Tag Archives: Service-oriented architecture

IoT versus SCADA/DCS Data Acquisition Patterns


The term Internet of Things (IoT) is used in a variety of contexts where it is often misunderstood, because it can be replaced by other terms much better describing the matter we deal with or the definitions are not compliant with each other. Let me remind you about the very beginning of this term life.

That ‘Internet of Things’ Thing

The phrase “Internet of Things” started its life as the title of a presentation made in 1999 and aimed at explaining a new idea of radio frequency identification (RFID) in the context of the supply chain performance. It is clear that it doesn’t mean that someone has any right to control how others use the phrase, but my point is that a precise term definition is important for working together on: common rules, architecture, solutions, requirements, capabilities, limitations, etc. In practice having a common definition it is possible to check a selected technology, solution or product capabilities against requirements of the application entitled to use this term.

The main goal of this article is to contribute to the community work aimed to distinguish the IoT applications domain features. The main challenge faced up is to narrow the definition to make it unambiguous and meaningful.

In most publications I know the term IoT can be simply replaced with the following well-known terms:

  • SCADA – Supervisory Control and Data Acquisition
  • DCS – Distributed Control Systems

and the text still will be perfectly OK. In this context the “sensor” term plays the role of the “thing” and the nodes network is a synonym of the Internet. No one usually takes care whether we are talking about the temperature sensor in a bedroom or in a boiler drum in a power plant except that in case of a power plant sometimes the prefix Industrial is added. To make our life easier let’s forget about the “I” (Industrial) prefix at all because it doesn’t change the most important application domain features.

To illustrate the further discussion let me provide examples that can be recognized as SCADA/DCS and IoT applications respectively.

SCADA/DCS example

Let’s assume that an OPC UA Server exposes 123456 values representing the crude oil refining process. Using SCADA on top of this server we can monitor and manually control the process. Using DCS it is possible to implement a supervisory control algorithm to provide macro optimization.

For this scenario we can apply the following work-flow:

  • The server instantiates an OPC UA Information Model for the crude oil refining process.
  • All plant floor devices equipped with sensors are fetching data representing the current process state (for example the flow meter #A-4321 supporting the Modbus RTU communication protocol) and are waiting for data requests coming from the server communication engine.
  • The communication engine embedded in the server polls all plant floor devices including the flow meter #A-4321 to recover the current process state.
  • Finally, the OPC UA Server exposes the data (updates value attributes of the relevant variable nodes, e.g. #A-4321 object representing the virtual flow meter #A-4321) in his Address Space Management component (i.e. in the Address Space instantiated according to the Information Model of the crude oil refining process).
  • OPC UA Clients connected to this server are updated in a standardized way.

Note in this scenario that the OPC UA Client and OPC UA Server can establish connection over the Internet using any existing transport protocol, e.g. HTTP, HTTPS, TCP, UDP, AMQP. Selection of the transport protocol between the client and server is negotiated and limited by the OPC UA specification. To get more read OPC Unified Architecture – Main Technological Features.

You can use the server I have exposed many years ago to test this scenario. The instruction how to connect is included in the following document:


IoT example

Do you think a box (or even pack) of cigarettes could be the “thing”. It has a bar-code, so it is the source of data. Is it the sensor – NO because the bar-code reader (industrial scanner) is the sensor in this case. Can we recognize the bar-code reader as the “thing” – again the answer is NO if the goal is to provide a GLOBAL cigarettes tracking system. The same applies to drugs for example. Is it an IoT solution – my answer is YES, no doubts. Is it SCADA/DCS –the answer is NO, because the server (undelaying communication engine) cannot poll all possible places spread over the world where the box could appear. There are two reasons:

  • It is impractical or even impossible to manage such a huge set of addresses.
  • The server doesn’t know when to poll because the relevant data appear as an event instead of a process state value.

Assuming that the server is interested or even allowed to collect product data of one vendor only – not all codes fetched by any bar-code reader are relevant to the server.

Is the “thing” smart – I don’t think we can call the bar-code something smart. Is it controllable – NO.

The most interesting observation is that we can recognize this use case as an IoT application, but we have not mentioned OPC, AMQP, MQTT, SOA, Internet, WI-FI, wireless, Modbus, etc. at all, but only that we have important mobile data and the solution is globally scoped. It is good because we can check the available technology capabilities against this application requirements. As I have said selected communication technology is not the goal, but we must know how it scales to applications like this.

Now, let’s replace the word GLOBAL by LOCAL (for example cash desks farm in a shop) and the same application is no longer an IoT deployment, isn’t it? It is true even if the cash desks are interconnected using the IP protocol (e.g. Intranet)!

Sometimes it is stressed that any IoT application must guarantee a high level of robustness, but importance of the sensor and data robustness requirement is applicable to many kind of applications, e.g. controlling an airplane engine during flight. The same engine could be monitored and tracked after landing in any airport using the local WI-FI by uploading archival data to a central advanced analytic system (like the cigarettes box bar-code). Is it IoT? It isn’t during the flight, but the solution is life sensitive. After landing it is IoT, but the reliability of the data and data transfer is not so important, isn’t it?

IoT Paradigms

My proposal of the Internet of Things definition is as follows:

Internet of Things is all about:

  • mobile data fetching – how to gather the data from mobile devices (things);
  • mobile data subscription – how to transfer the data over the Internet to a place where it could be processed;
  • mobile data processing – how to integrate the data into a selected application to improve process behavioral performance.

Data fetching is related to a variety of last mile communication technologies, for example RFID, WI-FI, VHF, Bluetooth, etc. Subscription could be supported using messaging systems, e.g. AMQP, MQTT, etc. A good candidate for leveraging data consumption is for example OPC Unified Architecture.

Referring to previous examples, the data fetching process looks very similar in both cases – we have a data source and a sensor coupled together at some point in time responsible for sampling the data. Analyzing the examples from the application functionality point of view we cannot compare them because there are no requirements defined at all – only very general descriptions are provided. It looks like application capabilities are not relevant to the term definition. It is the reason why the terms SCADA, DCS and IoT are used interchangeably neglecting the fundamental differences between the following data acquisition patterns:

  • Data polling–continuous checking of the sensors to see what state they are in, usually in multipoint or multidrop communication (a communication engine with multiple devices attached that share the same line) by sending a message to each device, one at a time, asking each to respond and send new data.
  • Data subscription– senders of messages containing the process data fetched by the sensor, called publishers, do not prepare the messages to be sent directly to specific receivers, called subscribers, but instead they categorize published messages into topics without knowledge of which subscribers, if any, may receive the message. Similarly, subscribers express interest in one or more topics and only receive messages that are of interest, without knowledge of which publishers, if any, there are.

It is worth stressing that in both cases reusability of the fetched data is assured. In data polling scenario the server coupled with the communication engine may be connected to by many clients at the same time. In data subscription scenario the publisher is responsible for multicasting the data to all attached subscribers directly or indirectly using a broker.

To deploy the IoT scenario:

  • the mobile data must be sent over the Internet (or Intranet) using messages;
  • the payload of these messages is consumed asynchronously by a server (e.g. OPC UA Server) responsible for exposing it in an address space;
  • the applications (e.g. OPC UA client) process the exposed data to reach selected key performance indicators (KPI).

It is required that the messages payload is formatted in a standardized way to be factored on the fetching site and meaningfully consumed by the analytic application (e.g. OPC UA client).

Data Acquisition patterns

In the above discussion the application functionality has been excluded as a factor, which can be used to recognize IoT applications. Now let’s analyze the impact of the data acquisition pattern on the application behavioral model.

Using data polling we must deal with the synchronous data acquisition pattern. In this case the application must follow the interactive behavioral model, because it actively polls the data source for more information by pulling data from a sequence that represents the process state in time. Such behavior is represented by an iterator, which is used to iterate through a data stream. The application is active in the data retrieval process – it controls the pace of the retrieval by sending the request messages at its own convenience. This enumeration pattern is synchronous, which means that the application might be blocked while polling the data source. Such polling pattern is similar to visiting the books shop and checking out a book. After you are done with the book, you pay another visit to check out another one. If the book is not available you must wait, but you may read what you selected.

On the other hand, in the reactive behavioral model, the application is offered more information by subscribing to a data stream, and any update is handed to it from the source. The application is passive in the data retrieval process: apart from subscribing to the source data stream, it does not actively poll the source, but merely react to the data being pushed to it. In this case, the application will not be blocked by waiting for the source to update. This is the push pattern employed by IoT. It is similar to joining a books club in which you register your interest in a particular genre, and books that match your interest are automatically sent to you as they are published. You do not need to wait but you must read what you get. Employing a push pattern is helpful in many scenarios, especially if data is available asynchronously as events.

The push model implemented by IoT requires additional resources responsible for multicasting the pushed data to all subscribers. This functionality may be accomplished by a middleware fulfilling the broker role or supported by the network infrastructure, e.g. IP multicast.

The fundamental differences between the interactive and reactive behavioral model must obviously impact the final application functionality, for example:

  • process controllability;
  • data destination discoverability;
  • maintainability.

Using data polling the request message may also contain data to control the state of a selected actuator. In this case the response message usually contains positive or negative acknowledge that can be used by the application as a condition selecting further activity. For example in case of communication disruption the request message may be resent. In case of actuator failure an alarm may be raised. In case of the pushing data scenario it is hard to implement remote control functionality in a similar way because the communication path is like a one-way route.


In interactive behavioral model the communication engine must have all information including addressing in advance to properly prepare request messages. The messages must be self-contained to be used by the network routing mechanism. In case of reactive behavioral model the application doesn’t know the source of data in advance. Therefore the sensors responsibility is to format the message and push it to an appropriate distribution channel. In this case the messages are not self-contained, because the information carried by them is only indirectly used by the routing mechanism.

For the polling data scenario configuration modification may be required after replacing the sensor if the data sources are not isomorphic for the data acquisition process. On the other hand the pushing data scenario requires that any replacement or modification of the data source must not need any modification of the application configuration.


From the above discussion we can derive the following dependency models:

Interactive applications (e.g. SCADA, DCS):
  • The application engine depends on the synchronous data acquisition engine – data is observed as a stream of entities.
  • The acquisition engine depends on the process devices (sensors or actuators), which it must know in advance.
Reactive applications (e.g. IoT):
  • The application engine depends on the asynchronous data acquisition engine – data is observed as a stream of events.
  • The data source depends on the data distribution channel.
  • The asynchronous acquisition engine depends on the distribution channel.
  • The data source and acquisition engine are associated by the data distribution channel proprietary mechanism.

There is a well suited open source project to start prototyping with this scenario.



OPC UA Makes Smart Factory Possible

From the historical perspective some key words can be recognized as mile stones of the manufacturing enhancement process. These key words describe the main solution or concept that is specific for consecutives eras of development. So the following words hit the big time in history: microprocessor system, automatic processing (PLC), and redundant high availability solution. Today, to be in fashion, we must provide smart solutions, and finally almost everything is smart. We have smart-cars, smart-grids, smart-buildings, and smart-cities. Therefore we must ask, if it is only a buzzword. Going further: can we imagine smart cigarettes? To be honest, I must say that today we do not need artificial intelligence to smoke things like that, but recently I have learnt that cigarettes may have a button to change their flavor on demand – it seems that we are very close to a keyboard concept. What’s more, today it is required that cigarettes are digitally signed to be traceable – it seems that we are very close to the RFID technology and, finally, the Internet of Things concept. Anyway, giving a right answer to this question is only a matter of the definition of the word smart, but nowadays production of cigarettes, as almost everything, is doubtless a challenging activity and needs a steady improvement of the manufacturing environment to compete successfully on the global market.

Read the story: Smart Factory Deployment Strategy

Smart Factory Deployment Strategy

Related articles

OPC Unified Architecture – Main Technological Features


One of the main goals of the OPC Unified Architecture is to provide a consistent mechanism for the integration of process control and management systems. It is assumed that it should be robust and the implementation should be platform independent. In this section I will examine technologies and paradigms used as a foundation for the development of the OPC UA standard and discuss their impact on the final result.

Service Oriented Architecture

At the very beginning of a new solution development, we must address a question about its fundamental paradigms and architecture. OPC Classic is based on the functionality provided by an operating system and is actually an instruction on how to use the functionality to interconnect participants of the data exchange. This was recognized as one of the drawbacks making the lifetime of the OPC Classic standard dependent on the lifetime of the technology it is based on.

Observing continuous evolution of the IT domain, it seems that finding a solution that will guarantee an unlimited lifetime is a real challenge. However, decupling the solution from any base technology increases the chance of it surviving the disappearance of the base technology from the market. Developing services and deploying them using a Service Oriented Architecture (SOA) is the best way to utilize IT systems to meet this challenge. A service differs from an object or a procedure because it is defined by messages that it exchanges with other services. SOA defines the way in which services are deployed and managed. Using a SOA approach increases reuse, lowers overall cost, and improves the ability to rapidly change and evolve systems, whether old or new.

To make systems interoperable, any even brilliant idea is not enough. We need a data transfer technology, however – when defining data exchange in context of messages – we do not need to bother with the different technologies used by the participants as long as they can absorb the messages.

Today, an ideal platform for the SOA concept implementation is Web Service technologies. They represent the most widely adopted distributed computing standards in industry history. Web Services are a set of standards based on XML (eXtensible Markup Language) and developed by W3C (World Wide Web Consortium). Those standards are generally marked with a WS-*** symbol. Because the WS-* standards are developed without any initial assumption concerning the underlying system platform they are implemented on, they therefore must precisely define what must be on the “wire”.

The WS-* standards are the basic foundation for OPC UA but, using them alone, would not be enough to reach the expected data throughput performance in industrial applications. The OPC UA suite of protocols, therefore, expands the WS-* standards by defining a few proprietary ones that can be used alternatively. OPC UA messages may be encoded as an XML text or in binary format for efficiency purposes. They may be transferred using multiple underlying transports, for example TCP or SOAP over HTTP. Clients and servers that support multiple transports and encodings will allow end users to make decisions about tradeoffs between performance and XML Web Services compatibility at the time of deployment, rather than having these tradeoffs determined by the OPC vendor at the time of product definition.

Object Oriented Information Model

To make systems interoperable, the data transfer mechanism must be associated with a consistent information representation model. OPC UA uses an object as a fundamental notion to represent data and activity of an underlying system. The objects are placeholders of variables, events and methods and are interconnected by references. This concept is similar to well-known object oriented programming (OOP) that is a programming paradigm using “objects” – data structures consisting of fields, events and methods – and their interactions to design applications and computer programs. The OPC UA Information Model provides features such as data abstraction, encapsulation, polymorphism, and inheritance.

The OPC UA object model allows servers to provide type definitions for objects and their components. Type definitions may be abstract, and may be inherited by new types to reflect polymorphism. They may also be common or they may be system-specific. Object types may be defined by standardization organizations, vendors or end-users.

The Information Model is a very powerful concept, but it is abstract and hence, in a real environment, it must be implemented in terms of bit streams (to make information transferable) and addresses (to make information selectively available). To meet this requirement, OPC UA introduces a Node notion as an atomic addressable entity that consists of attributes (value-holders) and references (address-holders of coupled nodes). The set of Nodes that an OPC UA Server makes available to clients is referred to as its Address Space, which enables representation of both real process environment and real-time process behavior. The Address Space is described in depth in the OPC UA eBook.

Each of the previous OPC Classic specifications defined their own address space model and their own set of services. OPC UA unifies the previous models into a single integrated Address Space with a single set of services.

Abstraction and Mapping

Interoperability of systems can be achieved if communicating parties are able to interchange streams of bits and assign to these streams the same meaning without any ambiguity. Unfortunately, the representation of information on the wire, and communication protocols are subject to continuous evolution, if not revolution nowadays. This could be dangerous for any long term initiatives. Because it is impossible to stop the progress of technology changes, some other precaution must be undertaken to keep the specification alive within a long term horizon. It is achieved by clear separation of definitions provided by the specification from their actual implementation. It makes OPC UA seamlessly portable from one technology to another. Mappings defined in the specification sets forth how to implement an OPC UA feature using a specific technology. For example, the mapping for OPC UA binary encoding specifies how to serialize OPC UA data structures as sequences of bytes.

Additionally, separation of the definition and implementation makes the solution more flexible and scalable thanks to a free (to a certain degree) selection of technologies appropriate for the current communicating parties needs. Unfortunately, it may cause an adverse interoperability issues, because the interconnected systems must be able to use the same communication mechanism. This is partially overcome by the definition of profiles and negotiation mechanism.


Security is a fundamental aspect of computer systems, in particular those dedicated to enterprise and process management. Especially in this kind of application, security must be robust and effective. Security infrastructure should also be flexible enough to support a variety of security policies required by different organizations. OPC UA may be deployed in diverse environments; from clients and servers residing on the same hosts, throughout hosts located on the same operation network protected by the security boundary protections that separate the operation network from external connections, up to applications running in global environments using public network infrastructure. Depending on the environment and application requirements, the communication services must provide different protections to make the solution secure, therefore OPC UA specification must offer scalability.

OPC UA Security is concerned with the authentication of clients and servers, the authorization of users, the integrity and confidentiality of their communications and the auditing of client server interactions. To meet this goal, security is integrated into all aspects of the design and implementation of OPC UA Servers and Clients. The OPC Foundation has also addressed the security issues that arise from implementation. This include independent reviews of all aspects of security starting from the design of in-depth security provided by the specification (which is built and model on the WS* specifications); to the actual implementation provided by the OPC Foundation. The OPC Foundation has chosen to use industry standard security algorithms and industry standard security libraries to implement OPC UA Security (see OPC UA eBook).

Security mechanisms can be provided by diverse communication layers. Transport-level security is a solution limited to point-to-point messaging. In this case messages can be protected by establishing a secure connection (association) between two hosts using for example Transport Layer Security (TLS) or IPSec protocols. But, if intermediaries are present when using a secure transport, the initial sender and the ultimate receiver need to trust those intermediaries to help provide end-to-end security, because each hop is secured separately. In addition, to explicit trust of all intermediaries, other risks such as local storage of messages and the potential for an intermediary to be compromised must be considered. Thus, using only transport security limits the richness of the security solution to transport-specific features. OPC UA is a session centric communication. Hence, a security association must survive beyond a single transport connection.

To meet the above requirements, the OPC UA security architecture is defined as a generic solution that allows implementation of the required security features at various places in the application architecture. The OPC UA security architecture is structured in an application layer and a communication layer atop the transport layer.

The routine work of a client application and a server application to transmit plant information, settings, and commands is done in a session in the application layer. The application layer also manages user authentication and user authorization. OPC UA Client and Server applications identify and authenticate themselves with X.509 Certificates. Clients pass a user identity token to the OPC UA Server. The OPC UA Server authenticates the user token. Applications accept tokens in any of the following three forms: username/password, an X.509v3 certificate or a WS-SecurityToken

A session in the application layer communicates over a secure channel that is created in the communication layer and relies upon it for secure communication. All of the session data is passed to the communication layer for further processing. The secure channel is responsible for messages integrity, confidentiality and applications authentication.

OPC UA uses symmetric and asymmetric encryption to protect confidentiality as a security objective. OPC UA relies upon the site cyber security management system to protect confidentiality on the network and system infrastructure, and utilizes the Public Key Infrastructure to manage keys used for symmetric and asymmetric encryption. OPC UA uses symmetric and asymmetric signatures to address integrity as a security objective.


OPC UA is designed to support a wide range of servers, from plant-floor PLCs to enterprise servers. Those servers are characterized by a variety of sizes, performance, execution platforms and functional capabilities. Therefore, OPC UA defines a comprehensive set of capabilities, of which servers may implement a subset of. These subsets are referred to as Profiles, and servers may claim conformance to them. Clients can then discover the Profiles for a server, and tailor their interactions with that server based on the Profiles. Client also contain Profiles which allow end user the ability to match up server profiles to client profiles, making it easier to ensure that diverse client and servers will interoperate. Servers can also discover these client profiles and could tailor their response to the client based on the client profile.


OPC UA is designed to provide robustness of published data. The major feature of all OPC UA Servers is the ability to publish data and event notifications. OPC UA provides mechanisms for clients to quickly detect and recover from communication failures associated with transfers without having to wait for long timeouts provided by the underlying protocols.

The design of OPC UA ensures that vendors can create redundant clients and redundant servers in a consistent manner. Redundancy may be used for high availability, fault tolerance and load balancing. Generally we can distinguish redundancy of: servers/clients, communication paths and signals. Although the specification provides support only for client/server redundancy, product vendors can incorporate all kinds of redundancy into the framework proposed by the specification. For example, a server can establish wireless connection as the means of recovery from cable connection failure or a server can use many data sources bound to a variable to provide continuous updating of the variable value even if one of the sensors has been damaged.

OPC UA requires a stateful model as the next feature that increases the solution robustness. State information is maintained inside an application session. Examples of state information are subscriptions, user credentials and continuation points for operations that span multiple requests.

Sessions are defined as logical connections between clients and servers. What is worth stressing, each session is independent of the underlying communications protocols. Failures of these protocols do not automatically cause the session to terminate. Sessions terminate based on a client or server request, or based on inactivity of the client.

More readings

More you can find in the eBook at:

OPC UA eBook