Siemens SINAMICS Configuration Manual

Industrial security, medium-voltage converter

Medium-voltage converter
SINAMICS
Industrial Security
Configuration Manual
08/2017
A5E36912609A

1 Introduction
2 Safety instructions
3 Industrial Security
4 General security measures
5 Security measures for SINAMICS
A Communication
B Service & Support
C References

Summary of Contents for Siemens SINAMICS

  • Page 1 Medium-voltage converter SINAMICS Industrial Security Configuration Manual 08/2017 A5E36912609A. Chapters: Introduction, Safety instructions, Industrial Security, General security measures, Security measures for SINAMICS, Communication, Service & Support, References...
  • Page 2 Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
  • Page 3: Table Of Contents

    4.3.1 System hardening (Page 26)
    4.3.1.1 Reduction of attack points (Page 26)
    4.3.1.2 Virus scanner (Page 28)
    4.3.2 Whitelisting (Page 29)
    4.3.3 Patch management (Page 29)
    Security measures for SINAMICS (Page 31)
    Network security (Page 31)
    Write protection and know-how protection (Page 31)
    5.2.1 Write protection (Page 32)
    5.2.2 Know-how protection (Page 34)
    5.2.2.1 Overview (Page 34)
    5.2.2.2 Features of know-how protection (Page 35)
    5.2.2.3...
  • Page 4

    5.6.10 Messages and parameters (Page 77)
    Information about individual interfaces (Page 77)
    SINAMICS Startdrive and Starter (Page 79)
    5.8.1 SINAMICS Startdrive (Page 79)
    5.8.2 SINAMICS STARTER (Page 79)
    SINAMICS Drive Control Chart (DCC) (Page 80)
    5.9.1 Use write and know-how protection (Page 82)
    Communication (Page 83)
    Communication (Page 83)
    A.1.1 Communication according to PROFIdrive (Page 83)
    A.1.1.1 PROFIdrive application classes (Page 85)
    A.1.1.2...
  • Page 5

    Configuring and commissioning (Page 207)
    A.1.6.4 Example (Page 211)
    A.1.6.5 Communication failure when booting or in cyclic operation (Page 214)
    A.1.6.6 Examples: Transmission times for SINAMICS Link (Page 214)
    A.1.6.7 Function diagrams and parameters (Page 214)
    A.1.7 Communication services and used port numbers (Page 215)
    A.1.8 Time synchronization between the control and converter (Page 218)
    A.1.8.1...
  • Page 6 Table of contents Industrial Security Configuration Manual, 08/2017, A5E36912609A...
  • Page 7: Introduction

    The following knowledge is a prerequisite for implementing the described security concepts: ● Administration of the IT technologies familiar from the office environment ● Configuration of the SINAMICS products used ● Configuration of the products of third-party manufacturers used Industrial Security...
  • Page 9: Safety Instructions

    Safety instructions WARNING Incorrect or changed parameterization As a result of incorrect or changed parameterization, machines can malfunction, which in turn can lead to injuries or death. ● Protect the parameterization (parameter assignments) against unauthorized access. ● Respond to possible malfunctions by applying suitable measures (e.g. EMERGENCY STOP or EMERGENCY OFF).
  • Page 10: Note On Safety Integrated

    2.1 Note on Safety Integrated Note on Safety Integrated To actually reduce the risk for machines and plants through the use of Safety Integrated functions, working with Safety Integrated functions requires special care for all SINAMICS devices that have it. DANGER...
  • Page 11: Industrial Security

    In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks.
  • Page 12: Why Is Industrial Security So Important

    Industrial Security 3.3 Why is Industrial Security so important? Objectives of industrial security The objectives of industrial security encompass: ● Fault-free operation and guaranteeing of availability of industrial plants and production processes ● Preventing hazards to people and production ● Protection of industrial communication from espionage and manipulation ●...
  • Page 13 Possible security holes or weak points The security chain of a company is only as strong as its weakest link. Security holes can exist at numerous points. The following list gives only a few examples: ●...
  • Page 14: Security Measures In Automation And Drive Technology

    3.3.1 Security measures in automation and drive technology Siemens automation and drive technology concerns itself with security aspects at the following levels: ● Application security Refers to products and functions that take into consideration the needs of Industrial Security in the field of automation.
  • Page 15 Siemens Industrial Holistic Security Concept™ Siemens places great emphasis on protecting the integrity and guaranteeing the confidentiality of the processed data for its own products. Intellectual property and know-how of the Siemens products are also in focus. To achieve this, the Siemens Industrial Holistic Security Concept (SI HSC) is applied which protects development departments and production plants.
  • Page 16: Security Management

    Industrial Security 3.4 Security management considered with regard to security so that Siemens already applies the same security standards when purchasing as for the manufacture of its own products. Figure 3-1 SI HSC security management process Standards and regulations Siemens complies with the valid standards and regulations in the industrial security area throughout the entire development process: ●...
  • Page 17 3. Introduce coordinated technical measures. You can find a list of general measures that help to protect your plant against threats in Section General security measures (Page 19). You can find measures recommended for SINAMICS environments in chapter Security measures for SINAMICS (Page 31).
  • Page 19: General Security Measures

    The following section shows the general security measures you can take in order to protect your system from threats. All of the measures are recommended. Additional specific security measures for SINAMICS products can be found in chapter Security measures for SINAMICS (Page 31).
  • Page 20: Plant Security

    General security measures 4.1 Plant security ● Plant security Plant security represents the outermost protective ring. Plant security includes comprehensive physical security measures, e.g. entry checks, which should be closely coordinated with protective measures for IT security. ● Network security The measures, grouped under the keyword "Network security", form the core of the protective measures.
  • Page 21: Network Security

    ● Guidelines that prevent the use of third-party data storage media, e.g. USB flash drives, and IT devices, e.g. notebooks, classified as insecure in systems. Further information Further information on integrated Siemens security solutions can be found on the Siveillance page (http://www.buildingtechnologies.siemens.com/bt/global/en/security-solution/Pages/security-solution.aspx).
  • Page 22: Network Segmentation With Scalance S

    See also Reduction of attack points (Page 26) 4.2.1.2 Network segmentation with SCALANCE S Siemens provides SCALANCE S security modules to meet network protection and network segmentation requirements. Further information on SIEMENS SCALANCE S can be found on the Internet (http://w3.siemens.com/mcms/industrial-communication/en/ie/industrial-ethernet-security/scalance-s/Pages/default.aspx).
  • Page 23 General security measures 4.2 Network security Requirement NOTICE Data misuse Long distances between the device to be protected and the upstream security modules represent an invitation for data misuse. ● Note that upstream security modules, such as SCALANCE S, must be installed close to the device to be protected in a locked control cabinet.
  • Page 24 Principle of cell segmentation The following application example shows cell segmentation by several SCALANCE S modules, each of which is upstream of the automation cells. The firewall of SCALANCE S filters and controls the data traffic from and to the devices within the automation cells. If required, the traffic between the cells can be encrypted and authenticated.
  • Page 25 Figure 4-2 SCALANCE S application example
  • Page 26: System Integrity

    FTP, remote maintenance, etc. A description of all of the ports used can be found in chapter "Security Measures for SINAMICS (Page 31)" or in the operating instructions and Function Manuals of the respective products.
  • Page 27 General security measures 4.3 System integrity ● If possible, the PC should not be used for other tasks, e.g. in the office network. This is used for separating the networks, which was dealt with in chapter "Separation of the production and office networks (Page 21)". ●...
  • Page 28: Virus Scanner

    Assigning secure passwords Observe the following rules when assigning new passwords: ● Never assign passwords that can be easily guessed, e.g. simple words, simple key combinations on the keyboard, etc. ● Passwords must comprise at least eight characters. ●...
  • Page 29: Whitelisting

    WSUS automatically downloads update packages (Microsoft update) from the Internet and offers them to the Windows clients for installation. The fully automatic update process ensures that Microsoft security updates are always available on Siemens clients. NOTICE Security gaps for out-of-date operating systems Note that security updates, hotfixes, etc.
  • Page 30 Note Before installing Microsoft Updates, note the following important points: ● Before installing the update, carefully check whether the current update is really compatible with your system. You are responsible for the installation of the update! ●...
  • Page 31: Security Measures For Sinamics

    Detailed descriptions and procedures can be found in the corresponding SINAMICS documentation. Network security SINAMICS must only be used in a secure and trustworthy network with a firewall. Note the information in chapter "Network segmentation (Page 21)". Write protection and know-how protection The "write protection"...
  • Page 32: Write Protection

    Security measures for SINAMICS 5.2 Write protection and know-how protection 5.2.1 Write protection The write protection prevents unauthorized changing of the drive unit settings. If you are working with a commissioning tool, such as STARTER, then write protection is only effective online.
  • Page 33 3. Call the shortcut menu "Write protection drive unit > Activate". Figure 5-1 Activating write protection Active write protection can be identified as in the expert list the input fields of adjustable parameters p …...
  • Page 34: Know-How Protection

    Exceptions to write protection Some functions are free from write protection, such as: ● Deactivating/activating the write protection ● Changing the access level (p0003) ● Saving parameters (p0971) ● Safe removal of the memory card (p9400) ●...
  • Page 35: Features Of Know-How Protection

    Figure 5-2 Setting options for know-how protection Know-how protection with copy protection is only possible with a Siemens memory card. Know-how protection without copy protection The drive unit is only operable with a memory card. You can transfer drive unit settings to other drive units using a memory card, an operator panel, or STARTER.
  • Page 36 After setting up and activating the know-how protection, for encrypted data backup on the memory card, previously backed up, non-encrypted data of the SINAMICS software will be deleted. This is standard deletion procedure, in which only the entries on the memory card are deleted.
  • Page 37: Configuring Know-How Protection

    Functions inhibited by know-how protection Active know-how protection inhibits the following functions: ● Drive unit settings download with STARTER ● Automatic controller optimization ● Stationary or rotating measurement of the motor data identification ●...
  • Page 38 In the factory setting, the exception list only includes the password for know-how protection. You do not need to change the exception list, if, with exception of the password, you do not require additional adjustable parameters in the exception list.
  • Page 39 Activate know-how protection Requirements Before activating know-how protection, the following conditions must be met: ● The drive unit has been fully commissioned. ● You have generated the exception list for know-how protection (see Configuring know-how protection (Page 37)).
  • Page 40 6. Click "Specify". The "Know-how Protection for Drive Unit - Specify Password" dialog box opens. Figure 5-4 Setting the password 7. Enter your password. Length of the password: 1 … 30 characters.
  • Page 41 In order to guarantee know-how protection, after activating know-how protection, we recommend that you insert a new, empty memory card. For memory cards that have already been written to, previously backed up data that was not encrypted can be reconstructed.
  • Page 42 5. Select the required option: – "Temporarily" deactivating: Know-how protection is active again after switching off and switching on. – "Permanently" deactivating: Know-how protection remains deactivated even after switching off and switching on again.
  • Page 43: Loading Know-How Protected Data To The File System

    The activated know-how protection ensures that the data cannot be forwarded to unauthorized third parties. The following applications are conceivable at the end user: ● Adaptations of encrypted SINAMICS data are required. ● The memory card is defective. ● The Control Unit of the drive is defective.
  • Page 44 5. The end user copies the "User" directory to the new memory card and inserts it into the new Control Unit. 6. The end user switches on the drive. When powering up, the Control Unit checks the new serial numbers and deletes the values p7759 and p7769 if they match.
  • Page 45 Specifying the general memory data The "General" tab is displayed automatically when the dialog is called. The "Save normally" option is activated by default. 1. If you want to save the data in compressed form, click the "Save compressed (.zip archive)"...
  • Page 46 Configuring know-how protection Make the settings for the know-how protection on the "Drive unit know-how protection" tab. 1. Click the "Drive unit know-how protection" tab. Figure 5-8 Load to file system know-how protection By default, the "Without know-how protection"...
  • Page 47: Overview Of Important Parameters

    Figure 5-9 Activating load to file system know-how protection The active input fields are mandatory inputs. 3. Enter the required password in the "New password" field and enter it again in the "Confirm password"...
  • Page 48: Parameters: Access Levels + Password

    Memory card serial number Parameters: Access levels + password The SINAMICS parameters are divided into access levels 0 to 4. With the aid of the access levels, you can specify which parameters can be modified by which user or input/output device.
  • Page 49: Communication Services And Used Port Numbers

    Communication services and used port numbers SINAMICS converters support the communication protocols listed in the following table. The address parameters, the relevant communication layer, as well as the communication role and the communication direction are decisive for each protocol. You require this information to match the security measures for the protection of the automation system to the used protocols (e.g.
  • Page 50 Security measures for SINAMICS 5.5 Communication services and used port numbers Report Port number (2) Link layer Function Description (4) Transport layer Not relevant (2) Ethernet II and PROFINET me‐ MRP enables the control IEEE 802.1Q and dium redundan‐ of redundant routes Media Redun‐...
  • Page 51 Report Port number (2) Link layer Function Description (4) Transport layer ISO on TCP (4) TCP ISO-on-TCP ISO on TCP (according protocol to RFC 1006) is used for (according to...
  • Page 52: Web Server

    Modbus TCP. Web server The web server provides information on a SINAMICS device via its web pages. The web server accesses the device via an Internet browser. The information on the web pages is shown in German or English. You can choose the language for the following information: ●...
  • Page 53: Requirements And Addressing

    IP addresses. As delivered, the integrated Ethernet interface has IP address 169.254.11.22. Supported Internet browsers In the current version, the SINAMICS web server supports large displays such as on usual PC screens.
  • Page 54: Configuring The Web Server

    Access to the web server is possible with the following Internet browsers: ● Microsoft Internet Explorer 8 – Only on Windows XP Professional SP3 32 bit – Only functions already available in SINAMICS Runtime V4.7 (excluding file and folder handling) – No longer any support in future SINAMICS firmware versions ●...
  • Page 55 Security measures for SINAMICS 5.6 Web server Default settings of the web server The web server is activated by default in the configuration. Figure 5-10 Configuring the web server with default settings Deactivating the web server 1. Deselect the "Activate the Web server" checkbox.
  • Page 56: Assigning A Password

    The configuration dialog in STARTER for the web server is open. The web server is activated by the checkbox "Activate the Web server". Enabling users The "SINAMICS" and "Administrator" users can be enabled with their specific rights. You can also specify whether password protection should be active for the "SINAMICS" user. Default settings: ●...
  • Page 57 To enable a user and activate a password, proceed as follows: 1. Click the checkbox of the user you want to enable (e.g. enable "Enable user "SINAMICS" ① (restricted rights)" user, etc.) ②...
  • Page 58 At the same time, the two entries in the input dialog are cleared. In this case, you must enter the password into both input fields again. Password forgotten? If you have forgotten your password, you can no longer access your SINAMICS data or SINAMICS functions via the web server. To assign a new password, proceed as follows: 1.
  • Page 59: Access Protection And Rights

    For security reasons, as the "Administrator" user, you should never assign the "SINAMICS" user with the "write" and "change list" rights at the same time. Otherwise, the "SINAMICS" user would be able to change any chosen parameter at access levels 1 - 3.
  • Page 60 Password assignment By default, password protection is regulated as follows: ● "SINAMICS" user: No password protection We recommend that you assign a password. The password must consist of 8 characters or more. ● "Administrator" user: Password protection. A password is not pre-set.
  • Page 61: Access Protection For Parameter Lists In The Web Server

    You can change the rights of individual parameter lists based on the default settings shown in the table. ● The "SINAMICS" and "Administrator" users can reduce their own rights. ● The "Administrator" user can reduce the rights of "SINAMICS" users or expand them up to their own level. Note For security reasons, as the "Administrator"...
  • Page 62: Starting The Web Server

    The "Access rights" dialog box opens with the access settings of the parameter list. Figure 5-12 Access rights The default access rights for "SINAMICS" and "Administrator" users are visible. The checkbox is selected for the activated access rights. 6. Activate or deactivate the relevant access rights by clicking the corresponding checkbox.
  • Page 63 1. Enter the IP address of the SINAMICS drive in the address line of the Internet browser. The default setting for the Ethernet interface X127 is 169.254.11.22. 2. Confirm with <Return>. The start page of the web server then opens. The most important data of your drive is displayed.
  • Page 64: Displaying Device Information

    5.6.5 Displaying device information Click the "Device Info" entry from the navigation. The most important device information is then shown in the display area. Figure 5-14 Example: Device Info display area You can sort the table displayed using the arrows in the column headers.
  • Page 65: Displaying Diagnostic Functions

    5.6.6 Displaying diagnostic functions 5.6.6.1 Status and operating display of the drive object 1. Click the "Diagnostics" entry from the navigation. 2. Click the "Service overview" tab. All drive objects of the drive are listed.
  • Page 66: Loading A Multiple Trace

    5.6.6.2 Loading a multiple trace All trace files created by a multiple trace can be loaded to the web client (PC). The files must be located in the memory card under "USER/SINAMICS/DATA/TRACE". Note Activation and parameterization of the multiple trace...
  • Page 67: Displaying Messages

    5.6.7 Displaying messages 5.6.7.1 Displaying the diagnostic buffer The diagnostic buffer can be used to log important operating events as a logbook. The diagnostic buffer is stored in non-volatile memory. The logged data can be read for subsequent analysis of an operating fault.
  • Page 68: Displaying Faults And Alarms

    5.6.7.2 Displaying faults and alarms Pending alarms and faults from the drive are displayed. You can acknowledge the faults that have not yet been acknowledged. 1. Click the "Messages and Logs" entry from the navigation.
  • Page 69 An existing write and know-how protection also applies without restrictions for parameter access via the web server. Note You can find detailed information in the chapter "Parameters for write protection and know-how protection" of the converter List Manual: ●...
  • Page 70: Deleting A Parameter List

    9. Save the parameter list on the memory card of the drive under the directory "OEM/SINAMICS/HMI/PARLISTS". To do this, click the "Save list" button to create a new tab for the new parameter list. The name of the parameter list appears in the tab.
  • Page 71 Deleting a parameter list 1. From the "List name" drop-down list, select the parameter list you wish to delete. Figure 5-20 Example: Deleting a parameter list 2. Then click the "Delete list" button to delete the displayed parameter list.
  • Page 72: Displaying And Changing Drive Parameters

    5.6.8.3 Displaying and changing drive parameters ● Each parameter list created is displayed as a separate tab in the "Parameter" display area. ● The list of parameters displayed is updated regularly. If an update is not possible, the corresponding parameters are marked red.
  • Page 73: Certificates For The Secure Data Transfer

    The "Transport Layer Security" (TLS) protocol enables encrypted data transfer between a client and the SINAMICS drive. TLS is the basis for https access of the browser to the drive. "Transport Layer Security" (TLS), more widely known under the predecessor designation "Secure Sockets Layer"...
  • Page 74 SINAMICS drive reached during the HTTPS access. Note Encrypted access to the SINAMICS drive is only possible using the name or IP address of the interface specified when the key was created. The certificates are handled as follows:...
  • Page 75: Using The Standard Configuration Of The Certificate

    2. Import the server certificate in your standard browser. Instructions for importing the certificate can be found in your browser's help options. – Alternatively, you can import the root certificate via the path "OEM/SINAMICS/HMICFG/CERT/ITDIAGROOTCA.CRT" instead of the server certificate.
  • Page 76: Generating Your Own Certificates

    (e.g. ITDiagRootCA.key) to the memory card. 5. Make a backup copy of your certificate and rename the copy, e.g. as "SINAMICS.crt". 6. Import the renamed server certificate to the browser on your PC. Instructions for importing the certificate can be found in your browser's help options.
  • Page 77: Messages And Parameters

    Security measures for SINAMICS 5.7 Information about individual interfaces 3. Import the renamed server certificate to the browser on your PC. Instructions for importing the certificate can be found in your browser's help options. 4. Open an HTTPS web server connection to your drive in the browser.
  • Page 78 ● Keep a port open for local service access. Notify the operator of any deviating access data. Deviating access data can also be managed by the operator. ● Reduce LAN interfaces which are networked outside of the SINAMICS MV cabinets to a minimum. Configure an appropriate switch corresponding to the SECURITY requirements of the operator.
  • Page 79: Sinamics Startdrive And Starter

    SINAMICS Startdrive Startdrive in the TIA Portal SINAMICS Startdrive is an option package in the TIA Portal with which SINAMICS drives are commissioned. With regard to Industrial Security, the specifications for SINAMICS drives and for the TIA Portal must be taken into account.
  • Page 80: Sinamics Drive Control Chart (Dcc)

    As for DCC charts, scripts can also be protected via know-how protection. SINAMICS Drive Control Chart (DCC) SINAMICS DCC offers a modular, scalable technology option, which has chiefly been developed for drive-related, continuous open-loop and closed-loop control engineering tasks. Industrial Security...
  • Page 81 Security measures for SINAMICS 5.9 SINAMICS Drive Control Chart (DCC) With the DCC Editor based on CFC, technology functions with DCC for SINAMICS drives can be configured graphically. The following figure illustrates the data flow of the configuration data when configuring with SINAMICS DCC. The figure also shows the options for protecting the...
  • Page 82: Use Write And Know-How Protection

    Windows tools against unauthorized access using secure passwords. Note the information on SINAMICS and on the engineering systems Also note the Industrial Security information for SINAMICS drives and engineering systems with which SINAMICS drives are commissioned. Particularly the information on network security is important.
  • Page 83: A.1 Communication

    Communication Communication A.1.1 Communication according to PROFIdrive PROFIdrive is the PROFIBUS and PROFINET profile for drive technology with a wide range of applications in production and process automation systems. PROFIdrive is independent of the bus system used (PROFIBUS, PROFINET). Note PROFIdrive for drive technology is standardized and described in the following document: ●...
  • Page 84 Communication A.1 Communication Properties of the Controller, Supervisor and drive units Table A-2 Properties of the Controller, Supervisor and drive units Properties Controller Supervisor Drive unit As bus node Active Passive Send messages Permitted without external re‐ Only possible on request by the quest Controller Receive messages...
  • Page 85: A.1.1.1 Profidrive Application Classes

    Free telegram Isochronous mode Drive object types Can be used for PROFINET IO, PROFIBUS DP, PROFINET IO, PROFIBUS DP, SINAMICS Link, PN Gate, Ether‐ CANopen, SINAMICS Link, net/IP PN Gate, Ethernet/IP Cyclic operation PROFIsafe Note For additional information on the IF1 and IF2 interfaces, see chapter "Parallel operation of communication interfaces (Page 90)"...
  • Page 86: A.1.1.2 Cyclic Communication

    A.1.1.2 Cyclic communication Cyclic communication is used to exchange time-critical process data (e.g. setpoints and actual values). Telegrams and process data The process data (PZD) that is to be transferred is defined through the configuration of the drive unit (Control Unit).
  • Page 87 The drive-internal process data links are set up automatically in the STARTER in accordance with the telegram number setting. The converter List Manual contains the manufacturer-specific telegrams (SIEMENS telegrams) in the following function diagrams: – 2419 PROFIdrive - Manufacturer-specific telegrams and process data 1 –...
  • Page 88 SERVO, TM41 VECTOR CU_S A_INF, B_INF, TB30, TM31, ENCODER S_INF TM15DI_DO, TM120, TM150 Free connector- p2099[0 ... 1] / r2094.0 ... 15, r2095.0 ... 15 binector convert‐ Send process data DWORD connec‐ p2061[0 ... 26] p2061[0 ... 30] p2061[0 ...
  • Page 89 ● Physical word and double word values are inserted in the telegram as referenced variables. ● p200x apply as reference variables (telegram contents = 4000 hex or 4000 0000 hex in the case of double words if the input variable has the value p200x). Figure A-2 Scaling of speed You can find the detailed structure of the telegrams in the converter List Manual in the...
  • Page 90: A.1.1.3 Parallel Operation Of Communication Interfaces

    ● When standard telegram 20 is set, the "VIK-NAMUR" Interface Mode is permanently specified (p2038 = 2). This relationship cannot be changed. ● When all other telegrams are set, the "SINAMICS" Interface Mode is permanently specified (p2038 = 0). This relationship cannot be changed.
  • Page 91 Control Unit. Parameter p8839 is used to set the parallel use of the Control Unit onboard interfaces and COMM - BOARD in the SINAMICS system. The functionality is assigned to interfaces IF1 and IF2 using indices. For example, the following applications are possible: ●...
  • Page 92 Using the HW Config configuration tool, a PROFIBUS slave/PROFINET device with two interfaces cannot be shown. In parallel operation, this is why a SINAMICS drive appears twice in the project or in two projects, although physically it is just one device.
  • Page 93: A.1.1.4 Acyclic Communication

    Parameter p8839 PZD interface hardware assignment Description: Assigning the hardware for cyclic communication via PZD interface 1 and interface 2. Values: 0: Inactive 1: Control Unit onboard 2: COMM BOARD 99: Automatic For p8839, the following rules apply: ●...
  • Page 94 The "Read data record" and "Write data record" services are available for acyclic communication. The following options are available for reading and writing parameters: ● S7 protocol This protocol uses the STARTER commissioning tool in online operation via PROFIBUS/PROFINET....
  • Page 95 Characteristics of the parameter channel ● One 16-bit address exists for each parameter number and subindex. ● Concurrent access by several additional PROFIBUS masters (master class 2) or PROFINET IO supervisor (e.g. commissioning tool). ● Transfer of different parameters in one access (multiple parameter request). ●...
  • Page 96 Parameter response Offset Values for Response header Request reference mirrored Response ID read access Axis mirrored Number of parameters only 1st parameter value(s) Format Number of values Error values Values or error values for negative response only nth parameter value(s) Format Number of values...
  • Page 97 Field Data type Values Remark Number of elements Unsigned8 0x00 Special function 0x01 ... 0x75 No. 1 ... 117 Limited by DPV1 telegram length Number of array elements accessed. Parameter number Unsigned16 0x0001 ... 0xFFFF No. 1 ... 65535 Addresses the parameter to be accessed.
  • Page 98 Error Significance Remark Additional value info 0x03 Invalid subindex. Access to a subindex that does not exist. Subindex 0x04 No array. Access with subindex to an unindexed parameter. – 0x05 Wrong data type. Modification access with a value that does not match the data –...
  • Page 99 Error Significance Remark Additional value info 0x6F Parameter %s [%s]: Write access only – – in the commissioning state, power unit (p0010 = 2). 0x70 Parameter %s [%s]: Write access only – – in the quick commissioning mode (p0010 = 1).
  • Page 100 Error Significance Remark Additional value info 0x7F Parameter %s [%s]: Write access only – – in the commissioning state, device (device: p0009 not equal to 0). 0x81 Parameter %s [%s] must not be written – – during download. 0x82 Transfer of master control is blocked –...
  • Page 101 Example 1: read parameters Requirements ● The PROFIdrive controller has been commissioned and is fully operational. ● PROFIdrive communication between the controller and the device is operational. ● The controller can read and write data sets in conformance with PROFINET/PROFIBUS. Task description Following the occurrence of at least one fault (ZSW1.3 = "1") on drive 2 (also drive object number 2), the active fault codes must be read from the fault buffer r0945[0] ...
  • Page 102 ● Parameter number: 945 dec → p0945 (fault code) is read. ● Subindex: 0 dec → Reading starts at index 0. Initiate parameter request. If ZSW1.3 = "1" → Initiate parameter request Evaluate the parameter response. Parameter response Offset Response header Request reference mirrored =...
  • Page 103 ● The controller can read and write data sets in conformance with PROFINET/PROFIBUS. Special requirements for this example: ● Servo control or vector control with activated "Extended setpoint channel" function module Task description Jog 1 and 2 are to be set up for drive 2 (also drive object number 2) via the input terminals of the Control Unit.
  • Page 104 Parameter request (with offsets) ● 1st parameter address: Attribute = 10 hex, Number of elements = 01 hex (offset 4 + 5); Parameter no. = 1055 dec; Subindex = 0 dec ● 2nd parameter address: Attribute = 10 hex, Number of elements = 01 hex (offset 10 + 11); Parameter no.
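The parameter request and response layout excerpted above (header with mirrored request reference and axis, then format, number of values and values or error values) can be decoded as follows, which is useful for logging refused write attempts on the acyclic channel. This is an added example, not code from the manual: the format codes and the request ID 0x01 are taken from the PROFIdrive profile, and the request reference, element count and sample frames are constructed.

```python
import struct

# Subset of the error values listed in the error table above (text shortened).
ERROR_TEXT = {
    0x03: "invalid subindex",
    0x04: "no array",
    0x05: "wrong data type",
    0x6F: "write only in commissioning state, power unit (p0010 = 2)",
    0x70: "write only in quick commissioning mode (p0010 = 1)",
    0x7F: "write only in commissioning state, device (p0009 not equal to 0)",
    0x81: "must not be written during download",
}
# Format code -> (size in bytes, signed). Assumption: values from the
# PROFIdrive profile, because the format table is cut off on this page.
FORMATS = {0x02: (1, True), 0x03: (2, True), 0x04: (4, True),
           0x05: (1, False), 0x06: (2, False), 0x07: (4, False),
           0x41: (1, False), 0x42: (2, False), 0x43: (4, False)}
FORMAT_ERROR = 0x44
REQUEST_READ = 0x01        # request ID "request parameter" (PROFIdrive profile)
ATTRIBUTE_VALUE = 0x10     # attribute 10 hex as used in the page's examples


def build_read_request(reference, axis, parameter, subindex, elements):
    """Request header (4 bytes) followed by one parameter address (6 bytes)."""
    header = struct.pack(">BBBB", reference, REQUEST_READ, axis, 1)
    address = struct.pack(">BBHH", ATTRIBUTE_VALUE, elements, parameter, subindex)
    return header + address


def decode_response(frame, reference, axis):
    """Decode a parameter response; raise ValueError on malformed frames."""
    if len(frame) < 4:
        raise ValueError("response shorter than its header")
    ref, response_id, resp_axis, count = struct.unpack_from(">BBBB", frame, 0)
    if ref != reference or resp_axis != axis:
        raise ValueError("response does not mirror request reference/axis")
    pos, results = 4, []
    for _ in range(count):
        if len(frame) < pos + 2:
            raise ValueError("truncated parameter block")
        fmt, n = struct.unpack_from(">BB", frame, pos)
        pos += 2
        if fmt == FORMAT_ERROR:
            if n < 1 or len(frame) < pos + 2 * n:
                raise ValueError("truncated error value")
            words = struct.unpack_from(">%dH" % n, frame, pos)
            pos += 2 * n
            results.append({"ok": False, "error": words[0],
                            "text": ERROR_TEXT.get(words[0], "not in table"),
                            "info": words[1] if n > 1 else None})
            continue
        if fmt not in FORMATS:
            raise ValueError("unsupported format 0x%02X" % fmt)
        size, signed = FORMATS[fmt]
        if len(frame) < pos + n * size:
            raise ValueError("truncated values")
        values = [int.from_bytes(frame[pos + i * size:pos + (i + 1) * size],
                                 "big", signed=signed) for i in range(n)]
        pos += n * size + (n * size) % 2   # byte values are padded to a word
        results.append({"ok": True, "values": values})
    return {"negative": bool(response_id & 0x80), "parameters": results}


# Constructed sample frames (reference 0x25 and the values are made up).
SAMPLE_POSITIVE = bytes([0x25, 0x01, 0x02, 0x01, 0x06, 0x08]) + \
    struct.pack(">8H", 1910, 0, 0, 0, 0, 0, 0, 0)
SAMPLE_REFUSED_WRITE = bytes([0x25, 0x82, 0x02, 0x01, 0x44, 0x01]) + \
    struct.pack(">H", 0x7F)
```

A negative response carrying 0x6F, 0x70 or 0x7F means a write was attempted outside the required commissioning state, which is worth recording together with the requesting station.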
  • Page 105: A.1.1.5 Diagnostics Channels

    Diagnostics channels SINAMICS drives provide the standard diagnostics for PROFIBUS and PROFINET. This allows the PROFIdrive classes of the SINAMICS drive to be integrated into the system diagnostics of a higher-level control system and automatically displayed on an HMI.
  • Page 106 ● SINAMICS transfers the messages in the sequence in which they occurred. ● If an alarm appears, SINAMICS sends an "incoming" message. The alarm remains until SINAMICS sends the corresponding "outgoing" message. ● The time stamps are generated from the higher-level controller when the messages are received. ●...
  • Page 107 PROFINET-based diagnostics For PROFINET, to transfer PROFIdrive message classes, channel diagnostics (Channel Diagnosis) are used (see PROFINET IO specification (http://www.profibus.com)). A message always comprises the following components in this specific sequence: ● Block Header (6 Byte) – Blocktype –...
  • Page 108 Individual components of the Channel Diagnosis Data block can be included n times in a message. A precise explanation of these message components is subsequently provided: Designation Data type/ For SINAMICS length Value Significance Channel Number 1 ... 399...
  • Page 109 System response - reading out diagnostics data The converter can request diagnostics data via "Read data set" (detailed information is provided in the PROFINET-IO specification (http://www.profibus.com)). Example: For example, a read record with index 0x800C can be used to read out diagnostics data from specific sub slots.
  • Page 110 The diagnostic data type can be uniquely identified based on the header. Note The master must operate in the DPV1 mode. Standard diagnostics For communication via PROFIBUS, standard diagnostics is structured as follows. Octet Name Station Master_ Prm_Fault Not_ Ext_Diag...
  • Page 111 Slot_2 Slot_1 Slot_7 Slot_6 Slot_5 Slot_n Note Status value Diagnostics for SINAMICS are only available in cyclic PROFIBUS operation, so that the state 00 = "Valid useful data" is always output for all slots. Industrial Security Configuration Manual, 08/2017, A5E36912609A...
  • Page 112 Channel-related diagnostics Channel-related diagnostics encompasses the following data: Octet Name Header- 0 ... 63 (module number) including this byte Byte x + 1 0 (no component assignment) x + 2 Message classes: 2 undervoltage 3 overvoltage 9 error 16 Hardware/software error 17 Line supply/filter faulted 18 DC-link overvoltage...
  • Page 113: A.1.2 Communication Via Profibus Dp

    Name DS0 (byte 1) DS0 (Byte 2) DS0 (byte 3) Info (byte 1) Mixed = 0x45 (ChannelTypeID = SINAMICS) Info (byte 2) = 24 (number of diagnostic bits/channel) Info (byte 3) = 1 (1 channel signals) Channel Error Channel 0...
  • Page 114 Devices for configuration, commissioning, operator control and monitoring during bus operation. Devices that only exchange data with the slaves in acyclic mode. Examples: Programming devices, human machine interfaces ● Slaves With respect to PROFIBUS, the SINAMICS drive unit is a slave.
  • Page 115 Bus access method PROFIBUS uses the token passing method, i.e. the active stations (masters) are arranged in a logical ring in which the authorization to send is received within a defined time frame. Within this time frame, the master with authorization to send can communicate with the assigned slaves and/or with other masters in a master/slave procedure.
  • Page 116 Note The sequence of drive objects in HW Config must be the same as that in the drive (p0978). Drive objects after the first zero in p0978 must not be configured in the HW Config. The structure of the telegram depends on the drive objects taken into account during configuration.
  • Page 117: A.1.2.2 Commissioning Profibus

    A.1.2.2 Commissioning PROFIBUS Setting the PROFIBUS interface Interfaces and diagnostic LED A PROFIBUS interface with LEDs and address switches is available as standard on the CU320-2 DP Control Unit. Figure A-6 Interfaces and diagnostic LED
  • Page 118 ● PROFIBUS interface The PROFIBUS interface is described on the CD of the converter in the document "Supplementary component descriptions". ● PROFIBUS diagnostic LED Note A teleservice adapter can be connected to the PROFIBUS interface (X126) for remote diagnostics purposes.
  • Page 119 A generic station description file clearly and completely defines the properties of a PROFIBUS slave. The SINAMICS S GSD file contains among other things standard telegrams, free telegrams and slave-to-slave telegrams for configuring slave-to-slave communication. With the aid of these telegram parts and an axis separator, a telegram for the drive unit must be composed for each drive object.
  • Page 120 Note for commissioning for VIK-NAMUR To be able to operate a SINAMICS drive as a VIK-NAMUR drive, standard telegram 20 must be set and the VIK-NAMUR identification number activated via p2042 = 1.
  • Page 121 The standard slave diagnostics can be read online in the HW config. SIMATIC HMI addressing You can use a SIMATIC HMI as a PROFIBUS master (master class 2) to access SINAMICS directly. With respect to SIMATIC HMI, SINAMICS behaves like a SIMATIC S7. For accessing drive parameters, the following applies: ●...
  • Page 122 Table A-8 Variables: "General" tab Field Value Name Controller Type Depending on the addressed parameter value, e.g.: INT: for integer 16 DINT: for integer 32 WORD: for unsigned 16 REAL: for float Area Parameter number (data block number) 1 ...
  • Page 123 Monitoring telegram failure When monitoring the telegram failure, SINAMICS differentiates between two cases: ● Telegram failure with a bus fault After a telegram failure and the additional monitoring time has elapsed (p2047), bit r2043.0 is set to "1" and alarm A01920 is output. Binector output r2043.0 can be used for a quick stop, for example.
  • Page 124: A.1.2.3 Slave-To-Slave Communication

    Example: Quick stop at telegram failure Assumption: ● A drive unit with an Active Line Module and a Single Motor Module. ● VECTOR mode is activated. ● After a ramp-down time (p1135) of two seconds, the drive is at a standstill. Settings: p2047 = 20 ms A_INF...
  • Page 125 The following terms are used for the function described in this chapter: ● Slave-to-slave communication ● Data Exchange Broadcast (DXB.req) ● Slave-to-slave communication (is used in the following) From the perspective of the Class 1 master Figure A-9 Slave-to-slave communication with the publisher-subscriber model Publisher With the "slave-to-slave communication"...
  • Page 126 Links and taps The links configured in the subscriber (connections to publisher) contain the following information: ● From which publisher is the input data received? ● What is the content of the input data? ● Where are the additional setpoints received? Several taps are possible within a link.
  • Page 127 ● Contents of the setpoints The structure and contents of the data are determined using the local process data configuration for the "SINAMICS slave". ● Operation as "standard" slave The drive unit (slave) only receives its setpoints as output data from the master.
  • Page 128 (e.g. HW Config) generates this ID. The ID is then transferred with the ChkCfg into the drive devices that operate as subscribers. Commissioning PROFIBUS slave-to-slave communication The commissioning of slave-to-slave communication between two SINAMICS drive devices using the additional Drive ES package is described below in an example.
  • Page 129 1. You have generated a project, e.g. with SIMATIC Manager and HW Config. In the project example, you defined a CPU 314 controller as master and 2 SINAMICS Control Units as slaves. Of the slaves, one CU310-2 DP is the publisher and one CU320-2 DP the subscriber.
  • Page 130 3. Via its properties dialog in the overview, configure the telegram for the connected drive object. Figure A-12 Telegram selection for drive object 4. Then switch to the detailed view. – Slots 4/5 contain the actual and setpoint values for the first drive object, e.g. SERVO. –...
  • Page 131 5. Create an additional setpoint slot 6 for the first drive object using the "Insert slot" button behind the existing setpoint slot 5. Figure A-14 Insert new slot 6. Under the "PROFIBUS Partner" column, change the new setpoint slot 6 from an "output" type to a "slave-to-slave communication"...
  • Page 132 8. The "I/O address" column displays the start address for every drive object. Select the start address of the data of the drive object to be read. In the example, "268" is proposed. If the complete data of the publisher is not to be read, set this using the "Length" column. Alternatively, you can shift the start address of the access, so that the required data can be read out from the center section of the telegram component of the drive object.
  • Page 133 9. Click the "Slave-to-slave communication overview" tab. The configured slave-to-slave communication relationships are shown here which correspond to the current status of the configuration in HW Config. Figure A-16 Slave-to-slave communication - overview After the slave-to-slave communication link has been created, instead of showing "Standard telegram 2"...
  • Page 134 Figure A-18 Details after the creation of the slave-to-slave communication link 10. You should therefore adjust the telegrams for each drive object of the selected drive device that is to participate actively in slave-to-slave communication. Autodetect in the STARTER The settings configured in HW Config for the cross-reference telegrams are automatically detected by the STARTER.
  • Page 135: A.1.2.4 Messages Via Diagnostic Channels_Profibus

    r2074 and r2075 enable the source of a slave-to-slave communication relationship to be verified in the subscriber. Note The subscribers do not monitor the existence of an isochronous publisher sign-of-life. Faults and alarms with PROFIBUS slave-to-slave communication The alarm A01945 signals that the connection to at least one publisher of the drive device is missing or has failed.
  • Page 136 When establishing the communication between SINAMICS and a master, the activated diagnostics mode of this controller is first transferred to the drive. With activated diagnostics, SINAMICS first transfers all pending messages to the master. Similarly, all currently pending messages in the master are deleted by SINAMICS when closing the communication connection.
  • Page 137: A.1.3 Communication Via Profinet Io

    ● An IO supervisor is an engineering tool, typically based on a PC, to configure and diagnose the individual IO devices (drive units). IO devices: Drive units with PROFINET interface ● SINAMICS with CU320‑2 DP and inserted CBE20 ● SINAMICS with CU320-2 PN
  • Page 138 Cyclic communication using PROFINET IO with IRT or using RT is possible on all drive units equipped with a PROFINET interface. This means that error-free communication using other standard protocols is guaranteed within the same network. Note PROFINET for drive technology is standardized and described in the following document: PROFIBUS profile PROFIdrive - Profile Drive Technology Version V4.1, May 2006...
  • Page 139 (topology) is utilized. IRT requires special network components that support planned data transfer. SINAMICS cycle times of minimum 250 μs (onboard) / 500 μs (CBE20) and a jitter accuracy of less than 1 μs can be achieved when this transmission method is implemented.
  • Page 140 IP address The TCP/IP protocol is a prerequisite for establishing a connection and parameterization. To allow a PROFINET device to be addressed as a node on Industrial Ethernet, this device requires a unique IP address in the network. The IP address is made up of 4 decimal numbers with a range of values from 0 through 255.
  • Page 141 IP address centrally using a DHCP (DHCP = Dynamic Host Configuration Protocol) server. The following requirements must be satisfied to do this: ● At least one DHCP server must be active. ● The PG/PC and the SINAMICS devices must be connected to the same physical Ethernet subnet. Note DHCP is not supported together with PROFINET.
  • Page 142 5. Activate either the "MAC address" or the "Device name" option in the "Identified via" area. 6. Click "Assign IP configuration". The IP address is then taken from the DHCP server. The SINAMICS device uses the associated setting after a POWER ON to obtain a new IP address from the DHCP server.
  • Page 143 DCP flashing This function is used to check the correct assignment to a module and its interface. This function is supported by a CU320‑2 DP/PN with inserted CBE20. The function can also be used without CBE20 in a CU320-2 PN. DCP flashing 1.
  • Page 144 When you create the configuration on the controller side (e.g. HW Config), the process-data-capable drive objects for the application are added to the telegram in the shown sequence (see above). The following drive objects can exchange process data: ●...
  • Page 145 Control Unit with CBE20 A Communication Board can be optionally inserted in the CU320-2 PN/DP Control Unit: ● The CBE20 Communication Board (X1400) is a PROFINET switch with 4 additional PROFINET ports. Notes Note PROFINET routing Routing is not possible between the onboard interfaces X127 and X150 – or between the onboard interfaces of the Control Unit 320-2 PN and an inserted CBE20 (X1400).
  • Page 146 Ethernet interface ● p8900[0...239] IE Name of Station ● p8901[0...3] IE IP Address ● p8902[0...3] IE Default Gateway ● p8903[0...3] IE Subnet Mask ● p8904 IE DHCP Mode ● p8905 IE Interface Configuration ● r8910[0...239] IE Name of Station actual ●...
  • Page 147: A.1.3.2 Rt Classes For Profinet Io

    ● r8950[0...239] CBE2x Name of Station actual ● r8951[0...3] CBE2x IP address actual ● r8952[0...3] CBE2x Default Gateway actual ● r8953[0...3] CBE2x Subnet Mask actual ● r8954 CBE2x DHCP Mode actual ● r8955[0...5] CBE2x MAC address ● r8959 CBE2x DAP ID ●...
  • Page 148 Control Unit synchronizes with the bus and the send cycle becomes the cycle for the Control Unit. ● RT or IRT (option drive unit "not isochronous") has been configured. SINAMICS uses the local cycle configured in SINAMICS.
  • Page 149 The following applies to a CU320‑2 DP/CU320‑2 PN for which a CBE20 is configured, but does not exist: ● SINAMICS uses the local clock (clock configured in SINAMICS); if there is no data exchange via PROFINET, alarm A01487 is output ("Topology: Comparison option slot component missing in the actual topology").
  • Page 150 Example: ● Synchronization domain IRT: SIMOTION2 with SINAMICS ● SINAMICS drive that is assigned to the I/O system of SIMOTION1. This is arranged in the topology in such a way that its RT communication must be established through the IRT synchronization domain.
  • Page 151 It is generally only possible to set a reduction ratio of 1:1 between the update time and send cycle for IO devices (ET200S IM151-3 PN HS, SINAMICS S) which are operated in isochronous mode. In this case, the update cycle mode must always be set to "fixed factor"...
  • Page 152: A.1.3.3 Profinet Gsdml

    GSDML files for devices which contain IRT as of firmware version V2.5. A.1.3.3 PROFINET GSDML SINAMICS supports the GSDML version: "PROFINET GSDML" to embed the converter in a PROFINET network. PROFINET GSDML allows standard telegrams to be combined with a PROFIsafe telegram –...
  • Page 153: A.1.3.4 Communication With Cbe20

    The following table shows the possible submodules depending on the particular drive object. Table A-11 Submodules depending on the particular drive object Module Subslot 1 Subslot 2 Subslot 3 Subslot 4 Max. number PROFIsafe PZD telegram PZD extension of PZD VECTOR Telegram...
  • Page 154: A.1.3.5 Communication Via Profinet Gate

    Ethernet interface of the controller without the need for a communication module or an option module. "PN GATE FOR SINAMICS" enables control devices with a standard Ethernet interface to be connected isochronously via PROFINET with IRT to SINAMICS, and enables robotics or CNC applications to be implemented with SINAMICS drives.
  • Page 155 Possible drive units: ● CU320-2 PN The CBE20 in the CU320-2 PN of the SINAMICS contains the "PN Gate" function (p8835 = 2). The PN Gate represents the controller in the sense of PROFINET. It covers a standard PROFINET network.
  • Page 156 Functions supported by PN Gate PN Gate function overview Function Description Communication channels ● Cyclic data communication: – IRT – RT ● Acyclic data communication: - PROFINET alarms - Read/write data set - TCP/IP PROFINET basic services ●...
  • Page 157 Preconditions for PN Gate Hardware ● SINAMICS CU320-2 PN with firmware version as of 4.5 ● Communication Board Ethernet 20 (CBE20) ● Short Ethernet cable to connect CBE20 and CU320-2 PN (X150) Recommendation: Ethernet cable with the article number: 6SL3060-4AB00-0AA0 ●...
  • Page 158: A.1.3.6 Profinet With 2 Controllers

    Note Operation with two controllers is only possible in conjunction with an F-CPU. SINAMICS allows 2 control systems to be connected simultaneously to a Control Unit via PROFINET, e.g. an automation controller (A-CPU) and a safety controller (F-CPU). SINAMICS supports, for this communication, PROFIsafe standard telegrams 30 and 31, as well as Siemens telegrams 901 and 902 for the safety controller.
  • Page 159 The following diagram shows a configuration example of a drive with three axes. The A-CPU sends Siemens telegram 105 for axis 1 and Siemens telegram 102 for axis 2. The F-CPU sends PROFIsafe telegram 30 for axis 1 and axis 3.
  • Page 160: A Communication

    Note CPU failure Communication is carried out by both controllers independently of one another. In the event of failure of a CPU, communication with the other CPU is not interrupted; it continues to operate without interruption. Error messages are output regarding the components that have failed. ●...
  • Page 161 3. Select a drive from the object manager (in the example, a CU320-2 PN). Figure A-25 Automation controller created in HW Config
  • Page 162 4. Select menu "Station/save and compile" (Ctrl+S). The previous project is saved. 5. To configure the drives in STARTER, from the shortcut menu of the SINAMICS drive, select "Open object with STARTER". Figure A-26 New project transferred from HW Config into STARTER...
  • Page 163 The STARTER window opens automatically. The project is displayed in the navigation window. 1. In the expert list of the Control Unit, set parameter p8929 = 2. Figure A-27 p8929 from the expert list of the Control Unit 2.
  • Page 164 3. Under "..", add the safety telegrams 30 for the 1st and 3rd drive: – In the table, click the drive that you want to monitor with PROFIsafe. – Click the "Adapt telegram configuration" button and select "Add PROFIsafe". Figure A-29 Add the PROFIsafe telegram to the drive The PROFIsafe telegrams were added to the PROFIdrive table:...
  • Page 165 There is full access to all telegrams. You must enable this in order that the PROFIsafe controller can access telegram 30. 2. Select the "Object properties..." option from the SINAMICS drive shortcut menu. 3. In the following window, you lock the access of the PROFIsafe telegrams through the A-CPU.
  • Page 166 Figure A-33 Safety telegrams of the A-CPU enabled Inserting the PROFIsafe controller in STEP 7 You configure the PROFIsafe controller in precisely the same way as the automation controller under STEP 7.
  • Page 167 PROFIsafe controller configuration 3. In HW Config, click "Station\Save and compile". 4. In the automation controller window, click the SINAMICS drive. 5. In the menu, select "Edit/copy" to start copying. 6. Return to the HW Config window of the PROFIsafe controller.
  • Page 168 8. Select "Insert shared" in the shortcut menu. The S120 automation controller is connected to the PROFINET of the PROFIsafe controller. In the table, the PROFIsafe controller has automatically been allocated full access for PROFIsafe telegram 30. Figure A-35 New project completed in HW Config 9.
  • Page 169: A.1.3.7 Profinet Media Redundancy

    PROFINET IO interfaces and a CBE20 is not possible. A.1.3.8 PROFINET system redundancy Thanks to SINAMICS PROFINET Control Units, the assembly of system-redundant systems is possible. Precondition for system-redundant systems is a so-called H-system. The H-system consists of 2 fault-tolerant controls –...
  • Page 170 ● No simultaneous operation of Shared Device and Shared I-Device ● Maximum 2 cyclical PROFINET connections ● System redundancy only via the onboard interface of SINAMICS PROFINET Control Unit ● For the duration of switching from one controller to the other, the setpoints of the last connection remain frozen and valid.
  • Page 171 The figure below shows a sample structure of a system-redundant controller with 3 converters. ① SIMATIC S7-400H with two CPU 414H ② SINAMICS frequency converter with PROFINET Control Units Figure A-37 System redundancy with converters Configuring Configuring the redundancy takes place in STEP 7. In the converter, you only have to configure the communication via PROFINET.
  • Page 172 You can find further descriptions of the PROFINET system redundancy online in the following manuals: ● System manual “Fault-tolerant SIMATIC S7-400H systems” SIMATIC S7-400H Manual (https://support.industry.siemens.com/cs/document/82478488/simatic-fault-tolerant-systems-s7-400h?dti=0&lc=en-WW) ● Application description Configuration examples for S7-400H PROFINET SIMATIC S7-400H configuration examples (https://support.industry.siemens.com/cs/document/90885106/configuration-examples-for-s7-400h-with-profinet-simatic-s7-400h-as-of-v6-0?dti=0&lc=en-WW)
  • Page 173: A.1.3.9 Support Of I&M Data Sets 1...4

    I&M data sets 1...3 can be set with the SIMATIC Manager (STEP 7) and also with HW Config (STEP 7). I&M parameters Table A-13 Parameter designation, assignment and meaning (columns: I&M parameter designation, Format, Size/octets, Initialization, SINAMICS parameters, Significance) I&M 0: IM_SUP‐ ‑ ‑ ‑...
  • Page 174 3 parameters: ● They can be displayed in the STARTER expert list. ● The SINAMICS "Reset parameter" (p0976 = 1, p0970 = 1) function does not have any effect on the content of the parameters. ● I&M data sets are not changed when the alternative parameter sets are stored or loaded.
  • Page 175: A.1.4 Communication Via Modbus Tcp

    The data throughput is greater than in ASCII code. ● Modbus TCP - data is transferred via Ethernet as TCP/IP packets. TCP port 502 is reserved for Modbus TCP. In SINAMICS, only the "Modbus TCP" transmission mode is available. Possible drive units: ● CU320-2 PN ●...
  • Page 176 Modbus TCP always provides a basic Ethernet functionality, which corresponds to the functionality of Ethernet interface X127: ● Commissioning access for STARTER/Startdrive with S7 protocol ● DCP to set the IP address etc. ● SNMP for identification General information about communication Communication with Modbus TCP runs via the Ethernet/PROFINET interfaces: ●...
  • Page 177: A.1.4.2 Configuring Modbus Tcp Via Interface X150

    A.1.4.2 Configuring Modbus TCP via interface X150 Activate Modbus TCP via X150 (CU320-2 PN or CU310-2 PN) 1. For drive object DO1, set p2030 = 13 (Modbus TCP). 2. Using p8921, set the IP address for the onboard PROFINET interface on the Control Unit. 3.
  • Page 178: A.1.4.3 Configuring Modbus Tcp Via Interface X1400

    A.1.4.3 Configuring Modbus TCP via interface X1400 Activating Modbus TCP via X1400 (CBE20) 1. For drive object DO1, set p8835 = 5 (Modbus TCP). 2. Set the IP address for the CBE20 using p8941. 3. Set the standard gateway for the CBE20 using p8942. 4.
  • Page 179: A.1.4.4 Mapping Tables

    A.1.4.4 Mapping tables Modbus register and Control Unit parameters The Modbus protocol contains register or bit numbers for addressing memory. You must assign the appropriate control words, status words, and parameters to these registers in the device. The valid holding register address range extends from 40001 up to 40722.
  • Page 180 Table A-15 Assigning the Modbus register to the parameters - parameter data (columns: Register, Description, Access, Unit, Scaling, ON/OFF text or Value range, Data / parameter) Drive identification 40300 Actual power unit code number 0 … 65535 r0200 40301 Control Unit firmware...
  • Page 181: A.1.4.5 Write And Read Access Using Function Codes

    -100.0 … 100.0 r2294 For these registers, for SINAMICS servo drives, parameters p1120 and p1121 are only available (and can only be parameterized) with the extended setpoint channel. These registers are not supported for linear motors as the unit and value range differ from normal rotary drives.
  • Page 182 The Control Unit uses the following Modbus function codes: ● FC 03: Holding register to read data from the inverter ● FC 06: Write single register to write to individual register ● FC 16: Write to multiple registers to write to several registers Structure of a Modbus TCP message Application Data Unit (ADU) Modbus Application Header...
  • Page 183 Table A-19 Invalid read request Read request Inverter response Invalid register address Exception code 02 (invalid data address) Read a write-only register Telegram in which all values are set to 0. Read a reserved register Controller addresses more than 125 registers Exception code 03 (invalid data value) The start address and the number of registers of an Exception code 02 (invalid data address)
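A protocol-aware filter in front of the drive can enforce the limits quoted in this section: function codes FC 03, FC 06 and FC 16 only, holding registers 40001 to 40722, at most 125 registers per read, and the 122-register limit this manual states for FC 16 in A.1.4.6. This is an added example, not code from the manual or from Siemens: it assumes the conventional Modbus mapping of register 40001 to PDU address 0, uses the standard exception code 01 for other function codes, and its sample frames are constructed.

```python
import struct

MODBUS_TCP_PORT = 502                          # reserved port named on this page
FIRST_REGISTER, LAST_REGISTER = 40001, 40722   # valid holding register range
MAX_READ_REGISTERS = 125                       # more than 125 -> exception code 03
MAX_WRITE_REGISTERS = 122                      # FC 16 limit stated in A.1.4.6
ALLOWED_FUNCTIONS = {0x03, 0x06, 0x10}         # FC 03, FC 06, FC 16
ILLEGAL_FUNCTION = 0x01                        # standard Modbus, not quoted on the page
ILLEGAL_DATA_ADDRESS = 0x02
ILLEGAL_DATA_VALUE = 0x03


def make_adu(transaction, unit, pdu):
    """Prefix a PDU with the 7-byte MBAP header (protocol ID is always 0)."""
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


def check_request(adu):
    """Return ("allow", (fc, first, last)), ("exception", code) or ("drop", reason)."""
    if len(adu) < 8:
        return ("drop", "shorter than MBAP header plus function code")
    _tid, protocol, length, _unit = struct.unpack_from(">HHHB", adu, 0)
    if protocol != 0 or length != len(adu) - 6:
        return ("drop", "inconsistent MBAP header")
    function, body = adu[7], adu[8:]
    if function not in ALLOWED_FUNCTIONS:
        return ("exception", ILLEGAL_FUNCTION)
    if function == 0x10:
        if len(body) < 5:
            return ("drop", "FC 16 request too short")
        start, quantity, byte_count = struct.unpack_from(">HHB", body, 0)
        if not 1 <= quantity <= MAX_WRITE_REGISTERS:
            return ("exception", ILLEGAL_DATA_VALUE)
        if byte_count != 2 * quantity or len(body) != 5 + byte_count:
            return ("drop", "byte count does not match register count")
    else:
        if len(body) != 4:
            return ("drop", "wrong request length")
        start, second = struct.unpack(">HH", body)
        quantity = second if function == 0x03 else 1   # FC 06 carries a value
        if not 1 <= quantity <= MAX_READ_REGISTERS:
            return ("exception", ILLEGAL_DATA_VALUE)
    first = FIRST_REGISTER + start                      # assumed 40001 <-> address 0
    last = first + quantity - 1
    if last > LAST_REGISTER:
        return ("exception", ILLEGAL_DATA_ADDRESS)
    return ("allow", (function, first, last))


def exception_response(adu, code):
    """Build the exception ADU: function code with bit 7 set, then the code."""
    tid, _protocol, _length, unit = struct.unpack_from(">HHHB", adu, 0)
    return struct.pack(">HHHBBB", tid, 0, 3, unit, adu[7] | 0x80, code)


# Constructed sample requests.
READ_TWO = make_adu(1, 1, struct.pack(">BHH", 0x03, 99, 2))
READ_TOO_MANY = make_adu(2, 1, struct.pack(">BHH", 0x03, 0, 126))
READ_PAST_END = make_adu(3, 1, struct.pack(">BHH", 0x03, 721, 2))
WRITE_COIL = make_adu(4, 1, struct.pack(">BHH", 0x05, 0, 0xFF00))
WRITE_123 = make_adu(5, 1, struct.pack(">BHHB", 0x10, 600, 123, 246) + bytes(246))
WRITE_TWO = make_adu(6, 1, struct.pack(">BHHB", 0x10, 600, 2, 4) + bytes(4))
```

The "allow" result carries the register span, so a per-client allowlist of registers (for example read-only access to the drive identification registers) can be layered on top.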
  • Page 184: A.1.4.6 Communication Via Data Set 47

    A.1.4.6 Communication via data set 47 Via FC 16, with one request, up to 122 registers can be written to directly one after the other, while for Write Single Register (FC 06) you must individually write the header data for each register.
  • Page 185 4 hex: Response not ready (the response has still not been issued) 5 hex: Internal Error (general system error) Incorrect access operations to parameters via data set 47 are logged in registers 40603 … 40722. The error codes are described in the PROFIdrive profile. Examples: Read parameter Table A-23 Write parameter request: Reading parameter value of r0002 from device number 17...
  • Page 186 Communication A.1 Communication Table A-26 Response for unsuccessful read operation - read request still not completed Value Byte Description MBAP header 03 h Function code (read) 20 h Number of following data bytes (20 h: 32 bytes 16 registers) 0001 h 9,10 40601: Check value 1 = request is processed 2F00 h...
  • Page 187: A.1.4.7 Communication Procedure

    Communication A.1 Communication Table A-29 Response for successful write operation Value Byte Description MBAP header 03 h Function code (read) 20 h Number of following data bytes (20 h: 32 bytes 16 registers) 0002 h 9,10 40601: DS47 Control = 2 (request was executed) 2F04 h 11,12 40602: Function code 2F h (47), response length 4 bytes...
  • Page 188: A.1.4.8 Messages And Parameters

    Communication A.1 Communication Fieldbus interface: In parameter p2040 you define the time for cyclic data exchange for process data. Setting range 0 - 2000 s. The time depends on the amount of data to be transferred and the control. "Setpoint timeout" (F01910) is issued by the Modbus if p2040 is set to a value > 0 ms and no process data is requested within this time period.
  • Page 189: A.1.5 Communication Via Ethernet/Ip

    Communication A.1 Communication Parameter Description p2051[0...24] CI: IF1 PROFIdrive PZD send word r2053[0...24] IF1 PROFIdrive diagnostics PZD send word r2054 PROFIBUS status p8835 CBE20 firmware selection p8839[0...1] PZD interface hardware assignment p8840 COMM BOARD monitoring time r8850[0...19] CO: IF2 PZD receive word p8851[0...24] CI: IF2 PZD send word r8853[0...24]...
  • Page 190 Further, you can find a detailed description of how to create a generic I/O module on the following Internet page: (Creating a generic module (http://support.automation.siemens.com/WW/view/en/92045369)). Routing and shielding Ethernet cables You can find information on how to do this on the following Internet page: Ethernet IP (https://www.odva.org/Publication-Download).
  • Page 191: A.1.5.3 Requirements For Communication

    Communication A.1 Communication A.1.5.3 Requirements for communication Check the communication settings using the following questions. If you answer "Yes" to the questions, you have correctly set the communication settings and can control the drive via the fieldbus. ● Is the drive correctly connected to the EtherNet/IP? ●...
  • Page 192: A.1.5.5 Supported Objects

    4 hex Assembly Object ‑ 6 hex Connection Management Object ‑ 32C hex Siemens Drive Object ‑ 32D hex Siemens Motor Data Object ‑ F5 hex TCP/IP Interface Object ‑ F6 hex Ethernet Link Object ‑ 300 hex Stack Diagnostic Object ‑...
  • Page 193 Communication A.1 Communication Table A-33 Instance Attribute Service Type Name Value/explanation UINT16 Vendor ID 1251 UINT16 Device Type - Siemens Drive 0C hex UINT16 Product code r0964[1] UINT16 Revision ‑ UINT16 Status See the following table UINT32 Serial number Bit 0 … 19: consecutive number;...
  • Page 194 Communication A.1 Communication Table A-35 Class Attribute Service Type Name UINT16 Revision UINT16 Max Instance UINT16 Num of Instances Table A-36 Instance Attribute Service Type Name Value/explanation Array of Assembly 1 byte array UINT8 Connection Management Object, Instance Number: 6 hex Supported services Class ●...
  • Page 195 Communication A.1 Communication Siemens Drive Object, Instance Number: 32C hex Supported services Class ● Get Attribute single Instance ● Get Attribute single ● Set Attribute single Table A-39 Class Attribute Service Type Name UINT16 Revision UINT16 Max Instance UINT16 Num of Instances...
  • Page 196 Communication A.1 Communication Service Name Value/explanation Speed setpoint r0020 speed setpoint Output Frequency r0024 output frequency Output Voltage r0025 output voltage DC Link Voltage r0026[0] DC link voltage Actual Current r0027 current actual value Actual Torque r0031 torque actual value Output power r0032 actual active power value Motor Temperature...
  • Page 197 Communication A.1 Communication ((Siemens Motor Object - Details)) Siemens Motor Data Object, Instance Number: 32D hex Supported services Class ● Get Attribute single Instance ● Get Attribute single ● Set Attribute single Object "32D hex" is only available on the "VECTOR DO = 12" drive object.
  • Page 198 Communication A.1 Communication Table A-43 Class Attribute Service Type Name UINT16 Revision UINT16 Max Instance UINT16 Num of Instances Table A-44 Instance Attribute Service Type Name Value/explanation UNIT32 Status Fixed value: 1 hex 1: Configuration acknowledged, by DHCP or saved values UNIT32 Configuration Ca‐...
  • Page 199 Communication A.1 Communication Table A-45 Class Attribute Service Type Name UINT16 Revision UINT16 Max Instance UINT16 Num of Instances Table A-46 Instance Attribute Service Type Name Value/explanation UINT32 Interface Speed 0: link down, 10: 10 Mbps, 100: 100 Mbps ‑ Interface Flags Bit 1: Link-Status Bit 2: Duplex Mode (0: half duplex, 1 duplex)
  • Page 200 Communication A.1 Communication Service Type Name Value/explanation get, Struct of Media Counters Media-specific counters get_and_ UINT32 Alignment Errors Structure received, which does not match the num‐ clear ber of octets UINT32 FCS Errors Structure received, which does not pass the FCS check UINT32 Single Collisions...
  • Page 201 Communication A.1 Communication Table A-47 Class Attribute Service Type Name UINT16 Revision UINT16 Max Instance UINT16 Num of Instances Parameter access to drive object 0 (DO 0) is realized via this class. Example: Read parameter 2050[10] (connector output to interconnect the PZD received from the fieldbus controller) Get Attribute single function with the following values: ●...
  • Page 202: A.1.5.6 Integrate The Drive Device Into The Ethernet Network Via Dhcp

    Communication A.1 Communication 0x43E -> DO 62 A.1.5.6 Integrate the drive device into the Ethernet network via DHCP Integrating the drive into an Ethernet network Proceed as follows to integrate the drive into Ethernet: 1. Set p8944 (CBE2x DHCP mode) = 2 or 3. –...
  • Page 203: A.1.6 Communication Via Sinamics Link

    (DOs). SINAMICS Link allows data to be directly exchanged between up to 64 CU320-2 PN or CU320-2 DP Control Units or CUD. All of the participating Control Units must be equipped with a CBE20 in order that SINAMICS Link functions. Possible applications are, for example: ●...
  • Page 204 ● In a telegram, a PZD may only be sent and received once. If a PZD occurs more than once in a telegram, then Alarm A50002 or A50003 is output. ● It is not possible to read in your own send data. SINAMICS S then initiates the corresponding alarms. The following alarms are possible: –...
  • Page 205 A08531 is output. In this case, a POWER ON is required to activate the values. Transmission time With SINAMICS Link, a transmission time of up to 500 µs is possible (with a max. controller cycle of 500 µs; synchronous bus cycle of 500 µs).
  • Page 206: A.1.6.2 Topology

    You must always connect port 2 (P2) of node n with port 1 (P1) of node n + 1. ● In the "SINAMICS Link" mode, ports 3 and 4 of the CBE20 can only be used to connect to the STARTER commissioning tool or Startdrive.
  • Page 207: A.1.6.3 Configuring And Commissioning

    2. Set the Control Unit parameter p8835 = 3 (SINAMICS Link). 3. Using p8839, define which interface should be used (for example for IF1: p8839[0] = 2). 4. If SINAMICS Link is assigned to IF1, set parameter p2037 of the drive objects to 2 (do not freeze setpoints).
  • Page 208 In this example, the first "Control Unit 1" node has two drive objects: "Drive 1" and "Drive 2". Proceed as follows to send data: 1. If SINAMICS Link is assigned to IF1, then for each drive object, in its associated parameter p2051[0...31], you define which data (PZDs) should be sent.
  • Page 209 Communication A.1 Communication p2051[x] p2061[x] Contents From pa‐ Slots in the send buffer rameter p8871[x] Index Index Telegram word Actual torque value part 1 r0080 Actual torque value part 2 Actual fault code r2131 0...5 here remain free, as they are already assigned by DO2. Table A-52 Compile send data of Control Unit 1 (DO1) p2051[x]...
  • Page 210 A.1 Communication Receiving data The sent telegrams of all nodes are simultaneously available at the SINAMICS Link. Each telegram has a length of 32 PZD. Each telegram has a marker of the sender. You select those PZD that you want to receive for the relevant node from all telegrams. You can process a maximum of 32 PZD.
  • Page 211: A.1.6.4 Example

    Without POWER ON, the following can be changed: ● The assignments of p2051[x]/2061[2x] and the links of the read parameters r2050[x]/ 2060[2x] ● Parameters p8870, p8871, and p8872 In this case, the SINAMICS Link connections can also be connected via p8842 = 1. A.1.6.4...
  • Page 212 Communication A.1 Communication 5. Set all CBE20 to the isochronous mode by setting p8812[0] = 1. 6. Make the following interface setting for all nodes: – For IF1: p8839[0] = 2 (COMM BOARD) – For IF2: p8839[1] = 1 (Control Unit onboard) 7.
  • Page 213 – r2050[0] subsequently contains (after step 13) the value of PZD 1 of node 2. 12. At the two nodes, carry out a "Copy RAM to ROM" to back up the parameterization and the data. 13. Set p8842 = 1 to activate parameters p8870, p8871 and p8872. Figure A-40 SINAMICS Link: Configuration example
  • Page 214: A.1.6.5 Communication Failure When Booting Or In Cyclic Operation

    If at least one sender does not correctly boot after commissioning or fails in cyclic operation, then alarm A50005 is output to the other nodes: "Sender was not found on the SINAMICS Link." The message contains the number of the faulted node. After you have resolved the fault at the node involved and the system has identified the node, the system automatically withdraws the alarm.
  • Page 215: A.1.7 Communication Services And Used Port Numbers

    A.1.7 Communication services and used port numbers SINAMICS converters support the communication protocols listed in the following table. The address parameters, the relevant communication layer, as well as the communication role and the communication direction are decisive for each protocol. You require this information to match the security measures for the protection of the automation system to the used protocols (e.g.
  • Page 216 Communication A.1 Communication Layers and protocols Report Port number (2) Link layer Function Description (4) Transport layer PROFINET protocols Not relevant (2) Ethernet II and Accessible no‐ DCP is used by PROFI‐ IEEE 802.1Q and des, NET to determine PRO‐ Discovery and Ethertype 0x8892 FINET devices and to...
  • Page 217 Communication A.1 Communication Report Port number (2) Link layer Function Description (4) Transport layer PROFINET Con‐ 34964 (4) UDP PROFINET The PROFINET context text Manager connection less manager provides an endpoint mapper in order to establish an applica‐ tion relationship (PROFI‐ NET AR).
  • Page 218: A.1.8 Time Synchronization Between The Control And Converter

    A.1.8 Time synchronization between the control and converter In the factory setting, SINAMICS drives use an operating hours counter. Based on the operating hours, the SINAMICS drive saves alarms and warnings that occur. Using this method, it is not possible to have a comparable timestamp between various converters.
  • Page 219 Communication A.1 Communication Converters provide the following options to synchronize the time: Synchronization type Accuracy Basic synchronization approx. 100ms Synchronization using ping compensation for non-isochronous communication approx. 10 ms Synchronization using ping compensation for isochronous communication approx. 1 ms Principle of operation of time synchronization Basic synchronization The control system transfers the time to the converter at time intervals that you specify in the control system.
  • Page 220: A.1.8.1 Settings

    Communication A.1 Communication A.1.8.1 Settings Setting time synchronization 1. Using p3100, change over the time format from operating hours to the UTC format (see "Changing the time format"). 2. Set the synchronization technique: – Basic synchronization (p3103 = 2) – Time synchronization with ping compensation (p3103 = 0) 3....
  • Page 221: A.1.8.2 Messages And Parameters

    You have now changed over the converter time format to UTC format. Application example In the SIEMENS "Industry Online Support", for a typical application example, you can find detailed documentation with solution strategies and matching code examples: Time synchronization example (https://support.industry.siemens.com/cs/de/en/view/...
  • Page 223 You can find your contact person in the relevant contact database: www.siemens.com/yourcontact Siemens Support for on the move You can obtain optimum support anywhere you go using the "Siemens Industry Online Support" app. The app is available for Apple iOS, Android and Windows Phone.
  • Page 225: C.1 Additional Information

    Operational Guidelines for Industrial Security (https://www.industry.siemens.com/topics/global/en/industrial-security/Documents/operational_guidelines_industrial_security_en.pdf) Additional product-specific information about Industrial Security is available here: SINAMICS homepage (https://www.industry.siemens.com/drives/global/en/converter/Pages/Default.aspx) Product-specific manuals for the individual products can be found on the Internet:
  • Page 226 (https://support.industry.siemens.com/My/ww/en/documentation) Here you can find information on how to create your own individual documentation based on Siemens' content, and adapt it for your own machine documentation. You can find information on the training here: Sitrain (https://sitrain.automation.siemens.com/DE/sitrain/default.aspx?AppLang=en), training courses from Siemens for products, systems and solutions in drive and automation technology....
  • Page 227: Glossary

    Glossary Abbreviation for SINUMERIK Integrate Analyze MyCondition Abbreviation for SINUMERIK Integrate Access MyData Abbreviation for SINUMERIK Integrate Access MyMachine Abbreviation for SINUMERIK Integrate Analyze MyPerformance Abbreviation for Intel® Active Management Technology Area of attack The scope to which a system can be deprived of its protection so that it can be attacked. Attack An attempt to destroy a resource, to deprive it of its protection, to change it, to deactivate it, to steal it, to gain unauthorized access to it or to use it in an illegal way.
  • Page 228 Glossary Brute force There are no efficient algorithms for solving many of the problems in computer science. The most natural and simplest approach to an algorithmic solution for a problem is to simply try out all possible solutions until the correct one is found. This method is called brute-force searching. One typical application is given again and again when it comes to listing an example of brute-force searching - the "cracking"...
  • Page 229 Glossary Hacker Person involved in an intentional hacking activity. The reasons for these activities can be malicious or not malicious, or also remain within the limits of what is ethically and legally acceptable. Hardening Procedure in which the security of a system is increased by reducing the area of attack. IANA The Internet Assigned Numbers Authority (IANA) is a department of ICANN, and is responsible for assigning numbers and names in the Internet, especially IP addresses....
  • Page 230 (code changes) for an administered computer system or in such a system. At the same time, a subprocess of the Security Vulnerability Management whose tasks include the correction and containment of security holes for Siemens products by means of software corrections.
  • Page 231 Threat and Risk Analysis The TRA (Threat and Risk Analysis) is a Siemens-wide standardized method for use in the product, solution and service business, for product development, engineering or service projects. The method is intended to help those involved in the project to identify typical security defects and weak points, analyze the hazards that could exploit these defects and weak points, and evaluate the resulting risks.
  • Page 232 Glossary VPN (Virtual Private Network) An encrypted connection of computers or networks via the Internet. It enables confidential data to be exchanged via public networks. WSUS (Windows Server Update Services) Windows Server Update Services (abbreviation WSUS) is the software component of the Microsoft (Windows) Server since Version 2003 which is responsible for patches and updates.
  • Page 233: Index

    Make the communication settings, 191 Communication Requirements, 191 Communication services, 49, 215 Exchangeable storage media Dynamic IP address assignment for PROFINET SINAMICS, 48, 49 IO, 141 Exchangeable storage medium, 27 I&M, 173 Identification & Maintenance, 173 Port numbers used, 49, 215...
  • Page 234 Changing the password, 42 Creating in the web server, 68 Data security of the memory card, 36 Parameters: Access levels Deactivating, 41 SINAMICS, 48 Executable functions, 37 Password For loading to the file system, 44 Change, 27 Inhibited functions, 37...
  • Page 235 Reading parameters, 101 Shared device, 158 Telegrams, 87 SI HSC, 15 Write parameter, 103 SIEM system, 15 PROFINET Siemens Industrial Holistic Security Concept, 15 Connection channels, 144 SINAMICS Data transfer, 143 Certificates, 73 Diagnostics, 107 Exchangeable storage media, 48, 49...
  • Page 236 Deactivating, 33 WSUS, 29 USB stick, 27 User accounts, 26 X140 SINAMICS, 78 Virus protection SINAMICS, 48, 49 Virus protection program, 28 Virus scanner, 28 Viruses, 28 Web server Access protection, 59 Access rights, 53 Access rights for parameter lists, 61...
