Everything automation engineers need — Siemens S7 fault codes, Allen-Bradley errors, PROFIBUS vs PROFINET, Modbus RTU/TCP, ladder logic, IEC 61131-3 and how AI is changing the way engineers troubleshoot on the plant floor.
A PLC fault code is an alphanumeric or numeric error generated by the PLC CPU, I/O module, or fieldbus interface when it detects an abnormal condition. Faults can originate from hardware failures, software logic errors, communication breakdowns or power supply issues. Knowing how to decode them fast is the difference between a 10-minute fix and a 4-hour outage.
Most PLCs store faults in a diagnostic buffer (Siemens) or fault log (Allen-Bradley) accessible via the programming software. The fault entry typically includes:
Siemens S7 PLCs (S7-1200, S7-1500, S7-300, S7-400) use Organisation Blocks (OBs) to handle faults. The CPU calls a specific OB when a fault occurs — if the OB is not programmed, the CPU stops with a fault.
| OB / Code | Fault Type | Most Likely Cause | First Fix |
|---|---|---|---|
| OB 122 | I/O Access Error | Loose wiring / failed I/O module | Check module LEDs and wiring continuity |
| OB 82 | Diagnostic Interrupt | Sensor or I/O fault (PROFIBUS slave) | Check diagnostic buffer for sub-error |
| OB 85 | Program Cycle Error | Missing OB (OB1 not loaded) | Download complete program to CPU |
| OB 86 | Rack/Station Failure | DP slave or PROFINET device offline | Check fieldbus wiring and device power |
| OB 121 | Programming Error | Wrong data type / address overflow | Check DB access and pointer arithmetic |
| 16#7002 | CPU Not in RUN | Mode switch in STOP or fault | Check mode switch; clear diagnostic buffer |
| 16#0A00 | Password Protected | Wrong or missing password | Enter correct password in TIA Portal |
The S7-1200 is designed for standalone machines and small automation cells. It supports PROFINET RT but not IRT — even the safety-rated S7-1200F variant does not support IRT (the F suffix means SIL-rated safety, not IRT capability). The S7-1200 has no onboard trace/trending — use HMI data logging for trend capture.
The S7-1500 supports PROFINET IRT, integrated motion control, trace/trending, OPC UA server, and provides significantly more processing power for complex applications.
S5TIME format with S7-1200/1500. These use IEC timers only — write T#5S not S5T#5S. S5TIME is legacy S7-300/400 only.Allen-Bradley ControlLogix and CompactLogix PLCs store faults in the Major/Minor Fault log accessible via Studio 5000 Logix Designer. Faults are categorised as Major (CPU stops) or Minor (execution continues with flag set).
| Fault Code | Type | Description | Resolution |
|---|---|---|---|
| Type 4, Code 20 | Major | Watchdog timer expired | Check scan time; optimise heavy routines |
| Type 7, Code 83 | Major | Tag subscript out of range | Check array index in logic |
| Type 1, Code 11 | Minor | Power loss detected | Check UPS / power supply |
| Type 10, Code 27 | Major | I/O module not responding | Check EtherNet/IP connection and module |
| Type 6, Code 07 | Major | Illegal instruction | Firmware mismatch — update controller |
For AB ControlLogix/CompactLogix, 4 mA = 3277 and 20 mA = 16383 raw counts. Use the PIDE instruction for PID control — the legacy PID instruction is for SLC/PLC-5 only and should not be used in Logix-based controllers. Timers are always in milliseconds — a 5-second timer is set to 5000, not 5.
This is the most frequently confused topic in industrial networking. Here is a precise comparison:
| Feature | PROFIBUS-DP | PROFINET |
|---|---|---|
| Physical Layer | RS-485 serial | 100 Mbps Ethernet (1 Gbps newer) |
| Max Speed | 12 Mbps | 100 Mbps / 1 Gbps |
| Max Nodes | 126 total (32 per segment) | 512 per CPU |
| Cycle Time | 1–10 ms @ 12 Mbps | RT < 10 ms / IRT < 1 ms |
| TCP/IP Stack | Not used | Bypassed for RT & IRT; used for Class TCP/IP only |
| Config File | GSD (NOT GSDML) | GSDML (NOT GSD) |
| Connector | D-Sub 9-pin | RJ45 |
| Cable | Purple, RS-485 | Standard Cat5e/Cat6 |
| Termination | 120Ω both ends only | Switch-managed |
| IRT Masters | CP 443-5 / S7-400 | S7-1500, S7-300/400 + CP343-1 Advanced |
| S7-1200 Support | Via CM 1243-5 | RT only — NOT IRT (even S7-1200F) |
Modbus is the most widely deployed industrial protocol in the world — simple, open and supported by virtually every PLC, VFD, sensor and meter. Understanding its two variants prevents the most common commissioning errors.
| FC | Function | Data Type | Access |
|---|---|---|---|
| FC01 | Read Coils | Bit (output) | Read |
| FC02 | Read Discrete Inputs | Bit (input) | Read |
| FC03 | Read Holding Registers | 16-bit word | Read/Write |
| FC04 | Read Input Registers | 16-bit word | Read only |
| FC05 | Write Single Coil | Bit | Write |
| FC06 | Write Single Register | 16-bit word | Write |
| FC16 | Write Multiple Registers | Multiple 16-bit words | Write |
Modbus TCP wraps the same function codes over Ethernet on port 502. The CRC is dropped — TCP handles error checking. The slave ID is replaced by a Unit ID in the MBAP header. Maximum 247 simultaneous connections per server is a common vendor limit.
EtherNet/IP uses the Common Industrial Protocol (CIP) over standard Ethernet. Two connection types:
OPC UA (Unified Architecture) is the preferred protocol for MES/SCADA-to-PLC communication and Industry 4.0 / IIoT integration. Default port is 4840. Security policies include None, Basic256Sha256, and Aes256Sha256RsaPss. Certificate-based authentication is recommended for production.
IEC 61131-3 defines five standard PLC programming languages supported by all modern platforms including Siemens TIA Portal, Rockwell Studio 5000, Beckhoff TwinCAT 3, Schneider EcoStruxure, and all Codesys-based controllers.
| Platform | 4 mA (0%) | 20 mA (100%) | Scaling Method |
|---|---|---|---|
| Siemens S7-1200/1500 | 0 | 27648 | NORM_X + SCALE_X |
| Siemens S7-300/400 | 6912 | 27648 | FC105 / FC106 |
| Allen-Bradley ControlLogix | 3277 | 16383 | CPT or SCL instruction |
| Schneider M340/M580 | 3277 | 16383 | SCALE function block |
| Beckhoff TwinCAT | 0 or 3277 | 27648 or 32767 | Depends on module type |
NAMUR NE43 defines fault states outside the normal 4-20mA operating range:
Always check for NAMUR fault states before scaling. Scaling a 3.8mA wire-break signal will produce a negative engineering value that looks like a valid reading.
For decades, automation knowledge lived in people — senior engineers who had memorised hundreds of fault codes, knew exactly which termination resistor to check on a PROFIBUS segment, and could write a production-ready function block from memory. When those engineers retire or are unavailable at 2am, production stops.
AI tools trained on verified automation knowledge are beginning to fill that gap — not by replacing engineers, but by making expert-level knowledge instantly accessible to everyone on the team:
PLCpilot is an AI assistant built specifically for industrial automation engineers. Unlike general-purpose AI, PLCpilot is trained on verified automation knowledge — correct Siemens raw counts, proper PROFIBUS termination rules, Allen-Bradley fault codes, and platform-specific programming patterns.
Free plan · 10 messages/day · No credit card required
A Programmable Logic Controller (PLC) is an industrial computer that controls machinery and processes by reading inputs (sensors, switches), executing a user program (ladder logic, structured text etc.), and writing outputs (actuators, valves, motors). The CPU executes the program in a continuous scan cycle — typically 1–50ms depending on program size and complexity.
PROFIBUS-DP is a serial RS-485 fieldbus at up to 12 Mbps with max 126 nodes. PROFINET is Ethernet-based at 100 Mbps with RT (<10ms) and IRT (<1ms) modes that bypass the TCP/IP stack. PROFIBUS uses GSD files; PROFINET uses GSDML. S7-1200 supports PROFINET RT only — not IRT.
Open TIA Portal and navigate to Online & Diagnostics > Diagnostic Buffer for the CPU. Each fault entry shows the OB number, timestamp, and additional info bytes. Common ones: OB122 = I/O access error (check wiring), OB86 = station failure (check fieldbus), OB121 = programming error (check data types). You can also paste the code directly into PLCpilot for an instant plain-English explanation.
4-20mA is the standard current loop signal for process instruments. 4mA = 0% of range, 20mA = 100%. In Siemens S7-1200/1500, raw counts are 0 (4mA) to 27648 (20mA) — use NORM_X then SCALE_X. In Allen-Bradley ControlLogix, 4mA = 3277 and 20mA = 16383. Always check for NAMUR NE43 fault states (below 3.8mA or above 20.5mA) before scaling.
IEC 61131-3 is the international standard defining five PLC programming languages: Ladder Diagram (LD), Function Block Diagram (FBD), Structured Text (ST), Instruction List (IL, now deprecated), and Sequential Function Chart (SFC). All modern PLC platforms — Siemens, Allen-Bradley, Beckhoff, Schneider, Codesys — support these languages.
Modbus registers are 0-based in the protocol but 1-based in most documentation. Register 40001 in a datasheet = address 0 in your read command. Slave IDs run from 1-247 (0 = broadcast). Max RS-485 baud rate is 115.2 kbps — not 12 Mbps, which is PROFIBUS.
PLCpilot supports Siemens S7-1200, S7-1500, S7-300/400; Allen-Bradley ControlLogix, CompactLogix, MicroLogix; Schneider M340, M580; Beckhoff TwinCAT 3; Mitsubishi FX, iQ-R; Omron NX/NJ, CJ series; and all Codesys-based platforms (Wago, B&R, Phoenix Contact, Pilz, Bosch Rexroth).
Yes. PLCpilot has a free plan with 10 messages per day — no credit card required. The Pro plan at €29/month provides 150 messages/month with access to more powerful AI models for deeper troubleshooting and code generation.
Free to try. No credit card. No setup. Just paste your fault code and get an answer.
Start Free — 10 Messages/Day →