This article will go over the basic characteristics of the Modbus protocol with special emphasis for PLC users.
We’ll be covering some of the broad differences between Modbus over serial and over Ethernet.
We’ll also discuss the different wiring standards for serial communications.
Next, we’ll cover the dynamics of Modbus as a Master and slave network over serial and as a Client and Server over Ethernet.
We’ll delve into my Modbus data addressing and the associated function codes and breakdown coils, bites, bytes, and registers.
We’ll also talk about float and double integer values and how they’re handled by my Modbus.
First, a brief history lesson.
Modbus is a serial communications protocol developed by Modicon in 1979.
It was created specifically for use in Modicon PLC’s for industrial applications.
Today it is an open protocol, used by a wide range of automation products.
Modbus can be used over Ethernet as well as serial cable.
There are three major types or variations of the Modbus protocol: Modbus ASCII, Modbus RTU and Modbus TCP/IP.
Modbus was originally developed using ASCII characters to encode messages and this version of the protocol is still in use today.
Modbus RTU is, by far, the most common implementation, using binary coding and CRC error checking.
The two modes are incompatible so a device configured for ASCII mode cannot communicated with one using RTU.
Modbus RTU devices typically use one of three electrical interfaces: RS232, RS485, and RS422.
RS232 is a simple point to point arrangement.
If you only need to connect one device to another and the distance between the two devices is less than 50 feet or 15 meters, then RS232 will do the job.
To connect more than two devices on the same line, and/or have a distance greater than 50 feet, you should use RS485 or RS422.
For a master communicating with multiple slave devices, RS485 is by far the most popular method.
This standard can support up to 32 nodes over a range up to 4000 feet, roughly 1200 meters without a repeater.
The speed that Modbus messages are sent at is referred to as the baud rate or bit per second.
All devices on an RTU network must use the same baud rate.
Different devices support different transmission speeds, but between 9600 and 19200 bps is a typical range.
Modbus modules can be configures from as low as 300 to as high as over a 10000.
A Modbus serial network has a master device that issues commands to the slave devices.
The slave will not transmit information unless they receive a command to do so from master.
There can only by one master on a network and a maximum up 247 slaves, each with a unique slave ID from 1 to 247.
RS485 cannot drive more than 32 nodes in a single segment; so foe the rare application that needs more than 32 nodes, a repeater is required.
The master can write to the slaves as well as read data from them.
SCADA/HMI systems typically would be the master, communicating with a series of Modbus slave devices.
Here is a diagram of a serial network where the master is connected to a slave who is then daisy chained along to all the other slaves on the line.
The devices must be connected in a daisy chain manner; they cannot be connected in a star topology.
Modbus over Ethernet operates exactly like it sounds: Modbus devices using regular Ethernet cables and switches to communicate with each other.
The big difference with Modbus TCP/IP is that an MBAP header or Modbus application header is added to the star each message.
The slave ID at the beginning at the message is removed as well as the cyclic redundancy check at the end.
The MBAP header contains all the identifying information needed to route the data to the addressed device.
Modbus uses port 502 for TCP/IP communication.
This is important if your data needs to go through a firewall.
ProSoft uses that port for MBAP messaging specifically.
Modbus serial messages can also be sent as regular RTU messages encapsulated inside and Ethernet TCP/IP packet.
Encapsulated messages can use any port, but ProSoft products are set to use port 2000 by default.
Note that MBAP and RTU encapsulation are not compatible; devices must be set to use one or the other.
MBAP messaging is by far the most popular Modbus TCP/IP communication method.
So, for this article, we will be focusing on Modbus RTU and Modbus TCP/IP using MBAP.
Modbus TCP/IP uses the terms client and server instead of master and slave.
The TCP/IP network consists of the client connected to a switch or series of switches, to which all the servers on the network are also connected.
Modbus TCP/IP devices use Internet Protocol addressing and require a subnet mask.
The IP address and subnet mask are both represented by 8-bit numerical group or octets.
The IP addresses the location of a particular device on a network and the subnet masks servers to simplify the task of routing traffic within the network.
If you don’t know your IP addressing your IT group or network administrator will let you know the IP addresses and subnet mask your devices will need.
The default gateway is optional and not required for networks that do not use a default gateway.
Again you can consult your IT group or network administrator.
Now let’s talk about Modbus’s eccentric addressing system and the different between tables.
There are four tables where information is stored.
Two tables store simple discrete values called coils and two store numerical 16-bit values known as registers.
For each type data there is one read only table and one read write table.
There are no tables for 32-bit data types because back when Modbus was defined, double integers and floating-point values were not available in PLC’s.
There is a way to use those data types though, we’ll get to that in a moment.
Each table has a maximum love 9999 addresses.
Data tables addresses 1 through 9999 are the read write table for coils, addresses 10001 through 19999 are the read only for discrete inputs.
Data table addresses 30001 through 39 999 are the read only for input registers and addresses 40 001 through 49 999 are the read write table foe holding registers.
At this point it might be helpful to explain the terms used for data types in Modbus.
Coils in discrete inputs are the Modbus vernacular for 1-bit of data or in Rockwell terms a bool; basically on or off.
A register is the term for 1 word or 16-bits or 2-bits of data or in Rockwell terms an INT.
There are no registers for floats or double integers although, they can be sent by dividing them into two registers.
Float values are any real number with a decimal point that is represented by a 32-bit register.
Double integers, or DINT’s are simply two 16-bit values stacked together, and also represented by 32-bits.
This presents a small problem since Modbus does not have a float or DINT data type.
The solution, obviously enough, is that did 32+-bit value is broken into 2 separate 16-bit registers and then recombined into a 32-bit real value.
This is accomplished by copying the two 16-bit registers to 1 REAL tag in the Rockwell processor. Modbus function codes are simple numerical codes that tell the slave which tables to access and whether to read or write to that table.
Each function code relates to a specific data table address range.
For instance, function code 1 is the code to read and individual bit status.
Function code 16 is code to write multiple holding registers.
Here are some of the most commonly used function codes.
Modbus as a protocol does not define exactly how the data should be store in registers.
Different vendors have different ways of storing and transmitting data.
Some devices will transmit the higher byte first, followed by the lower byte.
Others will do it the other way around.
By the same token, when registers are combines to represent 32+-bit real values, some devices will transmit the higher 16-bit in the first register and the lower 16-bits in the second register.
Other vendors do it the other way around.
The order that bytes or words are sent it doesn’t matter as long as the receiving device knows which way they are ordered.
If the data is not appearing correctly because the byte or word order is incorrect; ProSoft products feature a byte and words swap function which will reverse the order in which the data is stored and sent, resolving the issue instantly.
To wrap up, we’ll take a look at Modbus RTU message being sent from a master out to a slave device.
The message contains the slave ID of the device the command is intended for, the function code to read or write data and the message data itself.
Once the slave receives the command, it will return the requested data to the master in the case of read command, or it will write the data to its own database and sent an echo of the original message back to the Master to confirm that the message was receives.
We hope this article gives you a better understanding of Modbus serial and TCP/IP.
#Modbus, #protocol, #features