IEC 60870-5-104 : Telegram structure

The LIAN 98 manual can and may not contain the complete IEC documentation, caused by legal position. Only all knowledge that is essential necessary for the LIAN 98 software operation is specified in parts in this manual.

Detailed information to the protocol you will find in the IEC-Standard-Documentation
<IEC 60870-5-104 : Telecontrol equipment and systems>
( English version EN 60870-5-104:2006 ).

 

Telegram format with fixed length

 

 

Telegram format with variable length

 

 

APCI

Application Protocol Control Information

APDU

Application Protocol Data Unit 

ASDU

Application Service Data Unit

 

Types of control field formats

Three types of control field formats are used to perform numbered information transfer ( I-format ), numbered supervisory functions ( S-format ) and unnumbered control functions ( U-format ).

 

I-Format ( Frame with variable length ) :

Bit 0 = 0 of the 1. octets of the control field defines the I-Format. I-Format APDUs contains always an  ASDU.

 

S-Format ( Frame with fixed lengt ) :

Bit 0 = 1 and bit 1 = 0 of the 1. octets of the control field define the S-Format. S-Format APDUs always consist of one APCI only.

 

U-Format ( Frame with fixed length ) :

Bit 0 = 1 and bit 1 = 1 of the 1. octets of the control field define the U-Format. U-Format APDUs always consist of one APCI only. Only one function TESTFR, STOPDT or STARTDT can be active at the same time.

 

Structure of the  ASDU

 

 

Type identifikation ( TypeID ) :

The TypeID <0> is not used. The range of numbers 1 to 127 is used for standard definitions from IEC 60870-5-101standard. The range 128 to 135 is reserved for routing of messages. The numbers 136 up to 255 are for special use.

The range of numbers 128 up to 255 is private and not defined in the standard, but it is recommended that the data unit identifier fields of private ASDUs have the same format as standard ASDUs.

The following table shows the definition of type identification numbers for process and system information in monitor and control direction.

 

Process information in monitoring direction :

 

1 Single point information M_SP_NA_1
2 Single point information with time tag M_SP_TA_1
3 Double point information M_DP_NA_1
4 Double point information with time tag M_DP_TA_1
5 Step position information M_ST_NA_1
6 Step position information with time tag M_ST_TA_1
7 Bit string of 32 bit M_BO_NA_1
8 Bit string of 32 bit with time tag M_BO_TA_1
9 Measured value, normalized value M_ME_NA_1
10 Measured value, normalized value with time tag M_ME_TA_1
11 Measured value, scaled value M_ME_NB_1
12 Measured value, scaled value with time tag M_ME_TB_1
13 Measured value, short floating point value M_ME_NC_1
14 Measured value, short floating point value with time tag M_ME_TC_1
15 Integrated totals M_IT_NA_1
16 Integrated totals with time tag M_IT_TA_1
17 Event of protection equipment with time tag M_EP_TA_1
18 Packed start events of protection equipment with time tag M_EP_TB_1
19 Packed output circuit information of protection equipment with time tag M_EP_TC_1
20 Packed single-point information with status change detection M_PS_NA_1
21 Measured value, normalized value without quality descriptor M_ME_ND_1

 

Process telegrams with long time tag ( 7 octets ) :

 

30 Single point information with time tag CP56Time2a M_SP_TB_1
31 Double point information with time tag CP56Time2a M_DP_TB_1
32 Step position information with time tag CP56Time2a M_ST_TB_1
33 Bit string of 32 bit with time tag CP56Time2a M_BO_TB_1
34 Measured value, normalized value with time tag CP56Time2a M_ME_TD_1
35 Measured value, scaled value with time tag CP56Time2a M_ME_TE_1
36 Measured value, short floating point value with time tag CP56Time2a M_ME_TF_1
37 Integrated totals with time tag CP56Time2a M_IT_TB_1
38 Event of protection equipment with time tag CP56Time2a M_EP_TD_1
39 Packed start events of protection equipment with time tag CP56time2a M_EP_TE_1
40 Packed output circuit information of protection equipment with time tag CP56Time2a M_EP_TF_1

 

Process information in control direction :

 

45 Single command C_SC_NA_1
46 Double command C_DC_NA_1
47 Regulating step command C_RC_NA_1
48 Setpoint command, normalized value C_SE_NA_1
49 Setpoint command, scaled value C_SE_NB_1
50 Setpoint command, short floating point value C_SE_NC_1
51 Bit string  32 bit C_BO_NA_1

 

Command telegrams with long time tag ( 7 octets ) :

 

58 Single command with time tag CP56Time2a C_SC_TA_1
59 Double command with time tag CP56Time2a C_DC_TA_1
60 Regulating step command with time tag CP56Time2a C_RC_TA_1
61 Setpoint command, normalized value with time tag CP56Time2a C_SE_TA_1
62 Setpoint command, scaled value with time tag CP56Time2a C_SE_TB_1
63 Setpoint command, short floating point value with time tag CP56Time2a C_SE_TC_1
64 Bit string 32 bit with time tag CP56Time2a C_BO_TA_1

 

System information  in monitoring direction :

 

70 End of initialization M_EI_NA_1

 

System information in control direction :

 

100 (General-) Interrogation command C_IC_NA_1
101 Counter interrogation command C_CI_NA_1
102 Read command C_RD_NA_1
103 Clock synchronization command C_CS_NA_1
104 ( IEC 101 ) Test command C_TS_NB_1
105 Reset process command C_RP_NC_1
106 ( IEC 101 ) Delay acquisition command C_CD_NA_1
107 Test command with time tag CP56Time2a C_TS_TA_1

 

Parameter in control direction :

 

110 Parameter of measured value, normalized value P_ME_NA_1
111 Parameter of measured value, scaled value P_ME_NB_1
112 Parameter of measured value, short floating point value P_ME_NC_1
113 Parameter activation P_AC_NA_1

 

File transfer :

 

120 File ready F_FR_NA_1
121 Section ready F_SR_NA_1
122 Call directory, select file, call file, call section F_SC_NA_1
123 Last section, last segment F_LS_NA_1
124 Ack file, Ack section F_AF_NA_1
125 Segment F_SG_NA_1
126 Directory F_DR_TA_1
127 QueryLog Request archive file F_SC_NB_1

 

LIAN 98 is able to process user defined messages of non standard types from 127 up to 255, provided they have the same general telegram format as IEC 60870-5-101/104 standard.   

 

Variable structure qualifier :

The SQ bit specifies the method of addressing of the following information objects or elements.

SQ = 0

Each single element or a combination of elements is addressed by the information object address. The ASDU may consist of one or more than one equal information object. The number of objects is binary coded ( number of objects ) and defines the number of the information objects.

SQ = 1

A sequence of equal information objects ( e.g. measured values of identical format ) is addressed by the information object address. The information object address specifies the associated address of the first information element of the sequence. The following information elements are identified by numbers continuously by + 1 from this offset. The number of objects is binary coded ( number of elements ) and defines the number of the information elements. In case of a sequence of information elements only one information object per ASDU is allocated.

number objects/
elements

= 0 : ASDU contains no information object
> 0 : ASDU contains one or more ( number ) information objects or elements

 

Cause of transmission ( COT ) :

The cause of transmission directs the ASDU to a specific application task ( program ) for processing. ASDUs in control direction are confirmed application services and may be mirrored in monitor direction with different causes of transmission. The value ZERO is not used.

 

P/ N

The P / N bit indicates the positive or negative confirmation of an activation requested by a primary application function. In the case of irrelevance the P / N bit is zero.

T

In addition to the cause the test bit defines ASDUs which were generated during test conditions. The test bit is used e.g. to test transmission and equipment without controlling the process.

 

...    
1 periodic, cyclic  
2 background interrogation  
3 spontaneous  
4 initialized init
5 interrogation or interrogated req
6 activation act
7 confirmation activation actcon
8 deactivation deact
9 confirmation deactivation deactcon
10 termination activation actterm
11 feedback, caused by distant command  
12 feedback, caused by local command  
13 data transmission  
...    
20 interrogated by general interrogation inrogen
21 interrogated by interrogation group 1  
22 interrogated by interrogation group 2  
23 interrogated by interrogation group 3  
24 interrogated by interrogation group 4  
25 interrogated by interrogation group 5  
26 interrogated by interrogation group 6  
27 interrogated by interrogation group 7  
28 interrogated by interrogation group 8  
29 interrogated by interrogation group 9  
30 interrogated by interrogation group 10  
31 interrogated by interrogation group 11  
32 interrogated by interrogation group 12  
33 interrogated by interrogation group 13  
34 interrogated by interrogation group 14  
35 interrogated by interrogation group 15  
36 interrogated by interrogation group 16  
37 interrogated by counter general interrogation  
38 interrogated by interrogation counter group 1  
39 interrogated by interrogation counter group 2  
40 interrogated by interrogation counter group 3  
41 interrogated by interrogation counter group 4  
...    
44 type-Identification unknown  
45 cause unknown  
46 ASDU address unknown  
47 Information object address unknown  
...    

 

Originator address :

The originator address directs mirrored ASDUs and interrogated ASDUs in monitor direction ( e.g. interrogated by a general interrogation ) to the source that activated the procedure. ( in case of redundant systems ).

If the originator address is not used and there is more than one single source in a system defined, the ASDUs in monitor direction have to be directed to all relevant sources of the system. In this case the specific affected source has to select its specific ASDUs..

 

Common address of ASDU :

The common address is associated with all objects in an ASDU. The global address is a broadcast address directed to all stations of a specific system ( broadcast address ). ASDUs with a broadcast address in control direction have to be answered in monitor direction by the address that is the specific defined common address ( station address ). According to the standard this parameter consists of 2 octets.

 

information object address :

The information object address is used as destination address in control direction and as source address in monitor direction.

The third octet is only used in case of structuring the information object address in order to define unambiguous addresses within a specific system. In all cases the maximum number of different object addresses is limited to 65 535 ( as for two octets ). If the information object address is not relevant ( not used ) in some ASDUs, it is set to zero.

 


IEC 60870-5-104 : Ethernet-frame

 

Link layer ( Layer 2 )

 

Ethernet v.2.0 MAC Header

 

I/ G = 0

Individual address

I/ G = 1

Group address

U/ L = 0

Global administered address

U/ L = 1

Local administered address

 

Preamble

7 Bytes
The preamble is needed, that the recipient or recipients ( network card ) synchronize with the transmitter ( network card ) and therefore the start frame delimiter and the following Ethernet data frame can be interpreted correctly.

These fields are not forwarded to the software by the network card !

Start Frame Delimiter

Start Frame Delimiter is 1 octet long and is the sequence 10101011 binary.
It immediately follows the preamble pattern and indicates the start of a frame.

This field is not forwarded to the software by the network card !

Destination address

Receiver address for which the frame is intended.

Source address

Identifies the station from which the frame is initiated.

Ethernet
Length- / Type Field

Internet Protocol ( IPv4 ) = 0800 HEX

For IEC 60870-5-104 this field is used as type field with a fixed value of 0800 HEX. This field indicates the nature of the MAC client protocol ( IPv4 ).

MAC Client Data

The data consist of :
. IPv4 header
. TCP header
. User data IEC 60870-5-104

. PAD fields ( Trailer ), if available

The client data must have a minimum length, so that the Ethernet data frames starting with the destination address and including the trailer, has a minimum frame length of 60 bytes. If the frame length is less than 60 bytes, the client data have to be filled with PAD fields ( padding bits ) up to the required minimum length. This will be done automatically by the network card.

Frame Check Sequence

4 Bytes
The content of the Ethernet data frames starting with the destination address and including the client data is secured with a block checksum. The receiver ( network card ) recognizes therefore each transmission failure.

These fields are not forwarded to the software by the network card !

 

Netzwork Layer ( Layer 3 )

 

IPv4 Header

For more detailed information about the IPv4 header, check the document RFC 791 "Internet Protocol" on the IETF Website. <RFC 791 : Internet Protocol>.

 

 

Version

Internet Protocol Version = 4 ( IPv4 ), see [ RFC 791 ].
This field indicates the format of the IP header and has a fixed value of 4 for IPv4.

IHL

The Internet Header Length is the length of the IP header counted in double words ( 32 bit units ), and thus points to the beginning of the data area. The minimum value for a correct header is 5 ( = 20 bytes ).

Type of service

bit 0 : reserved
bit 1 : reserved
bit 2 : R ( Reliability )
bit 3 : T ( Throughput )
bit 4 : D ( Delay )
bit 5 - 7 : PRECEDENCE

The type of service describes the indication of the abstract parameters of the desired service. These parameters are used in order to indicate the selection of the actual service parameters when transmitting a datagram through a particular network. Several networks offer service precedence, which somehow treats high precedence traffic as more important than other traffic ( generally by accepting only traffic above a certain precedence at time of high load ). The major choice is a three way tradeoff between low-delay, high-reliability, and high-throughput.

R : 0 = normal Reliability,  1 = high Reliability
T : 0 = normal Throughput, 1 = high Throughput
D : 0 =normal Delay, 1 = low delay

Total length

Total Length is the length of the datagram, measured in octets, including internet header and data.

Identification

An identifying value assigned by the sender in order to indicate to which datagram the fragments are allocated.

Flags

Bit 5 : MF ( more fragments )
Bit 6 : DF ( don't fragment )
Bit 7 : reserved, must be 0

Various control flags

MF : 0 = last fragment, 1 = more fragments
DF : 0 = may fragmented, 1 = don't fragment

Fragment offset

This field indicates where in the datagram this fragment is placed. The fragment offset is measured in units of 8 octets ( 64 bits ). The first fragment has offset zero.

Time to live

This field indicates the maximum time the datagram is allowed to remain in the internet system. If this field contains the value zero, then the datagram must be destroyed. This field is modified in internet header processing. The time is measured in units of seconds, but since every module that processes a datagram must decrease the TTL by at least one even if it processes the datagram in less than a second.

Protocol

Transmission Control Protocol = 6 ( TCP ), see [ RFC 793 ].
This field indicates the next level protocol used in the data portion of the internet datagram and has a fixed value of 6 for TCP ( Transmission Control Protocol ).

Header checksum

The checksum is only valid for the header. Since some header fields change ( e.g. time to live ) the checksum has to be new calculated after each pass through the rooter.

Source address

This parameter identifies the IP address of the transmitting host. ( Sender )

Destinatin address

This parameter defines the IP-address of the receiving host ( Receiver )

Options ( variable )

The option field is variable in length
Options may appear or not in datagrams. They must be implemented by all IP modules ( host and gateways ). Optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.

Padding ( variable )

The padding field is variable in length
The internet header padding is used to ensure that the internet header ends on a 32 bit boundary. The padding is composed of zeros.

 

Transport layer ( layer 4 )

 

TCP Header

For more detailed information about the TCP Header please read on the IETF Website
the document <RFC 793 : Transmission Control Protocol>.

 

 

Source port

Identifies the PORT from which the frame is initiated.

Destination port

Destination PORT for which the frame is intended.

Sequence number

The sequence number of the first data octet in this segment, except the SYN bit is set. If SYN is present the sequence number is the initial sequence number ( ISN ) and the first data octet is ISN + 1.

Acknowledgement number

If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. As soon as a connection is established this is always sent.

Data offset

The number of double words ( 32 bit units ) in the TCP Header. This indicates where the data begin. The TCP header ( even one including options ) is an integral number of 32 bits long.

reserved

Reserved for later use and must be zero.

Control field

URG : Urgent Pointer
ACK : Acknowledgment
PSH : Push function
RST : Reset the connection
SYN : Synchronize sequence numbers
FIN  : No more data from the sender

Window

The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.

Checksum

The checksum is used for all 16 bit units in the header and in the data. If a segment contains un odd number of header- and data bytes to be checked, the last byte on the right is replenished with noughts in order to built a 16 bit word for the check. The block is not transmitted as part of the segment. The check field itself is replenished with nougths while the checksum is calculated.

Urgent pointer

This field transmits the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only interpreted in segments with the URG control bit set.

Options ( variable )

The option field is of variable length.
Options may occupy space at the end of the TCP header and are a multiple of octets in length. All options are included in the checksum. An option may begin on any octet boundary.

Padding ( variable )

The padding field is of variable length.
The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary. The padding character is always zero.

 

User data

IEC 60870-5-101/ 104 Data frames

 

 


MAYR Software

Wuerzburger Ring 39,  D 91056 Erlangen

Manual LIAN 98


LIAN 98 Protocol Router, Simulator and Analyzer
© Copyright 2001, 2006, 2011 by Werner Mayr. All Rights reserved.