Professional Documents
Culture Documents
Modbus TCP Communication User's Manual
Modbus TCP Communication User's Manual
GENERAL 3
Functionality 3
Application 3
Advantages 3
Characteristics 3
COMMUNICATION MODULE 4
Main menu 4
GPRS parameters 5
Modbus TCP/IP parameters 6
Alarm parameters 7
Equipment state 8
MODBUS analyser 9
GENERAL 10
Identification / configuration zone 12
Time synchronization zone 12
Test zone 13
Event zone 13
TC / TSD / TSS zone 15
Telemetering zone 17
Diagnostic counter reading 21
MODBUS TCP protocol 22
Report by exception TCP 23
Report Slave ID: function n°17 23
Read N bits: functions n°1 and 2 24
Read N words: functions n°3 and 4 24
Write a bit: function n°5 25
Write a word: function n°6 25
Read diagnostic counters: function n°8 26
Write N consecutive words: function n°16 27
Functionality
Application
- GPRS access does not provide a static IP to the RTU in all cases. So
the SCADA can not establish the TCP connection.
- GPRS fees are based on amount of data exchanged so a permanent
polling is very expensive.
It means that the F200C and SCADA can both initiate the TCP
connection. When the polling is over, the connection is released.
For dynamic IP, each time F200C is changing its IP address, an alarm
can be activated. F200C is establishing a connection on this alarm to
provide its new IP address to the SCADA.
Advantages
Characteristics
type of transmission IP
protocol Modbus TCP(enhanced function
available)
speed 9600 bauds
Schneider Electric 3
Communication module
Main menu
Modbus Address:
The value is fixed to 255 as in MODBUS
╔═════════ MERLIN GERIN - Configuration and Diagnostic - ALT+F4=Exit ══════════╗
TCP specification ║ Easergy Flair 200C Modbus IP ║
║ PROM v1.00, PIC v2.08, Type: A ║
║ ║
GPRS parameters: ║ PARAMETERS SETUP ║
Displays the GPRS configuration screen. ║ Equipment name : Measurement and fault detection ║
║ Alarm parameters ║
║ MODBUS address : 255 Setup Time ║
Modbus TCP/IP parameters: ║ Energy Preset ║
║ ║
Displays the TCP/IP configuration screen. ║ Modem type : GPRS TCP/IP mode : Non Permanent ║
║ GPRS parameters Modbus TCP/IP parameters ║
║ ║
Alarm parameters: ║ ║
Displays the alarm configuration screen. ║ SAVE CONFIGURATION : ║
║ OK . ║
║ Cancel ║
Modbus Analyser: ║ ║
║ ║
Displays the trace of exchanges between ║ DIAGNOSIS ║
the equipment and the modem ║ Display events Erase events ║
Displays the trace of exchanges between ║ Display analog MODBUS analyser ║
║ Equipment states ║
the equipment and the control station ║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
GPRS parameters
PIN code: ╔═════════ MERLIN GERIN - Configuration and Diagnostic - ALT+F4=Exit ══════════╗
║ GPRS parameters ║
• Setting of the PIN into the SIM card (default ║ ║
║ SIM CARD PARAMETERS ║
value is 0000) ║ PIN code : 0000 ║
• In case a wrong PIN is entered, "SIM card ║ ║
║ GPRS COMMUNICATION PARAMETERS ║
failure" is underlined in the screen ║ APN Server (Max 30 Digits) : ║
"Equipment states" ║ APN Login (Max 30 Digits) : ║
║ APN Password (Max 30 Digits) : ║
║ ║
APN Server: ║ Time between connection attempt: 1mn ║
║ ║
• Enter the APN (Access Point Name) given ║ Specific Ping IP Address : 0.0.0.0 Test ║
by your GPRS network provider ║ Ping time : 1h ║
║ Ping delay(s) : 5 ║
APN Login and Password: ║ Ping number : 3 ║
║ ║
• Enter the login and the password provided ║
║
Daily disconnect : 0 h 0 min ║
║
with your GPRS account ║ ║
║ ║
Note: in most cases, login and password are not ║ ║
║ Escape=Exit ║
required for GPRS access. ╚══════════════════════════════════════════════════════════════════════════════╝
Ping delay:
• Enter the delay for waiting answer to ping
request
• We recommend 5 s for GPRS network if
more than one request is configured
otherwise 10 s
• A test can be done to check it
Ping number:
• Enter the number of ping request
• We recommend 3 attempt
Schneider Electric 5
Communication module
Alarm parameters
╔═════════ MERLIN GERIN - Configuration and Diagnostic - ALT+F4=Exit ══════════╗
This menu is used to set automatic calls to ║ Alarm Parameters ║
║ ║
the supervisor ║ ║
║ Alarm message enabled : yes ║
║ ║
Alarm message enabled: ║ Digital input 1 : yes Dial up test : no ║
Yes: If an alarmed change of state ║ Digital input 2 : no ║
║ Digital input 3 : yes Cyclic dial up : yes ║
occurs a TCP/IP connection is ║ Digital input 4 : yes Starting time(min): 30 ║
established to the SCADA ║ Digital input 5 : no (hour): 15 ║
║ Digital input 6 : yes Period(hours) : 1 ║
No: F200C does not initiate any TCP/IP ║ Flair 200C fault : no ║
connection. ║ ║
║ Alarm on AC supply off detection: no ║
║ Alarm on phase fault detection: no ║
║ Alarm on earth fault detection : no ║
║ ║
║ Alarm on F200C IP address change : yes ║
Alarm: on F200C IP address change: ║ ║
║ ║
When F200C IP address changes, ║ ║
F200C establishes a TCP/IP ║ ║
║ Escape=Exit ║
connection to the SCADA. ╚══════════════════════════════════════════════════════════════════════════════╝
This feature must be activated when:
F200C IP address is dynamic
With this feature, L500 is able to
refresh F200C IP address
Schneider Electric 7
Communication module
Equipment state
MODBUS analyser F200C provides a protocol analyser (with a Modbus frame specific decoder).
This feature is accessible from the MODBUS analyser menu on the PC
connected to the configuration plug. The exchange between the modem and
the CPU are also analysed for manufacturer diagnostic only.
Use: Display:
The "SPACE" key is used to stop scrolling, The first column gives the time of the message in minutes, seconds and
thereby facilitating analysis of the frames 100ths of seconds.
received.
The second column indicates the type of frame. Upper case characters are
The "C" key clears the screen. used for frames transmitted by the F200C. This is confirmed by the double
chevron '>>' in column 3. On the other hand, all the lower case characters
The "S" key activates the storage of the pertain to frames received by the remote control station (confirmed by a single
exchanges (only when the modbus analyser chevron '<' in column 3).
is opened).
The last column displays the frame in hexadecimal form. The "+" and ' * '
The ‘’F’’ key changes the filtering method. signs may precede the display of the frame:
Display all received frames The '+' sign indicates frames not intended for the equipment,
Display only frames addressed to this The ' * ' sign indicates an erroneous frame (incomplete frame, faulty
F200C. construction,...).
Schneider Electric 9
MODBUS data addresses and encoding
GENERAL
Modbus TCP
Standard Modbus TCP framing is used. See Annex for protocol
details.
RTU identification
To identify a RTU, a SCADA can use its IP address (if the network
provided fix IP address) or its Slave ID if the IP address is dynamic.
Reply messages
Upon receipt of a request recognised by the equipment (read or write),
transmission of the data corresponding to the MODBUS TCP
specifications.
Read zone
The number of words read may not exceed the size of the checked
zone.
Notes
Values followed by the letter "h" are in hexadecimal form (e.g. 0003h).
In the charts describing the data exchanged between the master and
the F200C, the hatched strips in the "authorised function" columns
indicate the zones that are accessible as a whole.
Terminology
TCD: remote control (digital output encoded in 2 bits)
Schneider Electric 11
MODBUS data addresses and encoding
Identification /
configuration
zone
word address access mode authorized
0000h to 0001h function
Software version 0000h read 3,4
Status 0001h read/write 3,4,6
This zone contains the internal date The zone may only be read or written
Time synchronization and time of the equipment for time- as a whole.
zone stamping of events.
0 Year (0 to 99)
b15 b8 b7 b0
millisecond (0 to 59999)
b15 b8 b7 b0
The test zone contains 9 words that The contents of the zone do not have
Test zone can be read or written. It is recorded in any effect on the FLAIR 200C
saved RAM and is available to users functions.
to facilitate final adjustment tests.
Schneider Electric 13
MODBUS data addresses and encoding
Each event is encoded with 4 words To inform the FLAIR 200C that it has
related to the event, followed by 4 correctly received the frame it has
words containing the event time- read, the master must :
stamping data:
write the number of the last
word 1: 0800h /2048 exchange it has received in the
"exchange number" byte
word 2: event bit address
reset the "number of events" byte of
001Fh /31: the exchange word to zero.
Event loss bit ( set only on
appearance)
After acknowledgment, the FLAIR
0310h to 031Fh: TSD 1 to 8
200C erases the events that have
0320h to 032Fh : code CR already been transmitted and replaces
them by new ones when applicable.
0330h to 034Fh : TSS 1 to 32
Remark: until the exchange word
word 3: 0 written by the master becomes "X,0"
(with X = number of the previous
word 4: exchange that the master wishes to
downward face = 0000h/0 acknowledge), the exchange word in
rising face = 0001h/1 the table remains at "X, number of
previous events".
words 5 to 8: time-stamping with
same format as date zone. If the number is equal to zero, the
master is not required to acknowledge
a message with no event.
Schneider Electric 15
MODBUS data addresses and encoding
Each TSD word is encoded as follows:
TSS16 TSS15 TSS14 TSS13 TSS12 TSS11 TSS10 TSS9 TSS8 TSS7 TSS6 TSS5 TSS4 TSS3 TSS2 TSS1
b15 b8 b7 b0
Telemetering zone
Schneider Electric 17
MODBUS data addresses and encoding
Alarm message set up: A bit is used to set up the alarm mechanism: if
the bit is written with "1" by the master MODBUS, The alarm mechanism is
set up. If the bit is written with "0" by the master MODBUS, no alarm neither
cyclic dialup will be do by the equipment
Each time when data is written in the this zone (76h-77h) automatic call is
Re-initialize
IP address
F200C IP address: IP address of the F200C (read only zone)
SCADA IP address: IP address of the SCADA
Possible values:
Each byte can be: 0 <byte < 255
68 / 0x44 byte 1
9 / 0x09 byte 2
251 / 0xFB byte 3
193 / 0xC1 byte 4
TCP port
Schneider Electric 19
MODBUS data addresses and encoding
Fault Detection parameters.
Configuration bits: bits used to configure Boolean parameters:
The most significant bit of the sub-function code should be assigned with
the sub-address of the F200C to be accessed.
sub-function code = 0B
CRC16
Reading: 01 08 00 0B 00 00 91 8D
Reply: 01 08 00 0B 00 04 90 4E
G200 address = 1
Function code = 8
Schneider Electric 21
Appendix
5: write a bit.
6: write a word.
Plus:
Transaction identifier: in the reply frame, the RTU sets the transaction
identifier to the same value as the one in the request frame.
Protocol identifier value is 0x0000.
Length: it is the length of all the following data of the frame (including
unit identifier and the function code)
Unit identifier is the modbus address field of main menu of the
communication module. Should be let to default value.
Except from the check zone that is suppressed in modbus TCP, the
following of the field Length is treated the same way as in standard
modbus.
In the following, the function codes will be described as used in standard
modbus. To use them in modbus TCP, one only need to add transaction
identifier, protocol identifier and length at the beginning of the frame and
to cut the CRC at the end of it.
F200C again tries to make connection with the SCADA after the ‘TCP/IP
connect. delay / second attempt’’ and eventually tries again after the ‘TCP/IP
connect. delay/ third attempt’’.
2 – Connection is successful:
The control center system sends a broadcast message (Slave address = 0)
with the function code = 17 (identification frame)
F200C answers this frame providing the control center with its own modbus
address and its slave ID.
The control center system can then initiate a standard Modbus Master/Slave
TCP communication.
This function code is used in the case F200C doesn’t have a fix IP address on
the network. It makes it possible to identify the equipment calling.
F200C will always answer with Status to on (0xFF in last byte of frame)
Request
Reply
Transaction Protocol Length Unit 11h 0x02 Slave Id OxFF
identifier identifier identifier (Byte (MSB+LSB) (Status à
count) ON)
2 bytes 2 bytes 2 bytes 1 byte 1 byte 1 byte 2 bytes 1 byte
Example
The request is addressed to all equipment connected (Unit identifier = 0x00)
which corresponds to the only F200C that has created TCP connection. The
F200C answers with Modbus address to 255 and slave ID to 1.
Schneider Electric 23
Appendix
Read N bits:
functions n°1 and
2
Function 1: read output bits.
Function 2: read input bits.
Request
Slave 1 or 2 address of 1st bit number of bits
number (MSB+LSB)
1 byte 1 byte 2 bytes 2 bytes
Reply
Slave 1 or 2 number of 1st byte read last byte
number bytes read read
1 byte 1 byte 1 byte 1 byte N bytes 1 byte
Example
Reading of 16 bits, bit address 300h of slave n°1
Request: 01 01 03 00 00 10 36 42
Reply:01 01 02 00 00 B9 FC
Read N words:
functions n°3 and
4
The number of words to be read should be less than or equal to 125.
Request
Slave 3 or 4 address of 1st word number of words
number (MSB+LSB) (MSB+LSB)
1 byte 1 byte 2 bytes 2 bytes
Reply
Slave 3 or 4 number of 1st word read last word
number bytes read (MSB+LSB) read
(MSB+LSB)
1 byte 1 byte 2 bytes 1 byte 1 byte
Example
Reading of words 40h to 43h of slave n°1,
Request: 01 03 00 40 00 04 45 DD
Reply:01 03 08 00 00 80 00 80 00 80 00 C2 17
Write a bit:
function n°5
Request
Slave 5 address of bit bit value 0
number (MSB+LSB)
1 byte 1 byte 2 bytes 1 byte 1 byte
Reply
The reply is an echo of the request indicating that the slave has acknowledged
the value contained in the request.
Example
Writing of bit to 1, bit address 301h of slave n°1,
Request: 01 05 03 01 FF 00 D6 7E
Reply:01 05 03 01 FF 00 D6 7E
Write a word:
function n°6
Request
Slave 6 address of word value of word
number (MSB+LSB) (MSB+LSB)
1 byte 1 byte 2 bytes 2 bytes
Reply
The reply is an echo of the request indicating that the slave has acknowledged
the value contained in the request.
Example
Writing of word 30h of slave n°1, at the value 0001 h
Request: 01 06 00 30 00 01 48 05
Reply:01 06 00 30 00 01 48 05
Schneider Electric 25
Appendix
Read diagnostic
counters:
function n°8
Each slave is assigned diagnostic counters. There are 5 counters in all per slave.
The counters are 16-bit words. When they reach FFFFh, they go back to 0000h.
When a request is sent by the master, the most significant byte in the sub-
function code is assigned by the F200C equipment offset to access and the data
are at 0000h.
When the slave sends a reply, the data contain the value of the counter
concerned.
Request / reply
Slave 8 sub-function code data (MSB+LSB)
number (MSB+LSB)
1 byte 1 byte 2 bytes 2 bytes
sub-function data
code
the slave should send the echo of the request xx00 XXXX
resetting of diagnostic counters xx0A 0000
reading of total number:
of frames received with no CRC errors (CPT1) xx0B XXXX
of frames received with CRC errors (CPT2) xx0C XXXX
of the number of exception replies (CPT3) xx0D XXXX
of frames addressed to the station (CPT4) xx0E XXXX
(excluding broadcast)
of broadcast requests received and correctly executed xx0F XXXX
(CPT5)
Sub-function n°0 is used to test transmission. The slave sends back the echo of
the data received.
Examples
Resetting of counters for slave n°1,
Request: 01 08 00 0A 00 00 C0 09
Reply:01 08 00 0A 00 00 C0 09
Write N
consecutive
words:
function n°16
The number of words to be written is between 1 and 123 and the number of bytes
is between 2 and 246.
Words are written in increasing order of addresses.
Request
Reply
Slave 10h address of 1st word number of words written
number written (MSB+LSB) (MSB+LSB)
1 byte 1 byte 2 bytes 2 bytes
Example
Writing of words 0302h to 0305h of slave n°1, (addr esses 02h to 05h) with the
values 0060h, 0A10h, 0B33h, 1662h
Request: 01 10 03 02 00 04 08 00 60 0A 10 0B 33 16 62 96
B3
Reply: 01 10 03 02 00 04 60 4E
Schneider Electric 27
Schneider Electric SA Postal address As standards, specifications and designs change from time to time please ask for
F-38050 Grenoble Cedex 9 confirmation of the information given in this publication.
Tel.: +33 (0)4 76 57 60 60
Telex: merge 320842 F Published by: Schneider Electric SA
http:\\www.schneider- Printed by: Hewlett Packard
electric.com