AVEVA System Platform to OPC Router Connectivity Options via OPC UA


Nov 3, 2022 2:00:00 PM

AVEVA users have a range of native connectivity options for interfacing with different systems. OPC Router also supports connectivity to a variety of different systems that users sometimes need to access from AVEVA System Platform. Users of AVEVA System Platform can leverage OI Gateway to easily and securely connect to OPC Router via OPC UA for connections to many other data sources.

In this blog post, we will cover the basic steps to connect AVEVA System Platform to OPC Router via OPC UA, enabling additional connectivity options for AVEVA users to systems such as SAP (and other ERPs), a variety of relational and other databases, conversion of file data including CSV, XML, JSON and others, IIoT systems including REST and SOAP web services and MQTT brokers and more.

While AVEVA™ users have their own options for connectivity, they may find they need to expand those options for ERP systems and other systems using OPC Router's own variety of supported connectivity interfaces. System Platform can certainly also connect directly to OPC Router via OPC DA. However, if your system architecture requires that System Platform and OPC Router reside on different remote machines, OPC UA is easier to configure and provides greater security as well (not to mention the additional DCOM considerations related to Microsoft's DCOM hardening efforts). It's simply better (and more secure) to use OPC UA instead, wherever possible.

To that end, OPC Router has a native OPC UA server interface. And System Platform can access OPC UA server data sources through the OI Gateway acting as an OPC UA client.

There are nine basic steps AVEVA users will need to follow to get System Platform connected to OPC Router using OPC UA.

1. Configuring Non-OPC UA Data Sources in OPC Router

Once your source data is available in OPC Router, it can then be shared with any of the other connectivity interfaces that OPC Router supports, including SAP, OPC DA client, OPC UA client, OPC UA server, MQTT client/subscriber, a variety of databases and more, all through OPC Router's visual workflows (basically like drag-and-drop flow charts allowing you to connect together different data sources visually).

Infographic - OPC Router Data Connectors

Connectivity to the specific systems that OPC Router supports is beyond the scope of this particular post but we have a selection of available tutorials on configuring specific data sources in OPC Router available here.

2. Configuring Global Variables in OPC Router

With data available from one or more sources, to expose the variables from your other systems / data sources as OPC UA nodes/items/tags, they will need to first be mapped to what are referred to as Global Variables in OPC Router. You will need to have one Global Variable for each corresponding variable from your data source. Global Variables are configured under the Plug-ins in OPC Router, under Advanced -> Variables.


You'll notice here that there are Global Variables and Local Variables - Global Variables are needed for this purpose, since Local Variables are only available for use internally and we need the variables to be visible to OPC UA clients. The necessary Global Variables would all need to be defined prior to moving on to Step 3 so that they are available as the Destination for data values in the visual workflow.


3. Configuring Connections between Source Variables and Global Variables in OPC Router

For the purposes of explanation, let's refer to an OPC Router example parsing data variables from an XML file into Global Variables. Sources and Destinations and Triggers (which determine what "fires" a data transfer operation from source to destination) can be dragged/dropped to the Design space of a Connection from the Transfer Objects pane on the right-hand side of the interface.


The process would be similar for other data sources with respect to the arrow connectors shown coming from the variables in the source and going to the destination Global Variables (simply select the source of a piece of data and drag-and-drop an arrow connection to the desired destination for that data).


The visual workflow for connections in OPC Router makes it easy to drag the connector from the source point/variable to the destination point/variable - in this case, from individual variables parsed out of a specified XML file to the Global Variables that were created previously. This connection results in the values from the XML file being exposed in those Global Variables, where they are then visible to any OPC UA client applications connected to OPC Router.

4. Configuring OPC Router as an OPC UA Server

Now that the data from your source system is available as Global Variables, the OPC UA server endpoint and settings just need to be configured. The settings for connecting OPC UA clients to OPC Router are configured via instances of the OPC UA Server plug-in.


Each instance is a separate OPC UA server endpoint with its own specific port and security options (configuring the Address space, which defines the data variables and objects that will be available to OPC UA clients, is beyond the scope of this post). Clicking the "New" or "Edit" button presents the following available settings:


Here are some details on the key settings pertaining to security you will need to configure for the OPC UA server endpoint (the other settings shown above either don't pertain to security or can generally be left at the defaults):

  1. Name - user-defined friendly name used by OPC Router to identify this OPC UA server endpoint.
  2. Port - the TCP port associated with this OPC UA server endpoint for OPC Router - this will be appended to the end of the endpoint URL.
  3. Server certificate - this dropdown allows you to select a certificate (either a self-signed certificate that you've already created in OPC Router or a third-party certificate you've imported in Certificate Management).

    Alternately, you can:

    • Click the "+" button to define a new self-signed security certificate for use with this endpoint.
    • Click the "-" button to delete the selected security certificate.
    • Click the "eye" button to view the details of the selected security certificate.

  4. Trusted client certificates - selects which OPC UA client security certificates to accept/trust for this endpoint. The default setting is "All" which will result in the certificate of any OPC UA client attempting a connection to this endpoint getting trusted automatically. Other options include:
    • Router - if the certificate has not already been imported and trusted through certificate management, you will be prompted to either trust or reject the OPC UA client's certificate when attempting to connect.
    • Windows - use this option if you've imported your OPC UA client's certificate to the "Third-Party Root Certification" section in the Local Machine Certificate Manager in Windows (Just search for "certificates" in Windows and select the options for "Manage computer certificates").
  5. Log-in - Allow anonymous connections - disabled by default, enabling this checkbox allows OPC UA clients to connect to this OPC Router endpoint without providing a username and password for authentication. If you plan to connect to OPC Router anonymously from OI Gateway (there is a corresponding setting for anonymous log-in in OI Gateway), you'll need to enable this setting.

    When disabled, any OPC UA client connecting to this endpoint will need to provide a valid username and password as defined in the "User management" configuration for this endpoint.


  6. Endpoint address - this is the actual endpoint you will need to specify in your OPC UA client for connecting to this endpoint and is based on the previous settings. Click the "Copy" button to the right of the endpoint to copy it, making it easy to paste right into your OPC UA client (consult the documentation for your OPC UA client for how to specify the OPC UA server endpoint to connect to).
  7. Security settings - these settings define which encryption and signing options will be available for connections to this specific OPC Router UA server endpoint from OPC UA clients. All options are enabled by default.
    1. None (disabled by default) - least secure, no encryption will be used for UA connections using this option.
    2. Basic128Rsa15 (enabled by default) - Available signing options include Sign and Encrypt (default and most secure), Sign, or both.
    3. Basic256Sha256 - most secure (enabled by default) - Available signing options include Sign and Encrypt (default and most secure), Sign, or both.
  8. Output data - It's imperative that "OPC Router global variables" be enabled here. Otherwise, the source data mapped to Global Variables earlier won't be available to OPC UA clients.

Once you've edited the OPC UA Server settings for connections from an OPC UA client, just click OK to save and exit the dialog.

5. Setting All OPC Router Changes Productive

As with any other changes in OPC Router, make sure to go to the "Go Productive" section of the configuration and select the elements being used in your project (specifically, in this case, the relevant OPC UA Server plug-in but also any other plug-ins and connections used for your data transfer from other systems) and click the "Go productive" button to publish the changes.

Screenshot - OPC Router OPC UA Server Go Productive

6. Configuring AVEVA OI Gateway as an OPC UA Client to OPC Router

Next, you need to configure OI Gateway as an OPC UA client and connect it to OPC Router. In the AVEVA System Platform Management Console (SMC), you'll expand "Operations Integration Server Manager" in the tree view, the Node group, the desired Node, then the Operations Integration Supervisory Servers group, then the OI Gateway OPC DA ProgID ("OI.GATEWAY.3").

Click on "Configuration", then right-click and select "Add OPCUA Connection" and give the connection a meaningful name such as "OPCRouter".


For the "OPCUA Server Details", if OPC Router is on the same machine as OI Gateway, you can leave the "Server Node" as "localhost". If they are on separate machines, the "Server Node" will need to be the IP Address or Hostname of the OPC Router machine. And the "OPCUA Server" field should be the endpoint that was copied from the OPC Router OPC UA server settings.


By default, OI Gateway uses the most secure options for "Security Policy" and "Security Message Mode" (currently Basic256Sha256). If you prefer to use a lower level of security for the connection, you will need to change those settings (OPC Router has those defaults enabled; if you prefer to use something other than Basic256Sha256, make sure it's both supported in OPC Router and also enabled).

For Anonymous authentication, the "Anonymous User" setting needs to be enabled in OI Gateway under "User Credentials" in order to connect without needing a User Name and Password (it's disabled by default). Alternately, if you chose to define a user during the OPC Router OPC UA Server configuration, you can leave this disabled and enter the User Name and Password here, instead.

At this point, you can click the "Test" button to the right of where you entered the "OPCUA Server" endpoint. You might get the following message indicating the connection failed (the possible reasons are conveniently listed).


However, if the OPC Router was configured at the default of "All" for "Trusted Client Certificates", then OPC Router will automatically receive and trust the certificate from OI Gateway (and OI Gateway trusts UA Server certificates automatically, also) so you likely won't see the above message if the following are true:

  • The "Server Node" and "OPCUA Server" endpoint fields are correct
  • The selected Security Policy, Security Message Mode and User Credentials match what is configured in OPC Router
  • Where applicable, an exception has been added to any firewalls for the port used by OPC Router's OPC UA server.
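
The security settings from step 4 and the match conditions listed above can be checked together before anyone clicks "Test". The following is an added example, not code from the original post or from either product: it reports hardening findings for a server endpoint and the mismatches between client and server settings. The class and field names, finding labels and sample values are assumptions, and the deprecation of Basic128Rsa15 is OPC Foundation guidance rather than something this post states.

```python
# Added example: field names and sample values are assumptions that model the
# dialog settings from steps 4 and 6; this is not an OPC Router or OI Gateway format.
from dataclasses import dataclass

# Basic128Rsa15 depends on SHA-1 and RSA PKCS#1 v1.5; the OPC Foundation deprecated it.
DEPRECATED_POLICIES = {"Basic128Rsa15"}


@dataclass
class ServerEndpoint:
    policies: dict             # policy name -> set of enabled message modes
    trusted_client_certs: str  # "All", "Router" or "Windows"
    allow_anonymous: bool


@dataclass
class ClientSettings:
    policy: str
    mode: str                  # "None", "Sign" or "SignAndEncrypt"
    anonymous: bool


def audit_server(server):
    """Return hardening findings for one OPC UA server endpoint."""
    findings = []
    for policy, modes in sorted(server.policies.items()):
        if policy == "None":
            findings.append("policy-none: sessions are neither signed nor encrypted")
        elif policy in DEPRECATED_POLICIES:
            findings.append(f"deprecated-policy: {policy} is enabled")
        if policy != "None" and "Sign" in modes:
            findings.append(f"sign-only: {policy} allows unencrypted payloads")
    if server.trusted_client_certs == "All":
        findings.append("trust-all: any client certificate is trusted automatically")
    if server.allow_anonymous:
        findings.append("anonymous: clients may connect without username/password")
    return findings


def connection_problems(server, client):
    """List the mismatches between a client's settings and the server's."""
    problems = []
    modes = server.policies.get(client.policy)
    if modes is None:
        problems.append(f"security policy {client.policy} is not enabled on the server")
    elif client.mode not in modes:
        problems.append(f"mode {client.mode} is not enabled for {client.policy}")
    if client.anonymous and not server.allow_anonymous:
        problems.append("client is anonymous but the server requires a user")
    return problems


# Constructed samples. PERMISSIVE uses the post's default policies and trust "All";
# enabling both message modes on each policy is an assumption.
BOTH = {"Sign", "SignAndEncrypt"}
PERMISSIVE = ServerEndpoint({"Basic128Rsa15": BOTH, "Basic256Sha256": BOTH}, "All", False)
HARDENED = ServerEndpoint({"Basic256Sha256": {"SignAndEncrypt"}}, "Router", False)
GATEWAY_ANON = ClientSettings("Basic256Sha256", "SignAndEncrypt", anonymous=True)
GATEWAY_USER = ClientSettings("Basic256Sha256", "SignAndEncrypt", anonymous=False)

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit_server(cfg) or "no findings")
    print(connection_problems(PERMISSIVE, GATEWAY_ANON))
```

Running it against the constructed samples shows the permissive endpoint producing four findings and rejecting an anonymous client, while the tightened endpoint produces none and still accepts a client that supplies a user.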

You can confirm the Test works (no, unfortunately, there isn't a message that explicitly confirms the test was successful) as you'll notice the OPC UA Namespace at the bottom of the configuration in OI Gateway is now populated for OPC Router.


So we can go ahead and Save our settings by clicking the Save button in the upper right corner of the configuration.

The next step is adding some nodes/tags/items from the OPC Router that you want to access with System Platform (or other OPC DA or SuiteLink clients that connect to OI Gateway). So you need to right-click on the OPC UA server under the Configuration branch in the tree view and select "Add OPCUAGroup Connection" - you'll want to enter a meaningful name.


The "Browse OPCUA Server" button will allow you to browse the OPC Router address space.


You can then select the desired data points that you wish to access in the OPCUA Tag Browser window that appears (be patient - I observed that it can take a few seconds and appear that nothing happened when you click the button).


The "Add to list" button then adds the selected items.


Click "OK" once all of the desired points have been added - for our purposes, these are the points parsed from the XML file into Global Variables in this OPC Router that are accessible.

Back in the main configuration, you can then go to the "Device Items" tab and confirm that your points have been added to the item list here. Optionally, you may also choose to rename the items here with a more user-friendly name - this is helpful since the "Name" defined here will be used in the SuiteLink Topic attributes as the Item Reference in System Platform. Clicking the Save button at the top-right corner applies the additions.


Now, if your OI Gateway has been deactivated, you'll need to right-click on the top level "OI.GATEWAY.3" in the tree view and select "Activate". Otherwise, you'll need to deactivate then activate to apply the changes to the runtime. Now that OI Gateway is configured, it is typically a good idea to confirm that your configuration is working as expected prior to moving on to the next step.

To that end, you can connect to OI Gateway using a SuiteLink or OPC DA test client (the OPC Quick Client that installs with TOP Server, as shown below, or the Software Toolbox OPC Test Client is available as a standalone installation you can request and download here). As you can see from the image below, the test client successfully connects to the OPC DA ProgID "OI.GATEWAY.3" and is receiving good quality and values from the OPC Router points configured for the OPC UA connection.


The next step is accessing OI Gateway from System Platform.

7. Configuring AVEVA System Platform DI Objects

The first step is creating/adding an instance of the OPC or SuiteLink Device Integration (DI) object in the desired System Platform (ArchestrA) galaxy, since OI Gateway supports either interface for client connectivity. The following assumes that you already have a WinPlatform, AppEngine and Area created where either of the DI objects can be assigned. For our purposes, we'll use a SuiteLink DI Object below.

Adding a SuiteLink Device Integration Object

In the ArchestrA IDE for the galaxy you want to connect to OPC Router, go to the Template Toolbox under System objects and find the $DDESuiteLinkClient DI object template. Right-click and select New -> Instance which will create a new instance in the "Unassigned Host" folder in the Deployment view which you can rename to something meaningful such as "OIGW_OPCRouter".


You can drag-and-drop the new instance to the desired AppEngine. Then you can double-click on the new instance to open the properties.


The SuiteLink DI object involves configuring the following:

  • Defining the "Server node" or IP / DNS name of the machine where OI Gateway is installed on your network (if OI Gateway is installed on the same machine as System Platform (which is most likely), the Server node gets left blank).
  • Entering the "Server name" for OI Gateway (the SuiteLink service name for OI Gateway is just "Gateway").
  • The "Communication protocol" should remain at the default of "SuiteLink".
  • Creating a Topic under the "Topic" section (this needs to match the Device Group Name from the OPC UA group defined in OI Gateway from earlier - you can go back to OI Gateway and copy/paste the name from there, if needed).


  • Adding Attributes to that Topic - you basically need to define an Attribute here for each Item that you want to access from OI Gateway using the "+" button above the "Associated attributes" section. For the "Item Reference" you'll use the "Name" for the item from your "Device Items" section in OI Gateway (the "Attribute" name itself can be the same or different). You can also use CSV import/export to populate this list, if you have a lot of attributes to add.


  • Once finished, just click the Save button at the top right of the DI object properties and check the object back in.

These are the high level settings that get System Platform connected to OI Gateway via the SuiteLink DI Object.

8. Adding AnalogDevice Object for Attributes

Once the SuiteLink DI object is configured and checked back in, it will be necessary to define an instance of the $AnalogDevice object. So back in the Template Toolbox under System, you need to right-click on $AnalogDevice and select New -> Instance which will add the instance to the "Unassigned Host" folder where you can give it a meaningful name to represent the data points it will be linked to. You can drag-and-drop the instance to the desired Area to assign it.


Double-clicking on the object will open its properties where you need to go to the "Attributes" tab.


Here you need to click the "+" button at the top center of the tab to add an attribute.


Then configure the following:

  • Name - this should be a meaningful name to represent the specific item you want this object to access from OI Gateway - for simplicity, we're using the same name as the attribute in the Topic that was just configured.
  • Data Type - this should match the corresponding data type of the item you're accessing from OPC Router.
  • Available Features - Enable "I/O" here which allows you to select the input source.
    • Read from / Write to - this is where you map to the item in OI Gateway that corresponds to the OPC Router point/item you want this object to represent.
      • You can click the "..." ellipses button to browse available attributes (which will allow you to select from the list of attributes you defined earlier in the SuiteLink DI Object Topic).
        • This brings up the Galaxy Browser, where you can select the instance of the SuiteLink DI object you just configured and you'll find the associated attributes listed to the right - select the desired attribute and click "OK".


      • Alternately, you can manually enter the path to the item - either of the following syntax is valid:
        • <SuiteLinkDIObjectName>.<TopicName>.<DeviceItemName> (for directly accessing items from OI Gateway)
        • <SuiteLinkDIObjectName>.<TopicName>.<AttributeName> (for accessing the attribute name defined in the Topic in the SuiteLink DI Object)
      • Honestly, with the attributes already defined in the SuiteLink DI Object, browsing and selecting is the easiest method here.
    • You'll need to do the same thing to add each of the additional attributes that you defined earlier in the Topic of your SuiteLink DI Object.
    • Then all that remains is clicking the Save button at the top right, accept any warnings and check the object back in.

9. Deploying the Device Integration Object in System Platform

And last, but not least, once the SuiteLink DI object is configured with the desired items/tags and assigned appropriately depending on your galaxy architecture, it's necessary to deploy the SuiteLink DI object and related Application Objects for the associated tags. This deployment is accomplished the same way as for deploying any other objects and changes in System Platform - by right-clicking on the Galaxy object in System Platform (in the Deployment view) and selecting the "Deploy" option.


And the System Platform Object Viewer can then be used to confirm you are successfully connected and communicating by right-clicking on the AnalogDevice object and selecting "View in Object Viewer".


You can find the points/attributes that you added to the AnalogDevice object, highlight them and "Add to Watch" if you'd like to watch them update in real-time (though you can already see values and good quality).


Once the points have initialized, you can watch the selected attributes/items updating per their defined update rate with good values and quality.


This indicates you're receiving data all the way from OPC Router through the OI Gateway and into System Platform via OPC UA, for easy access to all of the data sources supported by OPC Router over secure remote OPC UA connections.

Written by Kevin Rutherford
