• Send Yes/No, common switch for all messages
• IP address of the SIEM server. You can specify two different IP addresses.
• The port number on the SIEM server
• You can assign a maximum of 4 IP addresses per station and assign all 4 IP addresses to one
interface (X5, X8).

9.4 Field Interface Security

Activating additional protection at the DP or PNIO interface

If want to prevent access to the CPU over the DP or PNIO interface, you can block that access.
To achieve the greatest possible protection from unauthorized access, you can disable all
functions that are not required for the actual automation task. For the IO interfaces (DP and
PN), this means that all incoming connection requests are rejected.
You can prevent an incoming connection attempt for each interface with the setting "Activate
additional protection at the interface (Field Interface Security)" in HW Config. This prevents

CPU 410 Process Automation

132 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.5 Access-protected blocks

any connections being established by external bus nodes. All requests are then rejected. The
connections required for IO operation are still established from the CPU

Features of disable
• If you have set a disable for a specific interface, connections that have already been
established passively over this interface will be terminated. This applies for all connection
types.
• If an incoming connection is rejected because a disable is set, a security event (SysLog) is
generated.
• A T_CONNECT for a passive connection (ISOonTCP or TCP) is canceled and an error output at
a disabled interface.
• The receipt of UDP message frames (TURCV, both active and passive) is not possible at a
blocked interface. TURCV is canceled and an error output.
• The disable applies irrespective of the CPU protective levels.
• For configured H connections with individual partial connections both over X5 and over X8,
the partial connections are terminated.

9.5 Access-protected blocks

S7-Block Privacy
The STEP 7 add-on package S7-Block Privacy can be used to protect the functions and function
blocks against unauthorized access.
Observe the following information when using S7-Block Privacy:
• S7-Block Privacy is operated by means of shortcut menus. To view a specific menu help, press
the "F1" function key.
• You can no longer edit protected blocks in STEP 7. Moreover, testing and commissioning
functions such as "Monitor blocks" or breakpoints are no longer available. Only the interfaces
of the protected block remain visible.
• Protected blocks can only be released again for editing if you have the correct key and the
corresponding decompilation information included in your package. Make sure that the key
is always kept in a safe place.
• If your project contains sources, you can use these to restore the protected blocks by means
of compilation. The S7-Block Privacy sources can be removed from the project.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 133
Special functions of the CPU 410
9.6 Retentive load memory

Note
Memory requirements
Each protected block with decompilation information occupies 232 additional bytes in load
memory.
Each protected block without decompilation information occupies 160 additional bytes in load
memory.

Note
Extended runtimes
The startup time of the CPU at power on, the loading time of blocks and the startup after a
system modification at runtime may be significantly prolonged.
To optimize additional time requirements, it is best practice to protect one large block instead of
many small blocks.

Additional information
For additional information, refer to "S7 block privacy" in the STEP 7 Online Help.

9.6 Retentive load memory

Retentivity of the user program

The load memory is retentive starting from Version 8.2. All blocks are available again after Power
On/Off even if you do not use a backup battery. With the CFC in SIMATIC PCS 7 V9.0 or higher, you
can additionally back up all contents of data blocks from the work memory. The data blocks in
the load memory are then overwritten with the current values from the work memory.
As a result, the user program is retained in the CPU after an unbuffered Power Off. Power
failures are ridden through. The user program, the configuration and the parameters set in
data blocks retain their state at the last backup.

Note
If you want to operate the CPU 410 without a backup battery, you must switch off the buffer
monitoring on the power supply. Otherwise, the CPU remains in STOP when powering up after
Power On and does not switch automatically to RUN.

Without a backup battery, the following data is not buffered:

• Diagnostic buffer
• Security event buffer
• Date and time
• Process image

CPU 410 Process Automation

134 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.7  Type update with interface change in RUN

• Data blocks that were not backed up to the load memory with CFC
• Data blocks created by the program (CREATE_DB instruction)
• Operating hours counter
• Bit memory
• Timers
• Counters

CAUTION
Caution when replacing a CPU
If you reuse a CPU that has previously been used at a different location, ensure that the contents
backed up in the load memory cannot pose a hazard at the new point of use.
Reset the CPU to factory settings if its previous use is unknown.

Buffering with a battery

If you are using one or two backup batteries in the power supply module and the power supply
module is switched off or the supply voltage in the CPU and configurable modules fails, the set
parameters and the memory content (RAM) will be buffered via the backplane bus as long as
there is still battery capacity.

9.7 Type update with interface change in RUN

Overview
The S7-410 automation system supports the type update with interface change in RUN.
Gives you the option to update the instances at block types after an interface change and
download the update to the PLC in RUN.
You will find more detailed information on this topic in the Process Control System PCS 7, CFC
for SIMATIC S7 manual.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 135
Special functions of the CPU 410
9.8 Resetting the CPU 410 to delivery condition (reset to factory setting)

9.8 Resetting the CPU 410 to delivery condition (reset to factory

setting)

CPU factory settings

A general memory reset is performed when you reset the CPU to its factory settings and the
properties of the CPU are set to the following values:

Table 9-2 CPU properties in the factory settings

Properties Value
Contents of the diagnostics buffer Empty
IP parameters None
SNMP parameters Default values
Operating hours counter 0 without battery backup
Contents of the load memory Empty

Procedure
Proceed as follows to reset a CPU to its factory settings:
1. Switch off the line voltage.
2. Switch on the line voltage while pressing and holding down the Reset button.
3. Wait until LED lamp image 1 from the subsequent overview is displayed. In this lamp pattern,
INTF flashes at 0.5 Hz. EXTF, BUSxF, MAINT, IFMxF, RUN, and STOP remain unlit.
4. Wait until LED lamp image 2 from the subsequent overview is displayed. In this LED pattern,
INTF is lit. EXTF, BUSxF, MAINT, IFMxF, RUN, and STOP remain unlit.
5. The CPU performs a memory reset and the STOP LED flashes at 2 Hz.
The CPU is now reset to its factory settings. It starts up and switches to STOP operating state
or links up. The event "Reset to factory setting" is entered in the diagnostics buffer.

LED patterns during CPU reset

While you are resetting the CPU to its factory settings, the LEDs light up consecutively in the
following LED patterns:

Table 9-3 LED patterns

LED LED pattern 1 LED pattern 2

INTF Flashes at 0.5 Hz Lit
EXTF Dark Dark
BUSxF Dark Dark
MAINT Dark Dark
IFMxF Dark Dark
RUN Dark Dark
STOP Dark Dark

CPU 410 Process Automation

136 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.10 Response to fault detection

9.9 Reset during operation

CPU operating state

The following procedure references the RED or RUN RED operating state.

Note
If you perform a reset to prevent a malfunction of the CPU, you should read out the diagnostics
buffer and the service data before the reset with the menu command "PLC -> Save service data".

Reset procedure during operation

Press and hold down the Reset button for 5 seconds. The CPU generates the current service data
and writes the event W#16#4308 ("Memory reset started by switch operation") to the
diagnostics buffer. The CPU then switches back to RUN.

Reset in stand-alone operation with restart

Note
During Power On with battery backup of a fault-tolerant system with large configurations, many
CPs and/or external DP masters, it may take up to 30 seconds until a requested restart is
executed. During this time, the LEDs on the CPU light up successively as follows:
1. All LEDs light up
2. The STOP LED flashes as it does during a memory reset
3. The RUN and STOP LEDs are flashing
4. The RUN LED flashes briefly 2 to 3 times
5. The STOP LED lights up
6. The RUN LED starts flashing again.
This begins the start up.

9.10 Response to fault detection

Response to fault detection

In order to ensure a high level of reliability, in particular, of the fault tolerant system, the CPU 410
has many self diagnostics. Faults can thus be detected and eliminated at an early stage. In the
rare instance that a fault occurs that cannot be eliminated by the firmware, the current service
data is saved internally for further evaluation by SIEMENS specialists. An automatic reboot is
then started. This behavior reduces the downtime of the CPU to a minimum. Access to the
process is restored as soon as possible.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 137
Special functions of the CPU 410
9.10 Response to fault detection

Automatic reboot in the event of a one-sided defect in the fault-tolerant system

The defective CPU performs the complete self-test. The other CPU remains in RUN. If a
hardware fault is detected, the CPU switches to DEFECTIVE operating state. If no fault is
detected, the CPU links up again. The H system switches back to the redundant system state.
You can use the "Save service data" function immediately afterwards to save the necessary
data during operation.

CPU 410 Process Automation

138 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.11 Reading service data

9.11 Reading service data

Application case
If you need to contact Customer Support due to a service event, the department may require
specific diagnostic information on the CPU status of your system. This information is stored in
the diagnostic buffer and in the service data.
Select the "PLC -> Save service data" command to read this information and save the data to
two files. You can then send these to Customer Support.
Note the following:
• If possible, read out the service data immediately after the CPU goes into STOP or
immediately after the synchronization of a fault-tolerant system has been lost.
• Always read out the service data of both CPUs in a fault-tolerant system.

Procedure
1. Select the "PLC > Save service data" command.
In the dialog box that opens up, select the file path and the file names.
2. Save the files.
3. Forward these files to Customer Support on request.

Note
Customer Support may also request a readout of the security events for diagnostic purposes in
the service case. You can store the security events as a text file with:
 >Simatic Manager - PLC - Save Security Events

See also Security event logging (Page 130)

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 139
Special functions of the CPU 410
9.12 Updating firmware in stand-alone operation

9.12 Updating firmware in stand-alone operation

Basic procedure
To update the firmware of a CPU, you will receive several files (*.UPD) containing the current
firmware. You download these files to the CPU. You can update the firmware in a single work step
or you can first download it to the CPU and then activate it at a later time.

Requirement
The CPU whose firmware you want to update must be accessible online, e.g., via PROFIBUS or
Industrial Ethernet. The files containing the current firmware versions must be downloaded into
the programming device/PC file system. A folder may contain only the files of one firmware
version. If the CPU is protected with a password, you need the respective password for the
update.
Note any information posted in the firmware download area.

Note
Checking the firmware update files (*.UPD)
The CPU checks the firmware update files (*.UPD) during the update process. If an error is
detected, the old firmware remains active and the new firmware is rejected.

For CPU access protection with password: in SIMATIC Manager, select a CPU of the fault-
tolerant system, then select "PLC > Access Rights > Setup" from the menu. Enter the CPU
access password.

Firmware update in two stages

The advantage of updating the firmware in two stages is that the automation system only
switches to STOP during the actual activation of the new firmware. The firmware is loaded in
RUN. This allows you to carry out the longer process of loading the firmware beforehand in RUN
at a suitable time, and launch the quicker activation process later.
Proceed as follows to update the firmware of a CPU:
1. Open the station containing the CPU you want to update in HW Config.
2. Select the CPU.
3. Select the "PLC -> Update firmware" menu command.
4. In the "Update firmware" dialog, select the path to the firmware update files (*.UPD) using the
"Browse" button.
After you have selected a file, the information in the bottom boxes of the "Update firmware"
dialog box will indicate the modules for which the file is suitable and as of which firmware
version.
5. Select "Only load firmware".
The firmware will be loaded to the CPU.

CPU 410 Process Automation

140 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.12 Updating firmware in stand-alone operation

Proceed as follows to activate the loaded firmware at a later time:

1. Open the station containing the CPU you want to update in HW Config.
2. Select the CPU.
3. Select the "PLC -> Update firmware" menu command.
4. Select "Activate loaded firmware" and click "Execute".
5. Acknowledge the security prompt with "OK".
The firmware update will run automatically.
6. Acknowledge the final message with "Yes".
The CPU is now in RUN again.

Firmware update in one stage

Proceed as follows to update the firmware of a CPU:
1. Open the station containing the CPU you want to update in HW Config.
2. Select the CPU.
3. Select the "PLC -> Update Firmware" menu command.
4. In the "Update Firmware" dialog, select the path to the firmware update files (*.UPD) using
the "Browse" button.
After you have selected a file, the information in the bottom boxes of the "Update Firmware"
dialog box indicate the modules for which the file is suitable and from which firmware
version.
5. Select "Load and activate firmware" and click "Execute".
6. Acknowledge the security prompt with "OK".
The firmware update will run automatically.
7. Acknowledge the final message with "Yes".
The CPU is now in RUN again.

Values retained after a firmware update

The following values are retained after a firmware update:
• IP address of the CPU
• Device name (NameOfStation)
• Subnet mask
• Static SNMP parameters
• Contents of the load memory

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 141
Special functions of the CPU 410
9.13 Updating firmware in redundant mode

9.13 Updating firmware in redundant mode

Requirement
You are operating the CPU 410 in a fault-tolerant system. Both Sync links exist and are working.
There are no redundancy losses. The REDF LED is not lit and both CPUs are in redundant mode.
Note any information posted in the firmware download area.

Note
Checking the firmware update files (*.UPD)
The CPU checks the firmware update files (*.UPD) during the update process. If an error is
detected, the old firmware remains active and the new firmware is rejected.

For CPU access protection with password: in SIMATIC Manager, select a CPU of the fault-
tolerant system, then select "PLC > Access Rights > Setup" from the menu. Enter the CPU
access password.

Note
Redundancy error
There must not be a redundancy error, e.g. a faulty IM153-2, because the update may otherwise
lead to station failures.

Firmware update in two stages

The advantage of updating the firmware in two stages is that the fault-tolerant system only
operates in solo mode during the actual activation of the new firmware. The firmware is loaded
in redundant mode. This allows you to carry out the longer process of loading the firmware
beforehand in redundant mode at a suitable time, and launch the quicker activation process
later.
Proceed as follows to update the firmware of the CPUs of a fault-tolerant system in RUN:
1. Open the station containing the CPU you want to update in HW Config.
2. Select the CPU.
3. Select the "PLC -> Update firmware" menu command.
4. In the "Update firmware" dialog, select the path to the firmware update files (*.UPD) using the
"Browse" button.
After you have selected a file, the information in the bottom boxes of the "Update firmware"
dialog box will indicate the modules for which the file is suitable and as of which firmware
version.
5. Select "Only load firmware" and click "Execute".
The firmware will be loaded to both CPUs. Both CPUs remain in redundant mode. Loading can
take several minutes.

CPU 410 Process Automation

142 System Manual, 11/2022, A5E31622160-AE
 Special functions of the CPU 410
9.13 Updating firmware in redundant mode

Proceed as follows to activate the loaded firmware at a later time:

1. Open the station containing the CPU you want to update in HW Config.
2. Select the CPU.
3. Select the "PLC -> Update firmware" menu command.
4. Make sure that the same firmware version as the loaded firmware has been loaded to both
CPUs.
The version of the loaded firmware is displayed in the "Update firmware" dialog.
5. Select "Activate loaded firmware" and click "Execute".
The CPU in rack 1 is switched to STOP
The new firmware is activated in the CPU in rack 1
6. Click "Continue".
The system switches to the CPU with the new firmware.
The new firmware is activated in the CPU in rack 0.
The CPU in rack 0 is started.
The CPU in rack 0 is linked up and updated.
Both CPUs have updated firmware (operating system) and are in the redundant operating
state.

Firmware update in one stage

Proceed as follows to update the firmware of the CPUs of a fault-tolerant system in RUN:
1. For CPU access protection with password: Select a CPU of the fault-tolerant system in SIMATIC
Manager and select menu command
PLC > Access Authorization > Setup. Enter the CPU access password.
2. Select the CPU.
3. Open the station containing the CPU you want to update in HW Config.
4. Select the "PLC -> Update firmware" menu command.
5. In the "Update Firmware" dialog, select the path to the firmware update files (*.UPD) using
the "Browse" button.
After you have selected a file, the information in the bottom boxes of the "Update Firmware"
dialog box indicates the modules for which the file is suitable and as of which firmware
version.
6. Select "Load and activate firmware".
7. Click "Execute".
The CPU in rack 1 is switched to STOP.
The new firmware is loaded to and activated in the CPU in rack 1.
8. Click "Continue".
The system switches to the CPU with the new firmware.
The new firmware is loaded to and activated in the CPU in rack 0.
The CPU in rack 0 is started.
The CPU in rack 0 is linked up and updated.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 143
Special functions of the CPU 410
9.13 Updating firmware in redundant mode

Both CPUs have updated firmware (operating system) and are in redundant operating state.

Note
Only the third number of the firmware versions of the master and standby CPU may differ by 1.
You can only update to the newer version.
The constraints described in Chapter System and operating states of the CPU 410 (Page 95) also
apply to a firmware update in RUN.
Any set up access right is not canceled until you stop the SIMATIC Manager. You should reset the
access right once again to prevent unauthorized access. You reset the access right in the SIMATIC
Manager with the menu command PLC > Access Rights > Cancel.

Values retained after a firmware update

The following values are retained after a firmware update:
• IP address of the CPU
• Device name (NameOfStation)
• Subnet mask
• Static SNMP parameters
• Contents of the load memory

CPU 410 Process Automation

144 System Manual, 11/2022, A5E31622160-AE
Time synchronization and time stamping 10
Definition of time synchronization
Time synchronization refers to the process in which various S7 stations receive or retrieve their
local time from a central time source (central time transmitter/time server).
Time-of-day synchronization is required when the time sequence of events from different
stations is to be evaluated.

Interfaces
Time-of-day synchronization is possible across all interfaces of the CPU 410:
• PROFINET IO interface via Industrial Ethernet
Time-of-day synchronization in NTP mode; the CPU is the client.
Time-of-day synchronization using SIMATIC mode as master or device. The PTCP master is
also possible for synchronization of IO devices of type ET 200SP HA.
• Within the station (in the AS) using the S7-400 backplane bus
You can configure the CPU as time master or time client.
• PROFIBUS DP interface
You can configure the CPU as time master or time client.

Time-of-day synchronization via the PROFINET IO interface

With the PROFINET IO interface, time-of-day synchronization is possible using the NTP method
and the SIMATIC method. The CPU 410 is the client in this case.
You can configure up to four NTP servers. You can set an update interval of between
10 seconds and 1 day. An NTP request of the CPU 410 always occurs every 90 minutes
for times greater than 90 minutes.
If you synchronize the CPU 410 in NTP mode, you should use SICLOCK or an NTP server on
the OS.
Time-of-day synchronization is also possible via Ethernet MMS (Simatic mode on Ethernet) as
master or device. A combination of NTP and SIMATIC modes is also permitted here.

CPU 410 as time client

If the CPU 410 is a time client on the S7-400 backplane bus, the synchronization takes place via
the CP by a central clock connected to the LAN.
You can use a CP to forward the time to the S7-400 station. If the CP supports a direction
filter, the CP must be configured for time forwarding with the "from LAN to station" option.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 145
Time synchronization and time stamping

CPU 410 as time master

If you configure the CPU 410 as the time master, you must specify a synchronization interval. You
can select any interval between 1 s and 24 h.
Select a synchronization interval of 10 s if the CPU 410 is the time master on the S7-400
backplane bus.
The time master does not send time frames until you have set the time. You can set the time
as time client (NTP client/device) with Step 7 or an interface.

Definition of time stamping

Time stamping refers to the assignment of an event to its acquisition time. The more precise this
assignment is, the more precisely the acquisition time corresponds to the event.
For time stamping, the IO controller/DP master sends its time of day to the local IO
subsystem/DP line.
The IO device/DP device receives this time of day and uses this time information for time
stamping.
This time stamping is referred to as "high-precision time stamping" in the context of SIMATIC
PCS 7.
Example:
In the ET 200SP HA, signal changes can be acquired and time stamped with a precision of 1
ms.

Relationship between time synchronization and time stamping

To examine the chronological relationship between time stamped events from different S7
stations, the S7 stations must be time synchronized.
The synchronism among the individual systems is dependent on the selected time
synchronization method, the topology and the utilized interface in the S7 station. 

Precision
The precision of the time stamping is the maximum difference of the time stamps that result
from signals that were recorded simultaneously by digital input modules.
The precision depends on the hardware used and the configuration of the plant.

Resolution
The resolution is the smallest possible time difference between two different time stamps.

CPU 410 Process Automation

146 System Manual, 11/2022, A5E31622160-AE
 Time synchronization and time stamping

More information
You can find more information about time-of-day synchronization and time stamping with
SIMATIC PCS 7 in the following manuals:
• High-precision Time Stamping with ET 200SP HA
• High-precision Time Stamping (V9.0)
• Time-of-day Synchronization (V9.0)

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 147
Time synchronization and time stamping

CPU 410 Process Automation

148 System Manual, 11/2022, A5E31622160-AE
Plant changes in RUN - CiR 11
11.1 Motivation for CiR via PROFINET IO
There are systems that may not be shut down during operation. This may be the case, for
example, due to the complexity of the automated process or the high costs associated with
restarting the system. However, a removal or rebuild may still be required.
Using CiR to make plant changes in RUN, certain configuration changes can be performed in
RUN. This interrupts processing for a maximum of 60 ms.

Note
The term "CiR" stands for "Configuration in RUN". The process for plant changes in RUN described
in this documentation is used. The requirements listed below must be met in this case.

Hardware requirements for PROFINET IO

The following hardware and firmware requirements must be met for plant changes in RUN using
CiR:
• Use of a CPU 410 in stand-alone operation, firmware version V8.2 or higher
• IO devices to which individual I/O modules are to be added or from which individual I/O
modules are to be removed must have CiR capability.
• Complete IO devices can be added or removed even if they do not have CiR capability.
• If you want to add I/O modules to an ET 200SP HA:
Use of the IM 155-6 HA requires free slots for I/O modules in the IO device.
Configure ET 200SP HA with slot covers for standby modules. You replace the slot covers
when you install I/O modules later.

Note
CiR-capable devices are marked in color in HW Config.

The following also applies to the IO controller:

• Your IO controller has CiR capability.
• If you are using different IO devices, the IO device on which you want to make configuration
changes must support plant changes during operation.

Configuration requirements for PROFINET IO

You need to select saving the data on the CPU for all components within the station for which
you can choose whether the configuration data is saved on the module itself or on the CPU.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 149
Plant changes in RUN - CiR
11.2 Permitted changes over PROFINET IO

Software requirements
To make a configuration change in RUN, the user program must meet the following requirement:
It must be written so that station failures or module faults, for example, do not result in a CPU
STOP.
The following OBs must be available in your CPU:
• Hardware interrupt OBs (OB 40 to OB 47)
• Cycle time error OB (OB 80)
• Diagnostic interrupt OB (OB 82)
• Pull/plug module interrupt OB (OB 83)
• Priority class error OB (OB 85)
• Rack failure OB (OB 86)
• I/O access error OB (OB 122)
Note
These requirements are always met with SIMATIC PCS 7.

11.2 Permitted changes over PROFINET IO

Permitted configuration changes for PROFINET IO

The process introduced here supports the following changes to your AS:
• Adding and removing an IO device.
The IO device does not need CiR capability for this step.
The station address in the PROFINET IO subsystem of an IO device that is removed in a CiR
operation must not be added back again in the same CiR operation.
Station addresses that are removed in a CiR operation may not be added again in the same
CiR operation.
• Adding and removing I/O modules in the IO device.
The device in question must have CiR capability for this step.
An I/O module that is removed with CiR must not be replaced with a different I/O module in
the same CiR step.
However, it is possible to remove I/O modules in a CiR operation and to add I/O modules at a
different location.
Addresses must not be changed in a CiR operation.
Addresses that are removed in a CiR operation may not be added again in the same CiR
operation.
• Changing parameters of the I/O modules.
The device in question must have CiR capability for this step.
• Changing properties of the ports (PEDV), e.g. topology, monitoring, etc.
You cannot reconfigure the local PDEV submodules of the IO controller.

CPU 410 Process Automation

150 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.3 Procedure for PROFINET IO

• Changing the update time

The IO device must have CiR capability.
• Changing process image partition assignment
Configuration changes in RUN are permitted for the interface module added in HW Config (in
HW Config: Properties of the interface module > "General" tab > "Short description" area >
"Configuration changes in RUN" entry

Rules for configuration changes

• You need at least two downloads to the CPU to replace an I/O module with an I/O module of a
different type for a configuration that already exists in the CPU:
– 1st CiR operation: The CPU receives the configuration that no longer contains the I/O
modules to be removed.
– 2nd CiR operation: The CPU receives the configuration with the newly added I/O modules.

Restriction
All changes that are not explicitly permitted above as part of plant changes in RUN, are not
permitted during operation and are not explained in more detail here.

Recommendations plant changes during operation using CiR

• Create a backup copy of your current plant configuration after every modification of the
configuration. Further processing of the project without loss of CiR capability is only possible
with this backup version.
• If possible, change the configuration in multiple steps and make only a few changes in each
step. In this way, you can keep track of the changes.

11.3 Procedure for PROFINET IO

11.3.1 Overview

Requirement
You need to load the hardware configuration from HW Config to the module in STOP

Note
You do not have to define CiR elements in PROFINET IO subsystems.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 151
Plant changes in RUN - CiR
11.3 Procedure for PROFINET IO

Procedure
The following basic operating steps are available in RUN mode:
• Add or remove IO devices or I/O modules
IO devices and I/O modules can be added and removed in the same step.
• Rebuild hardware when adding an IO device
• Change process image partition assignment
• Re-configure existing modules or I/O modules
• Undo previously made changes (Undo functionality)

Note
IO devices that are to be added or removed do not have to be CiR-capable.
Note that the neighborhood relation on the ports may not be change in RUN for non-CiR-capable
devices. In the properties of the device ports, a partner port may only be entered for "Topology"
if it is ensured that nothing will change from this relationship. Otherwise, you should select the
"Any partner" setting. Only then can you remove the neighbor in a CiR operation and add a new
neighbor in another CiR operation.
All other plant changes mentioned below require a CiR-capable IO device connected to the
PROFINET IO system.
Back up your current configuration after each download of the station configuration from HW
Config (regardless of the operating state of the CPU). This is the only way for you to ensure that
you can continue working with the backed up project in case of an error (loss of data) without
loss of the CiR capability.

Note
SFB 52; 53 and 81
If SFB 52, SFB 53 or SFB 81 is called during a CiR operation on the line, the call is acknowledged
with error code 0x80C3.

Different update times

Please note the following if you have set "automatic" for the update time for an IO device without
CiR capability:
If you have set "automatic" for the update time and the CPU outputs a consistency error
during the CiR consistency check because the update time has changed for a non-CiR-capable
IO device, you can check the original project to see update time was achieved and configure
that time as the fixed update time for that IO device.
On a CiR-capable IO device on which CiR is run, the update time after that CiR operation must
be at least 1 ms. This is checked by the CPU.

CPU 410 Process Automation

152 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.3 Procedure for PROFINET IO

11.3.2 Add IO devices or I/O modules

Procedure
Adding IO devices or I/O modules in RUN mode includes the following operating steps:
1. Expand and download the configuration with HW Config.
2. Rebuild the hardware.
3. Expand, test and download the user program.
You must adhere to this order of steps.

Rules for PROFINET IO

Within a PROFINET IO subsystem, you must assign an NoS (Name of Station) to an added IO
device.
You must set the NoS locally on the interface module of the IO device.
Recommendation:
Prior to local installation, configure the NoS of the interface modules in a separate network.
The NoS is enough for the IO controller that is to address the device. However, you must
make check that the IO device does not have an IPv4 address that is already assigned in the
system.

11.3.3 Rebuild hardware when adding an IO device

Procedure
If you are planning to add an IO device using CiR and the device does not support PROFINET LLDP
mode V2.3, check in HW Config to see which LLDP mode is set in the IO controller. You cannot
add the IO device using CiR if the option PROFINET LLDP mode V2.3 is set.
When adding an IO device to a PROFINET subsystem, make sure that no bus cables are
disconnected that could lead to device failure.
You can do this as follows:
• Install additional ports at the future installation sites in the PROFINET subsystem to be
expanded. Connect the new IO device to these ports if necessary.
• If permitted by the plant configuration, you can integrate switches in the PROFINET
subsystem. In this case, follow these steps when adding an IO device:
Connect the new IO device to previously unused ports of a switch. In doing so, observe the
applicable installation guidelines (see Installation manual: Automation System S7-400
Configuration and Use).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 153
Plant changes in RUN - CiR
11.3 Procedure for PROFINET IO

11.3.4 Change process image partition assignment

Procedure
You change the assignment of the process image partition of an existing module or a compact
device as follows:
1. Specify the new process image partition in the "Addresses" tab of the properties window of
the module or device.
2. Download the changed configuration with HW Config.

11.3.5 Re-configuring existing I/O modules in IO devices

Procedure
The procedure for using previously unused channels is described in the section Using a
Previously Unused Channel (Page 157).
The procedure for re-configuration of previously used channels of I/O modules is described
in the sections on re-configuration of a previously used channel or for removing a previously
used channel.

See also
Reconfiguring an already used channel. (Page 157)
Delete an already used channel. (Page 159)

11.3.6 Replacing IO devices or I/O modules

Procedure (replacing)
The replacement of an IO device with another IO device or an I/O module with another I/O
module is only possible in two separate CiR operations:
1. Remove IO device/module from the configuration and download the configuration
2. Add new IO device/module to the configuration and download the configuration

CPU 410 Process Automation

154 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.4 Re-configuring I/O modules and ports in IO devices

11.4 Re-configuring I/O modules and ports in IO devices

11.4.1 Requirements for Reconfiguration

Note
You can use previously unused channels as well as re-configure previously used channels.
You must not change the addresses of existing I/O modules using CiR.

Requirement for configuration

I/O modules and ports can only be re-configured if the relevant device is CiR-capable. If the
neighboring device is involved, this device must also be CiR-capable.

Hardware requirements
The I/O modules that can be re-configured in CPU RUN are listed in the info text in the "Catalog"
window.

11.4.2 I/O module response to re-configuration

Principle
The following three responses are possible during re-configuration of input modules:
• The channels that are not involved still provide the current process value.
• The channels that are not involved provide the last process value that was valid before the
parameter assignment.
• All channels return the value "0" (DI or DO I/O modules) or W#16#7FFF (AI or AO I/O modules).
Please refer to the technical specifications of the individual I/O modules for their responses.
Output modules behave as follows during re-configuration:
The channels that are not involved output the last output value that was valid before the
parameter assignment.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 155
Plant changes in RUN - CiR
11.4 Re-configuring I/O modules and ports in IO devices

11.4.3 CPU response during reconfiguration

Re-configuration sequence
Once you have made the parameter changes in HW Config and have downloaded them to the
CPU in RUN mode, the CPU runs the tests described in "Behavior of the CPU after download of the
configuration in RUN" and the status of the input and output values changes to "BAD". This
indicates that as of now the input or output data of the I/O modules in question may no longer
be correct. You may no longer call any functions that trigger jobs for sending data records to the
I/O modules involved, otherwise a conflict could occur between the data records sent by the
system and those sent by the user.
You may only access those values in the process image that belong to the process image
partition of the currently processed OB.
After transmission of the data records, the IO controller marks the I/O modules in the module
status data as follows:
• When the transmission was successful, as available.
• When the transmission was not successful, as unavailable.
An I/O access error occurs when the I/O module is accessed:
– During the update of the input process image, during transmission of the output process
image to the I/O module, or during direct access to the module. Depending on the type
of access, OB 85 or OB 122 is started.
– The input or output data of the I/O modules behaves in the same way as after a remove
module interrupt, which means it may not yet be correct (because the I/O module may not
yet have evaluated its data records).
However, the restriction that data record functions for the I/O modules can no longer be
active no longer applies.

Note
If the re-configuration of an I/O module involves disabling the diagnostic interrupt, for example,
the I/O module may still subsequently send an interrupt that it has already prepared.

Re-configuring a port (PDEV submodule)

Ports are re-configured in the same way to I/O modules.

Possible fault scenarios during re-configuring

The following error scenarios are possible:
• The I/O module receives the parameter data records but cannot evaluate them.
• Serious errors, in particular protocol errors, may cause the IO controller to completely
suspend the associated IO device, causing all I/O modules of this station to fail.

CPU 410 Process Automation

156 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.4 Re-configuring I/O modules and ports in IO devices

Dependency of re-configuration on CPU operating states

Re-configuration takes place after SDB evaluation (see Behavior of the CPU after download of the
configuration in RUN) in RUN mode. The INTF-LED is on during re-configuration.
The re-configuration process is interrupted during transition to the HOLD operating state. The
process is continued when the CPU changes to STOP or RUN. In STOP only the calls of OB83
are stopped.
Re-configuration is aborted if there is a power failure. Once power is restored, all existing IO
devices are re-configured.

OB calls in re-configuration
Once the CPU has run the tests described in "Behavior of the CPU after download of the
configuration in RUN", it starts OB 83 with the event W#16#335A. This means that as of now the
input or output data of the I/O modules in question may no longer be correct. You may no longer
call any SFCs that trigger new jobs for sending data records to the I/O modules involved,
otherwise a conflict could occur between the data records sent by the system and those sent by
the user.
Once the CPU has completed OB 83, it sends the parameter data records with each I/O
module involved receiving the total number of data records (regardless of how many data
records are affected by your change).
Another OB 83 start follows (start event W#16#325A if sending was successful or
W#16#395B if it was not). No other priority class is interrupted by this processing of OB 83.

11.4.4 Reconfiguration Procedure

11.4.4.1 Using a Previously Unused Channel

Procedure
1. Change the hardware configuration and download it to the CPU.
2. Save your project.
3. Make the change to the wiring.
4. Change the user program and download it to the CPU.

11.4.4.2 Reconfiguring an already used channel.

Introduction
The procedure depends on whether or not changes to the user program and the associated
hardware are necessary due to the re-configuration. The individual cases are described below.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 157
Plant changes in RUN - CiR
11.4 Re-configuring I/O modules and ports in IO devices

Procedure without change

The user program need not be changed as a result of re-configuration. This is the case, for
example, when you change an alarm limit or when you disable the diagnostic interrupt.
• Change the hardware configuration and download it to the CPU.

Procedure for changing the user program

The user program need not be changed as a result of the re-configuration. This is the case, for
example, when you change the measuring range for a channel of an analog input module and
when you compare the associated analog value with a constant in your program. The constant
must be adapted in this case.
1. Set the values of the channel being re-configured to simulation (in the associated driver).
2. Change the hardware configuration and download it to the CPU.
3. Save your project.
4. If necessary, adapt the user program to the changed channel and download it to the CPU.
Cancel the simulation for the re-configured channel (in the corresponding driver).

Procedure for changing the user program and the hardware

The user program and the hardware must be changed as a result of the re-configuration. This is
the case, for example, when you re-configure an input channel from "0 to 20 mA" to "0 to 10 V".
1. Set the values of the channel being re-configured to simulation (in the associated driver).
2. Change the associated hardware.
3. Change the hardware configuration and download it to the CPU.
4. Save your project.
5. If necessary, adapt the user program to the changed channel and download it to the CPU.
Cancel the simulation for the re-configured channel (in the corresponding driver).

Procedure for changing the address area of a HART I/O module

This is the case, for example, when you use IEEE values of a HART I/O module.
Follow these steps:
1. Set the values of the module being re-configured to simulation (in the associated driver).
2. Delete the module in the hardware configuration and download it to the CPU.
3. Insert the module once again and configure it for your configuration as needed.
4. Download the hardware configuration to the CPU.
5. Save your project.
6. If necessary, adapt the user program to the changed module and download it to the CPU.
7. Cancel the simulation for the re-configured module (at the associated driver).

CPU 410 Process Automation

158 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.5 Motivation for CiR on PROFIBUS DP

11.4.4.3 Delete an already used channel.

Procedure
Proceed as follows to remove a channel that has not been used:
1. Change the user program so that the channel to be removed is no longer evaluated, and
download it to the CPU.
2. Change the hardware configuration and download it to the CPU.
3. Save your project.
4. Change the corresponding hardware (remove sensor or actuator, etc.).

11.4.4.4 Change the update time

Procedure
You can change the update time of a CiR-capable device in RUN. To do so, change the update
time in HW Config and load the new configuration to the CPU.
You cannot change the send clock in RUN.

11.5 Motivation for CiR on PROFIBUS DP

There are plants that must not be shut down during operation. This may be the case, for
example, due to the complexity of the automated process or due to high restart costs.
Nevertheless, it may be necessary to expand or modify a configuration.
Using CiR to make plant changes in RUN, certain configuration changes can be performed in
RUN. In so doing, processing is stopped for a brief time interval. The upper limit of this time
interval is 60 ms. Process inputs retain their last value during this time.

Note
The term "CiR" stands for "Configuration in RUN". The process for plant changes in RUN is used
for the description in this documentation. The requirements listed below must be met in this
case.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 159
Plant changes in RUN - CiR
11.6 Permitted changes over PROFIBUS DP

Hardware requirements for PROFIBUS DP

The following hardware and firmware requirements must be met for plant changes in RUN using
CiR:
• If you want to make plant changes in RUN to a DP master system with external DP master (CP
443-5 extended), the external DP master must have at least firmware version V5.0.
• If you want to add modules to ET 200M: Use of the IM 153-2 as of MLFB
6ES7153-2BA00-0XB0 or of the IM 153-2FO as of MLFB 6ES7153‑2BB00-0XB0. You must
also configure the ET 200M with active bus elements and sufficient free space for the planned
expansion. You must not integrate the ET 200M as a DPV0 device (using a GSD file).
• If you want to add additional electronic modules to the ET 200iSP: Configure the ET 200iSP
with standby modules. You replace the standby modules when you install electronic
modules later.
• If you want to add entire stations: Stock the corresponding bus connectors, repeaters, etc.
• If you want to add PA devices (field devices): Use of the IM 157 as of MLFB
6ES7157-0AA82-0XA00 in the associated DP/PA link.
• Use of the CR2 rack is not permitted.

11.6 Permitted changes over PROFIBUS DP

Permitted configuration changes: Overview

The method presented here supports the following modifications in your automation system:
• Addition of modules for a modular DP device, provided you have not integrated it as a DPV0
device (using a GSD file).
• Reassignment of module parameters, e.g. selection of different alarm limits or use of
previously unused channels
• Replacement of standby modules with future electronic modules of the ET 200iSP
• Reassignment of parameters of ET 200iSP modules
• Addition of DP devices to an existing DP master system
• Addition of PA devices (field devices) to an existing PA master system
• Addition of DP/PA couplers downstream of an IM 157
• Addition of DP/PA links (including PA master systems) to an existing DP master system
• Assignment of added modules to a process image partition
• Modification of the process image partition assignment for existing modules or compact
devices

CPU 410 Process Automation

160 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.6 Permitted changes over PROFIBUS DP

• Reassignment of parameters of existing modules in DP stations (standard modules and fail-

safe signal modules in standard operation)
• Undoing of modifications (undo functionality): Added modules, DP devices and PA devices
(field devices) can be removed again.
Note
If want to add or remove devices or modules or make changes in the existing process image
partition assignment, this is possible on a maximum of four DP master systems.

All modifications that are not expressly permitted above are not permitted as part of a plant
change during operation and are not further discussed here. These include, for example,
• Change of CPU-properties.
• Change of properties of centrally inserted I/O modules.
• Change of properties of existing DP master systems including bus parameters.
• Change of the following parameters of a DP device: bus address, assignment of DP master,
parameter assignment data, diagnostic address.
• Reassignment of parameters of fail-safe signal modules in safety operation.
• Addition and removal of DP master systems.
• Removal of any modules from modular DP devices, compare to undoing of previously made
changes.
• Removal of any DP devices from an existing DP master system, compare to undoing of
previously made changes.

Recommendations for plant changes in RUN using CiR

Some tips are given below for Configuration in RUN.
• Create a backup copy of your current plant configuration after each configuration change.
Further processing of the project without loss of CiR capability is only possible with this
backup version.
• If possible, change the configuration in multiple steps and make only a few changes in each
step. This approach will help you to keep things under control.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 161
Plant changes in RUN - CiR
11.7 CiR objects and CiR modules for PROFIBUS DP

11.7 CiR objects and CiR modules for PROFIBUS DP

11.7.1 Basic Requirements

Overview
A system modification during operation using CiR is based on you having made master system-
specific arrangements during initial configuration for a later hardware expansion of your
automation system. You define suitable CiR elements that you can subsequently replace with
real objects (devices and/or modules) in RUN mode over time. You can then download a
configuration modified in this way to the CPU while the process is running.

Operating steps
Below you will find the operating steps that are required for a program and configuration change
as well as the associated system state in each case.

Step Action Operating mode System state

of the CPU
1 Configuring the current (real) hardware configuration of your STOP Offline configuration
system
2 Defining CiR elements STOP Offline configuration
3 Downloading the configuration STOP Commissioning
4 Converting the CiR elements into real objects as needed. RUN Continuous operation
System modifications are only possible on master systems
with a CiR object or on ET 200M stations with a CiR module.

If necessary, you repeat the CiR operation (operating step 4 in table above) several times in
succession. You then only have to ensure that you have an adequate number of devices and
I/O volume in reserve that you can perform all your system expansions.

11.7.2 Types of CiR Elements

Overview
The following CiR elements are available:

Component CiR element

Existing DP master system CiR object
Contains the number of additional DP devices and can be edited.
Existing PA master system CiR object
Contains the number of additional PA devices and can be edited.
Modular DP device of type ET 200M / ET CiR module
200iSP Contains the additional I/O volume and can be edited.

CPU 410 Process Automation

162 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.7 CiR objects and CiR modules for PROFIBUS DP

Note
STEP 7 takes into account both the configured devices and the CiR elements when calculating
the bus parameters. When CiR elements are converted into real devices and/or modules while
the CPU is in RUN, the bus parameters therefore remain unchanged.

You can add CiR elements either automatically or individually.

CiR objects
You specify the following properties for a CiR object:
• Number of devices that you are guaranteed to be able to add (default setting: 15 on DP
master system, 6 on PA master system)
• Number of input bytes and output bytes for future use (default setting: 1220 each on DP
master system, 80 each on PA master system). These relate to future user data addresses. You
can configure diagnostic addresses independent of this.

CiR modules
For the modular ET 200M / ET 200iSP I/O device, you define an additional I/O volume with the
help of a CiR module by specifying the total number of additional input bytes and output bytes.
These relate to future user data addresses. You can configure diagnostic addresses independent
of this.
The additional user data volume does not have to be used up completely at any given
time. However, the user data volume currently still available may never be exceeded. This is
ensured by STEP 7.

See also
Defining CiR Elements (Page 166)

11.7.3 CiR Elements and I/O Address Areas

CiR objects
The following rule applies to a DP master system: The number of configured real devices plus the
guaranteed number of devices of the CiR object on the associated DP master system must not
exceed the configuration limits of the associated DP master.
Compliance with this rule is monitored directly by HW Config during definition of the CiR
objects.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 163
Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

I/O volume available for future use for CiR objects and CiR modules
The following rules regarding the input and output bytes available for future use apply to each
DP master:

I/O Rule 1
Inputs The configured real user addresses for inputs plus the input bytes available for future
use must not exceed the configuration limits of the DP master.
Outputs The configured real user addresses for outputs plus the output bytes available for future
use must not exceed the configuration limits of the DP master.

Compliance with these rules is monitored by HW Config directly during definition of the CiR
elements of a DP master system.
To use the CiR elements as flexibly as possible, however, the following applies from the CPU
perspective:

I/O Rule 2
Inputs The configured real inputs plus the input bytes available for future use may exceed the
CPU configuration limits.
Outputs The configured real outputs plus the output bytes available for future use may exceed
the CPU configuration limits.

HW Config does not check whether the added devices and/or modules fit into the available
address space of the CPU until the CiR elements are used.

11.8 Procedure for PROFIBUS DP

11.8.1 Basic Procedures in STOP Mode

11.8.1.1 Overview

Note
Back up your current configuration after each download of the station configuration from HW
Config (regardless of the operating state of the CPU). This is the only way for you to ensure that
you can continue working with the backed up project in case of an error (loss of data) without
loss of the CiR capability.

Overview
The following basic operating steps are available in STOP state:
• Defining CiR elements
• Deleting CiR elements

CPU 410 Process Automation

164 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

• Editing CiR elements

• Downloading the configuration

Defining CiR elements

You can define CiR objects for previously configured DP and PA master systems and CiR modules
for modular DP devices of type ET 200M / ET 200iSP. For the exact procedure, see Defining CiR
elements.
The "Activate CiR capability" function is additionally available for DP master systems. If you
select this function, a CiR object is created on the selected DP master system and on each
CiR-capable lower-level PA master system. A CiR module is inserted on each CiR-capable
modular device of type ET 200M / ET 200iSP on the selected DP master system.

Note
The "Activate CiR capability" function is only possible on DP master systems on which a CiR object
is not yet defined.

Deleting CiR elements

You can delete CiR objects on DP and PA master systems or CiR modules on modular DP devices
of type ET 200M / ET 200iSP that you have defined previously in STOP mode.
If you want to delete all CiR elements in a DP master system, you can easily do this using the
"Deactivate CiR capability" function.

Note
The "Deactivate CiR capability" function is only possible for DP master systems on which a CiR
object is defined.

Downloading the configuration

After defining new CiR elements or redefining existing CiR elements, you download the
configuration with the CPU in STOP operating state.
A large number of modules can be used in the S7-410 automation system. To ensure that
none of the modules you are using will prevent a future CiR action, you must adhere to the
following procedure: Once you have downloaded the configuration in STOP operating state
of the CPU, immediately download it again to the CPU, but this time with the CPU in RUN
operating state. When this is done, STEP 7 and the CPU will check the CiR capability. With
older modules or modules from third-party manufacturers, this is not yet possible offline.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 165
Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

11.8.1.2 Defining CiR Elements

Adding CiR elements automatically

Note
The automatic addition of CiR elements is only possible if a CiR object is not yet present on the
selected DP master system.
The automatic addition of CiR elements is not available on DP master systems that are
downstream of an IM 157.

If you want to automatically add CiR elements in an existing DP master system, proceed as
follows:
1. Select the relevant DP master system in the upper part of the station window.
2. In the Edit menu, select the "Master System > Activate CiR capability" command.
STEP 7 then adds the following CiR elements on the selected DP master system:
– A CiR module on each CiR-capable modular device (if slots are still available).
This CiR module contains the number of input and output bytes needed for a reasonable
number to be available for later use on the modular device.
– A CiR object on each lower-level CiR-capable PA master system.
This CiR object contains 80 input bytes and 80 output bytes.
– A CiR object on the selected DP master system.
STEP 7 attempts to guarantee 15 devices for this CiR object and to provide it with 1220
input bytes and 1220 output bytes. If the largest address up to now on this master system
is greater than 110, correspondingly fewer devices can be guaranteed. If fewer than 1220
input bytes and 1220 output bytes are available, the number is reduced accordingly.
3. The default settings of the CiR objects are the same for all CPUs. For this reason, after
activation of CiR capability of a master system, you should check each associated CiR object
to determine whether the CiR synchronization time of the master system specified in the
properties window of the CiR object is compatible with the CiR synchronization time of the
CPU.

Adding a CiR object on the DP or PA master system

If you want to add a CiR object in a DP or PA master system, proceed as follows:
1. Select the relevant master system in the upper part of the station window.
2. Open the "Hardware catalog" window.

CPU 410 Process Automation

166 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

3. Using drag-and-drop, move the associated CiR object from the hardware catalog onto the
master system. The CiR object then appears in the upper part of the station window as a
placeholder device. The CiR object has the following default values:
– Number of guaranteed additional devices: 15 on DP master system, 6 on PA master system
– Maximum number of additional devices: 45 DP devices, 36 PA devices
– Number of input bytes: 1220 for a DP master system, 80 for a PA master system
– Number of output bytes: 1220 for a DP master system, 80 for a PA master system
4. The default settings of the CiR objects are the same for all CPUs. For this reason, after
definition of a CiR object, you should check whether the CiR synchronization time of the
associated master system specified in the properties window of the CiR object is compatible
with the CiR synchronization time of the CPU.
5. If you want to change the number of additional devices and/or the number of input and
output bytes, proceed as follows:
Open the properties window of the CiR object (double-click the CiR object or select CiR object,
right-click and select "Object properties ..." or select CiR object and "Edit > Object
properties ...").
You can change the guaranteed number of additional devices. The lower part of the station
window displays the resulting bus parameters: Target Rotation Time, Typical Target Rotation
Time and watchdog time.
You can also change the number of input bytes and output bytes. To do so, select the
"Advanced settings" check box.

Adding a CiR module in a modular device of type ET 200M / ET 200iSP

For a modular device, proceed as follows:
1. Select the relevant device in the upper part of the station window.
2. Open the "Hardware catalog" window.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 167
Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

3. Using drag-and-drop, move the CiR module from the hardware catalog onto the slot directly
after the last configured module of the DP device in the lower part of the station window. (If
you automatically add CiR elements, this rule is automatically taken into account.) The CiR
module then appears in the lower part of the station window as a placeholder module.
The number of input bytes and output bytes are displayed in the properties window of the CiR
module.
4. For ET 200M stations, this is determined as follows:
– Number of input bytes = Number of free slots * 16
In an ET 200M station that contains only a CiR module, this value is thus 128 (if the CiR
object on the DP master system still has a sufficient number of free input and output
bytes).
– Number of output bytes = Number of free slots * 16
In an ET 200M station that contains only a CiR module, this value is thus 128 (if the CiR
object on the DP master system still has a sufficient number of free input and output
bytes).

Note
For ET 200iSP, a maximum of 244 input bytes and output bytes are available. You can find the
input and output bytes of the individual electronic modules in the ET 200iSP manual.

Downloading the configuration

After defining the CiR elements you download them with the CPU in STOP operating state.
A large number of modules can be used in the S7-400 automation system. To ensure that
none of the modules you are using will prevent a future CiR action, you must adhere to the
following procedure: Once you have downloaded the configuration in STOP operating state
of the CPU, immediately download it again to the CPU, but this time with the CPU in RUN
operating state. When this is done, STEP 7 and the CPU will check the CiR capability. With
older modules or modules from third-party manufacturers, this is not yet possible offline.

11.8.1.3 Deleting CiR Elements

Deleting all CiR elements

Note
The deletion of all CiR elements is only possible if a CiR object is present on the selected DP
master system.
The deletion of all CiR elements is not available on DP master systems that are downstream of
an IM 157.

If you want to delete all CiR elements in an existing DP master system, proceed as follows:
1. Select the relevant DP master system in the upper part of the station window.
2. In the Edit menu, select the "Master System > Deactivate CiR capability" command.

CPU 410 Process Automation

168 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

STEP 7 then deletes

• all CiR objects in lower-level PA master systems
• all CiR modules in modular devices
• the CiR object on the selected DP master system

Deleting an individual CiR element

If you want to delete the CiR object in a PA master system or the CiR module in a modular DP
device of type ET 200M / ET 200iSP, proceed as follows:
1. Select the CiR element to be deleted.
2. Select the Delete command in the shortcut menu or Edit menu.
If a DP master system has no more CiR elements besides the CiR object on this DP master
system, you can delete this CiR object with the same procedure.

11.8.2 Basic Procedure in RUN Mode

11.8.2.1 Overview

Overview
The following basic operating steps are available in RUN:
• Adding devices or modules
• Reconfiguring hardware when adding a device
• Changing the process image partition assignment
• Reassigning parameters of existing modules in ET 200M/ET 200iSP stations
• Undoing previously made changes (Undo functionality)
• Replacing devices or modules

Note
All system modifications described below require a CiR object on the relevant DP master system.
This also applies to addition and removal of slots of a device.
Back up your current configuration after each download of the station configuration from HW
Config (regardless of the CPU mode). This is the only way to ensure that you can continue
working with the backed up project in the event of an error (loss of data) without losing CiR
capability.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 169
Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

11.8.2.2 Adding devices or modules

Procedure
The addition of devices or modules in RUN mode involves the following operating steps:
1. Expand and download the configuration with HW Config.
2. Reconfigure the hardware.
3. Expand, test and download the user program.
You must adhere to this order of steps.

Rules
You must comply with the following rules when adding components:
• Within a modular DP device of type ET 200M / ET 200iSP, you may add a CiR module only in
the slot directly after the last configured module. (This rule is observed automatically if you
add CiR elements automatically.)
• Within a master system, you must assign an added device with a PROFIBUS address that is
higher than the highest assigned so far.
• In the case of ET 200iSP, you can only ever add or remove one module per station and
download.

11.8.2.3 Reconfiguring hardware when adding a device

Procedure
1. Terminate both ends of PROFIBUS DP and PROFIBUS PA bus cables with active bus terminating
elements in order to ensure proper termination of the cables while you are reconfiguring the
hardware.
2. When adding a device to a master system, make sure that no bus cables become
disconnected.
– One method of achieving this is to provide and wire additional bus connectors at the
future mounting positions on the master systems to be expanded. Connect the new
device to these bus connectors, if necessary.
– Another method is to provide repeaters or diagnostic repeaters. In this case, follow these
steps when adding a device:
Turn off the repeater function.
Connect the new device on the previously unused end of the repeater. In doing so,
observe the applicable installation guidelines (see Installation manual: S7-400 and
M7-400 Programmable Controllers Hardware and Installation).
Turn on the repeater function again.

CPU 410 Process Automation

170 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

11.8.2.4 change process image partition assignment

Procedure
You change the assignment of the process image partition of an existing module or a compact
device as follows:
1. Specify the new process image partition in the "Addresses" tab of the properties window of
the module or device.
2. Download the changed configuration with HW Config.

11.8.2.5 reconfigure existing modules in ET200M / ET200iSP stations

Procedure
The procedure for using previously free channels is described under Using a Previously Unused
Channel.
The procedure for reconfiguring already used channels of ET200M / ET200iSP modules is
described under Reconfiguring a Previously Used Channel or under Removing a Previously
Used Channel.

See also
Delete an already used channel. (Page 180)
Reconfiguring an already used channel. (Page 179)

11.8.2.6 Undo previous changes (Undo function):

Procedure
Undoing changes in RUN involves the following operating steps:
1. Undo the changes previously made in the user program (when necessary).
2. Then download the user program.
3. Remove added devices and modules from the configuration.
4. Download this configuration in RUN.
5. Reconfigure the hardware, if necessary.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 171
Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

Rules
You must comply with the following rules when undoing changes:
• Within a modular DP device of type ET 200M / ET 200iSP, you may remove modules only from
the bottom up (i.e. starting with the highest slot number).
• When removing devices within a master system, you must start with the device with the
highest PROFIBUS address. Then, continue as necessary with devices with a lower address.
Note
You can use a single download operation to remove devices or modules that you have added
using multiple downloads.
By removing a device or module from a configuration, you increase the available I/O volume.
The guaranteed and maximum number of devices available for future use increases where
appropriate.

11.8.2.7 Replacing devices or modules

Principle
The following rules apply: Devices or modules can either be added or removed with the
download of a configuration.
Replacement of a device or module with another device or module, respectively, with a
single download operation is thus not supported.

11.8.2.8 Using CiR Elements in RUN Mode

Introduction
This section describes how to expand an existing configuration and then download it.

Note
If you perform impermissible operations when adding real devices or modules to the
configuration, you are first notified about this by an error message when downloading the
configuration.
You should check for CiR capability after each plant change ("Station > Check CiR Capability" or
the shortcut CTRL+ALT+F).

CPU 410 Process Automation

172 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

Adding a DP or PA device
Process as follows to add a DP or PA device:
1. Open the "Hardware catalog" window.
2. Using drag-and-drop, move the device to be added from the hardware catalog onto the
appropriate CiR object in the upper part of the station window.
The added device then appears in the upper part of the station window. The name of the
added device is displayed on an orange background to indicate that the device has been
created from a CiR object.
Note
When a device is added, STEP 7 updates the guaranteed and maximum number of devices
and the number of input and output bytes of the associated CiR object.
We recommend selecting the station number of the added DP device as follows:
Station number of the added DP device = highest station number of all previously configured
DP devices + 1
If you select a higher station number for the added DP device, the guaranteed and maximum
number of DP devices that can still be added may be reduced by more than 1 under certain
circumstances.
If you add a CiR-capable modular DP device of type ET 200M / ET 200iSP, it contains a CiR
module from the outset.

Adding modules to a modular device of type ET 200M / ET 200iSP

Proceed as follows to add components in the modular device ET 200M / ET 200iSP:
1. Open the "Hardware catalog" window.
2. Using drag-and-drop, move the module to be added onto the appropriate CiR module in the
bottom part of the station window.
The module added then appears in the bottom part of the station window in the position that
was occupied by the CiR module. The CiR module is moved down a slot.
Note
When you add a module to an ET 200M / ET 200iSP station, STEP 7 updates the number of
input and output bytes of the corresponding CiR module.

The following figure shows the HW Config view after a module is moved to the CiR module:

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 173
Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

CPU 410 Process Automation

174 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.8 Procedure for PROFIBUS DP

Loading the configuration in RUN

A modified configuration is loaded in RUN in the following two steps:
1. Check that the current configuration can be loaded ("Station > Check CiR Capability").
2. Download the configuration to the CPU ("PLC > Download to module ...").
Note
When the configuration is loaded to the CPU, the INTF LED goes and off again and the EXTF
LED comes on permanently. You cannot start added the real stations or modules until the
INTF LED has gone out. The EXTF LED then goes out again (see "Behavior of the CPU after
download of the configuration in RUN").

Back up your current configuration after each download of the station configuration from HW
Config (regardless of the CPU mode). This is the only way to ensure that you can continue
working with the backed up project in the event of an error (loss of data) without losing CiR
capability.

11.8.2.9 Undoing Previous Changes

Principle
You can undo configuration changes that you have made and downloaded to the CPU previously
by removing the devices or modules you added at that time.
The following rules apply:
• Remove devices or modules from no more than 4 DP master systems.
• When removing devices within a DP or PA master system, you must start with the device with
the highest PROFIBUS address among the devices to be removed. Then continue with the
device with the next lower PROFIBUS address.
• When removing modules within a modular DP device of type ET 200M / ET 200iSP, you must
start with the module with the highest slot number among the slots to be removed. In the HW
Config view, this is the module at the very bottom. STEP 7 offers the following support for this
step: The module that you can remove next is entered in the bottom part of the station
window in standard font; all other modules are shown in italics.
You then continue with the module with the next lower slot number.

Procedure
1. Select the object you want to remove.
2. Select the "Delete" command in the shortcut menu or in the "Edit" menu.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 175
Plant changes in RUN - CiR
11.9 Reconfigure existing modules in ET200M / ET200iSP stations

3. Repeat steps 1 and 2 for the remaining objects you want to remove.
4. Download the modified configuration to your CPU.
Note
When a device is deleted, STEP 7 updates the guaranteed and maximum number of devices
and the number of input and output bytes of the associated CiR object.
When you delete a module in a modular device of type ET 200M / ET 200iSP, STEP 7 updates
the number of input and output bytes of the associated CiR module.

11.9 Reconfigure existing modules in ET200M / ET200iSP stations

11.9.1 Requirements for Reconfiguration

Note
You can use previously unused channels as well as re-configure previously used channels.
The addresses of existing modules may not be changed using CiR.

Requirement for configuration

Re-configuration requires an existing CiR object in the respective DP master system.

Hardware requirements
The modules (signal modules and function modules) of the ET 200M / ET 200iSP that can be re-
configured in RUN mode of the CPU are listed in the info text in the "Hardware catalog" window.
The maximum number of modules that can be re-configured is 100.

CPU 410 Process Automation

176 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.9 Reconfigure existing modules in ET200M / ET200iSP stations

11.9.2 Module Response During a Reconfiguration

Principle
During reconfiguration the input modules can respond in one of the three following ways:
• Channels not affected will continue to return the actual process value.
• Channels not affected will return the process value which was valid prior to the
reconfiguration.
• All channels will return the value "0" (applies to digital modules and FMs) or W#16#7FFF
(applies to analog modules).
Please refer to the technical data of the specific modules for information on their response.
Output modules respond as follows during reconfiguration:
The respective channels output the initial value which was valid before the parameter
assignment.

11.9.3 CPU response during reconfiguration

Re-configuration sequence
Once you have made the parameter changes in HW Config and have downloaded them to the
CPU in RUN mode, the CPU runs the tests described in "Behavior of the CPU after download of the
configuration in RUN". The input and output values have the status "OK" after successful re-
configuration.
You may only access those values in the process image that belong to the process image
partition of the OB currently being processed.
If the data records were transferred successfully, the DP master marks the modules as
available in the module status data. If the transfer was unsuccessful, the modules are marked
as not available. In the latter case, an I/O access error occurs when the module is accessed
(when the process image input is updated, the process image output is transferred to the
module or the module is directly accessed; depending on the type of access, OB 85 or OB 122
is started).
The input or output data of the modules behaves in the same way as after an insert module
interrupt, which means it may not yet be correct (because the module may not yet have
evaluated its data records). However, the restriction that data record SFCs for the modules
may no longer be active no longer applies.

Note
If, for example, the re-configuration of a module consists of disabling the diagnostic interrupt,
the module may still subsequently send an interrupt that it had already prepared at that time.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 177
Plant changes in RUN - CiR
11.9 Reconfigure existing modules in ET200M / ET200iSP stations

Possible error scenarios during re-configuration

The following error scenarios are possible:
• The module receives the parameter data records but cannot evaluate them.
• Serious errors (in particular protocol errors on the DP bus) may cause the DP master to
completely suspend the associated DP device, causing all modules of this station to fail.

Re-configuration dependency on CPU modes

Re-configuration takes place after SDB evaluation (see Behavior of the CPU after download of the
configuration in RUN) in RUN mode. The INTF-LED is on during re-configuration.
The re-configuration operation is interrupted at the transition to HOLD mode. The process is
continued when the CPU changes to STOP or RUN. In STOP only the calls of OB83 are stopped.
Re-configuration is aborted if there is a power failure. Once power is restored, all existing DP
stations are re-configured.

Coordination between master systems

The sequence
• OB 83 start (start event W#16#3367)
• Data record transfer
• OB 83 start (start event W#16#3267 or 3968)
may run in parallel in the master systems involved.

OB calls during re-configuration

Once the CPU has run the tests described in section "Behavior of the CPU after download of the
configuration in RUN", it starts OB 80 with the event W#16#350A. It then starts OB 83 with the
start event W#16#3367. This means that as of now the input or output data of the I/O modules
involved may no longer be correct. You may now no longer call any SFCs that trigger new jobs
for sending data records to the modules involved (for example, SFC 57 "PARM_MOD"), since a
conflict may otherwise occur between the data records sent by the system and those sent by the
user.
Once the CPU has completed OB 83, it sends the parameter data records, with each module
involved receiving the total number of data records (regardless of how many data records are
affected by your change).
Another OB 83 start follows (start event W#16#3267 if sending was successful, W#16#3968
if it was not). No other priority class is interrupted by this processing of OB 83.

CPU 410 Process Automation

178 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.9 Reconfigure existing modules in ET200M / ET200iSP stations

11.9.4 Reconfiguration Procedure

11.9.4.1 Using a Previously Unused Channel

Procedure
1. Change the hardware configuration and download it to the CPU.
2. Save your project.
3. Make the change to the wiring.
4. Change the user program and download it to the CPU.

11.9.4.2 Reconfiguring an already used channel.

Introduction
The procedure depends on whether or not changes to the user program and the associated
hardware are necessary due to the re-parameterization. The individual cases are described
below.

Procedure without change

The user program need not be changed as a result of re-parameterization. This is the case, for
example, when you change an alarm limit or when you disable the diagnostic interrupt.
• Change the hardware configuration and download it to the CPU.

Procedure for changing the user program

The user program need not be changed as a result of the re-parameterization. This is the case,
for example, when you change the measuring range for a channel of an analog input module
and when you compare the associated analog value with a constant in your program. The
constant must be adapted in this case.
1. Set the values of the channel being re-configured to simulation (in the associated driver).
2. Change the hardware configuration and download it to the CPU.
3. Save your project.
4. If necessary, adapt the user program to the changed channel and download it to the CPU.
Cancel the simulation for the re-configured channel (in the corresponding driver).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 179
Plant changes in RUN - CiR
11.9 Reconfigure existing modules in ET200M / ET200iSP stations

Procedure for changing the user program and the hardware

The user program and the hardware must be changed as a result of the re-parameterization. This
is the case, for example, when you re-configure an input channel from "0 to 20 mA" to "0 to 10 V".
1. Set the values of the channel being re-configured to simulation (in the associated driver).
2. Change the associated hardware.
3. Change the hardware configuration and download it to the CPU.
4. Save your project.
5. If necessary, adapt the user program to the changed channel and download it to the CPU.
Cancel the simulation for the re-configured channel (in the corresponding driver).

Procedure for changing the address area of the ET 200iSP electronic module
This is the case, for example, when you use IEEE values of a HART electronic module.
Follow these steps:
1. Set the values of the module being re-configured to simulation (in the associated driver).
2. Delete the module in the hardware configuration and download it to the CPU.
3. Insert the module once again and configure it for your configuration as needed.
4. Download the hardware configuration to the CPU.
5. Save your project.
6. If necessary, adapt the user program to the changed module and download it to the CPU.
7. Cancel the simulation for the re-configured module (at the associated driver).

11.9.4.3 Delete an already used channel.

Procedure
You do not need to change the hardware configuration if you no longer need a channel
previously used.
1. Change the user program so that the channel to be removed is no longer evaluated, and
download it to the CPU.
2. Change the hardware configuration and download it to the CPU.
3. Save your project.
4. Change the corresponding hardware (remove sensor or actuator, etc.).

CPU 410 Process Automation

180 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.10 Notes on Reconfiguration in RUN Mode Depending on the I/O

11.10 Notes on Reconfiguration in RUN Mode Depending on the I/O

11.10.1 Modules in IO devices of the type ET 200SP HA

Principle
If you are planning plant changes in RUN using CiR, pay attention to the following information
even during the planning phase of the ET 200SP HA stations:
• Select permitted CiR configurations for integration of the IO devices in the PROFINET
subsystem.
• Insert a sufficient number of slot covers for additional I/O modules in the IO device.
• If the total user data of the inputs and outputs exceeds 1000 bytes, the ET 200SP HA loses the
CiR capability.

Rules for plant changes during operation

• You may only add I/O modules directly behind the last existing I/O module or remove them
starting at the end of the existing I/O modules. A gap is not permitted in either case.
• You need at least two downloads to the CPU to replace an I/O module with an I/O module of a
different type for a configuration that already exists in the CPU:
– 1st download: The CPU receives the configuration that no longer contains the I/O modules
that are going to be removed.
– 2nd download: The CPU receives the configuration with the newly added I/O modules.

11.10.2 DP and PA devices

Principle
If you are planning system modifications during operation using CiR, you must ensure the
following when planning the system:
• For DP master systems, provide a sufficient number of branching points for spur lines or
isolating points (spur lines are not permitted when using a transmission rate of 12 Mbaud).
• You must configure ET 200M stations and DP/PA links with active backplane bus. Fit all the
bus modules required if possible, since bus modules must not be inserted or removed during
operation.
• You must fit all the terminal modules required for the ET 200iSP. Then fit all terminal modules
assigned to the reserve area with reserve modules.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 181
Plant changes in RUN - CiR
11.10 Notes on Reconfiguration in RUN Mode Depending on the I/O

• Terminate both ends of PROFIBUS DP and PROFIBUS PA bus cables with active bus terminating
elements in order to ensure proper termination of the cables while you are reconfiguring the
system.
• PROFIBUS PA bus systems should be configured with components from the SpliTConnect
product range so that disconnection of cables is not required.

Rules for the CiR operation

The station number you assign to a newly added DP device must be higher than the station
number of all previously configured DP devices.
Because the sum of the station number of the added DP device and the number of devices
that can still be added cannot exceed 125, we recommend selecting the station number of
the added DP device as follows:
Station number of the added DP device = highest station number of all previously configured
devices + 1
If you select a higher station number for the added DP device, the guaranteed and maximum
number of DP devices that can still be added may be reduced by more than 1 under certain
circumstances. The following example will illustrate this:
The highest station number of all previously configured devices is 115. The maximum
number of devices that can still be added is 10. If you assign the station number 118 to
the added device, the maximum number of devices that can still be added is then 7.

Addition of a PA device (field device) to an existing PA master system

PROFIBUS: DP master system

DP/PA link
DP/
IM PA-
157 Coup-
ler

PROFIBUS:
PA master system

PA-Device (field device)

PA-Device (field device)

Add

When configuring, the addition of a PA device after an existing DP/PA link is equivalent to the
addition of a module in a modular device.

CPU 410 Process Automation

182 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.10 Notes on Reconfiguration in RUN Mode Depending on the I/O

Addition of a DP/PA coupler with associated PA devices to an existing PA master system

PROFIBUS: DP master system

DP/PA link
DP/ DP/
IM PA- PA-
157 Coup- Coup-
ler ler

PROFIBUS:
PA master
system

PA-Device (field device)

Full configuration

PA-Device (field device)

The addition of a DP/PA coupler with associated PA devices after an existing DP/PA link is
equivalent to the addition of multiple PA devices (field devices) to an existing PA master
system.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 183
Plant changes in RUN - CiR
11.10 Notes on Reconfiguration in RUN Mode Depending on the I/O

Addition of a DP/PA link with PA master system

PROFIBUS: DP master system

DP/PA link

DP/
IM PA-
157 Coup-
ler

PA-Device (field device)

PA-Device (field device)

DP/PA link

DP/ DP/
IM PA- PA-
157 Coup- Coup-
ler ler

PA-Device (field device)

PA-Device (field device)

The addition of a DP/PA link with its associated PA master system is equivalent to the addition
of a DP device to an existing DP master system.

11.10.3 Modules in modular devices of type ET 200M

Principle
When you are planning systems during operation via CiR, you must observe the following
already at the planning stages:
• Install the ET 200M station with an active backplane bus.
• Always try to equip the station with the maximum number of bus modules, as you can not
insert or remove a bus module during runtime.

CPU 410 Process Automation

184 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.11 Effects on the process when re-configuring in RUN

Rules for System Modification During Runtime

• You may only add or remove modules immediately after the last existing module. Always
avoid gaps between modules.
• In order to replace a module with a module of a different type in an existing CPU
configuration, you must perform at least two downloads to the CPU: First, download the CPU
configuration that no longer contains the modules you are going to remove. Secondly,
download the configuration that contains the new modules.

11.10.4 Modules in modular devices of type ET 200iSP

Principle
When you are planning systems during operation via CiR, you must observe the following
already at the planning stages of the ET200iSP stations:
• Install the ET200iSP station completely with terminal modules and end module.
• Equip the ET200iSP from the interface module, starting with the necessary electronics
modules. Equip the remaining slots right up to the end module with the reserve modules.

Rules for System Modification During Runtime

Replace the reserve modules with the intended electronics modules. Start with the first reserve
module that is located on the lowest slot (right next to the last electronics module). In doing so
a gap may appear in each case, i.e. always replace just one reserve module with the electronics
module.

11.11 Effects on the process when re-configuring in RUN

11.11.1 Effects on Operating System Functions During the CiR Synchronization Time

Principle

Operating system function Effects

Process image update Locked.
The process image input and process image output are held at
their last value.
User program processing All priority classes are locked, which means no OBs are pro‐
cessed. However, all outputs are kept at their current value.
Any existing interrupt requirements are retained.
Currently occurring interrupts are only received by the CPU
once the SDB evaluation is complete.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 185
Plant changes in RUN - CiR
11.11 Effects on the process when re-configuring in RUN

Operating system function Effects

Time system The timers continue running.
The cycles for time-of-day interrupt, cyclic interrupt and time-
delay interrupt continue running but the interrupts themselves
are locked. They are only received after the SDB evaluation.
This means, for example, that only one interrupt can be added
for each cyclic interrupt.
Programming device operation Only the STOP command can be operated from the program‐
ming device.
This means data record jobs are not possible.
External SSL information Information functions are processed with a time delay.

11.11.2 Behavior of the CPU after download of the configuration in RUN

11.11.2.1 Overview

Sequence after download of the configuration in RUN

Once a modified configuration has been downloaded, CPU first checks whether your changes are
admissible. If they are, it evaluates the relevant system data.
This evaluation affects operating system functions such as process image updates and user
program processing. The details of these effects are set out below.
The fixed time for interpretation of system data by the CPU is referred to below as CiR
synchronization time.
The CPU enters the event W#16#4318 in the diagnostic buffer at the start and the event
W#16#4319 in the diagnostic buffer at the end of system data evaluation.

Note
If a Power Off occurs or the CPU switches to STOP during system data evaluation, only a warm
restart or cold restart is then possible.

The CPU then starts OB 80 with the event W#16#350A and enters the duration of evaluation
in the OB start information. This allows you to use this time in the control algorithms in your
cyclic interrupt OBs, for example.

Note
Always make sure that OB 80 has been loaded to your CPU. Otherwise, the CPU will switch to
STOP when an OB 80 start event occurs.

CPU 410 Process Automation

186 System Manual, 11/2022, A5E31622160-AE
 Plant changes in RUN - CiR
11.11 Effects on the process when re-configuring in RUN

11.11.2.2 Error displays

LED displays in re-configuration

At the start of the admissibility check until the end of the configuration data evaluation, the INTF
LED lights up. It continues to light up if modules are re-configured.
After completion of the CiR operation, a difference exists between the expected and actual
configuration (expected configuration has been changed once you have downloaded a
configuration modification to the controller) and the EXTF LED lights up. If you have added
devices during the configuration modification, the BUS1F or BUS2F LED flashes in addition. If
you have carried out the associated hardware changes, the EXTF, the BUS1F and the BUS2F
LEDs are dark again.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 187
Plant changes in RUN - CiR
11.11 Effects on the process when re-configuring in RUN

CPU 410 Process Automation

188 System Manual, 11/2022, A5E31622160-AE
Plant changes during redundant operation - H-CiR 12
12.1 The H-CiR wizard
The H-CiR wizard helps you with plant changes during redundant operation. It allows you to
download a modified configuration without interrupting operation.

Note
Using the H-CiR wizard
Use the H-CiR wizard for H-CiR operations. This minimizes the risk of inconsistencies and avoids
bumps during a plant change.

You access the H-CiR wizard in HW Config.

Proceed as follows:
1. Carry out the required changes/additions and update the configuration in HW Config
accordingly.
2. Click "Download to module" in HW Config.
3. Select "Download station configuration in RUN mode".
4. Select one of the redundant CPUs.
5. Select "Automatically continue".
This runs the first steps in the plant change process automatically.
6. Click "Continue".
– The CPU is selected
– The standby CPU may be switched to RUN by a warm restart.
– The required system data blocks are generated.
– The selected CPU is switched to RUN.
– The new hardware configuration is downloaded to the CPU.
7. Click "Continue".
– The system switches to the CPU with the modified configuration.
– The current standby CPU is switched to RUN.
8. Close the dialog box.

Note
Keep changes to a manageable level and do not make changes to multiple interfaces at the same
time.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 189
Plant changes during redundant operation - H-CiR
12.2 Replacing central components

12.2 Replacing central components

Which central components can be modified?

The following changes can be made to the hardware configuration during operation:
• Changing certain CPU parameters
• Re-configuring a module
• Assigning a module to another process image partition
• Upgrading the CPU version
• Upgrading to a higher product version or a current version of components used such as
external DP interface modules.
• Adding or removing modules in the CPU or expansion units (for example one-sided I/O
module).
Note
IM 460, IM 461 and CP 443-5 Extended
You can only add or remove the IM 460 and IM 461 interface modules, the external CP 443-5
Extended DP master interface module or the relevant connecting cables when the system is
de-energized.

Note
Signal modules in the CPU with substitute value capability
For signal modules with substitute value capability in a CPU, the minimum I/O hold time is
ineffective following a plant change. There is always a gap of 3 to 50 ms.

For all changes, please observe the rules for the assembly of an H station.

Changes to the hardware configuration

With a few exceptions, all elements of the configuration can be modified during operation.
Configuration changes will usually also affect the user program.
The following must not be changed by means of system modifications during runtime:
• Certain CPU parameters (for details, please refer to the relevant sections)
• The transmission rate (baud rate) of redundant DP master systems
• S7 and S7 H connections

Note
For a switched I/O: complete all changes to one of the redundant DP master systems or IO
controllers before you make changes to the second DP master system or IO controller.

CPU 410 Process Automation

190 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.3 Addition of interface modules

12.3 Addition of interface modules

You can only add the IM 460 and IM 461 interface modules, the external CP 443-5 Extended DP
master interface module or the relevant connecting cables when the system is de-energized.
De-energized means that the power supply for an entire subsystem must be switched off.
This is only possible without affecting the process if the subsystem in question is in STOP.

Procedure
1. Carry out the required changes/additions and update the configuration in HW Config
accordingly.
2. Click "Download to module" in HW Config.
3. Select "Download station configuration in RUN mode".
4. Select one of the redundant CPUs.
5. Select "Automatically continue".
The initial processing steps of the plant change are
performed automatically.
6. Click "Continue".
– The CPU is selected
– The standby CPU may be switched to RUN by a warm restart.
– The required system data blocks are generated.
– The selected CPU is switched to RUN.
– The new hardware configuration is downloaded to the CPU.
7. End the H-CiR wizard.
As you can only add the IM 460 and IM 461 interface modules, the external CP 443-5
Extended DP master interface module and the relevant connecting cables when the system
is de-energized, you can no longer use the H-CiR wizard from this point.
8. Proceed as follows if you want to expand the subsystem of what has been the standby CPU:
– Switch off the power supply to the standby subsystem.
– Insert the new IM460 in the CPU and establish the link to a new expansion unit
or
– Add a new expansion unit to an existing line
or
– Plug in the new external DP master interface and establish a new DP master system.
– Switch the power supply to the standby subsystem back on.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 191
Plant changes during redundant operation - H-CiR
12.4 Motivation for H-CiR on PROFINET IO

9. Switch to CPU with modified configuration.

– In SIMATIC Manager, select a CPU of the fault-tolerant system, then select "PLC > Mode"
from the menu.
– In the "Mode" dialog box, click "Switch to..."
– In the "Switch" dialog box, select "with modified configuration" and click on the "Switch"
button.
– Confirm the security prompt with "OK".
10.Proceed as follows if you want to expand the subsystem of the original master CPU (now in
STOP):
– Switch off the power supply to the standby subsystem.
– Insert the new IM460 in the CPU and establish the link to a new expansion unit
or
– Add a new expansion unit to an existing line
or
– Plug in the new external DP master interface and establish a new DP master system.
– Switch the power supply to the standby subsystem back on.
11.Transition to the redundant system state.
– In SIMATIC Manager, select a CPU of the fault-tolerant system, then select "PLC > Mode"
from the menu.
– In the "Mode" dialog box, select the standby CPU and click "Warm restart".
12.Change and download the user program (see Modify and download the user program
(Page 201))

12.4 Motivation for H-CiR on PROFINET IO

When it is possible to perform plant changes in process mode / RUN during redundant operation,
this enables a high availability of the plant.
The H-CiR procedure relies on already defined and implemented procedures of fault-tolerant
systems.
• From the perspective of the CPU, H-CiR adds the following functions to commissioning:
– Change of user programs in RUN mode
– Control of operating state transitions (startup, switchover, stop)
– FW update with the logical update method
• From the perspective of STEP 7, H-CiR adds the following functions to commissioning:
– Control of operating state transitions (switchover with "Start with...")

CPU 410 Process Automation

192 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.4 Motivation for H-CiR on PROFINET IO

System modifications during redundant operation - H-CiR for PN/IO

The table below shows the options of the distributed I/O for plant changes during redundant
operation:

H-CiR operation Basic support S1 configu‐ S2 configu‐ S2 configu‐ R1 configu‐ R1 configu‐

ration ration ration ration ration
Device not Device CIR- Device not Device CIR-
CIR-capa‐ capable CIR-capa‐ capable
ble ble
Add IO controller Yes No No No No No
Remove IO controller Yes No No No No No
Replace IO controller No No No No No No
Add IO device Yes Yes Yes Yes Yes Yes
Remove IO device Yes Yes Yes Yes Yes Yes
Replace IO device No No No No No No
Add PDEV submodule No No No No No No
Remove PDEV submodule No No No No No No
Replace PDEV submodule No No No No No No
Add submodule Yes No No Yes No Yes
Remove submodule Yes No No Yes No Yes
Replace submodule No No No No No No
Re-configure PDEV submodule Yes No No Yes No Yes
Re-configure submodule Yes No No Yes No Yes

Scope of validity
You can modify a plant during operation using H-CiR in plant units with distributed I/O. The
configuration in the figure below is one example. For the sake of clarity, it only includes one
PN/IO subsystem. These limitations do not exist in reality.
H-CiR assumes the following configuration:

6+ 6+

352),1(7

(763+$ (763+$

Figure 12-1 IO system with S2 devices

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 193
Plant changes during redundant operation - H-CiR
12.5 Permitted changes to PROFINET IO

Requirements
• Fault-tolerant system as 1oo2 system
• Redundant PNIO subsystems
• Connection of two switched IO devices with CiR capability that operate simple I/O
The following boundary conditions apply:
• A CPU operates no PNIO subsystems, one PNIO subsystem or multiple PNIO subsystems over
integrated interfaces to which no IO devices, one IO device or multiple IO devices are
connected

Synchronization link
For all hardware changes, make sure that the redundant controller is linked correctly.

12.5 Permitted changes to PROFINET IO

Plant changes during redundant operation - H-CiR for PN/IO

The list below shows the options of the distributed I/O for plant changes during redundant
operation:

Component Adding Removing Re-configuring

IO device X X  
I/O module in an IO device with CiR capability X X  
Parameters of I/O modules in an IO device with CiR ca‐ - - Possible
pability
Free channel in existing I/O module in an IO device with - - Possible
CiR capability
Port in an IO device with CiR capability - - Possible

Permitted configuration changes for PROFINET IO

The process introduced here supports the following changes to your AS:
• Adding and removing one-sided devices (only user-data-free switches).
• Adding and removing IO systems.
• Adding or removing an IO device.
The IO device does not need CiR capability for this step.
The station address in the PROFINET IO subsystem of an IO device that is removed in a H-CiR
operation must not be added back again in the same H-CiR operation.
Station addresses must not be changed.

CPU 410 Process Automation

194 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.6 Motivation for H-CiR on PROFIBUS DP

• Adding and removing I/O modules in the CiR-capable IO device.

An I/O module that is removed with H-CiR must not be replaced with a different I/O module
in the same H-CiR step.
However, it is possible to remove I/O modules in a H-CiR operation and to add I/O modules at a
different location.
• Changing parameters of I/O modules in the CiR-capable IO device.
• Changing parameters of the ports (PDEV submodules) or the interface, for example the
update time.
The device in question must have CiR capability for this step.
IO addresses that are removed in a H-CiR operation may not be added again in the same
H-CiR operation.

Restriction
All changes that are not explicitly permitted above as part of plant changes in RUN, are not
permitted during operation and are not explained in more detail here. These include, for
example,
• Change of CPU-properties.
• Change of properties of existing PROFINET IO subsystems.
• Change of the diagnostic address.
• Change of the following parameters of an IO device:
– Station address in the PROFINET IO subsystem
– Assignment to the IO controller

12.6 Motivation for H-CiR on PROFIBUS DP

In addition to the options described in Replacement of failed components during redundant
operation (Page 215) for replacing failed components in RUN, you can also make plant changes
with CPU 410 in redundant mode without interrupting the program that is running.
The procedure and scope depend on the operating mode of the CPU.
The procedures described below for making changes during operation are each created in
such a way that they start from the redundant system state (see Chapter The system states

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 195
Plant changes during redundant operation - H-CiR
12.6 Motivation for H-CiR on PROFIBUS DP

of the fault-tolerant system (Page 104)) and have as their objective a return to redundant
system state.

Note
Keep strictly to the rules described in this section with regard to modifications of the system in
runtime. If you contravene one or more rules, the response of the fault-tolerant system can
result in its availability being restricted or even failure of the entire automation system.
Only perform a system modification during operation if there is no redundancy error, i.e. if the
REDF LED is not lit. The automation system may otherwise fail.
The cause of a redundancy error is listed in the diagnostics buffer.

Safety-related components are not taken into account in this description.

Requirements
For switched I/O to be expanded during operation, the following points must be taken into
account already at the system planning stage:
• In both cables of a redundant DP master system, sufficient numbers of branching points are
to be provided for spur lines or isolating points (spur lines are not permitted for transmission
rates of 12 Mbps). These branching points can be spaced or implemented at any points that
can be accessed easily.
• Both cables must be uniquely identified so that the line which is currently active is not
accidentally cut off. This identification should be visible not only at the end points of a line,
but also at each possible new connection point. Different colored cables are especially
suitable for this.
• Modular DP device stations (ET 200M), DP/PA links and Y links must always be configured
with an active backplane bus and fitted with all the bus modules required wherever possible,
because the bus modules cannot be inserted and removed during operation.
• For the ET 200iSP, the configuration of the terminal modules should have sufficient reserves
and be fitted with unconfigured reserve modules.
• Always terminate both ends of PROFIBUS DP and PROFIBUS PA bus cables using active bus
terminating elements in order to ensure proper termination of the cables while you are
reconfiguring the system.
• PROFIBUS PA bus systems should be built up using components from the SpliTConnect
product range (see interactive catalog CA01) so that separation of the lines is not required.

Modifications to the user program and the connection configuration

The modifications to the user program and connection configuration can be loaded into the
target system in redundant system state.

CPU 410 Process Automation

196 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.7 Permissible changes to PROFIBUS DP

12.7 Permissible changes to PROFIBUS DP

How is hardware modified?

If the hardware components involved are suitable for removal or insertion under voltage, the
hardware reconfiguration can be carried out in the redundant system state. However, the H-
system must be temporarily switched to solo mode since downloading a modified hardware
configuration in redundant system state would cause the H-system to stop. In solo operation,
the process is then controlled by only one CPU while the desired configuration changes are made
to the other CPU.

Note
You can either remove or add modules during a hardware change. If you want to alter your fault-
tolerant system by removing some modules and adding others, you will need to make two
hardware changes.
If the I/O or diagnostic address of a device/module is to be changed, first remove the device/
module and then insert the device/module again with a new I/O or diagnostic address. This
means that two consecutive hardware changes need to be performed.

Synchronization link
For all hardware changes, make sure that the redundant controller is linked correctly.

Which distributed components can be modified?

The following changes can be made to the hardware configuration during operation:
• Adding or removing components of the distributed I/O such as
– DP devices with redundant interface module (e.g. ET 200M, ET 200iSP, DP/PA-Link or Y-
Link)
– One-sided DP devices (in any DP master system)
– Modules in modular DP devices (ET 200M and ET 200iSP)
– DP/PA couplers
– PA devices
• Upgrading to a higher product version or a current version of components used such as DP-
IMs.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 197
Plant changes during redundant operation - H-CiR
12.8 Adding components

Special features
When you use an IM 153-2, active bus modules can only be plugged in if the power supply is off.

Note
When using redundant I/O that you have implemented as one-sided I/O at the user level, you
must take the following into consideration:
During the connection and update following a system modification, the I/O of the previous
master CPU may be deleted from the process image for a short time before the (modified) I/O of
the "new" master CPU has been fully entered in the process image.
During the first update of the process image after a system modification, you may (incorrectly)
have the impression that the redundant I/O has failed completely or that a redundant I/O exists.
Correct evaluation of the redundancy status is therefore not possible until the process image has
been fully updated.
This does not apply to modules that have been enabled for redundant operation.

Preparations
To minimize the time during which the fault-tolerant system has to run in solo mode, please note
the following before starting a hardware change:
Modules which are plugged but not configured yet do not have any unwanted influence on
the process.

See also
Rules for H station assembly (Page 26)
Other options for connecting redundant I/Os (Page 341)
Connection of two-channel I/O to the PROFIBUS DP interface (Page 75)

12.8 Adding components

12.8.1 Adding components

The same procedure applies for adding components, irrespective of whether the distributed I/O
is connected over PROFIBUS DP or over PROFINET IO.

Initial situation
You have ensured that the CPU parameters (for example the monitoring times) are compatible
with the planned new program. You may first need to modify the CPU parameters (see Editing
CPU parameters (Page 209)).
The fault-tolerant system is operating in the redundant system state.

CPU 410 Process Automation

198 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.8 Adding components

Procedure
If you are planning to add an IO device using an H-CiR operation and the device does not support
PROFINET LLDP mode V2.3, make sure that "Force IEC V2.2 LLDP mode" is enabled from the
outset for the IO controller. Otherwise, you cannot add the IO device using H-CiR.
You can check which PROFINET LLDP mode supports an IO device and which PROFINET LLDP
mode is active for the IO controller in HW Config.
Follow the steps below to add hardware components to an H-system in SIMATIC PCS 7.
Details of each step are described in a subsection.

Step Action See section

1 Modify hardware Modify hardware (Page 199) 
2 Change hardware configuration offline Change hardware configuration offline (Page 200) 
3 Load configuration Opening the H-CiR wizard (Page 200)

Exceptions
This overall sequence for system modification does not apply in the following cases:
• For use of free channels on an existing module
• For adding interface modules

12.8.2 Modify hardware

Initial situation
The fault-tolerant system is operating in the redundant system state.

Procedure
1. Add the new components to the system.
– Insert new modules in existing modular DP stations
– Add new DP stations to existing DP master systems.
– Insert new I/O modules in existing IO devices.
– Add new IO devices to existing IO controllers.
2. Connect the required sensors and actuators to the new components.

Result
Inserting modules and I/O modules that are not yet configured does not affect the application.
The same applies if you add DP stations or IO devices.
The fault-tolerant system continues to operate in the redundant system state.
New components are not yet addressed.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 199
Plant changes during redundant operation - H-CiR
12.8 Adding components

12.8.3 Change hardware configuration offline

Starting situation
The fault-tolerant system is operating in redundant system mode.

Procedure
1. Perform all the modifications to the hardware configuration relating to the added hardware
offline. Assign appropriate icons to the new channels to be used.
2. Compile the new hardware configuration, but do not load it into the target system just yet.

Result
The modified hardware configuration is in the PG/ES. The target system continues operation
with the old configuration in redundant system mode.

Configuring connections
The interconnections with added CPs must be configured on both connection partners after you
complete the HW modification.

12.8.4 Opening the H-CiR wizard

The next steps, except for changing and loading the user program, are performed by the H-CiR
wizard.

Reaction of the I/O to the new master CPU

While the previous master CPU is still in STOP, the I/O reacts to the new master CPU as follows:

Type of I/O Switched I/O

Added I/O modules Configured and updated by the CPU.
I/O modules still available Continues working without interruption.
Added DP stations Like added I/O modules (see above)
1)
CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding
values).

CPU 410 Process Automation

200 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.8 Adding components

Reaction of the I/O to entering redundant mode

The fault-tolerant system is in redundant mode with the new configuration. The I/O reacts as
follows:

Type of I/O Switched I/O

Added I/O modules Updated by the CPU.
I/O modules still available Continue working without interruption.
1) CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding
values).

Reaction to exceeding the monitoring times

When one of the monitored timers exceeds the configured maximum value, the update is
aborted and no master switchover is performed. The H system remains in solo mode with the
previous master CPU and attempts to later perform the master switchover under certain
conditions. For details, refer to the section Time monitoring (Page 114).

12.8.5 Modify and download the user program

Starting situation
The H system is operating with the new hardware configuration in redundant system state.

Procedure
1. Adapt the program to the new hardware configuration. You can add the following
components:
– CFC and SFC charts
– Blocks in existing charts
– Connections and parameter settings
2. Configure the added channel drivers and connect them to the newly assigned symbols (see
section Change hardware configuration offline (Page 200)).
3. In SIMATIC Manager, select the charts folder and choose the "Options > Charts > Generate
Module Drivers" menu command.
4. Compile only the modifications in the charts and download them to the target system.
5. Configure the interconnections for the new CPs on both communication partners and
download them to the target system.

Result
The H system operates all plant hardware with the new user program in redundant system state.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 201
Plant changes during redundant operation - H-CiR
12.8 Adding components

12.8.6 Use of free channels on an existing module

The use of previously free channels of an I/O module depends mainly on the fact if the module
can be configured or not.

Non-configurable modules
Free channels can be switched and used in the user program at any time in case of non-
configurable modules.

Configurable modules
The hardware configuration first has to be matched to the used sensors or actuators for
configurable modules. This step usually requires a new configuration of the entire module in
most cases.
This means an uninterrupted operation of the respective modules is no longer possible:
• One-sided output modules briefly output 0 during this time (instead of the configured
substitute or hold values).
• Modules in switched DP stations are not reconfigured when you switch over to the CPU with
the modified configuration.
Proceed as follows to change the channel use:
• First, the affected module is completely removed from the hardware configuration and the
user program. But it can remain inserted in the DP station. The module drivers must not be
removed.
• After this, the module with the modified use is added again to the hardware configuration
and the user program.
Note
Between these two switchover actions, affected modules are not accessed; affected output
modules have a value of 0. The signals of the previously used channels of the modules retain
their values.
If this behavior is unacceptable for the process to be controlled, there is no other way to use
previously free channels. In this case you must install additional modules to expand the
system.

CPU 410 Process Automation

202 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.9 Removal of components

12.9 Removal of components

12.9.1 Removal of components

Initial situation
You have ensured that the CPU parameters (for example, the monitoring times) are compatible
with the planned new program. You may first need to modify the CPU parameters (see Editing
CPU parameters (Page 209)).
The modules to be removed and their connected sensors and actuators are no longer of
any significance to the process being controlled. The fault-tolerant system is operating in the
redundant system state.

Procedure
Follow the steps below to remove hardware components from a fault-tolerant system in SIMATIC
PCS 7. Details of each step are described in a subsection.

Step Action See section

1 Change hardware configuration offline Change hardware configuration offline (Page 203) 
2 Modify and download the user program Modify and download the user program (Page 205)
3 Open the H-CiR wizard Opening the H-CiR wizard (Page 205) 
4 Modify hardware AUTOHOTSPOT 

Exceptions
This procedure for plant changes does not apply for removing interface modules.

12.9.2 Change hardware configuration offline

Starting situation
The fault-tolerant system is operating in the redundant system state.

Procedure
1. Perform offline only the configuration modifications relating to the hardware being removed.
As you do, delete the icons to the channels that are no longer used.
2. Compile the new hardware configuration but do not yet download it to the PLC.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 203
Plant changes during redundant operation - H-CiR
12.9 Removal of components

Result
The modified hardware configuration is available in the PG/ES. The target system continues
operation with the old configuration in redundant system mode.

CPU 410 Process Automation

204 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.9 Removal of components

12.9.3 Modify and download the user program

Starting situation
The fault-tolerant system is operating in redundant system mode.

CAUTION
The following program modifications are not possible in redundant system mode and result in
the system mode Stop (both CPUs in STOP mode):
• Structural modifications to an FB interface or the FB instance data.
• Structural modifications to global DBs.
• Compression of the CFC user program.
Before the entire program is recompiled and reloaded due to such modifications the parameter
values must be read back into the CFC, otherwise the modifications to the block parameters
could be lost. You will find more detailed information on this topic in the CFC for S7, Continuous
Function Chart manual.

Procedure
1. Edit only the program elements related to the hardware removal. You can delete the
following components:
– CFCs and SFCs
– Blocks in existing charts
– Channel drivers, interconnections and parameter settings
2. In SIMATIC Manager, select the charts folder and choose the "Options > Charts > Generate
Module Drivers" menu command.
This removes the driver blocks that are no longer required.
3. Compile only the modifications in the charts and download them to the target system.
Note
Until an FC is called the first time, the value of its output is undefined. This must be taken into
account in the interconnection of the FC outputs.

Result
The fault-tolerant system continues to operate in redundant system mode. The modified user
program will no longer attempt to access the hardware being removed.

12.9.4 Opening the H-CiR wizard

The next steps, except for the conversion of the hardware, are performed by the H-CiR wizard.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 205
Plant changes during redundant operation - H-CiR
12.9 Removal of components

Reaction of the I/O to the new master CPU

While the previous master CPU is still in STOP, the I/O reacts to the new master CPU as follows:

Type of I/O One-sided I/O of the pre‐ One-sided I/O of the new Switched I/O
vious master CPU master CPU
The I/O modules to No longer accessed by the CPU.
be removed1) Driver blocks are no longer available.
I/O modules still No longer accessed by the Newly configured2) and Continue working with‐
available CPU. updated by the CPU. out interruption.
Output modules have the
configured substitute or
holding values.
The DP stations to like I/O modules to be removed (see above)
be removed
1) No longer included in the hardware configuration, but still plugged
2) CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding
values).

Reaction of the I/O to entering redundant mode

The fault-tolerant system is in redundant mode with the new configuration. The I/O reacts as
follows:

Type of I/O One-sided I/O of the re‐ One-sided I/O of the mas‐ Switched I/O
serve CPU ter CPU
The I/O modules to No longer accessed by the CPU.
be removed1) Driver blocks are no longer available.
I/O modules still Newly configured2) and Continue working without interruption.
available updated by the CPU.
The DP stations to like I/O modules to be removed (see above)
be removed
1) No longer included in the hardware configuration, but still plugged
2) CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding
values).

Reaction to exceeding the monitoring times

When one of the monitored timers exceeds the configured maximum value, the update is
aborted and no master switchover is performed. The H system remains in solo mode with the
previous master CPU and attempts to later perform the master switchover under certain
conditions. For details, refer to the section Time monitoring (Page 114).

CPU 410 Process Automation

206 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.9 Removal of components

12.9.5 Modify hardware

Starting situation
The fault-tolerant system is operating with the new hardware configuration in the redundant
system state.

Procedure
1. Disconnect all the sensors and actuators from the components you want to remove.
2. Unplug modules of the one-sided I/Os that are no longer required from the racks.
3. Unplug components that are no longer required from the modular DP stations or IO devices.
4. Remove DP stations that are no longer required from the DP master systems, or IO devices
that are not required from the IO systems.
Note
With switched I/O: Complete all changes to one line of the redundant DP master system or IO
controller before you make changes to the second line.

Result
Unplugging modules and I/O modules that have been removed from the configuration does not
affect the user program. The same applies if you remove DP stations or IO devices.
The fault-tolerant system continues to operate in the redundant system state.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 207
Plant changes during redundant operation - H-CiR
12.9 Removal of components

12.9.6 Removal of interface modules

Always switch off the power before you remove the IM460 and IM461 interface modules,
external CP 443-5 Extended DP master interface module, and their connecting cables.
Always switch off power to an entire subsystem. To ensure that this does not influence the
process, always set the subsystem to STOP before you do so.

Procedure
1. Carry out the required changes/additions and update the configuration in HW Config
accordingly.
2. Click "Download to module" in HW Config.
3. Select "Download station configuration in RUN mode".
4. Select one of the redundant CPUs.
5. Select "Automatically continue".
The initial processing steps of the plant change are
performed automatically.
6. Click "Continue".
– The CPU is selected
– The standby CPU may be switched to RUN by a warm restart.
– The required system data blocks are generated.
– The selected CPU is switched to RUN.
– The new hardware configuration is downloaded to the CPU.
7. End the H-CiR wizard.
As you can only add the IM 460 and IM 461 interface modules, the external CP 443-5
Extended DP master interface module and the relevant connecting cables when the system
is de-energized, you can no longer use the H-CiR wizard from this point.
8. Follow the steps below to remove an interface module from the subsystem of the standby
CPU:
– Switch off the power supply of the standby subsystem.
– Remove an IM460 from the central unit.
or
– Remove an expansion unit from an existing line.
or
– Remove an external DP master interface module.
– Switch on the power supply of the standby subsystem again.

CPU 410 Process Automation

208 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.10 Editing CPU parameters

9. Switch to CPU with modified configuration.

– In SIMATIC Manager, select a CPU of the fault-tolerant system, then select "PLC > Mode"
from the menu.
– In the "Mode" dialog box, click "Switch to..."
– In the "Switch" dialog box, select "with modified configuration" and click on the "Switch"
button.
– Confirm the security prompt with "OK".
10.Proceed as follows to remove an interface module from the subsystem of the original master
CPU (currently in STOP mode):
– Switch off the power supply of the standby subsystem.
– Remove an IM460 from the central unit.
or
– Remove an expansion unit from an existing line.
or
– Remove an external DP master interface module.
– Switch on the power supply of the standby subsystem again.
11.Transition to the redundant system state.
– In SIMATIC Manager, select a CPU of the fault-tolerant system, then select "PLC > Mode"
from the menu.
– In the "Mode" dialog box, select the standby CPU and click "Warm restart".
12.Change and download the user program (see Modify and download the user program
(Page 205))

12.10 Editing CPU parameters

12.10.1 Editing CPU parameters

Only certain CPU parameters (object properties) can be edited in operation. These are
highlighted in the screen forms by blue text (if you have set blue as the color for dialog box text
on the Windows Control Panel, the editable parameters are indicated in black characters).

Note
If you edit any protected parameters, the system will reject any attempt to changeover to the CPU
containing those modified parameters. The event W#16#5966 is written to the diagnostic
buffer. and you will then have to restore the wrongly changed parameters in the parameter
configuration to their last valid values.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 209
Plant changes during redundant operation - H-CiR
12.10 Editing CPU parameters

Table 12-1 Modifiable CPU parameters

Tab Editable parameter

Startup Monitoring time for signaling readiness by modules
  Monitoring time for transferring parameters to modules
Cycle/clock memory Cycle load due to communication
Memory Local data for the individual priority classes
Time-of-day interrupts (for each time-of- "Active" check box
day interrupt OB)
  "Execution" list box
  Starting date
  Time
Cyclic interrupt (for each cyclic interrupt Execution
OB)
  Phase offset
Diagnostics/clock Correction factor
Security Security level and password
H parameter Test cycle time
  Maximum cycle time extension
  Maximum communication delay
  Maximum inhibit time for priority classes > 15
  Minimum I/O retention time

The selected new values should match both the currently loaded and the planned new user
program.

Initial situation
The fault-tolerant system is operating in redundant system mode.

Procedure
To edit the CPU parameters of a fault-tolerant system, follow the steps outlined below. Details
of each step are described in a subsection.

Step Action See section

1 Editing CPU parameters offline Changing CPU parameters offline (Page 210) 
2 Open the H-CiR wizard Opening the H-CiR wizard (Page 211) 

12.10.2 Changing CPU parameters offline

Initial situation
The fault-tolerant system is operating in redundant system mode.

CPU 410 Process Automation

210 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.10 Editing CPU parameters

Procedure
1. Edit the relevant CPU properties offline in HW Config.
2. Compile the new hardware configuration but do not yet download it.

Result
The changed hardware configuration is on the programming device / ES. The target system
continues operation with the old configuration in redundant system mode.

12.10.3 Opening the H-CiR wizard

Reaction of the I/O to the new master CPU

While the previous master CPU is still in STOP, the I/O reacts to the new master CPU as follows:

Type of I/O One-sided I/O of the previous One-sided I/O of the new mas‐ Switched I/O
master CPU ter CPU
I/O modules No longer accessed by the CPU. Newly configured1) and updated Continue working without inter‐
Output modules have the con‐ by the CPU. ruption.
figured substitute or holding val‐
ues.
1) CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding values).

Reaction of the I/O to entering redundant mode

The fault-tolerant system is in redundant mode with the new configuration. The I/O reacts as
follows:

Type of I/O One-sided I/O of the reserve One-sided I/O of the master Switched I/O
CPU CPU
I/O modules Newly configured1) and updated Continue working without interruption.
by the CPU.
1) CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding values).

Reaction to exceeding the monitoring times

When one of the monitored timers exceeds the configured maximum value, the update is
aborted and no master switchover is performed. The H system remains in solo mode with the
previous master CPU and attempts to later perform the master switchover under certain
conditions. For details, refer to the section Time monitoring (Page 114).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 211
Plant changes during redundant operation - H-CiR
12.11 Re-parameterization of a module

12.11 Re-parameterization of a module

12.11.1 Re-configuring a module/PDEV submodule

Refer to the information text in the "Hardware Catalog" window to determine which modules
(signal modules and function modules) can be reconfigured during ongoing operation. The IO
device must have CiR capability. The specific reactions of individual modules are described in the
respective technical documentation.
PDEV submodules are interface and ports. Neighborhood relations, for example, can be
reconfigured on the ports. The IO device must have CiR capability for this.

Note
If you edit any protected parameters, the system will reject any attempt to changeover to the CPU
containing those modified parameters. In this case, the event W#16#5966 is entered in the
diagnostic buffer for PROFIBUS DP and the events W#16#3x5A and W#16#3x5AB for PROFINET
IO. and you will then have to restore the wrongly changed parameters in the parameter
configuration to their last valid values.

The selected new values must match the current and the planned user program.

Initial situation
The fault-tolerant system is operating in the redundant system state.

Procedure
Follow the steps below to change the parameters of modules or PDEV submodules in a fault-
tolerant system. Details of each step are described in a subsection.

Step Action See section

1 Editing parameters offline Editing parameters offline (Page 212) 
2 Open the H-CiR wizard Opening the H-CiR wizard (Page 213)

12.11.2 Editing parameters offline

Starting situation
The fault-tolerant system is operating in redundant system mode.

Procedure
1. Edit the module parameters offline in HW Config.
2. Compile the new hardware configuration, but do not load it into the target system just yet.

CPU 410 Process Automation

212 System Manual, 11/2022, A5E31622160-AE
 Plant changes during redundant operation - H-CiR
12.11 Re-parameterization of a module

Result
The modified hardware configuration is in the PG/ES. The target system continues operation
with the old configuration in redundant system mode.

12.11.3 Opening the H-CiR wizard

The H-CiR wizard takes over the next step.

Reaction of the I/O to the new master CPU

While the previous master CPU is still in STOP, the I/O reacts to the new master CPU as follows:

Type of I/O One-sided I/O of the previous One-sided I/O of the new mas‐ Switched I/O
master CPU ter CPU
I/O modules No longer accessed by the CPU. Newly configured1) and updated Continue working without inter‐
Output modules have the con‐ by the CPU. ruption.
figured substitute or holding val‐
ues.
1) CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding values).

Reaction of the I/O to entering redundant mode

The fault-tolerant system is in redundant mode with the new configuration. The I/O reacts as
follows:

Type of I/O One-sided I/O of the reserve One-sided I/O of the master Switched I/O
CPU CPU
I/O modules Newly configured1) and updated Continue working without interruption.
by the CPU.
1) CPUs are also first reset. Output modules briefly have 0 (instead of the configured substitute or holding values).

Reaction to exceeding the monitoring times

When one of the monitored timers exceeds the configured maximum value, the update is
aborted and no master switchover is performed. The H system remains in solo mode with the
previous master CPU and attempts to later perform the master switchover under certain
conditions. For details, refer to the section Time monitoring (Page 114).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 213
Plant changes during redundant operation - H-CiR
12.11 Re-parameterization of a module

CPU 410 Process Automation

214 System Manual, 11/2022, A5E31622160-AE
Replacement of failed components during
redundant operation 13
Note
Components in redundant mode
Only components with the same product version, the same article number and the same version
can be operated redundantly.
If a component is no longer available as spare part, you must replace both components so that
this condition is met once again.

13.1 Replacement of central components

13.1.1 Replacement of a CPU during redundant operation

Starting situation for replacement of the CPU

Failure How does the system react?

The S7-400H is in redundant system mode and • The partner CPU switches to single mode.
a CPU fails. • The partner CPU reports the event in the diag‐
nostic buffer and in OB 72.

Requirements for replacement

The module replacement described below is possible only if the "new" CPU
• has the same operating system version as the failed CPU and
• if it is equipped with the same system expansion card as the failed CPU.

Note
New CPUs are always shipped with the latest operating system version. If this differs from the
version of the operating system of the remaining CPU, you will have to equip the new CPU with
the same version of the operating system. Download the required operating system via HW
Config with "PLC -> Update Firmware", see chapter Updating firmware in stand-alone operation
(Page 140).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 215
Replacement of failed components during redundant operation
13.1 Replacement of central components

CAUTION
Caution when replacing a CPU
If you reuse a CPU that has previously been used at a different location, ensure that the contents
backed up in the load memory cannot pose a hazard at the new point of use. Reset the CPU to
factory settings if its previous use is unknown.
See Resetting the CPU 410 to delivery condition (reset to factory setting) (Page 136)

Procedure

Note
Replacing an SEC
You can replace an SEC by following the same procedure as described above. Here you do not
replace the CPU in step 2, but replace the SEC with an SEC of the same size and then reinstall the
CPU.

Follow the steps below to replace a CPU:

Step What to do? How does the system react?

1 Turn off the power supply module. • The entire subsystem is switched off (sys‐
tem operates in single mode).
2 Replace the CPU. Make sure the rack number is –
set correctly on the CPU.
3 Insert the synchronization modules. –
4 Plug in the fiber-optic cable connections of the –
synchronization modules.
5 Switch the power supply module on again. • CPU runs the self-tests and changes to
STOP.
6 Perform a CPU memory reset on the replaced –
CPU.
7 Start the replaced CPU (for example, STOP-RUN • The CPU performs an automatic LINK-UP
or Start using the PG). and UPDATE.
• The CPU changes to RUN and operates as
the standby CPU.

CPU 410 Process Automation

216 System Manual, 11/2022, A5E31622160-AE
 Replacement of failed components during redundant operation
13.1 Replacement of central components

CAUTION
Wiring synchronization modules crosswise
If you wire synchronization modules crosswise, i.e. the IF1 interface of the first CPU with the IF2
interface of the second CPU and vice versa, the two CPUs take over the master role and the
system will now function properly. The LEDs IFM 1 and IFM 2 are lit on both CPUs.
Make sure that you connect the IF1 interface of the first CPU with the IF1 interface of the second
CPU and the IF2 interface of the first CPU with the IF2 interface of the second CPU when you
replace the CPU. Mark the fiber-optic cables before the replacement, if necessary.

13.1.2 Replacement of a power supply module

Starting situation
Both CPUs are in RUN.

Failure How does the system react?

The S7-400H is in redundant system mode and a • The partner CPU switches to single mode.
power supply module fails. • The partner CPU reports the event in the diag‐
nostic buffer and in OB 72.

Procedure
Proceed as follows to replace a power supply module in the central rack:

Step What to do? How does the system react?

1 Turn off the power supply (24 V DC for PS 405 • The entire subsystem is switched off (sys‐
or 120/230 V AC for PS 407). tem operates in single mode).
2 Replace the module. –
3 Switch the power supply module on again. • The CPU executes the self-tests.
• The CPU performs an automatic LINK-UP
and UPDATE.
• The CPU changes to RUN (redundant sys‐
tem mode) and operates as reserve CPU.

Note
Redundant power supply
If you use a redundant power supply with two PS 407 10A R or PS 405 10A R, two power supply
modules are assigned to one fault-tolerant CPU. The associated CPU continues to run if one of
the redundant power supply modules fails. The defective part can be replaced during operation.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 217
Replacement of failed components during redundant operation
13.1 Replacement of central components

Other power supply modules

If the failure concerns a power supply module outside the central rack (e.g. in the expansion rack
or in the I/O device), the failure is reported as a rack failure (central) or station failure (remote).
In this case, simply switch off the power supply to the power supply module concerned.

13.1.3 Replacement of an input/output module or function module

Starting situation

Failure How does the system react?

The CPU 410-5H is in redundant system mode and • Both CPUs report the event in the diagnostic
an input/output or function module fails. buffer and via appropriate OBs.

Procedure

CAUTION
Note the different procedures.
Minor injury or damage to equipment is possible.
The procedure for replacing and input/output or function module differs for modules of the
S7-300 and S7-400.
Use the correct procedure when replacing a module. The correct procedure is described below
for the S7-300 in Chapter Replacement of components of the distributed I/O on PROFIBUS DP
(Page 224).

To replace signal and function modules of an S7-400, perform the following steps:

Step What to do? How does the system react?

1 Disconnect the module from its peripheral  
power supply, if necessary.
2 Disconnect the front connector and wiring. • If the affected module can generate diag‐
nostic interrupts and if diagnostic inter‐
rupts are enabled as per configuration, a
diagnostic interrupt is generated.
• Call OB 122 if you are accessing the mod‐
ule by direct access
• Call OB 85 if you are accessing the mod‐
ule using the process image
3 Remove the failed module (in RUN mode). • Both CPUs generate a remove/insert
interrupt and enter the event in the diag‐
nostic buffer and the system status list.

CPU 410 Process Automation

218 System Manual, 11/2022, A5E31622160-AE
 Replacement of failed components during redundant operation
13.1 Replacement of central components

Step What to do? How does the system react?

4 Insert the new module. • Both CPUs generate a remove/insert
interrupt and enter the event in the diag‐
nostic buffer and the system status list.
• Parameters are assigned automatically to
the module by the CPU concerned and
the module is addressed again.
5 Plug the front connector into the new mod‐ • If the affected module can generate diag‐
ule. nostic interrupts and if diagnostic inter‐
rupts are enabled as per configuration, a
diagnostic interrupt is generated.

13.1.4 Replacement of a communication module

This section describes the failure and replacement of communication modules for PROFIBUS and
Industrial Ethernet.
The failure and replacement of communication modules for PROFIBUS DP is detailed in
Replacement of a PROFIBUS DP master (Page 225).

Starting situation

Failure How does the system react?

The S7-400H is in redundant system mode and a • Both CPUs report the event in the diagnostic
communication module fails. buffer and via appropriate OBs.
• In communication via standard connections:
Connection failed
• In communication via redundant connections:
Communication is maintained without inter‐
ruption over an alternate channel.

Procedure
Proceed as follows to replace a communication module for PROFIBUS or Industrial Ethernet:

Step What has to be done? How does the system react?

1 Remove the module. • Both CPUs process the swapping interrupt
OB 83 synchronized with each other.
2 Insert the new module. • Both CPUs process the swapping interrupt
OB 83 synchronized with each other.
• The module is automatically configured by
the appropriate CPU.
3 Turn the module back on. • The module resumes communication (sys‐
tem establishes communication connec‐
tion automatically).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 219
Replacement of failed components during redundant operation
13.1 Replacement of central components

13.1.5 Replacement of synchronization module or fiber-optic cable

In this section, you will see three different error scenarios:
• Failure of a synchronization module or fiber-optic cable
• Successive failure of both synchronization modules or fiber-optic cables
• Simultaneous failure of both fiber-optic cables
The CPU indicates by means of LEDs and diagnostics whether the lower or upper redundant
link has failed. After the defective parts (fiber-optic cable or synchronization module) have
been replaced, LEDs IFM1F and IFM2F must go out.
If one of the IFM LEDs continues to be lit even after you have replaced the relevant
synchronization modules, the synchronization cables and even the standby CPU, there is
an error in the master CPU. In this case, you can, however, switch to the standby CPU by
selecting the "via only one intact redundancy link" option in the "Switch" STEP 7 dialog box.

Initial situation

Failure How does the system react?

Failure of a fiber-optic cable or synchronization • Master CPU reports the event in the diagnostic
module: buffer and through OB 72 or OB 82.
The S7-400H is in the redundant system state and a • The standby CPU switches to ERROR-SEARCH
fiber-optic cable or synchronization module fails. operating state for a few minutes. If the error is
eliminated during this time, the standby CPU
switches to redundant system mode, otherwise
it switches to STOP.
• One of the two LEDs Link1 OK or Link2 OK is lit
One of the two LEDs IFM1F or IFM2F is lit

Procedure
Follow the steps below to replace a fiber-optic cable:

Step Action How does the system react?

1 Look for the cause of the error along the path -
for which the IFMxF LEDs are lit on both CPUs:
IFM1F: Upper sync modules in CPU rack 0 or
rack 1 or corresponding synchronization cable.
IFM2F: Lower sync modules in CPU rack 0 or
rack 1 or corresponding synchronization cable.
First, check the fiber-optic cable.
2 If the fiber-optic cable is defective, replace it. The IFMxF LEDs on both CPUs go out.

CPU 410 Process Automation

220 System Manual, 11/2022, A5E31622160-AE
 Replacement of failed components during redundant operation
13.1 Replacement of central components

Follow the steps below to replace a synchronization module:

Step Action How does the system react?

1 Replace the synchronization module on the -
CPU on which the LED Linkx-OK is still lit.
2 Plug in the fiber-optic cable connections of the • The LEDs IFMxF go out.
synchronization modules. If the LED should not go out, you must
replace the synchronization module on
the other CPU.
• Both CPUs report the event in the diag‐
nostic buffer
3 Start the standby CPU The system status now changes to Redun‐
dant mode.

Initial situation

Failure How does the system react?

Simultaneous failure of both fiber-optic cables • Both CPUs report the event in the diagnostic
The S7-400H is in the redundant system state buffer and via OB 72.
and both fiber-optic cables fail. • Both CPUs become master CPU and remain in
RUN.
• The LEDs IFM1F and IFM2F are lit on both CPUs.

Procedure
The described double fault results in loss of redundancy and partial or complete failure of
switched DP or PN I/O. In this event proceed as follows:

Step Action How does the system react?

1 Switch off one subsystem. -
2 Replace the faulty components. -
3 Turn the subsystem back on. • LEDs IFM1F and IFMF2F go off. The LED
MSTR of the switched on subsystem goes
out.
4 Start the CPU. • The CPU performs an automatic LINK-UP
and UPDATE.
• The CPU switches to RUN (redundant sys‐
tem state) and operates as standby CPU.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 221
Replacement of failed components during redundant operation
13.2 Replacement of components of the distributed I/O on PROFINET IO

13.1.6 Replacement of an IM 460 and IM 461 interface module

Starting situation

Failure How does the system react?

The S7-400H is in redundant system mode and an • The connected expansion unit is turned off.
interface module fails. • Both CPUs report the event in the diagnostic
buffer and via OB 86.

Procedure
Follow the steps below to replace an interface module:

Step What has to be done? How does the system react?

1 Turn off the power supply of the central rack. • The partner CPU switches to single mode.
2 Turn off the power supply of the expansion –
unit in which you want to replace the inter‐
face module.
3 Remove the interface module. –
4 Insert the new interface module and turn the –
power supply of the expansion unit back on.
5 Switch the power supply of the central unit • The CPU performs an automatic LINK-UP
back on and start the CPU. and UPDATE.
• The CPU changes to RUN and operates as
the reserve CPU.

13.2 Replacement of components of the distributed I/O on PROFINET

IO

13.2.1 Replacement of a PROFINET IO device

Starting situation

Failure How does the system react?

The S7-400H is in the redundant system state and Both CPUs signal the event in the diagnostics buffer
an IO device fails. and via a corresponding OB.

CPU 410 Process Automation

222 System Manual, 11/2022, A5E31622160-AE
 Replacement of failed components during redundant operation
13.2 Replacement of components of the distributed I/O on PROFINET IO

Procedure
Proceed as follows to change an IO device:

Step What to do? How does the system react?

1 Switch off the power supply to the IO device. OB 86 and OB85 are called, the LED REDF
lights up, the corresponding LED BUSxF flash‐
es.
2 Unplug the connected RJ45 connector. -
3 Change the IO device. -
4 Plug the RJ45 connector back in and switch • The CPUs process the rack failure OB 86
the power supply back on. synchronously (outgoing event)
• The IO device can be addressed by the
corresponding IO system.

13.2.2 Replacement of PROFINET IO cables

Starting situation

Failure How does the system react?

The S7-400H is in the redundant system state and • With one-sided I/O:
there is a fault in the PROFINET IO cable. The rack failure OB (OB 86) is launched (incom‐
ing event). The IO controller can no longer ad‐
dress connected IO devices
(station failure).
The LED BUS5F lF or BUS8F IF is flashing
• With switched I/O:
The I/O redundancy error OB (OB 70) is
launched (incoming event).
The LED BUS5F lF or BUS8F IF and the LED REDF
are flashing.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 223
Replacement of failed components during redundant operation
13.3 Replacement of components of the distributed I/O on PROFIBUS DP

Replacement procedure
Proceed as follows to change PROFINET IO cables:

Step What to do? How does the system react?

1 Check the wiring and identify the faulty -
PROFINET IO cable.
2 Replace the defective cable. CPUs process error OBs synchronously
• With one-sided I/O:
Rack failure OB 86 (outgoing event)
IO devices can be addressed through the IO
controller.
• With switched I/O:
I/O redundancy error OB 70 (outgoing event).
IO devices can be addressed through both IO
controllers.

13.3 Replacement of components of the distributed I/O on PROFIBUS

DP

Which components can be replaced?

The following components of the distributed I/Os can be replaced during operation:
• PROFIBUS DP master
• PROFIBUS DP interface module (IM 153-2 or IM 157)
• PROFIBUS DP device
• PROFIBUS DP cable
• Input/output or function modules in a distributed station

Replacement of signal and function modules

CAUTION
Note different procedure
Minor injury or damage to equipment is possible.
The procedure for replacing an input/output module or function module differs for modules of
the S7-300 and S7-400.
Use the correct procedure when replacing a module. The correct procedure is described below
for the S7-400 in Chapter Replacement of an input/output module or function module
(Page 218).

CPU 410 Process Automation

224 System Manual, 11/2022, A5E31622160-AE
 Replacement of failed components during redundant operation
13.3 Replacement of components of the distributed I/O on PROFIBUS DP

To replace signal and function modules of an S7-300, perform the following steps:

Step What to do? How does the system react?

1 Disconnect the module from its load current supply.
2 Remove the failed module (in RUN mode). • Both CPUs generate a remove/insert
interrupt and enter the event in the diagnostic buf‐
fer and the system status list.
3 Disconnect the front connector and wiring. -
4 Plug the front connector into the new module. -
5 Insert the new module. • Both CPUs generate a remove/insert
interrupt and enter the event in the diagnostic buf‐
fer and the system status list.
• Parameters are assigned automatically to the mod‐
ule by the CPU concerned and the module is ad‐
dressed again.

13.3.1 Replacement of a PROFIBUS DP master

Starting situation

Failure How does the system react?

The S7-400H is in the redundant system state and • With single-channel one-sided I/O:
a DP master module fails. DP master can no longer process connected DP
devices.
• With switched I/O:
DP devices are addressed via the DP master of
the partner.

Procedure
Proceed as follows to change a PROFIBUS DP master:

Step What to do? How does the system react?

1 Turn off the power supply of the central rack. The fault-tolerant system switches to solo
mode.
2 Unplug the PROFIBUS DP cable for the DP -
master module in question.
3 Replace the module. -
4 Plug the PROFIBUS DP cable back in. -
5 Turn on the power supply of the central rack. • The CPU performs an automatic LINK-UP
and UPDATE.
• The CPU switches to RUN and operates as
standby CPU.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 225
Replacement of failed components during redundant operation
13.3 Replacement of components of the distributed I/O on PROFIBUS DP

Exchanging a CP 443-5 in case of spare part requirement

If a CP 443-5 is replaced by a successor module with a new article number, both modules must
always be replaced in the case of redundantly used components.
The new modules must be identical, which means they must have the same article number,
product version and firmware version.

Procedure

Step What to do? How does the system react?

1 Stop the standby CPU The fault-tolerant system switches to solo mode.
2 Turn off the power supply of the central rack. -
3 Unplug the PROFIBUS DP cable for the DP master mod‐ -
ule in question.
4 Replace the module. -
5 Plug the PROFIBUS DP cable back in. -
6 Turn on the power supply of the central rack. _
7 Switch to the CPU with the modified configuration. The standby CPU links up, is updated and becomes the
master. The CPU that was master switches to STOP and
the fault-tolerance system operates with the new hard‐
ware in solo mode.
8 Turn off the power supply of the second central rack. -
9 Unplug the PROFIBUS DP cable for the second DP mas‐ -
ter module.
10 Replace the module. -
11 Plug the PROFIBUS DP cable back in. -
12 Turn on the power supply of the second central rack -
again.
13 Perform a "Warm restart". The CPU executes a LINK-UP and UPDATE and operates
as standby CPU.

13.3.2 Replacement of a redundant PROFIBUS DP interface module

Starting situation

Failure How does the system react?

The S7-400H is in redundant system mode and a Both CPUs report the event in the diagnostic buffer
PROFIBUS DP interface module (IM 153–2, IM 157) and via OB 70.
fails.

CPU 410 Process Automation

226 System Manual, 11/2022, A5E31622160-AE
 Replacement of failed components during redundant operation
13.3 Replacement of components of the distributed I/O on PROFIBUS DP

Replacement procedure
Proceed as follows to replace the PROFIBUS DP interface module:

Step What has to be done? How does the system react?

1 Turn off the supply for the affected DP inter‐ –
face module.
2 Remove the bus connector. –
3 Insert the new PROFIBUS DP interface mod‐ –
ule and turn the power supply back on.
4 Plug the bus connector back in. • The CPUs process the I/O redundancy er‐
ror OB 70 (outgoing event) synchronized
with each other.
• Redundant access to the station by the
system is now possible again.

13.3.3 Replacement of a PROFIBUS DP device

Starting situation

Failure How does the system react?

The S7-400H is in redundant system state and a DP Both CPUs signal the event in the diagnostics buffer
device fails. and via a corresponding OB 86.

Procedure
Follow the steps below to replace a DP device:

Step What to do? How does the system react?

1 Switch off the power supply to the DP device. With one-sided I/O: OB 86 and OB85 are
called for access errors during the PA update.
With switched I/O: OB70 is called (incoming
event), the LED REDF lights up.
2 Remove the bus connector. –
3 Replace the DP device. –
4 Plug the bus connector back in and turn the • The CPUs process the rack failure OB 86
power supply back on. synchronously (outgoing event).
• With switched I/O: OB70 is called (outgo‐
ing event), the LED REDF goes out.
• The DP device can be addressed by the
respective DP master system.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 227
Replacement of failed components during redundant operation
13.3 Replacement of components of the distributed I/O on PROFIBUS DP

13.3.4 Replacement of PROFIBUS DP cables

Starting situation

Failure How does the system react?

The S7-400H is in redundant system mode and the • With single-channel one-sided I/O:
PROFIBUS DP cable is defective. Rack failure OB (OB 86) is started (incoming
event). DP master can no longer process con‐
nected DP devices
(station failure).
The LED BUS1F flashes.
• With switched I/O:
I/O redundancy error OB (OB 70) is started (in‐
coming event). DP devices are addressed via the
DP master of the partner.
The LED BUS1F and the LED REDF are flashing.

Replacement procedure
Proceed as follows to replace PROFIBUS DP cables:

Step What to do? How does the system react?

1 Check the cabling and localize the inter‐ –
rupted PROFIBUS DP cable.
2 Replace the defective cable. The CPUs process the error OBs synchronized
with each other
• With one-sided I/O:
Rack failure OB 86 (outgoing event)
The LED BUS1F goes out.
DP devices can be addressed via the DP mas‐
ter system.
• With switched I/O:
I/O redundancy error OB 70 (outgoing event).
DP devices can be addressed via both DP mas‐
ter systems.
The LED BUS1F and the LED REDF go out.

CPU 410 Process Automation

228 System Manual, 11/2022, A5E31622160-AE
Synchronization modules 14
14.1 Synchronization modules
You can obtain information on the synchronization provided in the Service und Support Portal
in the manual Synchronization modules for S7-400H (https://
support.industry.siemens.com/cs/ww/en/).

14.2 Synchronization modules for the CPU 410.

Function of the synchronization modules

Synchronization modules are used synchronization link between two redundant CPU 410-5H.
You require two synchronization modules per CPU, connected in pairs by fiber-optic cable.
The system supports hot-swapping of synchronization modules, and so allows you to
influence the repair response of the fault-tolerant systems and to control the failure of the
redundant connection without stopping the plant.
The diagnostics process for synchronization modules is based in parts on the maintenance
concept familiar from PROFINET IO. As of firmware version 8.1 of the CPU, maintenance
required is no longer reported.
If you remove a synchronization module in redundant system mode, there is a loss
of synchronization. The standby CPU switches to ERROR-SEARCH operating state for a
few minutes. If the new synchronization module is inserted and the redundant link is
reestablished during this time, the standby CPU then switches to redundant system mode;
otherwise it switches to STOP.
Once you have inserted the new synchronization module and reestablished the redundant
link, you must restart the standby CPU, if necessary.

Distance between the S7–400H CPUs

The following types of synchronization modules are available:

Article No. Maximum distance between the CPUs

6ES7 960–1AA06–0XA0 10 m
6ES7 960-1AA08-0XA0 10 m, use up to 70°C possible
6ES7 960–1AB06–0XA0 10 km

The synchronization set with article number 6ES7 656-7XX30-0XE0 includes 4

synchronization modules 6ES7 960–1AA06–0XA0 (10m) and 2 fiber-optic cables each 1m
long.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 229
Synchronization modules
14.2 Synchronization modules for the CPU 410.

Long synchronization cables may increase cycle times. This extension can have the factor 2 -
5 with a cable length of 10 km.

Note
You must use 4 synchronization modules of the same type in a fault-tolerant system.

Mechanical configuration

Figure 14-1 Synchronization modules 6ES7 960-1AA08-0XA0 and 6ES7 960-1Ax06-0xA0

CAUTION
Risk of injury.
The synchronization module is equipped with a laser system and is classified as a "CLASS 1
LASER PRODUCT" according to IEC 60825–1.
Avoid direct contact with the laser beam. Do not open the housing. Always observe the
information provided in this manual, and keep the manual to hand as a reference.

CLASS 1 LASER PRODUCT

LASER KLASSE 1 PRODUKT
TO EN 60825

OB 82
In redundant mode, the operating system of the CPU calls OB82 in case of a Snyc link fault.

CPU 410 Process Automation

230 System Manual, 11/2022, A5E31622160-AE
 Synchronization modules
14.2 Synchronization modules for the CPU 410.

You can display the following channel-specific diagnostic data in the Module state tab dialog
for the selected synchronization module:
• Overtemperature
The synchronization module is too hot.
• Fiber-optic error
The sender of the electro-optical component has reached the end of its service life.
• Violation of lower limit
The sent or received optical performance is low or too low.
• Violation of upper limit
The sent or received optical performance is high or too high.
• Functional error of the network component
The quality of the redundancy link between the CPUs (transmission distance including
synchronization modules and fiber-optic cables) is reduced so that transmission errors are
occurring frequently.
In redundant mode the OB82 is also called at Power Off/On or at a firmware update of the
partner CPU. This does not indicate any problem with the synchronization link but is instead
due to the fact that the synchronization modules are not emitting any light at this moment.

Fiber-optic interfaces of unused modules

Fiber-optic interfaces of unused modules must be blanked off during storage to protect the
optical equipment. The plugs are in the synchronization module when shipped.

NOTICE
Reduced optical performance due to dirt
Even small amounts of dirt in a fiber-optic interface adversely affect the quality of the signal
transmission. This can lead to synchronization losses during operation.
Protect the fiber-optic interfaces against dirt during storage and installation of the
synchronization modules.

Wiring and inserting the synchronization module

1. Remove the dummy plug of the synchronization module.
2. Fold back the clip completely against the synchronization module.
3. Insert the synchronization module into the IF1 interface of the first fault-tolerant CPU until
it snaps into place.
4. Insert the end of the fiber-optic cable into the synchronization module until it snaps into
place.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 231
Synchronization modules
14.2 Synchronization modules for the CPU 410.

5. Repeat steps 1 to 4 for the second synchronization module.

6. Repeat the process for the second fault-tolerant CPU.
Connect the IF1 interface of the first CPU with the IF1 interface of the second CPU and the IF2
interface of the first CPU with the IF2 interface of the second CPU.
Note
Wiring synchronization modules crosswise
If you wire synchronization modules crosswise, i.e. the IF1 interface of the first CPU with the
IF2 interface of the second CPU and vice versa, the two CPUs take over the master role and
the system will now function properly. The LEDs IFM 1 and IFM 2 are lit on both CPUs.
Make sure that you connect the IF1 interface of the first CPU with the IF1 interface of the
second CPU and the IF2 interface of the first CPU with the IF2 interface of the second CPU.

Removing the synchronization module

1. Slightly press the release of the fiber-optic cable and remove it from the synchronization
module.
2. Fold the clip of the synchronization module to the front and remove the synchronization
module from the fault-tolerant CPU interface.
3. Place the dummy plug on the synchronization module.
4. Repeat this procedure for all interfaces and both fault-tolerant CPUs.

Technical specifications

Technical specifications 6ES7 960–1AA06–0XA0 6ES7 960–1AB06–0XA0

Maximum distance between the CPUs 10 m 10 km
Supply voltage 3.3 V, supplied by the CPU 3.3 V, supplied by the CPU
Current consumption 220 mA 240 mA
Power loss 0.77 W 0.83 W
Wavelength of the optical 850 nm 1310 nm
transceivers
Maximal permitted attenuation of the 7.5 dB 9.5 dB
fiber-optic cable
Maximum permitted difference in ca‐ 9m 50 m
ble lengths
Dimensions W x H x D (mm) 13 x 14 x 58 13 x 14 x 58
Weight 0.014 kg 0.014 kg

CPU 410 Process Automation

232 System Manual, 11/2022, A5E31622160-AE
 Synchronization modules
14.3 Installation of fiber-optic cables

14.3 Installation of fiber-optic cables

Introduction
Fiber-optic cables may only be installed by trained and qualified personnel. Always observe the
applicable rules and statutory regulations. The installation must be carried out with meticulous
care, because faulty installations represent the most common source of error. Causes are:
• Kinking of the fiber-optic cable due to an insufficient bending radius.
• Crushing of the cable as a result of excess forces caused by persons treading on the cable, or
by pinching, or by the load of other heavy cables.
• Overstretching due to high tensile forces.
• Damage on sharp edges etc.

Permitted bending radius for prefabricated cables

The following bending radii must not be undershot when installing the cables (6ES7960–
1AA04–5xA0) prefabricated by SIEMENS.
• During installation: 88 mm (repeated)
• After installation: 59 mm (one-time)

Permitted bending radii for prefabricated cables

When you install self-assembled cables make sure to comply with the bending radii specified by
the manufacturer. Note that approx. 50 mm of space is available for the connector and the fiber-
optic cable under the front cover of the CPU and that no tight bending radius of a fiber-optic cable
is therefore possible in the proximity of the connector.

Points to observe when installing the fiber-optic cables for the S7-400H synchronization link
Always route the two fiber-optic cables separately. This increases availability and protects the
fiber-optic cables from potential double errors caused, for example, by interrupting both cables
at the same time.
Always make sure the fiber-optic cables are connected to both CPUs before switching on the
power supply or the system, otherwise the CPUs may process the user program as the master
CPU.
If you are using fiber-optic cables that were not stored with blanking plugs at the connectors,
note the following:
Clean the connectors, especially the optical surfaces, with a soft, clean and lint-free cloth
before you use them.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 233
Synchronization modules
14.3 Installation of fiber-optic cables

Local quality assurance

Check the points outlined below before you install the fiber-optic cables:
• Does the delivered package contain the correct fiber-optic cables?
• Any visible transport damage to the product?
• Have you organized a suitable intermediate on-site storage for the fiber-optic cables?
• Does the category of the cables match the connecting components?
Check the attenuation of the fiber-optic cables after installation.

Storage of the fiber-optic cables

if you do not install the fiber-optic cable immediately after you received the package, it is
advisable to store it in a dry location where it is protected from mechanical and thermal
influences. Observe the permitted storage temperatures specified in the data sheet of the fiber-
optic cable. You should not remove the fiber-optic cables from the original packaging until you
are going to install them.

NOTICE
Reduced optical performance due to dirt
Even slight amounts of dirt at the end of a fiber-optic cable will adversely affect its optical
performance and thus the quality of the signal transmission. This can lead to synchronization
losses during operation. Protect the ends of the fiber-optic cables against dirt during storing
and installation. If the ends of the fiber-optic cable are covered when delivered, do not remove
these covers.

Open installation, wall breakthroughs, cable ducts:

Note the points outlined below when you install fiber-optic cables:
• The fiber-optic cables may be installed in open locations, provided you can safely exclude any
damage in those areas (vertical risers, connecting shafts, telecommunications switchboard
rooms, etc.).
• Fiber-optic cables should be mounted on mounting rails (cable trays, wire mesh ducts) using
cable ties. Take care not to crush the cable when you fasten it (see Pressure).
• Always deburr or round the edges of the breakthrough before you install the fiber-optic cable,
in order to prevent damage to the sheathing when you pull in and fasten the cable.
• The bending radii must not be smaller than the value specified in the manufacturer's data
sheet.
• The branching radii of the cable ducts must correspond to the specified bending radius of the
fiber-optic cable.

CPU 410 Process Automation

234 System Manual, 11/2022, A5E31622160-AE
 Synchronization modules
14.4 Selecting fiber-optic cables

Cable pull-in
Note the points below when pulling-in fiber-optic cables:
• Always observe the information on pull forces in the data sheet of the corresponding fiber-
optic cable.
• Do not reel off any greater lengths when you pull in the cables.
• Install the fiber-optic cable directly from the cable drum wherever possible.
• Do not spool the fiber-optic cable sideways off the drum flange (risk of twisting).
• You should use a cable pulling sleeve to pull in the fiber-optic cable.
• Always observe the specified bending radii.
• Do not use any grease or oil-based lubricants.
You may use the lubricants listed below to support the pulling-in of fiber-optic cables.
– Yellow compound (Wire-Pulling, lubricant from Klein Tools; 51000)
– Soft soap
– Dishwashing liquid
– Talcum powder
– Detergent

Pressure
Do not exert any pressure on the cable, for example, by the inappropriate use of clamps (cable
quick-mount) or cable ties. Your installation should also prevent anyone from stepping onto the
cable.

Influence of heat
Fiber-optic cables are highly sensitive to direct heat, which means the cables must not be worked
on using hot-air guns or gas burners as used in heat-shrink tubing technology.

14.4 Selecting fiber-optic cables

Check or make allowance for the following conditions and situations when selecting a suitable
fiber-optic cable:
• Required cable lengths
• Indoor or outdoor installation
• Any particular protection against mechanical stress required?
• Any particular protection against rodents required?
• Can an outside cable be routed directly underground?
• Does the fiber-optic cable need to be water-proof?
• Which temperatures influence the installed fiber-optic cable?

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 235
Synchronization modules
14.4 Selecting fiber-optic cables

Cable length up to 10 m
The synchronization module 6ES7 960–1AA06–0XA0 can be operated in pairs with fiber-optic
cables up to a length of 10 m.
Select cables with the following specification for lengths up to 10 m:
• Multimode fiber 50/125 µ or 62.5/125 µ
• Patch cable for indoor applications
• 2 x duplex cables per fault-tolerant system, cross-over
• Connector type LC–LC
Such cables are available in the following length as accessories for fault-tolerant systems:

Table 14-1 Accessory fiber-optic cable

Length Article No.

1m 6ES7960–1AA04–5AA0
2m 6ES7960–1AA04–5BA0
10 m 6ES7960–1AA04–5KA0

Cable length up to 10 km
The synchronization module 6ES7 960-1AB06-0XA0 can be operated in pairs with fiber-optic
cables up to a length of 10 km.
The following rules apply:
• Make sure of adequate strain relief on the modules if you use fiber-optic cables longer than
10 m.
• Keep to the specified environmental conditions of the fiber-optic cables used (bending radii,
pressure, temperature...)
• Observe the technical specifications of the fiber-optic cable (attenuation, bandwidth...)
Fiber-optic cables with lengths above 10 m usually have to be custom-made. First, select the
following specification:
• Single-mode fiber (mono-mode fiber) 9/125 µ
In exceptional situations, you may also use the lengths up to 10 m available as accessories for
short distances when testing and commissioning. However, only the use of specified cables
with single-mode fibers is allowed for continuous operation.
Note
Cable up to 10 m length on the synchronization module 6ES7 960-1AB06-0XA0
Cables up to a length of 10 m are available on order as accessories. If you use one of these
cables on the synchronization module 6ES7 960-1AB06-0XA0 , you may see the error
message "Optical performance too high" at the call of OB 82.

CPU 410 Process Automation

236 System Manual, 11/2022, A5E31622160-AE
 Synchronization modules
14.4 Selecting fiber-optic cables

The table below shows the further specifications, based on your application:

Table 14-2 Specification of fiber-optic cables for indoor applications

Cabling Components required Specification

The entire cabling is routed Patch cables 2 x duplex cables per system
within a building Connector type LC–LC
No cable junction is required Crossed cores
between the indoor and out‐
Further specifications you may need to observe
door area
for your plant, e.g.:
The necessary cable length is
UL approval
available in one piece. There
is no need to connect several Halogen-free materials
cable segments by means of Assembled patch cable Multicore cables, 4 cores per system
distribution boxes. Connector type LC–LC
Convenient and complete in‐ Crossed cores
stallation using patch cables
Further specifications you may need to observe
for your plant, e.g.:
UL approval
Halogen-free materials
The entire cabling is routed including patch cables for indoor applica‐ 1 cable with 4 cores per fault-tolerant system
within a building tions as required Both interfaces in one cable
No cable junction is required 1 or 2 cables with several shared cores
between the indoor and out‐
Separate installation of the interfaces in order to
door area
increase availability (reduction of common cause
The necessary cable length is factor)
available in one piece. There
Connector type ST or SC, for example, to match
is no need to connect several
other components; see below
cable segments by means of
distribution boxes. Further specifications you may need to observe
for your plant:
Convenient and complete in‐
stallation using patch cables UL approval
Halogen-free materials
Avoid splicing cables in the field. Use prefabrica‐
ted cables with pulling protection/aids in whip‐
lash or breakout design, including measuring log.
Patch cable for indoor applications Connector type LC on ST or SC, for example, to
match other components
Installation using distribu‐ One distribution/junction box per branch Connector type ST or SC, for example, to match
tion boxes, see Fig. 12-2 Installation and patch cables are connected other components
via the distribution box. Either ST or SC
plug-in connections can be used, for exam‐
ple. Check the cross-over installation when
you wire the CPUs.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 237
Synchronization modules
14.4 Selecting fiber-optic cables

Table 14-3 Specification of fiber-optic cables for outdoor applications

Cabling Components required Specification

A cable junction is required be‐ • Installation cables for Installation cables for outdoor applications
tween the indoor and outdoor outdoor applications • 1 cable with 4 cores per fault-tolerant system
area Both interfaces in one cable
see Figure 12-2
• 1 or 2 cables with several shared cores
Separate installation of the interfaces in order to
increase availability (reduction of common cause
factor)
• Connector type ST or SC, for example, to match oth‐
er components; see below
Further specifications you may need to observe for your
plant:
• UL approval
• Halogen-free materials
Further specifications you may need to observe for your
plant:
• Protection against increased mechanical stress
• Protection against rodents
• Water-proofing
• Suitable for direct underground installation
• Suitable for the given temperature ranges
Avoid splicing cables in the field. Use prefabricated ca‐
bles with pulling protection/aids in whiplash design,
including measuring log.
• including patch cables for in‐ • 1 cable with 4 cores per fault-tolerant system
door applications as required Both interfaces in one cable
• 1 or 2 cables with several shared cores
Separate installation of the interfaces in order to
increase availability (reduction of common cause
factor)
• Connector type ST or SC, for example, to match oth‐
er components; see below
Further specifications you may need to observe for your
plant:
• UL approval
• Halogen-free materials
Avoid splicing cables in the field. Use prefabricated ca‐
bles with pulling protection/aids in whiplash or break‐
out design, including measuring log.
• Patch cable for indoor applica‐ • Connector type LC on ST or SC, for example, to
tions match other components

CPU 410 Process Automation

238 System Manual, 11/2022, A5E31622160-AE
 Synchronization modules
14.4 Selecting fiber-optic cables

Cabling Components required Specification

A cable junction is required be‐ • One distribution/junction box • Connector type ST or SC, for example, to match oth‐
tween the indoor and outdoor per branch er components
area
Installation and patch cables are
see Figure 12-2 connected via the distribution box.
Either ST or SC plug-in connections
can be used, for example
Check the cross-over installation
when you wire the CPUs.

&38LQUDFN &38LQUDFN

$GGLWLRQDOGLVWULEXWLRQER[HVLI
QHFHVVDU\HJZLWK6&RU67
FRXSOLQJVWRVHWXSWKHHQWLUH
OHQJWKRIWKHFRQQHFWLRQIURP
LQGLYLGXDOSLHFHV

'LVWULEXWLRQER[
'LVWULEXWLRQER[
HJZLWK6&RU PD[NP HJZLWK6&RU
67FRXSOLQJV LQVWDOODWLRQFDEOHV 67FRXSOLQJV
LQGRRURXWGRRU
3DWFKFDEOH 3DWFKFDEOH
'XSOH[HJ 'XSOH[HJ
/&6&67 /&6&67
Figure 14-2 Fiber-optic cables, installation using distribution boxes

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 239
Synchronization modules
14.4 Selecting fiber-optic cables

CPU 410 Process Automation

240 System Manual, 11/2022, A5E31622160-AE
System expansion card 15
15.1 Variants of the system expansion card

Use of the system expansion card

The system expansion card (SEC) is inserted in a slot at the back of the CPU.
The SEC is used to scale the CPU 410 to correspond the maximum loadable process objects.
More detailed information about the scaling concept can be found in the section Scaling and
licensing (scaling concept) (Page 28).
Operation of the CPU is not possible without an SEC. If no valid SEC is detected, the
corresponding CPU does not start up.
If an error occurs in redundant mode during access to the SEC of a CPU, this triggers a loss of
synchronization and a startup block prevents another automatic link-up. You cannot operate
two CPUs 410 redundantly with two different SECs.
System Expansion Card for CPU 410-5H
SECs with the following number of PO are available for the CPU 410-5H:
• 0
You must store the required number of POs on this SEC before the first use.
• 100
• 500
• 800
• 1000
• 1600
• 2k+ (unlimited)
System Expansion Card for CPU 410E
An SEC with the following number of PO is available for the CPU 410E:
• 200
• 500

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 241
System expansion card
15.1 Variants of the system expansion card

31396338 XAB SIEMENS

653-2CA00-0XB0
SVP JM123456
X 2 3 4 5

SE PO 100

Figure 15-1 SEC

Increasing number of PO/enabling R1 redundancy

You can increase the number of POs in a CPU 410-5H without changing the SEC.
You can find information on how to increase the number of POs in PCS 7 process control system,
service support and diagnostics (V8.1 or higher)
The procedure for increasing the number of PO also applies for transferring the license key for
R1 redundancy of a distributed I/O.

CPU 410 Process Automation

242 System Manual, 11/2022, A5E31622160-AE
Technical data 16
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

General information  
Product type designation CPU 410-5H
HW functional status 2
Firmware version V8.2
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Product function  
• SysLog Yes; via TCP; up to 4 receivers can be parameter‐
ized; buffer capacity max. 3 200 entries
• Field interface security Yes
Engineering with  
• Programming package SIMATIC PCS 7 V9.0 or higher
CiR - Configuration in RUN  
CiR synchronization time, basic load 60 ms
CiR synchronization time, time per I/O byte 0 µs
Input current  
from backplane bus 5 V DC, typ. 2 A
from backplane bus 5 V DC, max. 2.4 A
from backplane bus 24 V DC, max. 150 mA; DP interface
from interface 5 V DC, max. 90 mA; At the DP interface
Power loss  
Power loss, typ. 10 W
Processor  
CPU speed 450 MHz; Multi-processor system
Memory  
PCS 7 process objects 100 ... approx. 2 600, adjustable with System Ex‐
pansion Card
Work memory  
• integrated 32 Mbyte; max., dependent on the System Expan‐
sion Card used
• integrated (for program) Dependent on the System Expansion Card used
• integrated (for data) Dependent on the System Expansion Card used
• expandable Dependent on the System Expansion Card used
Load memory  
• integrated RAM, max. 48 Mbyte
• expandable RAM No
Backup  

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 243
Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

• with battery Yes; all data
• without battery Yes; Program and data of the load memory
Battery  
Backup battery  
• Backup current, typ. 370 µA; Valid up to 40°C
• Backup current, max. 2.1 mA
• Backup time, max. Dealt with in the module data manual with the sec‐
ondary conditions and the factors of influence
• Feeding of external backup voltage to CPU No
CPU processing times  
for bit operations, typ. 7.5 ns
for word operations, typ. 7.5 ns
for fixed point arithmetic, typ. 7.5 ns
for floating point arithmetic, typ. 15 ns
average processing time of PCS 7 typicals 110 µs; with APL Typicals
Process tasks, max. 9; Individually adjustable from 10 ms to 5 s
CPU-blocks  
DB  
• Number, max. 16 000; Number range: 1 to 16 000 (= Instances)
• Size, max. 64 kbyte; Dependent on the System Expansion
Card used
FB  
• Number, max. 8 000; Number range: 0 to 7999
• Size, max. 64 kbyte
FC  
• Number, max. 8 000; Number range: 0 to 7999
• Size, max. 64 kbyte
OB  
• Number, max. see instruction list
• Size, max. 64 kbyte
• Number of free cycle OBs 1; OB 1
• Number of time alarm OBs 8; OB 10-17
• Number of delay alarm OBs 4; OB 20-23
• Number of cyclic interrupt OBs 9; OB 30-38 (= Process Tasks)
• Number of process alarm OBs 8; OB 40-47
• Number of DPV1 alarm OBs 3; OB 55-57
• Number of startup OBs 2; OB 100, 102
• Number of asynchronous error OBs 9; OB 80-88
• Number of synchronous error OBs 2; OB 121, 122
Nesting depth  
• per priority class 24
• additional within an error OB 2
Counters, timers and their retentivity  

CPU 410 Process Automation

244 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

IEC counter  
• present Yes
• Type SFB
• Number Unlimited (limited only by RAM capacity)
IEC timer  
• present Yes
• Type SFB
• Number Unlimited (limited only by RAM capacity)
Data areas and their retentivity  
Retentive data area (incl. timers, counters, Total working and load memory (with backup bat‐
flags), max. tery)
Flag  
• Size, max. 16 384 byte
• Retentivity available Yes
• Number of clock memories 8; in 1 memory byte
Local data  
• adjustable, max. 64 kbyte
Address area  
I/O address area  
• Inputs 16 kbyte; max., dependent on the System Expan‐
sion Card used
• Outputs 16 kbyte; max., dependent on the System Expan‐
sion Card used
Process image  
• Inputs, default 16 kbyte; not changeable
• Outputs, default 16 kbyte; not changeable
• consistent data, max. 244 byte
• Access to consistent data in process image Yes
Subprocess images  
• Number of subprocess images, max. 15
Hardware configuration  
Number of expansion units, max. 21; S7-400 expansion devices
connectable OPs 119
Multicomputing No
Interface modules  
• Number of connectable IMs (total), max. 6
• Number of connectable IM 460s, max. 6
• Number of connectable IM 463s, max. 4; Single mode only
Number of DP masters  
• integrated 1
• via CP 10; CP 443-5 Extended
Number of IO Controllers  
• integrated 2

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 245
Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

• via CP 0
Number of operable FMs and CPs (recommen‐  
ded)
• PROFIBUS and Ethernet CPs 11; Of which max. 10 CP as DP master
Slots  
• required slots 2
Time of day  
Clock  
• Hardware clock (real-time) Yes
• retentive and synchronizable Yes
• Resolution 1 ms
• Deviation per day (buffered), max. 1.7 s; Power off
• Deviation per day (unbuffered), max. 8.6 s; Power on
Operating hours counter  
• Number 16
• Number/Number range 0 to 15
• Range of values SFCs 2, 3 and 4: 0 to 32767 hours SFC 101: 0 to
2^31 - 1 hours
• Granularity 1 h
• retentive Yes
Clock synchronization  
• supported Yes
• to DP, master Yes
• to DP, slave Yes
• in AS, master Yes
• in AS, slave Yes
• on Ethernet via NTP Possible as client and master/slave via SIMATIC
process
Interfaces  
Number of PROFINET interfaces 2
Number of RS 485 interfaces 1; PROFIBUS DP
Number of other interfaces 2; 2x synchronization
1. Interface  
Interface type RS 485 / PROFIBUS
Isolated Yes
Number of connections 16
Interface types  
• Output current of the interface, max. 150 mA
Protocols  
• PROFIBUS DP master Yes
• PROFIBUS DP slave No
PROFIBUS DP master  
• Number of connections, max. 16

CPU 410 Process Automation

246 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

• Transmission rate, max. 12 Mbit/s
• Number of DP slaves, max. 96
• Number of slots per interface, max. 1 632
Services  
– PG/OP communication Yes
– Routing Yes; S7 routing
– Global data communication No
– S7 basic communication No
– S7 communication Yes
– S7 communication, as client Yes
– S7 communication, as server Yes
– Equidistance No
– Isochronous mode No
– SYNC/FREEZE No
– Activation/deactivation of DP slaves Yes; Approved for stand-alone operation only, not
in conjunction with CiR (Configuration in Run)
– Direct data exchange (slave-to-slave com‐ No
munication)
– DPV1 Yes
Address area  
– Inputs, max. 6 kbyte
– Outputs, max. 6 kbyte
User data per DP slave  
– User data per DP slave, max. 244 byte
– Inputs, max. 244 byte
– Outputs, max. 244 byte
– Slots, max. 244
– per slot, max. 128 byte
2. Interface  
Interface type PROFINET
Isolated Yes
automatic detection of transmission rate Yes; Autosensing
Autonegotiation Yes
Autocrossing Yes
System redundancy Yes
Redundant subnetworks Yes
Change of IP address at runtime, supported No
Number of connections 120
Interface types  
• Number of ports 2
• integrated switch Yes
Protocols  
• PROFINET IO Controller Yes

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 247
Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

• PROFINET IO Device No
• PROFINET CBA No
• Open IE communication Yes
• Web server No
• Media redundancy Yes
PROFINET IO Controller  
• Transmission rate, max. 100 Mbit/s
Services  
– PG/OP communication Yes
– S7 communication Yes
– Shared device No; however, usable as part of S7
– Prioritized startup No
– Number of connectable IO Devices, max. 250
– Number of connectable IO Devices for RT, 250
max.
– of which in line, max. 250
– Activation/deactivation of IO Devices Yes; Approved for stand-alone operation only, not
in conjunction with CiR (Configuration in Run)
– IO Devices changing during operation No
(partner ports), supported
– Device replacement without swap medi‐ Yes
um
– Send cycles 250 µs, 500 µs, 1 ms, 2 ms, 4 ms
– Updating time 250 µs to 512 ms, minimum value depends on the
number of configured user data and the configured
single or redundant mode
Address area  
– Inputs, max. 8 kbyte
– Outputs, max. 8 kbyte
– User data consistency, max. 1 024 byte
Open IE communication  
• Number of connections, max. 118
• Local port numbers used at the system end 0, 20, 21, 25, 102, 135, 161, 34962, 34963,
34964, 65532, 65533, 65534, 65535
• Keep-alive function, supported Yes
3. Interface  
Interface type PROFINET
Isolated Yes
automatic detection of transmission rate Yes; Autosensing
Autonegotiation Yes
Autocrossing Yes
System redundancy Yes
Redundant subnetworks Yes
Number of connections 120

CPU 410 Process Automation

248 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

Interface types  
• Number of ports 2
• integrated switch Yes
Protocols  
• PROFINET IO Controller Yes
• PROFINET IO Device No
• PROFINET CBA No
• Open IE communication Yes
• Web server No
• Media redundancy Yes
PROFINET IO Controller  
• Transmission rate, max. 100 Mbit/s
Services  
– PG/OP communication Yes
– S7 communication Yes
– Shared device No; however, usable as part of S7
– Prioritized startup No
– Number of connectable IO Devices, max. 250
– Number of connectable IO Devices for RT, 250
max.
– of which in line, max. 250
– Activation/deactivation of IO Devices Yes; Approved for stand-alone operation only, not
in conjunction with CiR (Configuration in Run)
– IO Devices changing during operation No
(partner ports), supported
– Device replacement without swap medi‐ Yes
um
– Send cycles 250 µs, 500 µs, 1 ms, 2 ms, 4 ms
– Updating time 250 µs to 512 ms, minimum value depends on the
number of configured user data and the configured
single or redundant mode
Address area  
– Inputs, max. 8 kbyte
– Outputs, max. 8 kbyte
– User data consistency, max. 1 024 byte
Open IE communication  
• Number of connections, max. 118
• Local port numbers used at the system end 0, 20, 21, 25, 102, 135, 161, 34962, 34963,
34964, 65532, 65533, 65534, 65535
• Keep-alive function, supported Yes
4. Interface  
Interface type Pluggable synchronization submodule (FO)
Plug-in interface modules Synchronization module 6ES7960-1AA06-0XA0,
6ES7960-1AB06-0XA0 or 6ES7960-1AA08-0XA0

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 249
Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

5. Interface  
Interface type Pluggable synchronization submodule (FO)
Plug-in interface modules Synchronization module 6ES7960-1AA06-0XA0,
6ES7960-1AB06-0XA0 or 6ES7960-1AA08-0XA0
Protocols  
Supports protocol for PROFINET IO Yes
PROFINET CBA No
PROFIsafe Yes
PROFIBUS Yes
AS-Interface Yes; Via add-on
Redundancy mode  
Media redundancy  
– Switchover time on line break, typ. < 200 ms
– Number of stations in the ring, max. 50
SIMATIC communication  
• S7 routing Yes
Open IE communication  
• TCP/IP Yes; via integrated PROFINET interface and loada‐
ble FBs
– Number of connections, max. 118
– Data length, max. 32 kbyte
– several passive connections per port, sup‐ Yes
ported
• ISO-on-TCP (RFC1006) Yes; Via integrated PROFINET interface or CP 443-1
and loadable FBs
– Number of connections, max. 118
– Data length, max. 32 kbyte; 1 452 bytes via CP 443-1 Adv.
• UDP Yes; via integrated PROFINET interface and loada‐
ble FBs
– Number of connections, max. 118
– Data length, max. 1 472 byte
Further protocols  
• Foundation Fieldbus Yes; via DP/FF Link
• MODBUS Yes; Via add-on
communication functions / header  
PG/OP communication Yes
• Number of connectable OPs without mes‐ 119
sage processing
• Number of connectable OPs with message 119; When using Alarm_S/SQ and Alarm_D/DQ
processing
Data record routing Yes
S7 communication  
• supported Yes
• as server Yes

CPU 410 Process Automation

250 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

• as client Yes
• User data per job, max. 64 kbyte
• User data per job (of which consistent), max. 462 byte; 1 variable
S5 compatible communication  
• supported Yes; via CP and FC AG_SEND and FC AG_RECV
• User data per job, max. 8 kbyte
• User data per job (of which consistent), max. 240 byte
• Number of simultaneous AG-SEND/AG-RECV 64/64
orders per CPU, max.
Standard communication (FMS)  
• supported Yes; Via CP and loadable FB
Number of connections  
• overall 120
• usable for PG communication  
– reserved for PG communication 1
• usable for OP communication  
– reserved for OP communication 1
S7 message functions  
Number of login stations for message functions, 119; max. 119 with Alarm_S/SQ and Alarm_D/DQ
max. (OPs); max. 16 with Alarm_8, Alarm_8P, Notify and
Notify_8 (e.g. WinCC)
Program alarms Yes
Process diagnostic messages Yes
simultaneously active Alarm-S blocks, max. 1 000; Simultaneously active alarm_S/SQ blocks or
alarm_D/DQ blocks
Alarm 8-blocks Yes
• Number of instances for alarm 8 and S7 com‐ 10 000
munication blocks, max.
Process control messages Yes
Number of archives that can log on simultane‐ 64
ously (SFB 37 AR_SEND)
Test commissioning functions  
Status block Yes
Single step Yes
Number of breakpoints 4
Status/control  
• Status/control variable Yes
• Variables Inputs/outputs, memory bits, DBs, distributed I/Os,
timers, counters
• Number of variables, max. 70
Diagnostic buffer  
• present Yes
• Number of entries, max. 3 200
Service data  

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 251
Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

• can be read out Yes
Standards, approvals, certificates  
CE mark Yes
UKCA mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
configuration / header  
configuration / programming / header  
• Command set see instruction list
• Nesting levels 7
• Access to consistent data in process image Yes
• System functions (SFC) see instruction list
• System function blocks (SFB) see instruction list
Programming language  
– SCL Yes
– CFC Yes
configuration / programming / number of simul‐  
taneously active SFC / header
– RD_REC 8; SFC 59; per interface
– WR_REC 8; SFC 58; per interface
– WR_PARM 8; SFC 55; per interface
– PARM_MOD 1; SFC 57; per interface
– WR_DPARM 2; SFC 56; per interface
– DPNRM_DG 8; SFC 13; per interface
– RDSYSST 8; SFC 51
– DP_TOPOL 1; SFC 103; per interface
configuration / programming / number of simul‐  
taneously active SFB / header
– RDREC 8; SFB 52; per interface, but not more than 32
across all external interfaces
– WRREC 8; SFB 53; per interface, but not more than 32
across all external interfaces

CPU 410 Process Automation

252 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.1 Technical specifications of CPU 410-5H; (6ES7410-5HX08-0AB0)

Article number 6ES7410-5HX08-0AB0

Know-how protection  
• User program protection/password protec‐ Yes
tion
• Block encryption Yes; With S7 block Privacy
Dimensions  
Width 50 mm
Height 290 mm
Depth 219 mm
Weights  
Weight, approx. 1.1 kg

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 253
Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

General information  
Product type designation CPU 410E
HW functional status 1
Firmware version V8.2
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Product function  
• SysLog Yes; via TCP; up to 4 receivers can be parameter‐
ized; buffer capacity max. 3 200 entries
• Field interface security Yes
Engineering with  
• Programming package SIMATIC PCS 7 V9.0 or higher
CiR - Configuration in RUN  
CiR synchronization time, basic load 60 ms
CiR synchronization time, time per I/O byte 0 µs
Input current  
from backplane bus 5 V DC, typ. 2 A
from backplane bus 5 V DC, max. 2.4 A
from backplane bus 24 V DC, max. 150 mA; DP interface
from interface 5 V DC, max. 90 mA; At the DP interface
Power loss  
Power loss, typ. 10 W
Processor  
CPU speed 450 MHz; Multi-processor system
Memory  
PCS 7 process objects 200; max.
Work memory  
• integrated 4 Mbyte
• integrated (for program) 4 Mbyte; max.
• integrated (for data) 4 Mbyte; max.
• expandable No
Load memory  
• integrated RAM, max. 48 Mbyte
• expandable RAM No
Backup  
• with battery Yes; all data
• without battery Yes; Program and data of the load memory
Battery  
Backup battery  
• Backup current, typ. 370 µA; Valid up to 40°C
• Backup current, max. 2.1 mA

CPU 410 Process Automation

254 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

• Backup time, max. Dealt with in the module data manual with the sec‐
ondary conditions and the factors of influence
• Feeding of external backup voltage to CPU No
CPU processing times  
average processing time of PCS 7 typicals 110 µs; with APL Typicals
Process tasks, max. 9; Individually adjustable from 10 ms to 5 s
CPU-blocks  
DB  
• Number, max. 16 000; Number range: 1 to 16 000 (= Instances)
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
FB  
• Number, max. 8 000; Number range: 0 to 7999
• Size, max. 64 kbyte
FC  
• Number, max. 8 000; Number range: 0 to 7999
• Size, max. 64 kbyte
OB  
• Number, max. see instruction list
• Size, max. 64 kbyte
• Number of free cycle OBs 1; OB 1
• Number of time alarm OBs 8; OB 10-17
• Number of delay alarm OBs 4; OB 20-23
• Number of cyclic interrupt OBs 9; OB 30-38 (= Process Tasks)
• Number of process alarm OBs 8; OB 40-47
• Number of DPV1 alarm OBs 3; OB 55-57
• Number of startup OBs 2; OB 100, 102
• Number of asynchronous error OBs 9; OB 80-88
• Number of synchronous error OBs 2; OB 121, 122
Nesting depth  
• per priority class 24
• additional within an error OB 2
Counters, timers and their retentivity  
IEC counter  
• present Yes
• Type SFB
• Number Unlimited (limited only by RAM capacity)
IEC timer  
• present Yes
• Type SFB
• Number Unlimited (limited only by RAM capacity)
Data areas and their retentivity  

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 255
Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

Retentive data area (incl. timers, counters, Total working and load memory (with backup bat‐
flags), max. tery)
Flag  
• Size, max. 16 384 byte
• Retentivity available Yes
• Number of clock memories 8; in 1 memory byte
Local data  
• adjustable, max. 64 kbyte
Address area  
I/O address area  
• Inputs 2 048 byte; max. 1 536 bytes for inputs or outputs
per interface
• Outputs 2 048 byte; max. 1 536 bytes for inputs or outputs
per interface
Process image  
• Inputs, default 2 048 byte; not changeable
• Outputs, default 2 048 byte; not changeable
• consistent data, max. 244 byte
• Access to consistent data in process image Yes
Subprocess images  
• Number of subprocess images, max. 15
Hardware configuration  
connectable OPs 119
Multicomputing No
Number of DP masters  
• integrated 1
• via CP 4; CP 443-5 Extended
Number of IO Controllers  
• integrated 2
• via CP 0
Number of operable FMs and CPs (recommen‐  
ded)
• CP, LAN 4
• PROFIBUS and Ethernet CPs 4
Slots  
• required slots 2
Time of day  
Clock  
• Hardware clock (real-time) Yes
• retentive and synchronizable Yes
• Resolution 1 ms
• Deviation per day (buffered), max. 1.7 s; Power off
• Deviation per day (unbuffered), max. 8.6 s; Power on

CPU 410 Process Automation

256 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

Operating hours counter  
• Number 16
• Number/Number range 0 to 15
• Range of values SFCs 2, 3 and 4: 0 to 32767 hours SFC 101: 0 to
2^31 - 1 hours
• Granularity 1 h
• retentive Yes
Clock synchronization  
• supported Yes
• to DP, master Yes
• to DP, slave Yes
• in AS, master Yes
• in AS, slave Yes
• on Ethernet via NTP Possible as client and master/slave via SIMATIC
process
Interfaces  
Number of PROFINET interfaces 2
Number of RS 485 interfaces 1; PROFIBUS DP
Number of other interfaces 2; 2x synchronization
1. Interface  
Interface type RS 485 / PROFIBUS
Isolated Yes
Number of connections 16
Number of connection resources 16
Interface types  
• Output current of the interface, max. 150 mA
Protocols  
• PROFIBUS DP master Yes
• PROFIBUS DP slave No
PROFIBUS DP master  
• Number of connections, max. 16
• Transmission rate, max. 12 Mbit/s
• Number of DP slaves, max. 96
• Number of slots per interface, max. 1 632
Services  
– PG/OP communication Yes
– Routing Yes; S7 routing
– Global data communication No
– S7 basic communication No
– S7 communication Yes
– S7 communication, as client Yes
– S7 communication, as server Yes
– Equidistance No

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 257
Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

– Isochronous mode No
– SYNC/FREEZE No
– Activation/deactivation of DP slaves Yes; Approved for stand-alone operation only, not
in conjunction with CiR (Configuration in Run)
– Direct data exchange (slave-to-slave com‐ No
munication)
– DPV1 Yes
Address area  
– Inputs, max. 1 536 byte
– Outputs, max. 1 536 byte
User data per DP slave  
– User data per DP slave, max. 244 byte
– Inputs, max. 244 byte
– Outputs, max. 244 byte
– Slots, max. 244
– per slot, max. 128 byte
2. Interface  
Interface type PROFINET
Isolated Yes
automatic detection of transmission rate Yes; Autosensing
Autonegotiation Yes
Autocrossing Yes
System redundancy Yes
Redundant subnetworks Yes
Change of IP address at runtime, supported No
Number of connections 120
Number of connection resources 120
Interface types  
• Number of ports 2
• integrated switch Yes
Protocols  
• PROFINET IO Controller Yes
• PROFINET IO Device No
• PROFINET CBA No
• Open IE communication Yes
• Web server No
• Media redundancy Yes
PROFINET IO Controller  
• Transmission rate, max. 100 Mbit/s
Services  
– PG/OP communication Yes
– S7 communication Yes
– Shared device No; however, usable as part of S7

CPU 410 Process Automation

258 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

– Prioritized startup No
– Number of connectable IO Devices, max. 250
– Number of connectable IO Devices for RT, 250
max.
– of which in line, max. 250
– Activation/deactivation of IO Devices Yes; Approved for stand-alone operation only, not
in conjunction with CiR (Configuration in Run)
– IO Devices changing during operation No
(partner ports), supported
– Device replacement without swap medi‐ Yes
um
– Send cycles 250 µs, 500 µs, 1 ms, 2 ms, 4 ms
– Updating time 250 µs to 512 ms, minimum value depends on the
number of configured user data and the configured
single or redundant mode
Address area  
– Inputs, max. 1 536 byte
– Outputs, max. 1 536 byte
– User data consistency, max. 1 024 byte
Open IE communication  
• Number of connections, max. 118
• Local port numbers used at the system end 0, 20, 21, 25, 102, 135, 161, 34962, 34963,
34964, 65532, 65533, 65534, 65535
• Keep-alive function, supported Yes
3. Interface  
Interface type PROFINET
Isolated Yes
automatic detection of transmission rate Yes; Autosensing
Autonegotiation Yes
Autocrossing Yes
System redundancy Yes
Redundant subnetworks Yes
Number of connections 120
Number of connection resources 120
Interface types  
• Number of ports 2
• integrated switch Yes
Protocols  
• PROFINET IO Controller Yes
• PROFINET IO Device No
• PROFINET CBA No
• Open IE communication Yes
• Web server No
• Media redundancy Yes

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 259
Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

PROFINET IO Controller  
• Transmission rate, max. 100 Mbit/s
Services  
– PG/OP communication Yes
– S7 communication Yes
– Shared device No; however, usable as part of S7
– Prioritized startup No
– Number of connectable IO Devices, max. 250
– Number of connectable IO Devices for RT, 250
max.
– of which in line, max. 250
– Activation/deactivation of IO Devices Yes; Approved for stand-alone operation only, not
in conjunction with CiR (Configuration in Run)
– IO Devices changing during operation No
(partner ports), supported
– Device replacement without swap medi‐ Yes
um
– Send cycles 250 µs, 500 µs, 1 ms, 2 ms, 4 ms
– Updating time 250 µs to 512 ms, minimum value depends on the
number of configured user data and the configured
single or redundant mode
Address area  
– Inputs, max. 1 536 byte
– Outputs, max. 1 536 byte
– User data consistency, max. 1 024 byte
Open IE communication  
• Number of connections, max. 118
• Local port numbers used at the system end 0, 20, 21, 25, 102, 135, 161, 34962, 34963,
34964, 65532, 65533, 65534, 65535
• Keep-alive function, supported Yes
4. Interface  
Interface type Pluggable synchronization submodule (FO)
5. Interface  
Interface type Pluggable synchronization submodule (FO)
Plug-in interface modules Synchronization module 6ES7960-1AA06-0XA0,
6ES7960-1AB06-0XA0 or 6ES7960-1AA08-0XA0
Protocols  
Supports protocol for PROFINET IO Yes
PROFINET CBA No
PROFIsafe Yes
PROFIBUS Yes
AS-Interface Yes; Via add-on
Redundancy mode  
Media redundancy  

CPU 410 Process Automation

260 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

– Switchover time on line break, typ. < 200 ms
– Number of stations in the ring, max. 50
SIMATIC communication  
• S7 routing Yes
Open IE communication  
• TCP/IP Yes; via integrated PROFINET interface and loada‐
ble FBs
– Number of connections, max. 118
– Data length, max. 32 kbyte
– several passive connections per port, sup‐ Yes
ported
• ISO-on-TCP (RFC1006) Yes; Via integrated PROFINET interface or CP 443-1
and loadable FBs
– Number of connections, max. 118
– Data length, max. 32 kbyte; 1 452 bytes via CP 443-1 Adv.
• UDP Yes; via integrated PROFINET interface and loada‐
ble FBs
– Number of connections, max. 118
– Data length, max. 1 472 byte
Further protocols  
• Foundation Fieldbus Yes; via DP/FF Link
• MODBUS Yes; Via add-on
communication functions / header  
PG/OP communication Yes
• Number of connectable OPs without mes‐ 119
sage processing
• Number of connectable OPs with message 119; When using Alarm_S/SQ and Alarm_D/DQ
processing
Data record routing Yes
S7 communication  
• supported Yes
• as server Yes
• as client Yes
• User data per job, max. 64 kbyte
• User data per job (of which consistent), max. 462 byte; 1 variable
S5 compatible communication  
• supported Yes; via CP and FC AG_SEND and FC AG_RECV
• User data per job, max. 8 kbyte
• User data per job (of which consistent), max. 240 byte
• Number of simultaneous AG-SEND/AG-RECV 64/64
orders per CPU, max.
Standard communication (FMS)  
• supported Yes; Via CP and loadable FB

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 261
Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

Number of connections  
• overall 120
• usable for PG communication  
– reserved for PG communication 1
• usable for OP communication  
– reserved for OP communication 1
S7 message functions  
Number of login stations for message functions, 119; max. 119 with Alarm_S/SQ and Alarm_D/DQ
max. (OPs); max. 16 with Alarm_8, Alarm_8P, Notify and
Notify_8 (e.g. WinCC)
Program alarms Yes
Process diagnostic messages Yes
simultaneously active Alarm-S blocks, max. 1 000; Simultaneously active alarm_S/SQ blocks or
alarm_D/DQ blocks
Alarm 8-blocks Yes
• Number of instances for alarm 8 and S7 com‐ 10 000
munication blocks, max.
Process control messages Yes
Number of archives that can log on simultane‐ 64
ously (SFB 37 AR_SEND)
Test commissioning functions  
Status block Yes
Single step Yes
Number of breakpoints 4
Status/control  
• Status/control variable Yes
• Variables Inputs/outputs, memory bits, DBs, distributed I/Os,
timers, counters
• Number of variables, max. 70
Diagnostic buffer  
• present Yes
• Number of entries, max. 3 200
Service data  
• can be read out Yes
Standards, approvals, certificates  
CE mark Yes
UKCA mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes

CPU 410 Process Automation

262 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.2 Technical specifications of CPU 410E (6ES7410-5HM08-0AB0)

Article number 6ES7410-5HM08-0AB0

CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
configuration / header  
configuration / programming / header  
• Command set see instruction list
• Nesting levels 7
• Access to consistent data in process image Yes
• System functions (SFC) see instruction list
• System function blocks (SFB) see instruction list
Programming language  
– SCL Yes
– CFC Yes
Know-how protection  
• User program protection/password protec‐ Yes
tion
• Block encryption Yes; With S7 block Privacy
Dimensions  
Width 50 mm
Height 290 mm
Depth 219 mm
Weights  
Weight, approx. 1.1 kg

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 263
Technical data
16.3 Technical specifications of the system expansion card

16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 0

Article number 6ES7653-2CH00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 0
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 0; PO for CPU 410-5H; expandable by means of CPU
410 Expansion Pack PO 100 or PO 500
Work memory  
• integrated CPU cannot be used without expansion
• expandable Yes, by means of CPU 410 Expansion Pack PO 100
or PO 500
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 16 KB in the CPU 410-5H
• Outputs Use of 16 KB in the CPU 410-5H
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm

CPU 410 Process Automation

264 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

Article number 6ES7653-2CH00-0XB0

Weights  
Weight, approx. 20 g

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 265
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 100

Article number 6ES7653-2CA00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 100
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 100; PO for CPU 410-5H; expandable by means of
CPU 410 Expansion Pack PO 100 or PO 500
Work memory  
• integrated Use of max. 2.2 MB work memory in the CPU
410-5H
• expandable Yes, by means of CPU 410 Expansion Pack PO 100
or PO 500
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 16 KB in the CPU 410-5H
• Outputs Use of 16 KB in the CPU 410-5H
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm

CPU 410 Process Automation

266 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

Article number 6ES7653-2CA00-0XB0

Weights  
Weight, approx. 20 g

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 267
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 200M

Article number 6ES7653-2CB00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 200M
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 200; PO for CPU 410E
Work memory  
• integrated Use of max. 4.2 MB work memory in the CPU 410E
• expandable No
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 2 048 bytes in the CPU 410E
• Outputs Use of 2 048 bytes in the CPU 410E
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm
Weights  
Weight, approx. 20 g

CPU 410 Process Automation

268 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 269
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 500

Article number 6ES7653-2CC00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 500
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 500; PO for CPU 410-5H; expandable by means of
CPU 410 Expansion Pack PO 100 or PO 500
Work memory  
• integrated Use of max. 10 MB work memory in the CPU 410-5H
• expandable Yes, by means of CPU 410 Expansion Pack PO 100
or PO 500
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 16 KB in the CPU 410-5H
• Outputs Use of 16 KB in the CPU 410-5H
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm
Weights  
Weight, approx. 20 g

CPU 410 Process Automation

270 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 271
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 500M

Article number 6ES7653-2CD00-0XB0

General information  
Product type designation PCS 7 system expansion card PO 500M
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 500; PO for CPU 410E
Work memory  
• integrated Use of max. 4.2 MB work memory in the CPU 410E
• expandable No
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 2 048 bytes in the CPU 410E
• Outputs Use of 2 048 bytes in the CPU 410E
Process image  
• Inputs, default Total peripheral address range, cannot be changed
• Outputs, default Total peripheral address range, cannot be changed
Digital channels  
• Inputs 16 384; max.
– of which central 16 384; max.
• Outputs 16 384; max.
– of which central 16 384; max.
Analog channels  
• Inputs 1 024; max.
– of which central 1 024; max.
• Outputs 1 024; max.
– of which central 1 024; max.
Standards, approvals, certificates  
CE mark Yes
UKCA mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes

CPU 410 Process Automation

272 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

Article number 6ES7653-2CD00-0XB0

CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
configuration / header  
Configuration software  
• STEP 7 No
configuration / programming / header  
Programming language  
– LAD No
– FBD No
– STL No
– SCL Yes
– CFC Yes
– GRAPH No
– HiGraph® No
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm
Weights  
Weight, approx. 20 g

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 273
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 800E

Article number 6ES7653-2CP00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 800E
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 800; PO for CPU 410-5H; expandable by means of
CPU 410 Expansion Pack PO 100 or PO 500
Work memory  
• integrated Use of max. 15.9 MB work memory in the CPU
410-5H
• expandable Yes, by means of CPU 410 Expansion Pack PO 100
or PO 500
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 16 KB in the CPU 410-5H
• Outputs Use of 16 KB in the CPU 410-5H
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm

CPU 410 Process Automation

274 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

Article number 6ES7653-2CP00-0XB0

Weights  
Weight, approx. 20 g

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 275
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 1000

Article number 6ES7653-2CE00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 1000
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 1 000; PO for CPU 410-5H; expandable by means of
CPU 410 Expansion Pack PO 100 or PO 500
Work memory  
• integrated Use of max. 19.8 MB work memory in the CPU
410-5H
• expandable Yes, by means of CPU 410 Expansion Pack PO 100
or PO 500
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 16 KB in the CPU 410-5H
• Outputs Use of 16 KB in the CPU 410-5H
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm

CPU 410 Process Automation

276 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

Article number 6ES7653-2CE00-0XB0

Weights  
Weight, approx. 20 g

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 277
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 1600

Article number 6ES7653-2CF00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 1600
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects 1 600; PO for CPU 410-5H; expandable by means of
CPU 410 Expansion Pack PO 100 or PO 500
Work memory  
• integrated Use of max. 31.5 MB work memory in the CPU
410-5H
• expandable Yes, by means of CPU 410 Expansion Pack PO 100
or PO 500
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 16 KB in the CPU 410-5H
• Outputs Use of 16 KB in the CPU 410-5H
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm

CPU 410 Process Automation

278 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

Article number 6ES7653-2CF00-0XB0

Weights  
Weight, approx. 20 g

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 279
Technical data
16.3 Technical specifications of the system expansion card

PCS7 System Expansion Card PO 2k+

Article number 6ES7653-2CG00-0XB0

General information  
Product type designation PCS 7 System Expansion Card PO 2k+
HW functional status 3
Firmware version V2.0
Design of PLC basic unit With Conformal Coating (ISA-S71.04 severity level
G1; G2; G3) and operating temperature to 70 °C
Memory  
PCS 7 process objects approx. 2 600 POs for CPU 410-5H
Work memory  
• integrated Use of max. 32 MB work memory in the CPU 410-5H
• expandable No
CPU-blocks  
DB  
• Size, max. 64 kbyte; the total size of all data blocks generated
with the SFC 22 (CREATE_DB) is limited to 256 KB
Address area  
I/O address area  
• Inputs Use of 16 KB in the CPU 410-5H
• Outputs Use of 16 KB in the CPU 410-5H
Standards, approvals, certificates  
CE mark Yes
CSA approval Yes
UL approval Yes
cULus Yes
FM approval Yes
RCM (formerly C-TICK) Yes
KC approval Yes
EAC (formerly Gost-R) Yes
CCC Yes
Use in hazardous areas  
• ATEX ATEX II 3G Ex ec IIC T4 Gc
Ambient conditions  
Ambient temperature during operation  
• min. 0 °C
• max. 70 °C
Dimensions  
Width 8 mm
Height 16 mm
Depth 25 mm
Weights  
Weight, approx. 20 g

CPU 410 Process Automation

280 System Manual, 11/2022, A5E31622160-AE
 Technical data
16.3 Technical specifications of the system expansion card

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 281
Technical data
16.3 Technical specifications of the system expansion card

CPU 410 Process Automation

282 System Manual, 11/2022, A5E31622160-AE
Supplementary information 17
17.1 Supplementary information on PROFIBUS DP

Monitor/Modify, programming via PROFIBUS

You can use the PROFIBUS DP interface to program the CPU or execute the programming device
functions Monitor and Modify.

Note
The "Programming" or "Monitor/Modify" applications prolong the DP cycle if executed via the
PROFIBUS DP interface.

Determining the bus topology in a DP master system using SFC 103 "DP_TOPOL"
The diagnostic repeater is available to improve the ability to locate faulty modules or an
interruption on the DP cable when failures occur in ongoing operation. This module is a device
that determines the topology of a DP line and identifies errors on that basis.
You use SFC 103 "DP_TOPOL" to trigger the identification of the bus topology of a DP master
system by the diagnostic repeater. For information on SFC 103, refer to the related online
help and to Manual System and Standard Functions. The diagnostic repeater is described in
the Diagnostic Repeater for PROFIBUS DP manual, article number 6ES7972-0AB00-8BA0.

Adding modules with ET 200M at a later time

If you want to add modules with the ET 200M while using IM 153-2, MLFB 6ES7
153-2BA00-0XB0 or higher, or an IM 153-2FO, MLFB 6ES7 153-2BB00-0XB0 or higher, note the
following: You must configure the ET 200M with active backplane bus with free space for the
planned expansion.
Include the ET 200M so that it complies with IEC 61158.

Adding modules with ET 200iSP at a later time

If you want to add modules to the ET 200iSP, the configuration of the terminal modules should
have sufficient reserves and be fitted with unconfigured reserve modules from the outset.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 283
Supplementary information
17.2 Supplementary information on diagnostics of the CPU 410 as PROFIBUS DP master

17.2 Supplementary information on diagnostics of the CPU 410 as

PROFIBUS DP master

Reading the diagnostics data with STEP 7

Table 17-1 Reading the diagnostics data with STEP 7

DP master Block or tab in Application See ...

STEP 7
CPU 41x Tab "DP device diag‐ Display device diagnostics as See "Hardware diagnostics" in
nostics" plain text in the STEP 7 user in‐ the STEP 7 online help and in
terface Manual Configuring Hardware
and Communication Connec‐
tions with STEP 7
SFC 13 "DPNRM_DG" Read out device diagnostics See reference manual System
i.e. store in data area of user and Standard Functions
program ; for other devices, see their de‐
It is possible that the busy bit scription
will not be set to "0" if an error
occurs while SFC 13 is being pro‐
cessed. You should therefore
check the RET_VAL parameter
after every execution of SFC 13.
SFC 59 "RD_REC" Read data records of S7 diagnos‐ See System and Standard Func‐
tics (store in the data area of the tions reference manual
user program)
SFC 51 "RDSYSST" Read SSL partial lists. In the di‐
agnostic interrupt with SSL ID
W#16#00B3, call SFC 51 and
read out SSL of device CPU.
  SFB 52 "RDREC" For DPV1 devices
Read the data records of S7 di‐
agnostics, i.e., store in the data
area of the user program
  SFB 54 "RALRM" For DPV1 devices:
Read interrupt information with‐
in the associated interrupt OB

CPU 410 Process Automation

284 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.2 Supplementary information on diagnostics of the CPU 410 as PROFIBUS DP master

Evaluating diagnostics data in the user program

The figure below shows how to evaluate the diagnostics data in the user program.

'LDJQRVWLFVHYHQW

2%LVFDOOHG

5HDG2%B0'/B$''5DQG )RUGLDJQRVWLFVRIWKHDIIHFWHG
2%B,2B)/$* ,'RI,2PRGXOH FRPSRQHQW&DOO6)%LQ'39
HQYLURQPHQW

6HW0RGH 

%LWRI2%B,2B)ODJDVELWLQ
'LDJQRVWLFGDWDDUHHQWHUHGLQWKH
2%B0'/B$''5HQWHUUHVXOW
7,1)2DQG$,1)2SDUDPHWHUV
'LDJQRVWLFDGGUHVV
2%B0'/B$''5 ಯ

)RUGLDJQRVWLFVRIWKHHQWLUH'3 )RUGLDJQRVWLFVRIWKHDIIHFWHGPRGXOHV
VODYH&DOO6)& &DOO6)&
 
,QWKH/$''5SDUDPHWHUHQWHU ,QWKH/$''5SDUDPHWHUHQWHUGLDJQRVWLF
GLDJQRVWLFDGGUHVV2%B0'B$''5  DGGUHVV2%B0'/B$''5 ,QWKH6=/B,'
SDUDPHWHUHQWHUWKH,':%
 GLDJQRVWLFGDWDRIDPRGXOH

Figure 17-1 Diagnostics with CPU 410

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 285
Supplementary information
17.3 System status lists for PROFINET IO

Event detection
The following table shows how the CPU 41xH as DP master detects operating state changes of
a DP device or interruptions of the data transfer.

Table 17-2 Event detection of the CPU 41xH as a DP master

Event What happens in the DP master?

Bus interruption due to short-circuit or • Call of OB 86 with message Station failure as incoming event; diagnostic ad‐
disconnection of the connector dress of the DP device that has been assigned to the DP master
• With I/O access: Call of OB 122, I/O area access error
DP device: RUN → STOP • Call of OB 82 with message Faulty module as incoming event; diagnostic ad‐
dress of the DP device that has been assigned to the DP master; variable
OB82_MDL_STOP=1
DP device: STOP → RUN • Call of OB 82 with message Module ok as outgoing event; diagnostic address of
the DP device that has been assigned to the DP master; variable
OB82_MDL_STOP=0

Evaluation in the user program

The following table shows how you can evaluate, for example, RUN–STOP transitions of the DP
device in the DP master. Also refer to the previous table.

In the DP master In the DP device (CPU 41x)

• Example of diagnostic addresses: • Example of diagnostic addresses:
Master diagnostics address=1023 Device diagnostic address=422
Device diagnostic address in the master Master diagnostics address=irrelevant
system=1022
The CPU calls OB 82 with the following information, for example: CPU: RUN → STOP
• OB 82_MDL_ADDR:=1022 CPU generates a DP device diagnostic message frame
• OB82_EV_CLASS:=B#16#39
As incoming event
• OB82_MDL_DEFECT:=module error
The CPU diagnostic buffer also contains this information.
Also program SFC 13 "DPNRM_DG" in the user program for reading out
DP device diagnostics data.
Use SFB 54 in the DPV1 environment. It outputs the full interrupt in‐
formation.

17.3 System status lists for PROFINET IO

Introduction
The CPU makes certain information available and stores this information in the "System status
list".

CPU 410 Process Automation

286 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.3 System status lists for PROFINET IO

The system status list describes the current status of the automation system. It provides an
overview of the configuration, the current parameter assignment, the current statuses and
sequences in the CPU, and the assigned modules.
The system status list data can only be read, but not be changed. The system status list is a
virtual list that is compiled only on request.
From a system status list you receive the following information about the PROFINET IO
system:
• System data
• Module status information in the CPU
• Diagnostic data from a module
• Diagnostics buffer

Compatibility of system status lists

System status lists are available for PROFINET IO that support PROFINET IO configuration sizes
and can also be used for PROFIBUS.
You can use a previously known PROFIBUS system status list that is also supported by
PROFINET IO as usual. If you use a system status list in PROFINET IO that PROFINET IO does
not support, an error code is returned in RET_VAL (8083: Index wrong or not permitted).

Comparison of the system status lists of PROFINET IO and PROFIBUS DP

Table 17-3 Comparison of the system status lists of PROFINET IO and PROFIBUS DP

SSL-ID PROFINET IO PROFIBUS DP Applicability

W#16#0C75 Yes, parameter adr1 Yes  Communication status between the H-sys‐
changed  tem and switched DP device/PN device
W#16#0C91 Yes, internal interface Yes, internal interface Module status information of a module in
Parameter adr1/adr2 and No, external interface a central configuration or at an integrated
set/actual type identifier DP or PROFIBUS interface, or at an integra‐
changed ted DP interface using the logical address
No, external interface of the module.
W#16#4C91 No No, internal interface Module status information of a module at‐
Yes, external interface tached to an external DP or PROFIBUS in‐
terface using the start address.
W#16#0D91 Yes Yes Module status information of all modules
Parameter adr1 changed in the specified rack/station
No, external interface
W#16#xy92 No Yes Rack/station status information
Replacement: SSL-ID Replace this system status list with the sys‐
W#16#0x94 tem status list with ID W#16#xy94 in PRO‐
FIBUS DP, as well.
W#16#0x94 Yes, internal interface Yes, internal interface Rack/station status information
No, external interface No, external interface

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 287
Supplementary information
17.4 Configuring with STEP 7

SSL-ID PROFINET IO PROFIBUS DP Applicability

W#16#0C96 Yes, internal interface Yes, internal interface Module status information of a submod‐
No, external interface No, external interface ule using the logical address of this sub‐
module
W#16#0591 Yes Yes Module status information on the interfa‐
Parameter adr1 changed ces of a module
W#16#0696 Yes, internal interface No Module status information of all submod‐
No, external interface ules on an internal interface of a module
using the logical address of the module,
not possible for submodule 0 (= module)

Detailed information
For detailed descriptions of the individual system status lists, refer to Manual System Software
for S7-300/400 System and Standard Functions.

17.4 Configuring with STEP 7

17.4.1 Rules for arranging fault-tolerant station components

The are additional rules for a fault-tolerant station, in addition to the rules that generally apply
to the arrangement of modules in the S7-400:
• Insert the CPUs into the same slots.
• Redundantly used external DP master interfaces or communication modules must be
inserted in the same slots in each case.
• Insert an external DP master interface for redundant DP master systems only in the central
controllers and not in the expansion units.
• Redundantly used CPUs must be identical, which means they must have the same article
number, product version and firmware version. It is not the marking on the front side that is
decisive for the product version, but the revision of the "Hardware" component ("Module
status" dialog mask) to be read using STEP 7.
• Redundantly used other modules must be identical, which means they must have the same
article number, product version and - if available - firmware version.

Layout rules
• If there are not enough slots in the central controllers, you can increase the configuration of
an H system with expansion units.
• A fault-tolerant station may contain up to 20 expansion units.
• Assign racks with even numbers only to central controller 0, and racks with odd numbers only
to central controller 1.
• FMs and CPs can be operated only in racks 0 through 6.

CPU 410 Process Automation

288 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.4 Configuring with STEP 7

• Pay attention to the rack numbers for operation of CPs for fault-tolerant communication in
expansion units:
The numbers must be directly sequential and begin with the even number, e.g., rack
numbers 2 and 3, but not rack numbers 3 and 4.
• A rack number is also assigned for DP master no. 9 onwards if the central controller contains
DP master modules. The number of possible expansion units is reduced as a result.
Compliance with the rules is monitored automatically by STEP 7 and considered accordingly
during configuration.

Additional I/O expansion

For use of distributed I/O, you can connect a DP master system in each of the two subsystems.
Connect a DP master system to the integrated interface of the CPU and others via external DP
master systems.

Note
PROFIBUS DP and PROFINET together
You can use both PROFINET IO devices and PROFIBUS DP stations on a CPU 410.

Note
Fail-safe signal modules
If you want to operate fail-safe modules redundantly on the PNIO interface, you need the S7 F
Systems optional package V6.1 SP1 or higher.

17.4.2 Configuring hardware

You can use the SIMATIC PCS 7 wizard to create AS bundle configurations.
Another way of achieving a redundant hardware configuration is to initially assemble one
rack with all components to be implemented redundantly and to assign parameters to
them. The entire rack must then be copied and inserted. You adjust the network parameters
appropriately in the subsequent dialogs.

Specific aspects of the hardware configuration display

The redundant DP master system and PN/IO system are displayed by two lines close together to
make them easy to identify.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 289
Supplementary information
17.4 Configuring with STEP 7

17.4.3 Assigning parameters to modules in a fault-tolerant station

Procedure
Assign all parameters of the redundant components identically, with the exception of
communication addresses.

The special case of CPUs

You can only set the CPU0 parameters (CPU on rack 0). Any values that you specify are
automatically allocated to CPU1 (CPU on rack 1). You can set the following values for CPU1:
• Parameters of the DP interface (X1)
• Addresses of sync modules
• Parameters of the PROFINET IO interfaces

17.4.4 Recommendations for setting CPU parameters, fixed settings

Monitoring time for transferring parameters to modules

You specify this monitoring time on the "Startup" tab. It depends on the configuration of the
fault-tolerant station. If the monitoring time is too short, the CPU enters the W#16#6547 event
in the diagnostics buffer.
For some devices (e.g. IM 153-2), these parameters are packed into system data blocks. The
transmission time of the parameters depends on the following factors:
• Baud rate of the bus system (high baud rate => short transmission time)
• Size of the parameters and the system data blocks (large parameter length => long
transmission time)
• Load on the bus system (many devices => slow transmission rate);
Note: The bus load is at its peak during restart of the DP master, for example, following Power
OFF/ON
Recommended setting (default setting of the CPU 410): 600 corresponds to 60 s.

Note
The fault-tolerant-specific CPU parameters, and thus also the monitoring times, are calculated
automatically. The work memory allocation of all data blocks is based on a CPU-specific default
value. If your fault-tolerant system does not link up, check the data memory allocation (HW
Config > CPU Properties > H Parameters > Work memory used for all data blocks).

See also
Service and Support (https://support.industry.siemens.com/cs/ww/en/)

CPU 410 Process Automation

290 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.4 Configuring with STEP 7

17.4.5 Networking configuration

The fault-tolerant S7 connection is a separate connection type of the "Configure Networks"
application. It permits that the following communication peers can communicate with each
other:
• S7–400 fault-tolerant station (with 2 fault-tolerant CPUs)->S7–400 fault-tolerant station
(with 2 fault-tolerant CPUs)
• S7–400 station (with 1 fault-tolerant CPU)->S7–400 fault-tolerant station (with 2 fault-
tolerant CPUs)
• S7–400 station (with 1 fault-tolerant CPU)->S7–400 station (with 1 fault-tolerant CPU)
• SIMATIC PC stations > S7–400 fault-tolerant station (with 2 fault-tolerant CPUs)
When this connection type is configured, the application automatically determines the
number of possible subconnections:
• If two independent but identical subnets are available and they are suitable for a fault-
tolerant S7 connection, two subconnections are used. In practice, they are usually electrical
networks, one network connection in each subnet:

• If only one subnet is available, four subconnectors are used for a connection between two
fault-tolerant stations. All network connections are located in this subnet:

Only the integrated PROFINET IO interfaces or only the CPs are used for subconnections
within a fault-tolerant S7 connection. But multiple fault-tolerant stations in one subnet may
have different interfaces; they only have to be identical within the station.

Downloading the network configuration into a fault-tolerant station

The complete network configuration can be downloaded into the fault-tolerant station in one
operation. The same requirements that apply for downloads into standard stations must be met.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 291
Supplementary information
17.5 The STEP 7 user program

17.5 The STEP 7 user program

17.5.1 The user program

The rules of developing and programming the user program for the standard S7-400 system also
apply to the S7-400H.
In terms of user program execution, the S7-400H behaves in exactly the same manner
as a standard system. The integral synchronization functions of the operating system are
executed automatically in the background. You do not need to consider these functions in
your user program.
In redundant operation, the user programs are stored identically on both CPUs and are
executed in event-synchronous mode.
However, we offer you several specific blocks for optimizing your user program, e.g. in order
to improve its response to the extension of cycle times due to updates.

Specific blocks for S7–400H

In addition to the blocks supported both in the S7-400 and S7-400H systems, the S7-400H
software provides further blocks which you can use to influence the redundancy functions.
You can react to redundancy errors of the S7-400H using the following organization blocks:
• OB 70, I/O redundancy errors
• OB 72, CPU redundancy errors
SFC 90 "H_CTRL" can be used to influence fault-tolerant systems as follows:
• You can disable interfacing in the master CPU.
• You can disable updating in the master CPU.
• You can remove, resume or immediately start a test component of the cyclic self-test.
Note
Required OBs
Always download these error OBs to the S7-400H CPU: OB 70, OB 72, OB 80, OB 82, OB 83,
OB 85, OB 86, OB 87, OB 88, OB 121 and OB 122. If you do not download these OBs, the fault-
tolerant system goes into STOP when an error occurs.

Additional information
For detailed information on programming the blocks listed above, refer to the Programming
with STEP 7 manual, and to the System Software for S7-300/400; System and Standard
Functions Reference Manual.

CPU 410 Process Automation

292 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.7 Communication services

17.6 Programming device functions in STEP 7

Display in SIMATIC Manager

In order to do justice to the special features of a fault-tolerant station, the way in which the
system is visualized and edited in SIMATIC Manager differs from that of a S7-400 standard station
as follows:
• In the offline view, the S7 program appears only under CPU0 of the fault-tolerant station. No
S7 program is visible under CPU1.
• In the online view, the S7 program appears under both CPUs and can be selected in both
locations.

Communication functions
For programming device (PG) functions that establish online connections (e.g., downloading
charts), one of the two CPUs has to be selected even if the function affects the entire system over
the redundant link.
• Data which is modified in one of the central processing units in redundant operation affect
the other CPUs over the redundant link.
• Data which is modified when there is no redundant link (i.e. in single mode) initially affects
only the processed CPU. The blocks are applied by the master CPU to the reserve CPU during
the next link-up and update. Exception: No new blocks are applied after changing the
configuration. Loading the blocks is then the responsibility of the user.

17.7 Communication services

17.7.1 Overview of communication services

Overview

Table 17-4 Communication services of the CPUs

Communication service Functionality Allocation of S7 connection Via DP Via

resources PN/IE
PG communication Commissioning, testing, diagnostics Yes Yes Yes
OP communication Operator control and monitoring Yes Yes Yes
S7 communication Data exchange via configured connec‐ Yes Yes Yes
tions
Routing of PG functions For example, testing, diagnostics be‐ Yes Yes Yes
yond network boundaries
PROFIBUS DP Data exchange between master and de‐ No Yes No
vice

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 293
Supplementary information
17.7 Communication services

Communication service Functionality Allocation of S7 connection Via DP Via

resources PN/IE
PROFINET IO Data exchange between I/O controllers No No Yes
and I/O devices
SNMP Standard protocol for network diagnos‐ No No Yes
(Simple Network Management tics and parameter assignment
Protocol)
Open communication over Data exchange over Industrial Ethernet Yes No Yes
TCP/IP with TCP/IP protocol (with loadable FBs)
Open communication over ISO Data exchange over Industrial Ethernet Yes No Yes
on TCP with ISO on TCP protocol (with loadable
FBs)
Open communication over Data exchange over Industrial Ethernet Yes No Yes
UDP with UDP protocol (with loadable FBs)
Data record routing For example, parameter assignment and Yes Yes Yes
diagnostics of field devices on PROFIBUS
DP with PDM.

Note
Communication via an PNIO interface
If you want to use an PNIO interface of the module for communication in system operation, you
must also network this in Step 7 / HW Config / NetPro.

Availability of connection resources

Table 17-5 Availability of connection resources

CPU Total number of Can be used for S7- Reserved from the total number for
connection resources H connections PG communication OP communication
CPU 410-5H 120 62 1 1

Free S7 connections can be used for any of the above communication services.

Note
Communication service via the PROFIBUS DP interface
A fixed default timeout of 40 s is specified for communication services using S7 connection
resources. If you operate those communication services via a PROFIBUS DP interface at a low
baud rate, operation in configurations with a Ttr (Target Rotation Time) < 20 s is ensured.

CPU 410 Process Automation

294 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.7 Communication services

17.7.2 PG communication

Properties
Programming device communication is used to exchange data between engineering stations
(PG, PC, for example) and SIMATIC modules which are capable of communication. This service
is available via PROFIBUS and Industrial Ethernet subnets. Routing between subnets is also
supported.
You can use the programming device communication for the following actions:
• Loading programs and configuration data
• Performing tests
• Evaluating diagnostic information
These functions are integrated in the operating system of SIMATIC S7 modules.
A CPU can maintain several simultaneous online connections to one or multiple
programming devices.

17.7.3 OP communication

Properties
OP communication is used to exchange data between HMI stations, such as WinCC, OP, TP and
SIMATIC modules which are capable of communication. This service is available via PROFIBUS
and Industrial Ethernet subnets.
You can use the OP communication for operator control, monitoring and alarms. These
functions are integrated in the operating system of SIMATIC S7 modules. A CPU can maintain
several simultaneous connections to one or several OPs.

17.7.4 S7 communication

Properties
A CPU can always act as a server or client in S7 Communication. A connection is configured
permanently. The following connections are possible:
• One-sided configured connections (for PUT/GET only)
• Two-side configured connections (for USEND, URCV, BSEND, BRCV, PUT, GET)
You can use the S7 communication via integrated PROFIBUS DP or PROFINET IO interfaces. If
required, S7 communication can be used via additional communication processors: CP 443-1
for Industrial Ethernet or CP 443-5 for PROFIBUS.
The S7-400 features integrated S7 communication services that allow the user program
in the controller to initiate reading and writing of data. The S7 communication functions

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 295
Supplementary information
17.7 Communication services

are called in the user program using SFBs. These functions are independent of specific
networks, allowing you to program S7 communication via PROFINET, Industrial Ethernet, or
PROFIBUS.
S7 communication services provide the following options:
• During system configuration, you configure the connections used by the S7 communication.
These connections remain configured until you download a new configuration.
• You can establish several connections to the same partner. The number of communication
partners accessible at any time is restricted to the number of connection resources available.
• You can configure fault-tolerant S7 connections using the integrated PROFINET IO interface.
Note
Downloading the connection configuration during operation
When you load a modified connection configuration during operation, connections which
have been set up which are not affected by changes in the connection configuration may also
be aborted.

S7 communication allows you to transfer a block of up to 64 Kbytes per call to the SFB. An
S7-400 transfers a maximum of 4 tags per block call.

SFBs for S7 Communication

The following SFBs are integrated in the operating system of the S7-400 CPUs:

Table 17-6 SFBs for S7 Communication

Block Block name Brief description

SFB 8 USEND Send data to a remote partner SFB of type "URCV"
SFB 9 URCV Receive asynchronous data from a remote partner SFB of type "USEND"
SFB 12 BSEND Send data to a remote partner SFB of type "BRCV"
SFB 13 BRCV Receive data from a remote partner SFB of type "BSEND"
With this data transfer, a larger amount of data can be transported between the com‐
munication partners than is possible with all other communications SFBs for the con‐
figured S7 connections.
SFB 14 GET Read data from a remote CPU
SFB 15 PUT Write data to a remote CPU
SFB 16 PRINT Send data via a CP 441 to a printer
SFB 19 START Carry out a reboot (warm restart) or cold restart in a remote station
SFB 20 STOP Set a remote station to STOP operating state
SFB 22 STATUS Query the device status of a remote partner
SFB 23 USTATUS Uncoordinated receiving of a remote device status

Integration into STEP 7

S7 communication offers communication functions through configured S7 connections. You
use STEP 7 to configure the connections.
S7 connections with an S7-400 are established when the connection data is downloaded.

CPU 410 Process Automation

296 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.7 Communication services

17.7.5 S7 routing

Properties
You can access your S7 stations beyond subnet boundaries using the programming device / PC.
You can use them for the following actions:
• Downloading user programs
• Downloading a hardware configurations
• Performing test and diagnostic functions

Requirements
• The network configuration does not exceed project limits.
• The modules have loaded the configuration data containing the latest "knowledge" of the
entire network configuration of the project.
Reason: All modules connected to the network gateway must receive routing information
which defines the paths to other subnets.
• In your network configuration, the PG/PC you want to use to set up a connection via gateway
must be assigned to the network to which it is physically connected.
• The CPU must be configured as the master.

S7 routing gateways: PN - DP
Gateways between subnets are routed in a SIMATIC station that is equipped with interfaces to
the respective subnets. The following figure shows CPU 1 (DP master) acting as router for
subnets 1 and 2.

'3PDVWHU '3VODYH

3*

6XEQHWHJ352),%86'3

6XEQHWHJ352),1(7,2

Figure 17-2 S7 routing

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 297
Supplementary information
17.7 Communication services

S7 routing gateways: PROFINET IO - DP - PROFINET IO

The following figure shows the access from PROFINET IO to PROFIBUS to PROFINET IO. CPU 1 is
the router between subnet 1 and subnet 2; CPU 2 is the router between subnet 2 and subnet 3.

&38 &38 &38

352),1(7,2 '3 31'3 352),1(7,2 352),1(7,2

0DVWHU VODYHDFWLYH

6XEQHW352),1(7,2

6XEQHW352),%86

6XEQHW352),1(7,2

3* 

Figure 17-3 S7 routing gateways: PROFINET IO - DP - PROFINET IO

S7 routing: TeleService application example

The following figure shows an application example of the remote maintenance of an S7 station
using a PG. The connection to other subnets is set up via modem.
The bottom of the figure shows how this can be configured in STEP 7.

CPU 410 Process Automation

298 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.7 Communication services

'3PDVWHU '3VODYH
5HDOFRQILJXUDWLRQ

3*

7HOH6HUYLFH
6XEQHW
$GDSWHU
HJ352),%86'3
0RGHP 0RGHP
6XEQHW
HJ352),1(7,2

&RQILJXUDWLRQLQ67(3
'3PDVWHU '3VODYH

3*

6XEQHW
HJ352),%86'3

6XEQHW
HJ352),1(7,2
Figure 17-4 S7 routing: TeleService application example

Reference
• Further information on configuration with STEP 7 can be found in Manual Configuring
hardware and communication connections with STEP 7 (https://
support.industry.siemens.com/cs/us/en/view/109751824).
• More basic information is available in Manual Communication with SIMATIC (https://
support.industry.siemens.com/cs/ww/en/view/1254686).
• For more information about the TeleService adapter, refer to Manual TS Adapter (https://
support.industry.siemens.com/cs/ww/en/view/20983182)

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 299
Supplementary information
17.7 Communication services

See also
Instructions List (https://support.industry.siemens.com/cs/ww/en/view/44395684)
System and standard functions (https://support.industry.siemens.com/cs/ww/en/view/
44240604)

17.7.6 Data set routing

Routing and data set routing

Routing is the transfer of data beyond network boundaries. You can send information from a
transmitter to a receiver across several networks.
Data set routing is an expansion of S7 routing and is used, for example, in SIMATIC PDM. The data
sent through data record routing include the parameter assignments of the participating
communication devices and device-specific information (for example, setpoint values, limit
values, etc.). The structure of the destination address for data set routing depends on the data
content, in other words, it is determined by the device for which the data is intended.
The field device itself does not have to support data set routing, since these devices do not
forward the received information.

CPU 410 Process Automation

300 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.7 Communication services

Data set routing

The following figure shows the engineering station accessing a variety of field devices. The
engineering station is connected to the CPU via Industrial Ethernet in this scenario. The CPU
communicates with the field devices via the PROFIBUS.

(QJLQHHULQJ6WDWLRQ
ZLWK6,0$7,&3'0

,QGXVWULDO(WKHUQHW

352),%86'3

(70 '33$OLQN (7L63

P$ 352),%863$
+$57

6,02&2'(

Figure 17-5 Data set routing

See also
For more information on SIMATIC PDM, refer to Manual The Process Device Manager.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 301
Supplementary information
17.7 Communication services

17.7.7 SNMP network protocol

Properties
SNMP (Simple Network Management Protocol) is the standardized protocol for diagnostics of
the Ethernet network infrastructure. In the office setting and in automation engineering,
devices from many different manufacturers support SNMP on the Ethernet. SNMP-based
applications can be operated on the same network in parallel to applications with PROFINET IO.
Configuration of the SNMP OPC server is integrated in the STEP 7 Hardware Configuration
application. Already configured S7 modules from the STEP 7 project can be transferred
directly. As an alternative to STEP 7, you can also perform the configuration with the NCM PC
(included on the SIMATIC NET CD). All Ethernet devices can be detected by means of their IP
address and/or the SNMP protocol (SNMP V1) and transferred to the configuration.
Use the profile MIB_II_V10.
SNMP-based applications can be operated on the same network parallel to applications with
PROFINET IO.

Note
MAC addresses
During SNMP diagnostics, the following MAC addresses are shown for the ifPhysAddress
parameter:
Interface 1 (PN interface) = MAC address (specified on the front panel of the CPU)
Interface 2 (port 1) = MAC address + 1
Interface 3 (port 2) = MAC address + 2

Diagnostics with SNMP OPC Server in SIMATIC NET

The SNMP OPC server software enables diagnostics and parameter assignment of any SNMP
devices. The OPC server uses the SNMP protocol to perform data exchange with SNMP devices.
All information can be integrated in OPC-compatible systems, such as the WinCC HMI system.
This enables process and network diagnostics to be combined in the HMI system.

Reference
For further information on the SNMP communication service and diagnostics with SNMP, refer
to the PROFINET System Description.

CPU 410 Process Automation

302 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.7 Communication services

17.7.8 Open Communication Via Industrial Ethernet

Functionality
The following services are available for open IE communication:
• Connection-oriented protocols:
Prior to data transmission connection-oriented protocols establish a logical connection to the
communication partner and close this again, if necessary, after transmission is complete.
Connection-oriented protocols are used when security is especially important in data
transmission. A physical cable can generally accommodate several logical connections. The
maximum job length is 32 KB.
The following connection-oriented protocols are supported for the FBs for open IE
communication:
– TCP to RFC 793
– ISO on TCP according to RFC 1006
Note
ISOonTCP
For data communication with third-party systems via RFC1006, the connection partner
must adhere to the maximum TPDU size (TPDU = Transfer Protocol Data Unit) negotiated
in the ISOonTCP connection establishment.

• Connectionless protocols:
Connectionless protocols operate without a logical connection. There is also no establishing
or terminating a connection to remote partner. Connectionless protocols transfer the data
unacknowledged and thus unsecured to the remote partner. The maximum message frame
length is 1472 bytes.
The following connectionless protocols are supported for the FBs for open communication
via Industrial Ethernet:
– UDP according to RFC 768
The single-cast method is supported.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 303
Supplementary information
17.7 Communication services

How to use open IE communication

You can exchange data with other communication partners via the user program. The following
FBs and UDTs are available for this in the "Standard Library" of STEP 7 under "Communication
Blocks".
• Connection-oriented protocols: TCP, ISO on TCP
– FB 63 "TSEND" for sending data
– FB 64 "TRCV" for receiving data
– FB 65 "TCON", for connection setup
– FB 66 "TDISCON", for disconnecting
– UDT 65 "TCON_PAR" with the data structure for the configuration of the connection
• Connectionless protocol: UDP
– FB 67 "TUSEND" for sending data
– FB 68 "TURCV" for receiving data
– FB 65 "TCON" for setting up the local communication access point
– FB 66 "TDISCON" for resolving the local communication access point
– UDT 65 "TCON_PAR" with the data structure for configuring the local communication
access point
– UDT 66 "TCON_ADR" with the data structure of the addressing parameters of the remote
partner

Data blocks for parameter assignment

• Data blocks for parameter assignment of communication connections for TCP and ISO on TCP
In order to assign parameters for the communication connections for TCP and ISO on TCP, you
must create a DB that contains the data structure from UDT 65 "TCON_PAR". This data
structure contains all parameters you need to set up the connection. For each connection you
need this type of data structure, which you can also group within a global data range.
Connection parameter CONNECT of FB 65 "TCON" reports the address of the corresponding
connection description to the user program (for example, P#DB100.DBX0.0 byte 64).
• Data blocks for the configuration the local UDP communication access point
To assign parameters to the local communication access point, create a DB containing the
data structure from the UDT 65 "TCON_PAR". This data structure contains the necessary
parameters you need to set up the connection between the user program and the
communication layer of the operating system. You also need UDT 66 "TCON_ADDR" for UDP.
You can also store this UDT in the DB .
The CONNECT parameter of the FB 65 "TCON" contains a reference to the address of the
corresponding connection description (for example, P#DB100.DBX0.0 Byte 64).

CPU 410 Process Automation

304 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.7 Communication services

Job lengths and parameters for the different types of connection

Table 17-7 Job lengths and "local_device_id" parameter

Protocol type CPU 410-5H CPU 410-5H with CP 443-1

TCP 32 KB -
ISO on TCP 32 KB 1452 bytes
UDP 1472 bytes -
"local_device_id" parameter for the connection description
Dev. ID 16#5 for CPU 0, interface x5 16#0 for CPU 0
16#15 for CPU1, interface x5 16#10 for CPU1
16#8 for CPU 0, interface x8
16#18 for CPU1, interface x8

Establishing a communication connection

• Use with TCP and ISO on TCP
Both communication partners call FB 65 "TCON" to establish the connection. In the
configuration, you specify which communication partner activates the connection, and
which one responds to the request with a passive connection. To determine the number of
possible connections, refer to your CPU's technical specifications.
The CPU automatically monitors and holds the active connection.
If the connection is broken, for example by line interruption or by the remote communication
partner, the active partner tries to reestablish the connection.
If a subsystem of a fault-tolerance system is switched to STOP, the system retains the
connections through the CPU switched to STOP and establishes them again after link-up.
You do not have to call FB 65 "TCON" again.
When FB 66 "TDISCON" is called or the CPU is in STOP operating state, an existing connection
will be terminated. To reestablish the connection you must call FB65 "TCON" again.
• Use with UDP
Both communication partners call FB 65 "TCON" to set up their local communication access
point. This establishes a connection between the user program and operating system's
communication layer. No connection is established to the remote partner.
The local access point is used to send and receive UDP message frames.

Terminating a communication connection

• Use with TCP and ISO on TCP
FB 66 "TDISCON" disconnects the communication connection between the CPU and a
communication partner.
• Use with UDP
FB 66 "TDISCON" disconnects the local communication access point. This means that the
connection between the user program and communication layer of the operating system is
terminated.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 305
Supplementary information
17.8 Basics and terminology of fault-tolerant communication

Options for terminating the communication connection

The following events are available for terminating communication connections:
• You program the termination of the communication connection with FB 66 "TDISCON".
• The CPU state changes from RUN to STOP.
• At POWER OFF / POWER ON

Response in the fault-tolerance system

All connections are terminated when the entire fault-tolerance system switches to STOP. If one
CPU in the system is stopped, that CPU's connections are canceled but retained by the fault-
tolerant system. Connection establishment with FB 66 "TDISCON" for connections available in
the system runs asynchronously to program processing (status 7001,7002..7002, 0).

Connection diagnostics
In Step 7, you can read detailed information on the configured connections by selecting "Module
state -> Communication -> Open communication over Industrial Ethernet".

Reference
For detailed information on the blocks described above, refer to the STEP 7 Online Help.

17.8 Basics and terminology of fault-tolerant communication

Overview
When more stringent requirements for overall plant availability exist, it is necessary to increase
the reliability of the communication, i.e., by configuring the communication redundantly as
well.
Below you will find an overview of the fundamentals and basic concepts which you ought to
know with regard to using fault-tolerant communications.

Redundant communication system

The availability of the communication system can be increased by duplicating subcomponents,
duplicating all bus components, or using a fiber-optic ring.
Monitoring and synchronization mechanisms ensure that standby components take over
communication if one components fails.
A redundant communication system is required for the user of fault-tolerant S7 connections.

Fault-tolerant communication
Fault-tolerant communication is the use of S7 communication SFBs over fault-tolerance S7
connections.

CPU 410 Process Automation

306 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.8 Basics and terminology of fault-tolerant communication

A fault-tolerant S7 connection consists of at least two and a maximum of four partial

connections depending on networking. Two partial connections are established for fault-
tolerant communication; the two others are configuration standbys.
Fault-tolerant S7 connections require a redundant communication system.

Redundancy nodes
Redundancy nodes represent extreme reliability of communication between two fault-tolerant
systems. A system with multi-channel components is represented by redundancy nodes.
Redundancy nodes are independent when the failure of a component within the node does not
result in any reliability impairment in other nodes.
Even with fault-tolerant communication, only single errors/faults can be tolerated. If more
than one error occurs between two communication end points, communication can no
longer be guaranteed.

Connection (S7 connection)

A connection represents the logical assignment of two communication peers for executing a
communication service. Every connection has two end points containing the information
required for addressing the communication peer as well as other attributes for establishing the
connection.
An S7 connection is the communication connection between two standard CPUs or between
a standard CPU and a CPU of a fault-tolerant system.
Unlike a fault-tolerant S7 connection, which contains at least two partial connections, an S7
connection does only consist of one connection. If that connection fails, communication is
terminated.

S7 connection

CPU 0
CPU
CPU 1

Figure 17-6 Example of an S7 connection

Note
"Connection" in this manual refers in general to a "configured S7 connection". For other types of
connection, refer to Manuals SIMATIC NET NCM S7 for PROFIBUS and SIMATIC NET NCM S7 for
Industrial Ethernet.

Fault-tolerant S7 connections
The requirement for higher availability with communication components (for example CPs and
buses) means that redundant communication connections are necessary between the systems
involved.
Unlike an S7 connection, a fault-tolerant S7 connection consists of at least two subordinate
partial connections. For the user program, configuration and connection diagnostics, a

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 307
Supplementary information
17.8 Basics and terminology of fault-tolerant communication

fault-tolerant S7 connection and its subordinate partial connections are represented by

precisely one ID (like an S7 connection). Depending on the configuration, it can consist
of a maximum of four subconnections. To maintain communication in the event of an
error, two of the four subconnections are always connected (active) at any given time. The
number of subconnections depends on the possible alternative paths (see figure below) and
is determined automatically. Within an S7-H connection, only subconnections over CP or over
the integrated CPU interface are used in the configuration.
The following examples and the possible configurations in STEP 7 are based on a
maximum of two subnets and a maximum of 4 CPs in the redundant fault-tolerant system.
Configurations with a higher number of CPs or networks are not supported in STEP 7.

CPU 410 Process Automation

308 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.8 Basics and terminology of fault-tolerant communication

5HGXQGDQWFRQQHFWLRQ

&38D &3D %XV &3E &38E

&38D &3D %XV &3E &38E

5HVXOWLQJVXEFRQQHFWLRQV
&38D!&38E&38D!&38E

)DXOWWROHUDQWV\VWHPD )DXOWWROHUDQWV\VWHPE

&38 &3 &38 &3

D D E E

%XV
%XV

&38D &3D &3E &38E

/$1UHG

&38D &3D &3E &38E

5HVXOWLQJVXEFRQQHFWLRQV
&38D!&38E&38D!&38E&38D!&38E&38D!&38E

)DXOWWROHUDQWV\VWHPD )DXOWWROHUDQWV\VWHPE

&38 &3 &38 &3

D D E E

260 260 260 260

6\VWHPEXVDVGXSOH[ILEHURSWLFULQJ

Figure 17-7 Example that shows that the number of resulting partial connections depends on the
configuration

If the active subconnection fails, the already established second subconnection automatically
takes over communication.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 309
Supplementary information
17.10 Communication via S7 connections

Resource requirements for fault-tolerant S7 connections

The H-CPU enables the operation of 62 (see Technical specifications) fault-tolerant S7
connections. Each connection needs a connection resource on the CPU; subconnections do not
need any additional connection resources. On the CP, on the other hand, each subconnection
needs a connection resource.

Note
If you have configured multiple fault-tolerant S7 connections for an H station, it may take a
considerable time for them to be established. If the configured maximum communication delay
was set too short, link-up and updating is canceled and the redundant system state is no longer
achieved (see Chapter Time monitoring (Page 114)).

17.9 Usable networks

Your choice of the physical transmission medium depends on the required expansion, targeted
fault tolerance, and transfer rate. The following bus systems are used for communication with
fault-tolerant systems:
• Industrial Ethernet
• PROFIBUS
Additional information on the networks that can be used is available in the relevant SIMATIC
NET documentation on PROFIBUS and Ethernet.

17.10 Communication via S7 connections

Communication with standard systems

There is no fault-tolerant communication between a fault-tolerant system and a standard CPU.
The following examples illustrate the actual availability of the communicating systems.

Configuration
S7 connections are configured in STEP 7.

Programming
If S7 communication is used on a fault-tolerant system, all communication functions can be
used for this.
The communication SFBs are used in STEP 7 to program communication.

CPU 410 Process Automation

310 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.10 Communication via S7 connections

Note
The START and STOP communication functions act on exactly one CPU or on all CPUs of the fault-
tolerant system. More detailed information is available in Reference Manual System Software for
S7-300/400 System and Standard Functions.

Note
Downloading the connection configuration during operation
If you download a connection configuration during operation, established connections may be
terminated.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 311
Supplementary information
17.10 Communication via S7 connections

17.10.1 Communication via S7 connections - one-sided mode

Availability
Availability for communication between a fault-tolerant system and a standard system is also
increased by using a redundant plant bus instead of a single bus (see figure below).

)DXOWWROHUDQWV\VWHP 6WDQGDUGV\VWHP

&38 &3 &38 &3

&3
D D E E
D

%XV

)DXOWWROHUDQWV\VWHP
&RQQHFWLRQ
%ORFNGLDJUDP
6WDQGDUGV\VWHP
&38D &3D
%XV &3E &38E

&38D &3D

&RQQHFWLRQ

Figure 17-8 Example of linking standard and fault-tolerant systems in a simple bus system

With this configuration and redundant operation, the fault-tolerant system is connected to
the standard system via bus1. This applies no matter which CPU is the master CPU.
For linked fault-tolerant and standard systems, the availability of communication cannot be
improved by means of a dual electrical bus system. To be able to use the second bus system
as redundancy, a second S7 connection must be used and managed accordingly in the user
program (see next figure).

CPU 410 Process Automation

312 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.10 Communication via S7 connections

)DXOWWROHUDQWV\VWHP 6WDQGDUGV\VWHP

&38 &3 &38 &3 &3

D D E E E

%XV
%XV

)DXOWWROHUDQWV\VWHP
&RQQHFWLRQ
%ORFNGLDJUDP

&38D &3D %XV &3E 6WDQGDUGV\VWHP

&38E
&38D &3D %XV &3E

&RQQHFWLRQ

Figure 17-9 Example of linking standard and fault-tolerant systems in a redundant bus system

If the plant bus is configured as a duplex fiber-optic ring, the communication of the systems
involved is maintained if a break of the two-fiber fiber-optic cable occurs. The systems then
communicate as if they were connected to a bus system (linear structure); see following
figure.

+V\VWHP 6WDQGDUGV\VWHP

&38 &3 &38 &3 3ODQWEXVDVRSWLFDO

D D E E WZRILEHUULQJ

260 260 260

&RQQHFWLRQ
+V\VWHP
260 6WDQGDUGV\VWHP
&38D &3D EXV
260
%ORFNGLDJUDP EXV &3E &38E
&38D &3D 260
EXV

&RQQHFWLRQ

Figure 17-10 Example of linking of standard and fault-tolerant systems in a redundant ring

Response to failure
Duplex fiber-optic ring and bus system
S7 connections are used here in which the connection ends on the CPU of the subsystem,
here CPUa1. For this reason, an error in the fault-tolerant system, e.g., CPUa1 or CPa1, as

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 313
Supplementary information
17.10 Communication via S7 connections

well as an error in system b, e.g., CP b, will result in a total failure of the communication
between the two systems involved. This can be seen in the preceding figures.
There are no bus system-specific differences in the response to failure.

Linking standard and fault-tolerant systems

Driver block "S7H4_BSR": You can link a fault-tolerant system to an S7-400 / S7-300 using the
"S7H4_BSR" driver block. For more information, contact Siemens by e–mail:
function.blocks.industry @siemens.com
Alternative: SFB 15 "PUT" and SFB 14 "GET" in the fault-tolerant system: As an alternative,
use two SFB 15 "PUT" blocks over two standard connections. First call the first block. If there
was no error message when the block executed, the transmission is considered to have been
successful. If there was an error message, the data transmission is repeated via the second
block. If a connection cancelation is detected later, the data is also transferred again to
exclude possible information losses. You can use the same method with an SFB 14 "GET".
If possible, use the mechanisms of S7 communication for communication.

CPU 410 Process Automation

314 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.10 Communication via S7 connections

17.10.2 Communication via redundant S7 connections

Availability
Availability compared to using a single bus (see figure below) can be enhanced by using a
redundant system bus and two separate CPs in a standard system.

)DXOWWROHUDQWV\VWHP 6WDQGDUGV\VWHP

&38 &3 &38 &3

&3
D D E E
D

%XV

)DXOWWROHUDQWV\VWHP
&RQQHFWLRQ
%ORFNGLDJUDP
6WDQGDUGV\VWHP
&38D &3D
%XV &3E &38E

&38D &3D

&RQQHFWLRQ

Figure 17-11 Example of linking standard and fault-tolerant systems in a single bus system

Redundant communication can also be operated with standard connections. For this
two separate S7 connections must be configured in the program in order to implement
connection redundancy. In the user program, both connections require the implementation
of monitoring functions in order to allow the detection of failures and to change over to the
standby connection.
The following figure shows such a configuration.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 315
Supplementary information
17.10 Communication via S7 connections

Fault-tolerant Standard system

CPU CP CPU CP CP
a1 a1 b1 b1 b2

Bus 1
Bus 2

Fault-tolerant

Block diagram
CPUa1 CPa1 Bus 1 CPb1 Standard system

CPUb1
CPUa2 CPa2 CPb2
Bus 2

Figure 17-12 Example of redundancy with fault-tolerant systems and a redundant bus system with
redundant standard connections

Response to failure
Double errors in the fault-tolerant system (i.e., CPUa1 and CPa 2) or in the standard system (CPb1
and CPb2), and single errors in the standard system (CPUb1) lead to a total failure of
communication between the systems involved (see previous figure).

17.10.3 Communication via point-to-point CP on the ET 200M

Connection via ET 200M

Links from fault-tolerant systems to single-channel systems are often possible only by way of
point-to-point connections, as many systems offer no other connection options.
In order to make the data of a single-channel system available to CPUs of the fault-tolerant
system as well, the point-to-point CP, i.e., CP 341, must be installed in a distributed rack
along with two IM 153-2 modules.

CPU 410 Process Automation

316 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.10 Communication via S7 connections

Configuring connections
Redundant connections between the point-to-point CP and the fault-tolerant system are not
necessary.

+V\VWHPD 6LQJOHFKDQQHOWKLUGSDUW\V\VWHP
&3
&38
 &38 &3
D
([W

&3
 [ ,0
3W3

5HGXQGDQF\EORFN (70
GLDJUDP +V\VWHPD

&38D ,0D 6LQJOHFKDQQHOWKLUGSDUW\V\VWHP

&3 3W3 &DEOH &3 3W3 &38

&38D ,0D

Figure 17-13 Example of connecting a fault-tolerant system to a single-channel third-party system

via switched PROFIBUS DP

)DXOWWROHUDQWV\VWHPD 6LQJOHFKDQQHOWKLUGSDUW\V\VWHP
&3 &3
&38 &38
 3W3
D
([W

&3
 [ ,0 3W3

5HGXQGDQF\EORFN (70
GLDJUDP
)DXOWWROHUDQWV\VWHPD 6\VWHPUHGXQGDQF\
31,2 6LQJOHFKDQQHOWKLUGSDUW\V\VWHP
&38D

,0 &3 3W3 &DEOH &3 3W3 &38

&38D
31,2
Figure 17-14 Example of connecting a fault-tolerant system to a single-channel third-party system
via PROFINET IO with system redundancy

Response to failure
Double errors in the fault-tolerant system (i.e., CPUa1 and IM 153) and a single fault in the third-
party system lead to a total failure of communication between the systems involved. This can be
seen in the previous figure.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 317
Supplementary information
17.10 Communication via S7 connections

The point-to-point CP can also be inserted centrally in "Fault-tolerant system a". However,
in this configuration even the failure of the CPU, for example, will cause a total failure of
communication.

17.10.4 Custom connection to single-channel systems

Connection via PC as gateway

Fault-tolerant systems and single-channel systems can also be via a gateway (no connection
redundancy). The gateway is connected to the system bus by one or two CPs, depending on
availability requirements. Fault-tolerant connections can be configured between the gateway
and the fault-tolerant systems. The gateway allows you to link any type of single-channel system
(e.g., TCP/IP with a manufacturer-specific protocol).
A user-programmed software instance in the gateway implements the single-channel
transition to the fault-tolerant systems, and so allows any single-channel systems to be linked
to a fault-tolerant system.

Configuring connections
Redundant connections between the gateway CP and the single-channel system are not
required.
The gateway CP is located on a PC system which has fault-tolerant connections to the
fault-tolerant system.
To configure fault-tolerant S7 connections between fault-tolerant system A and the gateway,
you first need to install S7-REDCONNECT on the gateway. The functions for preparing data for
their transfer via the single-channel link must be implemented in the user program.
For additional information, refer to the "Industrial Communications IK10" Catalog.

+V\VWHPD 3&DVJDWHZD\ 6LQJOHFKDQQHOV\VWHP

&38 &3 &3 &3

&38 &3
D D  

6LQJOHFKDQQHOOLQN
260 260
3ODQWEXVDVRSWLFDO
WZRILEHUULQJ

5HGXQGDQF\EORFNGLDJUDP

+V\VWHPD

260 3&DVJDWHZD\ 6LQJOHFKDQQHOV\VWHP

&38D &3D
&3 *DWHZD\ &3 &DEOH &3 &38
&38D &3D 260

Figure 17-15 Example of linking a fault-tolerant system to a single-channel third-party system

CPU 410 Process Automation

318 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.11 Communication via fault-tolerant S7 connections

17.11 Communication via fault-tolerant S7 connections

Availability of communicating systems

Fault-tolerant communication expands the overall SIMATIC system by additional, redundant
communication components such as CPs and bus cables. To illustrate the actual availability of
communicating systems when using an optical or electrical network, a description is given
below of the possibilities for communication redundancy.

Requirement
The essential requirement for the configuration of fault-tolerant connections with STEP 7 is a
configured hardware installation.
The hardware configuration in both subsystems of a fault-tolerant system must be identical.
This applies in particular to the slots.
Depending on the network used, CPs can be used for fault-tolerant and fail-safe
communication, see Appendix Function and communication modules that can be used in
a redundant configuration (Page 377) 
Industrial Ethernet with ISO protocol or PROFIBUS without distributed I/O and ISO on TCP
is supported. Fault-tolerant S7 connections via Industrial Ethernet with ISO on TCP are
supported by the integrated PN interfaces and corresponding CPs. You require a suitable
CP for fault-tolerant S7 connections via Industrial Ethernet with ISO protocol or via PROFIBUS.
These connections are not possible via the internal PROFIBUS-DP interface.
Only Industrial Ethernet is supported for connecting to PC stations using fault-tolerant S7
connections. To be able to use fault-tolerant S7 connections between a fault-tolerant system
and a PC, you must install the "S7-REDCONNECT" software package on the PC. The software
is part of the SIMATIC Net CD. As of version 8.1.1, communication over ISO-on-TCP is also
supported. Please refer to the product information on the SIMATIC NET PC software to learn
more about the CPs you can use at the PC end.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 319
Supplementary information
17.11 Communication via fault-tolerant S7 connections

Communication combinations
The following table shows the possible combinations of fault-tolerant connections via Industrial
Ethernet.

Local connec‐ Local network con‐ Used net‐ Remote   Remote connec‐  
tion nection work protocol network connection tion
end point end point
CPU 410 CPU-PN interface TCP CPU-PN interface TCP CPU 410 S7 fault tol‐
CP443-1 (EX30) TCP CPU-PN interface TCP CPU 41xH erant con‐
CP443-1 (EX30) TCP CP443-1 (EX30) TCP V6/CPU 410 nection via
CPU 41xH V4.5 ISOonTCP
and higher/CPU
410
CPU 410 CP443-1 (EX30) ISO CP443-1 ISO CPU 41xH /CPU S7 fault tol‐
410 erant con‐
nection via
ISO
PC station PC station with Simat‐ TCP CPU-PN interface TCP CPU 41xH S7 fault tol‐
with Simatic ic Net CD TCP CP443-1 (EX30) TCP V6/CPU 410 erant con‐
Net CD CP1613/1623/1628, CPU 41xH V4.5 nection via
V8.1.1 or higher and higher/CPU ISOonTCP
410
PC station for example CP1623 ISO CP443-1 ISO CPU 41xH /CPU S7 fault tol‐
with Simatic with Simatic Net, 410 erant con‐
Net CD V8.1.2 or higher nection via
ISO
PC station for example CP1623 ISO CP443-1 ISO CPU 41xH /CPU S7 fault tol‐
with Simatic with Simatic Net up 410 erant con‐
Net CD to V7.x nection via
ISO

Configuration
The availability of the system, including the communication, is set during configuration. Refer
to the STEP 7 documentation to find out how to configure connections.
Only S7 communication is used for fault-tolerant S7 connections. To set this up, open the
"New Connection" dialog box, then select "S7 Connection Fault-Tolerant" as the type.
The number of required redundant subconnections is determined by STEP 7 as a function of
the redundancy nodes. Up to four redundant connections can be generated, if supported by
the network. Higher redundancy cannot be achieved even by using more CPs.
In the "Properties - Connection" dialog box you can also modify specific properties of a
fault-tolerant connection if necessary. When using more than one CP, you can also route
the connections in this dialog box. This may be practical, because by default all connections
are routed initially through the first CP. If all the connections are busy there, any further
connections are routed via the second CP, etc.
You have to extend the monitoring time of the connection when you use long
synchronization cables.

CPU 410 Process Automation

320 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.11 Communication via fault-tolerant S7 connections

Example: If you are operating 5 fault-tolerant S7 connections with a monitoring time of

500 ms and short synchronization cables up to 10 m and you want to change these to long
synchronization cables with a length of 10 km, you must increase the monitoring time to
1000 ms.
To ensure CIR capability of the fault tolerant system, you must activate the "Save connections
prior to loading" option in Step 7 NetPro.

Programming
Fault-tolerant communication is supported on the fault-tolerant CPU and is implemented using
S7 communication.
This is possible only within an S7 project/multiproject.
You program the fault-tolerant communication with STEP 7 using communication SFBs.
These communication blocks can be used to transmit data over subnets (Industrial
Ethernet, PROFIBUS). The communication SFBs integrated in the operating system enable
an acknowledged data transmission. In addition to data transfer, you can also use other
communication functions for controlling and monitoring the communication peer.
User programs written for S7 connections can also be used for fault-tolerant S7 connections
without program modification. Cable and connection redundancy has no effect on the user
program.

Note
For information on programming the communication, refer to the STEP 7 documentation
(e.g., Programming with STEP 7).
The START and STOP communication functions act on exactly one CPU or on all CPUs of
the fault-tolerant system (for more details refer to Reference Manual System Software for
S7-300/400, System and Standard Functions).
Disruptions of a subconnection while communication jobs are active over fault-tolerant S7
connections can extend the runtime of these jobs.

Note
Downloading the connection configuration during operation
If you download a connection configuration during operation, established connections may be
terminated.

17.11.1 Communication between fault-tolerant systems

Availability
The easiest way to increase the availability between linked systems is to use a redundant plant
bus. This is set up with a duplex fiber-optic ring or a dual electrical bus system. The connected
nodes may consist of simple standard components.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 321
Supplementary information
17.11 Communication via fault-tolerant S7 connections

Availability can best be enhanced using a duplex fiber-optic ring. If a break of the two-
fiber fiber-optic cable occurs, communication is maintained between the systems involved.
The systems then communicate as if they were connected to a bus system (line). A ring
topology basically contains two redundant components and automatically forms a 1-out-of-2
redundancy node. The fiber-optic network can also be set up in star topology as redundant
bus.
If one electrical cable segment fails, communication between the participating systems is
also upheld (1-out-of-2 redundancy).
The following examples illustrate the differences between a duplex fiber-optic ring and a dual
electrical bus system.

Note
The number of connection resources required on the CPs depends on the network used.
If you implement a duplex fiber-optic ring (see figure below), two connection resources are
required per CP. In contrast, only one connection resource is required per CP if a double
electrical network (see figure after next) is used.

+V\VWHPD +V\VWHPE
3ODQWEXVDVRSWLFDO
&38 &3 &38 &3 WZRILEHUULQJ
D D E E

260 260 260 260

+V\VWHPD
+V\VWHPE
260
&38D &3D EXVD &3E &38E
5HGXQGDQF\EORFN
GLDJUDP
&38D &3D 260 &3E &38E
EXVE

RXWRIUHGXQ
GDQF\
Figure 17-16 Example of redundancy with fault-tolerant system and redundant ring

Configuration view ≠ Physical view

CPU 410 Process Automation

322 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.11 Communication via fault-tolerant S7 connections

Fault-tolerant system a Fault-tolerant system b

CPU CP CPU CP
a1 a1 b1 b1
Bus 1
Bus 2

Redundancy block diagram

Fault-tolerant system a Fault-tolerant system b

CPUa1 CPa1 Bus 1 CPb1 CPUb1

CPUa2 CPa2 Bus 2 CPb2 CPUb2

Figure 17-17 Example of redundancy with fault-tolerant system and redundant bus system

Configuration view = Physical view

Fault-tolerant system a Fault-tolerant system b

CPU CP CP CPU CP CP
a1 CPU a11CPa12CP b1CPU b11CP
b12CP
a1 a21 a22 a1 b21 b22
Bus
Bus

Fault-tolerant system a Fault-tolerant system b

CPa11 CPb11
CPUa1 Bus 1 CPUb1
Redundancy block
diagram CPa12 CPb12

CPa21 CPb21
CPUa2 Bus 2 CPUb2
CPa22 CPb22

Figure 17-18 Example of fault-tolerant system with additional CP redundancy

Configuration view = Physical view

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 323
Supplementary information
17.11 Communication via fault-tolerant S7 connections

You decide during configuration if the additional CPs are used to increase resources or
availability. This configuration is typically used to increase availability.

Note
Internal and external interface
Communication between fault-tolerant systems can be either via internal interfaces or via
external interfaces (CP).
The partial connections of an S7 H connection cannot be configured over an external and
internal interface

Response to failure
With a duplex optic-fiber ring, only a double error within a fault-tolerant system, e.g., CPUa1 and
CPa2 in one system, leads to total failure of communication between the systems involved (see
Figure 11-14).
If a double error, e.g., CPUa1 and CPb2, occurs in the first case of a redundant electrical
bus system (see Figure 11-15), this results in a total failure of communication between the
systems involved.
In the case of a redundant electrical bus system with CP redundancy (see Figure 11-16), only
a double error within a fault-tolerant system, e.g., CPUa1 and CPa2, or a triple error, e.g.,
CPUa1, CPa22, and bus2, will result in a total failure of communication between the systems
involved.

Fault-tolerant S7 connections
Any disruption of subconnections while communication jobs are active over fault-tolerant S7
connections leads to extended delay times.

17.11.2 Communication between fault-tolerant systems and a fault-tolerant CPU

Availability
Availability can be enhanced by using a redundant plant bus and by using a fault-tolerant CPU
in a standard system.
If the communication peer is a fault-tolerant CPU, redundant connections can also be
configured, in contrast to systems with a standard CPU.

CPU 410 Process Automation

324 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.11 Communication via fault-tolerant S7 connections

Note
Fault-tolerant connections use two connection resources on CP b1 for the redundant
connections. One connection resource each is occupied on CP a1 and CP a2 respectively. In this
case, the use of further CPs in the standard system only serves to increase the resources.

+V\VWHPD 6WDQGDUGV\VWHPZLWK+&38

&38 &3 &38 &3 3ODQWEXVDVRSWLFDO

D D E E WZRILEHUULQJ

260 260 260

+V\VWHPD
6WDQGDUGV\VWHPZLWK+&38

&38D &3D %XVD

5HGXQGDQF\EORFN
GLDJUDP &3E &38E
&38D &3D %XVE

Figure 17-19 Example of redundancy with fault-tolerant system and fault-tolerant CPU

Response to failure
Double errors in the fault-tolerant system, i.e., CPUa1 and CPa2, or single errors in the standard
system, i.e., CPUb1, lead to a total failure of communication between the systems involved. This
can be seen in the previous figure.

17.11.3 Communication between fault-tolerant systems and PCs

Availability
PCs are not fault-tolerant due to their hardware and software characteristics. The availability of
a PC (OS) system and its data management is ensured by means of suitable software such as
WinCC Redundancy.
Communication takes place via fault-tolerant S7 connections.
The "S7-REDCONNECT" software package is required for fault-tolerant communication on a
PC. S7-REDCONNECT is used to connect a PC to a redundant bus system using one or two
CPs. The second CP is merely used to redundantly connect the PC to the bus system and does
not increase the availability of the PC. Always use the latest version of this software.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 325
Supplementary information
17.11 Communication via fault-tolerant S7 connections

Only Industrial Ethernet is supported for connecting PC systems. The SIMATIC Net software
V 8.1.2 is required for connection via ISOonTCP. This corresponds to the configuration TCP/
RFC1006 at the PC end.

Note
The PROFINET IO MRP (Media Redundancy Protocol) for PROFINET IO ring topologies is not
supported by SIMATIC NET PC modules. Plant buses as duplex fiber-optic rings cannot be
operated with MRP.

Configuring connections
The PC must be engineered and configured as a SIMATIC PC station. Additional configuration of
fault-tolerant communication is not necessary at the PC end. The connection configuration is
uploaded from the STEP 7 project to the PC station.
You can find out how to use STEP 7 to integrate fault-tolerant S7 communication for a PC into
your OS system in the WinCC documentation.

)DXOWWROHUDQWV\VWHPD 3&
&38 &3 :LQ&& &3 6\VWHPEXVDVRSWLFDO
D D 6HUYHU  WZRILEHUULQJ

260 260 260

)DXOWWROHUDQWV\VWHPD

&38D &3D %XVD

5HGXQGDQF\಻EORFN &3 3&

GLDJUDP
&38D &3D %XVE

RIUHGXQGDQF\
Figure 17-20 Example of redundancy with fault-tolerant system and redundant bus system

CPU 410 Process Automation

326 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.12 Consistent data

)DXOWWROHUDQWV\VWHPD 3&

&38 &3 :LQ&& &3 &3

D D 6HUYHU   6\VWHPEXVDVRSWLFDO
WZRILEHUULQJ

260 260 260 260

)DXOWWROHUDQWV\VWHPD

&38D &3D %XVD

&3
5HGXQGDQF\಻EORFN 3&
GLDJUDP &3
&38D &3D %XVE

RIUHGXQGDQF\
Figure 17-21 Example of redundancy with a fault-tolerant system, redundant bus system and
redundant connection to the PC.

Response to failure
Double errors in the fault-tolerant system, e.g., CPUa1 and CPa2, or failure of the PC station
result in a total failure of communication between the systems involved; see previous figures.

PC/PG as Engineering System (ES)

To be able to use a PC as Engineering System, you need to configure it under its name as a PC
station in HW Config. The ES is assigned to a CPU and is capable of executing STEP 7 functions
on that CPU.
If this CPU fails, communication between the ES and the fault-tolerant system is no longer
possible.

17.12 Consistent data

17.12.1 Consistency of communication blocks and functions

On the S7-400H, communication jobs are not processed in the cycle control point but rather in
fixed time slices during the program cycle.
The byte, word and double word data formats can always be processed consistently in the
system, in other words, the transmission or processing of 1 byte, 1 word = 2 bytes or 1
double word = 4 bytes cannot be interrupted.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 327
Supplementary information
17.12 Consistent data

If the user program calls communication blocks, such as SFB 12 "BSEND" and SFB 13 "BRCV",
which are only used in pairs and access shared data, access to this data area can be
coordinated by the user by means of the "DONE" parameter, for example. The consistency
of data transmitted locally with these communication blocks can thus be ensured in the user
program.
In contrast, S7 communication functions do not require a block such as SFB 14 "GET", SFB
15 "PUT", in the user program of the target device. Here, you must make allowance for the
volume of consistent data in the programming phase.

Access to work memory of the CPU

The communication functions of the operating system access the CPU's work memory in fixed
block lengths. Blocks for S7-400H CPUs have a variable length of up to 472 bytes.
This ensures that the interrupt response time is not prolonged due to communication load.
Because this access is performed asynchronously to the user program, you cannot transmit
an unlimited number of bytes of consistent data.
The rules to ensure data consistency are described below.

17.12.2 Consistency rules for SFB 14 "GET" or read variable, and SFB 15 "PUT" or
write variable

SFB 14
The data are received consistently if you observe the following points:
Evaluate the entire, currently used part of the receive area RD_i before you activate a new
request.

SFB 15
When a send operation is initiated (rising edge at REQ), the data to be sent from the send areas
SD_i are copied from the user program. You can write new data to these areas after the block call
command without corrupting the current send data.

Note
Completion of transfer
The send operation is not completed until the status parameter DONE assumes value 1.

CPU 410 Process Automation

328 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.12 Consistent data

17.12.3 Consistent reading and writing of data from and to DP standard device/IO
device

Reading data consistently from a DP standard device with SFC 14 "DPRD_DAT"

With SFC 14 "DPRD_DAT", "read consistent data of a DP-normdevice", you read out the data of a
DP standard device or IO device consistently.
if no error occurred during the data transmission, the data read is entered into the
destination area defined by RECORD.
The destination area must have the same length as the one you have configured for the
selected module with STEP 7.
By calling SFC 14 you can only access the data of one module/DP identifier at the configured
start address.
For information on SFC 14, refer to the corresponding online help and to Manual "System
and Standard Functions".

Note
Evaluate the entire currently used part of the receive area RD_i before you activate a new job.

Writing data consistently to a DP standard device with SFC 15 "DPWR_DAT"

With SFC 15 "DPWR_DAT", "write consistent data to a DP-normdevice", you transfer the data in
RECORD to the addressed DP standard device or IO device consistently.
The source area must have the same length as the one you configured for the selected
module with STEP 7.
For information on SFC 15, refer to the corresponding online help and Manual "System and
Standard Functions".

Note
When a send operation is activated (positive edge at REQ), the data to be transmitted from the
send areas SD_i is copied from the user program. You can write new data to these areas after the
block call command without corrupting the current send data.

Upper limits for transmission of consistent user data on a DP device

The PROFIBUS DP standard defines upper limits for the transfer of consistent user data on a DP
device. For this reason, a maximum of 64 words = 128 bytes of user data can be transferred
consistently in one block in a DP standard device.
You can define the length of the consistent area in your configuration. In the special
identification format (SIF), you can define a maximum length of consistent data of 64 words
= 128 bytes: 128 bytes for inputs and 128 bytes for outputs. A greater length is not possible.
This upper limit applies only to pure user data. Diagnostics and parameter data are grouped
to form complete data records, and are thus always transferred consistently.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 329
Supplementary information
17.13 Link-up and update sequence

In the general identification format (GIF), you can define a maximum length of consistent
data of 16 words = 32 bytes; 32 bytes for inputs, and 32 bytes for outputs. A greater length is
not possible.
Note also in this regard that a CPU 41x must be configurable in general as a DP device on an
external master (connection via GSD) using the general identification format. For this reason,
the maximum size of the transfer memory of a CPU 41x as DP device for PROFIBUS DP is 16
words = 32 bytes.

Note
The PROFIBUS DP standard defines upper limits for the transfer of consistent user data. Common
DP standard devices adhere to these upper limits. Older CPUs (<1999) had CPU-specific
restrictions in terms of the transmission of consistent user data. For these CPUs, you can find the
maximum length of data that can be consistently read from or written to a DP standard device
in their technical specifications under keyword "DP master – User data per DP device". The
specified length value of newer CPUs surpasses the data length that a DP standard device
provides or accepts.

Upper limits of the length of consistent user data transmitted to an IO Device

The length of consistent user data that you can transmit to an IO device is limited to 1025 bytes
(= 1024 bytes user data + 1 byte secondary value). Irrespective of whether you can transmit
more than 1024 bytes to an IO device, the transmission of consistent data is still limited to 1024
bytes.
When operating in PN-IO mode, the length of data transmission via CP 443-1 is limited to
240 bytes.

17.13 Link-up and update sequence

There are two types of link-up and update operation:
• Within a "normal" link-up and update operation, the fault-tolerant system will change over
from solo operation to redundant system state. The two CPUs then process the same
program synchronously.
• When a link up and update operation takes place with master/standby changeover, the
second CPU with modified components can assume control over the process. Either the
hardware configuration or the operating system may have been modified.
In order to return to redundant system state, a "normal" link-up and update operation must
be performed subsequently.

How to start the link-up and update operation?

Initial situation: Solo operation, i.e., only one of the CPUs of a fault-tolerant system connected
via fiber-optic cables is in RUN operating state.

CPU 410 Process Automation

330 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.13 Link-up and update sequence

You can initiate the link-up and update operation for achieving the redundant system state as
follows:
• POWER ON the standby if prior to POWER OFF the CPU was not in STOP operating state.
• Operator input on the PG/ES.
You can only start a link-up and update operation with master/standby changeover by
an operator input on the PG/ES.

Note
If a link-up and update operation is interrupted on the standby CPU (for example due to POWER
OFF, STOP), this may cause data inconsistency and lead to a memory reset request on this CPU.
The link-up and update functions are possible again after a memory reset on the standby.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 331
Supplementary information
17.13 Link-up and update sequence

Flow chart of the link-up and update operation

The figure below outlines the general sequence of the link-up and update. In the initial situation,
the master is in solo operation. In the figure, CPU 0 is assumed to be the master CPU.

0DVWHU&38&38 6WDQGE\&38&38

581 /LQNXS5(')/('VIODVKDW+] 6723

6WDQGE\UHTXHVWV/,1.83

'HOHWLQJORDGLQJJHQHUDWLQJDQG 'HOHWLQJORDGLQJJHQHUDWLQJDQG
FRPSUHVVLQJRIEORFNVQRORQJHU FRPSUHVVLQJRIEORFNVQRORQJHU
SRVVLEOH7HVWDQGFRPPLVVLRQLQJ SRVVLEOH7HVWDQGFRPPLVVLRQLQJ
IXQFWLRQVQRORQJHUDYDLODEOH IXQFWLRQVQRORQJHUDYDLODEOH

&RPSDULVRQRIRSHUDWLQJV\VWHPYHUVLRQDQGQXPEHURI32VRQ6(&

&RS\ORDGPHPRU\FRQWHQW 
&RS\XVHUSURJUDPEORFNVRIWKHZRUNPHPRU\ 

$OOFRQQHFWLRQVDUHWHUPLQDWHG

$FFHSWDQFHRI'3VODYHV
$FFHSWDQFHRIWKH,2GHYLFHV

$FFHSWDQFHRIWKHFRQQHFWLRQ

8SGDWHVHHQH[WILJXUH

/LIWUHVWULFWLRQVH[HFXWHGHOD\HG /LIWUHVWULFWLRQVH[HFXWHGHOD\HG
SURFHVVLQJ SURFHVVLQJ

6\VWHPVWDWHUHGXQGDQWRUPDVWHUVWDQGE\VZLWFKRYHUZLWK6723RI
QHZVWDQGE\

Figure 17-22 Sequence of link-up and update

*) If the "Switchover to CPU with modified configuration" option is set, the content of the
load memory is not copied; what is copied from the user program blocks of the work
memory (OBs, FCs, FBs, DBs, SDBs) of the master CPU is listed in Chapter Switch to CPU with
modified configuration (Page 338) 

CPU 410 Process Automation

332 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.13 Link-up and update sequence

0DVWHU&38&38 6WDQGE\&38&38

8SGDWH5(')/('VIODVKDW+] 6723
581

6WDWXVPHVVDJH8SGDWHWRDOOORJJHGRQ
SDUWQHUV

1HJDWLYHDFNQRZOHGJHPHQWRIDV\QFKUR
QRXV6)&VDQG6)%VIRUGDWDUHFRUGV 

0HVVDJHVDUHGHOD\HG 

$OO2%VXSWRSULRULW\FODVVLQFO2%
ZLOOEHGHOD\HG

6WDUWRIPRQLWRULQJWKHPD[LPXPF\FOH
WLPHH[WHQVLRQ

0DVWHUFRSLHVFRQWHQWVRIWKHPRGLILHGGDWDEORFNV

&XUUHQWFRPPXQLFDWLRQUHTXHVWVDUH
GHOD\HGRUQHZRQHVDUHUHMHFWHG 

6WDUWRIPRQLWRULQJPD[LPXPFRPPXQL
FDWLRQGHOD\

2%VRISULRULW\FODVVHV!DUHGHOD\HG
ZLWKWKHH[FHSWLRQRIWKHZDWFKGRJLQWHUUXSW
2%ZLWKVSHFLDOKDQGOLQJ

([HFXWLRQRIWKHZDWFKGRJLQWHUUXSW2%
ZLWKVSHFLDOKDQGOLQJDVUHTXLUHG

6WDUWRIPRQLWRULQJWKHPD[LPXP
WLPHRILQKLELWLRQRISULRULW\FODVVHV!

0DVWHUFRSLHVRXWSXWV

6WDUWRIPLQLPXP,2UHWHQWLRQWLPH 7KHRXWSXWVZLOOEHHQDEOHG

0DVWHUFRSLHVWKHFRQWHQWVRIWKHGDWDEORFNVZKLFK 5HGXQGDQW
KDYHEHHQPRGLILHGVLQFHWKH\ZHUHODVWFRSLHG RSHUDWLRQRU
FKDQJHRI
PDVWHUVKLS
0DVWHUFRSLHVWLPHUVFRXQWHUVPHPRU\
PDUNHUVLQSXWVDQGWKHGLDJQRVWLFVEXIIHU

)RUGHWDLOVRQWKHUHOHYDQW6)&V6)%VDQGFRPPXQLFDWLRQIXQFWLRQVUHIHU
WRWKHQH[WFKDSWHUV

Figure 17-23 Update sequence

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 333
Supplementary information
17.13 Link-up and update sequence

Minimum duration of input signals during update

Program execution is stopped for a certain time during the update (the sections below describe
this in greater detail). To ensure that the CPU can reliably detect changes to input signals during
the update, the following condition must be satisfied:
Minimum signal duration > 2 × time required for I/O update (DP and PNIO only)
+ call interval of the priority class
+ execution time for the program of the priority class
+ update time
+ execution time for programs of higher-priority classes
Example:
Minimum signal duration of an input signal that is evaluated in a priority class > 15 (e.g.,
OB 40).

([HFXWLRQWLPHIRUSURJUDPRI
ZLWK'3DQG31,2RQO\,2 SULRULW\FODVVHJ2%
XSGDWHWLPHZRUVWFDVH[ UXQWLPH

&DOOLQWHUYDORI 8SGDWHWLPHPVPV ([HFXWLRQWLPHRI

SULRULW\FODVVHJ SHU.%IRUPRGLILHGGDWD KLJKHUSULRULW\
2% EORFNV FODVVHV

0LQLPXPVLJQDOGXUDWLRQ

Figure 17-24 Example of minimum signal duration of an input signal during the update

17.13.1 Link-up sequence

For the link-up sequence, you need to decide whether to carry out a master/standby changeover,
or whether the redundant system state is to be achieved after that.

Link-up with the objective of achieving the redundant system state

To exclude differences in the two subsystems, the master and the standby CPU run the following
comparisons.
The following are compared:
1. Consistency of the memory configuration
2. Consistency of the operating system version
3. Consistency of the contents in load memory
If 1. or 2. are inconsistent, the standby CPU switches to STOP and outputs an error message.
If 3. is inconsistent, the user program in the load memory in RAM is copied from the master
CPU to the standby CPU.

CPU 410 Process Automation

334 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.13 Link-up and update sequence

Link-up with master/standby changeover

In STEP 7 you can select one of the following options:
• "Switch to CPU with modified configuration"
• "Switchover to CPU with modified operating system"
• "Switchover to CPU with modified hardware version"
• "Switchover to CPU via only one intact redundant link"
• "Switching to a CPU with modified PO limit"
Switch to CPU with modified configuration
You may have modified the following elements on the standby CPU:
• The hardware configuration
No blocks are transferred from the master to the standby during the link-up. The exact
circumstances are described in Chapter Switch to CPU with modified configuration (Page 338).
For information on steps required in the scenarios mentioned above, refer to section
Replacement of failed components during redundant operation (Page 215).

Note
Even though you have not modified the hardware configuration on the standby CPU, there is
nevertheless a master/standby changeover and the previous master CPU switches to STOP.

17.13.2 Update sequence

What happens during updating?

The execution of communication functions and OBs is restricted section by section during
updating. Likewise, all the dynamic data (content of the data blocks, timers, counters, and bit
memories) are transferred to the standby CPU.
Update procedure:
1. Until the update is completed, all asynchronous SFCs and SFBs which access data records of
I/O modules (SFCs 13, 51, 52, 53, 55 to 59, SFB 52 and 53) are acknowledged as "negative"
with the return values W#16#80C3 (SFCs 13, 55 to 59, SFB 52 and 53) or W#16#8085
(SFC 51). When these values are returned, the jobs should be repeated by the user program.
2. Message functions are delayed until the update is completed (see list below).
3. The execution of OB 1 and of all OBs up to priority class 15 is delayed.
In the case of cyclic interrupts, the generation of new OB requests is disabled, so no new
cyclic interrupts are stored and as a result no new request errors occur.
The system waits until the update is completed, and then generates and processes a
maximum of one request per cyclic interrupt OB. The time stamp of delayed cyclic interrupts
cannot be evaluated.
4. Transfer of all data block contents modified since link-up.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 335
Supplementary information
17.13 Link-up and update sequence

5. The following communication jobs are acknowledged negatively:

– Reading/writing of data records using HMI functions
– Reading diagnostic information using STEP 7
– Disabling and enabling messages
– Logon and logoff for messages
– Acknowledgement of messages
6. Initial calls of communication functions are acknowledged negatively. These calls
manipulate the work memory, see also System Software for S7-300/400, System and
Standard Functions. All remaining communication functions are executed with delay, after
the update is completed.
7. The system disables the generation of new OB requests for all OBs of priority class > 15, so
new interrupts are not saved and as a result do not generate any request errors.
Queued interrupts are not requested again and processed until the update is completed. The
time stamp of delayed interrupts cannot be evaluated.
The user program is no longer processed and there are no more I/O updates.
8. Generating the start event for the cyclic interrupt OB with special handling.
Note
The cyclic interrupt OB with special handling is particularly important in situations where you
need to address certain modules or program parts within a specific time. This is a typical
scenario in fail-safe systems. For details, refer to the S7-400F and S7-400FH Automation
Systems and S7-300 Automation Systems, Fail-safe Signal Modules manuals.
To prevent an extension of the special cyclic interrupt, the cyclic alarm OB with special
handling must be assigned top priority.

9. Transfer of outputs and of all data block contents modified again. Transfer of timers,
counters, bit memories, and inputs. Transfer of the diagnostic buffer.
During this data synchronization, the system interrupts the clock pulse for cyclic interrupts,
time-delay interrupts and S7 timers. This results in the loss of any synchronism between
cyclic and time-of-day interrupts.
10.Cancel all restrictions. Delayed interrupts and communication functions are executed. All
OBs are executed again.
A constant bus cycle time compared with previous calls can no longer be guaranteed for
delayed cyclic interrupt OBs.
Note
Process interrupts and diagnostic interrupts are stored by the I/O devices. Such interrupt
requests issued by distributed I/O modules are executed when the block is re-enabled. Any
such requests by central I/O modules can only be executed provided the same interrupt
request did not occur repeatedly while the status was disabled.

If the PG/ES requested a master/standby changeover, the previous standby CPU assumes
master mode and the previous master CPU goes into STOP when the update is completed.
Both CPUs will otherwise go into RUN (redundant system mode) and execute the user
program in synchronism.

CPU 410 Process Automation

336 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.13 Link-up and update sequence

When there is a master/standby changeover, in the first cycle after the update OB 1 is
assigned a separate identifier (see System Software for S7-300/400, System and Standard
Functions Reference Manual). For information on other aspects resulting from modifying the
configuration, refer to section Switch to CPU with modified configuration (Page 338).

Delayed message functions

The listed SFCs, SFBs and operating system services trigger the output of messages to all logged-
on partners. These functions are delayed after the start of the update:
• SFC 17 "ALARM_SQ", SFC 18 "ALARM_S", SFC 107 "ALARM_DQ", SFC 108 "ALARM_D"
• SFC 52 "WR_USMSG"
• SFB 31 "NOTIFY_8P", SFB 33 "ALARM", SFB 34 "ALARM_8", SFB 35 "ALARM_8P", SFB 36
"NOTIFY", SFB 37 "AR_SEND"
• Process control alarms
• System diagnostics messages
From this time on, any requests to enable and disable messages by SFC 9 "EN_MSG" and SFC
10 "DIS_MSG" are rejected with a negative return value.

Communication functions and resulting jobs

After it has received one of the jobs specified below, the CPU must in turn generate
communication jobs and output them to other modules. These include, for example, jobs for
reading or writing parameterization data records from/to distributed I/O modules. These jobs are
rejected until the update is completed.
• Reading/writing of data records using HMI functions
• Reading data records using SSL information
• Disabling and enabling messages
• Logon and logoff for messages
• Acknowledgement of messages
Note
The last three of the functions listed are registered by a WinCC system, and automatically
repeated when the update is completed.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 337
Supplementary information
17.13 Link-up and update sequence

17.13.3 Switch to CPU with modified configuration

Switch to CPU with modified configuration

You may have modified the hardware configuration on the standby CPU. The necessary steps are
described in Section Replacement of failed components during redundant operation (Page 215).

Note
Even though you have not modified the hardware configuration on the standby CPU, there is
nevertheless a master/standby changeover and the former master CPU switches to STOP.

When you initiate the link-up and update operation from STEP 7 with the "Switch to CPU with
modified configuration" option, the system reacts as follows with respect to handling of the
memory contents.

Load memory
The contents of the load memory are not copied from the master to the standby CPU.

Work memory
The following components are transferred from the work memory of the master CPU to the
standby CPU:
• Contents of all data blocks assigned the same interface time stamp in both load memories
and whose attributes "read only" and "unlinked" are not set.
• Data blocks generated in the master CPU by SFCs.
The DBs generated in the standby CPU by means of SFC are deleted.
If a data block with the same number is also contained in the load memory of the standby
CPU, the link-up operation is cancelled with an entry in the diagnostics buffer.
• Process images, timers, counters, and bit memories
The status of SFB instances of S7 communication contained in modified data blocks is
restored to the status prior to their initial call.

CPU 410 Process Automation

338 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.13 Link-up and update sequence

17.13.4 Disabling of link-up and update

Link-up and update entails a cycle time extension. This includes a period during which no I/O
updates are performed; see Chapter Time monitoring (Page 114). You must pay special
attention to this if you are using distributed I/O and a master/standby changeover occurs after
the update (thus, when the configuration is modified during operation).

CAUTION
Always perform link-up and update operations when the process is not in a critical state.

You can set specific start times for link-up and update operations at SFC 90 "H_CTRL". For
detailed information on this SFC, refer to Manual System Software for S7-300/400, System
and Standard Functions.

Note
If the process tolerates cycle time extensions at any time, you do not need to call SFC 90
"H_CTRL".
The CPU does not perform a self-test during link-up and updating. If you use a fail-safe user
program, you should avoid any excessive delay for the update operation. For more details, refer
to Manual S7-400F and S7-400FH Automation Systems.

Example of a time-critical process

A slide block with a 50 mm cam moves on an axis at a constant velocity v = 10 km/h = 2.78 m/
s = 2.78 mm/ms. A switch is located on the axis. So the switch is actuated by the cam for the
duration of ∆t = 18 ms.
For the CPU to detect the actuation of the switch, the inhibit time for priority classes > 15 (see
below for definition) must be significantly below 18 ms.
With respect to maximum inhibit times for operations of priority class > 15, STEP 7 only
supports settings of 0 ms or between 100 and 60000 ms, so you need to work around this by
taking one of the following measures:
• Shift the start time of link-up and updating to a time at which the process state is non-critical .
Use SFC 90 "H_CTRL" to set this time (see above).
• Use a considerably longer cam and/or substantially reduce the approach velocity of the slide
block to the switch.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 339
Supplementary information
17.14 The user program

17.14 The user program

The rules of developing and programming the user program for the standard S7-400 system also
apply to the S7-400H.
In terms of user program execution, the S7-400H behaves in the same manner as a standard
system. The synchronization functions are integrated in the operating system and are
executed automatically in the background. You do not need to consider these functions in
your user program.
In redundant operation, the user programs are stored identically on both CPUs and are
executed in event-synchronous mode.
However, we offer you several specific blocks for optimizing your user program, e.g., in order
to improve its response to the extension of cycle times due to updates.

Specific blocks for S7–400H

In addition to the blocks that can be used both in S7-400 and in S7-400H, there are additional
blocks for S7-400H. You can use these blocks to influence redundancy functions.
You can react to redundancy errors of the S7-400H using the following organization blocks:
• OB 70, I/O redundancy errors
• OB 72, CPU redundancy errors
SFC 90 "H_CTRL" can be used to influence fault-tolerant systems as follows:
• You can disable interfacing in the master CPU.
• You can disable updating in the master CPU.
• You can remove, resume or immediately start a test component of the cyclic self-test.
• You can execute a programmed master-standby changeover. The following changeovers are
possible:
– The current standby CPU becomes the master CPU.
– The CPU in rack 0 becomes a master CPU.
– The CPU in rack 1 becomes a master CPU.

Additional information
For detailed information on programming the blocks described above, refer to the STEP 7 Online
Help.

CPU 410 Process Automation

340 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.15 Other options for connecting redundant I/Os

17.15 Other options for connecting redundant I/Os

Redundant I/O at user level

If you cannot use the redundant I/O supported by the system (Chapter Connection of two-
channel I/O to the PROFIBUS DP interface (Page 75)), for example, because the module to be
used redundantly is not in the list of supported components, you can also implement the use of
redundant I/O at the user level.

Configurations
The following redundant I/O configurations are supported:
1. Redundant configuration with one-sided central and/or distributed I/O.
For this purpose, one signal module each is inserted into the CPU 0 and CPU 1 subsystems.
2. Redundant configuration with switched I/O
One signal module each is inserted into two ET 200M distributed I/O devices with active
backplane bus.

5HGXQGDQWRQHVLGHG,2

5HGXQGDQWVZLWFKHG,2

Figure 17-25 Redundant one-sided and switched I/O

Note
When using redundant I/O, you may need to add time to the calculated monitoring times; see
Chapter Determining the monitoring times (Page 118) 

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 341
Supplementary information
17.15 Other options for connecting redundant I/Os

Hardware configuration and project engineering of the redundant I/O

Strategy recommended for use of redundant I/O:
1. Use the I/O as follows:
– in a one-sided configuration, one signal module in each subsystem
– in a switched configuration, one signal module each in two ET 200M distributed I/O
devices.
2. Wire the I/O in such a way that it can be addressed by both subsystems.
3. Configure the signal modules so that they have different logical addresses.
Note
It is not advisable to configure the input and output modules with the same logical addresses.
Otherwise, in addition to the logical address, you will also need to query the type (input or
output) of the defective module in OB 122.
The user program must update the process image for redundant one-sided output modules
even in solo operation (e.g., direct accesses). If you use process image partitions, the user
program must update them (SFC 27 "UPDAT_PO") in OB 72 (recovery of redundancy). The
system would otherwise first output old values to the single-channel one-sided output
modules of the standby CPU on the transition to redundant system state.

Redundant I/O in the user program

The sample program below shows the use of two redundant digital input modules:
• Module A in rack 0 with logical start address 8 and
• module B in rack 1 with logical start address 12.
One of the two modules is read in OB 1 by direct access. For the following it is generally
assumed that the module in question is A (value of variable MODA is TRUE). If no error
occurred, processing continues with the value read.
If an I/O area access error has occurred, module B is read by direct access ("second try" in OB
1). If no error occurred, processing of module B continues with the value read. However, if an
error has also occurred here, both modules are currently defective, and operation continues
with a substitute value.
The sample program is based on the fact that following an access error on module A and its
replacement, module B is always processed first in OB 1. Module A is not processed first again
in OB 1 until an access error occurs on module B.

Note
The MODA and IOAE_BIT variables must also be valid outside OB 1 and OB 122. The ATTEMPT2
variable, however, is used only in OB 1.

CPU 410 Process Automation

342 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.15 Other options for connecting redundant I/Os

Retry: =False

Read module
Yes A first? No

Access to Access to
module A module B

b Do not read b Do not read

module A first any module B first any
I/O access I/O access
more in future more in future
error? error?
Retry: =TRUE Retry: =TRUE
Yes Yes

No No
Retry = Retry =
TRUE? TRUE?
No No

Yes Yes

Use value of Use value of

Use substitute
module A module B
value

Figure 17-26 Flow chart for OB 1

Monitoring times during link-up and update

Note
If you have made I/O modules redundant and have taken account of this in your program, you
may need to add an overhead to the calculated monitoring times so that no bumps occur at
output modules (in HW Config -> Properties CPU -> H Parameter).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 343
Supplementary information
17.16 CPU 410 cycle and reaction times

An overhead is only required if you operate modules from the following table as redundant
modules.

Table 17-8 For the monitoring times with redundant I/O

Module type Overhead in ms

ET200M: Standard output modules 2
ET200M: HART output modules 10
ET200M: F-output modules 50

Follow the steps below:

• Calculate the overhead from the table. If you use several module types from the table
redundantly, apply the largest overhead.
• Add this to all of the monitoring times calculated so far.

17.16 CPU 410 cycle and reaction times

17.16.1 Cycle time

This chapter describes the decisive factors in the cycle time, and how to calculate it.

Definition of cycle time

The cycle time represents the time that the operating system needs to execute a program, that
is, one OB 1 cycle, including all program sections and system activities interrupting this cycle.
This time is monitored. The CPU 410-5H has a fixed cycle monitoring of 6 seconds.

Time slice model

Cyclic program processing, and therefore also user program processing, is based on time slices.
To demonstrate the processes, let us presume a global time slice length of exactly 1 ms.

Process image
During cyclic program execution, the CPU requires a consistent image of the process signals. To
ensure this, the process signals are read/written prior to program execution. During the
subsequent program execution, the CPU does not access the signal modules directly when
addressing the input (I) and output (O) address areas. It accesses the CPU's system memory area
containing the image of the inputs and outputs.

CPU 410 Process Automation

344 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

Sequence of cyclic program processing

The table below shows the various phases in cyclic program execution.

Table 17-9 Cyclic program processing

Step Sequence
1 The operating system initiates the scan cycle monitoring time.
2 The CPU copies the values from the process output images to the output modules.
3 The CPU reads the status of inputs of the input modules, and then updates the process
image of the inputs.
4 The CPU processes the user program in time slices and executes the instructions specified
in the program.
5 At the end of a cycle, the operating system executes pending tasks, e.g., loading and
deleting of blocks.
6 Finally, on expiration of any given minimum cycle time, the CPU returns to the start of the
cycle and restarts cycle monitoring.

Elements of the cycle time

PIO: Process image of outputs

PII: Process image of the inputs
SCC: SScan cycle checkpoint
OS: Operating system

PIO
Time slices (1 ms each)

PII

User program

SCC (OS)

Time slice (1 ms)

Operating system

User program

Communication

Figure 17-27 Elements and composition of the cycle time

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 345
Supplementary information
17.16 CPU 410 cycle and reaction times

17.16.2 Calculating the cycle time

Extending the cycle time

The cycle time of a user program is extended by the factors outlined below:
• Time-based interrupt processing
• Hardware interrupt processing (see also Chapter Interrupt response time (Page 361))
• Diagnostics and error processing (see also Chapter Example of calculation of the interrupt
response time (Page 363))
• Communication via the integrated PROFINET IO interface and CPs connected by means of the
communication bus
(e.g.: Ethernet, Profibus, DP) as a factor in communication load
• Special functions such as monitoring and modifying variables
or the block status
• Transfer and deletion of blocks, compressing of the user program memory
• Runtime of signals using the synchronization cable

Influencing factors
The table below shows the factors influencing the cycle time.

Table 17-10 Factors influencing cycle time

Factors Remark
Transfer time for the process out‐ See tables from 19-3 onwards
put image (POI) and process input
image (PII)
User program execution time This value is calculated based on the execution times of the various
statements (see the S7-400 statement list).
Operating system execution time See Table 19-7
at the cycle control point
Extension of cycle time due to com‐ You configure the maximum permitted communication load on the
munication load cycle as a percentage in STEP 7 (Manual Programming with STEP 7).
See Chapter Cycle load due to communication (Page 349).
Load on cycle times due to inter‐ Interrupt requests can always stop user program execution. See
rupts Table 19-8

Process image update

The table below shows the time a CPU requires to update the process image (process image
transfer time). The specified times only represent "ideal values", and may be extended
accordingly by any interrupts or communication of the CPU.
Calculation of the transfer time for process image update:
K+ portion in the central controller (from row A in the following table)
+ portion in the expansion device with local connection (from row B)

CPU 410 Process Automation

346 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

+ portion in the expansion device with remote connection (from row C)

+ portion via integrated DP interface (from row D1)
+ portion via external DP interface (from row D2)
portion of consistent data via integrated DP interface (from row E1)
+ portion of consistent data via external DP interface (from row E2)
+ portion in PN/IO area for the integrated PROFINET IO interface (from row F)
+ portion for each submodule with 32 byte of consistent data for the integrated PROFINET IO
interface (from row G)
= Transfer time for process image update
The tables below show the various portions of the transfer time for a process image update
(process image transfer time). The specified times only represent "ideal values", and may be
extended accordingly by any interrupts or communication of the CPU.

Table 17-11 Portion of the process image transfer time, CPU 410-5H

  Portions CPU 410-5H CPU 410-5H

stand-alone mode redundant
K Base load 2 µs 3 µs
A *)
In the central controller
Read/write byte/word/double word 7.3 µs 15 µs
B *) In the expansion unit with local link
Read/write byte/word/double word 20 µs 26 µs
C *)**)
In the expansion unit with remote link
Read/write byte/word/double word 45 µs 50 µs
D1 In the DP area for the integrated DP interface
Read byte/word/double word 0.4 µs 10 µs
D2 ***) In the DP area for the external DP interfaces
Read/write byte/word/double word 5 µs 15 µs
E1 Consistent data in the process image for the integrated DP in‐
terface
Read/write data 8 µs 30 µs
E2 Consistent data in the process image for the external DP inter‐
face (CP 443–5 extended)
Read 80 µs 100 µs
write 60 µs 70 µs
F In the PNIO area for the integrated PROFINET IO interface 2 µs 15 µs
Read/write for each byte/word/double word
G Per submodule with 32 bytes of consistent data for the integra‐ 8 µs 30 µs
ted PROFINET IO interface
*)
In the case of I/O inserted into the central controller or expansion device,
the specified value includes the execution time for the I/O module
The module data is updated with the minimum number of accesses.
(example: 8 bytes result in 2 double word accesses; 16 bytes in 4 double word accesses.)
**)
Measured with IM460-3 and IM461-3 at a link length of 100 m
***)
Measured with modules with 1 byte of user data, e.g., DI 16.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 347
Supplementary information
17.16 CPU 410 cycle and reaction times

Extending the cycle time

The calculated cycle time of a S7-400H CPU must be multiplied by a CPU-specific factor. The table
below lists these factors:

Table 17-12 Extending the cycle time

Startup CPU 410-5H stand-alone mode CPU 410-5H redundant

Factor 1.05 1.2

Long synchronization cables may increase cycle times. This extension can have the factor 2 -
5 with a cable length of 10 km.

Operating system execution time at the cycle control point

The table below shows the operating system execution time at the cycle checkpoint of the CPUs.

Table 17-13 Operating system execution time at the cycle control point

Sequence CPU 410-5H stand-alone mode CPU 410-5H redundant

Cycle control at the SCCP 25 - 330 µs 120 - 600 µs
∅ 30 µs ∅ 135 µs

Extended cycle time due to nested interrupts

Table 17-14 Extended cycle time due to nested interrupts

CPU Hardware Diagnostic Time-of- Delay interrupt Cyclic Program‐ I/O Asyn‐
interrupt interrupt day in‐ inter‐ ming error access er‐ chro‐
terrupt rupt ror nous
error
CPU 410-5H 75 µs 40 µs 50 µs 40 µs 40 µs 20 µs 20 µs 55 µs
stand-alone
mode
CPU 410-5H re‐ 180 µs 70 µs 200 µs 120 µs 120 µs 90 µs 45 µs 130 µs
dundant

The program runtime at interrupt level must be added to this time extension.
If several interrupts are nested, their times must be added together.

CPU 410 Process Automation

348 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

17.16.3 Cycle load due to communication

The operating system of the CPU provides the configured percentage of the overall CPU
processing capacity to the communication on a continuous basis (time slice technique). If this
processing capacity is not required for communication, it is made available to the other
processing.
In the hardware configuration you can specify a communication load value between 5% and
50%. The default value is 20%.
The parameter represents the share of the cycle load in the internal copy jobs created at the
communication end. Communication at the interfaces is not affected.
This percentage is to be interpreted as a mean value, i.e., within one time slice, the
communication portion may be significantly greater than 20%. On the other hand,
communication load in the next time slice is very small or not present.
The formula below describes the influence of communication load on the cycle time:

Actual cycle 100

= Cycle time x
time 100 - "Configured communication load in %"

Round the result up to the next highest

integer !
Figure 17-28 Formula: Influence of communication load

Data consistency
The user program is interrupted to process communications. This interruption can be triggered
after any command. These communication jobs may lead to a change in user data. As a result,
data consistency cannot be ensured over several accesses.
How to ensure data consistency in operations comprising more than one command is described
in Chapter "Consistent data".

Time slice (1 ms)

Interruption of the user
program

User program
Configurable portion between
5% and 50%
Communication

Figure 17-29 Distribution of a time slice

The operating system takes a certain portion of the remaining time slice for internal tasks.
This portion is included in the factor defined in the tables starting at 16-3.

Example: 20% communication load

In the hardware configuration you have set a communication load of 20%.
The calculated cycle time is 10 ms.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 349
Supplementary information
17.16 CPU 410 cycle and reaction times

This means that a setting of 20% communication load allocates an average of 200 µs to
communication and 800 µs to the user program in each time slice. So the CPU requires
10 ms / 800 µs = 13 time slices to execute one cycle. This means the physical cycle time
is equivalent to 13 times 1-ms time slice = 13 ms, if the CPU fully utilizes the configured
communication load.
That is to say, 20% communication does not extend the cycle by a linear amount of 2 ms, but
by 3 ms.

Example: 50% communication load

You configured a communication load of 50% in the hardware configuration.
The calculated cycle time is 10 ms.
This means that 500 µs remain in each time slice for the cycle. Therefore, the CPU requires 10
ms / 500 µs = 20 time slices to execute one cycle. This means the physical cycle time is 20 ms
if the CPU fully utilizes the configured communication load.
So a setting of 50% communication load allocates 500 µs to communication and 500 µs to
the user program in each time slice. Therefore, the CPU requires 10 ms / 500 µs = 20 time
slices to execute one cycle. This means the physical cycle time is equivalent to 20 times 1-ms
time slice = 20 ms, if the CPU fully utilizes the configured communication load.
This means that 50% communication does not extend the cycle by a linear amount of 5 ms,
but by 10 ms (= doubling the calculated cycle time).

Dependency of the actual cycle time on communication load

The figure below describes the non-linear dependency of the actual cycle time on
communication load. In our example we have chosen a cycle time of 10 ms.

Cycle time
30 ms
You can set a communication load
within this range
25 ms

20 ms

15 ms

10 ms

5 ms
0% 5% 10% 20% 30% 40% 50% 60%
Communication load

Figure 17-30 Dependency of the cycle time on communication load

CPU 410 Process Automation

350 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

Further effects on the actual cycle time

Seen statistically, the extension of cycle times due to communication load leads to more
asynchronous events occurring within an OB 1 cycle, for example interrupts. This further
extends the OB 1 cycle. How much it is extended depends on the number of events per OB 1 cycle
and the time required for processing these events.

Remarks
• Change the value of the "communication load" parameter to check the effects on the cycle
time during system runtime.
• Always take the communication load into account when you set the maximum cycle time,
otherwise you risk timeouts.

17.16.4 Response time

Definition of response time

The response time is the time from detecting an input signal to changing the output signal
associated with it.

Fluctuation range
The actual response time lies between the shortest and the longest response time. You must
always assume the longest response time when configuring your system.
The shortest and longest response times are analyzed below so that you can gain an
impression of the variation of the response time.

Factors
The response time depends on the cycle time and the following factors:
• Delay of the inputs and outputs
• Additional DP cycle times on the PROFIBUS DP network
• Execution in the user program

Delay of inputs/outputs
Make allowances for the following module-specific delay times:
• For digital inputs: the input delay time
• For interrupt-capable digital inputs: the input delay time + internal preparation time
• For digital outputs: negligible delay times

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 351
Supplementary information
17.16 CPU 410 cycle and reaction times

• For relay outputs: Typical delay times of 10 to 20 ms.

The delay of the relay outputs is dependent on the
temperature and voltage, among other things.
• For analog inputs: cycle time for analog input
• For analog outputs: response time at analog outputs
For information on delay times, refer to the technical specifications of the signal modules.

DP cycle times on the PROFIBUS DP network

If you configured your PROFIBUS DP network in STEP 7, STEP 7 calculates the typical DP cycle
time to be expected. You can then view the DP cycle time of your configuration on the PG in the
bus parameters section.
The figure below provides an overview of the DP cycle time. In this example, we assume that
each DP device has 4 bytes of data on average.

%XVUXQWLPH PV

PV

%DXGUDWH0ESV
PV

PV

PV

PV

%DXGUDWH0ESV
PV

PV

0LQ
GHYLFHLQWHUYDO
       1XPEHURI'3GHYLFHV

Figure 17-31 DP cycle times on the PROFIBUS DP network

If you operate a PROFIBUS DP network with multiple masters, you must take the DP cycle
time into account for each master, i.e. perform and add the calculation for each master
separately.

CPU 410 Process Automation

352 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

Shortest response time

The figure below shows the conditions under which the shortest response time is achieved.

6&&26

,QSXWGHOD\

3$$
,PPHGLDWHO\EHIRUHWKH3,,LVUHDGWKHVWDWHRIWKHUHVSHFWLYH
LQSXWFKDQJHV7KHFKDQJHLQLQSXWVLJQDOLVWKHUHIRUHDOVR
3$( LQFOXGHGLQWKH3,,
5H
DF 8VHU
SURJUDP 7KHFKDQJHLQLQSXWVLJQDOLVSURFHVVHGKHUHE\WKHXVHU
WLRQ SURJUDP
WLPH
6&&26
7KHXVHUSURJUDPUHDFWLRQWRWKHFKDQJHLQLQSXWVLJQDOLV
WUDQVIHUUHGWRWKHRXWSXWVKHUH

3$$

2XWSXWGHOD\

Figure 17-32 Shortest response time

Calculation
The (shortest) response time is calculated as follows:
• 1 x process image transfer time of the inputs +
• 1 x process image transfer time of the outputs +
• 1 x program processing time +
• 1 x operating system processing time at the SCCP +
• Delay of the inputs and outputs
The result is equivalent to the sum of the cycle time plus the I/O delay times.

Note
If the CPU and signal module are not in the central controller, you must add twice the runtime
of the DP device frame (including processing in the DP master).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 353
Supplementary information
17.16 CPU 410 cycle and reaction times

Longest response time

The figure below shows the conditions under which the longest response time is achieved.

6&&26

,QSXWGHOD\
'3F\FOHWLPHRQWKH352),%86b'3
3$$
$VWKH3,,LVEHLQJUHDGLQWKHVWDWHRIWKHUHVSHFWLYH
3$( LQSXWFKDQJHV7KHFKDQJHLQLQSXWVLJQDOLVWKHUHIRUH
LJQRUHGLQWKH3,,
8VHU
SURJUDP

6&&26
5H
DF
WLRQ
WLPH 3$$
7KHFKDQJHLQLQSXWVLJQDOLVLQFOXGHGLQWKH3,,KHUH

3$(
7KHFKDQJHLQLQSXWVLJQDOLVSURFHVVHGKHUHE\WKH
8VHU XVHUSURJUDP
SURJUDP
7KHXVHUSURJUDPUHDFWLRQWRWKHFKDQJHLQLQSXW
6&&26 VLJQDOLVWUDQVIHUUHGWRWKHRXWSXWVKHUH

3$$ 2XWSXWGHOD\
'3F\FOHWLPHRQWKH352),%86b'3
Figure 17-33 Longest response time

Calculation
The (longest) response time is calculated as follows:
• 2 x process image transfer time of the inputs +
• 2 x process image transfer time of the outputs +
• 2 x operating system processing time +
• 2 x program processing time +
• 2 x runtime of the DP device frame (including processing in the DP master) +
• Delay of the inputs and outputs
This is equivalent to the sum of twice the cycle time and the delay in the inputs and outputs
plus twice the DP cycle time.

CPU 410 Process Automation

354 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

Processing direct I/O access

You can achieve faster response times by directly accessing the I/O in your user program, e.g.,
with the following instructions:
• L PIB
• T PQW
However, note that any I/O access requires a synchronization of the two units and thus
extends the cycle time.

Reducing the response time

This reduces the maximum response time to:
• Delay of the inputs and outputs
• Runtime of the user program (can be interrupted by higher-priority interrupt processing)
• Runtime of direct access
• 2x bus runtime of DP
The following table lists the execution times of direct access by the CPU to I/O modules. The
specified times are pure CPU processing times and do not include the processing times of the
signal modules.

Table 17-15 Direct access of the CPUs to I/O modules in the central controller

Access type CPU 410-5H CPU 410-5H

stand-alone mode redundant
Read byte 2.2 µs 11.0 µs
Read word 3.7 µs 11.1 µs
Read double word 6.8 µs 14.2 µs
Write byte 2.2 µs 10.8 µs
Write word 3.8 µs 11.2 µs
Write double word 7.0 µs 14.4 µs

Table 17-16 Direct access of the CPUs to I/O modules in the expansion unit with local link

Access type CPU 410-5H CPU 410-5H

stand-alone mode redundant
Read byte 5.5 µs 13.0 µs
Read word 10.5 µs 17.9 µs
Read double word 19.9 µs 27.4 µs
Write byte 5.3 µs 12.7 µs
Write word 10.2 µs 17.6 µs
Write double word 19.8 µs 27.3 µs

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 355
Supplementary information
17.16 CPU 410 cycle and reaction times

Table 17-17 Direct access of the CPUs to I/O modules in the expansion unit with remote link, setting 100 m

Access type CPU 410-5H CPU 410-5H

stand-alone mode redundant
Read byte 11.3 µs 16.6 µs
Read word 22.8 µs 28.1 µs
Read double word 44.1 µs 49.8 µs
Write byte 10.8 µs 16.2 µs
Write word 21.9 µs 27.3 µs
Write double word 44.0 µs 49.4 ms

Note
You can also achieve fast response times by using hardware interrupts; see section Interrupt
response time (Page 361).

CPU 410 Process Automation

356 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

17.16.5 Calculating cycle and response times

Cycle time
1. Determine the user program runtime with the help of the instruction list.
2. Calculate and add the process image transfer time. You will find guide values for this in the
tables starting at 16-3.
3. Add the processing time at the scan cycle checkpoint. You will find guide values for this in
Table 16-8.
4. Multiply the calculated value by the factor in Table 16-7.
The final result is the cycle time.

Extension of the cycle time due to communication and interrupts

1. Multiply the result by the following factor:
100 / (100 – "configured communication load in %")
2. Using the instruction list, calculate the runtime of the program elements processing the
interrupts. To do so, add the relevant value from Table 16-9.
Multiply this value by the factor from step 4.
Add this value to the theoretical cycle time as often as the interrupt is triggered or is expected
to be triggered during the cycle time.
The result is an approximated actual cycle time. Note down the result.

Table 17-18 Example of calculating the response time

Shortest response time Longest response time

3. Next, calculate the delays in the inputs and out‐ 3. Multiply the actual cycle time by factor 2.
puts and, if applicable, the cycle times on the PRO‐
FIBUS DP network.
  4. Next, calculate the delays in the inputs and out‐
puts and the DP cycle times on the PROFIBUS DP
network.
4. The result you obtain is the shortest response 5. The result you obtain is the longest response
time. time.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 357
Supplementary information
17.16 CPU 410 cycle and reaction times

17.16.6 Examples of calculating the cycle and response times

Example I
You have installed an S7-400 with the following modules in the central controller:
• a CPU 410–5H in redundant mode
• 2 digital input modules SM 421; DI 32xDC 24 V (each with 4 bytes in the PI)
• 2 digital output modules SM 422; DO 32xDC 24 V/0.5 (each with 4 bytes in the PI)

User program
According to the instruction list, the user program runtime is 15 ms.

Calculating the cycle time

The cycle time for the example results from the following times:
• As the CPU-specific factor is 1.2, the user program execution time is:
approx. 18.0 ms
• Process image transfer time (4 double-word accesses)
Process image: 9 µs + 4 ×25 µs = approx. 0.109 ms
• OS execution time at the scan cycle checkpoint:
approx. 0.31 ms
The total of the listed times is equivalent to the cycle time:
Cycle time = 18.0 ms + 0.109 ms + 0.31 ms = 18.419 ms.

Calculation of the actual cycle time

• Allowance for communication load (default value: 20%):
18.419 ms * 100 / (100–20) = 23.024 ms.
• There is no interrupt processing.
So the actual, cycle time is approx. 23 ms.

Calculating the longest response time

• Longest response time
23.024 ms * 2 = 46.048 ms.
• The delay of the inputs and outputs is negligible.
• All the components are plugged into the central controller; DP cycle times do not therefore
have to be taken into account.
• There is no interrupt processing.
So the longest, rounded up response time is = 46.1 ms.

CPU 410 Process Automation

358 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

Example II
You have installed an S7-400 with the following modules:
• a CPU 410–5H in redundant mode
• 4 digital input modules SM 421; DI 32×DC 24 V (each with 4 bytes in the PI)
• 3 digital output modules SM 422; DO 16xDC 24 V /2 (each with 2 bytes in the PI)
• 2 analog input modules SM 431; AI 8x13 bit (not in the PI)
• 2 analog output modules SM 432; AO 8x13 bit (not in the PI)

CPU parameters
The CPU parameters were assigned as follows:
• Cycle load due to communication: 40%

User program
According to the instruction list, the user program runtime is 10.0 ms.

Calculating the cycle time

The theoretical cycle time for the example is derived from the following times:
• As the CPU-specific factor is 1.2, the user program execution time is:
approx. 12.0 ms
• Process image transfer time (4 x double-word access and 3 x word access)
Process image: 9 µs + 7 ×25 µs = approx. 0.184 ms
• Operating system runtime at scan cycle checkpoint:
approx. 0.31 ms
The total of the listed times is equivalent to the cycle time:
Cycle time = 12.0 ms + 0.184 ms + 0.31 ms = 12.494 ms.

Calculation of the actual cycle time

• Allowance for communication load:
12.494 ms * 100 / (100–40) = 20.823 ms.
• A time-of-day interrupt with a runtime of 0.5 ms is triggered every 100 ms.
The interrupt can be triggered a maximum of one time during a cycle:
0.5 ms + 0.490 ms (from table 16-9) = 0.99 ms.
Allowing for communication load:
0.99 ms * 100 / (100–40) = 1.65 ms.
• 20.823 ms + 1.65 ms = 22.473 ms.
Taking into account the time slices, the actual rounded up cycle time is 22.5 ms.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 359
Supplementary information
17.16 CPU 410 cycle and reaction times

Calculating the longest response time

• Longest response time
22.5 ms * 2 = 45 ms.
• Delay of inputs and outputs
– The maximum input delay of the digital input module SM 421; DI 32×DC 24 V is 4.8 ms
per channel
– The output delay of the digital output module SM 422; DO 16×DC 24 V/2A is negligible.
– An interference frequency suppression of 50 Hz was assigned for the analog input module
SM 431; AI 8×13Bit. The result is a conversion time of 25 ms per channel. As 8 channels
are active, a cycle time of the analog input module of 200 ms results.
– Analog output module SM 432; AO 8×13Bit was assigned for measuring range 0 ... 10 V.
This results in a conversion time of 0.3 ms per channel. Since 8 channels are active, the
result is a cycle time of 2.4 ms. The transient time for a resistive load of 0.1 ms must be
added to this. The result is an analog output response time of 2.5 ms.
• All components are installed in the central controller, so DP cycle times can be ignored.
• Case 1: The system sets an output channel of the digital output module after a digital input
signal is read in. The result is as follows:
Response time = 45 ms + 4.8 ms = 49.8 ms.
• Case 2: The system reads in and outputs an analog value. The result is as follows:
Response time = 45 ms + 200 ms + 2.5 ms = 247.5 ms.

CPU 410 Process Automation

360 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

17.16.7 Interrupt response time

Definition of interrupt response time

The interrupt response time is the time from the first occurrence of an interrupt signal to the call
of the first instruction in the interrupt OB.
General rule: Higher priority interrupts are handled first. This means the interrupt response
time is increased by the program execution time of the higher-priority interrupt OBs, and by
previous interrupt OBs of the same priority which have not yet been processed (queue).
Note that any update of the standby CPU extends the interrupt response time.

Calculating the interrupt response time

Minimum interrupt response time of the CPU
+ minimum interrupt response time of the
signal modules
+ cycle time on PROFIBUS DP or PROFINET IO
= Shortest interrupt response time
Minimum interrupt response time of the CPU
+ maximum interrupt response time of the
signal modules
+ 2 * cycle time on PROFIBUS DP or PROFINET IO
= Longest interrupt response time

Hardware and diagnostic interrupt response times of the CPUs

Table 17-19 Hardware and interrupt response times; maximum interrupt response time without
communication

CPU Hardware interrupt response Diagnostic interrupt response

times times
  min. max. min. max.
CPU 410-5H stand-alone mode 60 µs 90 µs 60 µs 90 µs
CPU 410-5H redundant 140 µs 310 µs 120 µs 250 µs

Increasing the maximum interrupt response time with communication

The maximum interrupt response time is extended when the communication functions are
active. The additional time is calculated using the following formula:
CPU 410-5H tv = 100 µs + 1000 µs × n%, significant extension possible
where n = cycle load due to communication

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 361
Supplementary information
17.16 CPU 410 cycle and reaction times

Signal modules
The hardware interrupt response time of signal modules is made up as follows:
• Digital input modules
Hardware interrupt response time = internal interrupt processing time + input delay
You will find these times in the data sheet for the respective digital input module.
• Analog input modules
Hardware interrupt response time = internal interrupt processing time + conversion time
The internal interrupt processing time for analog input modules can be neglected. The
conversion times can be found in the data sheet for the individual analog input modules.
The diagnostic interrupt response time of the signal modules is the time from detection of
a diagnostic event by the signal module to the triggering of the diagnostic interrupt by the
signal module. This short time can be neglected.

Hardware interrupt processing

Hardware interrupt processing begins when the hardware interrupt OB 4x is called. Higher-
priority interrupts stop hardware interrupt processing. Direct access to I/O modules is executed
during the execution time of the operation. After the hardware interrupt has been processed,
the system either resumes cyclic program processing, or calls and processes interrupt OBs of the
same or lower priority.

CPU 410 Process Automation

362 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.16 CPU 410 cycle and reaction times

17.16.8 Example of calculation of the interrupt response time

Elements of the interrupt response time

As a reminder: The hardware interrupt response time is made up of the following:
• Hardware interrupt response time of the CPU
• Hardware interrupt response time of the signal module
• 2 × DP cycle time on PROFIBUS DP

Example
You have installed a CPU 410-5H and four digital modules in the central controller. One digital
input module is the SM 421; DI 16×UC 24/60 V; with hardware and diagnostic interrupts. You
have enabled only the hardware interrupt in your CPU and SM parameter assignment. You
decided not to use time-driven processing, diagnostics or error handling. You have assigned an
input delay of 0.5 ms for the digital input modules. No activities are required at the scan cycle
checkpoint. You have set the communication load of the cycle as 20%.

Calculation
In this example, the hardware interrupt response time is based on following time factors:
• Process interrupt response time of CPU 410-5H: Approx. 0.3 ms (mean value in
redundant operation)
• Extension due to communication according to the description in Chapter Interrupt response
time (Page 361):
100 µs + 1000 µs × 20% = 300 µs = 0.3 ms
• Hardware interrupt response time of SM 421; DI 16×UC 24/60 V:
– Internal interrupt processing time: 0.5 ms
– Input delay: 0.5 ms
• The DP cycle time on the PROFIBUS DP is irrelevant, because the signal modules are installed
in the central controller.
The hardware interrupt response time is equivalent to the sum of the listed time factors:
Hardware interrupt response time = 0.3 ms + 0.3 ms + 0.5 ms + 0.5 ms = approx. 1.6 ms.
This calculated hardware interrupt response time is the time between detection of a signal at
the digital input and the call of the first instruction in OB 4x.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 363
Supplementary information
17.17 Runtimes of the FCs and FBs for redundant I/Os

17.16.9 Reproducibility of delay and watchdog interrupts

Definition of "reproducibility"
Time-delay interrupt:
The period that expires between the call of the first operation in the interrupt OB and the
programmed time of interrupt.
Cyclic interrupt:
The fluctuation range of the interval between two successive calls, measured between the
respective initial operations of the interrupt OB.

Reproducibility
The following table contains the reproducibility of time-delay and cyclic interrupts of the CPUs.

Table 17-20 Reproducibility of time-delay and cyclic interrupts of the CPUs

Module Reproducibility
Time-delay interrupt Cyclic interrupt
CPU 410-5H stand-alone mode ± 120 µs ± 160 µs
CPU 410-5H redundant ± 200 µs ± 180 µs

These times only apply if the interrupt can actually be executed at this time and if it is not
delayed, for example, by higher-priority interrupts or queued interrupts of equal priority.

17.17 Runtimes of the FCs and FBs for redundant I/Os

Table 17-21 Runtimes of the blocks for redundant I/Os

Block Runtime in stand-alone/single mode Runtime in redundant mode

FC 450 RED_INIT 2 ms + 300 µs / configured module pairs -
Specifications are based on The specification for a module pair is a mean
the startup value. The runtime may be < 300 µs for a few
modules. For a large number of redundant
modules the value may be > 300 µs.
FC 451 RED_DEPA 160 µs 360 µs

CPU 410 Process Automation

364 System Manual, 11/2022, A5E31622160-AE
 Supplementary information
17.17 Runtimes of the FCs and FBs for redundant I/Os

Block Runtime in stand-alone/single mode Runtime in redundant mode

FB 450 RED_IN 750 μs + 60 μs / module pair of the current TPA 1000 μs + 70 μs / module pair of the current TPA
Called from the correspond‐ The specification for a module pair is a mean The specification for a module pair is a mean
ing sequence level. value. value.
The runtime may be additionally increased if The runtime may be additionally increased if
discrepancies occur resulting in passivation discrepancies occur resulting in passivation
and logging to the diagnostic buffer. and logging to the diagnostic buffer.
The runtime may also be increased by a depas‐ The runtime may also be increased by a depas‐
sivation carried out at the individual sequence sivation carried out at the individual sequence
levels of FB RED_IN. Depending on the number levels of FB RED_IN. Depending on the number
of modules in the sequence level, the depassi‐ of modules in the sequence level, the depassi‐
vation may increase the runtime of the FB vation may increase the runtime of the FB
RED_IN by 0.4 ... 8 ms. RED_IN by 0.4 ... 8 ms.
An 8 ms increase can be expected in redundant An 8 ms increase can be expected in redundant
operation of modules totaling more than 370 operation of modules totaling more than 370
pairs of modules at a sequence level. pairs of modules at a sequence level.
FB 451 RED_OUT 650 μs + 2 μs / module pair of the current TPA 860 μs + 2 μs / module pair of the current TPA
Called from the correspond‐ The specification for a module pair is a mean The specification for a module pair is a mean
ing sequence level. value. The runtime may be < 2 µs for a few value. The runtime may be < 2 µs for a few
modules. For a large number of redundant modules. For a large number of redundant
modules the value may be > 2 µs. modules the value may be > 2 µs.
FB 452 RED_DIAG Called in OB 72: 160 µs Called in OB 72: 360 µs
Called in OB 82, 83, 85: Called in OB 82, 83, 85:
250 µs + 5 µs / configured module pairs 430 μs (basic load) + 6 μs / configured module
Under extreme conditions the runtime of FB pairs
RED_DIAG is increased up to 1.5 ms. . Under extreme conditions the runtime of FB
This is the case when the working DB is 60 KB or RED_DIAG is increased up to 1.5 ms. .
larger and if there are interrupt trigger address‐ This is the case when the working DB is 60 KB or
es that do not belong to the redundant I/O. larger and if there are interrupt trigger address‐
es that do not belong to the redundant I/O.
FB 453 RED_STATUS 160 μs 4 μs/ configured module pairs * number 350 μs + 5 μs / configured module pairs * num‐
of module pairs) ber of module pairs)
The runtime depends on the random position The runtime depends on the random position
of the module being searched for in the work‐ of the module being searched for in the work‐
ing DB. ing DB.
When a module address is not redundant, the When a module address is not redundant, the
entire working DB is searched. This results in entire working DB is searched. This results in
the longest runtime of FB RED_STATUS. the longest runtime of FB RED_STATUS.
The number of module pairs is based either on The number of module pairs is based either on
all inputs (DI/AI) or all outputs (DO/AO). all inputs (DI/AI) or all outputs (DO/AO).

Note
These are guide values, not absolute values. The actual value may deviate from these
specifications in some cases. This overview is intended as a guide and should help you estimate
how use of the Redundant IO CGP V52 library may change the cycle time.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 365
Supplementary information
17.17 Runtimes of the FCs and FBs for redundant I/Os

CPU 410 Process Automation

366 System Manual, 11/2022, A5E31622160-AE
Characteristic values of redundant automation
systems A
This appendix provides a brief introduction to the characteristic values of redundant automation
systems, and shows the practical effects of redundant configurations, based on a selection of
configurations.
You will find an overview of the MTBF of various SIMATIC products in the SIMATIC FAQs
in the following entry: Mean Time Between Failures (MTBF) list for SIMATIC Products (https://
support.industry.siemens.com/cs/ww/en/view/16818490)

A.1 Basic concepts

The quantitative assessment of redundant automation systems is usually based on their
reliability and availability parameters. These are described in detail below.

Reliability
Reliability refers to the capability of technical equipment to fulfill its function during its operating
period. This is usually no longer the case if any of its components fails.
So a commonly used measure for reliability is the MTBF (Mean Time Between Failure). This
can be analyzed statistically based on the parameters of running systems, or by calculating
the failure rates of the components used.

Reliability of modules
The reliability of SIMATIC components is extremely high as a consequence of extensive quality
assurance measures in design and production.

Reliability of automation systems

The use of redundant modules considerably prolongs the MTBF of a system. The combination of
integrated high-quality self-tests and error detection mechanisms of the S7-400H CPUs allows
the detection and localization of virtually all errors.
The MTBF of an S7-400H is determined by the MDT (Mean Down Time) of a system unit. This
time is derived in essence from the error detection time plus the time required to repair or
replace defective modules.
In addition to other measures, a CPU provides a self-test function with an adjustable test
cycle time. The default test cycle time is 90 minutes. This time has an influence on the error
detection time. The repair time usually required for a modular system such as the S7-400H is
4 hours.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 367
Characteristic values of redundant automation systems
A.1 Basic concepts

Mean Down Time (MDT)

The MDT of a system is determined by the times outlined below:
• Time required to detect an error
• Time required to find the cause of an error
• Time required for troubleshooting and to restart the system
The system MDT is calculated based on the MDT of the individual system components. The
structure in which the components make up the system also forms part of the calculation.
Correlation between MDT and MTBF: MDT << MTBF
The MDT value is of the highest significance for the quality of system maintenance. The most
important factors are:
• Qualified personnel
• Efficient logistics
• High-performance tools for diagnostics and error recognition
• A sound repair strategy
The figure below shows the dependency of the MDT on the times and factors mentioned
above.

MDT

Detect error Troubleshooting Starting the system

Find cause

Qualified personnel

Diagnostics Repair strategy

Logistics

Figure A-1 MDT

The figure below shows the parameters included in the calculation of the MTBF of a system.

CPU 410 Process Automation

368 System Manual, 11/2022, A5E31622160-AE
 Characteristic values of redundant automation systems
A.1 Basic concepts

([SHULHQFH

(UURUPRGHO

6\VWHPHUURU

0'7&&)'&
07%)RIWKH
&RPSRQHQW V\VWHP
FKDUDFWHULVWLFV

0DUNRYPRGHO

0LQLPDO&XW6HW0&6

0&6FODVV

Figure A-2 MTBF

Requirements
This analysis assumes the following conditions:
• The failure rate of all components and all calculations is based on an average temperature of
40 °C.
• The system installation and configuration is free of errors.
• All replacement parts are available locally, in order to prevent extended repair times due to
missing spare parts. This keeps the component MDT down to a minimum.
• The MDT of individual components is 4 h. The system's MDT is calculated based on the MDT
of the individual components plus the system structure.
• The MTBF of the components meets the following standards:
– SN 29500
This standard is compliant with MIL–HDBK 217–F.
– IEC 60050
– IEC 61709
• The calculations are made using the diagnostic coverage of each component.
• A CCF factor between 0.2% and 2% is assumed, depending on the system configuration.

Common Cause Failure (CCF)

The Common Cause Failure (CCF) is an error which is caused by one or more events which also
lead to an error state on two or more separate channels or components in a system. A CCF leads
to a system failure.
The CCF may be caused by one of the following factors:
• Temperature
• Humidity

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 369
Characteristic values of redundant automation systems
A.1 Basic concepts

• Corrosion
• Vibration and shock
• Electromagnetic interference
• Electrostatic discharge
• RF interference
• Unexpected sequence of events
• Operating errors
The CCF factor defines the ratio between the probability of the occurrence of a CCF and the
probability of the occurrence of any other error.
Typical CCF factors range from 2% to 0.2% in a system with identical components, and
between 1% and 0.1% in a system containing different components.
Within the range stipulated in IEC 61508, a CCF factor between 0.02% and 5% is used to
calculate the MTBF.

CCF, affects both

Error on channel 1 channels Error on channel 2

Figure A-3 Common Cause Failure (CCF)

Reliability of an S7-400H
The use of redundant modules prolongs the system MTBF by a large factor. The integrated high-
grade self-test and the test/message functions of the S7-400H CPUs enable the detection and
localization of virtually all errors. The calculated diagnostic coverage is around 90%.
The reliability in stand-alone mode is described by the corresponding failure rate. The failure
rate for all S7 components is calculated according to the SN29500 standard.
The reliability in redundant mode is described by the failure rate of the components involved.
This is termed "MTBF" below. Those combinations of failed components which cause a
system failure are described and calculated using Markov models. Calculations of the system
MTBF take account of the diagnostic coverage and the common cause factor.

Availability
Availability is the probability that a system is operable at a given point of time. This can be
enhanced by means of redundancy, for example by using redundant I/O modules or multiple
encoders at the same sampling point. Redundant components are arranged such that system
operability is not affected by the failure of a single component. Here, again, an important
element of availability is a detailed diagnostics display.

CPU 410 Process Automation

370 System Manual, 11/2022, A5E31622160-AE
 Characteristic values of redundant automation systems
A.2 Comparison of MTBF for selected configurations

The availability of a system is expressed as a percentage. It is defined by the mean time

between failure (MTBF) and the mean time to repair MTTR (MDT). The availability of a
two-channel (1-out-of-2) fault-tolerant system can be calculated using the following formula:

MTBF 1v2
V= 100%
MTBF1v2 + MDT

MTBF MDT MTBF Time

Figure A-4 Availability

A.2 Comparison of MTBF for selected configurations

The following sections compare systems with a centralized and distributed I/Os.
The following framework conditions are set for the calculation.
• MDT (Mean Down Time) 4 hours
• Ambient temperature 40 degrees
• Buffer voltage is safeguarded

A.2.1 System configurations with redundant CPU 410

The following system with one CPU (e.g., CPU 410-5H PN/DP) in stand-alone operation serves as
the basis for calculating a reference factor that defines the multiple of the system MTBF of other
systems with centralized I/O compared with the base line.

Fault-tolerant CPU in stand-alone operation

Fault-tolerant CPU 410-5H in stand-alone mode Factor

1

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 371
Characteristic values of redundant automation systems
A.2 Comparison of MTBF for selected configurations

Redundant CPUs in different racks

Redundant CPU 410-5H in divided rack, CCF = 2% Factor

approx. 15

Redundant CPU 410-5H in two separate racks, CCF = 1 % Factor

approx. 20

A.2.2 System configurations with distributed I/Os

The system with two fault-tolerant CPUs 410-5H and one-sided I/Os described below is taken as
a basis for calculating a reference factor which specifies the multiple of the availability of the
other systems with distributed I/Os compared with the base line.

Redundant CPUs with single-channel one-sided or switched I/O

One-sided distributed I/O Base line

1

CPU 410 Process Automation

372 System Manual, 11/2022, A5E31622160-AE
 Characteristic values of redundant automation systems
A.2 Comparison of MTBF for selected configurations

Switched distributed I/O, PROFIBUS DP, CCF = 2 % Factor

approx. 15

Switched distributed I/O, PROFINET, CCF = 2 % Factor

b[ILEHURSWLFFDEOHV approx. 10
36$

36$
&38+

&38+

352),1(7

(70
,0

The estimate applies if the process allows for any device to fail.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 373
Characteristic values of redundant automation systems
A.2 Comparison of MTBF for selected configurations

Redundant CPUs with redundant I/O

The comparison only took account of the I/O modules.

Single-channel one-sided I/O MTBF factor

1
(70

Redundant I/O MTBF factor

See following table

Table A-1 MTBF factors of the redundant I/O

Module MLFB MTBF factor

CCF = 1%
Digital input modules, distributed
DI 24xDC24V 6ES7 326–1BK02–0AB0 approx. 5
DI 8xNAMUR [EEx ib] 6ES7 326-1RF00-0AB0 approx. 5
DI16xDC24V, Alarm 6ES7 321–7BH01–0AB0 approx. 4
Analog input modules, distributed
AI 6x13Bit 6ES7 336-1HE00-0AB0 approx. 5
AI8x12Bit 6ES7 331-7KF02-0AB0 approx. 5
Digital output modules, distributed
DO 10xDC24V/2A 6ES7 326–2BF01–0AB0 approx. 5
DO8xDC24V/2A 6ES7 322-1BF01-0AA0 approx. 3
DO32xDC24V/0.5A 6ES7 322–1BL00–0AA0 approx. 3

CPU 410 Process Automation

374 System Manual, 11/2022, A5E31622160-AE
 Characteristic values of redundant automation systems
A.2 Comparison of MTBF for selected configurations

Summary
Several thousand redundant automation systems are in use in different configurations in
manufacturing and process automation. To calculate the MTBF, we assumed an average
configuration.
Based on experience in the field, an assumption of MTBF of 3000 years is 95% reliable.
The system MTBF value calculated is about 230 years for a system configuration with
redundant CPU 410-5H.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 375
Characteristic values of redundant automation systems
A.2 Comparison of MTBF for selected configurations

A.2.3 Comparison of system configurations with standard and fault-tolerant

communication
The next section shows a comparison between standard and fault-tolerant communication for a
configuration consisting of a fault-tolerant system, a fault-tolerant CPU operating in stand-alone
mode, and a single-channel OS.
The comparison only took account of the CP and cable communication components.

Systems with standard and fault-tolerant communication

Standard communication Base line

26VLQJOHXVHU $6+6,6 $66,6 1

Fault-tolerant communication Factor

26VLQJOHXVHU $6+6,6 $66,6 Approx. 80

CPU 410 Process Automation

376 System Manual, 11/2022, A5E31622160-AE
Function and communication modules that can be
used in a redundant configuration B
A complete list of all modules approved for SIMATIC PCS 7 can be found under "Manuals for the
SIMATIC PCS 7 V9.X software" > "SIMATIC PCS 7 system documentation" > "Approved modules
V9.X" at the following address: SIMATIC PCS 7 technical documentation (https://
new.siemens.com/global/en/products/automation/process-control/simatic-pcs-7/technical-
documentation.html)
In redundant configuration you can use the following function modules (FM) and
communication processors (CP) with a CPU 410-5H.

Note
There may be further restriction for individual modules. Refer to the information in the
corresponding product information and FAQ, or in SIMATIC NET News.

FMs and CPs which can be used centrally

Module Article No. Release One-sided Redundant

Communication module 6GK7 443–1EX30–0XE0 As of product version 1 Yes Yes
CP443-1 (Industrial Ethernet ISO and As of firmware V3.0
TCP/IP, 2-port switch)
Without PROFINET IO and PROFINET
CBA
Communication module CP443-1 Ad‐ 6GK7 443–1GX30–0XE0 As of product version 1 Yes Yes
vanced3) (Industrial Ethernet ISO and As of firmware V3.0
TCP/IP, 4-port switch, Gigabit port)
Communication processor 6GK7 443-5DX04-0XE0 As of product version 1 Yes Yes
CP 443-5 Extended (PROFIBUS As of firmware V6.0
DPV1) 1) 2) 6GK7 443-5DX05-0XE0 As of product version 1 Yes Yes
As of firmware V7.1
1)
Only these modules should be used as external master interfaces on the PROFIBUS DP.
2)
These modules support DPV1 as external DP master interface module (complying with IEC
61158/EN 50170).
3)
Do not use this CP directly on the Internet. If you want to connect the system to the
Internet, you need to install appropriate protection devices in front of the CP, for example, a
SCALANCE SC with firewall. Also read the information in the Industry Online Support on the
Internet (https://support.industry.siemens.com/cs/us/en/view/109799025).

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 377
Function and communication modules that can be used in a redundant configuration

FMs and CPs usable for distributed switched use

Module Article No. Release

Communication processor CP 341-1    
(point-to-point link)
  6ES7 341-1AH01-0AE0 As of product version 1
6ES7 341-1BH01-0AE0 As of firmware V1.0.0
6ES7 341-1CH01-0AE0
  6ES7 341-1AH02-0AE0 As of product version 1
6ES7 341-1BH02-0AE0 As of firmware V2.0.0
6ES7 341-1CH02-0AE0
Communication processor CP 342-2 6GK7 342-2AH01-0XA0 As of product version 1
(ASI bus interface module) As of firmware V1.10
Communication processor CP 343-2 6GK7 343-2AH00-0XA0 As of product version 2
(ASI bus interface module) As of firmware V2.03
Counter module FM 350-2 6ES7 350-2AH00-0AE0 As of product version 2
Control module FM 355 C 6ES7 355-0VH10-0AE0 As of product version 4
Control module FM 355 S 6ES7 355-1VH10-0AE0 As of product version 3

Note
One-sided or switched function modules and communication processors are not synchronized
in the fault-tolerant system if they exist in pairs.

CPU 410 Process Automation

378 System Manual, 11/2022, A5E31622160-AE
Connection examples for redundant I/Os C
C.1 MTA terminal modules (Marshalled Termination Assemblies)

MTA Terminal Modules

MTA terminal modules (Marshalled Termination Assemblies) can be used to connect field
devices, sensors and actuators to the I/O modules of the ET 200M remote I/O stations simply,
quickly and reliably. They can be used to significantly reduce the costs and required work for
cabling and commissioning, and prevent wiring errors.
The individual MTA terminal modules are each tailored to specific I/O modules from the
ET 200M range. MTA versions for standard I/O modules are also available, as for redundant
and safety-related I/O modules. The MTA terminal modules are connected to the I/O modules
using 3 m or 8 m long preassembled cables.
Details on combinable ET 200M modules and suitable connection cables as well as the
current MTA product range are available at this address: Update and expansion of the MTA
terminal modules (https://support.industry.siemens.com/cs/ww/en/view/29289048)

C.2 Interconnection of output modules

Interconnection of digital output modules using external diodes <-> without external diodes
The table below lists the redundant digital output modules which in redundant operation you
should interconnect using external diodes:

Table C-1 Interconnecting digital output modules with/without diodes

Module with diodes without diodes

6ES7 326–2BF01–0AB0 X X
6ES7 322–1BL00–0AA0 X -
6ES7 322-1BF01-0AA0 X -
6ES7 322-8BF00-0AB0 X X
6ES7 322–1FF01–0AA0 - X
6ES7 322-8BH01-0AB0 - X
6ES7 322-8BH10-0AB0 - X
6ES7 322-5RD00-0AB0 X -
6ES7 322-5SD00-0AB0 X -

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 379
Connection examples for redundant I/Os
C.2 Interconnection of output modules

Information on connecting digital output modules via diodes

• Suitable diodes are diodes with U_r >=200 V and I_F >= 1 A (e.g., types from the series
1N4003 ... 1N4007).
• It is advisable to separate the ground of the module and the ground of the load. There must
be equipotential bonding between both.

Information on connecting analog output modules via diodes

• Suitable diodes are diodes with U_r >=200 V and I_F >= 1 A (e.g., types from the series
1N4003 ... 1N4007).
• A separate load supply is advisable. There must be equipotential bonding between both load
supplies.

CPU 410 Process Automation

380 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.3 8-channel HART analog input MTA

C.3 8-channel HART analog input MTA

The following figure shows the connection of an encoder to two SM 331; AI 8 x 0/4...20mA HART
via an 8-channel HART analog input MTA.

02'8/(
+$,07$
60
07$
$O[P$+$57
&$%/(
3:5 /
:,5(  ,[ 0
75$16'8&(5
 ,[
6+! 0[
0[

&855(17
/,0,7,1*
&,5&8,7 02'8/(
)255('81'$1&<
:,5(
60
:,5(
07$ $O[P$+$57
&$%/(
0$ /

0% 0

9 9
0[
/%
0[
/$

Figure C-1 Interconnection example for SM 331, Al 8 x 0/4...20mA HART

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 381
Connection examples for redundant I/Os
C.4 8-channel HART analog output MTA

C.4 8-channel HART analog output MTA

The following figure shows the connection of an encoder to two redundant SM 322; AI 8 x
0/4...20mA HART via an 8-channel HART analog output MTA.

02'8/(
+$207$
60
07$
$2[P$+$57
&$%/(
/
0

P$ &+[
&+[
/2$'
&+[ &+[

6+[
02'8/(
)255('81'$1&<

07$ 60
&$%/( $2[P$+$57
0$ /
0% 0
9 9
&+[
/%
/$
&+[

Figure C-2 Interconnection example for SM 322, Al 8 x 0/4...20mA HART

CPU 410 Process Automation

382 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.5 SM 321; DI 16 x DC 24 V, 6ES7 321–1BH02–0AA0

C.5 SM 321; DI 16 x DC 24 V, 6ES7 321–1BH02–0AA0

The diagram below shows the connection of two redundant encoders to two SM 321; DI 16 x DC
24 V. The encoders are connected to channel 0.


 1







 










 1











 










9



Figure C-3 Example of an interconnection with SM 321; DI 16 x DC 24 V

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 383
Connection examples for redundant I/Os
C.6 SM 321; DI 32 x DC 24 V, 6ES7 321–1BL00–0AA0

C.6 SM 321; DI 32 x DC 24 V, 6ES7 321–1BL00–0AA0

The diagram below shows the connection of two redundant encoder pairs to two redundant SM
321; DI 32 x DC 24 V. The encoders are connected to channel 0 and channel 16 respectively.

 
 
 

 

 
 
 
 
 
 
 
 
 
 

 

 
 
 
 
 
 
 
 
 
 
 

 
 
 
 
 
  

 
 
 
 
 
 
 
 
9  
9
 
 
Figure C-4 Example of an interconnection with SM 321; DI 32 x DC 24 V

CPU 410 Process Automation

384 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.7 SM 321; DI 16 x AC 120/230V, 6ES7 321–1FH00–0AA0

C.7 SM 321; DI 16 x AC 120/230V, 6ES7 321–1FH00–0AA0

The diagram below shows the connection of two redundant encoders to two SM 321; DI 16 x AC
120/230 V. The encoders are connected to channel 0.

1 1N
2
3
4
5
6
7
8
9
10
120/230V
11
12
13
14
15
16
17
18
19
20

1 1N
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Figure C-5 Example of an interconnection with SM 321; DI 16 x AC 120/230 V

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 385
Connection examples for redundant I/Os
C.8 SM 321; DI 8 x AC 120/230 V, 6ES7 321–1FF01–0AA0

C.8 SM 321; DI 8 x AC 120/230 V, 6ES7 321–1FF01–0AA0

The diagram below shows the connection of two redundant encoders to two SM 321; DI 8 AC
120/230 V. The encoders are connected to channel 0.

1 1N
2
3
4
5
6
7
8
9
10
11 120/230V
12
13
14
15
16
17
18
19
20

1 1N
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Figure C-6 Example of an interconnection with SM 321; DI 8 x AC 120/230 V

CPU 410 Process Automation

386 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.9 SM 321; DI 16 x DC 24V, 6ES7 321–7BH00–0AB0

C.9 SM 321; DI 16 x DC 24V, 6ES7 321–7BH00–0AB0

The diagram below shows the connection of two redundant encoder pairs to two SM 321; DI 16
x DC 24V. The encoders are connected to channels 0 and 8.



 &+






  9V


 9V
 &+










 &+








 9V

 9V
 &+








0 
9 
Figure C-7 Example of an interconnection with SM 321; DI 16 x DC 24V

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 387
Connection examples for redundant I/Os
C.10 SM 321; DI 16 x DC 24V, 6ES7 321–7BH01–0AB0

C.10 SM 321; DI 16 x DC 24V, 6ES7 321–7BH01–0AB0

The diagram below shows the connection of two redundant encoder pairs to two SM 321; DI 16
x DC 24V. The encoders are connected to channels 0 and 8.

1
2
3 CH0
4
5
6
7
8
9
10 Vs
11 Vs
12
13 CH8
14
15
16
17
18
19
20

1
2 CH0
3
4
5
6
7
8
9
10 Vs
11 Vs
12
13 CH8
14
15
16
17
18
19
M 20
24V

Figure C-8 Example of an interconnection with SM 321; DI 16 x DC 24V

CPU 410 Process Automation

388 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.11 SM 326; DO 10 x DC 24V/2A, 6ES7 326–2BF01–0AB0

C.11 SM 326; DO 10 x DC 24V/2A, 6ES7 326–2BF01–0AB0

The diagram below shows the connection of an actuator to two redundant SM 326; DO 10 x DC
24V/2A. The actuator is connected to channel 1.

21 24V
1
2 22
3 23
4 24
5 25
6 26
7 27
8 28
9 29
10 30
11 31
12 32
13 33
14 34
15 35
16 36
17 37
24V 18 38 24V
19 39
20 40

1 21 24V
2 22
3 23
4 24
5 25
6 26
7 27
8 28
9 29
10 30

11 31
12 32
13 33
14 34
15 35
16 36
17 37
24V 18 38 24V
19 39
20 40

Figure C-9 Example of an interconnection with SM 326; DO 10 x DC 24V/2A

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 389
Connection examples for redundant I/Os
C.12 SM 326; DI 8 x NAMUR, 6ES7 326–1RF00–0AB0

C.12 SM 326; DI 8 x NAMUR, 6ES7 326–1RF00–0AB0

The diagram below shows the connection of two redundant encoders to two redundant SM 326;
DI 8 x NAMUR . The encoders are connected to channel 4.

  9
 
 

 

 
 
 
 
 
 
 
 
 
 

 

 
 
 
 
 
 
 
  9
 
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Figure C-10 Example of an interconnection with SM 326; DI 8 x NAMUR

CPU 410 Process Automation

390 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.13 SM 326; DI 24 x DC 24 V, 6ES7 326–1BK00–0AB0

C.13 SM 326; DI 24 x DC 24 V, 6ES7 326–1BK00–0AB0

The diagram below shows the connection of one encoder to two redundant SM 326; DI 24 x DC
24 V. The encoder is connected to channel 13.

24V 1 24V
21
2 22
3 23
4 24
5 25
6 26
7 27
8 28
9 29
10 30
11 31
12 32
13 33
14 34
15 35
16 36
17 37
18 38
19 39
20 40

24V 1 21 24V
2 22
3 23
4 24
5 25
6 26
7 27
8 28
9 29
10 30

11 31
12 32
13 33
14 34
15 35
16 36
17 37
18 38
19 39
20 40

Figure C-11 Example of an interconnection with SM 326; DI 24 x DC 24 V

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 391
Connection examples for redundant I/Os
C.14 SM 421; DI 32 x UC 120 V, 6ES7 421–1EL00–0AA0

C.14 SM 421; DI 32 x UC 120 V, 6ES7 421–1EL00–0AA0

The diagram below shows the connection of a redundant encoder to two SM 421; DI 32 x UC 120
V. The encoder is connected to channel 0.

1 ----
2 ----
3
4 o ---- 0
5 o ---- 1
6 o ---- 2
7 o ---- 3
8 o ---- 4
9 o ---- 5
10 o ---- 6
11 o ---- 7
12
13 ---- 1N
14
15 o ---- 0
16 o ---- 1
17 o ---- 2
18 o ---- 3
19 o ---- 4
120 VUC 20 o ---- 5
21 o ---- 6
22 o ---- 7
23
24 ---- 2N
25
26
27 o ---- 0
28 o ---- 1
29 o ---- 2
1 ---- 30 o ---- 3
2 ---- 31 o ---- 4
3 32 o ---- 5
4 o ---- 0
o ---- 1 33 o ---- 6
5 34 o ---- 7
6 o ---- 2
o ---- 3 35
7 36 ---- 3N
8 o ---- 4
o ---- 5 37
9 38
10 o ---- 6
o ---- 7 39 o ---- 0
11 40 o ---- 1
12 41 o ---- 2
13 ---- 1N 42 o ---- 3
14 43 o ---- 4
15 o ---- 0 44 o ---- 5
16 o ---- 1 45 o ---- 6
17 o ---- 2 46 o ---- 7
18 o ---- 3 47
19 o ---- 4 48 ---- 4N
20 o ---- 5
21 o ---- 6
22 o ---- 7
23
24 ---- 2N
25
26
27 o ---- 0
28 o ---- 1
29 o ---- 2
30 o ---- 3
31 o ---- 4
32 o ---- 5
33 o ---- 6
34 o ---- 7
35
36 ---- 3N
37
38
39 o ---- 0
40 o ---- 1
41 o ---- 2
42 o ---- 3
43 o ---- 4
44 o ---- 5
45 o ---- 6
46 o ---- 7
47
48 ---- 4N

Figure C-12 Example of an interconnection with SM 421; DI 32 x UC 120 V

CPU 410 Process Automation

392 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.15 SM 421; DI 16 x DC 24 V, 6ES7 421–7BH01–0AB0

C.15 SM 421; DI 16 x DC 24 V, 6ES7 421–7BH01–0AB0

The diagram below shows the connection of two redundant encoders pairs to two
SM 421; D1 16 x 24 V. The encoders are connected to channel 0 and 8.



 R
 R

 R
















 R
 R
 R
 R
 R
 R


















 R
 R


 R
 R
 R

















 R
 R
 R
 R
 R
 R















 9


 R
 R

Figure C-13 Example of an interconnection with SM 421; DI 16 x 24 V

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 393
Connection examples for redundant I/Os
C.16 SM 421; DI 32 x DC 24 V, 6ES7 421–1BL00–0AB0

C.16 SM 421; DI 32 x DC 24 V, 6ES7 421–1BL00–0AB0

The diagram below shows the connection of two redundant encoders to two
SM 421; D1 32 x 24 V. The encoders are connected to channel 0.


 R

 R











































 R


 R
 R









































9


 R

Figure C-14 Example of an interconnection with SM 421; DI 32 x 24 V

CPU 410 Process Automation

394 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.17 SM 421; DI 32 x DC 24 V, 6ES7 421–1BL01–0AB0

C.17 SM 421; DI 32 x DC 24 V, 6ES7 421–1BL01–0AB0

The diagram below shows the connection of two redundant encoders to two
SM 421; D1 32 x 24 V. The encoders are connected to channel 0.




 R











































 R



 R









































9


 R

Figure C-15 Example of an interconnection with SM 421; DI 32 x 24 V

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 395
Connection examples for redundant I/Os
C.18 SM 322; DO 8 x DC 24 V/2 A, 6ES7 322–1BF01–0AA0

C.18 SM 322; DO 8 x DC 24 V/2 A, 6ES7 322–1BF01–0AA0

The diagram below shows the connection of an actuator to two redundant SM 322; DO 8 x DC
24 V. The actuator is connected to channel 0.
Types with U_r >=200 V and I_F >= 2 A are suitable as diodes

/ 

















0 


























































9 
0 



Figure C-16 Example of an interconnection with SM 322; DO 8 x DC 24 V/2 A

CPU 410 Process Automation

396 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.19 SM 322; DO 32 x DC 24 V/0,5 A, 6ES7 322–1BL00–0AA0

C.19 SM 322; DO 32 x DC 24 V/0,5 A, 6ES7 322–1BL00–0AA0

The diagram below shows the connection of an actuator to two redundant SM 322; DO 32 x DC
24 V. The actuator is connected to channel 1.
Suitable diodes are, for example, those of the series 1N4003 ... 1N4007, or any other diode
with U_r >=200 V and I_F >= 1 A

1 L+ 1 21
2 22
e.g 1 N 4003
3 23

4 24

5 25

6 26

7 27
8 28
9 29
1M 10 30

11 31
12 32

13 33

14 34

15 35

16 36

17 37
18 38
19 39

20 40

1 L+ 1 21
2 22
e.g 1 N 4003
3 23
4 24

5 25
6 26
7 27
8 28

24V 9 29
1M
10 30

11 31
12 32

13 33
14 34

15 35
16 36
17 37
18 38
19 39
20 40

Figure C-17 Example of an interconnection with SM 322; DO 32 x DC 24 V/0.5 A

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 397
Connection examples for redundant I/Os
C.20 SM 322; DO 8 x AC 230 V/2 A, 6ES7 322–1FF01–0AA0

C.20 SM 322; DO 8 x AC 230 V/2 A, 6ES7 322–1FF01–0AA0

The diagram below shows the connection of an actuator to two SM 322; DO 8 x AC 230 V/2 A.
The actuator is connected to channel 0.

1 1L
2
1N
3

5
6

7
8
9

10

11
12

13

14
120/230V
15
16

17
18
19

20

1 1L
2
1N
3

5
6

7
8
9

10

11
12

13

14

15
16

17
18
19

20

Figure C-18 Example of an interconnection with SM 322; DO 8 x AC 230 V/2 A

CPU 410 Process Automation

398 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.21 SM 322; DO 4 x DC 24 V/10 mA [EEx ib], 6ES7 322–5SD00–0AB0

C.21 SM 322; DO 4 x DC 24 V/10 mA [EEx ib], 6ES7 322–5SD00–0AB0

The diagram below shows the connection of an actuator to two SM 322; DO 16 x DC 24 V/10 mA
[EEx ib]. The actuator is connected to channel 0. Suitable diodes are, for example, those of the
series 1N4003 ... 1N4007, or any other diode with U_r >=200 V and I_F >= 1 A

1 1L
2 1N
3
e.g 1 N 4003
4

5
6

7
8
9

10

11
12

13

14

15
16

17
18
19

20

1
2

5
6

7
8
9

10
e.g 1 N 4003

11
12

13

14

15
16

17
18
19 24 V
20

Figure C-19 Example of an interconnection with SM 322; DO 16 x DC 24 V/10 mA [EEx ib]

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 399
Connection examples for redundant I/Os
C.22 SM 322; DO 4 x DC 15 V/20 mA [EEx ib], 6ES7 322–5RD00–0AB0

C.22 SM 322; DO 4 x DC 15 V/20 mA [EEx ib], 6ES7 322–5RD00–0AB0

The diagram below shows the connection of an actuator to two SM 322; DO 16 x DC 15 V/20 mA
[EEx ib]. The actuator is connected to channel 0. Suitable diodes are, for example, those of the
series 1N4003 ... 1N4007, or any other diode with U_r >=200 V and I_F >= 1 A

 /

 1


 1IRUH[DPSOH






















































1IRUH[DPSOH

















 9




Figure C-20 Example of an interconnection with SM 322; DO 16 x DC 15 V/20 mA [EEx ib]

CPU 410 Process Automation

400 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.23 SM 322; DO 8 x DC 24 V/0.5 A, 6ES7 322–8BF00–0AB0

C.23 SM 322; DO 8 x DC 24 V/0.5 A, 6ES7 322–8BF00–0AB0

The diagram below shows the connection of an actuator to two redundant
SM 322; DO 8 x DC 24 V/0.5 A. The actuator is connected to channel 0.

1 L+ 1
2

8
9

10

11
12

13

14

15

16

17
18
19
1M 20

1
2

7
8
9

10

11
12

13

14

15

16

17
18
24 V 19
1M 20

Figure C-21 Example of an interconnection with SM 322; DO 8 x DC 24 V/0.5 A

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 401
Connection examples for redundant I/Os
C.24 SM 322; DO 16 x DC 24 V/0.5 A, 6ES7 322–8BH01–0AB0

C.24 SM 322; DO 16 x DC 24 V/0.5 A, 6ES7 322–8BH01–0AB0

The diagram below shows the connection of an actuator to two redundant SM 322; DO 16 x DC
24 V/0.5 A. The actuator is connected to channel 8.

/   /

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
0   0
 
/   /
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  0
0  
 

/   /

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
0 

 0

 
/  /

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
9   9
0  
  0
 

Figure C-22 Example of an interconnection with SM 322; DO 16 x DC 24 V/0.5 A

CPU 410 Process Automation

402 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.25 SM 332; AO 8 x 12 Bit, 6ES7 332–5HF00–0AB0

C.25 SM 332; AO 8 x 12 Bit, 6ES7 332–5HF00–0AB0

The diagram below shows the connection of two actuators to two redundant SM 332; AO 8 x 12
Bit. The actuators are connected to channels 0 and 4. Suitable diodes are, for example, those of
the series 1N4003 ... 1N4007, or any other diode with U_r >=200 V and I_F >= 1 A

 
/
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
0  
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 




 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
9  
0  
 

Figure C-23 Example of an interconnection with SM 332, AO 8 x 12 Bit

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 403
Connection examples for redundant I/Os
C.26 SM 332; AO 4 x 0/4...20 mA [EEx ib], 6ES7 332–5RD00–0AB0

C.26 SM 332; AO 4 x 0/4...20 mA [EEx ib], 6ES7 332–5RD00–0AB0

The diagram below shows the connection of an actuator to two SM 332; AO 4 x 0/4...20 mA [EEx
ib]. The actuator is connected to channel 0.
Suitable diodes are, for example, types from the series 1N4003 ... 1N4007 or any other diode
with U_r >=200 V and I_F >= 1 A

1 1L
2 1N
3

5
6

7
8
9

10

11
12

13

14

15
16

17
18
19

20

1
2

5
6

7
8
9

10

11
12

13

14

15

16

17
18
19
24V
20

Figure C-24 Example of an interconnection with SM 332; AO 4 x 0/4...20 mA [EEx ib]

CPU 410 Process Automation

404 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.27 SM 422; DO 16 x AC 120/230 V/2 A, 6ES7 422–1FH00–0AA0

C.27 SM 422; DO 16 x AC 120/230 V/2 A, 6ES7 422–1FH00–0AA0

The diagram below shows the connection of an actuator to two
SM 422; DO 16 x 120/230 V/2 A. The actuator is connected to channel 0.

1 ----
2 ----
3
4 o ---- 0
5
6 o ---- 1
7
8 o ---- 2
9
10 o ---- 3
11 ---- 1L
12 ----
13 ---- 1N
14 ----
15 o ---- 4
16
17 o ---- 5
18
19 o ---- 6
20
110/220 V 21 o ---- 7
22 ---- 2l
23 ----
24 ---- 2N
25 ----
26 ----
27 o ---- 0
28
29 o ---- 1
1 ---- 30
2 ---- 31 o ---- 2
3 32
4 o ---- 0
33 o ---- 3
5 34 ---- 3L
6 o ---- 1
35 ----
7 36 ---- 3N
8 o ---- 2
37 ----
9 38 ----
10 o ---- 3
39 o ---- 4
11 ---- 1L
40
12 ---- 41 o ---- 5
13 ---- 1N 42
14 ---- 43 o ---- 6
15 o ---- 4 44
16 45 o ---- 7
17 o ---- 5 46 ---- 4L
18 47 ----
19 o ---- 6 48 ---- 4N
20
21 o ---- 7
22 ---- 2l
23 ----
24 ---- 2N
25 ----
26 ----
27 o ---- 0
28
29 o ---- 1
30
31 o ---- 2
32
33 o ---- 3
34 ---- 3L
35 ----
36 ---- 3N
37 ----
38 ----
39 o ---- 4
40
41 o ---- 5
42
43 o ---- 6
44
45 o ---- 7
46 ---- 4L
47 ----
48 ---- 4N

Figure C-25 Example of an interconnection with SM 422; DO 16 x 120/230 V/2 A

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 405
Connection examples for redundant I/Os
C.28 SM 422; DO 32 x DC 24 V/0.5 A, 6ES7 422–7BL00–0AB0

C.28 SM 422; DO 32 x DC 24 V/0.5 A, 6ES7 422–7BL00–0AB0

The diagram below shows the connection of an actuator to two SM 422; DO 32 x 24 V/0.5 A. The
actuator is connected to channel 0. Suitable diodes are, for example, those of the series
1N4003 ... 1N4007, or any other diode with U_r >=200 V and I_F >= 1 A

CPU 410 Process Automation

406 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.28 SM 422; DO 32 x DC 24 V/0.5 A, 6ES7 422–7BL00–0AB0

1
2
3 o
4 o
5
6
7 e.g 1 N 4003
8
9
10
11
12 o
13 o
14 o
15
16
17
18
19
20
21
22
23 o
24 o
25 o
26 o
27
28
29
30
31
32
33
34 o
35
36 o
37 o
38 o
39
40
41
42
43
44
45
46
47 o
48 o
1
2
3 o
4 o
5
6
7 e.g 1 N 4003
8
9
10
11
12 o
13 o
14 o
15
16
17
18
19
20
21
22
23 o
24 o
25 o
26 o
27
28
29
30
31
32
33
34
35 o
36 o
37 o
38
39 o
40
41
42
43
44 24V
45
46 o
47 o
48

Figure C-26 Example of an interconnection with SM 422; DO 32 x DC 24 V/0.5 A

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 407
Connection examples for redundant I/Os
C.29 SM 331; AI 4 x 15 Bit [EEx ib]; 6ES7 331–7RD00–0AB0

C.29 SM 331; AI 4 x 15 Bit [EEx ib]; 6ES7 331–7RD00–0AB0

The diagram below shows the connection of a 2-wire transmitter to two SM 331; AI 4 x 15 Bit
[EEx ib]. The transmitter is connected to channel 1. Suitable Zener diode: BZX85C6v2.


 ZLUH
WUDQVGXFHU



 P$













 0











 









 9


Figure C-27 Example of an interconnection with SM 331, AI 4 x 15 Bit [EEx ib]

CPU 410 Process Automation

408 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.30 SM 331; AI 8 x 12 Bit, 6ES7 331–7KF02–0AB0

C.30 SM 331; AI 8 x 12 Bit, 6ES7 331–7KF02–0AB0

The diagram below shows the connection of a transmitter to two SM 331; AI 8 x 12 Bit. The
transmitter is connected to channel 0.


/


















0



/




7UDQVGXFHU

 9












 9


Figure C-28 Example of an interconnection with SM 331; AI 8 x 12 Bit

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 409
Connection examples for redundant I/Os
C.31 SM 331; AI 8 x 16 Bit; 6ES7 331–7NF00–0AB0

C.31 SM 331; AI 8 x 16 Bit; 6ES7 331–7NF00–0AB0

The figure below shows the connection of a transmitter to two redundant SM 331; AI 8 x 16 Bit.
The transmitter is connected to channel 0 and 7 respectively.

 
 
 
 
 
 
 
 
 
 
 
 
  7UDQVGXFHU
  9
  9
9
 
 
 
 
 

 
 
 
 
 
 
 
 
  ZLUHWUDQVGXFHU
 
8+
 
 
 
˖
 
 
 
8+
 
 
 
 

Figure C-29 Example of an interconnection with SM 331; AI 8 x 16 Bit

CPU 410 Process Automation

410 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.32 SM 331; AI 8 x 16 Bit; 6ES7 331–7NF10–0AB0

C.32 SM 331; AI 8 x 16 Bit; 6ES7 331–7NF10–0AB0

The figure below shows the connection of a transmitter to two redundant SM 331; AI 8 x 16 Bit.
The transmitter is connected to channel 0 and 3 respectively.

 
 
 
 
 
 
 
 
ZLUHWUDQVGXFHU  
8+  
 
 
˖   7UDQVGXFHU
 
9
  9
8+   9
 
 
 
 

 
 
 
 
 
 
 
 
 
 

 
 
 
 
 
 
 
 
 9

 

Figure C-30 Example of an interconnection with SM 331; AI 8 x 16 Bit

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 411
Connection examples for redundant I/Os
C.33 AI 6xTC 16Bit iso, 6ES7331-7PE10-0AB0

C.33 AI 6xTC 16Bit iso, 6ES7331-7PE10-0AB0

The figure below shows the connection of a thermocouple to two redundant SM 331 AI 6xTC
16Bit iso.

 
 
 
 
 
 
 
  7F
 
 
 
 
  7F
 
 
 
 
 
 
 

 
 
 
9
 
 
 
 
 
 
 

 
 
 
 
 
 
 
 
 
 

Figure C-31 Example of an interconnection AI 6xTC 16Bit iso

CPU 410 Process Automation

412 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.34 SM331; AI 8 x 0/4...20mA HART, 6ES7 331-7TF01-0AB0

C.34 SM331; AI 8 x 0/4...20mA HART, 6ES7 331-7TF01-0AB0

The diagram below shows the connection of a 4-wire transmitter to two redundant SM 331; AI
8 x 0/4...20mA HART.

/

0[

9
0[

ZLUH
WUDQVGXFHU
8+

0
8+

/

0[

9
0[

%=;&9
IRUH[DPSOH

Figure C-32 Interconnection example 1 SM 331; AI 8 x 0/4...20mA HART

The diagram below shows the connection of a 2-wire transmitter to two redundant SM 331;
AI 8 x 0/4...20mA HART.

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 413
Connection examples for redundant I/Os
C.34 SM331; AI 8 x 0/4...20mA HART, 6ES7 331-7TF01-0AB0

/

/
ZLUH
0[ WUDQVGXFHU

9
0[

/

0[

9
0[

%=;&9
IRUH[DPSOH

Figure C-33 Interconnection example 2 SM 331; AI 8 x 0/4...20mA HART

CPU 410 Process Automation

414 System Manual, 11/2022, A5E31622160-AE
 Connection examples for redundant I/Os
C.35 SM 332; AO 4 x 12 Bit; 6ES7 332–5HD01–0AB0

C.35 SM 332; AO 4 x 12 Bit; 6ES7 332–5HD01–0AB0

The diagram below shows the connection of an actuator to two
SM 332; AO 4 x 12 Bit. The actuator is connected to channel 0. Suitable diodes are, for example,
those of the series 1N4003 ... 1N4007, or any other diode with U_r >=200 V and I_F >= 1 A

 /


















0


 /






0DQD











 9
0


Figure C-34 Example of an interconnection with SM 332, AO 4 x 12 Bit

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 415
Connection examples for redundant I/Os
C.36 SM332; AO 8 x 0/4...20mA HART, 6ES7 332-8TF01-0AB0

C.36 SM332; AO 8 x 0/4...20mA HART, 6ES7 332-8TF01-0AB0

The diagram below shows the connection of an actuator to two SM 332; AO 8 x 0/4...20 mA
HART.

/

&K[

&K[

/

&K[

&K[

9
0

Figure C-35 Interconnection example 3 SM 332; AO 8 x 0/4...20mA HART

CPU 410 Process Automation

416 System Manual, 11/2022, A5E31622160-AE
Index
Communication
CPU services, 293
A Open IE communication, 303
S7 communication, 295
A&D Technical Support, 14
Communication blocks
Analog output signals, 90
Consistency, 327
Applied value, 86
Communication functions, 337
Availability
Communication processors, 377
Definition, 370
Communication services
I/O, 61
Overview, 293
of systems, 59
S7 communication, 296
Communication via MPI and communication bus
Cycle load, 346
B Comparison error, 110
Basic knowledge Components
required, 12 Basic system, 22, 24
Basic system, 22, 24 Duplicating, 59
Behavior of the CPU, 156, 157, 177, 178, 185, 186 Connecting with diodes, 380
after download of the configuration in RUN, 186 Connection
during re-configuration, 178 Fault-tolerant S7, 307
during re-configuring, 156 S7, 307
Effects on the operating system functions, 185 Consistent data
Block type Accessing work memory, 328
Update with S7-410 AS, 135 Continued bumpless operation, 102
Bus connectors, 41 CPU
PROFIBUS DP interface, 41 Resetting to the factory settings, 136
Bus interrupt, 286 CPU 410
Bus topology, 283 DP master:diagnostics with LEDs, 45
BUS1F, 38 I/O, 27
BUS5F, 38 Operator controls and display elements, 31
BUS8F, 38 Parameter, 44
BUSF, 45 CPU 410-5H
Configuration and programming, 28
CPU redundancy errors, 292, 340
C Cycle control
Execution time, 348
CC, 22
Cycle load
Central controller (CC), 22
Communication via MPI and communication
Central processing unit, 22, 24
bus, 346
Central system clock, 145
Cycle time, 344
Checksum errors, 110
Elements, 345
CiR, 149, 151, 160, 161
Extending, 346
CiR element, 162
Cyclic self-test, 111
CiR elements, 162, 164
I/O address areas, 163
Types, 162
CiR module, 162, 163
D
CiR object, 162, 163 Defining CiR elements, 165, 166
CiR synchronization time, 186 Exact procedure, 166
Cold restart, 97 Overview, 165

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 417
Index

Deleting CiR elements, 165, 168 Fault-tolerant connections

Exact procedure, 168 Configuration, 320
Overview, 165 Programming, 310, 321
Diagnostic addresses, 46 FB 450 RED_IN, 76
Diagnostic addresses for PROFIBUS, 46 FB 451 RED_OUT, 76
Diagnostics FB 452 RED_DIAG, 76
Evaluating, 285 FB 453 RED_STATUS, 76
Diagnostics buffer, 40 FC 450 RED_INIT, 76
Digital output FC 451 RED_DEPA, 76
Fault-tolerant, 85, 90 Fiber-optic cable, 25
Direct current measurement, 89 Cable pull-in, 235
Direct I/O access, 355 Installation, 233
Discrepancy Replacement, 220, 221
Digital input modules, 83 Selection, 235
Discrepancy time, 83, 86 Storage, 234
Documentation, 16 Function modules, 377
DP interface, 41 Functional I/O redundancy, 76
DP master
Diagnostics using LEDs, 45
DP master system G
Startup, 45
Gateway, 297

E H
Encoders
Hardware
Double redundant, 85
Components, 22, 24
Error LEDs, 38
Hardware interrupt processing, 362
CPU 410, 39
Hardware interrupt response time
Error messages, 35
of signal modules, 362
EU, 22
of the CPU, 361
Execution time
Hardware requirements, 160
Cycle control, 348
H-CiR, 93
Operating system, 348
HOLD, 98
Process image update, 346
Hotline, 14
User program, 346
External diodes, 379
EXTF, 38
I
I/O, 27
F Switched, 58, 63
I/O redundancy, 74
Factory settings, 136
I/O redundancy errors, 292, 340
fail-safe, 19
IE communication, 304
Fail-safe, 57
Data blocks, 304
Failure of a redundancy node, 61
IFM1F, 39
Failure of components
IFM2F, 39
of distributed I/Os, 224
Indirect current measurement, 87
fault-tolerant, 19
Initial configuration, 162
Fault-tolerant, 57
Installation types
Fault-tolerant communication, 306
I/O, 61
Interface
PROFINET, 33

CPU 410 Process Automation

418 System Manual, 11/2022, A5E31622160-AE
 Index

INTF, 38 Memory reset, 97

IO Sequence, 112
Redundant, 72 Message functions, 337
IO redundancy, (Redundant I/O) Minimum I/O retention time
IP address Calculation, 119
Assigning, 41 Definition, 115
Monitoring functions, 35
Monitoring times, 115
L Accuracy, 118
Configuration, 118
LED
MRP (Media Redundancy Protocol), 92
BUSF, 45
MSTR, 38
LED displays, 31
MTBF, 367, 371
LINK, 39
Multiple-bit errors, 111
LINK1 OK, 40
LINK2 OK, 40
Link-up, 113, 114, 117, 330, 334, 339, 343
Flow chart, 332
N
Monitoring times, 343 Network configuration, 291
Sequence, 334 Network functions
Time response, 117 S7 communication, 296
LINK-UP, 98 Networking configuration, 291
Link-up and update Non-redundant encoders, 84, 87
Disabling, 339
Effects, 113
Sequence, 330 O
Starting, 330
OB 121, 109
Link-up with master/standby changeover, 335
Online help, 12
Link-up, update, 95
Operating mode
Load memory, 338
Changing, 53
Loss of redundancy, 102
Operating objectives, 57
Operating state changes, 286
Operating states
M LINK-UP, 98
MAINT, 40 STARTUP, 97
Manual System, 104
Purpose, 11 UPDATE, 98
Scope of validity, 12 Operating system
Master CPU, 101 Execution time, 348
Master-standby assignment, 101 Optional software, 28
Maximum communication delay Organization blocks, 292, 340
Calculation, 123 Overview
Definition, 115 PROFINET IO functions, 48
Maximum cycle time extension
Calculation, 123
Definition, 115 P
Maximum inhibit time for priority classes > 15
Parameter, 44
Calculation, 119
Parameter assignment tool, 44
Definition, 115
Parameter block, 44
MDT, 367
PG functions, 293
Media redundancy protocol (MRP), 92
Plant changes via CiR, 152
Overview, 152

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 419
Index

Plant changes with CiR, 169 Redundant encoders, 85

Overview, 169 Analog input modules, 89
Power supply, 22, 24 Redundant I/O, 57, 72
Precision Analog input modules, 86
Time stamping, 145 Configuration, 78
Process image update Digital input modules, 83
Execution time, 346 Digital output modules, 85
PROFIBUS address, 45 in the switched DP device, 75
PROFIBUS DP Redundant system mode, 95
System status list, 287 Reliability, 367
PROFIBUS DP interface, 32 Removing a channel previously used, 159, 180
PROFINET, 41, 47 Replacement during operation
Device replacement without removable of distributed I/Os, 224
medium, 49 Requirements, 149, 150
Media redundancy, 92 Response time
PROFINET interface, 33 Calculation of the, 353, 354
PROFINET interfaces Elements, 351
Properties, 42 Longest, 354
PROFINET IO Reducing, 355
Overview of functions, 48 Shortest, 353
System status list, 287 Response to time-outs, 116
Protection level, 128 Routing, 297
Setting, 128 Rules for assembly, 26, 288
purpose, 19 RUN, 37
RX/TX, 39

R
Rack, 24
S
RACK0, 38 S7 communication, 295
RACK1, 38 Description, 296
RAM/PIQ comparison error, 110 S7 connections
Reading data consistently from a DP standard configured, 321
device, 329 of the CPU 410-5H, 294
Recommendations, 151, 161 S7 routing
Reconfiguring, 177 Access to stations on other subnets, 297
Requirements, 177 Application example, 298
Re-configuring, 155, 156, 157, 159, 177, 179, 180 Gateway, 297
a previously used channel, 157, 179 Requirements, 297
Behavior of the CPU, 156, 177 S7-400H
Removing a channel previously used, 159, 180 Blocks, 292, 340
Requirements, 155 Documentation, 16
using a previously unused channel, 157, 179 User program, 292, 340
Re-configuring a previously used channel, 157, 179 S7-410 AS
REDF, 39 Update block type in RUN, 135
Redundancy S7-REDCONNECT, 318, 319
Active, 101 Save service data, 139
Redundancy nodes, 59, 307 Scope of validity
Redundant analog output modules, 90 of the manual, 12
redundant automation systems, 19 Self-test, 102, 109
Redundant automation systems, 57 Services
Redundant communication system, 306 S7 communication, 296
SFB 14, 328

CPU 410 Process Automation

420 System Manual, 11/2022, A5E31622160-AE
 Index

SFB 15, 328 Status displays

SFBs CPU 410, 37
S7 communication, 296 Status word, 92
SFC 109 PROTECT, 129 STOP, 37
SFC 14 DPRD_DAT, 329 Subconnection
SFC 15 DPWR_DAT, 329 Active, 309
Signal modules for redundancy, 78 Switch to CPU with modified configuration, 338
SIMATIC Manager, 293 Synchronization, 102
Simple Network Management Protocol, 302 Event-driven, 102
Single mode, 95 Synchronization module
Single-bit errors, 111 Function, 229
Single-channel switched I/O, 58, 63 Replacement, 220, 221
Failure, 67 Synchronization modules, 25
Slot for synchronization modules, 32 Technical specifications, 232
SM 321; DI 16 x AC 120/230 V System design, 184, 185
Example of an interconnection, 385 ET200iSP Stations, 185
SM 321; DI 16 x DC 24 V ET200M Stations, 184
Example of an interconnection, 383 System planning, 181
SM 321; DI 32 x DC 24 V DP and PA devices, 181
Example of an interconnection, 384 ET 200M stations, 181
SM 321; DI 8 x AC 120/230 V System states, 104
Example of an interconnection, 386 System status list
SM 322; DO 32 x DC 24 V Compatibility, 287
Example of an interconnection, 397
SM 322; DO 8 x DC 24 V
Example of an interconnection, 396 T
SM 422; DO 16 x 120/230 V/2 A
Technical Support, 14
Example of an interconnection, 405
Time information
SNMP, 302
Synchronized, 145
Software requirements, 150
Time monitoring, 114
SSL
Time response, 124
W#16#0696, 288
Time stamp, 145
W#16#0A91, 288
Time stamping
W#16#0C75, 287
Functionality, 145
W#16#0C91, 287
Precision, 145
W#16#0C96, 288
Requirements, 145
W#16#0x94, 287
Resolution, 145
W#16#4C91, 287
Using, 145
W#16#xy92, 287
Time synchronization, 145
Stand-alone operation
Time-of-day stamping (1 ms), 145
Configuring, 52
Time-out, 116
Definition, 51
Tolerance window, 86
Points to note, 51
Tools, 28
to a fault-tolerant system, 52
Standby CPU, 101
Startup, 98
Startup
U
DP master system, 45 Undo function, 175
Startup processing, 97 Undoing changes, 175
Startup time monitoring, 45 Update, 113, 114, 117, 330, 339, 343
Startup types, 97 Block types in multiproject with S7-410 AS, 135
Status byte, 92 Minimum input signal duration, 334

CPU 410 Process Automation

System Manual, 11/2022, A5E31622160-AE 421
Index

Monitoring times, 343
Sequence, 335
Time response, 117
UPDATE, 98
Usable CPs, 319
User program, 292, 340
User program execution time, 346
Using
Time stamping, 145
Using a previously unused channel, 157, 179
Using CiR elements in RUN, 172

W
Warm restart, 97, (Warm restart)
Work memory, 338
Writing data consistently to a DP standard
device, 329

CPU 410 Process Automation

422 System Manual, 11/2022, A5E31622160-AE