
Prepared by: Ahmed Saleh

Senior SCADA Engineer

15/2/2022 1
• Introduction
• Transmission procedures
• Network configuration
• Protocol structure
• Frame format
• Frame structure
• ASDU structure

• IEC 60870-5-101 is a standard for power system monitoring, control and
associated communications for telecontrol, teleprotection, and associated
telecommunications for electric power systems. The standard is
suitable for multiple configurations such as point-to-point, star and
multidrop.
• It supports unbalanced (only master-initiated messages) and balanced
(master- or slave-initiated messages) modes of data transfer.

[Figure: controlling station (SCADA) and controlled station (RTU) connected by IEC 60870-5-101]

Unbalanced transmission
➢ Unbalanced transmission procedures are used in supervisory
control and data acquisition (SCADA) systems in which a
master station controls the data traffic by polling outstations
sequentially.

➢ In this case the master station (master) is the primary station
that initiates all message transfers, while outstations are
secondary stations (slaves) that may transmit only when they
are polled.

➢ The unbalanced mode procedure can be used generally, but
must be used in party line configuration.

Balanced transmission
➢ If balanced transmission procedures are used, each
station may initiate message transfers.

➢ The balanced mode procedure is restricted to “point to
point or multiple point to point”.

➢ Compared with unbalanced mode, balanced mode is the most
effective way of communication on “point to point or
multiple point”. Balanced transmission can be used in
full duplex mode.

The link layer supports the following network structures:

• Point-to-point
• Multi point-to-point
• Party line
• Redundant line

• The companion standard specifies recommendations which define
the interfaces between data circuit terminating equipment (DCE)
and data terminating equipment (DTE) of the controlling and the
controlled station (see figure 2).

• IEC 870-5-2 offers a selection of link transmission procedures using
a control field and the optional address field.
• Links between stations may be operated in either an unbalanced or
a balanced transmission mode.
• If the links from a central control station (controlling station) to
several outstations (controlled stations) share a common physical
channel, then these links must be operated in an unbalanced mode
to avoid the possibility of more than one outstation attempting to
transmit on the channel at the same time. The sequence in which
the various outstations are granted access to transmit on the
channel is then determined by an application layer procedure in the
controlling station.

• The application user layer contains a number of “Application
Functions” that involve the transmission of APPLICATION SERVICE
DATA UNITs (ASDUs) between source and destination.

• Frame with variable length: used for transmission of user data
between controlling and controlled station.

• Frame with fixed length: normally used for link layer services.

• Single character: normally used to confirm data on link
services and to confirm user data.

In special cases a frame with fixed length can be used as a confirm frame
instead of the single character.

• The application protocol data unit (APDU) consists of the
application service data unit (ASDU), start frame
bytes, checksum byte and stop byte.
APDU = start + ASDU + checksum + stop

• Max. length of frame = 253 bytes

➢ Start frame
One octet start character
Two octets Frame length
One octet Start character
One octet control field
One (or two) octet Link address

➢ The ASDU consists of a variable number of octets.

➢ Stop frame
One octet checksum
One octet stop character

• The start character marks the boundary between two frames.
Frames with variable length: 68 HEX
Frames with fixed length: 10 HEX

• Length field range: 0 - 255.

Length specifies the number of subsequent user data octets, including the
control and address fields.

The range of up to 255 octets has to be a parameter in the controlled station.
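
The frame layout above (start character, repeated length, control, link address, ASDU, checksum, stop) can be checked octet by octet before anything is passed to the application layer. The following validator is an added example, not part of the original slides; the stop character 16 HEX, the single character E5 HEX and the modulo-256 checksum are taken from the standard's FT1.2 frame format rather than from the slides, and the function names are hypothetical.

```python
# Added example: FT1.2 frame validation for IEC 60870-5-101 (not from the slides).
# 0x16 (stop) and 0xE5 (single character) are assumed from the standard.
START_VAR, START_FIX, STOP, SINGLE_ACK = 0x68, 0x10, 0x16, 0xE5

class FrameError(ValueError):
    pass

def checksum(user_data: bytes) -> int:
    """Arithmetic sum of all user data octets, modulo 256."""
    return sum(user_data) & 0xFF

def parse_frame(buf: bytes, addr_len: int = 1) -> dict:
    """Validate one complete frame; raise FrameError on any inconsistency."""
    if not buf:
        raise FrameError("empty buffer")
    if buf[0] == SINGLE_ACK and len(buf) == 1:
        return {"kind": "single"}
    if buf[0] == START_FIX:
        user_len = 1 + addr_len                      # control + link address
        if len(buf) != user_len + 3:
            raise FrameError("fixed frame has wrong size")
        user = buf[1:1 + user_len]
    elif buf[0] == START_VAR:
        if len(buf) < 6:
            raise FrameError("truncated header")
        if buf[1] != buf[2]:
            raise FrameError("the two length octets differ")
        if buf[3] != START_VAR:
            raise FrameError("second start character missing")
        user_len = buf[1]
        if user_len < 1 + addr_len:
            raise FrameError("length too small for control and address")
        if len(buf) != user_len + 6:
            raise FrameError("declared length does not match bytes received")
        user = buf[4:4 + user_len]
    else:
        raise FrameError("unknown start character")
    if buf[-1] != STOP:
        raise FrameError("bad stop character")
    if buf[-2] != checksum(user):
        raise FrameError("checksum mismatch")
    return {"kind": "variable" if buf[0] == START_VAR else "fixed",
            "control": user[0],
            "address": int.from_bytes(user[1:1 + addr_len], "little"),
            "asdu": user[1 + addr_len:]}

def build_variable(control: int, address: int, asdu: bytes, addr_len: int = 1) -> bytes:
    """Assemble a variable-length frame (used here to construct sample input)."""
    user = bytes([control]) + address.to_bytes(addr_len, "little") + asdu
    return bytes([START_VAR, len(user), len(user), START_VAR]) + user + bytes([checksum(user), STOP])
```
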

• The control field is the first octet of user data and it contains
information about message direction, the type of service provided
and controls for detecting losses or duplications of messages.
• The control field is different for balanced and unbalanced mode.

➢ RES: not used.

➢ PRM: primary message; always set to 1 in a message from the primary to the
secondary station.

➢ FCB: frame count bit; alternates between 0 and 1 for successive
SEND/CONFIRM or REQUEST/RESPOND transmission procedures.
➢ This bit is used to detect losses and duplications of information transfers.
➢ The primary (master) station alternates this bit for each new transmission to the
same secondary (slave) station. The master station also keeps a copy of the last
FCB bit sent to the slave station, and if an error occurs in the current
transmission procedure, the transmission is repeated with the same FCB.
In case of a reset command, the FCB bit will always be set to 0. When the
secondary station receives this kind of command, it is set to wait for the next
frame from primary to secondary station with a valid FCV bit to qualify the
previously received reset command.

➢ FCV: frame count bit valid; 0 = FCB bit is invalid, 1 = FCB bit is valid.
Note: For SEND / NO REPLY service and broadcast messages FCV is
always set to 0.

• ACD: access demand; There are two data classes: Class 1 and Class 2. Values of
ACD:
0 = no access demand for class 1 data transmission,
1 = access demand for class 1 data transmission.
Access demand for class 1 data transfer is indicated by the secondary (slave) station.

Note: Class 1 data is typically used for events and for high-priority data.
Class 2 data is typically used for cyclic transmission and low-priority data.

• DFC: data flow control; The secondary (slave) station uses this bit to indicate to
the primary (master) station that the transmission of the next message may
cause a buffer overflow. Values of DFC:
0 = further messages are acceptable,
1 = further messages may cause data overflow.
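
The control field bits and the FCB rules described above lend themselves to a passive check on a link monitor: decode each control octet, and for frames from the primary station compare the FCB with the last one seen for that outstation to tell a new transmission from a repetition. This is an added example, not part of the original slides; the bit positions and function code 0 for the link reset are taken from the standard, the class and function names are hypothetical, and it covers unbalanced mode only.

```python
# Added example: control field decoding and FCB tracking (unbalanced mode).
# Bit masks and FC_RESET_LINK are assumed from the standard, not the slides.
PRM, FUNC_MASK = 0x40, 0x0F
FC_RESET_LINK = 0

def decode_control(octet: int) -> dict:
    """Split a control octet into the fields named on the slides."""
    primary = bool(octet & PRM)
    fields = {"prm": int(primary), "function": octet & FUNC_MASK}
    if primary:   # master -> slave: these two bits carry FCB and FCV
        fields.update(fcb=(octet >> 5) & 1, fcv=(octet >> 4) & 1)
    else:         # slave -> master: the same positions carry ACD and DFC
        fields.update(acd=(octet >> 5) & 1, dfc=(octet >> 4) & 1)
    return fields

class FcbTracker:
    """Per-outstation record of the last valid FCB sent by the master."""
    def __init__(self):
        self.last = {}   # link address -> last valid FCB

    def classify(self, address: int, control: int) -> str:
        c = decode_control(control)
        if not c["prm"]:
            return "secondary"          # reply from the outstation
        if c["function"] == FC_RESET_LINK:
            self.last[address] = 0      # reset: FCB starts again from 0
            return "reset"
        if not c["fcv"]:
            return "unchecked"          # FCB not valid, e.g. send/no reply
        previous = self.last.get(address)
        self.last[address] = c["fcb"]
        if previous is None:
            return "first"              # no earlier frame to compare with
        return "repeat" if c["fcb"] == previous else "new"
```

A run of "repeat" results for one link address points to retransmissions on that link, which is worth correlating with line quality or timeout settings.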

• The following transmission services, initiated by the primary
station, are supported by the link:
- Send/reply: mainly used for global messages and for cyclic
setpoints in control loops.
- Send/confirm: mainly used for control commands and
setpoint commands.
- Request/respond: used for polling; sequences of this service
may be used for cyclic updating.

• If balanced transmission procedures are used, each
station may initiate message transfers. Because such
stations may act simultaneously as primary and
secondary stations, they are called combined stations. In
the following, a combined station is called either
primary or secondary station according to its described
functions.

• The balanced transmission procedure is restricted to
point to point and multiple point to point.

• Link transmission procedures use a control field and the optional
address field.
The link address field could be either one or two octets, or none.
• If the links from a central control station (controlling station) to
several outstations (controlled stations) share a common physical
channel, then these links must be operated in an unbalanced mode
to avoid the possibility of more than one outstation attempting to
transmit on the channel at the same time.

• Octet 1, TYPE IDENTIFICATION, defines structure, type and format
of the following INFORMATION OBJECT(s).
• The value <0> is not used. The range of values (numbers) 1 to 127
is defined in this user convention. The range of numbers 128 to 255
is not defined. Full interoperability would be obtained only when
using ASDUs having TYPE IDENTIFICATION numbers in the range
1 to 127.

• Octet 2 of the DATA UNIT IDENTIFIER of the ASDU defines the
VARIABLE STRUCTURE QUALIFIER (VSQ).

• The VSQ defines the number of information objects attached to the ASDU.

• Max number of information objects in one ASDU = 127

• The SQ bit specifies the method of addressing the following INFORMATION
OBJECTs or ELEMENTs.
➢ SQ = 0: Each single element or a combination of elements is addressed by
the INFORMATION OBJECT ADDRESS. The ASDU may consist of one or more than
one equal INFORMATION OBJECTs. The number N is binary coded and defines
the number of the INFORMATION OBJECTs.

➢ SQ = 1: A sequence of equal INFORMATION ELEMENTs (e.g. measured values
of identical format) is addressed (see 5.1.5 of IEC 870-5-3) by the
INFORMATION OBJECT ADDRESS. The INFORMATION OBJECT ADDRESS specifies the
associated address of the first INFORMATION ELEMENT of the sequence. The
following INFORMATION ELEMENTs are identified by numbers incrementing
continuously by +1 from this offset. The number N is binary coded and
defines the number of the INFORMATION ELEMENTs. In case of a SEQUENCE OF
INFORMATION ELEMENTs only one INFORMATION OBJECT per ASDU is allocated.

• The CAUSE OF TRANSMISSION directs the ASDU to a specific
application task (program) for processing.
• It defines the cause of transmission of the ASDU.
• The T (test) bit defines ASDUs which were generated during test conditions
and are not intended to control the process or change the system state.
T=0 (no test), T=1 (test)
• The P/N (positive/negative) bit indicates the positive or negative
confirmation of an activation requested by a primary application
function.
o P/N = 0 (positive confirm), P/N = 1 (negative confirm).
o P/N is meaningful when used with control commands. The bit is
used when the control command is mirrored in the monitor direction,
and it provides indication of whether the command was executed or
not. When the P/N bit is not relevant, it is set to zero.

➢ The originator address is optional on a system basis. It provides a means for
a controlling station to explicitly identify itself. This is not necessary when
there is only one controlling station in a system, but is required when there is
more than one controlling station, or some stations are dual-mode stations.
In this case the originator address can be used to direct command
confirmations back to the particular controlling station rather than to the
whole system.
➢ The originator address directs mirrored ASDUs and interrogated ASDUs in
monitor direction (e.g. interrogated by a general interrogation) to the source
that activated the procedure.

• The address is called common address because it is associated with all objects contained within
the ASDU. This is normally interpreted as a station address, however it can be structured to
form a station/sector address where individual stations are broken up into multiple logical units.

• COA is either one or two octets in length, fixed on a per-system basis.

• The global address is a broadcast address directed to all stations of a specific system (broadcast
address). ASDUs with a broadcast address in control direction have to be answered in monitor
direction by the address that is the specific defined common address (station address).
According to the standard this parameter consists of 2 octets.

• Value 0 is not used, range 1 – 65 534 means a station address, value 65 535
(0xFFFF) means global address.

• Global address is used when the same application function must be initiated
simultaneously. It is restricted to the following ASDUs: Type=100 (Interrogation
command): reply with particular system data snapshot at common

• The ASDU transmits information objects within its structure. Each information object is addressed
by an Information Object Address (IOA) which identifies the particular data within a defined
station.
• The third byte of IOA is only used in case of structuring the information object address in order
to define unambiguous addresses within a specific system. In all cases the maximum number of
different object addresses is limited to 65 535 (as for two bytes).

• If the information object address is not relevant (not used) in some ASDUs, it is set to zero.

• Single-point information without time tag (Type ident = 1)

Quality descriptor

OV = OVERFLOW/NO OVERFLOW
The value of the INFORMATION OBJECT is beyond a predefined range of values
(mainly applicable to analogue values).
BL = BLOCKED/NOT BLOCKED
The value of the INFORMATION OBJECT is blocked for transmission; the value
remains in the state that was acquired before it was blocked. Blocking and
deblocking may be initiated e.g. by a local lock or a local automatic cause.

• SB = SUBSTITUTED/NOT SUBSTITUTED The value of the INFORMATION OBJECT is
provided by input of an operator (dispatcher) or by an automatic source.

• NT = NOT TOPICAL/TOPICAL A value is topical if the most recent update was
successful. It is not topical if it was not updated successfully during a specified
time interval or it is unavailable.

• IV = INVALID/VALID A value is valid if it was correctly acquired. After the acquisition
function recognizes abnormal conditions of the information source (missing or non
operating updating devices) the value is then marked invalid. The value of the
INFORMATION OBJECT is not defined under this condition. The mark INVALID is used
to indicate to the destination that the value may be incorrect and cannot be used.
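
The ASDU fields described in the preceding slides (type identification, variable structure qualifier, cause of transmission, common address, information object address, quality bits) come together in the decoder below for single-point information, type ident 1. This is an added example, not part of the original slides; the bit positions inside the single-point octet and the all-ones global address for a one-octet common address are taken from the standard, the field widths are per-system parameters passed as arguments, and the function name is hypothetical.

```python
# Added example: decode an ASDU carrying single-point information (type ident 1).
def decode_asdu(asdu: bytes, cot_len: int = 1, ca_len: int = 1, ioa_len: int = 2) -> dict:
    """Decode the data unit identifier and, for type 1, the information objects."""
    header_len = 2 + cot_len + ca_len
    if len(asdu) < header_len:
        raise ValueError("ASDU shorter than its data unit identifier")
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2]
    if type_id == 0:
        raise ValueError("type identification 0 is not used")
    sq, n = vsq >> 7, vsq & 0x7F
    ca = int.from_bytes(asdu[2 + cot_len:header_len], "little")
    if ca == 0:
        raise ValueError("common address 0 is not used")
    out = {"type": type_id, "sq": sq, "n": n,
           "test": cot >> 7, "negative": (cot >> 6) & 1, "cause": cot & 0x3F,
           "originator": asdu[3] if cot_len == 2 else None,
           "common_address": ca,
           "global": ca == (1 << (8 * ca_len)) - 1,   # all ones = broadcast
           "points": []}
    if type_id != 1:
        return out                     # other types: header fields only
    body = asdu[header_len:]
    expected = 0 if n == 0 else (ioa_len + n if sq else n * (ioa_len + 1))
    if len(body) != expected:
        raise ValueError("object count N does not match ASDU length")
    pos, ioa = 0, None
    for i in range(n):
        if sq == 0 or i == 0:          # SQ=1: one address for the whole sequence
            ioa = int.from_bytes(body[pos:pos + ioa_len], "little")
            pos += ioa_len
        else:
            ioa += 1                   # following elements increment by +1
        siq = body[pos]
        pos += 1
        out["points"].append({"ioa": ioa, "on": siq & 1,
                              "BL": (siq >> 4) & 1, "SB": (siq >> 5) & 1,
                              "NT": (siq >> 6) & 1, "IV": (siq >> 7) & 1})
    return out
```
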
