IEC 61850 does not treat control operations as simple “write a value and hope it works.”
Instead, it defines formal control models that describe how a command is issued, who is allowed to issue it, and how safety is guaranteed.
These control models are one of the most important — and most misunderstood — parts of IEC 61850.
This article explains:
- What IEC 61850 control models are
- Why they exist
- How Direct, Select-Before-Operate (SBO), and SBO with Enhanced Security (SBOwES) work
- Where each model is used in real substations
Table of Contents
1. Why IEC 61850 Needs Control Models
In older protocols (Modbus, DNP3), a control command is usually simple:
- Write a value
- Device executes it
There is no built-in protection against:
- Accidental clicks
- Two operators issuing commands at the same time
- Stale SCADA sessions
- Wrong device selection
IEC 61850 was designed for protection and high-risk operations, such as:
- Breaker open/close
- Disconnector operation
- Transformer tap changing
For these actions, safety is more important than speed.
So IEC 61850 defines control models that enforce:
- Authorization
- Validation
- Command sequencing
- Locking
- Supervision
2. Where Control Models Are Defined
IEC 61850 control behavior is defined mainly in:
- IEC 61850-7-2 (ACSI – control services)
- IEC 61850-7-4 (Logical Nodes like XCBR, CSWI, CILO)
Control models apply to controllable Data Objects, typically:
XCBR.Pos(breaker position)CSWI.Pos(switch control)ATCC.TapPos(tap changer)
Each controllable object includes a control model attribute:
ctlModel
This attribute defines which control model is used.
3. Overview of IEC 61850 Control Models
IEC 61850 defines three main control models used in practice:
| Control Model | Safety Level | Typical Use |
|---|---|---|
| Direct Operate | Low | Non-critical control |
| Select-Before-Operate (SBO) | High | Breakers, switches |
| SBO with Enhanced Security (SBOwES) | Very High | Protection-critical control |
4. Direct Operate Control Model
What It Is
Direct Operate means:
- The client sends one command
- The device executes it immediately
There is no prior selection step.
How It Works
- SCADA sends an Operate command
- IED checks basic permissions
- Action is executed
That’s it.
Characteristics
- Fast
- Simple
- Minimal signaling
- No object locking
Risks
- Accidental operation
- No confirmation that the operator selected the correct device
- No protection against multiple clients issuing commands simultaneously
Where Direct Operate Is Used
Direct control is typically used for:
- Test functions
- Non-critical auxiliary equipment
- Engineering or maintenance actions
- Low-risk automation tasks
It is not recommended for:
- High-voltage breakers
- Protection-related switching
- Interlocked devices
5. Select-Before-Operate (SBO)
Why SBO Exists
SBO was introduced to prevent accidental or unsafe operations.
It enforces a two-step process:
- Select the object
- Then operate it
This ensures the operator and the system agree on what is being controlled.
SBO Sequence (Step by Step)
Step 1 – Select
- SCADA sends a Select command
- IED checks:
- Is control allowed?
- Is the object available?
- Are interlocks satisfied?
- If valid:
- The object is locked
- Only that client may operate it
Step 2 – Operate
- SCADA sends the Operate command
- IED verifies:
- Same client as Select
- Selection has not timed out
- Action is executed
- Lock is released
Key Properties of SBO
- Prevents wrong-device operation
- Prevents multiple clients from acting simultaneously
- Forces explicit operator intent
- Much safer than Direct Operate
Timeout Protection
If Operate is not received within a defined time:
- Selection expires
- Object is unlocked automatically
Where SBO Is Used
SBO is the most common control model in IEC 61850 and is used for:
- Circuit breakers (XCBR)
- Disconnectors
- Earthing switches
- Bay control via CSWI
- Substation switching operations
6. SBO with Enhanced Security (SBOwES)
What Makes SBOwES Different
SBOwES adds stronger validation on top of standard SBO.
In addition to Select + Operate, it requires:
- Control origin verification
- Explicit confirmation of intent
- Stronger supervision of control conditions
This model is designed for mission-critical operations.
Additional Protections in SBOwES
SBOwES includes:
- Control number matching
- Originator identity verification
- Strict state consistency checks
- Rejection of stale or duplicated commands
This makes it extremely resistant to:
- Network delays
- Duplicate messages
- Replay attacks
- SCADA session confusion
Where SBOwES Is Used
SBOwES is typically used for:
- Protection-related control
- Critical breaker operations
- Inter-IED automated control
- Digital substations with high automation levels
Not all IEDs support SBOwES — it depends on vendor implementation.
7. Control Models and Logical Nodes
Control models are applied inside Logical Nodes, such as:
XCBR→ physical breakerCSWI→ switch controllerCILO→ interlocking logic
Typical structure:
XCBR1.Pos.ctlModel
The control model is defined in the IED configuration (SCL) and is read-only at runtime.
8. Control Models and Safety Philosophy
IEC 61850 control models reflect a key design principle:
Control must be safe first, fast second
- Direct Operate → speed, low safety
- SBO → balance of safety and usability
- SBOwES → maximum safety
Utilities choose the model based on:
- Voltage level
- Operational risk
- Automation complexity
- Cybersecurity policy
9. Common Engineering Mistakes
Common issues seen in real projects:
- Using Direct Operate for breakers
- Mixing SBO and Direct across systems
- Ignoring Select timeout behavior
- Not aligning SCADA behavior with ctlModel
- Assuming all vendors behave identically
Control models must be tested during commissioning, not assumed.
10. Summary
IEC 61850 control models are not optional features — they are fundamental to safe operation.
- Direct Operate is simple but risky
- SBO is the industry standard for safe switching
- SBOwES provides maximum protection for critical control
Understanding control models is essential for:
- SCADA engineers
- Protection engineers
- Commissioning teams
- Substation automation designers
IEC 61850 does not just send commands — it defines how control should behave.
That is what makes it suitable for modern, digital, high-risk power systems.