Building a Custom IEC 870-5-101 Simulator: Tools and Best Practices

How to Use an IEC 870-5-101 Simulator for Protocol ConformanceIntroduction

IEC 60870-5-101 (commonly written IEC 870-5-101) is a widely used telecontrol protocol for communication between control centers and substations, especially in electrical power systems. A simulator for IEC 101 is an essential tool for engineers and testers who need to validate devices (RTUs, IEDs, master stations) for protocol conformance, interoperability, functional behavior, and robustness under normal and fault conditions. This article explains step-by-step how to use an IEC 101 simulator for protocol conformance testing, including preparation, common test scenarios, test execution, interpretation of results, and best practices.

---

1. Understand the protocol basics

Before using a simulator, make sure you or your team understand the core elements of IEC 101:

• Role types: Master (control center) and Slave/Controlled station (RTU/IED). Conformance tests often verify both master and slave behaviors depending on the device under test (DUT).
• ASDU structure: Application Service Data Unit (ASDU) carries information objects; ASDUs have type identification (e.g., M_SP_NA_1 for single-point information), variable structure qualifiers, cause of transmission (COT), and more.
• Frame types and link layer: IEC 101 supports both fixed-length and variable-length frames, using link-layer control fields, sequence numbers (for normalized link layer), and checksums.
• Time formats and synchronization: CP56Time2a is used for timestamped information.
• Interrogation and spontaneous transmission: Master can request interrogation; slaves can send spontaneous or cyclic updates.
• Supervision and watchdog: Loss of link, test frames, and link resetting behaviors must be handled appropriately.

Key fact: IEC 101 has specific ASDUs, causes of transmission, and link-layer behaviors that must be validated for conformance.

---

2. Prepare for testing

• Identify the Device Under Test (DUT): master or slave. Tests differ significantly depending on role.
• Obtain the device’s protocol documentation (supported ASDUs, address ranges, data mapping).
• Define test objectives: full conformance (per IEC 101 parts), interoperability, performance, error handling, timing.
• Setup physical connectivity: serial (RS-232/RS-485) or serial-over-IP (tunnel/serial server), matching baud rates, parity, stop bits, and cable wiring. Confirm ground/reference connections for RS-485.
• Configure simulator and DUT addresses (ASDU address, link addresses). Record initial settings.
• Prepare a test plan or checklist aligned with IEC 101 requirements and your product’s supported subset.

---

3. Choose simulator features you need

A capable IEC 101 simulator should offer:

• Role emulation (master and slave).
• Custom ASDU creation and editing (set type ID, object addresses, cause of transmission, qualifiers).
• Sequence number control and link-layer error injection (to test retransmission, frame rejects).
• Time-stamping with CP56Time2a editing.
• Automated test scripts and test suites (for repeatability).
• Logging and trace (hex dump of frames, timestamps).
• Fault injection (bit flips, wrong length, unexpected ASDU types).
• Performance/load simulation (high-rate spontaneous messages).
• Support for multiple connections/sessions.

Choose the simulator that matches required physical interface (serial, TCP tunneling) and supports scripting or automation if you need repeated conformance runs.

---

4. Basic conformance test scenarios

Below are typical scenarios you should run to validate protocol conformance. For each, create test cases that include expected behavior and pass/fail criteria.

1. Link establishment and supervision

   • Test connection setup with correct link addresses and parameters.
   • Verify proper handling of test frame (TESTFR_ACT and TESTFR_CON).
   • Verify link reset and re-synchronization behavior.
   • Inject missing ACKs or sequence errors to confirm retransmission.

2. Frame format and checksum

   • Send valid fixed and variable-length frames; confirm DUT processes them correctly.
   • Send frames with incorrect length or corrupted checksum; DUT should reject or ignore per standard.

3. Interrogation command (C_IC_NA_1)

   • Master sends interrogation; slave responds with correct sequence of ASDUs and end-of-interrogation (COT = activation and termination).
   • Verify object ordering, sequence numbering, and causes of transmission.

4. Single-point and double-point information (M_SP_NA_1, M_DP_NA_1)

   • Verify correct status mapping, quality descriptors, and timestamps when enabled.

5. Measured values and scaled values (M_ME_NC_1, M_ME_NB_1)

   • Check scaling factors, range handling, and timestamp behavior.

6. Control commands (C_SC_NA_1, C_DC_NA_1, C_RC_NA_1)

   • Test activation and termination procedures, positive/negative responses, and interlocks.
   • Validate select-before-operate sequences where applicable.

7. Spontaneous and cyclic transmission

   • Validate spontaneous transmission behavior for changes in input points.
   • Validate cyclic reporting intervals and sequence numbers.

8. Time synchronization

   • Send time sync commands (if supported) and verify CP56Time2a handling and acceptance/rejection.

9. Error/exception handling

   • Send unsupported ASDUs or invalid cause codes; check DUT responses (e.g., no response, error, buffer discard).
   • Perform stress tests: high message rates, fragmented frames, concurrent sessions.

10. Addressing and multiple ASDU addresses

    • Check behavior with different ASDU addresses, VSQ variations (number of objects in single ASDU), and object addressing boundaries.

---

5. Using the simulator: step-by-step example (master testing a slave)

1. Configure physical link: set COM port, baud rate, parity, stop bits.
2. Set simulator to Master mode; set link-layer addresses to match DUT.
3. Configure ASDU address and object address ranges.
4. Run basic link test: send STARTDT_ACT and confirm STARTDT_CON from slave.
5. Perform interrogation: send C_IC_NA_1 (interrogation command, activation). Expect a sequence of information ASDUs from slave followed by a termination cause (COT = 20 or appropriate).
6. Validate individual items: send read or control commands, toggle inputs on the slave, and verify spontaneous updates.
7. Inject faults: alter sequence numbers or corrupt checksum and observe whether the slave retransmits or disconnects per the standard.
8. Log all traffic: save hex dumps and time stamps for offline analysis and compliance records.

Include automated scripts where possible to repeat the above steps consistently and to catch intermittent issues.

---

6. Interpreting simulator logs and traces

• Use hex-level traces to confirm ASDU type identifiers, cause of transmission, information object addresses, and link-layer control fields.
• Check sequence numbers (N(S), N®) to ensure proper frame sequencing and flow control.
• Confirm timestamps are encoded as CP56Time2a and reflect expected time zone/offset.
• Look for error patterns: repeated link resets, missing acknowledgements, or malformed frames indicating either DUT or simulator misconfiguration.
• Correlate DUT behavior with expected IEC 101 state machine transitions (e.g., connection states, command confirmation sequences).

---

7. Automation and regression testing

• Implement test scripts for mandatory conformance tests and common interoperability scenarios.
• Use parameterized scripts that iterate over ASDU types, object addresses, cause codes, and link-layer variations.
• Schedule regression runs after firmware changes to detect regressions early.
• Store test results and traces in a versioned test repository for audits and certification evidence.

---

8. Common pitfalls and troubleshooting

• Mismatched serial settings (baud, parity) cause framing errors — verify both ends.
• Wrong ASDU addresses or object addressing schemes prevent proper mapping — confirm addressing plans.
• Overlooking normalized vs non-normalized link-layer implementations leads to sequence/matching failures — check whether the DUT supports sequence numbering.
• Time format mismatches (CP56Time2a vs device-specific formats) cause timestamp rejection.
• Insufficient logging granularity — enable full hex dumps when diagnosing subtle conformance issues.
• Ignoring electrical-level problems on serial lines (termination, biasing, ground loops) that manifest as intermittent protocol errors.

---

9. Reporting conformance results

A conformance report should include:

• Test environment and hardware/software versions.
• Test plan and list of executed test cases.
• Configuration parameters (link settings, ASDU addresses).
• Pass/fail results with clear failure descriptions.
• Relevant traces (hex dumps) and timestamps for each failed test.
• Recommendations and suggested fixes for failures.

Use a standard template to keep reports consistent and audit-friendly.

---

10. Advanced testing: interoperability and security considerations

• Interoperability: test DUT against multiple vendors’ masters/slaves to uncover vendor-specific assumptions.
• Performance: simulate large numbers of information objects and high update rates to validate processing limits.
• Robustness: run long-duration soak tests and randomized fault injection.
• Security: IEC 101 itself lacks native security (it predates modern cybersecurity concerns). Test for safe integration into secure tunnels (e.g., serial-over-IP with VPN) and ensure command authentication/authorization is handled by surrounding systems or gateways.

---

Conclusion

Using an IEC 101 simulator effectively requires both protocol knowledge and disciplined test planning. Start with basic link and ASDU validation, then expand into functional, error-handling, and performance tests. Automate repetitive checks and capture detailed traces for each test. A rigorous conformance test regime reduces interoperability problems and increases confidence that devices will behave correctly in real-world substation environments.