The purpose of this article is to provide step-by-step directions for configuring the built-in Modbus driver in the SCADA system WinCC OA.

Unfortunately, the basic course does not cover this connection and gives no step-by-step instructions, so I am filling this gap.

Step-by-step instructions for connecting a standard WinCC OA station over the Modbus TCP protocol. We use the popular Modbus TCP simulator Modbus Tools (

1. A 64-bit operating system must be pre-installed, together with WinCC OA (v3.14 or later), either with a key or as the demo version

2. Download ModbusPollSetup64Bit.exe and ModbusSlaveSetup64Bit.exe from the link above and install them. These components simulate the data flow (sending and receiving telegrams) over the Modbus TCP protocol

3. First run Modbus Slave (telegram generation) with the settings shown in the figures, allowing it to work on the home network (upper checkbox)

Modbus Slave

Net agrid

4. In the slave emulator, set any number

Modbus Slave

5. Set up the master emulator according to the example. Run Modbus Poll

Modbus Poll

6. We see the telegram counter (Tx) ticking, and we see the received and transmitted data. By default, function 03 Holding Register is set

Modbus Poll value

7. Create a new standard WinCC OA project, choosing two languages for the interface and declining a password.

Creating a WinCC OA project

8. Run the created project «TestModbusTCP»

Admin WinCC OA

9. Wait for the console with the services to start

WinCC OA console

10. Stop the protocol emulation driver (the stub) and install a new Modbus master driver

WinCC OA manager

11. Set the initialization string in the Modbus manager

Manager initialization

The console should look like this:

WinCC OA console

12. Set the following in the project configuration file
tcpServerPort = 502
and restart our whole, still empty, project

Use on a private network

13. Confirm access again

WinCC OA console

The console should look like this

14. Configure the driver as in the picture below and activate it: click Apply and Active

Driver configuration

15. Try to run the Slave emulator
If it complains that the port is busy, that is a GOOD SIGN
Leave it as it is, without taking any action, and run Modbus Poll

Modbus Poll

We see that telegrams are going out (Tx changes), the counter moves, and the error indicator lights up: a read error, then a write error. Keep in mind that we have not yet created a single tag and no polling has been set up.

16. Create a new data type and a new data point. Define the new data point element with the integer (Int) type

Data point

Data point - channel

17. Add the peripheral address to this variable and click Options

Protocol selection

Selecting Modbus from the protocol list

Setting the polling parameters

18. Select our PLC and set the polling period. Important!!! Tick «Active» wherever it appears

19. With the network understood correctly, start the exchange process and everything should work
Start Modbus Slave (the telegram receiver) first, and only then the WinCC OA driver. By changing a value in the slave we see that WinCC OA reads / receives the data
Modbus Poll can also be run, for example to change the value in a register, but only after the main WinCC OA driver

Request:
00 1C 00 00 00 06 01 03 00 00 00 0A
00 1C – packet identifier
00 00 – always zero
00 06 – length of the information part (6 bytes)
01 – logical address of the controller (typically 1, but …)
03 – register read command
00 00 – starting from address 0000
00 0A – read ten registers (twenty bytes)

Response:
00 1C 00 00 00 17 01 03 14 00 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 1C – the identifier, repeated from the request
00 00 – always zero
00 17 – length of the information part (twenty-three bytes)
01 – address of the PLC (repeated from the request)
03 – function
02 – the number of bytes (registers are usually 16-bit, so the number of bytes is a multiple of two)
xxxx – register value

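
As an added example (not from the original article and not part of WinCC OA), the following Python code decodes the request and response frames listed above and applies the consistency checks that help when the exchange misbehaves. The function names and the exception-reply sample are assumptions made for this illustration.

```python
import struct

def parse_adu(frame: bytes) -> dict:
    """Split a Modbus TCP frame into its header fields and data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"bytes 2-3 are {proto:#06x}, expected 00 00")
    # The length field counts the unit address and everything after it.
    if length != len(frame) - 6:
        raise ValueError(f"length field says {length}, {len(frame) - 6} bytes follow")
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}

def check_read_holding(request: bytes, response: bytes) -> list:
    """Validate a function 03 exchange and return the register values."""
    req, rsp = parse_adu(request), parse_adu(response)
    if req["func"] != 0x03 or len(req["data"]) != 4:
        raise ValueError("request is not a function 03 read")
    _start, quantity = struct.unpack(">HH", req["data"])
    if (rsp["tid"], rsp["unit"]) != (req["tid"], req["unit"]):
        raise ValueError("response does not belong to this request")
    if not rsp["data"]:
        raise ValueError("response carries no data")
    # A slave that rejects the request answers with function code + 0x80.
    if rsp["func"] == req["func"] | 0x80:
        raise ValueError(f"slave returned exception code {rsp['data'][0]:#04x}")
    if rsp["func"] != req["func"]:
        raise ValueError("response function differs from the request")
    byte_count = rsp["data"][0]
    if byte_count != 2 * quantity or byte_count != len(rsp["data"]) - 1:
        raise ValueError("byte count does not match the registers requested")
    return list(struct.unpack(f">{quantity}H", rsp["data"][1:]))

# The two frames quoted in the article (response: 00 17 plus 18 zero bytes).
REQUEST = bytes.fromhex("00 1C 00 00 00 06 01 03 00 00 00 0A")
RESPONSE = bytes.fromhex("00 1C 00 00 00 17 01 03 14 00 17") + bytes(18)
# Constructed sample, not from the article: an exception reply to the same request.
EXCEPTION = bytes.fromhex("00 1C 00 00 00 03 01 83 02")

if __name__ == "__main__":
    print(check_read_holding(REQUEST, RESPONSE))
```

For the article's frames the byte-count field is 14 hex, that is, twenty bytes for the ten registers requested.
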
If this advice does not work (the driver often restarts while you set it up, there is no exchange, or it writes nonsense), then analyze what is inside the exchanged packets
You can use a sniffer. Handy ones for Modbus TCP are here:

Connection established

We see that the connection is working and the data changes.

#step_by_step, #Instruction, #WINCCOA, #MODBUS, #drivers, #SCADA
