Available online at www.sciencedirect.com

Computer Standards & Interfaces 30 (2008) 157–166
www.elsevier.com/locate/csi

Development of a monitoring and control platform for PLC-based applications

S. Da'na, A. Sagahyroon, A. Elrayes, A.R. Al-Ali, R. Al-Aydi
American University of Sharjah, United Arab Emirates

Received 21 February 2006; received in revised form 6 June 2007; accepted 10 August 2007
Available online 22 August 2007

Abstract

This paper discusses the design and implementation of a platform to remotely monitor and control PLC-based processes over TCP/IP or by using the GSM network. The platform is built using industry-standard off-the-shelf PLCs. Integrated with each PLC are communication processors that can be used for connectivity to the network and to a GSM modem. The communication processor module (Ethernet module) used in this work provides an industrial compatible protocol over TCP/IP that achieves the same functionality as Profinet but at a much higher bandwidth (10/100 Mbps). Additionally, a mobile-based communication protocol that facilitates remote monitoring and control of PLCs using SMS messages has also been developed. The intent here is to provide system users with a back-up communication mechanism in case of a network failure.
© 2007 Elsevier B.V. All rights reserved.

Keywords: PLC; TCP/IP; GSM; Remote monitoring

1. Introduction

The recent growth of network technology, and especially the widespread use of the Internet, has promoted the development of distributed measurement systems for a variety of industrial applications. These distributed measurement systems can be used in the monitoring and control of various instruments in the network [1,2].

A Programmable Logic Controller (PLC) is a microprocessor-based control system that can be programmed to sense, activate and control industrial equipment and therefore incorporates a number of input/output terminals for interfacing to an industrial process. A control program stored in the PLC memory determines the relationship between the inputs and outputs of the PLC. PLCs are intelligent automation stations that possess highly useful and desirable features such as [3]:
• Robustness.
• High degree of scalability: modern PLC families have a wide spectrum of CPU types that allows easy scalability in functionality and performance.
• Extensibility: the modular design of PLCs enables the extension with a wide range of digital and analog I/O modules. Also, various integrated technology modules are available for various application areas.
• Sophisticated communication capabilities: modern PLCs have communication ports that provide for centralized or distributed connectivity.
• Powerful development environment: modern PLC families come with a cross development environment that supports different languages for programmability, allows semi-graphical hardware configuration and offers strong debugging mechanisms.

Remote access to control and monitor various devices in an industrial setting is of value to engineers and automation facilities. Current implementations of remote PLC monitoring and control use dedicated PCs or web servers connected to the PLC. Fig. 1 illustrates a common architecture used in industry. As shown, PLCs are connected to the network through a computer. The PLC system is usually interfaced to this computer using the serial port or Profibus. These types of systems are disadvantaged by the dedicated use of a PC to access the PLC system. The architecture also does not make use of the advents and strides made in areas such as telecommunications and web technology.

Corresponding author. E-mail address: [email protected] (A. Sagahyroon).
0920-5489/$ - see front matter © 2007 Elsevier B.V. All rights reserved.
doi:10.1016/j.csi.2007.08.008
Fig. 1. PC-based remote accessibility.

In recent years, due to the ever increasing capabilities of PC computing and the influx of network protocols and standards, there has been a surge in the design and implementation of distributed measurement and control systems for industrial applications. Typically, these systems are based on the client-server architecture while securing communication using the TCP/IP protocol [4–6]. Modern PLCs come with embedded web servers that provide open access to useful real time information and diagnostics that can be viewed via any standard web browser. This remote accessibility provides several advantages over more traditional solutions. For example, a problem can easily be diagnosed and perhaps fixed remotely; also, engineers can have remote access to the PLC CPU configuration tools, hence allowing for remote upload/download and configurability via the intranet or the Internet.

In this paper we discuss the design and implementation of a networked platform for remote monitoring and control of PLCs. The platform is built around the Siemens S7 series of PLCs. These PLCs have an integrated communication processor that can be used to provide accessibility to the Internet. The monitoring and control can be accomplished in a wired or wireless environment, via an intranet or the Internet, hence providing a complete solution for the remote monitoring and control of industrial processes. We also discuss the utilization of the GSM network and the operation of a communication protocol that uses SMS messaging to communicate with the PLC stations and a Database Server integrated with the system.

The paper is organized as follows: in Section 2 we describe the overall system architecture; Section 3 includes a discussion of the software aspects of the system. Sections 4 and 5 present the communications methodology followed in this project, and the paper is concluded in Section 6.
2. System architecture

The proposed system architecture is illustrated in Fig. 2. The system consists of the following components:
• Simatic S7 200/300 PLC systems and Communication Processors (CPs). Each CP has an integrated communication interface (hardware and software) that allows the PLC to communicate in a LAN, a WAN or via a GSM network.
• Clients and administrators are connected to the process via the network (or wirelessly). Privileges can be set or reset by administrators to allow for or to limit the various clients' options.
• A Database Server connected to the process via the network for data logging and event recording.
• A variety of network options including GSM-based accessibility.

The PLC system Ethernet module is a communication processor for the S7 family used to connect the PLC to the network. An additional communication processor is used to allow communication between the PLC and the GSM modem over the serial port (RS232).

In the proposed implementation, the PLC system reports the status of the process remotely to the Database Server. The Database Server records the status of the PLC in time-based tables and performs any required data analysis. The system also receives and executes commands from administrators and clients to control the process. GSM connectivity is also implemented to allow users with different privileges to access the status of the mandatory functions of the PLC and to control these functions. Ethernet and GSM connectivity of the PLCs is implemented using the CP343 and the CP340 communication processors [7].

Fig. 2. System architecture.
Fig. 3. System software components.
The system software was implemented mainly using Simatic Manager [7] and Java. The Simatic Manager environment is used for communication with the PLC system. The proposed architecture allows for programming, reprogramming, and configuring the system remotely.

The Java application is developed using the S7-APIs (S7 Application Programming Interfaces) to establish the communication between the Database Server and the PLC station [8]. For example, using these APIs, we can instantiate objects that will connect the Database Server to the PLC station by specifying the IP address and the S7 address of the CPU contained in the PLC unit.

The PLC is connected to the process sensors and actuators using I/O modules.

After the Java application running on the server side establishes the connection to the PLC using the S7-APIs, it then uses the Java Database Connector technology (JDBC) to store the retrieved data that reflects the status of various PLC parameters in the database tables. JDBC is a technology that allows Java to connect to database servers. It contains the required Java libraries that include all the necessary methods required to connect to the Database Server and execute SQL statements.

The overall system allows users to set process values using the PLC. For example, users can set an output (actuate a motor) or change the value of a memory cell (memory bit, byte, word, flag, etc.). The system environment also provides for obtaining the readings of input values (sensors' readings) as well as capturing the status of the PLC. A chart plotter can be used to convert readings from the PLCs into charts. An error reporting mechanism that provides administrators with useful diagnostic information is also included in the complete environment. System administrators can also query the status of the process using the GSM network in the form of SMS messages. Finally, the proposed system architecture is scalable, with the ability to monitor a complete network of PLCs spread around the intranet or the Internet.

3. System software architecture

The system software used in this project is divided into three components:
• A database management system
• Application modules (data manipulation modules, PLC communication modules and GSM modem modules)
• A user interface.

Fig. 3 depicts the system software's major components and the directions of communication between them. A description of each component is provided in the following subsections.

3.1. An overview of the database system

The database was created using Oracle 9i. It consists of a set of inter-related tables. Fig. 4 illustrates the database schema used in this work. For the sake of brevity, a brief description of each table is provided below:
• A Station table that contains the entire information associated with the PLC such as station IP address, station name, etc.
• A Pointers table that contains information about each Input, Output or Memory item that the system is using. Pointers represent addresses for Input, Output or Memory.
• A Pointers reading table used to store the values read from the items pointed to by the various pointers. This table is similar to a log table that holds the various stations' activities.

Fig. 4. Database tables relationships.
• An Admin table that contains all the information on system users. A Rank attribute indicates the security level for each administrator, such as Main Admin, Supervisor, and Trainee. Additional information includes login name, password, a Hint attribute for password recovery, etc.
• A Client table that contains all the information pertaining to each client that is using the system, such as user identification, password and phone.
• Admin_PLC and Client_PLC tables used to map the corresponding admin or client to a specific station id and pointer id.

Fig. 5. A GUI display.
3.2. Application modules

These modules are at the heart of the software components of the overall system. They manage the communication between the user interface and the DBMS. They initiate the connection to the PLC system and contain the needed objects for GSM communication. The application modules consist of the following three sub-modules:
• A data manipulation module: this module has several classes that are called from within the user interface (GUI) to perform various data manipulation tasks within the database such as insert, update, and delete. For example, the insert class is responsible for inserting any new data received through the user interface.
• A PLC communication module: this module consists of three classes; they are used to perform tasks such as accepting station IDs from users, verifying that each station has a pointer associated with it, establishing the connection to the PLC station, etc.
• A GSM module: this module provides for the communication between the GSM modem and the communication ports. The Java communication package is used. This package allows Java to recognize both the serial and the parallel ports that are part of the system. It contains the necessary functions required to send and receive AT commands and SMS messages through the GSM modem.
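An added example, not code from the paper, showing the Section 3.1 tables in SQLite together with the two checks the PLC communication module needs before acting on a request: that a station has a pointer, and that the Admin_PLC/Client_PLC mapping authorizes the user for that station and pointer. Column names, the sample rows, and the rule that a mapped client may only read while a mapped administrator may also set are assumptions.

```python
import sqlite3

# Reconstruction of the Section 3.1 tables. The paper names the tables and
# describes their contents; the column names below are assumptions.
SCHEMA = """
CREATE TABLE Station  (station_id INTEGER PRIMARY KEY, name TEXT, ip_address TEXT);
CREATE TABLE Pointers (pointer_id INTEGER PRIMARY KEY,
                       station_id INTEGER NOT NULL REFERENCES Station, address TEXT);
CREATE TABLE Admin    (admin_id INTEGER PRIMARY KEY, login TEXT UNIQUE, rank TEXT);
CREATE TABLE Client   (client_id INTEGER PRIMARY KEY, login TEXT UNIQUE, phone TEXT);
CREATE TABLE Admin_PLC  (admin_id  INTEGER REFERENCES Admin,  station_id INTEGER, pointer_id INTEGER);
CREATE TABLE Client_PLC (client_id INTEGER REFERENCES Client, station_id INTEGER, pointer_id INTEGER);
"""

# Role letter -> (mapping table, id column). Table and column names come only
# from this fixed dict; every user-supplied value goes through a "?" placeholder.
ROLE_TABLES = {"a": ("Admin_PLC", "admin_id"), "c": ("Client_PLC", "client_id")}


def build_demo_db():
    """In-memory database filled with constructed sample rows (not data from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Station VALUES (?, ?, ?)",
                     [(1, "sorting machine", "192.0.2.10"), (2, "spare station", "192.0.2.11")])
    conn.executemany("INSERT INTO Pointers VALUES (?, ?, ?)",
                     [(1, 1, "Q0.0"), (2, 1, "I0.3")])      # station 2 has no pointer yet
    conn.execute("INSERT INTO Admin VALUES (7, 'supervisor1', 'Supervisor')")
    conn.execute("INSERT INTO Client VALUES (42, 'operator1', '+000000000')")
    conn.executemany("INSERT INTO Admin_PLC VALUES (?, ?, ?)", [(7, 1, 1), (7, 1, 2)])
    conn.execute("INSERT INTO Client_PLC VALUES (42, 1, 1)")
    conn.commit()
    return conn


def station_has_pointer(conn, station_id):
    """The PLC communication module's check that a station has at least one pointer."""
    row = conn.execute("SELECT 1 FROM Pointers WHERE station_id = ? LIMIT 1",
                       (station_id,)).fetchone()
    return row is not None


def allowed_actions(conn, role, user_id, station_id, pointer_id):
    """Actions a user may perform on (station, pointer), taken from the mapping tables.

    Administrators mapped to the pair may get and set; clients mapped to it may
    only get; anyone not mapped gets nothing (deny by default)."""
    if role not in ROLE_TABLES:
        raise ValueError("role must be 'a' (administrator) or 'c' (client)")
    table, id_col = ROLE_TABLES[role]
    row = conn.execute(
        f"SELECT 1 FROM {table} WHERE {id_col} = ? AND station_id = ? AND pointer_id = ?",
        (user_id, station_id, pointer_id)).fetchone()
    if row is None:
        return set()
    return {"get", "set"} if role == "a" else {"get"}
```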
3.3. The user interface

The user interface used in this work allows users (administrators and clients) to access and manipulate the database tables and to issue basic control commands to the different PLC stations. For database manipulation the administrator, depending on his/her rank, can insert, update, or perform different queries. Administrators can also perform other activities using this GUI, such as sending SMS messages to different clients and administrators. Depending on his or her rank, an administrator can enter the configuration area and perform activities such as viewing admin logs, viewing help documents, viewing tutorials on how to use the user interface, as well as controlling some activities in the station.

Fig. 5 shows one of the GUI screens of the system. The figure shows the different fields that correspond to the station table attributes. Users can enter various values pertaining to a particular station, such as its IP address, its location, number of inputs and maximum number of outputs. As shown on the left panel of the GUI, users have the ability to search, view, configure, and update the information of a particular station. Fig. 5 depicts a GUI screen for the Update command. Users may use this command to modify particular station information such as its IP address or location. Fig. 6 is a snapshot of the GUI where the user is embarking on a search task. In the shown search screen the user is searching for a PLC station by location. The response to this search request is shown in Fig. 7.
4. Using TCP/IP to communicate with the PLC

The CP module is a communication processor for the S7 family that allows PLCs to connect to an intranet or the Internet in any LAN setup. The module supports the following TCP/IP communication services [7]:
• Secure FTP (File Transfer Protocol) and HTTP (Hyper Text Transfer Protocol) server login with user IDs and passwords
• Sending e-mail messages with embedded PLC data to a standard SMTP mail server
• FTP client services for file transfer to a remote server
• FTP server services for file transfer to/from an internal 8 MB flash memory file system by a remote FTP client
• HTTP server services for remote Internet browser access
• S7 series program instructions for Internet communication.

In addition, the module also has the following features:
• Communication based on TCP/IP and ISO standards
• Factory installed MAC address
• Peer-to-peer communication capabilities with other S7 devices
• Multiple (up to 8) connections
• Ethernet client or server configuration options
• Program instructions for initialization, reconfiguration, and data transfer.

A PLC can be programmed locally or remotely to sense, activate and control industrial equipment and therefore incorporates a number of input/output terminals that are used to interface the PLC to the environment or process. Each input and output connection point on a PLC module has a unique address that identifies it. Using the TCP/IP protocol, the IP address of the PLC, the command type and the address of the item (I/O point) that is referenced are all contained in the IP packet. The IP address of the PLC is included in the header field. The payload field of the IP packet is allocated to carry various PLC related parameters and commands. Fig. 8 shows the contents of the frames that are sent to and received from the PLC system.

The Memory Parameters field contains information such as the address of the item to be monitored and/or controlled. This item can be any of the following:
• Input
• Output
• Memory area
• Data block.
It also contains other parameters such as data type (Boolean, integer, etc.), bit or byte offsets and so on.

The Command Type field contains any of the following commands:
• Set Value
• Get Value
• Get Status.

The Status field of the frame returns the status of the addressed item. The Value field contains the value of the addressed item.

Fig. 6. Sample GUI display.
Fig. 7. Response screen to a Station Search.
5. GSM accessibility

Foreseeing the potential of GSM services for low volume data transmission and acquisition [9–11], we decided to incorporate these services in our system. The idea here is to allow administrators and clients to access the PLC system via the GSM network if needed, and also to be able to retrieve vital status information through it. The Java communication package was used to allow for the communication between the GSM modem and the various ports of the PLCs and the server. For the GSM modem that is connected to the PLC, ladder diagrams are used to send AT commands as strings to the modem. Similarly, the received SMS messages are read as strings. A messaging communication protocol that uses the public GSM services and is suitable for this project was developed. The protocol uses various frames to communicate with the system. Fig. 9 depicts the format used for Query frames.

A brief description of the various fields included in the above frame is given below.
• Type of Frame (TOF): this is a 1 byte field. The user (administrator or customer) should know what type of frame he/she is sending. For the query frame, the Type of Frame field should be set to the value 1.
• C/A (Customer/Administrator): this field indicates whether the user is a customer, by writing c, or an administrator, by writing a. This field has a size of 1 byte.
• User ID: this field contains an ID for each user. The length of the field is 4 bytes.
• Password: this field indicates whether the password belongs to an administrator or a client. Administrators have full accessibility to change sensors' status by using the set function, for example. The maximum length of this field is 10 bytes, which means the password can't exceed 10 characters.
• Station ID: this field contains the Station ID number. In this work, station IDs are assumed to be in the range of 1 to 9999. The length of this field is 4 bytes.
• Pointer ID: this field has the pointer ID number. The pointers' IDs will be in the range of 1 to 9999. The length of this field is 4 bytes.

The Query response frame: the response frame will be sent from the Database to the administrator or client with the status of a specific sensor. A frame illustration is shown in Fig. 10. The Station ID and Pointer ID have the same meaning as described above. The Value field contains the returned value of the item whose status is interrogated in the Query frame. Note that the first 8 bytes in the response frame are used to store the following string: The Query Results for PLC/Pointer Reading is. Fig. 11 shows an SMS response to a query.

Fig. 8. Frames used to communicate with the PLC system using TCP/IP.
Fig. 9. Messaging format for the Query frame.
Fig. 10. Messaging format for the Response frame.
Fig. 11. A sample response.

The query error frame: this frame will be sent to the administrator or the customer via the GSM network to indicate that an error has occurred. This error can be, for example, in specifying the password, or the Station ID doesn't exist, or the Pointer ID doesn't exist. The Error frame format is given in Fig. 12.

The first 8 bytes are used to store the string: Error:. The Type of Error field will state or clarify the origin of the error, for example, a command type is not correct, or the PLC ID does not exist.

Command frame: the command frame can be sent from the administrator to the Database Server or PLC seeking to change the status of a specific pointer using a set function. The different frame fields are shown in Fig. 13. A brief description of each field is provided below.
• TOF (Type of Frame): for the command frame, the Type of Frame field is set to the value 2.
• Value: this field will contain the value that the administrator wants to set the specific addressed item to. For example, the Boolean which is used to set input and output sensors will have the value 0 (false) or 1 (true).
The rest of the fields carry the same meaning as discussed previously. Fig. 14 is a snapshot of a mobile screen containing a command in the form of an SMS message using the frame format discussed above.

Fig. 12. Messaging format for the Error frame.
Fig. 13. Messaging format for the Command frame.
Fig. 14. An SMS PLC command.

We also implemented a Reporting mechanism by which SMS messages are automatically generated and sent to the administrator periodically or in case of an emergency. These messages contain specific critical status information about any PLC station that might require immediate attention. The implementation of this mechanism is detailed below.

The report frame: these frames are sent from the Database Server to the administrator. There are two types of Report Frames:
• Periodical Reports: sent periodically (for example weekly) and used only to inform the administrator about the status of a Station. Periodical Report Frames have the format depicted in Fig. 15. The first 8 bytes represent a normal String which is Report. Time: the time field includes the date, day and the time the report frame is generated. Status of Station: this field contains the status of the station that has been defined by the administrator or the customer in the Query using Station ID. The status will be either 0 (OFF) or 1 (ON).
• Emergency Report Frames: these kinds of report frames are sent by the system only in emergency cases, and they inform the administrator of a specific Pointer Status (overflow or underflow) and the corresponding station ID. These types of frames have the format shown in Fig. 16. A description of the various fields is provided below.
Pointer Status: this field will identify the specific Pointer status (according to the specific Pointer ID). The length of this
field is 1 byte. If the Pointer Status field contains 1, it means the Pointer status is overflow (its value is over the limited range). If the Pointer Status field contains 2, it means the Pointer is underflow (its value is under the limited range). Finally, if the Pointer Status field contains 3, it means the Pointer status is within range.
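As an added worked example (not code from the paper), the Query and Command frames of Section 5 parsed and answered in Python, with the Error frame and the Emergency Report's Pointer Status derived from the same rules. Assumptions: fields are ASCII text, IDs are zero-padded decimal digits, the Password field is space-padded to 10 bytes, the Value of a Command frame is whatever follows byte 24, and the server keeps only a salted hash of each password, since the SMS itself carries it in the clear.

```python
import hashlib
import hmac

# Fixed-width ASCII layout of the Query/Command frame (sizes from the paper;
# zero-padded decimal IDs and a space-padded Password are assumptions):
#   byte 0      TOF         '1' = Query, '2' = Command
#   byte 1      C/A         'c' = customer, 'a' = administrator
#   bytes 2-5   User ID     4 digits
#   bytes 6-15  Password    up to 10 characters
#   bytes 16-19 Station ID  4 digits, 1..9999
#   bytes 20-23 Pointer ID  4 digits, 1..9999
#   bytes 24-   Value       Command frames only (assumed: the rest of the SMS)
FRAME_LEN = 24
RESULT_PREFIX = "The Query Results for PLC/Pointer Reading is "
ERROR_PREFIX = "Error:"
_DIGITS = set("0123456789")


def _digest(password):
    """Salted hash kept server-side; the SMS carries the clear-text password."""
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()


# Constructed stand-ins for the Admin/Client tables and the Pointers reading table.
USERS = {("a", 7): _digest("adminpw"), ("c", 42): _digest("clientpw")}
READINGS = {(1, 1): 1, (1, 2): 37}          # (station_id, pointer_id) -> last value
LIMITS = {(1, 1): (0, 1), (1, 2): (0, 30)}  # (station_id, pointer_id) -> (low, high)


class FrameError(ValueError):
    """Malformed frame; the message becomes the Type of Error field."""


def parse_frame(sms):
    """Split an incoming SMS into the fields of a Query or Command frame."""
    if len(sms) < FRAME_LEN:
        raise FrameError("frame too short")
    tof, ca = sms[0], sms[1]
    if tof not in ("1", "2"):
        raise FrameError("command type is not correct")
    if ca not in ("c", "a"):
        raise FrameError("C/A field must be c or a")
    ids = (sms[2:6], sms[16:20], sms[20:24])
    if not all(set(s) <= _DIGITS for s in ids):
        raise FrameError("ID fields must be decimal digits")
    user_id, station_id, pointer_id = (int(s) for s in ids)
    if not (1 <= station_id <= 9999 and 1 <= pointer_id <= 9999):
        raise FrameError("ID out of range 1..9999")
    frame = {"tof": tof, "ca": ca, "user_id": user_id,
             "password": sms[6:16].rstrip(" "),
             "station_id": station_id, "pointer_id": pointer_id}
    if tof == "2":
        frame["value"] = sms[FRAME_LEN:]
    return frame


def handle(sms):
    """Validate, authenticate and execute one frame; return the reply SMS text."""
    try:
        f = parse_frame(sms)
    except FrameError as exc:
        return ERROR_PREFIX + str(exc)
    stored = USERS.get((f["ca"], f["user_id"]), "")
    # Constant-time compare; one generic reply for unknown user or wrong password.
    if not hmac.compare_digest(stored, _digest(f["password"])):
        return ERROR_PREFIX + "password"
    key = (f["station_id"], f["pointer_id"])
    if key not in READINGS:
        return ERROR_PREFIX + "PLC/Pointer ID does not exist"
    if f["tof"] == "2":
        if f["ca"] != "a":  # only administrators may use the set function
            return ERROR_PREFIX + "set requires administrator"
        if not f["value"] or not set(f["value"]) <= _DIGITS:
            return ERROR_PREFIX + "value must be a decimal integer"
        READINGS[key] = int(f["value"])
    # Response frame: prefix string, Station ID, Pointer ID, Value.
    return f"{RESULT_PREFIX}{key[0]:04d}{key[1]:04d}{READINGS[key]}"


def pointer_status(value, low, high):
    """Pointer Status byte of the Emergency Report: 1 overflow, 2 underflow, 3 in range."""
    return 1 if value > high else 2 if value < low else 3


def report_emergencies(limits=LIMITS):
    """(station_id, pointer_id, status) for every reading outside its limits."""
    found = [(s, p, pointer_status(READINGS[(s, p)], lo, hi))
             for (s, p), (lo, hi) in sorted(limits.items()) if (s, p) in READINGS]
    return [x for x in found if x[2] != 3]
```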
Communication between the mobile client and the PLC system is implemented using the CP340 communication processor and the GSM modem as illustrated in Fig. 2. The GSM modem can be polled for messages, but an Event Interrupt mechanism can also be used. The polling process may be initiated by sending AT commands to the GSM modem to check for new messages. If Event Interrupts are used, the GSM modem sends a signal (message) to the Server or PLC system through the serial port indicating that it has received a new SMS message. An interrupt service routine will perform the necessary tasks of reading and parsing the message and eventually executing the command embedded in the message.

In addition to the SMS built-in emergency reporting mechanism, administrators on the server side will also be notified of any error or failures that might occur in the CPU or the communication processor. For example, if the CPU or the TCP/IP modules are not running properly, the system will stop reading the values from the PLC station and generate an error report or message that can assist administrators in identifying the source of the error. Fig. 17 shows an example of a failure in the station CPU.

Fig. 15. Messaging format for the Report frame.
Fig. 16. Messaging format for the Emergency Report frame.
Fig. 17. Error report.

6. Enhancing the security aspects

Security is critical to the remote access of industrial automation networks, as emphasized in recent articles in the industrial informatics field [12,13]. The introduction of Internet-based accessibility within the process control industry has increased the vulnerability of these processes. Fig. 18 depicts the earlier architecture with added security measures allowing secure communication over the Internet.

Fig. 18. Adding security features.

The firewall is used to isolate the internal industrial network from the Internet at large, allowing specific connections to pass while blocking others, and therefore protecting the PLCs from unauthorized access. Administrators on the process side can configure the firewall to act as a VPN (Virtual Private Network) concentrator. This is accomplished by issuing the proper access credentials (tunnel name, tunnel password, user name, user password, etc.) to the authorized personnel. A VPN client tool on the client side permits an authorized client to remotely access the processes.

In typical industrial setups, the above secure architecture can be implemented using devices such as or similar to the SCALANCE S6xx security switch [7]. For example, the SCALANCE S612 provides a combination of security measures such as VPN through an IPsec tunnel. It protects individual devices or even entire automation cells in the industry against:
• Data reconnaissance
• Data manipulation
• Automatic break-in attempts
• Unauthorized access.
It allows this protection flexibly, without consequences, protocol-independent (as of Layer 2 according to IEEE 802.3) and without complicated handling.

On the GSM side, the security aspects embedded in the standard [14] provide adequate measures of protection for the proposed application. Additionally, any security shortcomings in the present GSM standard (such as the false base station attack) have been addressed in the emerging 3G standards [15].

7. Conclusion

Incorporating TCP/IP based implementations in process control plants provides a natural and modern way to exploit new technologies in automation and process control. TCP/IP provides the needed flexibility and scalability in control plant design. In this work, we discussed the design and implementation of a monitoring and control system for PLC-controlled processes. The proposed architecture and results demonstrate the feasibility of using TCP/IP and GSM protocols to communicate effectively with PLCs with respect to both functions of monitoring and control. The system was tested using an industrial sorting machine in a laboratory set-up and had a very satisfactory performance. We have also tested the proposed architecture in a wireless environment and it did perform to our satisfaction.
References

[1] M. Bertocco, F. Ferraris, C. Offelli, M. Parvis, A client-server architecture for distributed measurement systems, IEEE Transactions on Instrumentation and Measurement 47 (5) (1998) 1143–1148.
[2] K. Kalaitzakis, et al., Development of a data acquisition system for remote monitoring of renewable energy systems, Measurement Journal 34 (2003) 75–83.
[3] H. Kleines, J. Sarkadi, F. Suxdorf, K. Zwoll, Measurement of real-time aspects of Simatic PLC operation in the context of physics experiments, IEEE Transactions on Nuclear Science 51 (3) (2004).
[4] F. Pianegiani, D. Macii, P. Carbone, An open distributed measurement system based on an abstract client-server architecture, IEEE Transactions on Instrumentation and Measurement 52 (3) (2003).
[5] S. Mylvaganam, H. Waerstad, L. Cortvriendt, From sensor to web using PLC with embedded web server for remote monitoring of process, Sensors, Proceedings of IEEE, vol. 2, Oct. 2003.
[6] F. Radwan, T. Martin, Real-time monitoring and controlling of an Allen-Bradley SLC 500 through the internet, IEEE ICIT, 2003.
[7] www.siemens.com.
[8] support.automation.siemens.com.
[9] B.K. Siang, et al., SMS gateway interface remote monitoring and controlling via GSM SMS, Proceedings of the 4th National Conference on Telecommunication Technology, 2003.
[10] Jia Haitao, Cao Li, A remote data acquisition system based on SMS, IEEE International Conference on Systems, Man and Cybernetics, 2004.
[11] A.R. Al-Ali, et al., Implementation of experimental communication protocol for health monitoring of patients, Journal of Computer Standards & Interfaces (in press), currently available at www.sciencedirect.com.
[12] D. Dzung, et al., Security for industrial communication systems, Proceedings of the IEEE 93 (6) (2005).
[13] C. Schwaiger, Security in automation networks, in: R. Zurawski (Ed.), The Industrial Information Technology Handbook, CRC Press, 2005.
[14] European Telecommunications Standards Institute (ETSI), GSM 02.09: Security Aspects.
[15] M. Zhang, Y. Fang, Security analysis and enhancements of 3GPP authentication and key agreement protocols, IEEE Transactions on Wireless Communications 4 (2) (2005).