Tracing code in S7

Hello,
Is there a more simple method to trace a PLC code (Siemens S7) other than doing a cross reference on every marker? I'm trying to find out what affects the values of a bunch of outputs.
Maybe a certain strategy or an open source program that can draw charts for the variables' connections?

Thanks in advance.


PS: Also, the symbol table is empty since the program was downloaded from a PLC.

I'm presuming a S7-300 or 400 PLC.

Uploading a program from a PLC is not recommended, I would try to get the original code with all the documentation.

Most experienced people would program without too many marker flags in the program, it is usual for the majority of the code to be done in FB's, therefore a lot of information would be held in Data Blocks.

When you upload, not only do you not have the comments and symbols for any part of the program but also all the formatting in the DB area will be wrong.

It is very difficult to use an uploaded program file.

The newer Siemens PLC's, the 1200 and 1500 hold all comments in the PLC, the 300 and 400 PLC's do not.

Yes it's a S7 300. And the documentation isn't available, probably lost.
So basically the only method is to cross reference every marker? IT does contain a lot of markers.
So far I've been cross referencing the markers and it's getting bigger and bigger.

I feel for you.

How big is the program?

Is it all ladder or a lot in STL?

How old is the program, is the original developer still about. To get an old out of date copy would be a big help, even if they charge.

On the rare occasion I have had to do this, I start with the IO.

Depending on size of the program, I'd start with I/O naming, then looking for flags that are results of those IO's and comment them.

This way You can comment some logic. When using cross reference Go-To always have checked 'overlapping access' - sometimes it's really helpful.

Well the program is pretty huge. A senior engineer gave it to me so that I'd trace it.. No specific I/Os, no symbol table, no wiring diagrams.. Nothing. So far I've been cross referencing every marker that I come across while cross referencing the outputs I was asked to trace.. It's just getting bigger but it seems like it's coming to an end soon. So yea, I thought there might be an open source program or something that could do it.
I did find this but I haven't had a chance to try it yet since it's for Linux.
http://www.proview.se/doc/en_us/man_opg_opg_trace.html
I'm not sure if it's even related.

Also, in what way does the DB area formatting become wrong?

It really is worht putting a lot of effort in to tracking down an original documented copy of the program. I have reverse engineered a few, mostly for S5 to S7 upgrades. When you tell a client that the cost of his upgrade will increase by 1000% without a documented copy of the program, very often a copy can be found.

I liken this process to a giant jigsaw puzzle but when you start out you have no idea what the final picture will look like; all you can do is look for the links between the pieces. With an actual jigsaw you start with the outside edges and work your way towards the middle. In a PLC, the I/O are the outside pieces.

Start with a set of drawings and then, as others have said, name the I/O from the drawings.

With data blocks, elements might originally have been defined as bits, bytes, words, doubles, arrays, strings, UDTs etc. all with meaningful names, but after an upload you'll get D_0, D_1 etc.

Nick

Find a set of electrical drawings and create a symbol file. All of the inputs and outputs will make more sense to you. Once you get them in the program, start working your way from the outputs back. There will be a lot of "L" (local memory). Just skip it. work your way as far as possible. You can start back in from the inputs next.