ro

El

arja

ede 22

emohelfunfunmomm

2007 Elsevier B.V. All rights reserved.

A Programmable Logic Controller (PLC) is microprocessor-

Robustness. High degree of scalability: modern PLC families have a wide

come with a cross development environment that support

illustrates a common architecture used in industry. As shown,PLCs are connected to the network through a computer. The PLCsystem is usually interfaced to this computer using the serial Portor Profibus. These types of systems are disadvantaged by the

Available online at www.sciencedirect.com

cesspectrum of CPU types that allows easy scalability in func-tionality and performance.based control system that can be programmed to sense, activateand control industrial equipment and therefore incorporates anumber of input/output terminals for interfacing to an industrialprocess. A control program stored in the PLC memory de-termines the relationship between the inputs and outputs of thePLC. PLCs are intelligent automation stations that possesshighly useful and desirable features such as [3]:

different languages for programmability, allows semi-graphical hardware configuration and offer strong debuggingmechanisms.

Remote access to control and monitor various devices in anindustrial setting is of value to engineers and automation facilities.Current implementations of remote PLC monitor and control usededicated PCs or web servers connected to the PLC. Fig. 11. Introduction

The recent growth of networks technology and specially thewide spread of the Internet have promoted the development ofdistributed measurement systems for a variety of industrial ap-plications. These distributed measurement systems can be usedin the monitoring and control of various instruments in thenetwork [1,2].

Extensibility: the modular design of PLCs enables theextension with a wide range of digital and analog I/Omodules. Also, various integrated technology modules areavailable for various application areas.

Sophisticated communication capabilities: modern PLCshave communication ports that provide for centralized ordistributed connectivity.

Powerful development environment: modern PLC familiesKeywords: PLC; TCP/IP; GSM; Remote monitoringDevelopment of a monitoring and cont

S. Da'na, A. Sagahyroon , A.

American University of Sh

Received 21 February 2006; received in revisAvailable onlin

Abstract

This paper discusses the design and implementation of a platform to rthe GSM network. The platform is built using industry-standard off-the-sbe used for connectivity to the network and to a GSMmodem. The comman industrial compatible protocol over TCP/IP that achieves the sameAdditionally, a mobile-based communication protocol that facilitates redeveloped. The intent here is to provide system users with a back-up co

Computer Standards & Interfa Corresponding author.E-mail address: asagahyroon@aus.edu (A. Sagahyroon).

0920-5489/$ - see front matter 2007 Elsevier B.V. All rights reserved.doi:10.1016/j.csi.2007.08.008l platform for PLC-based applications

rayes, A.R. Al-Ali, R. Al-Aydi

h, United Arab Emirates

form 6 June 2007; accepted 10 August 2007August 2007

tely monitor and control PLC-based processes over TCP/IP or by usingPLCs. Integrated with each PLC are communication processors that canication processor module (Ethernet module) used in this work, providesctionality as Profinet but at a much higher bandwidth (10/100 Mbps).te monitoring and control of PLCs using SMS messages has also beenunication mechanism in case of a network failure.

30 (2008) 157166www.elsevier.com/locate/csidedicated use of a PC to access the PLC system. The architecturealso does not make use of the advents and strides made in areassuch as telecommunications and web technology.

rem

rdsFig. 1. PC-based

158 S. Da'na et al. / Computer StandaIn recent years and due to the ever increasing capabilities of PCcomputing and the influx of network protocols and standards,there has been a surge in the design and implementation ofdistributed measurement and control systems for industrialapplications. Typically, these systems are based on the client-server architecture while securing communication using the TCP/IP protocol [46]. Modern PLCs come with embedded webservers that provide open access to useful real time informationand diagnostics that can be viewed via any standard web browser.This remote accessibility provides several advantages over moretraditional solutions. For example, a problem can easily bediagnosed and perhaps fixed remotely; also engineers can haveremote access to the PLC CPU configuration tools and henceallowing for remote upload/download and configurability via theintranet or internet.

In this paper we will discuss the design and implementation ofa networked platform for remote monitoring and control of PLCs.The platform is built around the Siemens S7 series of PLCs. ThesePLCs have an integrated communication processor that can beused to provide accessibility to the internet. The monitoring andcontrol can be accomplished in a wired or wireless environment,via an intranet or internet hence providing for a complete solutionfor the remote monitoring and control of industrial processes. Wewill also discuss the utilization of the GSM network and theoperation of a communication protocol that uses SMS messagingto communicate with the PLC stations and a Database Serverintegrated with the system.

The paper is organized as follows: in Section 2 we describe theoverall system architecture; section three includes a discussion ofthe software aspects of the system. Sections 4 and 5 present theote accessibility.

& Interfaces 30 (2008) 157166communications methodology followed in this project and thepaper is concluded in Section 6.

2. System architecture

The proposed system architecture is illustrated in Fig. 2.The system consists of the following components:

Simatic S7 200/300 PLC systems and CommunicationProcessors (CPs). Each CP has an integrated communicationinterface (hardware and software) that allows the PLC tocommunicate in a LAN, WAN or via a GSM network.

Clients and administrator are connected to the process via thenetwork (or wirelessly). Privileges can be set or reset byadministrators to allow for or to limit the various clients' options.

A Database Server connected to the process via the networkfor data logging and event recording.

A variety of network options including GSM-basedaccessibility.

The PLC system Ethernet module is a communicationprocessor for the S7 family used to connect the PLC to thenetwork. An additional communication processor is used to allowcommunication between the PLC and the GSM modem over theserial port (RS232).

In the proposed implementation, the PLC system reportsremotely the status of the process to the Database Server. TheDatabase Server records the status of the PLC in time-based tablesand performs any required data analysis. The system also receivesand executes commands from administrators and clients to

control the process. GSM connectivity is also implemented to functions. Ethernet and GSM connectivity of the PLCs is

Fig. 2. System architecture.

159S. Da'na et al. / Computer Standards & Interfaces 30 (2008) 157166allow users with different privileges to access the status of themandatory functions of the PLC and allow them to control theseFig. 3. System softwimplemented using the CP343, and the CP340 communicationprocessors [7].are components.

The System software was implemented mainly using SimaticManager [7] and Java. The Simatic Manager environment is usedfor communication with the PLC system. The proposedarchitecture allows for programming, reprogramming, and config-uring the system remotely.

The Java application is developed using the S7-APIs (S7-Application Programming Interfaces) to establish the communica-tion between the Database Server and PLC station [8]. Forexample, using these APIs, we can instantiate objects that willconnect theDatabase Server to the PLC station by specifying the IPAddress and the S7 address of the CPU contained in the PLC unit.

The PLC is connected to the process sensors and actuatorsusing I/O modules.

After the Java application running on the server side establishesthe connection to PLC using the S7-APIs, it then uses the JavaDatabase Connector Technology (JDBC) to store the retrieveddata that reflects the status of various PLC parameters in theDatabase Tables. JDBC is a technology that allows Java to connectto Database servers. It contains the required Java libraries thatinclude all the necessary methods required to connect to theDatabase Server and execute SQL statements.

The overall system allows users to set process values using the

architecture is scalable with the ability to monitor a completenetwork of PLCs spreading around the Intranet or Internet.

3. System software architecture

The systems' software used in this project is divided intothree components:

A database management system Application modules (data manipulation modules, PLCcommunication modules and GSM modem modules)

A user interface.

Fig. 3 depicts the systems' software major components andthe directions of communication between them. A descriptionof each component is provided in the following subsections.

3.1. An overview of the database system

The database was created using Oracle 9i. It consists of a setof inter-related tables. Fig. 4 illustrates the database schemaused in this work. For the sake of brevity a brief description of

160 S. Da'na et al. / Computer Standards & Interfaces 30 (2008) 157166PLC. For example, users can set an output (actuate a motor) orchange the value of a memory cell (memory bit, byte, word, flag,etc.). The system environment also provides for obtaining thereadings of input values (sensors' readings) as well as capturingthe status of the PLC. A Chart plotter can be used to convertreadings from the PLCs into charts. An error reportingmechanismthat provides administrators with useful diagnostic information isalso included in the complete environment. System administratorscan also query the status of the process using the GSM network inthe form of SMS messages. Finally, the proposed systemFig. 4. Database tableach table is provided below:

A Station table that contains the entire information associatedwith the PLC such as station IP address, station name, etc.

A Pointers table that contains information about each Input,Output or, Memory that the system is using. Pointers rep-resent addresses for Input, Output or, Memory.

A Pointers reading table used to store the values read fromitems pointed to by the various pointers. This table is similarto a log table that holds the various stations activities.es relationships.

GU

rds An Admin table contains all the information on system users.A Rank attribute indicates the security level for each admin-istrator, such as, Main Admin, Supervisor, and Trainee.Additional information include login name, password, a Hintattribute for password recovery, etc.

A Client table contains all the information pertaining to eachclient that is using the system such as user identification,password and phone.

Admin_PLC and Client_PLC tables used to set thecorresponding admin or client to a specific station id, andpointer id.

Fig. 5. A

S. Da'na et al. / Computer Standa3.2. Application modules

Thesemodules are at the heart of the software components of theoverall system. They manage the communication between the userinterface and the DBMS. They initiate the connection to the PLCsystem and contain the needed objects for GSM communication.

The application modules consist of following three sub-modules:

A data manipulation module: this module has several classesthat are called from within the user interface (GUI) toperform various data manipulation tasks within the databasesuch as: insert, update, and delete. For example, the insertclass is responsible of inserting any new data receivedthrough the user interface.

A PLC communication module: this module consists of threeclasses; they are used to perform tasks such as acceptingstations ID from users, verifying that each station has apointer associated with it, establishing connection to the PLCstation, etc.

A GSM module: this module provides for the communicationbetween the GSMmodem and the communication ports. Thejava communication package is used. This package allowsjava to recognize both the serial and the parallel ports that arepart of the system. It contains the necessary functionsrequired to send and receive AT commands and SMS mes-sages through the GSM modem.

3.3. The user interface

The user interface used in this work allows users (admin-istrators and clients) to access and manipulate the databasetables and to issue basic control commands to the different PLCstations. For database manipulation the administrator dependingon his/her rank can insert, update, or perform different queries.Administrators can also perform other activities using this

I display.

161& Interfaces 30 (2008) 157166GUI such as sending SMS massages to different clients andadministrators. Depending on his or her rank, an administratorcan enter the configuration area, and perform activities such asviewing admin logs, viewing help documents, viewing tutorialsof how to use the user interface as well as controlling someactivities in the station.

Fig. 5 shows one of the GUI screens of the system. Thefigure shows the different fields that correspond to the stationtable attributes. Users can enter various values pertaining to aparticular station such as its IP address, its location, number ofinputs and maximum number of outputs. As shown on the leftpanel of the GUI interface, users have the ability to search, view,configure, and update the information of a particular station.Fig. 5 depicts a GUI screen for the Update command. Users mayuse this command to modify particular station information suchas its IP address, or location. Fig. 6 is a snap shot of the GUIwhere the user is embarking on a search task. In the shownsearch screen the user is searching for a PLC station by location.The response to his search request is shown in Fig. 7.

4. Using TCP/IP to communicate with the PLC

The CP module is a communication processor for the S7family that allows PLCs to connect to an Intranet or the Internet

le G

162 S. Da'na et al. / Computer Standards & Interfaces 30 (2008) 157166in any LAN setup. The module supports the following TCP/IPcommunication services [7]:

Secure FTP (File Transfer Protocol) and HTTP (Hyper TextTransfer Protocol) server login with user IDs and password

Send E-mail messages with embedded PLC data to standardSMTP mail server

FTP client services for file transfer to a remote server FTP server services for file transfer to/from an internal 8 MBflash memory file system by a remote FTP client

Fig. 6. Samp HTTP server services for remote Internet browser access S7 series program instructions for Internet communication.

In addition the module also has the following features:

Communication based on TCP/IP and ISO standards Factory installed MAC address

Fig. 7. Response screen t Peer-to-peer communication capabilities with other S7devices

Multiple (up to 8) connections Ethernet client or server configuration options Program instructions for initialization, reconfiguration, anddata transfer.

A PLC can be programmed locally or remotely to sense,activate and control industrial equipment and therefore,incorporates a number of input/output terminals that are used

UI display.to interface the PLC to the environment or process. Each inputand output connection point on a PLC module has a uniqueaddress that identifies it. Using the TCP/IP protocol, the IPaddress of the PLC, command type and the address of the item(I/O point) that is referenced are all contained in the IP packet.The IP address of the PLC is included in the header field. Thepayload field of the IP packet is allocated to carry various PLC

o a Station Search.

te w

163S. Da'na et al. / Computer Standards & Interfaces 30 (2008) 157166related parameters and commands. Fig. 8 shows the contents ofthe frames that are sent and received from the PLC system.

The Memory Parameters field contains information, such asthe address of the item to be monitored and/or controlled. Thisitem can be any of the following:

Input Output Memory area Data block.

It also contains other parameters such as data type (Boolean,integer, etc.), bit or byte offsets and so on.

The Command Type field contains any of the followingcommands:

Set Value Get Value Get Status.

The Status field of the frame returns the status of theaddressed item. The value field contains the value of theaddressed item.

5. GSM accessibility

Foreseeing the potential of GSM services for low volumedata transmission and acquisition [911] we decided toincorporate these services in our system. The idea here isallow administrators and clients to access the PLC system viathe GSM network if needed, and also to be able to retrieve vitalstatus information through it. The Java communication packagewas used to allow for the communication between the GSMmodem and the various ports of the PLCs and the server. For the

Fig. 8. Frames used to communicaGSM modem that is connected to the PLC, ladder diagrams areused to send ATA commands as strings to the modem. Similarly

Fig. 9. Messaging format

Fig. 10. Messaging format fthe received SMS messages are read as strings. A messagingcommunication protocol that uses the public GSM services andis suitable for this project was developed. The protocol usesvarious frames to communicate with the system. Fig. 9 depictsthe format used for Query frames.

A brief description of the various fields included in the aboveframe is given below.

Type of Frame (TOF): this is a 1 byte field. The user(administrator or customer) should know what type of frame he/she is sending. For the query frame, the Type of Frame fieldshould be set to the value 1.

C/A (Customer/Administrator): this field indicates whether theuser is a customer by writing c or an administrator by writinga. This field has a size of 1 byte.

User ID: this field contains an ID for each user. The length ofthe field is 4 bytes.

Password: this field indicates whether the password belongs toan administrator or a client. Administrators have full accessibilityto change sensors status by using the set function, for example.The maximum length of this field will be 10 bytes which meansthe password can't exceed 10 characters.

Station ID: this field contains the Station ID number. In thiswork, station IDs are assumed to be in the range of 1 to 9999.The length of this field is 4 bytes.

Pointer ID: this field has the pointer ID number. Thepointers' IDs will be in the range of 1 to 9999. The length of thisfield is 4 bytes.

The Query response frame: the response frame will be sentfrom the Database to the administrator or client with the statusof a specific sensor. A frame illustration is shown in Fig. 10.

The Station ID and Pointer ID have the same meaning asdescribed above. The Value field contains the returned value ofthe item whose status is interrogated in the Query frame.

Note that the first 8 bytes in the response frame are used to

ith the PLC system using TCP/IP.store the following string: The Query Results for PLC/PointerReading is. Fig. 11 shows an SMS response to a query.

for the Query frame.

or the Response frame.

164 S. Da'na et al. / Computer Standards & Interfaces 30 (2008) 157166The query error frame: this frame will be sent to theAdministrator or the customer via the GSM network to indicatethat an error has occurred. This error can be either in specifyingthe password, for example, or the Station ID doesn't exist, or thePointer ID doesn't exist. The Error frame format is given inFig. 12.

The first 8 bytes are used to store the string: Error:. TheType of Error field will state or clarify the origin of the error, forexample, a command type is not correct, or the PLC ID does notexist.

Command frame: the command frame can be sent from theadministrator to the Database Server or PLC seeking to changethe status of a specific pointer using a set function. The dif-ferent frame fields are shown in Fig. 13.

A brief description of each field is provided below.TOF (Type of Frame): For the command frame, the Type of

Frame field is set to the value 2.Value: this field will contain the value that the administrator

wants to set the specific addressed item to. For example, theBoolean which is used to set inputs and outputs sensors willhave the value of 0 (false) and 1 (true).

The rest of the fields carry the same meaning as discussed

Fig. 11. A sample response.previously. Fig. 14 is snap shot of a mobile screen containing acommand in the form of an SMS message using the frameformat discussed above.

We also implemented a Reporting mechanism by whichSMS messages are automatically generated and sent to theadministrator periodically or in case of an emergency. These

Fig. 12. Messaging forma

Fig. 13. Messaging format fmessages contain specific critical status information about anyPLC station that might require immediate attention. Theimplementation of this mechanism is detailed below.

The report frame: these frames are sent from the DatabaseServer to the administrator. There are two types of ReportsFrames:

Periodical Reports: sent periodically (for example weekly)and are used only to inform the administrator about the statusof a Station. Periodical Report Frames have the formatdepicted in Fig. 15.

The first 8 bytes represent a normal String which is Report.Time: the time field includes the date, day and the time the

report frame is generated.Status of Station: this field contains the status of the station that

has been defined by the administrator or the customer in theQueryusing Station ID. The status will be either 0 (OFF) or 1 (ON).

Emergency Report Frames: these kinds of report fames aresent by the system only on emergency cases, and it informsthe administrator of a specific Pointer Status (overflow or

Fig. 14. An SMS PLC command.underflow) and the corresponding station ID. These types offrames have the format shown in Fig. 16. A description of thevarious fields is provided below.

Pointer Status: this field will identify the specific Pointerstatus (according to the specific Pointer ID). The length of this

t for the Error frame.

or the Command frame.

field is 1 byte. If the Pointer Status field contains 1, it means thePointer status is overflow (its value is over the limited range).But, if the Pointer Status field contains 2, it means the Pointer isunderflow (its value is under the limited range). Finally, if thePointer Status field contains 3, it means the Pointer status iswithin range.

Communication between the mobile client and the PLC sys-tem is implemented using the CP340 communication processorand the GSM modem as illustrated in Fig. 2. The GSM modemcan be polled for messages but an Event Interrupt mechanism can

also be used. The polling processmay be initiated by sendingATAcommands to the GSM modem checking for new messages. IfEvent Interrupts are used, the GSM modem sends a signal(message) to the Server or PLC System through the serial portindicating that it has received a new SMS message. An interruptservice routine will perform the necessary tasks of reading andparsing the message and eventually executing the command em-bedded in the message.

In addition to the SMS built-in emergency reportingmechanism, administrators on the server side will also be notified

Fig. 15. Messaging format for the Report frame.

Fig. 16. Messaging format for the Emergency Report frame.

Erro

165S. Da'na et al. / Computer Standards & Interfaces 30 (2008) 157166Fig. 17.Fig. 18. Adding secr report.urity features.

of any error or failures that might occur in the CPU or thecommunication processor. For example if the CPU or the TCP/IP

new technologies in automation and process control. TCP/IPprovides the needed flexibility and scalability in control plantsdesign. In this work, we discussed the design and implementationof a monitoring and control system for PLC-controlled processes.The proposed architecture and results demonstrate the feasibilityof using TCP/IP and GSM protocols to communicate effectivelywith PLCs with respect to both functions, of monitoring andcontrol. The systemwas tested using an industrial sortingmachinein a laboratory set us and had a very satisfactory performance.Wehave also tested the proposed architecture in a wireless

166 S. Da'na et al. / Computer Standards & Interfaces 30 (2008) 157166values from the PLC station, and generate an error report ormessage that can assist administrators in identifying the source ofthe error. Fig. 17 shows an example of failure in the station CPU.

6. Enhancing the security aspects

Security is critical to the remote access of industrial automationnetworks, as emphasized in recent articles in the industrialinformatics field [12,13]. The introduction of internet-basedaccessibility within the process controls industry has increased thevulnerability of these processes. The figure below depicts theearlier architecture with added security measures allowing securecommunication over the internet (Fig. 18).

The firewall is used to isolate the internal industrial networkfrom the internet at large, allowing specific connections to passwhile blocking others and therefore protecting the PLCs fromunauthorized accesses. Administrators on the process side canconfigure the firewall to act as a VPN (Virtual Private Network)concentrator. This can be accomplished by issuing the properaccess credentials (tunnel name, tunnel password, user name,user password, etc.) to the authorized personnel. A VPN clienttool on the client side permits an authorized client to remotelyaccess the processes.

In typical industrial setups, the above secure architecture can beimplemented using devices such as or similar to the SCALANCES6xx security switch [7]. For example, the SCALANCE S612provides a combination of securitymeasures such asVPN throughan IPSec tunnel. It protects individual devices or even entireautomation cells in the industry against:

Data reconnaissance Data manipulation Automatic break-in attempts. Unauthorized access.

It allows this protection flexibly, without consequences,protocol-independent (as of Layer 2 according to IEEE 802.3)and without complicated handling.

On the GSM side, the security aspects embedded in thestandard [14] provide adequate measures of protection for theproposed application. Additionally, any security shortcomings inthe present GSM standard (such as the false base station attack)have been addressed in the emerging 3G standards [15].

7. Conclusion

Incorporating TCP/IP based implementations in processcontrol plants provides a natural and modern way to exploitenvironment and it did perform to our satisfaction.

References

[1] M. Bertocco, F. Ferraris, C. Offelli, M. Parvis, A client-server architecturefor distributed measurement systems, IEEE Transactions on Instrumenta-tion and Measurement 47 (5) (1998) 11431148.

[2] K. Kalaitzakis, et al., Development of a data acquisition system for remotemonitoring of renewable energy systems, Measurement Journal 34 (2003)7583.

[3] H. Kleines, J. Sarkadi, F. Suxdorf, K. Zwoll, Measurement or real-timeaspects of Simatic PLC operation in the context of physics experiments,IEEE Transactions on Nuclear Science 51 (3) (2004).

[4] F. Pianegiani, D. Macii, P. Carbone, An open distributed measurementsystem based on an abstract client-server architecture, IEEE Transactionson Instrumentation and Measurement 52 (3) (2003).

[5] S. Mylvaganam, H. Waerstad, L. Cortvriendt, From sensor to web usingPLCwith embedded web server for remote monitoring of process, Sensors,Proceedings of IEEE, vol. 2, Oct. 2003.

[6] F. Radwan, T. Martin, Real-time monitoring and controlling of an Allen-Bradley SLC 500 through the internet, IEEE ICIT, 2003.

[7] www.siemens.com.[8] support.automation.siemens.com.[9] B.K. Siang, et al., SMS gateway interface remote monitoring and controlling

via GSM SMS, Proceedings. 4th National Conference on Telecommunica-tion Technology, 2003.

[10] Jia Haitao, Cao Li, A remote data acquisition system based on SMS, IEEEinternational conference on systems, Man and Cybernetics, 2004.

[11] A.R. Al-Ali et al., Implementation of experimental communicationprotocol for health monitoring of patients, Journal of Computer Standards& Interfaces, (in press) currently available at www.sciencedirect.com.

[12] D. Dzung, et al., Security for industrial communication systems,Proceedings of IEEE 93 (6) (2005).

[13] C. schwaiger, Security in automation networks, in: R. Zurawski (Ed.), TheIndustrial Information Technology Handbook, CRC Press, 2005.

[14] European Telecommunications Standards Institute (ETSI)), GSM 02.09:Security Aspects.

[15] M. Zhang, Y. Fang, Security analysis and enhancements of 3GPP au-thentication and key agreement protocols, IEEE Transactions on WirelessCommunications 4 (2) (2005).modules are not running probably the systemwill stop reading the

Development of a monitoring and control platform for PLC-based applicationsIntroductionSystem architectureSystem software architectureAn overview of the database systemApplication modulesThe user interface

Using TCP/IP to communicate with the PLCGSM accessibilityEnhancing the security aspectsConclusionReferences