Modbus TCP Communication User's Manual

Electrical network management
MV substation control unit
Merlin Gerin Easergy Range

F200C
Modbus TCP Communication
User's manual
Contents
GENERAL 3
Functionality 3
Application 3
Advantages 3
Characteristics 3
COMMUNICATION MODULE 4
Main menu 4
GPRS parameters 5
Modbus TCP/IP parameters 6
Alarm parameters 7
Equipment state 8
MODBUS analyser 9
GENERAL 10
Identification / configuration zone 12
Time synchronization zone 12
Test zone 13
Event zone 13
TC / TSD / TSS zone 15
Telemetering zone 17
Diagnostic counter reading 21
MODBUS TCP protocol 22
Report by exception TCP 23
Report Slave ID: function n°17 23
Read N bits: functions n°1 and 2 24
Read N words: functions n°3 and 4 24
Write a bit: function n°5 25
Write a word: function n°6 25
Read diagnostic counters: function n°8 26
Write N consecutive words: function n°16 27
2 NT00173-02-GB.doc Schneider Electric

General
Functionality
The FLAIR 200C communication board allows the connection of MV/LV

substation to a telecontrol system by using a MODBUS TCP protocol. It
includes advanced telecommunication function and manages GPRS type
of transmission modems.
Application
F200 Modbus IP can be used as any MODBUS TCP slave in permanent

TCP link
But an enhanced specification has been added to adapt MODBUS TCP to

GPRS communication constraints:
- GPRS access does not provide a static IP to the RTU in all cases. So
the SCADA can not establish the TCP connection.
- GPRS fees are based on amount of data exchanged so a permanent
polling is very expensive.
Consequently, a non-permanent mode has been developed. In this

mode, SCADA system and F200C can be both TCP client and server.
It means that the F200C and SCADA can both initiate the TCP
connection. When the polling is over, the connection is released.
For dynamic IP, each time F200C is changing its IP address, an alarm
can be activated. F200C is establishing a connection on this alarm to
provide its new IP address to the SCADA.
This mode has been implemented in the L500 system.
Moreover, a ping feature has been implemented in order to check the IP

connection.
Advantages
Type of transmission modem : GPRS

Permanent mode and non permanent mode available
Advanced telecommunication functions
Configuration by PC computer
Built-in protocol analyzer
Characteristics
type of transmission IP
protocol Modbus TCP(enhanced function
available)
speed 9600 bauds
Schneider Electric 3
Communication module
Main menu
Modbus Address:
The value is fixed to 255 as in MODBUS
╔═════════ MERLIN GERIN - Configuration and Diagnostic - ALT+F4=Exit ══════════╗
TCP specification ║ Easergy Flair 200C Modbus IP ║
║ PROM v1.00, PIC v2.08, Type: A ║
║ ║
GPRS parameters: ║ PARAMETERS SETUP ║
Displays the GPRS configuration screen. ║ Equipment name : Measurement and fault detection ║
║ Alarm parameters ║
║ MODBUS address : 255 Setup Time ║
Modbus TCP/IP parameters: ║ Energy Preset ║
║ ║
Displays the TCP/IP configuration screen. ║ Modem type : GPRS TCP/IP mode : Non Permanent ║
║ GPRS parameters Modbus TCP/IP parameters ║
║ ║
Alarm parameters: ║ ║
Displays the alarm configuration screen. ║ SAVE CONFIGURATION : ║
║ OK . ║
║ Cancel ║
Modbus Analyser: ║ ║
║ ║
Displays the trace of exchanges between ║ DIAGNOSIS ║
the equipment and the modem ║ Display events Erase events ║
Displays the trace of exchanges between ║ Display analog MODBUS analyser ║
║ Equipment states ║
the equipment and the control station ║ ║
╚══════════════════════════════════════════════════════════════════════════════╝

GPRS parameters
PIN code: ╔═════════ MERLIN GERIN - Configuration and Diagnostic - ALT+F4=Exit ══════════╗
║ GPRS parameters ║
• Setting of the PIN into the SIM card (default ║ ║
║ SIM CARD PARAMETERS ║
value is 0000) ║ PIN code : 0000 ║
• In case a wrong PIN is entered, "SIM card ║ ║
║ GPRS COMMUNICATION PARAMETERS ║
failure" is underlined in the screen ║ APN Server (Max 30 Digits) : ║
"Equipment states" ║ APN Login (Max 30 Digits) : ║
║ APN Password (Max 30 Digits) : ║
║ ║
APN Server: ║ Time between connection attempt: 1mn ║
║ ║
• Enter the APN (Access Point Name) given ║ Specific Ping IP Address : 0.0.0.0 Test ║
by your GPRS network provider ║ Ping time : 1h ║
║ Ping delay(s) : 5 ║
APN Login and Password: ║ Ping number : 3 ║
║ ║
• Enter the login and the password provided ║
║
Daily disconnect : 0 h 0 min ║
║
with your GPRS account ║ ║
║ ║
Note: in most cases, login and password are not ║ ║
║ Escape=Exit ║
required for GPRS access. ╚══════════════════════════════════════════════════════════════════════════════╝
Time between connection attempts:

If no answer is received from ping request, the connection to the IP
• If a GPRS connection loss occurs, F200C network will be released and re-established.
will wait this time before establishing a new
GPRS connection
If at least one answer is received, the link is considered as UP.
• Default value: 1 min
Ping Test:
Ping process:
• When a configuration has been saved and the product is connected to the IP
One of the special features of GPRS operation is network (see "modem state" in equipment state menu), a ping test can be
that in some cases of network unavailability, the performed using this control.
F200C does not detect this link break. As a • Possible answer:
consequence, without a means of forcing • "In progress ": a ping test is in progress
automatic disconnection/reconnection, the • "OK ": ping succeeded
F200C will not by itself be able to restore • "NOK": ping failed
connection to the network. The F200C will try, • "Not available": Modem is not IP connected or a periodic ping is
every x minutes configured in the “Ping time” already in progress or the modem is Tcp connected to the SCADA. (See
field, to send a ping to the specified IP address. "modem stat" on equipment state menu)
If no IP data flow reaches the F200C, the modem
F200C performs a daily modem reset to improve robustness.
will be reinitialized
Specific Ping IP address: Daily disconnect
• Enter an Internal Pingable IP address (if • Set hour and minutes of the daily modem reset time
available) in order to monitor the IP
connection
• If "0.0.0.0" IP is configured, the ping process
is disabled
Ping time:
• Enter the frequency of ping request
Ping delay:
• Enter the delay for waiting answer to ping
request
• We recommend 5 s for GPRS network if
more than one request is configured
otherwise 10 s
• A test can be done to check it
Ping number:
• Enter the number of ping request
• We recommend 3 attempt
Modbus TCP/IP parameters

Slave ID: ║ Modbus TCP/IP parameters ║
• The slave Id is used when the F200C has ║
║
║
║
a dynamic IP. In this case, SCADA ║ F200C PARAMETERS ║
system can not identified the product by ║ Slave ID : 1 ║
║ Local port : 502 ║
its IP address. ║ Heartbeat timeout : 1mn ║
• The Slave Id can be read by the SCADA ║
║ TCP connect. delay - 1st try : 1s
║
║
using the Identification frame (see below ║ (0s = random value) - 2nd try : 1mn ║
on Appendix for description). ║ - 3rd try : 2mn ║
║ ║
• This mode is implemented in the L500 ║ SCADA PARAMETERS ║
system ║ IP address : 83.206.106.173 ║
║ Remote port : 502 ║
• The slave Id must be different for each ║ ║
equipment ║ ║
║ ║
• Value is from 0 to 65534 ║ ║
║ ║
║ ║
║ ║
║ Escape=Exit ║
╚══════════════════════════════════════════════════════════════════════════════╝
Local Port:
• Enter the TCP port of the product • third attempt: configurable from 0 to 10 min, by steps of 1 min. Setting it
• The product is listening to incoming TCP to ‘’0’’ selects a random time between 0 and 10 min
connection on this port
• Value is from 1 to 65535. Note: The 2nd and 3rd sends are only done if the preceding ones did not
• Default value: 502 (Modbus TCP port) succeed.
Check with GPRS provider for open port

availability.
Scada parameters
Heartbeat Timeout: IP address :

• During a TCP/IP connection, if no • Enter the destination IP address of the SCADA
• Modbus TCP exchange occurs before • This IP address must be static
the timeout expiry (silence), the TCP/IP
connection is closed Remote port:
• Every time the product receives a • Enter the port number on which the SCADA is reachable.
Modbus TCP frame the timer is re- • Default value: 502 (Modbus TCP port)
armed.
TCP/IP connect. delay:

Time before the establishment of a TCP/IP
connection if occurrence of an alarm:
• First attempt: adjustable from 0 to

1min. by steps of 1s. Setting it to ‘’0’’
selects a random time between 0 and 1
min.
• Second attempt: configurable from 0 to

5min. by steps of 1min. Setting it to ‘’0’’
selects a random time between 0 and 5
min.

Alarm parameters
This menu is used to set automatic calls to ║ Alarm Parameters ║
║ ║
the supervisor ║ ║
║ Alarm message enabled : yes ║
║ ║
Alarm message enabled: ║ Digital input 1 : yes Dial up test : no ║
Yes: If an alarmed change of state ║ Digital input 2 : no ║
║ Digital input 3 : yes Cyclic dial up : yes ║
occurs a TCP/IP connection is ║ Digital input 4 : yes Starting time(min): 30 ║
established to the SCADA ║ Digital input 5 : no (hour): 15 ║
║ Digital input 6 : yes Period(hours) : 1 ║
No: F200C does not initiate any TCP/IP ║ Flair 200C fault : no ║
connection. ║ ║
║ Alarm on AC supply off detection: no ║
║ Alarm on phase fault detection: no ║
║ Alarm on earth fault detection : no ║
║ ║
║ Alarm on F200C IP address change : yes ║
Alarm: on F200C IP address change: ║ ║
║ ║
When F200C IP address changes, ║ ║
F200C establishes a TCP/IP ║ ║
║ Escape=Exit ║
connection to the SCADA. ╚══════════════════════════════════════════════════════════════════════════════╝
This feature must be activated when:
F200C IP address is dynamic
With this feature, L500 is able to
refresh F200C IP address
If this option is activated, it is not necessary

to configure a call once a day. It will be
done at modem reset. Check with GPRS
provider for open port availability.
For other parameters, please refer to

F200C user manual.
Equipment state
SIM card failure:

If underlined, F200C has detected the ╔═════════ MERLIN GERIN - Configuration and Diagnostic - ALT+F4=Exit ══════════╗
embedded GSM modem card, but ║ Equipment states ║
║ Fault passage indicator: ║
cannot read the SIM card or PIN code ║ Phase fault Digital outputs: ║
is wrong. ║ Earth fault -----[-]-----> DO1 ║
║ -----[-]-----> DO2 ║
║ Equipment state: ║
║ Flair 200C fault DO Controle: Select ║
Received signal: ║ Local conf Confirm command ║
Indicates the Received Signal Strength ║ Remote conf cAncel command ║
║ Config. fault ║
Indication of the modem. Should be ║ Alarm processing... Digital inputs: ║
above 16. ║ AC supply off DI 1 ║
║ DI 2 ║
║ Communication state: Modem state : DI 3 ║
║ Modem not identified TCP Listened ! DI 4 ║
IP address: ║ SIM card failure Ip address : DI 5 ║
Indicates the current IP address of the ║ 80.10.17.164 DI 6 ║
F200C. ║ GSM signal quality: ║
║ The signal must be between 17 and 31 (0 at start, 99 is faulty) ║
║ 0 Max(31) ║
║ received signal: 18 █████████░░░░░░░ ║
║ ║
Modem state: ║ Escape=Exit ║
Indicates the status of the modem ╚══════════════════════════════════════════════════════════════════════════════╝
See description below

PDP corresponds to a PPP
connection. This is a GPRS PPP.
Modem state Comments
Modem Init... F200C is configuring the modem
Entering code pin... -
Code pin error! Wrong PIN code
Network registration... IMSI registration
GPRS registration...
PDP Init... Open a PDP session
PDP Closing... Close the PDP session
PDP Status... Check the PDP status
PDP Connected! Modem is connected to IP network
Ping… A ping is in progress
Closing TCP listened Close the listen port
TCP Closing... Disconnection from the SCADA
TCP Listening... Opening the listen port
Standby state. The modem is ready to accept
TCP Listened!
incoming TCP connection
TCP Connecting... Try to connect to the SCADA
TCP Connected! Connected to the SCADA
Modem failure! A error has occurred, the modem will be reset
GSM registration IMSI registration is refused by the operator (check
denied! your SIM card right with your provider)
GPRS registration or PDP activation is refused by
GPRS registration
the operator (check your SIM card right with your
denied!
provider)

MODBUS analyser F200C provides a protocol analyser (with a Modbus frame specific decoder).
This feature is accessible from the MODBUS analyser menu on the PC
connected to the configuration plug. The exchange between the modem and
the CPU are also analysed for manufacturer diagnostic only.
GPRS version only

║ Modbus analyser ║
║ ║
The frames are decoded as Modbus TCP ║ ║
║ESCAPE=Exit, SPACE=Pause, C=Clear, S=Save trace, F=Toggle filtering ║
frames ║54:24.69 read tc < 00 0E 00 00 00 06 0A 04 00 30 00 01 ║
║54:24.69 READ TC >> 00 0E 00 00 00 05 0A 04 02 00 00 ║
║54:27.18 read cr < 00 0F 00 00 00 06 0A 04 00 31 00 01 ║
║54:27.18 READ CR >> 00 0F 00 00 00 05 0A 04 02 00 00 ║
║54:41.17 read ts < 00 10 00 00 00 06 0A 04 00 32 00 06 ║
║54:41.17 READ TS >> 00 10 00 00 00 0F 0A 04 0C 3F 00 00 28 00 00 00 00 00 ║
║ 00 00 00 ║
║55:00.53 read tm < 00 11 00 00 00 06 0A 04 00 40 00 12 ║
║55:00.55 READ TM >> 00 11 00 00 00 27 0A 04 24 00 38 00 38 00 39 00 08 00 ║
║ 64 80 00 80 00 80 00 80 00 80 00 00 00 80 00 80 00 80 ║
║ 00 80 00 80 00 00 00 80 00 ║
║55:46.45 read param < 00 12 00 00 00 06 0A 04 00 90 00 1D ║
║55:46.45 READ PARAM >> 00 12 00 00 00 3D 0A 04 3A DF 0F 00 05 00 00 10 03 00 ║
║ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ║
║ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 ║
║ 18 50 0A 35 06 53 CE 6A AD 09 64 09 64 ║
║55:54.57 read state < 00 13 00 00 00 06 0A 04 00 01 00 01 ║
║55:54.57 READ STATE >> 00 13 00 00 00 05 0A 04 02 00 69 ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Use: Display:
The "SPACE" key is used to stop scrolling, The first column gives the time of the message in minutes, seconds and
thereby facilitating analysis of the frames 100ths of seconds.
received.
The second column indicates the type of frame. Upper case characters are
The "C" key clears the screen. used for frames transmitted by the F200C. This is confirmed by the double
chevron '>>' in column 3. On the other hand, all the lower case characters
The "S" key activates the storage of the pertain to frames received by the remote control station (confirmed by a single
exchanges (only when the modbus analyser chevron '<' in column 3).
is opened).
The last column displays the frame in hexadecimal form. The "+" and ' * '
The ‘’F’’ key changes the filtering method. signs may precede the display of the frame:
Display all received frames The '+' sign indicates frames not intended for the equipment,
Display only frames addressed to this The ' * ' sign indicates an erroneous frame (incomplete frame, faulty
F200C. construction,...).
The "ESCAPE" key is used to exit the

analyser function.
MODBUS data addresses and encoding
GENERAL
Modbus TCP
Standard Modbus TCP framing is used. See Annex for protocol
details.
TCP Connection Management Policy

F200C can be both TCP client and server.
It can be used as a standard Modbus TCP slave: SCADA initiates the

TCP connection and polls the equipment at a frequency inferior to the
heartbeat timeout to maintain the connection
F200C also initiates TCP connection on alarm if the SCADA system is

able to accept incoming connection and identify the equipment.
RTU identification
To identify a RTU, a SCADA can use its IP address (if the network
provided fix IP address) or its Slave ID if the IP address is dynamic.
To read the SlaveId, use the identification frame describe in Appendix.

The addressing range is from 0 to 65534.
On change of IP, the equipment can initiate a connection if the

associated alarm is enabled. The SCADA after reading the SLAVEID can
update the new IP address of the equipment to be able to connect to it
afterwards.
Reply messages
Upon receipt of a request recognised by the equipment (read or write),
transmission of the data corresponding to the MODBUS TCP
specifications.
Upon receipt of a request not recognised by the equipment,

transmission of an exception message (type 1, 2 or 3 only).
Read zone
The number of words read may not exceed the size of the checked
zone.
Some zones may only be accessed as a whole.
Notes
Values followed by the letter "h" are in hexadecimal form (e.g. 0003h).
In the charts describing the data exchanged between the master and
the F200C, the hatched strips in the "authorised function" columns
indicate the zones that are accessible as a whole.

Terminology
TCD: remote control (digital output encoded in 2 bits)
TSS: single-state remote indication (digital input encoded in 1 bit)
TM: remote metering (analog input encoded in 16 bits)
Identification /
configuration
zone
word address access mode authorized
0000h to 0001h function
Software version 0000h read 3,4
Status 0001h read/write 3,4,6
Bit 0 to 7 of status indicates the type Bit 15 of status indicates:

of the equipment. (read only)
0 = No events loss
=94 decimal (5Eh) for FLAIR 200C
Modbus 1 = Loss of events
When the pile of event is full, the oldest

event is crushed and the bit "loss event"
is put at one.
When all the pile of event is read, the bit

"loss event " will be given has zero. This
change of state will not cause event.
This zone contains the internal date The zone may only be read or written
Time synchronization and time of the equipment for time- as a whole.
zone stamping of events.
Binary date word address access mode authorized

0002h to 0005h function
Year 0002h read/write 3,4,16
month+day 0003h read/write 3,4
Hours+minutes 0004h read/write 3,4
milliseconds 0005h read/write 3,4
0 Year (0 to 99)
b15 b8 b7 b0
0 month (1 to 12) 0 day (1 to 31)

b15 b8 b7 b0
0 hour 0 minute (0 to 59)

b15 b8 b7 b0
millisecond (0 to 59999)
b15 b8 b7 b0

The test zone contains 9 words that The contents of the zone do not have
Test zone can be read or written. It is recorded in any effect on the FLAIR 200C
saved RAM and is available to users functions.
to facilitate final adjustment tests.
Test zone word address access mode authorized

function
9 words 0006h to 000Eh read/write 1,2,3,4,5,6,16
This zone contains the time stamp

Event zone events.
Event zone word address access mode authorized

function
exchange word 000Fh read/write 3,4,6,16
event 1 0010h to read 3,4
0017h
001Fh
0027h
002Fh
Only the exchange word may be The exchange word comprises 2

written. bytes:
It is possible to read the exchange
zone as a whole or the exchange word Most significant byte = exchange
only. number which identifies each event
frame. It is preset to zero when the
The exchange word is used to FLAIR 200C is switched on; when it
manage a specific protocol to be sure reaches its maximum value (FFh), it
not to lose events as a result of a automatically goes back to 0. The
MODBUS communication problem; FLAIR 200C numbers the exchanges
the event table is numbered for that and the master acknowledges the
purpose. numbering.
Least significant byte = number of

valid events in the event zone
(maximum 4).
Encoding of events Acknowledgment of events
Each event is encoded with 4 words To inform the FLAIR 200C that it has
related to the event, followed by 4 correctly received the frame it has
words containing the event time- read, the master must :
stamping data:
write the number of the last
word 1: 0800h /2048 exchange it has received in the
"exchange number" byte
word 2: event bit address
reset the "number of events" byte of
001Fh /31: the exchange word to zero.
Event loss bit ( set only on
appearance)
After acknowledgment, the FLAIR
0310h to 031Fh: TSD 1 to 8
200C erases the events that have
0320h to 032Fh : code CR already been transmitted and replaces
them by new ones when applicable.
0330h to 034Fh : TSS 1 to 32
Remark: until the exchange word
word 3: 0 written by the master becomes "X,0"
(with X = number of the previous
word 4: exchange that the master wishes to
downward face = 0000h/0 acknowledge), the exchange word in
rising face = 0001h/1 the table remains at "X, number of
previous events".
words 5 to 8: time-stamping with
same format as date zone. If the number is equal to zero, the
master is not required to acknowledge
a message with no event.

TC / TSD / TSS zone

TCD / TSD / TSS word address access mode function
authorized
TCD 1-8 0030h write 1,2,3,4,5,6
TSD 1-8 0031h read 1,2,3,4
CR 0032h read 1,2,3,4,5,6
TSS 1-16 0033h read 1,2,3,4
TSS 17- 32 0034h read 1,2,3,4
Each TCD word is encoded as follows:
TCD Single remote indications Word bit

1 Digital output n°1 30h 0-1
2 Digital output n°2 30h 2-3
3 Preset NRJ 30h 4-5
4 Reset FPI 30h 6-7
TCD8 TCD7 TCD6 TCD5 TCD4 TCD3 TCD2 TCD1

C O C O C O C O C O C O C O C O
b15 b8 b7 b0
A remote control TCD is encoded in The CR code (result code) gives
2 bits: information on the processing of the
remote control order carried out by the
01 = open order FLAIR 200C:
10 = closing order
The TCDs are assigned as follows:
bit 0: Remote control in progress.
TCD 1 and 2 : digital ouput 1 and 2.
bit 1: Fault concerning the initial
TCD 3: Loading of the meter Energy remote control order
with the value preset energy (32 Bits)
by closing order. bit 2: Serious fault detected during
internal check.
TCD 4: Reset Fault passage

bit 3: not used
indicator by close order
bit 4: not used.
Writing a TCD word performs remote
bit 5: Failure to execute for an
control orders. Only one remote
unknown reason.
control order at a time may be
requested.
Each change of state of one of this bit
will produce a MODBUS event.
The control order zone ( TCD) may be
read with bit and word read function
code. As it contains no information the The telecontrol center system may
data is 0. reset these codes by writing a 0 to the
relevant address.
Each TSD word is encoded as follows:
TSD8 TSD7 TSD6 TSD5 TSD4 TSD3 TSD2 TSD1

C O C O C O C O C O C O C O C O
b15 b8 b7 b0
A TSD is encoded in 2 bits, F,O The assignment of the TSD is as

follows:
01 = open. TSD1: Digital ouput 1
10 = closed. TSD2: Digital ouput 2
00 or 11 = undetermined. TSD3: Preset NRJ (always to 01)

TSD4: Reset FPI (always to 01)
Each TSS word is encoded as follows:
TSS16 TSS15 TSS14 TSS13 TSS12 TSS11 TSS10 TSS9 TSS8 TSS7 TSS6 TSS5 TSS4 TSS3 TSS2 TSS1
b15 b8 b7 b0
Single remote indications Word Single Word

bit remote bit
indication
s
TSS1 : Digital input 1. 33h 0 TSS17 Reserved 34h 0
TSS2 : Digital input 2. 33h 1 TSS18 : Reserved 34h 1
TSS7 : Reserved 33h 6 TSS23 : Earth fault 34h 6
TSS8 : Reserved 33h 7 TSS24 : Fug. Earth fault 34h 7
TSS9 : Reserved 33h 8 TSS25 : AC supply off phase 1 34h 8
TSS10 : Reserved 33h 9 TSS26 : Reserved 34h 9
TSS11 : Flair 200C Fault 33h10 TSS27: Reserved 34h10
TSS12 : Local configuration 33h11 TSS28: Reserved 34h11
TSS13 : Remote configuration 33h12 TSS29: Phase fault 34h12
TSS14 : Configuration in progress 33h13 TSS30 : Fast. Phase fault 34h13
TSS15 : Configuration fault 33h14 TSS31 : Reserved 34h14
TSS16: Reserved 33h15 TSS32 : Reserved 34h15

Telemetering zone
Units Word address function

TM 16 bits Hexa. decimal mode authorized
Phase current I1 0.1 A 0040h 64 read 3,4
Current I0 0.1 A 0043h 67 read 3,4
Imean 0.1 A 0044h 68 read 3,4
Power factory 0.001 0045h 69 read 3,4
Frequency 0.01 Hz 0046h 70 read 3,4
Reserved - 0047h to 71 to 79 read 3,4
004Fh
Units Word address function
TM 32 bits Hexa. decimal Mode authorized
V1 0.1 V 0050h-1 80 to 81 read 3,4
P 10 W 0052h-3 82 to 83 read 3,4
Q 10 VAR 0054h-5 84 to 85 read 3,4
S 10 VA 0056h-7 86 to 87 read 3,4
NRJ KWh 0058h-9 88 to 89 read 3,4
Reserved - 005Ah to 88 to 95 read 3,4
005Fh
Each TM 16 bit value is a signed value encoded in 2's complement 16-bit

word.
Each TM 32 bits value is a signed value encoded in 2's complement 32-bit
word ( LSB then MSB)
Invalid or non-declared measurements are encoded with the value 8000h (-

32768) ( 80000000h for 32-bits)
Word address access function

Remote 16 parameters Hexa. decimal mode authorized
parameters Alarms on TSS 0060h 96 Read/write 1,2,3,4,5,6
Reserved 0061h to 0065h 97 to 101 Read/write 1,2,3,4,5,6
zone Reserved 0066h to 0069h 102 to 105 Read/write 1,2,3,4,5,6
Reserved 006Ah to 006Dh 106 to 109 Read/write 1,2,3,4,5,6
Reserved 006Eh to 0071h 110 to 113 Read/write 1,2,3,4,5,6
Reserved 0072h to 0075h 114 to 117 Read/write 1,2,3,4,5,6
Cyclic dial up period 0076h to 0077h 118 to 119 Read/write 1,2,3,4,5,6
F200C IP address 0078h to 0079h 120 to 121 Read 3,4
SCADA IP address 007Ah to 007Bh 122 to 123 Read/write 1,2,3,4,5,6
F200C local port 007Ch 124 Read/write 1,2,3,4,5,6
SCADA remote port 007Dh 125 Read/write 1,2,3,4,5,6
Reserved 007Dh to 007Fh 120 to 127 Read/write 1,2,3,4,5,6
Configuration bits 0080h 128 Read/write 1,2,3,4,5,6
Primary voltage TP 0081h 129 Read/write 1,2,3,4,5,6
Secondary voltage TP 0082h 130 Read/write 1,2,3,4,5,6
Reserved 0083h 131 Read/write 1,2,3,4,5,6
Nominal voltage 0084h 132 Read/write 1,2,3,4,5,6
Power off threshold 0085h 133 Read/write 1,2,3,4,5,6
Power on threshold 0086h 134 Read/write 1,2,3,4,5,6
Imax threshold 0088h 136 Read/write 1,2,3,4,5,6
I0 threshold 0089h 137 Read/write 1,2,3,4,5,6
Validation time 008Ah 138 Read/write 1,2,3,4,5,6
Inrush time 008Bh 139 Read/write 1,2,3,4,5,6
Reset fault time 008Ch 140 Read/write 1,2,3,4,5,6
Imax fault ack. time 008Dh 141 Read/write 1,2,3,4,5,6
Quick Imax fault ack. 008Eh 142 Read/write 1,2,3,4,5,6
time
I0 fault ack. time 008Fh 143 Read/write 1,2,3,4,5,6
Voltage on ack. time 0090h 144 Read/write 1,2,3,4,5,6
Volatge off ack. time 0091h 145 Read/write 1,2,3,4,5,6
Primary current TC 0092h 146 Read/write 1,2,3,4,5,6
Preset NRJ (LSB) 0094h 148 Read/write 1,2,3,4,5,6
Preset NRJ (MSB) 0095h 149 Read/write 1,2,3,4,5,6
Reserved 0096h to 009Fh 150 to 159 Read/write 1,2,3,4,5,6
A TSS Alarm is alarmed with 1 bit :

1 = Alarm is ON if the TSS is ON
0 = Alarm is not used
ALARM Single remote indications Word bit
1 Digital input 1. 60h 0
7 Flair200C Fault 60h 6
8 Test alarm 60h 7
9 Short message system enabled 60h 8
10 reserved 60h 9
11 AC supply OFF 60h 10
12 Phase fault 60h 11
13 Earth fault 60h 12
14 Alarm message set up 60h 13
15 reserved 60h 14
16 reserved 60h 15

Test alarm: A bit is used to test the alarm mechanism: if the bit is written
with "1" by the master MODBUS, an alarm signal will set off one minute later.
The bit will then be set to 0 by the FLAIR 200C if the alarm is acquitted.
Alarm message set up: A bit is used to set up the alarm mechanism: if
the bit is written with "1" by the master MODBUS, The alarm mechanism is
set up. If the bit is written with "0" by the master MODBUS, no alarm neither
cyclic dialup will be do by the equipment
Cyclic dial up period.

The equipment may periodically initiate a TCP connection. This function can
be used to verify that FLAIR 200C is alive and to download measurements.
Hour of the first dialup during the day (0076h)
Set 0 Hour (0 to 24) 0 minute (0 to 59)

b15 b8 b7 b0
Set = 1: Cyclic dial up mechanism is ON (only if "Alarm message set up"=1)

= 0: Cyclic dial up mechanism is OFF
Hour and minute are the time in the day when the dial up function is started
Period of the dialup (0077h)
0 Period (Hour 0 to 255)

b15 b8 b7 b0
Period (number of hours) between to dial up
Each time when data is written in the this zone (76h-77h) automatic call is
Re-initialize
IP address
F200C IP address: IP address of the F200C (read only zone)
SCADA IP address: IP address of the SCADA
Possible values:
Each byte can be: 0 <byte < 255
For instance, 193.251.9.68 is converted as follows:
68 / 0x44 byte 1
9 / 0x09 byte 2
251 / 0xFB byte 3
193 / 0xC1 byte 4
TCP port
F200C port : local port on which F200C is listening to incoming

connections (only if listen mode is <ON>)
SCADA port : remote port on which the SCADA is listening to incoming
connections from F200C
Possible values: 1 to 65535
Fault Detection parameters.
Configuration bits: bits used to configure Boolean parameters:
Boolean parameter Word bit Allowed

value
Homopolar wiring 80h 1 0, 1
Reset / power on 80h 2 0, 1
Reserved 80h 3
U cable 80h 4-5-6 0 : U21,
3 : V1
Reserved 80h 7
Reserved 80h 8
Reserved 80h 9
Active Inrush 80h 10 0.1
Reserved 80h 11
Frequency 60hz 80h 12 0, 1
Reserved 80h 13-15
Parameters: used to configure measurements and fault passage indicator
Refer to the user's manual for the parameter definition.
Parameters Min Max Incremental Details

value
Primary voltage TP 100 3200 1 NA
Secondary voltage TP 0 15 1 0 : 100
1 :110
2 :115
3 :120
4:100/sqrt(3)
5110sqrt(3)
6:115/sqrt(3)
7:120/sqrt(3)
8 : 200
9 : 210
10 : 230
11 : 240
12 200/sqrt(3)
13 210/sqrt(3)
14: 230/sqrt(3)
15: 240/sqrt(3)
Nominal voltage (V) 20 32000 1 NA
AC Power off threshold (%) 5 95 1 NA
Power on threshold (%) 70 120 1 NA
Residual Volt threshold(%) 5 95 1 NA
Imax threshold (A) 40 750 1 NA
I0 threshold(A) 20 160 1 NA
Validation time(s) 1 70 1 NA
Inrush time (s) 0 70 1 NA
Reset fault Time (h) 1 12 1 NA
Imax fault ack. Time (ms) 40 800 1 NA
Quick Imax. fault ack. Time 20 800 1 NA
(ms)
I0 fault ack. Time (ms) 20 800 1 NA
Voltage on ack. Time (ms) 10 18000 1 NA
Voltage off ack. Time (ms) 10 18000 1 NA
Primary current TC 50 2500 1 NA
Preset Energy (LSB) (kwh) 0 65535 1 NA
Preset Energy (MSB) 0 65535 1 NA

The sub-function codes recognised by 000Ch: reading of the number

Diagnostic counter the F200C are: frames received with CRC errors
reading (CPT2).
0000h: return query data.
000Dh: reading of the number of
000Ah: clear counters and exception replies (CPT3).
diagnostic register.
000Eh: reading of the number of
000Bh: reading of the number of frames addressed to the station
frames exchanged. (CPT4).
000Fh: reading of broadcast

requests received (CPT5).
The most significant bit of the sub-function code should be assigned with
the sub-address of the F200C to be accessed.
sub-function code = 0B
CRC16
Reading: 01 08 00 0B 00 00 91 8D
Reply: 01 08 00 0B 00 04 90 4E
G200 address = 1
Function code = 8
Appendix
MODBUS TCP protocol
Modbus TCP protocol is based on the standard modbus TCP protocol.
Same functions, as standard modbus are available:
1: read n output bits.
2: read n input bits.
3: read n output words.
4: read n input words.
5: write a bit.
6: write a word.
8: read diagnostic counters.
16: write several words.
Plus:
17: report slave ID.
Structure of frames exchanged
Modbus TCP and its corresponding standard Modbus frame:

Transaction Protocol Unit function
Length data zone
identifier identifier identifier code
2 bytes 2 bytes 2 bytes 1 byte 1 byte
Slave function data zone check zone

Corresponding standard Modbus frame :
number code CRC16
Transaction identifier: in the reply frame, the RTU sets the transaction
identifier to the same value as the one in the request frame.
Protocol identifier value is 0x0000.
Length: it is the length of all the following data of the frame (including
unit identifier and the function code)
Unit identifier is the modbus address field of main menu of the
communication module. Should be let to default value.
Except from the check zone that is suppressed in modbus TCP, the
following of the field Length is treated the same way as in standard
modbus.
In the following, the function codes will be described as used in standard
modbus. To use them in modbus TCP, one only need to add transaction
identifier, protocol identifier and length at the beginning of the frame and
to cut the CRC at the end of it.

Appendix
Report by exception TCP

In case of alarm, F200C can initiate a TCP connection to the SCADA if alarm
mode is enabled.
Two cases can occur:
1 - The control center system isn’t reachable:
F200C again tries to make connection with the SCADA after the ‘TCP/IP
connect. delay / second attempt’’ and eventually tries again after the ‘TCP/IP
connect. delay/ third attempt’’.
2 – Connection is successful:
The control center system sends a broadcast message (Slave address = 0)
with the function code = 17 (identification frame)
F200C answers this frame providing the control center with its own modbus
address and its slave ID.
The control center system can then initiate a standard Modbus Master/Slave
TCP communication.
41:12.42 identf < 00 00 00 00 00 02 00 11

41:12.42 IDENTF >> 00 00 00 00 00 06 FF 11 03 00 01 FF
41:13.81 write date < 00 01 00 00 00 0F FF 10 00 02 00 04 08
00 07 04 0B 08 29 38 44
41:14.00 WRITE DATE >> 00 01 00 00 00 06 FF 10 00 02 00 04
41:15.35 read event < 00 02 00 00 00 06 FF 03 00 0F 00 21
41:15.35 READ EVENT >> 00 02 00 00 00 45 FF 03 42 …
Report Slave ID:

function n°17
This function code is used in the case F200C doesn’t have a fix IP address on
the network. It makes it possible to identify the equipment calling.
F200C will always answer with Status to on (0xFF in last byte of frame)
Request
Transaction Protocol Length Unit 11h

identifier identifier identifier
2 bytes 2 bytes 2 bytes 1 byte 1 byte
Reply
Transaction Protocol Length Unit 11h 0x02 Slave Id OxFF
identifier identifier identifier (Byte (MSB+LSB) (Status à
count) ON)
2 bytes 2 bytes 2 bytes 1 byte 1 byte 1 byte 2 bytes 1 byte
Example
The request is addressed to all equipment connected (Unit identifier = 0x00)
which corresponds to the only F200C that has created TCP connection. The
F200C answers with Modbus address to 255 and slave ID to 1.
41:12.42 identf < 00 00 00 00 00 02 00 11

41:12.42 IDENTF >> 00 00 00 00 00 06 FF 11 03 00 01 FF
Appendix
Read N bits:
functions n°1 and
2
Function 1: read output bits.
Function 2: read input bits.
Request
Slave 1 or 2 address of 1st bit number of bits
number (MSB+LSB)
1 byte 1 byte 2 bytes 2 bytes
Reply
Slave 1 or 2 number of 1st byte read last byte
number bytes read read
1 byte 1 byte 1 byte 1 byte N bytes 1 byte
Example
Reading of 16 bits, bit address 300h of slave n°1
Request: 01 01 03 00 00 10 36 42
Reply:01 01 02 00 00 B9 FC
Read N words:
functions n°3 and
4
The number of words to be read should be less than or equal to 125.
Function 3: read output words.

Function 4: read input words.
Request
Slave 3 or 4 address of 1st word number of words
number (MSB+LSB) (MSB+LSB)
Reply
Slave 3 or 4 number of 1st word read last word
number bytes read (MSB+LSB) read
(MSB+LSB)
1 byte 1 byte 2 bytes 1 byte 1 byte
Example
Reading of words 40h to 43h of slave n°1,
Request: 01 03 00 40 00 04 45 DD
Reply:01 03 08 00 00 80 00 80 00 80 00 C2 17

Appendix
Write a bit:
function n°5
Request
Slave 5 address of bit bit value 0
number (MSB+LSB)
Reply
The reply is an echo of the request indicating that the slave has acknowledged
the value contained in the request.
Slave 5 address of bit bit value 0

number (MSB+LSB)
Example
Writing of bit to 1, bit address 301h of slave n°1,
Request: 01 05 03 01 FF 00 D6 7E
Reply:01 05 03 01 FF 00 D6 7E
Write a word:
function n°6
Request
Slave 6 address of word value of word
Reply
The reply is an echo of the request indicating that the slave has acknowledged
the value contained in the request.
Slave 6 address of word value of word

Example
Writing of word 30h of slave n°1, at the value 0001 h
Request: 01 06 00 30 00 01 48 05
Reply:01 06 00 30 00 01 48 05
Appendix
Read diagnostic
counters:
function n°8
Each slave is assigned diagnostic counters. There are 5 counters in all per slave.
The counters are 16-bit words. When they reach FFFFh, they go back to 0000h.
When a request is sent by the master, the most significant byte in the sub-
function code is assigned by the F200C equipment offset to access and the data
are at 0000h.
When the slave sends a reply, the data contain the value of the counter
concerned.
Request / reply
Slave 8 sub-function code data (MSB+LSB)
number (MSB+LSB)
sub-function data
code
the slave should send the echo of the request xx00 XXXX
resetting of diagnostic counters xx0A 0000
reading of total number:
of frames received with no CRC errors (CPT1) xx0B XXXX
of frames received with CRC errors (CPT2) xx0C XXXX
of the number of exception replies (CPT3) xx0D XXXX
of frames addressed to the station (CPT4) xx0E XXXX
(excluding broadcast)
of broadcast requests received and correctly executed xx0F XXXX
(CPT5)
Sub-function n°0 is used to test transmission. The slave sends back the echo of
the data received.
Examples
Resetting of counters for slave n°1,
Request: 01 08 00 0A 00 00 C0 09
Reply:01 08 00 0A 00 00 C0 09
Reading of broadcast requests received (CPT5) for slave n°1, offset 3

(300h in storage space)
Request: 01 08 03 0F 00 00 D0 4C
Reply:01 08 03 0F 00 05 10 4F

Appendix
Write N
consecutive
words:
function n°16
The number of words to be written is between 1 and 123 and the number of bytes
is between 2 and 246.
Words are written in increasing order of addresses.
Request
Slave 10h address of number of number of values of

number 1st word to words to bytes to write words to
write write write
1 byte 1 byte 2 bytes 2 bytes 1 byte N bytes
Reply
Slave 10h address of 1st word number of words written
number written (MSB+LSB) (MSB+LSB)
Example
Writing of words 0302h to 0305h of slave n°1, (addr esses 02h to 05h) with the
values 0060h, 0A10h, 0B33h, 1662h
Request: 01 10 03 02 00 04 08 00 60 0A 10 0B 33 16 62 96
B3
Reply: 01 10 03 02 00 04 60 4E
51:26.43 read state < 00 16 00 00 00 06 FF 04 00 01 00 01

51:26.43 READ STATE >> 00 16 00 00 00 05 FF 04 02 00 69
Schneider Electric SA Postal address As standards, specifications and designs change from time to time please ask for
F-38050 Grenoble Cedex 9 confirmation of the information given in this publication.
Tel.: +33 (0)4 76 57 60 60
Telex: merge 320842 F Published by: Schneider Electric SA
http:\\www.schneider- Printed by: Hewlett Packard
electric.com
Rcs nanterre B 954 503 439

Modbus TCP Communication User's Manual

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Modbus TCP Communication User's Manual

Uploaded by

Copyright:

Available Formats

Electrical network management

MV substation control unit

Merlin Gerin Easergy Range

2 NT00173-02-GB.doc Schneider Electric

The FLAIR 200C communication board allows the connection of MV/LV

F200 Modbus IP can be used as any MODBUS TCP slave in permanent

But an enhanced specification has been added to adapt MODBUS TCP to

Consequently, a non-permanent mode has been developed. In this

This mode has been implemented in the L500 system.

Moreover, a ping feature has been implemented in order to check the IP

Type of transmission modem : GPRS

4 NT00173-02-GB.doc Schneider Electric

Time between connection attempts:

Modbus TCP/IP parameters

Check with GPRS provider for open port

Heartbeat Timeout: IP address :

TCP/IP connect. delay:

• First attempt: adjustable from 0 to

• Second attempt: configurable from 0 to

6 NT00173-02-GB.doc Schneider Electric

If this option is activated, it is not necessary

For other parameters, please refer to

SIM card failure:

See description below

8 NT00173-02-GB.doc Schneider Electric

GPRS version only

The "ESCAPE" key is used to exit the

TCP Connection Management Policy

It can be used as a standard Modbus TCP slave: SCADA initiates the

F200C also initiates TCP connection on alarm if the SCADA system is

To read the SlaveId, use the identification frame describe in Appendix.

On change of IP, the equipment can initiate a connection if the

Upon receipt of a request not recognised by the equipment,

Some zones may only be accessed as a whole.

10 NT00173-02-GB.doc Schneider Electric

TSS: single-state remote indication (digital input encoded in 1 bit)

TM: remote metering (analog input encoded in 16 bits)

Bit 0 to 7 of status indicates the type Bit 15 of status indicates:

When the pile of event is full, the oldest

When all the pile of event is read, the bit

Binary date word address access mode authorized

0 month (1 to 12) 0 day (1 to 31)

0 hour 0 minute (0 to 59)

12 NT00173-02-GB.doc Schneider Electric

Test zone word address access mode authorized

This zone contains the time stamp

Event zone word address access mode authorized

Only the exchange word may be The exchange word comprises 2

Least significant byte = number of

Encoding of events Acknowledgment of events

14 NT00173-02-GB.doc Schneider Electric

TC / TSD / TSS zone

Each TCD word is encoded as follows:

TCD Single remote indications Word bit

TCD8 TCD7 TCD6 TCD5 TCD4 TCD3 TCD2 TCD1

TCD 4: Reset Fault passage

TSD8 TSD7 TSD6 TSD5 TSD4 TSD3 TSD2 TSD1

A TSD is encoded in 2 bits, F,O The assignment of the TSD is as

10 = closed. TSD2: Digital ouput 2

00 or 11 = undetermined. TSD3: Preset NRJ (always to 01)

Each TSS word is encoded as follows:

Single remote indications Word Single Word

16 NT00173-02-GB.doc Schneider Electric