
4th International Conference on Electrical Engineering (ICEE 2015)

IGEE, Boumerdes, December 13th-15th, 2015

The implementation of SCADA open protocol IEC60870-5-101 on ARDUINO UNO board

S. SMAIAH, A. KHELLAF
Ecole Nationale Supérieure de Technologie
Rouiba, Alger, Algérie
Smaiah.sarah@gmail.com
khellafahmed@hotmail.fr

T. CHERIFI
Laboratoire Signal et Communication
Ecole Polytechnique d'Alger
Alger, Algérie
Charifi.tarek@gmail.com

Abstract: As the choice of the communication protocol for a given application is one of the most significant tasks in the development of information technology solutions, this article focuses on the high level open protocol of SCADA systems, IEC 60870-5-101, as well as its implementation, the design of an RTU TESTER and the design of an RTU.

Keywords: SCADA protocols; IEC60870-5-101; RTU; RTU TESTER.

I. INTRODUCTION

Electric power has become an essential asset for the economic competitiveness of nations. Indeed, the level of its consumption characterizes to a large extent the development level of societies. In this context, its availability, in other words the maintenance of a balance between supply and demand, proves to be a decisive factor in keeping the economy and social life in "operating state".

In order to manage this electric power better and to reduce outage times, electrical supply networks have been automated, taking into account the importance or utility of the substations and feeders to be controlled, by calling upon Supervisory Control and Data Acquisition (SCADA) systems.

Today, the most critical infrastructures use SCADA systems, because they provide more effective control tools that allow remote management, real-time data acquisition and processing, improved safety of the plant and its personnel, and reduced operating costs.

The three most important parts of a SCADA system are the Master Terminal Unit (MTU), the Remote Terminal Units (RTU) and the connection between them, which is ensured by a communication system using specific protocols in order to function effectively and to make the best use of the transmission capacity.

This paper presents a thorough study of the high level open protocol IEC 60870-5-101 and its implementation, because it is dedicated to the electricity industry and widely used in the European area, in order to design an RTU.

II. THE IEC60870-5-101 PROTOCOL

IEC 60870-5-101, or T101, is an open high level transmission protocol that was designed specifically for remote control applications using a standard asynchronous serial channel interface between the Data Terminal Equipment and the Data Circuit-terminating Equipment: RS 232, RS 485 or RS 422. It defines a companion standard that makes interoperability between systems possible. It is confined to the electrical distribution industry and it is strongly supported in the European region [1].

A. Transmission system topology

The network architecture in the IEC 60870-5-101 standard, also called T101, may be point-to-point or multipoint, where transmission is serial with a low bandwidth. It offers two modes of communication: master-master and master-slave mode (balanced and unbalanced mode).

- Point-to-point connections on dedicated lines (e.g. a phone line). There is a logical connection between the control station and each controlled station, based on an exclusive physical link between the two devices.
- Multipoint link on an open channel (e.g. radio). All units are open towards each other. The protocol ensures that only the destination unit processes the message.

B. Protocol architecture

The protocol was defined in terms of the OSI model using the EPA three-layer model (Enhanced Performance Architecture): the physical layer, the data link layer and the application layer, as shown in Figure 1. An additional layer, known as the user layer, was added on top in order to represent the different functions or processes that need to be defined to provide remote control operations.

Fig. 1. The IEC60870-5-101 architecture

2015 IEEE

C. Message structure

Two types of messages exist between the master station and the remote terminals. The first type of frame is a data link frame carrying the address of the controlled station and control information. The size of this message varies with the amount of information sent. It is used to transport user information and for remote supervision.

The second type is used for supervision and flow control. In this case, the central station communicates with a fixed frame size in order to minimize the transmission time. This frame comprises either the address of the remote terminal or a control signal to check the status of the controlled station [2].

An FT1.2 frame, as illustrated in Fig. 2, is composed of different codes in hexadecimal, each with the following meaning:

- Start 0x10: the 10 in hexadecimal indicates a fixed length frame, which carries 5 or 6 bytes only.
- Start 0x68: the 68 in hexadecimal indicates a variable length frame. It can carry up to 253 bytes of user data, and its maximum length is 261 bytes.
- C: the function code (control field).
- A: the RTU address.
- Checksum: computed modulo 256. It is a check byte that contains the sum of the address and the function code.
- L: the length of the frame. It is repeated twice and the two values must be equal for the frame to be accepted.
- End 0x16: the 16 in hexadecimal indicates the end of the frame.

Fig. 2. Frame format under the standard IEC 60870-5-101

The application layer shows how the Application Service Data Unit (ASDU) is carried by the data link layer in the standard IEC 60870-5-101. It is important to note that a maximum of one ASDU is allowed per frame. The structure of the ASDU has two main sections: the data unit identifier and the data itself, composed of one or more information objects. The data unit identifier defines the specific type of data, provides the addressing that identifies the specific data and includes additional information for the transmission.

Fig. 3. Overall message structure

D. Addressing

The addressing in this standard is done at the application level and at the transmission medium (link) level. At the link level, the address is 1 or 2 bytes for the master-slave configuration, and from 0 to 2 bytes for the master-master configuration.

At the application level, the ASDU contains the remote station address, encoded on 1 or 2 bytes, and the information to be transmitted.

E. Data link procedures

The transmission procedures Send/No reply, Send/Confirm ("asymmetric transmission") and Request/Response ("symmetric transmission") must be used according to demand. The interface between the link layer and the user service is not defined in this standard.

1) Asymmetric transmission: In an asymmetric transmission system, the remote stations are always secondary stations (slaves) and the control center is the primary station (master).

This procedure uses the function code 9 of the REQUEST/RESPONSE service (request link status). Remote stations must respond to the request with the function code 11 to indicate that the request is confirmed; then the master asks for a link reset with the code 0, and the slaves must respond with the code 0. The request for class 1 data is performed with the code 10, and the slave responds with the code 9 to indicate that the data are not available. Class 2 data are requested with the code 11.

2) Symmetric transmission: Requests from the primary station with function codes 0 to 4 and 9 must receive a positive or negative response. In the case of an unused link, the secondary station should respond with the function code 15 to indicate that the connection is not in use.

The address field A consists of one or two bytes. In a balanced transmission system, there is no broadcast control.

III. THE COMPARISON OF IEC 60870-5-101 WITH TWO OPEN SCADA PROTOCOLS: PUR2.4 AND DNP3.0

The three SCADA protocols IEC60870-5-101, PUR2.4 and DNP3 are open protocols that have been designed specifically for telecontrol applications and have emerged over a similar period of time. The IEC60870-5-101 and PUR2.4 protocols are confined to the electrical distribution industry and are strongly supported in the European region, whereas DNP3 has found wider industry applications in the oil and gas, water/waste water and security industries in North America, South America, South Africa, Asia and Australia.

After a comparative and thorough study of the three protocols, we find that the IEC60870-5-101 and PUR protocols offer greater flexibility in routing messages than DNP3, because they use both link and application addresses whereas DNP3 uses only link addresses. IEC60870-5-101 and PUR use variable address lengths, which saves communication bandwidth. They use both unbalanced and balanced communications, compared to DNP3, which uses balanced communications only.

Balanced communication in the IEC60870-5-101 protocol is limited to point-to-point; in PUR, however, it is extended to multipoint thanks to the CSMA/CD approach added to the protocol, and in DNP3 a multidrop configuration is supported. This means that, in a situation where a large number of outstations are connected over limited bandwidth, the PUR and DNP protocols would be the better choice, because the IEC60870-5-101 protocol presents a significant limitation: its polling configuration requires an unacceptable amount of bandwidth.

From the point of view of frame format, the IEC60870-5-101 and PUR protocols use FT1.2 fixed and variable length frames, whereas DNP3 uses FT3 frames of variable length only. The fixed length option reduces communication overhead significantly.

In application functions, IEC60870-5-101 and PUR allow only one control point per message, but DNP3 allows control over multiple points in one message.

The IEC60870-5-101 and PUR protocols are limited in their baud rate because they use serial transmission. DNP3, however, also uses Ethernet, which offers high data rates. Also, from the point of view of the interface, RS232 nowadays tends to disappear and become rare, which makes it expensive, so the cost of the PUR and IEC60870-5-101 protocols tends to rise with time. But it remains the appropriate interface for extremely noisy industrial environments.

IEC60870-5-101 uses a one byte checksum for a frame length up to 255 bytes; PUR uses a two byte CRC and a one byte checksum for a frame length of at most 255 bytes, and DNP3 uses a two byte CRC for a frame length up to 255 bytes. As a consequence, error checking is stronger in the PUR and DNP3 protocols.

IV. THE DESIGN AND THE REALIZATION OF THE RTU TESTER OF THE T101 PROTOCOL

The major problem with SCADA systems is locating the failure when communication between the master and the slaves is lost, because the source of the failure cannot be determined.

Our primary mission is to solve this problem by tracking device anomalies in the SCADA system. For this, we have implemented the interrogation frames of the T101 protocol on an Arduino board to design an RTU tester. This tester uses serial communication and simulates either an MTU or an RTU, in order to conduct fault finding with greater confidence and speed, to locate faults more precisely and to ensure service continuity.

Fig. 4. Overview of the RTU TESTER

The principle of the implementation is explained below.

[Fig. 5, RTU Tester: Protocol IEC60870-5-101 (sequence diagram between the primary station and the secondary station). Primary station sends PRM=1, FC=09 Request Link Status; secondary answers PRM=0, FC=11 (ACK). Primary sends PRM=1, FC=00 Reset Link; secondary answers PRM=0, FC=00 (ACK). Primary sends PRM=1, FC=10 Request User Data class 1; secondary answers PRM=0, FC=09 (NACK). Primary sends PRM=1, FC=11 Request User Data class 2; secondary answers PRM=0, FC=09 (NACK).]

Fig. 5. Implementation principle of the RTU tester of the protocol T101
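The fixed-frame exchange of Section E and Fig. 5, as an added example that is not the paper's Arduino code: FT1.2 framing with the check byte computed over C, A and, for variable frames, the user data, plus a minimal secondary-station responder that answers the four interrogation frames. It assumes a 1-byte link address, as in the paper's RTU 27 = 0x1B trace; all function and class names are mine.

```python
# Added example (not the paper's code): FT1.2 link-layer helpers for IEC 60870-5-101
# and a minimal secondary-station (RTU) responder for the exchange of Fig. 5.
# Assumes a 1-byte link address (master-slave configuration).
START_FIXED, START_VAR, END = 0x10, 0x68, 0x16
FC_RESET_LINK, FC_REQ_LINK_STATUS, FC_REQ_CLASS1, FC_REQ_CLASS2 = 0, 9, 10, 11  # primary
FC_ACK, FC_NACK_NO_DATA, FC_LINK_STATUS = 0, 9, 11                               # secondary


def checksum(body: bytes) -> int:
    return sum(body) & 0xFF   # sum of C, A and (variable frames) user data, modulo 256


def control(prm: int, fc: int, fcb: int = 0, fcv: int = 0) -> int:
    return (prm << 6) | (fcb << 5) | (fcv << 4) | (fc & 0x0F)   # C byte: PRM FCB FCV FC


def build_fixed(c: int, addr: int) -> bytes:
    return bytes([START_FIXED, c, addr, checksum(bytes([c, addr])), END])   # 10 C A CS 16


def parse(frame: bytes) -> dict:
    """Validate start bytes, repeated L, checksum and end byte; split C, A, user data."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    if frame[0] == START_FIXED and len(frame) == 5:
        body = frame[1:3]
    elif frame[0] == START_VAR and frame[3] == START_VAR and frame[1] == frame[2]:
        if len(frame) != frame[1] + 6:          # L counts C, A and the user data
            raise ValueError("length field does not match frame size")
        body = frame[4:4 + frame[1]]
    else:
        raise ValueError("bad start sequence or unequal length fields")
    if frame[-1] != END or frame[-2] != checksum(body):
        raise ValueError("bad end byte or checksum")
    c = body[0]
    return {"prm": (c >> 6) & 1, "fcb": (c >> 5) & 1, "fcv": (c >> 4) & 1,
            "fc": c & 0x0F, "addr": body[1], "user_data": bytes(body[2:])}


class Secondary:
    """RTU side of Fig. 5; class1/class2 hold prepared variable-length reply frames."""
    def __init__(self, addr: int):
        self.addr, self.class1, self.class2 = addr, [], []

    def reply(self, frame: bytes) -> bytes:
        req = parse(frame)
        if req["addr"] != self.addr or req["prm"] != 1:
            raise ValueError("not a primary-station request for this address")
        fc = req["fc"]
        if fc == FC_REQ_LINK_STATUS:                  # request link status -> FC 11
            return build_fixed(control(0, FC_LINK_STATUS), self.addr)
        if fc == FC_RESET_LINK:                       # reset link -> ACK (FC 0)
            return build_fixed(control(0, FC_ACK), self.addr)
        if fc in (FC_REQ_CLASS1, FC_REQ_CLASS2):
            queue = self.class1 if fc == FC_REQ_CLASS1 else self.class2
            if queue:
                return queue.pop(0)
            return build_fixed(control(0, FC_NACK_NO_DATA), self.addr)   # data not available
        raise ValueError(f"function code {fc} not handled by the tester")
```

With the paper's master frame 10 7B 1B 96 16 the responder returns 10 09 1B 24 16, and a frame with a corrupted check byte is rejected before any reply is produced.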

When the operator launches the tester, he must first set the serial communication parameters: the baud rate and the parity. Then he selects the communication mode, master or slave, according to the test he wants to perform. Finally, the appropriate test is launched.

To better explain the principle of this communication between an MTU and the RTU of address 27 = 0x1B, we take the following example: T1b: 10 7B 1B 96 16.

- 10: fixed frame.
- 7B: function code, Request User Data class 2.
- 1B: RTU address in hexadecimal.
- 96: the checksum, Address + Function Code.
- 16: the end of the frame.

The response of the RTU will then be the frame R1b: 10 09 1B 24 16, meaning that the data are not available. Final results are illustrated in the figure below.

Fig. 6. Test of the results with the simulator Docklight

V. THE IMPLEMENTATION OF THE IEC60870-5-101 PROTOCOL ON THE ARDUINO UNO BOARD

This implementation consists in using, in addition to fixed frames, the variable length frames, in order to design an embedded system able to act as an RTU that sends the information acquired from different Programmable Logic Controllers (PLCs) and field devices to the control station over serial communication.

This implementation is based on real traces taken from several RTUs installed on the electrical distribution network of the SDA (Société de Distribution d'Électricité d'Alger, a Sonelgaz subsidiary) and on the electric transmission network of the GRTE (Société de Gestion du Réseau de Transport d'Électricité, a Sonelgaz subsidiary), and on a precise decoding of all the ASDU fields in order to assign to each request its own answer.

To do this, we followed these steps:

1. Analyze the type of the request and specify the adequate frame for the answer.

2. Define the corresponding type identification. Only the range <1...127> is used by the standard. Currently there are 58 specific types defined, grouped as illustrated in the table below.

TABLE I. GLOBAL GROUPS OF ID TYPES DEFINED BY THE STANDARD IEC60870-5-101 [3]

3. Form, according to the available data, the byte of the variable structure qualifier: a single byte indicates the number of information objects or elements, and how they are addressed. If it is a sequence of several information objects, the most significant bit is set to 0 and the seven other bits give the number of these objects. But in the case of a sequence of several information elements of a single object, the most significant bit is set to 1 and the other bits give the number of these elements.

TABLE II. THE SQ FIELD

4. Select the cause of transmission, which controls the routing of messages on the transmission network and, within a station, directs the ASDU towards the correct program or task.

The other fields of the frame will be defined according to these information keys.

To better explain these steps, here is an example of a frame with the suitable decoding. T18: 10 7b 1b 96 16 is the frame of the Master asking for User Data Class 2. The response frame generated by the RTU is:

- 68: the start code of the variable length frame, repeated twice.
- AB: the length L of the frame. This field is repeated twice in the frame.
- 08: the function code of the frame. In this case, it means a message from a secondary station transmitting user data.
- 1B: the station address. In this case, it is an RTU of address 27.
- 01: the type ID of the message. 01 means "single point information" without time tag.
- 37: the variable structure qualifier. This value in binary is 0011 0111, 55 in decimal, with SQ = 0, which means that this frame is a sequence of 55 information objects.
- 14: equal to 20 in decimal, represents the cause of transmission: interrogated by station interrogation.
- 1B: the common address of the ASDU, which is the same as that of the RTU.
- 10 00: the address of the 1st object on two bytes. The least significant byte is placed first in the frame and the most significant byte second. So the address of this object is (00 10)H = (8)10.
- 41: the information of the 1st object: "not topical, state ON".
- 9D 00: the address of the 55th object = (00 9D)H = (157)10.
- 00: the information of the 55th object: "state OFF".
- 97: the checksum of the frame.
- 16: the end of the frame.

The flowchart below explains the principle of this implementation.

[Flowchart: Start; Reset Link; Request User Data class 1: sending all the analog measurements; Request User Data class 2: sending all the digital signals. Then, in a loop: Request User Data class 1: if a measurement changed, sending any modified analog measurements, otherwise Data class 1 not available; Request User Data class 2: if a signal changed, sending any changed digital signal, otherwise Data class 2 not available; Error.]
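The ASDU decoding of Section V, as an added example that is not the paper's code: a decoder and encoder for type 1 (single-point information) ASDUs covering both SQ values of TABLE II, run over a constructed 55-object ASDU shaped like the paper's trace (the decoder reports the first object address 0x0010 as 16). It assumes the 1-byte common address and 1-byte cause of transmission seen in the trace; the names are mine.

```python
# Added example (not the paper's code): decoder/encoder for the type-1 ASDU carried in
# the variable-length frame of Section V. SQ = 0: every object carries its own 2-byte
# address (LSB first); SQ = 1: one address, then consecutive elements.
# Assumes a 1-byte common address and a 1-byte cause of transmission.
M_SP_NA_1 = 1            # type ID: single-point information without time tag
COT_INTERROGATED = 20    # cause of transmission: interrogated by station interrogation


def decode_asdu(asdu: bytes) -> dict:
    """Split the data unit identifier and the information objects of a type-1 ASDU."""
    if len(asdu) < 4:
        raise ValueError("ASDU shorter than its data unit identifier")
    type_id, vsq, cot, common_addr = asdu[0], asdu[1], asdu[2], asdu[3]
    if type_id != M_SP_NA_1:
        raise ValueError(f"type ID {type_id} not handled here")
    sq, count = vsq >> 7, vsq & 0x7F        # SQ bit and number of objects/elements
    expected = 4 + (3 * count if sq == 0 else 2 + count)
    if len(asdu) != expected:               # reject truncated or padded data units
        raise ValueError(f"ASDU length {len(asdu)} != {expected} for {count} objects")
    objects, pos, base = [], 4, 0
    for i in range(count):
        if sq == 0 or i == 0:               # SQ=0: address per object; SQ=1: first only
            base = asdu[pos] | (asdu[pos + 1] << 8)
            pos += 2
        siq = asdu[pos]                     # single-point information with quality bits
        pos += 1
        objects.append({"addr": base + (i if sq else 0), "on": bool(siq & 0x01),
                        "not_topical": bool(siq & 0x40), "invalid": bool(siq & 0x80)})
    return {"type": type_id, "sq": sq, "cot": cot & 0x3F, "common_addr": common_addr,
            "objects": objects}


def build_asdu(common_addr: int, objects: list, sq: int = 0,
               cot: int = COT_INTERROGATED) -> bytes:
    """Inverse of decode_asdu; objects is a list of (address, SIQ byte) tuples."""
    if not 1 <= len(objects) <= 127:
        raise ValueError("the 7-bit count field holds 1..127 objects")
    out = bytearray([M_SP_NA_1, (sq << 7) | len(objects), cot, common_addr])
    for i, (addr, siq) in enumerate(objects):
        if sq == 0 or i == 0:
            out += bytes([addr & 0xFF, (addr >> 8) & 0xFF])   # LSB first
        out.append(siq)
    return bytes(out)


# Constructed sample modelled on the paper's trace: RTU 27 answering a station
# interrogation with 55 single points. The first (address 0x0010, ON, not topical)
# and the 55th (address 0x009D, OFF) are the ones the paper decodes; the 53 in
# between are made up.
SAMPLE_OBJECTS = [(0x0010, 0x41)] + [(100 + i, 0x01) for i in range(53)] + [(0x009D, 0x00)]
SAMPLE_ASDU = build_asdu(0x1B, SAMPLE_OBJECTS)
```

The sample encodes to 169 bytes, which with the C and A bytes of the link frame gives the length field L = 0xAB (171) of the paper's trace.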

VI. SIMULATION AND TEST OF THE RESULTS

The deep study of the protocol, the analysis of several real traces of T101 communication obtained from equipment installed on electrical networks and the decoding of the various fields of these traces showed that we can loop the MTU instructions using 4 interrogation frames, plus two variable length frames for synchronization and activation.

After the simulation and the implementation of the protocol on the Arduino Uno board, we tested the system with the SCADA software "Protocol Test System (IEC 60870-5-101)" provided by the IEC specifically for this protocol. This software simulates the Master and communicates over a serial link with the ARDUINO board, which acts as an RTU. The results are illustrated in Fig. 7.

Fig. 7. The results of the implementation with the SCADA software "Protocol Test System (IEC 60870-5-101)"

VII. CONCLUSION

IEC 60870-5-101 is an open protocol dedicated to the electrical distribution industry. It was designed specifically for remote control applications, and it is strongly supported in the European region.

The design of the RTU TESTER exploits the fixed interrogation frames of the T101 protocol in order to conduct fault finding with more assurance and speed, to locate faults even more precisely and to ensure service continuity, because it simulates the MTU and the RTU.

The thorough study and the decoding of the variable length data frames of the high level SCADA protocol T101 facilitated its implementation on an ARDUINO UNO board. This enabled us to design an RTU that communicates with the control station through a serial link, in order to transmit the data acquired from different PLCs and to report any change of events.

This RTU is a truly reliable and deterministic embedded system, including a processor, analog and digital inputs/outputs and an RS232 communication port.

References

[1] Gordon Clarke, Deon Reynders, Practical Modern SCADA Protocols, IDC Technologies, 2nd ed., Linacre House, Jordan Hill, Oxford OX2 8DP, Great Britain, 2004.
[2] Supervisory control and data acquisition (SCADA) systems, National Communications System, Technical Information Bulletin 04-1, Oct. 2004. [Online]. Available: http://www.ncs.gov/library/tech bulletins/2004/tib 04 1.pdf
[3] IEC 870-5-101: 1995, Telecontrol equipment and systems - Part 5: Transmission protocols, Section 101: Companion standard for basic telecontrol tasks, IEC Central Office, Geneva, Switzerland.
[4] Fernando Xavier, Spécification du Protocole PUR2.4, N° ASDV03000116, EFACEC, 29-09-2004.
[5] DNP3 Application Note AN2013-004a, Validation of Incoming DNP3 Data, http://www.dnp.org.
[6] Gaushell, D.J., Block, W.R., SCADA communication techniques and standards, Computer Applications in Power, IEEE, Volume 6, Issue 3, July 1.
[7] Bruce, A.G., Reliability analysis of electric utility SCADA systems, IEEE Transactions on Power Systems, Volume 13, Issue 3, Aug. 1998.
[8] Bruce, A., Lee, R., A framework for the specification of SCADA data links, IEEE Transactions on Power Systems, Volume 9, Issue 1, Feb. 1994.
[9] David Bailey, Edwin Wright, Practical SCADA for Industry, IDC Technologies, 2003.
[10] Ronald L. Krutz, Securing SCADA Systems, Wiley Publishing, Inc., 2006.
[11] www.arduino. (Tutorials, Playground, References and Forum).
