High available controller systems
... Tailored redundancy

Maximum availability only becomes ideal when it can be adapted to your own specific requirements. We offer I/O modules that can be configured and operated in redundant mode. These modules can be configured in separate racks – but also in a single rack – using standard or redundant PROFIBUS or PROFINET connections.

SIMATIC S7-400H sets completely new standards in terms of flexibility, modularity and redundancy and supports fault-tolerant architectures. The level of fault tolerance can be perfectly tailored to requirements by mixing and coordinating single and multiple redundancies in one and the same system.

Flexible modular redundancy (FMR)

Depending on the automation task and safety requirements, FMR allows the configuring engineer to separately define the degree of redundancy for the individual architecture levels comprising controller, fieldbus and I/O. Each component within a level can be provided with a redundant configuration, and also physically separated. All components also meet the requirements of safety integrity level SIL 3. You can then implement individual, fault-tolerant architectures exactly tailored to individual tasks which tolerate several faults occurring at once.

The design of the S7-400H system is unique thanks to its flexibility, modularity and redundancy. The configuration of controller, I/Os and fieldbus can be tailored to a wide variety of requirements. Single and double redundancies can be mixed in one and the same system and coordinated with each other. Thanks to this flexibility, redundancy only has to be provided where it is actually needed. This enables more attractive and cost-effective solutions than conventional architectures with uniform design.

Configuration versions for safety-related systems

Configuration versions with FMR

A general distinction is made between two configuration versions covering a safety-related system based on Safety Integrated:

  • Single-channel, non-redundant configuration

  • Redundant, high-availability and fault-tolerant configuration

The two configuration versions are extremely flexible, and offer a wide design scope with respect to different customer-specific requirements. You can combine standard and safety functions not only in the I/O area; at the controller level, too, you are able to combine or separate standard control and safety functions. In addition, there are numerous possibilities arising from the use of Flexible Modular Redundancy.

At the individual architecture levels (controller, fieldbus, I/O) you will have the configuration alternatives shown in the figure and in the following table depending on the I/O used (remote ET 200 I/O stations).

Central devices

There are two configuration options for central devices:

  1. Design with split module rack

  2. Design with two separate module racks if systems have to be completely separate from each other for reasons of availability. The distance between the systems can be up to 10 kilometers (16 miles). If a particularly high availability is required, you can use two redundant power supplies.

I/O connection

You can connect the I/Os via PROFIBUS or PROFINET.

You can also combine PROFIBUS and PROFINET configurations.


The fail-safe communication for redundant connections is already integrated in the S7-400H. High-available communication continues automatically and without.