Tag Archives: OPC Unified Architecture

OPC UA Makes Production Traceability Possible

A primary objective of analyzers is to determine the process state or behavior by measuring selected physical values that are characteristic of it. The result obtained – process data – is used to control, trace and optimize the production process.

To integrate analyzers into supervisory control and tracing systems, the process data must be transported and must unambiguously represent the process and product for the parties that are to be interoperable. To meet this requirement, it is proposed to employ OPC Unified Architecture technology, a universally accepted, platform-neutral communication standard.

In 2008 the OPC Foundation announced support for Analyzer Devices Integration into the OPC Unified Architecture and created a working group composed of end users and vendors, with the main goal of developing a common method for data exchange and an analyzer data model for process and laboratory analyzers. In 2009 the OPC Unified Architecture Companion Specification for Analyser Devices was released. To prove the concept, a reference implementation has been developed containing an ADI-compliant server and a simple client using the Software Development Kit released by the OPC Foundation.

The model described in the specification is intended to provide a unified view of analyzers irrespective of the underlying device. This Information Model is also referred to as the ADI Information Model. As it was mentioned, analyzers can be further refined into various groups, but the specification defines an Information Model that can be applied to all the groups of analyzers.

The ADI Information Model is located above the DI Information Model. It means that the ADI model refers to definitions provided by the DI model, but the reverse is not true. To expand the ADI Information Model, additional layers shall be provided.

There is a variety of analyser groups; however, the ADI Information Model is generic, and therefore before it is implemented in a particular application it must be expanded with application-specific types and customized by overriding the predefined components.

Appropriate Information Model adaptation and implementation is a basic requirement for offering ADI-ready and interoperable products. From the experience gained during development of the reference implementation, it can be stated that this process can be accomplished with very limited resources. Thanks to the reference implementation and supporting tools like CAS Address Space Model Designer, only basic knowledge of the Address Space and Information Model concepts is required.

Because there is a large variety of analyzer types, from various vendors and with many different types of data, including complex arrays and structures, integrating the analyzers with control, tracing and monitoring systems is a real challenge. Initiatives such as Process Analytical Technology are driving analyzer integration, and the best way to accomplish this is via open standards. To address this problem, two questions can be distinguished:

  • How to get access to (transport) the process data,
  • How to represent (model) the process data.

OPC Unified Architecture technology meets all the requirements, because:

  • It is a platform neutral standard allowing easy embedded implementation.
  • It is designed to publish real-time, historical and meta data.
  • It is designed to support complex data types and object models.
  • It is designed to achieve high speed data transfers using efficient binary protocols.
  • It has broad industry support beyond just process automation and is being used in support of other industry standards such as S95, S88, EDDL, MIMOSA, OAGiS.

One of the main goals of the OPC Unified Architecture is to provide a consistent mechanism for the integration of process control and enterprise management systems using client/server middle-range archetype. To make systems interoperable, the data transfer mechanism must be associated with a consistent information representation model. OPC UA uses an object as a fundamental notion to represent data and activity of an underlying system. The objects are placeholders of variables, events and methods and are interconnected by references. This concept is similar to well-known object oriented programming (OOP) that is a programming paradigm using “objects” – data structures consisting of fields, events and methods – and their interactions to design computer programs. The OPC UA Information Model provides features such as data abstraction, encapsulation, polymorphism, and inheritance.

The OPC UA object model allows servers to provide type definitions for objects and their components. Type definitions may be abstract, and may be inherited by new types to reflect polymorphism. They may also be common or they may be system-specific. Using type definitions to describe the information exposed by the server allows:

  • Development against type definitions.
  • Unambiguous assignment of semantics to the data expected by the client.

Having defined types in advance, clients may provide dedicated functionality, for example: displaying the information in the context of specific graphics.

The Information Model is a very powerful concept, but it is abstract and hence, in a real environment, it must be implemented in terms of bit streams (to make information transferable) and addresses (to make information selectively available).

Information exposed by the OPC UA Server is composite. Generally speaking, to select a particular target piece of information a client has two options: random access or browsing. Random access requires that every target entity has been assigned a globally unique address and that the clients know it in advance. We call them well-known addresses. It is applicable mostly to entities defined by standardization bodies. The browsing approach means that clients walk down the available paths that build up the structure of information. This process is costly because, instead of pointing out the target, we need to discover the structure of information step by step using relative identifiers. The main advantage of this approach is that clients do not need any prior knowledge of the structure – clients of this type are called generic clients. To minimize the cost, after the target has been found, every subsequent access to it can use random access. Random access is possible since the browsing path is convertible to a globally unique address using the server services.
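The cost difference between browsing and random access can be seen in a small model. This is an added example, not code from the original article or from any OPC UA SDK: `ToyServer`, `GenericClient` and the analyzer nodes are hypothetical, and only the starting address `i=85` (the standard Objects folder) is a real well-known address.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    node_id: str          # globally unique address
    browse_name: str      # relative identifier used while browsing
    value: object = None
    references: list = field(default_factory=list)  # node_ids of referenced nodes


class ToyServer:
    """Hypothetical stand-in for a server's Address Space; counts service calls."""

    def __init__(self, nodes):
        self.nodes = {n.node_id: n for n in nodes}
        self.calls = 0

    def browse(self, node_id):
        """One browsing step: list (browse_name, node_id) of referenced nodes."""
        self.calls += 1
        node = self.nodes[node_id]
        return [(self.nodes[r].browse_name, r) for r in node.references]

    def read(self, node_id):
        """Random access: read a value by its globally unique address."""
        self.calls += 1
        return self.nodes[node_id].value


class GenericClient:
    """Knows only a well-known starting address; discovers the rest by browsing."""

    def __init__(self, server, start_node_id):
        self.server = server
        self.start = start_node_id
        self._resolved = {}  # browse path -> node_id, filled after the first walk

    def resolve(self, path):
        path = tuple(path)
        if path in self._resolved:
            return self._resolved[path]
        current = self.start
        for name in path:
            children = dict(self.server.browse(current))
            if name not in children:
                raise LookupError(f"{name!r} not found below {current}")
            current = children[name]
        # A cached address is only valid while the server keeps the same
        # structure; a real client must re-resolve when a read reports that
        # the node no longer exists.
        self._resolved[path] = current
        return current

    def read(self, path):
        return self.server.read(self.resolve(path))


def build_sample_server():
    # Constructed sample data: Objects -> Analyzer1 -> Channel1 -> Concentration
    return ToyServer([
        Node("i=85", "Objects", references=["ns=2;i=1000"]),
        Node("ns=2;i=1000", "Analyzer1", references=["ns=2;i=1001"]),
        Node("ns=2;i=1001", "Channel1", references=["ns=2;i=1002"]),
        Node("ns=2;i=1002", "Concentration", value=4.2),
    ])


def demo():
    """Return (value, calls) for the first read and again for the second."""
    server = build_sample_server()
    client = GenericClient(server, "i=85")
    path = ["Analyzer1", "Channel1", "Concentration"]
    first = client.read(path)
    calls_first = server.calls
    second = client.read(path)
    calls_second = server.calls - calls_first
    return first, calls_first, second, calls_second


if __name__ == "__main__":
    print(demo())
```

The first read costs three browse steps plus one read; the second costs a single read because the browse path has already been converted to an address.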


OPC UA Makes Smart Utility Distribution Systems Possible

Most of us don’t give much thought to the major utilities until one or more do not work or the price goes up. In Poland 15% to 20% of generated heat is lost in transit from the manufacturer (Combined Heat & Power plants) to consumers, which gives a value of hundreds of millions of euro a year for the several biggest national networks. In most cases, nonrenewable conventional fossil fuel must be used up in order to produce that heat, i.e. natural resources must be depleted and the environment must be polluted.

Following the concept of smart grids, more and more companies decide to start working on smart utility distribution systems (gas, water, chilled water, or even oil) to improve performance and availability, and to enable consumers to monitor consumption and influence its economical use.

An example is the heating system of Warsaw that is the largest centralized district heating system in Poland and one of the largest in the world. Through the district heating network common for the whole city area, it provides heat to almost 19 thousand buildings in Warsaw, thus satisfying ca. 80% of the demand. This municipal heating system consists of almost 1700 km of network. Power transmitted from the sources amounts to ca. 5200 MW. Ca. 10000 GWh of heat is supplied to the consumers via the heating network.

Important components of the heating system that are involved in heat transmission to the customers are (read full case study):

  • Water pumping stations
  • Consumer exchanger substation
  • Heat chambers

Generally speaking, the task of the “smart distribution” is to support all processes that will make improvement in its operational performance possible. Therefore, with the aim of optimizing processes, the solution should provide:

  • Availability management
  • Costs management

Usually the above tasks are contradictory to some extent, e.g. when minimizing the cost we cannot ignore the consumer’s needs.

Optimization is a method of determining the best (optimal) solution. It is a search for an extreme of a certain function from the point of view of a specific criterion (index) (e.g. cost, temperature, time, etc.).

The selection of the indexes depends on many factors, but in any case we need real-time and historical data gathered from highly distributed process control devices (PLC, distributed I/O, meters, etc.) to provide optimal process control. In the example described above up to 500 000 values are expected to be measured for this purpose.

In order to make a design and analysis of such an elaborate system possible, it is necessary to distribute certain function groups that are logically relevant to each other, using the compound system concept. A well-defined functionality boundary must be a distinguishing feature of each system of that type. To perform their functions, those systems must communicate creating mutual links.

To fulfill the above requirements of Smart Utility Distribution Systems we need the following subsystems:

  • Optimization: supervisory and optimal control of the real-time processes
  • Telemetry: remote control and data acquisition
  • Repository: database management systems to archive process data

To make this architecture deployable and, next, maintainable some critical issues must be addressed:

  • Openness – components communication is based on a common open standard
  • Unified data access – real-time, historical and metadata must be available to all clients using a common publishing mechanism
  • Complex data – with the goal to protect data integrity, complex process data must be supported
  • Security – the strategic nature of these systems requires appropriate security protection against malicious attack
  • Internet technology – it is obvious that Internet technology must be used on the data transportation level between the systems even if we are going to build a separated private network

In my opinion, the only answer to the question of how to meet these requirements is OPC Unified Architecture (OPC UA). It is a set of specifications for the development of software that connects such systems as ERP, SAP, GIS, MES or process control systems. These systems are designed for information exchange and they are used for the control and supervision of real-time industrial processes. OPC UA defines the infrastructure modeling concept in order to facilitate the exchange of process data. The whole architecture of the new standard improves and extends the previous OPC (now called classic) capabilities in the field of application security, stability, event tracking and data management, thus improving interoperability of the distributed architecture components.

OPC UA permits easier cooperation and data exchange between the process control and business management layers. It is designed so as to support a wide range of devices from the lowest level with PLCs to the distributed systems dealing with IT management in an enterprise.

It is worth noting that OPC UA technology is based on services and objects. For more than one decade the software authors have been using solutions based on objects and services but those solutions have never been transferred directly to industrial applications. OPC Unified Architecture has become the first standard close to the technological process that is of a dual nature, both object oriented (Object Oriented Architecture – OOA) and service oriented (Service Oriented Architecture – SOA).

The application of the OPC Unified Architecture standard as a foundation for the proposed architecture will enable us to:

  • Standardize communication between component systems
  • Create a consistent information model that is available to all systems and illustrates the system structure
  • Create a database model (metadata) based on an OPC UA information model, thus giving applications that use Repository access not only to process data but also to metadata describing the system objects
  • Provide open solutions, i.e. the possibility of free connection of the next components in the future
  • Build even global solutions, since OPC UA is an Internet technology

The OPC UA standard allows us to get an open, interoperable and scalable architecture, thus making the development of the infrastructure and its use for other tasks in the future possible. As the proposed architecture is based on open connectivity standards, it provides a framework for the integration of highly distributed “islands of automation” with top-level applications that employ the artificial intelligence idea to optimally control the Distribution Network as a whole.


OPC UA – Specifications


OPC Unified Architecture (OPC UA) is described in a layered set of specifications broken into parts. It is purposely described in abstract terms and only in selected parts coupled to existing technology on which software can be built. This layering is intentional and helps isolate changes in OPC UA from changes in the technology used to implement it.

The OPC UA specifications are organized as a multi-part document combined in the following sets:

  • Core specification
  • Access type specification
  • Utility specification

The first set specifies core capabilities of OPC UA. Those core capabilities define the concept and structure of the Address Space and the services that operate on it. The access type set applies those core capabilities to specific models of data access. As in OPC Classic, the following are distinguished: Data Access (DA), Alarms and Conditions (A&C) and Historical Access (HA). A new access mode is provided as a result of introducing the programs concept and aggregation mechanisms. This set also specifies the UA server discovery process. Those mechanisms are not directly dedicated to supporting data exchange, but play a very important role in the whole interoperability process.

The core set contains the following specifications:

  • Part 1 – Overview and Concepts: presents the concepts and overview of OPC Unified Architecture.
  • Part 2 – Security Model: describes the model for securing interactions between OPC UA clients and servers.
  • Part 3 – Address Space Model: describes an object model that servers use to expose underlying real-time processes to create an OPC UA connectivity space.
  • Part 4 – Services: specifies the services provided by OPC UA servers.
  • Part 5 – Information Model: specifies information representations – types that OPC UA servers use to expose underlying real-time processes.
  • Part 6 – Mappings: specifies transport mappings and data encodings supported by OPC UA.
  • Part 7 – Profiles: introduces the concept of profiles and defines available profiles that are groups of services or functionality.

The access type set contains the following specifications:

  • Part 8 – Data Access: specifies the use of OPC UA for data access.
  • Part 9 – Alarms and Conditions: specifies the use of OPC UA support for accessing alarms and conditions.
  • Part 10 – Programs: specifies OPC UA support for accessing programs.
  • Part 11 – Historical Access: specifies the use of OPC UA for historical access. This access includes both historical data and historical events.

The utility specification parts contain the following specifications:

  • Part 12 – Discovery: introduces the concept of the Discovery Server and specifies how OPC UA clients and servers should interact to recognize OPC UA connectivity.
  • Part 13 – Aggregates: describes ways of aggregating data.

Overview and Concepts

This part describes the goal of OPC UA and introduces the following models to achieve it:

  • Address Space and information model to represent structure, behavior, semantics, and infrastructure of the underlying real-time system.
  • Message model to interact between applications.
  • Communication models to transfer data over the network.
  • Conformance model to guarantee interoperability between systems.
  • Security model to guarantee cyber security addressing client/server authorization, data integrity and encryption.

Security Model

This part describes the OPC UA security model. OPC UA provides countermeasures to resist threats that can be made against the environments in which OPC UA will be deployed. It describes how OPC UA relies upon other standards for security. The proposed architecture is structured in an application layer and a communication layer. The security policies it introduces specify which security mechanisms are to be used. The server uses security policies to announce which mechanisms it supports, and the client uses them to select one of the available policies when establishing the connection.
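A client-side check for the announce-and-select step described above, written so that a server announcing only weak options cannot downgrade the connection. This is an added example, not code from the original article or from an OPC UA SDK: the dictionary keys, the hostname and the preference order in `POLICY_RANK` are assumptions, while the policy URIs and mode names are the standard OPC UA ones.

```python
SP = "http://opcfoundation.org/UA/SecurityPolicy#"

# Local preference order (an assumption of this example); higher is preferred.
POLICY_RANK = {
    SP + "Basic256Sha256": 1,
    SP + "Aes128_Sha256_RsaOaep": 2,
    SP + "Aes256_Sha256_RsaPss": 3,
}
# Policies the OPC Foundation has deprecated; never selected here.
DEPRECATED = {SP + "Basic128Rsa15", SP + "Basic256"}
MODE_RANK = {"Sign": 1, "SignAndEncrypt": 2}


class NoAcceptableEndpoint(Exception):
    """Raised instead of silently falling back to an unprotected endpoint."""


def assess(endpoint, require_encryption=True):
    """Return (rank, None) for an acceptable endpoint, else (None, reason)."""
    policy = endpoint["security_policy_uri"]
    mode = endpoint["security_mode"]
    if policy == SP + "None" or mode == "None":
        return None, "no message security"
    if policy in DEPRECATED:
        return None, "deprecated policy"
    if policy not in POLICY_RANK:
        return None, "unknown policy"
    if mode not in MODE_RANK:
        return None, "unknown mode"
    if require_encryption and mode != "SignAndEncrypt":
        return None, "not encrypted"
    return (MODE_RANK[mode], POLICY_RANK[policy]), None


def select_endpoint(endpoints, require_encryption=True):
    """Pick the strongest acceptable endpoint; report why others were refused."""
    best, best_rank, rejected = None, None, []
    for ep in endpoints:
        rank, reason = assess(ep, require_encryption)
        if rank is None:
            name = ep["security_policy_uri"].split("#")[-1]
            rejected.append((ep["endpoint_url"], name, reason))
        elif best_rank is None or rank > best_rank:
            best, best_rank = ep, rank
    if best is None:
        raise NoAcceptableEndpoint(rejected)
    return best, rejected


def _ep(policy, mode):
    # Constructed sample entry; the URL is a placeholder.
    return {"endpoint_url": "opc.tcp://plc.example:4840",
            "security_policy_uri": SP + policy, "security_mode": mode}


# Constructed sample of what a server might announce.
ANNOUNCED = [
    _ep("None", "None"),
    _ep("Basic128Rsa15", "SignAndEncrypt"),
    _ep("Basic256Sha256", "Sign"),
    _ep("Basic256Sha256", "SignAndEncrypt"),
    _ep("Aes256_Sha256_RsaPss", "SignAndEncrypt"),
]

if __name__ == "__main__":
    chosen, refused = select_endpoint(ANNOUNCED)
    print("chosen:", chosen["security_policy_uri"], chosen["security_mode"])
    for url, name, reason in refused:
        print("refused:", name, "-", reason)
```

Logging the refused entries gives operations a record of servers that still announce unprotected or deprecated endpoints.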

Address Space

There is no doubt that information technology and process control engineering have to be integrated to benefit from macro optimization and the synergy effect. To integrate them, we must make systems interoperable. This makes it necessary to exchange information, but to be exchanged, information has to be represented as computer-centric (saveable in a binary memory) and transferable (a stream of bits) data. According to the specification, a set of objects that an OPC UA server makes available to clients as data representing an underlying real-time system is referred to as its Address Space. The groundbreaking feature of the Address Space concept is that it allows both the real process environment and real-time process behavior to be represented by a unique means, mutually understandable by diverse systems.


Services

The OPC UA services described in this part are a collection of abstract remote procedure calls that are to be implemented by the servers and called by the clients. The services are considered abstract because no particular implementation is defined in this part. The part Mappings describes more specific mappings supported for implementation. Separation of the service definition and implementation allows for harmonization with new emerging technologies by making new mappings.

Information Model

To make the data exposed by the Address Space mutually understandable by diverse systems, the information model part standardizes the information representation as computer centric data. To promote interoperability, the information model defines the content of the Address Space of an empty OPC UA server. This content can be used as a starting browse point to discover all information relevant to any client. Definitions provided in this part are considered abstract because they do not define any particular representation on the wire. To make the solution open for new technologies, the representation mappings are postponed to the part Mappings. The solution proposed in this model is also open to defining vendor specific representations.


Mappings

This part defines mappings between abstract definitions contained in the specification (e.g. in the parts: Information Model, Services, Security Model) and technologies that can be used to implement them. Mappings are organized into three groups: data encodings, security protocols and transport protocols. Different mappings are combined together to create stack profiles.


Profiles

This part describes the OPC UA profiles as groups of services or functionality that can be used for conformance level certification. Individual features are grouped into conformance units, which are further grouped into profiles. All OPC UA applications shall implement at least one stack profile and can only communicate with other OPC UA applications that implement the same stack profile. Servers and clients will be tested against the profiles. Servers and clients must be able to describe which of the features they support.

Data Access

This part describes the information model associated with the Data Access (DA) mode. It particularly includes an additional definition of variable types and a complementary description of Address Space objects. This part also includes additional descriptions of node classes and attributes needed for DA, as well as DA specific usage of services to access process data.

Alarms and Conditions

This part describes the representation of events and alarms in the OPC UA Address Space and introduces the concepts of condition, dialog, acknowledgeable condition, confirmable condition and alarm. To expose this information, it extends the information model defined in other parts and describes alarm-specific uses of services.


Programs

This part extends the notion of methods and introduces the concept of programs as a complex, stateful functionality in a server or underlying system that can be invoked and managed by an OPC UA client. The provided definitions describe the standard representation of programs as part of the OPC Unified Architecture information model. The specific use of services is also discussed.

Historical Access

This part describes an extension of the information model associated with Historical Access (HA). It particularly includes additional and complementary definitions of the representation of historical time series data and historical event data. Additionally, this part covers HA specific usage of services to detect and access historical data and events.


Discovery

The main aim of this part is to address the discovery process that allows the clients to first find servers on the network and then find out how to connect to them. This part describes how UA clients and servers interact to exchange information on resources available on the network in different scenarios. To achieve this goal, it introduces the concepts of a discovery server, which is a placeholder of global scope information, and a local discovery server, whose main task is to manage information vital to local resources. Finally, this part describes how to discover UA applications when using common directory service protocols such as UDDI and LDAP.


Aggregates

This part specifies the information model associated with aggregates and describes how to compute and return aggregates like minimum, maximum, average etc. Aggregates can be used with base (live) data as well as historical (HA) data. This part also addresses the aggregate-specific usage of services.


OPC UA Makes Smart Factory Possible

From the historical perspective some key words can be recognized as milestones of the manufacturing enhancement process. These key words describe the main solution or concept that is specific to consecutive eras of development. So the following words hit the big time in history: microprocessor system, automatic processing (PLC), and redundant high availability solution. Today, to be in fashion, we must provide smart solutions, and finally almost everything is smart. We have smart-cars, smart-grids, smart-buildings, and smart-cities. Therefore we must ask whether it is only a buzzword. Going further: can we imagine smart cigarettes? To be honest, I must say that today we do not need artificial intelligence to smoke things like that, but recently I have learnt that cigarettes may have a button to change their flavor on demand – it seems that we are very close to a keyboard concept. What’s more, today it is required that cigarettes are digitally signed to be traceable – it seems that we are very close to the RFID technology and, finally, the Internet of Things concept. Anyway, giving the right answer to this question is only a matter of the definition of the word smart, but nowadays production of cigarettes, as of almost everything, is doubtless a challenging activity and needs steady improvement of the manufacturing environment to compete successfully on the global market.

Read the story: Smart Factory Deployment Strategy


OPC UA Makes Cloud Computing Possible.

For someone who has accomplished hundreds of control system projects it is not easy to accept the fact that we have adopted most innovative solutions from business technology. Unfortunately, first a programmable calculator was produced and only later did the programmable controller (PLC) appear; first the personal computer (PC) was used to prepare invoices, and only later was SCADA deployed on the PC. This post is about the adoption of the Cloud Computing concept by the process control industry and the requirements that must be fulfilled to apply this concept safely.

The cloud concept is becoming more and more popular in the – we call them disdainfully – office suit, but more officially business management applications. Maybe it could also be widely adopted and give us a new means to further improve the manufacturing efficiency index, including cost reduction, and to improve the availability of utilities.

Applications are traditionally classified as:

  • Business management
  • Process management

Customer Relationship Management (CRM) is a business management application, but controlling a process using a PLC is an example of process management. As a rule we do not try to discover relations between applications like that or the possibility of integrating their functionality. It is like a myth – they have nothing in common – that’s all. Really? As I write this sentence, the concept of the Smart Grid immediately comes to mind, where optimization of energy consumption is located mainly on the customers’ site – the energy consumers.

The above example is used to illustrate how a highly distributed measurement environment can be offered as a service.

Cloud Computing is defined as a method of providing a requested functionality as a set of services. There are many examples showing that cloud computing is really useful for reducing cost and increasing robustness. To follow the Cloud Computing idea and offer control systems as a service, a mechanism is required that is built on the service concept and supports abstraction and virtualization – the two main pillars of the Cloud Computing paradigm.

In my opinion, it can be obtained by setting up this mechanism on the foundation of OPC Unified Architecture (see also OPC Unified Architecture – Main Technological Features), which is an out-of-the-box solution derived from the Service Oriented Architecture principles. Therefore we can say that it is a service-centric solution.

Thanks to the OPC UA standard we are able to abstract the process control as the OPC UA Address Space implementing a selected, process-oriented information model. The Address Space is very useful for offering selective availability, as a means to manage the process representation and the scope of its exposure to the users – OPC UA Clients.

In the Cloud Computing concept, virtualization is recognized as the possibility for many users to share the services. An OPC UA server is a publishing mechanism exposing process data and metadata to an unlimited number of clients, and therefore it fulfills this requirement as well.

A multiuser, dynamic and global environment brings a risk of unauthorized access and concerns about how cloud reliability and security could threaten manufacturing stability. Because OPC UA engages public key infrastructure – the strongest widely used authentication mechanism – the process can be protected against any cyber attack.

All the above leads to the conclusion that the process control community is well equipped to adopt Cloud Computing and take advantage of new features that open new fields of application. The only open question is whether the process control community is ready to put its trust in the new emerging technology.


OPC Unified Architecture – Main Technological Features


One of the main goals of the OPC Unified Architecture is to provide a consistent mechanism for the integration of process control and management systems. It is assumed that it should be robust and the implementation should be platform independent. In this section I will examine technologies and paradigms used as a foundation for the development of the OPC UA standard and discuss their impact on the final result.

Service Oriented Architecture

At the very beginning of a new solution development, we must address a question about its fundamental paradigms and architecture. OPC Classic is based on the functionality provided by an operating system and is actually an instruction on how to use the functionality to interconnect participants of the data exchange. This was recognized as one of the drawbacks making the lifetime of the OPC Classic standard dependent on the lifetime of the technology it is based on.

Observing the continuous evolution of the IT domain, it seems that finding a solution that will guarantee an unlimited lifetime is a real challenge. However, decoupling the solution from any base technology increases the chance of it surviving the disappearance of the base technology from the market. Developing services and deploying them using a Service Oriented Architecture (SOA) is the best way to utilize IT systems to meet this challenge. A service differs from an object or a procedure because it is defined by messages that it exchanges with other services. SOA defines the way in which services are deployed and managed. Using a SOA approach increases reuse, lowers overall cost, and improves the ability to rapidly change and evolve systems, whether old or new.

To make systems interoperable, even a brilliant idea is not enough. We need a data transfer technology; however, when defining data exchange in the context of messages, we do not need to bother with the different technologies used by the participants as long as they can absorb the messages.

Today, an ideal platform for the SOA concept implementation is Web Service technologies. They represent the most widely adopted distributed computing standards in industry history. Web Services are a set of standards based on XML (eXtensible Markup Language) and developed by W3C (World Wide Web Consortium). Those standards are generally marked with a WS-* symbol. Because the WS-* standards are developed without any initial assumption concerning the underlying system platform they are implemented on, they must precisely define what must be on the “wire”.

The WS-* standards are the basic foundation for OPC UA but, using them alone, would not be enough to reach the expected data throughput performance in industrial applications. The OPC UA suite of protocols, therefore, expands the WS-* standards by defining a few proprietary ones that can be used alternatively. OPC UA messages may be encoded as an XML text or in binary format for efficiency purposes. They may be transferred using multiple underlying transports, for example TCP or SOAP over HTTP. Clients and servers that support multiple transports and encodings will allow end users to make decisions about tradeoffs between performance and XML Web Services compatibility at the time of deployment, rather than having these tradeoffs determined by the OPC vendor at the time of product definition.

Object Oriented Information Model

To make systems interoperable, the data transfer mechanism must be associated with a consistent information representation model. OPC UA uses an object as a fundamental notion to represent data and activity of an underlying system. The objects are placeholders of variables, events and methods and are interconnected by references. This concept is similar to well-known object oriented programming (OOP) that is a programming paradigm using “objects” – data structures consisting of fields, events and methods – and their interactions to design applications and computer programs. The OPC UA Information Model provides features such as data abstraction, encapsulation, polymorphism, and inheritance.

The OPC UA object model allows servers to provide type definitions for objects and their components. Type definitions may be abstract, and may be inherited by new types to reflect polymorphism. They may also be common or they may be system-specific. Object types may be defined by standardization organizations, vendors or end-users.

The Information Model is a very powerful concept, but it is abstract and hence, in a real environment, it must be implemented in terms of bit streams (to make information transferable) and addresses (to make information selectively available). To meet this requirement, OPC UA introduces a Node notion as an atomic addressable entity that consists of attributes (value-holders) and references (address-holders of coupled nodes). The set of Nodes that an OPC UA Server makes available to clients is referred to as its Address Space, which enables representation of both real process environment and real-time process behavior. The Address Space is described in depth in the OPC UA eBook.

Each of the previous OPC Classic specifications defined their own address space model and their own set of services. OPC UA unifies the previous models into a single integrated Address Space with a single set of services.

Abstraction and Mapping

Interoperability of systems can be achieved if communicating parties are able to interchange streams of bits and assign to these streams the same meaning without any ambiguity. Unfortunately, the representation of information on the wire and the communication protocols are nowadays subject to continuous evolution, if not revolution. This could be dangerous for any long-term initiative. Because it is impossible to stop the progress of technology changes, some other precaution must be undertaken to keep the specification alive within a long-term horizon. This is achieved by a clear separation of the definitions provided by the specification from their actual implementation, which makes OPC UA seamlessly portable from one technology to another. Mappings defined in the specification set forth how to implement an OPC UA feature using a specific technology. For example, the mapping for OPC UA binary encoding specifies how to serialize OPC UA data structures as sequences of bytes.

Additionally, separation of the definition and implementation makes the solution more flexible and scalable thanks to a free (to a certain degree) selection of technologies appropriate for the current communicating parties' needs. Unfortunately, it may cause adverse interoperability issues, because the interconnected systems must be able to use the same communication mechanism. This is partially overcome by the definition of profiles and a negotiation mechanism.
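As an added illustration of such a mapping (example code written for this page, not taken from the OPC Foundation SDK), the following sketch serializes two OPC UA built-in types in the binary encoding and decodes a String defensively. The layouts are those of the binary mapping as I know it; `MAX_STRING_LEN` and the function names are assumptions of the example.

```python
import struct

MAX_STRING_LEN = 4096  # assumed local limit chosen for this example

def encode_string(s):
    """OPC UA String: Int32 little-endian byte length, then UTF-8; null is length -1."""
    if s is None:
        return struct.pack("<i", -1)
    raw = s.encode("utf-8")
    return struct.pack("<i", len(raw)) + raw

def decode_string(buf, offset=0):
    """Return (value, next_offset); reject any length the buffer cannot back."""
    if len(buf) - offset < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("<i", buf, offset)
    offset += 4
    if length == -1:
        return None, offset  # null string, no payload bytes follow
    if length < -1 or length > MAX_STRING_LEN:
        raise ValueError("string length out of range: %d" % length)
    if length > len(buf) - offset:
        raise ValueError("declared length exceeds remaining bytes")
    return buf[offset:offset + length].decode("utf-8"), offset + length

def encode_numeric_nodeid(namespace, identifier):
    """Pick the most compact of the three numeric NodeId layouts."""
    if namespace == 0 and 0 <= identifier <= 0xFF:
        return struct.pack("<BB", 0x00, identifier)              # two-byte form
    if 0 <= namespace <= 0xFF and 0 <= identifier <= 0xFFFF:
        return struct.pack("<BBH", 0x01, namespace, identifier)  # four-byte form
    return struct.pack("<BHI", 0x02, namespace, identifier)      # full numeric form
```

The decoder checks the declared length against both a local ceiling and the bytes actually present before slicing, which is the check a receiver of length-prefixed data from the network needs.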


Security is a fundamental aspect of computer systems, in particular those dedicated to enterprise and process management. Especially in this kind of application, security must be robust and effective. Security infrastructure should also be flexible enough to support a variety of security policies required by different organizations. OPC UA may be deployed in diverse environments: from clients and servers residing on the same host, through hosts located on the same operation network protected by security boundary protections that separate the operation network from external connections, up to applications running in global environments using public network infrastructure. Depending on the environment and application requirements, the communication services must provide different protections to make the solution secure; therefore the OPC UA specification must offer scalability.

OPC UA Security is concerned with the authentication of clients and servers, the authorization of users, the integrity and confidentiality of their communications and the auditing of client-server interactions. To meet this goal, security is integrated into all aspects of the design and implementation of OPC UA Servers and Clients. The OPC Foundation has also addressed the security issues that arise from implementation. This includes independent reviews of all aspects of security, starting from the design of in-depth security provided by the specification (which is built and modeled on the WS-* specifications) to the actual implementation provided by the OPC Foundation. The OPC Foundation has chosen to use industry standard security algorithms and industry standard security libraries to implement OPC UA Security (see OPC UA eBook).

Security mechanisms can be provided by diverse communication layers. Transport-level security is a solution limited to point-to-point messaging. In this case messages can be protected by establishing a secure connection (association) between two hosts using, for example, the Transport Layer Security (TLS) or IPSec protocols. But if intermediaries are present when using a secure transport, the initial sender and the ultimate receiver need to trust those intermediaries to help provide end-to-end security, because each hop is secured separately. In addition to explicit trust of all intermediaries, other risks such as local storage of messages and the potential for an intermediary to be compromised must be considered. Thus, using only transport security limits the richness of the security solution to transport-specific features. OPC UA is a session-centric communication. Hence, a security association must survive beyond a single transport connection.

To meet the above requirements, the OPC UA security architecture is defined as a generic solution that allows implementation of the required security features at various places in the application architecture. The OPC UA security architecture is structured in an application layer and a communication layer atop the transport layer.

The routine work of a client application and a server application to transmit plant information, settings, and commands is done in a session in the application layer. The application layer also manages user authentication and user authorization. OPC UA Client and Server applications identify and authenticate themselves with X.509 Certificates. Clients pass a user identity token to the OPC UA Server. The OPC UA Server authenticates the user token. Applications accept tokens in any of the following three forms: username/password, an X.509v3 certificate or a WS-SecurityToken.

A session in the application layer communicates over a secure channel that is created in the communication layer and relies upon it for secure communication. All of the session data is passed to the communication layer for further processing. The secure channel is responsible for message integrity, confidentiality and application authentication.

OPC UA uses symmetric and asymmetric encryption to protect confidentiality as a security objective. OPC UA relies upon the site cyber security management system to protect confidentiality on the network and system infrastructure, and utilizes the Public Key Infrastructure to manage keys used for symmetric and asymmetric encryption. OPC UA uses symmetric and asymmetric signatures to address integrity as a security objective.
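The split between channel protection and user tokens described above can be checked on a deployed server by reviewing the endpoints it advertises. The sketch below is an added example, not code from the OPC Foundation: it audits constructed endpoint descriptions, using the message security mode, user token type and security policy URI names from the OPC UA specification, while the dictionary layout, the placeholder host and the finding texts are assumptions of the example.

```python
# Constructed endpoint descriptions (not captured from a real server), reduced
# to the fields this check reads. Enum and URI names follow the OPC UA spec.
POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
POLICY_NONE = POLICY_BASE + "None"
URL = "opc.tcp://analyzer.example:4840"  # placeholder host

SAMPLE_ENDPOINTS = [
    {"url": URL, "mode": "None", "policy": POLICY_NONE,
     "tokens": [{"type": "Anonymous", "policy": ""},
                {"type": "UserName", "policy": ""}]},
    {"url": URL, "mode": "Sign", "policy": POLICY_BASE + "Basic256Sha256",
     "tokens": [{"type": "UserName", "policy": ""}]},
    {"url": URL, "mode": "SignAndEncrypt", "policy": POLICY_BASE + "Basic256Sha256",
     "tokens": [{"type": "Certificate", "policy": ""}]},
]

def audit_endpoint(ep):
    """Return findings for one endpoint: channel protection first, then user tokens."""
    findings = []
    if ep["mode"] == "None":
        findings.append("channel: no integrity or confidentiality")
    elif ep["mode"] == "Sign":
        findings.append("channel: integrity only, payload readable on the wire")
    elif ep["mode"] != "SignAndEncrypt":
        findings.append("channel: unknown security mode %r" % ep["mode"])
    for tok in ep["tokens"]:
        # An empty token policy means the secure channel's policy protects the token.
        effective = tok["policy"] or ep["policy"]
        if tok["type"] == "Anonymous":
            findings.append("user: anonymous sessions accepted")
        elif tok["type"] == "UserName" and effective == POLICY_NONE:
            findings.append("user: password sent without encryption")
    return findings

def audit(endpoints):
    """Map 'index url [mode]' to findings, keeping only endpoints with findings."""
    report = {}
    for i, ep in enumerate(endpoints):
        found = audit_endpoint(ep)
        if found:
            report["%d %s [%s]" % (i, ep["url"], ep["mode"])] = found
    return report
```

Whether a Sign-only or anonymous endpoint is acceptable depends on the site's security policy; the audit only makes the exposure visible.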


OPC UA is designed to support a wide range of servers, from plant-floor PLCs to enterprise servers. Those servers are characterized by a variety of sizes, performance, execution platforms and functional capabilities. Therefore, OPC UA defines a comprehensive set of capabilities, of which servers may implement a subset. These subsets are referred to as Profiles, and servers may claim conformance to them. Clients can then discover the Profiles for a server, and tailor their interactions with that server based on the Profiles. Clients also contain Profiles, which allow end users to match up server profiles to client profiles, making it easier to ensure that diverse clients and servers will interoperate. Servers can also discover these client profiles and could tailor their response to the client based on the client profile.


OPC UA is designed to provide robustness of published data. The major feature of all OPC UA Servers is the ability to publish data and event notifications. OPC UA provides mechanisms for clients to quickly detect and recover from communication failures associated with transfers without having to wait for long timeouts provided by the underlying protocols.

The design of OPC UA ensures that vendors can create redundant clients and redundant servers in a consistent manner. Redundancy may be used for high availability, fault tolerance and load balancing. Generally we can distinguish redundancy of: servers/clients, communication paths and signals. Although the specification provides support only for client/server redundancy, product vendors can incorporate all kinds of redundancy into the framework proposed by the specification. For example, a server can establish wireless connection as the means of recovery from cable connection failure or a server can use many data sources bound to a variable to provide continuous updating of the variable value even if one of the sensors has been damaged.

OPC UA requires a stateful model, which is a further feature that increases the robustness of the solution. State information is maintained inside an application session. Examples of state information are subscriptions, user credentials and continuation points for operations that span multiple requests.

Sessions are defined as logical connections between clients and servers. It is worth stressing that each session is independent of the underlying communications protocols. Failures of these protocols do not automatically cause the session to terminate. Sessions terminate based on a client or server request, or based on inactivity of the client.

Further reading

More can be found in the eBook:

OPC UA eBook