Modbus is a popular low-speed serial communication protocol widely used in the automation industry. The protocol was developed by Modicon (since acquired by Schneider Electric) in 1979 for its own programmable logic controllers. The protocol served as a link between PLCs and intelligent automation devices. Now an open protocol maintained by the Modbus Organization, Modbus has been very popular among automation engineers since its inception. The protocol is widely used for industrial monitoring and control, particularly with PLCs.
The serial protocol is based on a master-slave configuration and is capable of setting up the communication of a Modbus client with up to 247 Modbus servers. The physical interface is provided at the devices by standard RS-485 or RS-232 ports. The bus is a shielded or non-shielded twisted pair cable terminated in 150 ohms at both ends. The cable can be easily connected to the devices using a 9-pin D-shell, screw terminals, or RJ-45 connectors.
Modbus is a point-to-point or multi-drop network using either a daisy chain or taps. The entire communication in a Modbus network is controlled and managed by the master (i.e. the Modbus client). Modbus is widely used to connect instrumentation and control devices with a controller or data-gathering devices. Usually, the data-gathering device or the Modbus client is a supervisory computer within a human machine interface (HMI) or Supervisory Control and Data Acquisition (SCADA) system. The remote terminal units (RTU), including sensor modules, programmable logic controllers (PLC) and programmable automation controllers (PAC), are the Modbus servers. Modbus is supported by almost every commercial HMI, SCADA, OPC server, and data acquisition software, enabling a hassle-free integration of Modbus-compatible equipment with any Industrial Automation System (IAS) or Building Management System (BMS).
Why Modbus is so popular
Modbus is used by manufacturers in many different industries and has become quite popular due in part to its simplicity. It is an open standard; therefore, manufacturers can build the RTU version of Modbus into their equipment without paying any royalty. The protocol can be implemented even on prototyping boards such as Arduino. In fact, the communication protocol can be easily implemented on any microcontroller or computer. The data communication is carried out through request-response and the messages have a fixed frame format.
Initially developed as an application layer protocol to transfer data over the serial layer, Modbus currently has three versions: two for serial lines (Modbus RTU and Modbus ASCII) and one for Ethernet (TCP/IP and UDP), Modbus TCP. While relatively simplistic, the protocol still provides message checking with an accuracy of more than 99 percent. Modbus RTU has Cyclic Redundancy Checks (CRC) and Modbus ASCII has Longitudinal Redundancy Checks (LRC) for error checking.
From its inception in the 1970s, the protocol has required minimal RAM and memory resources to implement. In the 1970s, when computer technology and embedded technologies were not as advanced as they are today, a lightweight protocol like Modbus was especially attractive. The popularity of Modbus has never declined.
Range and data rate
The standard data rate of Modbus is 9600 b/s or 19.2 kb/s. Usually, 19.2 kb/s is the default rate. The data rate can be lowered to 4800 b/s, 2400 b/s, etc. The maximum data rate is 115.2 kb/s. At a standard data rate of 9600 b/s, Modbus can have a maximum range of 1000 meters. If the data rate is increased, the range is reduced. The tap length should always be less than 20 meters.
On a Modbus, a binary 0 is represented by a voltage level of +2 to +6V. The binary 1 is represented by a voltage level of -2 to -6V.
Initially, Modbus was a single protocol implemented over the serial layer. Application data units were introduced to enable implementation over serial as well as TCP/IP and UDP networks when the protocol was implemented for Ethernet. The protocol now divides into two layers — the core layer and the network layer. The core layer defines Protocol Data Unit (PDU), while the network layer defines Application Data Unit (ADU). The PDU can be transmitted over the UDP network even without defining any application data unit.
The serial versions of Modbus (i.e. Modbus RTU and Modbus ASCII) only require PDU, while the Ethernet version (i.e. the Modbus TCP) requires both PDU and ADU.
Network and communication
Modbus is a request-response protocol implemented in a master-slave configuration. There are two types of devices: the Modbus Client and the Modbus Server. The Modbus Client is the master and is often a supervisory computer within a SCADA system or HMI. The Modbus Servers are the slaves and are often remote terminal units like sensor modules, PLCs, and PACs.
The serial versions of Modbus support communication of a single client with up to 247 Modbus servers. Both RS-485 and RS-232 ports are common for Modbus implementation. If the RS-232 port is used, the maximum number of Modbus servers can be up to 247, but if RS-485 ports are used, the maximum number of Modbus servers is limited to 32 because of the practical limitations of the RS-485 standard. With the Ethernet version of Modbus, there can be multiple clients and unlimited servers, as it has an additional 6-byte header for internet routing.
The entire data communication is controlled by the Modbus client through request-response. In Modbus, data is transferred in bytes. In the RTU version, each byte is encoded in an 11-bit asynchronous frame consisting of a start bit, the data byte, even parity, and one stop bit. In the ASCII version, each byte is encoded in a 10-bit frame consisting of a start bit, 7-bit data, 1 bit of even or odd parity (or no bit if parity is not used), and 1 stop bit if parity is used or 2 stop bits otherwise.
A message communicated between the master/client and the slave/server is called Protocol Data Unit (PDU). The PDU consists of the slave address, the function code (command), the data, and the checksum (CRC or LRC).
The master sends a request to one of the slaves identified by the slave’s address. The slave address is one byte long and can have a value between 0 and 255. According to the protocol, the slave address 0 is reserved for the broadcast messages and the slave addresses identifying slave devices cannot exceed 247. The function code is again one byte long and it tells the addressed slave device what kind of action has to be taken. The function codes within the range of 1 to 255 are valid, of which 128 to 255 are reserved for exception responses. The action is a read or a write operation whereby the data in a request provides additional information required to perform the action. For example, it may specify where to start reading and how much data must be read. The CRC is applied for error checking in the RTU version, while LRC is applied for error checking in the ASCII version.
When the master makes a request to an addressed slave, the slave sends back a response. The slave address and function code are echoed in that response. The data contains the values requested by the master. If an error occurs while performing the requested action, the function code is modified and the data contains a code describing the error. Again, CRC or LRC, depending upon RTU or ASCII framing respectively, is used to ensure the integrity of the message or PDU.
In RTU framing, each byte represents two 4-bit hexadecimal characters in an 11-bit frame. The PDU consists of a 1-byte long slave address, 1-byte long function code, 0 to 252 bytes long data, and 2-byte long CRC.
In ASCII framing, each byte represents two ASCII characters in a 10-bit frame. The PDU consists of a 1-character long Start character, 2-character long slave address, 2-character long function code, 0 to 504 character long data, 2-character long LRC, and 2-character long End character. The start character is always a colon (:) or ASCII 3A hexadecimal. The end character is always a carriage return with a line feed (ASCII 0D and 0A hexadecimal). Each PDU in RTU as well as the ASCII version is separated by 28 bits or 3.5 characters.
The RTU and ASCII versions of Modbus are similar except for a few differences. In RTU framing, the bytes are presented in binary form, while in ASCII framing, the bytes are presented as readable 4-bit ASCII characters. The ASCII framing has start-of-text and end-of-text characters, while in RTU framing the 28-bit separation between PDUs/messages is interpreted to detect the start and end of the frame. As RTU framing uses shorter messages, it is faster than the ASCII version. The ASCII version does have an advantage in that intervals of up to one second can elapse between characters within the message. If the interval exceeds one second, the equipment takes it as a transmission error.
The PDU in the TCP version of Modbus consists of a 2-byte long transaction ID, a 2-byte long protocol field, a 2-byte long length field, a 1-byte long slave address, and a 1 to 252-byte long message field.
The transaction ID identifies the transaction and the protocol is always set to 0 to indicate Modbus. The length indicates the number of the following bytes. This is followed by a 1-byte-long slave address. The message field is similar to the RTU version of the Modbus frame, consisting of the function code and the data. The maximum size of the message field can be 253 bytes (i.e. 1 byte for function code and a maximum of 252 bytes for data like in the RTU frame).
The least significant bit is sent first in all versions: RTU, ASCII, and TCP. Modbus-compatible equipment cannot automatically detect the baud rate, so the same baud rate needs to be explicitly set at the client and the server ends of the bus. The Modbus PDU supports a format that can only send data, with no capability to send parameters across communicating devices.
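A parser for the Modbus TCP layout described above, written as an added example rather than code from the original article. The sample frames are constructed, the header fields are read big-endian, and an exception response is recognised by a function code of 128 or higher, following the reserved range stated earlier.

```python
import struct

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus TCP message, rejecting frames that break the layout."""
    if len(frame) < 8:  # 6 header bytes + slave address + function code
        raise ValueError("frame too short")
    transaction_id, protocol, length = struct.unpack(">HHH", frame[:6])
    if protocol != 0:
        raise ValueError("protocol field is not 0, so this is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match the bytes that follow")
    message = frame[7:]  # function code + data
    if len(message) > 253:
        raise ValueError("message field longer than 253 bytes")
    function = message[0]
    parsed = {
        "transaction_id": transaction_id,
        "slave": frame[6],
        "function": function & 0x7F,   # function code without the exception bit
        "exception": function >= 128,  # 128 to 255: exception response
        "data": message[1:],
    }
    if parsed["exception"]:
        if len(message) != 2:
            raise ValueError("exception response must carry exactly one error code")
        parsed["error_code"] = message[1]
    return parsed

# Constructed sample frames (not captured traffic).
# Request: transaction 1, slave 0x11, function 0x03, data 00 6B 00 03.
REQUEST = bytes.fromhex("0001 0000 0006 11 03 006B 0003")
# Exception response to it: function code 0x83, error code 0x02.
EXCEPTION = bytes.fromhex("0001 0000 0003 11 83 02")

if __name__ == "__main__":
    print(parse_modbus_tcp(REQUEST))
    print(parse_modbus_tcp(EXCEPTION))
```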
There are two types of data in Modbus — Coils and Registers. Coils are single bits that can be either 0 (OFF) or 1 (ON). The coils could be discrete output coils or discrete input contacts. The discrete input contacts are the status of a physical discrete input as either ON or OFF. The discrete output coils are the status of the physical discrete output signal as either ON or OFF.
The registers are 16-bit unsigned registers that may contain a value representing a floating point number, ASCII text, a queue, or a table. A register by itself only stores positive values in the range from 0 to 65535, i.e. 0x0000 to 0xFFFF hexadecimal. A 16-bit value stored in registers could be interpreted as a 16-bit unsigned integer, 16-bit signed integer, 2-character ASCII string, or a discrete ON/OFF value by the Modbus client. A 32-bit value stored in registers could be interpreted as a 32-bit unsigned integer, a 32-bit signed integer, a 4-character ASCII string, or a 32-bit double precision floating point number by the Modbus client.
There are two types of registers — analog input registers and analog output holding registers. Like the discrete input contacts (coils), input registers store the status of an external input as a value between 0 and 65535 (0x0000 and 0xFFFF). In the past, the input registers were generally used for storing digital representations of the value of analog inputs that could be voltage or current signals. The output holding registers are used to store data on the device. Now, as most of the Modbus-compatible equipment is not input/output devices, input registers are also used to store data.
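How the same register contents yield different values under the interpretations listed above, as an added example that is not from the original article. It assumes the high byte of each register and the high-order register come first and that the 32-bit float is IEEE 754; devices differ on word order, so check the equipment's register map.

```python
import struct

# struct formats for each (interpretation, number of registers) pair.
# Assumption: big-endian bytes within a register, high-order register first.
FORMATS = {
    ("uint", 1): ">H", ("int", 1): ">h",
    ("uint", 2): ">I", ("int", 2): ">i",
    ("float", 2): ">f",  # assumption: IEEE 754 32-bit float
}

def pack_registers(registers) -> bytes:
    """Turn a list of 16-bit register values into the raw bytes they hold."""
    for value in registers:
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"register value {value} is outside 0..65535")
    return struct.pack(f">{len(registers)}H", *registers)

def interpret(registers, kind: str):
    """Interpret one or two registers as 'uint', 'int', 'float' or 'ascii'."""
    raw = pack_registers(registers)
    if kind == "ascii":
        return raw.decode("ascii")  # two characters per register
    fmt = FORMATS.get((kind, len(registers)))
    if fmt is None:
        raise ValueError(f"no {kind!r} interpretation for {len(registers)} register(s)")
    return struct.unpack(fmt, raw)[0]

if __name__ == "__main__":
    # Constructed register contents.
    print(interpret([0xFFFF], "uint"), interpret([0xFFFF], "int"))
    pair = [0x4248, 0x0000]
    print(interpret(pair, "uint"), interpret(pair, "float"))
    print(interpret([0x4D6F, 0x6462], "ascii"))
```

A client that picks the wrong interpretation gets a plausible but wrong number, because the register itself carries no type information.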
How the server stores data
On a Modbus server such as a sensor module, PLC, or PAC, the data is organized into four tables or data banks. There are two data banks to store discrete on/off values or coils. These data banks store discrete output coils and discrete input contacts separately. Then, there are two data banks to store numerical values or registers which store analog input registers and analog output holding registers separately.
Each data bank can store 9999 values. For example, the data banks for discrete output coils and discrete input contacts can store 9999 bits each in the range from 0000 to 270E. The data banks for analog input registers and analog output holding registers can store 9999 words each in the range from 0000 to 270E where each word is 16-bit long.
The data banks for discrete output coils and analog output holding registers are of read-write type, while the data banks for discrete input contacts and analog input registers are read-only type.
The values in the data banks are accessed by location names. The data banks for discrete output coils, discrete input contacts, analog input registers, and analog output holding registers have locations in the range 1~9999, 10001~19999, 30001~39999, and 40001~49999 respectively. The structure and nature of four data banks on a Modbus server are summarized in the following table.
Modbus is a widely used industrial communication protocol, which is often used with PLCs. The protocol has three versions: RTU, ASCII, and TCP. The RTU version, being open-standard and the fastest, is most commonly used by manufacturers. With shorter messages, RTU-framed Modbus messages can be updated at an interval of 100 milliseconds. Modbus is supported by almost every commercial HMI, SCADA, OPC server, and data acquisition software, making it easy to integrate Modbus-compatible equipment into any industrial automation system or building management system.