Siemens S7 Indirect Addressing

by Automation Training

The following is provided by Automation Training from their excellent Siemens Step 7 training manual. This is a really nice explanation of a difficult but important subject. Check out their website for hands-on and online training classes.

Automation Training

Introduction

The most common form of addressing used in the Siemens S7 PLCs is direct and symbolic. When a direct addressed is referenced by an instruction there is no question as to the location in memory. The following are examples of direct addressing:

Inputs:

I4.0, IB4, IW4 , ID4

Outputs:

Q124.0, QB124, QW124, QD124

Markers:

M11.0, MB10, MW10, MD10

Timers:

T34

Counters:

C23

Local:

L0.0, LB1, LW2, LD4

Data Block:

DB5.DBX2.0, DB5.DBW6, DBD8

By using the methods of indirect addressing the address used by an instruction can be varied to point to any number of locations. In this case, a memory location stores a “pointer” to another memory location. While this may increase the difficulty of troubleshooting, its advantage is to greatly reduce the number of networks and instructions needed to control a process. It is also a method that must be understood to use some of the library and system function calls provided by Siemens.

The POINTER and ANY Data Types

A POINTER data type is used to format a number to be accepted as an address rather then a value. A pointer is always preceded by a P# symbol. The pointer address may be in three different formats.

Format

Example

Memory Storage

P#<byte>.<bit>

P#8.0
P#124.3

4 Bytes

P#<area><byte>.<bit>

P#M50.0
P#I4.0

6 Bytes

P#<area><byte>.<bit><length>

P#DB25.DBX0.0 BYTE 14
P#M0.0 WORD 2
P#I0.0 DWORD 5

10 Bytes

The ANY data type is used to pass a parameter of an unknown or undefined data type. Some functions in the library use the ANY data type to work on whole sections of memory. To do this, the last pointer method is used to describe an area. For example the address P#DB25.DBX 0.0 Byte 14 points to the first byte of DB25 with a length of 14 bytes.

NOTE: A DINT can be converted to a POINTER by simply shifting the double word left by 3 bits.

Data Block Instructions

When working with indirect addressing it is sometimes needed to first of all open a DB and then begin working on the
address without directly referring to any one DB. This is done using the OPN instruction. The OPN instruction can open either a shared data block (DB) or an instance data block (DI).

OPN DB 10 //Open DB10 as a shared data block
L DBW 36 //Load data word 36 of DB10 into ACCU1
T MW 22 //Transfer the contents of ACCU1 into MW22
       
OPN DI 20 //Open DB20 as an instance data block
L DIB 12 //Load data byte 12 from DB20 into ACCU1
T DBB 37 //Transfer the contents of ACCU1 to data
//byte 37 of the open shared data block DB10

When monitoring in STL the shared DB number is displayed in the DB1 column and the instance DB number is displayed in the DB2 column.

Furthermore, there are instructions to confirm that the correct DB number is opened and that it is large enough for the next operation.

L DBNO   //Loads the number of the opened
//shared data block into ACCU1
L DBLG   //Loads the length of the opened
//shared data block into ACCU1
       
L DINO   //Loads the number of the opened
//instance data block into ACCU1
L DILG   //Loads the length of the opened
//instance data block into ACCU1

Memory Indirect Addressing

The first method of indirect addressing is called memory indirect addressing because it allows for a memory location (M, DB or L) to determine or point to another.

The memory area identifiers T, C, DB, DI, FB and FC use a word (16-bit) pointer location in integer format. Two examples are as follows:

L 5   //Load ACCU1 with pointer value
T MW 2 //Transfer pointer into MW2
L T [MW 2] //Load ACCU1 with T5 current time value
       
OPN DB [#DB_Temp] //Open DB whose data block number is
//from the interface temp parameter
//named DB_Temp

The memory area identifiers I, Q, M, L, DB use a double word (32-bit) location using the POINTER data type.

L P#0.7   //Load ACCU1 with pointer value
T MD 2 //Transfer pointer into MD2
A I [MD 2] //Check state of I0.7
= M [MD 2] //Assign value of RLO to M0.7
     
OPN DB 5 //Open DB5
L P#2.0 //Load pointer into ACCU1
T #TempPointer //Transfer pointer to temp location
L DBW [#TempPointer] //Load the value at DB5.DBW2 into ACCU1
L 0 //Load a zero into ACCU1
>D   //Check if the value is greater
//then zero

When monitoring memory indirect addressing the INDIRECT column displays the current address the instruction is using.

Note that math can be done on the POINTER data type using the double math instructions (e.g. P#2.0 + P#5.0 = P#7.0).

L P#2.0   //Load ACCU1 with pointer value
L P#5.0   //Load ACCU1 with secondpointer value
+D      
T MD 0 //MD0 now contains the value P#7.0

Since the bit position only goes to eight the result of P#8.7 + P#1.1 = P#10.0 and not P#9.8. These methods can be used to offset the address or increase/decrease the pointer in a loop.

The Address Registers

Besides the regular accumulators, there are two 32-bit address registers (AR1, AR2) for storing pointers used in register indirect addressing methods. A series of different load and transfer type instructions can be used to work with AR1. A similar set is available for AR2.

STL

Description

LAR1

Loads AR1 with the contents of ACCU1

LAR1 P#M100.0

Loads AR1 with a pointer constant

LAR1 MD24

Loads AR1 with the pointer in MD24

LAR1 AR2

Loads AR1 with the contents of AR2

 

 

TAR1

Transfers the contents AR1 into ACCU1

TAR1 MD28

Transfers the contents in AR1 to a memory location

TAR1 AR2

Transfers the contents in AR1 to AR2

 

 

CAR

Exchanges the contents of AR1 with AR2

Addition can be directly accomplished on AR1 and AR2 with the following:

STL

Description

+AR1

Adds the contents of ACCU1 to AR1 and stores the result back into AR1

+AR1 P#100.0

Adds the pointer constant to AR1 and stores the result back into AR1

Area-Internal Register Indirect Addressing

The area-internal register indirect addressing method uses one of the address registers plus a pointer to determine the address the instruction is to reference. The format is:

address identifier [address register, pointer]

The address identifier can be I, Q, M, L, DI or DB in bit, byte, word or double word form. The address register must be previously loaded with a double word pointer without reference to the address identifier. The exact address is determined by adding the address register with the pointer. The example below shows the area-internal method using bit locations.

L P#0.7   //Load ACCU1 with pointer value
LAR1     //Load AR1 with pointer in ACCU1
A I [AR1, P#0.0] //Check input I0.7
= Q [AR1, P#1.1] //If RLO=1 turn on Q2.0

Area-Crossing Register Indirect Addressing

Area-crossing register indirect addressing is similar to the area-internal method except the pointer loaded into the address register references a memory area (e.g. P#M10.0 or P#DBX0.0). This means the address identifier used before the opening bracket is not needed if referencing a bit otherwise it will be a B for byte, W for word or D for double. The example below shows the area-crossing method using bit locations.

L P#I0.7   //Load ACCU1 with pointer value
LAR1     //Load AR1 with pointer in ACCU1
L P#Q124.0   //Load ACCU1 with pointer value
LAR2     //Load AR2 with pointer in ACCU1
A [AR1, P#0.0] //Check input I0.7
= [AR2, P#1.1] //If RLO=1 turn on Q125.1

This next example shows area-crossing methods using a word and double word format.

L P#M0.0 //Load ACCU1 with pointer value
LAR1   //Load AR1 with pointer in ACCU1
L W [AR1, P#10.0] //Load the word whose address is
//determined by the contents of
//AR1 plus 10 bytes (MW10) into ACCU1
     
OPN DB 5 //Open DB5
L P#DBX 0.0 //Load ACCU1 with pointer value
LAR2   //Load AR2 with pointer in ACCU1
L L#0 //Load zero into ACCU1
T D [AR2, P#50.0] //Transfer the value in ACCU1 to the
//double word whose exact location is
//the address in AR2 plus 50 bytes
//(DB5.DBD50)

Exercise #1

  1. Comment the lines of STL below to describe what this network does:
  A I 0.0  
  JC M001  
       
  L P#M10.0  
  JU M002    
         
M001: L P#Q0.0  
       
M002: LAR1    
  A I 0.1  
  = [AR1, P#0.1]  
  1. Enter the code, monitor it and verify your answers.

Exercise #2 (Advanced)

  1. Create a DB with an array of 10 real numbers. Populate the array with random values.
  2. Create a function that will return the max number in the array and its position. Use the indirect addressing method of your choice.