| Module | Name | Version | License | Source | Languages | Platforms | Type | Author |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Siemens | Siemens DAQ and Beckhoff | 4.5 | GPL2 | | en,uk,ru,de | x86,x86_64,ARM | DAQ | Roman Savochenko; Maxim Lysenko (2009) — the page initial translation |
Provides support for data sources of Siemens PLCs by means of Hilscher CIF cards (using the MPI protocol) and the LibnoDave library (or the module's own implementation) for the rest. Data sources of the firm Beckhoff are also supported, over the TwinCAT ADS/AMS protocol, because it also works with data blocks.
  • Sponsored by, for the Simple type support, the data area specifying and other extension on 1.6 HD[!]: INSERTEC LTDA
  • To Do:
+ append the builtin Standard Mode of the DAQ-Parameters.

The primary goal of this module was to support the Siemens S7 industrial controllers (S7-200,300,400,1200). Historically, these controllers could be accessed in a ProfiBus network only through Siemens' own communication processors (CP5412, CP5613, etc.) and its own S7 protocol. These communication processors and the APIs for the S7 protocol are quite expensive; in addition, the drivers for the communication processors and the S7 API are closed and available only for the Intel + MS Windows platform (there was some information about the possibility of purchasing it for Linux).

An alternative to the Siemens communication processors that still allows full work with the Siemens controllers is the range of communication products of the firm Hilscher, namely the CIF communication processors of the ProfiBus (PB) series, together with the LibnoDave library.

A feature of the Hilscher products is the completely open specification of the exchange protocol with the communication processor, a unified driver for all CIF cards, the availability of drivers for many common operating systems (OS) and the openness of the driver for OS Linux (GPL).

The module is based on version 2.621 of the Hilscher driver for the 2.6 series kernels of OS Linux, kindly provided by Hilscher in the person of Devid Tsaava. All files needed for the build are included in the module, and it does not require special dependencies. The driver version 2.621 of the CIF cards is available to download here.

The CIF family boards of the firm Hilscher and the unified driver support the widest range of equipment. Supporting all these features in this module without having all this equipment at hand is not possible. Therefore, support for a particular piece of equipment will be added as it is needed and as the equipment becomes available. In version 2.0.0, the module provides support for data sources in ProfiBus or MPI networks, via MPI, at network speeds from 9600 baud to 12 Mbaud. In particular, the Siemens controllers of the S7 family (S7-200,300,400) are supported and verified.

The LibnoDave library is an implementation, obtained by reverse engineering, of the MPI, S7, ISO-TSAP and other protocols that are used in interaction with the Siemens controllers. The library supports many MPI and USB adapters, as well as ProfiNet. Siemens communication processors are not supported by the library on platforms other than MS Windows. At this stage, the module supports the ISO-TSAP (ProfiNet) protocol through the LibnoDave library. The LibnoDave library is fully included in this module, so no dependencies have to be resolved either at build time or at run time.

Note: the LibnoDave library code contains subtle bugs that mostly show up under heavy load and at connection time, and that result in damage to the process memory and crashes in unexpected locations. For this reason, starting from version 2 of this module, the required functions are being rewritten, and the ISO-TCP connection code is ready for use.

The module also implements the functions of horizontal redundancy, working in conjunction with a remote station of the same level. In addition to synchronizing the archives of values and the archives of parameter attributes, the module synchronizes the computational templates, so that the algorithms are taken over without a shock.

1 Communication controllers CIF

The CIF family card driver supports the installation of up to 4 CIF boards. To check which cards are present in the system and how they can be configured, the module provides a form for control and configuration of the CIF cards (Fig.1).

Fig.1. Configuration tab of CIF-boards.

Using this form you can verify the presence of communication processors and their configuration, and configure the ProfiBus network settings: the PB address of the communication processor and the speed of the ProfiBus bus. In the other tab of the module (Fig.2) you can verify the presence of various stations in the ProfiBus network.

Fig.2. Monitoring tab of a ProfiBus network.

2 Controller object

To add a data source, a controller object of OpenSCADA is created and configured. An example of a configuration tab for a controller object of this type is shown in Figure 3.

Fig.3. Configuration tab of a controller object.

Using this tab you can set:

  • The state of the controller object, as follows: Status, "Enabled", "Running" and the name of the storage containing the configuration.
    Note: a manual restart of an enabled controller object forces the acquisition blocks to be re-formed.
  • Identifier, name and description of the controller.
  • The "Enabled" and "Running" states into which the controller object must be switched at boot.
  • Policy of scheduling and priority of the data acquisition task.
  • Connection recovery time, in seconds, after lost connection.
  • Mode of asynchronous writing to the remote controller.
  • Connection type, supported ones:
    • CIF_PB — connection to S7 controllers of the firm Siemens via CIF-50PB communication processor or similar;
    • ISO_TCP, ISO_TCP243 — connection to S7 controllers of the firm Siemens via the Ethernet network (TCP243 by CP243);
    • ADS — TwinCAT ADS/AMS protocol for connecting to controllers of the firm Beckhoff.
  • Remote controller address, for the connections:
    • CIF_PB — controller address in the ProfiBus network, a single number 0-255;
    • ISO_TCP, ISO_TCP243 — IP address in the Ethernet network;
    • ADS — network identifier and port for the target and source stations, in the form {Target_AMSNetId}:{Target_AMSPort}|{Source_AMSNetId}:{Source_AMSPort} (for example: "|"), where:
      • AMSNetId — network identifier, written as six numbers 0-255, for example: "";
      • AMSPort — port, written as a single number 0-65535.
  • CPU slot of the PLC in which the central processor of the controller is placed.
  • CIF card used for access to the industrial controller through CIF communication processors.
  • OpenSCADA output transport for the protocol ADS (port 48898, 801 for AMS) and ISO_TCP (port 102) for sending requests.
  • Maximum size of the request block in bytes, useful for controllers with such limits.

3 Parameters

The data acquisition module provides two types of parameter: "Logical (Prm)" and "Simple (PrmS)". Additional configuration fields of the parameters of this module are:

  • Logical (Prm):
    • Parameter template — address of the DAQ-parameter template.
  • Simple (PrmS):
    • Attributes list — contains a structured list of configuration for the attributes Siemens.

3.1 Logical (Prm)

Given the high intelligence of the data sources, namely the industrial controllers Siemens S7-200,300,400,1200, the parameter objects of this type are built on the basis of templates. This approach does not restrict you to a rigid list of parameter types, which would also restrict the capabilities of the controllers, but allows the user to create the required types of parameters independently, or to use libraries of earlier developed types of parameters — templates.

The additional configuration field of the parameters of this type (Fig.4) is the selection field of the parameter template.

Fig.4. Configuration tab of the parameter.

To configure the parameter template a corresponding tab is provided, the content of which is determined by the configuration of the template, that is, the corresponding link fields and constant fields are created.

The Siemens-DB end address is written in the form "(DB{N}|F).{off}[.[{tp}]{SzBit}]", where:

  • DB{N} — Data Block number in decimal, can be negative for the specific data areas of the ISO_TCP connection types (see Appendix A for the data areas);
  • F — the Flags/Markers specific data area (131) of the ISO_TCP connection types;
  • off — offset in the Data Block;
  • tp — type in one symbol from the list: b-Boolean, i-Signed integer, u-Unsigned integer, r-Real, s-String;
  • SzBit — type size for non Boolean, or bit of the byte for Boolean: b=[0...7], iu=[1,2(def),4,8], r=[4(def),8], s=[0(def10)...100].

Examples of the end addresses:

  • "DB1.12.2", "DB1.0xC.2", "DB1.12.b2" — Boolean in DB 1, offset 12 and bit 2;
  • "DB2.24", "DB2.0x18.8" — Integer or Real, taken from the template's IO type, in DB 2, offset 24, size default and 8;
  • "DB3.36.i4", "DB3.0x24.r8" — directly specified Integer and Real in DB 3, offset 36, size 4 and 8;
  • "DB4.48.20", "DB4.0x30.s20" — implicitly, from the template IO type, and directly specified String in DB 4, offset 48 and size 20;
  • "F.12.5" — Boolean in the Flags/Markers data area, offset 12 and bit 5.

The link types by default are determined by the parameter type in the template (Logical, Integer, Real, and String) and the definition of the link value (for group links). The definition of a group link in the template is written in the format "{LnkName}|{OffDB}[.{bit}][|[{tp}]{sz}]", where:

  • LnkName — name of the group link. All references with the same name are grouped and indicated as one reference to the data block or data block with the specified offset.
  • OffDB — offset number in the data block. If you specify only the data block, when configuring the template, this offset will be specified for the parameter. If the configuration of the template also specifies an offset, both offsets will be summed together. This approach allows you to access several structures in one data block. The data block number and the offset can be specified in the decimal (3245) and hexadecimal format (0xCAD).
  • bit — bit number for Boolean, [0...7].
  • tp — type in one symbol from the list: i-Signed integer, u-Unsigned integer, r-Real, s-String;
  • sz — type size: iu=[1,2(def),4,8], r=[4(def),8], s=[0(def10)...100].

Examples of the link types:

  • "Grp 1|0.0" — Boolean in "Grp 1", offset 0 and bit 0;
  • "Grp 2|10|1", "Grp 2|0xA|i1" — Integer, from the template IO type and directly, in "Grp 2", offset 10 and size 1;
  • "Grp 3|20|20", "Grp 3|0x13|s20" — String, from the template IO type and directly, in "Grp 3", offset 20 and size 20.

An illustrative example of the general process of configuring a parameter, from a template to values, is shown in Figures 5 to 8.

Fig.5. Example of a template with grouping.
Fig.6. Configuration tab of a template of a parameter.
Fig.7. Configuration tab of a template of a parameter with an indication of the parameters separately.
Fig.8. Values of a parameter.
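The offset summing described for group links, as an added example that is not part of the original page or of the module's code. It combines a group link definition from a template with the "DB{N}[.off]" address configured for that group and renders the result in the end address notation of this section; the function names, the sample template and the rule that a link cannot carry both a bit and a size are assumptions.

```python
import re

NUM = r"0[xX][0-9a-fA-F]+|\d+"
LINK_RE = re.compile(rf"^(?P<grp>[^|]+)\|(?P<off>{NUM})(?:\.(?P<bit>[0-7]))?"
                     rf"(?:\|(?P<tp>[iurs]?)(?P<sz>\d+))?$")
BASE_RE = re.compile(rf"^DB(?P<db>-?\d+|0[xX][0-9a-fA-F]+)(?:\.(?P<off>{NUM}))?$")

def num(s):
    """Decimal (3245) or hexadecimal (0xCAD) number, as the page allows."""
    return int(s, 16 if s[:2].lower() == "0x" else 10)

def resolve(link_def, base):
    """Combine one group link definition with the address configured for its group."""
    l, b = LINK_RE.match(link_def), BASE_RE.match(base)
    if not l or not b:
        raise ValueError(f"cannot resolve {link_def!r} against {base!r}")
    if l["bit"] is not None and l["sz"] is not None:
        raise ValueError("a link cannot carry both a bit and a size")  # assumption
    off = num(b["off"] or "0") + num(l["off"])   # both offsets are summed
    if l["bit"] is not None:
        tail = f".{l['bit']}"
    else:
        tail = f".{l['tp']}{l['sz']}" if l["sz"] else ""
    return f"DB{num(b['db'])}.{off}{tail}"

def resolve_template(links, bases):
    """links: {io_id: link definition}; bases: {group name: configured 'DB{N}[.off]'}."""
    out = {}
    for io_id, link_def in links.items():
        grp = link_def.split("|", 1)[0]
        if grp not in bases:
            raise KeyError(f"group {grp!r} has no configured address")
        out[io_id] = resolve(link_def, bases[grp])
    return out

# Constructed template: one structure layout reused at different offsets of a data block.
LINKS = {"run": "Motor|0.0", "speed": "Motor|2|i2", "tag": "Motor|0xA|s20"}
```

Calling `resolve_template(LINKS, {"Motor": "DB5.100"})` and then again with `"DB5.0x80"` addresses two structures of the same layout stored in one data block.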

Note: the module supports only the data blocks (DB) addressing of the controllers.

The module provides special processing of a number of attributes of the template:

  • f_frq — frequency of the calculation of the template procedure, read-only.
  • f_start — first calculation of the template procedure (start), read-only.
  • f_stop — last calculation of the template procedure (stop), read-only.
  • f_err — parameter error, full access. Value of the attribute is set to the parameter's error attribute — "err".
  • SHIFR — parameter code, read-only.
  • NAME — parameter name, read-only.
  • DESCR — parameter description, read-only.
  • this — parameter object, allows access to the attributes of the parameter, for example, to access the archives.

3.2 Simple (PrmS)

The main configuration page of a simple type parameter is shown in Figure 9.

Fig.9. Configuration tab of the simple parameter type.

Each attribute line of the attributes list is written as "(DB{N}|F).{off}.{tp}{SzBit}:{flg}:{id}[:{name}]", where:

  • DB{N} — Data Block number in decimal, can be negative for the specific data areas of the ISO_TCP connection types (see Appendix A for the data areas);
  • F — the Flags/Markers specific data area (131) of the ISO_TCP connection types;
  • off — offset in the Data Block;
  • tp — type in one symbol from the list: b-Boolean, i-Signed integer, u-Unsigned integer, r-Real, s-String;
  • SzBit — type size for non Boolean, or bit of the byte for Boolean: b=[0...7], iu=[1,2(def),4,8], r=[4(def),8], s=[0(def10)...100];
  • flg — flags: read/write mode (r-read, w-write);
  • id — identifier of the created attribute;
  • name — name of the created attribute.

Examples of the attribute lines:

  • "DB1.12.b2:r:var:Variable" — Boolean in DB 1, offset 12 and bit 2;
  • "DB2.24.u:rw:var:Variable", "DB2.0x18.r8:w:var" — Integer or Real in DB 2, offset 24, size default and 8;
  • "DB4.0x30.s20:r:var:Variable" — String in DB 4, offset 48 and size 20;
  • "F.12.b5:r:var:Variable" — Boolean in the Flags/Markers data area, offset 12 and bit 5.

A line starting with the '#' character is treated as a comment and is not processed.

In accordance with the specified attributes list, the acquisition and creation of attributes of the parameter are performed (Fig. 10).

Fig.10. The attributes tab of the simple parameter type.
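A validator for the attribute line format above, as an added example that is not part of the original page or of the module's code; the address part follows the same grammar as the end addresses of section 3.1 with an explicit type. It checks an attributes list before it is pasted into a parameter and lists the attributes that are writable to the PLC. The function names, the sample list and the handling marked "assumption" in the comments are assumptions.

```python
import re
from collections import namedtuple
# area: 132 for DB{N}, 131 for F (Appendix A); size_or_bit: bit for 'b', else bytes
Attr = namedtuple("Attr", "area db off tp size_or_bit writable id name")
SIZES = {"i": (1, 2, 4, 8), "u": (1, 2, 4, 8), "r": (4, 8)}
DEFAULT = {"i": 2, "u": 2, "r": 4, "s": 10}
LINE_RE = re.compile(
    r"^(?:DB(?P<db>-?\d+)|(?P<f>F))\.(?P<off>0[xX][0-9a-fA-F]+|\d+)"
    r"\.(?P<tp>[biurs])(?P<sz>\d*):(?P<flg>[rw]{1,2}):(?P<id>[^:]+)(?::(?P<name>.*))?$")

def parse_line(line):
    """Parse one attribute line; None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"malformed attribute line: {line!r}")
    tp, sz = m["tp"], m["sz"]
    if tp == "b":      # assumption: a Boolean must name its bit explicitly
        ok, val = sz != "" and int(sz) <= 7, int(sz or 0)
    elif tp == "s":    # assumption: an empty or 0 size selects the default of 10
        val = int(sz or 0) or DEFAULT["s"]
        ok = val <= 100
    else:
        val = int(sz) if sz else DEFAULT[tp]
        ok = val in SIZES[tp]
    if not ok:
        raise ValueError(f"size/bit out of range for type {tp!r}: {line!r}")
    off = int(m["off"], 16 if m["off"][:2].lower() == "0x" else 10)
    return Attr(131 if m["f"] else 132, None if m["f"] else int(m["db"]),
                off, tp, val, "w" in m["flg"], m["id"], m["name"] or "")

def parse_list(text):
    """Parse a whole attributes list, rejecting duplicate attribute ids."""
    attrs = [a for a in map(parse_line, text.splitlines()) if a]
    if len({a.id for a in attrs}) != len(attrs):
        raise ValueError("duplicate attribute id in list")
    return attrs

def writable_ids(text):
    """Ids OpenSCADA may write to the PLC (flag 'w'): the ones to review first."""
    return [a.id for a in parse_list(text) if a.writable]

SAMPLE = """# constructed sample list, using the address forms from this page
DB1.12.b2:r:run:Running
DB2.24.u:rw:sp:Set point
DB3.0x24.r8:w:lim
F.12.b5:r:alarm:Alarm"""
```

`writable_ids(SAMPLE)` gives the attributes through which the station can change PLC memory, which is the short list to check against what operators actually need to write.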

4 Asynchronous writing mode

The standard writing mode for SCADA systems that interact with a PLC is synchronous, because it allows you to check that the write operation completed correctly. However, when a set of parameters is written at once, this approach is not efficient: it sends a lot of small requests to the controller, which overloads it and takes a long time. The solution is asynchronous writing of adjacent values in one block. This mode is supported by this module and allows you to write all parameters at once in adjacent blocks of 240 bytes. Reading and writing in this mode are carried out in adjacent blocks, with the periodicity of the controller's polling.
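The coalescing of adjacent values into blocks described above, as an added example that is not part of the original page or of the module's code. Queued writes are merged into a byte image per data block and cut into contiguous blocks of at most 240 bytes; the function names, the tuple layout and the rule that a later write to the same byte wins are assumptions.

```python
from collections import defaultdict

MAX_BLOCK = 240  # bytes per write block, the figure given on this page

def coalesce(writes, max_block=MAX_BLOCK):
    """Merge queued (db, offset, data) writes into contiguous write blocks."""
    image = defaultdict(dict)                 # db -> {byte offset: value}
    for db, off, data in writes:
        for i, b in enumerate(data):
            image[db][off + i] = b            # assumption: the later write wins
    blocks = []
    for db in sorted(image):
        start, buf = None, bytearray()
        for off in sorted(image[db]):
            # Close the block on a gap in the addresses or when it is full.
            if start is not None and (off != start + len(buf) or len(buf) == max_block):
                blocks.append((db, start, bytes(buf)))
                start, buf = None, bytearray()
            if start is None:
                start = off
            buf.append(image[db][off])
        blocks.append((db, start, bytes(buf)))
    return blocks

def requests_saved(writes):
    """(requests when each value is written on its own, requests after coalescing)."""
    return len(writes), len(coalesce(writes))

# Constructed queue: 150 adjacent 16-bit values in DB 7, one isolated byte,
# and a second write to the first value that replaces the earlier one.
QUEUE = [(7, 2 * i, i.to_bytes(2, "big")) for i in range(150)]
QUEUE += [(7, 400, b"\x01"), (7, 0, b"\xff\xff")]
```

For the constructed queue, 152 single writes collapse into 3 blocks; the cost is that a failed block can no longer be attributed to one value, which is the control that the synchronous mode provides.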

5 User programming API

Due to the support of the logical type parameters, it makes sense to provide a number of functions of the user API for calling them from the template of the logical parameter.

The object "Parameter" [this]

  • bool attrAdd( string id, string name, string tp = "real", string selValsNms = "" ) [for enabled parameter of the logical type] — adds the attribute id with the name name and the type tp. If the attribute is already present, the properties will be applied that can be changed on the go: name, selection mode and selection options.
    • id, name — identifier and name of the new attribute;
    • tp — attribute type [boolean | integer | real | string | text | object] + selection mode [sel | seled] + read-only [ro];
    • selValsNms — two lines with values in first and their names in second, separated by ";".
  • bool attrDel( string id ) [for enabled parameter of the logical type] — removes the attribute id.

6 Appendix A. Data Areas of the ISO_TCP connections (source table of LibnoDave)

| Name | Code | Example item (German) | Example item (English) |
| --- | --- | --- | --- |
| Data blocks | 132 | DB3.DBD4 | DB3.DBD4 |
| Flags/Markers | 131 | MW4 | FW4 |
| Input memory image | 129 | EB2 | IB2 |
| Output memory image | 130 | AD8 | QD8 |
| Timers | 29 | T2 | T2 |
| Counters | 28 | Z2 | C2 |
| Direct I/O | 128 | PEW4 | PIW4 |
| System information of 200 family | 3 | | |
| Data (V-memory) in S7-200 | 132 | VW1234 | VW1234 |
| System flag area of 200 family | 5 | SMB0 | SFB0? |
| Analog input words of 200 family | 6 | AEW0 | AIW0? |
| Analog output words of 200 family | 7 | AAW0 | AQW0? |
| IEC Timers | 31 | T2 | T2 |
| IEC Counters | 30 | Z2 | C2 |

7 Notes

A targeted search found a few solutions to the problem of communicating with the Siemens industrial controllers through various communication interfaces:

Some specific problems of communication with the Siemens PLCs and their resolutions:

Problem: The connection is broken by the PLC.
Resolution: The specified CPU slot of the PLC is wrong, try some other.

Problem: The connection seems established but the data is not read from the PLC.
Resolution: It looks like you are using an S7-1200, which has various changes in the security policy:
  • Create a data block compatible with S7-300/400 and/or disable optimisation of this block, so that the offset column appears. Disable any protection of this data block.
  • If you have the LibnoDave message "error 33028 context is not supported. Step7 says: Function not implemented or error in telegram.", you have S7-1200 V4.0 and you must grant access for the interface functions Get/Put in the PLC configuration.

8 Links