BASE DOCUMENTATION S600 MODBUS FUNCTIONALITY.

DOC
SYSTEM OVERVIEW

FLOW COMPUTER DIVISION

OUTGANG LANE, PICKERING,
NORTH YORKSHIRE
YO18 7JA

BASE DOCUMENTATION

MODBUS COMMUNICATIONS

Prepared by Geoff Lowther Title Application EngR Date 04 Jan 2002

Checked by Mike Rawlings Title S/W Engineer Date 04 Jan 2002

Authorised Title Date

Rev Date Sections Changed

0 05/09/00 First Issue
1 04-Jan-01 Updated
2
3
4

Proprietary Statement
This document, submitted in confidence contains proprietary information which shall not be reproduced or
transferred to others for the purpose of manufacture, tender or any other purpose without prior written
permission of Daniel Europe Limited.
Copyright (C) Daniel Europe 2002

Modbus Communications Revision 1 Page 1 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

TABLE OF CONTENTS

SECTION CONTENT PAGE

1. INTRODUCTION 3

2. PHYSICAL TRANSPORT OF DATA 3

2.1 TCP Socket 3
2.2 Modbus TCP 3
2.3 Serial 3
2.4 Serial Port types and capability 3

3. NETWORK INTERFACE 3

4. MODBUS 3
4.1 Configuration 3
4.2 Master 3
4.3 Slave 3

5. RTU/ASCII PROTOCOL 3

6. IMPLEMENTED MODBUS FUNCTIONS 3

7. MESSAGE LENGTH MODE 3

8. REGISTER FORMATS 3
8.1 Background 3
8.2 Addresses per Item 3

9. ENRON FUNCTIONS (US CONFIGS ONLY) 3

9.1 Enron Modbus map 3
9.2 Special Enron functions for events 3
9.3 Special Enron functions for Data Log Collection 3

10. S600 MODBUS CONFIGURATION FILES 3

10.1 Config File Title 3
10.2 Config File Master Section 3
10.3 Config File Slave N Section 3
10.4 Config File Data 3
10.5 Config File Data Coil 3
10.6 Config File Data Input 3
10.7 Config FIle Data Registers 3
10.8 Discrete Data Point Format 3
10.9 Numeric Data Point Format 3

Modbus Communications Revision 1 Page 2 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

1. INTRODUCTION

This document describes the Modbus communications protocol on the FloBoss S600
flow computer.

The flow computer has 10 user definable communication tasks.

Each of the links may be individually configured.

Modbus Communications Revision 1 Page 3 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

2. PHYSICAL TRANSPORT OF DATA

2.1 TCP Socket

TCP/IP stream socket support is provided for master and slave links.

If the unit is the slave on the link it creates a server socket and listens for clients to
connect. The TCP/IP address of the slave link is the TCP/IP address of the flow
computer.

If the unit is the master it acts as a client and attempts to connect to a remote server
machine. The TCP/IP address of the slave which the master must communicate with
is specified when the link is configured.

The S600 supports communication between networks using a gateway.

Other communication parameters are independent of the mode of data transfer.

ASCII and RTU are supported over stream sockets and the Modbus map is
independent of the transport mechanism.

2.2 Modbus TCP

This protocol is based on the Modicon Modbus/TCP Specification. The connection

mechanism is TCP/IP which secure data atransfer between any machines connected on
a network. The Modbus protocol is encapsulated into the TCP/IP frame.

The data transfer within the Modbus part of the protocol is standard Modbus. The
only significant difference is that the Modbus CRC is not use. Instead the CRC used
with the TCP/IP protocol is used.

2.3 Serial

In serial mode the links communicate over standard serial lines.

2.3.1 Baud rates

300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600

Note that 57600 is not available on all ports.

2.3.2 Data bits

7 (ASCII), 8 (RTU)

Note that 7 bit must be used for Modbus ASCII and 8 bit must be used for Modbus
RTU

2.3.3 Stop bits

1, 2

Modbus Communications Revision 1 Page 4 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

2.3.4 Parity

None, Even, Odd

2.4 Serial Port types and capability

2.4.1 Com. Port 1

Reserved for the front panel display and keypad.

2.4.2 Com. Port 2

Reserved for the Config 600 interface. Actually a Modbus slave link.

2.4.3 Com. Port 3, Port 4

RS 232, with RTS-CTS handshaking capability

2.4.4 Com. Port 5, Port 6, Port 7

RS485/RS422 capability. RTS line is controlled automatically by the P152’s UART

and rapid turnaround is possible on 485 links.

2.4.5 Com. Port 8

Reserved for I/O board communication.

Modbus Communications Revision 1 Page 5 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

3. NETWORK INTERFACE

The S600 includes a single 10Mbit/s Ethernet interface and the system provides a full
TCP/IP stack implementation on this interface.

Standard features supported.

• Telnet

• FTP

• Socket based Modbus communication

Modbus Communications Revision 1 Page 6 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

4. MODBUS

The standard interface to the S600 is Modbus. The protocol is based on

Gould/Modicon Modbus.

The Config 600 interface to the flow computer is via Modbus. In this case the link
uses the special function code 65, with specially defined (S600 specific) sub- functions
to provide file transfer, system edit commands and other specialised functionality.
The flow computer is the slave on this link.

4.1 Configuration

The system supports up to ten communication links. These links may all be
individually configured if required or may share common parameters or configuration.

Configuration is effectively split into two parts:

The link configuration; which port or socket to use, master or slave, RTU or Modbus.
This information is entered using Config 600 when the link is assigned. It may be
modified later if required.

The map configuration; assignment of database points and fields to Modbus coils,
inputs and registers. This is accomplished using a text file that is initially created
using the Config 600’s map builder utilities. The map may be subsequently edited as
required.

4.2 Master

In master mode, the unit communicates with up to 10 slaves on a single multi-drop

link. Several masters may be configured if required.

4.3 Slave

In slave mode the unit waits for polls from an external master. It responds to polls as
requested. Several slaves may be configured if required.

The slave address is configurable per link so a single flow computer may have several
slave addresses if required.

Modbus Communications Revision 1 Page 7 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

5. RTU/ASCII PROTOCOL

RTU Modbus and ACSII Modbus are fully supported. A single configuration switch
selects one or other. Other communication parameters are independent of the
ASCII/RTU switch.

In RTU mode, the link must be configured for 8 data bits. No message header or
trailers are included. The checksum is the 16-bit CRC specified in the Gould Modbus
specification.

In ASCII mode, the link should normally be configured for 7 data bits, however 8 is
also supported by the S600. The message starts with the ASCII Modbus start
character ‘:’. The checksum is the 8-bit LRC defined in the Gould Modbus
specification. The message is terminated with the ASCII Modbus trailer characters
CR then LF.

Important note:
The unit is not strictly RTU compliant. Small inter-character gaps on received
messages will not cause the unit to think that a new message has arrived.

Modbus Communications Revision 1 Page 8 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6. IMPLEMENTED MODBUS FUNCTIONS

6.1.1 FUNCTION 1 - READ OUTPUT STATUS 3

6.1.2 FUNCTION 2 - READ INPUT STATUS 3
6.1.3 FUNCTION 3 - READ OUTPUT REGISTERS 3
6.1.4 FUNCTION 4 - READ INPUT REGISTERS 3
6.1.5 FUNCTION 5 - WRITE SINGLE COIL 3
6.1.6 FUNCTION 6 - WRITE SINGLE REGISTER 3
6.1.7 FUNCTION 8 - LOOPBACK 3
6.1.8 FUNCTION 15 - WRITE MULTIPLE COILS 3
6.1.9 FUNCTION 16 - WRITE MULTIPLE REGISTERS 3
6.1.10 FUNCTION CODE 65 3
6.1.11 FUNCTION CODE 66 3
6.1.12 FUNCTION CODE 67 3
6.1.13 FUNCTION CODE 68 3

The message formats are detailed below. Note that these exclude the message header
(ASCII only), the CRC/LRC and the message trailer (ASCII only) as these are specific
to the data transfer mode.

Modbus Communications Revision 1 Page 9 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.1 Function 1 - Read Output Status

Function Code 01

Reads output coils (e.g. 00001 – 09999), up to 2040 coils can be read per poll in non-
extended mode.

Poll Format
Address 1 byte
Function 1 byte
Start Coil 2 bytes
Num Coils 2 bytes

Response Format
Address 1 byte
Function 1 byte
Byte count (see note) 1 or 2 bytes
Data byte 1 1 byte(coils 0..7)
Data byte 2 1 byte(coils 8..15)
..
Data byte N 1 byte(coils ….)
Note:
Byte count may be: 8 bit byte count
16 bit byte count

Modbus Communications Revision 1 Page 10 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.2 Function 2 - Read Input Status

Function Code 02

Reads input coils (e.g. 10001 – 19999), up to 2040 coils can be read per poll in non-
extended mode.

Poll Format
Address 1 byte
Function 1 byte
Start Input 2 bytes
Num Inputs 2 bytes

Response Format
Address 1 byte
Function 1 byte
Byte count (see note) 1 or 2 bytes
Data byte 1 1 byte(inputs 0..7)
Data byte 2 1 byte(inputs 8..15)
..
Data byte N 1 byte(inputs ….)

Note: Byte count may be:8 bit byte count

16 bit byte count

Modbus Communications Revision 1 Page 11 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.3 Function 3 - Read Output Registers

Poll Format
Address 1 byte
Function 1 byte
Start Item 2 bytes
Num Items 2 bytes

Response Format
Address 1 byte
Function 1 byte
Length (see note) 1 or 2 bytes
Data item 1 2, 4 or 8 bytes
Data item 2 2, 4 or 8 bytes
..
Data item N 2, 4 or 8 bytes

Note: Length may be:8 bit byte count

8 bit item count
16 bit byte count
16 bit item count

Modbus Communications Revision 1 Page 12 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.4 Function 4 - Read Input Registers

Function Code 04

Reads input registers (e.g. 30001 - 39999). Data can be configured at every address

Poll Format
Address 1 byte
Function 1 byte
Start Item 2 bytes
Num Items 2 bytes

Response Format
Address 1 byte
Function 1 byte
Length (see note) 1 or 2 bytes
Data item 1 2, 4 or 8 bytes
Data item 2 2, 4 or 8 bytes
..
Data item N 2, 4 or 8 bytes

Note: Length may be:8 bit byte count

8 bit item count
16 bit byte count
16 bit item count

Modbus Communications Revision 1 Page 13 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.5 Function 5 - Write Single Coil

Function Code 05

Writes a single coil, either on (1) or off (0). Any valid coil address can be written to
(e.g. 00001 - 09999)

Poll Format
Address 1 byte
Function 1 byte
Coil Number 2 bytes
Coil Value 2 bytes

Response Format
Address 1 byte
Function 1 byte
Coil Number 2 bytes
Coil Value 2 bytes

Modbus Communications Revision 1 Page 14 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.6 Function 6 - Write Single Register

Function Code 06 - Modicon

Writes a value to a single holding register in standard Modicon Modbus format. Any
valid holding register address can be written to (e.g. 40001 - 49999)

Poll Format
Address 1 byte
Function 1 byte
Item Number 2 bytes
Value 2 bytes

Response Format
Address 1 byte
Function 1 byte
Item Number 2 bytes
Value 2 bytes
Note: The write single register function is only applicable to simple 16-bit
registers. The float and double formats are not supported.

Modbus Communications Revision 1 Page 15 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.7 Function 8 - Loopback

Function Code 08

Performs a loopback test. There are no variable parameters available on this function
code, if successful a loopback test will return the poll received.

Poll Format
Address 1 byte
Function 1 byte
Value 1 2 bytes
Value 2 2 bytes

Response Format
Address 1 byte
Function 1 byte
Value 1 2 bytes
Value 2 2 bytes

Modbus Communications Revision 1 Page 16 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.8 Function 15 - Write Multiple Coils

Function Code 15

Writes multiple coils on (1) or off (0). Data should be entered as a string of up to 8
characters (1’s and 0’s), the RHS entry representing the LSB. Data can be written to
any valid coil address (e.g. 00001 - 09999)

Poll Format
Address 1 byte
Function 1 byte
Start Coil 2 bytes
Num Coils 2 bytes
Byte count (See note) 1 or 2 bytes
Data byte 1 1 byte(Coils 0..7)
Data byte 1 1 byte(Coils 8..15)
…
Data byte N 1 byte(Coils …)

Note: Byte count may be:8 bit byte count

16 bit byte count
Response Format
Address 1 byte
Function 1 byte
Coil Number 2 bytes
Coil Value 2 bytes

Modbus Communications Revision 1 Page 17 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.9 Function 16 - Write Multiple Registers

Poll Format
Address 1 byte
Function 1 byte
Start Item 2 bytes
Num Items 2 bytes
Byte count (See note) 1 or 2 bytes
Data item 1 2, 4 or 8 bytes
Data item 2 2, 4 or 8 bytes
..
Data item N 2, 4 or 8 bytes

Note: Byte count may be:8 bit byte count

16 bit byte count
Response Format
Address 1 byte
Function 1 byte
Item Number 2 bytes
Num Items 2 bytes

Modbus Communications Revision 1 Page 18 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

6.1.10 Function Code 65

Daniel user defined function code, used to read multiple holding registers in IEEE
single precision format. The valid address range is 0 - 65535, data can be configured at
every address.

NOTE:
The Config 600 interface to the flow computer is via Modbus. In this case the link
uses the special function code 65, with specially defined (S600 specific) sub- functions
to provide file transfer, system edit commands and other specialised functionality.
The flow computer is the slave on this link.

6.1.11 Function Code 66

Daniel user defined function code, used to write multiple holding registers in IEEE
single precision format. The valid address range is 0 - 65535, data can be configured at
every address.

6.1.12 Function Code 67

Daniel user defined function code, used to read multiple holding registers in IEEE
double precision format. The valid address range is 0 - 65535, data can be configured
at every address.

6.1.13 Function Code 68

Daniel user defined function code, used to write multiple holding registers in IEEE
double precision format. The valid address range is 0 - 65535, data can be configured
at every address.

Modbus Communications Revision 1 Page 19 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

7. MESSAGE LENGTH MODE

Using standard Modbus, all variable length messages include a 8-bit byte count field
which allows the receiver to determine the amount of data in the message.

In some applications, the use of this field is not the actual byte count but the number
of data items in the message. This variation only applies to register messages.

Daniel has added a further extension to this, primarily for communication with the
DMS supervisory; the field may be extended to a 16-bit value. This simply allows
more data to be transferred on the link. Note that this functionality is no longer
Modbus

The available message length modes are:

7.1.1 8-bit byte count

The message contains a single byte, which determines the number of data bytes in the
message.

7.1.2 8-bit item count

The message contains a single byte, which determines the number of data items in the
message.

7.1.3 16-bit byte count

The message contains a pair of bytes, which determines the number of data bytes in
the message.

7.1.4 16-bit item count

The message contains a pair of bytes, which determines the number of data items in
the message.

Modbus Communications Revision 1 Page 20 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

8. REGISTER FORMATS

8.1 Background

The Gould Modicon Modbus Protocol Reference Guide does not specify how numbers
greater than 16 bits (eg 32-bit integers and single and double precision real numbers)
should be transferred.

The Modbus protocol has 16-bit elements (called registers), and as such is only
suitable for transferring 16-bit integer data. Since no standard exists,

Daniels have developed the following formats suitable for transferring numerial data
to third parties, and offers these as a standard solution.

8.1.1 REGISTER - FLOAT 3

8.1.2 REGISTER - ROSEMOUNT 3
8.1.3 REGISTER - DOUBLE 3
8.1.4 REGISTER - PHILLIPS FLOAT 3
8.1.5 REGISTER - PHILLIPS DOUBLE 3
8.1.6 REGISTER - UINT 3
8.1.7 REGISTER – LONG 3
8.1.8 REGISTER - LONG_UINT 3
8.1.9 REGISTER - SCALED NNNN 3
8.1.10 REGISTER - MODICON 3

8.2 Addresses per Item

[ADDRESSES PER ITEM ssssssss]

8.2.1 Register - Float

[FORMAT FLOAT]

[FORMAT ENRON FLOAT]

Holding registers as IEEE format single precision floating point numbers, MSB first.
For each point required, one address is requested in the modbus message, 4 bytes are
returned, data is configurable at every address (e.g. 40001 - 49999)

8.2.2 Register - Rosemount

[FORMAT ROSEMOUNT]

Holding registers as IEEE format single precision floating point numbers, LSB first
(used on Rosemount DCS system). For each point required, two addresses are
requested in the modbus message, 4 bytes are returned, data is configurable at every
other address (e.g. 40001, 40003 ...... 49999)

Modbus Communications Revision 1 Page 21 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

8.2.3 Register - Double

[FORMAT DOUBLE]

Holding registers as IEEE format double precision floating point numbers. For each
point required, one address is requested in the modbus message 8 bytes are returned,
data is configurable at every address.(e.g. 40001 - 49999)

8.2.4 Register - Phillips Float

[FORMAT PHILLIPS FLOAT]

Holding registers as IEEE format single precision numbers, MSB first. For each point
required, two addresses are requested in the modbus message, 4 bytes are returned.
Data is configurable at alternate addresses. (e.g. 40001, 40003 ..... 49999)

8.2.5 Register - Phillips Double

[FORMAT PHILLIPS DOUBLE]

Holding registers as IEEE format double precision numbers, MSB first. For each point
required, four addresses are requested in the modbus message, 8 bytes are returned.
Data is configurable at every fourth addresses. (e.g. 40001, 40005 ..... 49997)

8.2.6 Register - INT

[FORMAT ENRON 16 BIT]

Holding registers as 16 bit SIGNED integers, range -32767 (Hex 8001) to 32767
(Hex 7FFF). Data can be configured at every address (e.g. 40001 - 49999)

8.2.7 Register – LONG_INT

[FORMAT ENRON 32 BIT]

Holding registers as SIGNED long integers. For each point required one is requested
and two registers (4 bytes) are returned in the modbus message. Data can be
configured at every address (e.g. 40001, 40002, …. 49999).

Modbus Communications Revision 1 Page 22 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

8.2.8 Register - SCALE 0 nnnn

[FORMAT SCALE 0 999]

[FORMAT SCALE 0 4096]
[FORMAT SCALE 0 9999]

Holding registers as integers, scaled between 0 and nnnn. In master mode the value
returned will be displayed in terms of the selected scaling. For example 500 would
represent 50% on 999 scaling or 5% on 9999 scaling. Data can be configured at every
address (e.g. 40001 - 49999)

Scaled 16 bit integer between 0....9999 (or any other integer combination) where each
real is scaled within this range based upon preconfigured zero and full scales.

i.e.

 (Actualvalue - Zero scale) x Range + 0.5 

Scaled Integer Value = Trunc  
 Full scale - Zero Scale 

e.g. A flowrate of 300 m3 /hr has a zero scale of 0m3 /hr and a full scale of 1000 m3 /hr

 (300 - 0) x 9999 + 0.5 

Scaled Integer = Trunc  
 1000 

Scaled Integer = Trunc [2999 . 7 + 0.5]

Scaled Integer = 3000

Thus the supervisory would send 3000 to represent the flowrate 300 m3 /hr if integer
range was 0…9999.

8.2.9 Register - Modicon

[FORMAT ENRON 16 BIT]

Integer holding registers (16 bits, valid data 0 - 65535) using Modicon Modbus
formatting. Any valid holding register can be written to (e.g. 40001 - 49999)

8.2.10 Register - LONG_UINT

Not Yet Supported

Holding registers as UNSIGNED LONG integers, negative numbers are not allowed.
Data can be configured at every address (e.g. 40001 - 49999)

Modbus Communications Revision 1 Page 23 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

9. ENRON FUNCTIONS (US CONFIGS ONLY)

The Enron Modbus protocol has been implemented as part of the Modbus slave
application. The design is based on:

Enron [Link] and Requirement for an Electronic Flow Measurement

Remote Terminal Unit (Enron spec)

Daniel EFM1000 v 1.00 Software Functional Specification (EFM spec)

9.1 Enron Modbus map

Detailed below are the data areas defined in the Enron Modbus specification. The
S600 Modbus map builder will generate a map, which corresponds to this format.
The settings may be changed when the map is generated or by editing the Modbus
configuration file but this is not recommended.

Coil data (accessed using Modbus function 1, 5 and 15)

9.1.1 AddressDescription

0032 Event log clear command.

1000 Boolean variables

Input data (accessed using Modbus function 2)

9.1.2 AddressDescription

1000 Boolean variables

Register data (accessed using Modbus function 3, 4 and 16)

9.1.3 AddressDescription

0032 Event/alarm log register (see following sections)

0701..0720 Report log configuration registers(see following sections)

0721..0740 Report log data registers (see following sections)

3000 Short integer variable

5000 Long integer variables(Not used on S600)

Modbus Communications Revision 1 Page 24 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

7000 Floating point variables

9.2 Special Enron functions for events

The Enron implementation provides a special set of registers and coils used to allow
transfer of alarm and event log data to a supervisory computer.

9.2.1 Clear/Acknowledge Modbus Event Log

The normal base address for this data is 32

A coil write with the data value set, to this address will clear the event log.

A coil write with the data value clear, to this address will acknowledge the event log.

9.2.2 Event Count register

The normal base address for this value is 7001. It will be returned as a floating point
value.

A register read from this address will return the number of events available for
collection.

9.2.3 Alarm Count Register

The normal base address for this value is 7002. It will be returned as a floating point
value.

A register read from this address will return the number of alarms available for
collection.

9.2.4 Read Modbus Alarm/event log functions

The normal base address for this value is 32. Data will be returned as a series of
registers as described below.

Poll Format

Address 1 to 2551 byte

Function 31 byte

Modbus Communications Revision 1 Page 25 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

Start Item 00322 bytes

Num Items ignored2 bytes

Response Format

Address as poll1 byte

Function 31 byte

Length <N * 20>1 byte

Alarm/event 1 See below20 bytes

Alarm/event 1 See below20 bytes

Alarm/event N See below20 bytes

N is up to 12, depending on the number of events available in the buffer

Each alarm or event will consist of:

BITMAP UNSIGNED SHORT 2 BYTES

Data point Id Unsigned short 2 bytes

Time stamp Float 4 bytes

Date stamp Float 4 bytes

Value 1 Float 4 bytes

Value 2 Float 4 bytes

20 bytes total

Bitmap

Bit 9 of this register determines whether the data is an alarm or an event.

Event/change type bitmap

Modbus Communications Revision 1 Page 26 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

Bit 0 - Fixed value Set when the keypad (override) value is

changed

Bit 1 - Zero scale Set when the low scale value of

an analog is changed

Bit 2 - Full scale Set when the full scale value of an analog
is changed

Bit 3 - Operator Entry Work Value Not used

Bit 4 - Boolean Fixed Bit Not used

Bit 5 - Fixed/Variable flag 1 if item is in keypad/override mode, 0 if

the item is in live mode.

Bit 6 - Table entry change Not used

Bit 7 - System command change Not used

Bit 8 - Spare

Bit 9 - Change/Alarm flag Set for event/change, clear for alarm

Bit 10 - Lolo Limit Set when the LL limit is changed

Bit 11 - Lo LimitSet when the L limit is changed

Bit 12 - Hi Limit Set when the H limit is changed

Bit 13 - Hihi Limit Set when the HH limit is changed

Bit 14 - Rate of change limit Set when the ROC limit is changed

Bit 15 - Spare

Alarm type bitmap

Bit 0...8 - Not used

Bit 9 - Change/Alarm flag Set for event/change, clear for alarm

Bit 10 - Lolo Limit Set when the LL alarm is set/clr

Bit 11 - Lo Limit Set when the L alarm is set/clr

Bit 12 - Hi Limit Set when the H alarm is set/clr

Bit 13 - Hihi Limit Set when the HH alarm is set/clr

Modbus Communications Revision 1 Page 27 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

Bit 14 - Rate of change limit Set when the ROC alarm is set/clr

Bit 15 - Set Reset Alarm 1 for alarm set, 0 for alarm clear

Data Point id

This is a unique id number which identifies the data point in the S600 database.

Time stamp

This floating point number represents the time associated with the alarm or event, the
value is:

(10000 * hh) + (100 * mm) + (ss)

Date stamp

This floating point number represents the date associated with the alarm or event, the
value is:

(10000 * yy) + (100 * mm) + (dd)

Value 1 and Value 2

For event/change messages these are old and new value (i.e. from/to). For alarm
messages, the current value is in item five and the alarm limit is in item six.

Both are floating point format.

9.3 Special Enron functions for Data Log Collection

Enron defines a pair of registers for reading a pair of reports logs from the flow
computer. The S600 supports this functionality with a number of enhancements:

• More than two logs are available

• The report format may be queried

The S600 support the following log periods:

Modbus Communications Revision 1 Page 28 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

INDEX REPORT PERIOD

1 Fixed hourly Hourly

2 Maint On demand

3 Batch On demand

4 Basetime 1 period 1 Configurable

5 Basetime 1 period 2 Configurable

6 Basetime 1 period 3 Configurable

7 Basetime 1 period 4 Configurable

8 Basetime 2 period 1 Configurable

9 Basetime 2 period 2 Configurable

10 Basetime 2 period 3 Configurable

11 Basetime 2 period 4 Configurable

12 Basetime 3 period 1 Configurable

13 Basetime 3 period 2 Configurable

14 Basetime 3 period 3 Configurable

15 Basetime 3 period 4 Configurable

16 Proof report On demand

Note that the configurable report periods may be selected from 1, 2, 3, 4, 6, 8 hourly,
daily, weekly or monthly.

Any combination of reports may be active in the S600 but even if gaps are present, the
indices remain the same.

The Enron specification states that all data will be presented in float format. The
S600 uses an improved method whereby there is a pair of polls for each log. One
(read configuration) returns the format of the data in the log, the other (read data)
return the data in the log, the items may be float or long int format.

9.3.1 Read Report log configuration

To read the report log configuration data is it necessary to poll for Modbus registers at
one of the addresses in the Modbus log configuration area of the map.

Modbus Communications Revision 1 Page 29 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

This data is normally placed at register address 701 to 720. Each address corresponds
to a particular report period. The response defines the format of the report.

Poll Format

Address 1 to 2551 byte

Function 31 byte

Start Item 0701..07202 bytes

Num Items 12 bytes

Response Format

Address as poll1 byte

Function 31 byte

Byte count <4 * N * 8>1 byte

Report interval minutes2 bytes

Number of points N2 bytes

Point 1 data See belowN * 8 bytes

Point 2 data See belowN * 8 bytes

Point N data See belowN * 8 bytes

Each data point consists of

Action Snapshot, Average

Or totalise2 bytes

Data point id S600 database

Point id2 bytes

Type 0 - long, 1 - float2 bytes

Unit Unit index2 bytes

Modbus Communications Revision 1 Page 30 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

9.3.2 Read report log data

To read the actual report log data it is necessary to poll for Modbus registers in at one
of the addresses which corresponds to a report log.

This data is normally placed at register address 721..740. Each address corresponds
to a particular report period. The response contains the data from the report.

Poll Format

Address 1...2551 byte

Function 31 byte

Start Item 0721...07402 bytes

Num Items Record number2 bytes

Record number defines which report to extract from the archive.

Response Format

Address as poll1 byte

Function 31 byte

Byte count <4 * N * 8>1 byte

Date 10000*m + 100*d + y4 bytesfloat

Time 10000*h + 100*m + s4 bytesfloat

Value1 First point4 bytesfloat/long

Value2 Second point4 bytesfloat/long

Value N Nth point4 bytesfloat/long

Summary of default report config and data Modbus addresses

Modbus Communications Revision 1 Page 31 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

Addr Function Addr Function

701 Fixed Hourly config 721 Fixed Hourly data

702 Maintenance config 722 Maintenance data

703 Batch config 723 Batch data

704 Base 1 period 1 config 724 Base 1 period 1

data

705 Base 1 period 2 config 725 Base 1 period 2

data

706 Base 1 period 3 config 726 Base 1 period 3

data

707 Base 1 period 4 config 727 Base 1 period 4

data

708 Base 2 period 1 config 728 Base 2 period 1

data

709 Base 2 period 2 config 729 Base 2 period 2

data

710 Base 2 period 3 config 730 Base 2 period 3

data

711 Base 2 period 4 config 731 Base 2 period 4

data

712 Base 3 period 1 config 732 Base 3 period 1

data

713 Base 3 period 2 config 733 Base 3 period 2

data

714 Base 3 period 3 config 734 Base 3 period 3

data

715 Base 3 period 4 config 735 Base 3 period 4

data

716 Proof config 736 Proof data

717 Spare 737 Spare

Modbus Communications Revision 1 Page 32 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

718 Spare 738 Spare

719 Spare 739 Spare

720 Spare 740 Spare

Modbus Communications Revision 1 Page 33 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

10. S600 MODBUS CONFIGURATION FILES

Whenever a Modbus communication task is started, it is passed the name of a

configuration file. This file defines the map to be used for the link. It effectively links
Modbus addresses to S600 database points

All configuration files are ASCII text files which may be created manually if required.
However, the Config 600 program includes Modbus configuration file generators for
most common applications. These builders should always be used. The generated files
may then be edited manually if required.

There are two basic file types, master and slave. Both share many common features,
the slave file being a subset of the master configuration file.

The # symbol is used to indicate a comment. When a line is read, any characters
following a # symbol are ignored.

The overall layout of the configuration files depend on whether the file is for master or
slave use:

Master Configuration File:

• Title

• Header Section

• Master Section

• Slave 1 Data

• Slave 2 Data

• …

• ..

• Slave N Data

Slave Configuration File

• Title

• Header Section

• Slave 1 Data

10.1 Config File Title

This is simply a comment at the start of the file describing its function and version
history etc. It is ignored by the S600.

Modbus Communications Revision 1 Page 34 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

10.1.1 Config File Header

This block is mandatory and is used by both master and slave links. Four
commands are supported: All commands are enclosed in square brackets.
[TX BUFF SIZE <NNNN>]

[RX BUFF SIZE <NNNN>]

These lines determine the size (in bytes) of the message transmit and receive
buffers. For normal Modbus operation they should both be set to 256 as this is
the maximum message size supported by Modbus. The valid range is 256-
65535.
[MSG LENGTH MODE <mode>]

This field determines how the message length part of the Modbus message is
handled. The basic Modbus specification defines this field as a single byte
which defines the number of bytes of data in the message. However many
implementations change this field to be an item count, i.e. the number of data
items in the message.

Additionally, in order to increase the amount of data which may be transferred,

the S600 support a 16-bit value for this field. Note however that this is not
compatible with standard Modbus. It is only used when communicating with
the DMS.
The available values for <mode> are:

• BYTE_8

• BYTE_16

• ITEM_8

• ITEM_16

Note that if either of the 16-bit formats are used, the messages may be longer
than 256 bytes and the tx and rx buffer sizes should be adjusted accordingly.
[CHECKSUM <status>]

This field is used to enable or disable checksum checking on received data. It

is intended for test purposes only.

The available values for <status> are

• TRUE

• FALSE

Example header section

Modbus Communications Revision 1 Page 35 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

[TX BUFF SIZE 256]

[RX BUFF SIZE 256]

[MSG LENGTH MODE BYTE_8]

[CHECKSUM TRUE]

10.2 Config File Master Section

This section is only required for the master task. It defines the master’s poll loop
settings, the list of slave machines with which the master will communicate and a
series of poll to perform. Six commands are supported. All commands are
enclosed in square brackets.
[POLL DELAY <NNN>]

This specifies the delay between polls. The value is in system ticks (a tick is
1/60 of a second)
[LOOP DELAY <NNN>]

This specifies the delay at the end of the poll loop. The value is in system ticks
(a tick is 1/60 of a second)
[RETRY LIMIT <NNN>]

This specifies the number of retries the master should perform for a single
message before classing it as failed.
[TIMEOUT <NNN>]

This specified the amount of time the master will wait for a response from the
slave. The value is in seconds
[SLAVES <A> <B> <C> <D>]

This command specifies a list of up to 10 slave addresses which the master

task will communicate with.
[SLAVE STATUS OBJ <kp int array number>]

This command is only used by the prover master link and specifies the
KPINT_ARRAY used to indicate the status of the link to each stream.

For each stream, the Modbus master task will update the KPINT_ARRAY
with:

Valve Description

0 Link OK

Modbus Communications Revision 1 Page 36 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

1 Link disabled

2 Telemetry failed

[MESSAGE ADDR:<addr> FUNC:<func> START:<start> NUM:<num>

TRIGGER:KPINT <n>]

The message command is used to define a single message which the master
will perform. Any number of messages may be included. The master task will
perform them in the order they appear in the file. The trigger field is optional.
If it not present, the poll will always be performed. If it is present it defines a
KPINT object in the database which is used to control the poll. If the object is
non zero, the poll will be performed. It will not be performed if the object is
zero. The object will be set back to zero at the and of the poll loop.

• <addr> is the Modbus slave address (0..255)

• <func> is the Modbus function code code for the message

• <start> is the data start address for the message

• <num> is the number of data items in the message

• <n> is the database index for the KPINT object used to control the poll

Example Master Section

# MASTER SECTION
[POLL DELAY 5]

[LOOP DELAY 5]

[RETRY LIMIT 3]

[TIMEOUT 5]
# LIST OF SLAVES

[SLAVES 1 ]

# SLAVE STATUS OBJECT

[SLAVE STATUS OBJ 22]

# NORMAL POLLS

[MESSAGE ADDR:1 FUNC:03 START:9000 NUM:9]

[MESSAGE ADDR:1 FUNC:03 START:9020 NUM:7]

[MESSAGE ADDR:1 FUNC:16 START:9009 NUM:2]

Modbus Communications Revision 1 Page 37 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

[MESSAGE ADDR:1 FUNC:16 START:9027 NUM:3]

# END OF MASTER SETTINGS

10.3 Config File Slave N Section

For each slave which the master talks to, a slave data block is required. The block
start with the command:
[SLAVE ADDRESS <N>]
<N> may be from 1..255, i.e. a valid Modbus slave address value.

Following on from this statement will be the data map for the slave.

10.4 Config File Data

This section applies to both master and slave links. It defines the relationship
between Modbus addresses and S600 database points.

For the slave there will be a single map section. For the master there will be up to
10 slave sections, preceeded by the [SLAVE ADDRESS N] command.

The map is sub-divided into coil, input and register sections each of which form
independent blocks of data. Within each of these blocks there may be any number
of further sub-blocks.

The major blocks in the map section are:

[SECTION COILS]

The start of the Modbus coil data

[SECTION INPUTS]
The start of the Modbus Input data

[SECTION REGISTERS]

The start of the Modbus Register data

10.5 Config File Data Coil

Within the coil section there may be any number of blocks of coil data. Each block
starts with the command:

[BASE ADDRESS <NNNN>]

This command determines the base address of the block of data.

Modbus Communications Revision 1 Page 38 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

<NNNN> must be in the range 0...65535.

The base address command will be followed by a list of data points each of which will
occupy successive coil addresses.

Each of these commands will be a discrete data base point identifier.

10.6 Config File Data Input

Within the input section there may be any number of blocks of coil data. Each block
starts with the command:

[BASE ADDRESS <NNNN>]

This command determines the base address of the block of data.

<NNNN> must be in the range 0..65535.

The base address command will be followed by a list of data points each of which will
occupy successive input addresses.

Each of these commands will be a discrete data base point identifier.

10.7 Config FIle Data Registers

Within the register section there may be any number of blocks of register data. The
way in which data is packed into registers is controlled by three commands:

[BASE ADDRESS <NNNN>]

This command determines the base address of the block of data. It will be followed by
a list of data points each of which will occupy successive registers.

<NNNN> must be in the range 0…65535.

[FORMAT <format>]
Each block of register data may represent numeric data in a different format.

Register addressing is probably the most confusing aspect of configuring a Modbus

link. The original Modbus specification defines a register as a 16-bit integer value and
strictly speaking this is the only register data format supported. However most users
map a value over several registers so that a single data item occupies 1, 2 or 4 registers
(2, 4 or 8 bytes). Using this mechanism, longer ints, floats or doubles may be packed
into the Modbus message.

Supported formats are:

• SCALE

Modbus Communications Revision 1 Page 39 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

• SCALE 0 999

• SCALE 0 4096

• SCALE 0 9999

• FLOAT

• DOUBLE

• ENRON 16 BIT

• ENRON 32 BIT

• ENRON FLOAT

• ROSEMOUNT

• PHILLIPS FLOAT

• PHILLIPS DOUBLE

[ADDRESSES PER ITEM <N>]

This command determines the number of Modbus addresses which each data item
corresponds to. For 16-bit (2 byte) data it is always 1.

For 32-bit (4 byte) and 64-bit (8 byte) data it controls the way Modbus register
addressing is performed. It is closely related to the FORMAT command (or more
accurately the number of bytes per data item) and the number of addresses field
contained in the poll.

If the data is 32 bit, the addresses per item must be set to 1 or 2. If it is set to 1, the
number of addresses contained in the poll is the number of data items (ie 32 bit
entities) rather than the number of modbus registers. If the number of addresses per
item is 2, the number of addresses contained in the poll is the number of modbus
registers

If the data is 64 bit, the addresses per item must be set to 1 or 4. If it is set to 1, the
number of addresses contained in the poll is the number of data items (ie 64 bit
entities) rather than the number of modbus registers. If the number of addresses per
item is 4, the number of addresses contained in the poll is the number of modbus
registers.

ADDRESSES PER ITEM may be set to -1 for some special data formats. This
informs the modbus message building code to ignore the number of registers
requested. It is typically used for ENRON report data where the number of registers is
used to define the report number, but the number of registers to be transmitted is
actually determined by the report layout.

Combinations of FORMAT and ADDRESSES PER ITEM should allow most

commonly used register formats to be supported.

Modbus Communications Revision 1 Page 40 of 41

BASE DOCUMENTATION S600 MODBUS [Link]
SYSTEM OVERVIEW

The addresses per item command will be followed by a list of data points each of
which will occup y successive register addresses.

Each of these commands will be a numeric data base point identifier.

10.8 Discrete Data Point Format

All of the data which makes up a block is defined using a series of consecutive lines in
the configuration file which refer to objects in the S600 database.

Each line represents a point in the database. Any number of lines may be added to a
block. Each will refer to successive coils or inputs.

The format of the line is:

<OBJECT_TYPE> <OBJECT_INDEX> <OBJECT_FIELD> < OBJECT_BITNO>

<OBJECT_TYPE> <OBJECT_INDEX> and <OBJECT_FIELD> define a unique

point in the database us ing the object naming format used by the reports, display and
communication configuration files.

<OBJECT_BITNO> is the bit within the specified database point which will be
mapped to the coil or input.

See the exa mple slave configuration file for many examples of the format used.

10.9 Numeric Data Point Format

All of the data which makes up a block is defined using a series of consecutive lines in
the configuration file whic h refer to objects in the S600 database.

Each line represents a point in the database. Any number of lines may be added to a
block. Each will refer to successive registers.

<OBJECT_TYPE> <OBJECT_INDEX> and <OBJECT_FIELD> define a unique

point in the database using the object naming format used by the reports, display and
communication configuration files.

See the example slave configuration file for many examples of the format used.

Modbus Communications Revision 1 Page 41 of 41