Industrial automation relies heavily on seamless communication between devices. Modbus, a venerable protocol since 1979, remains a cornerstone for connecting PLCs, sensors, and HMIs. This guide demystifies Modbus for beginners, focusing on PLC integration.
What is Modbus?
Developed by Modicon (now Schneider Electric), Modbus is an open, master-slave protocol enabling devices to exchange data over serial (RS-232/485) or Ethernet networks. Its simplicity and adaptability have cemented its role in industrial settings.
Modbus Variants
- Modbus RTU: Compact binary format over serial, ideal for low-bandwidth environments.
- Modbus ASCII: Human-readable, less common due to inefficiency.
- Modbus TCP: Ethernet-based, using TCP/IP for modern, high-speed networks.
Protocol Structure
- Master-Slave Model: The master initiates requests; slaves respond. Each slave has a unique address (1–247).
- Request Frame: Slave address + function code + data + CRC (RTU/ASCII) or MBAP header (TCP).
- Response Frame: Echoes structure with data or error codes.
Example Read Request (Function Code 03):
复制
Slave Address: 0x01 Function Code: 0x03 Starting Address: 0x0000 (Holding Register 40001) Quantity: 0x0002 (2 registers) CRC: [Checksum]
Key Function Codes
| Code | Description |
|---|---|
| 01 | Read Coils |
| 02 | Read Discrete Inputs |
| 03 | Read Holding Registers |
| 04 | Read Input Registers |
| 05 | Write Single Coil |
| 06 | Write Single Register |
| 15 | Write Multiple Coils |
| 16 | Write Multiple Registers |
Addressing & Data Types
- Address Ranges: Coils (00001), Discrete Inputs (10001), Input Registers (30001), Holding Registers (40001).
- Data Representation:
- 16-bit integers: Single register.
- 32-bit floats: Two consecutive registers (note byte/word order).
- Strings: Multiple registers (ASCII encoded).
Error Handling
Slaves respond with exception codes (function code + 0x80) for errors:
01: Illegal function02: Invalid address03: Invalid data value
Implementing Modbus in PLCs
- Configure Communication:
- Serial: Set baud rate, parity, stop bits.
- TCP: Define IP/port and unit ID (slave address equivalent).
- Map Registers: Link Modbus addresses to PLC memory (e.g., %MW0 for Holding Registers).
- Use Built-in Libraries: Leverage PLC-specific functions (e.g., Siemens’
MB_CLIENT, Allen-Bradley’s MSG instructions).
Example: Reading a Temperature Sensor
Scenario: PLC (master) reads a float from sensor (slave ID 1).
- Request: Read 2 registers starting at 40001 (PDU address 0x0000).
- Response: Data bytes
[0x43 0x48 0x00 0x00](float 200.0 in big-endian). - PLC Code: Convert registers to float, adjusting byte order if needed.
structured
复制
// Example in Structured Text TEMP_REAL := REAL_TO_INT(REGISTER_0 SHL 16 OR REGISTER_1);
Troubleshooting Tips
- Check Physical Layer: Loose cables, incorrect termination (RS-485), or IP conflicts (TCP).
- Validate Parameters: Slave address, baud rate, function code compatibility.
- Simulate: Use tools like Modbus Poll or Wireshark to capture traffic.
Best Practices
- Document Register Maps: Clarify data types and addresses for each device.
- Secure Networks: Isolate Modbus TCP behind firewalls; use VPNs for remote access.
- Test Rigorously: Validate with simulators before deployment.
Conclusion
Modbus’s longevity stems from its simplicity and versatility. By mastering addressing, function codes, and data handling, you can seamlessly integrate PLCs into industrial networks. Dive deeper with the Modbus Organization specifications and practice using simulators to build confidence.
Takeaway: Modbus is your gateway to industrial communication—understand its nuances, and you’ll unlock robust automation solutions.
