Promotic

PmS7 - Driver for communication by the S7-TCP/IP protocol

The S7-TCP/IP protocol is also known as "RFC1006" or "ISO on top of TCP". The PLC devices usually communicate by this protocol via PROFINET connector (connector for Ethernet network).
This protocol can be used, for example, for communication with following devices:
- Siemens Simatic:
- S7-200 via the CP243-Ethernet module
- S7-300 via the CP343-Ethernet module, with the NETLink PRO ETH converter, or via processor with Ethernet interface
- S7-400 via the CP443-Ethernet module, with the NETLink PRO ETH converter, or via processor with Ethernet interface
- S7-1200 (Ethernet interface is integrated)
- S7-1500 (Ethernet interface is integrated)

Caution: For correct setup of Simatic devices see Important settings of Simatic PLC communication by the TIA portal software.
- ET-200S, ET-200SP (CPU1512) (Ethernet interface is integrated)
- IPC + WinAC (software PLC device)
- Frequency inverters (Sinamics, Micromaster).
- VIPA (control system 300S, SLIO, ...)
- BERTHEL


Before using this driver in the PROMOTIC application it is highly recommended to watch "PROMOTIC video tutorial 4 - Communication drivers".

Basic properties of the driver:
- Usage of this driver requires purchase of the PmS7 licence. When developing the application in the freeware mode PmFree, or with development environment and while testing it in runtime, this component is always functional.
- The communication is done for Ethernet (PROMOTIC application is client). A standard Ethernet card is sufficient for communication. If the NETLink PRO ETH converter is used it is also possible to communicate via the interfaces MPI, PROFIBUS or PPI.
- The driver requires no special libraries or hardware.
- The PROMOTIC application is the Master (it means that it initiates the data transfer) from this communication point of view.
- The driver optimalizes the physical transfers of data messages with PLC devices. Single message can be used for transfering values from different data areas (data blocks, inputs, outputs,...) and therefore the communication is still fast enough even if large data volumes are transferred. This way it is possible to refresh the data in the Ethernet network, for example 15x per second.
- The driver is incorporated into the PROMOTIC system by means of the PmaComm object.
The driver supports the usage of the PmaCommGroup object. The PmaCommMsg object cannot be used.
For easy integration of this driver into the application it is handy to use: Preconfigurations in group "S7"


The following Data areas are supported:
- I = Input: Digital inputs (in German E = Eingang). Bit values (X type) that are read only.
These values can be accessed also as 1-byte (8 bits, B type), 2-bytes (16 bits, W type) or 4-bytes (32 bits, DINT type). Then each bit can be accessed by methods PmVar.GetBit / PmVar.SetBit or by methods Pm.GetBit / SetBit.
- Q = Output: Digitál outputs (in German A = Ausgang). Bit values (X type) that are available for both reading and writing.
These values can be accessed also as 1-byte (8 bits, B type), 2-bytes (16 bits, W type) or 4-bytes (32 bits, DINT type). Then each bit can be accessed by methods PmVar.GetBit / PmVar.SetBit or by methods Pm.GetBit / SetBit.
- M = Memory, Marker, Flag: Memory that is available for both read and write. Contrary to data blocks, this memory is not persistent, i.e. it is cleared after the PLC is switched off.
The values in this memory can be accessed by using all supported data types (X, W, INT, STRING ...).
- DB = Data Block: Persistent memory that is available for both read and write.
The values in this memory can be accessed by using all supported data types (X, W, INT, STRING ...).
- T = Timer: Timers (read only). The values can be read as data types S5T(=default), Wbcd and W.
- C = Counter: Counters (German Z = Zähler) (read only). The values can be read as data types Wbcd(=default) and W.


Following S7 data types are supported:
- X: Bit, Boolean - Bit defined by byte address and bit number.
In the PROMOTIC application represented by the Boolean data type.
- B: Unsigned Byte - 1-byte integer (from 0 to 255).
In the PROMOTIC application represented by the Byte data type.
- W: Unsigned Word - 2-byte integer (from 0 to +65 535).
In the PROMOTIC application represented by the Long data type.
- INT: Signed Word - 2-byte integer (from -32 768 to +32 767).
In the PROMOTIC application represented by the Integer data type.
- D: Unsigned Double Word - 4-byte integer (from 0 to +4 294 967 295). Because the VBScript language does not have the whole number data type for unsigned 4-byte value, in the PROMOTIC system stores the value of the Double type.
- DINT: Signed Double Word - 4-byte integer (from -2 147 483 648 to +2 147 483 647).
In the PROMOTIC application represented by the Long data type.
- Bbcd: Unsigned Byte in BCD code - 1-byte integer. In the PLC device is stored in BDC coding (from 0 to 99).
In the PROMOTIC application represented by the Byte data type.
- Wbcd: Unsigned Word in BCD code - 2-byte integer. In the PLC device is stored in BDC coding (from 0 to 9999).
In the PROMOTIC application represented by the Integer data type.
- Dbcd: Unsigned Word in BCD code - 4-byte integer. In the PLC device is stored in BDC coding (from 0 to 99999999).
In the PROMOTIC application represented by the Long data type.
- REAL: Real number, 4B IEEE - 4-byte real number in the IEEE-754 (32-bit) format.
In the PROMOTIC application represented by the Single data type.
- LREAL: Long Real number, 8B IEEE - 8-byte real number in the IEEE-754 (64-bit) format. This type is used, for example, by the Simatic S7-1200. This type is not supported by older types of PLC devices.
In the PROMOTIC application represented by the Double data type.
- CHAR: Signed Byte, Raw string - The character sequence with defined number of characters (1 character = 1 byte). In the PLC device, this data type is stored without the text length information. If the text written into the PLC device is shorter than defined number of characters, then the empty characters are appended by the 0 value.
In the PROMOTIC application represented by the String data type.
- STRING: S7 string - Text with defined number of characters (1 character = 1 byte). This type is stored in the PLC device together with a header that contains the value of text length. If the text written into the PLC device is shorter than defined number of characters, then the empty characters are appended by the 0 value.
In the PROMOTIC application represented by the String data type.
- DTL: Date and Time, 12B Bin format - Date and time. It is stored binary in the PLC device to 12B. This type is supported, for example, by Simatic S7-1200. It is not supported by older types of PLC devices.
In the PROMOTIC application represented by the Date data type.
- DT: Date and Time, 8B BCD format - Date and time. It is stored in the PLC device in BDC code at 12B. It is supported by older types of PLC devices. The year range is 1990 - 2089.
In the PROMOTIC application represented by the Date data type.
- S5T: S5TIME, Time Duration - Time or duration. It is stored in BDC code in the PLC device to 4B. It is supported by older types of PLC devices. It is usually used in the memory of the Timer type.
In the PROMOTIC application represented by the Long data type = number of milliseconds.
- Array: The driver itself does not directly support reading/writing of arrays in a single variable (e.g. of the Array type). But taking into account the fact that the "Optimized block access" in the PLC device must be turned off (see DB optimized) then the array type variables in the PLC device behave as areas of individual variables for the PmS7 driver. It means that these variables can be read/written as individual variables with specific addresses in the datablock.


Note1: The TIME data type is in fact the number of milliseconds and the value can be read as DINT data type. Therefore the TIME type itself is not supported by the driver.
Note2: If the value of date and time is of the Date type, then the values of year/month/day/hour/minute/second can be obtained, for example:
- by means of the PmDateObject object and its methods GetYear/GetMonth/GetDay/GetHour/GetMinute/GetSecond etc.
- by the VBScript methods Year/Month/Day/Hour/Minute/Second.
See also Pm date and time methods and VBScript date and time functions.


Recommended values of the PmaComm object parameters:

Recommended values for the Ethernet-client parameters:
TCP/UDP remote port numberNumber of ethernet port. This number is defined by the selection of S7 communication type:
102 - The communication is direct with PLC devices supporting the S7 protocol (with Ethernet interface).
7777 - The communication is indirect via the NETLink PRO ETH converter.
Ethernet transfer typeTCP
Number of repeats after unsuccessful Master transmissionIf the opposite side does not respond, then the driver closes the port and starts reconnection. Therefore it is recommended to set this configurator to "without repeat", i.e. the value of 0.
Timeout of one packet transfer [ms]If "Communication type = Ethernet ISOonTCP Standard" then it is necessary to set 4000 ms. Otherwise 2000 ms is sufficient.
Not connect until first transferNOT checked (mandatory)
Close connection after every transferNOT checked (mandatory). After each connection, it is necessary to transfer several initialization messages and if the connection is closed repeatedly, the communication speed would be decreased significantly.
Description and recommended values for the Protocol parameters:
Communication typeSpecifies communication type with the device.
Ethernet ISOonTCP Standard - (for S7-300/400/1200/1500..)
The communication will be executed with the device that supports Ethernet communication by the S7 protocol (supports PROFINET).
Ethernet ISOonTCP for CP243 - (for S7-200)
The communication will be executed with Simatic S7-200 via the CP243-Ethernet module.
For Simatic S7-200 and for the specific module the data area is redirected in this case. For example the area V is not supported by the S7 protocol and therefore it is redirected to area DB1. Examples:
- address "V103.4" is redirected to "DB1,X103.4"
- address "VD62:REAL" is redirected to "DB1,REAL62"
- address "VW78:INT" is redirected to "DB1,INT78"
Ethernet NETLink PRO ETH - (Helmholz, Softing, Accon)
The communication will be executed with NETLink PRO ETH converter.
Max. PDU lengthHere, it is possible to enter the maximum length transmitted in one message. Standard values are 240, 480 or 960. Usually the maximum can be entered, i.e. 960. While communcation is being initialized, the driver detects the message length supported by the PLC and if the supported length is smaller, then the value is lowered automatically.
In reality the PLC sometimes sends smaller ammount of data in one message (e.g. only 240) even if during initialization it was detected that the maximum data ammount is higher (e.g. 480). The result is that after data receive in the PmaCommGroup object only some of variables are filles with data. The rest of the varibles are not communicated. Then it is necessary to modify the length from 960 to 240.
Rack(0-7) Specifies the rack number where the CPU for communication is located. Usually is 0.
Defined only if Communication type = "Ethernet ISOonTCP Standard"
CPU Slot(0-31) Specifies the slot number where the CPU for communication is located. (Caution: it is NOT the slot of the communication card!)
- Very often the value is 2.
- For built-in Ethernet interface (e.g. S7-1200, S7-1500, CPU1512SP ...) the value is 1.

Example: The slot no. 1 is usually populated by the power source and if the source is bigger (e.g. for S7-400), then more slots can be taken. If the power source populates the slots no. 1 and 2 and slot no.3 is taken, for example, by the fan (or the slot is empty), then the CPU is in slot no. 4. This configurator will then hold the value of 4.
Defined only if Communication type = "Ethernet ISOonTCP Standard"
Local TSAP(hex) Specifies the address of LocalTSAP (in hexadecimal). Usually is 4d57 ('MW').
Defined only if Communication type = "Ethernet ISOonTCP for CP243"
Remote TSAP(hex) Specifies the address of RemoteTSAP (in hexadecimal). Usually is 4d57.
Defined only if Communication type = "Ethernet ISOonTCP for CP243"
MPI/DP address(0-31) Specifies the MPI or DP-PROFIBUS address of the CPU for communication. The default MPI value is 2.
Defined only if Communication type = "Ethernet NETLink PRO ETH".
Connection typeConnection type. In the network configuration, it can be set the maximum number of connections for corresponding type.
Defined only if Communication type = "Ethernet ISOonTCP Standard" or "Ethernet NETLink PRO ETH".
1 = PG-connection - Programming device
2 = OP-connection - Operator panel
3 = OTHER-connection - Other type

The communication description by means of the PmaCommGroup object

The PmaCommGroup objects can be used for this driver.
The variables in the PmaCommGroup object (or even better the variables in the PmaData object with ExtComm data extension) can be of arbitrary number, type and order. The driver uses optimalised internal communication messages for reading the data from the device.
All variables are read (if the "Data refresh enabled" configurator is checked). When writing into the variable, only the single variable is sent into the device (if the "Auto send when writing to item" configurator is checked).

Description of the "ItemId" configurator:
ItemId is the text identifier of the item that is used for addressing the item in the device. The "ItemId" configurator tells the driver how to receive or send the item value.
The text can be written manually, or it can be assembled in the window opened by the button to the right of the configurator.
Macro expression can be used for input (it is evaluated after the application is launched).
Examples of the identifier syntax:
- "I0.2" = The I=Input value saved at address 0 in the second bit as data type X=bit=default.
- "Q0.2" = The Q=Output value saved at address 0 in the second bit as data type X=bit=default.
- "QB0" = The Q=Output value saved at address 0 as data type B=Byte=8 bits.
- "MREAL30" = The M=Memory value saved at address 30 as data type REAL=4-byte real number.
- "DB10,W83" = The DB=DataBlock value no. 10 saved at address 83 as data type W=Unsigned Word.
- "DB3,Wbcd83" = The DB=DataBlock value no. 3 saved at address 83 as data type Wbcd=Unsigned Word in BCD code.
- "DB24,CHAR0.12" = The DB=DataBlock value no. 24 saved from address 0 (at address 0,1,..11) as 12 items of the CHAR type that are stored in the PROMOTIC system to one value of the String type.
- "DB25,STRING0.12" = The DB=DataBlock value no. 25 saved from address 0 as S7 STRING data type that is stored in the PROMOTIC system to the value of the String type.
- "T15" = The T=Timer value saved at address 15 as S5T data type that is stored in the PROMOTIC system to the value of the Date type.
- "TWbcd15" = The T=Timer value saved at address 15 as data type Wbcd=Unsigned Word in BCD code.
- "C20" = The C=Counter value saved at address 20 as data type Wbcd=Unsigned Word in BCD code.
- "CW20" = The C=Counter value saved at address 20 as data type W=Unsigned Word.


Note: The driver so far does not support transfers of vector of values in a single variable with one ItemId (except for CHAR type vectors).

Description of the "PmaCommGroup > Parameters > Special Parameters" configurator:
This configurator is not used for given driver.

PduErrCodes error codes

If some variables cannot be transferred, then the PLC device returns the error code PduErrCode.
The value of this code can be for example detected in the INFO system on the "/COMM/Log" tab.
The meaning of error code values (values are in hexadecimal):
0000 - NoError.
0001 - There is no peripheral at given address.
0003 - A piece of data is not available, e.g. when trying to read a bit block (with a length other than 1) or a non existing DB (200 family).
0005 - The data address exceeds the address range.
0006 - Can not read a bit block with a length other than 1.
0007 - Write data size does not fit item size.
000A - A piece of data is not available, e.g. when trying to read a non existing DB.
8000 - Function already occupied.
8001 - Not allowed in current operating status.
8101 - Hardware fault.
8103 - Object access not allowed.
8104 - Context is not supported. Step7 says:Function not implemented or error in telgram.
Occurs if communication is not set up properly in the TIA portal - see Important settings of Simatic PLC communication by the TIA portal software.
8105 - Invalid address.
8106 - Data type not supported.
8107 - Data type not consistent.
810A - Object does not exist.
8301 - Insufficient CPU memory.
8402 - CPU already in RUN or already in STOP.
8404 - Severe error.
8500 - Incorrect PDU size.
Probably it is necessary to reduce the value of in the "Max. PDU length" configurator.
8702 - Address invalid.
D002 - Step7:variant of command is illegal.
D004 - Step7:status for this command is illegal.
D0A1 - Step7:function is not allowed in the current protection level.
D201 - Block name syntax error.
D202 - Syntax error function parameter.
D203 - Syntax error block type.
D204 - No linked block in storage medium.
D205 - Object already exists.
D206 - Object already exists.
D207 - Block exists in EPROM.
D209 - Block does not exist/could not be found.
D20E - No block present.
D210 - Block number too big.
D240 - Unfinished block transfer in progress?
D240 - Coordination rules were violated. Multiple functions tried to manipulate the same object. Example: a block could not be copied, because it is already present in the target system.
D241 - Operation not permitted in current protection level.
D242 - Protection violation while processing F-blocks. F-blocks can only be processed after password input.
D401 - Invalid SZL ID.
D402 - Invalid SZL index.
D406 - Diagnosis: info not available.
D409 - Diagnosis: DP error.
DC01 - Invalid BCD code or Invalid time format?

Communication with the NETLink PRO ETH converter


The NETLink PRO ETH converter converts Ethernet S7 protocol to MPI, PROFIBUS or PPI physical interface. If the converter is connected to the MPI/PROFIBUS network, then multiple CPUs can be connected to this network for communication (each CPU will have different MPI/DP address). Each PmaComm object communicates with a single CPU. It is possible to have more PmaComm objects connected to the same IP address of the converter but with different "MPI/DP address" value.

The NETLink PRO ETH converter is supplied for example by:
- The Helmholz company (http://www.helmholz.com). Some hardware components by this company are used also by other companies for manufacturing their converters (see further).
If the configurator "Go online after boot" is set via the Web interface, then the converter works as transparent and in the PmS7 driver can be set "Communication type = Ethernet ISOonTCP Standard".
- The Softing company (http://www.softing.com). These converters use the hardware by the Helmholz company.
- The Deltalogic company (http://www.deltalogic.de, typ ACCON). These converters use the hardware by the Helmholz company.
- Converters from other firms (e.g. IBH NETLink, NETLink Kepware ...). It has not been tested whether these converters work with the PmS7 driver.

Important settings of Simatic PLC communication by the TIA portal software

The version of Simatic-1200 and -1500 since 2014 require programming in TIA portal 13 or higher.
Caution: In 2015 for new versions of PLCs (e.g. Simatic S7/1200 V.4.1.1 - 4.1.3) it is necessary to upgrade TIA portal 13 SP1 to Update 5 (9/2015).
 
In this software, some configurators are set by default in order to prevent external SCADA systems (including the PROMOTIC system) to communicate with such PLCs.
In TIA portal it is therefore necessary to modify following settings:

1) Protection:
Select the "CPU project" on the left side and press Alt+Enter keys or in the contextual menu select "Properties".
In the "Protection" section:
1) Select configurator "Full access".
2) Check configurator "Permit access with PUT/GET communication from remote partner".


2) DB optimized:
Select the "DB" on the left side under "Program blocks" and press Alt+Enter keys or in the local menu select "Properties".
Uncheck setting "Optimized block access" (it is checked by default).
Additional interesting setting that usually can stay unchanged:
 
General > Communication load:
The CPU operating system provides the maximum specified percentage of total CPU processing power for communication tasks. The communication load can be set in STEP 7 for the CPUs of the S7 series. The default value depends on the type and version of CPU used. If the processing power is not needed for communication, then the processing power is available to the operating system and the user program.
 
Communication is allocated the requisite computing time in 1 ms increments, with priority 15. At 50% communication load, 500 μs of each 1 millisecond are used for communication.


History:
Pm9.00.22: Fixed bug: If PLC device split the received data of one request into multiple submessages, then a bad receive was signalled.
Pm8.03.09: Fixed bug: Variables from one PmaCommGroup were sometimes incorrectly distributed among communication messages and then some variables were not transmitted. (bug since Pm8.3.2 version)
Pm8.03.06: Fixed bug: If connection is lost then the Quality property is overwritten in all variables.
Pm8.03.02:
- New configurators in protocol parameters
- Max. PDU length: maximum message length limit
- Connection type: Connection type (specifies whether application connects to PLC as PG=Programming device or OP=Operator panel).
- Commnication with LOGO! modules version 8 has been tested. The modules support S7 protocol since this version so the S7 driver can be used.
Pm8.02.17: Fixed bug: While reading or writing value of the S5Time type.
Pm8.01.05: Fixed bug: If the PmaCommGroup object contained many bit (Boolean) variables, then the communication messages were not composed correctly and some variables were unable to transmit.
Pm8.01.00: Created
PROMOTIC 9.0.27 SCADA system documentation MICROSYS, spol. s r.o.

Send page remarkContact responsible person
© MICROSYS, spol. s r.o.