ISBN 978-952-5726-06-0
Proceedings of the 2009 International Workshop on Information Security and Application (IWISA 2009)
Qingdao, China, November 21-22, 2009

Exploitation of Intelligent Slave Based on PROFIBUS-DP

ZHAO Hui, LI Dan-dan
(School of Electrical Engineering, Tianjin Key Laboratory of Control Theory and Applications in Complicated Systems (Tianjin University of Technology), Tianjin, 300384, China)
Email: zhaohui3379@126.com

Abstract

This article presents an approach to an intelligent PROFIBUS-DP slave built from a microcomputer and the SPC3 (Siemens PROFIBUS Controller) ASIC. The slave developed is stable in performance, low in cost and of definite economic value. The paper discusses its hardware configuration and software architecture. To achieve complete communication between the PROFIBUS master and slave and to ensure the stability and reliability of the system, the SPC3 is used to implement the DP slave.

Index Terms: PROFIBUS-DP, Intelligent Slave, Field Bus

[Figure 1. The overall structure of the hardware of the slave: master, opto-coupler isolation, RS485 bus driver, SPC3, P89V51, slave device]

© 2009 ACADEMY PUBLISHER AP-PROC-CS-09CN004

PROFIBUS is an international, open field bus standard that does not depend on any equipment manufacturer; it is widely used in manufacturing automation, process automation, industrial buildings, transportation, electric power and other areas of automation. PROFIBUS consists of three parts: PROFIBUS-FMS, PROFIBUS-PA and PROFIBUS-DP. FMS is mainly used for workshop control networks; it is a token-passing, real-time multi-master network. PA is designed specifically for process applications and has an intrinsic-safety specification. DP is a high-speed, low-cost communication link used for device-level control systems and distributed communication. PROFIBUS-DP can replace DC 24 V or 4 ~ 20 mA signal transmission, has a very short response time and high immunity to interference. With these advantages, PROFIBUS-DP occupies a vast Chinese market. In this paper an intelligent slave is developed from a microcomputer plus a PROFIBUS communication ASIC. To keep the bus cycle time as short as possible, the control system uses a single-master network. The overall system architecture is shown in Figure 1.

I. SPC3 ASIC

In theory the PROFIBUS communication protocol can be implemented by programming a microcontroller; however, the protocol is so complicated that even if a microcontroller could implement it, the communication speed could hardly meet the requirement, so a specialized ASIC such as the SPC3 is generally used. The SPC3 (SIEMENS PROFIBUS CONTROLLER) is an intelligent interface chip for the PROFIBUS-DP open industrial field bus; it can be widely used as the MCU interface in industrial automation and building management automation. The SPC3 integrates the complete DP protocol, including mode registers, interrupt registers, status registers, a variety of buffers and buffer pointers, and so on. The chip contains 1.5 KB of RAM and a parallel 8-bit interface with 11 address lines. The SPC3 supports all common microprocessors and 8-bit processors. It can also perform "byte conversion" automatically, so that a Motorola processor can read 16-bit values directly and correctly; reading and writing are usually completed through the two ports (8-bit data bus). The SPC3 integrates a watchdog timer for protection, which operates in three different states: 'DP_Control', 'Baud_Control' and 'Baud_Search'. If the application processor fails, PROFIBUS-DP communication is prohibited so as not to endanger the peripherals. A micro-sequencer controls the entire working process.
The internal UART performs the conversion between the serial bit stream and the parallel data, and the SPC3 automatically identifies the bus baud rate (9.6 kbaud ~ 12 Mbaud). An idle timer controls the bus timing on the serial bus cable [1]. A monitoring time between 2 ms and 650 s, independent of the baud rate, can be implemented with the permissible watchdog factors. If the monitoring time runs out, the SPC3 goes back to 'Baud_Control' and generates the 'WD_DP_Control_Timeout' interrupt. In addition, the DP state machine is reset, that is, the buffer management is put into its reset state. If another master takes over the SPC3, there is either a switch to 'Baud_Control' (WD_On = 0) or a delay in 'DP_Control' (WD_On = 1), depending on whether response-time monitoring (WD_On) is enabled.

RAM Structure

The integrated 1.5 KB dual-port RAM is divided into 192 segments of 8 bytes each, which the user can address directly. Table I shows the memory structure. The processor and organizational parameters are located in RAM beginning at address 00H, together with the internal working cells, but the user cannot access the internal working cells [2].

Table I. Memory structure

Address | Function
000H | Processor parameters: internal working cells, latches/registers (21 bytes)
016H | Organizational parameters (42 bytes)
040H | DP buffers: Data in (3)*, Data out (3)*, Diagnostics (2), Parameter setting data (1), Configuration data (2), Auxiliary buffer (2), SSA buffer (1)
5FFH | End of RAM

In the processor parameter area the user can set all processor parameters, and in mode register 0 the organizational parameters such as SYNC, FREEZE and so on. Mode register 0 must be assigned offline; once power is turned on it cannot be changed. The following 42 bytes (16H ~ 39H) are the organizational parameter area: the structure of the entire SPC3 buffer space is defined here, the general parameter setting data (whether the address may be changed, the station address, the user watchdog values, the device identification number, etc.) are set in these units, and the status displays (universal control commands, etc.) are stored in these units. The rest of the RAM is the user's buffer area, used to store the user's input and output data, parameter data, configuration data and diagnostic data.

II. State Machine of a PROFIBUS DP Slave

The sequence of this state machine in principle is helpful in understanding the firmware sequence; details are found in the standard. After power-on, the CPU initializes the slave. When this succeeds, the station can receive a Set_Slave_Add telegram from the master to change its address, and then enters the Wait_Prm state to wait for its parameterization from the master; in this state the slave can also receive Slave_Diag and Get_Cfg telegrams from the master. After parameterization, the slave enters the Wait_Cfg state, waiting for a Chk_Cfg telegram, while also accepting Slave_Diag, Get_Cfg and Set_Prm telegrams. After the Chk_Cfg, the slave enters the Data_Exch state and begins data communication. If the configuration or data exchange is unsuccessful at any stage, the state machine returns to the Wait_Prm state, waiting for re-parameterization (Figure 2) [3].

[Figure 2. State machine of a PROFIBUS DP slave: Power-on -> Init_dp() -> WPRM (Wait_Prm; accepts Set_Slave_Add, Slave_Diag, Get_Cfg) -> Set_Prm ok -> WCFG (Wait_Cfg; accepts Slave_Diag, Get_Cfg) -> Chk_Cfg ok -> DXCHG (Data_Exch); Set_Prm not ok or Chk_Cfg not ok returns to WPRM]

III. Structure of Hardware

The CPU is the P89V51RD2, a microprocessor produced by PHILIPS Corporation with 64 KB of FLASH and 1 KB of RAM, an internal WDT (watchdog), an operating frequency of 0 ~ 40 MHz, and support for IAP (In Application Programming) and ISP (In System Programming). The CPU/SPC3 interface is shown in Figure 3. Because the P89V51RD2 belongs to the 8-bit microcontroller family with a multiplexed data bus, and the SPC3 has its own internal address latch, the CPU's P0 port is connected to DB7 ~ DB0, P2 to AB7 ~ AB0, and AB8 ~ AB10 are connected to ground.
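The buffer area of Table I has to be laid out before the SPC3 can be initialized: every buffer occupies whole 8-byte segments, and the buffer pointers written to the organizational parameters are segment numbers (address divided by 8), as the SPC3 user description specifies. The planner below is an added example, not code from the paper or from Siemens; it packs the buffer set of Table I from 040H upwards, reports the segment pointer for each buffer and refuses a layout that would run past 5FFH. The input, output, diagnostic, parameter and configuration lengths are taken from the capture in Section IV.B (2-byte I/O, 6-byte diagnostics, 7 parameter bytes, 2 configuration bytes); the auxiliary and SSA lengths are assumed values.

```python
"""Added example: plan the DP buffer area of the SPC3 dual-port RAM (Table I).
The 1.5 KB RAM is addressed in 192 segments of 8 bytes; 000H-015H hold the
processor parameters and 016H-03FH the organizational parameters, so user
buffers start at 040H.  Buffer pointers are segment numbers (address // 8)."""

RAM_SIZE = 0x600           # 192 segments x 8 bytes, last address 5FFH
SEGMENT = 8
BUFFER_START = 0x40        # first byte after the organizational parameters

# Buffer set of Table I in its order: (name, number of copies).
BUFFER_SET = [("din", 3), ("dout", 3), ("diag", 2), ("prm", 1),
              ("cfg", 2), ("aux", 2), ("ssa", 1)]


def segments_for(length):
    """Number of 8-byte segments needed to hold `length` bytes (at least one)."""
    return max(1, (length + SEGMENT - 1) // SEGMENT)


def plan_buffers(lengths):
    """Return {buffer: (address, segment_pointer, size_bytes)} for every copy
    of every buffer, packed in Table I order; raise if the RAM overflows."""
    layout, addr = {}, BUFFER_START
    for name, count in BUFFER_SET:
        size = segments_for(lengths[name]) * SEGMENT
        for i in range(count):
            if addr + size > RAM_SIZE:
                raise ValueError("SPC3 RAM overflow at buffer %s%d" % (name, i))
            layout["%s%d" % (name, i)] = (addr, addr // SEGMENT, size)
            addr += size
    return layout


def free_bytes(layout):
    """Bytes still unused below 600H after the last planned buffer."""
    end = max(addr + size for addr, _, size in layout.values())
    return RAM_SIZE - end


# Lengths from the Section IV.B capture; aux and ssa are assumed (constructed).
EXAMPLE_LENGTHS = {"din": 2, "dout": 2, "diag": 6, "prm": 7,
                   "cfg": 2, "aux": 7, "ssa": 4}

if __name__ == "__main__":
    plan = plan_buffers(EXAMPLE_LENGTHS)
    for name, (addr, seg, size) in plan.items():
        print("%-6s addr 0x%03X  segment ptr 0x%02X  %d bytes" % (name, addr, seg, size))
    print("free bytes:", free_bytes(plan))
```

Because every length in the example fits in one segment, the fourteen buffers occupy 040H to 0AFH and the first input buffer gets segment pointer 08H; the overflow check matters once the input and output buffers approach the 244-byte maximum of a DP data unit, where three copies each no longer fit beside the other buffers.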
[Figure 3. The CPU/SPC3 interface circuit]

Because the P89V51RD2 integrates 1 KB of RAM, of which 768 B are on-chip "external" memory accessed with MOVX at addresses 00H ~ 2FFH, and the SPC3 is likewise treated as off-chip memory, port P2.4 is connected to AB4 through an inverter to avoid address duplication, so that the starting address of the SPC3 becomes 0x8000. To eliminate external interference and improve signal accuracy, the bus signal is isolated by high-speed optocouplers and then connected to the RS-485 bus driver and a 9-pin D-type socket. The power supply of the bus driver and of the optocoupler output side should also be isolated, for example with an isolated DC-DC module or transformer isolation [4-7].

IV. Software Design

A. Program flow

The flow chart of the main program is shown in Figure 4.

[Figure 4. Flowchart of main program: initialization of P89V51 and SPC3; data collection and processing, intelligent control algorithms and output; poll whether SPC3 has new data and read it, update the SPC3 input buffer; write external diagnostics if any; loop]

At the beginning of the main program the SPC3 must be initialized first, including the slave address, the buffer areas, all registers and the initial value of the watchdog. Data output and input, and the user's input of diagnostic data, can be placed in the main loop of the application. In each cycle the data in the buffer must be refreshed so that all input data are real-time data. When the SPC3 receives output data from the PROFIBUS master, it raises the output-data interrupt flag; the CPU reads the data from the master after polling this flag in the loop. The SPC3 automatically transfers the specified diagnostic information to the master in real time [10]. If the user supplied diagnostic data during initialization, the main program checks in a loop whether a diagnostic buffer is available; when the buffer is idle, the application writes the diagnostic information and requests an update [8-9]. The flowchart of the interrupt handler is shown in Figure 5.

[Figure 5. Flowchart of interruption: new PRM telegram -> deal with PRM telegram; new CFG telegram -> deal with CFG telegram (compare with the original, update the original CFG); SSA telegram -> save into buffer; interrupt return]

The interrupt handler deals with all kinds of unexpected events raised by the SPC3, including global-control telegram events, new parameter telegram events, entering or leaving the data exchange state, new configuration telegram events, new address-setting telegram events, watchdog overflow events and baud-rate monitoring events.

B. Analysis of telegrams

The slave receives every telegram on the bus; if a telegram has nothing to do with it, it is ignored, otherwise the slave responds in accordance with its state machine. The following is a part of the telegram data collected from the PROFIBUS-DP network, which has a master with address 2 and a slave with address 3; the telegrams are explained in terms of the working mechanism of slave 3. (Telegram data are in hexadecimal.)

......
10 03 02 49 4E 16    Request frame that master 2 sent to slave 3, checking whether slave 3 "exists".
10 02 03 00 05 16    Response frame that slave 3 sent to master 2, reporting that it "exists" or is "alive".
......
68 05 05 68 83 82 5D 3C 3E DC 16    Diagnostic frame that master 2 sent to slave 3, requesting the current state of slave 3.
68 0B 0B 68 82 83 08 3E 3C 02 05 00 FF 00 08 95 16    Response frame of slave 3; the last 6 bytes are the diagnostic information.
......
68 0C 0C 68 83 82 7D 3D 3E 88 19 1A 0B 00 08 00 CB 16    Parameter frame that master 2 sent to slave 3, with 7 bytes of parameter data: 88 19 1A 0B 00 08 00.
E5    ACK frame.
......
68 07 07 68 FF 82 46 3A 3E 00 00 3F 16    Global control telegram that master 2 sent to slave 3.
......
68 07 07 68 83 82 5D 3E 3E 11 21 10 16    Configuration frame that master 2 sent to slave 3, with 2 bytes of configuration data: 11 21.
E5    ACK frame.
......
68 05 05 68 83 82 7D 3C 3E FC 16    The second diagnostic frame that master 2 sent to slave 3.
68 0B 0B 68 82 83 08 3E 3C 00 0C 00 02 00 08 9D 16    Response with the 6-byte diagnostic information: 00 0C 00 02 00 08.
......
68 05 05 68 03 02 5D 00 00 62 16    Master 2 sent 2 bytes of data to slave 3 and requested the input data of slave 3.
68 05 05 68 02 03 08 00 00 0D 16    Response frame that slave 3 sent to master 2, including 2 bytes of input data: 00 00.
......

V. Conclusion

The PROFIBUS-DP field bus has become an industry standard of the Chinese mechanical industry and in recent years has received attention from a number of institutions and manufacturers. This paper describes the design of PROFIBUS-DP slave hardware and software using the P89V51 and SPC3. Devices developed with this PROFIBUS-DP bus interface have high stability and meet the requirements for interoperability and real-time communication.

REFERENCES

[1] Siemens. SIMATIC NET SPC3 and DPS2 User Description (Siemens PROFIBUS Controller According to IEC 61158), Version 2.0, 2002: 38-46.
[2] SIMATIC PROFIBUS Interface Components. Siemens, 1998.11.
[3] SIMATIC NET SPC3 SIEMENS PROFIBUS Controller User Description. Siemens, 2002.9.
[4] Laurent Cauffriez, Joseph Ciccotelli, Blaise Conrard. Design of intelligent distributed control systems: a dependability point of view. Reliability Engineering and System Safety, 2004, 84: 19-32.
[5] P. Marino, J. Nogueira, C. Siguenza, et al. The PROFIBUS formal specification: a comparison between two FDTs. Computer Networks, 2001, 37(3-4): 345-362.
[6] SIEMENS Corporation. Configuring Hardware and Communication Connections STEP 7 V510, SIMATIC Software Manual [Z]. 1998.
[7] Stephen Northcutt, Judy Novak. Network Intrusion Detection, Third Edition. New Riders Publishing, 2002.
[8] Device Description Data Files GSD, 1999.
[9] PROFIBUS Specification EN 50170 Volume 2, 1999.
[10] P. Vittur. DP-Ethernet: the PROFIBUS DP Protocol implemented on Ethernet. Computer Communications, 2003, 26(10): 1095-1104.
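The telegrams listed in Section IV.B can be checked and interpreted mechanically, which is also the cleanest way to confirm that the slave follows the state machine of Section II. The decoder below is an added example and is not code from the paper or from the SPC3 firmware. It splits each frame into its FDL fields (SD1 fixed frames, SD2 variable frames with LE/LEr, the E5 short acknowledgement), verifies the frame check sequence (byte sum of DA, SA, FC and data unit modulo 256), recognises the DP service from the destination SAP when the address-extension bit is set, and decodes the standard Set_Prm, diagnostic and configuration byte formats of EN 50170. Those layouts, SAP numbers and status bits are taken from the PROFIBUS standard; the `DpSlave` model and its acceptance rules (a Set_Prm is accepted when its Ident_Number matches, a Chk_Cfg when the identifier bytes equal the expected configuration) are simplifying assumptions of this example, and the capture is the paper's own, with master 2 and slave 3.

```python
"""Added example: decode the PROFIBUS-DP FDL telegrams of Section IV.B and
replay the requests through the Section II slave state machine
(WPRM -> WCFG -> DXCHG).  Frame layout, FCS rule, SAP numbers and the
Set_Prm / Diag / Cfg byte formats follow EN 50170 / IEC 61158."""

SD1, SD2, SC, ED = 0x10, 0x68, 0xE5, 0x16
BROADCAST = 0x7F

# Destination SAPs a DP master addresses on a slave.
SAP_NAMES = {
    0x37: "Set_Slave_Add", 0x38: "Rd_Inp", 0x39: "Rd_Outp",
    0x3A: "Global_Control", 0x3B: "Get_Cfg", 0x3C: "Slave_Diag",
    0x3D: "Set_Prm", 0x3E: "Chk_Cfg",
}


def parse_frame(hexstr):
    """Split one telegram into its FDL fields; raise ValueError if malformed."""
    raw = bytes.fromhex(hexstr)
    if raw[0] == SC:                                  # one-byte short acknowledgement
        return {"type": "SC", "request": False}
    if raw[0] == SD1:                                 # SD1 DA SA FC FCS ED
        if len(raw) != 6 or raw[5] != ED:
            raise ValueError("malformed SD1 frame")
        body, fcs = raw[1:4], raw[4]
    elif raw[0] == SD2:                               # SD2 LE LEr SD2 DA SA FC DU FCS ED
        le = raw[1]
        if len(raw) != le + 6 or raw[2] != le or raw[3] != SD2 or raw[-1] != ED:
            raise ValueError("malformed SD2 frame")
        body, fcs = raw[4:4 + le], raw[4 + le]
    else:
        raise ValueError("unknown start delimiter 0x%02X" % raw[0])
    if (sum(body) & 0xFF) != fcs:                     # FCS = sum of DA..DU mod 256
        raise ValueError("FCS mismatch")
    da, sa, fc = body[0], body[1], body[2]
    frame = {"type": "SD1" if raw[0] == SD1 else "SD2",
             "da": da & 0x7F, "sa": sa & 0x7F, "fc": fc,
             "request": bool(fc & 0x40), "du": body[3:]}
    if da & 0x80:                                     # address extension: DSAP, SSAP first
        frame["dsap"], frame["ssap"] = frame["du"][0], frame["du"][1]
        frame["du"] = frame["du"][2:]
    if not frame["request"]:
        frame["service"] = "Response"
    elif frame["type"] == "SD1" and (fc & 0x0F) == 0x09:
        frame["service"] = "FDL_Status"               # the "are you alive" poll
    else:
        frame["service"] = SAP_NAMES.get(frame.get("dsap"), "Data_Exchange")
    return frame


def decode_set_prm(du):
    """Standard Set_Prm header: Station_Status, WD_Fact_1, WD_Fact_2, min_TSDR,
    Ident_Number (hi, lo), Group_Ident; user parameter data follows."""
    status = du[0]
    return {"lock_req": bool(status & 0x80), "unlock_req": bool(status & 0x40),
            "sync_req": bool(status & 0x20), "freeze_req": bool(status & 0x10),
            "wd_on": bool(status & 0x08),
            "wd_time_ms": du[1] * du[2] * 10,        # 10 ms time base
            "min_tsdr": du[3], "ident": du[4] << 8 | du[5], "group": du[6],
            "user_prm": bytes(du[7:])}


def decode_diag(du):
    """Standard 6-byte diagnostic header, then extended diagnostics."""
    s1, s2 = du[0], du[1]
    return {"station_not_ready": bool(s1 & 0x02), "cfg_fault": bool(s1 & 0x04),
            "ext_diag": bool(s1 & 0x08), "prm_fault": bool(s1 & 0x40),
            "prm_req": bool(s2 & 0x01), "wd_on": bool(s2 & 0x08),
            "master_add": du[3], "ident": du[4] << 8 | du[5], "ext": bytes(du[6:])}


def decode_cfg(du):
    """General identifier byte: bit 6 word format, bit 5 output, bit 4 input,
    bits 3-0 length minus one."""
    mods = []
    for ident in du:
        length = (ident & 0x0F) + 1
        if ident & 0x40:
            length *= 2
        mods.append({"input": bool(ident & 0x10), "output": bool(ident & 0x20),
                     "bytes": length})
    return mods


class DpSlave:
    """Minimal model of the Section II state machine (acceptance rules are
    assumptions of this example)."""

    def __init__(self, address, ident, expected_cfg):
        self.address, self.ident = address, ident
        self.expected_cfg = bytes(expected_cfg)
        self.state = "WPRM"                          # Wait_Prm after Init_dp()

    def handle(self, frame):
        if not frame["request"] or frame["da"] not in (self.address, BROADCAST):
            return self.state                        # responses, other stations
        svc = frame["service"]
        if svc == "Set_Prm":
            ok = decode_set_prm(frame["du"])["ident"] == self.ident
            self.state = "WCFG" if ok else "WPRM"
        elif svc == "Chk_Cfg":
            ok = self.state == "WCFG" and bytes(frame["du"]) == self.expected_cfg
            self.state = "DXCHG" if ok else "WPRM"
        # Slave_Diag, Get_Cfg, Global_Control and FDL_Status leave the state
        # unchanged; Data_Exchange is only served in DXCHG.
        return self.state


def replay(capture, slave):
    """Return (service, state after handling) for each request in the capture."""
    return [(f["service"], slave.handle(f))
            for f in map(parse_frame, capture) if f["request"]]


# The telegrams of Section IV.B (master 2, slave 3).
CAPTURE = [
    "10 03 02 49 4E 16", "10 02 03 00 05 16",
    "68 05 05 68 83 82 5D 3C 3E DC 16",
    "68 0B 0B 68 82 83 08 3E 3C 02 05 00 FF 00 08 95 16",
    "68 0C 0C 68 83 82 7D 3D 3E 88 19 1A 0B 00 08 00 CB 16", "E5",
    "68 07 07 68 FF 82 46 3A 3E 00 00 3F 16",
    "68 07 07 68 83 82 5D 3E 3E 11 21 10 16", "E5",
    "68 05 05 68 83 82 7D 3C 3E FC 16",
    "68 0B 0B 68 82 83 08 3E 3C 00 0C 00 02 00 08 9D 16",
    "68 05 05 68 03 02 5D 00 00 62 16", "68 05 05 68 02 03 08 00 00 0D 16",
]

if __name__ == "__main__":
    for svc, state in replay(CAPTURE, DpSlave(3, 0x0008, b"\x11\x21")):
        print("%-14s -> %s" % (svc, state))
```

Run against the capture, the replay shows the slave answering the FDL status poll and the first Slave_Diag in WPRM (the diagnostic bytes 02 05 00 FF 00 08 report "station not ready", "parameterization requested" and no master yet), moving to WCFG on the Set_Prm whose Ident_Number 0008 matches (the 88 19 1A 0B 00 08 00 parameters also lock the slave and enable a 25 x 26 x 10 ms = 6.5 s watchdog), staying there through the broadcast Global_Control, and reaching DXCHG on the Chk_Cfg 11 21 (2 bytes input, 2 bytes output), after which the second diagnostic reports master 2 with the watchdog on and the 2-byte data exchange is accepted. A frame with a wrong FCS or inconsistent LE/LEr is rejected before any field is interpreted.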