1 category

— Configuration & Programming

(Module 5 · Development & Implementation – Bringing Modbus to Life)

Learning objectives

  1. Configure three flagship PLC families (Siemens S7-1500, Rockwell ControlLogix, Beckhoff CX/TwinCAT3) as Modbus masters and slaves.
  2. Map internal tags/variables to Modbus register space without off-by-one mistakes.
  3. Write Ladder, Structured Text (ST), and Function-Block code that reads/writes coils and registers safely.
  4. Balance scan-cycle time, polling cadence, and watchdogs so Modbus never starves machine logic.
  5. Diagnose vendor-specific pitfalls (license bits, endian quirks, buffer limits) with a repeatable checklist.

18.1 Architecture patterns

PatternWhen usedNotes
PLC = MasterPLC orchestrates drives, RTUs, smart sensors80 % of brown-field retrofits
PLC = SlaveSCADA/HMI or upper-layer DCS polls PLCKeep write masks tight
PLC = Gateway (Master+Slave)PLC bridges OEM equipment to plant networkSeparate tasks, two ports

(Fig-18-1 placeholder: topology variants.)

18.2 Siemens S7-1500 (TIA Portal V18)

18.2.1 Hardware & licensing

  • CPU 1511-1 PN or higher.
  • CM 1241 RS-485 (for RTU) or inherent PROFINET port (for TCP).
  • No extra license for Modbus TCP; Modbus RTU requires open-user-communication blocks (free).

18.2.2 Master (Client) — Modbus TCP

  1. Project > Devices & Networks > Add new “Modbus TCP Connection”.
  2. Assign Remote IP.
  3. Drag a “MB_CLIENT” instruction into Cyclic OB1 or dedicated OB35 (10 ms).
    • REQ = TRUE every scan.
    • MB_MODE = 0 (Holding).
    • RECVD_LEN = MD10.
    • DATA_PTR = P#DB1.DBX0.0 BYTE 12.
  4. Build Register Map: create DB1 with array HR[0..125] : WORD.
  5. Download; watch DONE/ERROR bits.

Scan-cycle caveatMB_CLIENT uses ~2 ms CPU time per 125-reg read; place in lower-priority OB if logic is time-critical.

18.2.3 Slave (Server) — Modbus TCP

  1. Modbus TCP Server” object → enable on PN port.
  2. Add Holding area size (e.g., 200 WORDS).
  3. Map tags: MotorSpeedDB2.DBD0 (float, swap CDAB).
  4. Run; external master polls Unit ID = 1 (Siemens always “1”).

18.2.4 RTU over CM 1241

  • Load FB “MB_COMM_LOAD” once (hardware init).
  • Use FB “MB_MASTER” inside OB35.
  • Respect CM buffer = 240 bytes ⇒ max 60 registers per telegram.

(Listing 18-S7-ST : ST snippet reading HR40001..40006.)

18.3 Rockwell ControlLogix (Studio 5000 v35)

18.3.1 Hardware

  • 1756-EN2Tx (TCP) or 1756-MVI56E-MB ProSoft card (RTU & TCP).

18.3.2 Master via AOI “MSG_MODBUS”

  1. Add MSG instruction in rung.
  2. Configuration tab:
    • Type: Modbus TCP.
    • Func Code: 03.
    • Starting Address: 16#10 (for 40017).
    • Size: 6.
  3. Create a CIP‐DINT[6] tag for data; result auto-swaps BADC.
  4. Trigger MSG every 50 ms via TON done bit.

Rockwell quirk Word order is BADC; fix in SCADA or swap in code:

MOV   MyData[0]    FloatData[1]
MOV   MyData[1]    FloatData[0]
COP   #FloatData   Target 1

18.3.3 Slave (ProSoft MVI56E)

  • Import Add-On Profile; configure 10,000 HR, 2,000 Coils.
  • PLC tags map via MCM.CH0.HoldingReg[0] array.
  • Remember: ProSoft index 0-based = HR40001.

18.4 Beckhoff TwinCAT 3 (CX, IPC)

18.4.1 Project setup

  1. Add TF6250 Modbus TCP Server license (free runtime for 2 hrs without key).
  2. Insert Modbus TCP Server under “I/O”.

18.4.2 Slave mapping

  • Double-click server → “Tab Register”.
  • Example mapping:
    • HR0GVL.fSetpoint (TYPE REAL).
    • Endian: Big-endian word / little-endian byte (“DCBA”) toggle on column.

18.4.3 Master (Function-Block)

PROGRAM MAIN
VAR
    fbRead  : FB_MBMaster;
    dataArr : ARRAY[0..9] OF WORD;
END_VAR

fbRead(
    sNetId       := '',
    ipAddr       := '10.0.30.55',
    uiPort       := 502,
    eFunction    := eMBFunc_ReadHolding,
    uiQuantity   := 10,
    uiAddress    := 0,
    pData        := ADR(dataArr)
);

Call every task cycle (2 ms).

18.5 Generic tag-to-register mapping strategy

  1. Create spreadsheet: Tag, Type, Units, Direction, Suggested Reg.
  2. Sort by poll frequency → group contiguous.
  3. Keep 4X for writable params, 3X for pure inputs.
  4. Align float32 on even addresses (HR 40002, 40004…).

(Fig-18-2 placeholder: screenshot of mapping spreadsheet.)

18.6 Watchdogs & scan-rate balancing

PLC brandRecommended Modbus task periodWhen logic scan ≤
S7-150040 ms (OB 35)10 ms
ControlLogix50 ms (Periodic Task)5 ms
TwinCAT (CX)10 ms Task + ADS priority2 ms

Best-practice: keep Modbus task at logic scan or higher so network hiccups never block safety rungs.

Watchdog coil (0X00001): toggle TRUE/FALSE every successful cycle; SCADA alarms if unchanged > 1 s.

18.7 Troubleshooting matrix

SymptomVendor-specific clueFix
All zeros / 0x0202 exceptionS7: forgot MB_COMM_LOAD callAdd LOAD in OB100
Data reversedLogix float 1000× biggerSwap words (BADC)
Writes ignoredBeckhoff server default ROSet “Register Access = RW” column
Occasional timeout every 10 sControlLogix MSG buffer 10 → 5Increase socket buffer; stagger polls
Slave busy (0x06)Siemens CPU in RUN-STOP toggleLower polling to 250 ms; check PLC load

18.8 Security considerations

  • Disable writes (FC05/06/15/16) in PLC firewall when not needed.
  • Use separate VLAN for Modbus vs programming port.
  • Activate Controller Access Protection (Siemens) or FactoryTalk Access Control (Rockwell) → Modbus still works but config protected.

18.9 Best-practice checklist

✔︎Rule
Use periodic task (not continuous) for Modbus blocks.
Map multi-word data as big-endian; document if swapped.
Keep one MSG buffer per remote device (Logix).
Toggle watchdog coil/register—SCADA alarm if stale.
Version-control TIA/ACD/TwinCAT projects; include register spreadsheet.
Simulate with your lab (Chapter 14) before wiring to the real network.

Chapter recap

  • Three popular PLC families can be Modbus masters and slaves with built-in or add-on tools.
  • Core steps: enable protocol, size register area, map tags, schedule cyclic block.
  • Word-order quirks (Siemens standard, Rockwell BADC, Beckhoff selectable) demand explicit documentation.
  • Keep polling tasks slower than main logic; watchdog coils catch network stalls early.
  • Vendor IDEs offer conformance checks—run them before plant FAT.

Assets to create

IDVisual / file
Fig-18-1PLC integration topology variants
Fig-18-2Sample tag-to-register spreadsheet
Listing-S7ST code snippet
Listing-LogixLadder rung with MSG
Listing-TwinCATST FB example
PDFStep-by-step TIA Portal screen-caps

Next: Module 6 – Troubleshooting & Diagnostics begins with Chapter 19 – Systematic Troubleshooting Approaches, where we build a layered flowchart to resolve physical, configuration and protocol issues in minutes, not hours.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Chapter 19 – Systematic Modbus Troubleshooting

— Layer-by-Layer from Wire to Application (Module 6 · Troubleshooting & Diagnostics – Mastering Modbus Problem Solving) Learning objectives Recognise the tell-tale symptoms of the most frequent Modbus failures. Apply a structured,…

Read More