GMP Simatic Wincc Flex2007 en
SIMATIC WinCC flexible 2007
GMP Engineering Manual
Guidelines for Implementing Automation Projects in a GMP Environment

Introduction, Table of Contents
1 Configuring in a GMP Environment
2 Requirements of Computer Systems in a GMP Environment
3 System Specification
4 System Installation
5 Project settings
6 Creating Application Software
7 Support During Qualification
8 Operation, Maintenance and Servicing
9 System Updates and Migration
Index
04/2008
A5E02147610-01
Safety Guidelines
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring to property damage only have no safety alert symbol. The notices shown below are graded according to the degree of danger.
Danger
indicates that death or severe personal injury will result if proper precautions are not taken.
Warning
indicates that death or severe personal injury may result if proper precautions are not taken.
Caution
with a safety alert symbol indicates that minor personal injury can result if proper precautions are not taken.
Caution
without a safety alert symbol indicates that property damage can result if proper precautions are not taken.
Notice
indicates that an unintended result or situation can occur if the corresponding notice is not taken into account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.
Qualified Personnel
The device/system may only be set up and used in conjunction with this documentation. Commissioning and operation of a device/system may only be performed by qualified personnel. Within the context of the safety notices in this documentation qualified persons are defined as persons who are authorized to commission, ground and label devices, systems and circuits in accordance with established safety practices and standards.
Prescribed Usage
Note the following:
Warning
This device and its components may only be used for the applications described in the catalog or the technical description, and only in connection with devices or components from other manufacturers which have been approved or recommended by Siemens. Correct, reliable operation of the product requires proper transport, storage, positioning and assembly as well as careful operation and maintenance.
Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.
Siemens AG, Industry Automation, Postfach 4848, 90026 NÜRNBERG, GERMANY
A5E02147610-01, 04/2008
Copyright Siemens AG 2008
Technical data subject to change
Introduction
Purpose of this manual
This manual describes what is required, from the pharmaceutical and regulatory viewpoint of Good Manufacturing Practice (the GMP environment), of the computer system, the software and the procedure for configuring SIMATIC WinCC flexible. Practical examples are used to explain the relationship between requirements and implementation.
Intended audience
This manual is intended for all plant operators (users), those responsible for control system designs for specific industries, project managers and engineers, servicing and maintenance personnel who use the process control technology in the GMP environment. It describes solutions for implementing automation plans with SIMATIC WinCC flexible in situations where the principles of GMP are mandatory.
Disclaimer of liability
This manual is a guideline for system users and engineers for integrating SIMATIC WinCC flexible HMI systems in the GMP environment as it relates to validation while taking 21 CFR Part 11 into account. We have checked that the contents of this document correspond to the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. The information in this document is checked regularly for system changes or changes to the regulations of the various organizations and necessary corrections will be included in subsequent issues. We welcome any suggestions for improvement and ask that they be sent to the A&D Competence Center Pharma in Karlsruhe (Germany).
Conventions
The following conventions are used in this manual.
Procedures that include numerous tasks are presented in tables and numbered in the order they should be carried out.
Operating instructions involving only a few steps are indicated by a bullet point (•).
References to other manuals are shown in bold italic.
Additional support
Please contact your local Siemens representative if you have any queries about the products described in this manual. You will find information on who to contact at: http://www.siemens.com/automation/partner
A signpost to the documentation of the various SIMATIC products and systems is available at: http://www.siemens.de/simatic-tech-doku-portal
You will find the online catalog and order system at: http://mall.automation.siemens.com/
If you have questions on the manual, please contact the Competence Center Pharma:
E-mail: pharma.aud@siemens.com
Fax: +49 721 595 6930
Additional information about the products, systems and services from Siemens for the pharmaceutical industry can be found at: http://www.siemens.com/pharma
Training Center
We offer courses to help get you started with the SIMATIC WinCC flexible HMI system. Please contact your regional training center or the central training center in 90327 Nuremberg, Germany.
Phone: +49 911 895 3200
Internet: http://www.sitrain.com
Technical Support
You can reach Technical Support for all Industry Automation products:
Via the web form for the Support Request: http://www.siemens.com/automation/support-request
Phone: +49 180 5050 222
Fax: +49 180 5050 223
Additional information about our Technical Support can be found on the Internet pages http://www.siemens.com/automation/service
Table of Contents

Introduction
Table of Contents
1 Configuring in a GMP Environment
  1.1 Life Cycle Model
  1.2 Regulations, Guidelines and Recommendations
  1.3 Responsibilities
  1.4 Approval and Change Procedure
2 Requirements of Computer Systems in a GMP Environment
  2.1 Hardware Categorization
  2.2 Software Categorization
  2.3 Configuration Management
    2.3.1 Configuration Identification
    2.3.2 Configuration Control
  2.4 Software Creation
    2.4.1 Using typicals for programming
    2.4.2 Identifying software modules/typicals
    2.4.3 Changing software modules/typicals
  2.5 Access Protection and User Administration
    2.5.1 Applying access protection to a system
    2.5.2 Requirements of user IDs and passwords
    2.5.3 Smart cards and biometric systems
  2.6 Electronic Signatures
    2.6.1 Conventional electronic signatures
    2.6.2 Electronic signatures based on biometrics
    2.6.3 Security measures for user IDs / password
  2.7 Audit Trail
  2.8 Time Synchronization
  2.9 Archiving Data
  2.10 Reporting Batch Data
    2.10.1 Components of batch documentation
    2.10.2 Components of the manufacturing log
    2.10.3 The uses of electronic batch data
    2.10.4 Requirements of electronic records
  2.11 Data Backup
    2.11.1 Backup of application software
    2.11.2 Backup of process data
  2.12 Retrieving Archived Data
  2.13 Use of Third-Party Components
3 System Specification
  3.1 Specification of Visualization Hardware
    3.1.1 Selecting hardware components
    3.1.2 Hardware specification
  3.2 System and Network Security
  3.3 Specification of Basic Software
    3.3.1 Access protection and user administration
    3.3.2 Engineering
    3.3.3 Runtime software
    3.3.4 Interfacing to higher-level IT systems
  3.4 SIMATIC Additional Software
    3.4.1 WinCC Premium add-ons
  3.5 Application Software Specifications
  3.6 Utilities and Drivers
    3.6.1 Printers / printer drivers
    3.6.2 Antivirus tools
    3.6.3 Image & Partition Creator
4 System Installation
  4.1 Installing the Operating System
  4.2 Installing the System Software
    4.2.1 Installing SIMATIC WinCC flexible
    4.2.2 Installing the SIMATIC WinCC flexible options
    4.2.3 Installing utilities and drivers
  4.3 Setting up User Administration
    4.3.1 Local User Administration
    4.3.2 Centralized user administration
    4.3.3 Setting up user groups in WinCC flexible
    4.3.4 Setting up users in WinCC flexible
    4.3.5 Security settings with local user administration
    4.3.6 Security settings with centralized user administration
  4.4 Access Protection with SIMATIC Logon
    4.4.1 User management in Windows
    4.4.2 Security settings in Windows
    4.4.3 Configuration of SIMATIC Logon
5 Project settings
  5.1 Project Manager
  5.2 Multilingual Projects
  5.3 SIMATIC NET Settings
  5.4 Time Synchronization
    5.4.1 Set time
    5.4.2 Transferring the CPU system time to the HMI device
    5.4.3 Transferring the HMI device system time to the CPU
    5.4.4 Synchronization of the SIMATIC Logon server
  5.5 Support for Configuration Management
    5.5.1 Defining configuration elements
    5.5.2 Versioning of configuration elements
    5.5.3 Versioning the application software
6 Creating Application Software
  6.1 Creating Process Screens
  6.2 Setting Access Protection for an Object
  6.3 Creating VB Scripts
  6.4 Setting up the Audit Trail
    6.4.1 Generating audit trail entries
    6.4.2 Display of the audit trail
  6.5 Electronic Signature
  6.6 Recipe Management with the Recipe Option
  6.7 Recording and Archiving Data Electronically
    6.7.1 Setting up data and alarm logs
    6.7.2 Archiving data logs, alarm logs and audit trails
    6.7.3 Restricting access to the network drive
    6.7.4 Batch-oriented data recording
  6.8 Reporting
    6.8.1 Standard reporting
    6.8.2 Batch-based reporting
  6.9 Backups of System / Application Software
    6.9.1 Backing up application software from the engineering system
    6.9.2 Backing up the operating system and SIMATIC WinCC flexible
    6.9.3 Backing up the operating system and the application software of an HMI device (panel)
  6.10 Interfacing to SIMATIC WinCC
    6.10.1 Centralized user administration
    6.10.2 Central audit trail for multiple WinCC flexible systems
    6.10.3 Central process value archiving and central alarm management
    6.10.4 Central recipe control and recipe management
  6.11 Interfacing SIMATIC S7
  6.12 WinCC flexible Integrated in STEP 7
  6.13 Uninterruptible Power Supply
7 Support During Qualification
  7.1 Qualification Planning
  7.2 Qualification of the Visualization Hardware
  7.3 Qualification of the Visualization Software
    7.3.1 Software categorization according to the GAMP guide
    7.3.2 Qualification of standard software
    7.3.3 Qualification of the Application Software
  7.4 Checking the Configuration: Versioning and Archiving Projects
  7.5 Tracking Configuration Changes
8 Operation, Maintenance and Servicing
  Diagnostics of Communication Connections
  Operational Change Control
  Restoring the System
9 System Updates and Migration
  Updates, Service Packs and Hotfixes
  Migration of the Application Software
Index
1.1
Life Cycle Model
[Figure: life cycle model. Labels: URS, FS, DS, Specification, Module Development, Application Development, Module Testing, System Build, Testing, FAT, SAT, IQ, OQ, PQ, VR, Traceability Matrix]
Validation Plan
The Validation Plan (VP) specifies the overall strategy and specifies the parties responsible for the validation of a system in its operational environment [PDA, GAMP 4]. In the case of complex plants (for example a production line with multiple processes and automation systems), a further distinction can be made between a higher-level master document (Validation Master Plan, also referred to as VMP or MVP) and VPs valid only for individual plants and systems. See also GAMP 4, Appendix M1 "Guideline for Validation Planning".
Qualification Plan
In contrast to the Validation Plan, a Qualification Plan (QP) describes the qualification activities in detail. It defines the tests to be performed and indicates the dependencies. The Qualification Plan follows a Validation Plan. Due to the similar contents of both documents, it is possible to combine the QP and the QPP.
Specification
The specification phase starts with the creation of the User Requirements Specification (URS). As a rule, the URS is created by the user and describes the requirements which the system has to meet. Once the URS has been created, a Functional Specification (FS) is created, usually by the supplier. The FS specifies the requirements defined in the URS more precisely at the functional level. The subsequent Design Specification (DS) contains detailed requirements related to building the system. The functional and design specifications both form the basis for later qualification and validation tests.
The following issues also have to be addressed during the function and design specification phases:
• Software structure
• Programming standards
• Naming conventions
• File naming convention
See also GAMP 4, Appendix D3 "Example Procedure for the Production of a Hardware Design Specification" and Appendix D4 "Example Procedure for the Production of Software Design Specifications and Software Module Design Specifications".
System Build
The system is implemented in accordance with the Design Specification during the system build phase. Along with the procedures defined in the QPP and additional guidelines (coding standards, naming conventions, and data backups, for example), change management also plays an important role and is intended to allow changes to and deviations from the original specifications to be tracked. See also GAMP 4, Appendix M8 "Guideline for Project Change Control" and Appendix M10 "Guideline for Document Management".
FAT
Once the system build phase is complete, a Factory Acceptance Test (FAT) is often carried out on the supplier premises and documented. This allows any programming errors to be identified and remedied prior to delivery. The aim of the FAT is for the customer to accept the system for delivery in its tested state.
SAT
The Site Acceptance Test (SAT) demonstrates that a computer system works within its target operating environment with interfaces to the instrumentation and plant sections according to the specification. Depending on the project, the SAT can be combined with commissioning, the IQ and/or OQ.
Qualification Report
The Qualification Report (QR) summarizes the results of the tests performed, based on the Qualification Plan, and confirms that the qualification phases have been completed successfully.
Validation Report
The validation report (VR) sums up the results of the individual validation steps and confirms the validated status of the system. The creation of both the Validation Plan and the Validation Report is the responsibility of the customer.
1.2
Regulations, Guidelines and Recommendations
Author / organization, title, type and where applicable:
US FDA (law, regulation):
• Electronic records; electronic signatures
• Current good manufacturing practice in manufacturing, processing, packing, or holding of drugs; general
• Current good manufacturing practice for finished pharmaceuticals
European Commission Directorate General III:
• Computerised Systems (guideline, Europe)
ISPE:
• GAMP 4 Guide for Validation of Automated Systems (worldwide)
• Validation of Process Control Systems
NAMUR:
• Operation and Maintenance of Validated Systems
Note
This manual is based on the requirements of GAMP 4 and US 21 CFR Part 11.
NAMUR Recommendations
NAMUR recommendations are field reports compiled by the "User Association of Process Control Technology in Chemical and Pharmaceutical Industries" for their members to use on an optional basis. They should not be viewed as standards or guidelines. The NAMUR recommendations below are of particular interest for the configuration and use of computer systems in a GMP environment: NE 71 "Operation and Maintenance of Validated Systems"
1.3
Responsibilities
Responsibilities for the activities included in the individual life cycle phases must be defined when configuring computer systems in a GMP environment and creating relevant specifications. Since this definition is usually specific for customers and projects and requires a contractual agreement, we recommend that the definition is integrated into the quality and project plan, see also GAMP 4 Appendix M6.
1.4
2.1
Hardware Categorization
According to GAMP 4 Appendix M4, hardware components are divided into two hardware categories. The hardware categories are listed below:
2.2
Software Categorization
According to the GAMP Guide for Validation of Automated Systems, the software components of a system are assigned to various software categories. This ranges from commercially available software packages that simply need to be installed or configured to freely programmed software. When commercially available software packages are used, the name and version must be described and checked in a documented test. Customer requirements (such as access protection, alarms or calculations) must be specified and also tested in documented tests. Project-specific configurations of configurable software must be additionally specified and then tested in documented tests. When software was developed especially for one customer, a detailed software specification must be created; functional tests of the software but also structural software tests (code reviews) should be performed. The effort involved in testing software in the higher categories is considerably greater than for software in the lower categories. Time and effort spent on testing can be reduced by using as much standardized software as possible.
2.3
Configuration Management
GAMP 4 defines configuration management as the activity necessary to precisely define an automated system at any point during its life cycle, from initial development right through to decommissioning of the system. Configuration management involves using administrative and technical procedures in order to:
• Identify and define basic system components and to specify them in general
• Control changes to and approvals of elements
• Record and document element statuses and modifications
• Ensure elements are complete, consistent, and correct
• Check storage, handling, and delivery of elements
Configuration management comprises the following activities:
• Configuration identification (what is to be kept under control)
• Configuration control (how the control is performed)
• Configuration status report (how the control is documented)
• Configuration evaluation (how the check is verified)
2.3.1
Configuration Identification
Version and change management is only practical in an appropriate configuration environment. Siemens therefore identifies every software and hardware package using a unique product code (machine-readable product code - MLFB) and version identifier. For the application software, the parts of a computer system that are subject to configuration management should be clearly specified. The system should be divided into configuration elements to this end. These configuration elements should be defined at an early stage of system creation to ensure that a complete list of these elements can be created and maintained. Application-specific elements should have a unique ID (name or identification number). The amount of detail required when defining elements is determined by the requirements of the system and the supplier who is developing the application.
2.3.2
Configuration Control
The maintenance of configuration elements must be checked at regular intervals, for example in reviews. Particular attention must be paid to change control and the associated version control. Archiving and release of individual configuration items should also be taken into account.
Versioning
To ensure correct change management, the configuration elements must be versioned. The version must be updated each time a change is made.
Change Control
Suitable control mechanisms must be in place during configuration in order to ensure that changes are documented and transparency achieved. The control mechanisms can be described by means of SOPs and should cover the following:
• Software versioning
• Specifications such as programming guidelines, naming conventions, etc.
• Safeguarding of the traceability of changes to program codes
• Unique identification of software and all components contained within
2.4
Software Creation
Certain guidelines should be followed during software creation, which are then documented in the quality and project plan (GEP idea). Software creation guidelines can be found in the GAMP Guide as well as the relevant standards and recommendations.
2.4.1
2.4.2
2.4.3
2.5
Access Protection and User Administration
The system owner or an employee (administrator) nominated by the user controls the assignment and management of access rights to ensure that access is suitably restricted.
2.5.1
2.5.2
Requirements of user IDs and passwords
To comply with the Windows guidelines for password complexity, at least three of the criteria listed should be used in the password in addition to the minimum length.
2.5.3
2.6
Electronic Signatures
An electronic signature is computer-generated information that acts as a legally binding equivalent of a handwritten signature. Regulations concerning the use of electronic signatures are defined, for example, in US FDA 21 CFR Part 11. Electronic signatures are of practical relevance, for example, when entering data and intervening manually during runtime, approving process actions and data reports, and changing recipes. Each electronic signature must be assigned uniquely to one person and must not be used by any other person. Electronic signatures can be biometrically based or the system can be set up without biometric features.
Note
The regulations contained in 21 CFR Part 11, published by the FDA, must be satisfied in the manufacture of all pharmaceutical products and medical devices intended for the US market.
2.6.1
2.6.2
2.6.3
2.7
Audit Trail
The audit trail is a system control mechanism that ensures that data entries or modifications can be traced. A secure audit trail is particularly important when GMP-relevant electronic records are created, modified or deleted. In this case, the audit trail must document all the changes or actions made along with the date and time. Typical contents of an audit trail must be recorded and describe the procedures "who changed what and when" (old value/new value). The audit trail records themselves must be archived for a defined period according to the stipulations of the specification documents. There must be adequate hard disk space to allow the entire Audit Trail to be stored until the next transfer to an external data medium. The systems used must ensure adequate data security (for example redundant systems, standby systems, mirrored hard disks based on RAID 1).
2.8
Time Synchronization
A uniform time reference (including a time zone reference) must be guaranteed within a system, to be able to assign an unequivocal time stamp for archiving messages, alarms etc. Time synchronization is especially important for archiving data and analyzing problems in a system. UTC (Universal Time Coordinated, defined in ISO 8601) is recommended as the time base for saving data.
2.9
Archiving Data
Electronic archiving refers to the permanent safekeeping of a computer system's electronic data and records in long-term storage. [1] The customer is responsible for defining procedures and controls relating to the safekeeping of electronic data. Based on predicate rules (EC GMP Guide, 21 CFR Part 210, 21 CFR Part 211, etc.), the customer must decide how electronic data will be stored and, in particular, which data will be involved. This decision must be founded on a sound and documented risk assessment, which also takes into account the relevance of the electronic data over the time period it is to be archived. The customer should define the following requirements [2]:
- Whether any archiving is even required for the application in question (backup/restore functionality could deviate from the archive functionality)
- Required archiving duration for the relevant data, based on legal and commercial requirements
- An archiving procedure that ensures that data covering the entire storage period can be read back and that allows simple migration of data formats
Process values (often in the form of trends), messages (alarms, warnings, etc.), audit trails, and, where necessary, other data can be logged for SIMATIC systems. The memory space on a system's data carriers is restricted. Data can be swapped out to external data carriers at regular intervals in order to free up space on these system data carriers. If logged data is migrated or converted, the integrity of that data must be safeguarded throughout the entire conversion process. [3]
[1] "Good Practice and Compliance for Electronic Records and Signatures. Part 1, Good Electronic Records Management". ISPE/PDA 2001.
[2] "Good Practice and Compliance for Electronic Records and Signatures. Part 3, Models for Systems Implementation and Evolution". PDA 2004.
[3] "Good Practice and Compliance for Electronic Records and Signatures. Part 3, Models for Systems Implementation and Evolution". PDA 2004.
2.10
2.10.1
The manufacturing log (or packaging log) has a central significance here as defined below:
- The manufacturing log is always both product-related and batch-related.
- It is always based on the relevant parts of the valid manufacturing formula and processing instructions.
- It records all measurement and control procedures relevant to the process as actual values.
- It compares these with the specified set point values
2.10.2
2.10.3
2.10.4
2.11
Data Backup
In contrast to the archiving of electronic data, data backups are used to create backup copies that allow the system to be restored if the original data or entire system is lost. [4] The backup procedure must include the periodic backup of volatile information to avoid total loss of data due to defective system components or inadvertent deletion of data. Backup procedures must be tested to ensure that data is saved correctly. Backup records should be labeled clearly and intelligibly and dated. [5] Data backups are created on external data carriers. The data carrier used should comply with the recommendations of the device manufacturer. When backing up electronic data, a distinction is made between software backups (for example application software, partition images) and logged data backups. Here, particular attention is paid to the storage of data backup media (storage of the copy and original in different locations, protection from magnetic fields, and elementary damage).
2.11.1
[4] "Good Practice and Compliance for Electronic Records and Signatures. Part 1, Good Electronic Records Management". ISPE/PDA 2001.
[5] "Electronic Records and Electronic Signatures Compliance Assessment". Chris Reid & Barbara Mullendore, PDA 2001.
2.11.2
2.12
2.13
System Specification
During the specification phase for a computer system, the system to be set up and its functionality are defined in as much detail as is required for building the system. This also includes the selection of products, product versions/options, and system configurations. In the following schematic, the label on the left shows the phase of the specification.
[Schematic: life cycle model with the labels "Test/Qualification" and "Specification"]
3.1
3.1.1
Note Although it is technically possible to access several automation stations with the same address with the Mobile Panel 277 by changing the connections, you should nevertheless always assign different addresses to the automation stations to prevent incorrect addressing.
Note Technical details about the panels and the panel PCs are listed in the current SIMATIC HMI ST80 catalog or can be viewed using the link https://mall.automation.siemens.com and HMI Selection Help under Product Configurators.
3.1.2
Hardware specification
The Hardware Design Specification (acronym: HDS) describes the hardware architecture and configuration. The HDS should, for example, define the points listed below. This specification is used later as a test basis for the IQ and OQ.
- Hardware overview diagram
- PC components and/or operator panels
- Network structure and IT infrastructure (for example domain server)
Other hardware specifications are also relevant to the visualization system, for example those of the automation system with CPUs, I/O cards, field devices etc. The HDS can be formulated as part of the Functional Specification or in a separate document.
Note The information in the hardware overview plan and the naming of the hardware components must be unique, in other words, the name of each hardware component may only occur once in the automation system.
Note Recommendations relating to the required content can be found in GAMP 4, Appendix D3.
3.2
3.3
3.3.1
3.3.2
Engineering
The WinCC flexible engineering software is offered in several versions that reflect performance levels and are matched to the hardware. The SIMATIC WinCC flexible Standard engineering software can be used for panels of the 270 / 370 series, and the SIMATIC WinCC flexible Advanced engineering software can be used for panels of the 270 / 370 series and for panel PCs or standard PCs.
3.3.3
Runtime software
The basic software for runtime operation is not required for panels because it is already available on them. Panel PCs and standard PCs require the installation of the licensed SIMATIC WinCC flexible Runtime (RT) software package, which is available with a varying number of Power Tags (external tags).
Audit trail
The licensed WinCC flexible /Audit option is tailored to the requirements of FDA 21 CFR Part 11. Using this option, operator interventions in the ongoing process can be recorded in an audit trail in WinCC flexible along with a time stamp and comment. Another feature is the assignment of electronic signatures that can be configured for important operator interventions.
Recipe management
The recipe management function is integrated in WinCC flexible. A recipe can be created from several data records. The number of configurable recipes and data records depends on the performance level of the employed panel. The WinCC flexible /Recipes option requires a license in combination with the WinCC flexible RT software (for panel PCs, for example).
Data archiving
The data archiving management functionality is integrated in WinCC flexible. Tags, alarm logs and audit trails can be archived. The number of logs and entries depends on the performance level of the employed panel. On a panel, the logged data can be stored either on a memory card or on a network drive when available. The size of the log depends on the available storage capacity. The WinCC flexible /Archives option requires a license in combination with the WinCC flexible RT software (for panel PCs, for example).
Reporting
With WinCC flexible, individual alarms can be logged line-by-line and alarm logs, recipe data and current process values can be output as reports.
3.3.4
3.4
3.4.1
3.5
provided that these have not already been adequately defined in the FS.
Note Additional information relating to the required content is available in GAMP 4, Appendix D4.
3.6
3.6.1
3.6.2
Antivirus tools
The use of virus scanners on panel PCs and standard PCs in process mode with WinCC flexible is permitted. For more information about selecting and configuring virus scanners and updating them, refer to the WinCC flexible readme files. If virus scanners are used, the following settings should be observed:
- The real-time search is one of the most important functions. It is sufficient, however, to only check incoming data traffic.
- The time-controlled search must be deactivated, as it significantly limits system performance in process mode.
- A manual search should not be executed in process mode. It can be performed at regular intervals, e.g. during maintenance cycles.
3.6.3
4
System Installation
4.1
Installing the Operating System
The SIMATIC panels and SIMATIC panel PCs differ in regard to the software installation for HMI devices.
SIMATIC panels
SIMATIC panels are preinstalled with the MS Windows CE operating system.
Note If the installed MS Windows CE version of the SIMATIC panel does not correspond to the version required by the WinCC flexible system software, WinCC flexible provides images for upgrading the firmware. For more information, refer to the WinCC flexible Information System > Transfer of Operating Systems.
4.2
4.2.1
You can also integrate WinCC flexible in STEP 7 at a later point in time. The project created with the engineering software is compiled and transferred to the panel. The project can then be started for runtime operation. No additional runtime software is required for the panel. Panel PCs or standard PCs used as HMI stations require the installation of the WinCC flexible RT software and a license key to run a configured WinCC flexible project.
4.2.2
License key for WinCC flexible option / ChangeControl Logs Recipes Audit OPC server
License keys for panels are transferred to the panel via the Engineering System. The procedure is described in the WinCC flexible Information System.
4.2.3
With panel PCs and standard PCs, it is advisable to use the standard printer drivers integrated in the operating system because these drivers have been tested (including continuous duty tests).
4.3
4.3.1
4.3.2
Note When using centralized user administration, it is advisable to set up local users to allow emergency operation. See below for more detailed information.
4.3.3
This configuration takes place for both a local and a centralized user administration.
Note Point to note when using centralized user administration: Remember that the user groups created in WinCC flexible have the same names as the user groups in the Windows operating system of the computer configured as the logon computer in SIMATIC Logon (for example domain).
4.3.4
Only emergency users are created directly in the WinCC flexible user administration. These are required if the Ethernet connection to the logon computer is interrupted at the time of logon. The settings in the WinCC flexible Runtime security settings only apply to the emergency user.
Note A user logged on centrally can control the process even when the Ethernet connection is interrupted, when necessary also with electronic signature. SIMATIC Logon checks the logon via Ethernet connection.
The schematic shows an example of user administration on a panel with centralized user administration. The user Paul Smith is created temporarily on the panel and is assigned to the Tablettier_Operator user group.
If the Ethernet connection is interrupted, the emergency users can log on using the local user administration.
Note To distinguish between a central logon and an emergency logon, emergency users should only be created in the local user administration. This ensures that these users are available only in an emergency situation.
4.3.5
Functions for password security:
- At least one special character
- At least one number
- Password length
For detailed information, refer to the WinCC flexible Information System under Working with WinCC flexible > User administration > Elements and basic settings > Runtime security settings. To administer the local users and to change passwords, the User view object is integrated in a process picture. Changes made while the process is running take effect immediately.
Note Changes to the user administration are performed offline in the engineering system and are therefore not automatically updated. To prevent passwords and user settings on the local HMI device from being overwritten when new settings are transferred, deselect the Overwrite password list check box.
4.3.6
Note The User view object that can be integrated in a process screen shows the user logged on centrally via SIMATIC Logon during runtime. Here, users can change their passwords. The new password is checked to make sure that it meets the set Windows security policy on the logon computer. Changing the password on the logon computer is organized by SIMATIC Logon. Changes made while the process is running take effect immediately. Password changes are recorded both in the audit trail and in the SIMATIC Logon Eventlog Viewer.
4.4
4.4.1
Windows domains
If a domain server is used in the working environment, the advantages of the group and user management can be used in conjunction with SIMATIC Logon. The central administration of groups and users on the domain server allows all computers that belong to the domain access to the groups and users. To increase availability, domains can be set up with several domain servers.
Windows workgroup
If a computer is a member of a Windows workgroup, the computer acting as server of the workgroup must be specified. All user data are created and managed on this server. From here, they are made available to the other computers in the system. When selecting the server, a panel PC with WinCC flexible Runtime can, for example, be considered if the operating system requirements for SIMATIC Logon are met. To improve performance, however, the choice is often a separate computer that is used only for user administration. On the panel, the user ID and password (here: password) are entered. The user can only be assigned to one user group. Emergency users can be set up locally for emergency operation.
The following schematic shows an example of the assignment of users to user groups.
After logging in during runtime, the operator has precisely the rights required to operate the plant as assigned to the relevant user group in WinCC flexible.
4.4.2
Password policies
For the monitoring mechanisms of the password policies of Windows, the previously specified settings (URS, FS or DS) must be made. The following security settings of the password policies are relevant and must be configured in the operating system.
Guideline: Description of the security setting
Enforce password history: Specifies the number of unique new passwords that must be used for a user account before an old password can be used again.
Password must meet complexity requirements: When it is activated, the password must contain at least three of the four following categories:
  1. A-Z uppercase letters
  2. a-z lowercase letters
  3. 0-9 numeric characters
  4. !,$,%, etc. special characters
Minimum password length: Specifies the minimum number of characters a password must contain.
Maximum password age: Specifies the maximum time that a password may be used before it must be changed.
Minimum password age: Specifies the minimum time that a password must be used.
The following screenshot shows the Password policies dialog box. The settings shown are examples.
Account lockout threshold: Specifies the number of failed attempted logons before the user account is locked out.
Account lockout duration: Specifies how long an account remains locked out before the lockout is canceled automatically. If the value 0 is set, the account remains locked out until it is unlocked by the administrator. This is the recommended setting.
Specifies how long it takes in minutes before the account lockout counter is reset following failed logon attempts.
The following screenshot shows the Account lockout policies dialog box.
Audit policies
The following settings must be made in the audit policies of Windows to generate a recording (Audit Trail) of attempted logons. The monitored events are stored in the event viewer in the security log and are available for investigation.
Guideline: Description of the security setting
Audit logon attempts: Specifies whether or not the instance of a user logging on to a computer is audited.
Audit account management: Specifies whether or not the individual events of account management are audited (creating or changing a user account, changing or setting passwords).
Audit logon events: Determines whether each instance of a user should be audited when logging on or off on a computer.
Audit policy change: Determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies
Computer management is opened with the following menu command: Start > Settings > Control Panel > Administrative Tools > Local Security Settings.
Note To monitor the logon activity, the required settings must be made in the audit policy of the local policies of Windows.
Note After installing Windows, default parameters are set for the password policy, account lockout policy, and audit policy. The settings must be checked and adapted to the requirements of the current project.
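One way to check the password, account lockout and audit policy settings against the project specification, as an added example that is not part of the original manual. It parses a security template as exported with secedit /export /cfg policy.inf /areas SECURITYPOLICY; the numeric limits are assumed project values and the sample template text is constructed.

```python
"""Check an exported Windows security template against a project policy spec."""
import configparser

# Constructed sample in the format written by
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY
# (real exports are UTF-16 encoded; read them with encoding="utf-16").
# It resembles an unconfigured installation: no lockout, almost no auditing.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountManage = 1
AuditPolicyChange = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

SUCCESS, FAILURE = 1, 2          # bit flags used in the [Event Audit] section
BOTH = SUCCESS | FAILURE

# (section, key, predicate, requirement). The numeric limits are ASSUMED
# project values standing in for what the URS/FS/DS of a real project defines.
REQUIRED = [
    ("System Access", "PasswordComplexity", lambda v: v == 1,
     "complexity requirements enabled"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8,
     "at least 8 characters"),
    ("System Access", "PasswordHistorySize", lambda v: v >= 5,
     "at least 5 remembered passwords"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 90,
     "expires after at most 90 days"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 5,
     "lockout after at most 5 failed logons"),
    # The dialog value 0 (locked until an administrator unlocks the account)
    # is written to the template as -1. The key is absent when no lockout
    # threshold is configured.
    ("System Access", "LockoutDuration", lambda v: v == -1,
     "locked until unlocked by the administrator"),
    ("Event Audit", "AuditLogonEvents", lambda v: v == BOTH,
     "success and failure audited"),
    ("Event Audit", "AuditAccountLogon", lambda v: v == BOTH,
     "success and failure audited"),
    ("Event Audit", "AuditAccountManage", lambda v: v & SUCCESS,
     "success audited"),
    ("Event Audit", "AuditPolicyChange", lambda v: v & SUCCESS,
     "success audited"),
]


def parse_template(text):
    """Parse security-template text, keeping the case of the keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_policy(text):
    """Return (key, found, requirement) for every requirement that is not met."""
    cp = parse_template(text)
    findings = []
    for section, key, ok, requirement in REQUIRED:
        raw = cp.get(section, key, fallback=None)
        if raw is None:
            findings.append((key, "missing", requirement))
            continue
        try:
            value = int(raw.strip())
        except ValueError:
            findings.append((key, raw, requirement))
            continue
        if not ok(value):
            findings.append((key, value, requirement))
    return findings


if __name__ == "__main__":
    for key, found, requirement in check_policy(SAMPLE_INF):
        print(f"FAIL {key}: found {found!r}, required: {requirement}")
```

The list of findings can be attached to the IQ record as evidence that the default parameters were checked.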
Further information
Additional information on setting up Windows workgroups and Windows domains can be found in the operating system help of Microsoft Windows or in the appropriate Windows manual.
4.4.3
If this option is not selected, the time stamp is shown in the local computer time.
3. Activation of a default user in a default group to be logged on after the user logoff (either by the user or automatically by the system).
4. Reminder of a password change with the number of days before expiration
Note The default group and default user functionalities and the password change in the future are not supported in WinCC flexible.
In the Working environment tab, the user specifies whether the information relating to groups and users relates to a Windows domain or a Windows workgroup server. The name of the domain or workgroup server must be entered.
In the Logon device tab, the user specifies whether the logon is via the keyboard, smart card or other procedure such as biometric user identification, for example by fingerprint. At the same time, the screen keypad can be enabled for the logon.
In the Automatic logoff tab, the user specifies whether automatic logoff is used.
Note The "Use SIMATIC Logon automatic logoff" functionality is implemented for WinCC flexible by setting a time period for the Admin user. This means that the user logged on centrally is logged off when the period expires. The period expires when there is no operator activity. If a logoff time with the value 0 is entered for the Admin default user, the user is not automatically logged off.
Project settings
User interfaces in the form of interactive, graphical process screens are created with the WinCC flexible engineering software for operator control and monitoring of machines and plants. Alarms and meaningful alarm texts indicate the operational and error states of the production process. Process-relevant data are recorded in data logs and visualized with trend graphics. Access to the process is organized with user groups and users in the user administration. Special editors are available for the different configuration tasks.
5.1
Project Manager
All configuration information is saved in a project directory assigned to the project. The configuration depends on the type of HMI device specified when the project is created. Functions supported by the HMI device are offered for the configuration. Multiple HMI devices and even different device types can be configured in a project. This has the advantage of allowing multiple HMI devices that are employed for plant operation to be managed in a single project. The integrated copy function enables you to duplicate the configuration for an HMI device and transfer it to other HMI devices. Functions that are not supported by another device type are hidden and listed in the output window. We recommend you begin configuration with the HMI device that requires the least amount of work. This will reduce the error rate and the work needed for configuration and validation.
5.2
Multilingual Projects
WinCC flexible supports the creation of multilingual projects. The configured texts in process screens, recipes, alarms, etc. are centrally collected for all HMI devices in the Project Texts editor. A separate column is created for each project language. The export/import function enables you to export the texts for translation in the form of an Excel table and then import them back into the project. The integrated system dictionary provides additional support for configuring multilingual projects. It contains a variety of the terms used in automation in several languages. A custom dictionary can be maintained to ensure a uniform vocabulary within the project.
Note WinCC flexible provides an on-screen keyboard, which is displayed for text input on touch panels. The keyboard layout corresponds to the language of the installed operating system.
5.3
5.4
Time Synchronization
All time synchronization activities depend on the requirements of the project. The requirements of time synchronization must be described in the specification. A uniform time reference must be guaranteed when archiving data and analyzing problems in a plant. Time synchronization to a standard time is desirable, but not mandatory. Direct time synchronization between WinCC flexible and the automation system is not available. Instead, the time can either be set on the automation system or on the HMI device. "Set time-of-day", however, does not have the same level of accuracy as time synchronization since message frames and script runtimes are included. The time master must be defined within the system.
5.4.1
Set time
Setting the time of day is performed via an area pointer in WinCC flexible. Area pointers are parameter fields from which WinCC flexible RT obtains information about the location and size of data areas in the PLC. During communication, the PLC and the HMI device alternately access these data areas for read and write operations. The PLC and the HMI device trigger defined interactions based on the evaluation of stored data. The area pointers reside in PLC memory. Their addresses are configured in the "Area pointers" dialog of the "Connections" editor.
Note The procedure for setting the time of day between a panel and STEP 7 is documented in detail in entry ID 24104104 (http://support.automation.siemens.com/). This entry describes setting the time of day from the automation system to the panel and vice versa in detail.
5.4.2
The system time of the controller is transferred to the defined tag of the type DATE_AND_TIME in a one second cycle. This can be achieved by transferring the OB start time.
5.4.3
You will find additional information on setting the time in the SIMATIC S7 GMP Engineering manual.
5.4.4
5.5
5.5.1
5.5.2
The change is described in greater detail in the relevant change request.
Note Section 5.5.2 includes examples of how individual software elements can be versioned. For additional information on monitoring the configuration in WinCC flexible, refer to Section 2.3 and for general information on this topic to GAMP 4, Section 7.11.7 and the corresponding appendix M9. The procedure for changes made to a plant in runtime must always be coordinated with the plant user, see Section 8.2.
5.5.3
Note The Change Control option includes a change control that records every change in the configuration with time stamp, user and object-dependent configuration differences.
Versioning VB scripts
WinCC flexible provides predefined system functions for common configuration tasks. These can be used to perform many tasks in Runtime without needing any programming skills. Runtime scripting can be used to solve more complex problems. Runtime scripting is a programming interface with which parts of the project data can be accessed in runtime, for example, to make application-specific evaluations. It is advisable to maintain a history in the scripts indicating any changes made. The history can be entered in the script as a comment before the code or in Properties > Comment.
The screenshot shows the history as a comment before the start of the code.
The screenshot shows the history in the comment box for the script. The version ID must be kept up-to-date as specified in the SOP for configuration management.
Versioning reports
A static text box for the manual entry of a version number can be inserted either in the report header or footer. The version ID must be kept up-to-date as specified in the SOP for configuration management. The following screenshot shows an example of the footer of a report layout with version ID.
6.1
Graphics
The Graphics area in the toolbox contains a comprehensive collection of graphics and symbols for graphically editing screens. Graphic objects such as machines and plant components, measuring equipment, operator control elements and buildings are thematically organized. The library objects can be inserted in a screen with drag-and-drop and adapted as required.
Screen navigation
Configuration of screen navigation for selecting screens is necessary in projects consisting of multiple screens. Various methods can be used for this.
- Screen selection via function keys, if they are available on the HMI device
- Creation of buttons for screen selection (in the template, for example)
- Using the WinCC flexible screen navigation with a navigation bar
Hierarchical screen navigation is created in the form of a tree in the WinCC flexible screen navigation. Navigation is performed with the integrated, configurable navigation bar.
Once the individual objects are assembled in groups, only the object properties and events used for the dynamic characteristics of the faceplate are specified in a configuration dialog as an interface to the process.
The figure shows the objects in the faceplate on the right and the interface of the faceplate configured for the specific application on the left. The colored connection lines indicate the object properties and events that form the interface to the outside for the dynamic characteristics. VB scripts, which are executed solely in the faceplate, can also be programmed. Faceplates are given dynamic characteristics using structures that assemble several tags of differing type. Structures can be configured both internally and in connection with the SIMATIC S7 300/400 automation system. The "Motor" structure was created as an example in the faceplate configuration dialog in the figure above.
This structure contains the structure elements, temperature, speed, motor on etc. A tag of the type "Motor" is created for each relevant motor with the menu command Communication > Tags. The structure elements are connected directly to the externally oriented object properties in the configuration dialog for the faceplate. When the faceplate is inserted in a process screen, the corresponding tag of the "Motor" type is specified and the motor name is adapted.
6.2
Care must be taken to ensure that access protection is configured for all objects requiring an electronic signature.
As a result of this configuration, the logon dialog is displayed automatically if no user is logged on. A change can be made in the I/O box only when a user with appropriate permissions is logged on.
6.3
Creating VB Scripts
WinCC flexible provides predefined system functions for typical configuration tasks. The system functions (the setting of a bit, for example) can be linked to a screen object in a function list without requiring advanced programming skills. You can use VB scripts to solve more complex tasks. For example, the predefined system functions can be used in a script together with instructions and conditions in a code based on Visual Basic Script. Access to the WinCC flexible object model is available using scripts. Writing VB scripts offers numerous possibilities for implementing application-specific functionality.
Note Selections of the predefined system functions as well as the permitted set of commands depend on the HMI device employed.
VB scripts are programs written by the user that belong to the Category 5 software. This type of software is developed to meet customer-specific demands not covered by standard functions. The procedure for creating Category 5 software is as follows:
1. Creation of a functional description for the software
2. Specification of the function blocks used
3. Specification of the inputs and outputs used
4. Specification of the block for operator control and monitoring
Note The creation of custom software (GAMP Category 5) should be kept to a minimum since it increases the effort needed for testing and validation considerably.
6.4
Project setting
When a project is created, Regulated project is selected centrally in the GMP settings.
Audit trail
The audit trail is configured as a log in the Archive editor and GMP-relevant activities are recorded in runtime.
The audit trail is always a file in CSV format with a checksum. The checksum is generated with an integrated algorithm and ensures that any manipulation can be detected. The file name and storage location are defined during configuration. If there is not enough space at the storage location, suitable actions can be configured under the events. For more detailed information on configuring the audit trail, refer to the WinCC flexible Information System > Options > Audit. The following entries are automatically saved in the audit trail:
- Runtime sequence: Runtime start / stop, project information, failure of the UPS when the uninterruptible power supply option is used (see also section 6.13)
- User administration: User logon/logoff, failed logon attempts, etc.
- Alarm system: Alarms requiring acknowledgment, acknowledgment attempts
- Archiving operations: Starting, stopping, opening, closing of a log, etc.
- Change values of GMP-relevant tags by the user
- For GMP-relevant recipes: Creating, changing, saving, loading data records, etc.
- Certain system functions: A list of the GMP-relevant system functions is available in the WinCC flexible Information System > Options > Audit > Working with Audit > Logging system functions
Additional information is available in the WinCC flexible Information System under Options > Audit > Basic principles > Logging concept of the audit trail.
Note The Force function must be deactivated in the GMP environment so that all operator actions can be recorded in the audit trail. We recommend evaluating the events Little free space and Little free space, critical and configuring a reaction in the function list (for example, generating a notification message, moving the logs to a network drive). If no storage space is available, GMP-relevant actions can no longer be performed.
6.4.1
The acknowledgement type and comment properties can be configured. The description is stored in a text that comments on the operator action. This text is always entered in the audit trail. The complete entry in the audit trail depends on the rest of the configuration. See also the section "Electronic signature".
The system function can be integrated in an application-specific script, for example to form a variable description of the performed action. The following figure shows a script that executes the "NotifyUserAction" system function and specifies the "Batch started" text in the description in connection with the batch name that is read from the "BatchName" tag.
Note Once again, care must be taken that the control of the object (here a button) is protected by operator permissions. This means that a logon is forced if no user is logged on and only a user with suitable rights can provide the electronic signature.
Recipe configuration
When the Recipe option is used in connection with the Audit option, GMP settings can be configured in the properties for the recipes. Details are described in the section 6.6 "Recipe Management with the Recipe ".
When the check boxes are activated, the following actions made to the recipe are commented with entries in the audit trail:
- Creating, changing and saving recipe data records
- Downloading/uploading a data record from/to the controller
- Electronic signature for transferring recipe data
- Electronic signature for saving recipe data
6.4.2
The audit trail file is opened during process operation to record the relevant entries. To be viewed with the Audit Viewer, the file must be closed, copied or moved to another directory and then opened again. System functions are available for this action that can, for example, be linked to a button. While the file is closed to allow it to be copied, no GMP-relevant operator activity is possible on the panel.
The moved file can then be opened with the Audit Viewer. The checksum generated for each entry by an integrated algorithm is evaluated for this. The green indicator in the "Data Validity Indicator" area shows that the file has not been manipulated. The indicator is red if manipulation has occurred.
To avoid manipulation of the audit trail files, the Windows directory can be protected from unauthorized access using Windows tools; see also Section 6.7.3 "Restricting access to the network drive". Additional details about the Audit Viewer are documented in the WinCC flexible Information System and in the help system for the Audit Viewer.
The checksum can also be verified with the HMIChecklogIntegrity.exe application that is available in the WinCC flexible 2007 Runtime folder after the WinCC flexible system software has been installed. How to launch the HMIChecklogIntegrity.exe application is described in the WinCC flexible Information System under Getting Started > Getting Started Options > Using Audit > Evaluating Audit Trails with DOS Program.
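How a per-entry checksum lets a viewer flag a manipulated CSV file, shown as an added example that is not part of the manual and not Siemens code. The manual does not disclose the integrated algorithm, so chained HMAC-SHA256 is used here as a stand-in; the key, the field layout and the sample entries are constructed.

```powershell
# Added illustration: chained, keyed per-entry checksums on a CSV audit trail.
# HMAC-SHA256 is a stand-in; it is NOT the algorithm used by WinCC flexible.

function Get-EntryChecksum {
    param([byte[]]$Key, [string]$Previous, [string]$Record)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try {
        # Binding each entry to its predecessor makes removed or reordered entries visible.
        $bytes = [System.Text.Encoding]::UTF8.GetBytes("$Previous`n$Record")
        $hash  = $hmac.ComputeHash($bytes)
        return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
    }
    finally { $hmac.Dispose() }
}

function Add-EntryChecksum {
    param([byte[]]$Key, [string[]]$Records)
    $previous = ''
    foreach ($record in $Records) {
        $previous = Get-EntryChecksum -Key $Key -Previous $previous -Record $record
        "$record;$previous"          # CSV line with the checksum as last column
    }
}

function Test-AuditTrail {
    param([byte[]]$Key, [string[]]$Lines, [string]$ExpectedLast)
    $previous = ''
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $cut    = $Lines[$i].LastIndexOf(';')
        $stored = if ($cut -ge 0) { $Lines[$i].Substring($cut + 1) } else { '' }
        $record = if ($cut -ge 0) { $Lines[$i].Substring(0, $cut) } else { $Lines[$i] }
        $expected = Get-EntryChecksum -Key $Key -Previous $previous -Record $record
        if ($stored -cne $expected) {
            return [pscustomobject]@{ Valid = $false; FirstBadLine = $i + 1; Reason = 'checksum mismatch' }
        }
        $previous = $stored
    }
    # A chain alone cannot show that entries were cut off at the end of the file;
    # that needs the last checksum kept somewhere the file editor cannot reach.
    if ($ExpectedLast -and $previous -cne $ExpectedLast) {
        return [pscustomobject]@{ Valid = $false; FirstBadLine = $null; Reason = 'entries missing at end of file' }
    }
    [pscustomobject]@{ Valid = $true; FirstBadLine = $null; Reason = '' }
}

# Constructed sample entries (time stamp; user; category; description).
$key = [System.Text.Encoding]::UTF8.GetBytes('constructed-demo-key')
$records = @(
    '2008-04-01 08:00:00;SYSTEM;Runtime;Runtime start'
    '2008-04-01 08:02:11;operator1;User administration;User logon'
    '2008-04-01 08:05:40;operator1;Tag;Setpoint_Temp old=72.0 new=75.0'
    '2008-04-01 08:06:02;operator1;NotifyUserAction;Batch started: B-0417'
)
$trail  = @(Add-EntryChecksum -Key $key -Records $records)
$anchor = $trail[-1].Substring($trail[-1].LastIndexOf(';') + 1)

$edited    = $trail.Clone()
$edited[2] = $edited[2].Replace('new=75.0', 'new=95.0')    # value changed after the fact
$cases = [ordered]@{
    'untouched'      = $trail
    'value edited'   = $edited
    'entry removed'  = $trail[0, 1, 3]
    'tail truncated' = $trail[0..2]
}
foreach ($name in $cases.Keys) {
    $r = Test-AuditTrail -Key $key -Lines $cases[$name] -ExpectedLast $anchor
    '{0,-15} valid={1,-5} line={2} {3}' -f $name, $r.Valid, $r.FirstBadLine, $r.Reason
}
```

A checksum computed without a secret can be recomputed by whoever edits the file, which is why the stand-in uses a keyed HMAC and why the folder protection described in Section 6.7.3 still matters.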
6.5
Electronic Signature
The electronic signature is set in the GMP settings for the tag. If the value of the tag is changed during operation, a dialog box opens in which the password of the logged-on user is queried. If a "mandatory comment" is selected, a comment must be entered in addition to the electronic signature when a tag value is changed.
Note Operator input to an object that causes a change in a GMP-relevant tag value must be protected using operator permission. This ensures that only a user with suitable permissions can perform the action.
The following screenshot shows a section of the audit trail with an entry for electronic signature.
The "NotifyUserAction" system function is another way of generating an audit trail. The selection made for the confirmation type is "Electronic signature". This means that when the system function executes, the dialog shown above is also displayed for the entry of a password. See also section 6.4.1 "Generating audit trail entries".
6.6
The recipes along with the corresponding recipe entries are created and managed in the "Recipes" editor. The number of recipes is based on the HMI device type. The following alternative methods are used to generate the data records:
- Recipe data is entered in the engineering system and transferred with the complete project data
- Recipe data is entered during ongoing operation
- Records are read in ongoing operation following the teach-in mode on a machine
- Recipe data is imported from a CSV file
The method selected for creating the data records depends on the conditions of the production plant. For production plants operating in an environment requiring GMP, the GMP settings can be set during the configuration of the recipes in the WinCC flexible system software, see also Section 6.4.1 "Generating audit trail entries". Either a separate recipe screen can be configured or the "recipe view" object can be integrated in a process screen to process or display the recipe data on the panel or in WinCC flexible RT. These two variants are presented below:
Recipe view
The recipe view is integrated as an object in a process screen. There are numerous options for configuring the display window and window characteristics in the object properties. To use the recipe view to simply display data, the operation during ongoing operation can be disabled and the status bar and buttons can be hidden. A recipe view action in ongoing operation generates entries in the audit trail when the GMP settings have been selected as described above and the Audit option is enabled. The following data are saved in the audit trail:
- Time stamp
- User ID
- Recipe name
- Record name
- Performed action
- User comment
Note Data changed in a data record are not entered in the audit trail with the old value and new value. To nevertheless log changes to a record in the audit trail, value changes can be made in IO fields configured in the recipe screen in addition to the recipe view object. When GMP-relevance is selected for the process tags linked to the IO fields, all changes are commented in the audit trail with old value and new value. The transfer of the IO field data to a data record is controlled with the "Synchronize" button in the recipe view. This can prevent the tag values from being directly written to the controller. The transfer to the PLC is performed separately with the Transfer button and must be confirmed with an electronic signature when the GMP property is set. The transfer is recorded in the audit trail with a time stamp, user ID, recipe and record name as well as a comment by the user.
Recipe screen
The recipe values are entered via I/O fields. GMP-relevance is selected for the linked process tags. (See also section 6.4.1) This causes each changed value to be recorded in the audit trail with the old value, new value, time stamp and user. The organization of the data records, such as Create new, Delete, Save, Transfer to automation system as well as Log, is performed via buttons. For this, either the system functions for recipe management integrated in WinCC flexible are called or customized application-specific scripts are attached in the button properties.
The version, user, date and time of the change and release of the recipe, etc., can be included as additional parameters. The boxes for displaying these parameters should be set up so that they cannot be written by direct input (read-only attribute). The parameters should be supplied with values only from scripts. This means, for example, the version can be incremented by a user-defined algorithm.
6.7
6.7.1
Data logs
Data logs are used to acquire production-relevant, continuous process values. The data log stores the contents of selected tags with time stamps in a defined cycle. The configuration is performed with the following tasks:
- Creating and configuring one or more data logs: Specification of general settings such as name, log size, storage location etc. (see also Section 6.7.2 "Archiving data logs, alarm logs and audit trails")
- Configure the data log: All tags in the project are created with the Communication > Tags object. The data log and the archiving cycle are specified for the tags that are to be archived.
The archived values can be visualized, for example with trend graphics in the process screens.
Alarm logs
Alarms are configured to detect events and states that occur in the process. WinCC flexible also generates system events for displaying specific system states of the HMI device or PLC. The following alarm types can be selected when configuring alarms:
- Discrete alarm type: An alarm is triggered by the PLC due to a bit change in a tag. The time stamp of the alarm is set by the HMI device.
- Analog alarm type: The HMI device monitors the limits of a tag and triggers an alarm if a tag violates a high or low limit. The time stamp of the alarm is set by the HMI device.
- Alarm number type: The PLC transfers an alarm number (and any associated alarm text) to display an alarm. This requires that alarms are configured in STEP 7 in the ALARM_S/SQ/D/DQ alarm block. The time stamp of the message is set by the PLC.
Notes on the time stamping
With the discrete alarm and analog alarm types, the acquisition cycle, bus runtime and processing time are contained in the time stamp. Messages are lost if they are shorter than the acquisition cycle. With the alarm number type, the time stamp is recorded by the PLC when the alarm occurs and is passed to the HMI device. With the alarm number type, the SFCs Alarm_S/SQ and Alarm_D/DQ are used on the SIMATIC S7 controller. Refer to the relevant CPU manuals and the block descriptions in the SIMATIC STEP 7 online help for information on restrictions relating to the system resources for simultaneously pending alarms.
The following configuration steps are required to set up alarm logs:
- Create and configure one or more alarm logs: Make general settings such as the name, size of the log, storage location, etc.; see also Section 6.7.2 "Local data archiving".
- Log the alarms of an alarm class: An alarm log can be assigned to each alarm class.
A detailed description of the configuration of alarm logs is available in the WinCC flexible Information System under Working with alarms > Alarm logging.
Note Protect the network drive shared for data backup by assigning access authorizations (see Section 6.7.3).
6.7.2
The size of the data or alarm log depends on the length of individual entries and the number of entries. This is set by the number of data records. The storage capacity of the storage location (such as a CF card) must be taken into consideration when configuring the number of log entries. The logs can be saved in a CSV file on panels. On PCs, data and alarm logs can also be saved in database format (ODBC). The audit trail is configured as an endless log and is always written to a file in CSV format. A minimum amount of free disk space is defined as the limit for the storage location (memory card or network drive). If the available space falls below this limit, a configured function list can be executed (see section 6.5 "Electronic Signature").
Note A plant-specific archiving concept (URS, FS) must be developed for plants operating in an environment requiring GMP.
We recommend logging data locally on a memory card and then backing it up at regular intervals to a network drive (see also section 6.7.3).
Before being transferred, the logs are closed and then opened again when the transfer is completed. Any log events that occur in the meantime are buffered. Detailed information is available in the WinCC flexible Information System. The access protection for the folder in which the CSV files are stored is configured under Properties > Security Settings for the folder in the Windows Explorer, see also Section 6.7.3. Data saved as a database can be read again with a database system via an ODBC driver. The access protection is regulated in the respective database system.
Backing up logs
A network drive in a local network can be specified for data backup of locally stored data and alarm logs as well as the audit trail. The panel is connected to a network via Ethernet for this. The steps necessary for establishing a network connection are described in detail in entry ID 13336639 (http://support.automation.siemens.com/). The next Section 6.7.3 describes how the directories on the network drive are protected against unauthorized access.
6.7.3
A new user group, such as "Panel", is created on the PC on which the shared network drive is located. (In Windows XP under Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Groups)
A new user is created with the panel name under Users. This is added to the newly created user group.
The access protection for the folder is set in the Security tab of the shared network drive's properties. The Panel group requires Full access for HMI device "mp1" to be able to create the CSV files in the folders.
Users assigned to the "User" group have read-only and no write access.
With these settings, only the "Panel" user group has write access for the folder.
Note The security settings do not have to be set directly on the network drive. If the log data is stored in a subfolder of the network drive, only the security settings for this subfolder need to be set.
Note The security settings shown were made with the NTFS file system in the Windows XP Professional operating system.
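The same folder protection as a script with a check of the result, as an added example that is not from the manual. It assumes a current Windows with PowerShell 5.1 or later instead of the Windows XP dialogs shown; "Panel" and "mp1" are the manual's names, while the folder path and the use of the built-in Users group for the read-only users are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. 'Panel' and 'mp1' come from the manual; the folder path and the
# built-in Users group (for read-only access) are assumptions.
$LogFolder  = 'D:\PanelLogs'
$PanelGroup = 'Panel'
$PanelUser  = 'mp1'
$usersSid   = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')  # BUILTIN\Users

# 1. Group and panel account, created only if they do not exist yet.
if (-not (Get-LocalGroup -Name $PanelGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $PanelGroup -Description 'HMI devices that write log files' | Out-Null
}
if (-not (Get-LocalUser -Name $PanelUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $PanelUser"
    New-LocalUser -Name $PanelUser -Password $password | Out-Null
}
$memberSids = Get-LocalGroupMember -Group $PanelGroup | ForEach-Object { $_.SID.Value }
if ($memberSids -notcontains (Get-LocalUser -Name $PanelUser).SID.Value) {
    Add-LocalGroupMember -Group $PanelGroup -Member $PanelUser
}

# 2. NTFS permissions: Panel gets full access, Users get read-only, nothing is inherited.
New-Item -ItemType Directory -Path $LogFolder -Force | Out-Null
$panelSid = (Get-LocalGroup -Name $PanelGroup).SID
$rights   = [System.Security.AccessControl.FileSystemRights]
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path $LogFolder
$acl.SetAccessRuleProtection($true, $false)      # block inheritance, drop inherited entries
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)           # clear explicit entries left from earlier setups
}
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $panelSid, $rights::FullControl, $inherit, $noProp, $allow))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $usersSid, $rights::ReadAndExecute, $inherit, $noProp, $allow))
Set-Acl -Path $LogFolder -AclObject $acl

# 3. Check: list every principal whose allow entry contains a write-type right.
$writeBits = [int]($rights::WriteData -bor $rights::AppendData -bor $rights::Delete -bor
                   $rights::DeleteSubdirectoriesAndFiles -bor $rights::ChangePermissions -bor
                   $rights::TakeOwnership)
$writers = (Get-Acl -Path $LogFolder).Access |
    Where-Object { $_.AccessControlType -eq $allow -and ([int]$_.FileSystemRights -band $writeBits) -ne 0 } |
    ForEach-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } |
    Sort-Object -Unique

if (@($writers).Count -eq 1 -and @($writers)[0] -eq $panelSid.Value) {
    "OK: only '$PanelGroup' can write to $LogFolder"
}
else {
    Write-Warning "Unexpected write access on ${LogFolder}: $($writers -join ', ')"
}
```

Step 3 can be run on its own at any later time, for example as part of a periodic review, to confirm that no additional write entries have been added to the folder.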
6.7.4
Only completed batches can be archived. A batch has the status closed when:
- The batch was completed manually or automatically.
- The batch was aborted, locked or reported as completed.
Automatic export of a batch is performed only once. By selecting the check box "Close and log batch automatically" in the Project Settings > Defaults dialog, no changes or additions can be made in the batch data following the automatic export.
For export in HTML format or XML format, subsequent manipulation of the records can be prevented by assigning appropriate rights to the drive (read-only). PM-QUALITY checks if the completed batch is ready for export in the current acquisition cycle. The records must first be exported to a local hard disk. Transferring the batch data to an external drive, for example to the long-term archive server, can be configured with "Following action".
The Export View tool is used to view batch data in the database format. The tool is included in the PM-QUALITY package.
The batch is selected in the batch selection dialog and the view is started on screen using a button in the toolbar.
6.8
6.8.1
Reporting
Standard reporting
In WinCC flexible, alarms can be output as reports on a printer. Recipes entered in the WinCC flexible recipe system can also be output as a report on a printer. To print out reports, layouts with suitable contents are configured in the Reports editor. The following data can be documented:
- Alarms immediately when they occur
- Alarms from the alarm buffer
- Alarms from the alarm log
- Recipes
The options for data output depend on the performance of the HMI device and the licensing in PC RT.
Reports editor
The Reports editor is divided into different areas. This division allows reports to be created with a cover sheet, back sheet, header and footers as well as one or more sheets of data. Numerous objects are available to design a report, for example static objects such as texts and graphic elements and dynamic objects such as I/O boxes that allow current tag contents to be documented at the time of printing. The documentation of alarms and recipes is handled using special objects. For more detailed information on designing reports, refer to the WinCC flexible Information System under Working with WinCC flexible > Working with reports.
Alarm logging
To report alarms, the Print alarms object is inserted in a report page. The object properties define which alarms are reported.
Either alarm events or alarm log can be selected as the source for alarms. If alarm events is selected, the alarms from the alarm buffer are reported. If alarm log is selected, the alarms are printed from the assigned alarm log. This is available only for panels that have the alarm logging function. It is also possible to make the selection according to alarm classes. To be able to assign alarms to a specific production sequence, a variable output range can be specified. The start and end of the range are transferred in tags of the type date / time.
Recipe output
To document recipes created in the WinCC flexible recipe system, the Recipe view object is inserted from the toolbox window in a report page. The display options are set in the object properties.
When selecting the recipe, the user can decide whether to print a specific recipe or all recipes. At the same time, a specific data record of a selected recipe can be output.
Report output
The configured reports can be output event-driven or cyclically. An event-controlled display is, for example, linked to an operator input object in a process screen.
It is possible to select not only time cycles but also the alarm buffer overflow event in the scheduler as the criterion for printout. If a critical status occurs in the fill-level of the alarm buffer, the alarm buffer can be printed out and then deleted with the system function DeleteAlarmBuffer in the toolbar.
6.8.2
Batch-based reporting
The WinCC add-on PM-QUALITY can be used for batch-oriented reporting. The recording of the production-relevant records begins with the Batch start signal and ends with the Batch end signal. The records are assigned to a specific batch. The name of the batch can be configured and it can be called back up again with the batch name. The report layouts for printing the batch data can be customized in the Report Editor application.
Static objects for report designs and dynamic objects for displaying the batch data are listed in the highlighted area at the lower left. The dynamic objects are configured for the specific plant beforehand in the Topology Manager application. The dynamic objects include batch header data, phase sections, snapshots, alarm events, audit trail entries, tag logging values, etc. A tabular horizontal or vertical display style can be selected. Tag logging values are shown in the form of trend curves. This involves defining trend templates in which the values and the form of the trend graphic are specified. You can also display comparable trends with values from different batches.
The PM-SERVER application functions as the interface between WinCC flexible and PM-QUALITY. It is contained in the PM-QUALITY program package. An OPC station, in which the tags from the WinCC flexible project are imported, is configured in PM-SERVER for exchanging tags. The PM-SERVER can also import records from multiple HMI devices with different WinCC flexible projects.
Text import stations, which organize the import of the CSV files at the end of the batch, are always created in the PM-SERVER to acquire alarms and audit trail entries. A variety of alarm logs are created in the PM-SERVER. The entries of the CSV files are archived as alarms in these logs.
The tag values read into the PM-SERVER and the configured alarm logs are further processed in the PM-QUALITY application and put together according to the requirements of the batch-based reporting.
Note You can find detailed descriptions about the configuration in the online help for PM-SERVER and PM-QUALITY.
VB scripts can be inserted into the report layout to release batches per electronic signature. Input boxes are then displayed in the batch report in which the user name, user ID and a comment can be entered.
Either the configurations in PM-SERVER or the Windows user management (when the SIMATIC Logon software is used) can be used to verify the user name, user ID and password.
The Release report button adds the electronic signature to the report data as a snapshot and the status is set from draft to original.
6.9
6.9.1
Note Projects which are a component part of a SIMATIC STEP 7 project cannot be moved or copied in Windows Explorer in order to ensure data consistency. Instead, the project is handled and saved with the tools of the SIMATIC Manager. The Version Trail software can also be used to back up a SIMATIC STEP 7 project with an integrated WinCC flexible project. Version Trail backs up the project data structured under main and sub version as a compressed file. For more detailed information, refer to the GMP manual for SIMATIC STEP 7.
6.9.2
Note An image can only be copied back to a PC with identical hardware. The hardware configuration of the PC should therefore be adequately documented. Images of individual partitions cannot be exchanged between PCs because various settings, for example in the registry, differ from PC to PC.
6.9.3
Backing up the operating system and the application software of an HMI device (panel)
The ProSave application is available for backing up the project and operating system data on an HMI device (panel). ProSave is included in the WinCC flexible system software package. The application is integrated in the WinCC flexible engineering system. This allows you to quickly perform commissioning again, for example, after replacing a HMI device.
Backup
A backup from the panel to a *.psb file in the specified destination directory is generated with the menu command Project > Transfer > Backup. For detailed information on the backup procedure, refer to the WinCC Information System under Utilities for service and development > ProSave > Data backup. Note License keys on the panel are not backed up. The license keys must be saved beforehand using the Automation License Manager application.
6.10
6.10.1
6.10.2
6.10.3
Further information on configuring PM-OPEN IMPORT is available in the online help of the WinCC Premium add-ons.
6.10.4
To achieve a cost-effective solution for both simple and more complex tasks, PM-CONTROL is available in the "Compact", "Standard" and "Professional" variants.
PM-CONTROL supports the requirements of the FDA in article 21 CFR Part 11. Operator input in the recipe system, for example creating, modifying, deleting recipes can be protected from unauthorized access using different authorizations. After they have been created, recipes require an electronic signature before they can be released for production. The recipe data is recorded in an Audit Trail from the point in time at which it is created. Every recipe change is recorded along with time stamp, user ID, old value and new value. The implemented rollback function allows an older recipe version to be restored. The Audit Trail can be printed out or exported to an XML file.
Only fully signed recipes can be included in an order by the order control. Each scheduled order, in turn, has an electronic signature. During processing, only data from signed orders can be loaded on the automation system. The processing of the orders is started, either automatically when requested by the automation level or manually with the required user rights. PM-CONTROL is installed on a computer with a Windows operating system. This can, for example, be the WinCC flexible computer or a panel PC with a full operating system. The structure of PM-CONTROL allows central recipe data storage and order control for several WinCC flexible systems. Tags are connected to panels using OPC XML and to WinCC flexible RT using OPC DA. To display recipe data and job management, PM-CONTROL provides ActiveX controls that can be integrated in a process screen in WinCC flexible RT. Additional information on configuring PM-CONTROL is available in the online help of the WinCC Premium add-ons.
6.11
Interfacing SIMATIC S7
A physical connection is first required for the data communication between WinCC flexible and the automation systems. A communication connection suitable for the hardware being used is created in SIMATIC WinCC flexible under Communication > Connection.
Numerous drivers are listed for selection in the Communication driver column. The SIMATIC S7 300/400 driver is used in the figure above. The tags are created with Communication > Tags. Internal tags without process connection and external tags with process connection can be configured for an existing connection. The tags form the data interface between the automation system and WinCC flexible project. All editors configured in WinCC flexible read/write values of the tags.
6.12
Integration procedure
WinCC flexible can be integrated in STEP 7 in several ways.
Installation sequence
When the STEP 7 basic system is already installed on the system, the "WinCC flexible Engineering System" software package is installed automatically with the support for integration. The "Integration in STEP 7" option must be enabled for a customized installation. With this variant, WinCC flexible is launched from the SIMATIC Manager to configure the operator control and monitoring system.
Subsequent integration
WinCC flexible projects can also be integrated in a STEP 7 project at a later point in time. To do this, select the File > Integrate in STEP 7 menu in WinCC flexible. Existing STEP 7 projects can be selected for integration. When the integration is completed, the WinCC flexible project is processed through the SIMATIC Manager.
The Tags object is shown under the Communication object for the HMI device in the SIMATIC Manager. Double-clicking on the Tags object in the right-hand window starts the WinCC flexible Engineering System and opens the tag table. The tags for operator control and monitoring are created there. The connection to the symbol table of the SIMATIC Manager is made in the Symbol column. Double-clicking on the Symbol column opens the connection to the SIMATIC Manager. You can navigate to the Symbols table or to the DB data blocks in the tree. The content of the selected block or the symbol table for selecting the address is listed in the right area.
Tags in WinCC flexible assigned to a structure (e.g. Motor) under the data type are mapped to the corresponding data area in a data block. The offset to configured tags is derived from the structure definition. These tags can be linked to a faceplate, for example. Note You cannot connect to a structure (instance of a UDT) in a STEP 7 data block.
Individual elements in a structure required as tags in the screens are entered as individual tags in the tag table.
NetPro shows the stations and HMI devices with modules and interfaces that are specified in the hardware configuration of the STEP 7 project. The hardware configuration is performed in the HW Config editor. Note When a WinCC flexible project is later integrated in a STEP 7 project, the hardware configuration for the HMI device must be checked and may have to be adapted.
More detailed information on the topic of integrating WinCC flexible is documented in the WinCC flexible Information System.
6.13
The power consumption of the systems to be buffered determines the size of the UPS. Another selection criterion is the priority of the systems. Systems with high priority are:
- Programmable controller
- WinCC flexible HMIs
Field devices, which usually have relatively high power consumption, can be included in the buffering, depending on the performance capacity of the UPS. This should be based on the process category and selected in consultation with the system user. In any case, it is important to include the systems for logging records in the buffering. The time at which the power failure occurred should also be recorded.
The automation system must be programmed so that the system is brought to a safe state after a specified buffer time in the event of a power failure. Due to varying requirements of individual devices, three classes have been established for the UPS context. These have been specified by the International Engineering Consortium (IEC) under the product standard IEC 62040-3 and by the European Union under EN 50091-3:
The simplest and least expensive UPS systems (according to IEC 62040-3.2.20 of UPS class 3) are standby or offline UPS systems. They only protect against power failure and transient voltage fluctuations and peaks. They do not compensate for undervoltage or overvoltage. Offline UPS systems automatically switch to battery mode when undervoltage or overvoltage occurs.
Network-interactive UPS
Network-interactive UPS systems (according to IEC 62040-3.2.18 of class 2) operate in a similar way to standby UPS systems. They protect against power failure and transient voltage peaks and can continually compensate for voltage fluctuations using filters.
Online UPS
Double conversion or online UPS systems (according to IEC 62040-3.2.16 of Class 1) are considered real power generators that continuously generate their own line voltage. This means connected consumers are continuously supplied with line voltage without restrictions. The battery is charged at the same time. Note Siemens provides SITOP UPS for an uninterruptible power supply. A description of the quality requirement of the UPS can be found in entry ID 17241008. See also (http://support.automation.siemens.com/).
7.1
Qualification Planning
In defining a project life cycle, various test phases are specified. Therefore, basic qualification activities are defined at a very early stage of the project and fleshed out in detail during the subsequent specification phases. The following details are defined at the outset of the project:
- Parties responsible for planning and performing tests and approving their results
- Scope of tests in relation to the individual test phases
- Test environment (test structure, simulation)
Note The work involved in testing should reflect not only the results of the risk analysis, but also the complexity of the component to be tested.
The individual tests are planned in detail at the same time as the system specifications (FS, DS) are compiled. The following are defined:
- Procedures for the individual tests
- Test methods, e.g. structural (code review) or functional (black box test)
7.2
Note The PC passport is written manually. Some PC manufacturers provide a utility for automatic detection of the hardware information. The PC passport can be printed and used to verify the qualification (IQ/OQ) of the installed PC hardware. Visual inspection can be carried out at the same time.
The network configuration can be displayed with Control Panel > Network.
7.3
7.3.1
7.3.2
Note Screenshots and printouts from tools such as those described below can be used to verify the qualification (IQ/OQ) and to document that the requirements defined in the specification have been met.
Operating system
Panel: (Windows CE operating system and WinCC flexible RT software are installed) The installed software can be verified by operating system functions. The information can be found in Control Panel > System. The version of the operating system is displayed here.
PC:
- Operating system
- SIMATIC WinCC flexible PC RT software
- SIMATIC WinCC add-ons (for example PM-QUALITY, PM-CONTROL)
- Standard libraries
The installed software can be verified by operating system functions. The information can be found in Control Panel > Add or Remove Programs. All installed software components are displayed here. A screenshot can be printed and used for the qualification (IQ/OQ).
Information about the installed software and the products, options, etc., can also be called up from the WinCC flexible Engineering System. To do this, select the menu command Options > Version Management > Installed Software in WinCC flexible.
7.3.3
7.4
A new project version is saved on the trunk when the current version is the highest one on the trunk. A new version is saved on a new branch when the current project version is not the highest one on the trunk or branch. To create a new project version, the project from which the new version is to be created must be open. The new version states are stored under the object Version Management > Project Versions.
Note: We recommend only the trunk for versioning with the ChangeControl option to ensure you are always working with the latest version of the project. The comments for the version projects should be as descriptive as possible to help you later assign the version projects to the corresponding automation stations. For example, the comments can contain information about the reason for the logging. It makes sense to increment versions only for specific events or major changes (e.g. FAT, SAT).
7.5
The change log displays configuration changes made in the project. It records who changed which objects and object properties and when the changes were made, and supplements this information with automatic comments. Double-click Version Management > Change Log in the project window to open the change log.
Note: To open the change log of an older project version, first open the required project version in version management.
You can enable and disable the change log with the menu command Options > Version Management.
8
8.1
A system event consists of a number and the event text. The event text can also include system tags that specify the cause of the error messages in greater detail. Device-specific HMI system events are listed in the manual of the relevant HMI device. The system events that can be generated and a description of the possible causes are listed in the WinCC flexible Information System under Working with WinCC flexible > Reference > System alarms.
8.2
The following sections describe how to make changes to a WinCC project during operation based on examples.
4. Implementation of software change based on the new version
The Change Control option records changes in the engineering in a change log. Versions of the project software are also managed.
8.3
The system is restored using the saved data. The backed up data (medium) and all the materials needed for the restoration (basic system, loading software, documentation) must be saved at the defined point. There must be a Disaster Recovery Plan which must be checked on a regular basis.
Note: For Windows CE devices, a backup/restore can be performed by backing up the data directly from the device to an external storage medium, such as a CF card. For additional information, refer to the appropriate device manuals.
9
9.1
In considering possible influences, the following may be relevant:
- Process screens / objects / alarm system and process value logging in function and display
- Interfaces
- Effects during download
- System performance
- Documentation (specifications)
- Qualification tests to be repeated or performed for the first time
Note: The SIMATIC Customer Support at http://support.automation.siemens.com provides support for software updates and project migration.
9.2
The validation effort is decided in consultation with the plant operator. When migrating internally within SIMATIC, possible checkpoints are mainly the activities required for migration of the project data and the new functions available in WinCC flexible. A customized migration strategy is designed, taking the necessary qualification measures into account and based on the relevant general conditions, such as the basis which is already installed and on which the migration is to take place, defined plant stoppages (usually as brief as possible), etc.
Siemens Aktiengesellschaft Automation and Drives Competence Center Pharmaceuticals 76181 KARLSRUHE GERMANY pharma.aud@siemens.com www.siemens.com/simatic-wincc-flexible