RS 485

Published by: Michal Cousins on Dec 23, 2010
Copyright:Attribution Non-commercial







RS 485

RS-485 (also known as EIA-485) is an OSI Model physical layer electrical specification of a two-wire, half-duplex, multipoint serial connection. The standard specifies a differential form of signalling. The difference between the wires' voltages is what conveys the data. One polarity of voltage indicates a logic 1 level, the reverse polarity indicates logic 0. The difference of potential must be at least 0.2 volts for valid operation, but any applied voltages between +12 V and -7 volts will allow correct operation of the receiver.

Figure 3.2. RS-485 bus

EIA-485 only specifies electrical characteristics of the driver and the receiver. It does not specify or recommend any data protocol. EIA-485 enables the configuration of inexpensive local networks and multidrop communications links. It offers high data transmission speeds (35 Mbit/s up to 10 m and 100 kbit/s at 1200 m), since it uses a differential balanced line over twisted pair. In contrast to EIA-422, which has a single driver circuit which cannot be switched off, EIA-485 drivers need to be put in transmit mode explicitly by asserting a signal to the driver. This allows EIA-485 to implement linear topologies using only two lines. The pieces of equipment located along a set of EIA-485 wires are interchangeably called nodes, stations and devices.

The recommended arrangement of the wires is as a connected series of point-to-point (multidropped) nodes, a line or bus, not a star, ring, or multiply-connected network. Ideally, the two ends of the cable will have a termination resistor connected across the two wires. Without termination resistors, reflections of fast driver edges can cause multiple data edges that can cause data corruption. Termination resistors also reduce electrical noise sensitivity due to the lower impedance, and bias resistors are sometimes required. The value of each termination resistor should be equal to the cable impedance (typically, 120 ohms for twisted pairs). Star and ring topologies are not recommended because of signal reflections or excessively low or high termination impedance.

Converters from RS232 to RS485, USB to RS485, and Ethernet to RS485 are available to allow a PC to communicate with remote devices. By using repeaters and multi-repeaters, very large RS485 networks can be formed. Using an RS485 multi-repeater can allow for star configurations with home runs (or multi-drop) connections similar to Ethernet star implementations (with greater distances). Star systems (with multi-repeaters) allow for very maintainable systems, without violating any of the RS485 specifications. Repeaters can also be used to extend the distance and/or number of nodes on a network.

Bias resistors are sometimes used to bias data lines when the lines are not being driven by any device. This way, the lines will be biased to known voltages and nodes will not interpret the noise from undriven lines as actual data; without biasing resistors, the data lines float in such a way that electrical noise sensitivity is greatest when all device stations are silent or unpowered. Often, in a master-slave arrangement where one device dubbed "the master" initiates all communication activity, the master device itself provides the bias and not the slave devices. In this configuration, the master device is typically centrally located along the bus, so it would be two slave devices located at the physical ends of the wires that would provide the termination. The master device would provide termination if it itself was located at a physical end of the wires. Note that it is not a good idea to apply the bias at multiple node locations, because, by doing so, the effective bias resistance is lowered, which could possibly cause a violation of the EIA-485 specification and cause communications to malfunction. By keeping the biasing with the master, slave device design is simplified and this situation is avoided.

EIA-485, like EIA-422, can be made full-duplex by using four wires; however, since EIA-485 is a multi-point specification, this is not necessary in many cases. EIA-485 and EIA-422 can interoperate with certain restrictions.


EIA-485 does not specify any connector. The following table lists some typical RS-485 signal pin assignments (RS-232, another serial standard, listed here for comparison):

Figure 3.3. RS-485 pinout


Pin assignment

The RS485 differential line consists of two pins:

* A '-' (TxD-/RxD-) inverting pin which is negative (compared to B) when the line is idle (i.e. data is 1).
* B '+' (TxD+/RxD+) non-inverting pin which is positive (compared to A) when the line is idle (i.e. data is 1).

The RS-485 signalling specification states that signal A is the inverting or '-' pin and signal B is the non-inverting or '+' pin. This is in conflict with the A/B naming used by a number of differential transceiver manufacturers, including the Texas Instruments application handbook on RS422/485 communications (A=non-inverting, B=inverting). These manufacturers are incorrect, but their practice is in widespread use. Therefore, care must be taken when using A/B naming. In addition to the A and B connections, the EIA standard also specifies a third interconnection point called C, which is the common ground.

Waveform example

The graph below shows potentials of the '+' and '-' pins of an RS-485 line during transmission of an RS-485 byte:

Figure 3.4. RS-485 signals

RS 232

RS-232 is a standard for serial binary data signals connecting between a DTE (Data terminal equipment) and a DCE (Data Circuit-terminating Equipment). It is commonly used in computer serial ports. A similar ITU-T standard is V.24.

The Electronic Industries Alliance (EIA) standard RS-232-C[1] as of 1969 defines:

* Electrical signal characteristics such as voltage levels, signaling rate, timing and slew-rate of signals, voltage withstand level, short-circuit behavior, maximum stray capacitance and cable length.
* Interface mechanical characteristics, pluggable connectors and pin identification.
* Functions of each circuit in the interface connector.
* Standard subsets of interface circuits for selected telecom applications.

The standard does not define such elements as character encoding (for example, ASCII, Baudot or EBCDIC), or the framing of characters in the data stream (bits per character, start/stop bits, parity). The standard does not define protocols for error detection or algorithms for data compression. The standard does not define bit rates for transmission, although the standard says it is intended for bit rates lower than 20,000 bits per second. Many modern devices can exceed this speed (38,400 and 57,600 bit/s being common, and 115,200 and 230,400 bit/s making occasional appearances) while still using RS-232 compatible signal levels.

Details of character format and transmission bit rate are controlled by the serial port hardware, often a single integrated circuit called a UART that converts data from parallel to serial form. A typical serial port includes specialized driver and receiver integrated circuits to convert between internal logic levels and RS-232 compatible signal levels.

Because the application of RS-232 has extended far beyond the original purpose of interconnecting a terminal with a modem, successor standards have been developed to address the limitations. Issues with the RS-232 standard include:

* The large voltage swings and requirement for positive and negative supplies increases power consumption of the interface and complicates power supply design. The voltage swing requirement also limits the upper speed of a compatible interface.
* Single-ended signaling referred to a common signal ground limit the noise immunity and transmission distance.
* Multi-drop (meaning a connection between more than two devices) operation of an RS-232 compatible interface is not defined; while multi-drop "work-arounds" have been devised, they have limitations in speed and compatibility.
* Asymmetrical definitions of the two ends of the link make the assignment of the role of a newly developed device problematic; the designer must decide on either a DTE-like or DCE-like interface and which connector pin assignments to use.
* The handshaking and control lines of the interface are intended for the setup and takedown of a dial-up communication circuit; in particular, the use of handshake lines for flow control is not reliably implemented in many devices.
* While the standard recommends a connector and pinout, the connector is large by current standards.

In RS-232, data is sent as a time-series of bits. Both synchronous and asynchronous transmissions are supported by the standard. In addition to the data circuits, the standard defines a number of control circuits used to manage the connection between the DTE and DCE. Each data or control circuit only operates in one direction, that is, signaling from a DTE to the attached DCE or the reverse. Since transmit data and receive data are separate circuits, the interface can operate in a full duplex manner, supporting concurrent data flow in both directions. The standard does not define character framing within the data stream, or character encoding.

Voltage levels

The RS-232 standard defines the voltage levels that correspond to logical one and logical zero levels. Valid signals are plus or minus 3 to 15 volts. The range near zero volts is not a valid RS-232 level; logic one is defined as a negative voltage, the signal condition is called marking, and has the functional significance of OFF. Logic zero is positive, the signal condition is spacing, and has the function ON. The standard specifies a maximum open-circuit voltage of 25 volts; signal levels of ±5V, ±10V, ±12V, and ±15V are all commonly seen depending on the power supplies available within a device. RS-232 drivers and receivers must be able to withstand indefinite short circuit to ground or to any voltage level up to +/-25 volts. The slew rate, or how fast the signal changes between levels, is also controlled.

Because the voltage levels are higher than logic levels used by integrated circuits, special intervening circuits are required to translate logic levels, and to protect circuitry internal to the device from short circuits or transients that may appear on the RS-232 interface.

Because both ends of the RS-232 circuit depend on pin seven, the ground, being zero volts, problems will occur when connecting machinery and computers where the voltage between pin seven on one end, and pin seven on the other is not zero, i.e. a condition that is commonly referred to as a ground loop.

Connectors

RS-232 devices may be classified as Data Terminal Equipment (DTE) or Data Circuit termination Equipment (DCE); this defines at each device which wires will be sending and receiving each signal. The standard recommended but did not make mandatory the common D-subminiature 25 pin connector. In general, terminals have male connectors with DTE pin functions, and modems have female connectors with DCE pin functions. Other devices may have any combination of connector gender and pin definitions.

Presence of a 25 pin D-sub connector does not necessarily indicate an RS-232C compliant interface. For example, on the original IBM PC, a male D-sub was an RS-232C DTE port (with a non-standard current loop interface on reserved pins), but the female D-sub connector was used for a parallel Centronics printer port. Some personal computers put non-standard voltages or signals on their serial ports.

The standard specifies 20 different signal connections. Since most devices use only a few signals, smaller connectors can be used. For example, the 9 pin DE-9 connector was used by most IBM-compatible PCs since the IBM PC AT, and has been standardized as TIA-574. More recently, modular connectors have been used. Most common are 8 pin RJ-45 connectors.

Pinouts (DTE relative)

Figure 3.1. RS-232 pinouts

The signals are labeled from the standpoint of the DTE device; TD, DTR, and RTS are generated by the DTE and RD, DSR, CTS, DCD, and RI are generated by the DCE. The ground signal is a common return for the other connections; it appears on two pins in the Yost standard but is the same signal. Connection of pin 1 (protective ground) and pin 7 (signal reference ground) is a common practice but not recommended. Use of a common ground is one weakness of RS-232. If the two pieces of equipment are far enough apart or on separate power systems, the ground will degrade between them and communications will fail; this is a difficult condition to trace.

Signals

Commonly-used signals are:

* Transmitted Data (TxD): Data sent from DTE to DCE.
* Received Data (RxD): Data sent from DCE to DTE.
* Request To Send (RTS): Asserted (set to 0) by DTE to prepare DCE to receive data. This may require action on the part of the DCE, e.g. transmitting a carrier or reversing the direction of a half-duplex line.
* Clear To Send (CTS): Asserted by DCE to acknowledge RTS and allow DTE to transmit.
* Data Terminal Ready (DTR): Asserted by DTE to indicate that it is ready to be connected. If the DCE is a modem, it should go "off hook" when it receives this signal. If this signal is de-asserted, the modem should respond by immediately hanging up.

* Data Set Ready (DSR): Asserted by DCE to indicate an active connection. If DCE is not a modem (e.g. a null-modem cable or other equipment), this signal should be permanently asserted (set to 0), possibly by a jumper to another signal.
* Carrier Detect (CD): Asserted by DCE when a connection has been established with remote equipment.
* Ring Indicator (RI): Asserted by DCE when it detects a ring signal from the telephone line.

Cables

Since the standard definitions are not always correctly applied, it is often necessary to consult documentation, test connections with a breakout box, or use trial and error to find a cable that works when interconnecting two devices. Connecting a fully-standard-compliant DCE device and DTE device would use a cable that connects identical pin numbers in each connector (a so-called "straight cable"). "Gender changers" are available to solve gender mismatches between cables and connectors. Connecting devices with different types of connectors requires a cable that connects the corresponding pins according to the table above. Cables with 9 pins on one end and 25 on the other are common, and manufacturers of equipment with RJ-45 connectors usually provide a cable with either a DB-25 or DE-9 connector (or sometimes interchangeable connectors so they can work with multiple devices).

Connecting two DTE devices together requires a null modem that acts as a DCE between the devices by swapping the corresponding signals (TD-RD, DTR-DSR, and RTS-CTS). This can be done with a separate device and two cables, or using a cable wired to do this. If devices require Carrier Detect, it can be simulated by connecting DSR and DCD internally in the connector, thus obtaining CD from the remote DTR signal. One feature of the Yost standard is that a null modem cable is a "rollover cable" that just reverses pins 1 through 8 on one end to 8 through 1 on the other end.

For configuring and diagnosing problems with RS-232 cables, a "breakout box" may be used. This device normally has a female and male RS-232 connector and is meant to attach in-line; it then has lights for each pin and provisions for interconnecting pins in different configurations.

Handshaking

The standard RS-232 use of the RTS and CTS lines is asymmetrical. The DTE asserts RTS to indicate a desire to transmit and the DCE asserts CTS in response to grant permission. This allows for half-duplex modems that disable their transmitters when not required, and must transmit a synchronization preamble to the receiver when they are re-enabled. There is no way for the DTE to indicate that it is unable to accept data from the DCE. A non-standard symmetrical alternative is widely used: CTS indicates permission from the DCE for the DTE to transmit, and RTS indicates permission from the DTE for the DCE to transmit. The "request to transmit" is implicit and continuous.

3-wire and 5-wire RS-232

A minimal "3-wire" RS-232 connection consisting only of transmit data, receive data, and ground, is commonly used when the full facilities of RS-232 are not required. When only flow control is required, the RTS and CTS lines are added in a 5-wire version.

The reason that a minimal two-way interface can be created with only 3 wires is that all the RS-232 signals share a common ground return. The use of unbalanced circuits makes RS-232 susceptible to problems due to ground potential shifts between the two devices. RS-232 also has relatively poor control of signal rise and fall times, leading to potential crosstalk problems. RS-232 was recommended for short connections (15 meters or less), however the limit is actually defined by total capacitance.

Loopback testing

A commonly used version of loopback testing doesn't involve any special capability of either end. A hardware loopback is simply a wire connecting complementary pins together in the same connector. For example, a device's transmit pin connected to its receive pin will result in the device receiving exactly what it transmits. Moving this looping connection to the remote end of a cable adds the cable to this test. Moving it to the far end of a modem link extends the test further. This is a common troubleshooting technique and is often combined with a Bit Error Rate Tester (BERT) that sends specific patterns and counts any errors that come back.

The original IBM PC serial port card implemented a 20 mA current-loop interface, which was never emulated by other suppliers of plug-compatible equipment. 20 mA current loop uses the absence of 20 mA current for high, and the presence of current in the loop for low; this signaling method is often used for long-distance and optically isolated links. Connection of a current-loop device to a compliant RS-232 port requires a level translator; current-loop devices are capable of supplying voltages in excess of the withstand voltage limits of a compliant device.

Other serial interfaces similar to RS-232:

* RS-422 (a high-speed system similar to RS-232 but with differential signaling)
* RS-485 (a descendant of RS-422 that can be used as a bus in multidrop configurations)

PC serial port

A serial port is a serial communication physical interface through which information transfers in or out one bit at a time in contrast to a parallel port. Throughout most of the history of personal computers, data transfer through serial ports connected the computer to devices such as terminals or modems. Mice, keyboards, and other peripheral devices also connected in this way.

While such interfaces as Ethernet, FireWire, and USB all send data as a serial stream, the term "serial port" usually identifies hardware more or less compliant to the RS-232 standard, intended to interface with a modem or with a similar communication device.

For the most part, the USB interface has replaced the serial port as of 2007; most modern computers are connected to devices through a USB connection, and often don't even have a serial port connection. The serial port is omitted for cost savings, and is considered to be a legacy port.

The IBM PC used an integrated circuit called a UART, that converted characters to (and from) asynchronous serial form, and automatically looked after the timing and framing of data. While the RS-232 standard originally specified a 25-pin D-type connector, many designers of personal computers chose to implement only a subset of the full standard: they traded off compatibility with the standard against the use of less costly and more compact connectors (in particular the DE-9 version used by the original IBM PC-AT).

Operating systems usually use a symbolic name to refer to the serial ports of a computer. Unix-like operating systems usually label the serial port devices /dev/tty* where * represents a string identifying the terminal device; the syntax of that string depends on the operating system and the device. The Microsoft MS-DOS and Windows environments refer to serial ports as COM ports: COM1, COM2, etc.

Compared with RS-232, USB is faster, has lower voltage levels, and has connectors that are simpler to connect and use. Both protocols have software support in popular operating systems. USB is designed to make it easy for device drivers to communicate with hardware. However, there is no direct analog to the terminal programs used to let users communicate directly with serial ports. USB is more complex than the RS 232 standard, requiring more software to support the protocol used. Serial ports of personal computers were also often used to directly control various hardware devices, such as relays or lamps, since the control lines of the interface could be easily manipulated by software. This isn't feasible with USB which requires some form of receiver to decode the serial data.

When a laptop does not have a serial port, two popular substitutes are USB adapters and PCMCIA cards. USB adapters often fail to work with older "legacy" devices. A more expensive PCMCIA card provides a real (hardware) serial port. If communication with RS 232 devices is critical, a physical RS 232 port will generally provide better compatibility with "legacy" software.

A virtual serial port is an emulation of the standard serial port. This port is created by special software products which enable extra serial ports in operation system without additional hardware installation (such as expansion cards, etc.). Unlike the standard physical serial port the virtual one can be assigned any name (COM255, VSP33, etc.). It is possible to create unlimited number of virtual serial ports in your PC. The only limitation is the computer performance, as it may require a substantial amount of resources to emulate large numbers of serial ports.

Virtual serial port emulates all serial port functionality, including Baud rate, Data bits, Parity bits, Stop bits, etc. Additionally it allows controlling the data flow, emulating all signal lines (DTR/DSR/CTS/RTS/DCD/RI) and customizing pinout. Virtual serial port emulation can be useful in case there is a lack of available physical serial ports or they do not meet the current requirements. For instance, virtual serial ports can help you share data between several applications from one GPS device connected to serial port. Another option is to communicate with any other serial devices via internet or LAN as if they are locally connected to computer (Serial-over-Ethernet technology). You can establish connection between two computers or applications via emulated null-modem link.

Setting up a serial port requires the following parameters to be configured on both the transmitter and the receiver:

Baud rate

Serial ports use two-level (binary) signalling, so the data rate in bits per second is equal to the symbol rate in baud. Common bit rates per second for asynchronous start/stop communication are 300, 1200, 2400, 9600, 19200 baud, etc. Though the RS-232 standard is formally limited to 20,000 bits per second, serial ports on popular personal computers allow settings up to 115,200 bits per second; the capability to set a bit rate does not imply that a working connection will result. The speed includes bits for framing (stop bits, parity, etc.) and so the effective data rate is lower than the bit transmission rate. For example for 8-N-1 encoding only 80% of the bits are available for data (for every eight bits of data, two more framing bits are sent).

Data bits

The number of data bits can be 5 (for Baudot Code), 6 (rarely used), 7 (for true ASCII), 8 (for any kind of data, as this matches the size of a byte), or 9 (rarely used). 8 data bits are almost universally used in newer applications. Most serial communications designs send the data bits within each byte LSB (Least Significant Bit) first. This standard is also referred to as "little endian". Also possible, but rarely used, is "big endian" or MSB (Most Significant Bit) first serial communications.

Parity

Parity is a method of detecting some errors in transmission. Where parity is used with a serial port, an extra data bit is sent with each data character, arranged so that the number of 1 bits in each character, including the parity bit, is always odd or always even. If a byte is received with the wrong number of 1 bits, then it must have been corrupted. If parity is correct there may have been no errors or an even number of errors. A single parity bit does not allow implementation of error correction on each character, and communication protocols working over serial data links may have higher-level mechanisms such as checksums to ensure data validity and request retransmission of data that has been incorrectly received.

The parity of the serial can be set to none (N), odd (O), even (E), mark (M), or space (S). None means that no parity bit is sent at all. Mark parity means that the parity bit is always set to the mark signal condition (logical 1) and likewise space parity always sends the parity bit in the space signal condition. Mark or space parity is uncommon, as it adds very little error detection information. Odd parity is more common than even, since it ensures that at least one state transition occurs, which makes it more reliable. The most common parity setting, however, is "none", with error detection handled at higher layers of the protocol.

Stop bits

Stop bits are sent at the end of every byte transmitted in order to allow the receiving signal hardware to resynchronise. Electronic devices usually use one stop bit. Occasionally, and especially if slow electromechanical devices are used, one-and-one half or two stop bits are required.

Conventional notation

The D/P/S conventional notation specifies the framing of a serial connection. The most common usage on microcomputers is 8/N/1 (8N1). This specifies 8 data bits, no parity, 1 stop bit. In this notation, the parity bit is not included in the data bits. 7/E/1 (7E1) means that an even parity bit is added to the seven data bits for a total of eight bits between the start and stop bits.

Flow control

A serial port may use signals in the interface to pause and resume the transmission of data. For example, a slow printer might need to handshake with the serial port to indicate that data should be paused while the mechanism advances a line. Common hardware handshake signals use the RS-232 RTS/CTS, DTR/DSR signal circuits.

Another method of flow control may use special characters such as XON/XOFF to control the flow of data. The XON/XOFF characters are sent by the receiver to the sender to control when the sender will send data, that is, these characters go in the opposite direction to the data being sent. The XON character tells the sender that the receiver is ready for more data. The XOFF character tells the sender to stop sending characters until the receiver is ready again. If the control characters are part of the data stream, they must be sent as part of an escape sequence to prevent data from being interpreted as flow control. Since no extra signal circuits are required, XON/XOFF flow control can be done on a 3 wire interface.
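The character framing, parity modes and D/P/S notation described above can be exercised in a few lines. The following is an added example, not part of the original document; the function names are hypothetical, a start bit of 0 and stop bits of 1 are assumed (the usual asynchronous convention), and only whole stop bits (1 or 2) are modelled.

```python
"""Asynchronous serial character framing in D/P/S notation (added example)."""

PARITY_MODES = {"N", "O", "E", "M", "S"}  # none, odd, even, mark, space


def parse_dps(notation):
    """Parse '8N1', '7E1' or '8/N/1' into (data_bits, parity, stop_bits)."""
    text = notation.upper().replace("/", "")
    if len(text) != 3 or not text[0].isdigit() or not text[2].isdigit():
        raise ValueError("unsupported notation: %r" % notation)
    data_bits, parity, stop_bits = int(text[0]), text[1], int(text[2])
    if not 5 <= data_bits <= 9 or parity not in PARITY_MODES or stop_bits not in (1, 2):
        raise ValueError("unsupported notation: %r" % notation)
    return data_bits, parity, stop_bits


def parity_bit(data, parity):
    """Parity bit for a list of data bits, or None when no parity bit is sent."""
    if parity == "N":
        return None
    if parity == "M":
        return 1                      # mark: always logical 1
    if parity == "S":
        return 0                      # space: always logical 0
    ones = sum(data)
    return ones % 2 if parity == "E" else 1 - ones % 2


def frame_length(notation):
    data_bits, parity, stop_bits = parse_dps(notation)
    return 1 + data_bits + (parity != "N") + stop_bits


def efficiency(notation):
    """Fraction of transmitted bits that carry data."""
    return parse_dps(notation)[0] / frame_length(notation)


def encode_char(value, notation):
    """Bits on the line: start bit, data LSB first, optional parity, stop bits."""
    data_bits, parity, stop_bits = parse_dps(notation)
    if not 0 <= value < (1 << data_bits):
        raise ValueError("value does not fit in %d data bits" % data_bits)
    data = [(value >> i) & 1 for i in range(data_bits)]
    frame = [0] + data
    p = parity_bit(data, parity)
    if p is not None:
        frame.append(p)
    return frame + [1] * stop_bits


def decode_char(frame, notation):
    """Return the character value, or raise ValueError on a framing/parity error."""
    data_bits, parity, stop_bits = parse_dps(notation)
    if len(frame) != frame_length(notation):
        raise ValueError("wrong frame length")
    if frame[0] != 0:
        raise ValueError("framing error: missing start bit")
    if any(bit != 1 for bit in frame[-stop_bits:]):
        raise ValueError("framing error: bad stop bit")
    data = frame[1:1 + data_bits]
    if parity != "N" and frame[1 + data_bits] != parity_bit(data, parity):
        raise ValueError("parity error")
    return sum(bit << i for i, bit in enumerate(data))


def flip(frame, *positions):
    """Copy of frame with the given bit positions inverted (simulated line noise)."""
    out = list(frame)
    for pos in positions:
        out[pos] ^= 1
    return out


if __name__ == "__main__":
    sent = encode_char(0x41, "7E1")            # constructed sample: ASCII 'A'
    print("7E1 frame:", sent, "efficiency:", efficiency("7E1"))
    try:
        decode_char(flip(sent, 1), "7E1")      # one flipped bit is caught
    except ValueError as err:
        print("single-bit error:", err)
    # Two flipped data bits keep the parity correct, so the error goes unnoticed.
    print("double-bit error decodes as:", hex(decode_char(flip(sent, 1, 2), "7E1")))
```

The last line shows why the text leaves error detection to checksums at higher protocol layers: an even number of flipped bits passes the parity check.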

Modbus protocol

Modbus is a serial communications protocol published by Modicon in 1979 for use with its programmable logic controllers (PLCs). It has become a de facto standard communications protocol in industry, and is now the most commonly available means of connecting industrial electronic devices. The main reasons for the extensive use of Modbus over other communications protocols are that it is a published protocol that is royalty-free and easy to implement. Modbus allows for communication between many devices connected to the same network. Modbus is often used to connect a supervisory computer with a PLC or a RTU in supervisory control and data acquisition (SCADA) systems. Versions of the Modbus protocol exist for serial port and Ethernet.

Figure 3.5. Modbus network

Two variants of Modbus exist, with different representations of numerical data and slightly different protocol details. Modbus RTU is a compact, binary representation of the data. Modbus ASCII is human readable, and more verbose. Both of these variants use serial communication. The RTU format appends the commands/data with a cyclic redundancy check checksum, while the ASCII format uses a longitudinal redundancy check checksum. Nodes configured for the RTU variant will not communicate with nodes set for ASCII, and the reverse.

Modbus/TCP is very similar to Modbus RTU, but transmits the protocol packets within TCP/IP data packets.

An extended version, Modbus Plus (Modbus+ or MB+), also exists, but remains proprietary to Modicon. It requires a dedicated co-processor to handle fast HDLC-like token rotation. It uses twisted pair at 1 Mbit/s and includes transformer isolation at each node, which makes it transition/edge triggered instead of voltage/level triggered. Special interfaces are required to connect Modbus Plus to a computer.

Figure 3.6. Modbus application layer

Each device intended to communicate using Modbus is given a unique address. Any device can send out a Modbus command, although usually only one master device does so. A Modbus command contains the Modbus address of the device it is intended for. Only the intended device will act on the command, even though other devices might receive it. All Modbus commands contain checking information, ensuring that a command arrives undamaged. The basic Modbus commands can instruct an RTU to change a value in one of its registers, as well as commanding the device to send back one or more values contained in its registers.

There are many modems that support Modbus. Some of them were specifically designed for this protocol. Different implementations use wires, wireless communication and even SMS or GPRS. Typical problems the designers have to overcome include high latency and timing problems.

Almost all implementations have variations from the official standard. Different varieties may not communicate correctly between different suppliers' equipment. Some of the most common variations are:

Data Types
* Floating Point IEEE
* 32 bit integer
* 8 bit data
* mixed data types
* bit fields in integers
* multipliers to change data to/from integer.

Protocol extensions
* 16 bit slave addresses
* 32 bit data size (1 address = 32 bits of data returned.)
* word swapped data

Modbus was designed in the late 1970's to communicate to programmable logic controllers and suffers from limitations by modern standards. The number of data types are limited to those understood by PLCs at the time. Large binary objects are not supported. No standard way exists for a node to find the description of a data object, for example, to determine if a register value represents a temperature between 30 and 175 degrees. Since Modbus is a master/slave protocol, there is no way for a field device to "report by exception"; the master node must routinely poll each field device, and look for changes in the data. This consumes bandwidth and network time in applications where bandwidth may be expensive, such as over a low-bit-rate radio link. Modbus is restricted to addressing 254 devices on one data link, which limits the number of field devices that may be connected to a master station. Modbus transmissions must be contiguous which limits the types of remote communications devices to those that can buffer data to avoid gaps in the transmission.

Modbus is an application layer protocol. Modbus is usually deployed in a master-slave polling configuration. Modbus is a stateless client-server protocol similar to HTTP based on transactions. A transaction consists of a request (issued by the client) and a response (issued by the server). To prevent confusion "master-slave" in terms of the "client-server" paradigm is related as follows:

* the master is a client
* the slave is a server

Figure 3.7. Modbus client/server

The stateless communication is based on a simple package, that is called Protocol Data Unit (PDU). The protocol specification defines three types of PDU's:
* Request PDU, consisting of:
  * a code specifying a function (Function Code, 1 byte)
  * function specific data (Function Data, varying number of bytes)
* Response PDU, consisting of:
  * the function code corresponding to the request (Function Code, 1 byte)
  * response specific data (Response Data, varying number of bytes)
* Exception Response PDU, consisting of:
  * the function code corresponding to the request + 0x80 (128), (Error Code, 1 byte)
  * a code specifying the exception (Exception Code, 1 byte)

Figure 3.8. Modbus Protocol Data Units

The Modbus specification defines a certain number of functions, each of which is assigned a specific function code. These are in the range 1-127 (decimal), as 129 (1+128) to 255 (127+128) represents the range of error codes. Categories of function codes are the following:
* Public: Guaranteed to be unique and specify well defined functions that are publicly documented. These are validated by the community and a conformance test exists.
* User-Defined: Available for user-defined functions, thus their codes might not be unique. The specification defines the code ranges 65-72 and 100-110 for user-defined functions.
* Reserved: Currently used by some companies for legacy products and are not available for public use.

Figure 3.9. Modbus function codes

The documentation for a function consists of:
* Description of the function, its parameters and return values (including possible exceptions).
* Assigned Function Code.
* Request PDU.
* Response PDU.
* Exception Response PDU.

In certain cases, the response from a slave will be an exception. The primary identification of an exception response is the error code (function code + 128), which is further specified by the exception code.

Figure 3.10. Modbus error codes


The basic public functions have been developed for exchanging data typical for the field of automation.

Figure 3.11. Modbus data types

The Modbus application protocol defines precisely PDU addressing rules. In a Modbus PDU each data is addressed from 0 to 65535. It also defines clearly a Modbus data model composed of 4 blocks that comprises elements numbered from 1 to n. The Modbus data model has to be bound to the device application. The pre-mapping between the Modbus data model and the device application is totally vendor device specific. The specification does not define the ways of organizing the related data in a device. However, the organization has a direct influence on the addresses used in basic access functions. The device's documentation must always be consulted to learn about device specific addressing conventions for basic access functions.

Figure 3.12. Modbus device mapping

Examples of Modbus messages:
* Read coil
Figure 3.13. Modbus read coil
* Read discrete input
Figure 3.14. Modbus read input
Figure 3.15. Modbus read input example
* Modbus read holding register
Figure 3.16. Modbus read holding register
* Modbus read input register
Figure 3.17. Modbus read input register
* Modbus write single coil
Figure 3.18. Modbus write single coil
Figure 3.19. Modbus write single coil example
* Modbus write single register
Figure 3.20. Modbus write single register

Modbus has been implemented and used over all types of physical links (wire, fiber and radio) and various types of lower level communication stacks. Modbus started its life in form of an implementation for asynchronous serial network communication. The application level protocol operates directly on top of a serial interface and serial communication standards. The most common ones are on the RS232 and RS485 physical layers.

For transmission the Modbus message (i.e. ADU) is placed into a frame that has a known beginning and ending point, allowing detection of the start and the end of a message and thus partial messages. The Modbus header is composed of an address field (1 byte) and the tail is an error checksum over the whole package, including the address field (i.e. header). There exist two transmission modes, which differ in encoding, framing and checksum:
* ASCII: Frames are encoded into two ASCII characters per byte, representing the hexadecimal notation of the byte (i.e. characters 0 - 9, A - F). The error checksum is represented by a longitudinal redundancy check (LRC, 1 byte) and messages start with a colon (':', 0x3A), and end with a carriage return-line feed ("CRLF", 0x0D0A). Pauses of 1 second between characters can occur.
* RTU: Frames are transmitted binary to achieve a higher density. The error checksum is represented by a cyclic redundancy check (16 bit CRC, 2 byte) and messages start and end with a silent interval of at least 3.5 character times. This is most easily implemented as a multiple of character times at the baud rate that is being used on the network. The maximum pause that may occur between two bytes is 1.5 character times.
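The two framings and the exception rule described above, as an added Python example that is not part of the original document. The CRC-16 parameters (reflected polynomial 0xA001, initial value 0xFFFF, low byte sent first) come from the Modbus serial line specification rather than this page, and the slave address, register numbers and exception code are constructed sample values.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16 used by Modbus RTU (reflected poly 0xA001, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def lrc(data: bytes) -> int:
    """LRC used by Modbus ASCII: two's complement of the 8-bit byte sum."""
    return (-sum(data)) & 0xFF

def rtu_frame(address: int, pdu: bytes) -> bytes:
    body = bytes([address]) + pdu                 # checksum covers the address too
    return body + struct.pack("<H", crc16_modbus(body))  # CRC low byte first

def ascii_frame(address: int, pdu: bytes) -> bytes:
    body = bytes([address]) + pdu
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode() + b"\r\n"

def parse_rtu(frame: bytes):
    """Return (address, function, payload, is_exception); raise on a damaged frame."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    address, function, payload = body[0], body[1], body[2:]
    if function & 0x80:                           # error code = function code + 0x80
        if len(payload) != 1:
            raise ValueError("malformed exception response")
        return address, function & 0x7F, payload, True
    return address, function, payload, False

def parse_ascii(frame: bytes):
    """Return (address, function, payload) after checking ':' , CRLF and the LRC."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' or CRLF")
    raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    if len(raw) < 3 or lrc(raw[:-1]) != raw[-1]:
        raise ValueError("LRC mismatch")
    return raw[0], raw[1], raw[2:-1]

# Constructed sample: read 3 holding registers starting at 0x006B (function 0x03)
REQUEST_PDU = struct.pack(">BHH", 0x03, 0x006B, 0x0003)
# Constructed sample: exception response to function 0x03 with exception code 0x02
EXCEPTION_PDU = bytes([0x03 + 0x80, 0x02])

if __name__ == "__main__":
    print(rtu_frame(0x11, REQUEST_PDU).hex(" "))
    print(ascii_frame(0x11, REQUEST_PDU))
    print(parse_rtu(rtu_frame(0x11, EXCEPTION_PDU)))
```

Both checksums only detect accidental damage on the line; any sender can compute them, so a valid CRC or LRC says nothing about who produced the frame.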

DNP3 protocol (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies. Usage in other industries is not common, although technically possible. Specifically, it was developed to facilitate communications between various types of data acquisition and control equipment. It plays a crucial role in SCADA systems, where it is used by SCADA Master Stations (Control Centers), Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs). It is used only for communications between a master station and RTUs or IEDs. ICCP, the Inter-Control Centre Protocol, is used for inter-master station communications.

Figure 3.21. DNP3 protocol stack

While IEC 60870-5 was still under development and had not been standardized, there was a need to create a standard that would allow interoperability between various vendors' SCADA components for the electrical power grid. Thus, in 1993, GE-Harris Canada used the partially completed IEC 60870-5 protocol specifications as the basis for an open and immediately implementable protocol that specifically catered to North American requirements. The protocol is designed to allow reliable communications in the adverse environments that electric utility automation systems are subjected to, being specifically designed to overcome distortion induced by EMI, aging components (their expected lifetimes may stretch into decades), and poor transmission mediums. The DNP3 protocol is also referenced in IEEE Std. 1379-2000, which recommends a set of best practices for implementing modern SCADA Master-RTU/IED communication links.

Although the protocol was designed to be reliable, it was not designed to be secure from attacks by hackers and other malevolent forces that could potentially wish to disrupt control systems to disable critical infrastructure. Thus, much work is currently being done to provide security for the systems that use the DNP3 protocol.

DNP3 consists of, in standard networking terms, a layer 7 (application) and a layer 2 (data link) protocol. It provides multiplexing, data fragmentation, error checking, link control, prioritization, and layer 2 addressing services for user data. It makes particularly heavy use of Cyclic Redundancy Checks (CRCs) embedded in its data packets, in an attempt to deal with the very noisy environments in which it is typically used.

Common DNP3 network architectures are depicted in Figure 3.21, "DNP3 protocol stack". At the top is a simple one-on-one system having one master station and one outstation deployed on a RS232 physical layer typically over dial-up telephone line. The second figure shows a configuration known as a multi-drop design over RS485 physical layer. One master station communicates with multiple outstation devices with a master-slave polling communication routine. Many modern applications can now carry DNP3 messages over TCP/IP.

Figure 3.22. DNP3 architecture

The link layer has the responsibility of making the physical link reliable by providing error detection and duplicate frame detection. The link layer sends and receives frames. A DNP3 frame consists of a header and data section. The header specifies the frame size, contains data link control information and identifies the DNP3 source and destination device addresses. The data section contains data or payload passed down from the application layers above.

Figure 3.23. DNP3 data frame

A frame begins with two sync bytes that help the receiver determine where the frame begins. The length specifies the number of octets in the remainder of the frame, not including CRC check octets. The destination address specifies which DNP3 device should process the data, and the source address identifies which DNP3 device sent the message. Having both destination and source addresses satisfies at least one requirement for peer-to-peer communications because the receiver knows where to direct its responses. 65520 individual addresses are available. Every DNP3 device must have a unique address within the collection of devices sending and receiving messages to and from each other. Three destination addresses are reserved by DNP3 to denote a broadcast message, that is, the frame should be processed by all receiving DNP3 devices.

The data payload in the link frame contains a pair of CRC octets for every 16 data octets. This provides high resolution in detecting errors. The maximum number of octets in the data payload is 250, not including CRC octets. The maximum length link layer frame is 292 octets if all the CRC and header octets are counted.

An important feature of DNP3's link layer is the ability for the transmitter of the frame to request the receiver to confirm that the frame arrived. Using this feature is optional, and it is often not employed because there are other methods for confirming receipt of data. It provides an extra degree of assurance of reliable communications. If a confirmation is not received, the link layer may retry the transmission. Some disadvantages to using link layer confirmation are the extra time required for handshaking over slow data links and waiting for multiple timeouts when retries are configured.

The pseudo transport layer (level 7) has the responsibility of breaking long application layer messages into smaller packets sized for the link layer to transmit, and, when receiving, to reassemble frames into longer application layer messages. In DNP3 the transport layer is incorporated into the application layer. The transport layer requires only a single octet of overhead data to perform its duty. The link layer can handle only 250 data octets, and one of those is used for the transport function; each link layer frame can therefore hold as many as 249 application layer octets.

Application layer messages are broken into fragments. Fragmenting messages is the responsibility of the application layer. Maximum fragment size is determined by the size of the receiving device's buffer. The normal range is 2048 to 4096 bytes. Note that an application layer fragment of size 2048 must be broken into 9 frames by the transport layer, and a fragment size of 4096 needs 17 frames. Communications in noisy environments are more successful if the fragment size is significantly reduced.

The application layer works together with the pseudo transport and link layers to enable reliable communications. It provides standardized functions and data formatting with which the user layer above can interact.

The term "static" is used with data and refers to the "current value". Thus static binary input data refers to the present on or off state of a bi-state device. Static analog input data contains the value of an analog at the instant it is transmitted. DNP3 allows requests for some or all of the static data in an outstation device.

DNP3 events are also supported for state changes, values exceeding some threshold, snapshots of varying data, transient data and newly available information. For example, an event is triggered when a binary input changes from an on to an off state or when an analog value changes by more than its configured deadband limit. Events can be generated with and without time stamps so that the master will have the information to generate a time sequence report.

The user layer can be configured to request events. Data updates are more rapid when the master spends most of its time polling for events from the outstation and only occasionally asks for static data as an integrity measure. Updates are faster because the number of events generated between outstation interrogations is small and, therefore, less data needs to be sent back to the master station. Events are classified into three classes. The user layer can request the application layer to poll for class 1, 2 or 3 events or any combination of them.

DNP3 data is represented in various formats. As an example: analog data can be represented as follows:

* 32-bit integer value with flag
* 16-bit integer value with flag
* 32-bit integer value
* 16-bit integer value
* 32-bit floating point value with flag
* 64-bit floating point value with flag

The flag referred to is a single octet describing the state or quality of the data i.e. whether the source is on-line, the data source restarted, communications are lost with a downstream source, the data is forced or the value is over range.

When data from an index is transmitted the sender must encode the information to enable a receiving device to parse and interpret the data. All valid data types and formats are identified by group and variation numbers. Data values are assigned by group numbers. Static analog values are assigned as group 30, and event analog values are assigned as group 32. Static analog values, group 30, can be formatted in one of 6 variations, and event analog values, group 32, can be formatted in one of 8 variations. Group and variation numbers are also assigned for counters, binary inputs, controls and analog outputs. When an outstation transmits a message containing response data, the message identifies the group number and variation of every value within the message. The data for each index appearing in the message are encoded as binary objects i.e. the objects are classified according to the group and variation number chosen.

The user layer formulates requests for data from outstations by specifying what function to perform, such as reading, and by specifying the data types required. The user layer specifies the amount of objects required as a range of objects from index number X through index number Y. The application layer then passes the request down through the transport layer to the link layer for transmission to the outstations. Besides the reading of data the DNP3 protocol is designed to handle other functions. For example: the master can set the time in the outstation, transmit requests for control operations and setting of analog output values.

DNP3 supports slave initiated responses i.e. a slave sends information without being polled for it - also referred to as unsolicited messages. Rather than waiting for a master station polling cycle to get around to it, the outstation simply transmits the change. Before configuring a system for unsolicited messages special attention must be paid to bus contention issues such as the following:

* Spontaneous transmissions should generally occur infrequently, otherwise, too much contention can occur, and controlling media access via master station polling should be used.
* The outstation should have some way of knowing whether it can transmit without stepping on another outstation's message. DNP3 leaves specification of algorithms to the system implementer.

The DNP3 organization recognizes that supporting every feature of DNP3 is not necessary for every device. Some devices are limited in memory and speed and do not need specific features, while other devices must have more advanced features to accomplish their task. DNP3 provides for complexity levels. At the lowest level, level 1, only very basic functions must be provided and all others are optional. Level 2 handles more functions, groups and variations, and level 3 is more sophisticated. Within each level a minimal subset of request formats and response formats is specified.
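The link-layer framing and transport segmentation described earlier (a CRC pair per 16 data octets, 250 data octets per frame, 292-octet maximum frame, 9 frames for a 2048-byte fragment), as an added Python example that is not part of the original document. The sync bytes 0x05 0x64, the control octet values, the CRC polynomial and the transport octet layout come from the DNP3 specification rather than this page; the addresses 1 and 1024 are constructed sample values.

```python
import struct

def crc16_dnp(data: bytes) -> int:
    """DNP3 link CRC: poly 0x3D65 (reflected 0xA6BC), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def _with_crc(block: bytes) -> bytes:
    return block + struct.pack("<H", crc16_dnp(block))   # CRC sent low octet first

def link_frame(dest: int, src: int, user_data: bytes, control: int = 0xC4) -> bytes:
    """Header block (sync, length, control, dest, src, CRC) + CRC per 16 data octets.
    control 0xC4 = master-to-outstation unconfirmed user data (from the spec)."""
    if len(user_data) > 250:
        raise ValueError("link layer carries at most 250 data octets")
    # The length field counts control + addresses + user data, not the CRC octets.
    header = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user_data), control, dest, src)
    blocks = (user_data[i:i + 16] for i in range(0, len(user_data), 16))
    return _with_crc(header) + b"".join(_with_crc(b) for b in blocks)

def segment(fragment: bytes):
    """Split a fragment into transport segments of at most 249 octets, each led by
    one transport octet: FIN 0x80, FIR 0x40, 6-bit sequence number."""
    chunks = [fragment[i:i + 249] for i in range(0, len(fragment), 249)]
    for seq, chunk in enumerate(chunks):
        flags = (0x40 if seq == 0 else 0) | (0x80 if seq == len(chunks) - 1 else 0)
        yield bytes([flags | (seq & 0x3F)]) + chunk

def check_frame(frame: bytes) -> bytes:
    """Verify every CRC in a link frame and return its user data; raise on damage."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("bad sync bytes")
    if _with_crc(frame[:8]) != frame[:10]:
        raise ValueError("header CRC mismatch")
    data, body = b"", frame[10:]
    for i in range(0, len(body), 18):                    # 16 data + 2 CRC octets
        block = body[i:i + 18]
        if len(block) < 3 or _with_crc(block[:-2]) != block:
            raise ValueError("data block CRC mismatch")
        data += block[:-2]
    if len(data) != frame[2] - 5:
        raise ValueError("length field disagrees with payload")
    return data

def frames_for(fragment: bytes, dest: int = 1, src: int = 1024):
    """Link frames needed for one application fragment (sample addresses)."""
    return [link_frame(dest, src, seg) for seg in segment(fragment)]

if __name__ == "__main__":
    frames = frames_for(bytes(2048))
    print(len(frames), "frames, first is", len(frames[0]), "octets")
```

`check_frame` accepts any frame whose CRCs have been recomputed correctly, which is the practical meaning of the page's remark that the protocol was designed for reliability and not for security.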
