SCADA Telecommunications Data Integrity Michael L. Watson Rapid Technologies Intl, Ltd


SCADA Telecommunications

Data Integrity

Michael L. Watson

Rapid Technologies Intl, Ltd

Michael L. Watson

• B.S.E.E. Texas ASU

• 20+ Years Industry experience

• Teaching AGA Measurement, Communications, and Microsoft Windows courses since 1998

• Full partner Rapid Technology Intl

• Currently consulting in 5 Countries

• Committee service for GPA, ANB, ONIP

Definitions

• 1. Telephone (Dialup/Lease), Cellular, Radio, Microwave: physical mediums for data transmission.

• 2. Radio: the wireless transmission through space of electromagnetic waves in the approximate frequency range from 10 kilohertz to 300,000 megahertz.

• 3. Modem: a device for transmitting usually digital data over telephone wires by modulating the data into an audio signal to send it and demodulating an audio signal into data to receive it.

• 4. Protocols: a standard procedure for regulating data transmission between computers.

Modems

Modulation

Radios

Satellite

Telemetry Methods

• Conventional Radio
• Trunking Radio
• Spread Spectrum Radio
• Motorola DataTAC
• Serial Cable
• Dial Up
• Serial Multi-Drop
• Leased-Line
• Internet IP
• Ethernet TCP/IP, UDP/IP
• TCP Pooling
• TCP Listen
• Terminal Server (TCP/IP, UDP/IP)
• Satellite
• VSAT
• PSTN
• CDPD
• CDMA
• GPRS

Definitions

• Baud rate: pronounced bawd, the number of signaling elements that occur each second. The term is named after J.M.E. Baudot, the inventor of the Baudot telegraph code. Actually BPS. For a truer indication of baud rate, the rule of thumb is to divide bps by 10.

• Parity: the quality of being either odd or even. The fact that all numbers have a parity is commonly used in data communications to ensure the validity of data. This is called parity checking.

• CRC: Cyclic Redundancy Check, another common technique for detecting data transmission errors. Data is checked against a known formula.

• Checksum: a simple error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message.

9600,8,N,1: what does it mean?

• Baud rate: 1200, 2400, 4800, 9600, 19200, … 115200

• Word bits: 7 or 8

• Parity: Even, Odd, None

• Stop bits: 0, 1, or 2
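The four fields of a setting like 9600,8,N,1 decide how a UART frames each character and whether a parity bit is added. The following is an added example written for this page (not code from the presentation; all function names are my own) that builds the on-the-wire bit sequence for one character, decodes it again, and shows what parity checking can and cannot catch: a single flipped bit is detected, but two flipped bits in the same character pass an even-parity check unnoticed. The "line noise" is constructed by flipping bits directly.

```python
"""Added example: framing one character as start / data / parity / stop bits,
the way a 9600,8,E,1 or 9600,8,N,1 setting describes it."""


def parity_bit(data_bits, parity):
    """Parity bit to append for setting 'E' (even), 'O' (odd) or 'N' (none)."""
    ones = sum(data_bits)
    if parity == "N":
        return None
    if parity == "E":            # even: number of 1s in data + parity is even
        return ones % 2
    if parity == "O":            # odd: number of 1s in data + parity is odd
        return 1 - (ones % 2)
    raise ValueError(f"unknown parity setting {parity!r}")


def frame_byte(value, word_bits=8, parity="N", stop_bits=1):
    """Bit sequence a UART puts on the wire for one character.

    One start bit (0), the data bits least-significant first, an optional
    parity bit, then the stop bit(s) (1)."""
    if stop_bits < 1:
        raise ValueError("a UART always sends at least one stop bit")
    if not 0 <= value < (1 << word_bits):
        raise ValueError(f"{value} does not fit in {word_bits} data bits")
    data = [(value >> i) & 1 for i in range(word_bits)]
    frame = [0] + data
    p = parity_bit(data, parity)
    if p is not None:
        frame.append(p)
    return frame + [1] * stop_bits


def unframe_byte(frame, word_bits=8, parity="N", stop_bits=1):
    """Decode a frame. Returns (value, parity_ok); raises on a framing error."""
    if stop_bits < 1:
        raise ValueError("a UART always expects at least one stop bit")
    expected = 1 + word_bits + (0 if parity == "N" else 1) + stop_bits
    if len(frame) != expected:
        raise ValueError("framing error: wrong frame length")
    if frame[0] != 0 or any(b != 1 for b in frame[expected - stop_bits:]):
        raise ValueError("framing error: bad start or stop bit")
    data = frame[1:1 + word_bits]
    value = sum(bit << i for i, bit in enumerate(data))
    ok = True
    if parity != "N":
        ok = frame[1 + word_bits] == parity_bit(data, parity)
    return value, ok


def flip_bits(frame, positions):
    """Constructed line noise: invert the bits at the given frame positions."""
    out = list(frame)
    for pos in positions:
        out[pos] ^= 1
    return out


def demo():
    """'A' (0x41) sent as 8,E,1: one flipped bit is caught, two are not."""
    f = frame_byte(0x41, 8, "E", 1)
    single = unframe_byte(flip_bits(f, [3]), 8, "E", 1)      # -> (0x45, False)
    double = unframe_byte(flip_bits(f, [3, 5]), 8, "E", 1)   # -> (0x55, True)
    return single, double


if __name__ == "__main__":
    print(demo())
```

With "N" (no parity), as in 9600,8,N,1, the UART detects nothing at all; every bit error has to be caught by the protocol layer above it, which is why the Modbus frames later in this deck carry a CRC.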

Baud Rate

Parity

Checksum

CRC

Definitions

• DTE: Data Terminal Equipment

• DCE: Data Communications Equipment

• DTEs: PC, EFM, RTU, PLC, DCS…

• DCEs: Modem, Radio, CDPD, GPS, SAT…

DTE to DCE

Bits and Bytes

• Bit = 0 or 1 (one of only two values)

• Byte = 8 bits (max. number = 255)

• Character = any 8-bit or 1-byte value

• Word = 8-bit CPU = 8-bit word; 16-bit CPU = 16-bit word

• Float = can be 16 bit (1 byte) or 32 bit (2 byte); normally 32-bit int. = HB/LB HW/LW

• Rev. Float = can be 16 bit or 32 bit; normally 32-bit int. = HB/LB LW/HW

Byte and word ordering

• Each 16-bit register = two 8-bit bytes
  – High byte/Low byte
  – Low byte/High byte

• Each 32-bit number = two 16-bit registers (called words)
  – High word/Low word
  – Low word/High word

Byte and word ordering

• 32-bit integer (4 bytes - 2 words)

• decimal 2,309,737,967

• hex 89 AB CD EF

• binary 10001001 10101011 11001101 11101111

  - Most significant comes first
  - High byte/Low byte
  - High word/Low word
  - Big Endian (big end first)

Byte and word ordering

• 32-bit integer (4 bytes - 2 words)

• decimal 2,309,737,967

• hex EF CD AB 89

• binary 11101111 11001101 10101011 10001001

  - Most significant comes last
  - Low byte/High byte
  - Low word/High word
  - Little Endian (little end first)

Big-Endian and Little-Endian

• Terms derived from the Lilliputians of Gulliver's Travels

• their major political issue was whether soft-boiled eggs should be opened on the big end or the little end.

• Likewise, the big-/little-endian computer debate has much more to do with political issues than technological merits.

Common Big Endian (Motorola) file formats

Adobe Photoshop -- Big Endian

IMG (GEM Raster) -- Big Endian

JPEG -- Big Endian

MacPaint -- Big Endian

SGI (Silicon Graphics) -- Big Endian

Sun Raster -- Big Endian

WPG (WordPerfect Graphics Metafile) -- Big Endian (on a PC!)

TIFF -- Both, Endian identifier encoded into file

DXF (AutoCad) -- Variable

Common Little Endian (Intel) file formats

BMP (Windows and OS/2 Bitmaps) -- Little Endian

GIF -- Little Endian

FLI (Autodesk Animator) -- Little Endian

PCX (PC Paintbrush) -- Little Endian

QTM (Quicktime Movies) -- Little Endian (on a Mac!)

Microsoft RTF (Rich Text Format) -- Little Endian

TGA (Targa) -- Little Endian

Microsoft RIFF (.WAV & .AVI) -- Both

XWD (X Window Dump) -- Both, Endian identifier encoded into file

Protocol Defined

• A standard procedure for regulating data transmission between computers.

• An agreed-upon format for transmitting data between two devices. The protocol determines the following:
  • the type of error checking to be used
  • data compression method, if any
  • how the sending device will indicate that it has finished sending a message
  • how the receiving device will indicate that it has received a message

• There are a variety of standard protocols from which programmers can choose. Each has particular advantages and disadvantages; for example, some are simpler than others, some are more reliable, and some are faster.

• From a user's point of view, the only interesting aspect about protocols is that your computer or device must support the right ones if you want to communicate with other computers.

• The protocol can be implemented either in hardware or in software.

Native Protocols

• ABB Totalflow
• Allen Bradley DF1
• Amocams AINET
• Barton ScanCom
• Bristol Babcock BSAP
• Bytel
• Cutler Hammer IMPACC
• Control Microsystems SCADAPack
• Daniels DSI
• DNP 3.0
• Eagle Research
• Emerson (Fisher) FloBoss
• Emerson (Fisher) ROC
• Galvanic Gas Micro
• GE 90 Series SNPX, Ethernet & Multilin
• Hewlett Packard 48000
• Kimray
• Mercury Instruments
• Motorola MOSCAD
• OMNI Flow Computers
• Opto 22
• Reynolds Equipment
• Siemens 505
• Siemens CAMP
• Siemens TIWAY
• Teledyne CANet
• Teledyne CSNet
• Teledyne TGP Module
• Thermo Automation

Modbus Protocols

• ABB TotalFlow
• Baker CAC 8800
• Barton ScanMod
• Bristol
• Control Microsystems SCADAPack
• Daniels
• Enron
• Emerson (Fisher) FloBoss
• Emerson (Fisher) ROC
• Flow Automation
• GE 90 Series SNPX, Ethernet & Multilin
• Halliburton
• Lufkin Automation DXREM

MODBUS Basics
Modbus Request: read 40006 to 40009

01 03 0005 0004 5408

  01    Modbus address
  03    function code (03 = read 40000 series registers)
  0005  1st register to read (40001 offset)
  0004  # registers to read
  5408  CRC (cyclic redundancy check)

MODBUS Basics
Modbus Reply:

01 03 08 42E7 676C 4340 F4E6 CC34

  01    Modbus address
  03    function code (03 = read 40000 series registers)
  08    data bytes to follow
  42E7  40006
  676C  40007
  4340  40008
  F4E6  40009
  CC34  CRC
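The request and reply above can be rebuilt and checked end to end. This is an added example written for this page, not code from the presentation or from any vendor library; the function names are mine. It implements the Modbus RTU CRC-16, builds the read request exactly as the slide shows it (40006 on the wire as offset 0005, CRC low byte first), and validates the reply the way a master should before trusting the data: CRC, then slave address, function code, byte count and frame length. The two frames are constructed copies of the ones on the slides, and the slide's CRC values 5408 and CC34 are what the routine produces for them.

```python
"""Added example: Modbus RTU function 03 request/reply handling with CRC-16."""
import struct


def modbus_crc16(data: bytes) -> int:
    """Modbus CRC-16: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def append_crc(pdu: bytes) -> bytes:
    """Modbus transmits the CRC low byte first (0x0854 goes out as 54 08)."""
    return pdu + struct.pack("<H", modbus_crc16(pdu))


def build_read_holding(unit: int, first_4x: int, count: int) -> bytes:
    """Function 03 request. The 4xxxx address is sent as a zero-based offset,
    so register 40006 goes on the wire as 0005."""
    if not 40001 <= first_4x <= 49999 or not 1 <= count <= 125:
        raise ValueError("register address or count out of range")
    return append_crc(struct.pack(">BBHH", unit, 3, first_4x - 40001, count))


def parse_read_holding_reply(frame: bytes, unit: int, expected_count: int) -> list:
    """Validate a function 03 reply and return its 16-bit register values.

    Each check rejects a class of bad frame: corruption in transit (CRC),
    a reply from the wrong slave, an exception response, and a byte count
    that does not match what was asked for."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, crc_wire = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if modbus_crc16(body) != crc_wire:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    if body[0] != unit:
        raise ValueError(f"reply from unit {body[0]}, expected {unit}")
    if body[1] & 0x80:
        raise ValueError(f"exception response, code {body[2]:#04x}")
    if body[1] != 3:
        raise ValueError(f"unexpected function code {body[1]:#04x}")
    byte_count = body[2]
    if byte_count != 2 * expected_count or len(body) != 3 + byte_count:
        raise ValueError("byte count does not match request or frame length")
    return list(struct.unpack(f">{expected_count}H", body[3:]))


def registers_to_float(hi: int, lo: int) -> float:
    """FLOAT1 layout from the deck's data-type table: high word first."""
    return struct.unpack(">f", struct.pack(">HH", hi, lo))[0]


# Constructed copies of the two frames on the slides (hex as shown there).
SLIDE_REQUEST = bytes.fromhex("01 03 0005 0004 5408")
SLIDE_REPLY = bytes.fromhex("01 03 08 42E7 676C 4340 F4E6 CC34")


def demo():
    """Rebuild the request, validate the reply, decode 40006..40009 as two floats."""
    req = build_read_holding(1, 40006, 4)
    regs = parse_read_holding_reply(SLIDE_REPLY, unit=1, expected_count=4)
    floats = [registers_to_float(regs[0], regs[1]),   # 40006/40007 -> about 115.70
              registers_to_float(regs[2], regs[3])]   # 40008/40009 -> about 192.96
    return req, regs, floats


if __name__ == "__main__":
    print(demo())
```

A reply that fails any of these checks should be dropped and counted, never written to the historical database: a frame that passes the CRC but comes from a different unit or carries the wrong byte count is just as wrong as a corrupted one, and noisy radio links produce both kinds regularly.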

Data Types

• Discretes

• Integers

• Real Numbers

• ASCII Strings

• Time and Date types

Data Types - Integers

• 16-bit Integers (one register each): 0 to 65535 (unsigned), -32768 to 32767 (signed)

• 32-bit Integers (two registers each): 0 to 4294967295 (unsigned), -2147483648 to 2147483647 (signed)

Data Types - Real Numbers

• IEEE Floating Point

• 32 bit (two registers each)

Numeric Data Types

BOOLEAN   1 bit    0 or 1
INTEGER   16 bits  HB LB          (-32768 to 32767)
UINTEGER  16 bits  HB LB          (0 to 65535)
LONG1     32 bits  HB LB / HW LW  (-2.1 to 2.1 billion)
LONG2     32 bits  HB LB / LW HW  (-2.1 to 2.1 billion)
ULONG1    32 bits  HB LB / HW LW  (0 to 4.2 billion)
ULONG2    32 bits  HB LB / LW HW  (0 to 4.2 billion)
FLOAT1    32 bits  HB LB / HW LW  IEEE Floating point
FLOAT2    32 bits  HB LB / LW HW  IEEE Floating point (reverse float)
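The byte and word ordering slides and the table above describe the same thing from two sides: a 32-bit value is two registers, each register is HB LB on the wire, and the only thing that varies between LONG1/FLOAT1 and LONG2/FLOAT2 is which word is read first. The following added example (written for this page, not from the presentation; type names follow the table, function names are mine) encodes and decodes all of those layouts, using the deck's own value 89 AB CD EF = 2,309,737,967, and shows what a FLOAT1 pair looks like when it is mistakenly read as FLOAT2.

```python
"""Added example: one 32-bit value as two Modbus registers, in HW LW or LW HW order."""
import struct


def split_words(value32: int):
    """Split a 32-bit bit pattern into (high word, low word)."""
    return (value32 >> 16) & 0xFFFF, value32 & 0xFFFF


def join_words(first: int, second: int, high_word_first: bool) -> int:
    """Rebuild the 32-bit pattern from two registers in the order they were read."""
    hi, lo = (first, second) if high_word_first else (second, first)
    return (hi << 16) | lo


def decode(regs, kind: str):
    """Decode two 16-bit registers as LONG1/LONG2, ULONG1/ULONG2 or FLOAT1/FLOAT2.

    Suffix '1' = HW LW (high word first), '2' = LW HW (word-swapped / reverse).
    Within each register the byte order is HB LB, as the table states."""
    high_first = kind.endswith("1")
    raw = join_words(regs[0], regs[1], high_first)
    if kind.startswith("FLOAT"):
        return struct.unpack(">f", raw.to_bytes(4, "big"))[0]
    if kind.startswith("ULONG"):
        return raw
    if kind.startswith("LONG"):
        return raw - (1 << 32) if raw & 0x80000000 else raw   # two's complement
    raise ValueError(f"unknown type {kind!r}")


def encode(value, kind: str):
    """Inverse of decode: the two registers to write for a value of this type."""
    high_first = kind.endswith("1")
    if kind.startswith("FLOAT"):
        raw = int.from_bytes(struct.pack(">f", value), "big")
    else:
        raw = value & 0xFFFFFFFF
    hi, lo = split_words(raw)
    return [hi, lo] if high_first else [lo, hi]


def wire_bytes(regs) -> bytes:
    """What goes on the serial line: each register as HB then LB."""
    return b"".join(struct.pack(">H", r) for r in regs)


def demo():
    """The deck's example value in every layout, plus the wrong-order trap."""
    value = 0x89ABCDEF                       # decimal 2,309,737,967
    hw_lw = encode(value, "ULONG1")          # [0x89AB, 0xCDEF]
    lw_hw = encode(value, "ULONG2")          # [0xCDEF, 0x89AB]
    as_signed = decode(hw_lw, "LONG1")       # sign bit set -> negative
    good = decode([0x4340, 0xF4E6], "FLOAT1")   # about 192.96
    wrong = decode([0x4340, 0xF4E6], "FLOAT2")  # same registers, wrong order
    return hw_lw, lw_hw, as_signed, good, wrong


if __name__ == "__main__":
    print(demo())
```

The last two values in demo() are the practical point: the same four bytes read with the wrong word order give a nonsense float, and a host that does not range-check what it polls will happily archive it.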

Data Types - ASCII Strings
Each character is one 8-bit byte; two characters per register.

Name       Size       Attributes
STRING4    32 bits    String of 4 chars (2 registers)
STRING8    64 bits    String of 8 chars (4 registers)
STRING12   96 bits    String of 12 chars (6 registers)
STRING16   128 bits   String of 16 chars (8 registers)
STRING124  992 bits   String of 124 chars (62 registers)
STRING128  1024 bits  String of 128 chars (64 registers)

Time and Date Types

Name    Size     Attributes
CCYY    16 bits  Year as two 8-bit integers
MMDD    16 bits  Date as two 8-bit integers
HHMM    16 bits  Time as two 8-bit integers
YEAR    16 bits  Year as one 16-bit integer
MONTH   16 bits  Month as one 16-bit integer (1-12)
DAY     16 bits  Day as one 16-bit integer (1-31)
HOUR    16 bits  Hour as one 16-bit integer (0-23)
MINUTE  16 bits  Minute as one 16-bit integer (0-59)
SECOND  16 bits  Second as one 16-bit integer (0-59)

Time and Date Types

Name        Size - type    Description
DAY1970     32-bit int     HW LW  Days since Jan 1, 1970
DAY1970_R   32-bit int     LW HW  Days since Jan 1, 1970
MSECMID     32-bit int     HW LW  Milliseconds since midnight
MSECMID_R   32-bit int     LW HW  Milliseconds since midnight
TIME1970    32-bit Float   HW LW  Days since Jan 1, 1970
TIME1970_R  32-bit Float   LW HW  Days since Jan 1, 1970
            - decimal is time of day ± 1.4 minutes
TIME1900    32-bit Float   HW LW  Days since Jan 1, 1900
TIME1900_R  32-bit Float   LW HW  Days since Jan 1, 1900
            - decimal is time of day ± 5.6 minutes

Enron MODBUS Basics
• Register Addresses (and function codes):

– 1000 - 1999 (discrete input coils - function code 2 to read)

– 1000 - 1999 (discrete output coils - 1 read, 5 write, 15 write multiple)

– 3001 - 3999 (16-bit output holding registers - 3 read, 6 write, 16 write multiple)

– 4001 - 4999 (16-bit analog input registers - function code 4 to read)

– 5001 - 5999 (32-bit INT holding registers - 3 read, 16 write multiple)

– 7001 - 7999 (32-bit FLOAT holding registers - 3 read, 16 write multiple)

– 0032 Event Archives (function code 3 to read)

– 0701-0702 History, Daily/Hourly Archives (function code 3 to read)

Enron MODBUS Basics
Modbus Request: read 7006 to 7008

01 03 1B5E 0003 62FD

  01    Modbus address
  03    function code (03 = read holding registers)
  1B5E  1st register to read (7006, no offset)
  0003  # registers to read
  62FD  CRC

Enron MODBUS Basics
Modbus Reply:

01 03 0C 42E7676C 4340F4E6 676CF4E6 CC34

  01        Modbus address
  03        function code (03 = read holding registers)
  0C        data bytes to follow (0C hex = 12 dec)
  42E7676C  7006
  4340F4E6  7007
  676CF4E6  7008
  CC34      CRC

EFM Numeric Data Types

BOOLEAN      1 bit                 0 or 1
INTEGER      16-bit                HB LB (-32768 to 32767)
UINTEGER     16-bit                HB LB (0 to 65535)
ENRON_LONG   32-bit signed INT     HB LB / HW LW
ENRON_FLOAT  32-bit                HB LB / HW LW
ENRON_DATE   32-bit float          HB LB / HW LW; whole number MMDDYY
                                   Dec 3, 2004 = 120304.00
ENRON_TIME   32-bit float          HB LB / HW LW; whole number HHMMSS
                                   2:16:34 PM = 141634.00

EFM String Data Types

Name             Size       Attributes
ENRON_STRING4    32 bits    String of 4 chars
ENRON_STRING8    64 bits    String of 8 chars
ENRON_STRING12   96 bits    String of 12 chars
ENRON_STRING16   128 bits   String of 16 chars
ENRON_STRING124  992 bits   String of 124 chars
ENRON_STRING128  1024 bits  String of 128 chars

Enron MODBUS Events
Events are changes to mapped items.
Modbus Request: read 1 event

01 03 0020 0001 85C0

  01    Modbus address
  03    function code (03 = read holding registers)
  0020  read events (0020 hex = 0032 decimal)
  0001  number of events to read
  85C0  CRC (cyclic redundancy check)

Enron MODBUS Events
Modbus Reply:

01 03 14 0201 1B5F 483366C0 47EAF800 407FFFFF 40200000 7990

  01        Modbus address
  03        function code (03 = read holding registers)
  14        data bytes to follow (14 hex = 20 decimal)
  0201      operator/alarm bit map
  1B5F      Register that changed (7007)
  483366C0  Time of change, 32-bit Float
  47EAF800  Date of change, 32-bit Float
  407FFFFF  old value, 32-bit float (4.0)
  40200000  new value, 32-bit float (2.5)
  7990      CRC

Enron MODBUS History
Modbus Request: read 1 event

01 03 02BE 001E A45E

  01    Modbus address
  03    function code (03 = read holding registers)
  02BE  read history (02BE hex = 0702 decimal)
  001E  record number (1E hex = 30 decimal)
  A45E  CRC (cyclic redundancy check)

Enron MODBUS History
Modbus Reply:

01 03 14 04DBBC00 47EAF800 43C8EEAD 4400436B 4287FFFF 221C

  01        Modbus address
  03        function code (03 = read holding registers)
  14        data bytes to follow (14 hex = 20 decimal)
  04DBBC00  Record Date, 32-bit float
  47EAF800  Record Time, 32-bit Float
  43C8EEAD  1st item logged (401.86)
  4400436B  2nd item logged (513.05)
  4287FFFF  3rd item logged (68.00)
  221C      CRC

DCS, SCADA, MMI, HMI: what does it all mean?

• DCS: Direct Control System (full control of a system)

• SCADA: Supervisory Control And Data Acquisition (supervisory control of a system)

• MMI: Man Machine Interface

• HMI: Human Machine Interface

A machine interface is just the layer that separates the user (human) from the machine (computer).

Man vs. Human is simply a political issue.

[Architecture diagrams; only the labels survived extraction. Components shown: EFMs connected over RS232, RS485 and RS485/232 links and over radio to the COM1/COM2 ports of a PC running the HMI, with a historical database; a PC running an AES server / AUTOSOL server host program that passes real-time data by DDE to HMI software or Excel, writes text files through an importer into the historical database, and feeds Flow-Cal edit software; a fiber connection through an (Enron Mod) converter into the historical database.]

SCADA / HMI Software

• Wonderware
• Intellution
• Lookout
• Iconics
• Software Horizons
• I-SCADA
• CiTech
• SD-SCADA


Excel – The Poor Man's HMI / MMI


Water Distribution SCADA System Architecture (6/21/2004)

[Architecture diagram; only the labels survived extraction. Remote sites shown: a Remote Tank / Tower Station, a Well Station (well pump, submersible motor, SMC Flex solid-state motor controller with pump control, flow meter, I/O) and a Remote Booster Pump Station (booster pumps driven by PowerFlex 70 VFDs and AC motors, FVNR starter with E3 Plus overload, SMC Dialogue Plus, local control panel). Controllers and networking: 1769-L35 CompactLogix, MicroLogix 1500, MicroLogix 1000/1200R/1500, SLC-5/05, 1761-NET-ENI, Ethernet switch, Radio/Ethernet and Radio/Phone modem links, RS-232, Scanport, HMI port, DeviceNet with an ENet-to-DNet interface, PanelView Plus 600 operator terminals. Site Security Options: ID card reader, IP video security camera, motion sensor, PowerMonitor 3000.]

Data Integrity

Data Integrity starts at Installation…

Ends in Final Reports

Let’s Review

• Installation

• Calibration

• Certification

• Hardware maintenance

• Quality Data Downloads

• Quality Data Transfers

• Final Validation / Reporting Software

DATA INTEGRITY
Refers to the validity of data.

Data integrity can be compromised in a number of ways:

• Human errors when data is entered
• Errors that occur when data is transmitted to another computer
• Software bugs or viruses
• Hardware malfunctions, such as disk crashes
• Natural disasters, such as fires and floods

There are many ways to minimize these threats to data integrity. These include:

• Backing up data regularly
• Controlling access to data via security mechanisms
• Designing user interfaces that prevent the input of invalid data
• Using error detection and correction software when transmitting data

EFM Validation Software

• ABB WinCCU Enterprise
• Flow-Cal CFX
• Flow-Cal Transaction Queue
• MBS##-Flow Automation
• MIPS
• PGAS 5.1
• PGAS XM
• Quorum
• Telvent GMAS
• NuFlo ScanWin