OEMax wins

Download Report

Transcript OEMax wins 

TM
SM
Maximum Value for OEMs
From Rockwell Automation
Using Modbus Protocol with OEMax
Products
Feb 26 ~ Mar 2, 2007
K.J Kim
RAK OBB Strategic Marketing
Maximum Value for OEMs
SM
What is Modbus ?
Introduced by Modicon ,1979
Modbus communication interface for a multidrop network based on a
master/client architecture
Connection Type: RS-232, RS-485, TCP/IP
Message based Communication
Field
Description
Device Address
Address of Receiver
Function Code
Code defining Message Type
Data
Data Block with additional information
Error Check
Numeric Check value to test for communication errors
(LRC / CRC)
Coil : Discrete Output Value
2
Modbus Communication Stack
Only, explain
Modbus RS-232C
In this training
3
Modbus Network Architecture
4
Modbus Serial Transmission Modes
Two Modbus Serial Modes
Modbus/ASCII ASCII Code Format
Modbus/RTU (Remote Terminal Unit)  Binary Format
Modbus/ASCII
Modbus/RTU
Characters
ASCII 0~9, A~F
Binary 0 ~ 255
Error Check
LRC(Longitudinal Redundancy Check)
CRC(Cyclic Redundancy Check)
Frame Start
Characters [:]
Frame End
Characters [CR][LF]
Gaps in
Message
1 Sec
Start Bit
1
1
Data Bits
7
8
Parity
Stop Bits
Even/Odd
None
Even/Odd
None
1
2
1
2
5
General Modbus Frame
General Modbus Frame
PDU (Protocol Data Unit)
Additional Address
Function Code
Data
Error Check
ADU (Application Data Unit)
6
Modbus Addressing
Device and Modbus address ranges
Device Address
Modbus Address
Description
1 … 10000
Address – 1
Coils (Outputs)
10001 … 20000
Address – 10001
Inputs
40001 …50000
Address - 40001
Holding Registers
 Maximum Value is device dependent.
All Registers will be assigned a number between 1 and 10000
Modbus message addresses are used a number between 0 and 9999
So, To access correctly, You must subtract -1 (or -10001 or -40001)
[Example] If you want to read Output coil 18, You must use value 17 in
Modbus message
7
Modbus Function Code
Common Modbus Function Code
Code
Description
Code
Description
01
Read Coil Status
16
Preset Multiple Registers
02
Read Input Status
17
Report Slave ID
03
Read Holding Register
20
Read File Record
04
Read Input Register
21
Write File Record
05
Force Single Coil
22
Mask Write Register
06
Preset Single Register
23
Read/Write Multiple Registers
07
Read Exception Status
24
Read FIFO Queue
08
Diagnostics
43
Encapsulated Interface Transport
11
Get Comm. Event Counter
43/13
CANopen General Reference Request
and Response
12
Get Comm Event Log
43/14
Read Device Identification
15
Force Multiple Coils
NX Series PLC supports these kinds of Functions which are blue color.
8
Function 01 : Read Coil Status
Function 01 : Query Structure
Byte
Value
1
1 … 247
2
1
3
Description
Function 01 : Answer Structure
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
1
0 … 255
Starting address, High byte
3
0 … 255
Number of data bytes N
4
0 … 255
Starting address, Low byte
4..N+3
0 … 255
Bit pattern of coil values
5
0 … 255
Number of coils, High byte
N+4(..N+5)
LRC/CRC
6
0 … 255
Number of coils, Low byte
7(..8)
LRC/CRC
Slave device address
Function Code
Error check value
Error check value
This sample is “Read Coils 20 (0x14) to 56 (0x38) from device 17 ((0x11)”
Field Name
Field Name
Example (Hex)
Example (Hex)
Slave Address
11
Function
01
Byte Count
05
Data (Coil 27-20)
CD
13
Data (Coil 35-28)
6B
No. of Points High
00
Data (Coil 43-36)
B2
No. of Points Low
25
Data (Coil 51-44)
OE
Error Check
--
Data (Coil 56-52)
1B
Error Check
--
Slave Address
11
Function
01
Starting Address High
00
Starting Address Low
The Address will be 0013H because 20-1=19=13H.
9
Function 02 : Read Input Status
Function 02 : Query Structure
Byte
Value
1
1 … 247
2
2
3
Function 02 : Answer Structure
Description
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
2
0 … 255
Starting address, High byte
3
0 … 255
Number of data bytes N
4
0 … 255
Starting address, Low byte
4..N+3
0 … 255
Bit pattern of coil values
5
0 … 255
Number of coils, High byte
N+4(..N+5)
LRC/CRC
6
0 … 255
Number of coils, Low byte
7(..8)
LRC/CRC
Slave device address
Function Code
Error check value
Error check value
This sample is “Read Inputs 10197 ~ 10218 from device 17”
Field Name
Field Name
Example (Hex)
Example (Hex)
Slave Address
11
Function
02
Byte Count
03
Data (Inputs 10204~10197)
AC
C4
Data (Inputs 10212~10205)
DB
No. of Points High
00
Data (Inputs 10218~10213)
35
No. of Points Low
16
Error Check
--
Error Check
--
Slave Address
11
Function
02
Starting Address High
00
Starting Address Low
The Address will be 00C4H because 10197-10001=196 =C4H .
10
Function 03 : Read Holding Registers
Function 03 : Query Structure
Byte
Value
1
1 … 247
2
3
3
Description
Function 03 : Answer Structure
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
3
0 … 255
Starting address, High byte
3
0 … 255
Number of data bytes N
4
0 … 255
Starting address, Low byte
4..N+3
0 … 255
Bit pattern of coil values
5
0 … 255
Number of coils, High byte
N+4(..N+5)
LRC/CRC
6
0 … 255
Number of coils, Low byte
7(..8)
LRC/CRC
Slave device address
Function Code
Error check value
Error check value
This sample is “Read Register 40108 ~ 40110 from device 17”
Field Name
Field Name
Example (Hex)
Example (Hex)
Slave Address
11
Function
03
Byte Count
06
Data High (Register 40108)
02
6B
Data Low (Register 40108)
2B
No. of Points High
00
Data High (Register 40109)
00
No. of Points Low
03
Data Low (Register 40109)
00
Error Check
--
Data High (Register 40110)
00
Data Low (Register 40110)
64
Error Check
--
Slave Address
11
Function
03
Starting Address High
00
Starting Address Low
The Address will be 006BH because 40108-40001=107=
6BH.
11
Function 04 : Read Input Registers
Function 04 : Query Structure
Byte
Value
1
1 … 247
2
4
3
Description
Function 04 : Answer Structure
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
4
0 … 255
Starting address, High byte
3
0 … 255
Number of data bytes N
4
0 … 255
Starting address, Low byte
4..N+3
0 … 255
Bit pattern of coil values
5
0 … 255
Number of coils, High byte
N+4(..N+5)
LRC/CRC
6
0 … 255
Number of coils, Low byte
7(..8)
LRC/CRC
Slave device address
Function Code
Error check value
Error check value
This sample is “Read Register 30009 from device 17”
Field Name
Example (Hex)
Field Name
Example (Hex)
Slave Address
11
Slave Address
11
Function
04
Function
04
Starting Address High
00
Byte Count
02
Starting Address Low
08
Data High (Register 30009)
00
No. of Points High
00
Data Low (Register 30009)
0A
No. of Points Low
01
Error Check
--
Error Check
--
The Address will be 0008H because 30009-30001=8.
12
Function 05 : Force Single Coil
Function 05 : Query Structure
Byte
Value
1
1 … 247
2
5
3
Description
Function 05 : Answer Structure
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
5
0 … 255
Starting address, High byte
3
0 … 255
Number of data bytes N
4
0 … 255
Starting address, Low byte
4..N+3
0 … 255
Bit pattern of coil values
5
0 … 255
Number of coils, High byte
N+4(..N+5)
LRC/CRC
6
0 … 255
Number of coils, Low byte
7(..8)
LRC/CRC
Slave device address
Function Code
Error check value
Error check value
This sample is “Request to Force Coil 173 ON in Slave Device 17”
Field Name
Example (Hex)
Field Name
Example (Hex)
Slave Address
11
Slave Address
11
Function
05
Function
05
Coil Address High
00
Coil Address High
00
Coil Address Low
AC
Coil Address Low
AC
Force Data High
FF
Force Data High
FF
Force Data Low
00
Force Data Low
00
Error Check
--
Error Check
--
The Address will be 0xAC because 173-1=172=0xAC
FF00  ON, 0000OFF
13
Function 06 : Preset Single Register
Function 06 : Query Structure
Byte
Value
1
1 … 247
2
6
3
Description
Function 06 : Answer Structure
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
6
0 … 255
Starting address, High byte
3
0 … 255
Number of data bytes N
4
0 … 255
Starting address, Low byte
4..N+3
0 … 255
Bit pattern of coil values
5
0 … 255
Number of coils, High byte
N+4(..N+5)
LRC/CRC
6
0 … 255
Number of coils, Low byte
7(..8)
LRC/CRC
Slave device address
Function Code
Error check value
Error check value
This sample is “Request to preset register 40002 to 00 03 in Slave Device 17”
Field Name
Example (Hex)
Field Name
Example (Hex)
Slave Address
11
Slave Address
11
Function
06
Function
06
Register Address High
00
Register Address High
00
Register Address Low
01
Register Address Low
01
Preset Data High
00
Preset Data High
00
Preset Data Low
03
Preset Data Low
03
Error Check
--
Error Check
--
The Address will be 0001H because 40002-40001=1.
14
Function 07 : Read Exception Status
Function 07 : Query Structure
Byte
Value
1
1 … 247
2
7
7(..8)
LRC/CRC
Description
Function 07 : Answer Structure
Byte
Value
Slave device address
1
1 … 247
Function Code
2
7
Error check value
3
0 … 255
N+4(..N+5)
LRC/CRC
Description
Slave device address
Function Code
Coil Data
Error check value
This sample is “Request to Read Exception Status in Slave Device 17”
Field Name
Example (Hex)
Field Name
Example (Hex)
Slave Address
11
Slave Address
11
Function
07
Function
07
Error Check
--
Coil Data
6D
Error Check
--
15
Function 15 : Force Multiple Coils
Function 15 : Query Structure
Byte
Value
1
1 … 247
2
15
3
Function 15 : Answer Structure
Description
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
15
0 … 255
Coil Address, High byte
3
0 … 255
Coil Address, High byte
4
0 … 255
Coil Address, Low byte
4
0 … 255
Coil Address, Low byte
5
0 … 255
Quantity of coils, High byte
5
0 … 255
Quantity of Coils, High Byte
6
0 … 255
Quantity of coils, Low byte
6
0 … 255
Quantity of Coils, Low Byte
7
0 … 255
Byte Count
7(..8)
LRC/CRC
8
0 … 255
Force Data, High Byte
9
0 … 255
Force Data, Low Byte
10(..11)
LRC/CRC
Slave device address
Function Code
Error check value
Error check value
This sample is “Request to Force 10 Coils starting at coil 20 in Slave Device 17”
Field Name
Example (Hex)
Field Name
Example (Hex)
Slave device address
11
Slave device address
11
Function Code
0F
Function Code
0F
Coil Address, High byte
00
Coil Address, High byte
00
Coil Address, Low byte
13
Coil Address, Low byte
13
Quantity of coils, High byte
00
Quantity of Coils, High Byte
00
Quantity of coils, Low byte
0A
Quantity of Coils, Low Byte
0A
Byte Count
02
Error check value
--
Force Data, High Byte
CD
Force Data, Low Byte
01
Error check value
--
16
Function 16 : Preset Multiple Registers
Function 16 : Query Structure
Function 16 : Answer Structure
This sample is “Request to preset two registers starting at 40002 to 00 0A and 01 02 in Device 17
Byte
Value
Description
1
1 … 247
2
16
3
Field Name
Example (Hex)
Slave device address
Slave device address
11
Function Code
Function Code
10
0 … 255
Starting Address, High byte
Starting Address, High byte
00
4
0 … 255
Starting Address, Low byte
Starting Address, Low byte
01
5
0 … 255
No. of Registers, High byte
No. of Registers, High byte
00
6
0 … 255
No. of Registers, Low byte
No. of Registers, Low byte
02
7
0 … 255
Byte Count
Byte Count
04
8
0 … 255
Data, High Byte
Data, High Byte
00
9
0 … 255
Data, Low Byte
Data, Low Byte
0A
10
0 … 255
Data, High Byte
Data, High Byte
01
11
0 … 255
Data, Low Byte
Data, Low Byte
02
12(..13)
LRC/CRC
Error check value
Error check value
--
Byte
Value
1
1 … 247
2
16
3
Description
Field Name
Example (Hex)
Slave device address
Slave device address
11
Function Code
Function Code
10
0 … 255
Starting Address, High byte
Starting Address, High byte
00
4
0 … 255
Starting Address, Low byte
Starting Address, Low byte
01
5
0 … 255
No. of Registers, High Byte
No. of Registers, High Byte
00
6
0 … 255
No. of Registers, Low Byte
No. of Registers, Low Byte
02
7(..8)
LRC/CRC
Error check value
Error check value
--
17
Function 17 : Report Slave ID
Function 11 : Query Structure
Byte
Value
1
1 … 247
2
17
3(..4)
LRC/CRC
Description
Function 11 : Answer Structure
Byte
Value
Description
Slave device address
1
1 … 247
Function Code
2
17
Error check value
3
0 … 255
Byte Count
4
0 … 255
Slave ID
5
Run Indicator Status
6
Additional Data
N+7(..N+8)
LRC/CRC
Slave device address
Function Code
0x00=OFF, 0xFF=ON
Device Specific
Error check value
This sample is “Request to Report ID and Status of Slave Device 17”
Field Name
Example (Hex)
Field Name
Example (Hex)
Slave Address
11
Slave device address
11
Function
11
Function Code
11
Error Check
--
Byte Count
Device Specific
Slave ID
Device Specific
0x00=OFF, 0xFF=ON
Device Specific
Error check value
0x00 or 0xFF
Additional Data
--
18
Samples
Master Query with ASCII/RTU
Framing
Slave Response with ASCII/RTU
Framing
19
Communication with NX Series PLC
To operate Modbus RTU, Must Enable F12.2 (Port1) or F12.9 (Port2)
Addresses Map for Modbus
Registe
r
Range
Bit Address
Word Address
Remark
R
R0 ~ R127 , 128 Words
0000 ~ 2047
0 ~ 127
External Relay Contact
L
L0 ~ L63 , 64 Words
2048 ~ 3071
128 ~ 191
Link Register
M
M0 ~ M127 , 128 Words
3072 ~ 5119
192 ~ 319
Internal Register
K
K0 ~ K127 , 128 Words
5120 ~ 7167
320 ~ 447
Keep Register
F
F0 ~ F15 , 16 Words
7168 ~ 7423
448 ~ 463
Flag Register
TC
TC0 ~ TC255 , 256 Bits
7424 ~ 7679
464 ~ 511
Timer/Counter Contact
W
W0 ~W2047 , 2048 Words
Not Available
512 ~ 2559
Word Register
SV
SV0 ~ SV255 , 256 Words
Not Available
2560 ~ 2817
Timer/Counter Setting Value
PV
PV0 ~ PV255 , Words
Not Available
2818 ~3071
Timer/Counter Current Value
SR
SR0 ~ SR511 , 512 Words
Not Available
3072 ~ 3583
System Register
NX7(S) : Port 1 – Slave , Port2 – Slave & Master
20
Communication with NX Series PLC
Let’s see Modbus/RTU Communication Sample Program which is
programmed by Visual Basic.Net 2005.
21
Configuration Flag in NX Series PLC
Flag Bit
Function Description
State Description
Flag Word F11
F11.0
F11.1
F11.2
F11.3
F11.4
F11.5
F11.6
F11.7
F11.8
F11.9
F11.10
F11.11
F11.12
F11.13
F11.14
F11.15
Request Transmission
Indicates Transmission Failure
Enables the Start Code in ASCII mode
Enables the End Code in ASCII mode
Indicates that a message has been received
Clears the Receive Buffer
Indicates a Port Overrun Failure
Indicates a Receive Failure (e.g. bad CRC)
Enable Conversion of ASCII data to Binary
Ignore Receive Errors
Enable Parity Setting
Select ODD or EVEN Parity
Select the Number of Data Bits
Select ASCII or Binary Communications
Reserved
Enable Automatic CRC mode
0: No operation
0: Normal
0: No Start Code
0: No End Code
0: No message
0:
0: Normal
0:
0: Enabled
0: Signal Error
0: Disabled
0: ODD
0: 7 Bits
0: ASCII
0: Disabled
1: Start Transmission
1: Transmission Error
1: Start Code Enabled
1: End Code Enabled
1: Message Received
1: Clear Receive Buffer
1: Overrun Error
1: Receive Error
1: Disabled
1: Ignore Error
1: Enabled
1: EVEN
1: 8 Bits
1: Binary
Do not use
1: Enabled
Flag Word F12
F12.0
F12.1
F12.2
F12.3
F12.5
F12.7
F12.8
F12.9
F12.10
F12.11
F12.12
F12.13
F12.14
Indicates RTC existence
Indicates Remote Map enable/disable
Enable Port 1 MODBUS RTU Communications (MODBUS)
Indicates Flash Memory existence
Indicates Battery Error
Indicates constant cycle scan error
Enable User-Defined Communications (UD)
Enable Port 2 MODBUS RTU Communications (MODBUS)
Indicates RTC setting error
Indicates successful saving of program to Flash memory and
booting
EEPROM backup check
RTC Setting 1
RTC Setting 2
F12.15
Saving program to Flash memory
0: No RTC
1 : RTC exist
ON when remote I/O map is enabled
0: Disabled
1: Enabled
0: Not Exist
1: Exist
0: Normal
1: Error
0: Normal
1: Error
0: Disabled
1: Enabled
0: Disabled
1: Enabled
0: Normal
1: Error
OFF when the program is normally saved to Flash memory by
setting F12.15 to ON
ON when the program in EEPROM is the same with that in RAM
ON when change the year, month, day or day of week
ON when change the hour, minute, or second.
OFF when data setting is done normally
ON when save program to Flash memory
When F12.2 or F12.9 are set, Port1 or 2 of CPU will be configured to support Modbus RTU slave protocol.
22
Communication System Register
Special Register (SR298 ~ SR373) is provided for holding the data
transmitted and received
System Registers
Description
Explanation
SR298 ~ SR333
Transmit Data Buffer
Holds up to 36 words of data to be transmitted
SR334 ~ SR369
Receive Data Buffer
Holds up to 36 words of received data
SR370
Transmit Data Length
Number of Bytes to be transmitted
SR371
Receive Data Length
Number of Bytes that have been received
SR372
Start Code
Start code for ASCII Comm.– one byte, high byte unused
SR373
End Code
End code for ASCII Comm. – one byte, high byte unused
23
Calculation CRC
Slave
Address
Function
Code
CRC Calculation Scope
Data
CRC L
CRC H
2 Byte CRC
CRC = 65535
For i = 0 To PL - 1
CRC = Int(CRC / 256) Xor CRCTable((CRC Xor DATABLOCK(i)) And 255)
Next i
CRC : Cyclic Redundancy Check
24
Communication with NXIO-MNA/232
25
Communication with AC Drive MSD
26
TM
Maximum Value for OEMs
SM
27
28