Industrial Communication
Chapter 2: Modbus Serial
Truong Dinh Chau
(+84) (0)91. 543-74-40
chau.truong@me.com,
chau.truong@hcmut.edu.vn
http://truongdinhchau.com
Modbus Serial Features
Introduction
● Modbus = Modicon Bus (1979)
● is an application layer messaging protocol for client/server communication
between devices connected on the bus.
● Independent from the other layers
● Openly published and royalty-free
● Relatively easy industrial network to deploy
● It moves raw bits or words without placing many restrictions on vendors
● Various versions
● Modbus RTU (Serial), Modbus ASCII, Modbus Ethernet TCP/IP, Modbus
Plus (Proprietary of =S=)
Layers Used in ISO Model
● 3 Layers used for Modbus Serial
● APPLICATION: Modbus Protocol
● PRESENTATION: Not used
● SESSION: Not used
● TRANSPORT: Not used
● NETWORK: Not used
● DATALINK: Master / Slave, Transmission RTU / ASCII
● PHYSICAL: RS485, RS422, Fiber Optic, Radio, Cellular, …
Physical Layer
● RS485 2 wire: Required. Multi-point and point-to-point
● RS485 4 wire: Optional. To integrate into an existing installation without modification
● RS232: Optional. Point-to-point mode, 15 meter max.
Transmission speeds:
9600 bps and 19200 bps required with 19.2 Kbps by default
Other speeds: 1200, 2400, 4800, 38400, 56 Kbps, 115 Kbps optional
RS485 is the most common physical layer used on Modbus. Up to 32 devices, including the master, can be connected on the bus.
Modbus RS485 4 wire installation
[Figure: 4 wire RS485 wiring diagram. Master, Slave 1 to Slave n, each with T and R, connected to a master pair and a slave pair. Labels on the diagram: 5V, 650 ohms, 120 ohms, 1 nF, Common, PG]
Topology: bus type
Max. number of devices: 32 including master without a repeater
Max. length:
Main segment: 1,000 m at 19,200 bits/s
Drops: 40 m in total (20 m for one tap link)
Modbus RS485 2 wire installation
[Figure: 2 wire RS485 wiring diagram. Master, Slave 1 to Slave n, each with T and R, connected to one balanced pair. Labels on the diagram: 5V, 650 ohms, 120 ohms, 1 nF, Common, PG]
Topology: bus type
Max. number of devices: 32 including master without a repeater
Max. length:
Main segment: 1,000 m at 19,200 bits/s
Drops: 40 m in total (20 m for one tap link)
Data Transmission
● Method of accessing the medium
● Master slave
● Transmission method:
● Client / Server
● Max. useful data size:
● 120 words
Unicast Addressing Mode
Address = 1 to 247
[Figure: master and slaves Adr 1 to Adr n on the bus; the request is addressed to slave 5]
Request: 5 | Funct. Code | Request data | CRC
Response: 5 | Funct. Code | Response data | CRC
Broadcast Addressing Mode
Address = 0
[Figure: master and slaves Adr 1 to Adr n on the bus; the request reaches every slave]
Request: 0 | Funct. Code | Request data | CRC
No response from slaves
Used only with write functions
Transmission Modes
● ASCII transmission mode
● Every data item is encoded in two ASCII characters (7 bits)
● Allows time intervals of up to 1 second to occur between characters without causing an error.
● Used with Modem / Barcodes
● RTU transmission mode
● Every data item is encoded in one byte (8 bits)
● Achieves higher throughput & reliability
● Used with PLC / SCADA
Modbus Serial Frame
Frame: Address | Function Code | Data | CRC or LRC
Modbus PDU (PDU = Protocol Data Unit)
● Address: = 0 to 247. Identifies the addressee
● Function Code: = 1 to 127. Action to perform
● Data: Additional data depending on the Function Code
● CRC or LRC: Validity check
Two addressing modes:
● Unicast: Address field = 1 to 247
● Broadcast: Address field = 0 (used in write only mode)
Address Field
Frame: Address | Function | Data | Checksum
Valid device addresses: 0 to 247 decimal. Value 0 reserved for broadcast message (no response)
● Request
● A master addresses a slave by placing the slave address in the address
field of the message.
● Response
● When the slave sends its response, it places its own address in this address
field of the response to let the master know which slave is responding.
Function Field
Frame: Address | Function | Data | Checksum
Valid codes are in the range of 1 to 255 decimal.
● Request
● The function code field tells the slave what kind of action to perform.
● Response
● For a normal response, the slave simply echoes the original function code.
● For an exception response, the slave returns a code that is equivalent to the
original function code with its most significant bit set to a logic 1.
Data Field
Frame: Address | Function | Data | Checksum
● Request
● The data field contains additional information which the slave must use to
take the action defined by the function code. This can include items like
register addresses, quantity of items to be handled, etc...
● Response
● If no error occurs, the data field contains the data requested.
● If an error occurs, the field contains an exception code that the master application can use to determine the next action to be taken.
Checksum Field
Frame: Address | Function | Data | Checksum
● Modbus RTU uses CRC
● Cyclical Redundancy Check (2 bytes)
● Modbus ASCII uses LRC
● Longitudinal Redundancy Check (1 byte)
● Request
● The checksum is calculated by the master and sent to the slave.
● Response
● The checksum is re-calculated by the slave and compared to the value sent
by the master. If a difference is detected, the slave will not construct a
response to the master.
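The ASCII transmission mode and its 1-byte LRC, worked through as an added example (not part of the original slides). The ':' start character and CR LF end of frame come from the Modbus serial specification, not from this page; the function names and the sample request are constructed for illustration.

```python
import re

def lrc(data: bytes) -> int:
    """LRC: two's complement of the 8-bit sum of the message bytes."""
    return (-sum(data)) & 0xFF

def encode_ascii(body: bytes) -> bytes:
    """Wrap address + function + data as a Modbus ASCII frame."""
    payload = body + bytes([lrc(body)])
    # Every byte becomes two uppercase hex characters between ':' and CR LF.
    return b":" + payload.hex().upper().encode("ascii") + b"\r\n"

# At least three encoded bytes: address, function code and the LRC itself.
_FRAME = re.compile(rb":((?:[0-9A-F]{2}){3,})\r\n")

def decode_ascii(frame: bytes) -> bytes:
    """Return address + function + data, or raise ValueError for a bad frame."""
    match = _FRAME.fullmatch(frame)
    if match is None:
        raise ValueError("not a well-formed ASCII frame")
    raw = bytes.fromhex(match.group(1).decode("ascii"))
    if (sum(raw) & 0xFF) != 0:  # message bytes plus their LRC must sum to zero
        raise ValueError("LRC mismatch")
    return raw[:-1]

def ascii_overhead(body: bytes) -> tuple:
    """Characters on the wire in ASCII mode versus bytes in RTU mode (body + 2 CRC bytes)."""
    return len(encode_ascii(body)), len(body) + 2

if __name__ == "__main__":
    # Constructed sample: slave 1, function 3, first word 0, 10 words.
    body = bytes.fromhex("01030000000A")
    frame = encode_ascii(body)
    print(frame)
    print(decode_ascii(frame).hex(" "))
    print(ascii_overhead(body))
```

The length comparison makes the throughput difference between the two modes concrete for the same request.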
Function Codes
Code Function
01 (0x01) Read n consecutive output bits
02 (0x02) Read n consecutive input bits
03 (0x03) Read n consecutive output words
04 (0x04) Read n consecutive input words
05 (0x05) Write 1 output bit
06 (0x06) Write 1 output word
07 (0x07) Read exception status
08 (0x08) Access diagnostic counters
15 (0x0F) Write n output bits
16 (0x10) Write n output words
23 (0x17) Read/Write n output words
43 (0x2B) Read identification
http://www.modbus.org
Example of Read Request
Request
Field: Slave Address | Function code = 3 | First word address | Number of words to read | CRC16
Size: 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes
Response
Field: Slave Address | Function code = 3 | Number of bytes read | Value of the first word | Value of the last word | CRC16
Size: 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes | 2 bytes
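The RTU read request above, built and checked in code, together with the receive-side checks described in the Address, Function and Checksum slides. This is an added example, not part of the original slides; the function names and sample frames are constructed, and the CRC parameters (initial value 0xFFFF, polynomial 0xA001, low byte sent first) are those of the Modbus serial specification.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16 used by Modbus RTU: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_read_request(slave: int, first_word: int, count: int) -> bytes:
    """Function code 3 request: address, function, first word address, word count, CRC16."""
    if not 1 <= slave <= 247:
        raise ValueError("a read needs a unicast address (1 to 247)")
    body = struct.pack(">BBHH", slave, 0x03, first_word, count)
    return body + struct.pack("<H", crc16_modbus(body))  # CRC goes out low byte first

def parse_frame(frame: bytes) -> dict:
    """Check and split a received RTU frame; raise ValueError if it must be discarded."""
    if len(frame) < 4:  # address + function + 2 CRC bytes is the minimum
        raise ValueError("frame too short")
    body, crc_rx = frame[:-2], int.from_bytes(frame[-2:], "little")
    if crc16_modbus(body) != crc_rx:
        # The CRC catches transmission errors; it does not authenticate the sender.
        raise ValueError("CRC mismatch")
    address, function = body[0], body[1]
    if address > 247:
        raise ValueError("address outside 0 to 247")
    parsed = {"address": address, "broadcast": address == 0,
              "function": function & 0x7F, "exception": None, "data": body[2:]}
    if function & 0x80:  # most significant bit set: exception response
        if len(body) != 3:
            raise ValueError("exception response must carry exactly one code byte")
        parsed["exception"] = body[2]
    return parsed

if __name__ == "__main__":
    # Constructed sample: read 10 words starting at word 0 from slave 1.
    request = build_read_request(1, 0, 10)
    print(request.hex(" "))
    print(parse_frame(request))
    # Constructed exception response: function 3 echoed with the top bit set, code 2.
    body = bytes([0x01, 0x83, 0x02])
    print(parse_frame(body + crc16_modbus(body).to_bytes(2, "little")))
```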
Registers & Index
● Registers
● Memory variable located in a device
● Word, Bit, Byte, etc…
● Can be reached thanks to its Index
● Inputs Registers: read only (status)
● Outputs Registers: read / write (commands)
Programming Modbus with Unity Pro
1 Platform, 3 Target
● 3 PLC Targets
● M340, Premium, Quantum
● Same Philosophy
● Different Function Blocks
BMXNOM0200
● Safety screw (1)
● Display block with 4 LEDs: (2)
● RUN (green) and ERR (red): Module status
● SER COM (green): Activity on the serial link (lit) or
fault (flashing).
● Channel 0 (3a & 3b)
● RS 232C connection, marked COM Port 0 RS232
● RS 485 connection, marked COM Port 0 RS485
● Channel 1 (4)
● RS 485 connection, marked COM Port 1 RS485
BMXNOM0200 Configuration
Request Programming
● Dedicated Function Blocks for M340
● ADDM: Address Conversion
● READ_VAR: Execute a read request
● WRITE_VAR: Execute a write request
● DATA_EXCH: Execute a user defined request
● OUT_IN_MBUS: Change from Slave to Master mode
ADDM FB
● IN:
● String variable: ‘r.m.c.e.MBS’
● OUT:
● Converted table of words, to be used in the other FBs
● ‘r.m.c.e.MBS’
● r = the rack number where the Modbus module is located,
● m = the slot number of the Modbus module,
● c = the channel used
● e = the equipment address (slave address) of the target
● “MBS” = indicates that Modbus Serial is used (optional)
READ_VAR FB
● IN:
● ADR: to be linked to the output of the ADDM block.
● OBJ: defining object to read (in the case of Modbus register: ‘%MW’)
● NUM: starting register to read
● NB: number of consecutive registers to read
● OUT
● RECP: reception zone of the block, delivering the value read (table of
words)
● IN/OUT
● GEST: table of 4 words to manage the communication block (errors,
timeout, length, etc..)
WRITE_VAR FB
● IN:
● ADR: to be linked to the output of the ADDM block.
● OBJ: defining object to write (in the case of Modbus register: ‘%MW’)
● NUM: starting register to write
● EMIS: source table to write from the PLC
● IN/OUT
● GEST: table of 4 words to manage the communication block (errors,
timeout, length, etc..)
GEST Variable
● Structured Variable
● Table of 4 words
● GEST[1]: Most Significant Byte = Exchange number (updated each time the request is executed); Least Significant Byte = Activity bit: 1 = exchange in progress, 0 = exchange terminated.
● GEST[2]: Most Significant Byte = Operation report; Least Significant Byte = Communication Report
● GEST[3]: Timeout
● GEST[4]: Length
Exercise
● Add & Configure Modbus Module (p 2-13)
– Add a module
– Configure the channel
– Set the Modbus Slave
– Insert the ADDM block
– Create the READ_VAR request
– Test the application
Optimizing Communication
● Beware of Communication Buffer Overload
● Usage of the Activity Bit (GEST[1].X0)
Optimizing Communication (Example)
● Conditioning with the Activity Bit
● Avoid buffer overload
● Ensure that the next block is sent only when the previous one is finished.
Optimizing Communication (Cont.)
● Device Timeout
● A means of knowing whether the Master is lost
● After a defined time without receiving a request, the Slave goes to fallback mode
[Illustration caption: "Allo, anybody still there?"]
● Fallback Mode
● Mode activated when communication is lost
● Behaviour to define (start a motor, stop a process, switch off outputs..)
[Illustration caption: "No answers… great, let’s go party!"]
Exercise
● Optimizing the Communication (2-16)
– Insert the Activity Bit as condition
– Insert the WRITE_VAR function
– Test the communication
● Testing the TimeOut (2-20)
– Use WRITE_VAR to change the Timeout parameter
– Test the communication
Modbus Serial RTU
● Main Features Reminder:
● Up to 1200m whatever the baud rate value
● Performance: Depends on the PLC application and how it’s managed.
● Up to 32 Slaves
● Baudrates: 1,2kbit/s... 19,2kbit/s
● max 240 bytes per telegram
● No separate ground wire
● Good error detection (CRC)