
SIMATIC WinCC V6.2

GMP-Engineering Manual

Guidelines for Implementing Automation Projects in a GMP Environment

Introduction, Contents
1 Prerequisites for Configuring Computer Systems in a GMP Environment
2 Requirements of Computer Systems in a GMP Environment
3 System Specification
4 System Installation
5 Project Settings and Definitions
6 Creating the Application Software
7 Support for Qualification
8 Systems productive mode
9 System Software Updates and Migration
10 Additional Hardware/Software Components
Index

01/2008
A5E01100604-02

Safety-Related Notices
Notices that you should observe to ensure your own personal safety and to avoid damage to property
and equipment can be found in the relevant technical manuals. The safety of pharmaceutical products
of prime importance to the pharmacist must be evaluated by the pharmaceutical company itself. This
document provides information on this topic.

Qualified Personnel
Only qualified personnel should be allowed to install and work on this equipment. Qualified persons
are defined as persons who are authorized to commission, to ground, and to tag circuits, equipment,
and systems in accordance with established safety practices and standards.

Siemens AG
Industry Sector
Industry Automation
D- 76181 KARLSRUHE
GERMANY

A5E01100604-02
01/2008

Copyright Siemens AG 2008


Technical data subject to change

Introduction
Purpose of this manual
This manual describes what is required, from the pharmaceutical and regulatory
viewpoint of Good Manufacturing Practice (GMP), of the computer system, the
software and the procedure for configuring SIMATIC WinCC. The relationship
between the requirements and system build is explained based on practical
examples.

Intended audience
This manual is intended for all plant operators, those responsible for control system
designs for specific industries, project managers and programmers, servicing and
maintenance personnel who use the process control technology in the GMP
environment. It describes solutions for implementing automation projects with
SIMATIC WinCC in situations where the principles of GMP are mandatory.

Required basic knowledge


Basic knowledge of SIMATIC WinCC is required to understand this manual.
Knowledge of GMP as practiced in the pharmaceutical industry is also an
advantage.

Disclaimer
This manual contains instructions for system users and programmers for
integrating SIMATIC WinCC into the GMP environment. It covers validation and
takes into account special aspects such as the requirements of FDA 21 CFR
Part 11.
We have checked that the contents of this document correspond to the hardware
and software described. Nevertheless, as deviations cannot be precluded entirely,
we cannot guarantee complete accuracy of the information contained herein. The
information in this document is checked regularly for system changes or changes
to the regulations of the various organizations and necessary corrections will be
included in subsequent issues. We welcome any suggestions for improvement and
ask that they be sent to the A&D Competence Center Pharma in Karlsruhe
(Germany).


Validity of the manual


The information in this manual applies to SIMATIC WinCC V6.2. The components
investigated are SIMATIC WinCC (CS/RT) in conjunction with the WinCC Central
Archive Server (CAS), SIMATIC Logon V1.3 SP1 and higher, SIMATIC Version
Trail, WinCC Audit, WebNavigator, DataMonitor options and the WinCC premium
add-ons PM-CONTROL and PM-QUALITY. Refer to the CD-ROM catalog CA01 for
information about the exact compatibility of WinCC V6.2 with the individual
components. The CD-ROM catalog is available online at:
www.siemens.com/automation/ca01. A list relating to the compatibility of the
various product versions can be accessed under entry ID 21927773
(http://support.automation.siemens.com).
Suppliers should be contacted directly regarding compatibility between premium
add-ons and SIMATIC WinCC (contact via
http://www.automation.siemens.com/hmi/html_76/products/software/wincc_addons/index.htm).

Position in the information landscape


The system documentation of the SIMATIC WinCC V6.2 operator control and
monitoring system is an integral part of the SIMATIC WinCC system software. It is
available to every user as online help (HTML help) or as electronic documentation
in Acrobat Reader format (PDF):

SIMATIC WinCC V6.2 electronic manuals


You can find the electronic manuals on the CD-ROM as the
SIMATIC HMI Document Collection.

Structure of the manual


This manual supplements the existing SIMATIC WinCC manuals. The guidelines
are not only useful during configuration; they also provide an overview of the
requirements for configuration and what is expected of computer systems in a
GMP environment.
The rules and guidelines, recommendations and mandatory specifications that
form the basis for configuring computer systems are explained.
All the necessary functions and requirements for hardware and software
components are also described, which should make the selection of components
easier.
The use of the hardware and software and how they are configured or
programmed to meet the requirements is explained using examples. More detailed
explanations can be found in the standard documentation.
In the appendix of this manual, you will find an index listing all the important terms.


Conventions
The following conventions are used in this manual.
Activities involving several steps are numbered in the order in which the activities
should be performed.
Procedures involving only a few steps are indicated by a bullet (•).
References to other manuals are shown in bold italic.
Menu commands are shown in bold face.

Additional support
If, once you have read the manual, you have any questions about the products
described in it, please contact your local Siemens representative.
You will find information on who to contact at:
http://www.siemens.com/automation/partner
You will find a guide to the technical documentation we offer for individual SIMATIC
products and systems at:
http://www.siemens.de/simatic-tech-doku-portal
The online catalog and ordering system are available at:
http://mall.automation.siemens.com/
If you have questions on the manual, please contact the A&D Competence Center
Pharma:
E-mail: pharma.aud@siemens.com
Fax: +49 721 595 6930

Additional information about the products, systems and services from Siemens for
the pharmaceutical industry can be found at:
http://www.siemens.com/pharma

Training centers
Siemens offers a number of training courses to familiarize you with the SIMATIC
WinCC operator control and monitoring system. Please contact your regional
training center or the central training center in D90327 Nuremberg, Germany.
Phone: +49 (911) 895-3200
Internet: http://www.sitrain.com

Technical support
You can reach the technical support for all A&D products
• Using the Support Request form on the web:
  http://www.siemens.de/automation/support-request
• Phone: + 49 180 5050 222
• Fax: + 49 180 5050 223

You can find additional information about our technical support online at
http://www.siemens.de/automation/service


Online service & support


In addition to our pool of documentation, we offer you a comprehensive online
knowledge base.
http://www.siemens.com/automation/service&support
There you can find:
• The Newsletter, which provides the latest information on your products
• The right documents for you, using our Service & Support search engine
• A forum where users and experts from all over the world exchange experiences
• Your local Automation & Drives representative
• Information about on-site services, repairs, spare parts. Much more can be
  found on our "Services" pages.


Table of Contents

Introduction
Table of Contents

1 Prerequisites for configuring computer systems in the GMP environment
  1.1 Life cycle model
  1.2 Regulations and Guidelines
  1.3 Responsibilities
  1.4 Approval and change procedure
  1.5 Software categorization of control systems

2 Requirements of computer systems in a GMP environment
  2.1 Hardware categorization
  2.2 Software categorization
  2.3 Configuration management
    2.3.1 Configuration Identification
    2.3.2 Configuration control
      2.3.2.1 Versioning
      2.3.2.2 Change control
  2.4 Software creation
    2.4.1 Use of typicals for programming
    2.4.2 Identifying software modules/typicals
    2.4.3 Changing software modules/typicals
  2.5 Access protection and user management
    2.5.1 Applying access protection to a system
    2.5.2 User ID and password requirements
    2.5.3 Case sensitivity Smart Cards and Biometric Systems
  2.6 Electronic signatures
    2.6.1 Conventional electronic signatures
    2.6.2 Electronic signatures based on biometrics
    2.6.3 Security measures for user IDs/Passwords
  2.7 Audit trail
  2.8 Time synchronization
  2.9 Archiving Data
  2.10 Batch reporting
    2.10.1 Components of batch documentation
    2.10.2 Components of the manufacturing Log
    2.10.3 The uses of electronic batch data
    2.10.4 Requirements of electronic records
  2.11 Data backup
    2.11.1 Application software
    2.11.2 Process data
  2.12 Retrieving archived data
  2.13 Use of third-party components

3 System specification
  3.1 Specification of system hardware
    3.1.1 System structure
    3.1.2 Hardware specification
    3.1.3 Selecting the hardware components
  3.2 System network security
  3.3 Application software specification
    3.3.1 Operating system
    3.3.2 Access protection and user management
    3.3.3 Electronic signature
    3.3.4 Audit Trail
    3.3.5 Engineering software
      3.3.5.1 Tag management
      3.3.5.2 WinCC configuration tool
      3.3.5.3 Change control
      3.3.5.4 Project version control
    3.3.6 Online archiving
    3.3.7 Long-term archiving
    3.3.8 Reporting
    3.3.9 Add-on software packages
      3.3.9.1 Availability
      3.3.9.2 Batch control
      3.3.9.3 Batch-oriented reporting
    3.3.10 Interfaces to process data
    3.3.11 Software components, manufacturing execution systems (MES)
  3.4 Utilities and drivers
    3.4.1 Print drivers
    3.4.2 Virus scanners
    3.4.3 Image & partition creator

4 System installation
  4.1 Installation of the operating system
  4.2 Installation of SIMATIC WinCC
  4.3 Installation and configuration of SIMATIC Security Control
  4.4 Installing the SIMATIC WinCC options
  4.5 Installing utilities and drivers
  4.6 Setting up user management
    4.6.1 Function principle of access protection
    4.6.2 User management in Windows
    4.6.3 Security settings in Windows
    4.6.4 Configuring SIMATIC Logon
    4.6.5 Configuring the user administrator
    4.6.6 Setting up SIMATIC Logon for the Audit option
    4.6.7 Setting up SIMATIC Logon for PM-QUALITY / PM-CONTROL
  4.7 Setting up a long-term archive server
  4.8 Installing the Central Archive Server
  4.9 Security vulnerability in configuration

5 Project settings and definitions
  5.1 Startup behavior
  5.2 Diagnostics for communication connections
  5.3 System information channel
  5.4 Object-oriented configuration
  5.5 Creating process pictures
    5.5.1 Symbol library
    5.5.2 Project library
  5.6 Project functions in the form of VB / C scripts
  5.7 SIMATIC NET settings
  5.8 Redundancy configuration
  5.9 Time synchronization
    5.9.1 Concepts for time synchronization
    5.9.2 Example configuration in WinCC
    5.9.3 Central Archive Server (CAS) time synchronization
    5.9.4 Time stamping
  5.10 Support for configuration management
    5.10.1 Definition of configuration elements
    5.10.2 Versioning the configuration elements
    5.10.3 Versioning the application software
      5.10.3.1 General information about versioning
      5.10.3.2 Versioning pictures in Graphics Designer
      5.10.3.3 Versioning VB / C scripts
      5.10.3.4 Versioning reports

6 Creating the application software
  6.1 Introduction
  6.2 Creating overview pictures
  6.3 Creating operator input messages
  6.4 Electronic signature
  6.5 Audit trail
    6.5.1 WinCC Audit
    6.5.2 Audit trail via WinCC Alarm Logging
  6.6 Archiving data: Setting up process value archives
  6.7 Setting up user archives
  6.8 Long-term archiving
    6.8.1 Long-term archiving in SIMATIC WinCC
    6.8.2 Long-term archiving with SIMATIC Central Archive Server
      6.8.2.1 Method
      6.8.2.2 Configuring the Central Archive Server
      6.8.2.3 Archiving and transfer to the CAS
      6.8.2.4 Retrieving archived data
      6.8.2.5 Data displays
    6.8.3 Batch-oriented long-term archiving with PM-QUALITY
  6.9 Reporting
    6.9.1 Reporting with WinCC Report Designer
      6.9.1.1 Page layout editor
      6.9.1.2 Print jobs
      6.9.1.3 Logging the Audit Trail entries from WinCC Audit
    6.9.2 Batch-oriented reporting with PM-QUALITY
  6.10 Lifebeat monitoring
  6.11 Data communication with the plant management level
    6.11.1 Data communication with the connectivity pack
    6.11.2 Data communication with the connectivity station
    6.11.3 Data communication with Industrial Data Bridge
    6.11.4 Data communication via the ODK programming interface
  6.12 Creating C and VB scripts
  6.13 Connecting to a Web client
    6.13.1 Configuring web access on the WinCC server for process operator input
    6.13.2 Setting up operator permissions on the WinCC server
    6.13.3 Remote access via the network
    6.13.4 Configuring web access on the WinCC server to display data
  6.14 Connecting SIMATIC WinCC flexible
  6.15 Connecting SIMATIC S7
  6.16 Connecting third-party components

7 Support for qualification
  7.1 Introduction
  7.2 Planning qualification
  7.3 Qualification of the system hardware
  7.4 Qualification of automation software
    7.4.1 Software categorization according to GAMP Guide
    7.4.2 Qualification of standard software
    7.4.3 Qualification of application software
  7.5 Configuration control: Versioning and archiving projects
  7.6 Tracking configuration changes
  7.7 Backing up the operating system and SIMATIC WinCC

8 Systems productive mode
  8.1 Operational Change Control
  8.2 System recovery

9 System software updates and migration
  9.1 Updates, service packs and hot fixes
  9.2 Migration of the application software

10 Additional hardware/software components
  10.1 Uninterruptible power supply
    10.1.1 Configuration of uninterruptible power supplies
    10.1.2 UPS configuration over digital inputs

Index

1 Prerequisites for configuring computer systems in the GMP environment

The availability of approved specifications, such as User Requirements
Specification and Functional Specification, is a prerequisite for the configuration of
computer systems in the GMP environment. Requirements contained in standards,
recommendations, and guidelines must be observed when creating these
specifications. This chapter deals with the most important of these sets of
regulations and various specifications (URS, FS, DS).


1.1 Life cycle model


A central component of Good Engineering Practice (GEP) is the application of a
recognized project methodology, based on a defined life cycle. The aim is to
deliver a solution that meets the relevant requirements and is also cost-effective.
The figure below shows the development life cycle model used in this manual
(known as the life cycle model for short). It is based on the recommendations of the
latest GAMP Guide for Validation of Automated Systems. It begins with the
planning phase of a project and ends with the start of pharmaceutical production
following completion of qualification and validation.
Once production has started, the system life cycle continues until the product is
taken out of service.

[Figure: life cycle model, showing the Development Life Cycle of Automated
Production Plant / Equipment and the Development Life Cycle of Computer System.
Elements: VP, QPP, QP, URS, FS, DS, Module Development, Module Testing,
Application Development, System Build, FAT, SAT, IQ, OQ, PQ, QR, VR and the
Traceability Matrix; phases: Specification, Testing / Qualification.]


Legend for the life cycle model

Abbreviation | Description
-------------|--------------------------------
VP           | Validation Plan
QP           | Qualification Plan
QPP          | Quality and Project Plan
URS          | User Requirements Specification
FS           | Functional Specification
DS           | Design Specification
FAT          | Factory Acceptance Test
SAT          | Site Acceptance Test
IQ           | Installation Qualification
OQ           | Operational Qualification
PQ           | Performance Qualification
VR           | Validation Report
QR           | Qualification Report


Validation plan
The validation plan (VP) specifies the overall strategy and specifies the parties
responsible for the validation of a system in its operational environment [PDA,
GAMP4].

In the case of complex plants (for example a production line with several
process cells and computer systems), there may also be a master validation
plan (MVP) as well as VPs valid only for specific process cells and systems.

See also GAMP 4, Appendix M1 "Guideline for Validation Planning".

Quality and project plan


The quality and project plan (QPP) defines the scope of and procedures relating to
project and quality management; document and change control procedures, for
example, are specified here. The life cycle is defined in the QPP in such a way
that it includes not only the project phases relevant for validation, but also other
organizational relationships (for example, different time schedules from the
various sections).
Due to their similar structures and contents, a combination of the QPP and QP is
possible.

See also GAMP 4, Appendix M6 "Guideline for Quality and Project Planning".

Qualification plan
In contrast to the validation plan, a qualification plan (QP) describes the
qualification activities in detail. It defines the tests to be performed and indicates
the dependencies.
The qualification plan follows a validation plan. Due to the similar contents of both
documents, it is possible to combine the QP and the QPP.

Specification
The specification phase starts with the creation of the URS. As a rule, the URS is
created by the user and describes the requirements which the system has to meet.
Once the URS has been created, an FS is created, usually by the supplier. The FS
describes the requirements defined in the URS more precisely on a functional
level. The subsequent DS contains detailed requirements as regards system build.


The function and design specifications both form the basis for later qualification
and validation tests. The following issues also have to be addressed during the
function and design specification phases:

Software structure

Programming standards

Naming conventions

File naming convention

User requirements specification (URS)


The URS describes the requirements the system has to meet from the user's point
of view. The URS is generally created by the system user possibly with the support
of the system supplier.
It is the basis of all subsequent specifications.

See also GAMP4, Appendix D1 "Example Procedure for the Production of a URS".

Functional specification (FS)


As a rule, the FS is created by the system supplier, occasionally in collaboration
with the end user. It describes in detail the functions of the system, based on the
URS. The approved FS is the basis for creating detailed specifications.

See also GAMP4, Appendix D2 "Example Procedure for the Production of a FS".

Design specification (DS)


The design specification is usually created by the system supplier. It is based on
the FS and expands this with detailed descriptions, for example, of the hardware
and software to be used, process tag lists, etc.

See also GAMP4, Appendix D3 "Example Procedure for the Production of a
Hardware Design Specification" and GAMP4, Appendix D4 "Example
Procedure for the Production of Software Design Specifications and Software
Module Design Specifications".

System Build
The system is implemented in accordance with the design specification during the
system build stage. Along with the procedures defined in the QPP and additional
guidelines (coding standards, naming conventions, and data backups, for
example), change management, which aims to enable changes to and deviations
from the original specifications to be traced, plays an important role.
See also GAMP 4, Appendix M8 "Guideline for Project Change Control" and
GAMP 4, Appendix M10 "Guideline for Document Management".


FAT
Once the system build steps have been completed, a factory acceptance test
(FAT) is often carried out on the supplier's premises and documented, enabling
any programming errors to be identified and remedied prior to delivery.
The aim of the FAT is for the customer to accept the system for delivery in its
tested state.

SAT
The site acceptance test (SAT) shows that a computer system works within its
target operating environment with interfaces to the instrumentation and plant
sections according to the specification. Depending on the project, the SAT can be
combined with commissioning (and therefore with the IQ or OQ).

Test phase / qualification


The FAT is followed by technical commissioning (commissioning phase). This
involves installing the system at the system operator's premises along with the
application software created, followed by technical commissioning, testing, and
qualification.
The commissioning and qualification phases can follow on from one another or can
be combined. To save time and money, it is recommended that commissioning and
qualification activities are coordinated.
The test planning should therefore be created in good time so that it is possible to
check whether or not tests undertaken beforehand during FAT or SAT need to be
repeated during qualification. In this case, the documented FAT / SAT tests
become part of the qualification documentation.
When test documents are created, tests and acceptance criteria must be clearly
described.

Qualification report
The qualification report (QR) summarizes the results of the tests performed, based
on the qualification plan, and confirms that the qualification phases have been
completed successfully.

Validation report
The validation report (VR) sums up the results of the individual validation steps and
confirms the validated status of the system. The creation of both the validation plan
and the validation report is the responsibility of the customer.


1.2 Regulations and Guidelines


The recommendations and guidelines of various organizations have to be taken
into account when configuring computer systems requiring validation in the GMP
environment. These are usually based on general guidelines, such as Code of
Federal Regulations Title 21 (21 CFR) of the US Food and Drug Administration
(FDA) or the EU GMP Guide Annex 11.

Ordinance / policy | Author/organization | Title | Ordinance / recommendation | Scope
-------------------|---------------------|-------|----------------------------|------
21 CFR Part 11 | US FDA | Electronic records, electronic signature | Ordinance | Manufacturers and importers of pharmaceutical products for the US market
21 CFR Part 210 | US FDA | Current good manufacturing practice in manufacturing, processing, packing, or holding of drugs; general | Ordinance | Manufacturers and importers of pharmaceutical products for the US market
21 CFR Part 211 | US FDA | Current good manufacturing practice for finished pharmaceuticals | Ordinance | Manufacturers and importers of pharmaceutical products for the US market
Annex 11 of the EU-GMP Guide | European Commission Directorate General III | Computerized Systems | Policy | Europe
Annex 18 of the EU-GMP Guide | European Commission Directorate General III | Good Manufacturing Practice for Active Pharmaceutical Ingredients | Policy | Europe
GAMP 4 | ISPE | GAMP 4 Guide for Validation of Automated Systems | Policy | Worldwide
GAMP Good Practice Guide | ISPE | Validation of Process Control Systems | Recommendation | Worldwide
NAMUR Recommendation NE 71 | NAMUR | Operation and Maintenance of Validated Systems | Recommendation | Europe

Note
This manual is based on the requirements of GAMP 4 and US 21 CFR Part 11.


Code of Federal Regulations Title 21 (21 CFR), Food and Drugs


Code of Federal Regulations Title 21 is comprised of different Parts, such as Parts
11, 210, and 211. Part 11 is of particular significance for computerized systems
(and is known as 21 CFR Part 11). This Part deals with electronic records and
electronic signatures.

Annex 11 of the EU-GMP Guide


Annex 11 of the EU-GMP Guide contains 19 points which describe the
configuration requirements, operation, and change control of computer systems in
the GMP environment. An interpretation of Annex 11 can be found in the GAMP
4 Guide for Validation of Automated Systems in the form of an APV (International
Association for Pharmaceutical Technology) guideline.

Annex 18 of the EU-GMP Guide


Annex 18 of the EU GMP Guide deals with good manufacturing practice (GMP) for
active pharmaceutical ingredients. It is designed to be used as a GMP guide when
manufacturing active pharmaceutical ingredients in the context of a suitable quality
management system. Section 5 of Annex 18 deals with process equipment and its
use.

GAMP Guide for Validation of Automated Systems "GAMP 4"


The GAMP (Good Automated Manufacturing Practice) Guide for Validation of
Automated Systems was compiled to be used as a recommendation for suppliers
and a guide for the users of computer systems in the pharmaceutical
manufacturing industry. The current version "GAMP 4" was published in
December 2001.

NAMUR recommendations
NAMUR recommendations are experience reports that were produced by the
"Process Control Systems Special Interest Group of the Chemical and
Pharmaceutical Industry" for optional use by its members. They should not be
viewed as standards or guidelines. The NAMUR recommendations below are of
particular interest for the configuration and use of computer systems in the GMP
environment:

• NE 71 "Operation and Maintenance of Validated Systems"


1.3 Responsibilities

Responsibilities for the activities included in the individual life cycle stages must be
defined when configuring computer systems in the GMP environment and creating
corresponding specifications. As this definition is usually laid down on a customer-
and project-specific basis and requires a contractual agreement, it is
recommended that the definition be integrated into the quality and project plan. See
also GAMP 4, Appendix M2.


1.4 Approval and change procedure


When new systems requiring validation are set up or when existing systems
requiring validation are changed, the top priority is to achieve or retain validated
status.

Setting up new systems


If a new system is set up, document approval and the transitions between life cycle
stages are defined prior to commencement of the project. This is usually carried
out in conjunction with the definition of responsibilities contained in the quality and
project plan. A life cycle like the one described in Chapter 1.1 "Life cycle model" is
used.

Changing validated systems


Changes to an existing, validated system are regulated as per the company's
change control procedures. Before any changes are carried out they must be
described, potential consequences must be identified, and associated steps
(performing tests, updating as-built documentation, for example) must be defined.
Once final approval has been received, the planned change is carried out, as are
the defined steps.
If comprehensive changes are needed, a life cycle similar to the one shown in this
manual may be used if required.


1.5 Software categorization of control systems


As described in Chapter 2.2 "Software categorization" and chapter 7.4.1 "Software
categorization according to GAMP Guide", a system's software can be classified
into five software categories in accordance with the GAMP 4 Guide for Validation
of Automated Systems. The software categories have a considerable effect on the
amount of work required during the test and qualification stage and must be
determined during the specification stage for the software used.


2 Requirements of computer systems in a GMP environment

This chapter describes the essential requirements that a computer system must
meet when it is used in the GMP environment. These requirements must be
defined in the specification and implemented during configuration. In general,
proof of who has changed or performed what and when they have done it must
always be recorded (the "why" is optional). The requirements of this task are
implemented in various functions and described in the following chapters.
The following graphic shows the life cycle model. The requirements focused on in
this chapter can be assigned to the Specification area in the graphic.

[Figure: life cycle model, showing the Development Life Cycle of Automated
Production Plant / Equipment and the Development Life Cycle of Computer System.
Elements: VP, QPP, QP, URS, FS, DS, Module Development, Module Testing,
Application Development, System Build, FAT, SAT, IQ, OQ, PQ, QR, VR and the
Traceability Matrix; phases: Specification, Testing / Qualification.]


2.1 Hardware categorization

A system's hardware components are assigned to one of two hardware categories
in accordance with the GAMP 4 Guide, Appendix M4. The hardware categories
are listed below:

Category 1, standard hardware


Category 1, standard hardware includes established, commercially-available
hardware components. This type of hardware is also subject to the relevant quality
and testing mechanisms.
The hardware is accepted and documented by means of an IQ test.

Category 2, customized hardware


The functionality of such hardware must be specified, then checked and
documented in detail by means of appropriate, documented tests.


2.2 Software categorization
According to the GAMP Guide for Validation of Automated Systems, the
software components of a system are assigned to one of five software categories.
The five GAMP software categories are listed below:

Category 1, operating systems


Category 1, operating systems, covers established commercially available
operating systems. These are not subject to validation themselves; however, the
name and version of the operating system must be documented and verified during
installation qualification (IQ).

Category 2, firmware
Category 2 includes the firmware, for example in field instruments or compact
controllers, whose configuration has been adapted to e.g. the on-site conditions.
Here too, the name and version of the firmware must be documented, along with
its configuration, and checked in the context of an installation qualification (IQ). The
device functionality must be checked by means of an operational qualification
(OQ).

Category 3, standard software products


Category 3 includes commercially-available standard software packages, as well
as standard solutions for particular processes. Configuration of these software
packages should be restricted to the adaptation of the runtime environment (e.g.
network and printer connections) and the configuration of process parameters. The
name and version of the standard software package must be documented and
checked in the course of installation qualification (IQ). Customer requirements
(such as access protection, interrupts, alarms, or calculations) must be
documented and checked in the context of an operational qualification (OQ).

Category 4, configurable software products


Category 4 includes configurable software packages, which facilitate specific
business and manufacturing processes. Standard software modules need to be
configured for such packages. These software packages should only be
considered to be Category 4 if they are well known and fully developed, otherwise
Category 5 would be more suitable. If critical and/or complex applications are
involved, a supplier audit is usually carried out.
The name, version, and configuration must be documented and checked as part of
an installation qualification (IQ). The functions of the software packages must be
checked against the user requirements in an operational qualification (OQ). The
validation plan must take the life cycle model and an assessment of suppliers and
software packages into account.


Category 5, customized software


Category 5 includes customized software, which has been developed in order to
meet the specific needs of the customer.
A supplier audit is usually required in order to verify that suitable quality systems
were used to check the development and subsequent maintenance of the software.
Otherwise, suppliers must use the GAMP 4 Guide as a basis for their own
development life cycles.
Once again, the name, version, and configuration must be documented and
checked as part of an installation qualification (IQ). A detailed software
specification must be created and the function of the software verified in an
operational qualification (OQ). The validation plan should define a complete life
cycle for validation.
The amount of test work involved is considerably greater if software of higher
categories is used, as opposed to software of lower categories.
The amount of validation and testing work can be reduced by making use of
standardized software wherever possible.


2.3 Configuration management
The GAMP 4 Guide defines configuration management as the process which
needs to be followed in order to precisely define an automated system at any point
during its life cycle, from initial development right through to decommissioning of
the system.
Configuration management involves using administrative and technical procedures
in order to:

- Identify and define basic system components and specify them in general
- Control changes to and approvals of elements
- Record and document element statuses and modifications
- Ensure elements are complete, consistent, and correct
- Control the storage, treatment, and delivery of elements.

Configuration management comprises the following activities:

- Configuration identification (what is to be kept under control)
- Configuration control (how the control is performed)
- Configuration status report (how the control is documented)
- Configuration evaluation (how the control is verified)

This chapter deals with configuration identification and configuration control.


2.3.1 Configuration Identification
Version and change management is only practicable with a suitable configuration
environment. Siemens therefore identifies every software and hardware package
using a unique product label (Machine-Readable Product Code - MLFB) and
version identifier. For the application software, the parts of an automated system
that are subject to configuration management must be clearly specified. The
system must be divided into configuration elements to this end. These must be
defined at an early stage of system build to ensure that a complete list of
configuration elements can be created and maintained. Application-specific
elements should have a unique ID (name or identification number). The amount of
detail required when defining elements is determined by the requirements of the
system and the supplier who is developing the application.

2.3.2 Configuration control
The maintenance of configuration elements must be checked at regular intervals
by means of reviews, for example. Here, particular attention must be paid to the
change control and the related versioning. Archiving and release of individual
configuration items should also be taken into account.

2.3.2.1 Versioning
To ensure correct change management, the configuration elements must be
versioned. The version must be updated each time a change is made.

2.3.2.2 Change control
Suitable control mechanisms must be in place during configuration in order to
ensure that changes are documented and transparency achieved. The control
mechanisms can be described by means of SOPs and must cover the following:

- Software versioning
- Specifications such as programming guidelines, naming conventions, etc.
- Safeguarding of the traceability of changes to program codes
- Unique identification of software and all components contained within


2.4 Software creation
Certain guidelines must be followed during software creation, which must be
documented in the quality and project plan (GEP idea). Software creation
guidelines can be taken from the GAMP 4 Guide for Validation of Automated
Systems and from relevant standards and recommendations.

2.4.1 Use of typicals for programming


As shown in Chapter 2.2 "Software categorization", the amount of validation work
required increases enormously as you go up through the GAMP software
categories. While the validation of category 1 software only calls for the software
name and version to be checked, category 5 software validation requires the entire
range of functions to be checked and a supplier audit to be performed.
To keep validation work to a minimum, preference should be given to standardized
function blocks during configuration (products, standard company components,
standard project components). Customer-tailored typicals are created from
standard function blocks and tested according to design specifications.

2.4.2 Identifying software modules/typicals


During software creation the individual software modules must be assigned a
unique name, a version, and a short description of the module. If changes are
made to software modules, this must be reflected in the module ID.

2.4.3 Changing software modules/typicals


If changes are made to software modules, this must be noted in the corresponding
module ID. As well as incrementing the version identifier, the date of the change
and the name of the change initiator must also be included in the software
module's ID. If required, the software modules to be changed must be indicated by
means of a comment and a reference to the corresponding change request/order.
See also Chapter 8.1 "Operational ".


2.5 Access protection and user management


To ensure that computer systems in the GMP environment are secure, such
systems must be equipped with an access-control system. Access-control systems
can not only deny or permit users access to certain rooms, but can also protect
systems against unauthorized access. Users are put into groups which are in turn
used to manage user rights. Individual users can be granted access authorization
in various ways:

- A combination of unique user ID and password - a description of the configuration can be found in Chapter 2.5.2 "User ID and password requirements".
- Chip cards together with a password
- Biometric systems

The system owner or an employee (administrator) nominated by the end user
controls the assignment and management of user authorizations to ensure that
access is suitably protected.

2.5.1 Applying access protection to a system


In general, actions which can be executed on a computer system must be
protected. Depending on his or her particular field of activities, a user can be
assigned various rights. Access to user administration should only be given to the
system owner or to specified employees. Recorded electronic data must still be
protected against unauthorized access.
An automatic logout function must be installed on the system. The logout time
should be agreed and defined with the operator and noted in the FS.

Note
Please note that only authorized persons must be able to access PCs and the
system. This can be ensured by using appropriate measures such as mechanical
locks and hardware and software for remote access.


2.5.2 User ID and password requirements


User ID:
The user ID for a system must be of a minimum length defined by the customer
and be unique within the system.
Password:
A password should usually be a combination of numeric and alphanumeric
characters. When defining passwords, the minimum number of characters and the
expiry period for the password should be defined. Generally, the password
structure is defined on a customer-specific basis. The configuration is described in
Chapter 4.6 "Setting up user management".
Password structure criteria:

- Minimum password length
- Use of numeric and alphanumeric characters
- Use of uppercase and lowercase letters
- Use of numerals (0-9)
- Use of special characters

In order to comply with the Windows guidelines for password complexity, at least
three of the criteria listed must be taken into account in the password alongside the
minimum length.

2.5.3 Case sensitivity Smart Cards and Biometric Systems


Apart from the traditional methods of identification with a user ID and password,
users can also identify themselves with smart cards along with a password/PIN or
with biometric systems, such as fingerprint scanners.


2.6 Electronic signatures
Electronic signatures are computer-generated character strings, which act as
legally binding equivalents to handwritten signatures.
Regulations concerning the use of electronic signatures are defined in US FDA 21
CFR Part 11, for example.
Electronic signatures are of practical relevance when it comes to manual data input
and operator intervention during runtime, approving process actions and data
reports, and changing recipes, for example.
Each electronic signature must be assigned uniquely to one person and must not
be used by any other person.
It must be possible for a pharmaceutical company to confirm to the authorities that
an electronic signature represents the legal equivalent of a handwritten signature.
Electronic signatures can be biometrically based or the system can be set up
without biometric features.

Note
The regulations found in 21 CFR Part 11, published by the FDA, must be satisfied
in the manufacture of all pharmaceutical products and medical devices intended
for the US market.

2.6.1 Conventional electronic signatures


If electronic signatures are used that are not based on biometrics, they must be
created so that persons executing signatures must identify themselves using at
least two identifying components. This also applies in all cases in which a smart
card replaces one of the two identification components.
These identifying components can, for example, consist of a user ID and a
password. The identification components must be assigned uniquely and must only
be used by the actual owner of the signature.
When owners of signatures want to use their electronic signatures, they must
identify themselves with at least two identification components. The exception to
this rule is when the owner executes several electronic signatures during one
uninterrupted session. In this case, persons executing signatures need to identify
themselves with both identification components only when applying the first
signature. For the second and subsequent signatures, one unique identification
component (password) is then adequate identification.
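
The session rule described above can be sketched as follows. This is an added example, not code from this manual or from SIMATIC WinCC; the class names, the PBKDF2 password storage and the 10-minute automatic-logout time are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Assumed automatic-logout time; the real value is agreed with the operator.
IDLE_LIMIT = timedelta(minutes=10)


def _derive(password, salt):
    """Salted password hash (PBKDF2 is this example's choice of storage)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    """Hypothetical user database: one unique user ID per person."""

    def __init__(self):
        self._users = {}

    def add(self, user_id, password):
        if user_id in self._users:
            raise ValueError("user ID must be unique within the system")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt))

    def check(self, user_id, password):
        entry = self._users.get(user_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _derive(password, salt))


class SigningSession:
    """One uninterrupted session of a single signer."""

    def __init__(self, store):
        self._store = store
        self._signer = None          # set by the first, two-component signature
        self._last_activity = None
        self.signatures = []

    def logout(self):
        """A manual or automatic logout interrupts the session."""
        self._signer = None
        self._last_activity = None

    def sign(self, meaning, password, user_id=None, now=None):
        now = now or datetime.now(timezone.utc)
        if self._last_activity is not None and now - self._last_activity > IDLE_LIMIT:
            self.logout()
        if self._signer is None:
            # First signature of the session: both components are required.
            if user_id is None or not self._store.check(user_id, password):
                raise PermissionError("user ID and password required")
            self._signer = user_id
        else:
            # Subsequent signature: the password alone is sufficient, but it
            # is always checked against the person who opened the session.
            if user_id not in (None, self._signer):
                raise PermissionError("session belongs to another signer")
            if not self._store.check(self._signer, password):
                raise PermissionError("password check failed")
        self._last_activity = now
        record = {"signer": self._signer, "meaning": meaning, "utc": now.isoformat()}
        self.signatures.append(record)
        return record
```

Once the idle limit has passed, a password on its own is rejected and the next signature again needs both components.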


2.6.2 Electronic signatures based on biometrics


An electronic signature based on biometrics must be created in such a way that it
can only be used by one person. If the person making the signature does so using
biometric methods, one identification component is adequate.
Possible biometric recognition systems include systems for scanning a fingerprint
or the iris of the eye.
Note
The use of biometric systems is currently considered a secure identification
method. Nevertheless, there are reservations about the use of biometric
identification characteristics in the pharmaceutical industry (e.g. poor face
recognition due to protective clothing covering the face, no fingerprint scans with
gloves, the expense involved and the reaction times of retina scans).

2.6.3 Security measures for user IDs/Passwords


The following points must be observed in order to safeguard the security of
electronic signatures where user IDs and passwords are used:

- Uniqueness of user ID and password
- Monitored output of user IDs
- Permissions retracted if user IDs/passwords are lost or found to be insecure or compromised
- Security precautions used to prevent the unauthorized use of user IDs/passwords or to report any misuse
- Personnel trained and provided with proof of such training


2.7 Audit trail
The Audit Trail is a control mechanism of the system that allows all data entered or
modified to be traced back to the original data. A secure Audit trail is particularly
important as regards the creation, modification, or deletion of GMP-relevant
electronic records.
In this case, the Audit Trail must archive and document all changes or actions
performed, together with the corresponding date and time. The typical content of
an Audit Trail must be specified and must cover "who" has changed "what" and
"when" (old value/new value).
The archiving period must correspond to the period stipulated in the specification.
There must be adequate hard disk space to allow the entire Audit Trail to be stored
until the next transfer to an external data medium.
Systems which provide adequate data security must be used (e.g. redundant
systems, standby systems, mirrored hard disks based on RAID 1).


2.8 Time synchronization
A consistent time reference (including a time zone reference) must be guaranteed
within a system, in order to be able to assign a unique time stamp for archiving
messages, alarms, etc.
Time synchronization is especially important for archiving data and analysis of
faults. UTC (Universal Time Coordinated, defined in ISO 8601) is recommended for
the time base for saving data. The time can be displayed in local time with a note
regarding summer / winter time.
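
The following added example (not part of the manual and not WinCC code) combines the audit trail content from Chapter 2.7 with the UTC time base described here: entries record who, what, when and old/new value in UTC, and are displayed in local time with a summer/winter note. The tag name, user names and the Central European display zone with the EU changeover rule are assumptions; the sample entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuditEntry:
    seq: int        # consecutive number
    utc: datetime   # "when", stored in UTC
    user: str       # "who"
    item: str       # "what"
    action: str     # create / modify / delete
    old: object
    new: object


class AuditTrail:
    """Append-only store: entries can be added and read, never edited."""

    def __init__(self):
        self._entries = []

    def record(self, user, item, action, old, new, when):
        if when.tzinfo is None:
            raise ValueError("time stamp has no time zone reference")
        if action not in ("create", "modify", "delete"):
            raise ValueError("unknown action: " + action)
        entry = AuditEntry(len(self._entries) + 1, when.astimezone(timezone.utc),
                           user, item, action, old, new)
        self._entries.append(entry)
        return entry

    def trace(self, item):
        """Return all entries for item, oldest first, back to the original value.

        Raises ValueError if an entry's old value is not the previous entry's
        new value, i.e. a change happened that the trail did not capture.
        """
        history = [e for e in self._entries if e.item == item]
        for prev, cur in zip(history, history[1:]):
            if cur.old != prev.new:
                raise ValueError(f"gap before entry {cur.seq}")
        return history


def _last_sunday_01utc(year, month):
    """01:00 UTC on the last Sunday of March or October (both have 31 days)."""
    d = datetime(year, month, 31, 1, 0, tzinfo=timezone.utc)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def to_local_display(utc):
    """Format a stored UTC stamp as Central European local time with a note."""
    utc = utc.astimezone(timezone.utc)
    summer = _last_sunday_01utc(utc.year, 3) <= utc < _last_sunday_01utc(utc.year, 10)
    local = utc + timedelta(hours=2 if summer else 1)
    note = "CEST (summer time)" if summer else "CET (winter time)"
    return f"{local:%Y-%m-%d %H:%M:%S} {note}"


def build_sample_trail():
    """Constructed sample: three changes to one hypothetical setpoint tag."""
    trail = AuditTrail()
    tag = "Reactor1.TempSetpoint"
    utc = timezone.utc
    trail.record("eng_weber", tag, "create", None, 50.0,
                 datetime(2007, 10, 27, 14, 0, tzinfo=utc))
    trail.record("op_miller", tag, "modify", 50.0, 55.0,
                 datetime(2007, 10, 28, 0, 30, tzinfo=utc))
    trail.record("qa_schmidt", tag, "modify", 55.0, 52.5,
                 datetime(2007, 10, 28, 1, 30, tzinfo=utc))
    return trail


if __name__ == "__main__":
    for e in build_sample_trail().trace("Reactor1.TempSetpoint"):
        print(e.seq, e.utc.isoformat(), to_local_display(e.utc),
              e.user, e.old, "->", e.new)
```

The last two sample entries fall on either side of the autumn changeover and show the same local wall-clock time; only the stored UTC value and the summer/winter note keep them in the correct order.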


2.9 Archiving Data
Archiving means the permanent storage of electronic data and records of a
computer system in a long-term storage system. 1
The customer is responsible for the definition and checks involved in storing
electronic data.
Based on the predicate rules (GMP Guide, 21 CFR Part 210, 21 CFR Part 211,
etc.), the customer must decide how electronic data will be retained and, in
particular, which data will be affected by this procedure. This decision should be
based on a justified and documented risk assessment that takes into account the
significance of the electronic records over the archiving period.
The customer should define the following requirements 2:

- Whether any archiving is even required for the application in question (backup/restore function may be kept separate from the archive function)
- Required archiving duration for the relevant data types, based on legal and commercial requirements
- An archiving procedure; the restoration capability, data format, practicality, life of the media and the platform. If electronic storage is selected, the electronic data can be stored in a standard format such as PDF, XML, SGML, etc.
- A procedure for recording metadata used to correctly interpret saved data
- Demonstration of ongoing controls on the contiguous recording of electronic data and of the authenticity of electronic signatures

Process values (often in the form of trends), alarms (interrupts, warnings, etc.),
Audit Trails, and, under certain circumstances, other batch data can be archived
for SIMATIC systems.
The memory space on a system's data carriers is restricted. Data can be swapped
out to external data carriers at regular intervals in order to free up space on these
system data carriers.
When migrating or converting the archived data, the integrity of the data must be
assured over the entire conversion process. 3

1 "Good Practice and Compliance for Electronic Records and Signatures. Part 1, Good Electronic Records Management". ISPE/PDA 2001.

2 "Good Practice and Compliance for Electronic Records and Signatures. Part 3, Models for Systems Implementation and Evolution". PDA 2004.

3 "Good Practice and Compliance for Electronic Records and Signatures. Part 3, Models for Systems Implementation and Evolution". PDA 2004.


2.10 Batch reporting
When producing pharmaceuticals and medical equipment, batch documentation
takes on a special significance. For a pharmaceutical manufacturer, methodically
created batch documentation is often the only documented evidence within the
framework of product liability.

2.10.1 Components of batch documentation


The components of batch documentation are as follows:

- Manufacturing formula / processing instructions and manufacturing log
- Packaging instructions and packaging log (from a pharmaceutical point of view, the packaging of the finished medicinal product is part of the manufacturing process)
- Test instructions and test log (relating to quality checks, e.g. example analysis)

The manufacturing log (or packaging log) has a central significance here and this is
defined below:

- The manufacturing log is always both product-related and batch-related
- It is always based on the relevant parts of the valid manufacturing formula and processing instructions
- It records all measurement and control procedures relevant to the process as actual values
- It compares these with the specified desired values

2.10.2 Components of the manufacturing Log


Mandatory parts of the manufacturing log include:

- Name of the product and number of the produced batch
- Date and time of commencement, significant interim stages and completion of production
- Name of the person responsible for each stage of production
- Initials of the operator involved in all significant production steps and, when applicable, the person checking the operations (double-check when weighing materials, for example)
- The batch number and / or the analytical control number and the actual quantities of all constituent materials
- All relevant processing steps, any unusual events and the major equipment used
- Recordings of in-process controls, including initials of the person performing them and the results obtained
- The yields of the relevant interim stages
- Information on special problems, including details of any deviation from the manufacturing formula and processing instructions and the signature of the person who authorized the deviation.


2.10.3 The uses of electronic batch data


Since the term "electronic batch record" (acronym: EBR) is not clearly defined in
this context, there are two ways of using electronic records in the documentation of
pharmaceutical production:
1. The electronic records form part of the batch documentation or
2. The entire manufacturing log is created electronically.
Since all the requirements listed above must be met by an electronic
manufacturing log and data from different systems (for example, PCS, laboratory
data, remarks by operators) also often needs to be integrated, the situation is often
as in case 1. In other words, the data is used as part of the batch documentation,
often in conjunction with data from other systems and records on paper.

2.10.4 Requirements of electronic records


When electronic records are used as part of the batch documentation or even as
the manufacturing log itself, the following additional requirements apply (see also
EU GMP Guide, Section 4.9; 21 CFR Part 11 Electronic Records, Electronic
Signatures):

- The initials and signatures required by the regulations must be implemented as electronic signatures
- "Relevant" production steps / processes, "significant" interim stages and "major" equipment must be defined in advance by the person responsible from a pharmaceutical perspective; this definition is often process-specific
- The system must be validated
- Only authorized persons should be able to enter or change data (access protection)
- Changes to data or deletions must be recorded (Audit Trail)
- The electronic records must be protected by back-up copies
- If an electronic manufacturing log is used, its structure and contents must match the structure and contents of the manufacturing formula / processing instructions. As an alternative, the manufacturing instructions and log can also be combined in one document


2.11 Data backup
In contrast to the archiving of electronic data, data backups are used to create
backup copies which allow the system to be restored if the original data or entire
system is lost. 4
The backup procedure must cover the periodic backup of volatile information to
avoid total loss of data due to defective system components or inadvertent deletion
of data. Backup procedures must be tested to ensure that data is saved correctly.
Backup records should be labeled clearly and intelligibly and dated. 5
Data backups are created on external data carriers. The data carrier used should
comply with the recommendations of the device manufacturer.
When backing up electronic data, a distinction is made between software backups
(for example application software, partition images) and archive data backups.
Here, particular attention is paid to the storage of data backup media (storage of
the copy and original in different locations, protection from magnetic fields, and
elementary damage).

4 "Good Practice and Compliance for Electronic Records and Signatures. Part 1, Good Electronic Records Management". ISPE/PDA 2001.

5 "Electronic Records and Electronic Signatures Assessment". Chris Reid & Barbara Mullendore, PDA 2001.


2.11.1 Application software
Software backups have to be created following every software change on a system
and must document the system's last valid software version. If parts of the software
are modified, it is sufficient to only back up the modified part of the application
software. Complete software backups still have to be created at regular intervals,
however. If software backups are to be created as part of a software change on an
existing system or a system reinstallation, they must be created once the
installation has been performed. During the course of the project the software
version must be backed up and documented at defined milestones, such as at the
end of the FAT (i.e. prior to delivery of the system), once the installation
qualification (IQ) has been completed, prior to the tests involved in the operational
qualification (OQ), and, of course, when the system is handed over to the operator.
Software versions must also be retained in the form of software backups at regular
intervals during the creation of new software versions.
Software backups of the application software and configuration parameters must
be created.

Labeling software backups


According to the GAMP 4 Guide for Validation of Automated Systems, the
following information about software backups must be provided, both on the label
of the backup medium and in a separate log:

- Creation date
- System name
- Software or version name
- Serial number of backup
- Reason for the software backup
- Date of first use
- Date of backup
- Date and signature of the person performing the backup
- Identity of the user


Retaining software backups


At least the two most recent software backups must be retained. For reasons of
safety, these should be stored at a different location from the system (according to
the recommendations of the BSI (German authority responsible for security in
information technology), for example in a fire compartment separate from the
system).
A suitable backup strategy must be defined, based on the frequency with which
changes are made to the software.
The data carrier's shelf life must be defined (based on manufacturer documentation
or on publications issued by the Bundesamt für Sicherheit in der
Informationstechnologie, the German Federal Office for Information Security) and
the software backup must be appropriately migrated by copying it to a new data
carrier, for example, before this period expires.

2.11.2 Process data
The data stored in computer systems, such as trends, measured values, or
interrupts, should be backed up to external data carriers at regular intervals. This
will minimize the risk of data being lost should a fault occur.

Labeling data backups


According to the GAMP 4 Guide for Validation of Automated Systems, data
backups should be documented either on the label of the backup itself or in a
separate report containing the following information:

- System designations
- Software / data designation
- Version and/or software/firmware build number, if available
- Creation date
- Date of first usage
- Consecutive number
- Date of the data backup
- Reason for the data backup
- Identity of the user

Retention of data backups


The same guidelines apply as described under "Retaining software backups" in
Chapter 2.11.1 "Application software".
Since process data, in contrast to software, is not normally stored in "overlapping"
versions, suitable measures must be taken to ensure data integrity.


2.12 Retrieving archived data


Backed up data must be retrievable at all times. Following system updates, care
must be taken that the data transferred to archive prior to the update remains
compatible.


2.13 Use of third-party components


If third-party components (hardware and software) specifically tailored to individual
customers are used, a supplier audit must be performed in order to check the
supplier and their quality management system. It must be confirmed that such
hardware components are compatible.
Compatibility must also be confirmed when standard hardware and software
components provided by other manufacturers are used.
Note
The GAMP 4 Guide in Appendix M2 contains a considerable amount of
information on auditing a product supplier.


System specification
This chapter focuses on the selection criteria for the hardware and software. The
activities for the selection of the products, product variants and system
constellations are performed in the specification phase of a computer system. This
is demonstrated in the following life cycle model by the marking in the left area.

[Figure: life cycle model. Development Life Cycle of Automated Production Plant / Equipment; Development Life Cycle of Computer System. Labels: VP, QPP, QP, URS, FS, DS, Module Development, Application Development, System Build, Module Testing, FAT, SAT, IQ, OQ, PQ, QR, VR, Traceability Matrix, Specification, Testing / Qualification.]

Two specification stages usually precede the detailed specification of the
computer system, which is defined in the Design Specification (DS):


User Requirements Specification (URS)


Note
Information relating to the requirements of a user requirements specification can
be found in GAMP 4, Appendix D1.

Functional Specification (FS)


Note
Information relating to the requirements of a functional specification can be found
in GAMP 4, Appendix D2.


3.1 Specification of system hardware

3.1.1 System structure
The SCADA system SIMATIC WinCC is intended for all branches and can be
adapted flexibly to specific customer requirements for a production plant.
With SIMATIC WinCC, you can implement a variety of different system
configurations from single-user systems to multiple-user systems with a
client/server structure.
With a single-user system, the entire operator control and monitoring of a
production process can be handled on one PC.
A multiple-user system consists of operator stations (WinCC clients) and one or
more WinCC servers that supply the WinCC clients with data.
Availability can be increased by setting up redundant systems.
To connect to the underlying automation level, for example, SIMATIC S7-300 / S7-400 or systems from other vendors, bus systems such as MPI, PROFIBUS or
Industrial Ethernet can be used. The choice of bus system depends on the number
of linked partners and the environmental conditions for data communication.
Note
The individual components can be selected from the current SIMATIC HMI
catalog ST 80 to suit the specification of the production plant.

3.1.2 Hardware specification
The Hardware Design Specification (HDS for short) describes the hardware
architecture and configuration. The following aspects should be defined at this
point. This will serve as the checking basis for IQ and OQ later on.

Hardware overview diagram

Network topology

PC components for server and client

Automation system with CPUs, I/O cards, etc.

Field devices

The HDS can be recorded in the Functional Specification or in a separate document.

Note
The defaults in the hardware overview diagram and the names of the hardware
components must be unique. The designation for each hardware component may
only occur once in the computer system.

Note
More information relating to the requirements can be found in GAMP 4,
Appendix D3.

3.1.3 Selecting the hardware components


The SIMATIC WinCC software can be installed on any standard PC that meets the
minimum requirements for the hardware and software configuration.
For production plants in a GMP environment (for example, in food and beverages
or pharmaceutical industry) Siemens has developed particularly rugged panel PCs
with touch screens and stainless steel fronts specially for installation on the shop
floor. The SIMATIC WinCC software is available in conjunction with a Panel PC as
a complete HMI system.
As an alternative to the Panel PC, the use of LCD monitors of the type SIMATIC
Flat Panel is recommended. The monitors are rugged and designed for industry
and they are intended for use directly on the machine separate from the PC. They
are available both with and without control elements.
Using hard disks with a RAID system prevents data from being lost when a hard
disk fails. In a RAID system (RAID = Redundant Array of Independent Disks), e.g.
RAID 1 or RAID 5, the data are saved redundantly on several hard disks.
A particularly high level of availability is achieved with the WinCC server's
redundant structure. All hardware components such as PC, screen, operator
controls are set up in duplicate. If one system fails, the other automatically
assumes functionality.
Details of the minimum requirements for the hardware and software configuration
for the SIMATIC WinCC software and suitability of the recommended hardware for
industrial use can be found in the current SIMATIC HMI catalog ST 80.
Note
We recommend using the approved hardware from the current SIMATIC HMI
catalog ST 80 since this has been checked by Siemens in system tests.
When PCs are installed in switching cabinets, make sure that suitable hardware
components are used, for example remote kits.
SIMATIC PCs are available with the operating systems approved for WinCC.


3.2 System network security


In modern SCADA systems, the boundaries between the office world and that of
automation are increasingly disappearing. Automation solutions with connected
WEB clients, MES connections, custom-made office networks and their office
applications are growing in importance. In order to satisfy these demands and
ensure as high a level of system security as possible, the planning and structure of
networked WinCC automation solutions are key.
Note
The Siemens manual "SIMATIC WinCC Security Concept" contains
recommendations and information on planning and setting up networks.

Scope for improving system security


SIMATIC WinCC offers several ways of improving system security. These include:

SIMATIC Security Control (SSC)

SIMATIC NET SCALANCE S

SIMATIC Security Control


The SIMATIC Security Control application checks the settings in the MS Windows
operating system against the requirements of the installed SIMATIC software.
Registry keys and DCOM settings are evaluated, and exceptions are proposed for the
Windows firewall. Clicking the "Accept" button applies the required settings
automatically in the Windows operating system. Documentation of
the settings can be printed or saved in XML format.
SIMATIC Security Control is included in the scope of delivery for SIMATIC WinCC
software.


SIMATIC NET SCALANCE S


SCALANCE S security modules are at the heart of Siemens' ground-breaking
security concept for protecting networks and data. The SCALANCE S protection
function checks all data traffic to and from the cell.
With a combination of different security measures such as firewall, NAT/NAPT
routers and VPN (Virtual Private Network) over IPsec tunnels, the SCALANCE S
devices protect individual devices or even entire automation cells from:

Data espionage

Data manipulation

Unauthorized access

Note
SCALANCE-S technology offers various applications. More information can be
found in the manuals of the SCALANCE family.


3.3 Application software specification

The Software Design Specification (SDS) describes the software architecture and
configuration. Not only does this include a description of the application software
but also a definition of the standard software components used in the system, for
example by stating the designation, version number, etc. This description is used as a
reference for subsequent tests (FAT, SAT, IQ, OQ).
This chapter introduces standard software components of SIMATIC WinCC and
options/add-on packages to meet the "Requirements of computer systems in a
GMP environment" as described in Chapter 2.
The following list shows an overview of the software components covered by this
manual.

Basic WinCC software that is already contained in the WinCC system software

| Designation | Short description | License in addition to WinCC license |
|---|---|---|
| Alarm logging | Message archiving | |
| Basic process control | Overview diagram and screen navigation, time synchronization | |
| Configuration tool | WinCC configuration using MS Excel | |
| Graphics designer | Editor for producing graphics | |
| Project duplicator | WinCC tool for copying/duplicating a WinCC project | |
| Redundancy | Redundant WinCC server | |
| Report designer | Creation of reports | |
| Security control | DCOM and firewall settings | |
| Tag logging | Process value archiving | |
| User administrator | User management in WinCC | |
| User archive | Production of user archives | |
| Tag management | Tag management | |
| WinCC server | For the server in a server/client structure | |


Options / add-on software packages

| Designation | Short description | License |
|---|---|---|
| Central archive server | Central data archiving | |
| DataMonitor | View of data via the web | |
| PM-CONTROL | Recipe data management and order planning | |
| PM-QUALITY | Batch-oriented data archiving and reporting | |
| SIMATIC Manager STEP 7 | Configuration tool for S7 automation systems | |
| SIMATIC Logon | Central user administration | |
| SIMATIC PC/PG image & partition creator | Hard disks, production of images | |
| Version trail | Project versioning in conjunction with SIMATIC STEP 7 | |
| WebNavigator | View of data and operation of the WinCC project via the web | |
| WinCC audit | Central Audit Trail for recording operator actions during operations and changes in the project configuration | |

3.3.1 Operating system
In principle, the latest information relating to the operating system and WinCC
installation can be found in the "Installation Notes" manual that is supplied with the
software package. The Read me first menu item on the WinCC Installation DVD
should also be observed along with the Installation Notes and Release Notes
sections.


3.3.2 Access protection and user management


Access protection for SIMATIC WinCC system components and the WinCC
premium add-ons is implemented with the SIMATIC Logon software. SIMATIC
Logon is a user management system based on Windows mechanisms that can be
used both in a workgroup and in a Windows domain. The use of SIMATIC Logon
meets the requirements of the FDA regulation 21 CFR Part 11 for "Electronic
Records and Electronic Signatures" regarding access control.

SIMATIC Logon
The user logs on to the system using SIMATIC Logon. The logout, user change
and password change functions are available to a logged-on user. SIMATIC Logon
should be installed on all SCADA systems (WinCC server and WinCC client).

User administrator
The permissions for controlling the process are configured in WinCC User
Administrator. Controlling the process is divided into individual operator control
functions that can be enabled for selected user groups. To be able to use these
functions, the user must be a member of the appropriate user group. At runtime,
the User Administrator checks the operator permissions in WinCC and SIMATIC
Logon checks the authorizations.

3.3.3 Electronic signature
An electronic signature is implemented in SIMATIC WinCC in conjunction with the
SIMATIC Logon software. SIMATIC Logon provides the interface that can be
addressed in WinCC using script functions for checking the user ID and password.


3.3.4 Audit Trail

WinCC Audit
For production plants operated in a GMP environment, in 21 CFR Part 11, the FDA
specifies the recording of changes to electronically managed records relevant for
GMP including the time stamp, user ID, old value and new value in the form of an
Audit Trail. The WinCC Audit option was developed for this functionality in
SIMATIC WinCC. The option covers the various Audit Trail requirements that arise from
the system architecture of WinCC as a client/server system, as a multiproject, etc.
WinCC Audit allows the user to implement one central
Audit Trail over several server/client systems and several WinCC projects.
Furthermore, WinCC Audit not only records the operator responses during runtime,
but also changes in the engineering phase.

WinCC Audit is sub-divided into the following software packages:

WinCC Audit RC for configuration of the Audit Trail for operator responses
during runtime and for engineering changes and recording the Audit Trail
during operations

WinCC ChangeControl RC is for configuration of the Audit Trail for changes
during configuration, that have been carried out e.g. on an approved product
version (see also chapter 3.3.5.3 "Change control")

WinCC Audit RT is for recording the Audit Trail per station (server or client
needed).

The following operations are recorded during runtime:

All kinds of operator input during operations, such as login/logout, changes to
I/O fields, dragging slider objects, selections in check boxes and text lists, etc.

All changes in the User Archives

Operations in external programs

The Audit Trail can be visualized with an Audit Viewer. A large number of standard
and customized filters can be set in the Audit Viewer to specifically select or
display the corresponding Audit Trail information. The Audit Trail information can
also be exported or even printed out. The Audit Viewer is included in the scope of
supply for the product.
The Audit Trail is stored in an SQL database. The WinCC Audit Trail database can
be configured such that the Audit Trail of one or more WinCC stations or of one or
more WinCC projects is recorded. It is also possible to store the Audit Trail
database on a local computer or on a computer in the network.
WinCC Audit works together with the SIMATIC Logon software to provide access
protection (see also chapter 4.6.6 "Setting up SIMATIC Logon for the Audit
option").

3.3.5 Engineering software
SIMATIC WinCC is a modular system. Its basic components are the Configuration
Software (CS) and Runtime Software (RT). Both software components are included
in the full WinCC package (RC). The selection of the full package depends on the
number of power tags (external tags) required to interface with the automation
level.
The Configuration Software (CS) contains all the basic functions for engineering
SIMATIC WinCC. The central component is the WinCC editor in which editors can
be opened for configuring the various functions. Some functions that are
recommended for a GMP environment are pointed out below.

3.3.5.1 Tag management

Tag management with Totally Integrated Automation


In a complete automation solution from Siemens (HMI system and SIMATIC S7
automation system), the variables (tags) can be imported from the SIMATIC
Manager into the tag management of WinCC. The variables are created and
managed centrally in the SIMATIC Manager. This ensures consistency within the
project. This reduces the effort involved in validating software (also see "GMP
Engineering Manual SIMATIC Step7", chapter 4.4.2 "Integrated system").


3.3.5.2 WinCC configuration tool


The configuration tool provides the option for configuring mass data with the
Microsoft Excel standard software. This means that the editing options of Microsoft
Excel such as automatic repetition of items can be used. The data is transferred to
the active WinCC project in a download procedure. The configuration tool allows
you to configure data from the tag management, alarm logging, tag logging and the
text library. Data from projects that already exist, for example, can be used again.
The WinCC configuration can be output as an overview and used for qualification.
The use of the configuration tool therefore reduces the work required for
engineering and qualifying the software.

3.3.5.3 Change control

WinCC Audit ChangeControl


WinCC projects that have already reached a completed version accepted by the
customer can be monitored for subsequent configuration changes by WinCC Audit
RC or WinCC ChangeControl. This gives operators a complete understanding of
when configuration changes were carried out after the accepted project status.
WinCC Audit distinguishes between changes

that are transferred into the WinCC database, for example adaptations to
the tag management, in Alarm Logging, in Tag Logging, etc.,

and changes that are carried out to WinCC configuration files, for example
in plant pictures, reports, scripts or even customer documents (these
changes are recorded by the document check),

and records them in the Audit Trail.


The following documents are managed by document management:

Graphics screens (.PDL)

C & VBS project functions (.FCT, .BMO)

C & VBS global actions (.PAS, .BAC)

Report layouts (.RPL)

User documents

If one individual document is to be changed, it must be checked out, changed and
then checked back in via document management. A copy of the document is
produced before it is checked out. This is saved as a version in the database (see
also diagram of WinCC Audit function overview in chapter 3.3.4 "Audit Trail"). This
means that corresponding versions of the document can be reproduced at any
time. It is essential that a comment is entered for each change to document the
change undertaken. We would recommend entering a reference to the change
request. In the Audit Trail, the file check out and check in is recorded with the time
stamp, WinCC project name, file name, user ID and any comment that may have
been entered. When checking in, the document control assigns documents write
protection to protect them from changes.


Note
When changes are made to documents, document control makes it possible to
recognize that a document has been changed; details of the change are, however,
not recorded and should be described in comments.
Systems must be in place to ensure that the files' write protection cannot be
altered manually in Windows Explorer.

The various versions of the documents can be displayed in a history view.
The rollback function allows an older document version to be restored. The
indicators used to distinguish versions are the time stamp and comments made
when the document was checked in.
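
The note above asks for measures against manual removal of the write protection on checked-in files. One way to detect such a change from outside WinCC is a baseline-and-verify check, shown here as an added example that is not Siemens code or part of WinCC Audit; the function names and the hash baseline are assumptions, and only the file extensions come from the document management list above.

```python
"""Baseline-and-verify check for document-managed WinCC files (added example)."""
import hashlib
import stat
from pathlib import Path

# Extensions the manual lists as handled by document management.
MANAGED_EXTENSIONS = {".pdl", ".fct", ".bmo", ".pas", ".bac", ".rpl"}


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large pictures do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _managed_files(project_dir: Path):
    """Yield every file below project_dir whose extension is document-managed."""
    for path in sorted(project_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in MANAGED_EXTENSIONS:
            yield path


def _is_write_protected(path: Path) -> bool:
    """True if no write bit is set. On Windows, Python derives these bits
    from the read-only attribute that Explorer shows in the file properties."""
    write_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    return not (path.stat().st_mode & write_bits)


def build_baseline(project_dir) -> dict:
    """Record a hash per managed file, taken right after an approved check-in."""
    project_dir = Path(project_dir)
    return {
        path.relative_to(project_dir).as_posix(): _sha256(path)
        for path in _managed_files(project_dir)
    }


def verify(project_dir, baseline: dict) -> list:
    """Return sorted (relative path, finding) tuples; an empty list means the
    files still match the approved state and are still write-protected."""
    project_dir = Path(project_dir)
    findings = []
    seen = set()
    for path in _managed_files(project_dir):
        rel = path.relative_to(project_dir).as_posix()
        seen.add(rel)
        if rel not in baseline:
            # A managed file type that never went through a recorded check-in.
            findings.append((rel, "not in baseline"))
            continue
        if not _is_write_protected(path):
            findings.append((rel, "write protection removed"))
        if _sha256(path) != baseline[rel]:
            findings.append((rel, "content changed"))
    for rel in sorted(set(baseline) - seen):
        findings.append((rel, "missing"))
    return sorted(findings)


if __name__ == "__main__":
    import sys

    # Usage: python check.py <project directory>  (prints current findings
    # against a baseline taken in the same run, i.e. only protection issues).
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, finding in verify(root, build_baseline(root)):
        print(f"{finding}: {rel}")
```

Keep the baseline outside the project directory and regenerate it only after a documented check-in, so that a change to the files cannot also rewrite the reference.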

3.3.5.4 Project version control

SIMATIC Version Trail


SIMATIC Version Trail is a software option for versioning libraries, projects and
multiprojects that can be used universally in the context of Totally Integrated
Automation with SIMATIC.
With SIMATIC Version Trail, project data, in other words complete multiprojects,
single projects or libraries can be archived at a specified time and the data can be
assigned a version ID. Project data that has already been versioned can also be
reread and used again.
SIMATIC Version Trail also handles the entire management of the version history.
This means, for example, that once a version has been completed, it can no longer
be modified. The version ID is issued by the system following certain adjustable
guidelines. Versions are always incremented by one digit (without gaps) and there
can only be one valid version of a project under a single name in the version
history.
Note
SIMATIC Logon is needed for SIMATIC Version Trail.


WinCC Audit Project Versioning


The WinCC Audit RC and WinCC Audit ChangeControl options include the Project
Versioning functionality. This allows versions of complete WinCC projects to be
easily created in the form of one zip file. Data from linked WinCC premium add-ons, such as PM-QUALITY, are also included. The manually issued version ID is
included in the name of the version created. An overview shows all versions along
with the time stamps that have been produced for a WinCC project. If necessary,
older project statuses can be recovered.

3.3.6 Online archiving
The runtime software (RT) is used to control and monitor the production process.
This is possible in single-user or multiple-user (client-server structure) system
configuration.
The following sections discuss the basic functions of the runtime software for
recording and displaying runtime data.

Alarm Logging
The entire message system is configured in Alarm Logging. This includes
preparation, display, acknowledgment and archiving of messages. Alarm events
from the process, from the automation system and from the WinCC system can be
processed in the message system.
In production plants in a GMP environment, Alarm Logging can also be used for an
Audit Trail. Operator input in process pictures (for example changing an I/O value
or clicking a button) triggers an operator input message that is entered in Alarm
Logging with its time stamp, user ID, old value, and new value.
To display messages during operation, the ActiveX Alarm control is linked into the
process picture. At the same time, the message view is configured. The display of
different message views is achieved by multiple linking of the Alarm Control and
setting the appropriate message filters.
Messages are logged manually or automatically. Print jobs set up in the Report
Designer control the logging.
Note
The Alarm Hiding functionality can be used to prevent selected messages from
being displayed. This is used, for example, in start-up phases when there are huge
numbers of messages, to ensure that the less important ones are not displayed.
Despite this, the messages are recorded in the WinCC Alarm Logging. More
information on this can be found in the WinCC Information System.
Use of this functionality is the responsibility of the system operator and should
therefore be coordinated with him.

Tag Logging
Archiving of process values is configured in the Tag Logging editor. Selected
process values are recorded in definable acquisition cycles and stored in process
value or compressed archives.


The recorded process values are stored in the archive database. Once the
database reaches a defined database size or a specified interval has elapsed, the
archive database is transferred to external storage. Long-term archiving is also an
option (see chapter 6.8 "Long-term archiving").
During operation, current or previously archived process values can be displayed
as trends or tables. To achieve this, the relevant ActiveX Control (Online Trend
Control, Online Table Control) is linked into a process picture.
The report of the archived process values is configured in the Report Designer.

3.3.7 Long-term archiving
Long-term archiving of process values and messages can be set up using a long-term
archive server or using the WinCC Central Archive Server (CAS) option. Both
concepts are introduced below.

WinCC long-term archive server


Both in WinCC Tag Logging and in WinCC Alarm Logging, there are options for
long-term archiving. Apart from the archive size and segment change, the
configuration for transfer to another computer can also be set.
The WinCC DataMonitor option is used to view the data.
The contents of the archive files can also be reproduced in WinCC runtime using
the WinCC standard tools (Alarm Control and/or Table Control). To do this, the
archive files must be reloaded on the WinCC computer and linked to the WinCC
project.

WinCC Central Archive Server (CAS)


The process values and messages of up to 11 WinCC single-user systems, WinCC
servers and even redundant WinCC pairs of servers can be saved on one Central
Archive Server (WinCC CAS). The data are transferred to the CAS using the
backup configuration. Compared with a long-term archive server, the key benefit of
the Central Archive Server is easy access to transferred data. The saved process
values and messages are depicted in the WinCC Online Trend Control or WinCC
Alarm Control in process pictures as they usually would be in operation. Depending
on the time setting range selected, data are read from the WinCC runtime
database or the CAS and shown in the controls. The system automatically handles
transparent access in the background.
Another benefit is the Store & Forward principle. The long-term archive server
rejects archive data if the backup path and alternative backup path cannot be
reached. In contrast, data security is provided in the CAS. If the CAS computer is
unobtainable, the completed archives remain on the WinCC servers and are
transferred later on when the link to the CAS is reactivated.
Furthermore, the CAS only archives those archive tags that are labeled as of long-term relevance in WinCC Tag Logging.
Defined interfaces provide direct access to archived process values and
messages. This means that important production data is available throughout the
company.


The WinCC DataMonitor option can be used as an analysis tool. The WinCC
Connectivity Pack option can be used to run data analyses, for example with the
assistance of the OLE DB interface.
The CAS and WinCC server and multiclients are configured on a separate
engineering station in the SIMATIC NCM PC Manager or in the SIMATIC Manager.
With WinCC version 6.2 SP2 and higher, the CAS can also be set up redundantly.

Batch-oriented long-term archiving with PM-QUALITY


PM-QUALITY is a software package for batch-oriented acquisition of production
data such as process values and messages.
The process values can either be taken from WinCC Tag Logging or recorded in a
separate tag logging function, grouped according to the various acquisition cycles.
Event-driven process values or those dependent on a trigger (for example
setpoints/actual values) are read in as snapshots. Alarm events and Audit Trail
entries are taken from WinCC Alarm Logging.
It is possible to configure automatic export of the batch data on completion of the
batch. This can be in database format, in HTML format and/or in XML format. Each
export can be activated separately. The export cycle is set in minutes and the
destination for data storage must be set (for example any computer in the
network).
The PM-QUALITY application Export View can be used to view the batch data
exported in database format.

3.3.8 Reporting

Report designer
The SIMATIC WinCC Report Designer is used both for documentation of the
WinCC configuration and for logging the runtime data.
The configuration data can be documented for the WinCC Explorer and every
configured editor, for example Tag Logging, Alarm Logging, etc. The preconfigured print jobs and report layouts ship with SIMATIC WinCC. The
preconfigured report layouts can be opened with the page layout editor of the
Report Designer and modified as necessary.
For runtime logging (for example, messages from Alarm Logging or process values
from Tag Logging), there are preconfigured report layouts and print jobs that ship
with the product. The user defines which runtime data will be logged in the preconfigured layouts. To define the contents, the layout is opened in the page layout
editor of the Report Designer and edited as required.
The WinCC runtime components, for example Alarm Logging, use pre-configured
print jobs. The output options, scope and layout of these print jobs can be modified.
It is also possible to create application-specific print jobs.

3.3.9 Add-on software packages


To enhance the functionality of SIMATIC WinCC, WinCC options and WinCC
premium add-ons are available as supplementary software products.


The software packages presented below are particularly relevant for process
visualization / automation in a GMP environment.

3.3.9.1 Availability

Redundant WinCC server


Two networked WinCC servers can be run in parallel to increase availability. The
redundancy is configured using the WinCC Redundancy option. Each WinCC
server has its own process driver connection and has its own databases. During
operation, both servers function in parallel and independently of one another and
are available to the operator. Process values and messages are sent to each
redundant server and processed there. Internal tags, internal messages (e.g.
message acknowledgement) and user archives are calibrated directly online.
During operation, the servers monitor one another. In the event of a fault, the
server running in parallel assumes complete SCADA functionality. If necessary,
any connected clients are automatically switched over. Once the down server is
repaired, an automatic archive calibration is run in the background. Any gaps that
have occurred in the tag, message and user archives are filled and internal tags
calibrated.

3.3.9.2 Batch control

PM-CONTROL
PM-CONTROL is a batch-oriented parameter control for recipe/product data
management. The integrated order control allows flexible handling of production
orders in which the recipe, production location, scalable production quantity and
the time of production can be specified.


The software package is divided into three applications:

Topology manager for mapping the process cell topology, creating the required
parameters and configuring the interface to the automation level.

Recipe system for creating and managing recipes / products

Order planning and order control, assignment and management of production orders

To achieve a cost-effective solution for both simple and more complex tasks, PM-CONTROL
is available in the "Compact", "Standard" and "Professional" variants.

In the Topology Manager, user rights are specified for certain user groups. User
access is checked by SIMATIC Logon.
In the recipe system, the recipes are signed with an electronic signature after they
have been created. After each recipe change, a new signature is necessary. In the
Topology Manager configuration, it is possible to decide whether the full signature
for a recipe requires one electronic signature or two electronic signatures from
different users.
The recipe data is recorded in an Audit Trail from the point in time at which it is
created. Every recipe change is recorded along with time stamp, user ID, old value
and new value. The implemented rollback function allows an older recipe version to
be restored. The Audit Trail can be printed out or exported to an XML file.
Only fully signed recipes can be included in an order by the order control. Each
scheduled order, in turn, has an electronic signature. During processing, only data
from signed orders can be loaded on the computer system.
The processing of the orders is started, either automatically when requested by the
automation level or manually with the required user rights.
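
The signing rules described above (a new signature after every recipe change, one or two signatures from different users, only signed orders loaded) can be expressed as a small release gate. This is an added model of those rules, not PM-CONTROL code; the class and function names are hypothetical, and treating account names as case-insensitive is an assumption based on Windows logon behaviour.

```python
"""Model of the recipe and order signing rules (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Signature:
    user_id: str
    signed_at: datetime


@dataclass
class Recipe:
    name: str
    last_changed: datetime
    signatures: List[Signature] = field(default_factory=list)

    def change(self, when: datetime) -> None:
        """Record a recipe change. Earlier signatures stay in the history
        but no longer count towards the full signature."""
        self.last_changed = when

    def sign(self, user_id: str, when: datetime) -> None:
        self.signatures.append(Signature(user_id, when))


def _account(user_id: str) -> str:
    # Assumption: "JSmith" and "jsmith" are the same account.
    return user_id.strip().casefold()


def valid_signers(recipe: Recipe) -> Set[str]:
    """Distinct accounts that signed after the most recent change."""
    return {
        _account(s.user_id)
        for s in recipe.signatures
        if _account(s.user_id) and s.signed_at > recipe.last_changed
    }


def is_fully_signed(recipe: Recipe, required_signatures: int) -> bool:
    """required_signatures is the configured choice: one signature, or two
    signatures from different users."""
    if required_signatures not in (1, 2):
        raise ValueError("required_signatures must be 1 or 2")
    return len(valid_signers(recipe)) >= required_signatures


def order_may_be_loaded(recipe: Recipe, required_signatures: int,
                        order_signature: Optional[Signature]) -> bool:
    """An order is loadable only if it is signed itself and its recipe is
    fully signed in its current state."""
    if order_signature is None or not _account(order_signature.user_id):
        return False
    return is_fully_signed(recipe, required_signatures)


if __name__ == "__main__":
    t0 = datetime(2008, 1, 10, 8, 0)  # constructed sample data
    recipe = Recipe("constructed-recipe", last_changed=t0)
    recipe.sign("operator1", t0 + timedelta(hours=1))
    recipe.sign("OPERATOR1", t0 + timedelta(hours=2))  # same account again
    print("two-signature rule met:", is_fully_signed(recipe, 2))
    recipe.sign("supervisor1", t0 + timedelta(hours=3))
    print("two-signature rule met:", is_fully_signed(recipe, 2))
    recipe.change(t0 + timedelta(hours=4))
    print("after change, one-signature rule met:", is_fully_signed(recipe, 1))
```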


Recipes and processed orders remain in the database until a configurable
retention period elapses. Recipes and orders can be printed out or exported to a
CSV file.
The recipe system and order control can also be operated without electronic
signatures but with the Audit Trail function.
PM-CONTROL can be used both in a WinCC single-user system and in a WinCC
multi-user system.

When using PM-CONTROL in conjunction with redundant WinCC servers, the
function can be installed on one of the WinCC servers or on a remote computer
(e.g. WinCC Client). In the latter case, PM-CONTROL always communicates with
the WinCC master.

User archive
With the user archive option, recipe data or machine data records can for example
be saved in the form of database tables.
To obtain an overview of the created data records in an archive, the ActiveX
control WinCC User Archive Table Element is inserted in a WinCC picture with
read access. Detailed information about the User Archive option can be found in
WinCC Information System > Options > User Archives.
Automatic versioning of the data records is not supported with the User Archive
option. Versioning must be implemented during configuration. The User Archive
can be exported manually in CSV format.
Note
Operator input in the User Archive is recorded by WinCC Audit.

3.3.9.3 Batch-oriented reporting

PM-QUALITY
The data recorded in PM-QUALITY can be displayed in trends (process values),
printed as reports on a printer or exported as an HTML file, XML file or in database
format. It is also possible to configure the export of batch data for long-term
archiving on a different computer (see chapter 6.9.2 "Batch-oriented long-term
archiving with PM-QUALITY").
The software package includes the following applications:

Topology Manager for mapping the plant topology and specifying the
production data to be acquired

Report Editor for creating the report layout for the acquired data and displaying
batch logs on the screen

Data Logging, a runtime component for acquisition of the data

Data View / Export View and various ActiveX Controls for displaying batch data

Data Center, for compiling the batch data (only in the redundant version)

Apart from the automatic acquisition of the configured batch data, manually
entered values, for example laboratory values can be added to a batch report later.
If the batch report is transferred to the archive automatically due to the set export
option, no more changes can be made to the report if the "Complete automatically"
option is set.
It is also possible to use a script in WinCC to configure an electronic signature of
the batch reports by the logged-on user and with it the manual assignment of the
batch status (released / locked).
PM-QUALITY can be used both in a WinCC single-user system and in a WinCC
multi-user system.
For use in redundant systems, PM-QUALITY is also available with the
PM-QUALITY Data Center option. This application merges the recorded batch data
from two runtime databases in an export database. The Data Center can be
installed separately from PM-QUALITY on any computer in the network.

3.3.10 Interfaces to process data

Web navigator
The WinCC Web Navigator option is used to set up remote access to the WinCC
project via Microsoft Internet Explorer. The name of the WinCC server is entered in
the address bar to view the process pictures. A logon dialog automatically appears
and a user with the necessary rights must authenticate himself here using his
password. The details are checked by SIMATIC Logon. Operator input in the
process pictures, for example changing I/O fields, is subject to access protection
that is defined in the WinCC project under Editor User Administrator.

WinCC DataMonitor
WinCC DataMonitor is a pure display and evaluation system for process data from
WinCC, data from the WinCC long-term archive server and data from the WinCC
Central Archive Server (CAS). WinCC DataMonitor provides a number of analysis
tools for interactive data display and for analysis of current process values and
historical data:

Excel Workbooks allows the integration of current and historical messages and
process values from WinCC in MS Excel and therefore supports online
analysis.

Published Reports for time- and event-controlled production of reports as Excel
or PDF files

Trends & Alarms is used to display and analyze historical data from WinCC
runtime / the central archive server or from WinCC long-term servers. The data
can be displayed in tables or in trends.

Process Screens are simply used for monitoring and navigating using WinCC
process pictures with MS Internet Explorer (view only client).

Webcenter supports the distribution of system data online

Connectivity pack
The connectivity pack provides interfaces for access to archive data and messages
in WinCC. WinCC provides access to the following process data:

Alarms and events (messages), OPC A&E, read and write (acknowledgments
only) access

Process value archives (trends), OPC HDA, read-only access

Process tags (states), OPC DA, read and write access, ships with WinCC
system software

All archive data, WinCC OLE DB, read-only access

The connectivity pack provides standardized access with OPC and OLE DB from
computer systems at enterprise and management levels to computer systems at
the process level.

3.3.11 Software components, manufacturing execution systems (MES)

SIMATIC IT
With its numerous components, SIMATIC IT forms an MES (Manufacturing
Execution System) following the ISA 95 standard.
SIMATIC IT is used to optimize the interaction of planning, development, and
procurement within the framework of manufacturing processes.
The main elements of SIMATIC IT are:

SIMATIC IT Framework (plant modeling)

SIMATIC IT Components (specific functionality)

SIMATIC IT Framework connects the automation level to the operational
management and production control levels, as well as to the company
management and planning levels.

SIMATIC IT Framework is the cross-industry integration and coordination platform
for operating processes, data, and functions. It not only offers basic functions for
internal processes, user management etc. but also the ability to model plants and
production. SIMATIC IT Framework is capable of integrating SIMATIC IT
components and existing and heterogeneous IT products.
Examples of SIMATIC IT Components include:

Production Suite (basic MES functions such as material management,
production order management etc.)

SIMATIC IT Historian (plant performance analysis and long-term archiving)

SIMATIC IT Unilab (LIMS - laboratory information management system)

SIMATIC IT Interspec (product specification management system).

3.4 Utilities and drivers

3.4.1 Print drivers
It is advisable to use the print drivers integrated in the operating system that have
been approved for use with SIMATIC WinCC. If external drivers are used, there
can be no guarantee that the system will operate problem-free.

3.4.2 Virus scanners
The use of virus scanners during operation is permitted. More information about
selecting and configuring virus scanners and updating them can be found in the
WinCC Readme files.

3.4.3 Image & partition creator
The SIMATIC PC/PG Image & Partition Creator enables the data content of hard
disks on SIMATIC PCs to be backed up. Comparable software is available on the
market for PCs from other manufacturers. Backing up system and application
software makes it possible to restore the system quickly. Backed up contents of
hard disks can be copied back to devices with an identical configuration. This
simplifies replacement of computers or expansion of systems.
Apart from creating hard disk images, the Image & Partition Creator can also be
used to create, modify, and delete hard disk partitions.

System installation
The WinCC system software is available as a complete package (engineering and
runtime software) or as a runtime package on CD. The software is licensed using
license keys graduated according to the number of power tags (external tags) for
interfacing to the automation level.
In a multi-user system with server/client structure, the system software with the
required number of power tags and the server option is installed on the WinCC
server. With a basic configuration, the smallest RT license is adequate for clients.
Prior to installation on a PC, the specified hardware requirements and approved
operating systems as listed in the WinCC Installation Notes must be checked.

4.1 Installation of the operating system
For detailed information on the hardware requirements and the Windows operating
systems, refer to the WinCC Information System, the documentation for the
SIMATIC WinCC system software.
By selecting the entry "Read this first" in the start menu of the WinCC CD, you
open the WinCC Information System.
You will find information on the operating systems, language variants, service
packs, settings, security guidelines, networks, redundant systems, etc. in the
"Release Notes" and "Installation Notes" sections.

Note
When issuing the computer name, WinCC project name and names for tags and
objects, the list of "Impermissible characters" in WinCC must be noted. This list is
stored in the WinCC Information System under Working with WinCC > Working
with projects > Annex > Impermissible characters.
The computer name must comply with the WinCC naming convention before the
MS SQL server is installed. The computer name cannot be changed later on
without fully reinstalling the MS SQL server and the WinCC system.

4.2 Installation of SIMATIC WinCC
The procedure for installing the WinCC system software is described in detail in the
WinCC Information System in the chapter "Installation Notes". The "Release
Notes" section with important up-to-date information should also be read.

Note
WinCC is basically approved for operation in a domain or workgroup. Domain
group policies and domain restrictions can hinder the installation. In this case,
remove the computer from the domain prior to installation. After the installation,
the computer can be returned to the domain if the group policies and restrictions
do not prevent operation of the WinCC software.
Before the WinCC system software is installed on the PC, setup checks whether
certain system requirements are met.

Operating system

User permissions

Security policies

Graphic resolution

Internet Explorer

The following is required for installation:

MS Message Queuing that is included as an option in the operating system
software.

SQL Server that ships on a separate CD along with the SIMATIC WinCC
system software.

Once all the requirements have been met, the installation of SIMATIC WinCC
is started. Follow the instructions of the setup.

The setup types typical installation, minimum installation and user-defined
installation are available.
In a user-defined installation, additional WinCC functions can be selected or
deselected compared with the functions of a typical installation. The Basic Process
Control and AS/OS Engineering Mapper functions must be selected separately.
The WinCC Server, Redundancy and User Archive options are also on the WinCC
DVD, but require their own separate license.

WinCC functions / options can be installed at any time.


In a multi-user system or in a redundant system, the WinCC system software is
installed on each separate computer. Information on setting up multi-user systems
can be found in the WinCC Information System.
Note
For straightforward SCADA stations, install RT (runtime) only and not RC
(configuration system).

4.3 Installation and configuration of SIMATIC Security Control
SIMATIC Security Control is started automatically after the WinCC installation and
has a dialog that indicates the proposed settings. The settings are either
undertaken directly in the operating system using the Accept button or are saved
using the Save button and undertaken by an authorized person later on.
If the computer is part of another workgroup or domain, the application has to be
run again. The application is called up using Start > Programs > SIMATIC >
SimaticSecurityControl. Selecting Accepted Settings displays all the settings in
place. Selecting All Settings determines the settings required again and permits
transfer into the Windows operating system.
SIMATIC Security Control is started again automatically if further settings are
needed in the Windows operating system once WinCC options have been installed
(e.g. after installing the WebNavigator option).
The settings are documented in XML format.

Note
The proposed settings must be accepted in order for the SIMATIC WinCC system
software to function properly.

4.4 Installing the SIMATIC WinCC options
Further WinCC options and WinCC premium add-ons are installed only after the
WinCC software has been installed.
Note
During installation care must be taken to make sure that the versions of the
software products match up. For more information, refer to the release notes in
the relevant documentation.

4.5 Installing utilities and drivers

Print drivers
It is advisable to use the printer drivers integrated in the operating system that
have been approved for use. If external drivers are used, there can be no
guarantee that the system will operate problem-free.

Virus scanners
The use of virus scanners during operation is permitted.
The following settings should be observed when using virus scanners:

The real-time search is one of the most important functions. However,
investigating incoming data traffic is sufficient.

The time-controlled search must be deactivated because this greatly limits
system performance in process mode.

The manual search should not be run during process mode. It can be run
at regular intervals, for example at maintenance intervals.

Descriptions of such definitions should be recorded in an SOP.


For more information on the use of virus scanners, refer to the WinCC "Release
Notes" and to the WinCC Online Help under Working with WinCC > Setting
for Runtime > External applications.

4.6 Setting up user management
A crucial requirement for the pharmaceutical environment is access protection on
the system (see 21 CFR Part 11 and Annex 11 of the EU GMP Guide in
Chapter 1.2 Regulations and Guidelines as well as Chapter 2 Requirements of
computer systems in a GMP environment). This includes control of the process
within the SIMATIC WinCC system and certain options and premium add-ons.
The WinCC SIMATIC Logon option is based on Windows user management.
SIMATIC WinCC and the WinCC premium add-ons work with SIMATIC Logon to
provide access protection.

Note
The structure of the access protection must be specified at the start of
configuration.
All the permissions for working with the visualization user interface (faceplates,
input boxes, buttons etc.) must be set up according to the specifications in the
URS and the FS.

Note
For access security, all the monitoring mechanisms (password age, password
length, password generation, password lockout threshold etc.) must be configured
and set in Windows. The operating system user should also only have power user
or user permissions and should not have administrator privileges. This ensures
that only WinCC has access to the database. This means that access by the
operating system to the SQL database is impossible.

The following order must be adhered to:

Setup of access protection in Windows (setting up of user groups and users)

Installation and setup of the WinCC SIMATIC Logon option

Setup of the access protection in SIMATIC WinCC > User Administrator

The individual applications can then be configured in any order:

Assignment of permissions in the visualization user interface (picture window,
input boxes, buttons)

Setting up access protection for the Audit option

Setup of access protection in PM-CONTROL or PM-QUALITY if the WinCC
premium add-ons are used

4.6.1 Function principle of access protection
The mechanisms of Windows user management are used to administer operating
system users and WinCC runtime.
Normally, at least two users are created in a WinCC system. Firstly there is the
operating system user who coordinates SIMATIC WinCC runtime software, and
secondly there is the SIMATIC WinCC runtime user who controls and monitors the
process.

Operating system users
Activities and permissions of operating system users:

Changing application software to an active (during operation) state under
SIMATIC WinCC (server, clients). In this state, the applications must have at
least power user permissions under Windows so that the applications have
read and write permissions for drives, folders, databases, etc.

Making changes to the engineering system, shutting down WinCC runtime,
access to all drives, creating, changing and deleting folders and setting up new
users.

Note
When the Windows audit policies are activated (see chapter 4.6.3 "Security
settings in Windows"), actions made by an operating system user in the operating
system are recorded.

SIMATIC WinCC runtime users


During operation the activities and permissions of SIMATIC WinCC runtime users
include operating the process, checking processes, writing and changing recipes,
creating batches, etc.

4.6.2 User management in Windows
Since the user management of SIMATIC Logon is based on the mechanisms of the
Windows operating system, two options are available for user
management in Windows:

In a domain

In a workgroup

Windows domains
Within a domain, the AGLP strategy (Access Global Local Permission,
recommended by Microsoft for the management of resource access over trusted
relationships in Windows) is used; in other words, if users of a domain with the
same tasks are added to a global group, they are also added to a local group and
then adopt the necessary permissions. If a domain server is used in the working
environment, the advantages of the group and user management can be used in
conjunction with SIMATIC Logon. The central administration of groups and users
on the domain server allows all computers that belong to the domain access to the
groups and users. To increase availability, domains can be set up with several
domain servers.

Windows workgroup
Within a workgroup, local users with the same tasks should be added to a local
group and the required permissions assigned to the group.
If a computer is a member of a Windows workgroup, the computer acting as server
of the workgroup must be specified. All user data are created and managed on this
server. From here, they are made available to the other computers in the system.
The WinCC server can be included in the server selection, however for
performance reasons a separate computer is often selected and used only for
managing users.
In the login selection box, the local computer or a domain can be selected. This
displays all groups of this server. Administration of the groups and users of the
computers belonging to the workgroup is not necessary. A redundant configuration
is not possible in this case. Emergency operation is possible using the local user
management.
SIMATIC WinCC supports the Windows permissions model. When SIMATIC
WinCC is installed, the following local groups are set up:

SIMATIC HMI

SIMATIC HMI CS

SIMATIC HMI VIEWER

SIMATIC WinCC manages the security settings and share rights automatically. To
create and start a WinCC project, a user requires the administrator or power user
status and must be a member of the SIMATIC HMI user group. The access rights
within the WinCC project are checked by User Administrator.

You will find more information in the SIMATIC WinCC Installation Notes and
"WinCC Security Concept" Manual, Chapter 4 "User and Access Management in
WinCC and Integration into Windows Management".

Note
The Windows domain must be used when there are several servers or redundant
servers to make sure that users can continue to input data or log on if a domain
server fails.

4.6.3 Security settings in Windows
In Windows user management, users and groups are configured as specified in the
URS or FS. Assigning a logon for the relevant tasks on WinCC PCs achieves the
following:

When logging onto Windows, each user is assigned exactly the permissions
required to perform the particular task. For example, in order to work on the
WinCC project, the user must be a member of the local group Power User and
SIMATIC HMI.

When logging in during runtime, the operator is given exactly those rights
required to operate the plant as defined in the UserAdministrator.

This completely separates computer access permissions, e.g., Windows users,
from plant authorizations (plant operators). This is supported by the SIMATIC
permissions model, although this requires that user authorizations are
administered by the user in separate configuration dialog boxes.
The following screenshot shows the Windows Local Users and Groups dialog box
in which the users and groups are defined.
Computer management is opened with Start menu > Control Panel >
Administrative Tools (in the Windows XP operating system). After selecting
Computer Management > Groups, all the groups created in the operating system
are displayed.

Additional information

WinCC Information System, section Working with WinCC > Setting Up User
Administration > WinCC Options for the User Administrator > Option
SIMATIC Logon

Permissions management in Windows SIMATIC HMI, Process Visualization
System WinCC V6, Security Concept WinCC, Chapter 4 "User and Access
Management in WinCC and Integration into Windows Management".

Security settings of password policies


For the monitoring mechanisms of the password policies of Windows, the
previously specified settings (URS, FS or DS) must be made. The following
security settings of the password policies are relevant and must be configured in
the operating system.
Policy | Description of the security setting
Enforce password history | Specifies the number of unique, new passwords that must be used before an old password can be used for the user account.
Password must meet complexity requirements | When it is activated, the password must contain at least three of the four following categories: 1. A-Z uppercase letters, 2. a-z lowercase letters, 3. 0-9 numerical characters, 4. !,$,% etc. special characters
Minimum password length | Specifies the minimum number of characters a password must contain
Maximum password age | Specifies the maximum time that a password may be used before it is changed.
Minimum password age | Specifies the minimum time that a password must be used.

The following screenshot shows the Password Policy dialog box. The settings
shown are examples:
Computer management is opened with the following menu command: Start >
Settings > Control Panel > Administrative Tools > Security Settings.

Security mechanisms for account lockout policies


For the monitoring mechanisms of the account lockout policy of Windows, the
settings as specified in the URS or FS must be made. The following security
settings in the account lockout policies are relevant and must be configured.
Policy | Description of the security setting
Account lockout threshold | Specifies the number of failed attempted logons before the user account is locked out.
Account lockout duration | Specifies how long an account remains locked out before the lockout is canceled automatically. If the value 0 is set, the account remains locked out until it is unlocked by the administrator. This is the recommended setting.
Reset account lockout counter after | Specifies how long it takes in minutes before the account lockout counter is reset following failed logon attempts.

The following screenshot shows the Account Lockout Policy dialog box.

Security settings for audit policies


The following settings must be made in the audit policies of Windows to generate a
recording (Audit Trail) of attempted logons. The monitored events are stored in the
event viewer in the security log and are available for investigation.
Policy | Description of the security setting
Audit logon attempts | Specifies whether the instance of a user logging onto a computer is monitored.
Audit account management | Determines whether to audit each event of account management (creating or changing a user account, changing or setting passwords)
Audit logon events | Determines whether each instance of a user should be audited when logging on or off on a computer.
Audit policy change | Determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies

Computer management is opened with the following menu command: Start >
Settings > Control Panel > Administrative Tools > Local Security Settings.

Note
To monitor the logon activity, the required settings must be made in the audit
policy of the local policies of Windows.

Note
After installing Windows, default parameters are set for the password policy,
account lockout policy and audit policy. The settings must be checked and
adapted to the requirements of the current project.
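
The password, account lockout and audit policy settings described above can be checked against the project specification from a security template exported with `secedit /export /cfg <file>`. The following is an added example, not part of the Siemens manual: the limits in `REQUIRED` are constructed placeholders to be replaced with the URS/FS/DS values, and the mapping of the manual's policy names to template keys, including the `-1` encoding of the lockout duration, is an assumption to confirm on the target system.

```python
"""Check a Windows security template (exported with `secedit /export /cfg <file>`)
against the password, account lockout and audit policy values of a project."""
import configparser

# Values used in the [Event Audit] section of a template:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
AUDIT_BOTH = 3

# (section, key, rule, limit, policy name as used in the manual).
# All limits are constructed placeholders; take the real ones from URS/FS/DS.
REQUIRED = [
    ("System Access", "PasswordHistorySize", "min", 5, "Enforce password history"),
    ("System Access", "PasswordComplexity", "eq", 1,
     "Password must meet complexity requirements"),
    ("System Access", "MinimumPasswordLength", "min", 8, "Minimum password length"),
    ("System Access", "MaximumPasswordAge", "max", 90, "Maximum password age"),
    ("System Access", "MinimumPasswordAge", "min", 1, "Minimum password age"),
    ("System Access", "LockoutBadCount", "range", (1, 5), "Account lockout threshold"),
    # Assumption: "locked until an administrator unlocks" (0 in the dialog)
    # is written as -1 in an exported template.
    ("System Access", "LockoutDuration", "eq", -1, "Account lockout duration"),
    ("System Access", "ResetLockoutCount", "min", 30,
     "Reset account lockout counter after"),
    ("Event Audit", "AuditAccountLogon", "eq", AUDIT_BOTH, "Audit logon attempts"),
    ("Event Audit", "AuditAccountManage", "eq", AUDIT_BOTH, "Audit account management"),
    ("Event Audit", "AuditLogonEvents", "eq", AUDIT_BOTH, "Audit logon events"),
    ("Event Audit", "AuditPolicyChange", "eq", AUDIT_BOTH, "Audit policy change"),
]

# Constructed sample resembling an installation whose defaults were never adapted.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Parse the INF-style template text into a ConfigParser."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as exported
    parser.read_string(text)
    return parser


def meets(rule, limit, value):
    """Return True if value satisfies the rule."""
    if rule == "eq":
        return value == limit
    if rule == "min":
        return value >= limit
    if rule == "max":
        # Values below 1 do not bound the age (assumed to mean "never expires"),
        # so a real upper bound needs 1..limit.
        return 1 <= value <= limit
    if rule == "range":
        return limit[0] <= value <= limit[1]
    raise ValueError(f"unknown rule {rule!r}")


def check_template(text, required=REQUIRED):
    """Return a list of (policy, key, actual value, reason) for every deviation."""
    parser = parse_template(text)
    findings = []
    for section, key, rule, limit, policy in required:
        raw = parser.get(section, key, fallback=None)
        if raw is None:
            # A key the template does not contain counts as a deviation.
            findings.append((policy, key, None, "not set in template"))
            continue
        try:
            value = int(raw.strip())
        except ValueError:
            findings.append((policy, key, raw, "not a number"))
            continue
        if not meets(rule, limit, value):
            findings.append((policy, key, value, f"requires {rule} {limit}"))
    return findings


if __name__ == "__main__":
    for policy, key, value, reason in check_template(SAMPLE_TEMPLATE):
        print(f"DEVIATION  {policy} ({key} = {value}): {reason}")
```

The list of deviations can be attached to the qualification records as evidence that the settings were checked against the specification.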

Additional information

Additional information on setting up Windows workgroups and Windows
domains can be found in the operating system help of Microsoft Windows or in
the appropriate Windows manual.

On setting up user administration, refer to the WinCC Information System,
Section "Working with WinCC".

On permissions management in Windows SIMATIC HMI, Process Visualization
System WinCC V6, Security Concept WinCC, Chapter 4 "User and Access
Management in WinCC and Integration into Windows Management".

4.6.4 Configuring SIMATIC Logon
For SIMATIC Logon to operate correctly, the following settings must be made:

To configure SIMATIC Logon, a Windows group with the name
"Logon_Administrator" must be created. All users assigned to this group have
permissions to configure SIMATIC Logon.

The full name of every user must be entered in "Local Users and Groups" in
Windows Computer Management. This name is used by the application for
display in SIMATIC WinCC after logging on.

The basic settings for configuring SIMATIC Logon are made in the Configure
SIMATIC Logon dialog.
The relevant language is set in the General tab. It is also possible to define
whether a default user is logged on after a user has logged off (by the user or
automatically by the system). It is also possible to set the number of days after
which a user is reminded that a password change is necessary.

Note
In contrast to all other users, the "Default user" must not be created as a Windows
user. The "Default user" is a member of the "Default group" and
"Emergency_operator" groups. Which rights these groups have is specified in the
WinCC User Administrator (server/client).

In the Working environment tab, the user specifies whether the information
relating to groups and users relates to a Windows domain or a Windows workgroup
server. The name of the domain or workgroup server must be entered.

In the Logon device tab, the user specifies whether the logon is via the keyboard,
smart card or other procedure such as biometric user identification, for example by
fingerprint.

In the Automatic logoff tab, the user specifies whether automatic logoff is used. If
this is selected, the delay before a user is automatically logged off must also be
specified.

If automatic logoff is enabled, the user is logged off automatically if there is no
activity within the specified time. Prior to the logoff, a dialog indicates that the
automatic logoff will take place. This avoids accidental logging off.

Note
Activating a screensaver is not permitted in conjunction with SIMATIC Logon.

Note
To allow operator input during operation, user groups are configured in the WinCC
User Administrator.

4.6.5 Configuring the user administrator
The assignment of Windows groups to WinCC user groups is based on names. For
example, the "Operator" Windows group will be assigned to a group of the same
name "Operator" set up in the WinCC User Administrator. The Operator group is
assigned the rights necessary for operator control in the WinCC system. The
following procedure must be adhered to:

Open WinCC project.

Open User Administrator using WinCC Explorer.

Create group(s).

Assign permissions for each group.

The check box for enabling SIMATIC Logon must also be selected in the User
Administrator of the WinCC project.

Note
In conjunction with SIMATIC Logon, it is not permitted to configure a time for an
automatic logoff in the User Administrator. An automatic logoff is configured only
in SIMATIC Logon.
See Chapter 4.6.4 "Configuring SIMATIC Logon"

Note
The configuration and assignment of user permissions is described in detail in the
WinCC Information System in the section Working with WinCC > Setup of a
User Administration.

4.6.6 Setting up SIMATIC Logon for the Audit option
If the SIMATIC Logon software is used, this should be set in WinCC Audit. To do
this, the following dialog is opened in the WinCC Audit configuration editor via the
menu Options > Options.

The operating permissions in WinCC Audit are governed via the Audit Admin and
AuditDocControl user groups. The help system for WinCC Audit provides detailed
information.

4.6.7 Setting up SIMATIC Logon for PM-QUALITY / PM-CONTROL
Use of the SIMATIC Logon software for user management is activated for
PM-QUALITY and PM-CONTROL in the PM-SERVER. The PM-SERVER software is
automatically installed with PM-QUALITY and/or PM-CONTROL and serves as a
data server.

4.7 Setting up a long-term archive server
A separate computer should be set up in the network for long-term archiving. The
MS SQL server and file server setup are installed from the WinCC-DVD. Both are
included in the SIMATIC WinCC system software. The backup configuration of
Alarm Logging and Tag Logging is configured such that the archive files are saved
on this computer (also see Chapter 3.3.7 "Long-term archiving").

4.8 Installing the Central Archive Server
The Central Archive Server is installed on a separate computer on which no other
programs should be used.
Note
The paths defined when installing the CAS cannot be changed at a later date.

The CAS is configured via the CAS engineering station. See Chapter 6.8.2.2
"Configuring the Central Archive Server".

4.9 Security vulnerability in configuration

Disabling the Windows level during operation


Since access to the Windows operating system level should be avoided for security
reasons, additional configuration settings are necessary. These settings prevent
unauthorized access from the process mode of SIMATIC WinCC to sensitive data
of the operating system.

Note
Access to the operating system level should only be permitted for administrators
or maintenance personnel.

Disabling the user interface


Access to the operating system during process mode is configured in the WinCC
project in the computer properties. All key shortcuts are disabled as shown below.

The Keep the taskbar on top of other windows setting must also be disabled in
Windows.

It is important to ensure that operations can only be deactivated with suitable
operator permissions. After disabling and restarting, the operating system level can
be accessed.
For more detailed information on security of data and the system, refer to the
WinCC Information System, Installation Notes section.

Preventing access to the Windows level


Ensure that no objects that permit access to the Windows file system or to
executable (.exe) programs are used on the user interface. This risk exists, for
example, with OLE objects, Internet links, the online help system, etc.

Security with configuration settings in WINDOWS


Any HOT KEY assignments must also be disabled. HOT KEYs are often used, for
example, to influence the properties of the graphics card. By changing the graphics
card properties, it is also possible to reach the operating system user interface.

Project settings and definitions


The SIMATIC WinCC system software allows flexible configuration of process
control and monitoring. The configuration is fully customized. In WinCC a large
proportion of the application software is configured. Additional functionality can be
added using scripts.
This chapter includes basic settings and procedures for configuring a WinCC
project in a GMP context, all of which contribute to meeting the GMP requirements
for validating a system.

5.1 Startup behavior

Once the configuration of a WinCC project has been customized, only the runtime
component of WinCC is used for operator control and monitoring and for data
archiving. To prevent unauthorized access to the system, the computer can be
configured so that WinCC Runtime is activated automatically when the computer
starts up.
When the operating system starts, one user who is a member of the SIMATIC HMI
user group must be logged on automatically. This procedure is described on the
Customer Support Internet page under Entry ID 15390777
(http://support.automation.siemens.com/).
The WinCC project to be opened when the computer starts up is specified in the
"AutoStart Configuration" WinCC program. An alternative / redundant project can
also be specified. If the "Activate project at startup" check box is selected, the
WinCC project is activated immediately during operation. Clicking the "Add to
AutoStart" button enters the settings in the computer autostart and these go into
effect the next time the computer is started.
The "AutoStart Configuration" dialog is opened with Start > Programs > SIMATIC
> WinCC > Autostart.

Additional settings for the startup characteristics are made in the WinCC project.
To do this, open the properties of the Computer object from the shortcut menu.
Those WinCC components that were configured and must therefore be active
during operation (for example Tag Logging, Alarm Logging, etc.) are activated in
the "Startup" tab.
Other applications that are required to be active on the computer during process
mode can be included in the list with the Add button as can be seen in the
Additional Tasks/Applications box.

5.2 Diagnostics for communication connections


WinCC provides the channel diagnostics application for monitoring communication
connections to the lower-level controllers. The application can be integrated in a
WinCC picture (e.g. diagnostics picture) via Start > SIMATIC > WinCC > Tools >
Channel Diagnosis or as ActiveX Control. The status of the channels that support
diagnostics is displayed in a window. Information on the start / end of the
connection, version ID and error messages with time stamp are automatically
recorded in a log file. This represents evidence of the quality of the communication
connections provided by the system.

5.3 System information channel


The system information channel is used to evaluate system information such as
drive capacity, CPU load, server monitoring by a client, date, time and much more.
The system information channel is configured as a separate connection. The
relevant system function is linked to a system tag for display / evaluation.
In a GMP environment, it is often necessary to archive large amounts of data. By
configuring the system information channel, the capacity of the hard disk can be
monitored. If a definable limit value is exceeded, a reaction can be configured, for
example a message in Alarm Logging.

The example shows how a system tag is set up to evaluate the hard disk capacity.
The display of the relevant system tag could, for example, be configured in a
diagnostics picture along with the ActiveX control Channel Diagnosis.

5.4 Object-oriented configuration

By using picture windows (for example for controlling process units such as valves,
drives or similar) and user objects (for example for uniform visualization of objects)
in WinCC, the configuration can be created in an object-oriented way. The objects (picture
window, user blocks) are created once for the various use cases. The design and
control philosophy must be discussed with the customer, described in a
specification and approved by the customer. The individual objects are then put
through a function test and qualified. When configuring the process pictures,
copies (user objects) or instances (picture windows) of the qualified objects are
used.

User objects
A user object is an object whose graphic representation and dynamic
characteristics are tailored to the requirements of the system. The object properties
and the events that cause a dynamic response in the object are specified
individually in a configuration dialog. Structure tags are recommended for the
dynamic response of the user objects (see structure tag below).
User objects are either entered in the project library or collected together in a
standard picture.
The procedure for creating user objects is described in detail in the WinCC
Information System.
Note
When a user object is duplicated, a copy is made. If a user object is changed, for
example by adding an object property, all the linked user objects must be updated
manually.

Picture windows
The picture window smart object allows a picture to be called within a picture. This
functionality is used, for example, to call a window for controlling a process unit
(valve, drive). Such an operator control picture is configured once for a particular
function and then opened as an instance in a picture window. When the picture is
called, a tag prefix is transferred (see structure tag below).

The example shows the properties of a picture window. The picture name, tag
prefix and title properties were configured.

Structure tag
Structure tags are used to make picture windows and user objects dynamic. A
structure type is defined for a process unit, for example a motor, and contains all
tag types for the motor as structure elements.
The example shows a simplified form.

A new tag of the data type "Motor" is created in the WinCC tag management for the
corresponding communication connection. The addressing is configured
accordingly.
In integrated mode, tag management is adopted from the SIMATIC Manager. The
address is thereby assigned automatically.

Based on the example, the following tags will be created for the communication
connection:

The tag name is made up of the structure instance, for example the name of the
motor, and the structure elements of the structure type separated by a period. The
structure instance is transferred to the picture window as the tag prefix property
(see example of picture window above).

The individual structure elements are linked to the relevant object properties to
allow a dynamic response in the picture that is called in a picture window to control
the motor.

By linking the structure elements, the picture is dynamically updated once. When
the picture is called, only the tag prefix is transferred.
The procedure with user objects is similar. The structure elements are attached to
the configured, user-defined object properties. To link to the tag instance, the
dynamic Wizard "Change user object link" is used that is integrated in the WinCC
Graphics Designer.

5.5 Creating process pictures


The WinCC Graphics Designer editor is a combination of graphics program and
process visualization tool. A series of utilities support both graphic creation and
dynamization of the plant flowcharts.
To allow flexible graphic design, standard objects (graphic elements, static text),
smart objects (bars, windows, etc.) and Windows objects (buttons, check boxes,
sliders, etc.) are available in an object palette.

The following refers to a few tools and functions used to reduce the
validation work required for a computer system in the GMP environment.

5.5.1 Symbol library

The integrated global library contains numerous pre-configured graphic objects.
Graphic objects such as machines and plant components, measuring equipment,
operator control elements and buildings are thematically organized. The library
objects can be inserted with drag-and-drop and adapted as required.
Note
To keep the work for qualifying process pictures to a minimum, it is advisable to
use standard symbols from the symbol library.

5.5.2 Project library

The project library can be used to store objects developed and defined by the user
that can then be included in multiple process pictures. User-defined objects that
have been tested and qualified individually are stored in the project library and are
then available as a project standard for multiple use.
Note
The project library is part of the WinCC project and is located in the subdirectory
"\library". To allow its use in other WinCC projects, the library.pxl file must be
copied to the corresponding folder of the destination project.

5.6 Project functions in the form of VB / C scripts


Functions required more than once in the WinCC project should be configured in
the Global Script editor. The function code is created once either in VB script or C
script and then tested and qualified. The function is then available throughout the
entire project. The function call is simply programmed in the property for the picture
object.

5.7 SIMATIC NET settings


SIMATIC NET is used for industrial communication. SIMATIC NET supplies the
communication drivers for interfacing WinCC to the automation level over
PROFIBUS or Industrial Ethernet. Up to 8 industrial Ethernet connections are
included in WinCC. The appropriate license must be bought for more connections.
For more detailed information, refer to the WinCC Information System >
Installation Notes > Scope of Delivery.

5.8 Redundancy configuration

The redundancy option is included in the WinCC system software, but has to be
licensed separately on each computer. To install, the WinCC Setup is started, the
Customized selection chosen and the Redundancy option selected.
The configuration dialog is opened using the Redundancy entry in WinCC Explorer.

This is where the computer name of the redundant partner server is stated,
settings for data calibration are made and the connections to the redundant partner
configured. Data calibration in redundancy mode is selected for the corresponding
user archive in the User Archive tab.
With WinCC V6.2 and higher a second computer link is needed between the
servers.
Data calibration in redundancy mode is approved by selecting the Activate
redundancy check box.

Synchronization of the internal tags must be configured separately for each tag.
The Tag synchronization check box in tag management is activated for this
purpose in the properties dialog for tags.

Once redundancy has been configured and the corresponding internal tags have
been synchronized, the Project Duplicator (Start > Programs > SIMATIC > Tools
> Project Duplicator) is used to create the WinCC project for the redundant
partner server and this is copied onto the computer. The computer name and
standard master settings are adjusted automatically.
The WinCC project is first activated on the standard master, then on the redundant
partner server. The value of the internal binary tags @RM-Master is 1 on the
master server and 0 on the partner server.

Interaction with PM-QUALITY


The PM-QUALITY Professional with Data Center variant ensures that batch data is
recorded in full in a redundant WinCC system.
This variant is needed for every redundant WinCC server. The PM-QUALITY
server is installed on every WinCC server. This means that the batch data are
archived in parallel on every WinCC server. Once a batch has been completed and
released, the Data Center application merges the batch data recorded from two
PM-QUALITY runtime databases into one export database. If one WinCC server is
not available, the Data Center only becomes active when both WinCC servers are
again operating. The Data Center can be installed separately from the
PM-QUALITY servers on any computer in the network. The export databases are
stored on this computer. The data can be viewed using the PM-QUALITY client.

Interaction with WinCC Audit


In order to record the Audit Trail entries in a redundant system, the Audit Trail
database can be stored on one of the redundant WinCC servers or set up on a
computer in the network. If the WinCC server with the Audit Trail database fails, the
records are buffered on the redundant partner server and added to the Audit Trail
database once the down WinCC server is up and running again.
When configuring WinCC Audit for a redundant system, ensure that the setting
"this database receives audits from SEVERAL projects" is selected when
creating the database. This also has to be done if the database is stored locally on
one of the redundant servers. This setting means that the partner server can
access the WinCC Audit database and buffering is undertaken correctly.

5.9 Time synchronization

In SIMATIC WinCC, the time transmitted on the bus by default is the standard
world time UTC (Universal Time Coordinated). This corresponds to Greenwich
Mean Time.
The time stamps are generated in UTC and stored in the archive of the WinCC
server. During operation, the process data stored in the archive (messages and
trends) are displayed with the timebase configured in the Properties dialog of the
ActiveX control. This allows a system configuration in WinCC over different time
zones.

Activating time synchronization in WinCC means that an active time master
handles the synchronization of all servers, operator stations, automation systems
(AS) and the engineering station. To ensure that times match, all the stations
belonging to the WinCC system must be synchronized to allow chronological
processing (archiving trends, messages, redundancy synchronization of servers).

Note
The activation of time synchronization is necessary in plants in which GMP is
mandatory.

Note
Time synchronization must also be activated on the engineering stations
otherwise problems could arise when downloading changes.

5.9.1 Concepts for time synchronization


The configuration of the time synchronization must be carefully planned. Every
time synchronization activity in the project is subject to the requirements. The
requirements of time synchronization must be described in the functional
specification. The following sections introduce concepts in time synchronization.

Time synchronization in a Windows workgroup


The time in a workgroup should be synchronized via the WinCC server. The time of
the WinCC server can also be synchronized using a time master such as SICLOCK
(More information can be found online at http://siemens-edm.de/siclock.0.html).

Time synchronization in a Windows domain


If the computer system is operated in a Windows domain, the domain must act as
time master. The time of the domain server can also be synchronized using a time
master such as SICLOCK.
If the time is inaccurate, this can lead to clients being rejected in the domain. This
would mean that operator input in process mode at these clients is no longer
possible.
If a time difference of five minutes is exceeded between the domain and clients,
the operating system assumes that an attacker has decrypted the logon and is
attempting to take over the session. This is prevented by denying the client logon
to the domain.

Note
The time on the clients in the domain is synchronized using Microsoft system
services.

Additional information
Procedures for configuring time synchronization can be found in the following
documents:

WinCC Information System > Options > Options for Process Control
> Time Synchronization

WinCC Information System > Release Notes > Process Control Options >
Time Synchronization

SIMATIC HMI manual, Process Visualization System WinCC V6.0 SP4,
Security Concept WinCC, Chapter 5 "Planning Time Synchronization".

5.9.2 Example configuration in WinCC


Time synchronization in a WinCC system configuration can be configured using the
DCF77 client tool. This tool is located under the smart tools on the WinCC DVD. A
detailed description of the configuration procedure can be found under entry ID
775131 (http://support.automation.siemens.com) and for redundant WinCC servers
under entry ID 622814.
Alternatively time synchronization can be configured using the Time
Synchronization editor. This editor is part of the WinCC Basic Process Control
option (see chapter 6.2 "Creating overview pictures").

Client/server
1. Time synchronization over the plant bus (WinCC server is time master).
By selecting the Synchronization via System Bus (Master, Slave) check
box, the access point for time synchronization can be defined. The WinCC
server is also declared as time master.

2. Time synchronization of the clients
Selecting the Synchronization via Terminal Bus (Slave) check box specifies
that the client is synchronized over the terminal bus / local area network. As
reference partner, it is possible to specify whether the time is taken from a
connected WinCC server or from a defined computer (in this case from the
computer with the name Server1).

Via Ethernet / system bus


Time synchronization over the system bus/Industrial Ethernet is only available with
WinCC server projects. If the computer being configured is a WinCC client, no
settings are possible and the selection boxes are not available.

Via PROFIBUS / MPI


Direct time synchronization on the system bus over PROFIBUS / MPI is not
available in WinCC. Instead, the time can be set in the automation system. Time
setting, however, does not have the same level of accuracy as time
synchronization since message frames and script runtimes are included.
Detailed documentation of the procedure for setting the time can be found under
entry ID 7802886 (http://support.automation.siemens.com/).

Note
Other concepts for time synchronization are documented in the "SIMATIC WinCC
Security Concept" manual.

5.9.3 Central Archive Server (CAS) time synchronization


The CAS must be linked to the project-dependent time synchronization concept.
This concept must declare a time master that supplies all other system
components, including the CAS, with the current time.

5.9.4 Time stamping

WinCC Alarm Logging


Messages archived from the automation system in WinCC Alarm Logging are given
the time stamp either of the WinCC system or of the automation system SIMATIC
S7-300/400.
With the bit message method, the message is detected due to a bit change in the
message tag. Alarm Logging assigns the time stamp of the WinCC system. The
time stamp has a certain inaccuracy due to the acquisition cycle, bus delay time
and time required for processing the message. Messages are lost if they are
shorter than the acquisition cycle.
If tags in WinCC violate a limit value, a message is generated in Alarm Logging
when the defined limit value is violated. The time stamp is set as in the bit
message method.
With chronologically ordered signaling, the automation system sends a frame with
the data of the message. The time stamp of the message is assigned by the PLC.
A standard function or function block is used on the automation system to generate
the message frame. Alarm Logging evaluates the frames. The date and time are
set according to the time at which the message was detected in the automation
system.
Note
For information on the message procedure, refer to the STEP 7 help >
Configuring Messages > Basics of the Message Concept > Selecting a
Message Procedure.
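
The difference between the bit message method and chronologically ordered signaling described above can be reproduced with a small simulation. This is an added example, not part of the manual or of WinCC; the message names, pulse times, the 500 ms acquisition cycle and the 40 ms delay are constructed values, and the PLC is assumed to detect a message the instant its bit rises.

```python
"""Time stamps: bit message method vs. chronologically ordered signaling.

Constructed model, not WinCC code: times are integer milliseconds, bus delay
plus processing time is one constant, and the PLC detects a message the
instant its bit rises.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pulse:
    """A message bit that is 1 in the automation system during [start_ms, end_ms)."""
    name: str
    start_ms: int
    end_ms: int


def bit_message_method(pulses, cycle_ms, delay_ms, horizon_ms):
    """The HMI reads the message tag once per acquisition cycle and stamps
    every rising edge it sees with its own clock (poll time + delay)."""
    stamps = {}
    previous = False
    for poll_ms in range(0, horizon_ms + 1, cycle_ms):
        active = [p for p in pulses if p.start_ms <= poll_ms < p.end_ms]
        if active and not previous:
            stamps[active[0].name] = poll_ms + delay_ms
        previous = bool(active)
    return stamps


def chronological_signaling(pulses):
    """The PLC stamps the message when it detects it and sends a frame, so
    the archived time is the detection time in the automation system."""
    return {p.name: p.start_ms for p in pulses}


def compare(pulses, cycle_ms, delay_ms, horizon_ms):
    """Return one row per message with both time stamps and the HMI error."""
    hmi = bit_message_method(pulses, cycle_ms, delay_ms, horizon_ms)
    plc = chronological_signaling(pulses)
    rows = []
    for p in pulses:
        hmi_stamp = hmi.get(p.name)  # None: the HMI never saw the bit set
        rows.append({
            "message": p.name,
            "raised_ms": p.start_ms,
            "plc_stamp_ms": plc[p.name],
            "hmi_stamp_ms": hmi_stamp,
            "hmi_error_ms": None if hmi_stamp is None else hmi_stamp - p.start_ms,
        })
    return rows


# Constructed sample: M2 lasts 250 ms, which is shorter than the 500 ms cycle.
SAMPLE_PULSES = [
    Pulse("M1 door open", 120, 900),
    Pulse("M2 pressure spike", 1100, 1350),
    Pulse("M3 motor fault", 2000, 3200),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_PULSES, cycle_ms=500, delay_ms=40, horizon_ms=4000):
        lost = row["hmi_stamp_ms"] is None
        print(
            f'{row["message"]:<18} raised {row["raised_ms"]:>5} ms | '
            f'PLC stamp {row["plc_stamp_ms"]:>5} ms | '
            + ("bit message method: LOST" if lost else
               f'HMI stamp {row["hmi_stamp_ms"]:>5} ms (error {row["hmi_error_ms"]} ms)')
        )
```

For an audit trail, the rows show why the specification has to state the required accuracy: the HMI-side stamp can be late by up to one acquisition cycle plus the delay, and the short message leaves no record at all.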

Note
The bit message procedure and limit value monitoring can be used with a
single-user system in WinCC. In redundant systems or WinCC systems with several
operator stations, chronological signaling is used for coordinated acknowledgment
and transmission.
For chronological signaling, the SFCs/SFBs Alarm, Alarm_S/SQ, Alarm_D/DQ,
Alarm_8/8P are used on the SIMATIC S7. Refer to the respective CPU manuals
and the block descriptions in the SIMATIC STEP 7 help to learn about restrictions
regarding the system resources for simultaneously pending messages.
To use the chronological signaling function, the SIMATIC S7-400 in conjunction
with the Alarm and Alarm 8/8P blocks is recommended.

WinCC Tag Logging


Process values acquired and evaluated in WinCC Tag Logging are given the time
stamp either with the time they are acquired in WinCC or with the value from the
automation system.
To read in the process values cyclically, acquisition cycles are defined. The
shortest acquisition cycle is 500 ms. A time stamp assigned when the process
value is acquired includes the inaccuracy of the acquisition cycle.
Note
SFB AR_SEND is available in SIMATIC S7-400 for rapid archiving. A description
of the procedure can be found under entry IDs 23780904 and 23629327
(http://support.automation.siemens.com/).

Process values that receive their time stamp from the automation system are
prepared in the form of a frame on the automation system and transferred as a raw
data tag. The packet structure is described in the WinCC Information System in
Working with WinCC > Archiving Process Values > Basics of Archiving
Process Values > Process Values and Tags > Structure of a Frame with Raw
Data Tags. The frames are evaluated in Tag Logging by format DLLs and entered
in the archive. The date and time correspond to the time at which the process
value was stored in the automation system.
The specification (URS, FS) of a GMP-compliant plant must describe the way in
which time stamping will be performed. The accuracy necessary for message and
process value acquisition must be checked in detail. The methods of time stamping
mentioned above can be used alongside each other.

5.10 Support for configuration management


The configuration of a computer system consists of various hardware and software
components; these may be standard components or specially tailored user
components. In accordance with configuration management according to GAMP 4,
the current system configuration must be available in full and in a clear manner at
all times. To achieve this, the system first has to be split into configuration
elements, and it must be possible for these to be identified using a unique
designation and version number and for them to be distinguished from the previous
version.

5.10.1 Definition of configuration elements


Standard components that are defined and documented with type designation,
version number, etc. are predominantly used for hardware. When using
customized hardware, more effort is needed, see chapter 2.1 "Hardware
categorization".
The standard components for software include for example the SIMATIC WinCC
system software, its libraries, other options and premium add-ons. Just like the
hardware, these are defined and documented with designation, version number,
etc.
The application software is configured and/or programmed on the basis of standard
software. The individual configuration elements into which the application software
should be split cannot be defined for all cases as it differs depending on different
customer requirements and system characteristics.

5.10.2 Versioning the configuration elements


While the version ID of standard software cannot be changed by the user /
configuration staff, the issuing of version numbers and a procedure for change
control must be defined in operating instructions etc. for configuring the application
software. From when the application is first created, all configuration elements
should be maintained following a defined procedure for configuration management.
Note
Examples of how individual software elements can be versioned are shown in
Chapter 5.10.3 "Versioning the application software" below.
More information on checking the configuration in WinCC can be found in Chapter
7.5 "Configuration " while GAMP 4 (chapter 7.11.7 and Annex M9) contains
general information about configuration management.
Always consult the end user to agree upon a procedure for making changes to a
plant in ongoing operation, see Chapter 8.1 "Operational ".

5.10.3 Versioning the application software


The project policies must contain definitions of which elements are versioned and
when, and whether a secondary or main version is incremented in the process, for
example:

"The main version is set to 1.0 after the FAT and to 2.0 after commissioning. All
other changes are incremented in the secondary version".
The distinction between main and secondary version changes can also be made
for example by the scope or impact of the change.

5.10.3.1 General information about versioning


The software version provides information on the current version of the system and
application software.
The following data is specified for the versioning of the application software:

Name

Date

Version number

Comment on the change

The procedure for the versioning is part of the configuration management and must
be described in a SOP, which is binding for all persons participating in the project.
The following describes examples and options for versioning in WinCC:

5.10.3.2 Versioning pictures in Graphics Designer


When the Graphics Designer editor is selected in WinCC Explorer, all existing
process pictures are listed in the right window. The properties of every process
picture can be displayed using the shortcut menu. The data shown is generated
automatically by the WinCC system.

Additional information on versioning, for example the version ID, date changed and
name can be entered in a static text box. It is practical to place the text boxes for
versioning in a separate picture level that can be shown or hidden as required. The
display of the static text box during process mode is controlled by the Display
object property.

Note
Details of a change can, for example, be described in the relevant validation
documents.

Note
WinCC Audit RC or WinCC Audit Change Control feature a document check with
automatic versioning for WinCC pictures.

5.10.3.3 Versioning VB / C scripts

VB or C scripts are created to access tags and graphic picture objects during
operation and to trigger actions that are not dependent on pictures.
Scripts are also used to link functions triggered during process mode to individual
object properties in Graphics Designer (for example input using the mouse).
Two different methods of script creation are distinguished in WinCC:

Picture-dependent VB / C scripts that are linked to the property of an object in
the Graphics Designer WinCC editor. These scripts are part of the picture and
are stored with the picture. Versioning is performed in the picture.

Non picture-dependent VB / C scripts created in the Global Script WinCC
editor.

VB / C scripts created with the Global Script editor provide boxes in the Properties
dialog for entering the data Create By, Changed By, Version ID and Comment.
The creation date and date of change are entered automatically by the WinCC
system.

An optional password can also be assigned.


Note
If a password is used, this is not checked against the logged-on user. Knowing the
password allows the script to be opened / edited. If the password is forgotten,
access to the script is permanently denied.

It is advisable to maintain a history in the scripts indicating any changes made. The
history is entered as a comment before the start of the code. As an alternative, the
comment box of the Properties dialog (see above) can also be used to record the
history.
Example of recording the history in a C script

Example of recording the history in a VB script

Note
WinCC Audit RC or WinCC Audit Change Control feature a document check with
automatic versioning for C / VB scripts.

5.10.3.4 Versioning reports
The automatic issuing of version IDs in the report layouts is not supported. A static
field can be inserted in the report layout for a version ID allowing manual
versioning of different states. The version ID must be kept up-to-date as specified
in the SOP for configuration management. The following picture shows an example
of a report layout footer with a field added for versioning.

Note
WinCC Audit RC or WinCC Audit Change Control features a document check with
automatic versioning for report layouts.

Creating the application software

6.1 Introduction
In a full automation solution, the SIMATIC WinCC SCADA system handles the
operator input, monitoring and data archiving functions. The interface to the
automation level is over powerful process links.
Chapter 6 explains the configuration of SIMATIC WinCC in a GMP environment
based on examples. The configuration of the automation level in a GMP
environment is not described in this chapter.
The following graphic shows the life cycle model. The configuration focused on in
this chapter belongs to the System build area in the graphic.
[Figure: life cycle model. Labels: Development Life Cycle of Automated Production Plant / Equipment; Development Life Cycle of Computer System; VP, QPP, QP, URS, FS, DS; Specification; Module Development, Application Development, Module Testing, System Build; FAT, SAT, IQ, OQ, PQ; Testing / Qualification; QR, VR; Traceability Matrix.]

6.2 Creating overview pictures


To visualize a complex process for operator control and monitoring, a series of
process pictures is created. This, however, means that a system is required for
screen selection or screen navigation during process mode. The Basic Process
Control option is a standardized system for process control available in SIMATIC
WinCC.
Note
The option is included on the WinCC system software DVD but installation must
be selected as an extra.

If the Basic Process Control WinCC option is installed, the following editors are
added to the WinCC Explorer.

The OS Project Editor is used to configure the WinCC project for standardized
operator control of the process. Among other things, the monitor layout, monitor
resolution, operating philosophy for the buttons, and message presentation are
configured.


The user interface is divided into three areas, the overview area, the work area and
the button area.

For detailed information on configuration, refer to the WinCC Information System,
section Options > Options for Process Control.
Both the overview graphics and the operator control philosophy must be described
in the specification (for example URS, FS and P&I) and created accordingly. When
completed, these should be shown in the form of screenshots to the customer for
approval.
Note
The OS Project Editor should be configured before starting to create the process
pictures because the size of the individual process pictures depends on the
monitor resolution and screen layout.

Additional editors included in the Basic Process Control WinCC option are:

Time Synchronization (see chapter 5.9 "Time synchronization")

Acoustic horn for acoustic signaling of alarms

Lifebeat Monitoring (see chapter 6.10 "Lifebeat monitoring")

6.3 Creating operator input messages


For plants operated in a GMP environment, FDA regulation 21 CFR Part 11
requires that operator input to the process that affects data relevant to GMP can be
traced.
GMP-relevant process input made using input/output boxes or buttons must be
configured in the WinCC Graphics Designer so that an operator input message is
generated. This operator input message is recorded in WinCC Alarm Logging with
the time stamp, user ID, old value and new value. This means that such actions
can be traced within the system.
The operator input message is a system message that is displayed in WinCC
Alarm Logging. WinCC AlarmControl must be configured accordingly (see also
chapter 6.5.2 "Audit trail via WinCC Alarm Logging").

Input/output field
To create an operator input message for an I/O field object, the Operator input
message property must be set to yes. If the Operator Activities Report property is
also configured with yes, the system opens a window for entering comments after
the value has been applied.
The I/O field is also assigned access protection. For the Operator permissions
property, a function is selected that was configured earlier in the WinCC User
Administrator (see chapter 4.6.5 "Configuring the user administrator"). Only
persons authorized to use this function can make changes in the I/O field.
The figure shows the Properties > Miscellaneous selection for an I/O field in
WinCC Graphics Designer.


Button
By default in WinCC, an operator input message is generated only when a direct
connection to a tag is configured. This means that if there is a direct connection,
the mouse click event for the button writes the value specified for the constant to
the defined tag. If the Operator Input Message check box is selected, the system
generates a message. It is not possible to enter an operator input comment here.

Functions that are not offered here, for example entering comments, can be
programmed using script functions. These functions belong to software category 5
and require more work for validation.


Script functions for changing values


If the options described for creating an operator input message for I/O fields and
buttons are not adequate, an operator input message can be generated using C
scripts. The following project function was developed for this purpose:
ISALG_OperationLog

int ISALG_OperationLog( char* pszSource, char* pszArea,
char* pszEvent, char* pszBatch, char* pszUnit, double fOld,
double fNew, char* pszComment )

The transfer parameters in this function call have the following meaning:

pszSource    Source (for example tag name or process tag name)
pszArea      Area (for process cell area or unit)
pszEvent     Event text (for example "Setpoint input" or "Motor ON")
pszBatch     Batch name
pszUnit      Unit of measurement
fOld         Old value
fNew         New value
pszComment   Comment

This project function can be downloaded free of charge from Customer Support
under entry ID 24325381 (http://support.automation.siemens.com/).
Note
The operator input message produced in this way distributes the message
information to process value blocks 1 to 5. Compared with the automatically
created operator input message, the information is therefore contained in different
reporting columns.


Note
If the standard operator input message is used when creating the operator input
message, this is also automatically adopted by WinCC Audit.
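
One way a script function for changing a value can call ISALG_OperationLog, as an added example that is not Siemens code: the old value is captured before the write, and the change is undone if no message could be stored. The stand-in body and return convention of ISALG_OperationLog, the tag name, area and limits are assumptions so that the block runs outside WinCC.

```c
/* Added example: setpoint change that writes an operator input message.
   Not Siemens code; everything except the ISALG_OperationLog parameter
   list is an assumption made for this example. */
#include <stdio.h>
#include <string.h>

/* ---- Stand-ins so the example runs outside WinCC ---------------------- */
#define LOG_MAX 3                 /* tiny on purpose: exercises the failure path */
struct op_record {                /* one operator input message */
    char source[32], area[32], event[32], batch[32], unit[16], comment[64];
    double old_value, new_value;
};
struct op_record g_log[LOG_MAX];
int g_log_count = 0;
double g_setpoint = 21.5;         /* constructed value of the hypothetical tag */

/* Parameter list as printed in the manual. Body and return convention
   (1 = message stored, 0 = not stored) are assumptions. */
int ISALG_OperationLog(char *pszSource, char *pszArea, char *pszEvent,
                       char *pszBatch, char *pszUnit, double fOld,
                       double fNew, char *pszComment)
{
    struct op_record *r;
    if (g_log_count >= LOG_MAX)
        return 0;
    r = &g_log[g_log_count++];
    snprintf(r->source, sizeof r->source, "%s", pszSource);
    snprintf(r->area, sizeof r->area, "%s", pszArea);
    snprintf(r->event, sizeof r->event, "%s", pszEvent);
    snprintf(r->batch, sizeof r->batch, "%s", pszBatch);
    snprintf(r->unit, sizeof r->unit, "%s", pszUnit);
    snprintf(r->comment, sizeof r->comment, "%s", pszComment);
    r->old_value = fOld;
    r->new_value = fNew;
    return 1;
}

/* ---- Script logic ------------------------------------------------------ */
enum sp_result { SP_OK, SP_NO_COMMENT, SP_OUT_OF_RANGE, SP_UNCHANGED, SP_LOG_FAILED };
#define SP_MIN 16.0               /* hypothetical limits from the specification */
#define SP_MAX 30.0

int change_setpoint(double new_value, char *comment)
{
    double old_value = g_setpoint;            /* capture before writing */

    if (comment == NULL || comment[0] == '\0')
        return SP_NO_COMMENT;                 /* a reason is mandatory here */
    if (new_value < SP_MIN || new_value > SP_MAX)
        return SP_OUT_OF_RANGE;               /* rejected input changes nothing */
    if (new_value == old_value)
        return SP_UNCHANGED;                  /* no change, no message */

    g_setpoint = new_value;
    if (!ISALG_OperationLog("AirCond_Setpoint", "Building A", "Setpoint input",
                            "", "degC", old_value, new_value, comment)) {
        g_setpoint = old_value;               /* never keep an untraced change */
        return SP_LOG_FAILED;
    }
    return SP_OK;
}

int main(void)
{
    int rc = change_setpoint(23.0, "Adjusted for batch start");
    printf("result=%d old=%.1f new=%.1f comment=%s\n", rc,
           g_log[0].old_value, g_log[0].new_value, g_log[0].comment);
    return 0;
}
```

Scripted functions of this kind belong to software category 5, so each branch above is a test case for validation.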

6.4 Electronic signature
Operator actions in WinCC, for example, input via I/O fields or buttons, can be
configured so that an electronic signature is required from the logged on user. The
operator actions that require an electronic signature during operation must be
specified in the specification (URS, FS).
Below, there is an example of configuring use of a button with an electronic
signature.
In the example, the Start / Stop buttons turn the air-conditioning on or off. When
the button is clicked, a picture window opens in which the password of the logged-on
user is requested. The button function is executed only after the correct
password has been entered.
Procedure:
1. Two buttons for Start and Stop are configured in a process picture. In the
Object Properties > Miscellaneous, the operator control enable was set to
No for every button. The status of the operator control enable Yes / No is
controlled depending on the AirCond_Active tag. This is achieved by linking
the tag or using a dynamic value dialog.
2. For the Authorization property, the Aircondition function was assigned to
each button. This restricts the operator input permissions for the button to
those users who are members of a user group to which the Aircondition
function was assigned. This is configured in User Administrator (see chapter
4.6.5 "Configuring the user administrator").


In the object properties in the Events tab, the Mouse Action property is linked to a
VB script. The SL_VerifyUser.bmo VB function, which displays the SIMATIC Logon Service
dialog, is called in this script. The function authenticates the logged-on
user using the password entered. Depending on the outcome of this check, the
functions which are to be triggered by pressing the button are programmed. In this
example, the AirCond_Active tag is set to 1 for the Start button and reset to 0 for
the Stop button.
The SL_VerifyUser.bmo function can be downloaded free of charge from entry ID:
24458155 (http://support.automation.siemens.com/).
The InsertAuditEntry function inserted in the script produces an entry in the WinCC
Audit Trail which reflects the operator action and logged-on user.


During operation the details of the electronic signature have the following
appearance:

6.5 Audit trail
To record an Audit Trail of user actions involving data relevant for GMP, the use of
the WinCC Audit option is recommended; however, Alarm Logging of WinCC can
also be used. Both variants are introduced below.

6.5.1 WinCC Audit

Configuring the Audit Trail for operator input


The runtime monitoring components are enabled in the configuration dialog of the
WinCC Audit option. Runtime Data / Archives monitors entries both in the
message / process value archives and in the user archives. Enabling Operator
Actions records operator input during operation in the Audit Trail. The logon/logoff
procedures during operation are also saved in the Audit Trail.

In WinCC Audit Trail, operator input to standard objects such as I/O fields, sliders,
check boxes, option buttons and text lists can be recorded. The recording of the
operator control elements is enabled for each individual object in each process
picture.
For I/O fields, text lists, and slider bars, the display of user comments can also be
enabled.


Generation of an operator input message is enabled for WinCC tags written via
a direct connection in WinCC (see chapter 6.3 "Creating operator input
messages").
The InsertAuditEntry function is also used to create Audit Trail entries. This
function can be linked both in C scripts and VB scripts. This allows user-specific
Audit Trail entries to be generated, for example due to events or changes in object
properties.

The RC license is required to configure the Audit Trail with WinCC Audit. Once
configuration is complete, this can be replaced with the RT license. This license is
sufficient for records in the Audit Trail during operation.


Configuring a central Audit Trail database


The Audit Trail database can be set up locally or remotely. WinCC Audit also
supports a central Audit Trail database for several WinCC applications.
The graphic contains a diagram of a central WinCC Audit database.

If the Audit Trail is stored on a network drive, it is first recorded on the local
computer with the WinCC project and then transferred to the remote computer. If
the connection between the remote and local computer fails, all incoming Audit
Trail entries are buffered until the connection is established again. The buffered
Audit Trail entries are then automatically transferred from the local to the remote
computer. This avoids problems and loss of data if the network is disrupted.


The type of database is selected during configuration.

Note
More information on configuring WinCC Audit can be found in the associated
documentation.

Displaying, printing and exporting the Audit Trail via Audit Viewer
The Audit Viewer displays the content of the selected WinCC Audit Trail. The Audit
Viewer is installed as an independent program under Windows and is part of the
WinCC Audit product. A large number of different filters can be set to filter out
important information for the application. WinCC Audit provides so-called Custom
filters, which represent frequently needed inquiries. Customers can also define
their own filters and save them in a file.
If required for other purposes, the generated Audit Trail can be exported to an MS
Excel file. This is only possible if MS Excel >= 2003 is installed on the computer. It
is also possible to document the data on a printer. If a PDF writer is installed on the
computer, the data can be stored in PDF format.
To allow viewing of the Audit Trail in plant pictures during WinCC runtime, the Audit
Viewer application can also be linked into a WinCC picture as an OCX.


Note
The Audit Viewer only displays the data and there is therefore no possibility of
entries being manipulated.

The Audit Viewer can access all Audit Trail databases located on the network.
If access using the standard Audit Viewer tool is not sufficient, access via the MS
SQL Server Management Studio can be set up. This is done using the
WinCCAuditViewer user account with read-only rights so that the Audit Trail
database is protected from changes.

Backup configuration WinCC Audit - Audit Trails


The MS SQL Server Management Studio is used to back up the Audit Trail
database. This provides functions for exporting, importing, restoring, etc. Users
with administrator privileges in the Windows operating system can use these
functions. If the Microsoft SQL Server was installed with password protection, the
password must be known.

6.5.2 Audit trail via WinCC Alarm Logging


Operator input through input/output fields or buttons can be configured in the
Graphics Designer in WinCC so that an operator input message is generated by
the system (for configuration, see chapter 6.3 "Creating operator input messages").
To display login and logout activities in the WinCC system, the display of system
messages is generally set up in WinCC Alarm Logging. This is done by selecting
the WinCC System Messages entry in the Options menu. The following dialog
opens in Alarm Logging:

The operator input message is a system message that cannot be configured as
user-defined. Values that are changed due to the operator input are automatically
entered in process value 2 (old value) and in process value 3 (new value) by the
system. We therefore recommend that you rename process value blocks 2 and 3.
The tag designation is transferred in the tag system block.


To display operator input messages in a process picture, the WinCC Alarm
Control is dragged from the object palette to a picture in the Graphics Designer.

Double-clicking on the control opens the Properties dialog. To ensure that only
operator input messages are displayed, a selection must be made. The Selection
button opens the configuration dialog. Under System Blocks > Message Classes,
the System message, without acknowledgement is selected. On the right in the
detailed window, the operator input message must simply be selected.


To allow entries for the login / logout of a user to be shown in the Audit Trail, the
type must be changed from process control to operator input message by
double-clicking in the Type column for the message numbers 1008000 through 1008007 in
the WinCC Alarm Logging.
The display of the message blocks is also configured in the Message Lists tab.

The Audit Trail is displayed in the process picture as follows:

The X in the Comment column shows that a comment exists. This can be
displayed with the button marked in the screenshot as follows:


The C function ISALG_OperationLog, to which reference is made in chapter 6.3
"Creating operator input messages" can also be used to generate operator input
messages.

6.6 Archiving data: Setting up process value archives


It is highly important to provide full quality verification relating to production data,
especially for production plants operating in the GMP environment. This includes
archiving production-relevant data.
In SIMATIC WinCC, the Tag Logging editor is used to archive data. Tag Logging is
part of the WinCC system software. The editor is opened in WinCC Explorer for
configuration.
Configuration of the process value archive is broken down into the following steps:

Creating a process value archive and selecting the tags to be stored in the
short-term archive.

Configuration of the process archive, specifying the archive size, segment
change and storage location for transfer to backup.

Data (analog and binary values) relating to process tags is stored in a database via
the process value archive. A process value archive is created as a short-term
archive. The size is decided in the specification (URS, FS, DS).

Basic principle of operation


The process values are taken from a sensor via the I/O modules and transferred to
the automation system. From there, they are transferred to the tag management of
SIMATIC WinCC via the communication connection. Tag Logging handles the
archiving of the value with date and time in the configured process value archive.
For long-term archiving, the archived values can be transferred to an archive
server by the backup configuration (see chapter 6.8 "Long-term archiving").

6.7 Setting up user archives


The User Archive editor creates database tables (archives) containing several data
records for parameter data (recipe data / machine data).
To meet the GMP requirements for an Audit Trail, the parameter data of a data
record must be inserted in the database table using I/O fields. This is done by
creating I/O fields in a WinCC picture and linking them with the relevant data fields.
During configuration, a value input in one of the I/O fields replaces an operator
input message. The interface to the automation system for loading and receiving
data records takes the form of control variables that can also be linked to WinCC
operator controls for triggering an operator input message.
Operator input messages are recorded in WinCC Alarm Logging with the time
stamp, user ID, old value and new value.
When using the WinCC Audit option, the parameter data records can be entered
directly in the User Archive OCX table. There is no need to divert the data input via
I/O fields to create an operator input message. Entries in the table are transferred
directly into the WinCC Audit database.
More information on the User Archive can be found in the WinCC Information
System.

6.8 Long-term archiving
In the archiving concept of WinCC, a distinction is made between online archiving
(short-term) and offline archiving (long-term). Online archiving is handled by
WinCC Alarm Logging and WinCC Tag Logging.

6.8.1 Long-term archiving in SIMATIC WinCC


For long-term archiving in WinCC, it is advisable to use a separate server in the
network. The long-term archive server stores the transferred database segments
from WinCC Alarm Logging and WinCC Tag Logging as backup. The long-term
archive server is a server without a connection to the process.

A minimum WinCC installation (fileserver setup) is installed on the server.


There are various ways of viewing the data:


Copy backup files onto the configuration computer on which WinCC Runtime is
run. In Alarm Logging or Tag Logging, the backup files are connected to the
project so that the archived values can be displayed in operation.

Access via OLE-DB (the MS SQL Server must be installed)

Access via DataMonitor (see chapter 6.13 "Connecting to a Web client")


Backup configuration in Alarm Logging

In the properties of the message archive, a folder is entered as the destination path
in the Backup Configuration tab. This folder is the folder set up on the long-term
server. To avoid problems if the long-term server fails, a second alternative
destination path can be specified.
The setting Signing off active is made in the backup configuration (Tag Logging
Fast and Tag Logging Slow) for process value archives that archive data from a
GMP environment. When the data is transferred, a checksum is generated. This
allows subsequent manipulation to be detected by the system when a backup
process archive database is reconnected to the WinCC system. If a manipulated
database is reconnected, WinCC displays a warning.


Backup configuration in Tag Logging

The backup for the Tag Logging Fast and Tag Logging Slow archives is configured
in Tag Logging.
For more information, refer to Alarm Logging above.

6.8.2 Long-term archiving with SIMATIC Central Archive Server


The Central Archive Server (CAS) is a dedicated server without a direct process
connection. It is used for long-term archiving of message archives, process value
archives and reports in conjunction with WinCC.

6.8.2.1 Method
Archived data, like process values (Tag Logging) and messages (Alarm Logging)
are collected in the Central Archive Server from the connected WinCC servers. The
advantage of the CAS is that the data that are transferred from the WinCC servers
and stored on the CAS are available for viewing and analysis purposes for longer
than is the case with the WinCC long-term archive server.
The archived process values are displayed in the form of trends and tables and the
alarms are displayed during operation (runtime) using the WinCC controls that are
provided as standard and incorporated in the process picture. Accessing the
archive data over a selected time period takes the form of transparent access that
is handled automatically by the system. This means that the user no longer needs
to concern himself with whether selected archive data are still available on the
WinCC servers or whether they have already been transferred to the CAS.


The WinCC CAS software is used to automatically install the StoragePlus software
package on the computer. StoragePlus provides tools for CAS administration,
creating web views and a WebViewer. This allows various views of the archived
data to be configured using Internet Explorer.
The example shown in the following picture shows the possible forms of access for
displaying trends and tables (Tag Logging) and messages on the WinCC clients.
The individual server segments are transferred to the CAS once complete. If this
isn't possible, for example if the connection is interrupted, the data segments
remain on the server. Another transfer process is started later on. This procedure
is known as Store & Forward and offers high levels of data security.
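
The buffering behaviour described above for Store & Forward, and in chapter 6.5.1 for a remote Audit Trail database, modelled as an added example (not WinCC or CAS code): entries are written locally first and leave the local buffer only once the remote side has accepted them. Sequence numbers, buffer capacities and all names are assumptions of this example.

```c
/* Added example: store-and-forward model for audit trail entries.
   Not WinCC code; names and capacities are assumptions. */
#include <stdio.h>
#include <string.h>

#define SPOOL_MAX 8               /* hypothetical local buffer capacity */
#define REMOTE_MAX 32

struct entry { unsigned long seq; char text[48]; };
struct spool {                    /* local buffer on the WinCC computer */
    struct entry pending[SPOOL_MAX];
    int count;
    unsigned long next_seq;
};
struct remote {                   /* stand-in for the central database */
    struct entry rows[REMOTE_MAX];
    int count;
    int link_up;                  /* 0 simulates a network outage */
};

/* Accept one entry. A sequence number that is already stored is
   acknowledged again but not duplicated, so retries are harmless. */
static int remote_store(struct remote *r, const struct entry *e)
{
    if (!r->link_up)
        return 0;
    if (r->count > 0 && r->rows[r->count - 1].seq >= e->seq)
        return 1;
    if (r->count >= REMOTE_MAX)
        return 0;
    r->rows[r->count++] = *e;
    return 1;
}

/* Forward pending entries oldest first. An entry leaves the local buffer
   only after the remote side accepted it. Returns the number forwarded. */
int spool_flush(struct spool *s, struct remote *r)
{
    int sent = 0;
    while (sent < s->count && remote_store(r, &s->pending[sent]))
        sent++;
    memmove(s->pending, s->pending + sent,
            (size_t)(s->count - sent) * sizeof s->pending[0]);
    s->count -= sent;
    return sent;
}

/* Record locally first, then try to forward. Returns 0 when the local
   buffer is full: the caller must raise an alarm instead of dropping. */
int audit_record(struct spool *s, struct remote *r, const char *text)
{
    struct entry *e;
    if (s->count >= SPOOL_MAX)
        return 0;
    e = &s->pending[s->count++];
    e->seq = s->next_seq++;
    snprintf(e->text, sizeof e->text, "%s", text);
    spool_flush(s, r);
    return 1;
}

/* 1 if the remote rows carry sequence numbers 0..count-1 with no gap. */
int remote_is_complete(const struct remote *r)
{
    int i;
    for (i = 0; i < r->count; i++)
        if (r->rows[i].seq != (unsigned long)i)
            return 0;
    return 1;
}

/* Constructed scenario: entries before, during and after an outage.
   Returns pending_during_outage * 100 + rows stored at the end, or -1. */
int run_outage_scenario(void)
{
    struct spool s;
    struct remote r;
    int pending;
    memset(&s, 0, sizeof s);
    memset(&r, 0, sizeof r);
    r.link_up = 1;
    audit_record(&s, &r, "login operator1");
    audit_record(&s, &r, "setpoint 21.5 -> 23.0");
    r.link_up = 0;                               /* connection fails */
    audit_record(&s, &r, "motor ON");
    audit_record(&s, &r, "setpoint 23.0 -> 24.0");
    audit_record(&s, &r, "logout operator1");
    pending = s.count;                           /* buffered locally */
    r.link_up = 1;                               /* connection restored */
    spool_flush(&s, &r);
    audit_record(&s, &r, "login operator2");
    if (!remote_is_complete(&r) || s.count != 0)
        return -1;
    return pending * 100 + r.count;
}

int main(void) { printf("%d\n", run_outage_scenario()); return 0; }
```

The same sequence (entries before, during and after a disconnection, then a gap check on the remote side) is a useful shape for a qualification test of the real system.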

6.8.2.2 Configuring the Central Archive Server


The configurations needed for the CAS and network with the WinCC system are
undertaken in a central engineering system either in SIMATIC NCM PC Manager
or SIMATIC Manager. Detailed descriptions can be found in the WinCC CAS
Information System.
The SIMATIC NCM PC Manager software can be found on the SIMATIC NET CD
that is supplied with the CAS software package. If the WinCC system is integrated
in STEP7 during Totally Integrated Automation, the CAS configuration is handled in
the SIMATIC Manager.
The details of how to configure the CAS using the SIMATIC NCM PC Manager are
provided below.
In the example shown, the CAS is configured in conjunction with a WinCC server
and WinCC client and separate computers are needed each for the CAS, WinCC
server, WinCC client and CAS engineering station. Configuration is undertaken in
the following order.


Create a new project in the SIMATIC NCM PC Manager

Import an existing WinCC server project via Menu Options > Import OS or
insert a SIMATIC PC station, double-click on the Configuration object in the
right-hand window (the hardware configuration is opened), select the Insert
object context menu from the table to select the HMI application type >
WinCC application

Create one more SIMATIC PC station each with the WinCC CAS application
type or the WinCC application client, as described above


The path to the destination computer on which the corresponding project is running
in runtime is stated in the object properties for each application.


The Alarm Logging and Tag Logging are configured as usual in the WinCC project
via the engineering system and no backup configuration is entered. This is done
automatically by the system configuration.
The Long-term relevance option is automatically selected in Tag Logging for each
configured archive tag. This option can be deactivated in either the corresponding
column or properties dialog if long-term archiving is not needed in the CAS.


The archive settings for data management on the Central Archive Server (CAS)
are configured in the CAS Options tab.

With regard to the hard disk memory capacity available, the operator must assess
the extent to which access, including long-term access, must remain for the
system.
CAS data that are transferred using a backup configuration must be reconnected to
the CAS for viewing.


Once all the WinCC applications have been configured, the server data for the
WinCC server and CAS are created using the context menu.

The server data of the CAS are then assigned to the WinCC server and the server
data of both the WinCC server and CAS assigned to the WinCC client. This is done
using the context menu Assign OS server.
The Destination system > Load context menu is used to transfer the project data
for every WinCC application to the destination computer. The WinCC project
should now be opened on the destination computers and runtime activated.
Note
The preconditions and details relating to the CAS configuration described above
can be found in the WinCC CAS Information System.

Note
Once the CAS project has been created, all configurations, including WinCC
server configurations, are run on the engineering station (ES) and not on the
destination computer. Each time the configuration is changed, a new server
package is created and loaded on the destination computer.


Central Archive Server administration


The CAS software includes the StoragePlus software. This software contains three
software components:

The Administrator Console (server application) allows rights to be issued for
use of various users / groups in the CAS.
The database settings are also configured here and handling carried out to
create the backup.
You will, however, require Administrator Rights for access. Since system
settings / initializations can be undertaken here, access should only be granted
to an authorized circle of people.

The View Editor is used to configure trends and message displays that are
saved in a separate view.

The Web Viewer is used to display views that are produced using the View
Editor and have been published for this form of viewing.

Access protection
The Central Archive Server is a dedicated server, i.e. it is not a station on which for
example a process WinCC server can be operated and observed. It is simply used
for archiving. CAS access protection therefore takes two forms:

A WinCC client that has access protection thanks to SIMATIC Logon can be
used to display the data that is still linked in the CAS.

The archived data can be displayed on the CAS using the StoragePlus
WebViewer. StoragePlus offers dedicated access protection for this.

Network security
The Central Archive Server needs to access the WinCC terminal bus to receive
data from the WinCC servers.
There is just one approved folder called ArchivDir on the CAS for this purpose.
Completed database segments are transferred here from the WinCC servers.
The StoragePlus WebViewer is simply used to display the archived data on the
local computer.
The Central Archive Server must be included in the entire system security concept
(see chapter 3.2 "System network security").

Audit Trail CAS


Technically speaking, the data archived by CAS cannot be changed. In the WinCC
client or if using configured web views, users have read-only access to the
archived data. CAS therefore does not support an Audit Trail in accordance with 21
CFR Part 11.
All events, for example the transfer of data to external media or failed transfers, are
however saved in the log file directory on CAS.


6.8.2.3 Archiving and transfer to the CAS


Process data are first archived locally on the WinCC servers in Tag Logging or in
Alarm Logging. The archive data are divided into individual segments. Several
individual segments make up a complete database segment. The size of the
individual segments and database segments can be configured in both Alarm
Logging and Tag Logging. See also chapter 6.8.1 "Long-term archiving in SIMATIC
WinCC".

Transferring archive data (Backup)


"Closed" database segments are automatically transferred from the WinCC servers
to the CAS.
The database segments then attain "backed up & disconnected" status.
As can be seen in the previous diagram, a device with an appropriate burning
program can be specified as the storage location. Only if this device is not
available, is data transferred for example to a hard disk area via the secondary
storage location.
The criteria for automatic saving cover time setting ranges that extend from
immediate transfer to a delayed transfer, for example only when the hard disk
memory capacity has reached a certain level.
These criteria should be assessed against any requirement for the data to remain
available ("connected" status) for display in views.
In the Common part of the administrator console, the configuration can be viewed
for the archive transfer. The settings are undertaken on the engineering station
when setting up the CAS. See chapter 6.8.2.2 "Configuring the Central Archive
Server".

6.8.2.4 Retrieving archived data


Database files already archived by backing up can be returned to the database
using StoragePlus and the "Connect" button (backed up & connected status). This
allows views to be accessed again for the time setting range of these data.
Data reconnected with the system in this way are disconnected using the
"Disconnect" button (backed up & disconnected status).


6.8.2.5 Data displays
Pre-assembled views are available as

diagram (trend display)

alarm (message display)

Views that have been fully produced are displayed on the CAS computer using the
Web Viewer via Internet Explorer.
More information can be found in the WinCC CAS Information System
documentation.
Since StoragePlus can only be accessed locally on your own PC, the address
for Internet Explorer is http://localhost/ when launching the WebViewer.exe
application.
You are logged in automatically as the Windows operating system user who is
already logged in.

6.8.3 Batch-oriented long-term archiving with PM-QUALITY


PM-QUALITY offers several methods for archiving batch data.

Exporting in database format

Exporting in HTML format

Exporting in XML format

Only completed batches can be archived. A batch has the status closed, when:

The batch was completed manually or automatically.

The batch was aborted, locked or reported as completed.

Automatic export of a batch is performed only once. Selecting the Automatic batch
finalize check box in the Project Settings > Defaults dialog has the effect that
changes to the batch data are no longer possible after the automatic export.

For export in HTML format or XML format, subsequent manipulation of the data
can be prevented by assigning the appropriate rights to the drive (read-only).
PM-QUALITY checks if the completed batch is ready for export in the current
acquisition cycle. The data must first be exported to a local hard disk. Transferring
the batch data to an external drive, for example to the long-term archive server,
can be configured with Following action.
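
Read-only rights on the export drive prevent changes; a hash manifest recorded at export time additionally lets a periodic review show that the exported HTML/XML batch files are unchanged. The following Python code is an added example, not part of this manual or of PM-QUALITY, and it goes beyond the read-only setting described above; the file extensions, directory layout and file names are assumptions.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumption: the batch export consists of HTML/XML files below one directory.
EXPORT_SUFFIXES = {".html", ".htm", ".xml"}
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large batch reports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_exports(export_dir):
    """Return {relative path: (sha256, writable)} for every export file."""
    root = Path(export_dir)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXPORT_SUFFIXES:
            # Write bits still set: the file itself is not read-only.
            # On Windows this reflects only the read-only file attribute;
            # rights assigned to the drive or share are reviewed separately.
            writable = bool(path.stat().st_mode & WRITE_BITS)
            result[path.relative_to(root).as_posix()] = (sha256_file(path), writable)
    return result


def build_manifest(export_dir):
    """Record the hash of each export file; run once, right after the export."""
    return {name: digest for name, (digest, _) in scan_exports(export_dir).items()}


def save_manifest(manifest, manifest_path):
    # Keep the manifest outside the export drive, under separate access rights.
    text = json.dumps(manifest, indent=2, sort_keys=True)
    Path(manifest_path).write_text(text, encoding="utf-8")


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text(encoding="utf-8"))


def verify_exports(export_dir, manifest):
    """Compare the current export directory with the recorded manifest."""
    current = scan_exports(export_dir)
    return {
        "modified": sorted(n for n in manifest
                           if n in current and current[n][0] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
        "writable": sorted(n for n, (_, w) in current.items() if w),
    }


def is_clean(findings):
    """True when no file was changed, removed, added or left writable."""
    return not any(findings.values())


if __name__ == "__main__":
    # Constructed demonstration data in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = Path(tmp, "export")
        export_dir.mkdir()
        report = export_dir / "batch_0001.html"
        report.write_text("<html>batch 1</html>", encoding="utf-8")
        os.chmod(report, 0o444)
        manifest = build_manifest(export_dir)
        print("after export:", verify_exports(export_dir, manifest))
        os.chmod(report, 0o644)
        report.write_text("<html>batch 1 (edited)</html>", encoding="utf-8")
        print("after change:", verify_exports(export_dir, manifest))
```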


The Export View application is used to view batch data in the database format. The
tool is contained in the PM-QUALITY package.

The batch is selected in a batch list dialog; viewing on screen is started with a
button in the toolbar.
For more detailed information on the WinCC premium add-on PM-QUALITY, refer
to the product's online help.


6.9 Reporting

6.9.1 Reporting with WinCC Report Designer


The Report Designer is integrated in the WinCC system software to allow
documentation of the configuration data and the runtime data.
The following runtime data can be logged:

Message sequence report: Chronological listing of all messages that have occurred
Message report: Messages of the current message list
Archive report: Messages from the message archive
Tag table: Tag contents from process value / compressed archives in the form of a table
Tag trend / picture: Tag contents from process value / compressed archives in the form of a trend

Note
WinCC Report Designer supports logging of continuous processes.

The contents of user archives can also be documented in the form of a table.
The design and output of the runtime data can be defined in page layouts. Print
jobs control the printout. The output range and options are also specified in the
print job.
A series of system layouts and system print jobs for various documentation
requirements are supplied with the product. These can be used to create new
layouts or print jobs but they should not be modified. Changing the system layout
means additional test effort from a GMP perspective. If the system software is
upgraded, the system layouts are overwritten by the installation.
Note
The WinCC Information System lists the available layouts and print jobs in Working with
WinCC > Documentation of Configuration and Runtime Data > Appendix
System Layouts and Print Jobs for Runtime Documentation.


6.9.1.1 Page layout editor


The page layout editor of the Report Designer is used to modify system layouts to
meet users' needs or to create new layouts. System layouts are opened in the
page layout editor and saved under a new name so that they can be modified.
The layouts are divided into a static and a dynamic section. To design the layout,
static and dynamic system objects are available in the form of an object palette. A
title page, for example with the company logo and a back page can be created for
each report.
Headers and footers are configured in the static section. For example, a version
ID that is changed manually by means of a variable can be configured in the footer.
The runtime data for output are configured in the dynamic section. The required
object is selected from the Object Palette > Runtime Documentation and
dragged to the work area (dynamic section) of the report layout.

In the following example, the Archive Report object under Alarm Logging RT is
linked into the report to show the Audit Trail entries (user input messages). The
column appearance is configured in the properties.


The filter is set either by specifying the number of the operator input message
(the message number is fixed by the WinCC system) or by clicking Message
Class > System, without acknowledgment and selecting the Operator input
check box.


6.9.1.2 Print jobs
WinCC Report Designer documents data from continuous processes over a
defined time. The period is set along with all other settings in the print job. During
process mode and before the log starts, it is also possible to open a parameter
assignment dialog in which the output selections, timebase, and time range for the
output of archive tags can be changed for the log being output.

Note
For more detailed information on the WinCC Report Designer, refer to the WinCC
Information System, section Working with WinCC > Documentation of
Configuration and Runtime data.
The Audit Trail entries are shown in the log as follows:


6.9.1.3 Logging the Audit Trail entries from WinCC Audit


The Audit Trail entries from the WinCC Audit database can be printed via the
Report Designer.

Creating an ODBC data source


Before configuration in the Report Designer, an ODBC data source is created for
the WinCC Audit database using the Windows control panel.
The ODBC data source administrator is opened via Start > Settings > Control
Panel > Management > Data sources (ODBC).


The selected WinCC Audit database is added.

WinCC_Audit for example is entered as the name.

The following is specified under server: <Computer name with audit database>\WinCC
The wizard is continued by selecting Next.

The default database is changed to WinCC_Audit. Further settings are not
necessary. The wizard is complete.


Creating the report layout for WinCC Audit


A new layout is created in the Report Designer. This is set in Properties >
Orientation > Landscape format.

The Database table object is selected from the standard objects and dragged into
the layout using drag-and-drop.


The Database connection property is selected from the Connect tab in properties
for the database table.


The Edit button opens a dialog in which the connection to the WinCC_Audit
database is configured.

The data source previously created is selected under ODBC data source.
Activating Display column headers prints the WinCC Audit column headers in the
report.
A user-specific selection for choosing the data to be displayed is specified under
SQL Statement. The Test SQL statement button checks that the syntax is correct.
The column width can be adjusted under Geometry > Columns > in the database
table properties.


6.9.2 Batch-oriented reporting with PM-QUALITY


The WinCC premium add-on PM-QUALITY is used for batch-oriented archiving
and reporting. The recording of the production-relevant data begins with the Batch
start signal and ends with the Batch end signal. The data is assigned to a specific
batch, which can be configured, and called back up again with the batch name.
The report layouts for printing the batch data can be customized in the Report
Editor application.

Static objects for report designs and dynamic objects for displaying the batch data
are listed in the highlighted area at the lower left.
The dynamic objects are configured for the specific plant beforehand in the
Topology Manager application. The dynamic objects include batch header data,
phase sections, snapshots, alarm events, Audit Trail entries, tag logging values,
etc. A tabular horizontal or vertical display style can be selected.
Tag logging values are shown in the form of trend curves. This involves defining
trend templates in which the values and the form of the trend graphic are specified.
You can also display comparable trends with values from different batches.
The procedure for including Audit Trail entries (operator input messages) in a batch
log is shown below based on an example.


The PM-SERVER application functions as the interface between the WinCC
system software and PM-QUALITY. It is contained in the PM-QUALITY program
package. A station is configured for the WinCC server in PM-SERVER in which the
data from the WinCC project are imported (tags, alarm blocks, permissions and
archive data). PM-SERVER can record data not only from one but from several
WinCC servers with different projects. Based on the imported alarm blocks, a
message column structure is configured in which the messages arriving from the
WinCC projects are passed on to PM-QUALITY.
The operator input messages are recorded in WinCC Alarm Logging as Audit Trail
(see also chapter 6.5.2 "Audit trail via WinCC Alarm Logging"). To receive the
operator input messages, an Alarms object and an Alarm group is created in the
Topology Manager below the relevant production unit, in this case with the name
Audit Trail.

The alarm blocks to be shown in the batch report are selected in the properties of
the Audit Trail alarm group. The message number for the operator input message
as defined in the WinCC system is also entered in the Alarm filter dialog.
The Audit Trail alarm group is displayed in the area for the existing objects in the
Report Layout editor. The Audit Trail alarm group is dragged to the right to be
included in a report layout.


An Audit Trail can appear as follows in a batch report:

Change comments can be logged in the audit trail.


Note
For more detailed information on the WinCC premium add-on PM-QUALITY, refer
to the product's online help.


6.10 Lifebeat monitoring
The Lifebeat Monitor monitors all servers, clients and automation devices which
can be reached over PC networks and industrial networks (Industrial Ethernet,
PROFIBUS or OPC).
To configure the nodes to be monitored, the Lifebeat Monitoring editor is opened
in WinCC Explorer. Here, all the nodes to be monitored and the monitoring cycle in
which the lifebeat monitoring takes place can be set up.
Note
Lifebeat monitoring for third-party systems must be configured manually. Its use
depends on the communication partner of the third-party system. If the third-party
system represents an important interface to SIMATIC WinCC, Lifebeat Monitoring
is absolutely necessary.
For additional information, refer to the WinCC Information System > Options >
Options for Process Control > Lifebeat Monitoring.


6.11 Data communication with the plant management level


Data communication with the plant management level or other systems must be
covered by system functionalities. Here, there are several options available,
including the integrated OPC connection (OPC Data Access), the connections of
OPC A&E and OPC Historical Data Access, or the WinCC OLE DB connection.

6.11.1 Data communication with the connectivity pack


The WinCC Connectivity Pack option makes possible standardized access to the
WinCC data. This option is installed on the WinCC server.
The following mechanisms are available:

OPC Historical Data Access (access to the process value archive)
OPC HDA. All or selected process value archives can be read. The process
value archives can be read cyclically or user-controlled on certain events or at
certain times. It is not possible to write to the process value archives.

OPC Alarms and Events (access to the message archive)
OPC A&E. All or only selected messages can be read. The message archive
can be read cyclically or user-controlled for certain events or certain times.
Apart from acknowledgments, it is not possible to write to the message archive.

WinCC OLE DB allows read access to Tag Logging and Alarm Logging archive
databases.

6.11.2 Data communication with the connectivity station


The Connectivity Station software package offers the same functionality as the
aforementioned Connectivity Pack. The difference is in the installation. The
Connectivity Station does not require a WinCC installation and can therefore be
installed on any PC in the network. It is configured via the SIMATIC NCM manager
(free of charge on the SIMATIC Net CD) or the SIMATIC manager (STEP 7).


6.11.3 Data communication with Industrial Data Bridge


The IndustrialDataBridge application offers various mechanisms for communicating
data between WinCC and various applications, for example an Oracle database.
Archived data cannot be manipulated.

6.11.4 Data communication via the ODK programming interface


The WinCC Open Development Kit (ODK) option describes the exposed
programming interfaces that can be used to access data and functions of the
WinCC configuration and WinCC runtime system. The interfaces are designed as
C-Application Programming Interface (C-API).
Note
Due to the large amount of work involved, the ODK interface should only be used
when there is no other way to implement certain functionalities.


6.12 Creating C and VB scripts


C and VB source files are programs written by the user that count as class 5 in the
software categorization. This type of software is developed to meet customer-specific
requirements that cannot be covered by the standard library.
With category 5 software, the constraints governing the creation of software
according to ISO 9001:2000 should be adhered to.
If category 5 software is used, the development and system build must comply with
the stipulations of GAMP 4.
The procedure for creation of Category 5 software is as follows:
1. Creation of a functional description for the software
2. Specification of the function blocks used
3. Specification of the inputs and outputs used
4. Specification of the block for operator control and monitoring

Note
The creation of category 5 software should be limited to a minimum because it
significantly increases the work involved for testing and validation.


6.13 Connecting to a Web client


For web access from a computer in the network to a WinCC project, a distinction
is made between read-only access and read and write (operator input) access.
Read-only access is set up using the WinCC DataMonitor option. Operator input
for the WinCC project, i.e. write access, is set up via the Web Navigator option.
Operator input via the web client is checked by both SIMATIC Logon (user
authentication) and the User Administrator in WinCC (operator permissions).
Note
There are standard tools on the market for open systems that encrypt data
transfer and make the "open path" secure.
Descriptions and more information on security can be found in the "SIMATIC
WinCC Security Concept" under entry ID 23721796
(http://support.automation.siemens.com/).

6.13.1 Configuring web access on the WinCC server for process operator input
The following installation and configuration steps are needed for operator input in a
WinCC project via a web client:
The WinCC Web Navigator Server option is installed on the WinCC server or a
multiclient and licensed for the corresponding number of web clients. The Web
Navigator Client should be installed on the computer used for remote access. The
installation on this computer is not licensed.
The wizard for configuring the web connection is started via the Web Configurator
context menu for the Web Navigator object in WinCC Explorer.
In the first dialog the user chooses whether a new standard web page is to be
created or an existing one added.


The web page is configured in the second dialog. The settings are preassigned by
default. They can however be adapted by the user.

The Windows firewall is adapted in the third dialog. The settings needed are
described in detail in the Help section for the Web Navigator (Start > Programs >
SIMATIC > WinCC > DataMonitor > DataMonitor Information System).
The corresponding process pictures of the WinCC project must be published in the
Web Navigator Server application for remote access. Another wizard that is
launched in WinCC Explorer via the Web View Publisher context menu for the Web
Navigator object is used for this purpose.


The WinCC project path and folder for web access are entered automatically in the
dialog. The data can be preceded by a server prefix. This is needed when installing
on a multiclient.

Those WinCC process pictures that are to be viewed or operated via remote
access are published in the dialog.

The functions and pictures to which references are made in the process pictures
selected are published in the other dialogs.

A completion report announces that all the information has been recorded.
Note
The corresponding client has to be installed and licensed on the computer for
remote access in order to view the process pictures that are included in the
controls of the WinCC premium add-ons PM-CONTROL and PM-QUALITY.

6.13.2 Setting up operator permissions on the WinCC server


The operator permissions in the web client are set up in the WinCC User
Administrator. The User Administrator editor is opened in WinCC Explorer for this
purpose.

Checking the check box for SIMATIC Logon activates authentication of the user
logged on via SIMATIC Logon. Also see chapter 4.6.4 "Configuring SIMATIC
Logon".
Remote access is activated by selecting the check box for the Web Navigator. The
start screen for the web client can be configured and may deviate from the start
screen for runtime on the WinCC server. There is also an option for selecting the
language for viewing in the web client.
The "DataMonitor Monitor only" function controls operator permissions between
WebNavigator and DataMonitor. If this function is not activated and the
WebNavigator license is detected, the operator can control the process pictures. If
this function is activated, the process pictures can only be monitored.


Note
This configuration is undertaken separately for each user group. This means that
the definitions for release for remote access, the start page, language and
operator permissions may be different for each user group.

6.13.3 Remote access via the network


The web client must be installed on the computer for remote access. The link to
the WinCC server is established in Windows Internet Explorer by stating the
computer name in the address (for example http://Rechnername).
When the connection is first made, a check is run to determine whether additional
software is needed. Once the installation has been completed and the link to the
WinCC server established, a logon dialog appears in which the user ID and
password are requested. SIMATIC Logon checks the logon. If the logon is
successful, the start page is opened according to the User Administrator
configuration. Operator input in the process picture is the same as operator input in
the WinCC runtime. The logged-on user is assigned the rights of the user groups of
which he is a member.
Note
The user cannot log off if using remote access. The time configured in SIMATIC
Logon for automatic user logoff also has no effect when using remote access. We
would therefore recommend closing the session after modifying data by exiting
Internet Explorer.

6.13.4 Configuring web access on the WinCC server to display data


To display and evaluate the archived data either from WinCC or from the long-term
archive server, the Trends & Alarms application of the WinCC DataMonitor option
is used. Trends & Alarms and the other tools available grant read-only access to
the archived data.
The process screens with the WinCC Alarm Logging and/or Tag Logging controls
can be used as an alternative for viewing data.
Using Internet Explorer, the archive data can be displayed on any computer in the
network. To set up the functionality, the DataMonitor Server is installed on the
WinCC server and licensed for the corresponding instances of remote access. The
DataMonitor client has to be installed for the data to be viewed on the remote
computer. No extra license is necessary for these computers because the license
is integrated in the server license.
Details of the procedure for installation, required user rights, adaptation of the
security policies in the network, etc. are described in the DataMonitor Information
System.
The Archive Connector tool is used to connect/disconnect the archived database
with/from the MS SQL server. The databases are grouped under a symbolic name.
The archived databases must be located on the computer with the DataMonitor
server for this to happen.
The Archive Connector is opened via Start > Programs > SIMATIC > WinCC >
DataMonitor > WinCC Archive Connector.


When the DataMonitor server is installed, the DM-ADMIN and DM-USER user
groups are automatically created.
To configure and operate the DataMonitor, a Windows user must be created on the
computer with the DataMonitor server and this user must be a member of either
DM-ADMIN or DM-USER. Users who are assigned to the DM-USER user group
have access to view the data.
A connection is established on the remote computer via Internet Explorer. The
name of the PC on which the DataMonitor server is installed is entered under
Address (http://Rechnername). A logon dialog for specifying user ID and password
is displayed. Once the logon is complete, the DataMonitor start page appears.


To display the archive data, the Trends & Alarms tool, for example, is started by
clicking on the left-hand side.
The menu offers the following views:

Process value table

Trend (process values)

Alarm table

Alarm hit list

Statistics functions for process values


Example of process values being displayed in tabular form:


Example of a plot:


6.14 Connecting SIMATIC WinCC flexible


More information on the use of SIMATIC WinCC flexible in a GMP environment in
conjunction with SIMATIC WinCC, can be found in the "SIMATIC WinCC flexible
GMP Engineering Manual: Guidelines for Implementing Automation Projects in a
GMP Environment".


6.15 Connecting SIMATIC S7

Connection via defined channels


To exchange data between WinCC and the automation systems, the first thing that
is required is a physical connection. A communication connection suitable for the
hardware being used is configured in SIMATIC WinCC. The WinCC system
software includes a series of communication drivers for this purpose.
The SIMATIC S7-300 and S7-400 automation systems, for example, are linked
using the communication driver (communication channel) "WinCC SIMATIC S7
Protocol Suite". Depending on the communication hardware in use, various
channel units are available for the channel. The channel unit serves as an interface
with exactly one underlying hardware driver and therefore to exactly one
communication processor in the PC. A detailed list of the existing channel units can
be found in the WinCC Information System in the section Communication >
SIMATIC S7 Protocol Suite.
A connection is configured for the selected channel unit in the tag management by
creating the tags with a name and data type. These tags are also known as
external tags.
The tag management forms the data interface between the automation system and
WinCC system. All the editors integrated in WinCC read / write data to the tag
management.
An interruption to the communication connection is indicated in the WinCC Alarm
Logging if system messages are enabled.

Evaluating the tag status and quality status


To allow monitoring, a status value and a quality code are generated for each tag.
Among other things, the tag status indicates configured limit value violations and
the link status between WinCC and the automation level. The quality code is a
statement about the quality of the value transfer and value processing.
The evaluation of the tag status or the quality code can be configured, for example
in the dynamic values dialog in the properties of a graphic object.


The evaluation of the tag status in this example is shown by a color. If the
described state occurs, the color changes according to the configuration. The
quality code is configured in much the same way.
The checking of the quality code and tag status can also be performed in VB / C
scripts and linked to a user-defined action.
Note
For more detailed information on using SIMATIC S7 in a GMP environment, refer
to the "SIMATIC STEP 7 GMP Engineering Manual: Guidelines for Implementing
Automation Projects in a GMP Environment".
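
The quality code evaluation described above can be shown on recorded values. This is an added example in Python, not code from the manual and not a WinCC VB / C action; it assumes the one-byte QQSSSSLL layout (quality, substatus, limit) given for quality codes in the WinCC documentation, and the readings and their timestamps are constructed.

```python
from itertools import groupby

# Assumed bit layout QQSSSSLL: the two top bits give the quality class,
# the next four the substatus, the two lowest bits the limit state.
QUALITY_CLASS = {0b00: "bad", 0b01: "uncertain", 0b10: "good", 0b11: "good"}
LIMITS = {0b00: "ok", 0b01: "low limited", 0b10: "high limited", 0b11: "constant"}


def decode_quality_code(code):
    """Split a one-byte quality code into its three fields."""
    if not isinstance(code, int) or not 0 <= code <= 0xFF:
        raise ValueError(f"quality code must be one byte, got {code!r}")
    quality_bits = code >> 6
    return {
        "quality": QUALITY_CLASS[quality_bits],
        "cascade": quality_bits == 0b11,
        "substatus": (code >> 2) & 0b1111,
        "limit": LIMITS[code & 0b11],
    }


def usable_values(readings):
    """Keep only the values whose quality class is good."""
    return [(ts, value) for ts, value, code in readings
            if decode_quality_code(code)["quality"] == "good"]


def quality_gaps(readings):
    """Collapse consecutive non-good readings into intervals for review.

    readings: chronologically ordered (timestamp, value, quality_code) tuples
    of one tag. Each returned interval names the quality class, the first and
    last affected timestamp and the number of affected readings.
    """
    gaps = []
    by_class = groupby(readings, key=lambda r: decode_quality_code(r[2])["quality"])
    for quality, run in by_class:
        run = list(run)
        if quality != "good":
            gaps.append({
                "quality": quality,
                "start": run[0][0],
                "end": run[-1][0],
                "count": len(run),
            })
    return gaps


# Constructed readings of one hypothetical temperature tag.
SAMPLE_READINGS = [
    ("2008-01-15 08:00:00", 37.1, 0x80),  # good, limit ok
    ("2008-01-15 08:00:10", 37.2, 0x80),
    ("2008-01-15 08:00:20", 37.2, 0x4C),  # uncertain
    ("2008-01-15 08:00:30", 37.2, 0x4C),
    ("2008-01-15 08:00:40", 0.0, 0x18),   # bad
    ("2008-01-15 08:00:50", 0.0, 0x18),
    ("2008-01-15 08:01:00", 0.0, 0x18),
    ("2008-01-15 08:01:10", 37.4, 0x82),  # good, high limited
]

if __name__ == "__main__":
    for gap in quality_gaps(SAMPLE_READINGS):
        print(gap)
    print(len(usable_values(SAMPLE_READINGS)), "usable readings")
```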


6.16

Connecting third-party components

Connection via defined channels


We recommend that the OPC channel is used as the communication connection
between WinCC and third-party automation devices. The communication driver for
OPC (OLE for Process Control) is certified by the OPC Foundation. The driver is
included in the WinCC system software.
It is possible to link the OPC client with third-party control systems over an OPC
server.
In tag management (data manager), a communication connection is configured for
the OPC channel in which tags with name and type can be created. These tags
form the interface between the automation system and WinCC. The WinCC system
software uses the contents of the data manager for the configured functionalities.
WinCC also operates as an OPC DA server and transfers process values to other
OPC clients.

Support for qualification

7.1 Introduction
The following graphic shows the life cycle model. Qualification, which is the focus
of this chapter, is assigned to the area of Test / Qualification in the graphic.
[Figure: life cycle model showing the development life cycle of the automated
production plant / equipment and the development life cycle of the computer
system. Labels: VP, VR, QPP, QP, QR, URS, FS, DS, Specification, Traceability
Matrix, System Build, Module Development, Application Development, Module
Testing, FAT, SAT, IQ, OQ, PQ, Testing / Qualification]

The aim of the qualification is to provide documented proof that the system was set
up according to the specifications and that all specified requirements have been
met. Qualification describes, executes and finally evaluates all the activities
necessary for this. Various standard functionalities of SIMATIC WinCC can be
used as support in qualification during IQ and OQ.

7.2 Planning qualification
Defining a life cycle for project development determines various test phases. The
basic qualification activities are then established at a very early stage in the project
and put into detailed specific terms during later specification phases.
The definitions laid down at the start of the project include

Responsibilities for planning, implementing and approving tests

Scope of testing in the individual test phases

Test environment (test structure, simulation)

Note
The amount of test work involved should reflect the results of the risk analysis and
the complexity of the components to be tested.
In parallel to completion of the system specification (FS, DS), the individual tests
are also planned in detail. This defines:

Test procedures for the individual tests

Test methods, for example structural (code review) and/or functional (black
box test)

7.3 Qualification of the system hardware


During the qualification phase, checks are run to establish whether the installed
components and entire system structure match the requirements of the Design
Specification. This includes details such as component name, firmware / product
version, installation location, server and clients used, interfaces to the automation
systems, etc.
Note
A visual inspection of the hardware can also be made.
Printouts and screenshots can be used as evidence during qualification (IQ/OQ).

Qualification of field devices


Field devices are specified and qualified with, for example, the following details:

Identification of vendor and type

Order number (MLFB)

Function / desired destination

Tag description / measuring range / unit

Connection type

Address number

Qualification of the automation hardware


Automation stations are specified and qualified with, for example, the following
details:

Identification of vendor and type

Order number (MLFB)

Number of racks

Verifying the hardware components used (CPU, CP, etc.)

Number of distributed I/O stations

Interfaces to third-party systems

Address description

Address number

Etc.

Note
The documentation is supported by print-outs of the HW config.
The switching cabinet documentation must also match this.


Qualification of the network structure


When qualifying the network structure, the following details, for example, are
specified and checked in the qualification:

Name of station, PC, AS, clients, etc.

Communications module, type of connection and communication partner
(Ethernet, PROFIBUS, serial etc.)

MAC address (when using the ISO protocol on the plant bus)

TCP/IP address and subnet mask (when using clients)

PROFIBUS addresses

Note
The SIMATIC NetPro configuration can be printed out.

Specification of the employed PC hardware


In the qualification of the PC hardware used, checks are necessary to ensure that
the requirements of the hardware design specification were implemented. The
so-called PC passport is useful for the qualification. All the installed hardware and
software components should be listed in the PC passport.
These include:

Order number of the employed PC hardware

Additionally installed hardware components (additional network adapters,
printers, etc.)

Check for the configured network addresses, monitor resolution, etc.

Note
The PC passport is normally created manually. Some PC manufacturers provide a
utility for automatic detection of the hardware information.
The PC passport can be printed and used to verify the qualification (IQ/OQ) of the
installed PC hardware. Visual inspection can be carried out at the same time.

7.4 Qualification of automation software

7.4.1 Software categorization according to GAMP Guide


According to the GAMP 4 Guide for Validation of Automated Systems, the software
components of a system can be assigned to five software categories. Below you
will find examples illustrating how this categorization relates to SIMATIC WinCC.

7.4.2 Qualification of standard software


When qualifying the standard software used, a check is run to establish whether
the installed software matches the requirements of the specification. These
include:

Operating system

SIMATIC WinCC system software

SIMATIC standard options (Audit, SIMATIC Logon, DataMonitor, UserArchive,
etc.)

SIMATIC WinCC premium add-ons (PM-CONTROL, PM-QUALITY)

Standard libraries

Note (operating system)


The installed software can be verified by operating system functions. The
information can be found in Control Panel > Add / Remove Programs. All
installed software components are displayed here. A screenshot can be printed
and used for the qualification (IQ/OQ).

Operating system
The installed software can be verified by operating system functions. The
information can be found under Control Panel > Install/Remove Programs. All
installed software components are displayed here.

SIMATIC Security Control


The settings required in the Windows operating system for the WinCC system
software can be retrieved from the SIMATIC Security Control application. The
current settings are displayed by selecting Start > Programs > SIMATIC >
Security Control > Accepted settings. Printed documentation is started using the
corresponding button (see also chapter 4.3 "Installation and configuration of
SIMATIC Security Control").

System programs of SIMATIC WinCC


In an environment in which GMP is mandatory, documentation listing the installed
software packages (operating system, SIMATIC products, and other applications)
with version and license should be created. Detailed documentation of the installed
SIMATIC software can be found under Programs > SIMATIC > Product notes >
Installed software.
Note
The installed components can be printed and used for the qualification (IQ/OQ).

Software licenses
The Automation License Manager program provides information on the installed
licenses on the WinCC computer. To view this information, open the Automation
License Manager and select the partition of the PC on which the licenses are
installed on the left in the Explorer bar. The available SIMATIC licenses of the
system are now shown on the right.

Note
The installed licenses must correspond to the requirements defined in the
specification.

7.4.3 Qualification of application software


For the qualification of application software, checks are necessary to ensure that
the requirements of the software design specification were implemented.
Descriptions of tests must be agreed on with the customer and generated. These
test descriptions must be coordinated individually to meet the software design
specifications.
As a minimum, the following must be checked and tested and can be used as a
reference for the qualification:

Check of the name of the application software

Check of the technological hierarchy (plant, plant section, technical equipment,
individual control element, etc.)

Software module test (typical test)

Check of the communication to other nodes (third-party controllers, MES
systems, etc.)

Check of all inputs and outputs

Check of all control modules (individual control level)

Check of all equipment phases and equipment operations (technical functions)

Check of the relationships between modes (MANUAL/AUTOMATIC
switchovers, interlocks, start, running, stopped, aborting, completed, etc.)

Check of the process tag names

Check of the visualization structure (P&I representation)

Check of the operating philosophy (access control, group rights, user rights)

Check of the archiving concepts (short-term archives, long-term archives)

Check of the message concept

Check of the trends

Check of the time synchronization

Note
If extra blocks are needed in addition to the WinCC standard libraries in order to
configure special processes or functions, the amount of validation work will
increase greatly.

7.5 Configuration control: Versioning and archiving projects
The concept for versioning and archiving WinCC projects is part of configuration
management. A detailed description of the type of versioning, how it will be
performed and how the version IDs will be assigned is required.
When the project status is versioned, archiving is also prepared at the same time.
The proposed methods each produce a compressed project file which is to be
saved on suitable media (e.g. network drive, burn to DVD) for archiving.
Versioning and archiving variants:
1. The SIMATIC Version Trail option for projects integrated in STEP 7
2. Software Project Versioning, part of WinCC Audit RC or WinCC
ChangeControl.
3. Manual versioning: Backup of WinCC project directory either using the Project
Duplicator or as a zipped file

SIMATIC Version Trail


Within the framework of Totally Integrated Automation (TIA), the WinCC HMI
system is integrated in the SIMATIC Manager. The WinCC project has been
integrated in the STEP 7 project. In this case, the SIMATIC Version Trail option is
used for versioning. SIMATIC Version Trail supports the archiving of projects and
assignment of a version ID (name and version number). The version ID is entered
in a dialog along with a suitable comment. A major version and minor version can
be distinguished.

SIMATIC Version Trail manages all actions such as creating, archiving, deleting
version statuses, etc. of a version project in the version history (Audit Trail). The
version history can be called up using the Options > Version History menu. All
actions relating to archiving projects and even deleting version statuses are also
logged here. The following diagram shows the version history of creating the
"Sample1" version project right up to archiving various version statuses.

When using SIMATIC Version Trail for continuous archiving, the version history
provides a good way of documenting various software statuses during the life cycle
of a computer system.
All software statuses along with archiving date and version are listed in
chronological order.
The version statuses are stored in zip files and can be easily archived and
retrieved.
More detailed information can be found in the "SIMATIC Step 7 GMP Engineering
manual: Guidelines for Implementing Automation Projects in the GMP
Environment".
Note
To ensure traceable versioning with a version history, we recommend using
SIMATIC Version Trail in integrated mode. More detailed information can be found
in the "SIMATIC Step 7 GMP Engineering manual: Guidelines for Implementing
Automation Projects in a GMP Environment".

WinCC Project Versioning


When not in integrated mode, we would recommend the WinCC Audit Project
Versioning option for versioning WinCC projects. The WinCC project must be
closed for versioning.
The WinCC Project Versioning application is opened via Start > Programs >
SIMATIC > WinCC Audit > Audit PV.
This application can be used to manage several WinCC projects.
A table-based list shows the versions created for the WinCC project selected on
the left in the tree structure. A new archive is created or an older project version
retrieved using the buttons positioned at the top. A wizard supports the
corresponding process. The project's archive data are stored in zip files that can be
easily archived in the long term.

Manual versioning
In this storage concept, it might be specified, for example, that the project is
backed up following a change. The project can be backed up using the WinCC
Project Duplicator tool. The Project Duplicator tool is opened with Start >
Programs > SIMATIC > WinCC > Tools. The Project Duplicator produces a direct
copy of the WinCC project using the path specified.
Alternatively the folder containing the WinCC project is zipped in Windows Explorer
to back up a project. When zipping, all data are reliably compressed.
Versioning can, for example, be included in the file name of the compressed file.
When compressing the WinCC project, it is important that the folder hierarchy is
retained so that the project can be read again later.

Note
The WinCC project must be closed before it is copied.
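
As an added illustration of the zip-based manual versioning described above (not code from this manual or from Siemens): the sketch below archives a closed project folder with the version in the file name, retains the folder hierarchy, and stores a SHA-256 list so that a backup status can be checked before it is restored. The manifest file name, the function names and the sample file names are assumptions.

```python
"""Versioned, verifiable zip backup of a closed project folder (added example)."""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"  # assumed name for the hash list, not a WinCC file


def archive_project(project_dir, out_dir, version):
    """Zip project_dir as <name>_v<version>.zip, retaining the folder hierarchy."""
    project_dir = Path(project_dir).resolve()
    archive = Path(out_dir).resolve() / f"{project_dir.name}_v{version}.zip"
    if project_dir in archive.parents:
        raise ValueError("store the archive outside the project folder")
    hashes = {}
    # Mode "x" fails if this version already exists: an archived version
    # status is a record and must never be overwritten.
    with zipfile.ZipFile(archive, "x", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(project_dir.rglob("*")):
            # Paths are stored relative to the parent folder, so the project
            # folder itself and every subfolder (even empty ones) are kept.
            rel = path.relative_to(project_dir.parent).as_posix()
            zf.write(path, rel)
            if path.is_file():
                hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
        zf.writestr(MANIFEST, json.dumps(hashes, indent=2, sort_keys=True))
    return archive


def verify_archive(archive):
    """Return deviations between archive content and its manifest ([] = intact)."""
    with zipfile.ZipFile(archive) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        if MANIFEST not in names:
            return [f"no {MANIFEST} in archive"]
        hashes = json.loads(zf.read(MANIFEST))
        problems = []
        for rel, expected in sorted(hashes.items()):
            if rel not in names:
                problems.append(f"missing: {rel}")
            elif hashlib.sha256(zf.read(rel)).hexdigest() != expected:
                problems.append(f"modified: {rel}")
        unlisted = names - set(hashes) - {MANIFEST}
        problems += [f"unlisted: {n}" for n in sorted(unlisted)]
    return problems


def file_sha256(path):
    """Digest of the whole archive, to be recorded outside the archive itself."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_project(archive, dest_dir):
    """Unzip into dest_dir only if every file still matches the manifest."""
    problems = verify_archive(archive)
    if problems:
        raise ValueError(f"archive failed verification: {problems}")
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest_dir, [n for n in zf.namelist() if n != MANIFEST])
    return Path(dest_dir)


def demo():
    """Run the cycle on a constructed project tree (file names are placeholders)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        proj = tmp / "work" / "Sample1"
        (proj / "GraCS").mkdir(parents=True)
        (proj / "Misc. Documents").mkdir()  # empty folder must survive
        (proj / "Sample1.mcp").write_bytes(b"constructed project file")
        (proj / "GraCS" / "Overview.pdl").write_bytes(b"constructed picture")
        backups = tmp / "backups"
        backups.mkdir()
        archive = archive_project(proj, backups, "1.0")
        intact = verify_archive(archive)
        restored = restore_project(archive, tmp / "restored")
        kept = (restored / "Sample1" / "Misc. Documents").is_dir()
        # Simulate a damaged copy: same manifest, one file changed.
        bad = backups / "damaged.zip"
        with zipfile.ZipFile(archive) as src, zipfile.ZipFile(bad, "w") as dst:
            for name in src.namelist():
                data = src.read(name)
                if name.endswith(".pdl"):
                    data = b"changed after archiving"
                dst.writestr(name, data)
        return {"name": archive.name, "intact": intact,
                "empty_folder_kept": kept, "damaged": verify_archive(bad),
                "digest": file_sha256(archive)}


if __name__ == "__main__":
    print(demo())
```

The manifest inside the zip detects corruption or accidental change; the value returned by `file_sha256` should be recorded with the version entry outside the archive, so that a replaced archive is detectable as well.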


Versioning / backing up data of WinCC options / WinCC premium add-ons


If WinCC options or WinCC premium add-ons such as PM-CONTROL /
PM-QUALITY are used in the WinCC project, the corresponding databases must also
be backed up. Before the data is backed up, a check must be made to make sure
that the databases of the add-ons were disconnected from the MS SQL Server
when the WinCC project was closed. If the databases were not disconnected
automatically, an error message is displayed when the data is backed up. The
databases can be disconnected either with the detachdb.exe application (in the
Programs/Siemens/PMCOMMON folder) or with the MS SQL Enterprise Manager.
During installation, WinCC options and WinCC premium add-ons automatically
store their data in a separate folder below the WinCC project. In this case, the data
are also backed up via the Project Duplicator, Version Trail and WinCC Audit
Project Versioning. If a user-defined storage path was specified during installation,
the data must be backed up separately.

7.6 Tracking configuration changes

Change control with WinCC Audit


Configuration changes in the WinCC project can be recorded using the WinCC
Audit Change Control option. When tracking, a distinction is made between
changes in the WinCC database and in the documents. The tracking of changes in
both areas can be activated separately.

WinCC Explorer activation covers tracking changes in the following areas:

WinCC Explorer

Project properties

Server properties: properties on the "Graphics Runtime" tab; with Document
Control (gracs.ini)

Client properties: properties on the "Graphics Runtime" tab; with Document
Control (gracs.ini)

Tag management apart from System parameters

Alarm logging

Tag logging: the most relevant changes to timers, archives and tag tables

Text library: for entries in German, English, French, Italian, Spanish

User administrator

Report Designer print jobs

User archives

Other editor programs whose configuration data are saved in the project's CS
database.


The diagram shows two tags which have been created as new (Insert EventType).
One of the tags was then renamed (Update EventType).
The Document Control area covers changes in the following areas:

C project functions (.fct), global and local C-actions (.pas)

VBS project functions (.bmo), global and local VBS actions

Report layouts (.rpl)

Graphics documents (.pdl)

Graphics runtime settings (Gracs.ini)

All valid user documents in the project folder Misc. Documents

Checked documents are write-protected and must be checked out by a WinCC
Audit user before changes are possible. When checking out, a comment must be
specified. The document can be opened using the WinCC Audit Editor directly in
the associated application.
When checking out a document, a copy is saved in the database so that it can be
recovered if need be (rollback). The document's history records all the users who
have checked the document in and out.

7.7 Backing up the operating system and SIMATIC WinCC


The operating system and the WinCC installation should be backed up as hard
disk images. Such images can be used to restore the original state of the PC with
little effort.

The required images

Create an image of the operating system installation with all drivers and all
settings relating to the network, user administration, etc. without SIMATIC
WinCC.

Create an image of the installed PCs with SIMATIC WinCC, WinCC options
and WinCC premium add-ons.

Create an image of the installed PCs with SIMATIC WinCC including all the
projects.

Procedure for creating an image


Several applications are available for creating an image, for example, SIMATIC
PC/PG Image & Partition Creator. Note in this regard that the image is written to a
free partition.
Note
The backups of the application software and the backup of the operating system
with and without SIMATIC WinCC should be stored on external media (for
example MOD, CD, DVD, network backup).

Note
An image can only be restored on a PC with identical hardware. For this reason,
the hardware configuration of the PC must be adequately documented.
Images of individual partitions cannot be exchanged between PCs because their
settings, such as registry settings, differ.

Systems productive mode

8.1 Operational Change Control


Changes on validated and operating systems must always be planned in
consultation with the plant user, documented and only run and tested once
approved.
The following chapters use examples to describe how to make changes to a
WinCC project:

1. Release of change specification by plant owner
2. Description of the software change (e.g. FS)
3. Back up of the actual WinCC project
4. Implementation of software change based on the new version
   WinCC Audit is used to record changes in the engineering and document
   check-in in an Audit Trail. The version statuses of the project software and
   documents are also managed.
5. Test of changes incl. documentation (e.g. FAT)
6. Back up of the changed software incl. versioning

Changes in the WinCC project should not generally be undertaken during
operation.
The effects of the changes to other parts of a WinCC application and the resulting
tests must be specified as the basis of a risk assessment and documented.

8.2 System recovery
The procedure described in this chapter should enable the end user to restore the
WinCC system after a disaster.
Disasters are taken to mean the following cases:

Damage to the operating system or installed programs

Damage to the system configuration data or configuration data

Loss or damage to runtime data

The system is restored using the saved data. The backed up data (medium) and all
the materials needed for the restoration (basic system, loading software,
documentation) must be saved at the defined point. There must be a Disaster
Recovery Plan which must be checked on a regular basis.

Restoring the operating system and installed software


The operating system and installed software are restored by loading the
corresponding images (see chapter 7.7 "Backing up the operating system and
SIMATIC WinCC"). The instructions provided by the relevant tool manufacturer
should be noted.
An image can only be restored on a PC with identical hardware. If a PC with an
identical configuration is not available, the installation has to be run again from
scratch. The documentation that contains descriptions of the installed software and
the updates, upgrades and hot fixes also installed, can be used to qualify the
software. The installation sequence described in chapter 4 "System installation"
should be observed.

Restoring the application software


The process for restoring the application software depends on the kind of backup.

Retrieving data using the Version Trail software


Version Trail lists all backup statuses with major and minor version and time
stamp. To retrieve the data, the corresponding backup status is selected and
the action started using the De-archive button.

Retrieving data using the WinCC Audit Project Versioning software


The WinCC Audit Versioning software also lists the backup statuses created
along with version ID and time stamp. To retrieve the data, the corresponding
backup status is selected and the action started using the Restore Wizard
button.

Retrieving data from a manually created backup status


Application software that has been copied using the WinCC Project Duplicator
tool can be copied back using the same tool.
A manually compressed backup status is copied from the external medium
(network drive or CD/DVD) into the local project folder and unzipped.

If a CAS (Central Archive Server) is being used in the system configuration, a
separate engineering station (ES) must be set up for the CAS engineering,
WinCC server and connected clients. In this case, the application software can
be restored on the WinCC server by loading the server data from the ES to the
WinCC server using Load destination system.

Restoring the runtime data


Runtime data such as Alarm Logging data and Tag Logging data that has not been
backed up using a backup configuration are lost in the event of a hard disk
disaster.
To display lost data in WinCC Runtime, corresponding backup statuses ending
with mdf and ldf are copied back onto the local computer and linked to the WinCC
project in Tag Logging and/or Alarm Logging. The corresponding editor is opened
in Windows Explorer for this purpose and the corresponding databases linked
using Connect archive.

When using a CAS, the data do not have to be copied back. The data are
displayed directly in the OCX Alarm Control or Trend Control / Table Control by
selecting the lost time period.

Restoring a WinCC server in a redundant system


In the event of a hard disk disaster in a redundant WinCC system, the runtime data
are not yet available on the partner computer. Once the operating system, the
software needed and the application software have been restored, the WinCC
project is started. The runtime databases are automatically put through a
redundant calibration by the system.


Restoring the long-term archive data on the CAS


To prevent data being lost as a result of hard disk defects, RAID systems that keep
the current data status available for further use should be used in the first place.
Regular checks of the operating system's event log and a RAID controller of
sufficient performance are also required for this.
Restoration to a new hard disk by reinstalling StoragePlus is also possible if the
StoragePlus configuration data is currently available.
Data not yet transferred from StoragePlus (archive) are not lost. At least this
applies to the part which comes from the WinCC servers because depending on
how the times overlap they usually still exist on the WinCC servers as part of the
short-term archive that has not been overwritten.

System software updates and migration

9.1 Updates, service packs and hot fixes


Updates to the system software of a validated system in operation must be agreed
on with the operator. Such an update is a system change that must be planned
and processed in accordance with the valid change procedure. Similar to
the description in chapter 8.1 "Operational Change Control", this roughly means
the following steps:

Description of the planned change

Impact on functions / system parts / documentation,
taking into account the system description of the new and changed
functions in the Readme file / Release Notes

Evaluation of risks

Definition of the tests to be run in order to retain the validated status on the
basis of the risk assessment

Approval / refusal for the change (according to defined responsibilities)

Update of the technical documentation

Implementation of change in accordance with manufacturer's details (once
the system has also been approved for this)

Documentation of the actions undertaken

Qualification: Running and documenting the tests needed

The following may, for example, be of relevance when considering possible
influences:

Process pictures / objects / alarm system and process value archiving in
function and illustration

Ports

Impacts when loading

Performance of the system

Documentation (specification)

New qualification tests and/or those to be repeated

Note
The SIMATIC Customer Support at http://support.automation.siemens.com
provides support for software updating and project migration.

9.2 Migration of the application software


The WinCC system software is upgraded with a migration, in other words, its range
of functions is expanded or improved.
When there is a version change (for example from version 5.x to version 6) or a
software update of the WinCC system software, it may be necessary to migrate or
convert data created with the older version.

Note
The situations in which migration or conversion of the project data becomes
necessary are described in the WinCC Information System of the new version in
the section Upgrading WinCC > Notes on Migration of Projects.

The Project Migrator is available for migration. The project data is migrated offline;
the WinCC system software must be completely closed down. Follow the
instructions of the Project Migrator. If adaptation of the project is necessary, this
requires validation.
The validation effort is specified in consultation with the plant user. Possible test
points are the new functions available in WinCC and the correct installation of the
software components required for migration.
Note
The migration procedure is described in detail in the WinCC Information System in
the section "Migration".

Note
A WinCC project that has been opened once using WinCC V6.2 cannot be edited
or run again with version 6.0.

10 Additional hardware/software components

10.1 Uninterruptible power supply


An uninterruptible power supply (UPS) is a system for buffering the line voltage. If
the power supply from the line fails, the battery of the UPS takes over the power
supply. When the power supply from the line resumes, the power supply from the
UPS battery ceases and the battery begins to recharge. Some UPS systems offer
monitoring of the line voltage in addition to buffering the power supply from the line.
This guarantees output voltage at all times without interference voltage.
UPS systems are necessary so that process and Audit Trail data can continue to
be recorded during power failures. The system operator needs to be consulted in
regard to the design of the UPS, which should be specified in the URS, FS, or DS.
The following points must be considered in this regard:

Power consumption of the system to be supplied

Capacity of the UPS

Desired duration of the UPS buffering

The power consumption of the system to be buffered determines the size of the
UPS. Another criterion for the selection is the priority of the systems.
Systems with high priority are:

Automation system (AS)

Network components

Archive server

WinCC server

WinCC clients

Field devices, which usually have relatively high power consumption, can be
included in the buffering, depending on the performance capacity of the UPS. This
should be based on the process category and selected in consultation with the
system operator.
In any case, it is important to include the systems for reporting the data in the
buffering. The time of the power failure should also be included in the reporting.
The use of UPS systems is a factor in the software installation. It needs to be
installed and configured on the PC-based computer of the visualization system.

Configuration of the alarming for power failure

Specification of the time period for shutting down the PC

Specification of the duration of the UPS buffering

The automation systems (PLC) should be programmed in a way that allows the
process control system to be brought to a safe state with a specified buffer time in
the event of power failure.
Due to varying requirements of individual devices, three classes have been
established for the UPS context. These have been specified by the International
Engineering Consortium (IEC) under the product standard IEC 62040-3 and by the
European Union under EN 50091-3:

Standby or offline UPS

The simplest and least expensive UPS systems (according to IEC 62040-3.2.20 of
UPS class 3) are standby or offline UPS systems. They only protect against power
failure and transient voltage fluctuations and peaks. They do not compensate for
undervoltage or overvoltage. Offline UPS systems automatically switch to battery
mode when undervoltage or overvoltage occurs.

Network-interactive UPS

Network-interactive UPS systems (according to IEC 62040-3.2.18 of class 2)
operate in a similar way to standby UPS systems. They protect against power
failure and transient voltage peaks, and can continually compensate for voltage
fluctuations using filters.

Online UPS

Double conversion or online UPS systems (according to IEC 62040-3.2.16 of
class 1) are considered real power generators that continuously generate their
own line voltage. This means connected consumers are continuously supplied with
line voltage without restrictions. The battery is charged at the same time.

10.1.1 Configuration of uninterruptible power supplies


The configuration of uninterruptible power supplies (UPS) differs from case to case
and must be described in the URS, DS or FS.
The two screenshots below are examples of the configuration of a UPS in
Windows 2000/2003/XP.

The following table describes an example of configuring an uninterruptible power
supply for an operator station in a process control system. The situation with
automation systems (AS) is analogous.

Case | Action | Reaction

Power failure < 10 seconds
    The WinCC computers are buffered by the UPS. An alarm using a digital
    input in WinCC documents the power failure.

Power failure > 20 minutes, power returns after 25 minutes
    The WinCC computers are buffered by the UPS, for example for 20 minutes.
    An alarm in the PCS documents the power outage and the shutdown of the
    WinCC computers after 20 minutes. The UPS stops supplying power after a
    defined time (for example 25 minutes) so that an independent restart of
    the WinCC computers is possible once power has been restored.

Power failure > 1 hour
    The WinCC computers are buffered by the UPS, for example for 20 minutes.
    An alarm in the PCS documents the power outage and the shutdown of the
    WinCC computers after 20 minutes. The UPS stops supplying power after a
    defined time so that an independent restart of the WinCC computers is
    possible when power returns.
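
The three cases in the table can be checked against a small Python model. This is an added example, not part of the Siemens manual or of WinCC. The names UpsPolicy and outage_timeline, the 3-minute PC shutdown time and the rule that a restart waits for the UPS cutoff are assumptions; the 20-minute and 25-minute values are the ones used in the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Record = Tuple[datetime, str]


@dataclass(frozen=True)
class UpsPolicy:
    buffer_time: timedelta = timedelta(minutes=20)       # from the table example
    ups_off_after: timedelta = timedelta(minutes=25)     # from the table example
    pc_shutdown_time: timedelta = timedelta(minutes=3)   # constructed value

    def __post_init__(self) -> None:
        # The PC must finish shutting down before the UPS cuts its output,
        # otherwise the shutdown degrades into a hard power-off.
        if self.buffer_time + self.pc_shutdown_time > self.ups_off_after:
            raise ValueError("UPS switches off before the PC shutdown completes")


def outage_timeline(failed_at: datetime,
                    restored_at: Optional[datetime],
                    policy: UpsPolicy = UpsPolicy()) -> List[Record]:
    """Time-ordered message records for one outage (restored_at=None: still out)."""
    if restored_at is not None and restored_at < failed_at:
        raise ValueError("power cannot return before it failed")
    log: List[Record] = [(failed_at, "ALARM power failure (digital input)")]
    shutdown_at = failed_at + policy.buffer_time
    ups_off_at = failed_at + policy.ups_off_after

    if restored_at is not None and restored_at < shutdown_at:
        # Short outage: the UPS bridges it, only failure and return are archived.
        log.append((restored_at, "power restored, computers stayed on UPS"))
        return log

    log.append((shutdown_at, "ALARM shutdown of WinCC computers"))
    log.append((ups_off_at, "UPS output switched off"))
    if restored_at is not None:
        log.append((restored_at, "power restored"))
        # Assumption of this model: the cutoff timer always runs to its end,
        # so a restart never happens before the UPS has dropped its output.
        log.append((max(restored_at, ups_off_at), "WinCC computers restart"))
    return sorted(log, key=lambda record: record[0])  # stable for equal stamps
```

The model also covers a case the table leaves open: power returning after the shutdown has started but before the UPS cutoff, where the restart is held until the cutoff time.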

10.1.2 UPS configuration over digital inputs


In addition to the standard buffering provided by UPS devices, the option of
monitoring the power supplies should be used. In this strategy, the phase is
monitored over one or more digital inputs. The advantage of this is that power
outages can be registered, signaled and archived.

UPS 24 V buffering (load voltage)


The automation system CPU is supplied with power by the UPS 24 V module both
during voltage fluctuations and during longer power outages. The phase monitoring
module monitors the status change during a power failure using a digital input that
should be designed as a failsafe input signal. If there is a power outage, an alarm
can be generated to inform the operator of the power outage (alarm message). By
logging the outage in the message system, the power failure can be investigated
later. Safe states can also be implemented based on power outage concepts that
take effect immediately or after a certain time has elapsed (for example, hold
equipment phases, establish a safe plant status even after the return of the power,
etc.).

UPS 110 V / 220 V buffering (line voltage)


In addition to the phase monitoring, the WinCC server is buffered by standard 110
V/220 V UPS modules. This ensures that the server remains in operation even
after a power outage.
The operator is informed of the power outage by the UPS buffering, for example
with alarm messages. Safe states can be initiated by the operator or by computer
concepts.
The safe shutdown of the WinCC server can be signaled by WinCC alarm
messages and put into effect if the power does not return within a specified time.
This functionality increases the availability of the system on the return of the power.

Note
Siemens provides SITOP UPS for an uninterruptible power supply. A description
of the quality requirement of the UPS can be found in entry ID 17241008. See
also http://support.automation.siemens.com/.
