Design and Implementation of Communication between S7-200 Programmable Logic Controller and Microcomputer
2026-04-06 06:07:53
Abstract: Siemens' SIMATIC S7-200 series is a micro PLC suitable for controlling small and medium-sized equipment, with a wide range of applications. Whether operating independently or connected in a network, it can realize complex control functions in automation systems, and its powerful communication capabilities make it unique among similar PLC products. This article takes a flying shear control system as an example to introduce the communication modes of the S7-222, focusing on the parameter setting, protocol planning, and communication program design of freeport communication.

Keywords: PLC; S7-200; Win9x; freeport mode; serial port

1. Introduction

Programmable Logic Controllers (PLCs), as high-performance industrial field control devices, have been widely used in various fields of industrial control. Industrial automatic control now places increasingly high demands on the network communication capabilities of PLCs, requiring data sharing and control between PLCs and host computers, and between PLCs themselves. The flying shear control system requires real-time monitoring of equipment such as motors, paper feeders, and cutter rollers from a control room far from the PLC. The host computer is a standard PC, and the slave computer is a SIEMENS S7-222 PLC. In actual development, the freeport communication mode is adopted, with a custom communication protocol between the PC and the PLC. The communication program on the PLC side is written using Step7, while the serial communication control and monitoring interface on the PC side is implemented using VC6.0.

2. Communication Methods and Principles

The S7-200 series PLC has three communication methods. The first is Point-to-Point (PPI) mode, which is used for communication with Siemens PLC programmers or other products; its communication protocol is not publicly available.
Another is DP mode, which allows the PLC to connect to a fieldbus network via the PROFIBUS DP communication interface, thereby expanding the PLC's application range. The last method is freeport communication, where the communication protocol is defined by the user to achieve communication between the PLC and peripherals. This system uses the freeport communication mode, which is a distinctive feature of the S7-200 series PLC. This method requires no additional investment, has good flexibility, and is suitable for small-scale control systems. Freeport communication requires both parties to use RS485 interfaces, with a maximum baud rate of 38400 bps. Although the standard serial port of a PC is RS232, the PC/PPI cable provided by Siemens has an RS232/RS485 level converter, so the PLC and PC can be easily interconnected without adding any hardware.

2.1 Initialization of Freeport Mode

The first step in programming freeport mode communication for a PLC is to initialize the serial port. The S7-200 PLC is initialized by writing a communication control word into the special memory byte SMB30 (port 0) to set the baud rate, parity, stop bits, and data bits. These settings must be consistent with the settings of the host computer. In addition, the communication mode and master-slave mode can be selected. The specific contents of each bit can be found in the SIMATIC S7-200 system manual.

2.2 Sending and Receiving Data in Freeport Mode

After initializing the freeport communication mode, data can be sent and received.

(1) Sending Data Command XMT

Format: XMT Table, Port.

Data can be sent using the XMT instruction. The XMT instruction transmits the data in the send buffer (the variable storage area starting from Table). The first byte of the buffer indicates the number of bytes to be sent, and Port indicates the port used for sending. The buffer can hold a maximum of 255 characters.
An interrupt is generated when the last character in the buffer is sent (interrupt event 9 for port 0). The format of the XMT buffer in this example is shown in Table 1. The status byte indicates whether the PLC has correctly received the data transmitted from the host computer. The uploaded data is the data uploaded by the PLC to the PC; it is encoded from 9 bytes of hexadecimal into 18 bytes of ASCII code, so the number of bytes is 18. BCC is the XOR sum of the uploaded data, also encoded from hexadecimal into ASCII code. The value of the end character is 26.

Table 1 Send Buffer
Table 2 Receive Buffer

(2) Receiving Data Command RCV

Format: RCV Table, Port.

The RCV instruction receives up to 255 characters of data, which are stored in the buffer. An interrupt is generated when the end character is received (interrupt event 23 for port 0). The format of the RCV buffer in this example is shown in Table 2. The command type indicates what operation the host computer instructs the PLC to perform, such as read or write. The target station number is a code assigned to the PLC. The starting address is the starting address of the memory area to be read or written by the PLC. The number of bytes read/written is the number of bytes the PLC reads or writes after receiving the command; in this example, a maximum of 16 bytes are written and 9 bytes are read. The data to be written is the data to be written by the host computer to the PLC, and has no effect on read commands. BCC is the XOR sum of 43 bytes of data from the command type to the data to be written. All items from the target station number to BCC are hexadecimal values encoded as ASCII.

3. Freeport Communication Program Design

The design of the communication program must follow certain rules, such as keeping the interrupt communication handling program concise and avoiding the simultaneous execution of XMT and RCV instructions on the same port.
The entire PLC communication program includes the main program, communication initialization subroutine, verification subroutine, read/write data subroutine, and interrupt service routines for transmission completion and reception completion.

3.1 Main Program

The main communication program is the framework for the PLC to implement receiving and sending functions. Its main flow is to check whether the reception is complete, verify it, and then perform read and write operations according to the command type. Its role is to control the main flow of the program; the specific work such as verification and reading/writing is completed by the corresponding subroutines. The flow is shown in Figure 1.

3.2 Communication Initialization Program

The communication initialization subroutine sets the relevant parameters for freeport communication, writes the control word to the receive message control register SMB87, and defines the start character, end character, and receive timeout. After setting these parameters for freeport mode, it is also necessary to connect the interrupt event and interrupt service routine and enable interrupts. Finally, the receive and transmit buffers are written with initial values.

3.3 Verification Subroutine

This subroutine is called to perform verification after the PLC receives one frame of data. After entering the subroutine, the receive completion flag is cleared first, and then the checksum (BCC) of the received data is calculated. If correct, it is also necessary to check whether the end character is 'G'. If not, it means that the data message length is incorrect or an error occurred during transmission, and the corresponding error information needs to be returned to the host computer. The flow is shown in Figure 2.
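Added example (not code from the article): the same BCC and end-character checks applied on the PC side to the 23-byte upload frame of sections 2.2 and 4, treating every byte from the serial line as untrusted input. The field order, the BCC being the XOR of the 18 data characters as transmitted, and the names `fs_parse`, `hexval` and `SAMPLE` are assumptions, since Table 1 is not reproduced on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (Table 1 is not reproduced on the page):
 *   'g' | status | 18 ASCII hex chars | 2 ASCII hex chars (BCC) | 26
 * BCC is assumed to be the XOR of the 18 data characters as transmitted. */
enum { FRAME_LEN = 23, DATA_RAW = 9, START_CH = 'g', END_CH = 26 };
enum fs_result { FS_OK, FS_NO_FRAME, FS_BAD_END, FS_BAD_HEX, FS_BAD_BCC };
/* Constructed sample: one noise byte, then status 1, data 01..09, BCC "01". */
static const uint8_t SAMPLE[] = "\x55g\x01" "010203040506070809" "01" "\x1a";

/* ASCII hex digit -> 0..15, or -1 for any other byte. */
static int hexval(uint8_t c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Return FS_OK for the first valid frame in buf, else the last failure seen. */
enum fs_result fs_parse(const uint8_t *buf, size_t len,
                        uint8_t *status, uint8_t out[DATA_RAW]) {
    enum fs_result err = FS_NO_FRAME;
    for (size_t i = 0; i + FRAME_LEN <= len; i++) {   /* never read past len */
        const uint8_t *f = buf + i;
        if (f[0] != START_CH) continue;               /* resync on 'g' */
        if (f[FRAME_LEN - 1] != END_CH) { err = FS_BAD_END; continue; }
        uint8_t bcc = 0, raw[DATA_RAW];
        int k, bh = hexval(f[20]), bl = hexval(f[21]);
        for (k = 0; k < DATA_RAW; k++) {
            int hi = hexval(f[2 + 2 * k]), lo = hexval(f[3 + 2 * k]);
            if (hi < 0 || lo < 0) break;              /* reject non-hex bytes */
            raw[k] = (uint8_t)(hi << 4 | lo);
            bcc ^= (uint8_t)(f[2 + 2 * k] ^ f[3 + 2 * k]);
        }
        if (k < DATA_RAW || bh < 0 || bl < 0) { err = FS_BAD_HEX; continue; }
        if ((uint8_t)(bh << 4 | bl) != bcc) { err = FS_BAD_BCC; continue; }
        *status = f[1];                               /* commit only after all checks */
        memcpy(out, raw, DATA_RAW);
        return FS_OK;
    }
    return err;
}

int main(void) {
    uint8_t st = 0, data[DATA_RAW];
    return fs_parse(SAMPLE, sizeof SAMPLE - 1, &st, data) != FS_OK; /* 0 = accepted */
}
```

The BCC only detects transmission errors; it does not authenticate the sender, so a frame that passes this check is well-formed, not trusted.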
Figure 1 Main Program Flowchart
Figure 2 Verification Subroutine Flowchart

3.4 Read and Write Data Subroutines

The task of these two subroutines is to send data from the PLC storage area to the host computer or write data from the host computer to the PLC storage area. The two processes are similar, only the data flow is different. After entering the subroutine, the receiving is stopped first, then the data transmission is completed, and finally an acknowledgment message is sent. The difference is the status byte in the acknowledgment message: 1 for read operation and 2 for write operation.

3.5 Receive and Send Completion Interrupt Service Program

When the PLC generates an interrupt (event number 9) after receiving the end character or an interrupt (event number 23) after the data transmission is completed, these two service programs are executed. After receiving, the receive completion flag is set to 1 first, and then receiving is restarted. After sending, the verification correct flag is cleared first, then the end character in the receive buffer and the calculated receive BCC result are cleared to zero, and finally receiving is restarted. Since it is half-duplex communication, the PLC must set the communication port to receive mode after sending and receiving data. Otherwise, the PLC will not receive any data.

4. Communication Programming of the Host Computer

The host computer communicates with the PLC via an RS232 port. The serial communication program in the Windows environment is written using VC6. There are generally two methods for writing serial communication programs in VC6: the MSCOMM control and the communication API. Each has its advantages and disadvantages. The MSCOMM control encapsulates the basic functions of microcomputer serial communication. Users only need to set some basic parameters to send and receive data through the serial port.
This method is simple and easy for programmers to use, and there are many examples available for reference. Writing serial programs using the communication API is relatively more complex. Developers must directly use a set of API functions provided by Windows to complete the functions encapsulated by the control. Therefore, API programming is more complex than using the control, but it is also more flexible. The functions encapsulated by the communication control cannot be changed, while using the API allows for writing more efficient code tailored to the communication protocol.

In the host computer program of the flying shear control system, a serial port read/write module was written using the communication API. During reception, the program searches for the start character 'g' to determine the beginning of a data frame; then it checks the correctness of the communication based on the next status byte; finally, it receives the 23-byte data frame and prepares to receive the next frame. The sending process does not require checking the data content; it simply executes the send function. It is important to note that since the PLC communication port is half-duplex, when the PLC uploads data to the host computer, the host computer must wait for one data frame to be received before executing the send operation to avoid send-receive conflicts.

Figure 3: Flowchart of Host Computer Serial Communication

5. Conclusion

This system leverages the characteristics of both PCs and PLCs to achieve real-time monitoring of the flying shear system. By utilizing the freeport communication protocol of the PLC (lower computer) and the VC development tools of the host computer, communication application software between the PC and PLC can be easily developed. This method saves investment and is highly practical for small-scale systems.
The system has advantages such as good real-time performance, high speed, high reliability, and convenient operation, achieving the expected results. Field debugging and operation show that this system is suitable for real-time monitoring of flying shear systems.

References

[1] SIEMENS SIMATIC S7-200 Programmable Controller Manual [M]. 2000.
[2] Xu Yi. Research on Free Communication Protocol Based on PC and S7-200 [J]. Journal of Wuhan University of Technology, 2002 (4): 512-515.
[3] Long Wei. Implementation Method of Real-time Communication between S7-200 Series PLC and PC [J]. Journal of Nanchang University, 2002 (2): 81-83.
[4] Liao Changchu. PLC Programming and Application [M]. Machinery Industry Press, 2002.9.