CAS Newsletter September 2010
What about Scaling in Modbus
Modbus does not provide a method for transporting large or floating point numbers, or a mechanism for scaling analog values. A 16 bit word can only contain values in the range 0-65535. Only whole numbers are permitted. To work around this, many server device manufacturers use multipliers and document them in their manuals. For example, to report a temperature of 58.5 the device reports a value of 585, and the manual notes that the master should scale by 10. This scaling is achieved by adopting a convention between the client and the server.
Modbus does not provide a mechanism but 3 important schemes are widely used.
Long Integers – Two consecutive 16 bit words are interpreted as a 32 bit long integer.
MK10 values – Two consecutive words are used. The 1st reports the number of units and the 2nd reports the number of 10,000’s.
Floating Point Numbers – Two consecutive words are used and a scheme. (See section X)
These schemes are conventions and not all servers or clients support them. The protocol does not identify these big numbers. Only the vendor docs do. What we mean by this is: if you look at the byte stream in a Modbus message there is no way of telling whether you are looking at two consecutive 16 bit words, or two consecutive words that should be interpreted as floating point, long or MK10 formats. Because of this you always have to look to the vendor docs. Read more in Appendix.
Modbus was not designed to transport floating point numbers. After the protocol was released and in use, some people came up with a scheme using two consecutive 16 bit registers to transport one floating point number. The scheme is essentially a set of rules for interpreting the bits in the 2x registers as the elements of a floating point number (like a mini protocol). Other people came up with other schemes. One of these schemes has come to dominate. It is called standard IEEE754. Some devices (servers) do not support floating point numbers. Many clients (masters) do not support floating point numbers. A master and a server must use the same floating point scheme to work together. Read more in Appendix.
Modbus and Gateways
A gateway is a device that makes data read using one protocol available using another protocol. For example you could read Modbus data from a power meter and serve that data using BACnet to a Building Automation System. What data must the gateway report if the Modbus device is offline or the data cannot be read? It can report the last value read. How old is that value? In this example, we can exploit a property of each BACnet data object called Reliability. When the validity of the data is unknown, like when a field device is offline, we mark the BACnet objects as unreliable. Now a consumer of that data has enough information: he knows the value and whether it is reliable. It is his call whether to use the data.
Modbus does not have an equivalent mechanism. Consider a gateway doing the opposite, for example reading BACnet data and serving that data using Modbus. If the BACnet link is broken the data validity is questionable. However, in Modbus there is no way of reporting this. The gateway can take one of two actions: serve the invalid data, or not serve the data by not responding to the poll. The second is the strategy FieldServer gateways use. If the data is invalid, the gateway does not respond to a request for that data and allows the client to time out.
What about errors / exceptions
Modbus has a limited way of reporting errors. A server / slave device can respond to a message in a way that reports an error. These are called exception messages. If you are looking at a message byte stream, exceptions are easy to identify.
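How a polling master or monitoring tool can tell these cases apart in a raw RTU byte stream, as an added example that is not from the newsletter or from FieldServer: an exception response echoes the function code with its top bit set and carries a one-byte exception code, and an empty read is the timeout a gateway forces when its data is invalid. The function names and the sample frames are constructed for illustration.

```python
"""Classify one Modbus RTU response: timeout, bad frame, exception or data."""

# Exception code names from the Modbus specification.
EXCEPTION_NAMES = {
    1: "ILLEGAL FUNCTION",
    2: "ILLEGAL DATA ADDRESS",
    3: "ILLEGAL DATA VALUE",
    4: "SLAVE DEVICE FAILURE",
    5: "ACKNOWLEDGE",
    6: "SLAVE DEVICE BUSY",
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16 used by Modbus RTU (initial value 0xFFFF, reflected polynomial 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def add_crc(body: bytes) -> bytes:
    """Append the CRC with its low byte first, as RTU framing requires."""
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def classify_response(frame: bytes) -> dict:
    """Return a dict describing the response; `frame` is b"" when the poll timed out."""
    if not frame:
        # No reply at all: the value's validity is unknown, do not reuse the last reading.
        return {"kind": "timeout"}
    # Shortest valid reply is slave + function + one byte + 2 CRC bytes.
    if len(frame) < 5 or crc16_modbus(frame[:-2]) != int.from_bytes(frame[-2:], "little"):
        return {"kind": "bad_frame"}
    slave, function = frame[0], frame[1]
    if function & 0x80:
        # Exception: the requested function code is returned with bit 7 set.
        code = frame[2]
        return {"kind": "exception", "slave": slave, "function": function & 0x7F,
                "code": code, "name": EXCEPTION_NAMES.get(code, "UNKNOWN")}
    if function in (3, 4):
        # Register reads: byte count followed by big-endian 16-bit words.
        count, data = frame[2], frame[3:-2]
        if count != len(data) or count % 2:
            return {"kind": "bad_frame"}
        registers = [int.from_bytes(data[i:i + 2], "big") for i in range(0, count, 2)]
        return {"kind": "data", "slave": slave, "function": function,
                "registers": registers}
    return {"kind": "data", "slave": slave, "function": function,
            "payload": frame[2:-2]}


if __name__ == "__main__":
    # Constructed frames: an exception reply to function 3, and a one-register reply.
    for body in (bytes([0x11, 0x83, 0x02]), bytes([0x11, 0x03, 0x02, 0x02, 0x49])):
        print(classify_response(add_crc(body)))
    print(classify_response(b""))
```

The second constructed frame carries the register value 585, which a master following the scaling convention described earlier would report as 58.5.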
Code / Name / Meaning
1 ILLEGAL FUNCTION: The function code received in the query is not an allowable action for the slave. If a Poll Program Complete command was issued, this code indicates that no program function preceded it.
2 ILLEGAL DATA ADDRESS: The data address received in the query is not an allowable address for the slave.
3 ILLEGAL DATA VALUE: A value contained in the query data field is not an allowable value for the slave.
4 SLAVE DEVICE FAILURE: An unrecoverable error occurred while the slave was attempting to perform the requested action.
5 ACKNOWLEDGE: The slave has accepted the request and is processing it, but a long duration of time will be required to do so. This response is returned to prevent a timeout error from occurring in the master. The master can next issue a Poll Program Complete message to determine if processing is completed.
6 SLAVE DEVICE BUSY: The slave is engaged in processing a long-duration program command. The master should retransmit the message later when the slave is free.
There can only be one master on a Modbus Serial Trunk
Modbus is a poll-response type of protocol. A master issues a message. If the address in the message matches the address of a server device it will respond (if it can). All other devices remain quiet all the time until they are sent a message with a matching address. The master must wait long enough to process the response before sending the next message. If it doesn’t then its next poll and the response from the previous one may overlap. When Modbus over Ethernet is used, more than one master can poll a server device for data. The number of queries that a server can process simultaneously is dependent on several factors: does the vendor support multiple simultaneous socket connections, and how many do they allow? Vendors hardly ever publish this information.
Multiple Clients of a Modbus slave
We are frequently asked how you deal with a situation where you have more than one client for a slave(s).
The Modbus spec does not support this but we have a solution. The essence of the solution is to use a multi-port FieldServer. Connect each client to its own port and the slave(s) to their own ports. Each client will see a single virtual slave(s) on its network. This not only solves the problem but is extremely efficient. Of course the FieldServer needs to be correctly configured. In a situation like this we exploit the FieldServer technology known as ‘Port Expansion’.
Figure 5: If any client requests the same data (client#1 or #2) and the data has not expired then the FieldServer responds with data from the temporary storage.
Figure 6: If any client requests different data or if the temporary data has expired then the match and relay process is repeated requesting the new data.
Figure 7: The slave responds, the response is relayed to the client doing the polling (Client#2 in this case) and the data is stored temporarily so that it is available to the other client.
Old device – slow processors – limited capability
Many older devices have old microprocessors that can’t do too much work at once. Often this microprocessor is used to run the device and handle the Modbus communication. It is not uncommon to see devices with the following limitations.
Modbus Ascii, JBUS, Enron and other Variants
There are several variants of Modbus. They are not interoperable, i.e. a Modbus RTU master cannot read a Modbus ASCII field device.
ASCII – An attempt to make the Modbus message human readable by encoding the hex value of each byte in ASCII. Stupid. Doubles the message length.
Jbus – Highway robbery. A Modbus RTU variation that allows more than 9999 of each data type to be read. These days most vendors include this in their RTU drivers so you don’t have to pay extra.
Enron – Came up with a way of carrying other data in the Modbus messages. They used multiple words to form data objects. Essentially a set of conventions. Both the client and server must support them.
Modbus RS232, RS485 and TCP/IP
There are 3 main physical layers for Modbus.
RS232: One master and one slave. Typically a cable with 3 conductors with a max length of approx a couple of hundred feet. Usually easy. Sometimes some jumpers are required at one end to defeat handshaking.
RS485: One master and up to 128 slaves, but take care to read more if you plan on more than 32. There are two wiring systems, so-called 2-wire and so-called 4-wire. They can be incompatible but usually 4-wire devices can be made to work on 2-wire systems. Each device must have a unique address and all devices must be set to the same baud rate, data bits, stop bits and parity. Usually easy to implement. The RS485 physical layer allows up to 128 devices to be installed on a single network with a max physical length of 4000ft and speeds up to 115k baud. Using repeaters allows the length to be increased. Compare to Ethernet where the spec allows a max of 100 meters (330ft) on a single unrepeated segment.
TCP/IP: All devices are essentially peers. A single device can be a master and a server. Routers can be used to connect sub-nets together. Broadcasts are almost never used so are not an issue.
RS232 requires a minimum of 3 conductors to connect the two devices: Rx, Tx and Ground. Some devices implement hardware handshaking. This means that before they send a message some voltage must be applied to one of the other pins on the port. If hardware handshaking is active on the device, then you will never get a response until you bypass it or implement it. We recommend bypassing it because there are often differences in the ways that vendors implemented it. Here are typical jumper schemes that can be applied to defeat handshaking. Connect these pins together on the 9 Pin D-Type connector connected to the server device.
Search the Internet for RS485 and you will find Bob Perrin’s article called “THE ART AND SCIENCE OF RS-485”. It is his reference to Art that makes RS485 bad. What he means is that RS485 is often non-trivial and getting a network working can rely more on experience and experimentation. Here is our simplified advice:
Advice #1 RS485 is a 3 conductor network. You take a huge risk by not installing the 3rd conductor. You risk blowing 485 ports, you risk unstable operation (works sometimes and doesn’t work other times) and finally you risk re-installation. For a more detailed discussion read this article http://www.chipkin.com/articles/rs485-cables-why-you-need-3-wires-for-2-two-wire-rs485. The more power sources used to power devices, the greater the physical separation of devices, and the less well grounded devices and power sources are, the greater the risk. Remember this statement: The so called Ground Terminal on a RS485 interface is not a connection to ground. It is a common reference signal. The voltage levels on the Tx/Rx conductors are measured relative to this voltage level. You can (if you must) use a shield drain wire as the 3rd conductor (ground reference conductor).
Advice #2 Always connect the ground reference conductor first if you are connecting a device that is powered up or you are connecting your laptop to an operating network. OR Always choose devices that have optical isolation, which will almost always protect the RS485 transmitters / receivers.
Advice #3 You can get away without the shield. The twisted pair used for Tx and Rx is more effective at noise cancellation than the shield.
Advice #4 Take care where you run your cables. It seems obvious not to wind your cable around other cables or sources of electricity / magnetism. People are often surprised to find that the worst sources of induced noise are switching DC loads. Another big culprit is Variable Frequency drives.
Advice #5 Cable selection does make a difference. All cables offer impedance (resistance). Some cables are designed so that the impedance is relatively independent of distance. You want one of these cables. A clue to knowing if you selected one is to look at the cable’s Nominal Impedance. If they quote a number such as 100 Ohms you have a good cable. If they quote an impedance per meter/foot you have chosen the wrong kind. Wrong in the sense that determining the value of terminating resistors now requires measurements and calculations. Choose low capacitance cables. Can you use Cat5 cable? Yes. Use one pair for Tx,Rx and a conductor from another pair for the ground reference signal. We recommend these two cables.
Belden 3106A: Multi-Conductor – EIA Industrial RS-485 PLTC/CM 22 AWG stranded (7×30) tinned copper conductors, Datalene® insulation, twisted pairs, overall Beldfoil® shield (100% coverage) plus a tinned copper braid (90% coverage), drain wire, UV resistant PVC jacket.
Belden 3107A: Multi-Conductor – EIA Industrial RS-485 PLTC/CM 22 AWG stranded (7×30) tinned copper conductors, Datalene® insulation, twisted pairs, overall Beldfoil® shield (100% coverage) plus a tinned copper braid (90% coverage), drain wire, UV resistant PVC jacket.
Advice #6 How do you put more than 32 devices on a single RS485 trunk? The simple answer is use a repeater but in practice one isn’t always necessary. The RS485 standard is based on 32 devices. Since the standard was developed most RS485 chips present less than the full unit load originally specified. Today you get half and quarter load devices. Thus to see how many devices you can install you simply get the data sheets and add the loads. Look for “UL” on the data sheet. It stands for Unit Load.
Advice #7 Cable Lengths and Baud Rates. Practically speaking you can go up to 4000 feet at baud rates up to 76800 baud. Above that you need to do a little math and reduce the length. For example, at 115k baud your cable should not be much longer than 2500 feet. However, the higher the baud rate the more sensitive the cable is to the quality of installation; issues like how much twisted pair is unwound at each termination start to become very important. Our advice: For longer networks with lots of devices, choose 38400 baud over 76800 baud and optimize using COV, separate networks and by setting the Max Master to a lower number.
Source: Ten Ways to Bulletproof RS-485 Interfaces National Semiconductor Application Note 1057 John Goldie October 1996
Advice #8 How many devices to install on a single RS485 Trunk (Bandwidth Issues). There are non electrical considerations to determine how many devices you put on a Modbus trunk network. It’s not possible to provide a calculator to work out how many devices to install on a single network but the following list provides some help in assessing bandwidth considerations. Consider the following factors.
If you need to read 40001 and 40003 you must either: read 40001 length=3
The more dispersed the Modbus points you are reading, the more messages and responses you will need. For example, if you need to read 40001 and 40128 then you will need at least two messages because all the data cannot be read in one message. Some devices have more severe limits. For example Crestron can only read 8 registers at a time.
If you need to read a coil and a holding register you will need at least one message for each.
Some devices take up to 1 second between receiving a message and responding. Some devices can only be polled once per x seconds.
Divide the baud rate by 10 to get the approximate number of characters per second. Divide the result by 2 to get the approximate number of words per second. Thus at 19200 baud the time to read 125 registers is made up of:
Poll = 10 bytes at 1920 per sec
Server latency
Response = 125 words at 960 per sec
Client latency (delay in storing response and sending next)
Approx 0.15 secs to 0.35 secs with typical latencies.
Advice #9 What can go wrong with 485?
Without a scope and expertise you won’t know this is a factor. It is easy and cheap to eliminate. Look at the cable spec. Find the nominal impedance. Buy two resistors of the same value. At each end of the trunk install the resistors between the Tx and Rx terminals. If you don’t have obvious ends of the trunk (because you created a star) then we recommend re-cabling to form a linear trunk or we wish you luck.
Some devices have terminating resistors built into them. If the vendor did a poor job, the default is to have the resistor active and they must be disabled unless they are the terminating devices on the network. Read vendor doc.
There is a whole string of terms used as synonyms to describe this phenomenon. To use two wires (as opposed to full duplex 4 wire) for RS485, each device’s transmitter and receiver must be set to an idle state to release the line for others’ use. Releasing the line means allowing it to ‘float’. It must not be allowed to float at any voltage level, so devices have pull up/down resistors to pull the line to an allowable ‘floating’ voltage. (The floating state is also known as the tri-state.) The load presented by other devices on the network affects this floating, so the resistor values may need to be changed depending on the number of devices installed and the values of the pull up/down resistors they are using. (You can imagine how tricky it is going to be to resolve this.) If a device floats out of the specified range then to other devices it will look like the floating device isn’t floating at all. The other devices will think that it is transmitting or receiving and thus blocking the line. The simplest way of knowing if this is a factor: does the device work properly when it is the only device on the network, but when you install it in the full network other devices or this device stop working properly? If so, this device and/or the pull up/down resistors of other devices are candidates for investigation. A number of vendors have a range of pull up/down resistors installed and allow you to change the selection using software or jumpers.
To use two wires for RS485, each device’s transmitter and receiver must be set to an idle state to release the line for others’ use. When a device wants to send it must grab the line. When it has finished sending it must release the line. You can see there are potential problems here. What happens if one device waits too long after sending its last bit before releasing the line? It’s possible that the other devices will miss some bits of data.
Advice #10 Take care with the topology. The best topology is a single trunk that in-outs on the terminal blocks of each device it connects. What do we mean by best ? We mean the choice which is least likely to cause problems.
Best arrangement. (Showing TX conductor for reference only)
Getting worse. Making the connections to the RS485 terminals as drops, instead of in-out connections, starts to give the electrical signals all kinds of complicated paths for reflections and harmonics. It is obvious that if the drops are long and are not twisted then you also have more chance to induce noise. (Showing TX conductor for reference only)
Worst. Avoid Star configurations. They are so much harder to debug when it gets tricky. (Showing TX conductor for reference only)
MODBUS RESOURCES, TESTING AND TROUBLE SHOOTING
WHAT TO TAKE TO SITE WITH YOU
1. USB->485 converter
2. USB->232 Converter. Any will do.
3. Laptop
4. Wireshark packet sniffer software – free download www.wireshark.org/download.html
5. CAS Modbus Scanner – free download. CAS Modbus Scanner is a utility to retrieve coils, inputs, holding registers, and input registers from a Modbus enabled device. Values retrieved from the device can be viewed in many different formats including Binary, HEX, Uint16, Int16, Uint32, Int32, and Float32.
6. CAS Modbus Parser – free download. Have you ever needed to analyze a Modbus RTU message? The CAS Modbus RTU parser can analyze a Modbus RTU message and tell you if there are any errors in the message, what type of message it is, what data is being written or read from your device, what device the message came from, and more…
7. Serial Break out box
8. Lcom DB9-Terminal blocks (or similar)
9. DB9 and DB25 male and female connector make-up kits (Solder free)
10. Rx / Tx cross over. It is useful to be able to swap the conductors connected to pins 2 and 3. Take a module with you. It is easier than changing the wires. EG. Ziotek Null Modem Adapter DB25
11. Terminating Resistors. Take 52.3, 75, 100, 120 and 150 Ohm resistors with you. 0.25 Watt is usually more than enough.
12. Gender Benders
13. Ethernet Patch cables
14. Hub. A hub is not a switch. A hub can be used for trouble shooting whereas only a ‘supervised’ switch can. Most switches are not supervised. For more information read Appendix.
TROUBLE SHOOTING MODBUS TCP/IP
Hub or Supervised Switch
Wireshark – Free Download http://www.wireshark.org/download.html
Tip #1 – Use a hub: You might not capture the traffic if you don’t use a hub. Read the article on hub and switches to understand why.
Tip #2 – Capture filter: You can select the packets you capture to reduce log file size by defining a capture filter before you start the capture.
Tip #3 – Display Filter: You can select which packets you view from the total log by defining a display filter.
Tip #4 – Save: You can select which packets to save in the log files.
Tip #5 – Search: You can search for particular packets.
Add a connection
Choose from Serial or Ethernet
Add devices. The device number is the Modbus Device Number.
You can add multiple connections, and more than one of each type. Each connection can have one or more devices. Each device can have one or more requests.
Once connections, devices and requests have been defined you can scan for data, exit or edit the settings. To scan for data – Double click a request. It will be executed once. You can have the request auto repeat by checking the Auto Update box. You will not get a response every time you poll. You may be polling the wrong device with the wrong IP address or wrong baud rate. You could be polling for points that don’t exist … there are many reasons. If you don’t get a response this is called a timeout.
Converting Modbus 16 bit numbers to 32 bit numbers
Often the vendor documentation does not report the byte order in which registers are served or the order in which words must be combined to form 32 bit numbers. For this reason FieldServer provides 4 functions to convert Modbus 16 bit numbers to 32 bit numbers.
2.i16-1.i32
Each of these functions takes 2x 16 bit numbers to form a 32 bit number. Each processes the bytes in a different order.
Practical Tip: The easiest way to determine which function to use is to experiment. Look at the values in the FieldServer Data Arrays. If the values are obviously wrong try the other move functions. (Don’t forget that some numbers may be scaled so the number you see in the Data Array may be 10x or 100x too big / small.)
Example: In the move below if DA_B01_REG[21] == 1 and Then DA_B01_INT32[21] == 131073
Explanation: 1 + 65536 * 2 = 131073, or in hexadecimal 0x0001 + 0x0002 * 0x10000 = 0x20001
Moves Source_Data_Array ,Source_Offset ,Target_Data_Array ,Target_Offset ,Length ,Function
By the way, the length is 2 because the move must process two values from the source.
Example: DA_B01_REG[21] == 1 and
How Real (Floating Point) and 32-bit Data is Encoded in Modbus RTU Messages
The article discusses some of the typical difficulties encountered when handling 32-bit data types via Modbus RTU and offers practical help for solving these problems. The point-to-point Modbus protocol is a popular choice for RTU communications, if for no other reason than its basic convenience. The protocol itself controls the interactions of each device on a Modbus network, how each device establishes a known address, how each device recognizes its messages and how basic information is extracted from the data. In essence, the protocol is the foundation of the entire Modbus network.
Such convenience does not come without some complications however, and the Modbus RTU message protocol is no exception. The protocol itself was designed based on devices with a 16-bit register length. Consequently, special considerations were required when implementing 32-bit data elements. This implementation settled on using two consecutive 16-bit registers to represent 32 bits of data, or essentially 4 bytes of data. It is within these 4 bytes of data that single-precision floating point data can be encoded into a Modbus RTU message.
Modbus itself does not define a floating point data type but it is widely accepted that it implements 32-bit floating point data using the IEEE-754 standard. However, the IEEE standard has no clear cut definition of the byte order of the data payload. Therefore the most important consideration when dealing with 32-bit data is that data is addressed in the proper order. For example, the number 123456.00 as defined in the IEEE 754 standard for single-precision 32-bit floating point numbers appears as follows:
The effects of various byte orderings are significant. For example, ordering the 4 bytes of data that represent 123456.00 in a “B A D C” sequence is known as a “byte swap”. When interpreted as an IEEE 754 floating point data type, the result is quite different:
Ordering the same bytes in a “C D A B” sequence is known as a “word swap”. Again, the results differ drastically from the original value of 123456.00:
Furthermore, both a “byte swap” and a “word swap” would essentially reverse the sequence of the bytes altogether to produce yet another result:
Clearly, when using network protocols such as Modbus, strict attention must be paid to how bytes of memory are ordered when they are transmitted, also known as the ‘byte order’. The Modbus protocol itself is declared as a ‘big-Endian’ protocol, as per the Modbus Application Protocol Specification, V1.1.b: “Modbus uses a “big-Endian” representation for addresses and data items. This means that when a numerical quantity larger than a single byte is transmitted, the most significant byte is sent first.”
Big-Endian is the most commonly used format for network protocols – so common, in fact, that it is also referred to as ‘network order’. Given that the Modbus RTU message protocol is big-Endian, in order to successfully exchange a 32-bit datatype via a Modbus RTU message, the endianness of both the master and the slave must be considered. Many RTU master and slave devices allow specific selection of byte order, particularly in the case of software-simulated units. One must merely ensure that all units are set to the same byte order.
As a rule of thumb, the family of a device’s microprocessor determines its endianness. Typically, the big-Endian style (the high-order byte is stored first, followed by the low-order byte) is generally found in CPUs designed with a Motorola processor. The little-Endian style (the low-order byte is stored first, followed by the high-order byte) is generally found in CPUs using the Intel architecture. It is a matter of personal perspective as to which style is considered ‘backwards’.
If, however, byte order and endianness is not a configurable option, you will have to determine how to interpret the bytes. This can be done by requesting a known floating-point value from the slave. If an impossible value is returned, i.e. a number with a double-digit exponent or such, the byte ordering will most likely need modification.
Practical Help
The following table shows the FieldServer function moves that copy two adjacent 16-bit registers to a 32-bit integer value.
The following table shows the FieldServer function moves that copy two adjacent 16-bit registers to a 32-bit floating point value:
The following table shows the FieldServer function moves that copy a single 32-bit floating point value to two adjacent 16-bit registers:
Given the various FieldServer function moves, the correct handling of 32-bit data is dependent on choosing the proper one. Observe the following behavior of these FieldServer function moves on the known single-precision decimal float value of 123456.00:
Notice that different byte and word orderings require the use of the appropriate FieldServer function move. Once the proper function move is selected, the data can be converted in both directions. Of the many hex-to-floating point converters and calculators that are available on the Internet, very few actually allow manipulation of the byte and word orders. One such utility is located at www.61131.com/download.htm where both Linux and Windows versions of the utilities can be downloaded. Once installed, the utility is run as an executable with a single dialog interface. The utility presents the decimal float value of 123456.00 as follows:
One can then swap bytes and/or words to analyze what potential endianness issues may exist between Modbus RTU master and slave devices.
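The byte and word orderings discussed above, and the register-pair integer example from the earlier section (registers 1 and 2 giving 131073), worked through as an added example that is not part of the newsletter. The function names are illustrative and are not the FieldServer move functions; the register values are constructed from the IEEE 754 encoding of 123456.00, which is 0x47F12000.

```python
"""Decode two Modbus registers as a 32-bit value under each byte/word order."""
import math
import struct

# A is the most significant byte of the 32-bit value, D the least significant.
ORDERS = ("ABCD", "BADC", "CDAB", "DCBA")


def to_canonical(registers, order):
    """Return the four value bytes, most significant first.

    `registers` holds the two 16-bit words in the sequence they were read.
    `order` says which value byte sits in each position of that sequence,
    e.g. "CDAB" means the low word arrived first (a word swap).
    """
    wire = struct.pack(">HH", *registers)
    return bytes(wire[order.index(name)] for name in "ABCD")


def decode_float32(registers, order):
    """Interpret the register pair as an IEEE 754 single-precision float."""
    return struct.unpack(">f", to_canonical(registers, order))[0]


def decode_uint32(registers, order):
    """Interpret the register pair as an unsigned 32-bit integer."""
    return int.from_bytes(to_canonical(registers, order), "big")


def matching_orders(registers, known_value, rel_tol=1e-6):
    """Orders under which the pair decodes to a value the device is known to hold.

    This is the "request a known floating-point value" test: write or look up
    a known value on the device, read the two registers, and see which
    ordering reproduces it.
    """
    return [order for order in ORDERS
            if math.isclose(decode_float32(registers, order), known_value,
                            rel_tol=rel_tol)]


if __name__ == "__main__":
    # Constructed reading: 123456.00 served with the low word first.
    reading = (0x2000, 0x47F1)
    for order in ORDERS:
        print(order, decode_float32(reading, order))
    print("orders that match 123456.0:", matching_orders(reading, 123456.0))
    # Registers 1 and 2 combined low word first: 1 + 65536 * 2.
    print(decode_uint32((1, 2), "CDAB"))
```

Only one ordering reproduces the known value; the other three give a very small, denormal or very large negative number, which is the kind of impossible value that signals a wrong byte order.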
HUBS VS SWITCHES – USING WIRESHARK TO SNIFF NETWORK PACKETS
Gotcha #1 : Use a hub not a switch
Why: Switches don’t copy all messages to all ports. They try and optimize traffic so when they learn which port a device is connected to they send all messages intended for that device to that port and stop copying to all ports. (The jargon they use for this function is ‘learning mode’.)
How do you know it’s a hub: Just because it calls itself a hub doesn’t mean it is one.
Gotcha #2 : Mixing 10 and 100 mbits/sec can cause problems. Not all hubs copy 10mbit messages to 100mbit ports and vice versa. Use a 10mbit/sec hub if you are on a mixed network – almost all other faster devices are speed sensing and will downgrade themselves to 10mbits/sec and thus you will see all the packets. This is not true of some building automation engines where the speed of the port is configured. You can work around this problem by connecting higher speed devices to a self sending switch/hub and then connect that switch/hub to the 10mbit hub. Recommended Hubs
Google Search Features
Do you need to track your UPS, Fedex or USPS shipment without going through their websites? Wondering what is today’s currency conversion rate? Are you an automation professional who always converts the engineering units? If the answer is yes, then Google Search will definitely make your life easier.
Package Tracking: As simple as it looks, just enter your tracking number into the search box and Google will show you the results with links to the status of your shipment.
Currency Conversion: If you are dealing with multiple currencies, this may be of help. Just type in the currencies you would like to convert and Google will show you the results in seconds.
Unit Conversion: No more ruler and calculator. Simply key in the units into the search box and get them converted fast and accurately – no muss, no fuss.
Google Search features at a glance: www.google.com/help/features.html








































