Hi Guys,

I am almost new in Modbus protocol. I have some questions about Function Codes used in Modbus.
We have Inputs & Outputs in Slave that should be read or written by master. but I have misunderstanding of what is Output and what is Input. Are they INPUTS and OUTPUTs of Slave device? If they are , what is meaning of WRITING OUTPUT (FC 5,6,15 & 16) ?
Do we have an example of such outputs in real world? I supposed that we WRITE INPUTS of SLAVE an READ OUTPUTS of SLAVEs. why we should WRITE OUTPUTS of SLAVE? Is not supposed that these outputs generated by SLAVE to read by MASTER?
I am really confused about this WRITE OUTPUT concept in Modbus and will thankful if someone help me about this issue.

Thanks

 

In Modbus, inputs and outputs are relative to the slave device, being the slave's input or the slave's output. Inputs can be discrete or analog. Outputs likewise, can be discrete or analog.

The reason to use Modbus to write a value to an output is to force that output to a given value. Coils are outputs in a PLC or a digital controller. Function Code 05, "write to a coil", writes a value to a single coil and forces that coil to that state. The coil might be an enable bit for some function. A Modbus master can then enable or disable that function with a discrete status bit.

Function Code 15, "write multiple coils", writes, in one transaction, a bit packed 16 bit word where each bit is a coil in a contiguous sequence of numbered coils and the function can write multiple 16 bit words in one transaction.

Function Code 06, "write a single register value", writes one 16 bit value to a Holding Register memory area that uses (4)xxxxx register addresses, assuming that register is read/write (Holding registers can be read/write or read-only). Modbus does not define what the value is or does, Modbus just transfers the data value, but typically FC06 is used to write an analog value, like a setpoint. An example might be to tell the VFD to go to 1060 Hz by writing the value 1060 to the appropriate holding register.

Function Code 16, "write multiple register values", writes one or more 16 bit values to sequentially addressed Holding Registers. That allows sending a number of analog values in one Modbus transaction.

It is typical that neither discrete inputs nor analog inputs can be overwritten by Modbus. Function Code 03, read Input Registers is, by definition, read only, because what would happen if a device's input is momentarily overwritten by a Modbus value? What happens next, does it revert to whatever the input state or value is? It makes little sense to write to an input.

Likewise Function Code 02 "reads discrete inputs", but there is no Modbus Function Code for "write discrete inputs"

 

Dear David,
Thank you so much for comprehensive and easy to understand explanation. I have been very confused about this FCs.
I have be attached visualization of your explanations, I would be thankful if you confirm that my understanding is correct ,based on what you have mentioned.

Appreciate it

 

That's a nice graphical representation of Modbus data transfer. I might steal it.

A couple points:

One minor point, for whatever reason, one usually sees the leading zero used with the low order Function Codes: FC01, FC03, FC04. Maybe because when they're listed numerically they appear 'in order', but that's the convention.

A couple corrections or suggestions below. It's your document so you can use whatever language you're comfortable with and ignore my comments as you see fit:

FC03 as found: Read up to 125 digital output of Slave
should read: Read up to 125 analog values from Slave analog inputs (read-only Input Registers)

FC04 as found: Read up to 125 digital input of Slave
should read: Read up to 125 analog values from Slave (Holding Registers) (analog, not "digital")

FC05 as found: force 1-bit of digital output of Slave, by changing output of PLC and send it output of Slave
suggested: force 1-bit of discrete value in Slave

FC 05 is used when the PLC master/client writes a binary 0 or 1 value to the slave and the slave executes whatever that change in status means as defined by the 'target' slave register. The slave might have I/O so the Modbus would change the slave's I/O state, but as often as not, the discrete value enables or disables or is used in logic internally, it's not a hard digital output. So I would call it a discrete value, not a digital output (which to me is hard I/O).

The way I read your statement 'as found' is that the PLC changes its I/O and then sends that discrete status to the Slave.

To be clear, the PLC client/master does not have to change any of its I/O to involve Modbus. The PLC might do so and Modbus might be used to inform the slave of that change, but the use of Modbus is not dependent on client/master I/O, in fact a lot of Modbus uses a client/master that has no hard I/O of its own (historian database).

FC15, as found: force multiple-bit of digital output of Slave, by changing output of PLC and send them output of Slave
suggested: force multiple-bit of digital values in Slave

Same reasons as with FC05. I read digital output as meaning hard I/O. "by changing output of PLC" infers that the PLC master/client changes its hard I/O state(s) in order to send Modbus data to the slave. It might, but it's not required. Modbus data can be entirely independent of resident I/O status, or it can reflect I/O status. It depends on what Modbus is being used for.

FC06, as found: force 1 analog values of input of Slave
Suggested: force 1 analog value of Slave

Reason: an FC06 "single register" write will not directly write over a device's analog input value (like a flow meter or pressure transmitter analog input). FC06 will write an analog value to a Holding register, which although that Modbus value is an 'input' to the Slave, it is not over-writing over a wired analog input value. There might logic to switch between a hard analog input and a Modbus value, but Modbus is never used to overwrite hard analog input values.

The Slave device is responsible for handling the Modbus value, but that's inherent in the what the Holding register id defined as, like the register for a speed setpoint on a VFD. Or an HMI writing a totalizer value to a stand-alone digital indicator.

FC16 as found: force multiple analog values of input of Slave
suggested : force multiple analog values of Slave

Same reason as FC06, analog inputs are not overwritten by Modbus. Analog are sent to Holding registers are used as needed, but analog inputs are always reported as analog inputs, not as Modbus data.

 

Dear David,
You are more than welcome to have it. I have just tried to visualize all the things that I have read to clarify more.
Sorry for maitakes and any ambiguous explanation, as English is not my first language.

Please correct me if I am wrong:
we have functions FC01,02,03,04 to READ memory of slave.

FC01 & FC03 : is to read OUTPUTs of SLAVE. (Memory area named Coil & Holding Register respectively).
for example :
A binary sensor when it is ON or OFF. These ON or OFF will be READ by FC01.
An analogue value such as temperature or pressure value will be READ by MASTER by FC03.

FC02 & FC04: These are to READ INPUTS of SLAVE. The main question is why we need to read INPUTs? We generally WRITE inputs. Is this only for to be aware of which value applied to INPUTs of SLAVE?
Lets consider an example, we have a temperature sensor, it sends TMEP Value to PLC(MASTER) and PLC decided to change the TEMP. How PLC can apply new value to MODBUS SLAVE device?
we are READING OUTPUTS by MASTER, but how MASTER change OUTPUTS(both digital & Analogue) after processing received values?

FC 05,06,15,16: are used to FORCE to change values of OUTPUTs(both Digital & Analogue) regardless of what are OUTPUTs of SLAVE.

Thanks

 

As found:
FC01 & FC03 : is to read OUTPUTs of SLAVE. (Memory area named Coil & Holding Register respectively).
for example :
A binary sensor when it is ON or OFF. These ON or OFF will be READ by FC01.
An analogue value such as temperature or pressure value will be READ by MASTER by FC03.

Should be:
FC02 & FC04 : is to read INPUTs of SLAVE. (Memory area named Discrete Inputs & Input Registers respectively).
for example :
A binary sensor when it is ON or OFF. These ON or OFF will be READ by FC02.
An analogue value such as temperature or pressure value will be READ by MASTER by FC04.
FC03 is a read function for Holding Registers, which are registers that are whatever the slave defines them as. Analog input values (hard I/O values) are very frequently put in Holding registers, but as designated as read-only values. Holding registers are usually analog values. Analog output values are in Holding registers. Results of calculations, like a totalizer, is a common holding register value. serial numbers and firmware revisions are values in Holding Registers. Holding registers can have any value represented by binary bits.

should be:
FC01: is to read OUTPUTs of SLAVE. (Memory area named Read Coils).
for example :
A PLC coil is ON or OFF. These ON or OFF states will be READ by FC01.

>The main question is why we need to read INPUTs? We generally WRITE inputs. Is this only for to be aware of which value applied to INPUTs of SLAVE?

No. No. No. Let's look at what "control" is, before grappling with Modbus reads.

Inputs are signals from field devices, either a discrete input (proximity switch) or an analog input (flow meter or temperature). Inputs to a controller are hard inputs, from hard I/O, things that are wired.

Logic in the controller determines what to do or what happens as a result of all the inputs.

The logic decisions made by the controller change the controller's OUTPUTs. The controller DOES NOT CHANGE its INPUTS, ever. The inputs are signals from the field.

The controller's outputs are either discrete outputs and/or analog outputs which are signals to final control elements, things like VFD's, valve actuators, SCRs, solenoid valves, motor contactors, whatever.

The final control elements put energy or mass into or take energy or mass out of the process which in turn changes the process variable that is the object the control process. The field sensors then report those changes back to the PLC as PLC inputs.

An input to a control system changes because the process is changing, not because controller changes the input value. The value or state of an input is NEVER changed by a communications protocol (Modbus) because if you can't trust the field sensor, why would you trust someone whispering in your ear that the temperature is really something other than what the sensor reports that it is? Modbus might report the value of a 2nd sensor that is compared to the first sensor, but values from the sensors that are inputs are what they are, they are never overwritten, they are always read-only.

The concept of overwriting an input state (discrete) or an input value (analog) makes no sense. That's what field sensors are for - for reporting what's going on in the process. The discrete state or the analog value is what it is; it is NEVER overwritten by a communications value.

Inputs can be read and their values shared with other devices, which makes a lot sense, because other devices or controllers might need to know what is going on and reporting that information in digital makes a lot of sense.

>we have a temperature sensor, it sends TMEP Value to PLC(MASTER) and PLC decided to change the TEMP. How PLC can apply new value to MODBUS SLAVE device?

When PLC decides to change the temperature, the PLC changes its OUTPUT which drives a final control element which changes the mass or energy involved which changes the temperature which is reported by a sensor that is an input to the PLC.

The PLC does NOT change the INPUT directly, unless it's a George Orwell 1984 model PLC with O'Brien logic where 2+2=5, or whatever O'Brien says the sum is.

Now to Modbus

Let's differentiate between a controller and Modbus

Modbus is not a controller. Modbus is communications protocol used to transfer binary bits which can be interpreted as numbers or value. So a Modbus master does not make decisions about inputs or outputs or logic. Modbus merely transfers binary bits from master to slave or slave to master. It is up to the application layer,in your case, a PLC, to do something with the bits that are values or numbers.

>we are READING OUTPUTS by MASTER, but how MASTER change OUTPUTS(both digital & Analogue) after processing received values?

You are confusing a Modbus "MASTER" functions with the PLC's logic functions, even though both functions reside in the physical PLC. The PLC can have Modbus master functions that allow it to read from or write to a Modbus slave. But that Modbus master is not responsible any logic decisions, the Modbus master is only responsible for getting data from a slave or sending data to the slave. The Modbus Master is not responsible for "changing an output".

The PLC can use data it receives from the slave via Modbus, just like it uses any of its hardwired I/O logic signals. Nowadays signal data is 'tagged'. Modbus data can be tagged and the tag used as needed just like any other tagged data from hard I/O.

>FC 05,06,15,16: are used to FORCE to change values of OUTPUTs(both Digital & Analogue) regardless of what are OUTPUTs of SLAVE.

Answer: maybe, sort of, it depends.

A 'coil' is frequently a hard discrete output, but the state of a coil can be used in logic, So the writing a discrete value to a 'coil' in the slave depends on how and where the coil is used in the logic.

Same with an 'analog' value. The written analog value might be the Specific Gravity of a liquid used by the slave to display level from a hydrostatic level transducer. The Specific Gravity value is not an Output in the slave; the slave uses the value in a calculation.

The certainty of a write function is that the value in the register in the slave is changed by the master's write transaction. How that slave register value is used by the slave is determined by the slave's logic, which might or might not be a direct physical output.

 

Dear David,

Thanks for your comprehensive explanations. very helpful. I have been tried to visualize what I have got from your explanations.
That would be great if you confirm the drawing and if I understnd them correctly.

The only vague part is what is INPUT. You mentioned INPUT is from FIELD DEVICEs to PLC/RTU or other MASTER devices.
for example measured TEMPERATURE by Thermometer is OUTPUT of field device(SALVE), but this signal is INPUT for PLC(MASTER). As we mentioned OUTPUT is defined referring SLAVE, in this case measured temperature will be OUTPUT of (SLAVE) or INPUT of (PLC/RTU/MASTR)?

OUTPUT that is used as OUTPUT of PLC/RTU..... is clear and meaningful. OUTPUTS are generated after logical operation in PLC/RTU and SEND Through MODBUS to MASTER (HMI,SCADA,....). if we need to change them ourselves we use WRITE functions.

 

1. measured TEMPERATURE by Thermometer is OUTPUT of field device(SALVE), but this signal is INPUT for PLC(MASTER).

Correct.
A temperature transmitter's input is an RTD or thermocouple sensor.
A temperature transmitter's output is a scaled 4-20mA signal proportional to temperature.
A PLC's 4-20mA analog input reads the analog output of the temperature transmitter
The PLC might be programmed to put the reported temperature value in its 3xxxxx Slave/Server Modbus Input Register, or 4xxxxx a Slave/Server Modbus Holding Register as a read-only value.

An RTU or HMI Modbus client/Master would read the 3xxxx value using Function Code 04
An RTU or HMI Modbus client/Master would read the 4xxxx value using Function Code 03
An RTU or HMI Modbus client/master that reads the temperature value via Modbus uses the temperature value as needed. I suppose that the temperature data is an input to the HMI or the RTU because it comes from elsewhere.

The input of a level switch is some sensor element (float). The output of the level switch is a binary voltage state.
A PLC's discrete input reads the state of the level switch.
The PLC might be programmed to put the reported level state in its 1xxxxx Slave/Server Modbus Discrete Input register.
A Modbus Master/client would read the the 1xxxxx value with Function Code 02

2. (PLC) OUTPUTS are generated after logical operation in PLC/RTU and SEND Through MODBUS to MASTER (HMI,SCADA,....).

Yes, PLC outputs are generated as result of logic operations. But Modbus does not 'send' data. The master/client requests data and the slave/server replies with the data. Or the master/client writes data to the slave/server and the slave/server executes the action and sends a reply message echoing the request.

 

Thanks David,
Master (PLC,RTU,....) can READ values by using 2 functions and this 2 functions can be used to READ the same value.
E.g.: TEMP is 27C.
Master( PLC,RTU...) can read this TEMP from 4xxx memory of SLAVE( TRANSMITTER) by using FC03.

 

Thanks David,
After all of your explanation and what I have read, I noticed that I am confusing INPUT and OUTPUT concept.
Is my understanding correct, as follows?
For example:

TEMP is 27C.

1. Master( PLC,RTU...) can read 27 from 4xxxx of SLAVE( TRANSMITTER) by using FC03.(27 is OUTPUT of SLAVE(TRANSMITTER)).
2. Master( HMI,SCADA...) can read 27 from 3xxxx of SLAVE( PLC/RTU) by using FC04.( 27 is INPUT of MASTER(PLC/RTU)).
3. We cannot use FC01 and FC02 as we do not have any DIGITAL data sent from SLAVE.
4. 27 is INPUT(of PLC/RTU) & OUTPUT (of TRANSMITTER) and its value in both 3xxx and 4xxxx is identical. The difference is only which FC (04 or 03) will be used to read ANALOG VALUE.
5. TRANSMITTER is SLAVE for PLC/RTU (MASTER).
6. PLC is SLAVE is for HMI (MASTER).

Level switch is On/Off:

1. Master( PLC,RTU...) can read On/Off from address 1xxxx of SLAVE( TRANSMITTER) by using FC02.( On/Off is OUTPUT of SLAVE(TRANSMITTER)).
2. Master( HMI,SCADA...) can read On/Off from address 2xxxx of MASTER( PLC/RTU) by using FC01.( On/Off is INPUT of SLAVE(PLC/RTU)).

• We cannot use FC03 and FC04 as we do not have any ANALOG data sent from SLAVE.
• ON/Off is INPUT(TO PLC/RTU) & OUTPUT (FROM TRANSMITTER) and its value in both 0xxx and 1xxxx is identical. The difference is only which FC (01 or 02) will be used to read DIGITAL VALUE.
• Level-Switch is SLAVE for PLC/RTU (MASTER).
• PLC is SLAVE is for HMI (MASTER).

After data received by PLC/RTU and doing LOGICAL Operation, PLC/RTU will change process in a way that OUTPUT(SLAVE)/INPUT(MASTER) be equal with DESIRED VALUE.

Thanks