148 OPC-UA: The Industrial Interoperability Standard

148.1 Learning Objectives

After completing this chapter, you will be able to:

Explain OPC-UA architecture and its role in industrial integration
Understand the OPC-UA information model and node structure
Compare client-server and publish-subscribe communication patterns
Implement OPC-UA security features including authentication and encryption
Design OPC-UA-based systems for IT/OT integration

148.2 Prerequisites

Before diving into this chapter, you should be familiar with:

Industrial Protocols: Understanding of legacy and modern industrial protocols
Industry 4.0 Fundamentals: Core concepts of Industry 4.0 and ISA-95 automation levels
Networking Basics: TCP/IP and client-server communication patterns

148.3 Introduction

OPC Unified Architecture (OPC-UA) is the leading standard for industrial interoperability, designed to bridge IT and OT systems. Unlike proprietary protocols that lock users into specific vendor ecosystems, OPC-UA provides a vendor-neutral, platform-independent foundation for secure industrial communication.

148.4 Why OPC-UA?

Time: ~12 min | Difficulty: Advanced | Unit: P03.C06.U04

Traditional industrial protocols were designed for specific vendors or applications, creating integration challenges. OPC-UA provides:

Platform independence: Works on any OS, hardware, or programming language
Semantic data modeling: Self-describing data with context and relationships
Built-in security: Authentication, encryption, and audit logging
Scalable: From embedded devices to cloud servers
Service-oriented: Multiple communication patterns (client-server, pub-sub)

148.5 OPC-UA Architecture

148.6 Information Model

OPC-UA’s information model is object-oriented and hierarchical:

Core concepts:

Nodes: Objects, variables, methods, views
References: Relationships between nodes (HasComponent, HasProperty, etc.)
Attributes: Metadata (NodeId, BrowseName, DisplayName, Value, etc.)
Data types: Built-in and custom types

Example hierarchy:

%% fig-alt: "OPC-UA object hierarchy diagram showing a PLC Device node (Siemens S7-1500) with three child groups: Properties containing Manufacturer, Model, and SerialNumber; Sensors containing Temperature (45.2 degrees C with engineering units and timestamp) and Pressure variables; and Methods containing Start, Stop, and Reset operations. This illustrates OPC-UA's self-describing information model structure."
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TD
    Device["Device (Object)<br/>Siemens S7-1500"]

    subgraph props["Properties"]
        P1["Manufacturer: Siemens"]
        P2["Model: S7-1500"]
        P3["SerialNumber: AB12345"]
    end

    subgraph sensors["Sensors (Object)"]
        subgraph temp["Temperature (Variable)"]
            TV["Value: 45.2°C"]
            TU["EngineeringUnits: degC"]
            TT["Timestamp: 2025-12-15T10:23:45Z"]
        end
        PR["Pressure (Variable)"]
    end

    subgraph methods["Methods (Object)"]
        M1["Start()"]
        M2["Stop()"]
        M3["Reset()"]
    end

    Device --> props
    Device --> sensors
    Device --> methods

This self-describing model means clients can discover capabilities without prior knowledge of the device.

148.7 Communication Patterns

148.7.1 Client-Server (Request-Response)

The traditional OPC-UA communication pattern:

Client discovers server capabilities
Client reads/writes values
Client subscribes to data changes
Server notifies client of changes
Good for: SCADA systems, HMIs, configuration tools

Typical workflow:

Connect: Client establishes secure session with server
Browse: Client explores server’s address space to discover nodes
Read: Client reads current values of variables
Subscribe: Client creates subscriptions for data change notifications
Monitor: Server sends notifications when subscribed values change
Write: Client writes new values to writable nodes
Call: Client invokes methods on the server

148.8 Security Features

OPC-UA has security built-in from the ground up:

148.8.1 Application Authentication

X.509 certificates identify applications
Certificate exchange during connection establishment
Trust lists managed by administrators

148.8.2 Message Security

Sign: Detect tampering (HMAC-SHA256)
Sign and encrypt: Protect confidentiality (AES-256)

148.8.3 User Authentication

Username/password
X.509 user certificates
Kerberos tokens
SAML tokens

148.8.4 Audit Logging

All security events logged
Connection attempts, authentication failures
Read/write operations on critical data

148.8.5 Security Policies

Policy	Signing	Encryption	Use Case
None	No	No	Testing only
Basic128Rsa15	Yes	Yes	Legacy compatibility
Basic256Sha256	Yes	Yes	Current standard
Aes256-Sha256-RsaPss	Yes	Yes	Highest security

Security Best Practice

Never use Security Policy “None” in production environments. This setting disables all authentication and encryption, exposing industrial systems to unauthorized access and data manipulation. Even in development environments, testing with security enabled helps identify integration issues early.

148.9 Companion Specifications

OPC-UA foundation provides base specifications, but industry-specific companion specifications define standardized information models:

Key companion specifications:

Specification	Industry	Purpose
OPC UA for Machinery	General manufacturing	Base machine model
PackML	Packaging	State machine, counters
EUROMAP	Plastics/rubber	Injection molding machines
MTConnect	Machine tools	CNC and machining centers
ISA-95	Enterprise integration	MES/ERP connectivity
PLCopen	Motion control	Coordinated motion

Benefits of companion specifications:

Plug-and-play: Machines from different vendors expose same interface
Reduced integration: No custom mapping per vendor
Best practices: Industry consensus on data organization
Certification: Conformance testing ensures interoperability

148.10 Implementation Considerations

148.10.1 Embedded vs. Server-Class

Embedded OPC-UA (PLCs, gateways):

Limited resources (MB of RAM, MHz processors)
Use nano or micro profiles
Subset of features (no complex subscriptions)
Focus on reliability over features

Server-class OPC-UA (historians, MES):

Full feature support
High-performance subscriptions
Complex information models
Integration with enterprise systems

148.10.2 Performance Tuning

Subscription parameters:

Publishing interval: How often server checks for changes (100ms-5s typical)
Sampling interval: How often server reads underlying value (can be faster than publishing)
Queue size: How many changes to buffer between publications
Lifetime count: How many publishing intervals before subscription expires

Optimization strategies:

Batch reads: Read multiple nodes in single request
Indexed range: For arrays, read only needed elements
Dead-band filtering: Only report changes exceeding threshold
Aggregated subscriptions: Combine related nodes

148.10.3 High Availability

Redundancy patterns:

Server redundancy: Multiple servers with same address space
Client failover: Automatic reconnection to backup server
Network redundancy: Dual Ethernet paths

Session recovery:

Transfer subscriptions: Move subscriptions to backup server
Sequence numbers: Detect and recover from lost notifications
Secure channel renewal: Automatic key rotation

148.11 OPC-UA in Practice

148.11.1 Typical Deployment Architecture

Field Level (PLCs, sensors)
    ↓ Native protocols (PROFINET, EtherCAT)
Edge Gateways (OPC-UA servers)
    ↓ OPC-UA client-server
SCADA / Historian (OPC-UA clients)
    ↓ OPC-UA pub-sub over MQTT
Cloud Analytics Platform
    ↓ REST APIs
Enterprise Applications (ERP, BI)

148.11.2 Common Integration Patterns

Pattern 1: PLC to Cloud

PLC runs embedded OPC-UA server
Edge gateway subscribes to PLC data
Gateway publishes to MQTT broker
Cloud platform consumes MQTT messages

Pattern 2: Multi-vendor Integration

Each vendor’s equipment exposes OPC-UA server
Central OPC-UA aggregator collects from all servers
SCADA connects to single aggregator endpoint
Unified namespace across all equipment

Pattern 3: Legacy Integration

Protocol gateway converts Modbus/PROFIBUS to OPC-UA
Gateway exposes standardized information model
Modern applications connect via OPC-UA
Legacy equipment remains unchanged

148.12 Summary

OPC-UA has emerged as the standard for industrial interoperability:

Platform independence: OPC-UA works across operating systems, hardware platforms, and programming languages, eliminating vendor lock-in.

Semantic modeling: The self-describing information model enables clients to discover and understand data without prior knowledge, reducing integration effort.

Built-in security: Application authentication, message encryption, and audit logging address industrial cybersecurity requirements from the ground up.

Flexible communication: Client-server for traditional SCADA and pub-sub for cloud connectivity support diverse industrial architectures.

Industry adoption: Companion specifications provide standardized interfaces for specific industries, enabling plug-and-play integration between vendors.

148.13 What’s Next

Continue your learning journey:

Next Chapter: Real-Time Requirements and ISA-95 - Timing constraints and automation hierarchy
Related: Predictive Maintenance - Using IoT for condition monitoring
Related: Industrial Protocols - Modbus, PROFINET, EtherCAT comparison
Index: Industrial IoT and Industry 4.0 - Overview of all IIoT topics

Recommended learning path:

Study OPC-UA specifications (available at opcfoundation.org)
Experiment with open-source implementations (open62541, Node-OPCUA)
Explore OPC-UA certification programs
Review companion specifications for your industry