Instruction Manual Modbus Protocol: October 2013 Part No.: 4416.527 Rev. 4

Instruction manual
ModbusTM Protocol
October 2013
Part no.: 4416.527
Rev. 4
Honeywell Enraf
P.O. Box 812
2600 AV Delft
Netherlands
Tel.: +31 15 2701 100,

Fax: +31 15 2701 111
Email: hfs-tac-support@honeywell.com
Website: http://www.honeywellenraf.com
Instruction manual ModbusTM Protocol Page 1

Copyright 2005 - 2013 Enraf B.V. All rights reserved.
Reproduction in any form without the prior consent of Enraf B.V. is not allowed.
This instruction manual is for information only. The contents, descriptions and specifications are
subject to change without notice. Enraf B.V. accepts no responsibility for any errors that may appear
in this instruction manual.
The warranty terms and conditions for Enraf products applicable in the country of purchase are
available from your supplier. Please retain them with your proof of purchase.
Page 2 Instruction manual ModbusTM Protocol

Preface
Preface
This manual has been written for the technicians involved with the
communication with the Honeywell Enraf series 880 communication
interface units via ModbusTM.
For installation and commissioning of the CIU Prime/Plus, please refer

to the related installation guide and instruction manual Ensite Pro.
This manual describes the communication between a CIU Prime/Plus

and higher layered systems. The communication is based on emulation
of the ModbusTM protocol (Schneider Automation Modicon Modbus
Protocol Reference Guide, PI-MBUS-300, Rev. B).
Safety and prevention of damage

"Notes" have been used throughout this manual to bring special matters
to the immediate attention of the reader.
A Note points out a statement deserving more emphasis than the

general text.
Legal aspects The information in this instruction manual is copyright property of Enraf
B.V., Netherlands.
Enraf B.V. disclaims any responsibility for personal injury or damage to
equipment caused by:
 Deviation from any of the prescribed procedures;

 Execution of activities that are not prescribed;
Additional information
Please do not hesitate to contact Honeywell Enraf or its representative if
you require additional information.

Table of contents
Table of Contents
Preface .................................................................................................................................................. 3
Introduction ............................................................................................................................................ 6
Communication parameters ................................................................................................................... 7
Communication procedure ..................................................................................................................... 8
Memory structures ............................................................................................................................... 10

Coils ............................................................................................................................................. 10
Input status ................................................................................................................................... 11
Input registers............................................................................................................................... 11
Holding registers .......................................................................................................................... 11
Function codes..................................................................................................................................... 12
Function code 01: Read coil status .............................................................................................. 12
Function code 02: Read input status ............................................................................................ 12
Function code 03: Read holding registers .................................................................................... 13
Function code 04: Read input registers........................................................................................ 14
Function code 05: Force single coil.............................................................................................. 14
Function code 06: Preset single register ...................................................................................... 15
Function code 08: Diagnostics ..................................................................................................... 15
Function code 15: Force multiple coils ......................................................................................... 16
Function code 16: Preset multiple registers ................................................................................. 17
Modbus exception response ................................................................................................................ 18

Function code field ....................................................................................................................... 19
Data field ...................................................................................................................................... 19
Error code 01: illegal function....................................................................................................... 19
Error code 02: illegal data address .............................................................................................. 19
Error code 03: illegal data value ................................................................................................... 20
Error code 04: slave device failure .............................................................................................. 20
Error code 06: slave device busy................................................................................................. 20

Table of contents
Enraf implementation ........................................................................................................................... 21

1 bit Coil area (Read/Write) ......................................................................................................... 21
Tank (Gauge) command area ............................................................................................ 22
1 bit Discrete Input area (read only) ............................................................................................. 22
CIU status .......................................................................................................................... 23
Gauge status ..................................................................................................................... 23
Gauge level alarm status ................................................................................................... 24
External contact status....................................................................................................... 24
16 bit area .................................................................................................................................... 25
User tank data area ........................................................................................................... 26
User CIU data area ........................................................................................................... 26
Example Enraf implementation ............................................................................................................ 27
Appendix A: Related documents .......................................................................................................... 31

Introduction
Introduction
Modbus is the name given to a set of “rules” (procedures) to follow when
transferring data from one computer to another. Like two people
communicating with each other, they both must use the same language
and grammar to understand each other. Such a set of computer
communication rules is commonly called a “protocol”.
Modbus protocol defines the format of the data and the techniques used
to control the flow of data. Modbus communication can take place on
virtually any physical platform: RS-232, RS-485, modem-to-modem, etc.
Modbus protocol also specifies that the flow of data between two
devices uses a Master/Slave type arrangement. Multiple Modbus devices
may exist on the same common cable forming a Modbus network, but
only two devices will communicate at any one time, a master and a slave.
There can be between 2 and 248 devices on a Modbus network, one

master and up to 247 slaves. In Modbus communication you must always
have one master and at least one slave. The master always initiates a
communication exchange.
Each slave device on a Modbus network has its own unique address.
This address is sent by the master as part of every message. All slave
devices on the network see the message, but only the slave device with
the matching address will respond to the message.
A message sent to a slave from the master is called a query, the answer
sent back to the master is called a response. Query and response
messages are also called packets or frames.
There are actually different versions of Modbus: Standard Modbus,

Extended Modbus, Modbus Plus.
There may be more, but what is used by Enraf is Standard Modbus

(RTU mode), as defined in the Schneider Automation Modicon Modbus
Protocol Reference Guide, (PI-MBUS-300, Rev. B). This is by far the
most universal and most widely used version of the Modbus protocol.

Communication parameters
Communication parameters
Controllers can be set up to communicate on standard Modbus networks
using RTU (Remote Terminal Unit) transmission mode.
It defines the bit contents of message fields transmitted serially on those

networks. It determines how information will be packed into the message
fields and decoded.
The following communication parameters are supported:
Transmission mode RTU mode (RS-232/485 only asynchronous)
Baudrate 1200, 2400, 4800, 9600, 19200, 38400
Parity None, Odd, Even, Mark or Space
Start bit 1
Data bits 8
Stop bit(s) 1 (if parity = “odd” or “even”)

2 (if parity = “none”)
TX/RX mode Full duplex: RTS and DSR are set

Half duplex: Full support of RTS, CTS, DTR, DSR and DCD
Turn around delay Adjustable in msec.
Break detection When selected
Data flow type arrangement

Slave only

Communication procedure
A Modbus message is placed by the transmitting device into a frame that
has a known beginning and ending point. This allows receiving devices to
begin at the start of the message, read the address portion and
determine which device is addressed, and to know when the message is
completed. Partial messages can be detected and errors can be set as a
result.
RTU mode is a binary mode of data representation. Messages start with

a silent interval of at least 3.5 character times. This is most easily
implemented as a multiple of character times at the baud rate that is
being used on the network (shown as T1T2T3T4 in the figure below). The
first field then transmitted is the device address.
Networked devices monitor the network bus continuously, including during

the silent intervals. When the first byte (the address byte) is received,
each device decodes it to find out if it is the addressed device.
Following the last transmitted byte, a similar interval of at least 3.5

character times marks the end of the message. A new message can
begin after this interval.
The entire message frame must be transmitted as a continuous stream. If

a silent interval of more than 3.5 character times occurs before
completion of the frame, the receiving device flushes the incomplete
message and assumes that the next byte will be the address field for a
new message.
Similarly, if a new message begins earlier than 3.5 character times

following a previous message, the receiving device will consider it a
continuation of the previous message. This will set an error, as the value
in the final CRC field will not be valid for the combined messages.
A typical message frame is shown below:
CRC
start address function data end
check
T1T2T3T4 8 bits 8 bits n * 8 bits 2 * 8 bits T1T2T3T4
All Modbus memory addresses in this document are given with their
hexadecimal value.

start synchronisation 3.5 character time elapsed
address The address field of a message frame contains eight bits. The individual
slave devices are assigned addresses in the range of 01...F7 (address 00
is NOT allowed). A master addresses a slave by placing the slave
address in the address field of the message. When the slave sends its
response, it places its own address in this address field of the response
to let the master know which slave is responding.
function The function code field of a message frame contains eight bits. Valid
codes are in the range of 01...FF. When a message is sent from a
master to a slave device the function code field tells the slave what kind
of action to perform.
When the slave responds to the master, it uses the function code field to
indicate either a normal (error-free) response or that some kind of error
occurred. For a normal response, the slave simply echoes the original
function code. For an exception response, the slave returns a code that is
equivalent to the original function code with its most significant bit set to a
logic “1”.
data The data field is constructed using sets of two 8 bit bytes (16 bit
registers), in the range of 0000...FFFF. The data field of messages sent
from a master to slave devices contains additional information which the
slave must use to take the action defined by the function code.
If no error occurs, the data field of a response from a slave to a master

contains the data requested. If an error occurs, the field contains an
exception code that the master application can use to determine the next
action to be taken.
The data field can be non-existent (of zero length) in certain kinds of
messages. The function code alone specifies the action.
CRC check The CRC check field contains a 16-bit value implemented as two
eight-bit bytes. The error check value is the result of a CRC (Cyclical
Redundancy Check) calculation performed on the message contents. The
CRC field is appended to the message as the last field in the message.
end synchronisation 3.5 character time elapsed

Memory structures
Memory structures
Along with the slave address, the Modbus function code is another piece
of data that is in every query or response packet. This piece of data
specifies an action to be carried out by a Modbus slave device and the
memory range (coils, input registers, etc.) affected.
The following table defines the supported function codes:
Code Name Memory area Description Comments

01 Read coil status (0)0000...(0)FFFF 1 bit status information Read / write
02 Read input status (1)0000...(1)FFFF 1 bit status information Read only
03 Read holding registers (4)0000...(4)FFFF 16 bit value information Read / write
04 Read input registers (3)0000...(3)FFFF 16 bit value information Read only
05 Force single coil (0)0000...(0)FFFF 1 bit status information Read / write
06 Pre-set single register (4)0000...(4)FFFF 16 bit value information Read / write
08 Diagnostics - - -
15 Force multiple coils (0)0000...(0)FFFF 1 bit status information Read / write
16 Pre-set multiple registers (4)0000...(4)FFFF 16 bit value information Read / write
The standard address range runs from 0000...270F; Enraf extended this
range from 0000...FFFF for use within their systems.
In the table above, the number between brackets indicates an internal

Modbus address area. These area numbers are only used for clarification
by Modbus users.
In general there are four types of memory images that the Modbus host
can request:
 Coils
 Status inputs
 Input registers
 Holding registers
Coils
All coils are located in the memory range (0)0000...(0)FFFF. The value of
coils can be 1 = ON or 0 = OFF. Coils have read/write properties.
The address space of the coils and the discrete inputs are combined in
one 1 bit area occupying the addresses (0)0000...(0)7FFF. The data can
be read by using Modbus function code 01. Data for tank commands can
be written using the Modbus 05 and 15 commands.

Memory structures
Input status
Input statuses are located in the memory range (1)0000...(1)FFFF.
The value of input statuses can be 1 = ON or 0 = OFF. Input statuses are
considered to be discrete inputs. Input statuses are used to store tank
alarm conditions. Input statuses are read-only.
The address space of the coils and the discrete inputs are combined in
one 1 bit area occupying the addresses (1)0000...(1)7FFF. The data can
be read by using Modbus function code 02.
Input registers
Input registers are located in the memory range (3)0000...(3)FFFF.
Register values can range from 0000...FFFF since all registers are 16 bits
long. Input registers are used for analog inputs or to store values
collected from the field and calculated values (level, temperature, volume,
etc.). Input registers are read-only.
In the 16 bit registers space both the holding registers and the input
registers are combined in one address space occupying the standard
area from 0000...270F and the extended memory area from 2710
onwards. Data can be retrieved via Modbus function code 04.
Holding registers
Holding registers are located in the memory range (4)0000...(4)FFFF.
Register values can range from 0000...FFFF since all registers are 16 bits
long. Holding registers are used for analog outputs. Holding registers
have read/write properties.
registers are combined in one address space occupying the standard
area from 0000...270F and the extended memory area from 2710
onwards. Data can be retrieved via the Modbus function code 03. Via
Modbus commands 06 and 16 writing can be done to some registers.
Specifications for storing decimal (real, floating point, etc.) numbers and
negative numbers are not part of the original Modbus documentation,
although most vendors today have developed schemes for storing these
numbers. The Modbus specification also does not address a way to store
or send characters like “a”, “-” or “X”. For this reason, transfer of complete
tank names using Modbus is not possible unless the tank name is made up
of all numbers.

Function codes
Function codes
Function code 01: Read coil status
Reads the ON/OFF status of discrete outputs ((0)xxxx references, coils)
in the slave. Broadcast is not supported. The maximum number of coils
that can be requested in one request is 7D0 (2000DEC).
Query The query message specifies the starting coil and quantity of coils to be
read:
Slave Function 01 Starting Number of CRC check

address address points
8 bits 8 bits 16 bits 16 bits 16 bits
Response The coil status in the response message is packed as one coil per bit of
the data field. Status is indicated as: 1 = ON, 0 = OFF. All coils are
default OFF.
Slave Function 01 Byte count Data CRC check

address (N)
8 bits 8 bits 8 bits (N) * 8 bits 16 bits
Function code 02: Read input status

Reads the ON/OFF status of discrete inputs ((1)xxxx references) in the
slave. Broadcast is not supported. The maximum number of coils
requested in one request is 7D0 (2000DEC).
Query The query message specifies the starting input and quantity of inputs to
be read:

address address points

Function codes
Response The input status in the response message is packed as one input per bit
of the data field. Status is indicated as: 1 = ON, 0 = OFF. All status inputs
are default OFF.

address (N)
Function code 03: Read holding registers

Reads the binary contents of holding registers ((4)xxxx references) in the
slave. Broadcast is not supported. The maximum number of registers
requested in one message is 7D (125DEC).
Query The query message specifies the starting register and quantity of
registers to be read:

address address registers
Response The register data in the response message is packed as two bytes per
register, with the binary contents right-justified within each byte:

address (N)
The response is returned when the data is completely assembled. The

amount of bytes N is double the amount of requested registers, because
each register occupies 2 bytes.

Function codes
Function code 04: Read input registers

Reads the binary contents of input registers ((3)xxxx references) in the
slave. Broadcast is not supported. The maximum number of registers
requested in one message is 7D (125DEC).
Query The query message specifies the starting register and quantity of
registers to be read:

address address registers
Response The register data in the response message is packed as two bytes per
register, with the binary contents right-justified within each byte:

address (N)
The response is returned when the data is completely assembled. The

amount of bytes N is double the amount of requested registers, because
each register occupies 2 bytes.
Function code 05: Force single coil

Forces a single coil ((0)xxxx reference) to either ON or OFF.
When broadcast, the function forces the same coil reference in all
attached slaves.
Query The query message specifies the coil reference to be forced:
Slave Function 05 Coil Force data CRC check

address address

Function codes
Response The normal response is an echo of the query, returned after the coil state
has been forced:
Slave Function 05 Coil Force data CRC check

address address
Function code 06: Preset single register

Presets a value into a single holding register ((4)xxxx reference).
When broadcast, the function presets the same register reference in all
attached slaves.
Query The query message specifies the register reference to be preset:
Slave Function 06 Register Preset data CRC check

address address
Response The normal response is an echo of the query, returned after the register
contents have been preset:
Slave Function 06 Register Preset data CRC check

address address
Function code 08: Diagnostics

This function provides a series of tests for checking the communication
system between master and slave or for checking various internal error
conditions within the slave. Broadcast is not supported.
Query
Slave Function 08 Sub- Data CRC check
address function

Function codes
Response The normal response is an echo of the query:
Slave Function 08 Sub- Data CRC check

address function
Only loopback test sub-function (0) is supported. This function is

sometimes used to see if the addressee is awake.
Function code 15: Force multiple coils

Forces each coil ((0)xxxx reference) in a sequence of coils to either ON
or OFF. When broadcast, the function forces the same coil references in
all attached slaves. Any addresses that are not allowed to overwrite
generate an error code.
The maximum number of addresses that can be downloaded with one

command is 3C (60DEC). Byte Count means the number of bytes following
until the checksum (Number of registers * 2).
Query The query message specifies the coil references to be forced:
Slave Function 15 Coil Number of Byte count Force data CRC check
address (0FHEX) address coils
8 bits 8 bits 16 bits 16 bits 8 bits 16 bits 16 bits
Response The normal response returns the slave address, function code, starting
address, and quantity of coils forced:
Slave Function 15 Coil Number of CRC check

address (0FHEX) address coils

Function codes
Function code 16: Preset multiple registers

Presets values into a sequence of holding registers ((4)xxxx reference).
When broadcast, the function presets the same register references in all
attached slaves. Any addresses that are not allowed to overwrite
generate an error code.
The maximum number of addresses that can be downloaded with one

command is 3C (60DEC). Byte Count means the number of bytes following
until the checksum (Number of registers * 2).
Query The query message specifies the register reference to be preset:
Slave Function 16 Starting Number of Byte count Data CRC check

address (10HEX) address registers
8 bits 8 bits 16 bits 16 bits 8 bits 16 bits 16 bits
Response The normal response returns the slave address, function code, starting
address, and quantity of registers preset:

address (10HEX) address registers

Modbus exception response

Except for broadcast messages, when a master device sends a query to
a slave device it expects a normal response. One of four possible events
can occur from the master's query:
 If the slave device receives the query without a communication

error, and can handle the query normally, it returns a normal
response;
 If the slave device does not receive the query due to a communi-
cation error, no response is returned. The master program will
eventually process a time-out condition for the query;
 If the slave device receives the query, but detects a
communication error (parity or CRC), no response is returned.
The master program will eventually process a time-out condition
for the query;
 If the slave device receives the query without a communication
error, but cannot handle it (for example, if the request is to read a
non-existent coil or register), the slave will return an exception
response informing the master of the nature of the error.
The standard error response is as follows:
Slave Function Error code CRC check

address code
8 bits 8 bits 8 bits 16 bits
The exception response message has two fields that differentiate it from
a normal response:
 function code field

 data field

Function code field

In a normal response, the slave echoes the function code of the original
query in the function code field of the response. The master's application
program can recognise the exception response and can examine the data
field for the exception code.
The Function code returned in an error is the function code of the received
function with the high order bit of the function set to “1”.
Data field
In a normal response, the slave may return any information that was
requested in the query. In an exception response, the slave returns an
exception code in the data field. This code defines the slave's condition
that caused the exception.
Error code 01: illegal function

The function code received in the query is not an allowable action for the
slave. This error code is generated in the following case:
 when an illegal function code is requested
Error code 02: illegal data address

The data address received in the query is not an allowable address for
the slave. This error code is generated in one of the following cases:
 as reply on function code 01, 02 or 04: start register does not

correspond to any tank;
 as reply on function code 05: coil must correspond to a tank;
 a change in the field scan for a system without Hot-Standby.

Error code 03: illegal data value

A value contained in the query data field is not an allowable value for the
slave. This error code is generated in one of the following cases (as reply
on function codes 06 and 16):
 illegal tank commands (e.g. 'X');

 illegal downloads (e.g. TCF-value for product code A);
 unknown tank requested.
Error code 04: slave device failure

An unrecoverable error occurred while the slave was attempting to
perform the requested action. This error code is generated in one of the
following cases (as reply on function codes 06 and 16):
 block, test commands if no servo gauge;

 dipping commands if not allowed;
 illegal downloads because e.g. level is available from hardware;
 engineer command if destination station or port does not make
sense.
Error code 06: slave device busy

The slave is processing a long-duration program command. The master
should re-transmit the message later when the slave is free. This error
code is generated in one of the following cases:
 when the system is busy;

 when the system is not able to generate an answer;
 when the system is not able to reply with the correct data in the
required time-out period;
 when a request for a scan change in a Hot-Standby station is
still performed, and a new request is received.

Enraf implementation
All Modbus memory addresses in this chapter are in hexadecimal format.
All address references in the Modbus messages are numbered relative to

zero. E.g. the first holding register on a DCS would be register 40001 and
would be referenced as 0000. Similarly coil 00016 would be 000F
(0015DEC)
1 bit Coil area (Read/Write)

 The addresses are fixed per port
 The data can be read by using the Modbus function code 01
 Data for CIU- or gauge-commands can be written by using the
Modbus function code 05 and 15
A graphical overview of the 1 bit address coil area is as follows:
1 bit address Area name Detailed name Description
000A- 1 bit Tank (gauge) In this area a command to a Tank

address command (gauge) can be given
coil area area
Grey areas are read-only
Gauge commands via Coil commands are available in CIU Prime and
CIU Plus.
Firmware version must be 1.100 or higher.

Tank (Gauge) command area
Tank gauge commands can be given by setting coils (Modbus function

05). Commands are only accepted when the required command is
enabled for the addressed instrument. First coil address for Tank gauge
commands is address 000A (10DEC).
The sequence how the tanks are ordered in the Modbus memory map
defines the address sequence where the tank gauge command must be
given. In the table below a Relative address is given from which the actual
coil address can be calculated by using formula:
Actual Coil address = 10 + [(n - 1) * 7] + relative address.

in which n = tank_sequence_nr in Modbus memory map.
The setting of a coil is interpreted as a ‘push button’. Reading the status

of a coil will always result in “0”
Relative Read/ Function Description

Address Write
0 R/W Unlock Writing “1” will abort all active operational

commands.
1 R/W Test Writing “1” will result in repeatability test command.
2 R/W Locktest Writing “1” will result in Lock command
3 R/W Block Writing “1” will result in Block command
4 R/W Density dip Writing “1” will result in Density dip command
5 R/W Water dip Writing “1” will result in Water dip command
6 R/W Combined dip Writing “1” will result in Combined (water/density) dip
command
1 bit Discrete Input area (read only)

 The addresses are fixed per port
 The data can be read by using the Modbus function code 02

1 bit address Area name Detailed name Description
0000 - 0009 CIU status area In this area the status of the CIU is
represented
000A 1bit Gauge status In this area the status of the tank is
: discrete area represented
depending input
number of area Gauge level In this area the status of the gauge level
tanks in alarms area alarms is represented
modbus
memory External alarms In this area the status of the external
map area alarms is represented
Statuses via discrete inputs are available in CIU Prime and CIU Plus.
Firmware version must be 1.100 or higher.
CIU status
The CIU status can be read.
Address Read/ Function Description

Write
0000 R CIUHotStandbyMode “1” indicates CIU is passive member of Hot

Stand-by pair
0001 .. R future reserved for future

..0009
Gauge status
The Gauge status can be read. The total number of tanks and the
sequence how the tanks are ordered in the Modbus memory map defines
the address sequence where the status can be read. In the tables below a
relative address is given from which the actual coil address can be
calculated by using a formula. The discrete input address is calculated
with formula:
address = 10 + [(n - 1) * 2] + relative address.
in which n = tank_sequence_nr in modbus memory map.


Address Write
0 R Measuring level “1” indicates level gauge is measuring level
1 R Failure “1” indicates level gauge is in failure
Gauge level alarm status
The Gauge level alarm status can be read.

The total number of tanks and the sequence how the tanks are ordered in
the Modbus memory map defines the address sequence where the status
can be read. In the tables below a relative address is given from which
the actual coil address can be calculated by using a formula. The discrete
input address is calculated with formula:
address = 10 + (N * 2) + [(n - 1) * 3] + relative address.
in which N = total number of tanks in memory map.

n = tank_sequence_nr in modbus memory map.

Address Write
0 R Low alarm “1” indicates low level alarm is active
1 R High alarm “1” indicates high level alarm is active
2 R Alarm failure “1” indicates alarm status failure
External contact status

The External contact status can be read. The total number of tanks and
the sequence how the tanks are ordered in the Modbus memory map
defines the address sequence where the status can be read. In the tables
below a relative address is given from which the actual coil address can
be calculated by using a formula.
The discrete input address is calculated with formula:
address = 10 + (N * 5) + [(n - 1) * 4] + relative address.
in which N = total number of tanks in memory map.

n = tank_sequence_nr in modbus memory map.


Address Write
0 R External contact 1 “1” indicates ext. contact 1 of gauge is active
1 R External contact 2 “1” indicates ext. contact 2 of gauge is active
2 R External contact fail “1” indicates ext. contacts status failure
3 R External contact not “1” indicates ext. contacts not available in gauge.
available
16 bit area
registers are combined in one address space.
 The address occupation is on a “per port” basis, each port can

be configured inside the restrictions
 The data can be retrieved by using the Modbus commands 03
(holding registers) and 04 (input register)
 Data can be written to holding registers by using the Modbus
commands
 06 and 16. The same address as where the data is read must be
used.
A graphical overview of the 16 bit register area is as follows:
Register Area name Detailed name Description

address
0000.. User tank data In this area the user can request for
..1F3F user area tank data.
data
251C.. area User CIU data General data of CIU Prime/Plus
..2647 area
Direct overwrite of data on the Modbus register is available on the

CIU Plus only.
Firmware version of CIU Plus must be 1.100 or higher.

User tank data area
A selection can be made which data must be presented in the user defined
tankdata area. This because of the lot of information which can be retrieved.
See the related Instruction manual CIU Prime or CIU Plus for a list of
selectable data.
One tank data reply packet is selected which is used for all tanks available to
the Modbus host.
The sequence how the tanks are organized in the user defined Modbus map is
programmable.
There are two methods possible to organize the user defined Modbus memory
map:
1. Tank oriented.
Data in the Modbus memory map is grouped per tank.
Start address of memory map is programmable. Default start address is 0000.
The startaddress-interval between the tankrecords is programmable.
2. Data oriented.
Data in the Modbus memory map is grouped per selected entity.
Start address of memory map is programmable. Default start address is 0000.
User CIU data area

A number of CIU data registers are available to the user.
Register Read/ Entity Function CIU Description

Address Write Prime/Plus
2520 R/W 521 Years (yyyy) Prime/Plus CIU year (max 16383)
2521 R/W 522 Months (mm) Prime/Plus CIU month (max 12)
2522 R/W 523 Days (dd) Prime/Plus CIU day (max 31)
2523 R/W 524 Hours (hh) Prime/Plus CIU hour (max 23)
2524 R/W 525 Minutes (mm) Prime/Plus CIU minute (max 59)
2525 R/W 526 Seconds (ss) Prime/Plus CIU second (max 59)
2526 R/W 527 DayLightSaving Prime/Plus CIU DayLightSaving

(0 = off; 1 = on)
The above 7 registers (2520 (9504DEC) up to 2526 (9510DEC)) must be

written in one message using Modbus function code 16.

Example Enraf implementation

Database with total 3 tanks in Modbus memory area of Host Port CIU Plus for which Product level,
Product level status, Product temperature, Product temperature status must be retrieved.
Observed density including the related Observed temperature will be downloaded from the host.
Tank oriented Modbus map. Start address of memory map 16 bit area: 0000.
Tank record interval: 10
Modbus memory map 16 bit area:

Adress Data description Tank Scaling Offset Type
0000 40 Product level (mm) 1 1 0 16bit Unsigned Integer
0001 41 Product level status 1 Not a number
0002 44 Product Temperature (C) 1 10 1000 16bit Unsigned Integer
0003 45 Product Temperature status 1 Not a number
0004 50 Density Observed (kg/m3) 1 10 0 16bit Unsigned Integer
0005 118 Temperature Observed (C) 1 10 1000 16bit Unsigned Integer
0006 empty
0007 empty
0008 empty
0009 empty
000A 40 Product level (mm) 2 1 0 16bit Unsigned Integer
000B 41 Product level status 2 Not a number
000C 44 Product Temperature (C) 2 10 1000 16bit Unsigned Integer
000D 45 Product Temperature status 2 Not a number
000E 50 Density Observed (kg/m3) 2 10 0 16bit Unsigned Integer
000F 118 Temperature Observed 2 10 1000 16bit Unsigned Integer
0010 empty
0011 empty
0012 empty
0013 empty
0014 40 Product level (mm) 3 1 0 16bit Unsigned Integer
0015 41 Product level status 3 Not a number
0016 44 Product Temperature (C) 3 10 1000 16bit Unsigned Integer
0017 45 Product Temperature status 3 Not a number
0018 50 Density Observed (kg/m3) 3 10 0 16bit Unsigned Integer
0019 118 Temperature Observed (C) 3 10 1000 16bit Unsigned Integer
001A empty
001B empty

Adress Data description Tank Scaling Offset Type

001C empty
001D empty
Overwrite Observed density and Observed temperature (direct overwrite on CIU Plus only).
To overwrite the Observed density (800 kg/m3) including related observed temperature (15 C) for
tank 2, registers 000E and 000F must be overwritten by using function code 06 or function code 16.
The data will be used for internal calculations provided that it is not automatically measured.
Via function code 16:
29 10 00 0E 00 02 04 1F 40 04 7E +CRC
in which
29 RTU address (41DEC)
10 Function code (16 DEC)
00 0E Start address (15DEC)
00 02 Number of registers (2DEC)
04 Byte Count (4 DEC)
1F 40 Observed density [8000 DEC = (800 * 10) + 0]
04 7E Observed temperature [1150 DEC = (15 * 10) + 1000]
CRC
Download new Date and Time:

To download date and time: 14h 03m 23s, 24 September 1999 + DayLightSaving.
Via function code 16 (multiple registers) the download can be done:
29 10 25 20 00 07 0E 07 CF 00 09 00 18 00 0E 00 03 00 17 00 01 +CRC
in which
29 RTU address (41DEC)
10 Function code (16 DEC)
25 20 Start address (9504DEC)
00 07 Number of registers (7DEC)
0E Byte Count (14 DEC)
07 CF Year (1999 DEC)
00 09 Month (9 DEC)
00 18 Day (24 DEC)
00 0E Hour (14 DEC)
00 03 Minutes (3 DEC)
00 17 Seconds (23 DEC)
00 01 DayLightSaving on (1 DEC)
CRC

After downloading the Date&Time the received data will be used to set the internal CIU clock as
required.
The operation can be verified by reading the same registers and interpret the contents.
Coil addresses for Tank (Gauge) commands.

address Description Tankname
000A Unlock command 1
000B Test command 1
000C Lock-test command 1
000D Block command 1
000E Density dip command 1
000F Water dip command 1
0010 Combined dip command 1
0011 Unlock command 2
0012 Test command 2
0013 Lock-test command 2
0014 Block command 2
0015 Density dip command 2
0016 Water dip command 2
0017 Combined dip command 2
0018 Unlock command 3
0019 Test command 3
001A Lock-test command 3
001B Block command 3
001C Density dip command 3
001D Water dip command 3
001E Combined dip command 3
Discrete inputs (status)

CIU status
address Description
0000 CIU Hot Standby Mode

Appendix A
Gauge status
000A Gauge measuring level status 1
000B Gauge failure status 1
000C Gauge measuring level status 2
000D Gauge failure status 2
000E Gauge measuring level status 3
000F Gauge failure status 3
Gauge level alarm status

0010 Low alarm 1
0011 High alarm 1
0012 Alarm failure 1
0013 Low alarm 2
0014 High alarm 2
0016 Low alarm 3
0017 High alarm 3
External contact status

0019 External contact 1 1
001A External contact 2 1
001B External contact fail 1
001C External contact not available 1
001D External contact 1 2
001E External contact 2 2
001F External contact fail 2
0020 External contact not available 2
0023 External contact fail 3
0024 External contact not available 3

Appendix A
Appendix A: Related documents

Title Part no.
Schneider Automation Modicon Modbus Protocol Reference Guide, PI-MBUS-300, Rev. B
Installation guide 880 CIU Prime/Plus 4416.524
Instruction manual 880 CIU Prime 4416.525

Instruction manual 880 CIU Plus 4416.526
Instruction manual Ensite Pro Configuration Tool 4416.593

Honeywell Enraf
Delftechpark 39
2628 XJ Delft
Tel. : +31 15 2701 100

E-mail : hfs-tac-support@honeywell.com
Website : http://www.honeywellenraf.com
P.O. Box 812

2600 AV Delft
Netherlands
We at Honeywell Enraf are committed to excellence.
Your Honeywell Enraf distributor:
Information in this publication is subject to change without notice.

® Enraf is a registered trade mark. © Enraf B.V. Netherlands

Instruction Manual Modbus Protocol: October 2013 Part No.: 4416.527 Rev. 4

Uploaded by

Copyright:

Available Formats

Instruction Manual Modbus Protocol: October 2013 Part No.: 4416.527 Rev. 4

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Instruction Manual Modbus Protocol: October 2013 Part No.: 4416.527 Rev. 4

Uploaded by

Copyright:

Available Formats

Instruction manual

Tel.: +31 15 2701 100,

Instruction manual ModbusTM Protocol Page 1

Page 2 Instruction manual ModbusTM Protocol

For installation and commissioning of the CIU Prime/Plus, please refer

This manual describes the communication between a CIU Prime/Plus

Safety and prevention of damage

A Note points out a statement deserving more emphasis than the

 Deviation from any of the prescribed procedures;

Instruction manual ModbusTM Protocol Page 3

Communication parameters ................................................................................................................... 7

Communication procedure ..................................................................................................................... 8

Memory structures ............................................................................................................................... 10

Modbus exception response ................................................................................................................ 18

Page 4 Instruction manual ModbusTM Protocol

Enraf implementation ........................................................................................................................... 21

Example Enraf implementation ............................................................................................................ 27

Appendix A: Related documents .......................................................................................................... 31

Instruction manual ModbusTM Protocol Page 5

There can be between 2 and 248 devices on a Modbus network, one

There are actually different versions of Modbus: Standard Modbus,

There may be more, but what is used by Enraf is Standard Modbus

Page 6 Instruction manual ModbusTM Protocol

It defines the bit contents of message fields transmitted serially on those

The following communication parameters are supported:

Transmission mode RTU mode (RS-232/485 only asynchronous)

Baudrate 1200, 2400, 4800, 9600, 19200, 38400

Parity None, Odd, Even, Mark or Space

Stop bit(s) 1 (if parity = “odd” or “even”)

TX/RX mode Full duplex: RTS and DSR are set

Turn around delay Adjustable in msec.

Break detection When selected

Data flow type arrangement

Instruction manual ModbusTM Protocol Page 7

RTU mode is a binary mode of data representation. Messages start with

Networked devices monitor the network bus continuously, including during

Following the last transmitted byte, a similar interval of at least 3.5

The entire message frame must be transmitted as a continuous stream. If

Similarly, if a new message begins earlier than 3.5 character times

A typical message frame is shown below:

Page 8 Instruction manual ModbusTM Protocol

start synchronisation 3.5 character time elapsed

If no error occurs, the data field of a response from a slave to a master

end synchronisation 3.5 character time elapsed

Instruction manual ModbusTM Protocol Page 9

The following table defines the supported function codes:

Code Name Memory area Description Comments

In the table above, the number between brackets indicates an internal

Page 10 Instruction manual ModbusTM Protocol

Instruction manual ModbusTM Protocol Page 11

Slave Function 01 Starting Number of CRC check

8 bits 8 bits 16 bits 16 bits 16 bits

Slave Function 01 Byte count Data CRC check

8 bits 8 bits 8 bits (N) * 8 bits 16 bits

Function code 02: Read input status

Slave Function 02 Starting Number of CRC check

8 bits 8 bits 16 bits 16 bits 16 bits

Page 12 Instruction manual ModbusTM Protocol

Slave Function 02 Byte count Data CRC check