Using the Modbus Protocol Library

STEP 7–Micro/WIN Instruction Libraries makes communicating to Modbus master devices easier by
including pre-configured subroutines and interrupt routines that are specifically designed for Modbus
communications. With the Modbus Slave Protocol Instructions, you can configure the S7-200 to act as a
Modbus RTU slave device and communicate to Modbus master devices.

You find these instructions in the Libraries folder of the STEP 7–Micro/WIN instruction tree. With these
new instructions you can make the S7-200 act as a Modbus slave. When you select a Modbus Slave
instruction, one or more associated subroutines are automatically added to your project.

In This Chapter
Requirements for Using the Modbus Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Initialization and Execution Time for the Modbus Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Modbus Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Using the Modbus Slave Protocol Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Instructions for the Modbus Slave Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

329
 S7-200 Programmable Controller System Manual

Requirements for Using the Modbus Protocol

The Modbus Slave Protocol instructions use the following resources from the S7-200:

- Initializing the Modbus Slave Protocol dedicates Port 0 for Modbus Slave Protocol communications.
When Port 0 is being used for Modbus Slave Protocol communications, it cannot be used for any
other purpose, including communications with STEP 7–Micro/WIN. The MBUS_INIT instruction
controls assignment of Port 0 to Modbus Slave Protocol or PPI.
- The Modbus Slave Protocol instructions affect all of the SM locations associated with Freeport
communications on Port 0.
- The Modbus Slave Protocol instructions use 3 subroutines and 2 interrupts.
- The Modbus Slave Protocol instructions require 1857 bytes of program space for the two Modbus
Slave instructions and the support routines.
- The variables for the Modbus Slave Protocol instructions require a 779-byte block of V memory. The
starting address for this block is assigned by the user and is reserved for Modbus variables.

Tip
To change the operation of Port 0 back to PPI so that you can communicate with STEP 7-Micro/WIN,
use another MBUS_INIT instruction to reassign Port 0.
You can also set the mode switch on the S7-200 to STOP mode. This resets the parameters for Port 0.

Initialization and Execution Time for the Modbus Protocol

Modbus communications utilize a CRC (cyclic redundancy check) to insure the integrity of the
communications messages. The Modbus Slave Protocol uses a table of precalculated values to decrease
the time required to process a message. The initialization of this CRC table requires about 425
milliseconds. This initialization is done inside the MBUS_INIT subroutine and is normally done in the first
scan of the user program after entering RUN mode. You are responsible for resetting the watchdog timer
and keeping the outputs enabled (if required for expansion modules) if the time required by the
MBUS_INIT subroutine and any other user initialization exceeds the 500 millisecond scan watchdog. The
output module watchdog timer is reset by writing to the outputs of the module. See the Watchdog Reset
Instruction in Chapter 6.

The scan time is extended when the MBUS_SLAVE subroutine services a request. Since most of the time
is spent calculating the Modbus CRC, the scan time is extended by about 650 microseconds for every
byte in the request and in the response. A maximum request/response (read or write of 120 words)
12 extends the scan time by approximately 165 milliseconds.

330
 Using the Modbus Protocol Library Chapter 12

Modbus Addressing
Modbus addresses are normally written as 5 or 6 character values containing the data type and the offset.
The first one or two characters determine the data type, and the last four characters select the proper
value within the data type. The Modbus master device then maps the addresses to the correct functions.
The following addresses are supported by the Modbus Slave instructions:
- 000001 to 000128 are discrete outputs mapped to Q0.0 - Q15.7
- 010001 to 010128 are discrete inputs Table 12-1 Mapping Modbus Address to the S7-200
mapped to I0.0 - I15.7
Modbus Address S7-200 Address
- 030001 to 030032 are analog input 000001 Q0.0
registers mapped to AIW0 to AIW62
000002 Q0.1
- 040001 to 04xxxx are holding registers
000003 Q0.2
mapped to V memory.
... ...
All Modbus addresses are one-based.
Table 12-1 shows the mapping of Modbus 000127 Q15.6
addresses to the S7-200 addresses. 000128 Q15.7

The Modbus Slave Protocol allows you to limit 010001 I0.0

the amount of inputs, outputs, analog inputs, 010002 I0.1
and holding registers (V memory) accessible to
010003 I0.2
a Modbus master.
... ...
The MaxIQ parameter of the MBUS_INIT
010127 I15.6
instruction specifies the maximum number of
discrete inputs or outputs (Is or Qs) the Modbus 010128 I15.7
master is allowed to access. 030001 AIW0
The MaxAI parameter of the MBUS_INIT 030002 AIW2
instruction specifies the maximum number of 030003 AIW4
input registers (AIWs) the Modbus master is
allowed to access. ... ...
030032 AIW62
The MaxHold parameter of the MBUS_INIT
instruction specifies the maximum number of 040001 HoldStart
holding registers (V memory words) the 040002 HoldStart+2
Modbus master is allowed to access.
040003 HoldStart+4
See the description of the MBUS_INIT ... ...
instruction for more information on setting up
the memory restrictions for the Modbus slave.
04xxxx HoldStart+2 x (xxxx–1) 12
Configuring the Symbol Table
After you enter an address for the first symbol, the table automatically calculates and assigns the
remainder of the symbols in the table.

You should assign a starting V location for the table which occupies 779 bytes. Be sure that the
assignment of the Modbus Slave symbols do not overlap with the V memory assigned to the Modbus
holding registers with the HoldStart and MaxHold parameters on the MBUS_INIT instruction. If there is any
overlap of the memory areas, the MBUS_INIT instruction returns an error.

331
 S7-200 Programmable Controller System Manual

Using the Modbus Slave Protocol Instructions

To use the Modbus Slave Protocol instructions in your S7-200 program, follow these steps:

1. Insert the MBUS_INIT instruction in your program and execute the MBUS_INIT instruction for one
scan only. You can use the MBUS_INIT instruction either to initiate or to change the Modbus
communications parameters.
When you insert the MBUS_INIT instruction, several hidden subroutines and interrupt routines are
automatically added to your program.
2. Assign a starting address for the 779 bytes of consecutive V memory required for Modbus Slave
Protocol instructions.
3. Place only one MBUS_SLAVE instruction in your program. This instruction is called every scan to
service any requests that have been received.
4. Connect the communications cable between Port 0 on the S7-200 and the Modbus master devices.

Caution
Interconnecting equipment with different reference potentials can cause unwanted currents to flow
through the interconnecting cable. These unwanted currents can cause communications errors or
damage equipment.
Ensure that all equipment that is connected with a communications cable either shares a common
circuit reference or is isolated to prevent unwanted current flows.

The accumulators (AC0, AC1, AC2, AC3) are utilized by the Modbus slave instructions and appear in the
Cross Reference listing. Prior to execution, the values in the accumulators of a Modbus Slave instruction
are saved and restored to the accumulators before the Modbus Slave instruction is complete, ensuring
that all user data in the accumulators is preserved while executing a Modbus Slave instruction.

The Modbus Slave Protocol instructions support the Modbus RTU protocol. These instructions utilize the
Freeport utilities of the S7-200 to support the most common Modbus functions. The following Modbus
functions are supported:

Table 12-2 Modbus Slave Protocol Functions Supported

Function Description
1 Read single/multiple coil (discrete output) status. Function 1 returns the on/off status of any number of
output points (Qs).

12 2 Read single/multiple contact (discrete input) status. Function 2 returns the on/off status of any number of
input points (Is).
3 Read single/multiple holding registers. Function 3 returns the contents of V memory. Holding registers are
word values under Modbus and allow you to read up to 120 words in one request.
4 Read single/multiple input registers. Function 4 returns Analog Input values.
5 Write single coil (discrete output). Function 5 sets a discrete output point to the specified value. The point
is not forced and the program can overwrite the value written by the Modbus request.
6 Write single holding register. Function 6 writes a single holding register value to the V memory of the
S7-200.
15 Write multiple coils (discrete outputs). Function 15 writes the multiple discrete output values to the Q image
register of the S7-200. The starting output point must begin on a byte boundary (for example, Q0.0 or
Q2.0) and the number of outputs written must be a multiple of eight. This is a restriction for the Modbus
Slave Protocol instructions. The points are not forced and the program can overwrite the values written by
the Modbus request.
16 Write multiple holding registers. Function 16 writes multiple holding registers to the V memory of the
S7-200. There can be up to 120 words written in one request.

332
 Using the Modbus Protocol Library Chapter 12

Instructions for the Modbus Slave Protocol

MBUS_INIT Instruction
The MBUS_INIT instruction is used to enable and initialize, or to
disable Modbus communications. Before the MBUS_SLAVE
instruction can be used, the MBUS_INIT instruction must be
executed without errors. The instruction completes and the Done
bit is set immediately, before continuing to the next instruction.
The instruction is executed on each scan when the EN input is on.
The MBUS_INIT instruction should be executed exactly once for
each change in communications state. Therefore, the EN input
should be pulsed on through an edge detection element, or
executed only on the first scan.
The value for the Mode input selects the communications protocol:
an input value of 1 assigns port 0 to Modbus protocol and enables
the protocol, and an input value of 0 assigns port 0 to PPI and
disables Modbus protocol.
The parameter Baud sets the baud rate at 1200, 2400, 4800, 9600,
19200, 38400, 57600, or 115200.
The parameter Addr sets the address at inclusive values between 1
and 247.

Table 12-3 Parameters for the MBUS_INIT Instruction

Inputs/Outputs Data Type Operands
Mode, Addr, Parity BYTE VB, IB, QB, MB, SB, SMB, LB, AC, Constant, *VD, *AC, *LD
Baud, HoldStart DWORD VD, ID, QD, MD, SD, SMD, LD, AC, Constant, *VD, *AC, *LD
Delay, MaxIQ, MaxAI, MaxHold WORD VW, IW, QW, MW, SW, SMW, LW, AC, Constant, *VD, *AC, *LD
Done BOOL I, Q, M, S, SM, T, C, V, L
Error BYTE VB, IB, QB, MB, SB, SMB, LB, AC, *VD, *AC, *LD

The parameter Parity is set to match the parity of the Modbus master. The accepted values are:

- 0-no parity 12
- 1-odd parity
- 2-even parity
The parameter Delay extends the standard Modbus end-of-message timeout condition by adding the
specified number of milliseconds to the standard Modbus message timeout. The typical value for this
parameter should be 0 when operating on a wired network. If you are using modems with error correction,
set the delay to a value of 50 to 100 milliseconds. If you are using spread spectrum radios, set the delay to
a value of 10 to 100 milliseconds. The Delay value can be 0 to 32767 milliseconds.

The parameter MaxIQ sets the number of I and Q points available to Modbus addresses 00xxxx and
01xxxx at values of 0 to 128. A value of 0 disables all reads and writes to the inputs and outputs. The
suggested value for MaxIQ is 128, which allows access to all I and Q points in the S7-200.

333
 S7-200 Programmable Controller System Manual

The parameter MaxAI sets the number of word input (AI) registers available to Modbus address 03xxx at
values of 0 to 32. A value of 0 disables reads of the analog inputs. The suggested value for MaxAI to allow
access to all of the S7-200 analog inputs, is as follows:

- 0 for CPU 221

- 16 for CPU 222
- 32 for CPU 224, 226, and 226XM
The parameter MaxHold sets the number of word holding registers in V memory available to Modbus
address 04xxx. For example, to allow the master to access 2000 bytes of V memory, set MaxHold to a
value of 1000 words (holding registers).

The parameter HoldStart is the address of the start of the holding registers in V memory. This value is
generally set to VB0, so the parameter HoldStart is set to &VB0 (address of VB0). Other V memory
addresses can be specified as the starting address for the holding registers to allow VB0 to be used
elsewhere in the project. The Modbus master has access to MaxHold number of words of V memory
starting at HoldStart.

When the MBUS_INIT instruction completes, the Done output is turned on. The Error output byte contains
the result of executing the instruction. Table 12-5 defines the error conditions that could result from
executing the instruction.

12

334
 Using the Modbus Protocol Library Chapter 12

MBUS_SLAVE Instruction
The MBUS_SLAVE instruction is used to service a request from the
Modbus master and must be executed every scan to allow it to
check for and respond to Modbus requests.
The instruction is executed on each scan when the EN input is on.
The MBUS_SLAVE instruction has no input parameters.
The Done output is on when the MBUS_SLAVE instruction
responds to a Modbus request. The Done output is turned off if
there was no request serviced.
The Error output contains the result of executing the instruction.
This output is only valid if Done is on. If Done is off, the error
parameter is not changed. Table 12-5 defines the error conditions
that could result from executing the instruction.

Table 12-4 Parameters for the MBUS_SLAVE Instruction

Parameter Data Type Operands
Done BOOL I, Q, M, S, SM, T, C, V, L
Error BYTE VB, IB, QB, MB, SB, SMB, LB, AC, *VD, *AC, *LD

Table 12-5 Modbus Slave Protocol Execution Error Codes

Error Codes Description
0 No Error
1 Memory range error
2 Illegal baud rate or parity
3 Illegal slave address
4 Illegal value for Modbus parameter
5 Holding registers overlap Modbus Slave symbols
6 Receive parity error
7 Receive CRC error
8 Illegal function request/function not supported 12
9 Illegal memory address in request
10 Slave function not enabled

335
 S7-200 Programmable Controller System Manual

Example of Programming the Modbus Slave Protocol

Network 1
//Initialize the Modbus Slave Protocol on the
//first scan. Set the slave address to 1, set
// port 0 to 9600 baud with even parity, all
//access to all I, Q and AI values, allow
//access to 1000 holding registers (2000
// bytes) starting at VB0.
LD SM0.1
CALL MBUS_INIT,1,1,9600,2,0,128,32,1000,
&VB0,M0.1,MB1
Network 2
//Execute the Modbus Slave Protocol on
//every scan.
LD SM0.0
CALL MBUS_SLAVE,M0.2,MB2

12

336