Agenda 1 Data type

2 What is Modbus

3 Modbus RTU

4 Modbus TCP/IP

5 Modbus TCP

6 Modbus TCP

Confidential Property of Schneider Electric | Page 1

Internal
Market Requirements
1 Mbps 1 Level 3
minute Company Information System
PC - Servers
Data bus
Files in N x seconds
1 Kbps
Level 2
1s Process Production management
AMOUNT PAC’s, PLCs, HMIs
Field bus
OF DATA TO N
BEx 10 words in N x 100 ms
TRANSMITTED
RESPONSE Level 1
TIME
Monitoring and control
Machines Variable speed drives
REQUIRED
Device bus Automation islands
N x words in N x 10 ms

Level 0 Reaction detection

1 bit 1 ms Components Digital actuators sensors
Sensor bus
N x bits in N x ms

Internal
Positioning of The Main Networks
Sensor Machine
AS-i* Sercos,…
Respons time

*core networks for Schneider Electric

Interbus S

CANopen*

DeviceNet Process

Fipio Fipway

Modbus +
Management
Modbus*

Profibus DP / PA

Profibus FMS

Ethernet TCP/IP*

1 bit byte K byte Internal M byte Exchange volume

Industrial Communication Protocols

Confidential Property of Schneider Electric | Page 4

Internal
 Apps, Analytics
& Services
Power Advisor Cybersecurity Machine Advisor Plant Advisor
Digital Services Global Services Digital Services Digital Services

Power SCADA
Edge Control Operation GeoSCADA MachineSCADA PlantSCADA
(PSO)

Connected
Products PowerProtective RTUs, Breakers,
Meters Relays PLCs Trip
FD
Breakers, Variable UPSs BCPMs
Water,
Air,
Speed
Units, Sensors, Gas,
Gateways Gateways Drives Steam

Confidential Property of Schneider Electric | Hossam Embaby | Page 5

Internal
Confidential Property of Schneider Electric | Page 6
Internal
Language

Medium
Speakers
(Transmitter and Receiver)

Internal
 • Transmit by Air
• Same Frequency
• Radio must be Switched on
• Same Language
• Do not speak at the same time
• Acknowledge the message

Internal
Internal
Internal
Internal
Internal
Twisted Pairs Coaxial Cable Optical fiber Cable

Internal
Common Medium
Twisted pair(s) wires
Easy to install, and the least expensive. Low
Cost of
Coaxial cable the
The coaxial cable has excellent electrical medium
properties and is suitable for high speed
transmission.

Optical fiber
This is suitable for use in harsh industrial
environments. The transmission is reliable over long
distances. High
The choice of the MEDIUM affects the transmission quality :
✓ Speed
✓ Length of the bus
✓ Electromagnetic immunity

Internal
RJ45
Internal
RJ45
Internal
RJ45
Internal
 Patch
Cord

Internal
Internal
 Twisted Pairs
RS-232
● Point to Point (P2P)
● Distance < 15 meters , Speed < 20
Kbps
● Logic High : -3V ~ -15V
● Logic Low: +3V ~ +15V

Internal
Twisted Pairs
RS-422A
● Full Duplex , 4 Wires (2 Transmission,2
Reception)
● Distance < 1200 meters , Speed < 100
Kbps
● High Logic: Voltage difference +2V ~ +6V
● Low Logic: Voltage difference -2V ~ -6V
Internal
RS-422A

Internal
 Twisted Pairs
RS-485
● Half Duplex , 2 Wires
● Distance < 1200 meters , Speed < 100
Kbps
● High Logic: Voltage difference +2V ~ +6V
● Low Logic: Voltage difference -2V ~ -6V
● Max Speed 10 Mbps at distance 12m
Internal
Twisted Pairs

Internal
Internal
Internal
 Frame
011101010101 011000010101 111110001101 010111010101 11011010101 0111010101 010111110101

Internal
Data Types
How Data is structured

Name Type No. of bits

Binary Digital “True or False” 1
Byte Analog “10001000” 8
Word Analog “FFFD” “Hex” 16
DWord Analog “FFFD FFFD” 32
Real Analog “145.432” Mantissa/ 32
Multiplication
Unsigned Integer Analog “Max 65535” 16
Signed Integer Analog “-32767~+32767” 16
Long Integer Analog > “65535” 32
Confidential Property of Schneider Electric | Page 28
Internal
Communication Protocol Specifications
Baud Rate

Confidential Property of Schneider Electric | Page 29

Internal
Baud Rate effect on Frames

Confidential Property of Schneider Electric | Page 30

Internal
 Medium Access Methods
1) Master/Slave

Internal
 Medium Access Methods
1) Master/Slave

Internal
Communication Protocol Specifications
Master Slave Vs Peer to Peer

Single Master Single Slave

Single Master Multi Slave
Multi Master Single Slave
Multi Master Multi Salve

Confidential Property of Schneider Electric | Page 33

Internal
 Medium Access Methods
2) Token Ring

Internal
 Medium Access Methods
3) Random Access

1- CSMA\CD

2- CSMA\CA

Internal
CSMA\CA

Internal
Random Access with Non-Destructive Collisions

Stop

Dominant Recessive

Dominant Recessive

Dominant Recessive

Internal
Random Access with Non-Destructive Collisions
The message remains valid, due to a system of dominant and recessive bits
● the device with the lower priority stops its transmission (recessive bit)
● the device with the higher priority completes its transmission
● the device with the lower priority tries to send its message again as soon
as the medium is free

Dominant Stop
Recessive

Principle used by CANopen and DeviceNet and known as CSMA-CA

CSMA-CA = Carrier Sense Multiple Access - Collision Avoidance

Internal
Random Access with Destructive Collisions

Stop Stop

Waiting time 15s Waiting time 10s

Waiting time 5s

Internal
Random Access with Destructive Collisions
Step-by-step operation in the event of a collision:
● any messages in the course of transmission are stopped
● a scrambling frame is sent: the frame is lost
● a random wait time is observed
● the message is resent

Stop

Principle used by Ethernet and known as CSMA-CD

CSMA-CD = Carrier Sense Multiple Access - Collision Detection

Internal
CSMA\CD

Internal
Question

Internal
What is Modbus?
1. Modbus is a request-reply messaging protocol.
2. some documentation describe this technology as a request-response or
command-respond messaging protocol.
3. The device that initiates the communication, the client ”Master”, sends a request
message.
4. the addressed device, the server “Slave”, sends a reply message.

Confidential Property of Schneider Electric | Page 43

Internal
Modbus Master Slave Communication Protocol

Modbus Over Serial: (1)Modbus RTU .

(2)Modbus ASCII.
Modbus TCP/IP.

Confidential Property of Schneider Electric | Page 44

Internal
1- Device Address
2- Data Address (Register)
3- Function Code
Write digital
Read digital
Write analog
01110101010
1
01100001010
1
11111000110
1
01011101010
1
11011010101 0111010101
Read analog
01011111010
1

01110101010
01110101010 01100001010
01100001010 11111000110
11111000110 01011101010
01011101010 11011010101
11011010101 0111010101
0111010101 01011111010
01011111010
11 11 11 11 11

1 2 3

Address Data Address Data Address Data

0001 10001 0001 5500 0001 23000

0002 500 0002 0000 0002 0001

0004 500 0004 500 0004 0054

0004 500 0004 500 0004 0025

Internal
Modbus Frame
011101010101 011000010101 111110001101 010111010101 11011010101 0111010101 010111110101

Internal
Modbus Frame

Internal
 Modbus Frame
1 ~ 247
• Request
• A master addresses a slave by placing the slave address in the address field of the
message.

• Response
• When the slave sends its response, it places its own address in this address field of
the response to let the master know which slave is responding.

Internal
Modbus Frame
Register starts with Meaning Range

0X Coil 00001-09999
1X Discrete Input 10001-19999
3X Analog input Registers 30001-39999
4X Holding Registers 40001-49999

Internal
Function Codes
Code Function
01 (0x01) Read n consecutive output bits
02 (0x02) Read n consecutive input bits
03 (0x03) Read n consecutive output words
04 (0x04) Read n consecutive input words
05 (0x05) Write 1 output bit
06 (0x06) Write 1 output word
07 (0x07) Read exception status
08 (0x08) Access diagnostic counters
15 (0x0F) Write n output bits
16 (0x10) Write n output words
23 (0x17) Read/Write n output words
43 (0x2B) Read identification

http://www.modbus.org
Internal
Modbus Frame
XXXXXX Modbus register list

XXXXXX Modbus address list

Internal
Data Types
4000 0 1 2 3 4 5 6 7
1
Bit 0 Bit 1 Bit 2 Bit 3 Bit 4 Bit 5 Bit 6 Bit 7
4000
2
Byte 0
4000
3
word 0
8 9 10 11 12 13 14 15
Bit 8 Bit 9 Bit 10 Bit 11 Bit 12 Bit 13 Bit 14 Bit 15

9999 Byte 1
9
Confidential Property of Schneider Electric |
Internal
Exercise
IA
IB
IC Speed Setpoint

Motor Torque

Motor temperature sensor

Thermal capacity level

Internal
Modbus Frame
Register starts with Meaning Range

0X Coil 00001-09999
1X Discrete Input 10001-19999
3X Analog input Registers 30001-39999
4X Holding Registers 40001-49999

Internal
 Modbus Frame
Dev Add. Func. Code Regi s. Number Regi s. Count
1
1 4 0002 3

Address Data

0001 10001

0002 500

0003 500

0004 500

0005 1234

Internal
 Modbus Frame
Parity Check
Even, Odd, none

CRC

• Modbus RTU uses CRC

• Cyclical Redundancy Check (2 bytes)

• Modbus ASCII uses LRC

• Longitudinal Redundancy Check (1 byte)

Internal
Modbus Frame
Dev Add. Func. Code Regi s. Number Regi s. Count
1
1 4 0002 3

Address Data

0001 10001

0002 500

0003 500

0004 500

0005 1234

Internal
Request Frame

Internal
Response Frame

Internal
Example of Read Request

Request
1 byte 1 byte 2 bytes 2 bytes 2 bytes
Slave Function First word Number of
CRC16
Address code = 3 address words to read

Response
1 byte 1 byte 2 bytes 2 bytes 2 bytes 2 bytes
Slave Function Number of Value of the Value of the
CRC16
Address code = 3 bytes read first word last word

Internal
Modbus RTU
Modbus RTU Frame Description

Confidential Property of Schneider Electric | Page 61

Internal
Modbus RTU
Modbus RTU Frame Description

Confidential Property of Schneider Electric | Page 62

Internal
Ethernet

Internal
Ethernet Modbus TCP/IP
• Modbus Frames over Ethernet
• Modbus Serial

• Ethernet Modbus TCP/IP

Internal
OSI Model: Encapsulation Principle

Clothes Suitcase Name Tag Dest. tag Airplane

Internal
OSI Model Data Packet
Open System Interconnection

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
BOOTP Server

Server Has a Populated List of Devices

• Devices identified with their MAC address

Device #1 My MAC address is 00.80.F4.FF.00.D5, Master (Server)

Can I get an IP Address?
00.80.F4.FF.00.D5 192.168.0.23
Sure! You are listed in my address 00.80.F4.FF.44.21 192.168.0.81
table.
Take this address: 192.168.0.23 00.80.F4.FF.F2.15 192.168.0.40

My MAC address is 45.80.F4.FF.33.12,

Device #2 Can I get an IP Address?

Sorry, you are not listed into my address

table. Use your default IP address

Internal
BOOTP Server (cont.)

Example in EcoStruxure Control Expert

Limitation: Device Cannot Be Changed without Reconfiguration

• As each device has a unique MAC address, replacing a failed device needs a reconfiguration of the
BootP Address Server table.
Internal
DHCP Server

Same As BOOTP but Based on Role Name

• User configurable names used instead of MAC Addresses

Device #1 My name is STBNIP2212_023, Master (Server)

Can I get an IP Address?
STBNIP2212_023 192.168.0.23
Sure! You are listed in my address TesysT_046 192.168.0.87
table.
Take this address: 192.168.0.23 ATV71_555 192.168.0.21

My name is TesysT_072,
Device #2 Can I get an IP Address?

Sorry, you are not listed into my address

table. Use your default IP address

Internal
DHCP Server Examples
Example with M580

Example with M340

Advantage: Ease of Replacement

• Compared to the BOOTP method, replacing a faulty device with DHCP doesn’t need to reconfigure the PLC application.
Internal
FDR Server
Additional Feature of DHCP Server.
• Send the stored configuration inside a replaced device
Device #1 Master (Server)
My name is TesysT_072,
TesysT_072 192.168.0.87
Save my settings now!
Saved Config. of TesysT_072

Device #1

My name is TesysT_072,
Can I get an IP Address?
Master (Server)
New Device Sure! You are listed in my table. TesysT_072 192.168.0.87
Take this address: 192.168.0.87

Moreover, I found a
configuration corresponding to
your role name. Here is your Saved Config. of TesysT_072
new configuration.

Internal
ARP

• Address Resolution Protocol

• Request to obtain IP address
• Duplicate Address Check
– Device issues ARP for the IP address it intends to take
– If no response, the device assumes the IP address

– If there is a response, the device should not assume the IP (duplicate address)

• Once the IP has been determined to be available

• Device issues a Gratuitous ARP (Includes Source IP and MAC address information)
– Used to populate device list in the other devices and routers
• Advertises to others its availability on the network
– Allows devices wishing to communicate with it that it is available

Internal
OSI Model
Open System InterconnectionNTP

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
TCP (Transport Control Protocol)

• Port and socket concept

• Server devices may be running multiple services (Modbus, Web, Bootp,etc )

• These services listen on different TCP port for a request

• Client device sends an IP message which includes the source port number and destination port number
to establish a connection between two devices (Socket connection).

Ports Client Server

Source Port number x Ports number
80
Destination Port 502 23 Telnet
50
50 SMTP
Destination Port 80 67 DHCP
Source Port number y 80 HTTP
502
HTTP 172.16.4.2 502 Modbus

SMTP 172.16.4.1
Modbus TCP

Internal
TCP (cont.)

• Socket management multiple connections

• A Client can have multiple connections to the same Server service

• A Server can have multiple Clients connected to the same service

Client x
Client has a 2
connections to the Socket Source port Dest port
same server. Server
1 3000 502
2 3001 80
Server has 2 clients
connected to the same
172.16.4.1 service (502).

Client y
Socket Source port Dest port 172.16.4.3
1 3003 502

172.16.4.2
Internal
TCP Connections
• Point to point messaging protocol
• Uses a handshake process to establish a connection

• Accounts for each byte of sent and received to guarantee delivery

• Connection is managed by setting bits in the TCP message to request (SYN), acknowledge (ACK), terminate or abort
the connection (FIN)

Client O
P Server
E
N

C
L
O
S
E
Internal
UDP (User Datagram Protocol)
• Transport protocol like TCP but without Acknowledgement
• Provides an unreliable mechanism to transport data

• Messages can be lost (not acknowledgment of the packet)

• Retries and data integrity can be provided by the application layer

• Requires less processing overhead that TCP

• Without ordering messages and managing connections. it is faster than TCP

• The network interface does not have as much work to do as with TCP

• Allows the Broadcast message, unlike TCP that requires a dedicated socket between the end
device. Applications example using UDP :
• Simple Network Management Protocol (SNMP)
• Network Time Protocol (NTP)

• BootP and DHCP

• Global Data (Real Time Publish Subscribe)

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
OSI Model
Open System Interconnection

Confidential Property of Schneider Electric |

Internal
 Subnetting
Making use of flexible topologies

Confidential Property of Schneider Electric | Hossam Embaby | Page 91

Internal
Network Design: Routers
• Routing data between different sub networks
• Act as a Gateway (IP address to be defined)

• A router has an interface for each different networks. A table of those interfaces tells the router on which interface to send
the packet

PLC

Router

172.16.4.254 172.16.5.254
172.16.5.1
172.16.4.1

172.16.4.2 Each router interface is the default Remote Subnet

Local Subnet
gateway for that subnet

Nota : If there is not a router on the local network, the default gateway can be left blank or 0.0.0.0
Internal
Revision Questions
- How is Float data read in 16 bit register?
- I find address 40001:7 , what does it mean?
- Least significant bit and the most significant bit
- If you need one bit, do you must read all the register ?
- What is Modbus TCP/IP?
- What are the layers supporting TCP\IP
- Difference between CSMA\CA and CSMA\CD
- What does Baud Rate mean ?
- What is the range for Modbus device addressees
- Main Difference between RS232 and RS485
- What should I do to connect Modbus RTU devices to Modbus TP\IP master

Confidential Property of Schneider Electric | Page 93

Internal
Revision Questions
- What is NTP ?
- What is RSTP ?
- Can I connect RS485 Device to RS422 Network ?
- What is DHCP ?

Confidential Property of Schneider Electric | Page 94

Internal
Internal