Wilamowski B.M., Irwin J.D. The Industrial Electronics Handbook. Second Edition: Industrial Communication Systems
Подождите немного. Документ загружается.
35-8 Industrial Communication Systems
noted,.however,.that.because.FISCO.power.conditioners.are.also.repeaters,.if.desired.it.is.possible.to.install.
up.to.four.FISCO.power.conditioners.in.a.single.eldbus.network..Because.FISCO.uses.IS-equivalent.
circuitry.throughout,.the.resulting.segment.is.similar.to.that.shown.in.Section.35.6.with.simple.eld.
device.couplers.in.the.eld.junction.boxes.
35.9.2 High-Energy trunk–Fieldbus Barrier Solution
For.those.cases.in.which.longer.trunk.length.is.required.without.the.need.for.live.working.of.the.
trunk.cable,.the.high-energy.trunk–eldbus.barrier.solution.is.oen.used..As.mentioned.earlier,.in.
this.conguration,.the.individual.spurs.from.the.eldbus.barrier.are.IS.or.IS.equivalent.as.the.energy-
limiting
.circuitry.is.contained.in.the.eldbus.barrier.devices..As.shown.in.Figure.35.5,.this.technol-
ogy
.has. a.high-voltage.“conventional”. FF. power.conditioner.at.one.end.of.the. trunk,.and. then.a.
number.of.spurs.from.each.eldbus.barrier..Each.of.these.spurs.can.be.the.full.120.m.specied.by.the.
Foundation.documents.
35.10 Project Documentation
Because.FF.technology.is.based.on.segments.rather.than.individual.loops;.the.traditional.“loop.diagram”.
should.be.replaced.with.a.segment.diagram,.as.shown.in.Figure.35.6.
e
.reason.to.use.network.or.segment.diagrams.rather.than.single-loop.diagrams.is.so.that.you.can.
see.on.one.drawing.all.the.equipment.that.is.interconnected..is.is.important.especially.when.doing.
maintenance,.so.that.in.the.event.of.some.unexpected.happening,.you.are.aware.of.what.other.devices.
and.control.loops.will.be.aected.
35.11 Installations and Commissioning
By.now,.readers.should.have.realized.that.FF.is.dierent.from.traditional.analog.systems..e.same.is.
true.for.the.installation.and.commissioning.procedures..Unfortunately,.for.those.projects.that.do.expe-
rience
.troubles.with.their.eldbus.system.during.start-up,.the.majority.of.the.time.this.occurs.is.because.
of.the.eldbus.network..Fortunately,.these.errors.are.easily.xed.through.the.use.of.good.practices.
Power supply
default with
28 V @ 500 mA
EEx e wiring
Classied zone 1
Field
barrier
EEx ia IIC Outputs in accordance with
FISCO and Entity models
FISCO intrinsically safe barriers on eld
FIGURE 35.5 Intrinsically.safe.barriers.
© 2011 by Taylor and Francis Group, LLC
Foundation Fieldbus 35-9
during.construction.with.simple.procedures.such.as.insuring.that.all.connections.are.properly.tightened.
and.checking.that.wires.are.properly.terminated,.without.short.circuits.and.so.on..However,.below.are.
some.recommendations.to.help.you.get.your.system.operational.faster.and.start.making.prots.
. 1..Electrical.commissioning
. a.. .Inspect.the.FF.cable.coil,.check.if.the.ends.are.protected.against.water.leaks.or.rain..Measure.
the.isolation.and.conrm.if.it.matches.the.value.of.the.commissioning.report.
. b.. .Before.connecting.the.home.run.cable.to.any.electronics,.conrm.isolation.and.the.capaci-
tance
.measurements.and.record.the.values.in.the.commissioning.report.
. c.. .Repeat.this.procedure.for.each.section.of.the.trunk.and.for.all.its.spurs.and.record.the.readings.
in.the.electrical.commissioning.report.
. 2.. Electronic.commissioning
. a.. .Connect.the.trunk.to.the.coupler.installed.in.the.cabinet.of.the.control.system.and.in.
all.the.field.junction.boxes..Confirm.the.continuity.of.the.conductor.wires.and.the.cable.
shield.
. b.. .Check.the.power.for.each.input.and.output.of.the.trunk.of.the.eld.junction.boxes;.record.the.
values.in.the.commissioning.report.
. c.. .Connect.the.instruments.to.the.eld.junction.boxes,.taking.care.to.isolate.the.shield.at.the.
instrument.
. d.. .For.each.spur,.check.the.power.at.the.eld.junction.box.terminals.and.at.the.instrument.terminals;.
record.these.values.in.the.report.
. 3..Conguration.download
. a.. .Contact. the. people.in. charge.of.the. conguration.of. the. control. system.and.ask. for.the.
download.of.the.conguration.to.all.the.instruments.in.the.segment.
. 4.. Digital.communication.certication
. a.. .Aer.the.download.of.the.conguration.to.all.the.instruments.of.the.segment,.conrm.digital.
communications.using.a.eldbus.diagnostic.tool..Record.results.for.each.segment.
. b.. .Create.a.digital.and.paper.le.of.the.diagnostic.tool.reports.for.each.segment.and.complete.the.
delivery.of.the.segment.certication.report.to.the.plant.commissioning.team.
Typical network diagram
Field
Junction boxInstrument
N
N
B
N
B
7+
8
6+
3+
2–
1
5
9–
9121
X
X
X
X
X
X
Slotnum
UCN
Modnum
JX
JX
File
card
File
card
X
X
10
X
X
Power
supply
–
+
T
4–
PR #
PR #
X
B
N
X
T 4
5
6
7
8
1
2
3
T
B
Control room
Marsh Cab. Barrier Control logic
Segment No.
ModuleI/O terminal
Terminator
FIGURE 35.6 Typical.project.diagram.
© 2011 by Taylor and Francis Group, LLC
35-10 Industrial Communication Systems
35.12 Maintenance
Aer.the.installation.and.the.commissioning.of.a.segment,.the.facility.and.network.digital.communication.
are.typi
cally
.in.good.cond
ition;
.like
ly
.the.best.stat
e
.they.will.ever.be.in..is.is.why.it.is.reco
mmended
.that.as.
part.of.the.commi
ssioning
.proc
ess,
.a.base
line
.meas
urement
.be.capt
ured
.and.archi
ved.
As
.the.netw
ork
.is.a.crit
ical
.comp
onent
.of.the.oper
ating
.syst
em,
.it.is.impo
rtant
.that.like.the.cont
rol
.
syst
em,
.it.too.be.main
tained.
.Main
tenance
.impl
ies
.the.need.for.meas
urement
.and.anal
ysis
.of.the.sys-
t
em
.to.reco
rd
.chan
ges
.over.time
.
.Fort
unately,
.in.addi
tion
.to.hand
held
.diag
nostic
.tools
,
.ther
e
.are.now.a.
numbe
r
.of.onli
ne
.H1.netw
ork-monitoring
.devi
ces
.avai
lable.
.ese.moni
toring
.devi
ces
.are.able.to.com-
m
unicate
.with.the.faci
lity’s
.asse
t-management/maintenance
.sow
are
.to.assis
t
.with.the.moni
toring
.and.
diag
nosis
.of.any.con
ditions
.tha
t
.may.ari
se.
Typical
.mea
surements
.tak
en
.and.ana
lyzed
.by.the
se
.dia
gnostic
.tool
s
.inc
lude
•
. Tren
ding/history
•
. Unba
lance/ground
.fau
lt
.det
ection
•
. Segm
ent
.vol
tage
•
. Segm
ent
.cur
rent
•
. Segm
ent/instrument
.noi
se
•
. Segm
ent/instrument
.sign
al
.lev
el
•
. Fiel
dbus
.ter
minator
•
. Segm
ent
.and.dev
ice
.com
munication
.err
or
.sta
tistics
•
. Segm
ent
.FF.wav
e
.for
m
us,
.for.the.reas
ons
.stat
ed
.abov
e
.that.your.H1.netw
ork
.is.part.of.your.cont
rol
.syst
em,
.it.is.stro
ngly
.
recom
mend
.that.eld
bus
.proj
ects
.incl
ude
.diag
nostic
.tool
s
.in.orde
r
.to.moni
tor
.the.digi
tal
.comm
unication
.
duri
ng
.the.lif
e
.cyc
le
.of.the.pla
nt.
references
[BE01].Berge,.J..Process Fieldbuses: Engineering, Operation and Maintenance..ISA.Press,.New.York,.2001,.
ISBN.1-55617-760-7.
[FA00]
.Fayad,.C..A..Proces
s
.contr
ol
.perfo
rmance
.on.a.found
ation
.eldbu
s
.system..Proc
eedings, ISA Expo
2000,
.Hou
ston,
.TX,.Nov
ember
.2000.
[HP07]
.Husem
ann,
.R..and.Pereira,.C..E..A.mult
i-protocol
.real-t
ime
.monit
oring
.and.validat
ion
.system.for.
distr
ibuted
.eldbu
s-based
.auto
mation
.applic
ations.
.Cont
rol Engineering Practice,
.15,.955–968,.2007.
[IEC00a]
.Inter
national
.Elect
rotechnical
.Commis
sion
.(IEC).61158.3..Fieldbu
s
.Specic
ation,
.Data.Link.
Layer.Serv
ice
.Denit
ion,
.Gene
va,
.Swi
tzerland,
.2000.
[IEC00b]
.Inter
national
.Elect
rotechnical
.Commis
sion
.(IEC).61158.4..Fieldbu
s
.Specic
ation,
.Data.Link.
Layer.Pro
tocol
.Denit
ion,
.Gene
va,
.Swi
tzerland,
.2000.
[PF03]
.Pereira,.C..E..and.Franco
,
.L..R..Real-t
ime
.charac
teristics
.of.the.found
ation
.eldbu
s
.prot
ocol.
.In:.
N..P..Maha
lik
.(Ed.),.Fiel
dbus Technology: Industrial Network Standards for Real-Time Distributed
Control.
.Spr
inger
.Verl
ag,
.Berlin,.Germ
any,
.2003,.pp..57–94.
[PN09]
.Pereira,.C..E..and.Neuman,.P..Indu
strial
.communica
tion
.prot
ocols.
.In:.S..Y..Nof.(Ed.),.Spri
nger
Handbook of Automation.
.Spr
inger,
.Berlin,.Germ
any,
.2009,.Cha
pter
.56,.pp..981–999.
[VP02]
.Verha
ppen,
.I..and.Pereira,.A..Foun
dation Fieldbus: A Pocket Guide, ISA—e Instrument, Systems
and Automation Society,
.ISA.Pres
s,
.Rese
arch
.Tri
angle
.Par
k,
.NC,.2002.
© 2011 by Taylor and Francis Group, LLC
36-1
36.1 Introduction
e.Modbus.protocol.was.created.in.1979.by.Modicon*.as.a.means.of.sharing.data.between.their.PLCs.
(pro
grammable
.logi
c
.cont
rollers).
.Modi
con
.took.the.appr
oach
.of.open
ly
.publ
ishing
.its.spec
ication
.and.
allo
wing
.its.use.by.anyo
ne
.with
out
.aski
ng
.for.roya
lties.
.ese.fact
ors,
.alon
g
.with.the.simp
licity
.of.the.pro-
t
ocol
.itse
lf,
.allo
wed
.it.to.beco
me
.the.rst.wide
ly
.acce
pted
.de f
acto
.stan
dard
.for.indu
strial
.comm
unication.
Although
.init
ially
.a.prop
rietary
.proto
col
.cont
rolled
.only.by.Modi
con,
.it.is.since.2004.cont
rolled
.by.
a.comm
unity
.of.user
s
.and.supp
liers
.of.autom
ation
.equi
pment,
.know
n
.as.Modb
us-IDA.
.is.nonp
rot
.
orga
nization
.over
sees
.the.evol
ution
.of.the.proto
col
.and.seek
s
.to.driv
e
.its.adopt
ion
.by.cont
inuing
.to.
open
ly
.dist
ribute
.the.proto
col
.spec
ications
.[1–4
]
.and.prov
iding
.an.infr
astructure
.for.devi
ce
.comp
at-
ibility
.cer
tication.
Currently,
. Modb
us
. is. used. in. equi
pment
. rang
ing
. from. the. smal
lest
. netw
ork-enabled
. sens
ors
. and.
.
actu
ators
.to.comp
lex
.auto
mation
.cont
rollers
.and.SCAD
A
.(sup
ervisory
.cont
rol
.and.data.acqu
isition)
.sys-
t
ems.
.Addi
tionally,
.many.impl
ementations
.are.free
ly
.avai
lable
.in.sour
ce
.code.form.in.a.grea
t
.vari
ety
.of.pro-
g
ramming
.lang
uages.
.Read
ers
.inte
rested
.in.obta
ining
.the.Modb
us
.stan
dards
.or.one.of.the.many.avai
lable
.
impl
ementations
.of.the.prot
ocol
.are.sugg
ested
.to.acce
ss
.the.Modb
us-IDA
.Web.site.at.http
://www.mobus.org.
36.2 Modbus Interaction and Data Models
e.Modbus.communication.protocol.provides.a.means.whereby.one.device.may.read.and.write.data.
to.memo
ry
.area
s
.loca
ted
.on.anot
her
.remo
te
.devi
ce.
.e.typi
cal
.exam
ple
.of.a.remo
te
.devi
ce
.is.an.RTU.
(rem
ote
.term
inal
.unit
)
.prov
iding
.a.physi
cal
.inte
rface
.(inp
uts
.and.outp
uts)
.to.an.indu
strial
.proc
ess,
.with.
*
.
At.the.time,.Modicon.was.a.PLC.Manufacturer..It.is.now.a.brand.of.Schneider.Electric.
36
Modbus
36.1. Introduction.....................................................................................36-1
36.2
. Modb
us
.Int
eraction
.and.Dat
a
.Mod
els.........................................36-1
36.3
. Modb
us
.Pro
tocol
.Arc
hitecture......................................................36-3
36.4
. Modb
us
.App
lication
.Lay
er.............................................................36-4
Data.Access.Functions. •. Diagnostic.Functions. •. .
DeviceClasses. •. Error.Handling
36.5. Modbus.Serial...................................................................................36-8
Frames. •. RTU.Mode. •. ASCII.Mode. •. Error.Detection. •. .
PhysicalLayer
36.6. Modbus.TCP...................................................................................36-12
Frames
36.7. Example...........................................................................................36-13
Acronyms...................................................................................................36-15
References...................................................................................................36-16
Mário de Sousa
University of Porto
Paulo Portugal
University of Porto
© 2011 by Taylor and Francis Group, LLC
36-2 Industrial Communication Systems
little.to.no.processing.capability,.whereas.the.device.taking.the.initiative.to.read.and.write.data.is.usually.
a.PLC..ese.two.devices.interact.over.the.Modbus.protocol.using.the.client–server.interaction.model.
(Figure.36.1)..e.client.(PLC).takes.the.initiative.of.asking.the.server.(RTU).to.write.and.read.data.that.
is.present.in.the.RTU..e.server.merely.responds.to.these.requests,.never.taking.the.initiative.to.start.
a.data.exchange.
A
.client.may.make.requests.to.several.distinct.Modbus.servers,.usually.one.at.a.time..Likewise,.the.
server.may.respond.to.requests.coming.from.several.clients..Whether.or.not.the.server.is.capable.of.
processing.simultaneous.requests.coming.from.several.clients.depends.on.the.server,.although.typically.
these.are.processed.one.aer.the.other.
e
.organization.of.the.memory.areas.on.the.server.to.which.the.client.may.write.to.or.read.from.is.
dened.by.the.Modbus.protocol.itself..ere.are.four.distinct.memory.areas.(Table.36.1);.two.of.them.
are.organized.as.16.bit.registers,.whereas.the.other.two.are.composed.of.arrays.of.single.bits..Likewise,.
two.of.the.memory.areas.provide.read.and.write.access.permissions,.while.the.other.two.may.only.be.
read.from.
Typically,
.an.RTU.acting.as.a.Modbus.server.will.allow.its.physical.digital.inputs.to.be.read.through.
the.“discrete.inputs”.memory.area,.the.digital.outputs.to.be.read.and.written.to.through.the.“coils”.
memory.area,.the.status.of.any.analog.inputs.will.be.read.using.the.“input.registers”.memory.area,.and.
the.values.of.any.analog.outputs.will.be.read.and.changed.through.the.“holding.registers”.memory.
area..Nevertheless,.it.is.completely.up.to.the.server.manufacturer.to.decide.the.semantics.attributed.to.
the.data.located.in.these.memory.areas..In.other.words,.the.Modbus.protocol.does.not.dene.what.will.
happen.on.the.server.when.a.specic.memory.address.is.written.with.some.determined.value..How.the.
memory.areas.are.organized,.and.where.the.data.are.actually.stored,.will.depend.on.the.type.of.device.
acting.as.a.Modbus.server.
An
.example.would.be.a.variable.speed.drive.that.controls.the.rotation.speed.of.an.electrical.motor..
When.acting.as.a.Modbus.server,.it.may.map.the.holding.registers.memory.area.to.the.area.where.the.
drive.stores.its.conguration.parameters.(maximum.and.minimum.motor.voltage,.motor.speed,.etc.),.
and.the.input.registers.memory.area.to.the.speed.drive.internal.status.registers.(current.speed,.current.
output.voltage,.etc.).
Another
.example.would.be.a.graphical.HMI.(human–machine.interface).terminal,.which.graphically.
displays.a.representation.of.the.current.state.of.an.industrial.process.and.permits.an.operator.to.modify.
operating.parameters.using.specic.buttons.and.dials..e.HMI.terminal,.acting.as.a.Modbus.client,.
obtains.the.data.values.corresponding.to.the.industrial.process’.state.from.the.controlling.PLC,.which.
acts.as.the.Modbus.server..is.PLC.might.use.the.holding.register.memory.area.to.store.the.current.
state.of.a.continuous.variable.of.the.process.under.control.(e.g.,.volume.of.liquid.in.a.tank),.and.the.coil’s.
memory.area.to.store.the.ags.indicating.which.on-screen.buttons.the.operator.is.currently.pressing.
Client
Server
Re
quest
Reply
FIGURE 36.1 Client–server.interaction.model.
TABLE 36.1 Memory.Areas.of.the.Modbus.Data.Model
Memory.Area.Name Address—Range Register.Size.(Bits) Access.Permissions
Input
.registers 1–65,536 16 Read
Holding
.registers 1–65,536 16 Read/write
Discrete
.inputs 1–65,536 1 Read
Coils 1–65,536 1 Read/write
© 2011 by Taylor and Francis Group, LLC
Modbus 36-3
e.devices.acting.as.Modbus.servers.may.even.decide.to.map.several.Modbus.memory.areas.to.the.
same.internal.physical.memory..In.these.cases,.the.Modbus.memory.areas.may.overlap,.and.writing.to.
a.holding.register,.for.example,.may.also.change.the.state.of.the.corresponding.input.register.residing.
on.the.same.physical.memory.
Note,
.however,.that.although.the.Modbus.Data.Model.species.that.elements.in.each.memory.area.
are.addressed.using.values.ranging.from.1.to.65,536,.unfortunately.these.address.values.are.in.actual.
fact.encoded.on.the.frames.sent.over.the.“wire”.between.the.client.and.server.as.ranging.from.0.to.
65,535..is.usually.leads.to.many.errors.of.“o.by.one,”.as.the.manuals.of.some.device.manufactur-
ers
.specify.how.the.Modbus.memory.areas.are.mapped.onto.to.the.device’s.internal.architecture.
assuming.the.1–65,536.addressing.range,.whereas.other.device.manufacturers.assume.the.0–65,535.
addressing.range..When.reading.a.manual.one.can.never.be.sure.which.addressing.range.is.being.
used,.unless.this.is.explicitly.stated,.which.is.rare..However,.if.the.manual.makes.any.reference.to.an.
address.value.of.“0,”.then.usually.one.may.safely.assume.that.the.0–65,535.addressing.range.is.being.
considered.
36.3 Modbus Protocol architecture
e.Modbus.protocol.is.organized.as.a.two-layer.protocol.(Figure.36.2).
e
.upper.layer,.called.the.“Modbus.application.layer,”.denes.the.functions.or.services.that.a.Modbus.
client.may.request.of.a.Modbus.server,.and.how.these.requests.are.encoded.onto.a.message.or.APDU.
(application.layer.protocol.data.unit)..It.also.denes.how.the.servers.have.to.reply.to.each.function,.and.
the.actions.they.should.take.on.behalf.of.the.client..is.layer.is.further.explained.in.Section.36.4.
e
.lower.layer.denes.how.the.upper.layer.APDUs.are.encapsulated.and.encoded.onto.frames.to.
be.sent.over.the.wire.by.the.underlying.physical.layer,.and.how.the.server.devices.are.addressed..ere.
are.three.distinct.versions.of.this.lower.layer..e.ASCII.(American.Standard.Code.for.Information.
Interchange).version.encodes.the.upper.layer.APDU.as.ASCII.characters,.whereas.the.RTU.and.TCP.
versions.use.direct.byte.representation..e.RTU.and.ASCII.versions.are.expected.to.be.sent.over.EIA/
TIA-232
.or.EIA/TIA-485. (commonly. known. as. RS232. and.RS485)..e.TCP. version,.as. the.name.
implies,.is.sent.over.TCP.connections.established.over.the.IP.protocol..Although.it.is.common.that.the.
IP.protocol.frames.are.then.sent.over.an.Ethernet.LAN.(local.area.network),.there.is.no.reason.that.they.
may.not.use.any.other.underlying.network,.including.the.global.Internet.
As
.the.RTU.and.ASCII.versions.are.very.similar,.they.are.both.described.in.the.same.Section.36.5..
Section.36.6.will.explain.the.TCP.version.
Underlying protocols and physical media
Modbus family protocols
Modbus application layer
Modbus RTU Modbus ASCII Modbus TCP
EIA/TIA/232 EIA/TIA/485
TCP
IP
Ethernet ...
FIGURE 36.2 Organization.of.Modbus.protocols.
© 2011 by Taylor and Francis Group, LLC
36-4 Industrial Communication Systems
36.4 Modbus application Layer
e.Modbus.protocol.denes.three.distinct.APDUs.(Figure.36.3).used.in.the.Modbus.application.layer..
All.three.APDUs.start.with.a.single-byte.value.indicating.the.Modbus.function.being.requested.or.to.
which.a.reply.is.being.made..Following.the.“function”.byte.value.come.all.data.and.parameters.of.that.
specic.function..Data.and.parameters.have.a.variable.number.of.bytes,.depending.on.the.function.in.
question,.and.the.number.of.memory.registers.that.are.being.accessed.
All
.APDUs.are,.however,.limited.in.size.to.a.maximum.of.253.bytes,.due.to.limitations.imposed.by.
the.underlying.EIA/TIA-485.layer..e.Modbus.protocol.also.species.that.all.16.bit.addresses.and.data.
items.are.encoded.using.big-endian.representation..is.means.that.when.a.numerical.quantity.larger.
than.a.single.byte.is.transmitted,.the.most.signicant.byte.is.sent.rst..Nevertheless,.some.device.manu-
facturers
.allow.the.user.to.specify.whether.the.device.should.use.big.or.little-endian.encoding.
e
.request.APDU.is.sent.by.the.client.to.the.server..Upon.successful.completion.of.the.desired.
function,.the.server.replies.with.a.response.APDU..If.the.server.encounters.an.error,.the.server.noties.
the.client.with.an.exception.response.APDU.
36.4.1 Data access Functions
e.Modbus.protocol.denes.a.large.list.of.functions..e.most.oen.used.functions.are.those.associated.
with.accessing.the.memory.areas.(Table.36.2).
All
.functions.listed.in.Table.36.2,.with.the.exception. of. functions.0x14,. 0x15,. 0x16,. and. 0x18,.
.
simply.request.that.some.data.be.read.or.written.to.a.specic.memory.area..Function.codes.0x05.and.
0x06.are.used.to.write.to.a.single.element.(coil.or.holding.register,.respectively)..e.remaining.func-
tions
.allow.the.client.to.read.from.or.write.to.multiple.contiguous.elements.of.the.same.memory.area.
TABLE 36.2 Functions.Used.for.Data.Access
Memory.Area Function.Name
Function.
Code.(Hex)
Addressable.
Elements
Possible.Response.
Error.Codes
Discrete
.Inputs Read.discrete.inputs 0x02 1–2000 01,.02,.03,.04
Coils Read
.coils 0x01 1–2000 01,.02,.03,.04
Coils Write
.single.coil 0x05 1 01,.02,.03,.04
Coils Write
.multiple.coils 0x0F 1–1976 01,.02,.03,.04
Input
.registers Read.input.registers 0x04 1–125 01,.02,.03,.04
Holding
.registers Read.holding.registers 0x03 1–125 01,.02,.03,.04
Holding
.registers Write.single.register 0x06 1 01,.02,.03,.04
Holding
.registers Write.multiple.registers 0x10 1–123 01,.02,.03,.04
Holding
.registers Read/write.multiple.registers 0x17 1–121.(write) 01,.02,.03,.04
1–125
.(read)
Holding
.registers Mask.write.register 0x16 1 01,.02,.03,.04
Holding
.registers Read.FIFO.queue 0x18 1–32 01,.02,.03,.04
Files Read
.le.record 0x14 01,.02,.03,.04,.08
Files Write
.le.record 0x15 01,.02,.03,.04,.08
Function code (F) Reply data
Exception function code (F + 0 × 08)
Function code (F) Request data
Exception code
Request APDU
Response APDU
Exception response APDU
FIGURE 36.3 General.format.of.APDU.frames.
© 2011 by Taylor and Francis Group, LLC
Modbus 36-5
Note.that.the.maximum.number.of.addressable.elements.is.limited.by.the.maximum.size.of.the.
APDU..For.example,.for.function.code.0x0F,.the.request.APDU.starts.o.with.6.bytes.containing.the.
function.code.and.respective.parameters.(see.Figure.36.4),.leaving.a.maximum.of.247.(equal.to.253.−.6).
available.bytes.in.which.to.send.the.data..e.data,.consisting.of.1.bit.elements,.are.packed.8.per.byte,.
resulting.in.a.maximum.of.1976.(247.×.8).addressable.elements.
Function
.0x16.(Mask.Write.Register).changes.the.value.stored.in.a.single.holding.register..However,.
unlike.the.other.functions,.the.new.value.is.not.obtained.directly.from.the.data.sent.in.the.APDU,.but.
rather.is.obtained.by.applying.a.logical.operation.using.the.current.value.of.the.holding.register.with.
two.masks,.an.AND.mask.and.an.OR.mask,.sent.with.the.APDU.
.
New_value = (Current_value AND And_mask) OR (Or_mask AND (NNOT And_mask))
Using
.this.function.the.client.can.switch.o.certain.bits.and.set.other.bits.of.the.holding.register,.
while.simultaneously.leaving.the.remaining.bits.unchanged,.in.a.single.atomic.operation.
Function
.0x18.(Read.FIFO.Queue).allows.the.client.to.request.reading.a.FIFO.queue.from.the.server..
e.FIFO.queue.must.be.stored.within.the.holding.registers.memory.area.in.the.server.and.consists.of.
a.rst.register.containing.the.number.of.elements.in.the.queue.(queue.count.register),.followed.by.the.
values.of.each.element.in.the.queue.in.the.following.registers.(queue.data.registers)..e.client.merely.
02 Ah Al Ch C l 02 B D ... D
01 Ah Al Ch Cl 01 B D ... D
03 Ah Al Ch Cl 03 B ...Dh Dl
04 Ah Al Ch Cl 04 B ...Dh Dl
05 Ah Al Dh Dl 05 Ah Al Dh Dl
06 Ah Al Dh Dl 06 Ah Al Dh Dl
0F Ah Al Ch Cl B ...Dh Dl 0F Ah Al Ch Cl
10 Ah Al Ch Cl B ...Dh Dl 10 Ah Al Ch Cl
Dh Dl
Dh Dl
Dh Dl
Dh Dl
16 16 Ah Al
17 ... 17 B ...
18 18 ...Dh Dl Dh DlAh Al
Xl – Low byte of 16 bit value X
Xh – High byte of 16 bit value X
A –Starting bit/register address
C – Number (count) of referenced bit/register
B – Number of remaining bytes in frame
D–Data values
M
A
– AND mask
M
o
– OR mask
X
R
– Parameters for reading
X
W
– Parameters for writing
Bh Bl
Request APDU
Response APDU
Ah
A
R
h A
R
l C
R
h C
R
l A
W
hA
W
l C
W
h C
W
l D
W
lD
W
h D
W
l
D
W
h
M
A
h
D
R
h D
R
hD
R
l D
R
l
M
A
l M
o
h M
o
l
Al
M
A
lM
A
h M
o
h M
o
l
FIGURE 36.4 Format.of.data.access.functions.APDUs.
© 2011 by Taylor and Francis Group, LLC
36-6 Industrial Communication Systems
indicates.in.the.request.APDU.the.address.of.the.queue.count.register,.and.the.server.will.reply.with.
the.valu
e
.cont
ained
.in.this.queu
e
.coun
t
.regi
ster,
.foll
owed
.by.the.valu
e
.of.each.queu
e
.data.regi
ster,
.up.to.
a.max
imum
.of.31.dat
a
.reg
isters.
For
.each.func
tion,
.the.form
at
.of.the.requ
est
.APDU.sent.by.the.clie
nt,
.and.the.resp
ective
.resp
onse
.
APDU.with.whic
h
.the.serv
er
.repl
ies,
.may.be.foun
d
.in.Figu
re
.36.4
.
.Note.that.in.the.func
tions
.acce
ssing
.
bit-
sized
.memo
ry
.area
s
.(i.e
.,
.func
tions
.0x01
,
.0x02
,
.0x05
,
.0x0F
),
.the.bits.are.sent.pack
ed
.8.per.byte
.
.For.
exam
ple,
.a.func
tion
.read
ing
.or.writ
ing
.20.bits.will.resu
lt
.in.the.stat
e
.of.the.rst.16.bits.bein
g
.pack
ed
.into.
2.byt
es,
.and.the.rem
aining
.4.bit
s
.sen
t
.on.the.lea
st
.sign
icant
.bit
s
.of.the.thi
rd
.dat
a
.byt
e.
e
.Modb
us
.proto
col
.incl
udes
.two.addi
tional
.func
tions
.for.data.acce
ss.
.ese.func
tions
.(0x1
4
.for.
read
ing
.and.0x15.for.writ
ing)
.are.refe
rred
.to.in.the.base.Modb
us
.spec
ication
.docu
ments
.as.“Rea
d
.File.
Reco
rd”
.and.“Wri
te
.File.Reco
rd,”
.but.in.the.spec
ication
.of.the.Modb
us/TCP
.versi
on
.are.call
ed
.“Rea
d
.
Gene
ral
.Refe
rence”
.and.“Wri
te
.Gene
ral
.Refe
rence.”
.A.le.cont
ains
.10,0
00
.reco
rds
.(add
ressed
.from.0.to.
9,99
9),
.each.reco
rd
.bein
g
.a.16.bit.elem
ent.
.Each.le.is.refe
renced
.by.its.numbe
r,
.rang
ing
.from.0.to.65,5
35.
.
Note.that.the.memo
ry
.refe
renced
.by.thes
e
.les.is.inde
pendent
.from.the.memo
ry
.area
s
.den
ed
.in.Tabl
e
.
36.1
.
.For.deta
ils
.rega
rding
.thes
e
.func
tions,
.whic
h
.are.seld
omly
.impl
emented
.by.Modb
us
.serv
ers,
.inte
r-
ested
.rea
ders
.are.enc
ouraged
.to.con
sult
.the.fre
ely
.ava
ilable
.Mod
bus
.spe
cications
.[1–
4].
36.4.2 Diagnostic Functions
e.second.large.group.of.Modbus.functions.allows.the.client.to.obtain.diagnostic.information.from.
the.serv
er
.(Tab
le
.36.3
).
.ese.func
tions
.are.only.avai
lable
.on.seri
al
.line.devi
ces,
.and.many.comm
ercially
.
avai
lable
.Mod
bus
.ser
vers
.do.not.imp
lement
.som
e
.or.all.of.the
se
.fun
ctions.
With
.func
tion
.0x07.(Rea
d
.Exce
ption
.Statu
s)
.the.clie
nt
.may.read.8.bits.of.devi
ce-specic
.exce
ption
.
stat
us
.info
rmation.
.Func
tion
.0x08.(Dia
gnostic)
.is.used.to.obta
in
.diag
nostic
.info
rmation
.from.the.serv
er,
.
or.to.have.the.serv
er
.exec
ute
.some.auto-
diagnostic
.rout
ines
.that.shou
ld
.not.aec
t
.the.norm
al
.oper
ation
.
of.the.serv
er.
.e.func
tion
.is.foll
owed
.by.a.subf
unction
.code.indi
cating
.whic
h
.diag
nostic
.info
rmation
.
is.bein
g
.requ
ested
.(bus.mess
age
.coun
t,
.comm
unication
.erro
r
.coun
t,
.etc.
),
.or.whic
h
.diag
nostic
.rout
ine
.
shou
ld
.be.exe
cuted
.(re
start
.com
munication,
.for
ce
.lis
ten
.onl
y
.mod
e,
.etc
.).
With
.func
tion
.0x0B.(Get.Comm
unication
.Even
t
.Coun
ter)
.the.clie
nt
.can.obta
in
.a.stat
us
.word.as.well.
as.an.even
t
.coun
t
.of.the.serv
er’s
.comm
unication
.even
t
.coun
ter.
.is.even
t
.coun
ter
.is.incr
emented
.once.
for.each.succ
essful
.mess
age
.comp
letion.
.Func
tion
.0x0C.(Get.Comm
unication
.Even
t
.Log).retu
rns
.the.
same.data.as.func
tion
.0x0B
,
.plus.the.mess
age
.coun
t
.(numb
er
.of.mess
ages
.proc
essed
.since.last.rest
art)
.
and.a.eld.of.64.even
t
.byte
s.
.ese.even
t
.byte
s
.cont
ain
.the.stat
us
.resu
lt
.of.the.last.64.mess
ages
.that.were.
eith
er
.sen
t
.or.rec
eived
.by.the.ser
ver.
With
.func
tion
.0x11.(Rep
ort
.Slav
e
.ID),.a.clie
nt
.may.obta
in
.the.run.stat
us
.of.the.serv
er
.devi
ce
.(run
/
stop),
.a.dev
ice-specic
.ide
ntication
.byt
e,
.and.som
e
.add
itional
.dev
ice-specic
.249.byt
es
.of.dat
a.
The
.Modb
us
.spec
ification
.incl
udes
.one.addi
tional
.func
tion,
.0x2B
,
.with.two.subf
unctions.
.One.
subf
unction
.(0x0
E)
. allo
ws
. the.clie
nt
. to. obta
in
. devi
ce
. iden
tification
. (Mand
atory:
. vend
or
. name
,
.
product.code,.major.and.minor.revision;.Optional:.vendor.URL,.product.name,.model.name,.user.
appl
ication
.name
)
.all.in.ASCI
I
.stri
ng
.form
at.
.The.seco
nd
.subf
unction
.may.be.used.to.tunn
el
.othe
r
.
comm
unication
.prot
ocols
.insi
de
.a.Modb
us
.conn
ection.
TABLE 36.3 Modbus.Function.Codes.for.Diagnostic.Purposes
Function.Name Function.Code.(Hex) Possible.Response.Error.Codes
Read
.except
ion
.sta
tus 0x07 01,
.04
Diag
nostic 0x08 01,
.03,.04
Get
.communic
ation
.even
t
.count
er 0x0B 01,
.04
Get
.communic
ation
.even
t
.log 0x0C 01,.04
Repo
rt
.sla
ve
.ID 0x11 01,.04
© 2011 by Taylor and Francis Group, LLC
Modbus 36-7
For.more.details.regarding.these.functions,.as.well.as.their.corresponding.frame.formats,.the.inter-
ested
.rea
der
.is.onc
e
.aga
in
.enc
ouraged
.to.con
sult
.the.Mod
bus
.spe
cication
.[1]
.
36.4.3 Device Classes
Modbus.server.and.client.devices.are.classified.into.classes.[3],.depending.on.which.of.the.above.
func
tions
.the
y
.imp
lement.
Class
.0.inc
ludes
.the.min
imum
.use
ful
.set.of.fun
ctions:
•
. Read.hol
ding
.reg
isters
.(0x
03)
•
. Writ
e
.mul
tiple
.reg
isters
.(0x
10)
Class
.1.de
nes
.a.mor
e
.com
plete
.set.of.the.mos
t
.com
monly
.use
d
.fun
ctions:
•
. Read.coi
ls
.(0x
01)
•
. Read.dis
crete
.inp
uts
.(0x
02)
•
. Read.inp
ut
.reg
isters
.(0x
04)
•
. Writ
e
.sing
le
.coi
l
.(0x
05)
•
. Writ
e
.sing
le
.reg
ister
.(0x
06)
•
. Read.exc
eption
.sta
tus
.(0x
07)
Class
.2.dev
ices
.sup
port
.all.dat
a
.tra
nsfer
.fun
ctions:
•
. Writ
e
.mul
tiple
.coi
ls
.(0x
0F)
•
. Read.le.rec
ord
.(0x
14)
•
. Writ
e
.le.rec
ord
.(0x
15)
•
. Mask.write.register.(0x16)
•
. Read
/write
.mul
tiple
.reg
isters
.(0x
17)
•
. Read.FIF
O
.que
ue
.(0x
18)
36.4.4 Error Handling
Error.checking.starts.as.soon.as.the.server.receives.a.request.APDU..At.this.time.it.will.start.o.by.veri-
fying
.the.vali
dity
.of.the.func
tion
.code
,
.addr
ess
.valu
es,
.and.data.valu
es
.(in.this.orde
r)
.and,.upon.the.rst.
erro
r
.enco
untered,
.will.repl
y
.with.an.exce
ption
.resp
onse
.APDU.with.erro
r
.code
s
.1,.2,.or.3,.resp
ectively
.
(Tab
le
.36.4
).
.Aer.passi
ng
.thes
e
.init
ial
.test
s,
.the.acti
ons
.corr
esponding
.to.the.func
tion
.indi
cated
.in.the.
requ
est
.APDU.are.exec
uted.
.If.an.erro
r
.occu
rs
.duri
ng
.this.proc
essing,
.addi
tional
.erro
r
.code
s
.may.be.
gene
rated
.and.sen
t
.to.the.cli
ent
.usin
g
.the.exc
eption
.res
ponse
.APD
Us.
TABLE 36.4 Modbus.Exception.Codes
Code.(Hex) Name Comments
0x01 Illegal
.func
tion
0x02 Illegal
.dat
a
.address
0x03
Illegal
.dat
a
.value
0x04
Slave
.device.fail
ure
0x05 Acknowledge Not
.commo
nly
.use
d.
.Indic
ates
.tha
t
.the.
slav
e
.wil
l
.repl
y
.lat
er
.to.the.req
uest.
0x06 Slave
.device.busy
0x08
Memory
.par
ity
.erro
r Used
.onl
y
.in.func
tion
.codes.0x14.and.0x15.
0x0A Gat
eway
.pat
h
.unava
ilable Only
.use
d
.by.gate
ways.
0x0B Gateway
.tar
get
.device.faile
d
.to.resp
ond Only
.use
d
.by.gate
ways.
© 2011 by Taylor and Francis Group, LLC