Introduction
MODBUS is an open, royalty-free communication protocol for exchanging data between industrial electronic devices on the same network. Modicon introduced it in 1979 for use with its Programmable Logic Controllers (PLCs). It has since become a de facto standard for transferring discrete input, analog I/O, and register data between industrial control and monitoring devices.
Overview
MODBUS is an application layer protocol that supports both unicast (one client addressing one server) and broadcast communication. Depending on the physical layer used, MODBUS comes in two main variants:
- MODBUS Serial: devices connect over serial links (RS232, RS422, or RS485) at standard baud rates such as 9600 or 19200 bps, using one of two transmission modes:
I. MODBUS RTU (Remote Terminal Unit): in RTU mode each byte of the message is sent as one 8-bit binary character.
II. MODBUS ASCII: each byte of the message is sent as two readable American Standard Code for Information Interchange (ASCII) hexadecimal characters.
- MODBUS TCP/IP: clients and servers communicate over Ethernet using TCP port 502.
System Architecture
MODBUS is a client-server protocol (the original specification calls the two roles master and slave, and much vendor documentation still does). It runs over RS232/RS422/RS485 serial links or over Ethernet. On a serial network there is exactly one client (master), which initiates every transaction, and up to 247 servers (slaves), each with its own address; over TCP/IP several clients may connect to the same server. Figure 1 shows a MODBUS serial communication network:
Figure 1: MODBUS network
Client: The client (master) initiates every request and consumes the responses. It is typically a SCADA (supervisory control and data acquisition) host with a Human Machine Interface (HMI), a PLC acting as master, or an SBC such as a Raspberry Pi running MODBUS client software.
Server: Server (slave) devices are controllers, PLCs, or intelligent I/O devices (sensors, relays, or actuators). Each server has a unique device address and a MODBUS interface through which it answers the client's requests. A server stores its process variables, such as temperature, pressure, stress, strain, motor speed, and rotor position, in blocks of registers. There are four register (data table) types:
- Discrete Input: single-bit, read-only values, typically wired to physical inputs.
- Coil (Discrete Output): single-bit, read-write values used to drive discrete outputs such as a relay, a valve, or an actuator.
- Input Register: 16-bit read-only registers, typically holding analog input values as integers.
- Holding Register: general-purpose 16-bit read-write registers, used for inputs, outputs, configuration data, or anything else the device needs to "hold".
Message Framing
The MODBUS protocol data unit (PDU), consisting of the function code and the data, is the same regardless of the physical layer. What differs is the framing around it, the application data unit (ADU): serial frames carry a device address and an error check, while MODBUS TCP/IP carries a header and no checksum. The serial and Ethernet frame structures are given below:
ASCII frame format: the frame begins with a colon ":" character and ends with a CR/LF (carriage return, line feed) pair. Each byte of the message is sent as two ASCII hexadecimal characters (0-9, A-F); the serial characters themselves use 7 data bits. Table 1 shows the MODBUS ASCII frame format.
Table 1: MODBUS ASCII frame format
RTU frame format: each byte of the message is sent as a single 8-bit binary character (the equivalent of two hexadecimal digits in ASCII mode). Frames are delimited by silence: the sender leaves a gap of at least 3.5 character times before and after each frame, and a gap of more than 1.5 character times inside a frame causes the receiver to discard it. Table 2 shows the MODBUS RTU frame format.
Table 2: MODBUS RTU frame format
The fields common to the ASCII and RTU frames are:
• Device Address
• Function Code
• Data
• Error Check
Device Address: the first byte of a serial frame is the server (slave) address. Valid unicast addresses are 1 to 247; address 0 is reserved for broadcast, and 248 to 255 are reserved. The client addresses a server by placing its address in this field, and the server echoes its own address in the same field of the response so the client can tell which device answered.
Function Code: the function code tells the server what action to perform, for example read coils (0x01) or read holding registers (0x03). The field is one byte (two characters in ASCII mode). Valid request codes are 1 to 127; codes 128 to 255 are used only for exception responses, as described below. Most codes are public function codes defined by the MODBUS specification; the ranges 65-72 and 100-110 are reserved for user-defined (vendor-specific) functions.
Data: The data field contains the requested or response data:
• In a request, the data field carries the parameters of the action, such as the starting register address and the number of registers to read, or the values to write.
• In a response, the data field carries the result produced by the server, such as register values or status.
Error Check: every MODBUS serial message ends with a numeric check value that lets the recipient detect transmission errors. The sender computes it over the message bytes (address, function code, and data); the receiver recomputes it over the bytes it actually received and compares the result with the transmitted value, discarding the frame on a mismatch.
In ASCII mode, the error-checking field is a Longitudinal Redundancy Check (LRC): an 8-bit value, sent as two ASCII characters, computed over the message bytes between the leading colon and the trailing CR/LF, excluding the LRC itself. In RTU mode, the error-checking field is a 16-bit CRC (cyclic redundancy check), transmitted low byte first.
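The two serial framings and their checks, as an added example that is not code from the original article. It builds the same Read Holding Registers request (function 0x03, server address 0x11, three registers from 0x006B, a constructed sample) in RTU and ASCII form, and parses both back, rejecting a frame whose CRC or LRC does not match. The CRC-16 parameters (polynomial 0xA001 reflected, initial value 0xFFFF) and the LRC (two's complement of the byte sum) are the ones the MODBUS serial line specification defines.

```python
"""Build and verify MODBUS serial frames: RTU with CRC-16, ASCII with LRC.

Added example, not from the original article. The request below is a
constructed sample: function 0x03 (Read Holding Registers), server
address 0x11, 3 registers starting at 0x006B.
"""
from __future__ import annotations

import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def lrc(data: bytes) -> int:
    """LRC: two's complement of the 8-bit sum of the message bytes."""
    return (-sum(data)) & 0xFF


def build_pdu(function_code: int, start_addr: int, quantity: int) -> bytes:
    """Function code + data for the read-type functions (0x01 to 0x04)."""
    return struct.pack(">BHH", function_code, start_addr, quantity)


def build_rtu_frame(server_addr: int, pdu: bytes) -> bytes:
    """RTU ADU: address + PDU + CRC, CRC low byte first on the wire."""
    body = bytes([server_addr]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu_frame(frame: bytes) -> tuple[int, bytes]:
    """Verify the CRC and return (server address, PDU); raise on mismatch."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, (received_crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != received_crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1:]


def build_ascii_frame(server_addr: int, pdu: bytes) -> bytes:
    """ASCII ADU: ':' + hex(address + PDU + LRC) + CR LF."""
    body = bytes([server_addr]) + pdu
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode() + b"\r\n"


def parse_ascii_frame(frame: bytes) -> tuple[int, bytes]:
    """Verify the framing characters and the LRC; return (server address, PDU)."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("bad ASCII framing")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    body, received_lrc = raw[:-1], raw[-1]
    if lrc(body) != received_lrc:
        raise ValueError("LRC mismatch")
    return body[0], body[1:]


if __name__ == "__main__":
    pdu = build_pdu(0x03, 0x006B, 3)
    rtu = build_rtu_frame(0x11, pdu)
    print("RTU  :", rtu.hex(" "))          # 11 03 00 6b 00 03 76 87
    print("ASCII:", build_ascii_frame(0x11, pdu))
    print(parse_rtu_frame(rtu))
```

Note that the CRC byte order (low byte first) is the one place where a naive `struct.pack(">H", ...)` silently produces frames every real device rejects; the parser above deliberately recomputes from the received bytes rather than trusting the trailing field.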
The MODBUS TCP/IP frame carries the MODBUS message inside a TCP segment (and therefore inside an Ethernet frame) and has no checksum field of its own, because error detection is left to the TCP/IP stack. That only protects against accidental corruption: plain MODBUS TCP has no authentication or encryption, so any host that can reach port 502 can issue the same reads and writes as the legitimate client, which is why MODBUS networks are normally isolated and firewalled.
MODBUS TCP/IP frame format: a MODBUS TCP message consists of a 7-byte MODBUS Application Protocol (MBAP) header, a one-byte function code, and n bytes of data.
Table.3: MODBUS TCP/IP frame format
- Transaction ID: a 2-byte identifier set by the client and copied back unchanged by the server. When several requests are outstanding on the same TCP connection, it lets the client pair each response with its request.
- Protocol ID: 2 bytes set by the client for intra-system multiplexing. The value is always 0 for MODBUS.
- Length: a 2-byte count of the bytes that follow it, i.e. the Unit Identifier, Function Code, and Data fields.
- Unit ID: a 1-byte identifier set by the client in the request and returned unchanged by the server. It identifies a server behind a gateway on a non-TCP/IP network such as a serial line; for a server addressed directly over TCP/IP it is conventionally 0xFF.
The Function Code and Data fields are the same as in the MODBUS serial modes.
How does it work?
After power-up the network sits idle until the client (master) initiates a transaction: it sends a request frame and waits for the response. The request consists of the server address, function code, data, and error check.
The addressed server receives the request, verifies the error check, and performs the action specified by the function code. On success it returns a response carrying the same function code. If the client receives no response within its timeout, or the response fails the error check, it retransmits the same request, normally up to a configured retry limit.
In broadcast mode, the client sets the device address field to 0 and sends one message to all devices on the network; it does not wait for a response. Every server carries out the request (only write functions make sense here) and none of them replies.
If the server detects an illegal function code, an illegal data address, an illegal data value, a device failure, or a busy condition, it returns an exception response: the function code with its most significant bit set (the request code plus 0x80) followed by a one-byte exception code, for example 0x01 (illegal function), 0x02 (illegal data address), or 0x03 (illegal data value).
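The TCP/IP transaction described above, as an added example that is not code from the original article, with both sides' messages visible. A minimal in-memory server exposes one block of holding registers (constructed sample values) and answers function 0x03; the client wraps the PDU in an MBAP header, pairs the response by transaction and unit identifier before trusting it, and turns an exception response (function code with the 0x80 bit set) into a Python exception. There is no real socket here; the client hands the request bytes straight to the server object. The class and function names are this example's own, not a library API.

```python
"""MODBUS TCP exchange: MBAP header, request/response pairing, and the
exception path (function code | 0x80 plus a one-byte exception code).

Added example, not code from the original article. No network is used:
the client passes the request bytes directly to an in-memory server.
Register contents and the unit id are constructed sample values.
"""
from __future__ import annotations

import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

READ_HOLDING_REGISTERS = 0x03
# Exception codes defined by the MODBUS application protocol specification
ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02
ILLEGAL_DATA_VALUE = 0x03


class ModbusException(Exception):
    """Raised by the client when the server answers with an exception PDU."""

    def __init__(self, function_code: int, exception_code: int):
        super().__init__(f"function 0x{function_code:02X}: exception 0x{exception_code:02X}")
        self.function_code = function_code
        self.exception_code = exception_code


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header; Length counts unit id + PDU bytes."""
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def split_adu(adu: bytes) -> tuple[int, int, bytes]:
    """Validate the MBAP header and return (transaction id, unit id, PDU)."""
    if len(adu) < MBAP.size + 1:
        raise ValueError("ADU too short")
    tid, proto, length, unit = MBAP.unpack_from(adu)
    if proto != 0:
        raise ValueError("protocol id must be 0 for MODBUS")
    if length != len(adu) - 6:  # everything after the Length field
        raise ValueError("length field does not match ADU size")
    return tid, unit, adu[MBAP.size:]


class HoldingRegisterServer:
    """Minimal server (slave): one block of holding registers, FC 0x03 only."""

    def __init__(self, registers: list[int]):
        self.holding = list(registers)

    def handle(self, pdu: bytes) -> bytes:
        """Return the response PDU, either normal or an exception."""
        fc = pdu[0]
        if fc != READ_HOLDING_REGISTERS:
            return bytes([fc | 0x80, ILLEGAL_FUNCTION])
        if len(pdu) != 5:
            return bytes([fc | 0x80, ILLEGAL_DATA_VALUE])
        start, qty = struct.unpack(">HH", pdu[1:])
        if not 1 <= qty <= 125:  # spec limit for a single FC 0x03 request
            return bytes([fc | 0x80, ILLEGAL_DATA_VALUE])
        if start + qty > len(self.holding):
            return bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
        values = self.holding[start:start + qty]
        return bytes([fc, 2 * qty]) + struct.pack(f">{qty}H", *values)


def client_read_holding(server: HoldingRegisterServer, transaction_id: int,
                        unit_id: int, start: int, qty: int) -> list[int]:
    """Client (master) side of one transaction, with the server's reply inline."""
    request = build_adu(transaction_id, unit_id,
                        struct.pack(">BHH", READ_HOLDING_REGISTERS, start, qty))
    # Server side: unwrap, act on the PDU, echo transaction id and unit id.
    req_tid, req_unit, req_pdu = split_adu(request)
    response = build_adu(req_tid, req_unit, server.handle(req_pdu))
    # Client side: pair the response with the request before trusting it.
    tid, unit, pdu = split_adu(response)
    if tid != transaction_id or unit != unit_id:
        raise ValueError("response does not pair with the request")
    if pdu[0] & 0x80:
        raise ModbusException(pdu[0] & 0x7F, pdu[1])
    byte_count = pdu[1]
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:2 + byte_count]))


if __name__ == "__main__":
    srv = HoldingRegisterServer([0x0001, 0x0002, 0xABCD, 0x0004])
    print(client_read_holding(srv, 1, 0xFF, 1, 2))   # [2, 43981]
    try:
        client_read_holding(srv, 2, 0xFF, 3, 2)      # runs past the last register
    except ModbusException as exc:
        print(exc)                                   # exception 0x02
```

The request on the wire for the first call is `00 01 00 00 00 06 FF 03 00 01 00 02`: transaction 1, protocol 0, length 6 (unit id plus five PDU bytes), unit 0xFF, then the PDU. Checking the Length field against the bytes actually received, as `split_adu` does, is what keeps a truncated or padded ADU from being parsed as a valid one.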