Manual de instrucoes protocolo MODBUS _ PN 4416 527_V11

Prévia do material em texto

Instruction manual Modbus Protocol Page 1TM
Instruction manual
Modbus ProtocolTM
Version 1.1
June 2000
Part no.: 4416.527
Enraf B.V.
P.O. Box 812
2600 AV Delft
Netherlands
Tel.: +31 15 2698600, Fax: +31 15 2619574
Email: Info@enraf.nl
http://www.enraf.com
Offices in: Netherlands - France - Germany - Russia - UK - USA - China - Singapore
 
Page 2
Copyright 2000 Enraf B.V. All rights reserved.
Reproduction in any form without the prior consent of Enraf B.V. is not allowed.
This instruction manual is for information only. The contents, descriptions and specifications are
subject to change without notice. Enraf B.V. accepts no responsibility for any errors that may
appear in this instruction manual.
The warranty terms and conditions for Enraf products applicable in the country of purchase are
available from your supplier. Please retain them with your proof of purchase.
Preface
Instruction manual Modbus Protocol Page 3TM
A Note points out a statement deserving more emphasis than the
general text.
Preface
This manual has been written for the technicians involved with the
communication with the Enraf series 880 communication interface
units via Modbus .TM
For installation and commissioning of the CIU Prime/Plus, please refer
to the related installation guide and instruction manual Ensite Pro.
This manual describes the communication between a CIU Prime/Plus
and higher layered systems. The communication is based on
emulation of the Modbus protocol (Schneider Automation ModiconTM
Modbus Protocol Reference Guide, PI-MBUS-300, Rev. B).
Safety and prevention of damage
"Notes " have been used throughout this manual to bring special
matters to the immediate attention of the reader.
Legal aspects The information in this instruction manual is copyright property of Enraf
B.V., Netherlands.
Enraf B.V. disclaims any responsibility for personal injury or damage to
equipment caused by:
• Deviation from any of the prescribed procedures;
• Execution of activities that are not prescribed;
Additional information
Please do not hesitate to contact Enraf or its representative if you
require additional information.
Table of contents
Page 4
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Communication parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Communication procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Memory structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Coils . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Input status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Input registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Holding registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Function codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Function code 01: Read coil status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Function code 02: Read input status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Function code 03: Read holding registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Function code 04: Read input registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Function code 05: Force single coil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Function code 06: Preset single register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Function code 08: Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Function code 15: Force multiple coils . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Function code 16: Preset multiple registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Modbus exception response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Function code field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Data field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Error code 01: illegal function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Error code 02: illegal data address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Error code 03: illegal data value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Error code 04: slave device failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Error code 06: slave device busy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Table of contents
Instruction manual Modbus Protocol Page 5TM
Enraf implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1 bit Coil area (Read/Write) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Tank (Gauge) command area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1 bit Discrete Input area (read only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
CIU status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Gauge status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Gauge level alarm status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
External contact status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
16 bit area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
User tank data area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
User CIU data area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Example Enraf implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Appendix A: Related documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Introduction
Page 6
Introduction
Modbus is the name given to a set of ‘rules’ (procedures) to follow
when transferring data from one computer to another. Like two people
communicating with each other, they both must use the same language
and grammar to understand each other. Such a set of computer
communication rules is commonly called a ‘protocol’.
Modbus protocol defines the format of the data and the techniquesused to control the flow of data. Modbus communication can take place
on virtually any physical platform: RS-232, RS-485, modem-to-modem,
etc.
Modbus protocol also specifies that the flow of data between two
devices uses a Master/Slave type arrangement. Multiple Modbus
devices may exist on the same common cable forming a Modbus
network, but only two devices will communicate at any one time, a
master and a slave.
There can be between 2 and 248 devices on a Modbus network, one
master and up to 247 slaves. In Modbus communication you must
always have one master and at least one slave. The master always
initiates a communication exchange.
Each slave device on a Modbus network has its own unique address.
This address is sent by the master as part of every message. All slave
devices on the network see the message, but only the slave device with
the matching address will respond to the message.
A message sent to a slave from the master is called a query, the
answer sent back to the master is called a response. Query and
response messages are also called packets or frames.
There are actually different versions of Modbus: Standard Modbus,
Extended Modbus, Modbus Plus.
There may be more, but what is used by Enraf is Standard Modbus
(RTU mode), as defined in the Schneider Automation Modicon Modbus
Protocol Reference Guide, (PI-MBUS-300, Rev. B). This is by far the
most universal and most widely used version of the Modbus protocol.
Communication parameters
Instruction manual Modbus Protocol Page 7TM
Communication parameters
Controllers can be set up to communicate on standard Modbus
networks using RTU (Remote Terminal Unit) transmission mode.
It defines the bit contents of message fields transmitted serially on
those networks. It determines how information will be packed into the
message fields and decoded.
The following communication parameters are supported:
Transmission mode RTU mode (RS-232/485 only asynchronous)
Baudrate 1200, 2400, 4800, 9600, 19200, 38400
Parity None, Odd, Even, Mark or Space
Start bit 1
Data bits 8
Stop bit(s) 1 (if parity = ‘odd’ or ‘even’)
2 (if parity = ‘none’)
TX/RX mode Full duplex: RTS and DSR are set
Half duplex: Full support of RTS, CTS, DTR, DSR and DCD
Turn around delay Adjustable in msec.
Break detection When selected
Data flow type arrangement
Slave only
Communication procedure
Page 8
Communication procedure
A Modbus message is placed by the transmitting device into a frame
that has a known beginning and ending point. This allows receiving
devices to begin at the start of the message, read the address portion
and determine which device is addressed, and to know when the
message is completed. Partial messages can be detected and errors
can be set as a result.
RTU mode is a binary mode of data representation. Messages start
with a silent interval of at least 3.5 character times. This is most easily
implemented as a multiple of character times at the baud rate that is
being used on the network (shown as T1T2T3T4 in the figure below).
The first field then transmitted is the device address.
Networked devices monitor the network bus continuously, including
during the silent intervals. When the first byte (the address byte) is
received, each device decodes it to find out if it is the addressed device.
Following the last transmitted byte, a similar interval of at least 3.5
character times marks the end of the message. A new message can
begin after this interval.
The entire message frame must be transmitted as a continuous stream.
If a silent interval of more than 3.5 character times occurs before
completion of the frame, the receiving device flushes the incomplete
message and assumes that the next byte will be the address field for a
new message.
Similarly, if a new message begins earlier than 3.5 character times
following a previous message, the receiving device will consider it a
continuation of the previous message. This will set an error, as the
value in the final CRC field will not be valid for the combined messages.
A typical message frame is shown below:
start address function data CRC end
check
T1T2T3 8 bits 8 bits n * 8 2 * 8 T1T2T3
T4 bits bits T4
Communication procedure
Instruction manual Modbus Protocol Page 9TM
All modbus memory addresses in this document are given with their
hexadecimal value.
start synchronisation 3.5 character time elapsed
address The address field of a message frame contains eight bits. The
individual slave devices are assigned addresses in the range of 01...F7
(address 00 is NOT allowed). A master addresses a slave by placing
the slave address in the address field of the message. When the slave
sends its response, it places its own address in this address field of the
response to let the master know which slave is responding.
function The function code field of a message frame contains eight bits. Valid
codes are in the range of 01...FF. When a message is sent from a
master to a slave device the function code field tells the slave what kind
of action to perform.
When the slave responds to the master, it uses the function code field
to indicate either a normal (error-free) response or that some kind of
error occurred. For a normal response, the slave simply echoes the
original function code. For an exception response, the slave returns a
code that is equivalent to the original function code with its most
significant bit set to a logic ‘1’.
data The data field is constructed using sets of two 8 bit bytes (16 bit
registers), in the range of 0000...FFFF. The data field of messages sent
from a master to slave devices contains additional information which
the slave must use to take the action defined by the function code.
If no error occurs, the data field of a response from a slave to a master
contains the data requested. If an error occurs, the field contains an
exception code that the master application can use to determine the
next action to be taken.
The data field can be non-existent (of zero length) in certain kinds of
messages. The function code alone specifies the action.
CRC check The CRC check field contains a 16-bit value implemented as two
eight-bit bytes. The error check value is the result of a CRC (Cyclical
Redundancy Check) calculation performed on the message contents.
The CRC field is appended to the message as the last field in the
message.
end synchronisation 3.5 character time elapsed
Memory structures
Page 10
In the table above, the number between brackets indicates an internal
Modbus address area. These area numbers are only used for
clarification by Modbus users.
Memory structures
Along with the slave address, the Modbus function code is another
piece of data that is in every query or response packet. This piece of
data specifies an action to be carried out by a Modbus slave device and
the memory range (coils, input registers, etc.) affected.
The following table defines the supported function codes:
Code Name Memory area Description Comments
01 Read coil status (0)0000...(0)FFFF 1 bit status information Read / write
02 Read input status (1)0000...(1)FFFF 1 bit status information Read only
03 Read holding registers (4)0000...(4)FFFF 16 bit value information Read / write
04 Read input registers (3)0000...(3)FFFF 16 bit value information Read only
05 Force single coil (0)0000...(0)FFFF 1 bit status information Read / write
06 Pre-set single register (4)0000...(4)FFFF 16 bit value information Read / write
08 Diagnostics - - -
15 Force multiple coils (0)0000...(0)FFFF 1 bit status information Read / write
16 Pre-set multiple registers (4)0000...(4)FFFF 16 bit value information Read / write
The standard address range runs from 0000...270F; Enraf extended
this range from 0000...FFFF for use within their systems.
In general there are four types of memory images that the Modbus host
can request:
• Coils
• Status inputs
• Input registers
• Holding registers
Coils
All coils are located in the memory range (0)0000...(0)FFFF. The value
of coils can be 1 = ON or 0 = OFF. Coilshave read/write properties.
The address space of the coils and the discrete inputs are combined in
one 1 bit area occupying the addresses (0)0000...(0)7FFF. The data
can be read by using Modbus function code 01. Data for tank
commands can be written using the Modbus 05 and 15 commands.
Memory structures
Instruction manual Modbus Protocol Page 11TM
Specifications for storing decimal (real, floating point, etc.) numbers
and negative numbers are not part of the original Modbus
documentation, although most vendors today have developed
schemes for storing these numbers. The Modbus specification also
does not address a way to store or send characters like ‘a’, ‘-’ or ‘X’.
For this reason, transfer of complete tank names using Modbus is not
possible unless the tank name is made up of all numbers.
Input status
Input statuses are located in the memory range (1)0000...(1)FFFF.
The value of input statuses can be 1 = ON or 0 = OFF. Input statuses
are considered to be discrete inputs. Input statuses are used to store
tank alarm conditions. Input statuses are read-only.
The address space of the coils and the discrete inputs are combined in
one 1 bit area occupying the addresses (1)0000...(1)7FFF. The data
can be read by using Modbus function code 02.
Input registers
Input registers are located in the memory range (3)0000...(3)FFFF.
Register values can range from 0000...FFFF since all registers are 16
bits long. Input registers are used for analog inputs or to store values
collected from the field and calculated values (level, temperature,
volume, etc.). Input registers are read-only.
In the 16 bit registers space both the holding registers and the input
registers are combined in one address space occupying the standard
area from 0000...270F and the extended memory area from 2710
onwards. Data can be retrieved via Modbus function code 04.
Holding registers
Holding registers are located in the memory range (4)0000...(4)FFFF.
Register values can range from 0000...FFFF since all registers are 16
bits long. Holding registers are used for analog outputs. Holding
registers have read/write properties.
In the 16 bit registers space both the holding registers and the input
registers are combined in one address space occupying the standard
area from 0000...270F and the extended memory area from 2710
onwards. Data can be retrieved via the Modbus function code 03. Via
Modbus commands 06 and 16 writing can be done to some registers.
Function codes
Page 12
Function codes
Function code 01: Read coil status
Reads the ON/OFF status of discrete outputs ((0)xxxx references, coils)
in the slave. Broadcast is not supported. The maximum number of coils
that can be requested in one request is 7D0 (2000 ).DEC
Query The query message specifies the starting coil and quantity of coils to be
read:
Slave Function 01 Starting Number of CRC check
address address points
8 bits 8 bits 16 bits 16 bits 16 bits
Response The coil status in the response message is packed as one coil per bit of
the data field. Status is indicated as: 1 = ON, 0 = OFF. All coils are
default OFF.
Slave Function 01 Byte count Data CRC check
address (N)
8 bits 8 bits 8 bits (N) * 8 bits 16 bits
Function code 02: Read input status
Reads the ON/OFF status of discrete inputs ((1)xxxx references) in the
slave. Broadcast is not supported. The maximum number of coils
requested in one request is 7D0 (2000 ).DEC
Query The query message specifies the starting input and quantity of inputs to
be read:
Slave Function 02 Starting Number of CRC check
address address points
8 bits 8 bits 16 bits 16 bits 16 bits
Function codes
Instruction manual Modbus Protocol Page 13TM
Response The input status in the response message is packed as one input per
bit of the data field. Status is indicated as: 1 = ON, 0 = OFF. All status
inputs are default OFF.
Slave Function 02 Byte count Data CRC check
address (N)
8 bits 8 bits 8 bits (N) * 8 bits 16 bits
Function code 03: Read holding registers
Reads the binary contents of holding registers ((4)xxxx references) in
the slave. Broadcast is not supported. The maximum number of
registers requested in one message is 7D (125 ).DEC
Query The query message specifies the starting register and quantity of
registers to be read:
Slave Function 03 Starting Number of CRC check
address address registers
8 bits 8 bits 16 bits 16 bits 16 bits
Response The register data in the response message is packed as two bytes per
register, with the binary contents right-justified within each byte:
Slave Function 03 Byte count Data CRC check
address (N)
8 bits 8 bits 8 bits (N) * 8 bits 16 bits
The response is returned when the data is completely assembled. The
amount of bytes N is double the amount of requested registers,
because each register occupies 2 bytes.
Function codes
Page 14
Function code 04: Read input registers
Reads the binary contents of input registers ((3)xxxx references) in the
slave. Broadcast is not supported. The maximum number of registers
requested in one message is 7D (125 ).DEC
Query The query message specifies the starting register and quantity of
registers to be read:
Slave Function 04 Starting Number of CRC check
address address registers
8 bits 8 bits 16 bits 16 bits 16 bits
Response The register data in the response message is packed as two bytes per
register, with the binary contents right-justified within each byte:
Slave Function 04 Byte count Data CRC check
address (N)
8 bits 8 bits 8 bits (N) * 8 bits 16 bits
The response is returned when the data is completely assembled. The
amount of bytes N is double the amount of requested registers,
because each register occupies 2 bytes.
Function code 05: Force single coil
Forces a single coil ((0)xxxx reference) to either ON or OFF.
When broadcast, the function forces the same coil reference in all
attached slaves.
Query The query message specifies the coil reference to be forced:
Slave Function 05 Coil Force data CRC check
address address
8 bits 8 bits 16 bits 16 bits 16 bits
Function codes
Instruction manual Modbus Protocol Page 15TM
Response The normal response is an echo of the query, returned after the coil
state has been forced:
Slave Function 05 Coil Force data CRC check
address address
8 bits 8 bits 16 bits 16 bits 16 bits
Function code 06: Preset single register
Presets a value into a single holding register ((4)xxxx reference).
When broadcast, the function presets the same register reference in all
attached slaves.
Query The query message specifies the register reference to be preset:
Slave Function 06 Register Preset data CRC check
address address
8 bits 8 bits 16 bits 16 bits 16 bits
Response The normal response is an echo of the query, returned after the register
contents have been preset:
Slave Function 06 Register Preset data CRC check
address address
8 bits 8 bits 16 bits 16 bits 16 bits
Function code 08: Diagnostics
This function provides a series of tests for checking the communication
system between master and slave or for checking various internal error
conditions within the slave. Broadcast is not supported.
Query
Slave Function 08 Sub- Data CRC check
address function
8 bits 8 bits 16 bits 16 bits 16 bits
Function codes
Page 16
Only loopback test sub-function (0) is supported. This function is
sometimes used to see if the addressee is awake.
Response The normal response is an echo of the query:
Slave Function 08 Sub- Data CRC check
address function
8 bits 8 bits 16 bits 16 bits 16 bits
Function code 15: Force multiple coils
Forces each coil ((0)xxxx reference) in a sequence of coils to either ON
or OFF. When broadcast, the function forces the same coil references
in all attached slaves. Any addresses that are not allowed to overwrite
generate an error code.
The maximum number of addresses that can be downloaded with one
command is 3C (60 ). Byte Count means the number of bytesDEC
following until the checksum (Number of registers * 2).
Query The query message specifies the coil references to beforced:
Slave Function 15 Coil Number of Byte count Force data CRC check
address (0F ) address coilsHEX
8 bits 8 bits 16 bits 16 bits 8 bits 16 bits 16 bits
Response The normal response returns the slave address, function code, starting
address, and quantity of coils forced:
Slave Function 15 Coil Number of CRC check
address (0F ) address coilsHEX
8 bits 8 bits 16 bits 16 bits 16 bits
Function codes
Instruction manual Modbus Protocol Page 17TM
Function code 16: Preset multiple registers
Presets values into a sequence of holding registers ((4)xxxx reference).
When broadcast, the function presets the same register references in
all attached slaves. Any addresses that are not allowed to overwrite
generate an error code.
The maximum number of addresses that can be downloaded with one
command is 3C (60 ). Byte Count means the number of bytesDEC
following until the checksum (Number of registers * 2).
Query The query message specifies the register reference to be preset:
Slave Function 16 Starting Number of Byte count Data CRC check
address (10 ) address registersHEX
8 bits 8 bits 16 bits 16 bits 8 bits 16 bits 16 bits
Response The normal response returns the slave address, function code, starting
address, and quantity of registers preset:
Slave Function 16 Starting Number of CRC check
address (10 ) address registersHEX
8 bits 8 bits 16 bits 16 bits 16 bits
Modbus exception response
Page 18
Modbus exception response
Except for broadcast messages, when a master device sends a query
to a slave device it expects a normal response. One of four possible
events can occur from the master's query:
• If the slave device receives the query without a communication
error, and can handle the query normally, it returns a normal
response;
• If the slave device does not receive the query due to a communi-
cation error, no response is returned. The master program will
eventually process a time-out condition for the query;
• If the slave device receives the query, but detects a communication
error (parity or CRC), no response is returned. The master program
will eventually process a time-out condition for the query;
• If the slave device receives the query without a communication
error, but cannot handle it (for example, if the request is to read a
non-existent coil or register), the slave will return an exception
response informing the master of the nature of the error.
The standard error response is as follows:
Slave Function Error code CRC check
address code
8 bits 8 bits 8 bits 16 bits
The exception response message has two fields that differentiate it
from a normal response:
• function code field
• data field
Modbus exception response
Instruction manual Modbus Protocol Page 19TM
The Function code returned in an error is the function code of the
received function with the high order bit of the function set to ‘1’.
Function code field
In a normal response, the slave echoes the function code of the original
query in the function code field of the response. The master's
application program can recognise the exception response and can
examine the data field for the exception code.
Data field
In a normal response, the slave may return any information that was
requested in the query. In an exception response, the slave returns an
exception code in the data field. This code defines the slave's condition
that caused the exception.
Error code 01: illegal function
The function code received in the query is not an allowable action for
the slave. This error code is generated in the following case:
• when an illegal function code is requested
Error code 02: illegal data address
The data address received in the query is not an allowable address for
the slave. This error code is generated in one of the following cases:
• as reply on function code 01, 02 or 04: start register does not
correspond to any tank;
• as reply on function code 05: coil must correspond to a tank;
• a change in the field scan for a system without Hot-Standby.
Modbus exception response
Page 20
Error code 03: illegal data value
A value contained in the query data field is not an allowable value for
the slave. This error code is generated in one of the following cases (as
reply on function codes 06 and 16):
• illegal tank commands (e.g. 'X');
• illegal downloads (e.g. TCF-value for product code A);
• unknown tank requested.
Error code 04: slave device failure
An unrecoverable error occurred while the slave was attempting to
perform the requested action. This error code is generated in one of the
following cases (as reply on function codes 06 and 16):
• block, test commands if no servo gauge;
• dipping commands if not allowed;
• illegal downloads because e.g. level is available from hardware;
• engineer command if destination station or port does not make
sense.
Error code 06: slave device busy
The slave is processing a long-duration program command. The master
should re-transmit the message later when the slave is free. This error
code is generated in one of the following cases:
• when the system is busy;
• when the system is not able to generate an answer;
• when the system is not able to reply with the correct data in the
required time-out period;
• when a request for a scan change in a Hot-Standby station is still
performed, and a new request is received.
Enraf implementation
Instruction manual Modbus Protocol Page 21TM
All modbus memory addresses in this chapter are in hexadecimal
format.
All address references in the modbus messages are numbered
relative to zero.
E.g. the first holding register on a DCS would be register 40001 and
would be referenced as 0000.
Similarly coil 00016 would be 000F (0015 )DEC
Gauge comands via Coil commands is available in CIU Prime and
CIU Plus
Firmware version must be 1.100 or higher.
Enraf implementation
1 bit Coil area (Read/Write)
• The addresses are fixed per port
• The data can be read by using the Modbus function code 01
• Data for CIU- or gauge-commands can be written by using the
Modbus function code 05 and 15
A graphical overview of the 1 bit address coil area is as follows:
1 bit address Area name Detailed name Description
000A- 1 bit Tank (gauge) In this area a command to a Tank
address command (gauge) can be given
coil area area
Grey areas are read-only
Enraf implementation
Page 22
Tank (Gauge) command area
Tank gauge commands can be given by setting coils (Modbus function
05). Commands are only accepted when the required command is
enabled for the addressed instrument. First coil address for Tank gauge
commands is address 000A (10 ).DEC
The sequence how the tanks are ordered in the modbus memory map
defines the address sequence where the tank gauge command must be
given. In the table below a Relative address is given from which the
actual coil address can be calculated by using formula:
Actual Coil address = 10 + [(n - 1) * 7] + relative address.
In which n = tank_sequence_nr in modbus memory map.
The setting of a coil is interpreted as a “push button”. Reading the
status of a coil will always result in “0"
Relative Read/ Function Description
Address Write
0 R/W Unlock Writing “1" will abort all active operational
commands.
1 R/W Test Writing “1" will result in repeatability test command.
2 R/W Locktest Writing “1" will result in Lock command
3 R/W Block Writing “1" will result in Block command
4 R/W Density dip Writing “1" will result in Density dip command
5 R/W Water dip Writing “1" will result in Water dip command
6 R/W Combined dip Writing “1" will result in Combined (water/density)
dip command
1 bit Discrete Input area (read only)
• The addresses are fixed per port
• The data can be read by using the Modbus function code 02
Enraf implementation
Instruction manual Modbus Protocol Page 23TM
Statusses via discrete inputs is available in CIU Prime and CIU Plus.
Firmware version must be 1.100 or higher.
1 bit address Area name Detailed name Description
 
0000 - 0009 CIU status area In this area the statusof the CIU is
represented
 
000A 1bit Gaugestatus In this area the status of the tank is
: discrete area represented
depending input 
number of area Gauge level In this area the status of the gauge
tanks in alarms area level alarms is represented
modbus
memory External alarms In this area the status of the external
map area alarms is represented
Grey areas are read-only
CIU status
The CIU status can be read.
Address Read/ Function Description
Write
0000 R CIUHotStandbyMode “1" indicates CIU is passive member of Hot
Stand-by pair
0001 .. R future reserved for future
..0009
Gauge status
The Gauge status can be read. The total number of tanks and the
sequence how the tanks are ordered in the modbus memory map
defines the address sequence where the status can be read. In the
tables below a relative address is given from which the actual coil
address can be calculated by using a formula. The discrete input
address is calculated with formula:
address = 10 + [(n - 1) * 2] + relative address.
In which n = tank_sequence_nr in modbus memory map.
Enraf implementation
Page 24
Relative Read/ Function Description
Address Write
0 R Measuring level “1" indicates level gauge is measuring level
1 R Failure “1" indicates level gauge is in failure
Gauge level alarm status
The Gauge level alarm status can be read.
The total number of tanks and the sequence how the tanks are ordered
in the modbus memory map defines the address sequence where the
status can be read. In the tables below a relative address is given from
which the actual coil address can be calculated by using a formula. The
discrete input address is calculated with formula: 
address = 10 + (N * 2) + [(n - 1) * 3] + relative address.
In which N = total number of tanks in memory map.
n = tank_sequence_nr in modbus memory map.
Relative Read/ Function Description
Address Write
0 R Low alarm “1" indicates low level alarm is active
1 R High alarm “1" indicates high level alarm is active
2 R Alarm failure “1" indicates alarm status failure
External contact status
The External contact status can be read. The total number of tanks and
the sequence how the tanks are ordered in the modbus memory map
defines the address sequence where the status can be read. In the
tables below a relative address is given from which the actual coil
address can be calculated by using a formula.
The discrete input address is calculated with formula: 
address = 10 + (N * 5) + [(n - 1) * 4] + relative address.
In which N = total number of tanks in memory map.
n = tank_sequence_nr in modbus memory map.
Enraf implementation
Instruction manual Modbus Protocol Page 25TM
Direct overwrite of data on the modbus register is available on the
CIU Plus only.
Firmware version of CIU Plus must be 1.100 or higher.
Relative Read/ Function Description
Address Write
0 R External contact 1 “1" indicates ext. contact 1 of gauge is active
1 R External contact 2 “1" indicates ext. contact 2 of gauge is active
2 R External contact fail “1" indicates ext. contacts status failure
3 R External contact not “1" indicates ext. contactsnot available in gauge.
available
16 bit area
In the 16 bit registers space both the holding registers and the input
registers are combined in one address space.
• The address occupation is on a ‘per port’ basis, each port can be
configured inside the restrictions
• The data can be retrieved by using the Modbus commands 03
(holding registers) and 04 (input register)
• Data can be written to holding registers by using the Modbus
commands 06 and 16. The same address as where the data is read
must be used.
A graphical overview of the 16 bit register area is as follows:
Register Area name Detailed name Description
address
0000.. User tank data In this area the user can request for
..1F3F user area tank data.
data
251C.. area User CIU data General data of CIU Prime/Plus
..2647 area
Grey areas are read-only
Enraf implementation
Page 26
User tank data area
A selection can be made which data must be presented in the user
defined tankdata area. This because of the lot of information which can
be retrieved. See the related Instruction manual CIU Prime or CIU Plus
for a list of selectable data.
One tank data reply packet is selected which is used for all tanks
available to the modbus host.
The sequence how the tanks are organized in the user defined modbus
map is programmable.
There are two methods possible to organize the user defined modbus
memory map:
1. Tank oriented.
Data in the modbus memory map is grouped per tank.
Start address of memory map is programmable. Default start address is
0000. The startaddress-interval between the tankrecords is
programmable.
2. Data oriented.
Data in the modbus memory map is grouped per selected entity.
Start address of memory map is programmable. Default start address is
0000.
User CIU data area
A number of CIU data registers are available to the user.
Register Read/ Entity Function CIU Description
Address Write Prime/Plus
2520 R/W 521 Years (yyyy) Prime/Plus CIU year (max 16383)
2521 R/W 522 Months (mm) Prime/Plus CIU month (max 12)
2522 R/W 523 Days (dd) Prime/Plus CIU day (max 31)
2523 R/W 524 Hours (hh) Prime/Plus CIU hour (max 23)
2524 R/W 525 Minutes (mm) Prime/Plus CIU minute (max 59)
2525 R/W 526 Seconds (ss) Prime/Plus CIU second (max 59)
2526 R/W 527 DayLightSaving Prime/Plus CIU DayLightSaving
(0 = off; 1 = on)
The above 7 registers (2520 (9504 ) up to 2526 (9510 )) must be DEC DEC
written in one message using modbus function code 16.
Example Enraf implementation
Instruction manual Modbus Protocol Page 27TM
Example Enraf implementation
Database with total 3 tanks in modbus memory area of Host Port CIU Plus for which Product level,
Product level status, Product temperature, Product temperature status must be retrieved.
Observed density including the related Observed temperature will be downloaded from the host.
Tank oriented modbus map. Start address of memory map 16 bit area: 0000.
Tank record interval: 10
Modbus memory map 16 bit area:
Adress Data description Tank Scaling Offset Type
0000 40 Product level (mm) 1 1 0 16bit Unsigned Integer
0001 41 Product level status 1 Not a number
0002 44 Product Temperature (°C) 1 10 1000 16bit Unsigned Integer
0003 45 Product Temperature status 1 Not a number
0004 50 Density Observed (kg/m3) 1 10 0 16bit Unsigned Integer
0005 118 Temperature Observed (°C) 1 10 1000 16bit Unsigned Integer
0006 empty
0007 empty
0008 empty
0009 empty
000A 40 Product level (mm) 2 1 0 16bit Unsigned Integer
000B 41 Product level status 2 Not a number
000C 44 Product Temperature (°C) 2 10 1000 16bit Unsigned Integer
000D 45 Product Temperature status 2 Not a number
000E 50 Density Observed (kg/m3) 2 10 0 16bit Unsigned Integer
000F 118 Temperature Observed 2 10 1000 16bit Unsigned Integer
0010 empty
0011 empty
0012 empty
0013 empty
0014 40 Product level (mm) 3 1 0 16bit Unsigned Integer
0015 41 Product level status 3 Not a number
0016 44 Product Temperature (°C) 3 10 1000 16bit Unsigned Integer
0017 45 Product Temperature status 3 Not a number
0018 50 Density Observed (kg/m3) 3 10 0 16bit Unsigned Integer
0019 118 Temperature Observed (°C) 3 10 1000 16bit Unsigned Integer
Example Enraf implementation
Adress Data description Tank Scaling Offset Type
Page 28
001A empty
001B empty
001C empty
001D empty
Overwrite Observed density and Observed temperature (direct overwrite on CIU Plus only).
To overwrite the Observed density (800 kg/m3) including related observed temperature (15 °C) for
tank 2, registers 000E and 000F must be overwritten by using function code 06 or function code 16.
The data will be used for internal calculations provided that it is not automatically measured.
Via function code 16:
29 10 00 0E 00 02 04 1F 40 04 7E +CRC
in which
29 RTU address (41 )DEC
10 Function code (16 ) DEC
00 0E Start address (15 )DEC
00 02 Number of registers (2 )DEC
04 Byte Count (4 ) DEC
1F 40 Observed density [8000 = (800* 10) + 0] DEC 
04 7E Observed temperature [1150 = (15 * 10) + 1000] DEC 
CRC
Download new Date and Time: 
To download date and time: 14h 03m 23s, 24 September 1999 + DayLightSaving.
Via function code 16 (multiple registers) the download can be done:
29 10 25 20 00 07 0E 07 CF 00 09 00 18 00 0E 00 03 00 17 00 01 +CRC
in which
29 RTU address (41 )DEC
10 Function code (16 ) DEC
25 20 Start address (9504 )DEC
00 07 Number of registers (7 )DEC
0E Byte Count (14 ) DEC
07 CF Year (1999 ) DEC
00 09 Month (9 ) DEC
00 18 Day (24 ) DEC
00 0E Hour (14 ) DEC
00 03 Minutes (3 ) DEC
00 17 Seconds (23 ) DEC
00 01 DayLightSaving on (1 ) DEC
CRC
Example Enraf implementation
Instruction manual Modbus Protocol Page 29TM
After downloading the Date&Time the received data will be used to set the internal CIU clock as
required.
The operation can be verified by reading the same registers and interpret the contents. 
Coil addresses for Tank (Gauge) commands. 
address Description Tankname
000A Unlock command 1
000B Test command 1
000C Lock-test command 1
000D Block command 1
000E Density dip command 1
000F Water dip command 1
0010 Combined dip command 1
0011 Unlock command 2
0012 Test command 2
0013 Lock-test command 2
0014 Block command 2
0015 Density dip command 2
0016 Water dip command 2
0017 Combined dip command 2
0018 Unlock command 3
0019 Test command 3
001A Lock-test command 3
001B Block command 3
001C Density dip command 3
001D Water dip command 3
001E Combined dip command 3
Discrete inputs (status) 
CIU status
address Description
0000 CIU Hot Standby Mode
Example Enraf implementation
Page 30
Gauge status
address Description Tankname
000A Gauge measuring level status 1
000B Gauge failure status 1
000C Gauge measuring level status 2
000D Gauge failure status 2
000E Gauge measuring level status 3
000F Gauge failure status 3
Gauge level alarm status
address Description Tankname
0010 Low alarm 1
0011 High alarm 1
0012 Alarm failure 1
0013 Low alarm 2
0014 High alarm 2
0015 Alarm failure 2
0016 Low alarm 3
0017 High alarm 3
0018 Alarm failure 3
External contact status
address Description Tankname
0019 External contact 1 1
001A External contact 2 1
001B External contact fail 1
001C External contact not available 1
001D External contact 1 2
001E External contact 2 2
001F External contact fail 2
0020 External contact not available 2
0021 External contact 1 3
0022 External contact 2 3
0023 External contact fail 3
0024 External contact not available 3
Appendix A
Instruction manual Modbus Protocol Page 31TM
Appendix A: Related documents
Title Part no.
Schneider Automation Modicon Modbus Protocol Reference Guide, PI-MBUS-300, Rev. B
Installation guide 880 CIU Prime/Plus 4416.524
Instruction manual 880 CIU Prime 4416.525
Instruction manual 880 CIU Plus 4416.526
Instruction manual Ensite Pro Configuration Tool 4416.593
: +31 15 2698600
: info@enraf.nl
: http://www.enraf.com
We at Enraf are committed to excellence.
Enraf is a registered trademark Enraf B.V. Netherlands
Your Enraf distributor
Information in this publication is subject to change without notice.
Röntgenweg 1
2624 BD, Delft
Tel.
E-mail
Website
P.O. Box 812
2600 AV, Delft
Netherlands
Page 32
	Preface
	Table of Contents
	Introduction
	Communication parameters
	Communication procedure
	Memory structures
	Coils
	Input status
	Input registers
	Holding registers
	Function codes
	Function code 01: Read coil status
	Function code 02: Read input status
	Function code 03: Read holding registers
	Function code 04: Read input registers
	Function code 05: Force single coil
	Function code 06: Preset single register
	Function code 08: Diagnostics
	Function code 15: Force multiple coils
	Function code 16: Preset multiple registers
	Modbus exception response
	Function code field
	Data field
	Error code 01: illegal function
	Error code 02: illegal data address
	Error code 03: illegal data value
	Error code 04: slave device failure
	Error code 06: slave device busy
	Enraf implementation
	1 bit Coil area (Read/Write)
	Tank (Gauge) command area
	1 bit Discrete Input area (read only)
	CIU status
	Gauge status
	Gauge level alarm status
	External contact status
	16 bit area
	User tank data area
	User CIU data area
	Example Enraf implementation
	Appendix A: Related documents