Siemens S7 Ip Industrial Ethernet
This driver supports communication over Ip with Siemens S7 PLCs, including the S7-200, S7-300 S7-400, S7-31x PN, S7-1200 and S7-1500 series.
Supported functions
The protocol uses the ISO messaging to read and write data to/from the PLC. In any exchange, the PC is the master and the PLC is a slave.
A maximum of 255 PLCs can be connected via the driver. All communication is run over the standard Ethernet network interface of a PC. A crossover cable is required for direct communication between a Siemens communication processor and a PC. The communication speed is limited to 100 Mb/sec.
| Series | Type | Part number | Standard packet size (bytes) | Frame max size (bytes) |
|
S7-200 |
CP243-1 |
6GK7243-1EX00-0XE0 |
240 |
8192 |
|
S7-300 |
CP343-1 |
6GK7343-1EX21-0XE0 |
240 |
8192 |
|
S7-400 |
CP443-1 |
6GK7443-1EX11-0XE0 |
480 |
8192 |
|
S7-31x PN |
Built-in |
|
240 |
8192 |
| S7-1200 | Built-in | |||
| S7-1500 | Built-in |
Redundancy is not available for the S7-200 series.
You can configure the S7 Ip Industrial Ethernet driver using the Smart Generator for Step7 or TIA Portal.
Prerequisites
For configuration of the network, connections and stations, the Siemens NetPRO package is required. Follow the steps below before configuring an equipment.
The Siemens NetPRO package can be ordered as standalone software or as part of the Step7 package (part number: 6ES7810-5CC10-0YA6 SIMATIC STEP7 PROF ED2006).
- In your Step7 project, open NetPRO and add a network or configure an already existing network to meet your requirements. Then add a new station, here called Other Station.
- Double-click on the station to open its Properties dialog. Select the General tab and enter the station name, author and any comment
- Click on the Interface tab to display the network connections. You must now configure the communications processor to allow for messages longer than 240 bytes.
- Double-click on the symbol representing the CP343 communications processor. The configuration dialog will open. Select the Options tab and tick the option Data length > 240 in the SEND/RECEIVE section then click OK button to save.
- Compile the program and transfer it to the PLC.
Network properties
This topic only includes a reference of objects' properties.
See the topic How to configure networks devices and frames for more information about how to configure communication objects.
| General properties | |
| Name | The name of the network |
| Description | The description of the network (optional) |
| Activate at start-up | If enabled, the network will start upon Equipment communication start-up |
|
Advanced properties |
|
|
Timeout |
Use default value |
|
Networking |
|
|
Servers |
The list of PcVue stations where the network will be active |
Device properties
| General properties | |
| Name | The name of the device |
| Description | The description of the device (optional) |
| Equipment type | Select the type of equipment that best suits the field device you want communicate with. The list of frame types and address ranges depend on the equipment type. |
| Address | The Ip address of the field device. Some drivers also support configuration by host name. |
| Activate at start-up | If enabled, the device will start upon network start-up |
|
Advanced properties |
|
|
Connection |
|
|
Timeout |
Maximum waiting time between a request and the reply from the equipment |
|
Slot number |
The slot in which the PLC CPU is located |
|
Rack number |
The rack in which the PLC CPU is located |
|
Reconnect period |
Minimum period between attempts to recover a connection. This period is also used as a waiting period after a time-out. |
|
Timestamping |
|
|
Enable |
Tick to enable field device timestamping mode |
| Error address | If timestamping is enabled, the address used to indicate a full stack. Must be set to a positive value (greater than 0). |
| Timestamp UTC | Specify if the field device transmits timestamps as UTC or as local time |
| Delta TS |
Used to set-up direct archiving. If the difference between the timestamp coded in a received timestamped block and the current time is greater than the Delta TS value, the data is sent directly for archiving but is not considered fresh enough to be used as instantaneous value. As a consequence, the value of the corresponding variable is not updated. |
|
Redundancy groups |
|
| Enable switch on CPU stop | Enables automatic switch of connection when the CPU goes to stop mode |
| Watchdog period | Polling period of the CPU mode. |
|
Redundancy connection n |
Allows the configuration of up to 4 additional field devices to provide redundant behavior for an item of equipment. When the application starts, the communication manager communicates with the primary device. When an error occurs, it switches to the next device in the sequence. For each device with redundant configuration, you can manage the operation using register variables linked to frames of type Command and Information (see below). |
|
Miscellaneous |
|
|
Virtual |
Reserved. Do not select. |
| Message delay | Reserved. Leave default value 0. |
Frame addressing
Depending on the equipment type you have selected when configuring the device, you have access to the following type of frames.
The Starting address and Quantity properties define the memory address range for each frame, how it is read from and written to, and how it is interpreted in PcVue.
The maximum quantity of data that can be read per frame is 8192 bytes. Since the approximate amount of data exchanged per TCP/IP packet is 700 Words, if the frame size is greater than 700 words the frame is transmitted in a set of TCP/IP packets. This multiple packet transmission is transparent to the user.
| Data type | Access | Max quantity | Starting address | Description |
| Bit | ||||
|
Wordbit DBW |
Read/Write |
65528 |
0..65535 |
|
|
Wordbit MW |
||||
|
Wordbit AW |
Read/Write |
1024 |
0..65535 | |
|
Wordbit EW |
Read |
1024 | 0..65535 | |
| Byte | ||||
| DBW |
Read/Write |
65535 | 0..65535 | |
|
MW |
||||
|
EW |
Read/Write |
128 | 0..65535 | |
|
AW |
||||
|
Word |
||||
| DBW |
Read/Write |
32768 | 0..65535 | |
| MW | ||||
|
EW |
Read/Write |
64 |
0..65535 | |
|
AW |
||||
| ZW |
Read |
128 | 0..65535 | |
| Information |
Read |
2 | 0..1 |
Address 0: Gives the active connection number. Address 1: Gives the CPU mode (0: Stop; 1: Start; 2: Run; 3: Unknown). |
| Command |
Read/Write |
1 | 0 | |
| S7 Block CEI |
Read |
4095 | 0..65535 | |
| Real | ||||
|
DBW |
Read/Write |
16384 |
0..65535 |
|
|
MW |
||||
|
EW |
Read/Write |
32 |
0..65535 | |
|
AW |
||||
|
Double word |
||||
|
DBW |
Read/Write |
32768 | 0..65535 | |
|
MW |
Read/Write |
16384 | 0..65535 | |
|
EW |
Read/Write |
32 | 0..65535 | |
|
AW |
||||
| ZW |
Read |
64 | 0..65535 | |
| TW | ||||
For the DBW data type, it is necessary to enter a DB number. Only DB1 to DB32767 are accessible. The S7-200 series has only DB1. The DB number property can be found in the Advanced tab.
The Information frame provides the active connection number and the Command frame allow you to set the active connection number. Using the Information and Command frames, you can manage the operation for redundant field devices:
- A word format frame with the Information data type. This frame should be configured for cyclic read and linked to one or two registers variable. The address 0 contains the number of the active connection (0, 1, 2, or 3), the address 1 contains the CPU mode (0: Stop; 1: Start; 2: Run; 3: Unknown).
- A word format frame with the Command data type. This frame should be configured for write only and linked to a register variable with the control attribute set. The value of the register variable at address 0 selects the active connection (0, 1, 2 or 3).
Memory organization in the PLC
The PLC variables in the SIMATIC S7 use a byte addressing mode.
The driver can be used to read a series of words, double or floating words with byte, word or double word alignments. These alignment modes enable you to obtain words or double words with even or odd addresses.
The following gives an example for the word frame.
| Byte address | Even start | Odd start |
| 0 | Word 1 | |
| 1 | Word 1 | |
| 2 | Word 2 | |
| 3 | Word 2 | |
| 4 | Word 3 | |
| 5 | Word 3 | |
| 6 | Word 4 | |
| 7 | Word 4 |
Driver status
The driver status provides driver-specific information to supplement the frame general status. For more information on status in general, refer to the topic General communication status.
| Driver status | Description |
| 0x0007 | Device not open |
| 0X5000 | No queue |
| 0X5001 | Invalid packet |
| 0X5002 | Not connected (equivalent to 102 in Modbus IP) |
| 0X5003 | Connection closed |
| 0X5004 | Timeout |
| 0X5005 | Wrong context |
| 0X5006 | PLC memory error |
| 0X5007 | Wrong op state |
| 0X5008 | Wrong address |
| 0X5009 | Invalid mode error |
| 0X500A | No data error |
| 0X500B | PLC priority class error |
| 0X500C | Empty block list |
| 0X500D | PLC block size error |
| 0X500E | Invalid block number |
| 0X500F | Protect error |
| 0X5010 | Unknown SZL ID |
| 0X5011 | Unknown SZL index |
| 0X5012 | No information |
| 0X5013 | Unknown PLC error |
| 0X5014 | Hardware error |
| 0X5015 | Object access not allowed |
| 0X5016 | Context not supported |
| 0X5017 | Type not supported |
| 0X5018 | PDU error |
| 0X5019 | No PLC start |
| 0X501A | No PLC resume |
| 0X501B | Disconnect request |
| 0X501C | PLC not found |
SCADA Basic scripting
You can control communication with this driver in SCADA Basic scripts with the CIMWAY instruction.
The driver also supports the following specific capabilities in SCADA Basic.
Changing a device address
IntVal = CIMWAY(CFG, CommObjName, Modif, Param, [, ResultVar]);
|
Argument |
Meaning |
|
CommObjName |
Configuration element to modify: A device. |
|
Modif |
The property you want to modify: |
|
|
EQT_ADDRESS: Modification of the equipment address. CommObjName is the name of a device attached to the network. For example, Net1.Dev1. |
|
Param |
Param is a string with a typical syntax like Param1#Param2#Param3...#ParamN. Type STR. See below for the syntax specific to this driver. |
|
ResultVar |
Specifies the name of the variable where the status of the modification is stored. |
Syntax for Siemens S7 Industrial Ethernet:
slot#ip1#ip2#ip3#ip4#rack#ts_errorword#ts_errordb#flag#reconnection_period#0#watchdog_periodWhere:
-
slot: The slot number
-
ip1 to ip4: The 4 segments of the Ip address
-
rack: The rack number
-
ts_errorword: The error address for source timestamping (word address in ts_errordb)
-
ts_errordb: The db number where the error address for source timestamping is located
-
flag: Additional properties under the form of a bit mask - Correspond to the following device properties
-
bit 1: Disable switch on CPU OP mode Unknown (1), or enable (0)
-
bit 4: UTC (1) or local (0)
-
-
reconnection_period: The reconnection period
-
redundant_connections_number: 0 if no redundant connection
-
watchdog_period: Polling period of the CPU mode
If redundant connections are in place, the syntax is as follow:
slot#ip1#ip2#ip3#ip4#rack#ts_errorword#ts_errordb#flag#reconnection_period#redundant_connections_number#watchdog_period#[ip1_redn#ip2_redn#ip3_redn#ip4_redn#rack_redn#slot_redn]Where:
-
redundant_connection_number: The number of redundant connections (1..4)
-
The part between square brackets [] is repeated for each redundant connection (1..4)
Changing a frame address
IntVal = CIMWAY(Mode, CommObjectName, Modif, Param, [, ResultVar]);
|
Argument |
Meaning |
|
CommObjectName |
Configuration element to modify: A frame. |
|
Modif |
The property you want to modify: |
|
|
MEMORY_ADDRESS: Modification of a frame address. |
|
Param |
See below for the syntax specific to this driver. |
|
ResultVar |
The name of a register variable. Type STR. |
Syntax for Siemens S7 Industrial Ethernet:
"start_address#DBnumberSending a control message to the driver
IntVal = CIMWAY (SENDMSG, CommObjectName, CommandString);
Return type: INTEGER.
|
Argument |
Meaning |
|
CommObjectName |
Identifies the target object identifier: All networks: Empty string. A specific network: NetworkId. A specific device: NetworkID.EquipmentId. A specific frame: NetworkID.EquipmentId.FrameId. Type STR. |
|
CommandString |
The command to send to the driver. Type STR. See below for the list of messages supported by the driver. |
Control messages for Siemens S7 Industrial Ethernet:
| Control message | Description |
|
Switching the connection for a redundant PLC configuration |
Command string syntax is "ConnecTo;num" ComObj must be the name of a device, for example NET.DEV1. |
Timestamped data - Data table and block structures
This section describes how to exchange timestamped data between the field device and PcVue. Switching between cyclic and event mode for the frame ticked as Refreshed using timestamp block is automatically triggered by a bit in the field device. The trigger is the bit (offset 0) of the word you specified when configuring the equipment.
When using S7, the trigger to cease timestamp operation is bit 0 of the word you specified in the device configuration, for example bit 0 of DB5.DBW8. The timestamped table is held in a dedicated DB. The DB number can be different to the one for the Error Address.
Timestamped data is exchanged between slave and master using the S7_CEI frame.
| Master | Network | Slave |
|
—> |
Reading of the timestamped data table |
—> |
| <— |
Response to Read request |
<— |
If the number of blocks is greater than zero, the protocol reads all of the blocks set in the PLC and then does the following.
| Master | Network | Slave |
| —> |
Set the number of blocks to 0 and send the exchange number |
—> |
| <— |
Acknowledge the Write |
<— |
If the exchange number returned by the PC is wrong, the field device has to send the same exchange as before. The number could be wrong because the slave received an incorrect acknowledgment.
Timestamped data table structure
|
|
15 |
14 |
13 |
12 |
11 |
10 |
9 |
8 |
7 |
6 |
5 |
4 |
3 |
2 |
1 |
0 |
|
Word W |
Exchange number |
Number of blocks |
||||||||||||||
|
Word W+1 |
First block (size 8) |
|||||||||||||||
|
Word W+1 |
Nth block (size 8) |
|||||||||||||||
N = The number of blocks as specified by the timestamp frame's Quantity of data property.
W = The starting address as specified by the timestamp frame's Starting address property.
Unlike Modbus Ip, there is no limit to the size of the frame with S7 Industrial Ethernet. However, in order for the frame to be contained within a single IP packet, it is recommended that the number of blocks does not exceed 30.
S7_CEI block structures
|
|
15 |
14 |
13 |
12 |
11 |
10 |
9 |
8 |
7 |
6 |
5 |
4 |
3 |
2 |
1 |
0 |
|
Word W+1 |
Data Type |
DB Number |
||||||||||||||
|
Word W+2 |
Address |
|||||||||||||||
|
Word W+3 |
Value1 |
|||||||||||||||
|
Word W+4 |
Value0 |
|||||||||||||||
|
Word W+5 |
Reserved |
0 |
Year |
|||||||||||||
|
Word W+6 |
0 |
0 |
0 |
0 |
Month |
0 |
0 |
0 |
Day |
|||||||
|
Word W+7 |
0 |
0 |
0 |
Hour |
0 |
0 |
Minute |
|||||||||
|
Word W+8 |
Millisecond |
|||||||||||||||
Value0 is the least significant word when reading a 32 bit value (Real and Double Word). Value1 is the most significant word when reading a 32 bit value (Real and Double Word).
Coding of the data Type field
| Type | Data Type | Type | Data type |
|
1 |
Bit in DB |
24 |
Real in DB |
|
2 |
Bit in MW |
25 |
Real in MW |
|
3 |
Bit in EW |
26 |
Real in EW |
|
4 |
Bit in AW |
27 |
Real in AW |
|
8 |
Byte in DB |
32 |
Double in DB |
|
9 |
Byte in MW |
33 |
Double in MW |
|
10 |
Byte in EW |
34 |
Double in EW |
|
11 |
Byte in AW |
35 |
Double in AW |
|
16 |
Word in DB |
|
|
|
17 |
Word in MW |
|
|
|
18 |
Word in EW |
|
|
|
19 |
Word in AW |
|
|
Coding of the date and time fields
| Field | Coding |
| Year | 0..99 (The number of years since 1980) |
| Month | 1..12 |
| Day | 1..31 |
| Hour | 0..23 |
| Minute | 0..59 |
| Millisecond | 0..59999 |
There is no field for seconds. Instead, the seconds are included with the milliseconds.