In industrial automation, the Siemens SIMATIC S5 series defined an era with its durability and reliability. Although the S7 series has become mainstream, classic controllers such as the S5-90U and S5-95U still run stably on numerous key production lines around the world. For engineers who maintain these 'old horses', mastering a systematic and efficient approach to diagnostics and debugging is far more urgent than learning a new PLC. This article delves into the internals of the S5-90U/95U and provides a comprehensive technical guide covering hardware structure, diagnostic tools and advanced programming techniques.
1. System Overview: Performance Boundaries of Compact Controllers
The S5-90U and S5-95U are compact controllers that Siemens designed for automation tasks in the low to mid performance range. Their defining characteristics are modularity, scalability, and powerful functionality.
S5-90U: The economical entry-level option. It comes with 10 digital inputs and 6 relay outputs, and can be expanded with up to 3 S5-100U bus units (6 slots) through the IM 90 interface module. Its user program memory is 4KB, which makes it suitable for replacing traditional contactor and relay control systems.
S5-95U: The more powerful model. It comes with 16 digital inputs, 16 digital outputs, 8 analog inputs (0-10V, 10-bit resolution), 1 analog output, 4 interrupt inputs, and 2 high-speed counter inputs (up to 5kHz). The user program memory is up to 16KB and the controller supports up to 16 bus units (32 slots), so it can handle more complex closed-loop control and communication tasks.
Understanding these hardware boundaries is the first step towards efficient diagnosis. For example, when a program cannot be loaded, first check whether the target is an S5-90U and the program exceeds 4KB, or whether the compiled program has overflowed the internal RAM (the manual states that even a STEP 5 program smaller than 16KB may overflow after compilation, causing the STOP LED to flash).

2. Core Diagnostic Tools: In-Depth Use of ISTACK and BSTACK
When a PLC unexpectedly enters STOP mode, the first reaction of most engineers is to reset it or re-download the program, but this often overlooks the root cause. The S5-90U/95U provides two powerful internal analysis tools, the Interrupt Stack (ISTACK) and the Block Stack (BSTACK), which are the "black boxes" of troubleshooting.
ISTACK: The 'first witness' of the cause of the malfunction
ISTACK is a memory area inside the CPU that stores the cause of a fault. When the PLC switches from RUN to STOP or fails to start, the critical information is recorded in ISTACK. By calling the ISTACK function from the programmer (PG), you can obtain the following decisive clues:
Control bit display: For example, the ZYK bit indicates a scan cycle timeout, NAU indicates a power failure in the central controller, PEU indicates that the external I/O bus is not ready, and STUEB indicates a block stack overflow (nesting depth exceeding 16 levels).
Error ID (Cause of Interr.): This is the key to locating the issue.
NNN: The program cannot be interpreted. This is usually a 'compiler error', meaning that a STEP 5 statement you wrote has a syntax error or contains logic that the compiler cannot convert. In this case, REL-SAC (the relative STEP address counter) in ISTACK points to the address after the faulty statement. Convert this hexadecimal address to decimal and then find that location in the corresponding block (such as PB7).
TRAF: Data transfer error. Common causes: the accessed data block (DB) has not been opened or does not exist; the data word number specified in the statement exceeds the length of the DB. For example, the DB is defined with 10 words but the program attempts to write the 11th word.
SUF: Replacement Error (S5-95U only). This usually occurs when a function block (FB) is called with the wrong actual parameters, or when an integrated FB is called in an interrupt program while that FB is being processed by another program.
ZYK: Scan cycle timeout. The program execution time has exceeded the configured monitoring time (default 300ms). Possible causes include endless loops in the program, frequent interrupts, or prolonged use of the STATUS function from the programmer.
BSTACK: "Navigator" for program execution path
BSTACK records jump information during program execution, including which DB was open before the jump, the start address of the called block, and so on. In structured programming, when an error occurs inside deeply nested blocks, BSTACK shows step by step how the program reached the point of failure.
For example, the system reports a TRAF error, which indicates a DB access error. By examining BSTACK, you may find that the execution path is OB1->PB2->FB4 and that data block DB5 was open when FB4 was called. You can then narrow the search to the statements in FB4 that access DB5 instead of searching aimlessly through the entire program.
3. System Parameterization: The Clever Use and Pitfalls of DB1
Many advanced features of S5-90U/95U are parameterized through the integrated data block DB1. DB1 is interpreted and executed when the PLC switches from STOP to RUN. The default DB1 is integrated into the CPU, and users can modify and download it as needed.
DB1 consists of multiple parameter blocks, each starting with a block ID; the block sequence is closed by END. Common parameter blocks include:
OBI: Parameterized interrupt input. For example, on S5-95U, IP 0 indicates configuring input I34.0 as a rising edge interrupt; IN 1 indicates that I34.1 is configured as a falling edge interrupt; IPN 2 indicates that I34.2 is configured to trigger interrupts for both rising and falling edges.
OBC: Parameterized onboard counter. For example, CAP 500 indicates that counter A is configured for rising edge counting, with a comparison value of 500. CCN 90000 represents cascading two counters into a 32-bit counter, with a falling edge count and a comparison value of 90000.
SDP: System parameter settings (S5-95U only). NT 128 sets the number of internal timers processed by the system (the default is 128; if the program only uses 20, changing the value to 20 shortens the scan cycle). With PBUS N, the PLC does not check the external I/O bus at startup. With PBUS J, the PLC can only enter RUN mode when the external I/O bus is ready.
CLP: Real-time clock parameters (S5-95U only). STW MW10 places the status word at MW10, and CLK DB5 DW0 places the clock data area in DB5, starting at DW0.
Parameter error handling: If DB1 contains syntax errors or out-of-range parameters, the PLC remains in STOP when it is switched from STOP to RUN. You can obtain detailed error codes by adding the error return parameter block ERT: (for example ERR MW2) to DB1. The error code is written to consecutive words starting at MW2, with the high byte indicating the error type (such as "range violation" or "syntax error") and the low byte indicating the faulty parameter block (for example, code 03 corresponds to OBC:). This greatly speeds up debugging of the parameter configuration.
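A DB1 review helper, added here as an example (it is not Siemens code and not taken from the manual): it splits DB1 text into parameter blocks and flags the settings discussed in this section. The textual layout (each block closed by ";"), the channel range 0-3 for OBI and the sample error word are assumptions.

```python
import re

# Constructed S5-95U DB1 text. Assumed layout: "ID:" opens a block,
# ";" closes it, END closes DB1.
SAMPLE_DB1 = """
OBI: IP 0 IN 1 IPN 2 ;
OBC: CAP 500 ;
SDP: NT 128 PBUS N ;
ERT: ERR MW2 ;
END
"""
ONLY_95U = {"SDP", "CLP"}      # marked "S5-95U only" in the text
BLOCK_CODES = {0x03: "OBC"}    # the only block code the text gives

def parse_db1(text):
    """Return {block_id: [tokens]}; refuse text that lacks the closing END."""
    parts = re.split(r"\bEND\b", text, maxsplit=1)
    if len(parts) != 2:
        raise ValueError("DB1 is not terminated by END")
    blocks = {}
    for chunk in parts[0].split(";"):
        m = re.match(r"\s*([A-Z0-9]{3}):\s*(.*)", chunk, re.S)
        if m:
            blocks[m.group(1)] = m.group(2).split()
    return blocks

def audit_db1(blocks, cpu="S5-95U"):
    """List review findings for the parameters described in this section."""
    findings = [f"{b}: block is S5-95U only" for b in blocks
                if cpu == "S5-90U" and b in ONLY_95U]
    sdp = blocks.get("SDP", [])
    if dict(zip(sdp[::2], sdp[1::2])).get("PBUS") == "N":
        findings.append("SDP: PBUS N, external I/O bus is not checked at startup")
    obi = blocks.get("OBI", [])
    for kind, chan in zip(obi[::2], obi[1::2]):
        # Assumption: channels 0-3 map to the four interrupt inputs.
        if kind not in ("IP", "IN", "IPN") or chan not in ("0", "1", "2", "3"):
            findings.append(f"OBI: invalid entry {kind} {chan}")
    if "ERT" not in blocks:
        findings.append("ERT: missing, DB1 errors will not return an error code")
    return findings

def split_error_word(word):
    """High byte = error type, low byte = parameter block code."""
    low = word & 0xFF
    return (word >> 8) & 0xFF, BLOCK_CODES.get(low, f"code {low:02X}")

if __name__ == "__main__":
    print(audit_db1(parse_db1(SAMPLE_DB1)))
    print(split_error_word(0x0203))   # constructed word; type byte 0x02 is arbitrary
```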

4. Advanced Programming Skills and Performance Optimization
In addition to basic bit logic, the S5-95U offers a range of advanced operations. Mastering them lets you write more efficient and compact programs.
Bit test operations (TB, TBN): These let you test a single bit of a word directly and set the RLO according to the state of that bit. When processing status information held in words, this is much more efficient than loading the word first and then masking it with an 'and' operation. For example, TB D 12.8 directly tests the 8th bit of data word DW12.
DO operation: This is a powerful tool for implementing indirect addressing. The DO FWx or DO DWx statement does not perform any operation itself; it tells the CPU that the operand address of the next statement is determined dynamically by the content of the specified flag word or data word. For example, first set FW10 to KH 0108 (high byte = bit address, low byte = byte address), and then execute:
```step5
DO FW10
A F 0.0
```
This is equivalent to A F 8.1. By changing the value of FW10 in a loop, a few lines of code can do work that would otherwise require a lot of repetitive code, such as batch-initializing data areas.
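When reviewing a program, indirect addressing hides the real operand from a cross-reference, so it helps to resolve each DO pair against a snapshot of the pointer word. The resolver below is an added example, not code from the manual; the function names are hypothetical, it treats the pointer as replacing the operand of the following statement, and it handles bit operands only.

```python
import re

def split_pointer(word):
    """Pointer word as described above: high byte = bit, low byte = byte."""
    byte, bit = word & 0xFF, (word >> 8) & 0xFF
    if bit > 7:
        raise ValueError(f"bit address {bit} out of range in KH {word:04X}")
    return byte, bit

def make_pointer(byte, bit):
    """Build the KH value that makes the next statement address byte.bit."""
    if not (0 <= byte <= 255 and 0 <= bit <= 7):
        raise ValueError("byte must be 0-255 and bit 0-7")
    return (bit << 8) | byte

def resolve_do(statements, words):
    """Replace each 'DO FWx'/'DO DWx' pair with the statement it really executes.

    `words` is a snapshot of the pointer words, e.g. {"FW10": 0x0108}.
    Only bit operands of the form '<op> <area> <byte>.<bit>' are handled.
    """
    resolved, pointer = [], None
    for raw in statements:
        line = raw.strip()
        m = re.fullmatch(r"DO\s+(FW|DW)\s*(\d+)", line)
        if m:
            pointer = m.group(1) + m.group(2)
            continue
        if pointer is not None:
            op, area, _placeholder = line.split()
            byte, bit = split_pointer(words[pointer])
            line = f"{op} {area} {byte}.{bit}"
            pointer = None
        resolved.append(line)
    return resolved

if __name__ == "__main__":
    program = ["DO FW10", "A F 0.0"]          # the pair from the text
    print(resolve_do(program, {"FW10": 0x0108}))
    # Step FW10 the way a batch routine would, bit by bit through byte 8.
    for bit in range(8):
        print(resolve_do(program, {"FW10": make_pointer(8, bit)}))
```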
Scan cycle and response time calculation: The manual provides precise formulas for calculating the scan cycle and the response time, which is crucial for time-sensitive applications. For example, the scan time of the S5-95U = process image transfer time (depending on the number and type of I/O modules) + operating system runtime (fixed at 500 µs) + program execution time + timer update time. In the worst case, the input signal changes just after the PII has been read, so the response time must allow for three times the process image transfer time, three times the operating system runtime, and two times the program execution time.
Fine-grained management of interrupt priority: The S5-95U supports multiple interrupt sources (4 external interrupts, 2 counter comparison interrupts). When interrupts occur simultaneously, the execution order is: counter B > interrupt input > counter A. In addition, up to 8 interrupt events can be held temporarily in a queue. With the IA (disable interrupt) and RA (enable interrupt) operations, you can protect critical segments of the program from interruption and ensure data consistency. For example, placing IA before and RA after a TNB (block transfer) operation prevents interruptions during the transfer and thereby ensures the integrity of the source and target data areas.
5. Analog Value and Communication Processing
Analog processing: The onboard analog input of the S5-95U is 0-10V with a resolution of 10 bits. The manual provides two standard function blocks, FB250 and FB251, to simplify reading and scaling analog signals. FB250 linearly maps the raw digital value (0-1024) to a user-defined engineering range (e.g. 0-1000L/min). FB251 performs the reverse operation, converting engineering values into the digital format required by the analog output module.
SINEC L1 communication: As a slave station on the SINEC L1 network, the S5-90U/95U is configured through the SL1: parameter block in DB1. This includes defining the slave station address (SLN) and the locations of the send mailbox (SF) and the receive mailbox (EF). The communication handshake is carried out through the coordination bytes KBS (send) and KBE (receive). To receive, the program polls the 'receive complete' bit of KBE to determine whether new data has arrived, and then reads the data from EF; to send, it fills SF and sets the "Send Request" bit in KBS.
