WP Time Synchronization With WinCC OA EN
WP Time Synchronization With WinCC OA EN
WP Time Synchronization With WinCC OA EN
com/wincc-open-architecture
Whitepaper
Discussion of WinCC OA time behavior
Disclaimer
This whitepaper is for information purposes only and is provided “as is” with no warranties whatsoever including any war-
ranty of merchantability, fitness for any particular purpose, or any warranty otherwise arising out of any proposal, specifi-
cation, or sample.
No license, expressed or implied, to any intellectual property rights is granted or intended hereby.
Product or company names mentioned herein may be the trademarks of their respective owners.
This whitepaper may not be incorporated into any contract. It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making purchasing decisions. The development, release and timing of
any features or functionality described for ETM’s products remains at the sole discretion of ETM.
No part of this document may be reproduced except as authorized by written permission. The copyright and the forego-
ing restriction extend to reproduction in all media.
The information provided in this documentation contains merely general descriptions or performance characteristics,
which in case of actual use, do not always apply as described and may change as a result of further developments of the
products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of con-
tract.
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants,
solutions, machines, equipment and/or networks. They are important components in a holistic industrial security con-
cept. With this in mind, Siemens` products and solutions undergo continuous development. Siemens recommends
strongly that you regularly check for product updates.
For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell
protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-
party products that may be in use should also be considered. For more information about industrial security, visit
http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information,
visit http://support.automation.siemens.com.
Whitepaper | Time synchronization | January 2015
Contents
This whitepaper gives an overview on principles and behavior of WinCC OA in case of failures of time
synchronization as well as changes in time / time zones.
This document also includes UseCases which describe topics related to time synchronization and the behavior of
WinCC OA.
WinCC OA is designed to work in distributed and complex SCADA architectures. Some principal architectures which
are supported by WinCC OA will be explained. For example the following architectures are considered: Connection
via driver to field devices, Remote UI, distributed System and redundancy System.
This document does not consider the topics of remote CTRL-Managers or remote WinCC OA drivers.
Normally it should be guaranteed that the whole SCADA System uses the same time synchronization. This can be
realized with a GPS clock and the usage of a NTP-Server. ETM recommends using two GPS clocks (redundant) with a
NTP server for complex SCADA systems.
This document is valid for WinCC OA 3.12 on Microsoft Windows operating system (Windows Server 2008 and for
Clients Windows 7 and Windows 8).
Contents 3
1. Introduction 4
1.1. General problems of time rollback related to operating systems ........................................................ 4
1.2. Behavior of WinCC OA ....................................................................................................................... 5
1.3. Config entries in WinCC OA ............................................................................................................. 13
1.4. Possible alternative behavior – Accept all time stamps ..................................................................... 16
1.5. Behavior of operating systems / time synchronization software ....................................................... 18
1.6. Behavior of Oracle RAC ................................................................................................................... 21
1.7. Prerequisites ................................................................................................................................... 21
1.8. Limitations ..................................................................................................................................... 21
2. UseCases 22
2.1. Daylight saving and time zone changes ........................................................................................... 22
2.2. Time jumps into the past and into the future ................................................................................... 23
3. Conclusion 24
1. Introduction
A second fundamental principle is, that time has to increase monotonously. That means messages are treated in the
order of arrival. It’s absolutely forbidden, that a message moves ahead of another. Imagine an operator or a control algo-
rithm sends the commands open valve and then close valve but the valve receives the commands in opposite order:
close and then open.
So all operating systems and standard software products recommend or even expect that systems are time synchro-
nized. Several mechanisms are provided to handle small time differences in a defined way and there are algorithms
available which allow synchronizing systems after they had different times. These algorithms allow a smooth approach
to the correct time by avoiding time jumps, which lead to the above mentioned problems.
It has to be mentioned that those time tolerance mechanisms or time correction mechanisms are always problematic,
since there is a certain period where the system stores values with a more or less wrong time stamp since the “correct”
or “absolute” time is not known until the system or the total network is synchronized again to a reliable time reference.
That's why a system design with reliable time source and time synchronization is very important to avoid problems,
when trying to analyze historical data.
Windows operating systems include the Time Service tool (W32Time service) that is used by the Kerberos authentication
protocol.
Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled
time skew. The default is 5 minutes.
To handle messages from the past, WinCC OA has a special mechanism: For a value with a time stamp before the last
received value change, WinCC OA uses the latest source time of this value and adds a short time interval. So the correct-
ed time is latest source time + interval. This value will be marked by “time invalid” status bit.
To solve the problem of wrong time synchronization some config entries exist. There are two groups of relevant config
entries. One group defines the behavior for future value time stamps (valueChangeTimeDiff, validTimeDiff) and the
other group defines the behavior for values in the past (negativeSourceTimeDiff).
These entries and the relation between them will be explained in following chapters.
Future in WinCC OA means a time stamp, which is larger than the system time of the WinCC OA server.
Past in WinCC OA always means a time stamp, which is older than the last time stamp of a data point element.
Example: If there are two datapoint elements X and Y. If X got its last value at 12:00 and Y got its last value at 14:00,
than new value changes for X and Y at 13:00 would mean X would get a normal new value in monotonous order, while
Y would get a value from the past.
Figure 2: WinCC OA adopts the time stamp of values from the past
Figure 3: WinCC OA config entries and their relation to the status and time stamp of the value
Value is ok:
This means that the status bit of the value is ok.
Value time stamp corrected:
This means that the value will be saved with another time stamp as arrived in the WinCC OA system.
Value message discarded:
This means that the value message is discarded. The value change is not saved in the WinCC OA system.
Status set to time invalid:
This means that the status bit of the value is time invalid. One can identify those values in reports and trends.
Figure 4 above shows a redundant WinCC OA system, which receives values from a PLC with timestamp and provides
these values to a connected User Interface. Furthermore the figure explains how value change messages are processed.
Following scenario applies:
1) The PLC sends a value (1)==(1’) at 12:00 to both redundant servers
a. The passive server B stores the received value (1’) in its memory (in the so called “Dejavu Queue”)
b. The active server A forwards the value (1) from the PLC first to server B and then to the UI
c. When the passive server receives the value (1) from the active sever, it updates its process image and
forwards the value (1) to the UI which then only processes the value from the active server A.
2) The PLC sends a value (2)==(2’) from the past (e.g.: time of PLC jumped two hours into the past)
a. The passive server stores the original value (2’) from the PLC into his “Dejavu Queue”.
b. The active server A
If a redundancy switch occurs the new active server B compares the values of its Dejavu Queue to the current values of
its process image. If the values in the Dejavu Queue are younger than the values in process image (e.g.: failure of former
active redu host A, before it was able to forward the value to the former passive server B) the server B will update its
process image by performing the same correction action as server A and notify the connected UI manager. All values in
Dejavu Queue which are older than the current value in the process image are discarded.
4) The PLC jumped into the past and sends a value (4)==(4’) after a redundancy switch occurred
When the new active server B receives a value (4’) from the PLC, the Event manager compares the value (4’)
against the last received value in its process image and following rules apply:
a. If a General Query (GQ) is not performed (e.g.: deactivated via config entry) and the value (2) in the
process image of server B is invalid, which is normally the case because per default WinCC OA markes
values from the past as invalid, Server B accepts the next value change from the PLC (4’). The time
stamps are corrected and values are marked as invalid until the time of the PLC and therefore also the
time stamp of the next value (5’) is newer than the time stamp of the last accepted value in the pro-
cess image (4’). Table 1 shows a complete example from the viewpoint of Server B with real time
stamps:
Table 1: Complete example, if current value is invalid from the viewpoint of Server B
b. A different behavior is intended, if the Genarl Query (GQ) is not perfomed and due to any reason, the
last received value in the process image of Server B is valid (e.g.: due to config entry
negativeSourceTimeDiff = 3h) and was received from its redundancy partner Server A. In this case the
Event Manager discards all values from the PLC (e.g. values (4’) and (5’) in Table 2 below), because it
has already received a valid and newer value (2) in its process image received from former active serv-
er A. Values are discarded until the time of the PLC and therefore also the time stamp of the next value
(6’) is newer than the timestamp of the last accepted value (2) in the process image of Server B. Table
2 shows a complete example from the viewpoint of Server B with real time stamps :
Time PLC Todo Time of ac- Accepted Value status Value
Server B Time cepted value value at Server B Origin
Table 2: Complete example, if current value is valid from the viewpoint of Server B
c. If a Gernal Query (GQ) is performed by the driver after a redundancy switch (=WinCC OA default) the
value (4’) is marked with the General Query (GQ) flag. Those values are always accepted by server B,
independed of their current status in the process image. Because of the time stamp of value (4’) in the
example below, the time stamp is corrected and the status is set to invalid. All following values from
the PLC are accepted and processed. The time stamps are corrected and values are marked as invalid
until the time of the PLC and therefore also the time stamp of the next value (5’) is newer than the
time stamp of the last accepted value (4’). Table 3 shows a complete example from the viewpoint of
Server B with real time stamps:
Table 3: Complete example with General Query flag from the viewpoint of Server B
Conclusion:
With its default time behavior configuration (see chapter 2.5), a redundant WinCC OA system is able to process values
with a timestamp from the past (or the future) even if a redundancy switch occurs. It is also not recommended to deac-
tivate the GQ after a redundancy switch, because the GQ guarantees, that the current process value of the PLC is accept-
ed by the WinCC OA system (as described in 2.4.4 point 4)
This would lead to following output (shown in table Table 4) in the WinCC OA alert screen. One could think that the
operator needed more than 1 hour to acknowledge the alarm, where he needed only 1 minute in real time.
To overcome this szenario of “A blamed operator” WinCC OA additionally stores the current system time of the WinCC OA
server for every alert, which means, one can find out, at which time the alert arrived in the WinCC OA system. The sys-
tem time is stored in a special WinCC OA attribute and can be queried if necessary. So one can build following analyse
screen to show the real progress of the alert
DP PRIO Direction Alert Time Alert System time Acknowledge time Acknowledge user
WinCC OA supports some config entries to solve the problem of time synchronization within their configured parame-
ters. The relevance of each entry and their default settings will be explained in Table 6, which presents an extract of the
WinCC OA Online Help [2].
The following config entries can be used to change allowed time differences for values in the future:
Note
Remote UIs are using an automatic adjusting so
the validTimeDiff value will not be used, see Syn-
chronization Client-Server.
Note
Should not be used for the correction of invalid
time information of a PLC. For the purpose of com-
pensating unreliable time information it may be
advisable to use the driver time instead.
valueChangeTimeDiff uint 30 >= 0 If the original value is changed, the Event Manag-
er checks if the provided source time is more than
valueChangeTimeDiff seconds in the future. In this
case the system adjusts the source time to the
current time and additionally sets the status bit
invalid source time (_original.._stime_inv).
Thereby, the system also sets the invalid bit.
Redundancy:
When a manager starts, it determines the time
difference between its own computer and the
computer of the server. If the system times differ
for more than "valueChangeTimeDiff/2" seconds,
the manager shows an error message.
Caution:
When changing valueChangeTimeDiff it is neces-
sary to
check the validTimeDiff value.
valueChangeTimeDiff must be less or equal to
validTimeDiff!
Note
Remote UIs are using an automatic adjusting inde-
pendent of the valueChangeTimeDiff value, see
Synchronization Client-Server.
The following config entry can be used to change allowed time differences for values in the past:
negativeSourceTimeDiff uint 0 >= 0 Time in seconds between one source time and
the last source time without that the bit is set to
"invalid source time". The source time will be
corrected to "last source time + 1 nanosecond".
Note:
These settings are for single WinCC OA Systems with Remote UIs or for standalone redundancy Systems with
Remote UIs.
The default values of the config entries have been proven settings in many distributed and redundant projects.
Significant changes have to be tested thoroughly.
To increase the tolerance for not synchronize PLCs one could set e.g.: negativeSourceTimeDiff = 30 (seconds).
Each WinCC OA driver must switch on “General Query” (GQ) in their config section.
The default value of validTimeDiff (10 minutes) is in accordance with recommendations for e.g. Active Directory
or Kerberos (see Microsoft support pages).
With this theoretical alternative approach, the value “CLOSED” (3) will be marked as time invalid and be written with
time stamp 12:00 into the WinCC OA database.
Consequences:
1. For the given example, WinCC OA would not be able to decide which value should be shown to the operator in
the User Interface. It is not clear, if one should see value “OPENED” or value “CLOSED” as actual value for the
valve.
2. A historical query would provide a value trend, which differs from the real progress at the field (see Figure 9).
Conclusion:
Due to noted consequences, the WinCC OA default behavior is the only useful approach to handle such values.
Value DWORD
Type
Subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes This entry specifies the largest positive time correction in seconds that the service can make. If the service
determines that a change larger than this is required, it logs an event instead. Special case: 0xFFFFFFFF
means to always make the time correction. The default value for domain members is 0xFFFFFFFF. The default
value for stand-alone clients and servers is 54,000 (15 hours).
Value DWORD
Type
Subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes This entry specifies the largest negative time correction in seconds that the service can make. If the service
determines that a change larger than this is required, it logs an event instead. Special case: -1 means always
make the time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-
alone clients and servers is 54,000 (15 hours).
Microsoft recommends that these entries should be reduced for Client settings. Dependent of time source, network and
update interval as well security requirements. The recommended value is 3600 (=1hour) or smaller.
In Windows Server 2008, a default value for the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries
has been adopted. This default value is 48 hours [1].
Value DWORD
Type
Subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes This entry specifies the largest interval, in seconds, that is enabled for the system polling interval. Notice that,
although a system must poll according to the scheduled interval, a provider can refuse to produce samples
when samples are requested. The default value for domain members is 10. The default value for stand-alone
clients and servers is 15.
Value DWORD
Type
Subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Notes This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is
enabled, W32Time uses this poll interval instead of a poll interval that the operating system determines. The
default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.
Value DWORD
Type
Subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes This entry specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer
clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly.
The default value for domain members is 300. The default value for stand-alone clients and servers is 1.
Value DWORD
Type
Subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes This entry controls the rate at which the phase error is corrected. Specifying a small value corrects the phase
error quickly, but might cause the clock to become unstable. If the value is too large, it takes a longer time to
correct the phase error.
The default value on domain members is 1. The default value on stand-alone clients and servers is 7.
Value DWORD
Type
Subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes This entry specifies the number of clock ticks between phase correction adjustments. The default value for
domain controllers is 100. The default value for domain members is 30,000. The default value for stand-
alone clients and servers is 360,000.
1.7. Prerequisites
The following prerequisites have been set for a WinCC OA SCADA System:
PLC messages are sequentially correct, that means that no message overtakes another message which was created later
than the message before.
Redundancy servers or servers with DIST connection must have the same time source which means that all WinCC OA
servers have the same time.
Note: It is assumed that each device of the SCADA system can have time synchronization problems.
1.8. Limitations
If it is not possible to synchronize the whole SCADA system, you will face the following limitations:
• It is not allowed to use the dpSetTimed(), alertSetTimed() function in CTRL-Code. These functions use the time
of the machine where the command is generated.
• Smoothing over time is not useable. Only smoothing over value works correctly.
• Hysteresis is not useable.
• Statistic functions are not useable.
• It is possible that during a time synchronization problem some limitations in the monitoring of the system in-
cluding some differences in alert times to real time can appear.
• A manual change of the system time is generally not allowed.
This list does not claim to be complete; there may be some other restrictions which are not mentioned above.
2. UseCases
This chapter describes UseCases which explain the standard behavior of WinCC OA when the system time changes or will
be adapted. The UseCases cover simple SCADA systems (PLC-Server-Remote UI) and more complex SCADA systems ( e.g.
distributed WinCC OA System).
2.2. Time jumps into the past and into the future
General:
This chapter describes UseCases which consider time jumps into the past and into the future. Furthermore the UseCases
describe manual and external (e.g.: GPS clock provides a wrong time) time changes.
Description:
The following table (Table 7) gives an overview, how WinCC OA works, if WinCC OA gets a wrong time signal, a manual
time change is performed or PLC and WinCC OA system times are not synchronized.
1)OK, because the operating system supports monotonic increase of the system time, so jumps into the past are realized
by making the system time run slower.
2)OK, because the operating system supports monotonic increase of the system time, so jumps into the future are real-
ized by making the system time run faster.
3) OK, within standard WinCC OA parameters (valueChangeTimeDiff, validTimeDiff)
4) OK, within standard WinCC OA parameter (negativeSourceTimeDiff)
3. Conclusion
WinCC OA treats time changes in a similar way as other time sensitive software.
WinCC OA handles daylight saving time changes and time zone topics without any problems.
WinCC OA has built in tolerance mechanisms to handle not time synchronized data sources like PLCs.
WinCC OA marks value changes which had to be time corrected by setting a specific status bit so that these changes can
be identified in the history.
It is strictly recommended to use a time synchronization software and provide a reliable time reference (GPS).
Disable manual system time manipulation for operators.
Ideally time synchronize PLCs if PLC is time stamping their values.
List of references
[1] Microsoft, "How to configure the Windows Time service against a large time offset," 11 09 2011. [Online]. Available:
http://support.microsoft.com/kb/884776. [Accessed 12 01 2015].
[2] ETM professional Control GmbH, WinCC OA V3.12 Online Help, Eisenstadt, 2013.
[3] Microsoft, "Windows Time Service Tools and Settings," 05 2012. [Online]. Available: http://technet.microsoft.com/de-
de/library/cc773263(WS.10).aspx. [Accessed 12 01 2015].
[4] Internet Engineering Task Force, "Network Time Protocol Version 4: Protocol and Algorithms Specification," June
2010. [Online]. Available: http://tools.ietf.org/html/rfc5905#page-8. [Accessed 12 01 2015].
[5] ORACLE, "Clusterware Administration and Deployment Guide," 2014. [Online]. Available:
http://docs.oracle.com/cd/E11882_01/rac.112/e41959/admin.htm#CWADD838. [Accessed 12 01 2015].
www.siemens.com
All rights reserved. All trademarks used
are owned by Siemens or their respective owners.
© Siemens AG 2015