1.2 Interoperability and Governance

A system architecture without governance is not an architecture; it is a "spaghetti topology" of fragile point-to-point connections. In a high-volume manufacturing environment, interoperability is the discipline of defining boundaries and contracts. If System A writes directly into the database of System B, you have violated the boundary. If System A changes a message format and crashes System B, you have violated the contract.

This chapter establishes the "Constitution" for how systems in your landscape (ERP, MES, SCADA) coexist. These rules are non-negotiable architectural constraints.

Architectural Topology Rules

Stop building fragile bridges. Enforce Decoupling.

Rule 1: Abolish DB-to-DB Integration.

  • Prohibition: Never allow an external system to execute INSERT, UPDATE, or DELETE directly on another system's SQL database.
  • Why: This bypasses business logic validation (e.g., checking if a Part Number exists before creating a Work Order). It creates "Zombie Records."
  • Mandate: All integration must occur via an Abstraction Layer (API, Message Broker, or Enterprise Service Bus).
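As an added illustration of Rule 1 (not code from the chapter or any named vendor system), the following Python script builds a constructed, in-memory SQLite stand-in for "System B" and runs the same bad request through both paths: a direct table write, which lands a Work Order for a part that does not exist (a "Zombie Record"), and a hypothetical abstraction-layer function `create_work_order` that validates the Part Number and the quantity type before anything is stored. Table names, the part number and the audit query are assumptions for the example.

```python
import sqlite3


class ValidationError(ValueError):
    """Raised when a request violates the receiving system's business rules."""


def open_mes_db() -> sqlite3.Connection:
    # Constructed stand-in for "System B": a parts master and a work-order table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (part_number TEXT PRIMARY KEY)")
    conn.execute(
        "CREATE TABLE work_orders ("
        "wo_id TEXT PRIMARY KEY, part_number TEXT NOT NULL, quantity INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO parts VALUES ('PN-1001')")
    return conn


def direct_db_insert(conn: sqlite3.Connection, wo_id: str, part_number: str, quantity) -> None:
    """Rule 1 violation: System A writes straight into System B's table.

    Nothing checks that the part exists or that quantity is an Integer, so the
    row lands as-is and becomes a 'Zombie Record'.
    """
    conn.execute("INSERT INTO work_orders VALUES (?, ?, ?)", (wo_id, part_number, quantity))


def create_work_order(conn: sqlite3.Connection, wo_id: str, part_number: str, quantity) -> dict:
    """Abstraction-layer entry point: the only sanctioned way to create a Work Order.

    Business-logic validation runs before storage is touched, which is exactly
    the step a DB-to-DB write skips.
    """
    if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity <= 0:
        raise ValidationError("quantity must be a positive integer")
    found = conn.execute(
        "SELECT 1 FROM parts WHERE part_number = ?", (part_number,)
    ).fetchone()
    if found is None:
        raise ValidationError(f"unknown part number {part_number!r}")
    conn.execute("INSERT INTO work_orders VALUES (?, ?, ?)", (wo_id, part_number, quantity))
    return {"wo_id": wo_id, "part_number": part_number, "quantity": quantity}


def zombie_work_orders(conn: sqlite3.Connection) -> list:
    """Audit query: Work Orders whose part_number has no row in the parts master."""
    rows = conn.execute(
        "SELECT w.wo_id FROM work_orders AS w "
        "LEFT JOIN parts AS p ON p.part_number = w.part_number "
        "WHERE p.part_number IS NULL ORDER BY w.wo_id"
    ).fetchall()
    return [wo_id for (wo_id,) in rows]


def demo() -> tuple:
    """Constructed scenario: the same bad requests via both paths, then an audit."""
    conn = open_mes_db()
    direct_db_insert(conn, "WO-1", "PN-DOES-NOT-EXIST", "5")  # accepted silently
    try:
        create_work_order(conn, "WO-2", "PN-DOES-NOT-EXIST", 5)
        rejected_part = False
    except ValidationError:
        rejected_part = True
    try:
        create_work_order(conn, "WO-3", "PN-1001", "5")       # String, not Integer
        rejected_type = False
    except ValidationError:
        rejected_type = True
    create_work_order(conn, "WO-4", "PN-1001", 5)
    return zombie_work_orders(conn), rejected_part, rejected_type


if __name__ == "__main__":
    print(demo())
```

The audit query is the detection side of the rule: run it on a schedule against any system that has ever been integrated DB-to-DB, and a non-empty result is direct evidence that something is still bypassing the API.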

Rule 2: The "Hub" vs. "Mesh" Decision.

  • Constraint: Avoid direct mesh connections (System A ↔ System B, A ↔ C, B ↔ C). With N systems the number of connections grows as N(N-1)/2.
  • Mandate: Use a Hub-and-Spoke or Unified Namespace (UNS) pattern. Systems publish events to a central broker (MQTT/Kafka) or call a central API Gateway.
  • Benefit: When you replace the ERP, you only update one connector at the Hub, not 50 distinct point-to-point scripts.

The Interface Control Document (ICD)

Mandatory ICD Components:

  1. Transport Protocol: (e.g., HTTPS REST, MQTT, TCP Socket).
  2. Directionality: Who initiates? (Push vs. Pull).
  3. Authentication: API Key, OAuth, or Certificate.
  4. Schema Definition: The exact payload structure (JSON/XML).
    • Strict Typing: Define quantity as Integer, not String.
    • Unit of Measure: Define temperature as Celsius, not just 240.
  5. Error States: How does the system signal failure? (HTTP 400 vs 500).

Pro-Tip: Store ICDs in a Git repository alongside the code. They are living documents, not PDFs buried in SharePoint.
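The following Python example is added here to show what the Schema Definition and Error States components of an ICD look like once they are enforced in a receiver; it is not code from the chapter, and the message ("material consumption"), its field names, the unit-of-measure codes and the handler names are constructed assumptions. The validator applies strict typing (an Integer `quantity`, never the String `"5"`, and never a JSON `true`), requires an explicit unit of measure, and maps failures to the ICD's error states: a sender-side contract violation yields 400, a fault in the receiver's own logic yields 500.

```python
import json

# Constructed ICD fragment (an assumption, not from the chapter) for a hypothetical
# MES -> ERP "material consumption" message. Each field states its exact type,
# whether it is required and, where relevant, the allowed unit-of-measure codes.
CONSUMPTION_ICD = {
    "message_id":    {"type": (str,), "required": True},
    "work_order":    {"type": (str,), "required": True},
    "part_uid":      {"type": (str,), "required": True},
    "quantity":      {"type": (int,), "required": True},            # Integer, never "5"
    "quantity_uom":  {"type": (str,), "required": True, "allowed": {"EA", "G", "ML"}},
    "temperature_c": {"type": (int, float), "required": False},     # unit fixed by the name
}


class SchemaError(ValueError):
    """Contract violation by the sender: the ICD maps this to HTTP 400."""


def validate_message(payload, icd: dict = CONSUMPTION_ICD) -> dict:
    """Strictly check a decoded payload against the ICD; return it unchanged on success."""
    if not isinstance(payload, dict):
        raise SchemaError("payload must be a JSON object")
    unknown = set(payload) - set(icd)
    if unknown:
        raise SchemaError(f"unknown fields: {sorted(unknown)}")
    for name, spec in icd.items():
        if name not in payload:
            if spec["required"]:
                raise SchemaError(f"missing required field: {name}")
            continue
        value = payload[name]
        # bool is a subclass of int in Python; reject it so `true` never passes as a quantity.
        if isinstance(value, bool) or not isinstance(value, spec["type"]):
            expected = "/".join(t.__name__ for t in spec["type"])
            raise SchemaError(f"{name}: expected {expected}, got {type(value).__name__}")
        if "allowed" in spec and value not in spec["allowed"]:
            raise SchemaError(f"{name}: {value!r} not one of {sorted(spec['allowed'])}")
    return payload


def handle_request(body: str, process) -> tuple:
    """Receiver entry point; `process` is the hypothetical business handler.

    Error states follow the ICD: malformed JSON or a schema violation is the
    sender's fault (400); an exception inside the receiver's own logic is a
    server fault (500); only a fully processed message returns 200.
    """
    try:
        payload = validate_message(json.loads(body))
    except (json.JSONDecodeError, SchemaError) as exc:
        return 400, {"error": str(exc)}
    try:
        process(payload)
    except Exception:
        return 500, {"error": "internal error"}   # never leak the traceback to the caller
    return 200, {"status": "accepted", "message_id": payload["message_id"]}


def accepting_handler(payload: dict) -> None:
    """Constructed business handler that always succeeds."""


def failing_handler(payload: dict) -> None:
    """Constructed business handler standing in for a receiver-side fault."""
    raise RuntimeError("ERP database unavailable")


# Constructed sample message that satisfies the ICD.
GOOD_BODY = json.dumps({
    "message_id": "MSG-101", "work_order": "WO-4", "part_uid": "UID-000123",
    "quantity": 5, "quantity_uom": "EA", "temperature_c": 240,
})

if __name__ == "__main__":
    print(handle_request(GOOD_BODY, accepting_handler))
    print(handle_request(GOOD_BODY.replace('"quantity": 5', '"quantity": "5"'), accepting_handler))
```

Keeping the ICD as a data structure next to the validator is what makes the Pro-Tip workable: the same file that documents the contract is the file the receiver enforces, so a schema change shows up as a reviewable diff rather than an outage.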

Semantic Governance: Naming & IDs

If you cannot uniquely identify an object, you cannot control it.

Naming Strategy: The ISA-95 Hierarchy

Do not invent names. Use the physical hierarchy to create logical namespaces.

  • Format: Site/Area/Line/Cell/Device
  • Example: MEX01/SMT/Line04/PickPlace02/Feeder12
  • Why: This allows you to aggregate data logically. A query for MEX01/SMT/* returns all SMT performance for the site.
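Added example (not from the chapter): a small Python module that builds and validates Site/Area/Line/Cell/Device paths and answers the aggregation query the bullet above describes. It goes slightly beyond the single `MEX01/SMT/*` case by treating `*` as a level-wise wildcard: a `*` in the middle matches exactly one level, a trailing `*` matches everything beneath that node. The segment character set, the sample devices and the per-device output figures are constructed assumptions.

```python
import re

# ISA-95 levels used by the chapter: Site/Area/Line/Cell/Device (five segments).
LEVELS = ("Site", "Area", "Line", "Cell", "Device")
# Assumption: identifiers contain no '/', no wildcard characters and no blanks.
SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def build_path(site: str, area: str, line: str, cell: str, device: str) -> str:
    """Compose a device path from its physical hierarchy, validating each segment."""
    segments = (site, area, line, cell, device)
    for level, seg in zip(LEVELS, segments):
        if not SEGMENT.match(seg):
            raise ValueError(f"{level} segment {seg!r} is not a valid identifier")
    return "/".join(segments)


def validate_path(path: str) -> list:
    """Reject paths that are not exactly Site/Area/Line/Cell/Device; return the segments."""
    segments = path.split("/")
    if len(segments) != len(LEVELS):
        raise ValueError(f"{path!r} has {len(segments)} levels, expected {len(LEVELS)}")
    for level, seg in zip(LEVELS, segments):
        if not SEGMENT.match(seg):
            raise ValueError(f"{level} segment {seg!r} is not a valid identifier")
    return segments


def matches(pattern: str, path: str) -> bool:
    """Level-wise wildcard match.

    A '*' in the middle matches exactly one level; a trailing '*' matches
    everything beneath that node, so 'MEX01/SMT/*' selects the whole SMT area.
    """
    pseg, seg = pattern.split("/"), path.split("/")
    for i, p in enumerate(pseg):
        if i >= len(seg):
            return False                      # path ends above the pattern's depth
        if p == "*" and i == len(pseg) - 1:
            return True                       # trailing wildcard: whole subtree
        if p != "*" and p != seg[i]:
            return False
    return len(seg) == len(pseg)


def aggregate(records: dict, pattern: str) -> dict:
    """Sum a per-device metric over every path the pattern selects."""
    selected = {p: v for p, v in records.items() if matches(pattern, p)}
    return {"devices": sorted(selected), "total": sum(selected.values())}


# Constructed sample: units produced per device during one shift.
SHIFT_OUTPUT = {
    build_path("MEX01", "SMT", "Line04", "PickPlace02", "Feeder12"): 1200,
    build_path("MEX01", "SMT", "Line04", "PickPlace02", "Feeder13"): 1150,
    build_path("MEX01", "SMT", "Line05", "PickPlace01", "Feeder01"): 980,
    build_path("MEX01", "FinalAssembly", "Line01", "Station03", "Torque01"): 640,
    build_path("MEX02", "SMT", "Line01", "PickPlace01", "Feeder01"): 700,
}

if __name__ == "__main__":
    print(aggregate(SHIFT_OUTPUT, "MEX01/SMT/*"))        # all SMT output for site MEX01
    print(aggregate(SHIFT_OUTPUT, "*/SMT/*/*/Feeder01"))  # every Feeder01 in any SMT area
```

Note that `validate_path` is deliberately strict about depth: a four-level path is rejected rather than padded, because a namespace that tolerates "almost right" paths silently splits one device's data across two keys.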

Identity Strategy: The Immutable UID

  • The Problem: Vendor Serial Numbers are not unique globally. A resistor reel from Vendor A might have the same ID as a capacitor reel from Vendor B.
  • The Mandate: Generate an Internal Unique Identifier (UID) at the point of entry (Receiving).
  • Implementation: UUID (e.g., 550e8400-e29b...) or a prefixed integer (UID-999999). Use this Internal UID as the Primary Key in all database relations.

Temporal Governance: Time Synchronization

A distributed system is, in effect, a time machine: its record of what happened is only as trustworthy as its clocks. If clocks drift, cause-and-effect logic breaks.

The NTP Mandate

  • Master: Deploy a local Stratum 1/2 NTP Server in the OT Network.
  • Drift Tolerance: ±500ms max.
  • UTC Standardization:
    • Storage: All timestamps in databases and logs must be UTC (ISO 8601).
    • Display: Convert to Local Time only at the UI layer (Operator Screen).
    • Risk: If you store Local Time, a Night Shift crossing Daylight Savings Time will duplicate or lose one hour of production data.
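To make the UTC mandate and the Daylight Savings risk concrete, here is an added Python example (not from the chapter) that replays a night shift across both DST transitions. It uses two constructed fixed-offset zones (daylight UTC-5, standard UTC-6) instead of a named IANA zone so it runs without a tz database; the dates, the offsets and the ±500 ms check are assumptions for the example. A local-time store sees the same wall-clock stamp twice on fall-back and a two-hour gap on spring-forward, while the UTC store keeps the true one-hour interval in both cases.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone: daylight time is UTC-5, standard time is UTC-6. Fixed offsets
# stand in for a tz database so the example runs on any host; a real gateway
# would resolve the plant's IANA zone instead.
DAYLIGHT = timezone(timedelta(hours=-5), "LOCAL-DT")
STANDARD = timezone(timedelta(hours=-6), "LOCAL-ST")
DRIFT_TOLERANCE = timedelta(milliseconds=500)   # the chapter's ±500 ms NTP mandate


def to_storage(ts: datetime) -> str:
    """Persist only UTC, ISO 8601 with an explicit offset. Naive input is rejected."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("naive timestamp rejected: the source must state its UTC offset")
    return ts.astimezone(timezone.utc).isoformat()


def to_display(stored: str, local_tz: timezone) -> str:
    """Convert a stored UTC string to local wall-clock time, at the UI layer only."""
    return datetime.fromisoformat(stored).astimezone(local_tz).isoformat()


def within_drift(device_clock: datetime, reference: datetime) -> bool:
    """NTP sanity check: is a device's clock within the tolerance of the reference?"""
    return abs(device_clock - reference) <= DRIFT_TOLERANCE


def elapsed(first: datetime, second: datetime) -> dict:
    """Interval as a local-time database would see it, beside the true UTC interval."""
    local_a, local_b = first.replace(tzinfo=None), second.replace(tzinfo=None)
    return {
        "local_stamps": (local_a.isoformat(), local_b.isoformat()),
        "local_seconds": (local_b - local_a).total_seconds(),
        "utc_seconds": (second - first).total_seconds(),
    }


def dst_demo() -> dict:
    # Fall back: one real hour passes, but the wall clock reads 01:30 twice.
    fb_first = datetime(2025, 11, 2, 1, 30, tzinfo=DAYLIGHT)
    fb_second = (fb_first + timedelta(hours=1)).astimezone(STANDARD)
    # Spring forward: one real hour passes, but the wall clock jumps 01:30 -> 03:30.
    sf_first = datetime(2025, 3, 9, 1, 30, tzinfo=STANDARD)
    sf_second = (sf_first + timedelta(hours=1)).astimezone(DAYLIGHT)
    return {
        "fall_back": elapsed(fb_first, fb_second),
        "spring_forward": elapsed(sf_first, sf_second),
        "stored_first_unit": to_storage(fb_first),
    }


def drift_demo() -> tuple:
    """Constructed clocks: one 400 ms off the reference (pass), one 1 s off (fail)."""
    reference = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return (
        within_drift(reference + timedelta(milliseconds=400), reference),
        within_drift(reference - timedelta(seconds=1), reference),
    )


if __name__ == "__main__":
    print(dst_demo())
    print(drift_demo())
```

Rejecting naive timestamps at the storage boundary is the practical enforcement of the rule: a device that cannot state its offset is not trusted to timestamp production data, and the error surfaces at commissioning instead of on the next DST night.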

Message Resilience & Versioning

Assume the network will fail. Assume the API will change.

Versioning Policy

  • Rule: Never break the contract.
  • Implementation: Use Semantic Versioning in the Endpoint.
    • POST /api/v1/work-order (Legacy)
    • POST /api/v2/work-order (New Feature)
  • Deprecation: Maintain support for the previous version (v-1) for a minimum of 6 months.

Error Handling & Idempotency

  • Scenario: MES sends a "Consumption" message to ERP. ERP receives it but the Ack is lost. MES retries.
  • Risk: ERP deducts materials twice.
  • Mandate: The Receiver must be Idempotent. It must check the Message-ID. If it has already processed Msg-101, it simply returns "Success" without re-processing the transaction.

Store-and-Forward (Buffering)

  • Constraint: Network partitions are inevitable.
  • Mandate: All Edge Gateways and MES interfaces must buffer messages locally (Disk/Queue) if the upstream connection is lost.
  • Recovery: When the connection is restored, flush the buffer in FIFO (First-In, First-Out) order to preserve sequence.
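The Error Handling & Idempotency scenario and the Store-and-Forward mandate are two halves of one mechanism, so this added Python example (not code from the chapter) shows them together: an `ErpReceiver` that is idempotent on Message-ID, an `EdgeGateway` that queues every message before sending and only removes the head of its FIFO once an Ack arrives, and a constructed `ScriptedLink` that replays the chapter's failure sequence (Ack lost on the first "Consumption", then a network partition). The class names, the stock figures and the scripted outcomes are assumptions.

```python
from collections import deque


class ErpReceiver:
    """Receiving side. Idempotent on Message-ID: a retry of an already-processed
    message is acknowledged again but never re-applied to stock."""

    def __init__(self, stock: dict):
        self.stock = dict(stock)
        self.processed = {}   # Message-ID -> the Ack that was (or should have been) returned

    def consume(self, msg: dict) -> dict:
        mid = msg["message_id"]
        if mid in self.processed:
            return self.processed[mid]          # duplicate: same Ack, no second deduction
        self.stock[msg["part_uid"]] -= msg["quantity"]
        self.processed[mid] = {"status": "ok", "message_id": mid}
        return self.processed[mid]


class ScriptedLink:
    """Constructed network between gateway and ERP. Each send consumes one scripted
    outcome: 'ok', 'lost_ack' (ERP processes it, Ack never arrives) or 'down'."""

    def __init__(self, outcomes: list, erp: ErpReceiver):
        self.outcomes = deque(outcomes)
        self.erp = erp

    def send(self, msg: dict) -> dict:
        outcome = self.outcomes.popleft() if self.outcomes else "ok"
        if outcome == "down":
            raise ConnectionError("upstream unreachable")
        ack = self.erp.consume(msg)
        if outcome == "lost_ack":
            raise TimeoutError("no Ack received")   # indistinguishable, to the sender, from 'never delivered'
        return ack


class EdgeGateway:
    """Sending side. Store-and-forward: every message is queued before any send
    attempt, and the head of the FIFO is removed only once its Ack arrives."""

    def __init__(self, link: ScriptedLink):
        self.link = link
        self.buffer = deque()   # disk-backed queue in production; in-memory here
        self.acked = []

    def publish(self, msg: dict) -> None:
        self.buffer.append(msg)
        self.flush()

    def flush(self) -> int:
        """Drain the buffer in FIFO order; stop at the first failure to preserve sequence."""
        sent = 0
        while self.buffer:
            msg = self.buffer[0]                 # peek; pop only after the Ack
            try:
                self.link.send(msg)
            except (ConnectionError, TimeoutError):
                return sent                      # head stays put and is retried next flush
            self.buffer.popleft()
            self.acked.append(msg["message_id"])
            sent += 1
        return sent


def run_scenario() -> dict:
    """The chapter's scenario: Ack lost on the first Consumption, then a partition."""
    erp = ErpReceiver({"UID-000123": 100})
    gateway = EdgeGateway(ScriptedLink(["lost_ack", "ok", "down", "ok"], erp))
    gateway.publish({"message_id": "MSG-101", "part_uid": "UID-000123", "quantity": 10})
    gateway.publish({"message_id": "MSG-102", "part_uid": "UID-000123", "quantity": 5})
    gateway.flush()                              # link restored: drain what is left
    return {
        "stock": erp.stock["UID-000123"],        # 85, not 80: MSG-101 deducted once
        "acked_in_order": list(gateway.acked),
        "buffered": len(gateway.buffer),
        "erp_processed": sorted(erp.processed),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two production caveats the in-memory model hides: the receiver must write the Message-ID record in the same database transaction as the stock deduction, otherwise a crash between the two re-opens the double-deduction window; and the gateway's queue must be persisted to disk before the first send attempt, otherwise a power cycle during a partition loses exactly the messages the buffer exists to protect.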

Final Checklist: Governance Readiness

| Governance Pillar | Control Point | Mandatory Standard | Engineering Consequence |
| --- | --- | --- | --- |
| Contract | ICD | Signed & Versioned | Prevents "Tribal Knowledge" integrations that are unmaintainable. |
| Topology | Decoupling | No Direct SQL Access | Protects data integrity and allows independent system upgrades. |
| Time | NTP Sync | UTC + Local NTP | Guarantees accurate sequence of events for genealogy. |
| Naming | Namespace | ISA-95 Structured | Enables scalable analytics and clear asset management. |
| Resilience | Retry Logic | Idempotent Receiver | Prevents double-counting inventory during network jitters. |
| Versioning | API Lifecycle | Explicit (v1, v2) | Prevents "Big Bang" deployments; enables safe rollouts. |