ISA-95 (IEC 62264) defines a five-layer model for structuring industrial automation systems. Its primary value is not architectural prescription — it's a shared vocabulary for defining what data crosses each boundary, in what form, and at what rate. Most OT/IT integration failures are boundary contract violations.
The layers
| Level | Name | Time horizon | Typical systems |
|---|---|---|---|
| 0 | Physical process | Continuous | Sensors, actuators, drives |
| 1 | Intelligent devices | Sub-second | PLCs, smart sensors, VFDs |
| 2 | Control systems | Seconds–minutes | SCADA, DCS, HMI |
| 3 | Manufacturing operations | Hours–shifts | MES, historian, scheduler |
| 4 | Business planning | Days–weeks | ERP, supply chain |
The time horizon is the most important column. A thermocouple at Level 0 produces a value every 100ms. A Level 4 work order is planned days in advance. Systems that ignore this mismatch either flood upper layers with noise or starve lower layers of context.
Data flow: what transforms at each boundary
Raw values don't propagate up intact. Each boundary applies aggregation and context:
L0 → 23.4 °C (raw analog)
L1 → "temp_high" alarm state (PLC threshold logic)
L2 → alarm event + historian tag write (SCADA)
L3 → batch OEE contribution (MES aggregation)
L4 → production variance report (ERP KPI)Design the transformation at the boundary. Decisions deferred to a later integration layer become the most expensive bugs.
Protocols by boundary
| Boundary | Common protocols | Notes |
|---|---|---|
| L0 → L1 | 4–20mA, HART, IO-Link | Analog or low-level fieldbus |
| L1 → L2 | Profinet, EtherNet/IP, Modbus TCP | Real-time Ethernet |
| L2 → L3 | OPC-UA, historian REST/SQL | Carries quality, timestamp, engineering units |
| L3 → L4 | REST/JSON, SAP IDocs, DB replication | Business-layer integration |
OPC-UA is the preferred L2–L3 protocol because it carries metadata alongside values — engineering units, data quality flags, and server-assigned timestamps travel in the same message. A raw Modbus register carries none of that.
Where modern architectures deviate
IIoT deployments frequently flatten the pyramid. An IO-Link smart sensor publishes directly to an MQTT broker, bypassing L1 and L2 entirely. This reduces latency and hardware cost but shifts responsibility:
- The aggregation and alarming normally performed at L1/L2 must happen elsewhere (edge gateway, stream processor)
- L0 devices gain network access, increasing the OT attack surface
- Data context (engineering units, asset ID, timestamp) must be injected by the publisher — there's no SCADA tag configuration to fall back on
The ISA-95 model remains valid as a data contract framework even when the physical topology flattens. Define what data each layer consumes — the path it takes is a separate concern.
Common boundary failures
L1 → L2 — type truncation: SCADA tag defined as integer; PLC outputs a float. Value 23.7 arrives as 23. No alarm, no indication.
L2 → L3 — timestamp skew: Historian writes in local time; MES assumes UTC. Shift-boundary production records are shifted by the UTC offset.
L3 → L4 — poll/push mismatch: ERP polls MES every 15 minutes via SQL query. MES writes production events continuously. Under load, the ERP sees data that is up to 15 minutes stale — acceptable in planning, catastrophic in real-time dashboards.
Define type, units, timestamp convention, and update mechanism at every boundary before implementation. A one-page data dictionary per boundary eliminates the majority of integration defects.