
2. Highway Addressable Remote Transducer (HART) protocol


• Explain the operations of a HART Network; MAC and FSK.
• Types and examples of HART commands.
• Sketch a HART Network in different topologies.
• Explain Device description and its purpose.
• HART packet structure and function of fields.
• Applications of IS, Zener barriers and galvanic isolators.
• The benefits of HART communication.
• Explain the wiring and installation considerations for HART – analyse the
loop circuit.
• Devices in a Wireless HART network; Gateway (Network manager,
Security manager & access point), adapter, WirelessHART Device,
mobile terminal
• Configuration and formation of WirelessHART.
• Understand media access control in Wireless HART.

The HART (Highway Addressable Remote Transducer) protocol is an open standard owned by the more
than 100 member companies in the HART Communication Foundation (HCF). It is primarily used in
SCADA applications. It can be used to monitor the primary value (PV) communicated through the 4-20 mA
signal as well as additional digital information in order to reduce scheduled field trips for preventive
maintenance. This results in less downtime and less employment of manpower.

The HART digital signal contains information such as Device Status, Diagnostics, Additional measured
or calculated values. For instance, a mass-flow meter can have a PV of mass flow rate, Secondary value
(SV) of static pressure, Tertiary value (TV) cumulative sum of mass; where the SV and TV are
communicated digitally. SCADA applications of HART include inventory management, automated meter
reading and remote monitoring of petrochemical pipelines.

2.1. Network topologies


The HART protocol can be configured in both Point-to-point and bus/Multi-drop topologies. HART is used
in point-to-point mode for commissioning, maintenance, and diagnostic purposes as illustrated in Figure
2.1.1.

Figure 2.1.1: Point-to-point HART configuration.

The multi-drop mode of operation requires only a single pair of wires and an auxiliary power supply
for up to 15 field devices as illustrated in Figure 2.1.2. It is used when devices are widely spaced. All field
device polling addresses are greater than 0, and the current through each device is fixed to a minimum
value (typically 4 mA).

Figure 2.1.2: Multidrop HART configuration.

Hand-Held Communicator device: is widely used for configuration and commissioning of HART
devices. It is available from major instrumentation suppliers around the globe and is supported by all
member companies in the HCF. Using HART Device Description Language (DDL), the communicator
can fully communicate with and configure any HART device for which it has a DD installed. If the
communicator does not have the DD for a particular network device installed, it can still communicate
with that device using the universal and common practice commands.

Figure 2.1.3: HART hand-held field communicator.

2.2 HART Communication modes


HART is a master-slave communication protocol, which means that communication is initiated by the
master. The Master device will make a request by sending a command to each slave (field device) and
the slave will then respond with the requested data. Two masters can connect to each HART loop. The
primary master is generally a distributed control system (DCS), programmable logic controller (PLC), or
a personal computer (PC). The secondary master can be a handheld terminal or another PC. Slave
devices include transmitters, actuators, and controllers that respond to commands from the primary or
secondary master.

Some HART devices support the optional burst communication mode. Burst mode enables faster
communication (3–4 data updates per second). In burst mode, the master instructs the slave device to
continuously broadcast a standard HART reply message (e.g., the value of the process variable). The
master receives the message at the higher rate until it instructs the slave to stop bursting.

2.3. HART protocol stack


The original HART implements layers 1, 2 and 7 of the OSI model. The digital output of Layer 1 operates
at a data rate of 1.2 kbps.

Physical layer: The HART communication protocol uses the frequency shift keying (FSK) principle. The
digital signal is made up of two frequencies; 1.2 kHz and 2.2 kHz representing bits 1 and 0, respectively.
Sine waves of these two frequencies are superimposed on the direct current (dc) analog signal cables to
provide simultaneous analog and digital communications as shown in Figure 2.3.1. Because the average
value of the FSK signal is always zero, the 4–20 mA analog signal is not affected. The digital
communication signal has a response time of approximately 2–3 data updates per second without
interrupting the analog signal. A minimum loop impedance of 230 Ω is required for communication.

Figure 2.3.1: Frequency shift keying (FSK) modulated digital communication over the analogue signal.

Cable run lengths of up to 3 km for single pair cable and 1.5 km for multi-conductor cables are typical.
Actual length depends on the number of multi-dropped field devices and the quality of the cable used.
Low capacitance shielded twisted pair cable is strongly recommended. HART has been successfully used
over poor quality, unshielded wiring. Linear power supplies are recommended.

Data link layer: HART is a Master/Slave protocol. The slaves respond only when the master requests.
HART devices communicate by exchanging HART frames with the structure shown in Figure 2.3.2.

Figure 2.3.2: HART Frame – for layer 2 communication.


HART devices communicate using frames at layer 2. The frame is structured as shown in Figure 2.3.2.
It is made up of the following fields:

Delimiter – [1 byte] Tells the message framer where the Byte Count is and indicates the Message Type.
Address – [5 bytes] Indicates the master and slave conversing.
Expansion – [0-3 bytes] Reserved for protocol enhancements.
Command – Tells the Application Layer what information is being transferred or action being performed.
Byte Count – Tells the message framer where the Check Byte is and the Application Layer how much
information is being transferred.
Data – [0-24 bytes] The message "Payload".
Check Byte – An XOR of all message bytes starting with the delimiter. Used for error detection.

Each HART device is addressed using a 1-byte short format address or a 38-bit unique address
consisting of manufacturer ID, device type code, and a device unique identifier. The master must know
the address of a field device in order to communicate successfully.
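The frame layout and check byte described above, as an added Python example that is not part of the original notes. The delimiter bit layout (bit 7 selects the 5-byte address, bits 6-5 give the number of expansion bytes, bits 2-0 the frame type), the handling of a leading 0xFF preamble and the sample frames are assumptions or constructed values, not taken from this page.

```python
"""HART layer-2 frame helper (added example; sample frames are constructed)."""
from functools import reduce

# Frame type held in the low three bits of the delimiter. Assumption drawn
# from the HART data-link specification, not from the page.
FRAME_TYPES = {0x01: "burst", 0x02: "master request", 0x06: "slave response"}


def check_byte(message: bytes) -> int:
    """XOR of every byte from the delimiter up to the last data byte."""
    return reduce(lambda acc, b: acc ^ b, message, 0)


def build_frame(delimiter: int, address: bytes, command: int,
                data: bytes = b"", expansion: bytes = b"") -> bytes:
    """Assemble delimiter, address, expansion, command, byte count, data, check."""
    if len(address) != (5 if delimiter & 0x80 else 1):
        raise ValueError("address length does not match delimiter")
    if len(expansion) != (delimiter >> 5) & 0x03:
        raise ValueError("expansion length does not match delimiter")
    body = (bytes([delimiter]) + address + expansion
            + bytes([command, len(data)]) + data)
    return body + bytes([check_byte(body)])


def parse_frame(raw: bytes) -> dict:
    """Split a received frame into its fields and verify length and check byte."""
    msg = raw.lstrip(b"\xff")          # preamble bytes are not checksummed
    if len(msg) < 5:                   # delimiter, address, command, count, check
        raise ValueError("frame too short")
    delimiter = msg[0]
    addr_len = 5 if delimiter & 0x80 else 1
    exp_len = (delimiter >> 5) & 0x03
    header_len = 1 + addr_len + exp_len + 2
    if len(msg) < header_len + 1:
        raise ValueError("truncated frame")
    command, byte_count = msg[header_len - 2], msg[header_len - 1]
    end = header_len + byte_count
    if len(msg) != end + 1:
        raise ValueError("byte count does not match frame length")
    if check_byte(msg[:end]) != msg[end]:
        raise ValueError("check byte mismatch")
    return {
        "frame_type": FRAME_TYPES.get(delimiter & 0x07, "unknown"),
        "unique_address": bool(delimiter & 0x80),
        "address": msg[1:1 + addr_len],
        "expansion": msg[1 + addr_len:1 + addr_len + exp_len],
        "command": command,
        "data": msg[header_len:end],
    }


if __name__ == "__main__":
    # Command 0 sent to polling address 0 by the primary master (constructed).
    poll = build_frame(0x02, b"\x80", 0)
    print(poll.hex(), parse_frame(b"\xff" * 5 + poll))
```

The check byte only catches accidental corruption: flipping the same bit in two bytes cancels out in the XOR, so a receiver cannot rely on it to detect deliberate modification of a frame.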

Establishing communication
A unique 38-bit address is encoded in each device at the time of manufacture. A master can learn the
address of a slave device by issuing one of two commands that cause the slave device to respond with
its address:
• (Command 0) Read Unique Identifier - is the preferred method for initiating communication with
a slave device because it enables a master to learn the address of each slave device without
user interaction. Each polling address (0–15) is probed to learn the unique address for each
device.

• (Command 11) Read Unique Identifier by Tag - is useful if there are more than 15 devices in the
network or if the network devices were not configured with unique polling addresses.
(Multidropping more than 15 devices is possible when the devices are individually powered and
isolated.) Command 11 requires the user to specify the tag numbers to be polled.

Application layer: The communication routines of HART master devices and operating programs are
based on HART commands that are defined in the application layer of the HART protocol. This
command set provides a uniform and consistent way of communication for all field devices. A
comprehensive set of commands is given in Table 4.2. The command set is divided into 3 classes:
• Universal commands – recognized and supported by all HART devices. They provide access
to information during normal operation, e.g. read PV and units.
• Common practice – implemented by many but not all HART devices.
• Device specific – unique to each field device and manufacturer-specific.

Table 2.3: Typical HART commands


Universal:
• Read manufacturer and device type
• Read primary variable (PV) and units
• Read current output and percent of range
• Read up to four predefined dynamic variables
• Read or write eight-character tag, 16-character descriptor, date

Common practice:
• Read selection of up to four dynamic variables
• Write damping time constant
• Write device range values
• Calibrate (set zero, set span)
• Set fixed output current
• Perform self-test
• Perform master reset
• Trim PV zero
• Write PV unit
• Trim DAC zero and gain

Device-specific:
• Read or write low-flow cut-off
• Start, stop, or clear totalizer
• Read or write density calibration factor
• Choose PV (mass, flow, or density)
• Read or write materials or construction information
• Trim sensor calibration
• PID enable
• Write PID setpoint

Device description
Some HART host applications use device descriptions (DD) to obtain information about the variables
and functions contained in a HART field device. The DD includes all of the information needed by a host
application to fully communicate with the field device. HART Device Description Language (DDL) is used
to write the DD, which combines all of the information needed by the host application into a single structured
file. The DD identifies which common practice commands are supported as well as the format and
structure of all device-specific commands.

A DD for a HART field device is roughly equivalent to a printer driver for a computer. DDs eliminate the
need for host suppliers to develop and support custom interfaces and drivers. A DD provides a picture of
all parameters and functions of a device in a standardized language. HART suppliers have the option of
supplying a DD for their HART field product. If they choose to supply one, the DD will provide information
for a DD-enabled host application to read and write data according to each device’s procedures. DD
source files for HART devices resemble files written in the C programming language.

2.4. Benefits of HART communication


Benefits outlined in this section include:
I. Improved plant operations
• If uploaded to a software application, digital data can be used to automate record keeping for
regulatory compliance (e.g., environmental, validation, ISO9000, and safety standards).
• The HART protocol provides access to all information in multivariable devices. In addition to the
analog output (primary variable), the HART protocol provides access to all measurement data
that can be used for verification or calculation of plant mass and energy balances.
II. Increase operational flexibility
• The HART protocol ensures interoperability among devices through universal commands that
enable hosts to easily access and communicate the most common parameters used in field
devices. The HART DDL extends interoperability to include information that may be specific to a
particular device.
III. Lowering maintenance costs
• The HART protocol communicates diagnostic information to the control room, which minimizes
the time required to identify the source of any problem and take corrective action. Trips into the
field or hazardous areas are eliminated or reduced.

IV. Lowering the cost of installation and commissioning
• A HART network can be installed and commissioned in a fraction of the time required for a
traditional analog-only system. Operators who use HART digital communications can easily
identify a field device by its tag and verify that operational parameters are correct.
• Use HART multidrop mode to connect multiple instruments to a single cable and reduce
installation costs.
• Multivariable devices reduce the number of instruments, wiring, spare parts, and terminations
required. Some HART field instruments embed PID control, which eliminates the need for a
separate controller, and results in significant wiring and equipment cost savings.

2.5. Installation and Intrinsic safety


In general, the installation practice for HART communicating devices is the same as conventional 4-20 mA
instrumentation. Individually shielded twisted pair cable, either in single-pair or multi-pair varieties, is the
recommended wiring practice. Unshielded cables may be used for short distances if ambient noise and
cross-talk will not affect communication. The minimum conductor size is 0.51 mm diameter (#24 AWG)
for cable runs less than 1,500 m and 0.81 mm diameter (#20 AWG) for longer distances. Most installations
are well within the 3,000 meter theoretical limit for HART communication.

Consider the following wiring connecting a PLC controller with an analogue input to a transmitter and
controller in the field using three segments of wiring as shown in Figure 2.5.1. If #18 AWG (1.02 mm
diameter) wire with a resistance of 22.9 Ohms per kilometre is used, the loop resistance and variations in
the transmitter voltage can be calculated. For circuit analysis purposes a transmitter is taken to be an
ideal current source.

Figure 2.5.1: PLC, transmitter and Field controller wiring.

The loop resistance is the sum of the analogue input resistance, loop isolator resistance, field-controller’s
analogue input resistance and the resistance of wiring. The wiring is 305 meters long, thus it has a
resistance of 22.9*0.305 = 7 ohms in each wire. Thus, the loop resistance is 250+100+7+7+250 = 614
ohms, well above the 230 ohms required for HART.

The equivalent circuit for the loop is shown in Figure 2.5.2 in the case where the transmitter output is at
a minimum of 4 mA. In this circuit we know that the voltage drops in the loop must add up to 24 Volts, i.e.
24 V = 4 mA*(100+7+7+250+250) + Vxmtr. Thus, Vxmtr = 21.54 Volts.

Figure 2.5.2: Equivalent loop circuit.


In the case where the transmitter output is maximum, a similar calculation can show that the voltage
across the transmitter becomes 11.72 volts. This may not be enough to drive transmitters from certain
manufacturers that typically require a voltage above 12 volts. Thus, the wiring may need to be either
shortened or replaced with a lower resistance (thicker) alternative.

Figure 2.5.3: Intrinsic safety barrier.

Intrinsic safety (IS) is a method of providing safe operation of electronic process-control instrumentation
in hazardous areas. An IS barrier is placed between the safe area and the hazardous area. It is used to limit
the electrical energy flowing into the hazardous area of the plant to avoid flow of excess energy that may
lead to ignition within a hazardous atmosphere. No single field device or wiring is intrinsically safe by itself
(except for battery-operated, self-contained devices), but is intrinsically safe only when employed in a
properly designed IS system.

HART-communicating devices work well in applications that require IS operation. IS devices (e.g.,
barriers) are often used with traditional two-wire 4–20 mA instruments to ensure an IS system in
hazardous areas. With traditional analog instrumentation, energy to the field can be limited with or without
a ground connection by installing one of the following IS devices:

• Shunt-diode (zener) barriers that use a high-quality safety ground connection to bypass excess
energy (Figure 2.5.4)
• Galvanic Isolators, which do not require a ground connection, that repeat the analog
measurement signal across an isolated interface in the safe-side load circuit (Figure 2.5.5)

2.5.1. Zener barriers


Both zener barriers and isolators can be used to ensure an IS system with HART-communicating devices,
but some additional issues must be considered when engineering the HART loop.

Figure 2.5.4: Zener barrier.

Zener barriers are passive devices that contain zener diodes, resistors and a fuse to limit excess
voltage and current. The zener diodes in the zener barrier are connected in the reverse direction.
The breakdown voltage of the diode is not exceeded in normal operation. If this voltage is exceeded
due to a fault in the non-hazardous area, the diode starts to conduct, causing the fuse to blow, thus
preventing the transfer of unacceptably high energy into the hazardous area.

2.5.2. Galvanic Isolator


Galvanic isolators are active devices that provide galvanic isolation between the hazardous and
safe area using transformers, opto-isolators or relays. Galvanic isolation of two circuits generally
means ‘there is no direct path of current flow’ between the two circuits.

Figure 2.5.5: Working principle of an opto-coupler Galvanic Isolator barrier.

An Optocoupler is an electronic component that interconnects two separate electrical circuits by means
of a light sensitive optical interface. It consists of an LED that produces infra-red light and a semiconductor
photo-sensitive device that is used to detect the emitted infra-red beam. Both the LED and photo-sensitive
device are enclosed in a light-tight body.

2.6. WirelessHART
The latest release of HART, release 7, contains an implementation of both the network and transport
layer. This has allowed for the implementation of WirelessHART aimed at connecting remote points in a
mesh topology as shown in Figure 2.5.6. It provides a secure, reliable and robust method of connecting
devices wirelessly for industrial applications.

Wireless HART is a self-organizing wireless mesh network technology based on the IEEE 802.15.4
standard. It operates within the 2.4 GHz ISM band and has a data rate of 250 kbps. This is much faster
than the 1.2 kbps in the traditional FSK-based HART. WirelessHART provides 3 main advantages over
its wired counterpart:
• Lower cost – no cabling costs are involved since it is wireless.
• Easy installation – It is possible to mount instruments in environmentally difficult positions.
• Flexible – The nodes can be moved around without the need to reconfigure the network.

Figure 2.5.6: WirelessHART mesh network.

A basic WirelessHART network consists of WirelessHART field devices, at least one gateway, a
network manager and security manager. These components are connected into a wireless mesh
network supporting bidirectional communication.

The roles and descriptions of the WirelessHART network components are:


A Gateway device connects the wireless network to the plant host application situated in the wired plant’s
automation network. The gateway connects the wireless devices via a built-in access point. Moreover,
the gateway also tends to incorporate the network and security manager functions.

The Network manager is a software application that manages the mesh network and devices. It connects
new devices, forms redundant routing paths of the mesh network, sets the communications schedule for
the devices and monitors the network for any changes.

The Security manager is also a software application that works in close association with the network
manager. It allows only authorized devices to join the network and ensures that data is securely
transmitted within the network by using encryption and authorization keys. There can be only one security
manager per network and one security manager can serve multiple networks.

A WirelessHART field device is a battery-powered low power field device with built-in capability of
receiving, transmitting and relaying data messages in radio frequency.

A WirelessHART adapter allows existing traditional HART devices to be integrated into the
WirelessHART network. It provides an alternative communication path for the HART device’s existing
4-20 mA current loop.

A WHART router is used to extend the WHART’s network coverage. It is thus used for message
forwarding.

Occasionally the WHART can have a mobile terminal device used for commissioning, monitoring and
maintenance of the devices.

WirelessHART’s physical layer is based on IEEE 802.15.4 operating in the 2.4 GHz ISM band,
which includes 15 of 16 possible radio frequency channels. To avoid signal jamming, WHART uses the FHSS
(Frequency Hopping Spread Spectrum) technique. All 15 channels are used in parallel as the transmitter
“hops” across these channels as shown in Figure 2.5.7. Channels that are already in use are blacked out
to avoid collisions with other wireless communication systems.

Figure 2.5.7: WirelessHART mesh network.


The WirelessHART data link layer (DLL) is also based on the IEEE 802.15.4-2006 Media Access
Control protocol. WHART uses both CSMA/CA and TDMA for arbitration. TDMA (Time Division
Multiple Access) synchronizes the network participants using 10 ms timeframes / time-slots as indicated
in Figure 2.5.7. Of the two communicating nodes, one can transmit and the other acknowledge receipt of
the message in one time slot. This enables a very reliable (collision-free) network and reduces the lead and
lag times during which a station must be active.

Figure 2.5.7: WirelessHART mesh network.

Forming a WirelessHART network – The network manager is initially pre-configured with the network
ID and password. On the factory floor the field devices are configured with the network’s ID and password
for them to be part of the network.

Following this, the network manager sends an ‘advertisement’ to the newly configured device and the
device will respond with a ‘join request’.

In the third step, the network manager authorizes the network device, gives it a unique key from the
security manager, schedules its data transmission in the TDMA frame and updates its routing paths. After
this, the field device can then begin to send/publish data using the network.

3. Modbus
• Describe Modbus Protocols and their differences; Common version ASCII, RTU,
TCP (number of nodes, transmission speeds, media access control & error
checking).
• Understand the variations and characteristics of Modbus wiring; RS232, RS485,
Ethernet-UTP/Fibre.
• Be able to sketch Modbus network wiring; point-to-point or multidrop.
• Understand the need for bus termination and its different types.
• Explain the use of registers and the query-response cycle.
• Know the structure and describe Modbus serial frame fields; reserved addresses &
function codes.
• Understand data exchange under ASCII and RTU and use of exception responses.
• Know Modbus TCP’s protocol stack & client-server paradigm.
• Relate Modbus-RTU message with Modbus TCP data packet; know MBAP fields.
• Understand the TCP/IP protocol encapsulation of Modbus messages.
• Understand the performance challenges for Modbus TCP in industrial networks.
• Design network configurations with different Modbus variants.

MODBUS is a serial communication protocol initially developed by AEG-Modicon (now Schneider
Electric). It was initially designed to connect programmable logic controllers (PLCs). It remains one of
the most implemented industrial communication technologies. There are currently three common versions
of the Modbus protocol:
• Modbus ASCII – The slowest version of the three. Message bytes are coded in 4-bit ASCII
codes, using two characters to transmit 1 byte of information. It is thus twice as slow as
Modbus RTU. It is suitable for slow physical connections such as modems or noisy radio
frequency links.
• Modbus RTU – The most widely used version. It uses binary encoding of messages in bytes.
This makes it ideal for RS232 & RS485 physical links. The most common speeds are 9.6 kBaud
to 192 kBaud.
• Modbus TCP – This is MODBUS over Ethernet using the TCP/IP protocol stack. This version
uses IP addresses instead of device addresses to identify devices. Transmission speeds
coincide with standard copper cable Ethernet of 10/100 Mbit/s or 1 Gbit/s when fibre is
used.

Figure 3.0.1 shows protocol stacks for different variants of the Modbus technology. Both Modbus ASCII
and RTU are commonly known as Modbus serial.

Figure 3.0.1: Protocol stack for variants of MODBUS

3.1: MODBUS Physical layer and topologies


Physical Layer: The Modbus physical layer protocol is dependent on the version of the protocol used as
explained above. The user has the option of choosing between serial communications standards (RS232,
RS-422, or RS-485) over copper cables for ASCII/RTU or twisted pair cabling (UTP/STP) and fibre
cabling for Modbus-TCP. The number of slaves that can be connected on the Modbus serial network
depends on the wiring standard used. It is 1, 9, 31(247) and unlimited for RS232, RS422, RS485 and
Ethernet, respectively. With the use of repeaters, RS485 can connect up to 248 devices, i.e. one
master and 247 slaves.

Table 3.1: Performance comparison for RS232 and RS485


Property                 RS-232                    RS-485
Signalling technique     Single-ended, Unbalanced  Differential, Balanced
Cabling                  Point-to-point            Multi-drop
Maximum cable length     15 meters @ 19.2 kbps     1.2 km @ 100 kbps
Maximum data rate        19.2 kbps @ 15 m          10 Mbps @ 15 m
(Original Standard)
Signal voltage           5-15 volts                1.5-5 Volts
Minimum voltage level    3 volts                   0.2 Volts
Compared to RS232, the advantage of the RS485 connection is that signals can be transmitted at a faster
data rate and over greater distances and connect more than one slave with a single wire. A summary of
capabilities is listed in Table 3.1.

Figure 3.1.1: RS-232 point-to-point connection for a MODBUS network

Figure 3.1.1 shows the cross-over cable point-to-point Modbus network connection based on RS232.
The RS485 connection can be a half-duplex 2-wire connection or the full duplex 4-wire connection as
shown in Figures 3.1.2 and Figure 3.1.3, respectively. It is worth noting that the receiving terminal of the
Master is connected to the transmitting terminal of the slave and vice versa. RS485 uses differential
balanced signalling. With RS-485, a logical '1' is defined by A>B by more than 200 mV, and a logical '0'
by B>A by more than 200 mV, where A&B are the two differential lines. Thus, two lines are required to
transmit each signal.

Figure 3.1.2: RS-485 multi-drop 2-wire connection for a MODBUS network

Figure 3.1.3: RS-485 multi-drop 4-wire connection for a MODBUS network

The advantage of the 4-wire connection is that all devices only see commands from the Master, and no
slave device sees the responses from other slaves. However, in MODBUS the full-duplex capability of
the 4-wire connection cannot be utilized because MODBUS operates on a strict query-response cycle.
RS485 interfaces are ideally terminated using 120-Ohm resistors, as shown in Figure 3.1.4(a), to
prevent signal reflection and ‘ringing’, but for relatively short network segments with a low data rate
termination is unnecessary.

Figure 3.1.4: RS-485 (a) ordinary termination and (b) termination in noisy environments

Applications in noisy environments often add common-mode noise filtering by replacing the 120-Ohm resistors
with two R-C low-pass filters (Figure 3.1.4(b)). In this case, it remains important to match the resistor
values of the two filters (preferably with precision resistors) to ensure similar frequency response
characteristics of both filters.

3.2: MODBUS Registers and datalink layer

MODBUS Registers

Communication in Modbus occurs through exchange of data in the registers. The master writes data to
a slave device’s registers and reads data from a slave device’s registers. A register address or register
reference is always in the context of the slave’s registers.

Information is stored in the slave device in four different tables. Two tables store on/off discrete values
(coils) and two store numerical values (registers). The coils and registers each have a read-only table
and read-write table as shown in Table 3.2.

Table 3.2: Modbus Device register map


Coil / Register   Data Addresses   Type (Master’s    Description
number            (Hexadecimal)    point of view)
0XXXX             0000 to 270E     Read-Write        Discrete Output Coils
1XXXX             0000 to 270E     Read-Only         Discrete Input Contacts
3XXXX             0000 to 270E     Read-Only         Analog Input Registers
4XXXX             0000 to 270E     Read-Write        Analog Output Holding Registers

Each table has 9999 values. Each coil or contact is 1 bit and assigned a data address
between 0000 and 270E. Each register is 1 word = 16 bits = 2 bytes and has a data address
between 0000 and 270E.

Data-link layer: The MODBUS serial communication protocol is based on the master-slave principle,
with the master initiating a communication transaction, i.e. it is a polling MAC protocol. The protocol
provides for one master and up to 247 slaves using 8-bit addresses for each of the slaves. This
limitation does not apply to Modbus-TCP where the devices use IP addresses that can be as many as
the physical media can take.

Figure 3.2.1: MODBUS query-response cycle

Modbus works on a strict query-response cycle; a master (usually a controller) originates a message and
expects a response from a slave (usually a field device). Similarly, when a slave receives a message it
constructs a response and returns it to the originating master as illustrated in Fig. 3.2.1.

The Modbus-Serial (message) frame has a Start field, Address field, Function code, Data field, Error
checking and End fields. A description of the fields is:

• Address Field – Used to uniquely identify devices in the network. This is 8 bits long (able to
represent 256 possibilities). Modbus is designed to have a maximum of 247 slaves. One of the
reasons is that Modbus networks normally have a list of reserved addresses, for example
addresses 0 and 248 to 255.

Address “0” is reserved for broadcasting. All slaves read messages addressed to “0”, but do not
provide any response to such a query from the master. Addresses “248-255” are reserved for
protocol extension and sometimes manufacturer specific functions. Address “248” is reserved for
point-to-point communication when the slave address is not known. This address is not
supported by all devices.

• Function code Field – It specifies the request made by the Master. Function codes are in the
range of 1-255, although not all the function codes are supported by all the devices. The function
code implements the application command that is needed for control and monitoring services.
The 8-bit function code tells the slave which register table to access and whether to read from or
write to the table. For example, a function code may tell the slave to read register content or
operate a relay coil. Table 3.3 lists some of the common function codes.

Table 3.3: Modbus function codes
Function code Function Reference
01 (x01) Read Coil (Output) Status 0xxxx
02 (x02) Read Input Status 1xxxx
03 (x03) Read Holding Registers 4xxxx
04 (x04) Read Input Registers 3xxxx
05 (x05) Force Single Coil (Output) 0xxxx
06 (x06) Pre-set Single Register 4xxxx
15 (x0F) Force Multiple Coils (Outputs) 0xxxx
16 (x10) Pre-set Multiple Registers 4xxxx
17 (x11) Report Slave ID Hidden

• The Data Field contains data exchanged between master and slaves. Data received by a slave
in the query from the master may typically include a register value, a register address, or a
register range. Some functions do not require the data field and thus it may not be included in
the query from the master. If no error has occurred, the data field of the slave’s response
carries the data requested by the master. When an error occurs, the data field
from the slave passes on more information, informing the master about the nature of the error
detected.

• Error Check Field – Used for error detection. It may be cyclic redundancy check (CRC) for the
Remote Terminal Unit (RTU) mode or longitudinal redundancy check (LRC) for the ASCII mode
of transmission.

3.3: MODBUS Application layer
Application layer: The implementation of this layer is done by the systems designer’s use of appropriate
function codes and MODBUS device registers where process variable data is stored.

Figure 3.3.1 shows an example of a Modbus query message. Figure 3.3.2 is an example of a normal
response. Both examples show the field contents in hexadecimal, and how a message could be framed
in either ASCII or in RTU mode.

The master query is a “Read Holding Registers” request to slave device address 06, i.e. 06
03 006B0003 CRC. The message requests data from three holding registers, 40108 through 40110.
Note that the message specifies the starting register address as 0107 (006B hex) and that it reads 3
registers. Note that the holding register addresses are always the offset minus one. The slave response
echoes the function code, indicating this is a normal response. The ‘Byte Count’ field specifies how
many bytes (8–bits) of data are being returned.

Byte count shows the count of bytes to follow in the data, for either ASCII or RTU. With ASCII, this value
is one–half the actual count of ASCII characters in the data. In ASCII, each 4–bit hexadecimal value
requires transmission of one ASCII character or 1 byte.

For example, the value x06, encoding the address, is sent as one 8–bit byte in RTU mode (01100011). The
same value sent in ASCII mode requires two bytes, for ASCII ‘0’ (XXX0000) and ‘6’ (XXX0110). The bits
labelled ‘X’ are used to indicate message start and for parity checking.

Figure 3.3.1: Sample MODBUS query


Figure 3.3.2: Sample MODBUS response

3.3.1 Exception response


For a normal response, the slave simply echoes the original function code and slave address, as shown
in Figure 3.3.2, i.e. 06 03 0602B00000063 CRC. When a slave is unable to fulfil the master’s
request – due to communication error or being required to read/write a non-existing register – it replies
with an exception response. For an exception response, the slave returns a function code that is
equivalent to the original function code but with its most–significant bit set to a logic 1, i.e. 06 83 XX
CRC.

In addition to its modification of the function code for an exception response, the slave places a unique
code into the data field of the response message, i.e. XX. This tells the master what kind of error occurred,
or the reason for the exception.

The master device’s application program has the responsibility of handling exception responses. Typical
processes are to post subsequent retries of the message, to try diagnostic messages to the slave, and
to notify operators.
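
The query, normal response and exception response described in 3.3 and 3.3.1, as an added Python example that is not part of the original notes. The function names, the register values in the sample reply, the 125-register limit and the exception-code names (taken from the Modbus specification, not from this page) are assumptions of the example.

```python
import struct

# Exception codes defined by the Modbus specification (not listed on this page).
EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}

READ_HOLDING_REGISTERS = 0x03


def crc16_modbus(data: bytes) -> int:
    """CRC-16 used by Modbus RTU: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def add_crc(body: bytes) -> bytes:
    """Append the CRC, low byte first, as RTU framing requires."""
    return body + struct.pack("<H", crc16_modbus(body))


def build_read_holding(slave: int, first_register: int, count: int) -> bytes:
    """Build a 'Read Holding Registers' query.

    first_register is the 4xxxx reference (e.g. 40108); the address sent on
    the wire is the offset minus one (108 - 1 = 107 = 0x006B).
    """
    address = first_register - 40001
    if not 0 <= address <= 0xFFFF or not 1 <= count <= 125:
        raise ValueError("register or count out of range")
    return add_crc(struct.pack(">BBHH", slave, READ_HOLDING_REGISTERS, address, count))


def parse_response(frame: bytes, slave: int, function: int, count: int) -> dict:
    """Validate a slave's reply to a register-read query and decode it."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, received_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received_crc:
        raise ValueError("CRC mismatch")
    if body[0] != slave:
        raise ValueError("reply from unexpected slave address")

    reply_function = body[1]
    if reply_function == function | 0x80:
        # Exception response: function code with its MSB set, then a one-byte reason.
        if len(body) != 3:
            raise ValueError("malformed exception response")
        code = body[2]
        return {"exception": True, "code": code,
                "reason": EXCEPTION_NAMES.get(code, "UNKNOWN")}
    if reply_function != function:
        raise ValueError("function code does not echo the query")

    byte_count, data = body[2], body[3:]
    if byte_count != len(data) or byte_count != 2 * count:
        raise ValueError("byte count does not match the data returned")
    return {"exception": False,
            "registers": list(struct.unpack(">%dH" % count, data))}


# Constructed sample frames (slave 06, holding registers 40108 through 40110).
QUERY = build_read_holding(6, 40108, 3)
NORMAL_REPLY = add_crc(bytes.fromhex("06 03 06 022B 0000 0063"))
EXCEPTION_REPLY = add_crc(bytes.fromhex("06 83 02"))

if __name__ == "__main__":
    print(QUERY.hex(" "))
    print(parse_response(NORMAL_REPLY, 6, READ_HOLDING_REGISTERS, 3))
    print(parse_response(EXCEPTION_REPLY, 6, READ_HOLDING_REGISTERS, 3))
```

The CRC detects transmission errors only; it does not authenticate the sender, so the address and function-code checks above are consistency checks, not access control.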

3.4: MODBUS-TCP
Modbus TCP/IP (also Modbus-TCP) is simply the Modbus RTU protocol with a TCP interface that runs
on Ethernet. Unlike the ASCII and RTU, Modbus-TCP will allow multiple masters (clients) to poll the same
slave (server) device simultaneously. This is because, over Ethernet using TCP/IP, multiple messages
can be sent, buffered and delivered without the requirement of total bus control, which is often the case
with Modbus-serial (RTU or ASCII).

Note that the TCP and IP combination are merely transport and networking protocols, and do not define
what the data means or how the data is to be interpreted (this is the job of the application protocol,
Modbus in this case). Thus, Modbus-TCP implements the usual layers 1, 2 & 7 of Modbus-Serial and the
additional layers 3 (IP) and 4 (TCP).

In summary, Modbus-TCP uses TCP/IP and Ethernet to carry the data of the Modbus message structure
between compatible devices. That is, Modbus-TCP combines a physical network (Ethernet), with a
networking standard (TCP/IP), and a standard method of representing data (Modbus as the application
protocol). In practice, Modbus-TCP embeds a standard Modbus data frame into a TCP frame, without
the Modbus checksum, as shown in the following Figure 3.4.1.

Figure 3.4.1: MODBUS TCP data packet

Thus, the Modbus-TCP packet is made-up of the Modbus-RTU protocol data unit (PDU) and the Modbus
Application Protocol (MBAP) Header. The standard Ethernet data-link layer checksum methods are
instead used for transmission error checking, in place of the Modbus-RTU’s CRC bytes. On the Data-link
layer (Ethernet) the whole Modbus-TCP data packet is encapsulated as shown in Figure 3.4.2.

Figure 3.4.2: Layer 2 Modbus-TCP message, showing (MODBUS TCP data packet) encapsulation

Modbus-TCP uses a client-server communication paradigm allowing for multiple messages to be sent
out without waiting for the response. Modbus-TCP clients and servers listen and receive Modbus data
via TCP port 502. In Modbus-serial terms, the servers are the slaves and the clients are the masters.

The MBAP shown in Figure 3.4.1 is 7 bytes long and is composed of:
• Transaction Identifier (2 Bytes): This identification field is used to uniquely identify each
request, whenever it is sent out as multiple messages by client.
• Protocol Identifier (2 bytes): This field is meant for future protocol extensions. It is always 0 for
Modbus services.
• Length (2 bytes): This field is a byte count, it identifies the number of bytes in the rest of the
message, i.e. the byte count of the unit identifier plus function code plus the data fields.
• Unit Identifier (1 byte): This field is used to identify a remote server located on a non-TCP/IP
network (for serial bridging). In a typical Modbus-TCP server application, the unit ID is set to 00
or FF, ignored by the server, and simply echoed back in the response.
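
One way a server, gateway or network monitor can check the MBAP fields listed above before handing the PDU to the Modbus handler, as an added Python example that is not the notes' own code. The function names, the constructed sample messages and the 253-byte PDU limit (from the Modbus specification, not this page) are assumptions.

```python
import struct

MBAP_LEN = 7     # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253    # PDU size limit from the Modbus specification (assumption here)


def wrap_pdu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix a Modbus PDU (function code + data, no CRC) with an MBAP header."""
    if not 1 <= len(pdu) <= MAX_PDU:
        raise ValueError("PDU size out of range")
    # The Length field counts the unit identifier plus the PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(adu: bytes) -> dict:
    """Validate one complete Modbus-TCP message and split it into fields."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("message shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(adu) - 6:
        raise ValueError("length field disagrees with the bytes received")
    if length - 1 > MAX_PDU:
        raise ValueError("PDU larger than the protocol allows")
    function = adu[MBAP_LEN]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": function & 0x7F,        # original function code
        "exception": bool(function & 0x80),  # MSB set marks an exception reply
        "data": adu[MBAP_LEN + 1:],
    }


def split_stream(buffer: bytes):
    """Cut a TCP byte stream into whole messages using the Length field.

    Returns (messages, remainder); the remainder is an incomplete message
    that needs more bytes from the socket.
    """
    messages, pos = [], 0
    while len(buffer) - pos >= MBAP_LEN:
        _, protocol_id, length = struct.unpack(">HHH", buffer[pos:pos + 6])
        if protocol_id != 0 or not 2 <= length <= MAX_PDU + 1:
            raise ValueError("stream is out of sync or not Modbus-TCP")
        end = pos + 6 + length
        if end > len(buffer):
            break
        messages.append(buffer[pos:end])
        pos = end
    return messages, buffer[pos:]


def pair_replies(requests, replies):
    """Match replies to outstanding requests by transaction identifier.

    Returns (pairs, unsolicited): pairs maps transaction id -> (request, reply);
    unsolicited lists replies whose id or function code matches no request.
    """
    pending = {r["transaction_id"]: r for r in map(parse_adu, requests)}
    pairs, unsolicited = {}, []
    for reply in map(parse_adu, replies):
        request = pending.get(reply["transaction_id"])
        if request is None or request["function"] != reply["function"]:
            unsolicited.append(reply)
        else:
            pairs[reply["transaction_id"]] = (request, reply)
            del pending[reply["transaction_id"]]
    return pairs, unsolicited


# Constructed sample: two queries sent back to back, replies arriving out of order.
REQ_1 = wrap_pdu(1, 0x06, bytes.fromhex("03 006B 0003"))   # read 3 holding registers
REQ_2 = wrap_pdu(2, 0x06, bytes.fromhex("03 0000 0001"))   # read 1 holding register
REPLY_1 = wrap_pdu(1, 0x06, bytes.fromhex("03 06 022B 0000 0063"))
REPLY_2 = wrap_pdu(2, 0x06, bytes.fromhex("83 02"))        # exception reply

if __name__ == "__main__":
    messages, rest = split_stream(REPLY_2 + REPLY_1)
    print(pair_replies([REQ_1, REQ_2], messages))
```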

Determinism is very important to industrial networks since they facilitate time-critical control applications.
Determinism is a term that is used here to describe the ability of the communication protocol to guarantee
that a message is sent or received in a finite and predictable amount of time. Ethernet’s Carrier Sense
Multiple Access with Collision Detect (CSMA/CD) is inherently non-deterministic because it allows device
access to the network randomly only when the medium is free.

Modbus-TCP is implemented using fast switched Ethernet switches to interconnect devices. These
switches increase the bandwidth of large networks by sub-dividing them into several smaller networks or
separate “collision domains”. The use of switched Ethernet thus ensures determinism in Modbus-TCP.

It is however worth mentioning that the ‘store-and-forward’ approach used by switches is a potential
weakness in real-time because there is a high risk of packet losses when network traffic is high.

3.5: Interoperability of Modbus variants


Devices implementing different variants of Modbus can communicate together with the help of a gateway
(bridge) that provides protocol translation services, as shown in Figure 3.5.1.

Figure 3.5.1: MODBUS connections – showing gateway for protocol translation

Modbus can also work with new smart devices that support HART. An appropriate bridge device called
the HART Interface module can be used to act as a HART master while extracting field-device data and
then act as a Modbus slave to supply this data to the Modbus master.

Modbus Plus and Modbus II are extensions of the standard Modbus-Serial to allow multiple masters on
the same network. These new versions can be connected to standard Modbus networks using
appropriate bridge devices. These versions are, however, rarely applied.

The prevalence of Ethernet in modern industrial networks means increasing use of Modbus-TCP.
Similarly, the controllers like PCs and PLCs can be interfaced using client gateway devices, while the
field devices are interfaced via server gateway devices offering protocol translation between serial and
TCP versions of Modbus. Figure 3.5.2 shows a Modbus network with Modbus-RTU and Modbus-TCP
devices and network segments.

Figure 3.1.8: Interfacing Modbus-RTU on a Modbus-TCP network.

5. Profibus
• Be able to explain the differences between Profibus FMS, DP and PA.
• Be able to compare similarities between Foundation Fieldbus and Profibus.
• Understand the operation of Profibus devices; number of devices, data-rates, active
vs passive stations.
• Describe the DP/PA segment coupler and its role.
• Understand the three device classes in Profibus.
• Understand the Profibus protocol stack layers.
• Know the different physical media used by Profibus DP/PA networks, their criteria
for application, termination requirements and intrinsic Safety versions; MBP,
RS485, Fibre-optic, wireless.
• Be able to sketch a network layout involving different types of media to satisfy
connection requirements.
• Understand network media arbitration, message sizes and addressing in the FDLL
layer.
• Be able to explain the purpose of GSD files in Profibus.
• Know the roles of user profiles like PROFIdrive and PROFIsafe.
• Know about Profibus slave redundancy and wiring considerations.
• Be able to verify Profibus-PA wiring installation

PROFIBUS (PROcess FieldBUS) is an open fieldbus standard initiated in 1989 by Siemens to cater to
the needs of both process automation and factory manufacturing automation. It is suitable for both fast,
time-critical applications and complex communication tasks. Profibus can connect a maximum of 126
devices on a single network segment.

The initial release of PROFIBUS specified a complex version of the protocol called PROFIBUS-FMS
(Field bus Message Specification). This is being replaced by the following two alternatives:
• PROFIBUS-DP (Decentralized Peripherals) - A low-cost, high-speed field-level
communications version applied at the control level of the industrial network hierarchy.
Generally designed for internal use – for cabinet mounting. The general PROFIBUS supports
network speeds ranging from 9.6kbps to 12Mbps. It usually uses RS485 over copper wiring
or sometimes fibre optical cables.
• PROFIBUS-PA (Process Automation) - Developed specifically for the process industry to
replace 4-20mA transmission, at the field level of the industrial network hierarchy. It uses the
same two-wire analogue loop copper connection carrying both power and data. Generally
designed for external use – for connecting field devices. It is slower than PROFIBUS DP and
runs at a fixed speed of 31.2Kbps using the Manchester coded bus powered (MBP)
transmission technology.

A PROFIBUS network can have both DP and PA segments interfaced using a DP/PA segment coupler
to facilitate communication between different wiring standards (See Figure 5.0.1). DP/PA segment
couplers are used like repeaters. They do not have their own bus address and are transparent for the DP
master station controlling the PA network. When DP/PA segment couplers are used, every PA device will
have its own station address, which must be unique within the overall PROFIBUS network.

PROFIBUS supports two types of devices: master device and slave device. The former is called an
“active station”, while the latter is called a “passive station”. A master device has the right to control the
bus when it has bus access. Then it can transmit messages without any remote request. Transmitters,
sensors, and actuators are examples of slave devices. A slave device acknowledges any received
message and, upon receiving a request from a master, can send messages to that master.

PROFIBUS-DP handles fast communication processes such as drives, remote inputs/outputs (I/Os)
normally encountered in factory automation. In this mode, multi-masters are also used, in which case a
slave is assigned to one master only. It means that multiple masters can read inputs from a specific
device but only one master can write outputs to that device.

Figure 5.0.1: Profibus PA/DP– showing the link device (or coupler)

PROFIBUS devices can be classified into three device types: class 1 PROFIBUS-DP master (DPM1),
class 2 PROFIBUS-DP master (DPM2), and PROFIBUS slaves. Class 1 masters are usually used for
cyclic data exchange with the slaves connected to it. They are normally PLCs or PCs programmed for
data exchange with the slaves on a precise time-sharing basis. Class 1 masters have the following
characteristics: tokens are passed between the masters; can write data into the slaves assigned to it and
can read data from a slave in the network; sets the data rate; and the connected slaves detect the same
data automatically.

Class 2 masters have the following characteristics: act as supervisory masters, used for diagnostic
purposes and slave commissioning, control slaves at any given point of time, and can only read slaves
but do not have write access. For example, a PC can be used as a class 2 master.

PROFIBUS slave devices respond to master polling by sending device data. The slaves are field
devices such as transducers, valves, and remote I/Os.

5.1 Protocol stack
The PROFIBUS protocol stack implements layers 1, 2 and 7 of the OSI model and an additional layer 8
as shown in Figure 5.1.0.

Figure 5.1.0: Profibus protocol stack.

Physical layer: Different transmission technologies are used for PROFIBUS, which can be Manchester
coded bus powered (MBP), RS-485, Fiber Optic and wireless (See Figure 5.0.1). The latter 3 are for
PROFIBUS-DP. All versions have a maximum of 126 network devices. However, MBP carries a
maximum of 32 devices. The most used is RS-485, which uses a shielded twisted-pair cable with
transmission rates up to 12 Mbps. The bus structure used allows the addition and disconnection of a
station without affecting other stations. For RS-485, there can be up to 32 devices per segment (including
the total of the master and slave devices) and a maximum of 9 repeaters. The 4-wire RS485-IS has also
been recently specified for use in hazardous areas.

Industries having high electromagnetic interference or devices spaced at considerable distances apart
employ fiber optic transmission schemes, as illustrated in Figure 5.0.1. For the Fibre Optic connections,
the number of repeaters is only limited by the propagation delay. Obviously, devices in the network must
be able to integrate with the fiber optic transmission technology using a coupler.

Profibus-PA is implemented using the MBP defined in IEC 61158-2, providing power to connected devices
and intrinsic safety, on the existing analogue loop wiring. This is similar to the H1 link in Foundation
Fieldbus. The intrinsically safe option for the MBP is the MBP-IS.

Figure 5.1.1: Profibus segment termination for both RS-485 (left) and MBP (right)

For good signal transmission, it is necessary to terminate PROFIBUS segments with bus terminators.
The Profibus PA segment shown in Figure 5.0.1 is terminated at both ends. For PROFIBUS with RS 485,
a bus termination consists of a combination of three resistors as shown in Figure 5.1.1. For PROFIBUS
MBP (PA), the bus termination consists of a resistor and a capacitor (see Figure 5.1.1).

Fieldbus Data link (FDL) layer: Handles data framing, media access control and security of the
communication between transmitter and receiver. Typical message sizes vary in length from 4 to 249
bytes and error handling is done by a frame check sequence (FCS) that uses Hamming Code. Profibus
frames have multiple fields including length, function code as well as source and destination address. A
variable-length message has the structure shown in Figure 5.1.2.

SD LE & LEr SD DA SA FC PDU FCS ED


Figure 5.1.2: Variable length message format.

The fields have the following meanings: SD = Start Delimiter: marks the beginning of the frame/message;
DA = Destination Address; SA = Source Address; LE & LEr = Length & Length repeated: specify the
message length; FC = Function Code: specifies request or response; ED = End Delimiter: marks the end
of the frame/message; PDU = payload data.

PROFIBUS protocol supports addresses from 0 to 127. However, addresses 126 and 127 have special
uses and may not be assigned to operational devices. Address 127 is normally used as a broadcast
address. Address 0 has become something of a default address that vendors assign to network
configuration and/or programming tools attached to the bus. Addresses may be set in software using
configuration tools but they are often set using DIP switches as shown in Figure 5.1.3.

Figure 5.1.3: DIP switch setting of the address.


Besides the data integrity and data framing, the FDLL handles media access control. The data link layer
manages the communication procedure using a master-slave polling method in combination with the
token-passing method for the multi-master system, as shown in Figure 5.1.4.

Figure 5.1.4: Profibus media access control

The token passing procedure is used to allocate media access between masters:
• Each master is allocated media for a fixed time interval.
• The token message, a special telegram, is passed from one master to the next master.
When an active station receives the token telegram, it can perform the master role and communicate with
all slave and master stations. The Master-Slave polling procedure is used by the master presently
allocated media access to communicate with slave devices:
• It enables the master to send messages to or retrieve information from the slaves.

Application layer: The application layer acts as an interface between the user layer programs and
FDLL. The original PROFIBUS V0 offers cyclic exchange of data and diagnostic information. Profibus V0
has been improved, first to offer acyclic data exchange (V1) and then later to facilitate direct
slave-to-slave communication (V2).

The DP master must be configured before it can start its communication. It must know which DP slaves
it has to control on the PROFIBUS and which data are to be exchanged. It needs the description of the
communications characteristics of connected devices. With PROFIBUS, this is supplied in electronic
format as the general station description (GSD) file. By reading in this GSD file, a configuration tool
can become familiar with the communications characteristics of a DP slave; the file acts as an
electronic datasheet.

User layer: The user layer is made-up of application profiles. These describe functions and
characteristics of application devices. Profiles can cover simple devices such as encoders by defining
how signals are used and how they are physically connected. However, profiles increasingly
cover more complex systems or requirements. Profiles such as PROFIdrive and PROFIsafe deliver
active functionality as well. Profiles guarantee quicker system design and they support faster device
interchange, promoting competition amongst vendors, increased choice for users and full interoperability.

For example, PROFIsafe defines how fail-safe devices such as emergency pushbuttons communicate
with controllers over PROFIBUS. PROFIdrive defines behaviour and how to transmit data to and from
electric drives on Profibus.

5.2 Topologies and wiring
Profibus provides slave redundancy to improve reliability – a slave has two different Profibus interfaces
called the primary and backup. Under normal operation the primary interface is used for data exchange,
and diagnostic information is exchanged on the backup interface. Upon failure of the primary, the backup
readily takes over. During installation, care must be taken to route the cables from the different
interfaces independently, as shown in Figure 5.2.1. Thus, redundant PROFIBUS cables must be routed on
separate cable racks to avoid damage of both cables by a common cause.

Figure 5.2.1: Cable routing redundancy

5.3 Planning MBP (PA wiring)


The design rules for a PROFIBUS MBP (PA) segment are defined in IEC 61158-2. For planning, they
can be simplified and summarized as follows:
• Number of nodes ≤ 32
• Total segment length ≤ 1 900 m
• Maximum current of the segment < maximum current of power supply unit.
• Voltage on field device > 9 V ± 10%

The maximum spur length is related to the number of nodes on the segment. It can be derived from Table
5.1:
Table 5.1: Spur length as a function of the number of fieldbus nodes
Number of nodes    Max. spur length
1-12               120m
13-14              90m
15-18              60m
19-24              30m
25-32              1m

Thus, a wiring plan exercise must ensure that the above conditions are met. Consider the example below
for a tank storage facility SCADA system shown in Figure 5.2.1 with the layout plan information
summarised in Table 5.2.
Table 5.2: Storage tank facility wiring plan information
Parameter                               Value
Trunk length                            Larger than or equal to 600m
Topology                                Tree
Wiring resistance                       22 Ω/km
Non-redundant power supply unit         24 V / 360 mA
Current consumption per field device    20 mA

Figure 5.2.1: Example calculation for Profibus PA on MBP

The components can be checked if they meet the fieldbus physical layer specification (standard: IEC
61158-2).
• Number of nodes = number of field devices (6) + number of masters (1) = 7 ≤ 32.
• Segment length = 600 + 20 + 80 + 60 + 100 + 70 + 30 = 960m ≤ 1900m.
• Maximum spur length = 100m ≤ 120m.
• Current consumption of segment = 6 * 20mA ≤ 360mA.
• Voltage on fieldbus coupler = voltage on source - voltage drop along trunk.
  o 24 V – 2*(120 mA * 22 ohms / km * 0.6 km) = 20.83 > 9V
• Voltage on field device = voltage on fieldbus coupler – voltage drop on spur. Consider the
voltage on the furthest spur.
  o 20.83 V – 2*(20 mA * 22 ohms / km * 0.1 km) = 20.3 > 9V

4. Foundation Fieldbus
o Know the architecture and two variants of Foundation Fieldbus (FF) networks –
data rates, protocol stacks and intended design.
o Understand the FF’s physical layer – Manchester coding, data rates, physical
media options.
o Understand the FF’s datalink layer – device types, media access control
mechanism, link active scheduler.
o Understand the FF’s application and user layers – FMS and FAS sub-layers, VCRs,
functional blocks and device model.
o Be able to use sequence diagrams and flow charts to explain the functions of the
LAS in – maintaining a ‘live list’, adding new nodes, network synchronization and
transmission of unscheduled data.
o Be able to explain the three types of VCRs and the role of VFDs.
o Understand the different roles of resource, transducer and function blocks – know
examples of function blocks.
o Be able to understand the configuration and analyse the performance of a control
loop on an FF network – function block connection, process data scheduling and
unscheduled data slots.

Foundation fieldbus was developed by the ISA standard committee SP50 in 1985 to replace the analog
current transmission with a digital communication link for the instrumentation and automation sector.
The standards committee recommended and defined two different network requirements: a fairly
low-speed H1 was recommended to be installed at the plant floor level (sensor level) to replace the
4-20 mA current transmission while retaining the existing plant wiring. Second, a higher-speed H2/
HSE was recommended, which acts as a backbone to the H1 segments as shown in Figure 4.0.1.

Figure 4.0.1: Typical industrial network based on the Foundation Fieldbus.

The Foundation Fieldbus H1 technology implements layers 1, 2 and 7 of the OSI model. It also
implements a layer above layer 7, called the “user application layer”, as shown in Figure 4.0.2. This
is layer 8 of the Fieldbus model, although it is absent in the OSI reference model.

Figure 4.0.2: Foundation Fieldbus’s segment protocol stack.

4.1 Overview
A brief explanation of the layers is as follows:

Physical layer: H1 is a serial communication link in half-duplex mode that uses the Manchester Bi-phase
coding scheme. H1’s maximum segment length is 1.9km and can connect at most 32 devices at the data
rate of 31.2kbps. The transmitting device delivers ±10 mA at 31.25 kbit/s into a 50-Ohm equivalent load
to create a 1.0 volt peak-to-peak voltage modulated on top of the direct current (DC) supply voltage. The
DC supply voltage can range from 9 to 32 volts. Bus-powered devices on the network typically require
10-30 mA of current.

HSE is based on 10/100 Mbps standard Ethernet/IP/TCP/UDP protocols and supports the same functions
as H1, but at a much higher bandwidth (10/100 Mbps). It supports interoperability, i.e., devices from
different manufacturers can be seamlessly connected. HSE uses standard Ethernet cables, interface
cards, and networking hardware, which are available very cheaply. Ethernet communication can be
wireless, over fiber-optics, or twisted pair.

Data link layer: Each device is configured with a physical device tag, an address, and a device ID. The
ID is unique to the fieldbus system and the address is unique to the segment. A device can be of any of
the following three types: basic, link master and bridge. Media access of a communication segment is
controlled by a link active scheduler (LAS). A link master device is capable of becoming an LAS. Typical
examples are PC interface cards. A basic device cannot be an LAS. A bridge device connects multiple
H1 segments and it forwards data between the links. Foundation fieldbus has LAS redundancy, i.e. a
segment has more than one link master; if the LAS fails, the next link master becomes the LAS.

Application layer: It is divided into two sub-layers: Fieldbus Message Specification (FMS) and Fieldbus
Access Sub-layer (FAS). The FMS defines the messaging format that enables (layer-8) user applications
to communicate to each other on the fieldbus. The FAS provides defined communication services to the
FMS. These FAS services are described as Virtual Communication Relationships (VCR).

User layer: The user layer is standardized by the Fieldbus Foundation based on blocks. Function
blocks are software abstractions of physical field devices and controllers that enable users to easily create
control strategies. The different blocks in the user layer are resource block, function block, and
transducer block. Devices on the fieldbus are configured within their resource and transducer blocks,
while control strategy is built using function blocks. Figure 4.4.1 summarizes the FF device model.

Figure 4.1.1: Foundation Fieldbus’s (a) protocol stack and (b) device model.

4.2 Data link layer


The LAS controls the periodic/process data transfer (1) from a publisher (source of data) to subscribers
(data link) using a network schedule. The LAS maintains a ‘live list’ of all devices on the segment with
transmit times for all data. When it is time for a device to send data, the LAS issues a Compel Data (CD)
message to the device.

Upon receipt of the CD, the device broadcasts or “publishes” the data in the buffer to all subscriber
devices on the fieldbus. Any device configured to receive the data is called a “subscriber”. Scheduled
data transfers are typically used for the regular, cyclic transfer of control loop data between devices on
the fieldbus.

Live list maintenance (2): Each device on the ‘live list’ is granted access to the media by circulating a
token to all devices one at a time. A device may also go off the list if it goes bad. It is the responsibility
of the LAS to maintain and update the list of live devices. New devices may be added to the fieldbus
at any time. The LAS periodically sends Probe Node (PN) messages to the addresses not in the Live
List. If a device is present at the address and receives the PN, it immediately returns a Probe Response
(PR) message. If the device answers with a PR, the LAS adds the device to the Live List and confirms
its addition by sending the device a Node Activation message. This process is summarized by the
sequence diagram in Figure 4.2.1.

Figure 4.2.1: Sequence diagram for a new node into a live list.

Unscheduled messages/data transfer (3): All of the devices on the fieldbus are given a chance to send
“unscheduled” messages between transmissions of scheduled messages. The LAS grants permission to
a device to use the fieldbus by issuing a pass token (PT) message to the device. When the device
receives the PT, it is allowed to send messages until it has finished or until the “token hold time” has
expired, whichever is the shorter time.

Time synchronization (4): The LAS periodically broadcasts a Time Distribution (TD) message on the
fieldbus so that all devices have exactly the same data link time. This is important because scheduled
communications on the fieldbus and scheduled function block executions in the User layer are based on
information obtained from these messages.

The overall operation of the LAS is summarized by Figure 4.2.2.

Figure 4.2.2: LAS operation algorithm.

4.3 Application layer
The FAS sub-layer uses the data-link layer (DDL) to offer its services, described as Virtual Communication
Relationships (VCRs), to the FMS sub-layer. These VCRs are communication methods that come in three
different types differentiated by communication paradigms – i.e. Client-server or publisher-subscriber or
report distribution type communication.

Client-Server VCR – is used for operator-initiated requests such as setpoint changes, tuning
parameter access and change, alarm acknowledgement, and device upload and download.

When a device receives a Pass Token (PT) from the LAS, it may send a request message to
another device on the fieldbus. The requester is called the “Client” and the device that received
the request is called the “Server.” The Server sends the response when it receives a PT from the
LAS.

Report distribution VCR – is used by fieldbus devices to send alarm notifications to the operator
consoles.

When a device with an event or a trend report receives a PT from the LAS, it sends its message
to a “group address” defined for its VCR. Devices that are configured to listen for that VCR will
receive the report.

Publisher-Subscriber VCR – is used by the field devices for cyclic, scheduled, publishing of
User Application function block input and outputs such as Process Variable (PV) and Primary
Output (OUT) on the fieldbus.

When a device receives the Compel Data (CD), the device will “Publish” or broadcast its message
to all devices on the fieldbus. Devices that wish to receive the Published message are called
“Subscribers.”

The upper sub-layer, FMS, allows user applications to exchange messages on the fieldbus. It defines the
message formats and protocol behaviour needed to build messages for user applications. For instance,
data is communicated in the form of object descriptions grouped together as an Object Dictionary (OD). The
FMS services are provided to Virtual Field devices (VFDs) in the user layer.

The different types of FMS services are:


I. Context Management Service - It is used to establish and release Virtual Communications
Relationships (VCR) with a VFD and determine the status of a VFD.
II. Object Dictionary Service - It allows the user application to access and change the Object
Descriptions (OD) in a VFD.
III. Variable Access Service - It allows the user application to access and change variables
associated with an object description.
IV. Event Service - It allows the user application to report events and manage event processing.
V. Upload/Download Service - It allows the user application to upload and download data in the
memory of a remote device.

4.4 User application layer


Within the user application, Virtual Field devices (VFDs) are used as models of the physical devices and
each device has two VFDs – for network configuration and for control applications. The use of VFD
provides function blocks to implement control loops. A VFD is model of a physical field device used to
remotely view device data described in the Object Dictionary (OD). The use of VFDs allows the host to
5 configure devices even if not yet connected to user application.

A device is supplied with three device support files: two Device Description Files (DDFs) and one
Capability File (CF). A critical characteristic required of fieldbus devices is interoperability. The DDFs
act like drivers on the PC to describe each of the Virtual Field devices (VFDs). They also specify additional
diagnostic and calibration features a device may have. The CF tells the host what resources the device has
in terms of function blocks, VCRs, etc.

User applications are configured using combinations of functional blocks; i.e. Resource, Transducer and
Function blocks. The Resource Block describes characteristics of the fieldbus device such as the device
name, manufacturer, and serial number. There is only one Resource Block in a device. Transducer
Blocks decouple Function Blocks from the local input/output functions required to read sensors and
command output hardware. They contain information such as calibration date and sensor type. Function
Blocks provide the control system behaviour. The input and output parameters of Function Blocks can
be linked over the fieldbus. The execution of each Function Block is precisely scheduled. The Fieldbus
Foundation has defined sets of standard Function Blocks with examples given in Table 4.1.

Table 4.1: FF standard function blocks


| Name | Symbol |
|---|---|
| Analog Input | AI |
| Analog Output | AO |
| Bias/Gain | BG |
| Control Selector | CS |
| Discrete Input | DI |
| Discrete Output | DO |
| Manual Loader | ML |
| Proportional/Derivative | PD |
| Proportional/Integral/Derivative | PID |
| Ratio | RA |

Each block has a “Profile” (i.e. a code) that indicates the type of block (e.g. the standard PID block is
code 0108 in hexadecimal). Based on this code a host can tell if a block is a standard block, an enhanced
block or a manufacturer custom block. The engineering tool can build a control strategy completely
independent of the device you will eventually use. The process engineer can build the control strategy
and then let the instrument engineers assign the blocks to devices later.

4.4.1 Applying functional blocks


Consider an FF network in Figure 4.4.1 implemented to support flow control of a cooling fluid using a
control valve (Device 2) and based on the temperature reading from a transmitter (Device 1).

Figure 4.4.1: Control loop using field devices FBs.

The temperature transmitter will have an AI function block. A control valve contains a PID function block
as well as the expected AO block. Thus, a complete control loop can be built using only a simple
transmitter and a control valve, as shown in Figure 4.4.2.

Figure 4.4.2: Control loop function block connections on the User layer.

After the system design is completed and the instruments have been selected, the device configuration
is performed by connecting Function Block inputs and outputs together in each device as required by the
control strategy. After all of the function block connections and other configuration items such as device
names, loop tags, and loop execution rate have been entered, the configuration device generates
information for each fieldbus device.

A stand-alone loop can be configured if there is a field device that is a Link Master. This will allow
continued operation of the loop without the configuration device or a central console. The system
becomes operational after the fieldbus devices have received their configurations.

4.4.2 Function scheduling


A schedule building tool is used to generate function block and Link Active Scheduler (LAS) schedules.
Consider building a schedule for the control loop described in Figure 4.4.2. The schedule should contain
the start time offset from the beginning of the “absolute link schedule start time” (See Figure 4.3.3).

Figure 4.4.3: Control loop schedule.

The absolute link schedule start time is known by all devices on the fieldbus. A “macrocycle” is a single
iteration of a schedule within a device. Figure 4.4.4 shows the relationships between the absolute link
schedule start time, LAS macrocycle, device macrocycles, and the start time offsets.

Figure 4.4.4: Control loop execution sequence diagram.

In Figure 4.4.4, the transmitter AI function block will be executed at offset 0. At offset 20 the Link
Active Scheduler (LAS) will issue a Compel Data (CD) to the AI function block buffer in the transmitter
and data in the buffer will be published on the fieldbus.

At offset 30 the valve’s PID function block will be executed, followed by execution of the AO function
block at offset 50. The pattern exactly repeats itself, assuring the integrity of the control loop dynamics.

Note that during the function block execution, the LAS is sending the Pass Token message to all
devices so that they can transmit their unscheduled messages such as alarm notifications or operator
setpoint changes. For this example, the only time that the fieldbus cannot be used for unscheduled
messages is from offset 20 to offset 30 when the AI function block data is being published on the
fieldbus. On the HSE fieldbus the function blocks execute as shown but, since there is no LAS, the
communication is immediate instead of scheduled.

6. ProfiNet
• Understand the Profinet protocol stack and its use of Ethernet, TCP and IP in the
Profinet protocol stack.
• Understand the use and implementation of two communication channels within
Profinet.
• Know the three device classes and network elements used in Profinet IO.
• Be able to sketch and explain different Profinet topologies and how PoE is used.
• Be able to calculate fibre-optic link budget for a Profinet link.
• Understand the motivation behind installing and potential challenges in wireless
links.
• Understand device addressing, media access control and the communication
paradigm used by Profinet’s data link layer.
• Profinet and ISO/OSI 7-Layer Model
• Understand the scheduling of real-time communication in Profinet.
• Be able to do real-time communication performance calculations on Profinet.
• Understand the impact of device update time (or cycle time) on the network traffic.
• Be able to analyse network traffic for both real-time and nonreal-time data
transmission.
• Understand different ways of managing traffic within the Profinet networks.

Profinet is an Ethernet-based communication technology and has the following features fulfilling the
needs of automation technology;
• Standardised Industrial Fast Ethernet.
• High speed highly deterministic networking.
• Generally designed for internal use (just like PROFIBUS DP).

It makes use of the TCP/IP protocol stack for non-real-time communications (i.e. configuration and
parameters) and provides a tailor-made “real-time” channel protocol for time-critical communications
(i.e. process data) as shown in Figure 6.0.1. Profinet is NOT Profibus over Ethernet. Profinet can be
implemented as Profinet IO or Profinet CBA (Component Based Automation). The rest of the notes
shall focus on Profinet IO.

Figure 6.0.1: Profinet’s protocol stack.

Profinet makes use of relevant TCP/IP protocols for non-real-time communications, i.e. setup,
configuration and maintenance functions. It also uses some of the typical TCP/IP protocol stack
application layer protocols, such as;
• DHCP – Dynamic Host Configuration Protocol,
• DNS – Domain Name Service,
• SNMP – Simple Network Management Protocol,
• ARP – Address Resolution Protocol,
• HTTP – Web page access.

The TCP/IP channel is used for non-time-critical tasks (or non-real-time data). These include
downloading of configuration, parameters, diagnostics, and device management information, etc.

The Real-Time channel is used for time-critical data which may be;

• Cyclic process data,
• Alarms and critical messages,
• Communication monitoring

Profibus devices are widely used in many different application areas. Profinet provides a transparent
interface with Profibus via a standardised gateway or “Proxy” as illustrated in Figure 6.0.2. The Proxy
is a Profinet IO device on one side and a Profibus master on the other. Profibus Configuration is
integrated into the Profinet configurator and is downloaded via Ethernet.

Figure 6.0.2: Application of Profinet in an industrial network.

6.1. Device Classes


Three device classes are defined to facilitate structuring of Profinet IO field devices; namely IO-
Controller, IO-Supervisor and IO-Device.

The IO-Controller is typically a PLC on which the automation program runs (corresponds to the
functionality of a class 1 master in PROFIBUS). The IO-Supervisor is an engineering station which, for
example, can be a programming device (PG), personal computer (PC), or human machine interface (HMI)
device for commissioning or diagnostic purposes. The IO-Device is a distributed I/O field device that is
connected via Profinet IO (corresponds to the function of a slave in PROFIBUS). All field devices are
described in terms of their available technical and functional properties in a GSD file (General
Station Description) to be created by the field device developer.

A (plant unit) Profinet IO network must contain at least one IO-Controller and one or more IO-Devices.
An IO-Device can exchange data with multiple IO-Controllers. IO-Supervisors are usually integrated only
temporarily for commissioning or troubleshooting purposes.

Besides the three device classes, Profinet also uses Ethernet switches and routers throughout its
networks. To enhance determinism, Profinet IO field devices are always connected via Ethernet
switches as network components. This takes the form of a star topology with separate multiport switches
or a line topology with switches integrated in the field device. Routers are also used for management
purposes such as to divide the network into sub-networks.

6.2. Physical layer


OSI-Model layers 1 and 2 of Profinet are implemented using 100-Mbps switched Ethernet. Thus, Profinet
can use 4-core Ethernet screened twisted pair copper cabling and RJ45 or Fibre cabling or WiFi
connections (IEEE 802.11). A typical network is in a form of a star topology by connecting multiple
devices to a central switch as shown in Figure 6.2.1. If a single PROFINET node fails or is removed, the
other PROFINET nodes will continue to operate. However, if the central switch fails, the communication
to all the connected nodes will be interrupted.

Figure 6.2.1: Profinet network topologies.

For larger networks in organisations with multiple functional units, the network can be in the form of a
tree topology as shown in Figure 6.2.1. A tree topology is created by combining several star-shaped
networks into one network. One switch operates as a signal distributor in the star point. Since the switch
routes messages to relevant ports based on MAC addresses, the peripheral switches will only see
messages intended for their devices, thus reducing the traffic.

Line topology is made possible with the use of Profinet devices’ integrated switches and without using
additional switches. The challenge with this topology is that in case of a line interruption (e.g. outage of
a device), the devices located behind the failed device can no longer be contacted. This can be prevented
by extending the line to a ring structure topology.

Power over Ethernet (PoE, IEEE 802.3 Clause 33) allows low consumption devices to be powered
directly over the PROFINET cable. No separate power supply is therefore required. This may save
installation costs. Typical devices that can receive PoE are access points, IP cameras and HMIs. PoE
is only possible when there is a direct link between the powered switch and the Profinet device, as in the
star or tree topologies – however this is not possible for the line topology.

6.2.1 Copper & Fibre cabling


Copper cables and optical fibres are available for a wired connection of network nodes. The cable used
must meet the requirements of the planned automation project.

Usually a 4-core twisted pair cable is used with a maximum length of 100m per cable run from the switch.
To reduce interference in copper cables, correct grounding of the cabling as well as equipotential
bonding must be provided. This does not apply to optical fibres.

In areas where electromagnetic interference may be present and/or significant connection distances are
required, it is recommended that a fibre optic (FO) connection is used. A fibre optic connection can
completely remove problems caused by electromagnetic interference (EMI). Media converter devices
are required to link FO cables with copper cables to form a single network segment. The most important
aspect of FO cabling is the specific attenuation value, i.e. how badly the cable degrades the signal with
distance. Table 6.1 shows the typical attenuations for different FO cables.

Table 6.1: attenuation in fibre cables


| Fibre type | Max. attenuation | Light wavelength |
|---|---|---|
| Plastic optical fibre | 230 dB/km | 650 nm |
| Glass multi-mode | 1.5 dB/km | 1300 nm |
| Glass single mode | 0.4 dB/km | 1300 nm |

The attenuation limits the maximum possible distance of FO cables. These distances are also affected
by the wavelength and so there is a maximum allowable attenuation for Profinet links for each
of the cable types. For example, 12.5dB, 11.3dB and 10.3dB for plastic, glass multi-mode and glass
single mode, respectively. Moreover, the junctions (or connector links where there is splicing) also cause
additional attenuation – e.g. a pair of connectors can cause 0.75dB of attenuation. For communication to
be successful, the power received at one end of the FO cable must be greater than the receiver’s
sensitivity;

Transmit power - total attenuation ≥ receiver sensitivity

Consider the single-mode glass fibre link with two connectors, as shown in Figure 6.2.2. Calculate the
end-to-end link budget to check if the network will be able to operate.

Figure 6.2.2: Fibre optical link.

The attenuation values are 0.25dB for the 500m FO, 1dB for 2km FO and 3x0.75dB for the three
connections, resulting in 3.5dB. This is an allowable value since 3.5dB<10.3dB.

At times the fibre cable has to be spliced and linked, and this can result in splice losses of about 0.1dB per
splice. The networking equipment comes with transmit power of -3dBm to +3dBm, while the receiver
sensitivity can have typical values of -18dBm to -28dBm.

6.2.2 Wireless link
The usage of wireless technology requires the consideration of certain factors that do not occur in
connection with wired transmission technology. All of the following have an impact on the signal strength
and quality of the wireless system:
• Line of sight attenuation with increasing distance between transmitter and receiver.
• Reflection of radio waves from obstacles, like walls, resulting in multipath attenuation.
• Interference with other radio transmitters on the same frequency.
• Interference from other signal sources that emit radio frequency.
• Scattering, diffraction and absorption of signals at surfaces and barriers.

6.3. Datalink layer


The PROFINET network exchanges standard Ethernet frames. PROFINET uses Ethernet’s CSMA/CD
media access control methodology and both the MAC addresses and IP addresses. Figure 6.3.1 shows
a network that comprises two subnets. These are represented by the different network IDs (subnet mask).

Figure 6.3.1: Application of Profinet in an industrial network.

On the PROFINET network, field devices are identified by (1) easy to remember assigned symbolic
names, (2) assigned IP addresses and (3) unique MAC addresses. After the system is configured, the
engineering tool loads all information required for data exchange to the IO-Controller, including the IP
addresses of the connected IO-Devices. Based on the name (and the associated MAC address), an IO-
Controller can recognize the configured field devices and assign them the specified IP addresses using
the DCP protocol (Discovery and Configuration Protocol) integrated in PROFINET IO. Alternatively,
addressing can be performed via a DHCP server. At the data link layer, IO devices exchange messages
based on their unique MAC addresses.

PROFINET follows the Provider/Consumer model for data exchange. The provider (usually the field
device at the process level) provides process data to a consumer (normally a PLC with a processing
program). In principle, a PROFINET IO field device can contain any arrangement of functions (provider/
consumer).

6.4 Application layer
Like PROFIBUS, PROFINET uses application profiles, which are specifications of certain properties,
performance features, and behaviour of devices and systems. In general, two groups of application
profiles are distinguished:
• General application profiles available for use in different applications e.g., the PROFIsafe profile.
• Specific application profiles developed for a very specific type of application, e.g., PROFIdrive,
Encoder, Identification systems, or PA devices.

6.5. Real-time communication


Every PROFINET device sequentially executes its program within a specific cycle time. The inputs are
read at the beginning and the outputs are set at the end of each cycle. The relative timing of these cycles
to each other has an impact on the response time in a processing chain. If data is received, the receiving
device must wait until the beginning of the next cycle before it can process it. It must then wait
for the end of the processing time for the result to be ready for transmission over Profinet to the next
device. The network will also have some delay, although a very small value in comparison to the cycle
time. It is important to understand this processing chain since it affects the response of the control
application.

Consider an example process where a sensor’s (Device 1) input is used by a PLC (controller) to control
a motor (Device 2). Figure 6.4.1 shows a best-case scenario where the event occurring in Device 1 is
just in time for a cycle time about to begin.

Figure 6.4.1: Best-case scenario response time.

Suppose that the device cycle times are 15ms & 3ms, the processing times are 10ms & 2ms, for the
controller and devices 1&2, respectively. Take the network transmission time to be 0.1ms. Then, in the
best-case scenario the delay time from event to response is; TD1 + ΔTPN1 + ΔTC + ΔTPN2 + TD2 = 16.2ms.

Figure 6.4.2: Worst-case scenario response time.

In the worst case the data is received by the device just after the cycle/update time has passed and so
the data has to wait for the next update time to be processed, as shown in Figure 6.4.2. Thus, the response
is; 2xTD1 + TPN1 + ΔTPN1 + TC + ΔTC + TPN2 + ΔTPN2 + TD2 = 41.2ms. This time can be reduced largely by
selecting a smaller controller update cycle time, however, at the risk of increasing network traffic.

6.5.1. Network traffic


Controllers operate cyclically with a specified update time. The update time of all other PROFINET
devices must be defined as a function of the controller cycle time. With fast update times the data will be
updated at shorter intervals. As a result, they will be available for processing more quickly. However, the
data volume transmitted in a time period and, thus, the network loads are increased. Figure 6.5.1 shows
the network load for varying amounts of update time and the number of nodes.

Figure 6.5.1: Cyclic network traffic.

When the network load is increased by cyclic real-time communication, the bandwidth available to other
communications decreases.

Following the setting of the update time, it is worth analysing the topology for expected network performance.
Each switch that is placed between a device and its controller introduces a delay in the data transfer
because the switches work by storing incoming data and forwarding it to the relevant port. Such delays
are worst per device in line topologies because of the use of integrated switches.

For illustration, consider a single-controller network with slaves each generating 1% traffic load on its link,
as shown in Figure 6.5.2. The controller’s link will experience 3% of the traffic.

Figure 6.5.2: Cyclic network traffic analysis with topology

Such analysis is important for your planning to identify the critical locations in the topology, i.e. the
locations of maximum network load. Consider a Profinet slave updating at 1ms compared to one with an
update time of 8ms, both operating on a 100Mbps network. Since the typical Profinet data packet is 108 bytes
long, the network traffic generated will be {108 bytes x 8 bits/byte x 1/1ms = 0.864Mbps} or 0.86%
bandwidth compared to 0.11% bandwidth.

In order to provide sufficient reserve for future extensions and especially for non-real-time
communication, it is recommended to observe the limit values rule of thumb whereby a traffic load of
between 20-50% should be closely monitored and action must be taken when the traffic exceeds 50%.
In this case, the options for reducing the traffic may be;
• Increase update time while ensuring that response-time is not affected adversely.
• (For multi controller applications) Changing controller slave assignment to separate network
traffic.
• Using additional routers/switches to create new network paths to connect sub-networks so
that existing network links are relieved.
• Investing in additional controllers to distribute load evenly.

Figure 6.5.3: Integration with standard Ethernet devices

Communication relations not only exist between controllers and devices. Devices can also communicate
with each other. This type of communication often occurs between standard Ethernet nodes as illustrated
by the video camera streaming footage on the computer in Figure 6.5.3. This may result in high traffic
volumes like 50% traffic around the red circle.

To solve this problem the topology should be changed. In the example, the camera and the PC could be
directly connected to the switch as shown in Figure 6.5.4. As a result, the large data stream would no
longer represent a considerable load for the other sections of the network.

Figure 6.5.4: Integration with standard Ethernet devices – new topology
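
The per-link analysis of section 6.5.1 (load per device from update time and frame size, accumulation of loads towards the controller, the 20-50% rule of thumb, and moving the camera onto the switch) can be reproduced with a short script. This is an added example, not part of the original notes; the topology and node names are constructed, and both directions of a link are summed into one figure as a simplifying assumption.

```python
"""Per-link load estimate for a tree-shaped PROFINET network (added example)."""

FRAME_BYTES = 108    # typical PROFINET data packet size quoted in the notes
LINK_MBPS = 100.0    # link speed quoted in the notes


def cyclic_load_pct(update_ms, frame_bytes=FRAME_BYTES, link_mbps=LINK_MBPS):
    """Share of link bandwidth (%) used by one frame sent every update_ms."""
    bits_per_second = frame_bytes * 8 * 1000.0 / update_ms
    return 100.0 * bits_per_second / (link_mbps * 1e6)


def path_to_root(node, parent):
    """Nodes from `node` up to the root of the tree, inclusive."""
    path = [node]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path


def links_between(src, dst, parent):
    """Links (frozensets of two node names) crossed on the way from src to dst."""
    up_src, up_dst = path_to_root(src, parent), path_to_root(dst, parent)
    # Drop the shared part of both paths above the lowest common ancestor.
    while len(up_src) > 1 and len(up_dst) > 1 and up_src[-2] == up_dst[-2]:
        up_src.pop()
        up_dst.pop()
    hops = up_src + up_dst[-2::-1]
    return [frozenset(pair) for pair in zip(hops, hops[1:])]


def link_loads(parent, flows):
    """Add the load of every (src, dst, pct) flow to each link it crosses.

    Assumption: both directions of a link are summed into one figure, which
    is pessimistic for full-duplex switched Ethernet.
    """
    loads = {}
    for src, dst, pct in flows:
        for link in links_between(src, dst, parent):
            loads[link] = loads.get(link, 0.0) + pct
    return loads


def classify(pct):
    """Rule of thumb from the notes: monitor 20-50 %, act above 50 %."""
    if pct > 50.0:
        return "act"
    return "monitor" if pct >= 20.0 else "ok"


def worst_links(parent, flows):
    """Links sorted by load, heaviest first, as (link name, load %, verdict)."""
    rows = [("-".join(sorted(link)), round(pct, 3), classify(pct))
            for link, pct in link_loads(parent, flows).items()]
    return sorted(rows, key=lambda row: -row[1])


# Constructed topology (not the one in the figures): a switch SW with the
# controller PLC and a PC attached, and IO-Devices D1-D2-D3 in a line behind it.
# Each entry maps a node to its upstream neighbour; the root has parent None.
LINE = {"SW": None, "PLC": "SW", "PC": "SW", "D1": "SW", "D2": "D1", "D3": "D2"}
CYCLIC = [(dev, "PLC", cyclic_load_pct(1.0)) for dev in ("D1", "D2", "D3")]
STREAM_PCT = 50.0    # video stream load, the 50 % figure used in the notes

BEFORE = dict(LINE, CAM="D3")   # camera at the far end of the line
AFTER = dict(LINE, CAM="SW")    # camera connected directly to the switch
FLOWS = CYCLIC + [("CAM", "PC", STREAM_PCT)]

if __name__ == "__main__":
    for name, topology in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for link, pct, verdict in worst_links(topology, FLOWS):
            print(f"  {link:8s} {pct:7.3f} %  {verdict}")
```

With the camera at the end of the line every line segment exceeds the 50% action limit; with the camera on the switch the line segments carry only their cyclic load.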

7. CAN, DeviceNet and CAN-Open
o Understand the development of CAN and its relationship with CANopen and DeviceNet.
o Know about the physical layer; transmission data rates, wiring connections, termination
requirements and topology.
o Understand the different CAN cabling options and be able to assess the impact of cable
length on data rates.
o Understand the operation of CAN’s data link layer – bus arbitration, frame format and the
different treatment of Message IDs in DeviceNet versus CANopen.
o Understand DeviceNet’s protocol stack, limit on number of devices and different types of
messaging.
o Know the different DeviceNet’s hardware components and how to do basic troubleshooting.
o Understand CANopen’s protocol stack, limit on number of devices and different types of
protocols.
o Understand CANopen’s device model and the roles of each component.
o Be able to sketch and explain the CANopen state transition model

CAN or Controller Area Network is an advanced serial bus system that efficiently supports distributed
control systems. Figure 7.0.0 shows the advantage of using CAN in terms of managing wiring and
lowering wiring costs. The CAN protocol defines the Data Link Layer and the Physical Layer in the ISO
model. There are also several higher-level protocols (from the network to application layer) available for
use with CAN, such as SAE J1939, OBD-II, DeviceNet and CANopen.

Figure 7.0.0: CAN networks significantly reduce wiring.


Thus, CANopen and DeviceNet are merely application layer protocols that are implemented on top of
the CAN layers 1 and 2.

The development of CAN began when more and more electronic devices were implemented into modern
motor vehicles and it became necessary for the different control systems (and their sensors) to exchange
information. The intention was to get more safety and more comfort for the driver, as well as reductions
in fuel consumption and exhaust emissions. Examples of such devices include engine management
systems, active suspension, ABS, gear control, lighting control, air conditioning, airbags and central
locking.

7.1. Physical layer in CAN:
CAN networks are implemented with two wires for data transmission and allow communication at transfer
rates up to 1 Mbit/s for high-speed CAN and 125 kbit/s for low-speed. High-speed CAN is by far the most
common physical layer and it is typically used in applications like the antilock brake systems, engine
control modules, and emissions systems. Low-speed CAN is used for fault-tolerant devices in an
automobile such as comfort devices.

The devices on the network are linked together using a 4-wire cable, which allows separate connections
for data (CAN-high and CAN-low) and power (Vcc and Ground). Network nodes with limited power
requirements may thus be powered directly from the network (the trunk-line current rating is 8 amps).
Shielding is provided to give a degree of noise immunity.

The physical link is usually terminated with 121Ω resistors between CAN-high and CAN-low terminals at
each end of the trunk line as shown in Figure 7.0.1. The link speed depends on the length. Other media
such as fibre optics can be used with proprietary specifications.

Figure 7.0.1: Elements of a CAN device.


A typical CAN node (Field Device or Controller device) needs both a CAN transceiver and CAN protocol
controller in order to be able to connect to a CAN network. The CAN controller provides a message buffer
that can be read by the CAN node’s microcontroller.

Figure 7.0.2: CAN trunk-line (hybrid) topology.

The topology employed in CAN networks is essentially a bus topology referred to in the specification as
a trunk-line/drop-line topology that provides separate twisted-pair buses for signal and power distribution.
Figure 7.0.2 shows how a CAN network topology might be configured.

7.1.1 CAN Cabling options and sizing:
Wiring of a CAN network is usually accomplished using either round or KwikLink flat cables. Round cables
can either be the thick 12 mm or thin 6.9 mm cables, both of which can be used for trunk and drop lines.
The KwikLink flat cables come with Insulation Displacement Connectors (IDCs) that lessen your
installation time and materials cost. They allow for the installation of nodes without cutting or stripping of the
trunk line. Table 7.0 shows the allowed data rates for different cable lengths.

Table 7.0: CAN Cabling and data rate options


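| Data rate (kbps) | Maximum distance, flat cable (metres) | Maximum distance, thick cable (metres) | Maximum distance, thin cable (metres) |
|---|---|---|---|
| 125 | 420 | 500 | 100 |
| 250 | 200 | 250 | 100 |
| 500 | 75 | 100 | 100 |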

Usually, the maximum distance of the cable is measured between the trunk line terminating resistors.
However, if the maximum drop-line distance from the trunk is greater than the distance from the tap to
the nearest terminating resistor (TR), then the drop line distance must be included as part of the cable
length. Figure 7.1.1 shows two examples of cabling where the drop line is excluded and where it is
included in the maximum distance calculation.

Figure 7.1.1: Calculating maximum cable distance.

The network data rate is also restricted by the cumulative drop line length. It is the sum of all drop line
distances in a cabling system. The data rates of 125kbps, 250kbps and 500kbps are restricted to the
maximum cumulative drop line length of 156m, 78m and 39m, respectively. Figure 7.1.2 shows a cabling
system with a cumulative drop line of 42 meters.

Figure 7.1.2: Calculating maximum cable distance.

7.2. CAN Data-link layer:


CAN is a multi-master network where the number of nodes is limited by the upper layer protocols, like
CANopen & DeviceNet. In a CAN network, bus nodes do not have a specific address; the address
information is contained in the message identifiers indicating the message content and the priority of the
message.

CAN devices send data across the CAN network in packets called frames. A CAN frame consists of the
following sections; Start-of-frame, Message-ID or CAN-ID, Control, Data, Cyclic Redundancy Check sum,
Acknowledgement and End-of-Frame, as shown in Figure 7.2.1.

Figure 7.2.1. The standard CAN frame format.

• SOF (start-of-frame) bit – indicates the beginning of a message with a dominant (logic 0) bit.
• CAN-ID – identifies the message and indicates the message's priority. Frames come in two
formats -- standard, which uses an 11-bit message-ID, and extended, which uses a 29-bit ID.
• Control Field – This allows for the specification of the different types of CAN protocol used. For
example, the basic CAN with 8 bytes of data or improved CAN 2.0 or the flexible data CAN (CAN-
FD) with up to 64 bytes of data. Thus, this field indicates data length and identifies protocol
extension.
• Data – This stores the message data being exchanged. Up to 8 bytes for CAN, 64 bytes for
CAN-FD.
• CRC – This is used for error detection.
• ACK bit – any CAN controller that correctly receives the message sends an Acknowledgement
bit at the end of the message. The transmitting node checks for the presence of the ACK bit on
the bus and reattempts transmission if no acknowledgement is detected.
• EOF (End-of-frame) bit – indicates the end of a message.

Bus arbitration: CAN implements CSMA/NBA, i.e. Carrier Sense Multiple
Access/Non-destructive Bitwise Arbitration. Under this protocol, a node first listens to the media before
transmitting. If two or more nodes start transmitting at the same time, arbitration is based on the priority
level of the message ID (IDENTIFIER) and allows the message whose ID has the highest priority to be
delivered immediately, without delay. This makes CAN ideal for real-time, priority-based systems. The
message with an ID that translates to a lower value of a binary number has a higher priority.
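
The bitwise arbitration described above can be simulated bit by bit for standard 11-bit identifiers. This is an added example, not part of the original notes; the node names and identifiers are constructed, and only the identifier field of the frame is modelled.

```python
"""CAN non-destructive bitwise arbitration on 11-bit identifiers (added example)."""

ID_BITS = 11                  # standard frame identifier length
DOMINANT, RECESSIVE = 0, 1    # a dominant (logic 0) bit overrides a recessive bit


def id_bits(can_id):
    """Identifier as a list of bits, most significant bit first."""
    if not 0 <= can_id < (1 << ID_BITS):
        raise ValueError(f"not an 11-bit identifier: {can_id:#x}")
    return [(can_id >> shift) & 1 for shift in range(ID_BITS - 1, -1, -1)]


def arbitrate(contenders):
    """Run one arbitration round between nodes that start sending together.

    contenders maps node name -> identifier of the frame it wants to send.
    Returns (winner, dropouts); dropouts maps each losing node to the bit
    position (0 = first identifier bit on the wire) at which it backed off.
    """
    if not contenders:
        raise ValueError("no node wants to transmit")
    if len(set(contenders.values())) != len(contenders):
        raise ValueError("two nodes must not send the same identifier")
    active = {node: id_bits(can_id) for node, can_id in contenders.items()}
    dropouts = {}
    for pos in range(ID_BITS):
        # Wired-AND bus: a single dominant bit makes the whole bus dominant.
        bus = min(bits[pos] for bits in active.values())
        for node in [n for n, bits in active.items() if bits[pos] != bus]:
            # The node sent recessive but read back dominant: it stops
            # transmitting and the frame of the remaining nodes is unharmed.
            dropouts[node] = pos
            del active[node]
    (winner,) = active
    return winner, dropouts


def delivery_order(contenders):
    """Repeat arbitration until every pending frame has been sent."""
    pending, order = dict(contenders), []
    while pending:
        winner, _ = arbitrate(pending)
        order.append((winner, pending.pop(winner)))
    return order


# Constructed sample: four nodes start transmitting in the same bit time.
SAMPLE = {"brake": 0x0A5, "engine": 0x0A7, "door": 0x120, "hvac": 0x3F0}

if __name__ == "__main__":
    winner, dropouts = arbitrate(SAMPLE)
    print("winner:", winner)
    for node, pos in sorted(dropouts.items(), key=lambda item: item[1]):
        print(f"  {node} backed off at identifier bit {pos}")
    for node, can_id in delivery_order(SAMPLE):
        print(f"  sent {can_id:#05x} from {node}")
```

The frames leave the bus in ascending identifier order, and the node that differs from the winner only near the end of the identifier stays in contention longest.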

7.3. DeviceNet:
DeviceNet was originally developed by Allen Bradley and it is now maintained by the Open DeviceNet
Vendors Association (ODVA). It is primarily made for operation at the field level of the industrial network
hierarchy and it can support up to 64 devices on the network.

7.3.1 DeviceNet protocol stack


The DeviceNet protocol stack is shown in Figure 7.3.1. The data-link layer is based on the CAN
(Controller Area Network) protocol. The object-oriented Common Industrial Protocol (CIP) is
used for layers 5 to 8.

Figure 7.3.1: DeviceNet protocol stack.

DeviceNet uses the CIP upper layer protocols. The CIP is object-oriented, i.e. a DeviceNet node is
modelled as a collection of Objects. Each object is simply a grouping of the related data values in a
device. For example, every CIP device is required to make an Identity object available to the network.
The identity object contains related identity data values called attributes. Attributes for the identity object
include the vendor ID, date of manufacture, device serial number and other identity data.

7.3.2. Devices and network


DeviceNet uses a master/slave communication paradigm to allow implementation using small
inexpensive microcontrollers. The devices (or nodes) on a DeviceNet network are configured either as
master devices, slave devices, or peer devices (in some cases, a device may embody all three modes
of operation simultaneously). Master devices (sometimes referred to as scanners or client devices) are
usually either programmable logic controllers (PLCs) or personal computers (PCs). Master devices "own"
any number of slave devices, but a slave device can only be "owned" by one master at any one time. A
master device receives input information from slave devices and sends output information to slave
devices. In order to establish ownership of a slave device, a master device must undertake an allocation
process involving a set of handshaking messages.

7.3.3. DeviceNet communication


DeviceNet is a connection-based network similar to Ethernet’s TCP/IP. When two devices establish a
connection, they exchange Connection ID Numbers. For most DeviceNet messaging, i.e. messaging
between a Master device and a Slave device, the Connection IDs are predefined, enabling low resource
devices to optimize processing of these messages. The 11-bit message Identifier in every DeviceNet
message is composed in part of the DeviceNet Address and the Connection ID for the message. The
lower the Connection ID/DeviceNet address combination, the higher the priority of the message on the
network.

DeviceNet uses the publisher-subscriber paradigm. The sending node produces a data message on the
network with the proper identifier. All devices that need the data listen for messages. When devices recognize
the appropriate identifier, they consume the data. In this case a single message from one controller can
be used by multiple motor starters, thus conserving bandwidth.

DeviceNet defines three different types of messaging.


• I/O Messaging - I/O Messages are for time-critical, control-oriented data. They provide a
dedicated, special-purpose communication path between a producing application and one
or more consuming applications. They are exchanged across single or multi-cast connections
and typically use high priority identifiers.
• Explicit Messaging - Explicit Messages provide multi-purpose, point-to-point
communication paths between two devices. They provide the typical request/response-oriented
network communications used to perform node configuration and problem
diagnosis. Explicit Messages typically use low priority identifiers and contain the specific
meaning of the message right in the data field. This includes the service to be performed
and the specific object attribute address.
• Peer Messaging - It is simply the exchange of messages from one DeviceNet device to
another over any non-Master/Slave connection. Peer messages are unformatted messages with
no implied structure or meaning to the bytes sent on a peer communication channel. They
are mostly used by devices manufactured by the same vendor, who then defines the format
and contents.

7.3.4. DeviceNet Hardware


DeviceNet vendors are required to provide some type of documentation specifying how their device is
configured: electronic datasheets. An electronic listing of the attributes that configure a DeviceNet
device is usually provided by a vendor.

DeviceNet masters, like PLCs, are interfaced to the network via a hardware interface card called the
DeviceNet Scanner. The Slaves use DeviceNet adapters.

For troubleshooting, the hardware of DeviceNet nodes must have a set of indicators. Indicators assist
maintenance personnel in quickly identifying a problem unit. These can be in the form of a Module Status
LED and a Network Status LED able to produce red and green light. Table 7.3 below indicates some of
the typical meanings for Network status LEDs.

Table 7.3: Network status LED


LED status       Indication
Solid green      The device is in normal operating condition.
Flashes green    The device has successfully joined the network but is not currently “owned” by a DeviceNet Master device, OR messages have failed to arrive on one or more connections with the Master device.
Solid red        The device has detected an internal error and has removed itself from network operation. This is typically a hardware failure in the device circuitry or when a device has received a Duplicate ID response message.

7.4. CANopen
A CANopen network has CANopen as the application layer protocol, running on top of CAN layers
1 and 2, as shown in Figure 7.4.1. Each CANopen device supports 4 operating states: initialization,
pre-operational, operational and stopped. A ‘master’ device can use an appropriate communication protocol
to change the state of a CANopen device, for example resetting it to the initialization state.

Figure 7.4.1: CANopen protocol stack.

CANopen supports all three communication paradigms: client-server, master-slave and publisher-subscriber.
These communication paradigms are supported by different CANopen protocols, such as SDO
for node configuration, PDO for real-time data transmission, NMT, SYNC, EMCY, etc.

The CANopen standard divides the 11-bit CAN frame ID into a 4-bit function code and a 7-bit CANopen
node ID. This limits the number of devices in a CANopen network to 127 (0 being reserved for broadcast).
An extension to the CAN bus standard (CAN 2.0 B) allows extended frame IDs of 29 bits, but in practice
CANopen networks are not big enough to need the extended ID range. The first 4 bits, the function bits, are
mapped onto function codes such as NMT, SYNC, EMCY, PDO and SDO.
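The split described above, as an added example that is not part of the original notes: a decoder that breaks an 11-bit identifier into its function code and node ID and names the service. The function-code values are those of the CiA 301 predefined connection set and are not given on this page; `decode_cob_id`, `arbitration_order` and the sample identifiers are names and values constructed for the illustration.

```python
# Added example: CiA 301 predefined connection set for 11-bit CAN identifiers.
from typing import NamedTuple

# 4-bit function code -> service (values from CiA 301, not from this page).
SERVICES = {
    0x0: "NMT", 0x2: "TIME",
    0x3: "TPDO1", 0x4: "RPDO1", 0x5: "TPDO2", 0x6: "RPDO2",
    0x7: "TPDO3", 0x8: "RPDO3", 0x9: "TPDO4", 0xA: "RPDO4",
    0xB: "SDO response", 0xC: "SDO request", 0xE: "NMT error control",
}
BROADCAST_ONLY = {0x0, 0x2}  # services whose node field is always 0


class CobId(NamedTuple):
    function_code: int
    node_id: int
    service: str


def decode_cob_id(can_id: int) -> CobId:
    """Split an 11-bit identifier into function code, node ID and service."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError("not an 11-bit identifier; 29-bit IDs are out of scope")
    fc, node = can_id >> 7, can_id & 0x7F
    if fc == 0x1:
        service = "SYNC" if node == 0 else "EMCY"  # one function code, two services
    elif fc not in SERVICES or (fc in BROADCAST_ONLY) != (node == 0):
        service = "unassigned"  # no service for this combination in the table above
    else:
        service = SERVICES[fc]
    return CobId(fc, node, service)


def arbitration_order(can_ids):
    """The lowest identifier wins CAN arbitration: ascending order is priority order."""
    return [decode_cob_id(i).service for i in sorted(can_ids)]


# Constructed sample identifiers: node 5 plus the two broadcast services.
SAMPLE_IDS = [0x705, 0x605, 0x185, 0x085, 0x080, 0x000]
```

Sorting the sample shows why NMT and SYNC traffic always beats process and configuration data on the bus.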

7.4.1 CANopen device model


A CANopen device can be divided into three parts: the communication interface, the object dictionary (OD)
and the application-process interface. The communication interface has different types of protocols and it
provides communication services for objects in the OD to communicate over the CAN bus. The
communication interface allows producer-consumer, client-server or master-slave communication
models, whose application depends on the protocol. The protocols that the interface provides to CANopen
objects are classified as:
• Process Data Objects (PDO) for real-time communication of process data.
• Service Data Objects (SDO) for diagnostic and configuration access to the device.
• Special function object protocols for specific applications like synchronization (SYNC), time
stamping and emergency message transmission (EMCY) etc.
• Network management (NMT) protocols for network initialization, error control and device status
control.

Figure 7.4.2: CANopen device model.

The OD is a table containing entries that specify all parameters describing the behaviour of a CANopen
node. Each entry in the OD has an index, a data type, a name, etc. Two CANopen nodes communicate
by effectively reading and writing entries in each other’s ODs. Each CANopen device also has an
Electronic Data Sheet (EDS). The EDS is a human-readable description of the OD provided by the device
manufacturer.

The application-process interface provides standardised device profiles specifying how CANopen
devices, e.g. I/O modules or motion controllers, are interfaced. This makes it easy to configure devices
from different vendors.

7.4.2 CANopen protocols


Service data objects (SDOs) enable access to all entries of a CANopen object dictionary for
transmission of parameters (configuration and diagnostic parameters). SDO messages have no length
restriction and can use multiple CAN frames with different CAN identifiers if the payload is too big. This
is a confirmed communication service that requires acknowledgement by the receiver. SDO uses a
peer-to-peer communication model with each peer flexibly assuming the role of a client and the other a server.
The owner of the accessed object dictionary acts as the server of the SDO.

Process data objects (PDOs) are used in CANopen for broadcasting high-priority process data. For example,
a PDO can be used to carry pressure data from a pressure transducer. A PDO consists of a single
CAN frame and communicates up to 8 bytes of pure process data. The PDO supports a publisher-subscriber
communication paradigm. For example, a device can be configured to trigger PDO
transmission when a temperature value exceeds a certain limit to alert other subscriber devices. PDO
communication is real-time and does not require acknowledgement, making it faster than SDO.

Network management (NMT) objects are used to change and monitor the status of CANopen devices.
An NMT message has an identifier of 0, giving it the highest priority. The NMT message consists of two bytes,
where the second byte is the node ID of the node being addressed.

All CANopen devices must support the CANopen network management (NMT) slave state machine. The
NMT state machine defines the communication behaviour of a CANopen device. The CANopen NMT
state machine consists of an Initialization state, a Pre-operational state, an Operational state, and a
Stopped state. After power-on or reset, the device enters the Initialization state (see Figure 7.4.3).

Figure 7.4.3 CANopen device state transitions

After the device initialization is finished, the device automatically transitions to the Pre-operational state,
indicating that it is ready to work. A device that stays in the Pre-operational state can start to synchronize
with the network. In the Pre-operational state, the device can communicate via SDO but not via PDO, which
is disabled. PDO communication is only possible in the Operational state. After successful synchronization, the
device goes into the Operational state. During the Operational state, the device can use all supported
communication objects. A device can be switched to the Stopped state, or it may enter the Stopped state
when it has a fault. A device that was switched to the Stopped state only reacts to received NMT
commands, with no PDO or SDO. From any state, the device can be reset back to the Initialization state.
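The state rules above can be checked passively against bus traffic. The following added example (not part of the original notes) tracks each node's state from observed NMT commands and reports PDO or SDO frames sent by a node whose state forbids them. The NMT command specifier values are taken from CiA 301 and are not given on this page; `audit` and the sample capture are constructed for the illustration.

```python
# Added example: passive audit of bus traffic against the NMT state machine.
# Command specifier values come from CiA 301, not from this page.
NMT_END_STATE = {
    0x01: "OPERATIONAL",      # start node
    0x02: "STOPPED",          # stop node
    0x80: "PRE-OPERATIONAL",  # enter pre-operational
    0x81: "PRE-OPERATIONAL",  # reset node: initialization, then automatic transition
    0x82: "PRE-OPERATIONAL",  # reset communication: same end state
}
# Objects a node may transmit in each state, as described in the text above.
MAY_SEND = {"PRE-OPERATIONAL": {"SDO"}, "OPERATIONAL": {"SDO", "PDO"}, "STOPPED": set()}
TPDO_CODES = {0x3, 0x5, 0x7, 0x9}  # function codes of PDOs transmitted by the node
SDO_RESPONSE_CODE = 0xB            # function code of SDO frames sent by the node


def audit(frames):
    """frames: iterable of (can_id, data). Returns a list of alert strings."""
    state, alerts = {}, []
    for can_id, data in frames:
        fc, node = can_id >> 7, can_id & 0x7F
        if can_id == 0x000:  # NMT command: [command specifier, node ID]
            if len(data) != 2 or data[0] not in NMT_END_STATE or data[1] > 127:
                alerts.append(f"malformed NMT command {data.hex()}")
                continue
            targets = range(1, 128) if data[1] == 0 else [data[1]]  # 0 = all nodes
            for n in targets:
                state[n] = NMT_END_STATE[data[0]]
            continue
        kind = "PDO" if fc in TPDO_CODES else "SDO" if fc == SDO_RESPONSE_CODE else None
        # Only judge nodes whose state was set by an NMT command we observed.
        if kind and node in state and kind not in MAY_SEND[state[node]]:
            alerts.append(f"node {node} sent {kind} 0x{can_id:03X} while {state[node]}")
    return alerts


# Constructed capture: (identifier, payload) pairs in bus order.
SAMPLE = [
    (0x000, bytes([0x80, 5])),  # node 5 -> pre-operational
    (0x185, bytes(2)),          # TPDO1 from node 5: not allowed yet
    (0x585, bytes(8)),          # SDO response from node 5: allowed
    (0x000, bytes([0x01, 5])),  # start node 5
    (0x185, bytes(2)),          # TPDO1 now allowed
    (0x000, bytes([0x02, 0])),  # stop all nodes
    (0x585, bytes(8)),          # SDO response while stopped
    (0x000, bytes([0x01])),     # truncated NMT command
]
```

Nodes whose state was never set by an observed NMT command are not judged, so a monitor attached mid-session stays quiet until it sees one.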

The synchronization (SYNC) message is transmitted periodically by the SYNC publisher for time
synchronization with the subscribers. The time period between two consecutive SYNC messages is the
communication cycle period. The SYNC message is mapped to a single CAN frame with the identifier
0x80 according to the predefined connection set. By default, the SYNC message does not carry any data.

The Emergency (EMCY) protocol can be used to inform other network participants about device-internal
errors. The Emergency messages are triggered by a device-internal error. An Emergency message is
transmitted only once per error event. As long as no new errors occur on a device, no further emergency
messages are transmitted. Zero or more Emergency consumers may receive these messages and may
initiate suitable, application-specific countermeasures.
