Industrial Networks & Databases
Protocols and Networks - Device Bus -
- Field Bus - - Data Bus -
Protocols and Networks
Recall
An Industrial Communication Network (control network) - any group of devices (computers, controllers, meters etc.) working in a peer-to-peer fashion to monitor sensors, control actuators, communicate reliably, manage network operation, and provide complete access to network data.
It is a type of LAN (Local Area Network) with greater demands on reliability, immunity to interference and determinism (knowledge of response time).
A communications protocol is the set of standard rules for data representation, signaling, authentication and error detection required to send information over a communications channel.
2008-10-27 Protocols and Networks Dr inż. Janusz Hajda
Modbus Protocol
The MODBUS protocol is a messaging structure created by the MODICON company (now part of the Schneider Electric concern) in 1979 to connect PLCs to programming tools.
Today, this protocol is mainly used to set up master/client type communications with slaves/servers between intelligent devices.
MODBUS is independent of the physical layer.
It can be implemented on RS232, RS422, or RS485 links as well as on a wide variety of other media (e.g.: optical fibre, radio, etc.).
Modbus serial link and the OSI model
MODBUS on a serial link operates at 1200 bps to 56 Kbps with a master/slave access method.
Layer  OSI model     Modbus serial link
7      APPLICATION   Modbus
6      PRESENTATION  EMPTY
5      SESSION       EMPTY
4      TRANSPORT     EMPTY
3      NETWORK       EMPTY
2      LINK          Master/Slave
1      PHYSICAL      RS485
Modbus ASCII and RTU
The MODBUS protocol comes in 2 versions :
ASCII transmission mode
Each eight-bit byte in a message is sent as 2 ASCII characters.
RTU transmission mode
Each eight-bit byte in a message is sent as two four-bit hexadecimal characters.
The main advantage of the RTU mode is that it achieves higher throughput.
ASCII mode allows time intervals of up to 1 second to occur between characters without causing an error.
Modbus Frame Structure
Address | Function | Data | Checksum
The Modbus frame structure is the same for requests (master to slave messages) and responses (slave to master messages).
Modbus ASCII: ":" (3A Hex) | Address | Function | Data | Checksum | CR (0D Hex) LF (0A Hex)
Modbus RTU: silence | Address | Function | Data | Checksum | silence
Silence >= 3.5 characters
Modbus Address Field
Valid slave device addresses are in the range of 0 ... 247 decimal.
The individual slave devices are assigned addresses in the range of 1 ... 247.
Value 0 is reserved for broadcast messages (no response).
Request :
A master addresses a slave by placing the slave address in the address field of the message.
Response :
When the slave sends its response, it places its own address in this address field of the response to let the master know which slave is responding.
Modbus Function Field
Valid codes are in the range of 1 ... 255 decimal.
Request :
The function code field tells the slave what kind of action to perform.
Response :
For a normal response, the slave simply echoes the original function code.
For an exception response, the slave returns a code that is equivalent to the original function code with its most significant bit set to a logic 1.
Example for function code 03:
Request: 0000 0011 (Hexadecimal 03)
Normal response: 0000 0011 (Hexadecimal 03)
Exception response: 1000 0011 (Hexadecimal 83)
Modbus Function Field
Code       Function
01 (0x01)  Read n consecutive output bits
02 (0x02)  Read n consecutive input bits
03 (0x03)  Read n consecutive output words
04 (0x04)  Read n consecutive input words
05 (0x05)  Write 1 output bit
06 (0x06)  Write 1 output word
07 (0x07)  Read exception status
08 (0x08)  Access diagnostic counters
15 (0x0F)  Write n output bits
16 (0x10)  Write n output words
23 (0x17)  Read/Write n output words
43 (0x2B)  Read identification
The complete description of all Modbus requests is freely available on the Modbus.org web site: http://www.modbus.org
And also: http://kss.ia.polsl.pl/ (materials to IN&D)
Modbus Data Field
Valid codes are in the range of 0 ... 255 decimal.
Request :
The data field contains additional information which the slave must use to take the action defined by the function code. This can include items like register addresses, quantity of items to be handled, etc...
Response :
If no error occurs, the data field contains the data requested.
If an error occurs, the field contains an exception code that the master application can use to determine the next action to be taken.
Modbus Data Field
Possible exception codes:
Code  Name: Meaning
01  ILLEGAL FUNCTION: The function code received in the query is not an allowable action for the slave. If a Poll Program Complete command was issued, this code indicates that no program function preceded it.
02  ILLEGAL DATA ADDRESS: The data address received in the query is not an allowable address for the slave.
03  ILLEGAL DATA VALUE: A value contained in the query data field is not an allowable value for the slave.
04  SLAVE DEVICE FAILURE: An unrecoverable error occurred while the slave was attempting to perform the requested action.
05  ACKNOWLEDGE: The slave has accepted the request and is processing it, but a long duration of time will be required to do so. This response is returned to prevent a timeout error from occurring in the master. The master can next issue a Poll Program Complete message to determine if processing is completed.
06  SLAVE DEVICE BUSY: The slave is engaged in processing a long-duration program command. The master should retransmit the message later when the slave is free.
07  NEGATIVE ACKNOWLEDGE: The slave cannot perform the program function received in the query. This code is returned for an unsuccessful programming request using function code 13 or 14 decimal. The master should request diagnostic or error information from the slave.
08  MEMORY PARITY ERROR: The slave attempted to read extended memory, but detected a parity error in the memory. The master can retry the request, but service may be required on the slave device.
Modbus Checksum Field
Valid codes are in the range of 0 ... 255 decimal.
Modbus RTU uses CRC: Cyclical Redundancy Check (2 bytes)
Modbus ASCII uses LRC: Longitudinal Redundancy Check (1 byte)
Request :
The checksum is calculated by the master and sent to the slave.
Response :
The checksum is re-calculated by the slave and compared to the value sent by the master.
If a difference is detected, the slave will not construct a response to the master.
Modbus Error Checking Methods
Parity checking
Even or odd parity can optionally be applied to each character.
Frame checking
LRC or CRC is applied to the entire message.
Continuous stream
The entire message frame must be transmitted as a continuous stream.
If a silent interval (more than 1.5 character times in RTU mode or 1 second in ASCII mode) occurs before completion of the frame, the receiving device flushes the incomplete message and assumes that the next byte will be the address field of a new message.
Modbus Error Checking Methods
The master is configured by the user to wait for a predetermined timeout interval before aborting the transaction.
This interval is set to be long enough for any slave to respond normally.
If the slave detects a transmission error, the message will not be acted upon. The slave will not construct a response to the master.
Thus the timeout will expire and allow the master's program to handle the error.
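The ASCII transmission mode and its LRC frame check described in the slides above, as an added Python example that is not part of the original lecture. The function names are hypothetical and the sample request is constructed; the receiver rejects any frame with wrong delimiters, non-hexadecimal characters or a bad LRC, as a slave would.

```python
def lrc(body: bytes) -> int:
    """Longitudinal Redundancy Check: two's complement of the 8-bit byte sum."""
    return (-sum(body)) & 0xFF


def encode_ascii(body: bytes) -> bytes:
    """Frame address + function + data for ASCII mode.

    Every byte becomes two ASCII hex characters, framed by ':' (3A hex)
    and CR LF (0D 0A hex), with the one-byte LRC placed before CR LF.
    """
    payload = body + bytes([lrc(body)])
    return b":" + payload.hex().upper().encode("ascii") + b"\r\n"


def decode_ascii(frame: bytes) -> bytes:
    """Return address + function + data, or raise ValueError (frame dropped)."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' start or CR LF end delimiter")
    text = frame[1:-2]
    if len(text) < 6 or len(text) % 2:
        raise ValueError("need whole bytes for address, function and LRC")
    if any(char not in b"0123456789ABCDEF" for char in text):
        raise ValueError("non-hexadecimal character in frame")
    payload = bytes.fromhex(text.decode("ascii"))
    if sum(payload) & 0xFF:  # body plus LRC must sum to zero modulo 256
        raise ValueError("LRC mismatch")
    return payload[:-1]


def frame_sizes(body: bytes) -> tuple:
    """Bytes on the wire for the same message: (RTU, ASCII).

    RTU adds a 2-byte CRC; ASCII doubles every byte (LRC included) and
    adds 3 delimiter characters, which is why RTU has higher throughput.
    """
    return len(body) + 2, 2 * (len(body) + 1) + 3


if __name__ == "__main__":
    # Constructed sample: slave 1, function 03, first word 0, 10 words.
    request = bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x0A])
    frame = encode_ascii(request)
    print(frame)
    print(decode_ascii(frame) == request, frame_sizes(request))
```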
Modbus Frame Example in RTU Mode
Request :
Function code = 3: Read n words
Slave address | Function code = 3 | First word address | Number of words to read | CRC16
1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes
Response :
Slave address | Function code = 3 | Number of bytes read | Value of the first word | Value of the last word | CRC16
1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes | 2 bytes
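The function 3 exchange in RTU mode, with the CRC16 check and the exception response (function code with its most significant bit set) handled on the master side, as an added Python example that is not part of the original lecture. Function and class names are hypothetical, the sample frames are constructed, and the response parser assumes the one-byte byte-count field of the specification published on modbus.org.

```python
import struct

# Exception codes from the table in these slides.
EXCEPTIONS = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
              3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE",
              5: "ACKNOWLEDGE", 6: "SLAVE DEVICE BUSY",
              7: "NEGATIVE ACKNOWLEDGE", 8: "MEMORY PARITY ERROR"}


class FrameError(ValueError):
    """The frame is damaged or unexpected and must be discarded."""


class SlaveException(Exception):
    """The slave returned a well-formed exception response."""
    def __init__(self, code):
        super().__init__(f"{code:02d} {EXCEPTIONS.get(code, 'UNKNOWN')}")
        self.code = code


def crc16(data: bytes) -> int:
    """Modbus RTU CRC: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def add_crc(body: bytes) -> bytes:
    return body + struct.pack("<H", crc16(body))  # CRC low byte goes first


def build_read_request(slave: int, first_word: int, count: int) -> bytes:
    if not 1 <= slave <= 247:  # address 0 is broadcast and gets no response
        raise ValueError("a read needs an individual slave address 1..247")
    return add_crc(struct.pack(">BBHH", slave, 3, first_word, count))


def parse_read_response(request: bytes, frame: bytes) -> list:
    """Check a response against its request and return the words read."""
    if len(frame) < 5:
        raise FrameError("frame too short")
    if struct.unpack("<H", frame[-2:])[0] != crc16(frame[:-2]):
        raise FrameError("CRC mismatch")
    if frame[0] != request[0]:
        raise FrameError("answer from a slave that was not addressed")
    if frame[1] == request[1] | 0x80:  # most significant bit set
        if len(frame) != 5:
            raise FrameError("malformed exception response")
        raise SlaveException(frame[2])
    if frame[1] != request[1]:
        raise FrameError("function code was not echoed")
    count = struct.unpack(">H", request[4:6])[0]
    if frame[2] != 2 * count or len(frame) != 5 + 2 * count:
        raise FrameError("byte count does not match the words requested")
    return list(struct.unpack(f">{count}H", frame[3:-2]))


if __name__ == "__main__":
    req = build_read_request(1, 0, 10)  # constructed: slave 1, 10 words
    print(req.hex(" "))
    reply = add_crc(bytes([1, 0x83, 2]))  # constructed exception reply
    try:
        parse_read_response(req, reply)
    except SlaveException as exc:
        print("slave exception:", exc)
```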
Modbus Frame Example in RTU Mode
Request :
Function code = 6: Write one word
Slave address | Function code = 6 | Word address | Value of word | CRC16
1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes
Response :
Slave address | Function code = 6 | Word address | Value of word | CRC16
1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes
Modbus Frame Example in RTU Mode
Request :
Function code = 16 (decimal): Write n words
Slave address | Function code = 16 | First word address | Number of words to write | Number of bytes | Value of the first word | CRC16
1 byte | 1 byte | 2 bytes | 2 bytes | 1 byte | 2 bytes | 2 bytes
Response :
Slave address | Function code = 16 | First word address | Number of words to write | CRC16
1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes
Modbus RS485 Physical Layer
RS485 is the most common physical layer used on Modbus.
The RS485 standard allows variants of different characteristics :
polarisation
line terminator
distribution of a reference potential
number of slaves
length of the bus
Maximum length of bus: 1000 m at 19200 bps
Maximum number of stations (without repeater): 32 (31 slaves)
Maximum length of tap links: 20 m for one tap link; 40 m divided by the number of tap links
Bus polarisation: 650 Ω at 5V and common for the master
Line terminator: 120 Ω - 0,25Wm in series with 1nF 10V
Common polarity: Yes (Common) connected to the PG
[Figure: RS485 wiring diagram with Master, Slave 1 and Slave 2; lines D1, D0 and Common; 5 V and 650 Ω polarisation resistors; 120 Ω / 1 nF line terminators]
Modbus RS485 Physical Layer
Topology: Bus with line terminations
Maximum distance: 1300 m without repeater
Data rate: 19200 bits/s maximum
Max. no. of devices: 32 master included
Method of accessing the medium: Master - slave
Transmission method: Messaging
Max. useful data size: 120 words
Transmission security: LRC or CRC; Start and stop delimiters; Parity bit; Continuous stream
Modbus Application Example
The XXMIT (Transmit) function block sends Modbus messages from a "master" PLC to a slave PLC or sends ASCII character strings from the PLC's Modbus serial port#1 (on Momentum PLCs port#2 is also supported) to ASCII printers and terminals. XXMIT sends these messages over telephone dialup modems, radio modems, or simply direct connections.
This EFB can be found in the COMM library in the RTU subgroup.
Remember, the Modbus protocol is a "master/slave" protocol. Modbus is designed to have only one master polling multiple slaves. Therefore, when using the XXMIT block in a network with multiple masters, contention resolution and collision avoidance are your responsibility and may easily be addressed through user logic programming.
Modbus Application Example
The following Modbus Master operation is a read request to a slave device connected to port 1 of the master: read slave's 4:0001 to 4:00010 into local 4:00011 to 4:00020
The Slave must be set up with the following port parameters:
9600 baud, 8 data bits, 1 stop bit, even parity (2)
The Master uses settings from the XXMIT function block
Variable Name           Data Type  Initial Value  Comment
StartModbusMstr         BOOL
ModbusMstrActive        BOOL
ModbusMstrCommand       WORD       16#0100        Bit 8 set
ModbusMstrDone          BOOL
ModbusMstrError         BOOL
ModbusMstrSettings      WordArr9
ModbusMstrSettings[1]              3              Modbus Code: Read multiple registers
ModbusMstrSettings[2]              10             Amount of Registers to read
ModbusMstrSettings[3]              X              Slave Modbus address
ModbusMstrSettings[4]              1              Source register
ModbusMstrSettings[5]              11             Destination Register
ModbusMstrSettings[6]                             not used
ModbusMstrStatus        INT
ModbusMstrNode          WORD                      Enter Slave address
ModbusMstrErrorCounter  INT
ModbusMstrDoneCounter   INT
Strengths - Weaknesses
Strengths
• Low implementation cost
• Number of devices connected in the world
• Level of integration in PLC software
Weaknesses
• A program has to be written in order to access a variable
• Relatively slow
• No direct communication from slave to slave
Modbus Plus
MODBUS PLUS is an industrial networking system that uses token-passing peer-to-peer communications at data transfer rates of one megabit per second; it uses the MODBUS messaging structure.
Layer  OSI model     Modbus Plus
7      APPLICATION   Modbus
6      PRESENTATION  EMPTY
5      SESSION       EMPTY
4      TRANSPORT     EMPTY
3      NETWORK       EMPTY
2      LINK          802.4 Token passing
1      PHYSICAL      RS485
Modbus Plus Flexibility
Data communications
Modbus compatibility enhances application solutions
High speed host and operator interface connectivity
Event driven peer to peer communications
Reliable interlocking between controllers makes distributed control easy
Bridges and repeaters allow flexible architectures
Connectivity with complementary ModConnect products
Programming
Upload, download, and verify programs
Up to eight programmers on a network enhances productivity
I/O Servicing with Quantum DIO and Momentum I/O
Modbus Plus Specifications
Deterministic token passing bus
Based on the de facto industry standard Modbus protocol
1 Megabits/Second network speed
CRC-16 error detection
Number of nodes
32 without repeaters
64 with repeater(s)
Choice of media
1,500’ to 6,000’ on inexpensive shielded twisted pair
9,000’ to 45,000’ on noise immune fiber optics
Modbus Plus Terminology
Network: The grouping of nodes on a common signal path that is accessed by the passing of a token. It consists of one or more cable sections.
Section: A series of nodes that are joined only by cable segments. The section's signal path does not pass through any kind of node device. Sections are all part of one network, sharing the same token and address sequence.
In the example above, the Repeater joins two sections. Each section can be up to 450 m long, and can contain up to 32 physical node connections.
Modbus Plus Terminology
Cable Segment: A single length of trunk cable between two taps. Taps are passive devices that provide connections for the trunk cable segments.
The cable connection between the nodes at addresses 10 and 5 is through one cable segment. Another cable segment connects nodes 5 and 64.
Node: Any device that is physically connected to the Modbus Plus cable. The term applies to any device, whether it is addressable or not. Some nodes, like programmable controllers, have addresses and can serve as sources or destinations for messages. The Bridge Plus is a separately addressable node on each of its two networks. The Repeater is a node on each of two sections, but has no address, serving only to extend the network.
The minimum cable length between any pair of nodes must be at least 3 m.
The maximum cable length between two nodes is the same as the maximum section length of 450 m.
Modbus Plus Terminology
Token: A grouping of bits that is passed in sequence from one device to another on a single network, to grant access for sending messages. If two networks are joined by a Bridge Plus, each network has its own token that is passed only among the devices on that network.
Modbus Plus - Installation
[Figure: MB+ TAP with MB+ Drop Cable and Modbus Plus Trunk Cable]
Nodes are connected to the cable by means of a tap device, supplied by Modicon.
This provides ‘through’ connections for the network trunk cable, ‘drop’ connections for the cable to the node device, and a grounding terminal.
The tap also contains a resistive termination that is connected by two internal jumpers. The tap at each end of a cable section requires both of its jumpers to be connected to prevent signal reflections. All of the taps that are inline on the cable section require their jumpers to be removed (open).
Why is Modbus Plus compatible with Modbus?
Modbus, the de facto industry standard since 1979
Master/slave polling protocol
19.2 kbaud maximum speed
Supports up to 247 devices on a single network
Read/write, programming commands
Modbus can run over virtually any media enabling a wide range of applications
RS-232, RS-422, RS-485
Copper, infra-red, radio, telephone lines, microwave, spread spectrum...
Any device with a serial port can implement Modbus
Built into every Modicon controller
Integrated into products from over 300 industrial suppliers
How is Modbus Plus compatible with Modbus?
Modbus Plus supports full Modbus Protocol including read/write and programming
Quantum, Compact, and 984 controllers have built-in Modbus to Modbus Plus Bridge
BM 85 Bridge Mux
Attach four individual Modbus master or slave devices, or entire Modbus networks
Integrate existing Modicon 384s, 484s, 584s, 884s, 984s
[Figure: Modbus Plus and Modbus joined by a BM 85; Modbus to Powermeter, Inductel, and Altivar 66; Magelis]
Modbus Plus Applications
Three types of communication are available to the application program for exchanging messages between networked nodes:
The MSTR function block can be used for transferring, reading and clearing statistics, and accessing the network's global database. The MSTR is a general function for transacting messages with any type of networked node. It is programmed into the user logic program of the controller.
Peer Cop transfers can be used to move data both globally and with specific nodes. Such transfers are specified in the controller's Peer Cop table during its initial configuration.
Distributed I/O transfers can be used to move data with DIO Drop Adapter nodes. Such transfers are specified in the controller's DIO Map table during its initial configuration.
Modbus Plus Applications
Simple instructions for event driven communications
MSTR function block (possible to select one of 12 available network communication operations)
Read/write up to 100 registers
Read/write the network global database
Get/clear local/remote statistics
Up to 4 MSTR blocks active on any scan, with automatic queuing for additional MSTRs
Same MSTR block works on the native CPU or Quantum network option module ports
Other function blocks:
CREADREG: Continuous register reading
CWRITREG: Continuous register writing
READREG: Read register area once (rising edge of the REQ input)
WRITEREG: Write register area once (rising edge of the REQ input)
Modbus Plus Routing Path
Message Frame: START | Routing Path | Data | END
Routing Path Field:
ROUTING ADDRESS 1 = 22
ROUTING ADDRESS 2 = 20
ROUTING ADDRESS 3 = 5
ROUTING ADDRESS 4 = 0
ROUTING ADDRESS 5 = 0
Zero means no further routing.
[Figure: NETWORK A, NETWORK B and NETWORK C joined by two BRIDGE PLUS devices; node labels shown: 1, 3, 9, 1, 2, 1, 5, 22, 25, 20, 3]
Each network has its own token.
Modbus Plus - Peer Cop Transactions
Point to point data can be transacted while a node holds the token and during its token pass with Modbus Plus Peer Cop. Up to 500 words (16 bits each) can be directed to specific data references in node devices prior to release of the token, and up to 32 words can be globally broadcast to all nodes as part of the token frame.
Nodes can be configured to send two kinds of Peer Cop data:
Global Output
Up to 32 words of data can be broadcast globally from each node to all nodes. Source data references are specified in the node configuration.
Specific Output
Up to 32 words of data can be transmitted to any specific node. Multiple node destinations can be specified, up to the maximum of 500 data words. Any nodes on the network can be specifically addressed as destinations. A unique block of references can be specified as the data source for each targeted node.
Modbus Plus - Peer Cop Transactions
Nodes can be configured to receive two kinds of Peer Cop data:
Global Input
Up to 32 words of global data can be received by each node from each other node on the network. Destination references are specified in the receiving node’s configuration. Up to eight blocks of references can be specified, giving up to eight separate destinations for the data received from each source node.
The incoming data can be indexed to establish the starting point and length of each block of data to be extracted from the message and delivered to each destination.
Specific Input
Up to 32 words of data can be received from any specific node. Each node on the network can be specifically defined as a data source, up to the maximum of 500 data words.
Modbus Plus - Peer Cop Transactions
Secure, configurable communications
Data protection feature provides secure read only integrity
Configure time critical communications with Peer Cop
Read/write Global Database
Broadcast up to 32 words out to all network nodes
Pick from up to 2016 words in from other nodes
Map inputs to whatever data type you like
Map specific inputs and outputs between nodes
Up to 32 words in and out per node
Up to 500 words in and 500 words out per port
Data length of outputs and node address of source controller must match with config table entries on the destination controller before data is moved to inputs
Modbus Plus - Peer Copping Example
[Figure: three nodes (Node # 1, Node # 3, Node # 2), each shown with a Peer Cop table holding one entry per partner node]
Table:
Node #1: Specific Outputs 400101 - 400120, Specific Inputs 100001 - 100064, Global Data Out 400500 - 400510
Node #2: Specific Outputs 000001 - 000064, Specific Inputs 300001 - 300020, Global Data Out 401000 - 401020
Table:
Node #1: Specific Outputs 400001 - 400032, Specific Inputs 100001 - 100064, Global Data Out 400200 - 400231
Node #3: Specific Outputs 400001 - 400004, Specific Inputs 100001 - 100512, Global Data Out 401000 - 401020
Table:
Node #2: Specific Outputs 000001 - 000064, Specific Inputs 300001 - 300020, Global Data Out 400200 - 400231
Node #3: Specific Outputs 400001 - 400020, Specific Inputs 100001 - 100064, Global Data Out 400500 - 400510
Modbus Plus - Peer Cop Transactions
Because Peer Cop data is transacted as part of the token pass, it applies to each network independently of any other networks that are part of the Modbus Plus system.
Tokens are not exchanged between networks, because they are not passed through Bridge Plus devices.
Each network maintains its own Peer Cop database, with its own system of global broadcasting and specific node addressing.
Modbus Plus Applications
[Figure: Network Throughput chart, Reg/Sec per Node (0 to 10000) against Nodes (2, 4, 10, 20, 30), 4 MSTR's Always On]
Modbus Plus has excellent performance
Predictable performance
As fast as hardwired I/O
Typical token rotation time of 2 milliseconds per node
Transfer of 100 registers per activation MSTR instruction
Maximum network throughput of 20,000 registers/Sec
Modbus Plus – Concept Example
Modbus Plus - Example of Architecture
[Figure: example Modbus Plus architecture. Locations: multifunction building (BUDYNEK WIELOFUNKCYJNY), control room (DYSPOZYTORNIA), raw water pumping station (POMPOWNIA WODY SUROWEJ). Networks: Modbus Plus (MB+1, MB+2, MB+3, MB+4; TAP1, TAP2, TAP3, TAP4), Interbus-S, Modbus/RS232. Equipment labels: XBT-P021010, TSX3721, TSXMBP100, TSXMBPCE030, iFIX2.6, 171CCC76010, 172PNN21022, 170INT11000, 170ADM35010, 170AAI14000, 170ADI35000, 170ADO35000]