Добавил:

amanbayaybek Опубликованный материал нарушает ваши авторские права? Сообщите нам.

Вуз:

Ташкентский государственный технический университет им. Беруни

Предмет:

Автоматизированные системы управления технологическим процессом

Файл:

Lessons In Industrial Instrumentation-6.pdf

Скачиваний:

Добавлен:

25.06.2023

Размер:

2.13 Mб

Скачать

☆

<<< < Предыдущая 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 2627 / 3427 28 29 30 31 32 33 34 > Следующая >>>

15.11. MODBUS

1117

15.11.4Modbus relative addressing

An interesting idiosyncrasy of Modbus communication is that the address values speciﬁed within Modbus data frames are relative rather than absolute. Since each Modbus read or write function only operates on a limited range of register addresses, there is no need to specify the entire address in the data frame. For example, Modbus function code 02 reads discrete input registers in the device with an absolute address range of 10001 to 19999 (i.e. all the addresses beginning with the digit “1”). Therefore, it is not necessary for the “read” command function 02 to specify the ﬁrst digit of the register address. Instead, the read command only needs to specify a four-digit “relative address” specifying how far up from the beginning of the address range (in this case, from 10001) to go.

An analogy to aid your understanding of relative addressing is to envision a hotel building with multiple ﬂoors. The ﬁrst digit of every room number is the same as the ﬂoor number, so that the ﬁrst ﬂoor only contains rooms numbered in the 100’s, the second ﬂoor only contains rooms numbered in the 200’s, etc. With this very orderly system of room numbers, it becomes possible to specify a room’s location in more than one way. For example, you could give instructions to go to room 314 (an absolute room number), or alternatively you could specify that same room as “number 14 (a relative room number) on the third ﬂoor”. To a hotel employee who only works on the third ﬂoor, the shortened room number might be easier to remember.

In Modbus, relative addresses are just a little bit more complicated than this. Relative addresses actually span a range beginning at zero, while absolute addresses begin with “1” as the leastsigniﬁcant digit. This means there is an additional o set of 1 between a Modbus relative address and its corresponding absolute address. Returning to the hotel analogy, imagine the very ﬁrst room on the third ﬂoor was room 301 (i.e. there was no room 300) and that the relative address represented the number of rooms past that ﬁrst room. In this unintuitive scheme, room 314 could be speciﬁed as “the 13th room after the starting room on the third ﬂoor”. If this seems needlessly confusing, you are not alone. Welcome to Hotel Modbus.

A few examples are given here for illustration:

•Read the content of contact register 12440: Modbus read function 02; relative address 2439

•Read the content of analog input register 30050: Modbus read function 04; relative address 49

•Read the content of holding register 41000: Modbus read function 03; relative address 999

•Write multiple output coils in register 00008: Modbus write function 15; relative address 7

In each case, the pattern is the same: the relative address gets added to the ﬁrst address of that range in order to arrive at the absolute address within the Modbus device. Referencing the ﬁrst example shown above: 2439 (relative address) + 10001 (ﬁrst address of register range) = 12440 (absolute address).

Thankfully, the only time you are likely to contend with relative addressing is if you program a computer using some low-level language such as assembly or C++. Most high-level industrial programming languages such as Function Block or Ladder Diagram make it easy for the end-user by allowing absolute addresses to be directly speciﬁed in the read and write commands. In a typical PLC program, for example, you would read contact register 12440 by simply specifying the number 12440 within the address ﬁeld of a “read 02” instruction.

1118	CHAPTER 15. DIGITAL DATA ACQUISITION AND NETWORKS

The following listing shows code (written in the C language) utilizing the open-source libmodbus function library instructing a computer to access 16-bit integer data from four Modbus “holding” registers (absolute addresses 49001 through 49004) via Modbus/TCP. The device’s IP address is 192.169.0.10 and port 502 is used for the TCP connection:

C code listing

#include <s t d i o . h> #include <modbus . h>

modbus t D e v i c e ;

int main ( void )

{

int r e a d c o u n t ;

u i n t 1 6 t i n r e g w o r d [ 4 ] ;

D e v i c e = modbus new tcp ( ” 1 9 2 . 1 6 8 . 0 . 1 0 ” , 5 0 2 ) ;

m o d b u s s e t e r r o r r e c o v e r y ( Device , MODBUS ERROR RECOVERY LINK ) ;

r e a d c o u n t = m o d b u s r e a d r e g i s t e r s ( Device , 9 0 0 0 , 4 , i n r e g w o r d ) ;

p r i n t f ( ”Number

o f

r e g i s t e r s

r e a d

p r i n t f ( ” Value

o f

r e g i s t e r

49001

p r i n t f ( ” Value

o f

r e g i s t e r

49002

p r i n t f ( ” Value

o f

r e g i s t e r

49003

p r i n t f ( ” Value

o f

r e g i s t e r

49004

m o d b u s c l o s e ( D e v i c e ) ; m o d b u s f r e e ( D e v i c e ) ;

\n” , r e a d c o u n t ) ;

\n” ,	i n r e g	w o r d [ 0 ] ) ;
\n” ,	i n r e g	w o r d [ 1 ] ) ;

\n” ,	i n r e g	w o r d [ 2 ] ) ;
\n” ,	i n r e g	w o r d [ 3 ] ) ;

return r e a d c o u n t ;

}

Note how the starting address passed to the read function is speciﬁed in relative form (9000), when in fact the desired absolute starting address inside the device is 49001. The result of running this code is shown here, the Modbus device in question being an Emerson Smart Wireless Gateway at 4:00 PM (i.e. 16:00 military time) on March 22, 2016. These four registers (49001 through 49004) happen to contain date and time information (year, month, day, and hour) stored in the device:

Number of registers read = 4

Value of register 49001 = 2016

Value of register 49002 = 3

Value of register 49003 = 22

Value of register 49004 = 16

15.11. MODBUS

1119

This next listing shows similar code (also written in the C language79) accessing 16-bit integer data from three Modbus “analog input” registers (absolute addresses 30015 through 30017) via Modbus/TCP from the same device as before:

C code listing

#include <s t d i o . h> #include <modbus . h>

modbus t D e v i c e ;

int main ( void )

{

int r e a d c o u n t ;

u i n t 1 6 t i n r e g w o r d [ 3 ] ;

D e v i c e = modbus new tcp ( ” 1 9 2 . 1 6 8 . 0 . 1 0 ” , 5 0 2 ) ;

m o d b u s s e t e r r o r r e c o v e r y ( Device , MODBUS ERROR RECOVERY LINK ) ;

r e a d c o u n t = m o d b u s r e a d i n p u t r e g i s t e r s ( Device , 1 4 , 3 , i n r e g w o r d ) ;

p r i n t f ( ”Number

o f

r e g i s t e r s

r e a d

\n” ,

r e a d c o u n t ) ;

p r i n t f ( ” Value

o f

r e g i s t e r

30015

\n” ,

i n r e g

w o r d [ 0 ] ) ;

p r i n t f ( ” Value

o f

r e g i s t e r

30016

\n” ,

i n r e g

w o r d [ 1 ] ) ;

p r i n t f ( ” Value

o f

r e g i s t e r

30017

\n” ,

i n r e g

w o r d [ 2 ] ) ;

m o d b u s c l o s e ( D e v i c e ) ; m o d b u s f r e e ( D e v i c e ) ;

return r e a d c o u n t ;

}

Note once again how the relative starting address speciﬁed in the code (14) maps to the absolute Modbus register address 30015, since analog input registers begin with the address 30001 and relative addresses begin at 0.

79This C-language code is typed and saved as a plain-text ﬁle on the computer, and then a compiler program is run to convert this “source” code into an “executable” ﬁle that the computer may then run. The compiler I use on my Linux-based systems is gcc (the GNU C Compiler). If I save my Modbus program source code to a ﬁle named tony modbus.c, then the command-line instruction I will need to issue to my computer instructing GCC to compile this source code will be gcc tony modbus.c -lmodbus. The argument -lmodbus tells GCC to “link” my code to the code of the pre-installed libmodbus library in order to compile a working executable ﬁle. By default, GCC outputs the executable as a ﬁle named a.out. If I wish to rename the executable something more meaningful, I may either do so manually after compilation, or invoke the “outﬁle” option of gcc and specify the desired executable ﬁlename: (e.g. gcc -o tony.exe tony modbus -lmodbus). Once compiled, the executable ﬁle many be run and the results of the Modbus query viewed on the computer’s display.

1120	CHAPTER 15. DIGITAL DATA ACQUISITION AND NETWORKS

When using the libmodbus C/C++ library, the distinction between reading “analog input” registers (address range 30001 to 39999) and “holding” registers (address range 40001 to 49999) is made by the particular libmodbus function called. To read “analog input” registers in the 3XXXX address range, you use the modbus read input registers() function. To read “holding” registers in the 4XXXX address range, you use the modbus read registers() function. This subtle di erence in function names is important. Refer back to the two previous code examples to verify for yourself which function call is used in each of the register-reading applications.

15.11.5Modbus function command formats

Every Modbus data frame, whether ASCII or RTU mode, has a ﬁeld designated for “data.” For each Modbus function, the content of this “data” ﬁeld follows a speciﬁc format. It is the purpose of this subsection to document the data formats required for common Modbus functions, both the “Query” message transmitted by the Modbus master device to a slave device, and the corresponding “Response” message transmitted back to the master device by the queried slave device.

Since each Modbus data frame is packaged in multiples of 8 bits (RTU), they are usually represented in text as individual bytes (two hexadecimal characters). For example, a 16-bit “word” of Modbus data such as 1100100101011011 would typically be documented as C9 5B with a deliberate space separating the “high” (C9) and “low” (5B) bytes.

15.11. MODBUS

1121

Function code 01 – Read Coil(s)

This Modbus function reads the statuses of slave device discrete outputs (“coils”) within the slave device, returning those statuses in blocks of eight (even if the “number of coils” speciﬁed in the query is not a multiple of eight!). Relevant Modbus addresses for this function range from 00001 to 09999 (decimal) but the starting address is a hexadecimal number representing the (n −1)th register from the beginning of this range (e.g. decimal address 00100 would be speciﬁed as hexadecimal 00 63).

Query message (Function code 01)

Slave

Function

Data

Error

Start

address

code

Starting

Number

check

End

address

of coils

Start

Stop

Response message (Function code 01)

Slave

Function

Data

Error

Start

address

code

Number

First byte

Second byte

Third byte

check

End

of bytes

(8 coils)

Start

Stop

Note that the second and third bytes representing coil status are shown in grey, because their existence assumes more than one byte worth of coils has been requested in the query.

1122	CHAPTER 15. DIGITAL DATA ACQUISITION AND NETWORKS

Function code 02 – Read Contact(s)

This Modbus function reads the statuses of slave device discrete inputs (“contacts”) within the slave device, returning those statuses in blocks of eight (even if the “number of contacts” speciﬁed in the query is not a multiple of eight!). Relevant Modbus addresses for this function range from 10001 to 19999 (decimal), but the starting address is a hexadecimal number representing the (n−1)th register from the beginning of this range (e.g. decimal address 10256 would be speciﬁed as hexadecimal 00 FF).

Query message (Function code 02)

Slave

Function

Data

Error

Start

address

code

Starting

Number

check

End

address

of contacts

Start

Stop

Response message (Function code 02)

Slave

Function

Data

Error

Start

address

code

Number

First byte

Second byte

Third byte

check

End

of bytes

(8 contacts)

Start

Stop

15.11. MODBUS

1123

Function code 03 – Read Holding Register(s)

This Modbus function reads the statuses of “holding” registers within the slave device, with the size of each register assumed to be two bytes (16 bits). Relevant Modbus addresses for this function range from 40001 to 49999 (decimal), but the starting address is a hexadecimal number representing the (n −1)th register from the beginning of this range (e.g. decimal address 40980 would be speciﬁed as hexadecimal 03 D3).

Query message (Function code 03)

Slave

Function

Data

Error

Start

address

code

Starting

Number

check

End

address

of registers

Start

Stop

Response message (Function code 03)

Slave

Function

Data

Error

Start

address

code

Number

First

Second

Third

check

End

of bytes

Start

Stop

Note that since the query message speciﬁes the number of registers (each register being two bytes in size), and the response message replies with the number of bytes, the response message’s “number of bytes” ﬁeld will have a value twice that of the query message’s “number of registers” ﬁeld. Note also that the maximum number of registers which may be requested in the query message (65536) with “high” and “low” byte values grossly exceeds the number of bytes the response message can report (255) with its single byte value.

1124	CHAPTER 15. DIGITAL DATA ACQUISITION AND NETWORKS

Function code 04 – Read Analog Input Register(s)

This Modbus function is virtually identical to 03 (Read Holding Registers) except that it reads “input” registers instead: addresses 30001 through 39999 (decimal). As with all the Modbus relative addresses, the starting address speciﬁed in both messages is a hexadecimal number representing the (n − 1)th register from the beginning of this range (e.g. decimal address 32893 would be speciﬁed as hexadecimal 0B 4C).

Query message (Function code 04)

Slave

Function

Data

Error

Start

address

code

Starting

Number

check

End

address

of registers

Start

Stop

Response message (Function code 04)

Slave

Function

Data

Error

Start

address

code

Number

First

Second

Third

check

End

of bytes

Start

Stop

15.11. MODBUS

1125

Function code 05 – Write (Force) Single Coil

This Modbus function writes a single bit of data to a discrete output (“coil”) within the slave device. Relevant Modbus addresses for this function range from 00001 to 09999 (decimal) but the starting address is a hexadecimal number representing the (n −1)th register from the beginning of this range (e.g. decimal address 07200 would be speciﬁed as hexadecimal 1C 1F).

Query/Response message (Function code 05)

		Slave	Function		Data			Error
	Start	address	code	Coil		Force data		check	End
				address
		XX	05	Hi	Lo	Hi	Lo	XX
				Hi	Lo	Hi	Lo

Start									Stop

The “force data” for a single coil consists of either 00 00 (force coil o ) or FF 00 (force coil on). No other data values will su ce – anything other than 00 00 or FF 00 will be ignored by the slave device.

A normal response message will be a simple echo (verbatim repeat) of the query message.

Function code 06 – Write (Preset) Single Holding Register

This Modbus function writes data to a single “holding” register within the slave device. Relevant Modbus addresses for this function range from 40001 to 49999 (decimal) but the starting address is a hexadecimal number representing the (n − 1)th register from the beginning of this range (e.g. decimal address 40034 would be speciﬁed as hexadecimal 00 21).

Query/Response message (Function code 06)

		Slave	Function		Data			Error
	Start	address	code	Register		Preset		check	End
				address		data
		XX	06	Hi	Lo	Hi	Lo	XX
				Hi	Lo	Hi	Lo

Start									Stop

A normal response message will be a simple echo (verbatim repeat) of the query message.

1126	CHAPTER 15. DIGITAL DATA ACQUISITION AND NETWORKS

Function code 15 – Write (Force) Multiple Coils

This Modbus function writes multiple bits of data to a set of discrete outputs (“coils”) within the slave device. Relevant Modbus addresses for this function range from 00001 to 09999 (decimal) but the starting address is a hexadecimal number representing the (n − 1)th register from the beginning of this range (e.g. decimal address 03207 would be speciﬁed as hexadecimal 0C 86).

Query message (Function code 15)

Slave

Function

Data

Error

Start

address

code

Starting

Number of

Force data

check

End

address

coils

bytes

first word

second word

Start

Stop

Response message (Function code 15)

Slave

Function

Data

Error

Start

address

code

Starting

Number of

check

End

address

coils

Start

Stop

Note that the query message speciﬁes both the number of coils (bits) and the number of bytes.

15.11. MODBUS

1127

Function code 16 – Write (Preset) Multiple Holding Register

This Modbus function writes multiple words of data to a set of “holding” registers within the slave device. Relevant Modbus addresses for this function range from 40001 to 49999 (decimal) but the starting address is a hexadecimal number representing the (n − 1)th register from the beginning of this range (e.g. decimal address 47441 would be speciﬁed as hexadecimal 1D 10).

Query message (Function code 16)

Slave

Function

Data

Error

Start

address

code

Starting

Number of

Preset data

check

End

address

registers

bytes

first register

second register

Start

Stop

Response message (Function code 16)

Slave

Function

Data

Error

Start

address

code

Starting

Number of

check

End

address

registers

Start

Stop

Note that the query message speciﬁes both the number of registers (16-bit words) and the number of bytes, which is redundant (the number of bytes must always be twice the number of registers, given that each register is two bytes80 in size). Note also that the maximum number of registers which may be requested in the query message (65536) with “high” and “low” byte values grossly exceeds the number of bytes the response message can report (255) with its single byte value.

80Even for devices where the register size is less than two bytes (e.g. Modicon M84 and 484 model controllers have 10 bits within each register), data is still addressed as two bytes’ worth per register, with the leading bits simply set to zero to act as placeholders.

1128	CHAPTER 15. DIGITAL DATA ACQUISITION AND NETWORKS

15.11.6Floating-point values in Modbus

The ANSI/IEEE 754-1985 standard for ﬂoating-point data representation speciﬁes 32 bits for the most basic (“single-precision”) form of ﬂoating-point number. Modbus input and holding registers, however, are speciﬁed by the Modbus standard to be 16 bits each. Therefore, if we wish to read or write a ﬂoating-point value within a Modbus slave device, we must issue a Modbus command to read or write two 16-bit registers representing the one 32-bit ﬂoating-point value. The task of piecing together two 16-bit numbers into a single 32-bit number, or splitting apart one 32-bit number into two 16-bit numbers, is left to the master device. If the master device in question is a modern PLC or HMI unit, this 16/32 bit conversion is most likely handled by the Modbus read/write instruction, so that all you must do is specify the ﬁrst Modbus address for the pair of registers and the read/write instruction takes care of all other details. If, however, you are programming a computer using a low-level language, you must contend with these details in your own code.

A signiﬁcant problem here is a lack of standardization among Modbus device manufacturers regarding exactly how 32-bit ﬂoating-point numbers are to be split up into two 16-bit register values. Some manufacturers simply take the 32 bits of the ﬂoating-point number and break them up into two sequential 16-bit numbers in order (denoted “ABCD” ordering, with each letter representing one byte of the original 32-bit ﬂoating-point number). Others reverse the order of the ﬁrst and second 16-bit pieces (i.e. “CDAB” byte ordering). Others yet treat the 32-bit ﬂoating-point value as a set of four independent bytes which may be shu ed in any of several di erent orderings (e.g. “BADC”, “DCBA”, etc.). The Modbus standard o ers no guidance on this matter, leaving the choice up to device manufacturers.

When programming in the C or C++ computer languages, a convenient strategy for splicing or splitting these di erent bit-length numbers is to make use of the union structure. A “union” in these languages is a reserved space in the computer’s memory which may be addressed by elements of di erent bit-length. For example, the following snippet of C code shows how to declare a union called junk which is 32 bits in size, and which may be addressed as a single 32-bit ﬂoating-point value called junk.fp, or as two 16-bit integer values called junk.intg[0] and junk.intg[1], or as four 8-bit values called junk.by[0] through junk.by[3]:

C code listing

union {

f l o a t f p ;

u i n t 1 6 t i n t g [ 2 ] ; u i n t 8 t by [ 4 ] ;

} junk ;

This union could be written with 32 bits of data (in one step, as a ﬂoating-point value) and then read as either two 16-bit values and/or as four 8-bit values. The union structure gives any software developer the ability to reference a common area of computer memory as di erent number types.

15.11. MODBUS

1129

The following code is a complete program reading two consecutive 16-bit “analog input” registers at addresses 30020 and 30021 and combining them into a single 32-bit ﬂoating-point value with “CDBA” ordering. Both the original 16-bit register values as well as the ﬁnal ﬂoating-point value are displayed on the computer’s screen upon execution:

C code listing

#include <s t d i o . h> #include <modbus . h>

modbus t D e v i c e ;
int main ( void )
{
int r e a d c o u n t ;
union {
u i n t 1 6 t	word [ 2 ] ;
u i n t 8 t byte [ 4 ] ;
} i n ;
union {
f l o a t r e a l ;
u i n t 8 t byte [ 4 ] ;
} out ;
D e v i c e = modbus new tcp ( ” 1 9 2 . 1 6 8 . 0 . 1 0 ” ,			5 0 2 ) ;
m o d b u s s e t	e r r o r r e c o v e r y	( Device , MODBUS ERROR RECOVERY LINK ) ;
r e a d c o u n t	= m o d b u s r e a d	i n p u t r e g i s t e r s	( Device , 1 9 , 2 , i n . word ) ;

p r i n t f ( ” Value

o f

16− b i t

r e g i s t e r

30020

p r i n t f ( ” Value

o f

16− b i t

r e g i s t e r

30021

\n” , i n . word [ 0 ] ) ;

\n” , i n . word [ 1 ] ) ;

out . byte [ 0 ]	=	i n . byte [ 2 ] ;
out . byte [ 1 ]	=	i n . byte [ 3 ] ;

out . byte [ 2 ]	=	i n . byte [ 0 ] ;
out . byte [ 3 ]	=	i n . byte [ 1 ] ;

p r i n t f ( ” Value o f 32− b i t f l o a t i n g −p o i n t number = %f \n” , out . r e a l ) ;

m o d b u s c l o s e ( D e v i c e ) ; m o d b u s f r e e ( D e v i c e ) ;

return r e a d c o u n t ;

}

1130	CHAPTER 15. DIGITAL DATA ACQUISITION AND NETWORKS

This program utilizes a pair of 32-bit unions (one called in and the other called out) to do the byte-swapping. First, the two 16-bit registers read by the modbus read input registers() function are stored in the in structure as two 16-bit “words” addressed in.word[0] and in.word[1]. Then, those two words’ worth of data are addressed as four bytes, each one written to a di erent place within the out union by the four assignment statements. Note how out.byte[0] is assigned the value stored within in.byte[2] and so on: this is how the CDBA ordering is speciﬁed. One could specify ABCD ordering or DCBA ordering or any other combination of those four bytes by assigning the four out bytes to values of di erent in bytes, and the code would be just as straightforward to understand.

If you are fortunate enough, the Modbus library you are using will come complete with functions designed to take pairs of 16-bit registers and convert them into single ﬂoating-point numbers. At the time of this writing (2016), the free libmodbus library o ers such functions. One of those functions (modbus get float()) is shown here for illustrative purposes, reading the contents of analog input registers 32999 and 33000 and displaying the converted (“ABCD”-ordered) ﬂoating-point value:

C code listing

#include <s t d i o . h> #include <modbus . h>

modbus t

D e v i c e ;

int main ( void )

{

int r e a d c o u n t ;

u i n t 1 6

t word [ 2 ] ;

f l o a t

r e a l ;

D e v i c e

= modbus new tcp

( ” 1 9 2 . 6 8 . 0 . 1 0 ” ,

5 0 2 ) ;

m o d b u s s e t e r r o r

r e c o v e r y

( Device , MODBUS ERROR RECOVERY LINK ) ;

r e a d c o u n t =

m o d b u s r e a d

i n p u t

r e g i s t e r s ( Device ,

2 9 9 8 , 2 , word ) ;

p r i n t f ( ” Value

o f

16− b i t

r e g i s t e r

32999

\n” ,

word [ 0 ] ) ;

p r i n t f ( ” Value

o f

16− b i t

r e g i s t e r

33000

\n” ,

word [ 1 ] ) ;

r e a l =

m o d b u s g e t f l o a t ( word ) ;

p r i n t f ( ” Value

o f

32− b i t

f l o a t i n g −p o i n t

number

\n” , r e a l ) ;

m o d b u s c l o s e ( D e v i c e ) ;

m o d b u s f r e e ( D e v i c e ) ;

return r e a d c o u n t ;

}

<<< < Предыдущая 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 2627 / 3427 28 29 30 31 32 33 34 > Следующая >>>

Соседние файлы в предмете Автоматизированные системы управления технологическим процессом

#
25.06.20234.32 Mб9Lessons In Industrial Instrumentation-17.pdf
#
25.06.20231.67 Mб5Lessons In Industrial Instrumentation-2.pdf
#
25.06.20232.69 Mб5Lessons In Industrial Instrumentation-3.pdf
#
25.06.20237.84 Mб7Lessons In Industrial Instrumentation-4.pdf
#
25.06.20233.92 Mб11Lessons In Industrial Instrumentation-5.pdf
#
25.06.20232.13 Mб6Lessons In Industrial Instrumentation-6.pdf
#
25.06.20234.71 Mб7Lessons In Industrial Instrumentation-7.pdf
#
25.06.20233.85 Mб7Lessons In Industrial Instrumentation-8.pdf
#
25.06.20235.66 Mб11Lessons In Industrial Instrumentation-9.pdf