Scada Systems Introduction

8/13/2019 Scada Systems Introduction

1/15


2/15

SCADA SYSTEMS Introduction, architecture, functionality, and

other aspects.

SCADA stands for Supervisory Control and Data acquisition which is a process control system

that enables a site operator to monitor and control process that is distributed among various

remote sites. As such, it is a purely software package that is Positioned on top of hardware to

which it is interfaced, in general via Programmable Logic Controllers (PLCs), or other

commercial hardware modules. SCADA systems are combination of computers, controllers,

instruments; actuators, networks and interfaces that manage the control of automated and allow

analysis of those system by data collection and processing. They are used in most industrial

processes: e.g. steel making, power generation (conventional and nuclear) and distribution,

chemistry, but also in some experimental facilities such as nuclear fusion. The size of such plants

ranges from a few 1000 to several 10 thousands input/output (I/O) channels.

However, SCADA systems evolve rapidly and are now penetrating the market of plants with a

number of I/O channels of several 100 K: we know of two cases of near to 1 M I/O channels

currently under development. SCADA systems used to run on DOS, VMS and UNIX; in recentyears allSCADA vendors have moved to NT. One product was found that also runs under Linux.

ARCHITECTURE:

A SCADA System usually consists of the following subsystems:

A Human-Machine Interface or HMI is the apparatus which presents process data to a human

operator, and through this, the human operator monitors and controls the process.

A supervisory (computer) system, gathering (acquiring) data on the process and sending

commands (control) to the process.

Remote Terminal Units (RTUs) connecting to sensors in the process, converting sensorsignals to digital data and sending digital data to the supervisory system.

Programmable Logic Controller (PLCs) used as field devices because they are more

economical, versatile, flexible, and configurable than special-purpose RTUs.

Communication infrastructure connecting the supervisory system to the Remote Terminal

Units.

FIRST GENERATION: MONOLITHIC

In the first generation, computing was done by mainframe computers. Networks did not exist at

the time SCADA was developed. Thus SCADA systems were independent systems with no

connectivity to other systems. Wide Area Networks were later designed by RTU vendors to

communicate with the RTU. The communication protocols used were often proprietary at that

time. The first-generation SCADA system was redundant since a back-up mainframe system was

connected at the bus level and was used in the event of failure of the primary mainframe system.


3/15

SECOND GENERATION: DISTRIBUTED

The processing was distributed across multiple stations which were connected through

aLAN and they shared information in real time. Each station was responsible for a particular task

thus making the size and cost of each station less than the one used in First Generation. The

network protocols used were still mostly proprietary, which led to significant security problemsfor any SCADA system that received attention from a hacker. Since the protocols were

proprietary, very few people beyond the developers and hackers knew enough to determine how

secure a SCADA installation was. Since both parties had invested interests in keeping security

issues quiet, the security of a SCADAinstallation was often badly overestimated, if it was

considered at all.

THIRD GENERATION: NETWORKED

These are the current generation SCADA systems which use open system architecture rather than

a vendor-controlled proprietary environment. The SCADA system utilizes open standards andprotocols, thus distributing functionality across a WAN rather than a LAN. It is easier to connect

third party peripheral devices like printers, disk drives, and tape drives due to the use of open

architecture. WAN protocols such as Internet Protocol (IP) are used for communication between

the master station and communications equipment. Due to the usage of standard protocols and

the fact that many networked SCADAsystems are accessible from the Internet; the systems are

potentially vulnerable to remote cyber-attacks. On the other hand, the usage of standard

protocols and security techniques means that standard security improvements are applicable to

the SCADAsystems, assuming they receive timely maintenance and updates.

I am discussing here more advanced form of SCADA system which was used at CERN.

SCADAArchitecture
http://s.eeweb.com/members/purnendu_kumar/blog/2011/07/28/flow1-1311856337.jpg


4/15

Hardware Architecture

Basic layers in a SCADA system can be classified in two parts generally: the client layer

which caters for the man machine interaction and the data server layer which handles most of

the process data control activities. The data servers communicate with devices in the field

through process controllers.

Hardware Architecture Diagram

Process controllers, e.g. PLCs, are connected to the data servers either directly or via networks or

fieldbuses. Data servers are connected to each other and to client stations via an Ethernet LAN.

The data servers and client stations are NT platforms but for many products the client stationsmay also be W95 machines.

Remote Terminal Unit (RTU); The RTU connects to physical equipment. Typically,

anRTU converts the electrical signals from the equipment to digital values such as the

open/closed status from a switch or a valve, or measurements such as pressure, flow, voltage or

current. By converting and sending these electrical signals out to equipment the RTU can control

equipment, such as opening or closing a switch or a valve, or setting the speed of a pump.

Supervisory Station; The term Supervisory Station refers to the servers and software

responsible for communicating with the field equipment (RTUs, PLCs, etc), and then to

the HMI software running on workstations in the control room, or elsewhere. In

smallerSCADA systems, the master station may be composed of a single PC. In

larger SCADAsystems, the master station may include multiple servers, distributed software

applications, and disaster recovery sites. To increase the integrity of the system the multiple

servers will often be configured in a dual-redundant or hot-standby formation providingcontinuous control and monitoring in the event of a server failure.


5/15

Software ArchitectureThe products are multi-tasking and are based upon a real- time database (RTDB) located in one

or more servers. Servers are responsible for data acquisition and handling.

(E.g. polling controllers, alarm checking, calculations, logging and archiving) on a set of

parameters, typically those they are connected to. However, it is possible to have dedicated

servers forparticular tasks,

e.g. data logger

a SCADA archite

cture that is

generic for the

products that were

evaluated.

Software Architecture Diagram
http://s.eeweb.com/members/purnendu_kumar/blog/2011/07/28/SCADA-SA-1311856345.JPG


6/15

OMRAN General Specifications

Type AC power supply models DC power supply models

ModelCP1E-[][][]S[]D[]-A

CP1E-[][][]D[]-A

CP1E-[][][]S[]D[]-D

CP1E-[][][]D[]-D

Enclosure Mounted in a panel

Dimensions (H D W)

E/N/NA[][]-typeCPU Unit with 10 I/O points (CP1E-E10D[]-[]): 90mm *1 85mm *2 66

mmCPU Unit with 14 or 20 I/O points (CP1E-[]14D[]-[]/[]20D[]-[]): 90mm *1 85mm *2

86 mmCPU Unit with 30 I/O points (CP1E-[]30D[]-[]): 90mm *1 85mm *2 130

mmCPU Unit with 40 I/O points (CP1E-[]40D[]-[]): 90mm *1 85mm *2 150mm

CPU Unit with 60 I/O points (CP1E-N60D[]-[]): 90mm *1 85mm *2 195mm

CPU Unit with 20 I/O points and built-in analog (CP1E-NA20D[]-[]): 90mm*1 85mm*2 130 mm

E/N/[][]S(1)-typeCPU Unit with 14 or 20 I/O points (CP1E-[]14SD[]-[]/[]20SD[]-[]): 90mm *1

79mm

*2 86 mmCPU Unit with 30 I/O points (CP1E-[]30S(1)D[]-[]): 90mm *1 79mm *2 130 mmCPU Unit with 40 I/O points (CP1E-[]40S(1)D[]-[]): 90mm *1 79mm *2

150 mmCPU Unit with 60 I/O points (CP1E-[]60S(1)D[]-[]): 90mm *1 79mm *2

195 mm

Weight

CPU Unit with 10 I/O points (CP1E-E10D[]-[]): 300g max.

CPU Unit with 14 I/O points (CP1E-[]14(S)D[]-[]): 360g max.CPU Unit with 20 I/O points (CP1E-[]20(S)D[]-[]): 370g max.CPU Unit with 30 I/O points (CP1E-[]30(S[])D[]-[]): 600g max.

CPU Unit with 40 I/O points (CP1E-[]40(S[])D[]-[]): 660g max.CPU Unit with 60 I/O points (CP1E-[]60(S[])D[]-[]): 850g max.

CPU Unit with 20 I/O points and built-in analog (CP1E-NA20D[]-[]): 680gmax.

Elec-

trical

spec-

Supply voltage 100 to 240 VAC 50/60 Hz 24 VDC

Operating

voltage

85 to 264 VAC 20.4 to 26.4 VDC


7/15

ifica-

tions

range

Power

consumption

15 VA/100 VAC max.

25 VA/240 VAC max.(CP1E-E10D[]-A/[]14(S)D[]-A/

[]20(S)D[]-A)

9 W max. (CP1E-E10D[]-D)

13 W max. (CP1E-N14D[]-D/N20D[]-D)

50 VA/100 VAC max.

70 VA/240 VAC max.(CP1E-NA20D[]-A/[]30(S[])D[]-A/

[]40(S[])D[]-A/N60(S[])D[]-A)

20 W max.(CP1E-NA20D[]-D/N30(S[])D[]-D/

N40(S[])D[]-D/N60(S[])D[]-D) *4

Inrush current

120 VAC, 20 A for 8 ms max. for

cold startat room temperature240 VAC, 40 A for 8 ms max. for

cold startat room temperature

24 VDC, 30 A for 20 ms max. for

cold startat room temperature

External power

supply *3

Not provided.

(CP1E-E10D[]-A/[]14(S)D[]-A/[]20(S)D[]-A)24 VDC, 300 mA

(CP1E-NA20D[]-A/[]30(S[])D[]-A/[]40(S[])D[]-A/N60(S[])D[]-A)

Not provided

Insulation

resistance

20 M min. (at 500 VDC) betweentheexternal AC terminals and GR

terminals

Except between DC primary currentand DCsecondary current

Dielectric

strength

2,300 VAC 50/60Hz for 1 minbetween AC

external and GR terminals Leakagecurrent:5 mA max.

Except between DC primary currentand DC

secondary current

Power OFF

detection time

10 ms min. 2 ms min.

Appli-

cationenvi-

ron-

ment

Ambient

operating

temperature

0 to 55 C

Ambient

humidity

10% to 90%

Atmosphere No corrosive gas.

Ambient storage

temperature

-20 to 75 C (excluding battery)

Altitude 2,000 m max.

Pollution degree 2 or less: Conforms to JIS B3502 and IEC 61131-2.

Noise resistance 2 kV on power supply line (Conforms to IEC61000-4-4.)


8/15

Overvoltage

category

Category II: Conforms to JIS B3502 and IEC 61131-2.

EMC Immunity

Level

Zone B

Vibration

resistance

Conforms to JIS 60068-2-6.5 to 8.4 Hz with 3.5-mm amplitude, 8.4 to 150 Hz

Acceleration of 9.8 m/s2for 100 min in X, Y, and Z directions (10 sweeps of

10 min each= 100 min total)

Shock resistanceConforms to JIS 60068-2-27.147 m/s

2, 3 times in X, Y, and Z directions

Terminal block Fixed (not removable)

Terminal screw size M3

Applicable standards Conforms to EC Directive

Grounding method Ground to 100 or less.* 1 Total of 110 mm with mounting brackets.* 2 Excluding cables.

* 3 Use the external power supply to power input devices. Do not use it to drive output devices.* 4 This is the rated value for the maximum system configuration. Use the following formula to calculate

powerconsumption for CPU Units with DC power.

Formula: DC power consumption = (5 V current consumption5 V/70% (internal power

efficiency) + 24V current

consumption)1.1 (current fluctuation factor)

The above calculation results show that a DC power supply with a greater capacity is required.

Performance Specifications

ItemCP1E-E[][]SD[]-[]

CP1E-[][]D[]-[]

CP1E-N[][]S[]D[]-[]

CP1E-N[][]D[]-[]

CP1E-NA[][]D[]-[]

Program capacity

2 K steps (8 Kbytes)includingthe symbol table,

comments,and program indices of

theCX-Programmer

8 K steps (32 Kbytes) including thesymboltable, comments, and program

indices ofthe CX-Programmer

Control method Stored program method

I/O control method Cyclic scan with immediate refreshing

Program language Ladder diagram

Instructions Approximately 200


9/15

Proc-

essing

speed

Overhead processing time 0.4 ms

Instruction execution timesBasic instructions (LD): 1.19 s min.

Special instructions (MOV): 7.9 s min.

Number of CP1W-series Expansion

Units connected

CP1E-E10D[]-[]/[]14(S)D[]-[]/[]20(S)D[]-[]: NoneCP1E-[]30(S[])D[]-[]/[]40(S[])D[]-[]/[]60(S[])D[]-[]/NA20(S[])D[]-[]: 3 units

Maximum number of I/O points

CP1E-E10D[]-[]: 10CP1E-[]14(S)D[]-[]: 14CP1E-[]20(S)D[]-[]: 20CP1E-[]30(S[])D[]-[]: 150 (30 built in, 40 3 expansion)

CP1E-[]40(S[])D[]-[]: 160 (40 built in, 40 3 expansion)CP1E-[]60(S[])D[]-[]: 180 (60 built in, 40 3 expansion)CP1E-NA20D[]-[]: 140 (20 built in, 40 3 expansion)

Built-in I/O

CP1E-E10D[]-[]: 10 (6 inputs, 4 outputs)

CP1E-[]14(S)D[]-[]: 14 (8 inputs, 6 outputs)CP1E-[]20(S)D[]-[]: 20 (12 inputs, 8 outputs)

CP1E-[]30(S[])D[]-[]: 30 (18 inputs, 12 outputs)CP1E-[]40(S[])D[]-[]: 40 (24 inputs, 16 outputs)CP1E-[]60(S[])D[]-[]: 60 (36 inputs, 24 outputs)

CP1E-NA20D[]-[]: 20 (12 inputs, 8 outputs)

Built-in

input

func-

tions

High-

speed

counters

High-speed

counter mode/

maximum

frequency

Incremental Pulse Inputs10 kHz:6 counters5 counters (only for 10

I/Opoints)Up/Down Inputs10 kHz: 2 countersPulse + Direction Inputs

10 kHz: 2 countersDifferential Phase Inputs

(4x)5 kHz: 2 counters

Incremental Pulse Inputs100 kHz: 2 counters, 10 kHz: 4countersUp/Down Inputs

100 kHz: 1 counters, 10 kHz: 1countersPulse + Direction Inputs100 kHz: 2 countersDifferential Phase Inputs (4x)

50 kHz: 1 counter, 5 kHz: 1counter

Counting modeLinear modeRing mode

Count value 32 bits

Counter reset

modes

Phase Z and software reset (excluding increment pulse input)

Software reset

Control methodTarget MatchingRange Comparison

Input interrupts6 inputs (4 inputs only for 10 I/O points)

Interrupt input pulse width: 50 s min.

Quick-response Inputs6 inputs (4 inputs only for 10 I/O points)

Input pulse width: 50 s min.

Normal Input constants Delays can be set in the PLC Setup (0 to 32 ms, default: 8


10/15

input ms).Set values: 0, 1, 2, 4, 8, 16, or 32 ms

Built-in

output

func-

tions

Pulse

outputs

(Models

with

transistor

outputsonly)

Pulse output

method and

output frequency

Pulse output function not

included

Pulse + Direction Mode

1 Hz to 100 kHz: 2 outputs

Output mode

Continuous mode (for speedcontrol)Independent mode (for positioncontrol)

Number of

output pulses

elative coordinates: 0000 0000 to

7FFFFFFF hex (0 to 2147483647)

Absolute coordinates: 8000 0000to 7FFFFFFF hex (-2147483647 to

2147483647)

Acceleration/

deceleration

curves

Trapezoidal acceleration anddeceleration(Cannot perform S-curve

acceleration anddeceleration.)

Changing SVs

during

instruction

execution

Only target position can bechanged.

Origin searches Included

Pulse

outputs

(Models

with

transistor

outputs

only)

Frequency

PWM output functionnotincluded

2.0 to 6,553.5 Hz (in increments of0.1 Hz)with 1 output or 2 Hz to 32,000 Hz(inincrements of 1 Hz) with 1 output

Duty factor

0.0% to 100.0% (in increments of0.1%)Accuracy: +1%/-0% at 2 Hz to

10,000 Hzand +5%/-0% at 10,000 Hz to

32,000 kHz

Output mode Continuous Mode

Built-in analog

Analog inputAnalog function not

included

Setting range: 0 to 6,000 (2

channels onlyfor NA-type)

Analog outputSetting range: 0 to 6,000 (1channels onlyfor NA-type)


11/15

Analog adjustersE/N/NA[][]-type: 2 adjusters (Setting range: 0 to 255)

E/N[][]S(1)-type: None

Com-

muni-

cations

B-type Peripheral USB Port Conforming to USB 2.0 B type connector

Transmission

distance

5 m max.

Built-in RS-232C portNo built-in RS-232C port Interface: Conforms to EIA RS-

232C.

Communications

method

Half duplex

synchronization Start-stop

Baud rate1.2, 2.4, 4.8, 9.6, 19.2, 38.4, 57.6,or 115.2kbps

Transmission

distance

15 m max.

Supported

protocol

Host Link 1:N NT Link No-protocol mode Serial PLC Links (master, slave)

Modbus-RTU Easy Master

Built-in RS-485 port

No built-in RS-485 port N30/40/60S1-type only

Interface: Conforms to EIA RS-485. 2-wire

sensorsNo isolation

Communications

method

Half duplex

synchronization Start-stop

Baud rate1.2, 2.4, 4.8, 9.6, 19.2, 38.4, 57.6,or 115.2

kbps

Transmission

distance

50 m max.

Supportedprotocol

Host Link 1:N NT Link

No-protocol mode Serial PLC Links (master, slave) Modbus-RTU Easy Master

Serial Option portOption Board cannot bemounted.

N30/40/60 and NA20-type only1 port

Mountable

Option Boards

One RS-232C port: CP1W-CIF01

One RS-422A/485 port (not


12/15

isolated):

CP1W-CIF11One RS-422A/485 port (isolated):CP1W-CIF12One Ethernet port: CP1W-CIF41

Communications

method

Depends on Option Board.

synchronization Depends on Option Board.

Baud rate1.2, 2.4, 4.8, 9.6, 19.2, 38.4, 57.6,

or 115.2kbps

Compatible

protocols

Host Link 1:N NT Link

No-protocol mode Serial PLC Links (master, slave)

Modbus-RTU Easy Master

Number of tasks

17

One cyclic execution task One scheduled interrupt task (always interrupt task 1) Six input interrupt tasks (interrupt tasks 2 to 7)

Sixteen high-speed counter interrupt tasks (interrupt tasks 1to 16)

Maximum subroutine number 128

Maximum jump number 128

Scheduled interrupt tasks 1 interrupt task

Clock

Clock function notincluded.The time of error

occurrencedisplays 01-01-01

01:01:01Sunday

Included.Accuracy (monthly deviation):-4.5 min to -0.5 min at ambient

temperature of 55C,-2.0 min to +2.0 min at ambient

temperature of 25C,-2.5 min to +1.5 min at ambienttemperature of 0C

Memory

backup

Built-in EEPROM

Ladder programs and parameters are automatically saved tobuilt-in EEPROM

A section of the Data Memory Area can be saved to the built-

in EEPROM.

Battery backup With

CP1W-BAT01 Battery

(Sold separately)

Battery cannot bemounted.

CP1W-BAT01 can be used.Maximum battery service life: 5yearsBackup Time

Guaranteed value (ambienttemperature:55C): 13,000 hours (approx. 1.5


13/15

years)

Effective value (ambienttemperature:25C): 43,000 hours (approx. 5years)

CIO

Area

Input Bits 1,600 bits (100 words): CIO 0.00 to CIO 99.15 (CIO 00 toCIO 99)

Output Bits1,600 bits (100 words): CIO 100.00 to CIO 199.15 (CIO 100to CIO 199)

Serial PLC Link Words1,440 bits (90 words): CIO 200.00 to CIO 289.15 (words CIO200 to CIO 289)

Work Area (W) 1,600 bits (100 words): W0.00 to W99.15 (W0 to W99)

Holding Area (H)

800 bits (50 words): H0.00 to H49.15 (H0 to H49)Bits in this area maintain their ON/OFF status when operating

mode is

changed.

Auxiliary Area (A)Read-only: 7,168 bits (448 words) A0 to A447Read/write: 4,896 bits (306 words) in words A448 to A753

Temporary Relay Area (TR) (TR

Area)

16 bits: TR0 to TR15

Timer Area (T) 256 timer numbers (T0 to T255 (separate from counters))

Counter Area (C) 256 counter numbers (C0 to C255 (separate from timers))

Data Memory Area (D)

2 Kwords: D0 to D2047Of these, 1,500 wordscan be

saved to the backupmemory

(built-in EEPROM)usingsettings in the Auxiliary

Area.

8 Kwords: D0 to D8191Of these, 7,000 words can be savedto the

backup memory (built-in EEP-ROM) using

settings in the Auxiliary Area

Operating modes

PROGRAM mode:Program execution is stopped.Preparations can be executed prior to program execution inthis mode.MONITOR mode:

Programs are executed.Some operations, such as online editing, and changes to

present values in

I/O memory, are enabled in this mode.RUN mode:Programs are executed.This is the normal operating mode.


14/15

AB General Specif ications

These specifications cover the base unit, the processor module, real-time-clock/memory module, and data access tool.

NonoperatingTemperature

-4085 C (-40185 F)

Operating Temperature 055 C (32131 F)

Operating Humidity 595% (without condensation)

Operating Altitude 2,000 m (6,561 ft) max.

Vibration

Operating 10500 Hz, 5g, 0.030 inch maximum peak-to-peak

Relay Operation 2g

Shock (Without Data Access Tool installed)

Operating 30g panel mounted (15g DIN Rail mounted)

Relay Operation 7.5g panel mounted (5g DIN Rail mounted)

Non-Operating 40g panel mounted (30g DIN Rail mounted)

Shock (With Data Access Tool installed)

Operating 20g panel mounted (15g DIN Rail mounted)

Relay Operation 7.5g panel mounted (5g DIN Rail mounted)

Non-Operating 30g panel mounted (20g DIN Rail mounted)

Weight 0.9 kg (2.0 lb)

Agency Certification C-UL certified (under CSA C22.2 No. 142)UL 508 listed

CE compliant for all applicable directives

Hazardous EnvironmentClass

Class I, Division 2, Hazardous Location, Groups A, B, C, D(UL 1604, C-UL under CSA C22.2 No. 213)

Radiated and ConductedEmissions

EN50081-2 Class A

Electrical and EMC: The module has passed testing at the following levels:


15/15

ESD Immunity (IEC1000-4-2)

4 kV contact, 8 kV air, 4 kV indirect

Radiated immunity(IEC1000-4-3)

10V/m, 801000 MHz, 80% amplitude modulation, +900MHz keyed carrier

Fast Transient Burst(IEC1000-4-4)

2 kV, 5 kHz

Surge Immunity (IEC1000-4-5)

2 kV common mode, 1 kV differential mode

Conducted Immunity(IEC1000-4-6)

10V, 0.1580 MHz

Conducted immunity frequency range may be 150 kHz30 MHz if the radiated

immunity frequency range is 30 MHz1000 MH

Documents

Scada Systems Introduction