e le ct rical-e ngine e ring-po rt al.

co m
http://electrical-engineering-po rtal.co m/using-mo dbus-fo r-pro cess-co ntro l-and-auto matio n-2

Using MODBUS for Process Control and Automation (2)

by Edvard

The Sc hne id e r Ele c tric Mo d ic o n Q uantum is a ve rs atile PLC

Continued from first part of article Using MODBUS for Process Control and Automation (1)

MODBUS RTU Basics

To communicate with a slave device, the master sends a message containing:
• Device Address
• Function Code
• Data
• Error Check

T he Device Address is a number f rom 0 to 247. Messages sent to address 0 (broadcast messages) can be
accepted by all slaves, but numbers 1-247 are addresses of specif ic devices. With the exception of
broadcast messages, a slave device always responds to a MODBUS message so the master knows the
message was received.

Figure 2 – Funct ion Codes

Command Function Code

01 Read Coils
 02 Read Discrete Inputs

03 Read Holding Registers

04 Read Input Registers

05 Write Single Coil

06 Write Single Register

07 Read Exception Status

08 Diagnostics

xx Up to 255 f unction codes, depending on the device

T he Function Code def ines the command that the slave device is to execute, such as read data, accept
data, report status, etc. (Figure 2). Function codes are 1 to 255. Some f unction codes have sub-f unction
codes.

T he Data def ines addresses in the device’s memory map f or read f unctions, contains data values to be
written into the device’s memory, or contains other inf ormation needed to carry out the f unction requested.
T he Error Check is a 16-bit numeric value representing the Cyclic Redundancy Check (CRC). T he CRC is
generated by the master (via a complex procedure involving ORing and shif ting data) and checked by the
receiving device. If the CRC values do not match, the device asks f or a retransmission of the message. In
some systems, a parity check can also be applied.

When the slave device perf orms the requested f unction, it sends a message back to the master. T he
returning message contains the slave’s address and requested f unction code (so the master knows who is
responding), the data requested, and an Error Check value.

MODBUS Memory Map

Each MODBUS device has memory, where process variable data is stored. T he MODBUS specif ication
dictates how data is retrieved and what type of data can be retrieved. However, it does not place a
limitation on how and where the device vendor maps this data in its memory map.

Below would be a common example of how a vendor might logically map dif f erent types of process variable
data. Discrete inputs and coils are one-bit values, and each has a specif ic address. Analog inputs (also
called “Input Registers”) are stored in 16-bit registers. By utilizing two of these registers MODBUS can
support the IEEE 32-bit f loating point f ormat. Holding Registers are also 16-bit internal registers that can
support f loating point.

Figure 3

The literature or operation manuals of most MODBUS compatible devices, such as this TMZ Temperature
Transmitter from Moore Industries, publish the addresses of key variables in the MODBUS Memory Map. The
TMZ’s addresses conform to the MODBUS spec.

Table Addresses Type Table Name

1-9999 Read or Write Coils

10001-19999 Read Only Discrete Inputs

 30001-39999 Read Only Input Registers

40001-49999 Read or Write Holding Registers

Data in the memory map is def ined in the MODBUS specif ication. Assuming that the device vendor f ollowed
the MODBUS specif ication (not all do), all data can easily be accessed by the MODBUS master, which
f ollows the specif ication. In many cases, the device vendor publishes the memory locations (Figure 3),
making it easy f or the person programming the master to communicate with the slave device.

Reading and Writ ing Dat a

MODBUS has up to 255 f unction codes, but 01 (read coils), 02 (read discrete inputs), 03 (read holding
registers) and 04 (read input registers) are the most commonly used read f unctions that are used to collect
data f rom MODBUS slaves. For example, to read three 16-bit words of analog data f rom device 5’s memory
map, the master sends a command that looks something like this:

5 04 2 3 CRC

Where 5 is the device address, 04 says to read input registers, 2 is the starting address (address 30,002),
3 means to read three contiguous data values starting at address 30,002, and CRC is the error check value
f or this message.

T he slave device, upon receiving this command, sends back a response that looks something like this:

5 04 aa bb cc CRC

Where 5 is the device’s address; 04 is the repeated read command; aa, bb and cc are the three 16-bit data
values; and CRC is the error check value f or this message.

Reading and writing digital inputs and outputs is done in a similar manner using dif f erent read and write
f unctions.

Assuming that the device f ollows the MODBUS specif ication, it is a simple programming task to set up the
master to read and write data, check status, obtain diagnostic inf ormation and perf orm various control and
monitoring f unctions.

Connecting MODBUS Devices

One of the easiest ways to bring f ield devices into a process control system, PLC or industrial computer is
to simply connect digital and analog I/O into a distributed I/O system that has MODBUS communication
capability.

For example, the NCS (NET Concentrator System) f rom Moore Industries allows a user to connect analog
and digital signals remotely, which can then be connected to a MODBUS master via twisted pair cable.

Multiple NCS systems can be installed in several locations throughout the plant, all linked by MODBUS
(Figure 4).
 Fig ure 4 - Ho me Run Wiring vs MO DBUS

Figure 4 – In most plants, f ield instruments connect to the control system with individual “home
run” twisted pairs (below). When the instruments are wired into a distributed I/O system, such as the NCS
f rom Moore Industries (center), more devices can be added, but only a single twisted pair is needed to
transmit all the data to the MODBUS master. Multiple NCS systems can be networked (bottom) over the
same MODBUS network, so the entire plant can be converted f rom home run wiring to MODBUS.
T his solution works f or both new and existing plants. In many existing plants, f ield instruments typically
connect to the DCS or PLC via “home run wiring,” where each device is connected with individual twisted
pairs that carry analog signals. With the NCS, one of those twisted pairs can be used f or the MODBUS
signal. T his is particularly usef ul if the plant wants to add additional f ield instruments, but does not want to
run more wiring (at an installed cost of $100 per f oot). A distributed I/O system can accommodate all of the
existing I/O, or it can be used just to send data f rom all the new f ield instruments.

In some cases, the control system is not able to deal with a MODBUS signal. It may be that the legacy
control system is accustomed to dealing with 4-20mA analog I/O and directly wired digital I/O, and
reprogramming the old system to accommodate MODBUS data would be dif f icult. Of ten, users would like to
add new remote signals to their system without having to run wire or buy expensive MODBUS interf ace
cards that require extensive re-programming. In that case, a peer-to-peer solution works best.

For example, the CCS (Cable Concentrator System) and the NCS (NET Concentrator System) f rom Moore
Industries both have peer-to-peer communication abilities. T he NCS and CCS are similar to a distributed I/O
module, but have more built-in intelligence and can be set up in either a peer-to-peer or peer-to-host
conf iguration.

Fig ure 5 - Pe e r-to -Pe e r Wiring

Figure 5 - In some cases, the control system is not able to deal with a MODBUS signal. In that case, a peer-to
peer solution with two NCS systems simply replaces all the home run wiring with a single MODBUS cable.
Analog outputs from the control room NCS are then wired directly into the host system’s I/O card.

With a peer-to-peer NCS system (Figure 5), two concentrators are used: one in the f ield and one in the
control room. Field instruments connect to the remote NCS, which connects to the control room NCS via a
single twisted pair wire. T hen, outputs f rom the control room NCS are wired into the control system’s
existing analog I/O panel. In this way, the analog signals f rom the new f ield transmitters can be seen in their
original analog state through the plant’s existing analog I/O cards. T his makes programming and
commissioning of the new signals less dif f icult than programming new digital interf ace cards.

T hese peer-to-peer solutions can also accommodate bi-directional communication in which both sides of
the system can have inputs and outputs.

To be continued…

Resource: Using MODBUS for Process Control and Automation – Moore Industries