AUTI255 - Industrial Networks 1
ACE University
MODBUS™
• Modbus Protocol
Modbus is a serial communication protocol
published by Modicon in 1979 for use with its
Programmable Logic Controllers (PLCs).
– It is openly published and royalty-free
– Relatively easy industrial network to deploy
– It moves raw bits or words without placing
many restrictions on vendors
– 7 million Modbus nodes in North America and
Europe alone.
Modbus - Open Standard
• Modbus.org
MODBUS - Serial Line
• Definition Modbus SL
– Physical Layer uses RS-232, RS-422, RS-485
asynchronous serial data transmission and is
called Modbus over Serial Line (Modbus SL)
– Master-slave/client-server communications
between intelligent devices.
– Fits within the OSI/ISO reference model as an
application layer messaging protocol
– Modbus serial is typically used for monitoring
rather than process or control.
MODBUS - Serial Line
ISO/OSI Reference Model Modbus SL
Modbus was designed as a Layer 7 (Application) communication
protocol that runs over a Layer 2 (Data Link) serial line protocol and
finally over a Layer 1 (Physical) EIA/TIA standard RS-232, RS-422, or
RS-485 connection.
Modbus - RS 232
• RS-232 point-to-point
– Used primarily for short point-to-point data
transmission between DTE and DCE
Modbus - RS 485
• RS-485 Standard
– Standard published by Telecommunications
Industry Association/Electronic Industries
Alliance (TIA/EIA)
– RS-485, also known as TIA/EIA-485, EIA-485
– Inexpensive local networks and multi-drop
communications links.
– Only specifies electrical characteristics of the
driver and the receiver.
Modbus - RS 485
• Physical Media
– Shielded cable recommended
– Uses twisted pair and at least a third conductor,
the ‘so-called’ common
– Maximum Length 1200 meters (4000 ft) without
repeaters
– Maximum Length of Tap Links 20 m, (65 ft)
– Transmission Speed: 9.2 Kbps and 19.2 Kbps
are standards (other speeds selectable)
Modbus - RS 485
• Topology
– Point-to-point
(Daisy chain)
– Multi-dropped
or
Multi-point
Modbus - RS 485
• Master/Slave
– Master should be as close to middle of bus as
possible.
Modbus - RS 485
• Repeaters
– Repeaters can be incorporated for additional
distance and node count.
– By using "Repeaters" and "Multi-Repeaters"
very large RS-485 networks can be formed.
– Star Configurations… Not recommended
Modbus - RS 485
• 2-Wire application
– Master/Slave
– Half Duplex operation
– Sometimes called ‘3-wire’ connection even
though data is transmitted over 2-wire twisted
pair bus.
– Third conductor, the so-called Common,
should be available to interconnect all devices
on the bus.
Modbus - RS 485
• 2-Wire diagram
[Figure: Master connected to Slave 1, Slave 2 … 32]
Modbus - RS 485
• 4-Wire applications
– Full duplex operation
– Data on the master wire pair must only be
received by the slaves and the data on the
slave wire pair must only be received by the
master.
– Fifth conductor, the so-called Common,
should be available to interconnect all devices
on the bus.
Modbus - RS 485
• 4-Wire diagram
Modbus - RS 485
• Polarization
– Voltage range between +12 and -7V
– Higher voltages may
damage network devices
Modbus - RS 485
• Grounding 2-wire common
Modbus - RS 485
• Grounding 4-wire common
Modbus - RS 485
• Why Line Termination?
– Eliminates reflections on the transmission line
• Without termination resistors, faster data rates can
create multiple data reflections
– Multiple data reflections can be misread and
cause corrupt data on the line.
– Reduces electrical noise sensitivity due to the
lower impedance
Modbus - RS 485
• When Line Termination?
– Reflection disturbances that occur on a line
settle after about 3 round trip delays.
– Cable length: Short cables have short round
trip delays
– Transmission rate: Low data rates have long
unit intervals.
Modbus - RS 485
• 2-Wire termination
– Termination resistors of 120 Ohms at each
end of the bus.
Modbus - RS 485
• 4-Wire termination
Modbus - RS 485
• 2-Wire ‘fail-safe’ bias.
– Pull-up or pull-down resistors establish a
fail-safe bias for each data line
– Typically designed in Master
Modbus - RS 485
• Isolation Devices
Modbus - RS 485
• Cable Length is dependent on:
– Transmission rate
– Cable type (gauge, capacitance or
characteristic impedance)
– Number of loads that are directly connected
(daisy chaining)
– Network configuration (2-wire or 4-wire)
– Derivation cable must not exceed 20 m (65 ft).
Modbus - RS 485
• Cable Length Example
– 19,200 bits/s
– AWG26 (or wider)
– 1000 m (3280ft) maximum
• Repeaters
– 3 repeaters per system
– 4000 m (13,123 ft) maximum
Modbus - RS 485
• Transmission Rates
1,200 bit/s
2,400 bit/s
4,800 bit/s
9600 bit/s
19,200 bit/s (default)
38,400 bit/s
56 kbit/s
115 kbit/s
128 kbit/s
256 kbit/s
Modbus - RS 485
• Connectors
– Screw terminals
– RJ-45 connectors
– SUB-D9 connectors
– M12 connectors
Modbus - RS 485
• Screw Terminals
– Trunk interface only (not for use as taps)
– Called open style connectors
– 5-position with VP (standard version)
[Figure labels: Devices, Network cables; Male, Female]
Modbus - RS 485
• RJ-45 Connector
– RJ (Registered Jack)
– Physical (ANSI/TIA-1096 and ISO-8877)
– Wiring pinouts (TIA/EIA-568)
Modbus - RS 485
• 2-Wire RJ-45 PLC socket
Modbus - RS 485
• 4-Wire RJ-45 PLC socket
Modbus - RS 232
• RJ-45 PLC socket
– NOTE: On DTE devices (e.g. a PC) the
pinouts are crossed.
Modbus - RS 485
• SUB-DE9 Connectors
– 2-Wire RS 485 Applications
Modbus - RS 485
• SUB-DE9 Connectors
– 4-Wire RS 485 Applications
Modbus - RS 232
• SUB-DE9 Connectors
– RS 232 Applications
Modbus – RS 485
• M12 Connectors
– Pin assignment M12 socket for 2-wire
[Figure: male and female M12 connectors, pins numbered 1 to 5]
Power Supply via Modbus SL
– Connectors provide a specific pin for power
supply from PLCs, drives etc. to small HMI or
PC connection accessories like, for example,
RS 232/RS 485 converter cables.
Modbus Data Link Layer
• Characteristics Master / Slave
– Only one master is connected to the bus at a
time.
– One or several slave nodes can be connected
to the same serial bus.
– Only the master is allowed to initiate
communication, (i.e. to send requests to the
Slave nodes.)
– The master can only initiate one Modbus
transaction at a time.
Modbus Data Link Layer
• Characteristics Master / Slave
– The master can address each slave node
individually (unicast mode) or all slaves
simultaneously (broadcast mode).
– The slave nodes can only answer requests
from the master.
– The slave nodes are not allowed to initiate
communication, neither to the master nor to
any other slave nodes.
Modbus - Master / Slave Protocol
• Unicast Stages
1. The master sends a request to an individual slave
2. This slave processes the request from the master
3. The slave sends a response message to the master
Modbus - Master / Slave Protocol
• Broadcast Stages
– Master broadcast messages use address 0
– Master Broadcast mode sends a request to all
slave nodes
– All slave nodes in the network must accept
broadcast messages identified as address 0
– Slave nodes only accept broadcast messages
but do not reply to them.
Modbus - Master / Slave Protocol
• Addressing Rules
– Modbus SL supports up to 256 (0...255)
different addresses.
– Each slave node must be assigned a slave
address that is unique on the serial bus.
– The master node is not assigned a specific
address.
Modbus - Timeout Values
• Response Timeout
– Unicast Mode
• Configured in Modbus devices for unicast mode
• Minimum of 3.5 characters (2 ms at 19,200 bit/s)
• Should provide the slave nodes enough time to:
– Receive the request from the master
– Process this request
– Send a response back to the master
Modbus - Timeout Values
• Turnaround Delay
– Broadcast Mode
• Configured in Modbus devices for broadcast mode
• Should provide the slave nodes enough time to:
– Process the current request
– Be able to receive a new request.
• Shorter response timeout than for unicast mode.
• Typically select a value between 100 and 200 ms
Modbus - Communication Time Diagram
[Timing diagram; exchanges: Unicast, Unicast, Broadcast; rows: Master, Slave 1, Slave… N, Physical Line]
Modbus – Transmission Modes
• Transmission Mode
– Modbus SL serial data transmission can be
performed in the following two different modes
• RTU mode
– RTU mode is default in most Modbus
devices
• ASCII mode
– ASCII mode can additionally be
implemented for specific applications.
Modbus – Transmission Modes
• RTU Transmission Mode
– Byte Format
• Each byte (11 bits) has the following format
Modbus – Transmission Modes
• RTU Transmission Mode
– Serially Transmitting Characters
• In serial data transmission each character or byte
is sent as follows (left to right):
Least Significant Bit (LSB) > Most Significant Bit (MSB)
Bit sequence in RTU mode with parity checking
Bit sequence in RTU mode without parity checking
Modbus – Transmission Modes
• RTU Framing
– RTU Modbus message consists of a
maximum of 256 characters or bytes.
• slave address
• function code
• data to be transmitted
• Cyclic Redundancy Checking (CRC) checksum
Modbus – Transmission Modes
• Separating Message Frames
– Individual frames are separated by a silent
interval, also called interframe delay
[Figure: Frame 1, Frame 2 and Frame 3 separated by silent intervals]
Modbus – Transmission Modes
• RTU message frame
– Complete Modbus RTU message frame with
start and end silent times
Modbus – Transmission Modes
• Detecting Incomplete Frames
– Transmitted as continuous stream of characters
– Silent times larger than 1.5 characters between 2
characters will be interpreted by the receiving device
as incomplete frame
– Receiver will discard this frame.
[Figure: Frame 1 OK; Frame 2 Not OK]
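Added example (not part of the original slides): a Python sketch of how a receiver or line monitor can apply the two timing rules above, treating 3.5 character times of silence as the interframe delay and a pause longer than 1.5 characters inside a frame as an incomplete frame. The event format (start time in seconds, byte value) and the helper names are assumptions made for this illustration.

```python
BITS_PER_CHAR = 11  # RTU character length stated on the slides


def char_time(baud):
    """Seconds needed to transmit one 11-bit RTU character."""
    return BITS_PER_CHAR / baud


def split_frames(events, baud):
    """Split captured characters into RTU frames using silent intervals.

    events: list of (start_time_s, byte_value), a hypothetical capture format.
    Returns a list of (frame_bytes, ok); ok is False when a pause longer than
    1.5 characters occurred inside the frame, so a receiver would discard it.
    """
    t_char = char_time(baud)
    t15, t35 = 1.5 * t_char, 3.5 * t_char
    frames, current, ok, prev_end = [], bytearray(), True, None
    for start, value in events:
        if prev_end is not None:
            idle = start - prev_end
            if idle >= t35:      # interframe delay: previous frame has ended
                frames.append((bytes(current), ok))
                current, ok = bytearray(), True
            elif idle > t15:     # pause too long inside a frame
                ok = False
        current.append(value)
        prev_end = start + t_char
    if current:
        frames.append((bytes(current), ok))
    return frames


def make_events(chunks, baud):
    """Build constructed input: chunks are (idle_chars_before, bytes)."""
    t_char, now, events = char_time(baud), 0.0, []
    for idle_chars, data in chunks:
        now += idle_chars * t_char
        for value in data:
            events.append((now, value))
            now += t_char
    return events


# Constructed sample: a clean frame, then one with a 2-character pause inside.
SAMPLE = make_events(
    [(0, b"\x11\x03\x00\x6b"), (4, b"\x11\x03"), (2, b"\x00\x6b")], 19200)
```

At 19,200 bit/s, 3.5 character times works out to about 2 ms, which matches the minimum stated for the response timeout.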
Modbus – Transmission Modes
• ASCII Transmission Mode
– American Standard Code for Information Interchange
– ASCII mode provides less data throughput than the
default RTU mode.
– Only 7 data bits per 10-bit asynchronous character
frame
– Each byte needs 2 characters
Bit sequence in ASCII mode with parity checking
Modbus – Transmission Modes
• ASCII Framing
– Start bit
– Slave address (1 byte)
– Function code (1 byte)
– Longitudinal Redundancy Checking (LRC) field
– End CR (carriage return), LF (line feed)
Maximum size of an ASCII frame is 513 bytes
Modbus – Transmission Modes
• Separating ASCII Message Frames
– ASCII mode includes special characters
indicating the start and the end of a frame.
:
Modbus – Transmission Modes
• LRC Error Checking In ASCII Mode
– The LRC process is as follows:
1. Sending device calculates the LRC value.
2. Sending device appends the LRC as last field of the
message.
3. Receiving device recalculates the LRC and compares
the calculated value with the value integrated in the
LRC field by the master.
4. If the two LRC values are identical, the receiving
device processes the message.
If the LRC value of the receiving device differs from
the value in the LRC embedded message field, the
message is regarded to be faulty. The receiving
device will not process the message.
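Added example (not part of the original slides): the LRC steps above in Python, with the sender appending the LRC and the receiver recalculating it and refusing the message on a mismatch. The LRC is computed as the two's complement of the 8-bit sum of the message bytes, and the frame is delimited by ':' and CR LF; the function names and the sample message are constructed for this illustration.

```python
HEX_DIGITS = b"0123456789ABCDEF"
MAX_ASCII_FRAME = 513  # maximum ASCII frame size stated on the slides


def lrc(message: bytes) -> int:
    """LRC: two's complement of the 8-bit sum of the message bytes."""
    return (-sum(message)) & 0xFF


def encode_ascii(message: bytes) -> bytes:
    """Sender: append the LRC as last field, frame with ':' and CR LF."""
    body = message + bytes([lrc(message)])
    return b":" + body.hex().upper().encode("ascii") + b"\r\n"


def decode_ascii(frame: bytes) -> bytes:
    """Receiver: recalculate the LRC and reject the message on mismatch."""
    if len(frame) > MAX_ASCII_FRAME:
        raise ValueError("frame longer than 513 bytes")
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' start or CR LF end")
    text = frame[1:-2]
    if len(text) % 2 or any(c not in HEX_DIGITS for c in text):
        raise ValueError("payload is not pairs of uppercase hex characters")
    raw = bytes.fromhex(text.decode("ascii"))
    if len(raw) < 3:  # address, function code and LRC at minimum
        raise ValueError("frame too short")
    message, received = raw[:-1], raw[-1]
    if lrc(message) != received:
        raise ValueError("LRC mismatch, message not processed")
    return message


# Constructed sample: slave 0x11, function code 03, four data bytes.
SAMPLE = encode_ascii(bytes.fromhex("1103006B0003"))
```

The LRC only detects transmission errors; it does not show who sent the message.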
Modbus Protocol – Modbus Frame
• Modbus Frame Description
– The basic Modbus frame consists of:
Protocol Data Unit (PDU)
– PDUs may be extended by additional fields,
depending on the specific application.
– This extended frame is called the
Application Data Unit (ADU).
Modbus Protocol – Modbus Frame
• Request PDU
– the function code
– the request data
Modbus Protocol – Modbus Frame
• Response PDU
– the function code
– the request data
Modbus Protocol – Modbus Frame
• Exception Response PDU
– the error code
– the exception data
Modbus Protocol – Modbus Frame
• Application Data Unit (ADU)
– RS 232 / RS 485 the PDU is extended by the
following two frame segments:
• Additional address
• Error check
Modbus Protocol - Function Code
• Function Code Field
– Part of the PDU
– Size is always 1 byte
– Contains valid codes between 1 and 127
decimal
– Codes 128 to 255 are reserved for exception
responses; code 0 is invalid
Modbus Protocol – Data Field
– Modbus normal (error-free) transaction
Modbus Protocol – Data Field
– Modbus exception (error) transaction
Modbus Protocol – Function Codes
• Categories
127 different function codes
are divided into two groups:
• Public
• User-defined
Modbus Protocol – Function Codes
• Public Function Codes
– Public function codes are defined by the
following characteristics:
• Well-defined
• Guaranteed to be unique
• Validated by the Modbus-IDA.org community
• Publicly documented
• Have conformance testing
Public Function Code Table
Modbus Protocol – Function Codes
• Bit Access Function Codes
– 02 Read Physical Discrete Inputs
– 01 Read Coil
– 05 Write Single Coil
– 15 Write Multiple Coils
Public Function Code Table
Modbus Protocol – Function Codes
• 16-Bit Access Function Codes
– 03 Read Holding Register
– 06 Write Single Register
– 16 Write Multiple Registers
– 23 Read/Write Multiple Registers
Public Function Code Table
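Added example (not part of the original slides): a Python parser for an RTU frame as a line monitor might use it, checking the CRC, splitting out slave address, function code and data, and classifying the function code by the ranges and write codes listed above. The CRC parameters (CRC-16/MODBUS, low byte sent first) are standard; the type and function names and the sample frames are constructed for this illustration.

```python
from typing import NamedTuple

WRITE_CODES = {5, 6, 15, 16, 23}   # write function codes from the lists above
MAX_RTU_FRAME = 256                # RTU frame limit stated on the slides

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(body: bytes) -> bytes:
    """Append the CRC, low byte first, as it is sent on the line."""
    return body + crc16_modbus(body).to_bytes(2, "little")

class RtuFrame(NamedTuple):
    address: int
    function: int
    data: bytes
    kind: str          # "normal", "exception" or "invalid"
    is_write: bool
    is_broadcast: bool

def parse_rtu(frame: bytes) -> RtuFrame:
    """Validate length and CRC, then classify the function code."""
    if not 4 <= len(frame) <= MAX_RTU_FRAME:
        raise ValueError("RTU frame must be 4 to 256 bytes long")
    body, received = frame[:-2], int.from_bytes(frame[-2:], "little")
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch, frame discarded")
    address, function, data = body[0], body[1], body[2:]
    if function == 0:
        kind = "invalid"       # code 0 is not a valid function code
    elif function >= 128:
        kind = "exception"     # 128 to 255: exception responses
    else:
        kind = "normal"
    return RtuFrame(address, function, data, kind,
                    function in WRITE_CODES, address == 0)

# Constructed sample frames (not captured traffic).
READ_REQ = with_crc(bytes.fromhex("1103006B0003"))         # read holding registers
EXCEPTION = with_crc(bytes.fromhex("118302"))              # exception (0x83 = 0x03 + 0x80)
BROADCAST_WRITE = with_crc(bytes.fromhex("00050001FF00"))  # write single coil, address 0
```

A valid CRC shows only that the frame arrived intact. The frame has no field identifying the sender, so a monitor that wants to audit writes has to rely on the `is_write` and `is_broadcast` flags and on where the tap sits on the bus.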
Modbus Protocol – Registers
The Modbus protocol enables Master and Slave
devices to exchange data between their memories.
• Register – object containing data in the memory of
the device.
• Index – Register position within memory table
Modbus Protocol – Registers
• Master point of view
– Input register
• a read-only register (most of the time
represents the status of the slave device)
– Output register
• a write register in a slave (most of the time
represents commands and configuration
registers)
Modbus Protocol – Data Field
• Data field can include information
or it can be empty.
– Can provide slave with additional information
concerning the specific requested function
code and may contain:
• Discrete and register addresses
• Quantity of items to be handled
• Count of actual data bytes in the field, etc…
Modbus Protocol – Data Field
• Response – No Error
Modbus Protocol – Data Field
• Response – Error
Programming Communication
• Unity PLC’s
– Premium
– M340
– Quantum
Programming Communication
• Three Hardware Types
– In the CPU: For example, the BMX M340
CPU has a RJ45 Modbus port
– As an in rack module: Separate module to
plug into the PLC rack (BMXNOM0200 for
M340, TSXSCY11601 for Premium…)
– As a PCMCIA card: To be plugged into the
CPU or external module (TSX SCP 114 for
Premium only)
Programming Communication
• Configuring Modbus Module
Programming Communication
• BMXNOM0200 serial parameters
– Slave Number
– Type
– Physical Line
– Number of Retries
– Data
– Transmission Speed
– Parity
– Answer Delay
– Delay between Frames
– Signal
– RTS/CTS delay
Programming Communication
• Sending Requests
Modbus function blocks in Unity Pro
M=M340, P=Premium, Q=Quantum
• ADDM: Address Conversion: provides the target address for
other function blocks (M)
• ADDR: Address Conversion: provides the target address (P)
• DATA_EXCH: Exchanging Data (M,P)
• OUT_IN_MBUS: Only useful when the two modes Modbus
master and slave are operating concurrently (M,P)
• READ_VAR: Reading variables (M, P)
• SEND_REQ: Sending a request for specific function code (P)
• WRITE_VAR: Writing variables (M, P)
Exchanging Data with M340
Modbus input string ‘r.m.c.e.MBS’
– r is the rack number location of the module
– m is the slot number of the Modbus module
– c is the channel used (normally 0)
– e is the equipment address (slave address) of
the target
– MBS is used to indicate Modbus Serial
READ_VAR (function code 4)
ADR: must be linked to ADDM output
OBJ: defines read object (Modbus register: ‘%MW’)
NUM: starting register
NB: number of consecutive registers
GEST: table of 4 words managing communications
RECP: reception zone containing value read
Programming Communication
• WRITE_VAR (function code 16)
– ADR: This must be linked to the output of the
ADDM block.
– OBJ: Defines the object to read (in the case of
Modbus register: ‘%MW’)
– NUM: Starting register to write inside the device
– NB: Number of consecutive registers to write
inside the device
– EMIS: Source table to write from the PLC
– GEST: Table of 4 words to manage the
communication block (errors, timeout, length, etc)
Programming Communication
• GEST manages the communication
Exercise
• Description of hardware
Exercise - READ_VAR
• Add and Configure BMXNOM0200
Exercise – Add WRITE_VAR
• Optimizing the Communication