OPC-UA Implementation for Pharma Manufacturing: Integration Guide
TL;DR: OPC-UA is the standard interoperability protocol for pharma OT/IT integration: it connects PLCs, SCADA, DCS, and field instruments to historians, MES, and analytics platforms without custom per-vendor protocol coding. This guide covers the PA-DIM companion specification for process automation devices, the security configuration a GMP deployment requires, brownfield PLC integration approaches, MES/historian connectivity, and the validation scope.
OPC-UA in Pharma: The Integration Protocol That Ended the PLC-to-Historian Custom Work
Before OPC-UA achieved widespread adoption, every pharma site had a unique, fragile integration layer: custom drivers translating the Siemens S7 protocol to one historian format, ABB AC500 to another, Rockwell ControlLogix to a third. Each integration was hand-coded, undocumented, and broke when the PLC or SCADA software was updated. When a site had 15 different PLC brands across 3 production buildings, the integration maintenance cost was significant.
OPC-UA solves this through standardization: every OPC-UA compliant device or system speaks the same protocol, uses the same security model, and exposes data in the same structured namespace format. A historian with an OPC-UA client can subscribe to data from a Siemens S7-1500 PLC, a Rockwell ControlLogix, an ABB AC500, and an Emerson DeltaV DCS using the same driver, the same configuration interface, and the same security certificate management.
Fact MR valued the OPC UA Gateways for Legacy PLC Integration market at $268 million in 2025, growing at 12% CAGR, which reflects the scale of the brownfield integration challenge that OPC-UA gateways are solving across process industries including pharma.
PA-DIM: The Pharma-Relevant OPC-UA Companion Specification
The OPC Foundation publishes "companion specifications" that extend the base OPC-UA protocol with domain-specific data models. For process automation (including pharma), the relevant companion specification is PA-DIM (OPC 30081 — Process Automation Device Information Model).
PA-DIM defines how process automation field devices represent themselves in the OPC-UA namespace: a standardized node structure that includes device identification (manufacturer, model, serial number, firmware version), measurement values (with engineering unit and quality status), device diagnostics (health status, calibration due date), and configuration data (tag name, range, alarm setpoints).
The practical implication for pharma: when a Vaisala HMT360 humidity transmitter is connected via a PA-DIM compliant gateway, it appears in the OPC-UA namespace with standardized nodes for the measured value, its status, device health, calibration due date and tag identifier (the names ActualValue, Status, SensorHealth, CalibrationDueDate and TagID used here are illustrative; the normative browse names are those defined in OPC 30081), in the same structure regardless of the gateway vendor. A historian or asset management system can read the calibration due date from any PA-DIM compliant device without device-specific configuration.
This is valuable for GMP instrumentation management: a PA-DIM aware asset management system can automatically flag sensors approaching their calibration due date by reading the calibration due date node from every PA-DIM compliant device on the OPC-UA network, replacing manual calibration tracking spreadsheets. The read still needs checking: a value returned with a Bad or Uncertain StatusCode, or from a device that does not expose the node, must be treated as unknown rather than as not due.
Brownfield Integration Approaches
Most pharma manufacturing sites have PLCs and SCADA systems installed before OPC-UA was widely supported. Three non-invasive integration approaches for brownfield OT:
Protocol Gateway (Recommended for GMP): Deploy a Kepware KEPServerEX, Moxa MGate, or Softing dataFEED OPC Suite gateway in the OT zone. The gateway reads from legacy PLCs using their native protocols (Modbus RTU, PROFIBUS DP, Allen-Bradley DF1/EtherNet/IP, Siemens S7 over TCP) and publishes the data as an OPC-UA server. No changes to PLC programs, no PLC firmware updates, no change control for the PLC itself. The gateway is validated as a new GAMP Category 4 (configured product) software deployment, which is significantly faster than a PLC change control process. Place the gateway next to the PLCs it polls, not in the DMZ: the native protocols it uses (Modbus and S7 in particular) carry no authentication and should never cross a zone boundary. Only the gateway's OPC-UA endpoint is passed through the OT/DMZ firewall to the historian, or to the edge node that hosts the local historian.
SCADA-as-OPC-UA-Server: Modern SCADA systems (Ignition 8.1+, AVEVA System Platform 2023, WinCC OA) can run a native OPC-UA server: they publish data to OPC-UA clients without direct PLC-to-OPC-UA connectivity. The SCADA keeps handling PLC communication with the legacy drivers it already has, and the historian/MES connects to the SCADA via OPC-UA. Advantage: it reuses the existing SCADA investment and needs no additional hardware. Limitation: OPC-UA connectivity depends on SCADA availability; planned SCADA downtime interrupts historian connectivity, so the interruption must be covered, for example by buffering at the edge node.
PLC Native OPC-UA (Greenfield or Upgrade): For new equipment purchases or PLC upgrades already in scope, specify OPC-UA server capability in the URS. Siemens S7-1500 (FW 2.9+), Rockwell ControlLogix 5580 (v34+), Beckhoff TwinCAT 3.1, and ABB AC500 V3 all support native OPC-UA. For Siemens, the OPC-UA server is enabled in the CPU properties in TIA Portal; PLC tags and data block variables are exposed either through their 'Accessible from HMI/OPC UA' attribute or through a defined server interface that maps PLC variables to OPC-UA nodes. The same security settings apply to a PLC-hosted server as to a gateway: disable the None endpoint and manage the PLC's application certificate like any other server certificate.
Security Configuration
OPC-UA defines three message security modes. They must be configured explicitly, because most implementations ship with the insecure options still enabled:
None: no message signing or encryption. Neither application proves its identity at the channel level, and traffic can be read or altered in transit. Suitable only for isolated lab environments with no GMP data; it should be disabled on all production OT networks.
Sign: messages are signed, so each side authenticates the other and tampering is detectable, but values travel in clear text. The minimum acceptable setting for traffic that stays inside the OT zone.
Sign and Encrypt: messages are signed and encrypted inside the OPC-UA secure channel using the negotiated SecurityPolicy (Basic256Sha256, Aes128_Sha256_RsaOaep or Aes256_Sha256_RsaPss; Basic128Rsa15 and Basic256 are deprecated and should be disabled), with X.509 certificate-based mutual authentication of the client and server applications. Over opc.tcp this is OPC-UA's own secure channel, not TLS; TLS is only involved with the HTTPS transport. Required for any OPC-UA connection crossing OT/IT network boundaries (from the OT zone to a historian in the DMZ or cloud). The mode alone is not enough: the user token policy matters too, so disable Anonymous and require a username/password or user certificate, and do not leave the server's trust list in an auto-accept mode, which would let any client certificate pass mutual authentication.
Certificate management is the most operationally challenging aspect of OPC-UA security: every OPC-UA server and client application needs an X.509 application instance certificate, the peer must hold it in its trust list, and certificates expire (typically after 1 to 2 years). An expired certificate means the secure channel cannot be opened, which in a historian context means a gap in the GMP monitoring record. Certificate renewal must be included in the site's IT maintenance calendar with a 30-day advance reminder, and renewal is done by issuing and trusting a new certificate, never by dropping the endpoint to None to restore connectivity.
The 2025 Bitsight report identified 14,220 internet-exposed OPC-UA servers, a significant proportion of which had the 'No Security' endpoint enabled. For GMP OT networks, the OPC-UA security configuration (enabled endpoints, security policies, user token policies and trust lists) must be documented in the IQ, verified in OQ, and included in periodic security review.
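The endpoint and certificate checks above can be scripted rather than checked by hand each review cycle. The following is an added example, not code from this guide or from any OPC-UA vendor: it audits a constructed snapshot of what a server's GetEndpoints reply contains (security mode, SecurityPolicy URI, user token types) together with the server certificate's expiry, and shows how a client should choose its endpoint without ever falling back to None. The Endpoint dataclass, the audit and select_endpoint functions, the gateway hostname gw01 and the dates are assumptions made for the example; only the MessageSecurityMode values and SecurityPolicy URIs are taken from the OPC UA specification. In practice the same fields come from your client library (with python-opcua or asyncua, Client.connect_and_get_server_endpoints()) and the certificate's notAfter from the cryptography package's x509.load_der_x509_certificate.

```python
"""Audit the endpoints an OPC-UA server advertises and select the one a
GMP historian client may use. Added example; the endpoint snapshot,
hostname, dates and function names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class SecurityMode(IntEnum):
    """MessageSecurityMode values as defined in OPC UA Part 4."""
    INVALID = 0
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3


# SecurityPolicy URIs from OPC UA Part 7, ranked by preference.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
ACCEPTED_POLICIES = {
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256": 1,
    "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep": 2,
    "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss": 3,
}
# Deprecated policies (SHA-1 / RSA PKCS#1 v1.5); disable them on the server.
DEPRECATED_POLICIES = {
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
}


@dataclass(frozen=True)
class Endpoint:
    """The fields of an EndpointDescription this audit needs."""
    url: str
    mode: SecurityMode
    policy_uri: str
    user_token_types: frozenset  # e.g. {"Anonymous", "UserName", "Certificate"}


def audit(endpoints, cert_not_after, crosses_zone_boundary, now, warn_days=30):
    """Return human-readable findings for the IQ/OQ record; [] means clean."""
    findings = []
    for ep in endpoints:
        tag = f"{ep.url} [{ep.mode.name}/{ep.policy_uri.rsplit('#', 1)[1]}]"
        if ep.mode == SecurityMode.NONE or ep.policy_uri == POLICY_NONE:
            findings.append(f"{tag}: 'None' endpoint enabled; disable it on production OT")
        elif ep.policy_uri in DEPRECATED_POLICIES:
            findings.append(f"{tag}: deprecated security policy; disable it")
        elif crosses_zone_boundary and ep.mode == SecurityMode.SIGN:
            findings.append(f"{tag}: Sign-only on a zone-crossing link; require SignAndEncrypt")
        if "Anonymous" in ep.user_token_types:
            findings.append(f"{tag}: Anonymous user token allowed; require UserName or Certificate")
    # One application certificate covers every endpoint of the server.
    days_left = (cert_not_after - now).days
    if days_left < 0:
        findings.append(f"server certificate expired {-days_left} days ago; secure channels will fail")
    elif days_left <= warn_days:
        findings.append(f"server certificate expires in {days_left} days; schedule renewal")
    return findings


def select_endpoint(endpoints, crosses_zone_boundary):
    """Strongest acceptable endpoint, or None meaning 'refuse to connect'.
    Deliberately never falls back to the None endpoint or a deprecated policy."""
    minimum = SecurityMode.SIGN_AND_ENCRYPT if crosses_zone_boundary else SecurityMode.SIGN
    candidates = [ep for ep in endpoints
                  if ep.mode >= minimum and ep.policy_uri in ACCEPTED_POLICIES]
    if not candidates:
        return None
    return max(candidates, key=lambda ep: (ep.mode, ACCEPTED_POLICIES[ep.policy_uri]))


# Constructed snapshot of a gateway's GetEndpoints reply (not a real device).
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
SAMPLE_CERT_NOT_AFTER = NOW + timedelta(days=20)
_P = "http://opcfoundation.org/UA/SecurityPolicy#"
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://gw01:4840", SecurityMode.NONE, POLICY_NONE, frozenset({"Anonymous"})),
    Endpoint("opc.tcp://gw01:4840", SecurityMode.SIGN, _P + "Basic256Sha256", frozenset({"UserName"})),
    Endpoint("opc.tcp://gw01:4840", SecurityMode.SIGN_AND_ENCRYPT, _P + "Basic256Sha256", frozenset({"UserName"})),
    Endpoint("opc.tcp://gw01:4840", SecurityMode.SIGN_AND_ENCRYPT, _P + "Basic256", frozenset({"UserName"})),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ENDPOINTS, SAMPLE_CERT_NOT_AFTER, True, NOW):
        print("FINDING:", line)
    chosen = select_endpoint(SAMPLE_ENDPOINTS, True)
    print("connect using:", chosen.mode.name, chosen.policy_uri)
```

Run against the constructed snapshot with crosses_zone_boundary set, the audit reports the None endpoint, its Anonymous token policy, the Sign-only endpoint, the deprecated Basic256 endpoint and the certificate that expires in 20 days; the client still picks the SignAndEncrypt/Basic256Sha256 endpoint. The design point is in select_endpoint: if no acceptable endpoint exists it returns None and the caller must refuse to connect, which is the behaviour you want from a historian client rather than a silent downgrade.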
MES and Historian Integration
The two most common OPC-UA integration targets in pharma:
Historian integration: AVEVA PI Server connects to OPC-UA servers through the PI Connector for OPC UA, either directly to a native OPC-UA server or to a Kepware gateway acting as the OPC-UA server for legacy PLCs. The historian subscribes to OPC-UA nodes (tag values and their status codes) and stores them as PI point (tag) time series. Configuration: define which OPC-UA nodes map to which PI points; set the deadband (minimum change before a new value is recorded) and the storage frequency. This connection is what turns raw PLC data into the GMP-compliant historian record described in Solutions: Data Historian.
MES integration: Körber (Werum) PAS-X and Rockwell PharmaSuite support OPC-UA client connections to SCADA/PLC for in-process data collection: actual batch parameter values (temperature, pressure, agitation speed) are written directly into EBR fields from subscribed OPC-UA values. This removes manual transcription of process values into batch records, reducing transcription error risk and enabling real-time batch monitoring dashboards in the MES layer. The status code should be stored alongside the value so that a reviewer can see whether the source read was Good when the parameter was captured.
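The deadband and storage-frequency settings in the historian paragraph above decide what ends up in the GMP record, and the usual mistake is to let the deadband also swallow quality changes. The following is an added example, not code from this guide or from AVEVA: an exception filter of the kind that runs at the historian interface, applied to a constructed feed of OPC-UA subscription samples (timestamp, value, StatusCode) for one temperature tag, plus a gap check over what was recorded. The Sample class, the ExceptionFilter, the tag values and the timestamps are all constructed for the example; only the StatusCode severity bits are taken from the OPC UA specification.

```python
"""Exception filtering at the historian interface, with OPC-UA quality and
gap handling. Added example; the feed, tag values and class names are
constructed for illustration, not taken from any product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def quality(status_code: int) -> str:
    """OPC UA StatusCode severity is carried in the top two bits:
    00 = Good, 01 = Uncertain, 1x = Bad."""
    return {0: "Good", 1: "Uncertain", 2: "Bad", 3: "Bad"}[(status_code >> 30) & 0x3]


@dataclass(frozen=True)
class Sample:
    ts: datetime
    value: float
    status: int  # OPC UA StatusCode as delivered by the subscription


class ExceptionFilter:
    """Forward a sample only when it carries new information.

    deadband_eu is an absolute deadband in engineering units (convert a
    percent-of-range deadband before use). max_interval is the storage
    frequency: even an unchanging signal is recorded at least this often so
    that a flat line and a dead link do not look the same in the archive."""

    def __init__(self, deadband_eu: float, max_interval: timedelta):
        self.deadband_eu = deadband_eu
        self.max_interval = max_interval
        self.last = None  # last sample that was actually recorded

    def reason_to_record(self, s: Sample):
        last = self.last
        if last is None:
            return "first"
        if quality(s.status) != quality(last.status):
            return "quality"  # Good<->Bad transitions are never deadbanded away
        if s.ts - last.ts >= self.max_interval:
            return "max_interval"
        # Bad/Uncertain values carry no process information: no deadband test.
        if quality(s.status) == "Good" and abs(s.value - last.value) >= self.deadband_eu:
            return "deadband"
        return None

    def push(self, s: Sample):
        reason = self.reason_to_record(s)
        if reason is not None:
            self.last = s
        return reason


def run_filter(samples, deadband_eu, max_interval):
    """Return [(sample, reason)] for the samples the historian would store."""
    f = ExceptionFilter(deadband_eu, max_interval)
    out = []
    for s in samples:
        reason = f.push(s)
        if reason:
            out.append((s, reason))
    return out


def find_gaps(recorded, max_interval, sampling_period):
    """With the max_interval rule, two consecutive stored samples can only be
    further apart than max_interval + one sampling period if data was lost
    (link down, expired certificate, gateway restart). Returns (start, end)."""
    limit = max_interval + sampling_period
    return [(a.ts, b.ts) for a, b in zip(recorded, recorded[1:]) if b.ts - a.ts > limit]


# Constructed 1 s feed for one temperature tag; samples 8 s to 76 s are missing.
GOOD, BAD = 0x00000000, 0x80000000
T0 = datetime(2025, 10, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [
    Sample(T0 + timedelta(seconds=sec), value, status)
    for sec, value, status in [
        (0, 21.00, GOOD), (1, 21.05, GOOD), (2, 21.15, GOOD), (3, 21.25, GOOD),
        (4, 21.30, GOOD), (5, 21.30, BAD), (6, 21.30, BAD), (7, 21.31, GOOD),
        (77, 21.31, GOOD), (78, 21.32, GOOD),
    ]
]
DEADBAND_EU = 0.2                      # degrees C
MAX_INTERVAL = timedelta(seconds=60)   # storage frequency
SAMPLING_PERIOD = timedelta(seconds=1)


def demo():
    """Run the filter and the gap check over the constructed feed."""
    recorded = run_filter(SAMPLE_FEED, DEADBAND_EU, MAX_INTERVAL)
    gaps = find_gaps([s for s, _ in recorded], MAX_INTERVAL, SAMPLING_PERIOD)
    return recorded, gaps


if __name__ == "__main__":
    recorded, gaps = demo()
    for s, reason in recorded:
        print(f"{s.ts:%H:%M:%S} {s.value:6.2f} {quality(s.status):9s} stored ({reason})")
    for start, end in gaps:
        print(f"GAP {start:%H:%M:%S} -> {end:%H:%M:%S}: {(end - start).total_seconds():.0f} s without data")
```

Of the ten constructed samples, five are stored: the first value, the 0.25 degree step that exceeds the deadband, the transition to Bad quality, the return to Good, and the heartbeat forced by the 60 s storage frequency. The gap check then flags the 70 s hole between the last two stored samples, because with continuous data the heartbeat rule bounds that spacing to 61 s. Two values of 21.30 with different quality are both kept; a filter that compared only the numeric value would have hidden the sensor fault.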
Vietnam Context
OPC-UA adoption among Vietnamese pharmaceutical manufacturers is accelerating alongside equipment upgrades for WHO GMP and export compliance. New lines being installed by joint venture manufacturers (typically supplying Korean, Japanese, or European markets) increasingly specify OPC-UA natively. Older domestic lines, particularly injection filling lines from Chinese equipment suppliers, often use Modbus RTU or proprietary protocols, making Kepware-style protocol gateways the practical first integration step. Vietnamese system integrators with Kepware and AVEVA experience are available in Ho Chi Minh City and Hanoi; the implementation timeline for a 50-tag protocol gateway deployment is typically 4–8 weeks including OQ documentation.
References
- OPC Foundation — OPC UA for Process Automation (PA-DIM): https://opcconnect.opcfoundation.org/2025/09/opc-ua-solutions-for-unified-namespaces-bridging-brownfield-and-the-digital-factory/
- Bitsight — OPC UA Server Internet Exposures 2025: https://www.bitsight.com/blog/opc-ua-server-internet-device-exposures-in-2025
- Fact MR — OPC-UA Gateways for Legacy PLC Integration Market: https://www.factmr.com/report/opc-ua-gateways-for-legacy-plc-integration-market
- Advanco — OPC-UA for the Pharma Industry: https://www.advanco.com/article/opc-ua-for-the-pharma-industry/
- Prosys OPC — OPC Day Finland 2025: https://prosysopc.com/blog/opc-day-finland-2025-fluently-from-factory-to-the-cloud-with-opc-ua/
- AVEVA PI System: https://www.aveva.com/en/products/aveva-pi-system/
- IEC 62443 OT cybersecurity: https://www.iec.ch/iecnorex/62443
- Kepware KEPServerEX documentation: https://www.ptc.com/en/products/kepware
Expert synthesis based on industry-standard GMP guidelines, regulatory publications and real-world pharmaceutical automation deployments in Vietnam and Southeast Asia. Transparency note: This resource reflects the author's professional experience and publicly available regulatory guidance. Readers should verify specific requirements with their qualified regulatory consultants.