Introduction
This manual describes how to connect the Siemens SIMATIC S7 controllers to the driver, and how they communicate via ISO over TCP/IP.
Addressing of an item in the controller is made in the regular SIMATIC way.
The driver supports the SIMATIC S7 200, 300, 400, 1200 and 1500 series controllers.
Note: Some controller firmware revisions has an increased security level which means that some settings needs to be changed before connecting the HMI, in the TIA software these settings are availible under Device configuration -> Protection. Make sure the HMI has function access and also set the "Permit access with PUT/GET communication..." checkbox.
For information about the controller we refer to the manual for the current system.
Release Notes
| Version | Release | Description |
|---|---|---|
| 4.17 | November 2016 | Corrected problem in import module. |
| 4.16 | June 2016 | Added support for new HMI models. |
| 4.15 | February 2016 | Corrected initialization towards redundant plc systems. Added support for S5TIME objects. Added support for redundant stations in driver. Updated help file. |
| 4.14 | August 2014 | Updated help file. |
| 4.13 | May 2014 | Corrected initialization against certain controllers. |
| 4.12 | October 2012 | Corrected problem in import module when importing arrays with comments. Added possibility to use Siemens string format. Updated import module with new function for importing data blocks. Updated helpfile. |
| 4.11 | September 2010 | Added support for new HMI models. Merged station model selection to fix S7-1200 addressing problems with DB registers. |
| 4.10 | May 2010 | Problem with Bad device error when using by Controller clock solved. |
| 4.09 | March 2010 | Corrected problem with BCD presentation formats. Added support for S7-1200 controller. |
| 4.08 | January 2010 | Corrected read problem when using multiple controllers. Added possibility to change TSAP (Transport Service Access Point) when connecting to a S7-200 system. Note: Check stations settings to make sure they are configured correctly. |
| 4.07 | August 2009 | Fixed problem with the VX-device. Corrected issue with device validation during name import. Upgrade from version 4.04 does not corrupt Ethernet settings any more. |
| 4.06 | April 2009 | Added support for new HMI platform. Added possibility to index data blocks. |
| 4.05 | November 2008 | Added retry handling. Fixed problem with toggle and increase/decrease analog value. Fixed problem with reading of certain devices. Added support for station indexing. Added support for more stations. Improvement of performance. Added import module. |
| 4.04 | August 2007 | Added device V and support for timers and counters when using S7200 systems. |
| 4.03 | October 2006 | Improved Byte write. |
| 4.02 | June 2006 | Changes for clock. |
| 4.01 | December 2005 | Improved performance when jumping between different display blocks. |
| 4.00 | May 2005 | Initial version. |
Disclaimer
Please note that changes in the controller protocol or hardware, which may interfere with the functionality of this driver, may have occurred since this documentation was created. Therefore, always test and verify the functionality of the application. To accommodate developments in the controller protocol and hardware, drivers are continuously updated. Accordingly, always ensure that the latest driver is used in the application.
Connecting To The Controller
Ethernet connection
Connection in a network is made according to Ethernet standards.
To extend the network a hub or switch may be used.
NOTE!
A crossed CAT5 cable must be used when connecting the HMI directly to the controller.
In other cases a straight cable is used.
For further information about settings in the controller, cable specifications and information about connecting the controller to the HMI we refer to the manual for the current controller.
Settings
Under Settings the language and the Controller clock register can be stated.
| Parameter | Description |
|---|---|
| Language | Controls whether English or German datatype addressing should be used. |
| String format | Selects which string format to use when reading/writing strings to/from the controller. For more information about the different formats see the section "String formats" in the addressing chapter. |
Advanced
| Parameter | Description |
|---|---|
| Timeout | The number of milliseconds between retries when communication fails. Note that functions that uses the HMI as a gateway for passing on communication may require a higher Timeout value. Transparent mode, Routing, Passthrough mode, Modem and Tunneling are such functions. |
| Retries | Number of retries before a communication error is detected. |
| Offline station retry time | How long to wait after a communication error before trying to restore communication. |
| Hide Comm Error | Hide the error message that is displayed during communication problem. |
| Command line options | Special commands that can be passed to the driver. For available commands for this driver see chapter commands.
NOTE: This chapter does not exist for all drivers. |
Redundancy
| Parameter | Description |
|---|---|
| Enable redundancy | Enable the possibility to add redundant controllers in the stations setting. |
| Automatic redundant recovery | If true the driver tries to reconnect to the main controller automatically when running on a redundant controller. If not using automatic recovery use REDUNDANT_RESET to manually reset communication to main controller. |
| Redundant recovery time | The number of seconds the driver wait before trying to reconnect to the main controller if running on redundant controller. Only active if Automatic redundant recovery is true. |
When using manual recovery add the device x:REDUNDANT_RESET, where x is the main controller station number.
Example: 2:REDUNDANT_RESET is connected to the controller with station number 2 according to the station settings. When this digital device is set the driver will try to reconnect to the main controller the next time it sends a telegram.
Stations
Under Stations, IP addresses, address parameters and system models can be stated.
Up to 20 stations can be configured. Each specifying IP address, model and TSAP or rack/slot number.
Note: Station 0 is the default station and must be defined.
| Parameter | Description | |
|---|---|---|
| Station | The station number for the controller with the corresponding IP address | |
| IP Address | IP address of the S7 Ethernet module | |
| Parameter | Description S7-200 | Description S7-300/400/1200/1500 |
| Src TSAP/Rack | Source TSAP (hex) Default value for S7-200: 4D57 Default value for S7-1200/1500: 0 |
Rack number of S7 CPU (dec) |
| Dst TSAP/Slot | Destination TSAP (hex) Default value for S7-200: 4D57 Default value for S7-1200/1500: 1 |
Slot number of S7 CPU (dec) |
| System | S7-200 if connected to a S7-200 with a CP243 module | S7-300/400/1200/1500 if connected to a S7-300, S7-400, S7-1200 or a S7-1500 system. |
| Link type | Not used. | The link type of the connection, PG (programming device) and OP (operator panel) can be used. |
| Red.station | The station number to the redundant station for the selected station (see further description below). | The station number to the redundant station for the selected station (see further description below). |
The parameters differ between the S7-200 and the S7-300/400/1200/1500 systems. See the description for the different systems. Also the S7-200 parameters are entered in hexadecimal and the S7-300/400/1200/1500 parameters are entered in decimal format.
Note: S7-1200/1500 systems must use the ISO Transport over TCP protocol.
How to configure redundant stations
Configure the stations as normal and in the Red.station column add the station number which should be used if the connection to the selected station is lost. Entering the same value as in the Stations column will disable the redundancy function.
Example: Station 0 is the main station and station 1 is the redundant station.
In station 0 set Red.station = 1.
In station 1 set Red.station = 1 because redundant stations are not in use for this station.
Addressing
The HMI can handle the following data types in the controller.
| Description | Data type German |
Data type English |
|---|---|---|
| Flag | M | M |
| Output | A | Q |
| Input | E | I |
| Data block 1) | DB | DB |
| Timer (read only) | T | T |
| Counter (read only) | Z | C |
| Variable memory 2) | V | V |
1) Only in 300, 400, 1200 and 1500 series
2) Only in 200 series
The project memory decides the max length of the Data Block (DB) in SIMATIC S7. The HMI can access all DBs in the controller.
Note: The controller will stop if you try to access an undefined Data Block.
All data types consist of byte areas. Addressing is always byte specific, regardless of whether it is 1, 16 or 32 bits. The addresses are always decimal, 0 - 65535.
For information about the instructions in SIMATIC S7 we refer to the manual for the controller.
Digital Signals
For digital signals you state current bit in the byte. For example I50.3 means bit 3 in input byte 50.
| Data type German |
Data type English |
|---|---|
| Exxxx.b | Ixxxx.b |
| Axxxx.b | Qxxxx.b |
| Mxxxx.b | Mxxxx.b |
| DBno.DBXyyyy.b | DBno.DBXyyyy.b |
| VXyyyy.b | VXyyyy.b |
yyyy = 0 - 8191
no = Data Block number
xxxx = address (minimum value = 0, maximum value depend on the
controller)
b = bit number 0 - 7.
Writing bits of device type E/I, A/Q and DB from the HMI to the controller is done in three steps:
- Reading the whole byte from the controller to the HMI.
- The current bit is set/reset in the HMI.
- Writing of the whole byte from the HMI to the controller.
Note: During the time it takes for the HMI to do the three steps the controller may not change the other bits in the current byte since it will be overwritten.
Analog Signals
For bytes, you state the suffix B after the data type.
| Data type German |
Data type English |
|---|---|
| EBxxxx | IBxxxx |
| ABxxxx | QBxxxx |
| MBxxxx | MBxxxx |
| DBno.DBBadr | DBno.DBBadr |
| VBxxxx | VBxxx |
xxxx = address minimum value = 0, maximum value depend on the
controller
no = Data Block number
adr = Data byte within the data block
For 16-bit numbers, you state the suffix W after the data type; e.g. MW100 means 2 bytes from memory byte 100-101.
| Data type German |
Data type English |
S5TIME syntax* |
|---|---|---|
| EWxxxx | IWxxxx | EWTxxxx/IWTxxxx |
| AWxxxx | QWxxxx | AWTxxxx/QWTxxxx |
| MWxxxx | MWxxxx | MWTxxxx |
| DBno.DBWaddr | DBno.DBWaddr | DBno.DBWTaddr |
| Txxxx (read only) | Txxxx (read only) | TTxxxx (read only) |
| Zxxxx (read only) | Cxxxx (read only) | ZTxxxx (read only)/CTxxxx (read only) |
| VWxxxx | VWxxxx | VWTxxxx |
*S5TIME uses a special format of the data, see section S5TIME objects below.
xxxx = address minimum value = 0, maximum value depend on the
controller
no = Data Block number
adr = Data Word within the data block
Note: When storing ASCII values in 16-bit numbers the eight least significant bits contain the second ASCII code.
For 32-bit numbers, you state the suffix D; e.g. MD100 means 4 bytes from memory byte 100-103.
|
Data type |
Data type English |
|---|---|
| EDxxxx | IDxxxx |
| ADxxxx | QDxxxx |
| MDxxxx | MDxxxx |
| DBno.DBDadr | DBno.DBDadr |
| VDxxxx | VDxxxx |
xxxx = address minimum value = 0, maximum value depend on the
controller
no = Data Block number
adr = Data Word within the data block
S5TIME objects
S5TIME is a format to represent time data in the controller. The data consists of 16 bits where bit 12 - 13 represents the time base (0 = 10ms, 1 = 100ms, 2 = 1s or 3 = 10s) and bit 0 - 11 represents the time value in BCD format. The maximum value that can be represented is 9990 seconds.
The value of the time base depends on the preset value of the time register:
| Time interval | Time base | S5TIME value |
|---|---|---|
| 10 ms - 9.99 s | 10 ms (=0) | 0x0001 - 0x0999 |
| 10 s - 99.9 s | 100 ms (=1) | 0x1100 - 0x1999 |
| 100 s - 999 s | 1 s (=2) | 0x2100 - 0x2999 |
| 1000 s - 9990 s | 10 s (=3) | 0x3100 - 0x3999 |
The S5TIME tags can be read and written from the HMI. To address them a 'T' is added as a suffix to the type string in the address.
Examples:
- MWT20 reads and writes memory word 20 in S5TIME format.
- DB4.DBWT2 reads and writes word 2 in data block 4 in S5TIME format.
More examples can be found in the table for 16-bit numbers.
The value of the time data in the controller is represented as a 32 bit value in the HMI and that all time values are shown in milliseconds.
For example 1h50s will be displayed as 3650000 and 2m30s as 150000.
All new values that shall be written to the controller must also be in milliseconds, range 10 - 9990000, the value will then be converted to S5TIME format before sent.
Indexing Data blocks
The data block address in a DB-tag can be addressed using an index, the value of the current index register then determines from which data block the data will be read/written.To use data block indexing type in an 'I' and the indexregister after the data block number, the index value will then be added to the data block address.
Example:
DB4I2.DBW10 will address word 10 in data block 4 + (value of index register 2)
Control the preset value for timers
In order to control the preset value for S5TIME objects in the controller from the HMI, perform the following operation:
Add a data register for TV/TW on the S5TIME block in the PLC program.
The time base is controlled with the first digit in the object which can be 0, 1, 2, or 3 (10 ms, 100 ms, 1 s or 10 s). The three remaining digits represent the time value. Desired preset value for the timer is acquired by multiplying the time base with the time value.
0000-0999 = 10 ms - 9.99 s 1000-1999 = 100 ms - 99.9 s 2000-2999 = 1 s - 999 s 3000-3999 = 10 s - 9990 s
Use the minimum and maximum input levels for the object in the HMI to protect the time base.
String formats
The driver can use two different string formats. Either the standard format or the Siemens format. The standard format store the first character of the sting in the first byte, second character in second byte etc. The Siemens format on the other hand have max string length in byte 0, actual string length in byte 1 and the string itself from byte 2 and beyond. When using the Siemens format the first two bytes will not be visible to the user, but they can be accessed by addressing the bytes directly.
Note: When using Siemens format the string length is expanded with the two bytes needed for the string length bytes. This means a string with length 10 will actually read/write 12 bytes of data in the controller.
Time of day
The driver supports the Siemens Time of day format. The values are read/written to the controller as a 32 bit value but presented in the HMI as a string, the syntax for the full TOD-string is hh:mm:ss.mss where hh is the hour, mm the minute, ss the second and mss the milliseconds. The hour, minute and second are presented with two characters and the millisecond with three.
To read/write the TOD-data a string tag must be added in the project and the adress must start with "TOD:". The tag address in the PLC must be a 32 bit address.
The length of the tag string is dependant of how many TOD-parameters that shall be read/written.
Example:
All TOD-parameters shall be accessed, the data is in DB1.DBD4. A tag is added in the HMI project with address TOD:DB1.DBD4, the data type of the tag is set to string with 12 characters.
If the decimal value 45000500 is stored in the registry this will be presented as the string "12:30:00.500" in the HMI.
Only the hours and minutes shall be accessed, the data is in MD0. A tag is added in the project with address TOD:MD0, the data type is set to string with 5 characters.
If the decimal value 66000000 is stored in the registry this will be presented as the string "18:20" in the HMI.
Only the hours shall be accessed, the data is in MD0 in station 2. A tag is added in the project with address 2:TOD:MD0, the data type is set to string with 2 characters.
If the decimal value 57600000 is stored in the registry this will be presented as the string "16" in the HMI.
If a new time of day value is to be written to the tag it can either be written in standard TOD format or hh, hh.mm, hh.mm.ss.
Example:
New value where all parameters shall be written: the string is entered as "12:30:45.500"
New value where only the hours and minutes are crucial: the string is entered as "15:20". The seconds and milliseconds are automatically set to 0 by the driver.
New value where only the hours shall be written: the string is entered as "20", all other parameters are set to 0 by the driver.
Station Handling
For communication with other stations than the default station, the station number is given as a prefix to the device.
Example:
2:MW8 addresses memory word MW8 in station 2.
5:DB1.DBW12 addresses word DBW12 in datablock 1 in station 5.
1:TOD:DB3.DBD12 addresses time of day dword DBD12 in datablock 3 in station 1.
Indexing stations
Station number may be an index, using an index register, The contents of the index register determine from which station the device will be read/written.
Syntax:
Iindexregister:device
Example:
I2:MW8
The indexregister may contain values 0 to 5. If a number to a station which does not exist is found, an error message is displayed.
Redundancy Variables
There are two internal variables availible when using redundant stations (see chapter settings), these are REDUNDANT_RESET and STATION_CONNECTED.
REDUNDANT_RESET is used when automatic redundant recovery is disabled. When a station is disconnected and the redundant station is activated a reconnect attempt can be made by setting the REDUNDANT_RESET tag to 1. The value of the tag is default 0.
STATION_CONNECTED is used to monitor if the current station is connected (the value of the tag is 1) or the redundant station is activated (the value is set to 0).
Note: This tag is only updated if there are active tags towards the station.
Both the redundancy variables can be station addressed as ordinary controller tags.
Examples:
1:REDUNDANT_RESET will force a reconnect attempt on station 1.
4:STATION_CONNECTED will check if station 4 is conencted.
I2:REDUNDANT_RESET will force a reconnect on the station addressed in index register 2.
Import Module
The import module makes it possible to import symbols and structs to the Name List from projectfiles generated by Step7.
To import the tags select Name List in the View menu and click import. Select the project-file (.s7p) for the Step7-project that is to be imported and click OK. If the file is valid the following screen will appear:
Click "Find Sources" to search the project folder for the symbol and struct-files, if more than one struct-file are found select the one that is to be imported from the list that is shown.
Import the tags by clicking on the corresponding Import-button.
Data from more than one file or project can be added at the same time, to import from additional .dbf, .awl or project-files click on the button with the three dots and select the file.
A choice is available to add the datablock number to the tagname if for example the same tagname is used in different datablocks. This selection will add "DB_XX_" before the tagname and needs to be selected before pressing the "Import Structs" button.
Note: Project needs to be made with absolute addressing.
Efficient Communication
Packing Of Signals
When signals are transferred between the driver and the controller, all signals are not transferred simultaneously. Instead they are divided into packages with a number of signals in each package. By decreasing the number of packages that has to be transferred the communication speed can improve. The number of signals in each package depends on the used driver.
In the SIMATIC ISO over TCP/IP driver different device types can be
mixed in a package. Bits are only read together with other bits.
The used controller decides how many read requests (known as any
pointers) that can be packed in one package.
Arrays and strings (numeric tables, diagrams and string objects) are
sent in separate packages.
Troubleshooting
Error Messages
The error message is shown on the display of the HMI.
| Error Messages | Description |
|---|---|
| Comm error stn X | Communication error between the HMI and the controller. For example an undefined device could be addressed in station X or the cable between the HMI and the controller is disconnected. |
| Comm error Y stn X | Comm error Y stn X (Y is an error code returned from the PLC.) |
If station 0 is not defined or if undefined stations are used, this will not generate any communication or errors.