Siemens SIMATIC S7

Overview

The Simatic S7 is a product line of PLCs (S7-200, S7-300, S7-400, S7-1200, S7-1500) by Siemens that are widely used in industrial automation. The S7 is capable of connecting several sensors and actuators through digital or analog IOs which can be modular extended.

The S7 PLC can be projected and programmed with STEP7 (TIA Portal) software from Siemens.

The read and write access to data on the PLC can be realized through the S7 Communication Services based on ISO-on-TCP (RFC1006). In this case the PLC acts as a server allowing communication partners to access PLC data without the need of projecting the incoming connections during PLC programming.

Important

To activate the S7 Communication Services you need to enable PUT/GET access in PLC Settings! You should keep in mind that this opens up the controller access by other applications as well.

../../_images/s7_put_get_access.PNG

Configuring the connection

Important

The S7 protocol driver behaves differently from other protocol drivers when polling, because it only allows a single polling interval to be set for all mappings. The reason for this is that the driver optimizes the request as it groups multiple readings into as few block reads as possible. For this reason the interval is set in the connection details, and not in the mappings for this protocol. If multiple different polling rates are required, you should consider using multiple commissioning files. Support for different polling rates in a single commissioning file may be added in the future.

Connection Properties

host (string, required)

IP Address or hostname of the PLC to connect to

Example: "192.168.2.60"

port (integer, required)

Port of the s7 device

Default: 102

Example: 102

rack (integer)

The rack index, as part of the addressing scheme for SIMATIC PLCs. This may be fixed depending on your PLC.

Default: 0

Example: 0

slot (integer)

The slot index, as part of the addressing scheme for SIMATIC PLCs. This may be fixed depending on your PLC.

Default: 1

Example: 1

pollInterval (integer)

The polling interval for reading data. This is implemented as a best-effort polling, if reading is slower than the interval, you should expect that data is coming at a slightly lower rate.

Default: 1000

Example: 2000

probeInterval (integer)

Interval to check if connection is still there

Default: 2000

Example: 2000

writingHighWaterMark (integer)

Defines a threshold for the internal write queue. When reached, a warning is issued.

Default: 100

Example: 1000

Additional restrictions:

  • Minimum: 1

Hardware specific values

Hardware specific values for rack and slot

CPU

Rack

Slot

S7-300

0

2

S7-400

see hardware configuration.

WinAC

see hardware configuration.

S7-1200

0

1

S7-1500

0

1

Endpoint Properties

address (string, required)

Address string describing the memory location and data type of the variable to be read

Examples: "DB1,B0.64", "DB1,R0.20", "PII30", "PIW30"

The address of a PLC variable is a string built like this:

<data block number>,<memory area><data type><byte offset>.<bit position>.<array length>

<data block number>

Name of the data block the value is stored in e.g. DB10. Only use this parameter if your value is part of a data block.

<memory area>

Memory area where the value is stored. Must not be defined if target is a data block!

Memory areas

Memory area

Address symbol

input

I

peripheral input

PI

output

Q

peripheral output

PQ

marker

M

counter

C

timer

T
<data type>

Data type of the addressed value. Data type “string” can only be used in data blocks.

Data types

Data type

Address symbol

bit

X (or empty)

byte

B

char

C

word

W

int16

I

dword

DW

int32

DI

real

R

int64

LI (S7-1200/1500 only)

lreal

LR (S7-1200/1500 only)

string

S (only in data blocks)

date_and_time

DT

date_and_time in UTC

DTZ

date_and_time (12 byte)

DTL (S7-1200/1500 only)

date_and_time in UTC (12 byte)

DTLZ (S7-1200/1500 only)
<byte offset>

The offset of the byte to address.

<bit position>

To address a bit position place it here. In case you are addressing a string data type this parameter is the string length.

<array length>

To address multiple values in a row define the length of the array here.

The minimum information any address must contain is <data block number> or <memory area>, <data type> and <byte offset>. <bit position> is only necessary for addressing bits. <array length> is always optional.

Address Examples:

  • MR4 // REAL starting at marker byte 4 (MD4 in STEP 7)

  • M32.2 // Bit at marker byte 32 bit 2

  • PIW30 // WORD starting at peripheral input byte 30

  • PII30 // INT starting at peripheral input byte 30

  • DB1,R0.20 // Array of 20 REAL values in DB1 starting at byte 0

  • DB1,R4 // Single REAL value

  • DB1,REAL8 // Another single REAL value

  • DB1,I12.2 // Two INT value array

  • DB10,INT6 // DB10.DBW6 as INT

  • DB10,I6 // same as above

  • DB10,I6.2 // DB10.DBW6 and DB10.DBW8 in an array with length 2

  • DB10,S20.30 // String at offset 20 with length of 30 (actual array length 32 due to format of String type, length byte will be read/written)

  • DB10,S20.30.3 // Array of 3 strings at offset 20, each with length of 30 (actual array length 32 due to format of String type, length byte will be read/written)

  • DB10,C22.30 // Character array at offset 22 with length of 30 (best to not use this with strings as length byte is ignored)

  • DB10,X6.0.1 // Bit at DB10.DBX6.0 as array with length 1

  • DB10,DT0 // Date and time

  • DB10,DTZ0 // Date and time in UTC

Important

To access data from data blocks you need to disable “Optimized Block Access” in data block attributes!

../../_images/s7_data_block_attributes.PNG

Example Commissioning File:

Download: s7-example.yml

 1---
 2# ----------------------------------------------------------------------------#
 3# Commissioning File
 4# ----------------------------------------------------------------------------#
 5# Copyright: Cybus GmbH (2020)
 6# Contact: support@cybus.io
 7# ----------------------------------------------------------------------------#
 8# Source Interface Definition - Siemens S7 PLC
 9# ----------------------------------------------------------------------------#
10# ----------------------------------------------------------------------------#
11description: |
12  Sample commissioning file for Siemens S7 PLC connectivity and data mapping
13
14metadata:
15
16  name: S7 Protocol Connectivity
17  icon: https://www.cybus.io/wp-content/uploads/2019/03/Cybus-logo-Claim-lang.svg
18  provider: cybus
19  homepage: https://www.cybus.io
20  version: 0.0.1
21
22parameters:
23
24  IP_Address:
25    type: string
26    default: 192.168.10.60
27
28  Port_Number:
29    type: integer
30    default: 102
31
32  Rack_Number:
33    type: integer
34    default: 102
35
36  Slot_Number:
37    type: integer
38    default: 102
39
40  Poll_Interval:
41    type: integer
42    default: 1000
43
44resources:
45
46  s7Connection:
47    type: Cybus::Connection
48    properties:
49      protocol: S7
50      targetState: connected
51      connection:
52        host: !ref IP_Address
53        port: !ref Port_Number
54        rack: !ref Rack_Number
55        slot: !ref Slot_Number
56        pollInterval: !ref Poll_Interval
57
58  s7EndpointQX00:
59    type: Cybus::Endpoint
60    properties:
61      protocol: S7
62      connection: !ref s7Connection
63      subscribe:
64        address: QX0.0
65
66  s7EndpointAIB0:
67    type: Cybus::Endpoint
68    properties:
69      protocol: S7
70      connection: !ref s7Connection
71      subscribe:
72        address: IB0
73
74  mapping:
75    type: Cybus::Mapping
76    properties:
77      mappings:
78        - subscribe:
79            endpoint: !ref s7EndpointQX00
80          publish:
81            topic: !sub '${Cybus::MqttRoot}/QX00'
82        - subscribe:
83            endpoint: !ref s7EndpointAIB0
84          publish:
85            topic: !sub '${Cybus::MqttRoot}/AIB0'

Output Format on Write

When data is written to a S7 endpoint, you will get the result of the operation over the /res topic like this:

{
  "id": 29194,
  "timestamp":1629351968526,
  "result": 0
}

Output Format on Read

If data is read from Siemens SIMATIC S7 the output will be provided as JSON object, with the actual S7 data in the property value, and the reception timestamp in the property timestamp.

{
  "value": "<value>",
  "timestamp": "<msSinceEpoch>"
}

Input Format on Write

If data is written to Siemens SIMATIC S7 it must be provided as JSON object, with the actual S7 data in the property value:

{ "value": "<value>" }

Additionally an id property can be provided in the published message to use as a correlation value for the response of the write operation.

{ "value": "<value>", "id": "<your correlation id>" }

The result of a write operation is published on the /res topic for the Endpoint see Operation results for more details on writing operations