Modbus
Modbus is a simple master-slave communications protocol originally developed by Modicon in 1979. Its longevity is remarkable. Modbus RTU, over RS-485 serial and Modbus TCP, over Ethernet are still ubiquitous in industrial automation as the lingua franca for connecting third-party devices, packaged skids, and legacy equipment to modern control systems.
Read one of your own drawings.
Drop a P&ID, instrument index, or schedule. Tagsight reads it to the tag and opens a workspace you keep when you sign in.
PDF · DWG · DXF · TIFF · PNG · XLSX
Modbus was published by Modicon in 1979 to allow its PLCs to communicate with operator terminals. There was no standards body, no license, and no patent. The spec was a simple document that anyone could implement. That openness made it the protocol every microcontroller-based device maker reached for when they needed to expose data to an external host. By the time industrial Ethernet arrived in the 1990s, Modbus had accumulated an installed base of hundreds of millions of devices worldwide. Modbus TCP, 1999 moved the same register model to Ethernet, removing the RS-485 distance and node-count limits. Modbus now runs on serial, Ethernet, radio, cellular, and fiber. Any combination of physical layer and Modbus framing works as long as master and slave agree on the register map. The data model is extremely simple. Registers, 16-bit unsigned integers, addressed 0-65535, input registers, read-only analogs, coils, single-bit outputs, and discrete inputs, single-bit read-only status. That simplicity is the protocol's enduring strength. Every device that supports Modbus describes its data in the same few register types. The weakness is that simplicity. No data types beyond 16-bit integer, floating-point requires two registers with an agreed byte order, no device description, no diagnostic layer, no security, and no timestamping. Modern protocols like MQTT Sparkplug B or OPC UA address these gaps. They run alongside Modbus rather than replacing it in the installed base.
Why Modbus refuses to die.
It is open, royalty-free, trivial to implement, and supported by every PLC, DCS, RTU, and packaged-skid controller on the market. When a chiller manufacturer ships a skid with its own controller and the customer asks 'how do we read the alarm summary,' the answer is almost always Modbus. The protocol is unsophisticated, no security, no native diagnostics, no device discovery but the simplicity is the feature. It interoperates.
Modbus RTU vs Modbus TCP.
Modbus RTU runs on RS-485 serial at typical baud rates of 9600-115200, up to 32 nodes per segment, with a master polling slaves in turn. Modbus TCP runs the same register-and-coil model over standard Ethernet without the master-slave timing constraints, supporting many simultaneous client connections. Modbus over TCP is the modern default for new packaged equipment. Modbus RTU survives in retrofit and very-low-cost-device scenarios.
Modbus function codes and data types.
Modbus requests and responses are structured around function codes. FC 01 reads coils, single-bit outputs. FC 02 reads discrete inputs, single-bit read-only. FC 03 reads holding registers, 16-bit read-write. FC 04 reads input registers, 16-bit read-only. FC 05 and 06 write single coil and register. FC 15 and 16 write multiple coils and registers. Floating-point values require two consecutive holding registers, FC 03 with a byte-order convention, big-endian or little-endian agreed between master and slave. The skid vendor's Modbus register map document specifies the register addresses, data types, scaling factors, and byte order for every variable. Without it the master cannot interpret the raw register values correctly.
Modbus in the I/O list and controls architecture.
Instruments connected via Modbus, package-skid controllers, compressor units, analyser shelves, variable-frequency drives, power meters typically appear in the I/O list as a block rather than as individual AI, AO, DI, DO rows. The block entry references the Modbus register map document and specifies the physical connection, serial COM port or Ethernet IP address and port. Some projects expand the block into individual rows, one per register, to give the commissioning team a loop-by-loop sign-off format. Either approach is acceptable. The important thing is that the I/O list is the complete record of what the control system reads and from where, including Modbus sources alongside hardwired signals.
What goes wrong with Modbus integrations.
The register map is the only documentation between master and slave. If the skid vendor provides the wrong revision, the master reads wrong values. Byte-order confusion, big-endian vs little-endian float packing produces plausible but wrong engineering values that pass a superficial check. Modbus RTU bus collisions cause CRC errors that most masters silently retry without raising an alarm to the operator. Modbus TCP connections dropped by a network switch go undetected if the master has no connection-health check configured. All of these produce intermittent bad data rather than a clean instrument fault, making them harder to diagnose than a simple 4-20 mA open circuit.
Frequently asked.
Is Modbus secure.
No. Modbus has no authentication, no encryption, and no integrity protection at the protocol level. Modbus over TCP exposed to a network is a security gap. Hardening relies on network segmentation, firewalls, VLANs, OT DMZs rather than protocol-level controls. Modbus Secure, the evolving secure variant is gaining traction but penetration is low.
What's the difference between Modbus and Modbus Plus.
Modbus Plus is a separate proprietary token-passing network from Modicon, distinct from Modbus RTU, TCP. It survives in legacy Modicon installations but is not a current product. When people say Modbus today, they mean RTU or TCP.
How does a package-skid vendor typically hand Modbus data to the main PLC.
The skid controller acts as a Modbus slave, server. The main PLC acts as master, client. The skid vendor supplies a Modbus register map listing every analog input, setpoint, status bit, and alarm at its register address. The main PLC polls the map on a configurable scan rate, typically one to five seconds, and maps the registers into its own tag database for HMI display and interlock logic.
How does Modbus differ from OPC UA.
Modbus exposes raw registers. The meaning of each register is documented only in the vendor's register map, outside the protocol. OPC UA exposes a self-describing namespace where every node has a name, data type, engineering unit, and description that a generic client can read. Modbus is point-to-point polling. OPC UA is subscription-based with configurable deadband. Modbus survives as the field-device layer. OPC UA aggregates and normalizes the data northbound. Many modern systems run both. Modbus at the device, OPC UA gateway at the controller.
What is the Modbus register map and who provides it.
The register map is a document, often an Excel table that the device or skid vendor provides with their product. It lists every Modbus holding register or input register by address, with the parameter name, engineering unit, scaling factor, data type, and read, write access. Without the register map the master PLC has a set of numbered 16-bit integers with no way to know which is pressure, which is temperature, and which is a status byte. The register map is a critical project document. It must be obtained before the controls-configuration phase and reconciled with the I/O list.