Siemens S7-1500 Client Tutorial

The Siemens S7-1500 PLC, together with the Siemens TIA Portal version 15.1 and above, can be used as an OPC UA client and thus connect to the OPC UA server on the Franka Emika Robot.

The example project from the Siemens website can serve as a starting point. This example project contains both a OPC UA client and a server device. The server is provided by the robot in our setup, you can therefore delete the server device from the project.

You might have to change the device type because your S7-1500 might not be exactly the same model as the one that’s used in the example project.

change the device from inside the device configuration

Changing the device

After that you can change the IP address assigned to the device by double clicking on the ethernet port of the device in the device view.

Protecting the Project

The TIA Portal has the option to password protect a project. In our tests we didn’t manage to connect the PLC to the Franka Emika Robot with an unprotected project, which might be due to the differences in how certificates are handled in protected and unprotected projects.

Note that after this step you will be unable to access the project without your chosen username and password, make sure to write this information down.

project protection settings

Activating the project protection

Configuring the connection to the OPC UA server

client interface settings

Open the client interface settings.

In the OpcUaClientInterface settings you can enter the IP address that is assigned to the Franka Emika Robot in your network, in the above screenshot that is 192.168.1.180. The Port should be set to 4840.

Activate the global security settings for the project. This is only available in protected projects.

global security settings

Global security settings.

For the client security settings you should select either a signed or a signed & encrypted connection as the security mode, otherwise the login doesn’t work because the S7 doesn’t want to transmit passwords via an unencrypted connection. Note that when selecting a signed connection without encryption, the password is still encrypted even though the rest of the communication is in plaintext. The security policy should be set to Basic256Sha256.

client security settings

OPC UA client security settings.

Inside the client certificate dropdown you can generate a new certificate that the S7 can later use to identify itself when communicating with the OPC UA server.

Tick the option to automatically trust the server certificate at runtime. If you don’t want to do this, then you need to insert the certificate of the Franka Emika Robot (the one that is sent when accessing DESK in a browser) as a trusted certificate in the certificate manager which you can find under security functions in your TIA Portal project. Note that the certificate manager only becomes visible after password protecting the project.

Select “Username and Password” as the authentification mechanism and insert the username and password that you use to access DESK.

Selecting variables and methods

In the top right panel of the OpcUaClientInterface settings a connection can be made from the TIA Portal directly to the OPC UA Server. There you can browse available variables on the server, for example “BrakesOpen” and insert them via drag and drop in the read list. You can remove any previous entries that are present in the read list from the example project.

When adding a method to the method list you will have to adjust the inputArguments field to the OPC UA block in the main program block.

method input argument to OPC UA block

Select the correct inputs field for the OPC UA method that will be called.

For calling methods without any arguments, this field can be set to NULL.

You will also have to update the list of variables in the ControllingOpcUaClient table because the existing entries point to the now removed entries. Delete the invalid entries and replace them with the new entries from the OpcUaClientInterface_Data table. You can float one of the panels in order to have both visible at once and then add entries via drag and drop.

Loading the project to the S7-1500

Some settings, like the IP address that is assigned to the PLC, count as hardware settings, and others count as software settings. Because it’s not always intuitive where the boundary is, it’s easiest to just load both the hardware and software configuration to the device after making any changes.

client security settings

Loading the settings to the connected PLC.

Note that in our tests we sometimes ran into the situation where the first attempt to load the project to the S7 resulted in some nonsensical error, but trying the exact same thing a second time worked. This was especially the case every time after changing the method input and output arguments to the OPC UA client block.

Starting the OPC UA connection

controlling the OPC UA client at runtime

Controlling the OPC UA client at runtime.

The ControllingOpcUaClient table can be used to set variables at runtime. First make sure that the PLC is in Run mode, then enter the monitoring mode by pressing the button with the glasses and green arrow icon.

The OPC UA client can be started by right-clicking the "ControllingInterface".opcUaConnect variable and setting the value to 1. The variables in the status section indicate whether the client managed to connect successfully. The "ControllingInterface".opcUaDiagnostics.subfunctionStatus variable contains error codes that can be used to debug connection problems. The Error Code Reference below lists common errors. For the full list of possible errors consult the OPC UA specification in Part 6 Annex A 2. Additional help can also be found in the documentation of the example project.

Once the connection is established you can read variables from the server by setting opcUaRead to 1 after which the values in the // data READ section should update.

To call methods you need to first select the correct method index. This index starts at 0 and refers to the order that you used in the method list in the OPC UA client interface configuration. The method call can then be triggered by setting opcUaMethodCall to 1. Make sure that the input and output arguments specified in the main program block correspond to the called method. A technique for dynamically switching the input arguments at runtime is given in section 3.4 of the documentation of the example project.

Current Limitations

Certain methods provided by the OPC UA server currently cannot be used by the S7 OPC UA client. Right now this includes all the methods that have a KeyIntPair or a KeyPosePair as an input or output value, because these are implemented as OPC UA extension objects. In our tests we didn’t manage to get the S7 to send or receive any extension objects.

Error Code Reference

16#8005_0000 : BadCommunicationError

“A low level communication error occurred.”

Probably just a wrong IP address or the OPC UA server not running.

16#8017_0000 : BadCertificateUriInvalid

“The URI specified in the Application Description does not match the URI in the Certificate.”

Try to regenerate the certificate used by the client. The Subject Alt Names list of the certificate should contain the client Application URI, by default urn:SIMATIC.S7-1500.OPC-UA.Application:OPC_UA_Client.

In our attempts we had the problem that a certificate generated by the TIA Portal before protecting the project didn’t contain this URI. Regenerating the certificate once the project was password protected fixed the problem.

16#801F_0000 : BadUserAccessDenied

“User does not have permission to perform the requested operation.”

Check your username / password.

16#8055_0000 : BadSecurityPolicyRejected

“The security policy does not meet the requirements by the Server.”

Check if you selected the correct encryption algorithm in TIA. By default it selects Basic128Rsa15, which is outdated and thus not provided on the OPC UA server of the Franka Emika Robot. Select Basic256Sha256 instead.

16#806F_0000 : BadNoMatch

“The requested operation has no match to return.”

When this error appeared in our tests, the communication didn’t show any errors. The problem for us was that we still had a variable from the example project in the write list. Even though we weren’t calling the write operation, the S7 still tried to find the specified variable.

16#8074_0000 : BadTypeMismatch

“The value supplied for the attribute is not of the same type as the attribute’s value.”

Trying to call the Read method on the KeyIntMap with an incorrect variable name also results in this error in the S7 OPC UA Client block, not just type errors.

16#8076_0000 : BadArgumentsMissing

“The client did not specify all of the input arguments for the method.”

Check the method input arguments on the OPC UA client block, and also verify the index of the method that you are trying to call.

16#80E5_0000 : BadTooManyArguments

“Too many arguments were provided”

Check the method input arguments on the OPC UA client block, and also verify the index of the method that you are trying to call.

16#80E6_0000 : BadSecurityModeInsufficient

“The operation is not permitted over the current secure channel.”

You’re probably trying to use unencrypted username and password auth, which Siemens doesn’t allow apparently. Try to use either guest auth or to switch to a signed / signed & encrypted channel.