Skip to main content

OPC-UA Pub/Sub Over TSN: Building Deterministic Industrial Networks [2026 Guide]

· 12 min read

OPC-UA Pub/Sub over TSN architecture

The traditional OPC-UA client/server model has served manufacturing well for decades of SCADA modernization. But as factories push toward converged IT/OT networks — where machine telemetry, MES transactions, and enterprise ERP traffic share the same Ethernet fabric — the client/server polling model starts to buckle under latency requirements that demand microsecond-level determinism.

OPC-UA Pub/Sub over TSN solves this by decoupling data producers from consumers entirely, while TSN's IEEE 802.1 extensions guarantee bounded latency delivery. This guide breaks down how these technologies work together, the pitfalls of real-world deployment, and the configuration patterns that actually work on production floors.

Why Client/Server Breaks Down at Scale

In a typical OPC-UA client/server deployment, every consumer opens a session to every producer. A plant with 50 machines and 10 data consumers (HMIs, historians, analytics engines, edge gateways) generates 500 active sessions. Each session carries its own subscription, and the server must serialize, authenticate, and deliver data to each client independently.

The math gets brutal quickly:

  • 50 machines × 200 tags each = 10,000 data points
  • 10 consumers polling at 1-second intervals = 100,000 read operations per second
  • Session overhead: ~2KB per subscription keepalive × 500 sessions = 1MB/s baseline traffic before any actual data moves

In practice, most OPC-UA servers in PLCs hit their connection ceiling around 15-20 simultaneous sessions. Allen-Bradley Micro800 series and Siemens S7-1200 controllers — the workhorses of mid-market automation — will start rejecting connections well before you've connected all your consumers.

Pub/Sub eliminates the N×M session problem by introducing a one-to-many data distribution model where publishers push data to the network without knowing (or caring) who's consuming it.

The Pub/Sub Architecture: How Data Actually Flows

OPC-UA Pub/Sub introduces three key concepts that don't exist in the client/server model:

Publishers and DataSets

A publisher is any device that produces data — typically a PLC, edge gateway, or sensor hub. Instead of waiting for client requests, publishers periodically assemble DataSets — structured collections of tag values with metadata — and push them to the network.

A DataSet maps directly to the OPC-UA information model. If your PLC exposes temperature, pressure, and flow rate variables in an ObjectType node, the corresponding DataSet contains those three fields with their current values, timestamps, and quality codes.

The publisher configuration defines:

  • Which variables to include in each DataSet
  • Publishing interval (how often to push updates, typically 10ms-10s)
  • Transport protocol (UDP multicast for TSN, MQTT for cloud-bound data, AMQP for enterprise messaging)
  • Encoding format (UADP binary for low-latency, JSON for interoperability)

Subscribers and DataSetReaders

Subscribers declare interest in specific DataSets by configuring DataSetReaders that filter incoming network messages. A subscriber doesn't connect to a publisher — it listens on a multicast group or MQTT topic and selectively processes messages that match its reader configuration.

This is the critical architectural shift: publishers and subscribers are completely decoupled. A publisher doesn't know how many subscribers exist. A subscriber can receive data from multiple publishers without establishing any sessions.

WriterGroups and NetworkMessages

Between individual DataSets and the wire, Pub/Sub introduces WriterGroups — logical containers that batch multiple DataSets into a single NetworkMessage for efficient transport. A single NetworkMessage might contain DataSets from four temperature sensors, two pressure transducers, and a motor current monitor — all packed into one UDP frame.

This batching is crucial for TSN. Each WriterGroup maps to a TSN traffic class, and each traffic class gets its own guaranteed bandwidth reservation. By grouping DataSets with similar latency requirements into the same WriterGroup, you minimize the number of TSN stream reservations needed.

TSN: The Network Layer That Makes It Deterministic

Standard Ethernet is "best effort" — frames compete for bandwidth with no delivery guarantees. TSN (IEEE 802.1) adds four capabilities that transform Ethernet into a deterministic transport:

Time Synchronization (IEEE 802.1AS-2020)

Every device on a TSN network synchronizes to a grandmaster clock with sub-microsecond accuracy. This is non-negotiable — without a shared time reference, scheduled transmission is meaningless.

In practice, configure your TSN switches as boundary clocks and your edge gateways as slave clocks. The synchronization protocol (gPTP) runs automatically, but you need to verify accuracy after deployment:

# Check gPTP synchronization status on a Linux-based edge gateway
pmc -u -b 0 'GET CURRENT_DATA_SET'
# Look for: offsetFromMaster < 1000ns (1μs)

If your offset exceeds 1μs consistently, check cable lengths (asymmetric path delay), switch hop count (keep it under 7), and whether any non-TSN switches are breaking the timing chain.

Scheduled Traffic (IEEE 802.1Qbv)

This is the heart of TSN for industrial use. 802.1Qbv implements time-aware shaping — the switch opens and closes transmission "gates" on a strict schedule. During a gate's open window, only frames from that traffic class can transmit. During the closed window, frames are queued.

A typical gate schedule for a manufacturing cell:

Time SlotDurationTraffic ClassContent
0-250μs250μsTC7 (Scheduled)Motion control data (servo positions)
250-750μs500μsTC6 (Scheduled)Process data (temperatures, pressures)
750-5000μs4250μsTC0-5 (Best Effort)IT traffic, diagnostics, file transfers

The cycle repeats every 5ms (200Hz), giving motion control data a guaranteed 250μs window every cycle — regardless of how much IT traffic is on the network.

Stream Reservation (IEEE 802.1Qcc)

Before a publisher starts transmitting, it reserves bandwidth end-to-end through every switch in the path. The reservation specifies maximum frame size, transmission interval, and latency requirement. Switches that can't honor the reservation reject it — you find out at configuration time, not at 2 AM when the line goes down.

Frame Preemption (IEEE 802.1Qbu)

When a high-priority frame needs to transmit but a low-priority frame is already in flight, preemption splits the low-priority frame, transmits the high-priority data, then resumes the interrupted frame. This reduces worst-case latency from one maximum-frame-time (12μs at 1Gbps for a 1500-byte frame) to near-zero.

Mapping OPC-UA Pub/Sub to TSN Traffic Classes

Here's where theory meets configuration. Each WriterGroup needs a TSN traffic class assignment based on its latency and jitter requirements:

Motion Control Data (TC7, under 1ms cycle)

  • Servo positions, encoder feedback, torque commands
  • Publishing interval: 1-4ms
  • UADP encoding (binary, no JSON overhead)
  • Fixed DataSet layout (no dynamic fields — the subscriber knows the structure at compile time)
  • Configuration tip: Set MaxNetworkMessageSize to fit within one Ethernet frame (1472 bytes for UDP). Fragmentation kills determinism.

Process Data (TC6, 10-100ms cycle)

  • Temperatures, pressures, flow rates, OEE counters
  • Publishing interval: 10-1000ms
  • UADP encoding for edge-to-edge, JSON for cloud-bound paths
  • Variable DataSet layout acceptable (metadata included in messages)

Diagnostic and Configuration (TC0-5, best effort)

  • Alarm states, configuration changes, firmware updates
  • No strict timing requirement
  • JSON encoding fine — human-readable diagnostics matter more than microseconds

Practical Configuration Example

For a plastics injection molding cell with 6 machines, each reporting 30 process variables at 100ms intervals:

# OPC-UA Pub/Sub Publisher Configuration (conceptual)
publisher:
  transport: udp-multicast
  multicast_group: 239.0.1.10
  port: 4840

writer_groups:
  - name: "ProcessData_Cell_A"
    publishing_interval_ms: 100
    tsn_traffic_class: 6
    max_message_size: 1472
    encoding: UADP
    datasets:
      - name: "IMM_01_Process"
        variables:
          - barrel_zone1_temp    # int16, °C × 10
          - barrel_zone2_temp    # int16, °C × 10
          - barrel_zone3_temp    # int16, °C × 10
          - mold_clamp_pressure  # float32, bar
          - injection_pressure   # float32, bar
          - cycle_time_ms        # uint32
          - shot_count           # uint32

  - name: "Alarms_Cell_A"
    publishing_interval_ms: 0  # event-driven
    tsn_traffic_class: 5
    encoding: UADP
    key_frame_count: 1  # every message is a key frame
    datasets:
      - name: "IMM_01_Alarms"
        variables:
          - alarm_word_1  # uint16, bitfield
          - alarm_word_2  # uint16, bitfield

The Data Encoding Decision: UADP vs JSON

OPC-UA Pub/Sub supports two wire formats, and choosing wrong will cost you either bandwidth or interoperability.

UADP (UA DataPoints Protocol)

  • Binary encoding, tightly packed
  • A 30-variable DataSet encodes to ~200 bytes
  • Supports delta frames — after an initial key frame sends all values, subsequent frames only include changed values
  • Requires subscribers to know the DataSet layout in advance (discovered via OPC-UA client/server or configured statically)
  • Use for: Edge-to-edge communication, TSN paths, anything latency-sensitive

JSON Encoding

  • Human-readable, self-describing
  • The same 30-variable DataSet expands to ~2KB
  • Every message carries field names and type information
  • No prior configuration needed — subscribers can parse dynamically
  • Use for: Cloud-bound telemetry, debugging, integration with IT systems

The Hybrid Pattern That Works

In practice, most deployments run UADP on the factory-floor TSN network and JSON on the cloud-bound MQTT path. The edge gateway — the device sitting between the OT and IT networks — performs the translation:

  1. Subscribe to UADP multicast on the TSN interface
  2. Decode DataSets using pre-configured metadata
  3. Re-publish as JSON over MQTT to the cloud broker
  4. Add store-and-forward buffering for cloud connectivity gaps

This is exactly the pattern that platforms like machineCDN implement — the edge gateway handles protocol translation transparently so that neither the PLCs nor the cloud backend need to understand each other's wire format.

Security Considerations for Pub/Sub Over TSN

The multicast nature of Pub/Sub changes the security model fundamentally. In client/server OPC-UA, each session is authenticated and encrypted end-to-end with X.509 certificates. In Pub/Sub, there's no session — data flows to anyone on the multicast group.

SecurityMode Options

OPC-UA Pub/Sub defines three security modes per WriterGroup:

  1. None — no encryption, no signing. Acceptable only on physically isolated networks with no IT connectivity.
  2. Sign — messages are signed with the publisher's private key. Subscribers verify authenticity but data is readable by anyone on the network.
  3. SignAndEncrypt — messages are both signed and encrypted. Requires key distribution to all authorized subscribers.

Key Distribution: The Hard Problem

Unlike client/server where keys are exchanged during session establishment, Pub/Sub needs a Security Key Server (SKS) that distributes symmetric keys to publishers and subscribers. The SKS rotates keys periodically (recommended: every 1-24 hours depending on sensitivity).

In practice, deploy the SKS on a hardened server in the DMZ between OT and IT networks. Use OPC-UA client/server (with mutual certificate authentication) for key distribution, and Pub/Sub (with those distributed keys) for data delivery.

Network Segmentation

Even with encrypted Pub/Sub, follow defense-in-depth:

  • Isolate TSN traffic on dedicated VLANs
  • Use managed switches with ACLs to restrict multicast group membership
  • Deploy a data diode or unidirectional gateway between the TSN network and any internet-facing systems

Common Deployment Pitfalls

Pitfall 1: Multicast Flooding

TSN switches handle multicast natively, but if your path crosses a non-TSN switch (even one), multicast frames flood to all ports. This can saturate uplinks and crash unrelated systems. Verify every switch in the path supports IGMP snooping at minimum.

Pitfall 2: Clock Drift Under Load

gPTP synchronization works well at low CPU load, but when an edge gateway is processing 10,000 tags per second, the system clock can drift because gPTP packets get delayed in software queues. Use hardware timestamping (PTP-capable NICs) — software timestamping adds 10-100μs of jitter, which defeats the purpose of TSN.

Pitfall 3: DataSet Version Mismatch

When you add a variable to a publisher's DataSet, all subscribers with static configurations will misparse subsequent messages. UADP includes a DataSetWriterId and ConfigurationVersion — increment the version on every schema change and implement version checking in subscriber code.

Pitfall 4: Oversubscribing TSN Bandwidth

Each TSN stream reservation is guaranteed, but the total bandwidth allocated to scheduled traffic classes can't exceed ~75% of link capacity (the remaining 25% prevents guard-band starvation of best-effort traffic). On a 1Gbps link, that's 750Mbps for all scheduled streams combined. Do the bandwidth math before deployment, not after.

When to Use Pub/Sub vs Client/Server

Pub/Sub over TSN isn't a universal replacement for client/server. Use this decision matrix:

ScenarioRecommended Model
HMI reading 50 tags from one PLCClient/Server
Historian collecting from 100+ PLCsPub/Sub
Real-time motion control (under 1ms)Pub/Sub over TSN
Configuration and commissioningClient/Server
Cloud telemetry pipelinePub/Sub over MQTT
10+ consumers need same dataPub/Sub
Firewall traversal requiredClient/Server (reverseConnect)

The Road Ahead: OPC-UA FX

The OPC Foundation's Field eXchange (FX) initiative extends Pub/Sub with controller-to-controller communication profiles — enabling PLCs from different vendors to exchange data over TSN without custom integration. FX defines standardized connection management, diagnostics, and safety communication profiles.

For manufacturers, FX means the edge gateway that today bridges between incompatible PLCs will eventually become optional for direct PLC-to-PLC communication — while remaining essential for the cloud telemetry path where platforms like machineCDN normalize data across heterogeneous equipment.

Key Takeaways

  1. Pub/Sub eliminates the N×M session problem that limits OPC-UA client/server at scale
  2. TSN provides deterministic delivery with bounded latency guaranteed by the network infrastructure
  3. UADP encoding on TSN, JSON over MQTT is the hybrid pattern that works for most manufacturing deployments
  4. Hardware timestamping is non-negotiable for sub-microsecond synchronization accuracy
  5. Security requires a Key Server — Pub/Sub's multicast model doesn't support session-based authentication
  6. Budget 75% of link capacity for scheduled traffic to prevent guard-band starvation

The convergence of OPC-UA Pub/Sub and TSN represents the most significant shift in industrial networking since the migration from fieldbus to Ethernet. Getting the architecture right at deployment time saves years of retrofitting — and the practical patterns in this guide reflect what actually works on production floors, not just in vendor demo labs.