Copyright © SEL 2011
Communications – Basic
Overview
• Serial Communications
• Ethernet
• Fiber-Optic
• SCADA Protocols
• Peer-to-Peer Protocols
• Ethernet Protocols
• Communications Architectures
Serial Communications
Serial is the simplest form of communication between two devices
Serial Standards
• RS–232
• EIA–485
• Universal Serial Bus (USB)
• RS–422
• G.703
So What is RS–232?
RS–232 is a ‘Recommended’ Standard by which two devices communicate
♦ General practice recommends distances no greater than 50 feet over copper media
♦ Standard does not define protocol, only physical
RS–232 Wiring
• The original RS–232 specification denotes usage of a 25 pin cable
• Modern RS-232 devices use DB9, including SEL serial products
RS-232 Flow Control (Handshaking)
• Software (XON / XOFF)
• Hardware (RTS / CTS)
• Important to consider when transmission medium can require careful timing (wireless radios)
RS-232 Connector Types
Two different connectors are associated with two major types of hardware
♦ Data Terminal Equipment, or DTE; SEL relays, meters (IEDs, in general) etc. are DTE
♦ Data Communications Equipment or DCE; SEL communications devices such as transceivers, media converters, etc. can be DTE or DCE
RS-232 Connector Types (cont)
• DTE will transmit on pin 2 and receive on pin 3
• DCE will transmit on pin 3, and receive on pin 2
• Null modem allows DTE-DTE or DCE-DCE
RS–232 DB9 Pin-Out (DTE)
DB–9M    Function              Abbreviation
Pin #1   Data Carrier Detect   CD
Pin #2   Receive Data          RD or RX or RXD
Pin #3   Transmitted Data      TD or TX or TXD
Pin #4   Data Terminal Ready   DTR
Pin #5   Signal Ground         GND
Pin #6   Data Set Ready        DSR
Pin #7   Request To Send       RTS
Pin #8   Clear To Send         CTS
RS–232 DB9 Pin-Out (DCE)
DB–9M    Function              Abbreviation
Pin #1   Data Carrier Detect   CD
Pin #2   Transmitted Data      TD or TX or TXD
Pin #3   Receive Data          RD or RX or RXD
Pin #4   Data Terminal Ready   DTR
Pin #5   Signal Ground         GND
Pin #6   Data Set Ready        DSR
Pin #7   Clear To Send         CTS
Pin #8   Request To Send       RTS
“SEL IED” RS-232 DB9 Pin-Out (DTE connector)
DB–9M    Function              Abbreviation
Pin #1   5 Vdc                 n/a
Pin #2   Receive Data          RD or RX or RXD
Pin #3   Transmitted Data      TD or TX or TXD
Pin #4   + IRIG–B              n/a
Pin #5   Signal Ground         GND
Pin #6   - IRIG–B              n/a
Pin #7   Request To Send       RTS
Pin #8   Clear To Send         CTS
DTE->DCE Communications
• In serial cable terms, a “straight-thru” cable is used
DTE->DTE Communications
• In serial cable terms, a “null-modem” cable is used
Transmitting Data – How does it work?
• RS–232 communication is dependent on a set timing speed at which both pieces of hardware communicate
• The hardware knows how long a bit should be high or low
• RS–232 also specifies the use of “start” and “stop” bits
To Talk the Talk…
• Both devices must have the same data rate to communicate, but they must also know how to handle problems
• Baud rate is the number of changes in the signal per second, also known as bits per second, or bps
Common Serial Settings
Most serial communications port settings are read in the following form:
♦ Bits per second (baud, or speed)
♦ Number of data bits
♦ Parity
Speed Limitations
• All serial devices have a “UART” controller
• SEL devices are typically limited to 57600 baud
• Older SEL products may be limited to 38400, or even 9600 baud
What is RS–485?
Communications interface using a ‘balanced’ or differential signal process to support point–to–point, point–to–multi–point, and
Physical Media: Twisted Pair
Network Topology: Point-to-point, Multi-dropped, Multi-point
Maximum Devices: 32 drivers/receivers
Maximum Distance: 4000 feet
Mode of Operation: Differential
Maximum Baud: 100 kbit/s - 10 Mbit/s
Voltage Levels: -7 V to +12 V
RS-485 Has Better Noise Immunity
Opposing polarities and twisted pair conductors for transmit and receive signals provide immunity to magnetically–induced noise
RS–485 Full–Duplex
• “4-Wire” Standard
• All device connections are consistent
• Only first and last devices in chain connect the reference wire
RS–485 Half–Duplex
• “2-Wire” Standard
• Only one device can talk at a time
• Rx and Tx matching polarities are tied together (+ to + and - to -)
RS–485 Half–Duplex
• Half-Duplex Comms imply that receive/transmit be accomplished on same data lines.
• Two methods to switch rx/tx mode:
♦ RTS Line “High” on 232 Connector (HW+SW)
♦ “SDC” – Send Data Control (SW-only)
RS–485 Termination Resistors
• Used to match impedance of 485 TX node to communication cabling in use.
• If there is a mismatch, a portion of the message is reflected back at the transmitter and data is truncated.
• Connect +/- (or A/B) pairs of Transmitter / Receiver, only at extreme ends of network
Serial
Physical media
Fiber-Optic Serial
• Dual-Transceivers encode serial data over
Universal Serial Bus (“USB”)
• Developed as open standard for interconnection of computing peripheral devices.
• Software Drivers required to determine behavior
USB/RS232 Converters
• Connect a PC with no physical RS232 ports to legacy IEDs.
Network Communications
• OSI Model
• Physical media
♦ copper/twisted pair
What is a ‘Network’?
A collection of two or more elements linked together for the purposes of sharing information, resources, etc.
♦ ARPANET was the world’s first ‘packet switching’ network
♦ ARPANET successfully passed the first
The (OSI) Reference Model
Layer    Name          Function
Layer 7  Application   Interface between NOS and user’s application software
Layer 6  Presentation  Data representation
Layer 5  Session       Name to address translation, access security
Layer 4  Transport     Reliability of transmission from end to end
Layer 3  Network       End-to-end addressing (specific to the protocol)
Layer 2  Data Link     Media access and addressing (on the same physical wire)
Layer 1  Physical      Cables, connectors, wires and signaling issues
[Figure: layer stack between Application Data and Wire/Fiber]
• Top 3 layers are application-oriented
• Responsible for presenting the application to the user
• Unaware of how data get to the application
• Lower 4 layers deal with packaging & delivery of data
• How it is transmitted
• How it is reliably received
Ethernet
• Establishes direct connection between sender and receiver
Ethernet Devices - Hubs
Hub: Simple Muxing Device That Redistributes all Data that it Receives to all Connections
• Physical Layer
• Lowest cost
Ethernet Devices - Switches
Switch: Intelligent Muxing Device Monitors and Redistributes Data to Appropriate Connections; will not Redistribute Detected Bad Data
• Uses Data Link layer (MAC address filtering)
Ethernet Devices - Switches
• Can be used to interconnect different
Ethernet cabling mediums (Copper, Fiber, etc)
Ethernet Devices – Managed Switches
• Advanced Functions provided by managed switches include:
♦ Port security (disabling, VLAN, priority)
♦ Network Monitoring (SNMP, web interface)
Ethernet Devices - Routers
Router: Interconnects Two Networks Such as Substation LAN and Utility WAN
• Uses Network Layer/Transport layers
• Commonly used for Network Security
Ethernet Media Types
• CAT5E / CAT6 Twisted Pair Cable, RJ45 Connectors
♦ Most common interface standard, cables are relatively easy to manufacture.
♦ Cable provides acceptable EMI shield for most industrial installations.
♦ Maximum cable limit of 300 ft.
Ethernet Media Types cont.
• Fiber optic cable, multi-mode (MM) or single-mode (SM)
♦ Common in substation installations, due to EMI immunity.
♦ Maximum lengths of 15km (MM) and 110km (SM)
Protocols – What are they?
• “A formal, defined set of digital message formats and rules for exchange of data messages between computing systems”
• Frequently include signaling, authentication and error detection/correction capabilities
SCADA Protocols
• Follow Master/Slave (or Client/Server) relationship
• SEL Protocol
• Modbus
SEL Protocol
• Supported by all SEL IEDs
• Combination of ASCII/Binary data transfer modes.
• Supports auto-configuration of tag data
• Time-stamps supported in target data range if target is in SER configuration.
SEL Protocol – Auto Configuration
• “CAS” Command – Return Meter and Event
Report Configuration Data
• “DNA X” Command – Return complete
SEL Protocol – Fast Op. Commands
• Two main styles of bits can be written to SEL IEDs – Remote Bits (RBs) and Breaker Bits (BRs)
• Breaker Bits correspond to OC and CC targets in Relay Logic
• Remote Bits typically used for additional logic.
Modbus Protocol
• Referred to as “Modbus/RTU”
• Developed by Modicon for their PLCs
• Simple Protocol Used in Many RTUs, PLCs, and Other IEDs
Modbus Register Mapping
• Register map defined by manufacturer
• Hard-coded and configurable map are possible
• All boolean data types are single-bit registers
Modicon Addressing
• 0X Discrete Output / Coils
• 1X Discrete Input
• 3X Input Register
Modbus Message Framing
• Data Request and Response
♦ 1 byte Slave address
♦ 1 byte Function code
♦ n bytes Data bytes
Read Coil Status (01h)
• Reads Status of Various Bits
• Read Up to 1000 Bits per Request
• Technically classified as 'Digital Output' status data type
Read Input Status (02h)
• Identical Operation as Read Coil Status (01h)
• Functionally used as 'Digital Input' data type
Read Holding Register (03h)
• Used to Read From Database Directly
• Data Response Is Entire Register
Read Input Register (04h)
• Functionally identical to Read Holding register op-code.
• Many devices will only have a single register map and will return the same value whether op-code 0x03 or 0x04 is used.
Force Single Coil (05h)
• On SEL equipment, Operate Remote and Breaker Bits
• Clear Archive Records
Preset Single Register (06h)
• Write 16-bit value (2 Bytes) Directly to a Database Register
• Technically corresponds with Input Register data map.
Preset Multiple Registers (10h)
• Write Multiple 16-bit Words of Data to Contiguous Database Registers
Modbus Error Responses
• 01 - Illegal Function
• 02 - Illegal Data Address
• 03 - Illegal Data Value
• 04 - Failure in Associated Device
Modbus Decoding - Poll
• Ex: 01 03 00 00 00 10 DA FC
• 01 = Address of Remote Slave IED
• 03 = “Read Holding Reg” Op-Code
• 00 00 = Start at Holding Reg Addr 00
• 00 10 = Return 16 x 16-bit Registers
Modbus Decoding - Response
• Ex: 01 03 20 <DATA> DA FC
• 01 = Address of Remote Slave IED
• 03 = Holding Register Data Type
• 20 = Number of Data Bytes Returned
• <DATA> = Raw Holding Register Data
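The poll and response decoding above, as an added Python example that is not part of the original slides. Function names are chosen for this example. It also recomputes the CRC-16 that ends every Modbus RTU frame: for the six bytes of the slide's poll the check gives 44 06, so the printed DA FC is a placeholder rather than a real checksum.

```python
import struct

# Error codes as listed on the "Modbus Error Responses" slide
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
              3: "Illegal Data Value", 4: "Failure in Associated Device"}

def crc16_modbus(data: bytes) -> int:
    """Modbus RTU CRC-16: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(body: bytes) -> bytes:
    """Append the CRC the way RTU sends it: low byte first."""
    return body + struct.pack("<H", crc16_modbus(body))

def split_frame(frame: bytes):
    """Return (slave, function, data, crc_ok) for one RTU frame."""
    if len(frame) < 4:
        raise ValueError("frame needs address, function code and 2 CRC bytes")
    body, sent = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    return body[0], body[1], body[2:], sent == crc16_modbus(body)

def decode_read_poll(frame: bytes) -> dict:
    """Decode a register read poll (03h or 04h): start address and count."""
    slave, func, data, crc_ok = split_frame(frame)
    if func not in (0x03, 0x04) or len(data) != 4:
        raise ValueError("not a register read poll")
    start, count = struct.unpack(">HH", data)
    return {"slave": slave, "function": func, "start": start,
            "count": count, "crc_ok": crc_ok}

def decode_read_response(frame: bytes) -> dict:
    """Decode the reply: 16-bit registers, or the error if bit 7 is set."""
    slave, func, data, crc_ok = split_frame(frame)
    if func & 0x80:  # error reply = function code + 0x80, then one error byte
        if len(data) != 1:
            raise ValueError("malformed error response")
        return {"slave": slave, "function": func & 0x7F, "crc_ok": crc_ok,
                "error": EXCEPTIONS.get(data[0], "unknown")}
    if not data or data[0] != len(data) - 1 or data[0] % 2:
        raise ValueError("byte count does not match the data returned")
    registers = list(struct.unpack(f">{data[0] // 2}H", data[1:]))
    return {"slave": slave, "function": func, "crc_ok": crc_ok,
            "registers": registers}

# The poll exactly as printed on the slide, trailing DA FC included
SLIDE_POLL = bytes.fromhex("01 03 00 00 00 10 DA FC")
```

A host should discard any frame whose `crc_ok` is false before acting on the decoded fields.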
Modbus Protocol Types
• 4 Distinct Flavors of Modbus
♦ Modbus ASCII
♦ Modbus RTU
♦ Modbus RTU over TCP
Modbus Register-Encoding
• How to use 16-bit registers for advanced data?
♦ 16 Packed Boolean statuses
♦ 32-bit Integers
Modbus Packed Booleans
• 16-bit Register is used to store 16 individual Bit states:
♦ Given: 0x0A1F = 0000 1010 0001 1111
Bit 0 = IN101 = 1
Bit 5 = IN106 = 0
Modbus 32-bit Integers
• Combine 2 x 16-bit registers into a single 32-bit Register:
♦ Host requests 2 registers, combines into 1.
♦ High and Low 16-bit register (order?)
♦ Signed or unsigned?
Modbus 32-bit Floating Point
• Combine 2 x 16-bit registers into a single 32-bit IEEE754 Floating point Register:
♦ Host requests 2 registers, combines into 1.
♦ High and Low 16-bit register (order?)
♦ 32-bit broken down into sign (1 bit), exponent
www.binaryconvert.com
• Free web-site for converting raw binary/hex quantities into formatted data.
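The register encodings above (packed booleans, 32-bit integers and IEEE754 floats), as an added Python example that is not part of the original slides. The function names and the bit-to-label rule (bit n labelled IN101 + n, extended from the slide's bit 0 = IN101 and bit 5 = IN106) are assumptions; the word order and signedness the slides question are explicit parameters.

```python
import struct

FORMATS = {"u32": ">I", "i32": ">i", "f32": ">f"}  # names chosen for this example

def unpack_bits(register: int, first: int = 101, prefix: str = "IN") -> dict:
    """Split a 16-bit register into 16 named booleans, bit 0 first.

    The slide gives bit 0 = IN101 and bit 5 = IN106; labelling bit n as
    IN(101 + n) extends that and is an assumption. Real maps are per device.
    """
    if not 0 <= register <= 0xFFFF:
        raise ValueError("register must fit in 16 bits")
    return {f"{prefix}{first + n}": bool((register >> n) & 1) for n in range(16)}

def decode32(first: int, second: int, kind: str, high_word_first: bool = True):
    """Combine two registers, in the order they were read, into one 32-bit value."""
    for reg in (first, second):
        if not 0 <= reg <= 0xFFFF:
            raise ValueError("register must fit in 16 bits")
    high, low = (first, second) if high_word_first else (second, first)
    return struct.unpack(FORMATS[kind], struct.pack(">HH", high, low))[0]

def candidates(first: int, second: int) -> dict:
    """Every reading of the same two registers, to compare with a known value."""
    return {(kind, order): decode32(first, second, kind, order == "high-first")
            for kind in FORMATS for order in ("high-first", "low-first")}
```

When a device manual does not state the word order, `candidates()` on a point with a known value shows which interpretation is the plausible one.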
DNP3 Protocol
• Master/Slave (Client/Server)-style Protocol
• Overcomes many limitations of earlier SCADA protocols
• Open standard, free for implementation by any vendor
DNP3 Introduction
• DNP Intent
♦ Telecontrol
♦ Read / write of database data
♦ SCADA information
SOE (time-stamp retrieval)
COS (state-change report)
time synchronization
DNP3 Introduction
• Event Based
♦ Binary change of state
multiple change detection
SOE
♦ Analog % change
♦ Event classes
DNP3 Introduction
• Object Based
♦ Data specification
♦ No direct memory access
♦ Object types
value
change
frozen
DNP3 Reporting Mechanisms
• A classic example of a Modbus-style polling request
Master requests specific memory area from slave
Slave responds with all data in region
DNP3 Reporting Mechanisms
• DNP3 can perform a ‘Static’ or ‘Integrity’ Poll
Slave responds with all data of type or all Classes
Master requests all data of a type of Class 0
DNP3 Reporting Mechanisms
• The master process can also utilize class polling to use Report-By-Exception and improve performance
Master performs periodic Class 0 poll for sync refresh
Master performs regular Class 1,2,3 poll
Slave responds to Class 0 poll with all data
Slave reports event data
DNP3 Reporting Mechanisms
• For extremely low-bandwidth connections, unsolicited reporting can be used.
Master performs occasional Class 0 poll for sync refresh
Slave reports unsolicited event data
Slave responds to Class 0 poll with all data
DNP3 Reporting Mechanisms
• Quiescent polling can also be used, where-by the master process never polls for data and relies entirely on the slave process to report changes.
Master does not poll
Slave reports unsolicited event data
DNP3 Protocol Benefits
• Optimized Communication
♦ Event-driven polling
class 0
class 1, 2, 3
DNP3 Protocol Benefits
• High Data Integrity
♦ 16-Bit CRC every 16 bytes
♦ Hamming distance of 6
♦ Data link confirmations
DNP3 Protocol Benefits
• Structured Evolution
♦ Subset definitions
♦ Object definitions
♦ Standard documentation
♦ Conformance testing
♦ User’s group
♦ Technical committee
DNP3 Recent Developments
• ‘Recent’ is defined as 2000-era
• Ethernet LAN/WAN Support
• Virtual Terminal Applications
DNP3 Protocol Structure
• DNP Structure
♦ Modified 3 Layer OSI model
[Figure: OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside the DNP3 layers (Application, Data Link, Physical)]
DNP3 Message Structure
• Typical DNP3 Message Frame
05 64
DNP3 Message Structure
• Data-Link Header, every message starts with this.
• 0x0564
• Length
• Control Byte
• Destination and Source Addresses
• 16-bit CRC
[Figure: data-link header fields: 05 64, LEN, DLC, DESTINATION (LSB, MSB), SOURCE (LSB, MSB), CRC]
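The data-link header listed above, together with the "16-bit CRC every 16 bytes" rule from the DNP3 Protocol Benefits slide, as an added Python example that is not part of the original slides. Function names and the sample frame are constructed for illustration.

```python
import struct

START = b"\x05\x64"  # every DNP3 link frame starts with these two bytes

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user: bytes = b"") -> bytes:
    """10-byte header, then user data in blocks of up to 16 bytes, each with a CRC."""
    if len(user) > 250:
        raise ValueError("LEN is one byte: at most 250 bytes of user data")
    # LEN counts control + destination + source (5 bytes) + user data, no CRCs
    header = START + struct.pack("<BBHH", 5 + len(user), ctrl, dest, src)
    out = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + struct.pack("<H", crc16_dnp(block))
    return out

def parse_frame(frame: bytes) -> dict:
    """Check every CRC; return header fields and the reassembled user data."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing 05 64 start bytes or short header")
    length, ctrl, dest, src, crc = struct.unpack("<BBHHH", frame[2:10])
    if length < 5 or crc != crc16_dnp(frame[:8]):
        raise ValueError("bad length or header CRC")
    user, pos, remaining = b"", 10, length - 5
    while remaining:
        n = min(16, remaining)
        block, sent = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(sent) != 2:
            raise ValueError("frame shorter than LEN announces")
        if struct.unpack("<H", sent)[0] != crc16_dnp(block):
            raise ValueError(f"bad block CRC at offset {pos}")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    return {"length": length, "dir": bool(ctrl & 0x80), "prm": bool(ctrl & 0x40),
            "function": ctrl & 0x0F, "destination": dest, "source": src,
            "user_data": user}

# Constructed sample: header-only frame from address 1024 to address 1
SAMPLE = bytes.fromhex("05 64 05 C0 01 00 00 04 E9 21")
```

A matching CRC shows the bytes arrived as sent; it says nothing about who sent them.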
DNP3 Message Structure
• Transport and Application Layer includes actual data.
• Transport Header
• Application Header
• Object Header
• Data Block
• CRC
[Figure: APP Header]
DNP3 Message Structure
• Application-Layer Object Data
• Object Header
♦ Group
♦ Variation
♦ Qualifier
♦ Range
[Figure: Object Header, Data]
DNP3 Message Structure
• Common Application Layer Function Codes:
♦ 01 – Read
♦ 02 – Write
♦ 03 – Select, 04 – Operate, 05-Direct-Operate
♦ 23 – Delay Meas, 24 - Record Current Time
♦ 129 – Response
DNP3 Message Structure
• Common DNP3 Default Object Types and Variations:
♦ Binary Inputs – Obj 1,2 Var 2
♦ Binary Outputs – Obj 10 Var 2, Obj 12 Var 1
♦ Counters – Obj 20, 22 Var 5
♦ Frozen Counter – Obj 21,23 Var 1
♦ Analog Inputs – Obj 30 Var 4, Obj 32 Var 2
♦ Analog Outputs – Obj 40,41 Var 2
♦ Time/Date Objects – Obj 50 Var 1
DNP3 Class Data
• Reports “Change Event” data from an IED
• Q: What does Class 1, 2 and 3 data represent?
• A: Whatever the IED defines it as!
• Typically: Binary = 1, Analog = 2, Counter = 3
DNP3 Static vs. Event Data
• Static data from Class 0 object poll
♦ “Current” (snapshot) Value
♦ Does not contain timestamp information
• Event data from Class 1,2,3 object poll
♦ “New Value” from IED event buffer
DNP3 Message Structure - Options
• Object Type Optional Components
♦ Time-Tag (Change events-only)
♦ Status Flag
Value, Forces, Restart, Online
Point Force (Local or Remote)
DNP3 Message Structure - IIN
• IED Responses will include 2-bytes of IIN (internal indications) bits.
♦ Device trouble, re-start, in-local, corrupt
♦ Time Sync Required
♦ Class 1, 2 or 3 data available
♦ Event Buffer Overflow
DNP3 Commands
• Use “Control Relay Output Block” (CROB) from host to write to Binary Output Index.
• Supported styles of commands:
♦ Pulse On, Pulse Off
♦ Pulse w/ Trip or Close Qualifier
DNP3 Commands – IED Interpretation
• IEDs will have different interpretations of DNP3 command codes
• Check the device-specific DNP3 appendix
Peer–to–Peer Protocols
• Serial: Mirrored Bits®
SEL MIRRORED BITS Review
Relay-to-Relay Logic Communication
[Figure: Relay 1 and Relay 2 DB9 connectors linked by fiber (SEL-28xx), µWave, audio, radio, proprietary or other channels]
SEL MIRRORED BITS Communications
• EIA-232 Asynchronous Message (6-O-1)
• 8 Bits of Bidirectional Status or Control
[Figure: Relay 1 and Relay 2, each with transmit bits TMB1 to TMB8 and receive bits RMB1 to RMB8, connected through channel interfaces and communications equipment]
Transmit “Mirrored” to Receive
[Figure: TMB1 to TMB8 of each relay mirrored to RMB1 to RMB8 of the other; Relay 1 TMB1 = 1 appears as Relay 2 RMB1 = 1]
Communications Media Requirements
• Full-Duplex Communications
• EIA-232 Serial Port Interface
♦ Up to 38400 bps
• Immune to Power System Fault Generated Transients
Ethernet Protocols
• Telnet
• FTP
• Web / HTTP
• DNP3 / IP
• IEC 61850
Telnet Protocol
• Provide Virtual “Terminal” session on remote host
• Command-line session supported
• No built-in authentication
FTP Protocol
• FTP = “File Transfer Protocol”
• Use to read/write files to/from remote devices (IEDs, relays, etc).
• Simple Authentication supported
Web / HTTP Protocol
• “HyperText Transfer Protocol”
• Supports HTML Text-file encoding language that provides formatted data information from a server to a client.
• Simple Authentication supported
DNP3/IP Protocol
• “DNP3 over IP”
• 99.9% Identical to serial SCADA protocol
• Differs only in Time-synchronization function codes and objects used.
IEC-61850 Protocol(s)
• Vendor-neutral
• MMS – Classic Client/Server protocol
♦ “Tag-Based” Protocol Language
♦ Standardized Naming
• GOOSE – Peer-to-Peer messaging
Communications Architectures
• Star Topology
• Bussed/Daisy-Chain Topology
• Ring Topology
• Hybrid Ethernet Topologies
Star Topology
• Benefits:
♦ Flexible for Serial/Ethernet hardware
♦ Independent Data Path to end devices
♦ Quick Concurrent polling of end devices
• Draw-Backs:
♦ Additional Comms Cable, More $$$
♦ Occasional use of repeaters required
Bussed / Daisy-Chain Topology
• Benefits:
♦ Inexpensive communications to many devices (minimal cabling)
• Draw-Backs:
♦ Round-robin polling delays (slow data updates)
♦ Devices must be addressable (no SEL protocol)
Ring Topology
• Benefits:
♦ Less cost of cabling
• Draw-Backs:
♦ Extra Configuration
♦ Some devices do not support (for Ethernet, Managed Switches required)
Hybrid Ethernet Topologies
• Benefits:
♦ Redundant, self-healing Architectures
• Draw-Backs:
♦ Extra $$$ for additional cabling/switches
♦ Extra Configuration
♦ Some devices do not support (Managed
“Classic” SEL Topology
• Communications processor concept
• SEL-2032 vs. SEL-3530 RTAC