IEC 62541

OPC Unified Architecture (OPC UA)

IEC 62541 is the normative standard for OPC UA (Unified Architecture) — the platform-independent, service-oriented communication protocol for industrial automation. OPC UA enables secure, reliable data exchange between PLCs, SCADA, MES, ERP and cloud systems, and is the foundation for Industry 4.0 and IIoT architectures.

Document structure

IEC 62541-1

Overview and concepts

Architecture overview — the address space model, session/subscription model, security model, and transport mappings. The starting point for understanding OPC UA.

IEC 62541-3

Address space model

Defines the OPC UA address space — nodes, references, attributes, and node classes. The address space is the information model container: everything a server exposes is a node in this space.

IEC 62541-4

Services

Defines the 37 OPC UA services — discovery, session, attribute, method, view, monitored item, subscription and publish services. The complete API specification.

IEC 62541-6

Mappings

Transport protocol mappings — OPC UA Binary (UA TCP) for performance-critical applications, OPC UA XML/HTTPS for web services, and OPC UA WebSocket. Also covers Pub/Sub over MQTT and AMQP.

IEC 62541-7

Profiles

Conformance profiles — Nano embedded device, Micro embedded, Standard server, etc. Profiles define which services a compliant implementation must support. Used in procurement specifications.

IEC 62541-8

Data access

Information model for process data — variables, data items, analogue items with engineering units and ranges. The foundation for exposing PLC tags and instrument values.

IEC 62541-9

Alarms and conditions

Information model for alarm management — alarm states, shelving, suppression, acknowledgement. Enables unified alarm display across heterogeneous systems.

IEC 62541-10

Programs

Information model for program execution — start, stop, pause, resume. Enables remote batch execution and recipe management.

IEC 62541-11

Historical access

Information model for accessing historical data — raw data, processed (aggregated) data, historical events. Foundation for historian integration.

IEC 62541-14

PubSub

Publish-subscribe extension for OPC UA — decoupled communication over MQTT/AMQP brokers and UDP multicast. Key for IIoT cloud integration and edge-to-cloud data pipelines.

Key concepts

Information model
OPC UA's core innovation: rather than just transferring data values, it transfers self-describing information. A server exposes an address space where every node has a type, relationships to other nodes, engineering units, and metadata. Companion specifications (e.g., OPC UA for PROFINET, for PackML, for ISA-95) define standard information models for specific domains.
Client-Server vs Pub/Sub
OPC UA supports two communication patterns: Client-Server (pull model: the client subscribes and the server pushes on change, with session management and security) and Pub/Sub (push model: the publisher sends to a broker or multicast group, with no session overhead). Client-Server suits SCADA/MES integration; Pub/Sub suits cloud and edge scenarios.
Security model
OPC UA integrates security at the protocol level: authentication (X.509 certificates or username/password), message signing, and message encryption (AES-128/256). Three security modes: None (discovery only), Sign, Sign+Encrypt. Unlike OPC Classic (DCOM-based), OPC UA security works through firewalls and across the internet.
Companion specification
Domain-specific OPC UA information models defined by industry consortia — OPC UA for Devices (DI), for PLCopen motion, for PackML, for ISA-95 (manufacturing operations), for AutoID (RFID/barcode), for CNC. A companion spec defines standard node types so tools from any vendor can interoperate at the application level.
Pub/Sub over MQTT
OPC UA PubSub (IEC 62541-14) over MQTT is the standard architecture for IIoT edge-to-cloud pipelines. The OPC UA JSON encoding is the message format; an MQTT broker (e.g., HiveMQ, Mosquitto) handles routing. This enables integration with Azure IoT Hub, AWS IoT, and Ignition Edge MQTT.

Notes & guidance

Overview

OPC UA (IEC 62541) is the universal middleware standard for industrial data exchange. It solves the integration problem that has plagued automation for decades: heterogeneous control systems (Siemens, Rockwell, ABB, Honeywell) using incompatible protocols, making plant-wide data access and MES/ERP integration expensive and fragile.

OPC UA provides:

  1. A unified address space — self-describing data accessible via a standard API
  2. Built-in security — certificate-based authentication and encryption by design
  3. Platform independence — runs on Windows, Linux, embedded RTOS, cloud
  4. Scalability — from microcontroller to enterprise server

Architecture Patterns

Classic SCADA / MES integration (Client-Server)

PLC / DCS  →  OPC UA Server  →  OPC UA Client (SCADA, Historian, MES)

Every major PLC (Siemens S7-1500, Rockwell 5380, Beckhoff, B&R) now has an embedded OPC UA server. SCADA platforms (Ignition, Wonderware, Inductive Automation) are native OPC UA clients.

IIoT / Cloud integration (Pub/Sub)

PLC  →  OPC UA PubSub  →  MQTT Broker  →  Cloud (Azure IoT / AWS IoT / InfluxDB)

Edge devices (Hilscher netX, Moxa, Kepware) translate legacy fieldbus to OPC UA and publish via MQTT.

Companion Specifications — Key Ones for Process & Manufacturing

Companion spec           | Domain                      | Maintained by
OPC UA for Devices (DI)  | Device discovery, topology  | OPC Foundation
OPC UA for PackML        | Packaging machine states    | OMAC / OPC Foundation
OPC UA for ISA-95        | Production scheduling, MES  | OPC Foundation / ISA
OPC UA for PROFINET      | PROFINET topology in UA     | PI + OPC Foundation
OPC UA for CNC           | Machine tool data           | OPC Foundation
OPC UA for Weighing      | Scale / batching            | OPC Foundation

Security Hardening Checklist

  • Always use Sign+Encrypt mode in production (never “None” outside test labs)
  • Use dedicated OPC UA certificates per server — rotate annually
  • Restrict endpoint exposure: OPC UA TCP (port 4840) should not be exposed directly to untrusted networks
  • Use an OPC UA gateway or DMZ server to isolate the control network from MES/ERP
  • Implement Role-Based Access Control (RBAC) per IEC 62541-18 (Roles Part) for fine-grained permissions
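
The first three checklist items can be checked mechanically against an endpoint inventory. The following is an added example, not part of IEC 62541 or of the original page: the inventory records, the trusted range 10.20.0.0/16, the 365-day reading of "rotate annually" and the rule names are assumptions, and the mode strings follow the OPC UA MessageSecurityMode values None, Sign and SignAndEncrypt.

```python
from datetime import date
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumptions for this example: the control-network range that may reach
# opc.tcp endpoints directly, and "rotate annually" read as 365 days.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
MAX_CERT_AGE_DAYS = 365

# Constructed inventory: one record per endpoint, shaped like the result of a
# GetEndpoints sweep joined with certificate metadata. Thumbprints are fake.
INVENTORY = [
    {"server": "plc-line1", "url": "opc.tcp://10.20.1.10:4840",
     "mode": "SignAndEncrypt", "cert": "AA11", "issued": date(2025, 3, 1)},
    {"server": "plc-line2", "url": "opc.tcp://10.20.1.11:4840",
     "mode": "Sign", "cert": "AA11", "issued": date(2025, 3, 1)},
    {"server": "historian", "url": "opc.tcp://192.0.2.40:4840",
     "mode": "None", "cert": "BB22", "issued": date(2023, 6, 15)},
]


def audit(inventory, today):
    """Return sorted (server, rule) findings for endpoints that break the checklist."""
    cert_users = {}
    for ep in inventory:
        cert_users.setdefault(ep["cert"], set()).add(ep["server"])

    findings = set()
    for ep in inventory:
        name = ep["server"]
        if ep["mode"] != "SignAndEncrypt":          # Sign alone leaves data readable
            findings.add((name, "mode-not-sign-encrypt"))
        if len(cert_users[ep["cert"]]) > 1:         # certificate shared between servers
            findings.add((name, "shared-certificate"))
        if (today - ep["issued"]).days > MAX_CERT_AGE_DAYS:
            findings.add((name, "certificate-overdue"))
        host = urlsplit(ep["url"]).hostname
        try:
            addr = ip_address(host)
            exposed = addr.is_unspecified or not any(addr in n for n in TRUSTED_NETS)
        except ValueError:                          # DNS name: cannot be judged offline
            exposed = True
        if exposed:
            findings.add((name, "reachable-outside-control-net"))
    return sorted(findings)


if __name__ == "__main__":
    for server, rule in audit(INVENTORY, today=date(2025, 9, 1)):
        print(f"{server:10} {rule}")
```

Endpoints addressed by DNS name are reported as exposed so that they get resolved and reviewed by hand rather than silently passing.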

Applicable industries

  • process
  • manufacturing
  • oil-and-gas
  • pharmaceuticals
  • food-and-beverage
  • energy
  • water-treatment

References & further reading