Siemens SIMATIC S7

Overview

The SIMATIC S7 is a product line of PLCs (S7-200, S7-300, S7-400, S7-1200, S7-1500) by Siemens that is widely used in industrial automation. An S7 can connect several sensors and actuators through digital or analog I/Os, which can be extended with additional modules.

The S7 PLC can be configured and programmed with the STEP7 (TIA Portal) software from Siemens.

Read and write access to data on the PLC is provided by the S7 Communication Services, which are based on ISO-on-TCP (RFC 1006). In this case the PLC acts as a server, allowing communication partners to access PLC data without the incoming connections having to be configured during PLC programming.

Important

To activate the S7 Communication Services you need to enable PUT/GET access in the PLC settings! Keep in mind that this opens up access to the controller for other applications as well.

Commissioning file specifics

A typical commissioning file for the S7 looks like this:

# ----------------------------------------------------------------------------#
# Commissioning File
# ----------------------------------------------------------------------------#
# Manufacturer: Siemens
# Device: S7-1200
# Copyright: Cybus GmbH (2017)
# Contact: support@cybus.io
# ----------------------------------------------------------------------------#
# Source Interface Definition - S7 Protocol
# ----------------------------------------------------------------------------#
source:
  driver: s7
  connection:
    protocol: s7.tcp
    host: {{IP address}}
    port: {{Port}}
    rack: 0
    slot: 1
# ----------------------------------------------------------------------------#
# Target Interface Definition - MQTT (Cybus Connectware Broker)
# ----------------------------------------------------------------------------#
target:
  driver: mqtt
  defaults:
    operation: write
    topicPrefix: io/cybus/s7
# ----------------------------------------------------------------------------#
# Mappings
# ----------------------------------------------------------------------------#
mappings:
- source:
    operation: subscribe
    typeAddress: 'DB10,REAL0' # Real on address 0 from DB10
  target:
    topic: db10/value1
- source:
    operation: subscribe
    typeAddress: 'I32.2' # Bit at input address I32.2
  target:
    topic: inputs/signal1

The address of a PLC variable is a string built like this:

<data block number>,<memory area><data type><byte offset>.<bit position>.<array length>

<data block number>
Name of the data block the value is stored in, e.g. DB10. Only use this parameter if your value is part of a data block.
<memory area>
Memory area where the value is stored. Must not be defined if the target is a data block! You can address the areas “input”, “peripheral input”, “output”, “peripheral output”, “marker”, “counter” and “timer” as I, PI, Q, PQ, M, C and T.
<data type>
Data type of the addressed value, which can be “bit”, “byte”, “char”, “word”, “int16”, “dword”, “int32” or “real”, written as X (or empty), B, C, W, I, DW, DI and R. The data type “string”, written as S, can only be used in data blocks.
<byte offset>
The offset of the byte to address.
<bit position>
To address a single bit, give its position here. If you are addressing a string data type, this parameter is the string length.
<array length>
To address multiple values in a row, define the length of the array here.

The minimum information any address must contain is <data block number> or <memory area>, <data type> and <byte offset>. <bit position> is only necessary for addressing bits. <array length> is always optional.

Address Examples:
  • 'MR4' // REAL starting at marker byte 4 (MD4 in STEP 7)
  • 'M32.2' // Bit at marker byte 32 bit 2
  • 'PIW30' // WORD starting at peripheral input byte 30
  • 'PII30' // INT starting at peripheral input byte 30
  • 'DB1,R0.20' // Array of 20 REAL values in DB1 starting at byte 0
  • 'DB1,R4' // Single REAL value
  • 'DB1,REAL8' // Another single REAL value
  • 'DB1,I12.2' // Two INT value array
  • 'DB10,INT6' // DB10.DBW6 as INT
  • 'DB10,I6' // same as above
  • 'DB10,I6.2' // DB10.DBW6 and DB10.DBW8 in an array with length 2
  • 'DB10,S20.30' // String at offset 20 with length of 30 (actual array length 32 due to format of String type, length byte will be read/written)
  • 'DB10,S20.30.3' // Array of 3 strings at offset 20, each with length of 30 (actual array length 32 due to format of String type, length byte will be read/written)
  • 'DB10,C22.30' // Character array at offset 22 with length of 30 (best to not use this with strings as length byte is ignored)
  • 'DB10,X6.0.1' // Bit at DB10.DBX6.0 as array with length 1
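
A parser for the address grammar above, added here as an illustration and not taken from Cybus or the S7 driver; the function name parse_type_address and the returned field names are assumptions. It shows that the dotted suffixes change meaning with the data type, which makes it usable as a check on typeAddress values before a commissioning file is deployed. The counter and timer areas are left out because the page shows no example for them.

```python
import re

# Grammar from the page: [DB<n>,][<area>]<type><byte offset>[.<n1>[.<n2>]]
# REAL and INT are accepted as spellings of R and I because the page's own
# examples use them. Counter (C) and timer (T) areas are not handled here.
_ADDR = re.compile(
    r"^(?:DB(?P<db>\d+),|(?P<area>PI|PQ|I|Q|M))"
    r"(?P<type>REAL|INT|DW|DI|X|B|C|W|I|R|S)?"
    r"(?P<offset>\d+)(?:\.(?P<n1>\d+))?(?:\.(?P<n2>[1-9]\d*))?$"
)
_LONG = {"REAL": "R", "INT": "I"}


def parse_type_address(addr):
    """Split a typeAddress into its fields; raise ValueError if malformed."""
    m = _ADDR.match(addr)
    if not m:
        raise ValueError(f"not a valid S7 address: {addr!r}")
    dtype = m["type"] or "X"          # an empty data type means bit
    dtype = _LONG.get(dtype, dtype)
    n1 = int(m["n1"]) if m["n1"] else None
    n2 = int(m["n2"]) if m["n2"] else None
    out = {"db": int(m["db"]) if m["db"] else None, "area": m["area"],
           "type": dtype, "offset": int(m["offset"]),
           "bit": None, "strlen": None, "count": 1}
    if dtype == "X":                  # first suffix is the bit position
        if n1 is None or n1 > 7:
            raise ValueError(f"bit address needs a bit position 0-7: {addr!r}")
        out["bit"], out["count"] = n1, n2 or 1
    elif dtype == "S":                # first suffix is the string length
        if out["db"] is None:
            raise ValueError(f"strings only exist in data blocks: {addr!r}")
        out["strlen"], out["count"] = n1, n2 or 1
    else:                             # first suffix is already the array length
        if n2 is not None or n1 == 0:
            raise ValueError(f"bad array length for type {dtype}: {addr!r}")
        out["count"] = n1 or 1
    return out


if __name__ == "__main__":
    # Addresses taken from the example list above.
    for sample in ("MR4", "PII30", "DB1,R0.20", "DB10,S20.30.3", "DB10,X6.0.1"):
        print(sample, "->", parse_type_address(sample))
```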

Important

To access data from data blocks you need to disable “Optimized Block Access” in data block attributes!