Protokoll

SIEMENS SIMATIC S5 AS511 (Programming port) protocol description

Last reviewed: May 4, 1999
- corrected a DLE/ACK sequence in DBWrite function
- provided new informations on data synchronisation between AS511 interface and the CPU.

COM port setup

Siemens data frame is not usual, open your port with:

speed 9600 baud
data 8 bits
stop 1 bit
parity EVEN

DLE control character

DLE (10hex) is a control character, used to inform the receiver that the following byte is to be considered a control character and not a data byte. In other words, DLE is a software switch within the AS511 protocol to divide control and data bytes. Whenever a DATA byte containing the value 10hex is to be sent, the sender must DOUBLE the char. This means that to send a data byte 10hex, the sender must send 10hex 10hex (DLE DLE). The receiver must consider the thing, so a single DLE will mean a protocol signal, while two consecutive DLE are to be interpreted as a SINGLE data byte containing the 10hex value. This is a little tricky, since the receiver NEVER knows exactly how many bytes to expect.

Communication breaks

Take also note that the AG can answer DLE NAK instead of DLE ACK if the requested operation can not be carried out. In this case, the PG must abort the communication and wait for 500ms before attempting a new communication. The value of 500mS is also applied as timeout value in case of missing response from the partner.This also means that no "holes" of 500mS (or more) are allowed during a communication (e.g. within a DB_READ function)

Data addressing

To read or write a datablock value, you need to know its address in PLC memory. Therefore you must invoke B_INFO function to know the address, then you can call DB_READ or DB_WRITE by giving the initial and final address of the area to be read or written. Be aware that when the datablock is rewritten in CPU (or after a program compression), its address in PLC memory changes. Therefore when communicating with double-port CPUs (or H1 networked CPUs) you must take care of it, since the PLC program may be unexpectedly modified by somebody else via other interfaces.

MOTOROLA and INTEL byte order conversion

Be aware that in SIMATIC the LSB/MSB bytes order is reversed:

SIMATIC:
15..............0
BYTE 0.....BYTE 1

INTEL:
15..............0
BYTE 1.....BYTE 0

To obtain the correct integer value of a dataword on INTEL processors, the user must therefore:
- swap the received bytes
and
- swap the bytes before sending them to the PLC

Data synchronisation

The AS511 protocol is NOT synchronized with the CPU scan cycle. This means that data transmitted by a computer can drop in the PLC memory at any time during the PLC program scan.. If the program is reading some data (such as a recipe), there is no guarantee that all data is "fresh received". The best solution is to send recipe data in two steps:
a) send all the recipe data, then
b) send a "data ready" code in a further DataWord.
The PLC program, when receives the "data ready" code, will read all the recipe data and clear the "data ready" info. In this way you are sure to accept the recipe data only when it has been completely transmitted to the PLC memory.

B_INFO

input: - block number output: - initial address of DW0 in AG PG AS (hex) (hex) ---------------------- function start -------- 02 ----> STX <---- 10 DLE <---- 06 ACK 1A ----> B_INFO function code = 1Ah <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 16 AG answer=16h <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK ---------------------- header info -------- 01 ----> ID=01h for Datablock XX ----> DB number (0..255) 10 ----> DLE 04 ----> EOT <---- 10 DLE <---- 06 ACK ---------------------- data -------- <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 00 NUL <---- XX DB initial address <---- XX <---- 70 synchronization code: 70 70 <---- 70 <---- 41 block ID and DB number : 41 XX <---- XX <---- XX PG ID code: XX XX <---- XX <---- XX library number: XX XX <---- XX <---- XX block length (words): XX XX <---- XX <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK ---------------------- terminate -------- <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 12 AG "end of transmission" code: 12h <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK

DB_READ

input: - initial address in AG - final address in AG output: - contents of datawords PG AS (hex) (hex) ---------------------- function start -------- 02 ----> STX <---- 10 DLE <---- 06 ACK 04 ----> DB_READ function code = 04h <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 16 AG answer=16h <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK ---------------------- header info -------- XX ----> initial address in AG: XX XX XX ----> XX ----> final address in AG: XX XX XX ----> 10 ----> DLE 04 ----> EOT <---- 10 DLE <---- 06 ACK ---------------------- data -------- <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 00 NUL <---- 00 NUL <---- 00 NUL <---- 00 NUL <---- 00 NUL <---- XX first byte of data <---- XX <---- XX . . . . . . <---- XX <---- XX <---- XX last byte of data <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK ---------------------- terminate -------- <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 12 AG "end of transmission" code: 12h <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK

DB_WRITE

input: - initial address in AG
- contents of datawords
output: - none PG AS (hex) (hex) ---------------------- function start -------- 02 ----> STX <---- 10 DLE <---- 06 ACK 03 ----> DB_WRITE function code = 03h <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 16 AG answer=16h <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK ---------------------- header info -------- XX ----> initial address in AG: XX XX XX ----> ---------------------- data -------- XX ----> first byte of data XX ----> XX ----> . . . . . . XX ----> XX ----> XX ----> last byte of data 10 ----> DLE 04 ----> EOT <---- 10 DLE <---- 06 ACK ---------------------- terminate -------- <---- 02 STX 10 ----> DLE 06 ----> ACK <---- 12 AG "end of transmission" code: 12h <---- 10 DLE <---- 03 ETX 10 ----> DLE 06 ----> ACK

end of document