Вы находитесь на странице: 1из 71

Siemens SIMATIC Step 7 Programmer's Handbook

This handbook is a collection of programming overviews, notes, helps, cheat sheets and whatever that can help you (and me) program a Siemens PLC. If you have experience with Siemens then please contribute.

Siemens Website Quick Links

This is a listing of tutorials and manuals found on the Siemens automation website that will get you started on the SIMATIC Step 7 software for S7-300 and S7-400 systems. From a new users perspective Ive only heard disparaging comments about finding the right information on the Siemens website. I have to agree. Its information overload at its best. Theres a lot of different stuff there thrown together and found in different spots with very long URL addresses to add to the confusion. Have no fear. Were here to help. So well look at the essentials for your journey.
The software if you havent got it yet Getting a sense for the product line Where to start with the manuals

Online training material Downloadable Flash tutorials

Of course the best type of training is the hands on type but if thats not an option then youll need to start digging in.

Whos got the Software?

If you are just learning and cant easily get the software then there are two options. 1. Order the demo CD which will give you a free 30-day trial period. 2. Download a free working copy of Step 7 Lite. There are differences between the regular version of Step 7 and Step 7 Lite but for learning purposes you can go along way with the free Lite version.

First Things First

The first thing I like to do with a new product is get an overview of everything. Getting used to part numbers and product groupings can go a long way with your comfort level. The best thing for this is the sales catalog (ST 70 2005). You can also order a hard copy.

Where to Start? Manuals, manuals, everywhere!

Once you install the Step 7 software there will be a directory under the SIMATIC folder called Documentation that includes the most important manuals. Hard copies can be ordered with number 6ES7810-4CA08-8BW1. Heres how I would digest them. 1. Working with STEP 7 - This is a basic introduction to Step 7 which walks through an example of controlling engines. While its not the complete picture it does ease you very well into the learning curve of the Step 7 software. 2. Programming with STEP 7 Manual - Heres the fuller manual for the programming interface which is also the same as the online help accessed by pressed the F1 key. 3. Configuring Hardware and Communication Connections STEP 7 Manual Everything to do with the Hardware Configurator. 4. Statement List, Ladder Logic, and Function Block Diagram Reference Manuals These manuals contain both the users guide and the reference description of the programming language or representation type. You only require one language type for programming an S7-300/S7-400, but you can mix the languages within a project, if required. If youre more comfortable with Ladder Logic or Function Block Diagram then start there but sooner or later youll have to become familiar with Statement List. 5. System Software for S7-300 and S7-400 System and Standard Functions Reference Manual - The S7 CPUs have integrated system functions and organization blocks included with their operating system, which you can use when programming. This manual provides you with an overview of the system functions, organization blocks, and loadable standard functions available in S7, and detailed interface descriptions for their use in your programs.

Training Material
Theres gold in that website if you just do a little digging! If youre having a tough go with the manuals then you should definitely download the training material. Theres a lot more screen shots and even a picture of a balding pudgy guy to point things out to you. What more could you want?

Flash Tutorials
If youre not the manual type (and even if you are) check out the Siemens Step 7 Flash tutorials. These are very professionally done with a nice sounding narrator to take you through all the basics of the Step 7 software and hardware.

What's Next?
Of all the starting places to dig for more info I find the support section the best especially if you have a part number or key word you can search on. Clicking on the Product Support link will bring up a tree on the left hand side that can be expanded down to the product of your affection. Good luck and happy hunting.

Review of Siemens SIMATIC Step 7 Lite Programming Software

Great taste. Less filling.

When one hears the words Lite and software you tend to think of software thats not really usable. Depending on your needs this may not be the case with the Siemens STEP 7 Lite package. The four major limitations in STEP 7 Lite verses the more advanced STEP 7 package are: 1. Support limited to the SIMATIC S7-300 PLC, the C7 all-in-one PLC and HMI, and the intelligent CPUs of the ET200 distributed I/O family. So no programming for the S7-200 or S7-400 PLC series. 2. No networking whatsoever. Remote I/O racks (IM modules) are supported but theres nothing for Profibus DP even if you have a DP port on your CPU. 3. No support for multi-projects or HMI integration. 4. No communication processors (CP) or function modules (FM) supported. If youre interested in more details then refer to our chart of differences between the Step 7 program packages. So there are quite a few major limitations with the Step 7 Lite software which may end your further reading of this review. On the other hand, the current availability of a free download of the SIMATIC Step 7 Lite software makes it awfully tempting to take a look at it. If your only use of Siemens PLCs are an S7-300, C7 or ET200 in a stand alone application with no special needs (CP or FM) then I could highly recommend the Lite package. It has the same level of programming functionality as the regular Step 7 packages plus some nifty interface enhancements to make it easier on the eyes and on the brain. It is possible (though not easy) to convert any software created in the STEP 7 Lite to STEP 7 and visa versa keeping in mind the limitations of the Lite version. Since the packages bear a lot of similarities it will also be easy for the student to transfer any learning on the Lite package over to STEP 7.

First Impressions

For a user of the regular STEP 7 software the first thing to notice is there is no SIMATIC Manager. Thats because the Lite version doesnt support multi-projects or networking. The STEP 7 Lite software opens right up to the editor screen.

The overall aim of the Lite package was to make the interface easier for new users. I think theyve done that while making it friendlier for everyone involved. The added graphics and color are a welcome addition. Another nice friendly feature is the extended hover help on the menus and icons where clicking on the tool tip expands it into more help text. On that note all the pop up dialogs are clearer then its STEP 7 counterpart. One of the major differences can be seen on the left hand side window. Pretty much everything the programmer needs for maintaining the project is neatly organized here. Theres even a convenient thumb tack to pin it or make it automatically slide in and out when needed. On the right hand side is the old familiar tree structure of commands and blocks. Its missing the quick little reference help window on the bottom which has been replaced by just hovering your mouse over the command to get a fuller title (the F1 key works just the same too). The FC and FB blocks have been moved from here to a more logical place in the project window on the left hand side.

The Left Side Bar CPU Overview and Project Window

The top portion introduces a CPU box with easy access to controls, diagnostics (Ctrl+D) and setup of the CPU. Thats not something I feel is necessary to be there all the time so I minimized it. Too bad theres no apparent way to just get rid of it all together. The Project Window below it is great. Everythings is here from hardware to documentation. Something that just thrilled me is the tabs below that separate the offline and online versions of the program. On the regular STEP 7 software there is often a confusion between when you are offline or online. STEP 7 Lite minimizes that confusion by also provided clearly differentiated color schemes for when you have a block open online. And if that wasnt all, the symbols beside the hardware and each block instantly tell you of differences between the offline and online versions of your program. You can just hover the mouse over the symbol to get more detail. Its also nice to have all the blocks clearly color coded and nicely arranged. You can drag and drop then anywhere in the list. Theres even a new feature of Category which is simply an organizational label inserted between blocks. In this screen Ive inserted the category Engine Data and Special Data. This could be really helpful for logically grouping blocks in larger projects. I also like the new way of creating blocks. From the pull down menu select Insert | Block and this nifty dialog box pops up with all the selections on it. Even the OB selection has a nice drop down box of all the OBs available with its symbolic name.

The Hardware Manager

The greatest change of all is the overhauled hardware manager. The layout is great and is to be expected without the need to factor in networking. Just drag and drop your hardware on the picture and away you go. Theres even a nice hardware comparison feature clearly showing any differences between the offline and online setups.

The Editor
Much of the editor is like its big sister STEP 7. One noticeable part thats missing in action is the detail view that gives quick access to info, cross reference, address info, etc. One part I like is a slight revamp of the declaration table. Instead of the tree like structure its one simple table with a column indicating its declaration. That means no having to dig through the tree just to see all the declaration variables.

Other then what weve all ready listed there are no other major differences. The symbol table, monitor/modify (a.k.a. VAT), and the reference data are all very similar to STEP 7. Overall, if you can live with the limitations, the STEP 7 Lite version is a great little package. Hopefully some of the better implementations will find there way into the STEP 7 software. P.S. One little caveat is that it kept crashing on my plenty beefy enough Windows XP Home computer. Save often, arrgh!

Step 7 Connecting, Downloading and Uploading

These are general guidelines for connecting, downloading and uploading from an S7-300 or S7400 PLC. The following procedures were created using Siemens SIMATIC STEP 7 version 5.4 software. To start, open the SIMATIC Manager.

Now follow the links below.

Connecting to the S7 PLC

The Programming Cables
There are three major types of programming cables: 1. The CP5512 card in a PCMCIA slot.

2. The PC Adapter using a serial or USB connection

3. An Ethernet cable

The CP5512 card and the PC Adapter can communicate on either an MPI or PROFIBUS port. Note that PROFIBUS is labeled as DP on the Siemens connection ports. These cables can piggyback on existing connectors. Be aware that the PC Adapter draws its power to work from the connection port so check the power LED for proper operation. The CP5512 card draws its power from the computer. For Ethernet (TCP/IP) use a standard Ethernet cable from the computer to a CPU with an Ethernet port, a CP 343/443 module or a network switch all ready attached to the PLC network.

Checking Communications
With the programming cable plugged in, you can check for proper operation by clicking on the Accessible Nodes icon.

If communications are successful, you'll see a window pop up similar to the one below. If so, then close the Accessible Nodes window and proceed to the download or upload section.

If communication fails then you will receive a message like below.

This indicates that the cable is not in the right computer port or the cable is not plugged in properly.

Setting the PG/PC Interface

In order to start communication to the PLC you will need to match the "PG Interface" setting with the programming cable and protocol. To do this, select the menu Options > Set PG/PC Interface.

The following dialog box will open up displaying all the different interfaces (i.e. communication drivers).

Each cable has its own interface. For Ethernet select the TCP/IP interface for your computers network card. Be careful not to select your wireless Ethernet connection. To get it working quickly it is best to select the interface with the Auto designation. This will discover working settings and use them automatically. For the PC Adapter click on the Properties button and make sure the Station Parameters Address is a unique network address. It should not conflict with existing PLC and slave devices on the network. Also, check under the Local Connection tab and make sure connection selection matches the port the cable is connected into. Once the proper interface is selected and the properties are set then click OK and use the Accessible Nodes window to check for successful communications. It should work. If not double-check the connection and cable. With the CP5512 and PC Adapter cables, you should use the MPI port, as this is the default connection for Siemens. If this doesn't work then I don't know what to tell you.


First, in order to enable the download menu commands, you must select the Block folder in the project's station you wish to download.

There are three methods of downloading. 1. Partial download of selected blocks 2. Full download of all blocks and system data 3. Complete deletion of online PLC blocks and then downloading of all blocks and system data

Partial Download
Partial downloads are used in existing projects where only one or more blocks will be downloaded. To perform this type of download select the block(s) you wish to download and then select the PLC > Download menu item or the download button .

Holding down the Ctrl key or the Shift key allows more then one block to be selected at a time. Be careful though as the order of download will occur in the order that the blocks were selected. This may mean that an error will occur if a block is called before it is downloaded.

The CPU will need to be in Stop mode before downloading the System Data Block (SDB) as this is equivalent to a hardware configuration download. This is usually not necessary in a PLC that has all ready had its hardware configured. If you do download the system data, the following messages will prompt you through the transitions.

If the CPU is in Run mode then you will be prompted to Stop the CPU. The software will do the Run to Stop transition when you click OK.

After downloading the SDB you will be prompted to Run the CPU again.

Clicking Yes will automatically put the CPU back into run mode.

Full Download
To download all the blocks at once make sure you are in the Block folder and select the Edit > Select All menu item. Click on the Download icon . You will be prompted to overwrite any existing blocks and if you want to load the system data (see above).

Clearing the CPU Memory and then Downloading

The partial and full download methods above will overwrite existing blocks but will not any blocks from memory. In order to completely delete the existing program in the CPU and download a new project select the Blocks folder and then use the PLC > Download User Program to Memory Card menu item.

The following dialog box will pop up prompting you about the deletion of all the blocks and project data in the PLC. Click Yes to perform the operation.

After this, follow the normal download procedure.

There are two methods for uploading. The first is when you have the original project and you want to preserve the symbols and comments. The second method, when you don't have the original project, will upload everything from the CPU but will have no associated documentation (i.e. symbols and comments).

Uploading to an Existing Project

With the existing project open, select the View > Online menu item.

This is the same as the Online button on the icon bar.

This will open up another window called the Online Partner. It shows the existing blocks inside the CPU. The Online version is indicated by the highlighted title bar.

There is a connection between these two versions so that uploading from the online partner makes sure to preserve all the symbols and comments. Be careful. After uploading, make sure to close the online partner and do all work from the offline version. To upload individual blocks, select them in the Online view and choose the PLC > Upload to PG menu item. For a full upload, select the Block folder and do the same.

Upload without an Existing Project

Follow these steps when you do not have the original project but wish to upload the program for backup purposes. With an existing project open or a new blank project select the PLC > Upload Station to PG menu selection.

In the next screen, fill in the slot the CPU is in (this is always 2 for S7-300) and the node address of the communication port on the CPU. In the case below we are talking to a CPU over MPI with node address 10.

After clicking OK, the whole contents of the PLC including all blocks and hardware configuration will be uploaded into a new station in the project.

While this project contains no documentation, it can be used as a backup to download later if needed.

Step 7 Lite, Step 7 and Step 7 Professional Differences

STEP 7 Lite
Configuring PLCs Modules S7-300/C7 Digital, analog I/O, IFM centralized only S7-300/S7-400/C7/WinAC Digital, analog I/O, IFM, FM, CP centralized and distributed (DP) Time-driven, cyclic data transmission between automation components; MPI, PROFIBUS or Industrial Ethernet Yes Yes Yes, in CPU and direct on PG/PC (updating of PLC operating system possible) Program, symbols, hardware configuration Included - S7-DOCPRO option for standard-compliant documentation of the S7 project Yes Yes


STEP 7 Professional



Distributed I/O Alarm configuring (display>HMI) Write/read to/from MMC

No No

Yes, in CPU only Program, symbols Included


Documentation function Multi-language documentation of projects Multi-user engineering Programming Languages

Yes No


LAD/FBD/STL and STL sources

As Step 7 + S7-Graph (sequencer)/S7-

SCL (textual highlevel language) Structured/symbolic programming Check/establish program consistency Standard libraries/user libraries Online functions Online access Test functions Comparison function offline/online MPI Monitor, control, force Program, hardware configuration System diagnostics MPI, Profibus, Option: Industrial Ethernet Monitor, control, force, single step (debug) Program System diagnostics, report system fault, integrated process fault diagnostics in S7-Graph Yes/Yes Yes/Yes Yes/No Yes/Yes Yes/Yes Yes/Yes

Diagnostics Optional packages Optional programming languages


S7-Graph, S7SCL, S7HiGraph, CFC S7-PLCSIM, S7Teleservice, S7DOCPRO, S7Pdiag

S7-HiGraph, CFC S7-Teleservice, S7DOCPRO, S7Pdiag (S7-PLCSIM is all ready included in package)

Options for simulation, documentation, diagnostics and remote maintenance

S7-PLCSIM, S7Teleservice

The Case of the Missing SIMATIC Step 7 Documentation

We had documentation at one time. Sound familiar? Have you suddenly found changes that have been made in the PLC but not in the offline program? Nobody knows what happened.

Unfortunately this is an all too common phenomena with the Siemens SIMATIC Step 7 software. The problems stem from the flexibility of the software both for downloading and editing the online program. If the person is not familiar with the software its very easy to get confused if the changes are being made on the computer or in the controller. How to solve this problem? Lets first of all review some basic terminology. After that is a step by step best practice when editing programs. Finally, well highlight the pitfalls and the indicators that tell you whether you are offline or online. This procedure applies to SIMATIC Step 7 version 5.4.

Offline program The program that is stored on the hard disk of the computer. This will contain the documentation. Its very important to keep a pristine copy of the offline program as the associated documentation is not stored in the PLC. Online program This is the program resident in the PLC. Download The act of taking the offline program on the computer and downloading it into the PLC. Upload Taking the program in the PLC and bringing it up to the computer. Doing this without having the associated offline program open will cause a loss of documentation.

Save Stores the open block onto the hard drive. Its important to realize that an edited block can be downloaded to the PLC without saving it offline. Note that this only saves the opened block and not any others that are concurrently open. These may seem like simple terms but its important to understand how theyre used in the Siemens environment. Here are some other terms that may come up. PG/PC This is Siemens way of referring to a PC or laptop running the SIMATIC software. Nodes Refers to any programmable device (in our case a PLC) in the network which will have its own unique address.

Best Practice
The best practice is to make sure you are working from an offline file. There really isnt any reason to be working on the program inside the PLC. Of course, this assumes that you have a good working copy to begin with. The golden copy of the program should live somewhere on a network server or have a dedicated place on one computer or laptop. Ive even heard of some companies using USB memory sticks to store the latest and greatest which is great but an original copy should still live on a computer that is backed up. 1. Open the offline file from the File pull down menu and select Open or use the Open Project icon on the toolbar. In the dialog box select the project under the User Project tab. Click OK. You may have to select Browse to find it in the directory structure. Note if the Manager was closed with a project open then it will open back up to that project automatically. 2. Expand the project tree down to the program files and select the Blocks folder. Good practice dictates that all blocks should be opened from here. 3. Once changes have been made: 1. Save the block to the hard disk by clicking the Save icon File | Save) (or menu item

2. Download the block by clicking the Download icon (or menu item PLC | Download). If the block all ready exists in the PLC then it will confirm that you want to overwrite it1. Click Yes. 3. Note that downloading from here only sends that one block to the PLC. It does not download the entire program. 4. To monitor the block make sure to open it using steps 1 through 3 and then press the Monitor icon (or menu item Debug | Monitor). The windows title bar will highlight a lovely shade of blue to indicate a connection to the CPU. Its important to note here that you are still working with the program on the computer and not the PLC. If the procedure in step 3 has not been followed then discrepancies can occur

between what you are monitoring in the PLC and what is displayed in the SIMATIC software. Thats it. Following these simple steps will save a lot of headaches.

The Pitfalls and Warning Signs

So where do some people get lost? Here are some common mistakes and their warning signs. If you get any of these dialog boxes then you should really back out and start over because youre on the road to losing your documentation.

These dialog boxes are telling you that it cannot find the documentation for the local parameters and symbols. More then likely it will also not show any network comments or titles. The result of opening the block looks like this

This is an example void of documentation. Notice the local parameters all say TEMP. There are no comments or titles. There are no symbols so its all in direct addressing. The properly documented copy looks like this...

Pitfall #1 Using Accessible Nodes to Open Blocks The Display Accessible Nodes selection under the PLC menu is a handy way to see what is connected to the network but it should never be used to open blocks. Opening blocks from here uploads it straight from the PLC and produces the warnings dialog boxes shown above.

Pitfall #2 Viewing Online from SIMATIC manager Once a project is open and a connection to a PLC is established then selecting the Online button (menu View | Online) brings up a similar project tree showing the contents inside the PLC. The window title bar is highlighted in blue to indicate its online status. Working from this window presents less of a danger for losing documentation but it is confusing and could lead to problems. For instance if a block is renamed offline and then the old one is opened online then it will have no associated documentation. The proper way to view a block online is to open the block and select the Establish Connection to Configured CPU icon PLC. . Just make sure what you are viewing has been downloaded to the

Pitfall #3 Opening the Online Partner If an offline block is open then selecting the Open Offline/Online Partner icon (menu item File | Open Online) will switch it to the online version of the block for editing. Essentially this puts you in the same place as pitfall #2.

Programming with SIMATIC Step 7 is different enough from other types of PLCs to throw off the casual user. Always working from the offline copy will make it less likely to screw up. Opening up a block from the accessible nodes window is always a no-no. Likewise, opening a block from a window that has a highlighted blue title bar will also cause potential problems. Be

sure and read all dialog boxes especially the ones weve shown in the article. Avoid the pitfalls and keep that documentation. Mystery solved.

Footnote: (1) Siemens dialog boxes have an option that says, Do not display this message again. This is handy for some annoying pop ups but it is really not a good idea to turn off important ones like warnings for overwriting blocks. These warnings are especially crucial if you are working on real machinery. If more then one person is using the software then you can reset these messages to display again by going to the SIMATIC Manager and select the menu Options | Customize. Click the General tab and press the Activate button. If its grayed out then all messages are set to display.

S7 Library Functions
I couldn't find a complete listing of all the function blocks in the standard Siemens S7 Libraries so I made one myself. It helps me get a better overview of what is available. The complete listing is also available as an Excel spreadsheet so you can sort or adjust to your needs.

System Function Blocks

Number Name SFB 0 SFB 1 SFB 2 SFB 3 SFB 4 SFB 5 SFB 8 SFB 9 SFB 12 SFB 13 SFB 14 SFB 15 CTU CTD CTUD TP TON TOF USEND URCV BSEND BRCV GET PUT Family IEC_TC IEC_TC IEC_TC IEC_TC IEC_TC IEC_TC Description Count Up Count Down Count Up/Down Generate a Pulse Generate an On Delay Generate an Off Delay

COM_FUNC Uncoordinated Sending of Data COM_FUNC Uncoordinated Receiving of Data COM_FUNC Sending Segmented Data COM_FUNC Receiving Segmented Data COM_FUNC Read Data from a Remote CPU COM_FUNC Write Data to a Remote CPU

SFB 16 SFB 19 SFB 20 SFB 21 SFB 22 SFB 23 SFB 29 SFB 30 SFB 31 SFB 32 SFB 33 SFB 34 SFB 35 SFB 36 SFB 37 SFB 38 SFB 39 SFB 41 SFB 42 SFB 43 SFB 44 SFB 46


COM_FUNC Send Data to Printer COM_FUNC Initiate a Warm or Cold Restart on a Remote Device COM_FUNC Changing a Remote Device to the STOP State COM_FUNC Initiate a Hot Restart on a Remote Device COM_FUNC Query the Status of a Remote Partner COM_FUNC Receive the Status of a Remote Device

HS_COUNT COUNTERS Counter (high-speed counter, integrated function) (only exist on the CPU 312 IFM and CPU 314 IFM) FREQ_MES COUNTERS Frequency Meter (frequency meter, integrated function (only exist on the CPU 312 IFM and CPU 314 IFM) NOTIFY_8P COM_FUNC Generating block related messages without acknowledgement indication DRUM ALARM ALARM_8 TIMERS Implement a Sequencer

COM_FUNC Generate Block-Related Messages with Acknowledgment Display COM_FUNC Generate Block-Related Messages without Values for 8 Signals

ALARM_8P COM_FUNC Generate Block-Related Messages with Values for 8 Signals NOTIFY AR_SEND HSC_A_B POS CONT_C CONT_S COM_FUNC Generate Block-Related Messages without Acknowledgment Display COM_FUNC Send Archive Data COUNTERS Counter A/B (integrated function) (only exist on the CPU 314 IFM) ICONT ICONT ICONT Position (integrated function) (only exist on the CPU 314 IFM) Continuous Control (only exist on the CPU 314 IFM) Step Control (only exist on the CPU 314 IFM) Pulse Generation (only exist on the CPU 314 IFM) Positioning with Analog Output (only exist on the S7300C CPUs) Positioning with Digital Output (only exist on the S7-


300C CPUs) SFB 47 SFB 48 SFB 49 SFB 52 SFB 53 SFB 54 SFB 60 SFB 61 SFB 62 SFB 63 SFB 64 SFB 65 SFB 75 SFB 81 COUNT TEC_FUNC Controlling the Counter (only exist on the S7-300C CPUs) Controlling the Frequency Measurement (only exist on the S7-300C CPUs) Controlling Pulse Width Modulation (only exist on the S7-300C CPUs) Reading a Data Record Writing a Data Record Receiving an Interrupt Sending Data (ASCII, 3964(R)) (only exist on the S7300C CPUs) Receiving Data (ASCII, 3964(R)) (only exist on the S7300C CPUs) Deleting the Receive Buffer (ASCII, 3964(R)) (only exist on the S7-300C CPUs) Sending Data (RK 512) (only exist on the S7-300C CPUs) Fetching Data (RK 512) (only exist on the S7-300C CPUs) Receiving and Providing Data (RK 512) (only exist on the S7-300C CPUs) Send interrupt to DP master Read Predefined Parameter




System Function Calls

Number Name SFC 0 SFC 1 SFC 2 SFC 3 SET_CLK READ_CLK SET_RTM CTRL_RTM Family Description

CLK_FUNC Set System Clock CLK_FUNC Read System Clock CLK_FUNC Set Run-time Meter CLK_FUNC Start/Stop Run-time Meter

SFC 4 SFC 5 SFC 6 SFC 7 SFC 9 SFC 10 SFC 11 SFC 12 SFC 13 SFC 14 SFC 15 SFC 17 SFC 18 SFC 19 SFC 20 SFC 21 SFC 22 SFC 23 SFC 24 SFC 25 SFC 26 SFC 27 SFC 28 SFC 29 SFC 30


DB_FUNCT Read OB Start Information DP Trigger a Hardware Interrupt on the DP Master

COM_FUNC Enable Block-Related, Symbol-Related and Group Status Messages COM_FUNC Disable Block-Related, Symbol-Related and Group Status Messages DP DP Synchronize Groups of DP Slaves Deactivation and activation of DP slaves Read Diagnostic Data of a DP Slave (Slave Diagnostics) Read Consistent Data of a Standard DP Slave Write Consistent Data to a DP Standard Slave



ALARM_SQ PMC_FUNC Generate Acknowledgeable Block-Related Messages ALARM_S ALARM_SC BLKMOV FILL CREAT_DB DEL_DB TEST_DB COMPRESS UPDAT_PI UPDAT_PO SET_TINT CAN_TINT ACT_TINT PMC_FUNC Generate Permanently Acknowledged Block-Related Messages PMC_FUNC Query the Acknowledgment Status of the last ALARM_SQ Entering State Message MOVE MOVE Copy Variables Initialize a Memory Area

DB_FUNCT Create Data Block DB_FUNCT Delete Data Block DB_FUNCT Test Data Block DB_FUNCT Compress the User Memory IO_FUNCT IO_FUNCT Update the Process Image Update Table Update the Process Image Output Table

PGM_CNTL Set Time-of-Day Interrupt PGM_CNTL Cancel Time-of-Day Interrupt PGM_CNTL Activate Time-of-Day Interrupt

SFC 31 SFC 32 SFC 33 SFC 34 SFC 35 SFC 36 SFC 37 SFC 38 SFC 39 SFC 40 SFC 41 SFC 42 SFC 43 SFC 44 SFC 46 SFC 47 SFC 48 SFC 49 SFC 50 SFC 51 SFC 52 SFC 54 SFC 55 SFC 56 SFC 57 SFC 58


PGM_CNTL Query Time-of-Day Interrupt PGM_CNTL Start Time-Delay Interrupt PGM_CNTL Cancel Time-Delay Interrupt PGM_CNTL Query Time-Delay Interrupt PGM_CNTL Trigger Multicomputing Interrupt DIAGNSTC DIAGNSTC DIAGNSTC IRT_FUNC IRT_FUNC IRT_FUNC IRT_FUNC Mask Synchronous Errors Unmask Synchronous Errors Read Error Register Disable New Interrupts and Asynchronous Errors Enable New Interrupts and Asynchronous Errors Delay Higher Priority Interrupts and Asynchronous Errors Enable Higher Priority Interrupts and Asynchronous Errors

PGM_CNTL Re-trigger Cycle Time Monitoring DIAGNSTC Transfer Substitute Value to Accumulator 1

PGM_CNTL Change the CPU to STOP PGM_CNTL Delay Execution of the User Program CLK_FUNC Synchronize Slave Clocks IO_FUNCT IO_FUNCT DIAGNSTC Query the Module Slot Belonging to a Logical Address Query all Logical Addresses of a Module Read a System Status List or Partial List Write a User-Defined Diagnostic Event to the Diagnostic Buffer Read Defined Parameters Write Dynamic Parameters Write Default Parameters Assign Parameters to a Module Write a Data Record



SFC 59 SFC 60 SFC 61 SFC 62 SFC 63 SFC 64 SFC 65 SFC 66 SFC 67 SFC 68 SFC 69 SFC 70 SFC 71 SFC 72 SFC 73 SFC 74 SFC 78 SFC 79 SFC 80 SFC 81 SFC 82 SFC 83



Read a Data Record

COM_FUNC Send a GD Packet COM_FUNC Fetch a Received GD Packet COM_FUNC Query the Status of a Connection Belonging to a Communication SFB Instance PLASTICS Assembly Code Block (only exists for CPU 614)

CLK_FUNC Read the System Time COM_FUNC Send Data to a Communication Partner outside the Local S7 Station COM_FUNC Receive Data from a Communication Partner outside the Local S7 Station COM_FUNC Read Data from a Communication Partner outside the Local S7 Station COM_FUNC Write Data to a Communication Partner outside the Local S7 Station COM_FUNC Abort an Existing Connection to a Communication Partner outside the Local S7 Station IO_FUNCT IO_FUNCT Determine Start Address of a Module Determine the Slot Belonging to a Logical Address

COM_FUNC Read Data from a Communication Partner within the Local S7 Station COM_FUNC Write Data to a Communication Partner within the Local S7 Station COM_FUNC Abort an Existing Connection to a Communication Partner within the Local S7 Station DIAGNSTC BIT_LOGC BIT_LOGC MOVE DB_CTRL DB_CTRL Determine OB program runtime Set a Range of Outputs Reset a Range of Outputs Uninterruptible Block Move Create a Data Block in the Load Memory Read from a Data Block in Load Memory

SFC 84 SFC 85 SFC 87 SFC 90



Write from a Data Block in Load Memory

DB_FUNCT Create a Data Block COM_FUNC Diagnosis of the Actual Connection Status HF_FUNCT Control Operation in H Systems


CLK_FUNC Setting the Time-of-Day and the TOD Status CLK_FUNC Handling runtime meters IO_FUNCT DP Redefined Parameters Identifying the bus topology in a DP master system

PGM_CNTL Controlling CiR PMC_FUNC Reading Dynamic System Resources PMC_FUNC Deleting Dynamic System Resources

SFC 107 ALARM_DQ PMC_FUNC Generating Always Acknowledgeable and BlockRelated Messages SFC 108 ALARM_D SFC 112 PN_IN SFC 113 PN_OUT SFC 114 PN_DP SFC 126 SYNC_PI SFC 127 SYNC_PO PMC_FUNC Generating Always Acknowledgeable and BlockRelated Messages PROFIne2 PROFIne2 PROFIne2 IO_FUNCT IO_FUNCT Update inputs in the user program interface of PROFInet components Update outputs in the user program interface of PROFInet components Update DP interconnections Update process image partition input table in synchronous cycle Update process image partition output table in synchronous cycle

S5-S7 Converting Blocks

Number Name FC 61 FC 62 FC 63 GP_FPGP GP_GPFP GP_ADD Family Description

S5_CNVRT Change fixed point number to floating point number S5_CNVRT Change floating point number to fixed point number S5_CNVRT Add floating point numbers

FC 64 FC 65 FC 66 FC 67 FC 68 FC 69 FC 70 FC 71 FC 72 FC 73 FC 74 FC 75 FC 78 FC 79 FC 80 FC 81 FC 82 FC 83 FC 84 FC 85 FC 86 FC 87 FC 88 FC 89


S5_CNVRT Subtract floating point numbers S5_CNVRT Multiply floating point number S5_CNVRT Divide floating point numbers S5_CNVRT Compare floating point numbers S5_CNVRT Extract root of floating point numbers S5_CNVRT Clock generator S5_CNVRT Clock generator (timing element) S5_CNVRT Message of first value with single flashing light, wordwise, A S5_CNVRT Message of first value with double flashing light, wordwise, A

MLD_SAMW S5_CNVRT Collected message, wordwise (sound alert) MLD_SAM MLD_EZ S5_CNVRT Collected message, bitwise S5_CNVRT Message of first value with single flashing light, bitwise, A

MLD_EDWK S5_CNVRT Message of first value with double flashing light, wordwise, A+M MLD_EZK MLD_EDK COD_B4 COD_16 MUL_16 DIV_16 ADD_32 SUB_32 MUL_32 DIV_32 RAD_16 S5_CNVRT Message of first value with single flashing light, bitwise, A+M S5_CNVRT Message of first value with double flashing light, bitwise, A+M S5_CNVRT Change BCD number to 16 bit dual number S5_CNVRT Change 16 bit dual number to BCD number S5_CNVRT Multiply 16 bit dual numbers S5_CNVRT Divide 16 bit dual numbers S5_CNVRT Add 32 bit dual numbers S5_CNVRT Subtract 32 bit dual numbers S5_CNVRT Multiply 32 bit dual numbers S5_CNVRT Divide 32 bit dual numbers S5_CNVRT Extract roots of 16 bit dual numbers

FC 90 FC 91 FC 92 FC 93 FC 94 FC 95 FC 96 FC 97 FC 98 FC 99 FC 100 FC 101 FC 102 FC 103 FC 104 FC 105 FC 106 FC 107 FC 108 FC 109 FC 110 FC 111 FC 112 FC 113 FC 114 FC 115


S5_CNVRT Bi-directional shift register, bitwise S5_CNVRT Bi-directional shift register, wordwise S5_CNVRT Buffer memory (FIFO) S5_CNVRT Stack register (LIFO) S5_CNVRT Copy data block, direct assignment of parameters S5_CNVRT Copy data block, indirect assignment of parameterization S5_CNVRT Save scratchpad memory S5_CNVRT Load scratchpad memory S5_CNVRT Change BCD number to 32 bit dual number S5_CNVRT Change 32 bit dual number to BCD number S5_CNVRT Read analog value S5_CNVRT Read analog value S5_CNVRT Read analog value S5_CNVRT Read analog value S5_CNVRT Read analog value S5_CNVRT Read analog value S5_CNVRT Read analog value S5_CNVRT Read analog value S5_CNVRT Output analog value S5_CNVRT Output analog value S5_CNVRT Read and Write for extended periphery (direct assignment of parameters) S5_CNVRT Read and Write for extended periphery (indirect assignment of parameters) S5_CNVRT Sine (x) S5_CNVRT Cosine (x) S5_CNVRT Tangent (x) S5_CNVRT Cotangent (x)

FC 116 FC 117 FC 118 FC 119 FC 120 FC 121 FC 122 FC 123 FC 124 FC 125


S5_CNVRT Arc sine (x) S5_CNVRT Arc cosine (x) S5_CNVRT Arc tangent (x) S5_CNVRT Arc cotangens (x) S5_CNVRT Natural logarithm ln (x) S5_CNVRT Decade logarithm Iog (x) S5_CNVRT General logarithm log (x) to basis b S5_CNVRT e to the power of n S5_CNVRT 10 to the power of n S5_CNVRT AKKU 2 to the power of AKKU 1

IEC Function Blocks

Number Name FC 1 FC 2 FC 3 FC 4 FC 5 FC 6 FC 7 FC 8 FC 9 FC 10 FC 11 FC 12 FC 13 FC 14 FC 15 Family Description Point Math Add duration to a time Combine two STRING variables Combine DATE and TIME_OF_DAY to DT Delete in a STRING variable Data type conversion DINT to STRING Extract the DATE from DT Extract the day of the week from DT Extract the TIME_OF_DAY from DT Compare DT for equal Compare STRING for equal Find in a STRING variable Compare DT for greater than or equal Compare STRING for greater than or equal Compare DT for greater than Compare STRING for greater than






FC 16 FC 17 FC 18 FC 19 FC 20 FC 21 FC 22 FC 23 FC 24 FC 25 FC 26 FC 27 FC 28 FC 29 FC 30 FC 31 FC 32 FC 33 FC 34 FC 35 FC 36 FC 37 FC 38 FC 39 FC 40



Data type conversion INT to STRING Insert in a STRING variable Compare DT for smaller than or equal Compare STRING for smaller than or equal Left part of a STRING variable Length of a STRING variable Point Math Limit Compare DT for smaller than Compare STRING for smaller than Point Math Select maximum Middle part of a STRING variable Point Math Select minimum Compare DT for unequal Compare STRING for unequal Data type conversion REAL to STRING Replace in a STRING variable Right part of a STRING variable Data type conversion S5TIME to TIME Point Math Subtract two time values Point Math Subtract duration from a time Point Math Binary selection Data type conversion STRING to DINT Data type conversion STRING to INT Data type conversion STRING to REAL Data type conversion TIME to S5TIME





PID Control Blocks

Number Name Family Description

FB 41 FB 42 FB 43 FB 58 FB 59



Continuous Control Step Control Pulse Generation


TCONT_CP CONTROL Temperature Continuous Controller TCONT_S CONTROL Temperature Step Controller

Communication Blocks
Number Name FB 2 FB 3 IDENTIFY READ Family CP_300 CP_300 Description For checking device properties Reads data from a data area of the communication partner specified by a name or index depending on the assignment of parameters for the job. Allows unconfirmed transmission of variables by an FMS server. allows status information to be requested from the communications partner on the specified FMS connection. Transfers data from a specified local data area to a data area on the communication partner. Uncoordinated Sending of Data Uncoordinated Receiving of Data Sending Segmented Data Receiving Segmented Data Read Data from a Remote CPU Write Data to a Remote CPU

FB 4 FB 5


CP_300 CP_300

FB 6 FB 8 FB 9 FB 12 FB 13 FB 14 FB 15 FB 20 FB 21 FB 22


CP_300 CP_300 CP_300 CP_300 CP_300 CP_300 CP_300

IO_FUNCT Read All Inputs of a DP Standard Slave/PROFINET IO Device IO_FUNCT Write All Outputs of a DP Standard Slave/PROFINET IO Device IO_FUNCT Read a Part of the Inputs of a DP Standard Slave/PROFINET IO Device

FB 23 FB 55 FB 63 FB 64 FB 65 FB 66 FB 67 FB 68 FC 1 FC 2 FC 3 FC 4 FC 5 FC 6 FC 7 FC 8 FC 10


IO_FUNCT Write a Part of the Outputs of a DP Standard Slave/PROFINET IO Device CP_300 COMM COMM COMM COMM COMM COMM CP_300 CP_300 CP_300 CP_300 CP_300 CP_300 CP_300 CP_300 CP_300 Transfers a configuration data block (CONF_DB) containing connection data for an Ethernet CP. Sending Data via TCP native and ISO on TCP Receiving Data via TCP native and ISO on TCP Establishing a Connection using TCP native and ISO on TCP Terminating a Connection using TCP native and ISO on TCP Sending Data via UDP Receiving Data via UDP transfers data to the PROFIBUS CP receives data on PROFIBUS used to request diagnostic information transfers control jobs to the PROFIBUS CP data by means of a configured connection to the communication partner (<= 240 bytes). data by means of a configured connection from the communication partner (<= 240 bytes, not email). the external data access by means of FETCH/WRITE (not for UDP, email). the external data access by means of FETCH/WRITE (not for UDP, email). allows you to diagnose connections. When necessary, you can reinitialize connection establishment using the FC. used for data transfer in the CP modes PROFINET IO controller or PROFINET IO device. used to receive data in the CP modes PROFINET IO controller or PROFINET IO device. Establish an FTP connection

FC 11



FC 12 FC 40




FC 41 FC 42 FC 43 FC 44 FC 50 FC 60 FC 62



Store a file on the FTP server Retrieve a file from the FTP server Delete a file on the FTP server Enable an FTP connection data by means of a configured connection to the communication partner. data by means of a configured connection from the communication partner (not email). Query a connection status for S7-300


TI-S7 Converting Blocks

Number Name FB 80 FB 81 FB 82 FB 83 FB 84 FB 85 FB 86 FC 80 FC 81 FC 82 FC 83 FC 84 FC 85 FC 86 FC 87 FC 88 FC 89 Family Description


COMPARE Index Matrix Compare COMPARE Scan Matrix Compare TIMERS MOVE TIMERS MOVE Event Maskable Drum Pack Data Software Timer On DelayRetentive Indirect Block Move

BIT_LOGC Reset Range of Outputs BIT_LOGC Set Range of Outputs TABLE TABLE TABLE TABLE TABLE TABLE Add to Table First In/First Out Unload Table Table Find Last In/First Out Unload Table Table Move Table to Word

FC 90 FC 91 FC 92 FC 93 FC 94 FC 95 FC 96 FC 97 FC 98 FC 99 FC 100 FC 101 FC 102 FC 103 FC 104 FC 105 FC 106



Word Shift Register Word to Table Bit Shift Register

CONVERT Seven Segment Decoder CONVERT ASCII to Hex CONVERT Hex to ASCII CONVERT Encode Binary Position CONVERT Decode Binary Position CONVERT Tens Complement CONVERT Sum Number of Bits BIT_LOGC Reset Range of Immediate Outputs BIT_LOGC Set Range of Immediate Outputs MATH_FP Standard Deviation TABLE TABLE Correlated Data Table Table to Table

CONVERT Scaling Values CONVERT Unscaling Values

Miscellaneous Blocks
Number Name FB 60 SET_SW Family Description

TIMEFUNC supports the summertime/wintertime changeover in CPUs that do not have the time status. For this purpose it sets the CPU clock to the current time and according to the changeover rules in the Control DB.

FB 61

SET_SW_S TIMEFUNC supports the summertime/wintertime changeover in CPUs that do have the time status. For this purpose it sets the time status to the current time and according to the changeover rules in the Control DB. TIMESTMP TIMEFUNC transfers the time-stamped messages of an IM153-2 into its instance DB. LOC_TIME TIMEFUNC reads the time status or time of the CPU and calculates

FB 62 FC 60

the local time. It is therefore only useful on CPUs with time status. FC 61 FC 62 FC 63 BT_LT LT_BT S_LTINT TIMEFUNC calculates the local time from the base time given at the input. TIMEFUNC calculates the base time from the local time given at the input. TIMEFUNC sets the required time interrupt to the preset time. This time is given in local time.

Siemens Technical Terms

Otherwise known as Siemens speak. Here's a list of Siemens specific abbreviations and their meanings.


Description Combo PLC/HMI system Continuous Function Chart

Explanation A PLC and screen in one package Optional programming language

Communication Processor Modules used for special communication protocols Data Block Function Block Function Block Diagram Function Call Function Module Generic Station Description Memory storage areas for user data A function with it's own data block Standard programming language Called progammed blocks Modules with special functions (e.g. positioning) Files used for Profibus descriptions Optional programming language Interface Module Ladder Logic Diagram Programmable modules Modules to connect remote racks Standard programming language A module with processing capabilities


Micro Memory Card Multi Point Interface Organization Block Operator Panel Process Control System Programming Terminal Point to Point Interface Profibus Decentral Peripherals Profibus Process Automation

Compact plug-in memory card Standard communication protocol Blocks for user programs based on different operating system events. Simple display with or without buttons Software for the entire process chain Dedicated Siemens device - basically a PC Serial RS-232 communication Networking protocol used for factory automation Networking protocol used for process automation SIMATIC Step 7 product line

Structured Control Language System Function Block System Function Call Signal Module Statement List Touch Panel User-Definded Data Type Variable Access Table

Optional programming language Integrated FB for CPU information Integrated FC for CPU information Standard Input/Output modules Text based programming language Touch screen display Special data structures defined by the user Tables used to monitor/modify values in the PLC

Step 7 Elementary Data Types

Type and Descriptio n Siz e in Bit s Format Options Range and Number Notation Example in STL (lowest to highest values)

BOOL (Bit) BYTE (Byte) WORD (Word)

1 Boolean text


TRUE L B#16#10 L byte#16#10 L 2#0001_0000_0000_0000 L W#16#1000 L word#16#1000 L C#998 L B#(10,20) L byte#(10,20) L 2#1000_0001_0001_1000_ 1011_1011_0111_1111 L DW#16#00A2_1234 L dword#16#00A2_1234 L B#(1, 14, 100, 120) L byte#(1,14,100,120) L 101

8 Hexadecima B#16#0 to B#16#FF l number 16 Binary number 2#0 to 2#1111_1111_1111_1111

Hexadecima W#16#0 to W#16#FFFF l number BCD Decimal number unsigned DWORD (Double word) 32 Binary number C#0 to C#999 B#(0,0) to B#(255,255)

2#0 to 2#1111_1111_1111_1111_ 1111_1111_1111_1111

Hexadecima W#16#0000_0000 to l number W#16#FFFF_FFFF Decimal number unsigned INT (Integer) DINT (Double integer) REAL (Floatingpoint number) S5TIME (SIMATIC time) TIME (IEC time) 16 Decimal number signed 32 Decimal number signed 32 IEEE Floatingpoint number 16 S7 time in steps of 10ms (default) 32 IEC time in steps of 1 ms, integer B#(0,0,0,0) to B#(255,255,255,255) -32768 to 32767

L#-2147483648 to L#2147483647 Upper limit +/-3.402823e+38 Lower limit +/-1.175495e-38

L L#101

L 1.234567e+13

S5T#0H_0M_0S_10MS to S5T#2H_46M_30S_0MS and S5T#0H_0M_0S_0MS

L S5T#0H_1M_0S_0MS L S5TIME#0H_1H_1M_0S_0M S

T#24D_20H_31M_23S_648M L T#0D_1H_1M_0S_0MS S L to TIME#0D_1H_1M_0S_0MS

signed DATE (IEC date) TIME _OF_DAY (Time) CHAR (Character) 16 IEC date in steps of 1 day 32 Time in steps of 1 ms 8 ASCII characters

T#24D_20H_31M_23S_647M S D#1990-1-1 to D#2168-12-31 TOD#0:0:0.0 to TOD#23:59:59.999 A', 'B' etc. L D#1996-3-15 L DATE#1996-3-15 L TOD#1:10:3.3 L TIME_OF_DAY#1:10:3.3 L 'E'

Underscores in time and date are optional It is not required to specify all time units (for example: T#5h10s Maximum time value = 9,990 seconds or 2H_46M_30S

is valid)

S5TIME Format

Time base Binary Code 10 ms 100 ms 1s 10 s 00 01 10 11

Symbol Table Allowed Addresses and Data Types

English German Description Mnemonics Mnemonics I/O Signals I IB IW ID Q QB QW QD E EB EW ED A AB AW AD Input bit Input byte Input word Input double word Output bit Output byte Output word Output double word BOOL BYTE, CHAR WORD, INT, S5TIME, DATE DWORD, DINT, REAL, TOD, TIME BOOL BYTE, CHAR WORD, INT, S5TIME, DATE DWORD, DINT, REAL, TOD, TIME 0 to 65535.7 0 to 65535 0 to 65534 0 to 65532 0 to 65535.7 0 to 65535 0 to 65534 0 to 65532 Data Type Address Range

Marker Memory M MB MW MD M MB MW MD Memory bit Memory byte Memory word Memory double word BOOL BYTE, CHAR WORD, INT, S5TIME, DATE DWORD, DINT, REAL, TOD, TIME 0 to 65535.7 0 to 65535 0 to 65534 0 to 65532

Peripheral I/O PIB PIW PEB PEW Peripheral input byte Peripheral input word BYTE, CHAR WORD, INT, S5TIME, DATE 0 to 65535 0 to 65534



Peripheral input double word Peripheral output byte Peripheral output word Peripheral output double word


0 to 65532 0 to 65535 0 to 65534 0 to 65532

Timers and Counters T C Logic Blocks FB OB FC SFB SFC Data Blocks DB DB Data block DB, FB, SFB, UDT 1 to 65535 FB OB FC SFB SFC Function block Organization block Function System function block System function FB OB FC SFB SFC 0 to 65535 1 to 65535 0 to 65535 0 to 65535 0 to 65535 T Z Timer Counter TIMER COUNTER 0 to 65535 0 to 65535

User-defined data types UDT UDT User-defined data type UDT 0 to 65535

Siemens S7 Indirect Addressing

by Automation Training The following is provided by Automation Training from their excellent Siemens Step 7 training manual. This is a really nice explanation of a difficult but important subject. Check out their website for hands-on and online training classes.

The most common form of addressing used in the Siemens S7 PLCs is direct and symbolic. When a direct addressed is referenced by an instruction there is no question as to the location in memory. The following are examples of direct addressing: Inputs: Outputs: Markers: Timers: Counters: Local: Data Block: I4.0, IB4, IW4 , ID4 Q124.0, QB124, QW124, QD124 M11.0, MB10, MW10, MD10 T34 C23 L0.0, LB1, LW2, LD4 DB5.DBX2.0, DB5.DBW6, DBD8

By using the methods of indirect addressing the address used by an instruction can be varied to point to any number of locations. In this case, a memory location stores a pointer to another memory location. While this may increase the difficulty of troubleshooting, its advantage is to greatly reduce the number of networks and instructions needed to control a process. It is also a method that must be understood to use some of the library and system function calls provided by Siemens.

The POINTER and ANY Data Types

A POINTER data type is used to format a number to be accepted as an address rather then a value. A pointer is always preceded by a P# symbol. The pointer address may be in three different formats. Format P#<byte>.<bit> P#<area><byte>.<bit> P#<area><byte>.<bit><length> Example P#8.0 P#124.3 P#M50.0 P#I4.0 Memory Storage 4 Bytes 6 Bytes

P#DB25.DBX0.0 BYTE 14 10 Bytes P#M0.0 WORD 2 P#I0.0 DWORD 5

The ANY data type is used to pass a parameter of an unknown or undefined data type. Some functions in the library use the ANY data type to work on whole sections of memory. To do this,

the last pointer method is used to describe an area. For example the address P#DB25.DBX 0.0 Byte 14 points to the first byte of DB25 with a length of 14 bytes. NOTE: A DINT can be converted to a POINTER by simply shifting the double word left by 3 bits.

Data Block Instructions

When working with indirect addressing it is sometimes needed to first of all open a DB and then begin working on the address without directly referring to any one DB. This is done using the OPN instruction. The OPN instruction can open either a shared data block (DB) or an instance data block (DI).
OPN DB 10 //Open DB10 as a shared data block



//Load data word 36 of DB10 into ACCU1



//Transfer the contents of ACCU1 into MW22




//Open DB20 as an instance data block



//Load data byte 12 from DB20 into ACCU1



//Transfer the contents of ACCU1 to data //byte 37 of the open shared data block DB10

When monitoring in STL the shared DB number is displayed in the DB1 column and the instance DB number is displayed in the DB2 column. Furthermore, there are instructions to confirm that the correct DB number is opened and that it is large enough for the next operation.
L DBNO //Loads the number of the opened //shared data block into ACCU1


//Loads the length of the opened

//shared data block into ACCU1


//Loads the number of the opened //instance data block into ACCU1


//Loads the length of the opened //instance data block into ACCU1

Memory Indirect Addressing

The first method of indirect addressing is called memory indirect addressing because it allows for a memory location (M, DB or L) to determine or point to another. The memory area identifiers T, C, DB, DI, FB and FC use a word (16-bit) pointer location in integer format. Two examples are as follows:
L 5 //Load ACCU1 with pointer value


//Transfer pointer into MW2

T [MW 2]

//Load ACCU1 with T5 current time value


DB [#DB_Temp]

//Open DB whose data block number is //from the interface temp parameter //named DB_Temp

The memory area identifiers I, Q, M, L, DB use a double word (32-bit) location using the POINTER data type.
L P#0.7 //Load ACCU1 with pointer value


//Transfer pointer into MD2

I [MD 2]

//Check state of I0.7

M [MD 2]

//Assign value of RLO to M0.7



//Open DB5


//Load pointer into ACCU1


//Transfer pointer to temp location

DBW [#TempPointer] //Load the value at DB5.DBW2 into ACCU1

//Load a zero into ACCU1


//Check if the value is greater //then zero

When monitoring memory indirect addressing the INDIRECT column displays the current address the instruction is using. Note that math can be done on the POINTER data type using the double math instructions (e.g. P#2.0 + P#5.0 = P#7.0).
L P#2.0 //Load ACCU1 with pointer value


//Load ACCU1 with secondpointer value



//MD0 now contains the value P#7.0

Since the bit position only goes to eight the result of P#8.7 + P#1.1 = P#10.0 and not P#9.8. These methods can be used to offset the address or increase/decrease the pointer in a loop.

The Address Registers

Besides the regular accumulators, there are two 32-bit address registers (AR1, AR2) for storing pointers used in register indirect addressing methods. A series of different load and transfer type instructions can be used to work with AR1. A similar set is available for AR2. STL LAR1 LAR1 P#M100.0 LAR1 MD24 LAR1 AR2 Description Loads AR1 with the contents of ACCU1 Loads AR1 with a pointer constant Loads AR1 with the pointer in MD24 Loads AR1 with the contents of AR2


Transfers the contents AR1 into ACCU1 Transfers the contents in AR1 to a memory location Transfers the contents in AR1 to AR2


Exchanges the contents of AR1 with AR2

Addition can be directly accomplished on AR1 and AR2 with the following: STL +AR1 +AR1 P#100.0 Description Adds the contents of ACCU1 to AR1 and stores the result back into AR1 Adds the pointer constant to AR1 and stores the result back into AR1

Area-Internal Register Indirect Addressing

The area-internal register indirect addressing method uses one of the address registers plus a pointer to determine the address the instruction is to reference. The format is: address identifier [address register, pointer]

The address identifier can be I, Q, M, L, DI or DB in bit, byte, word or double word form. The address register must be previously loaded with a double word pointer without reference to the address identifier. The exact address is determined by adding the address register with the pointer. The example below shows the area-internal method using bit locations.
L P#0.7 //Load ACCU1 with pointer value


//Load AR1 with pointer in ACCU1

I [AR1, P#0.0]

//Check input I0.7

Q [AR1, P#1.1]

//If RLO=1 turn on Q2.0

Area-Crossing Register Indirect Addressing

Area-crossing register indirect addressing is similar to the area-internal method except the pointer loaded into the address register references a memory area (e.g. P#M10.0 or P#DBX0.0). This means the address identifier used before the opening bracket is not needed if referencing a bit otherwise it will be a B for byte, W for word or D for double. The example below shows the area-crossing method using bit locations.
L P#I0.7 //Load ACCU1 with pointer value


//Load AR1 with pointer in ACCU1


//Load ACCU1 with pointer value


//Load AR2 with pointer in ACCU1

[AR1, P#0.0]

//Check input I0.7

[AR2, P#1.1]

//If RLO=1 turn on Q125.1

This next example shows area-crossing methods using a word and double word format.


//Load ACCU1 with pointer value


//Load AR1 with pointer in ACCU1

W [AR1, P#10.0]

//Load the word whose address is //determined by the contents of //AR1 plus 10 bytes (MW10) into ACCU1



//Open DB5

P#DBX 0.0

//Load ACCU1 with pointer value


//Load AR2 with pointer in ACCU1


//Load zero into ACCU1

D [AR2, P#50.0]

//Transfer the value in ACCU1 to the //double word whose exact location is //the address in AR2 plus 50 bytes //(DB5.DBD50)

Exercise #1
1. Comment the lines of STL below to describe what this network does:
A I 0.0






M001: L


M002: LAR1


[AR1, P#0.1]

2. Enter the code, monitor it and verify your answers.

Exercise #2 (Advanced)
1. Create a DB with an array of 10 real numbers. Populate the array with random values. 2. Create a function that will return the max number in the array and its position. Use the indirect addressing method of your choice.

Siemens S7 Status Word

In Siemens PLCs the Status Word is an internal CPU register used to keep track of the state of the instructions as they are being processed. In order to use STL more effectively it is important to understand the Status Word and its functions. Each bit in the Status Word has a specific function to keep track of bit logic (RLO, STA), math (OV, OS), comparison operations (CC0, CC1) and whether the logic should continue, be nested or start new (/FC, OR, BR). Only the first 9 of the 16 bits are used. Bit Positions 8 7 6 BR CC0 CC1 5 OV 4 OS 3 2 1 OR STA RLO 0 /FC

Each instruction may do the following to each bit in the status word.

* x 0 1

No read or write Read May write "1" or "0" Reset to "0" Set to "1"

The status word can be seen by displaying the STATUS column while monitoring in STL view. The RLO (bit 1) and the STA (bit 2) are also displayed in the RLO and STA column.

The Most Important Status Word Bits /FC First Check (bit 0) If the /FC bit is a 0 then the instruction is considered to be the first instruction being processed. If the /FC is a 1 then the instruction being scanned will use the logic from the previous instruction. Certain instructions like =, S and R will set the /FC bit to 0 thus starting new logic after it. Other instructions like A or O will set the /FC bit to 1 signalling to combine the logic with the next instruction. RLO Result of Logic Operation (bit 1) The RLO bit stores the running logic state of the currently processing instructions. Certain bit logic and comparison instruction will turn the RLO to a 1 when the condition is TRUE and write a 0 when the condition is FALSE. Other instructions read the RLO (=, S, R) to determine how they are to execute. STA Status (bit 2) The STA bit reflects the state of the current Boolean address. Help with RLO, STA and /FC

If you are used to ladder logic and struggling to understand the purpose of the RLO and STA it may help to visualize a rung like below. The STA is used to keep track of the state of the addresses. The RLO is used to keep track of the state of the rung.

The equivalent STL is shown below.

It steps through the logic as follows: 1. At the start the First Check bit (/FC) is zero so an And instruction will logically mirror the Status bit (STA) over to the Result of Logic Operation (RLO). In this case the address I0.0 is 1 so the STA is one and the result of the logic (RLO) will be 1. The A instruction writes a 1 to /FC.

2. On the second line, the /FC bit is now 1 indicating that this line needs to use the RLO from the previous line. The address I1.1 is on so the STA = 1. The RLO from the last line is 1 and this is anded with the current STA with a result of 1 in the current RLO.

3. The same thing happens on the second line but this time 1 and 0 makes the current RLO = 0.

4. The fourth is the Assign instruction which takes the RLO and writes it out to the corresponding address. In this case the final RLO = 0 so the output will be off. If M0.0 was 1 then the And operation will evaluate to true making the RLO = 1 which will then turn on the output Q1.0.

The Other Status Bits OR (bit 3) The OR bit is used for combining AND functions before OR functions. OS Overflow Stored (bit 4) In the event of an overflow (OV bit 5) the OS bit will store the value even after the OV bit has been reset. The following commands reset the OS bit: JOS (Jump if OS=1), block call instructions, block end instructions. OV Overflow (bit 5) The OV bit is set by a math instruction with floating point numbers after a fault has occurred (overflow, illegal operation, comparison unordered). The OV bit is reset when the fault is eliminated. CC0, CC1 Condition Code (bits 6 and 7) The Condition Code bits provide results for comparison and math instructions. Comparison Instructions CC 1 CC 0 Meaning 0 0 ACCU 2 = ACCU 1 0 1 ACCU 2 < ACCU 1

1 1

0 1

ACCU 2 > ACCU 1 Unordered (floating point comparison only)

Math Instructions, without Overflow CC 1 0 0 1 CC 0 0 1 0 Meaning Result = 0 Result < 0 Result > 0

Integer Math Instructions, with Overflow CC 1 0 0 1 1 CC 0 0 1 0 1 Meaning Negative range overflow in ADD_I and ADD_DI Negative range overflow in MUL_I and MUL_DI Negative range overflow in ADD_I, ADD_DI, SUB_I, and SUB_DI Division by 0 in DIV_I, DIV_DI, and MOD_DI

Floating Point Math Instructions, with Overflow CC 1 0 0 1 1 CC 0 0 1 0 1 Meaning Gradual underflow Negative range overflow Positive range overflow Not a valid floating-point number

Shift and Rotate Instructions CC 1 CC 0 Meaning 0 0 Bit shifted out = 0 1 0 Bit shifted out = 1 Word Logic Instructions CC 1 CC 0 Meaning 0 0 Result = 0 1 0 Result <> 0 BR Binary Result (bit 8) The Binary Result transfers the result of the operations onto the next instruction for reference. When the BR bit is 1 it enables the output of the block (ENO) to be TRUE and thus allow other blocks after it to be processed. The SAVE, JCB and JNB instructions set the BR bit.

Statement List (STL) Cheat Sheets

If you are a Siemens PLC user then you've more then likely have run into Statement List (STL) programming. STL corresponds to the Instruction List language defined in the IEC 61131-3 specification. The programming is done with very simple mnemonics that can be hard to remember if you don't use it very often. These cheat sheets provide a quick reference guide for all the instructions and formatting. They are two pages long but if you can print on the front and back then they make for a nice one sheet reference.

STL Listed Alphabetically

Best used when trying to interpret an existing program. Download: PDF (131KB)

STL Listed by Category

Best when doing programming. Download: PDF (140KB)

Connecting IFIX SCADA to Siemens S7 using TCP/IP

Setting up an S7 connection using TCP/IP
The TCP/IP method of communication to the S7-300 and S7-400 PLC's via TCP/IP communication module uses the S7WIN, S7WINSP, S7NT, or S7NTSP protocol.

Software requirements
Siemens SIMATIC NET software v6.1 IFIXSCADA v5.x or above Windows XP + SP1

SOFTNET-S7 Industrial Ethernet

Hardware requirements
Standard network card S7-300 with CPU315-2 DP Siemens power supply PS30/5A Siemens CP343-1 TCP

The hardware modules occupy the following slots in the Siemens PLC: 1. Siemens power supply

2. S7-300 CPU 315-2 DP 3. Ethernet CP343-1 TCP

Example configuration
All wiring should be installed according to Siemens documentation.

Installing the SIMATIC NET software

You must log in as an Administrator to install the SIMATIC NET software. Close all other running applications, including any antivirus software you may be running. 1. On the SIMATIC NET flash screen, start the installation by clicking Install SIMATIC NET Software. 2. The PC configuration screen appears. Click Next. 3. Select the English language option, then click Next. Click Next again. 4. Click yes to the licensing agreement screen. 5. Enter your Name and Company on the User Registration screen. 6. If you already have SIMATIC NET software installed, this will be the drive selected by default. Clear the Run automatic authorization option, and then click next. The Setup: Configuration screen appears. 7. Select all application options to be installed. (This is necessary if you do not already have STEP7 installed on your machine. If STEP7 v5.2 or higher is already installed, you do not have to select the NCM PC/S7 v5.2 application.) Click Next. 8. The applications you selected are installed. At the prompt, click OK to restart your system. The system restarts and installs the selected applications. Click Finish to restart your system again. The SIMATIC NET software is now installed.

Configuring the SIMATIC NET software

This step involves using the Commissioning Wizard to configure the software you installed in the previous step.

Configuring the module

When your system restarts after the software has been installed, your system's hardware configuration is scanned. The Commissioning Wizard appears automatically. (You can also access the Commissioning Wizard at Start/Simatic/SIMATIC NET/Settings/Commissioning Wizard.) The number of steps required depends on the number of PC Ethernet cards (or modules) detected in your PC. The more modules you operate in the computer, the more steps are required.

1. Click Next. An Ethernet Network Card with with the IP addresses settings shown above was found. This is the network card that will be configured for communication with the Siemens PLC. This is put on index 5. Note: The index of the network card can be set with the NCM PC Configuration (hardware configuration). The station index defaults to 5 if you use the Commissioning Wizard. 2. Select the Use the module for productive operation in configured PC station option, and then click next. 3. Clear the SIMATIC NET OPC Server in configured PC Station option and select the Configure more applications option. Then click next. 4. Register the names for your user application: enter VFD1 in the Name text box. This user application is put on index 1. Click Next. Note: The name of the application is the VFD name. This comes later in the IFIX Project Editor under Communication | Ports in the Special options text box. 5. Click Next. This screen appears, confirming you have completed configuring the module: 6. The configuration is saved and the PC station is reconfigured. Your existing configuration data is overwritten. Click OK to confirm at the prompt. This completes the module configuration.

Configuring the project with the PC Station Wizard

The next step to configure the project using the PC Station Wizard. 1. Start the PC Station Wizard. 2. Choose Create a new project and configuration. A new project is created. Click Next. 3. Define a new Project name; this example uses IFIXS7. Specify where the copy of the local PC station settings resides, and then click Next. 4. Select the Edit network and connection configuration option, and then click Finish. NetPro automatically starts, displaying the network configuration. 5. Click the Application box in the PC station, and then choose Insert | New Connection. The Insert New Connection dialog box appears. 6. Choose the Unspecified item in the tree. From the Type menu in the Connection area, choose S7 connection. Then click Apply, and then click OK. 7. In the Properties -S7-Connection dialog box, the local IP Address should be the address of the Ethernet card in the PC. This example uses The partner IP Address should be that of the Ethernet CP343 module in the PLC, in this case The Local ID is the connection identifier of this connection (here it is S7-Connection_1). It will be used later on as the address of the IFIX I/O device. Click

Address Details. Note: The Local ID S7-Connection_1 is used later in the IFIX Project Editor under Communication | I/O Devices in the I/O Device Address text box. This name is casesensitive and cannot not contain any spaces. 8. In the Address Details dialog box, enter the card location of the CPU that the SIMATIC S7 communicates with. Here the card location is 2. Click OK. Note: Some power supplies might occupy 2 slots. If so, the card location of the CPU is one higher at 3. 9. In the NetPro window the new S7-Connection_1 connection appears. Choose Network | Save and Compile. The Save and Compile dialog box appears. 10. Select the Compile and check everything option, and then click OK. 11. After completing the save and compile operation, a message appears in the NetPro window. This indicates the warnings and errors present in the configuration. If warnings occur here, then this is to be handled as information only. But if errors occur, the project configuration cannot be loaded. To view errors, choose View |Outputs. 12. Highlight by clicking on the PC Station (TESTXP). Afterwards the connection table disappears in the message window. From the NetPro menu choose PLC | Download | Selected Stations to transfer the project configuration to the PC. Alternatively, rightclick the PC Station and choose Download | Selected Stations. 13. To confirm the overwrite of configuration data and to proceed with the download, click Yes. 14. To confirm stopping the Target Module (Network interface Card), click OK. 15. The configuration should now be successfully loaded. Exit NetPro and click next, and next again to finish the Commissioning Wizard. If you have errors, see for details.

Defining an access point for the application

The next step is to define an access point for the application. 1. The Configuration Console should appear after terminating the Commissioning Wizard. If it doesn't, open the Configuration Console by selecting START / SIMATIC / Simatic Net / Settings / Configuration Console. 2. In the Configuration Console dialog box, right-click the Access Point object, and choose New | New access point. Note: You can choose any name for the Access point, but it cannot contain spaces and be longer than 32 characters. 3. In the New access point dialog box, enter your access point name (this example uses IFIXS7). Select the hardware component that will be associated with this access point (TCP/IP -> ASUSTeK/Broadcom 440x in the example). Note: The access point name is used later in IFIXSCADA in the Project Editor under

Communication | Boards in the Special Options text box. The access point name is case-sensitive. After creating the access point the Configuration Console should look like this: 4. Close the Configuration Console. This completes the Simatic NET software configuration.

Configuring the S7 driver

The IFIX S7 driver needs three names (settings) from the SIMATIC NET software configuration. The following points are needed: SIMATIC NET Access point of the application VFD/Application Name Configuration example IFIXS7 VFD1 IFIX Info Boards, Special options Field Ports, Special options Field

Name of the connection (or Local S7-Connection_1 IODevices, Address Field ID)

Using the Express Wizard

You use the Express Wizard to configure your communications. 1. In IFIX Explorer, create a new (empty) test project. 2. In the IFIXSCADA Project Editor, choose Communication | Express Wizard. 3. In the wizard: o Create a new I/O Servers e.g. IOServer. o Create a new I/O Device e.g. IODev. o Select external as the type of the I/O Device (PLC): Select the Siemens | S7300 or S7-400| TCPIP using NE2000 network CARD for Windows NT for NT/W2K/XP/2003, or the TCPIP using NE2000 network CARD for Windows 95/98 for 95/98/ME option. 4. Define the name of the connection. In this example it is S7-Connection_1. Note: Do not select the Link I/O Device to an external tag Database option. This completes this section.

Setting the Access Point

The next step in the process is to set the access point of the application.

1. Open the Boards dialog box by choosing Communication | Boards. 2. In the Special Opt text box, enter the access point of the application. This example uses IFIXS7.

Setting the VFD name

The next step is to set the VFD name. 1. Open the Ports dialog box by choosing Communication | Ports. 2. In the Special Opt text box enter the VFD Name. In this case VFD1.

Checking the name of the S7 connection

The next step is to check the name of the S7 connection. 1. Open the I/O Device dialog box by choosing Communication | I/O Devices. 2. In the Address field enter the name of the connection to the PLC. This example uses S7-Connection_1.

Variable declaration
The next step is to declare the variables. 1. Open the Tags Form by choosing Tags | Variable Tags. 2. Create a variable with the following information: o Variable Tag Name: TestInteger o I/O Device Name: IODev o Type: INT o Address: DB190,0

Troubleshooting your S7 connection

Question: I receive the following error message when downloading the PC station in the SIMATIC NCM PC manager:
"The module "station manager" cannot be contacted. Change the on-line interface." "For On-line connections via the PC internal interface a station name must be assigned

in the component configurator. This name must be identical to the name of the PC station, as configured in the STEP7 (or Simatic Net) project." "Online: No connection could be made. The participant does not announce itself." Solution 1. Check in SIMATIC NCM PC Manager under the Menu option Options | Set PG/PC Interface, whether the point of entrance S7ONLINE is linked with the PC internal (local) interface.

2. The Station Configuration Editor tells you whether your module is Online. You can start the Station Configuration Editor by double-clicking the icon. This should not be OFFLINE, so to change its mode of operation, click Change Mode. The mode of operation should now change to ONLINE. 3. Check the station name in the Station Configuration Editor. This must match with the name in SIMATIC NCM PC Manager. You can change the station name in the Station Configuration Editor by clicking Station Name. 4. Open the Station Configuration Editor and the SIMATIC NCM PC Manager. Check the order and the number of configured components and the indexes that are used. These should match.