Purdue Model

The Purdue Model – also known as the Purdue Enterprise Reference Architecture (PERA) – is a layered model that structures industrial systems from physical production to enterprise IT. It helps plan responsibilities, data flows, integrations, and security boundaries between OT and IT in a systematic way.

Developed at Purdue University in the 1990s, the model remains the most widely used reference framework for industrial network architecture and MES implementation projects.

The Levels of the Purdue Model (Level 0 to 5)

The Purdue Model divides industrial environments into six levels, spanning from the physical shop floor to enterprise IT.

Level 0 – Process: The physical production asset itself – machines, conveyors, reactors, and the actual manufacturing process.

Level 1 – Basic Control: Sensors, actuators, drives, and I/O modules that directly measure and control the process.

Level 2 – Supervisory Control: PLC/SPS systems, HMI interfaces, and SCADA functions that monitor and regulate lines and equipment locally.

Level 3 – Site Operations: MES, historian, dispatching, and quality and operational data systems at the plant level. This is where production execution lives: order management, OEE, traceability, shift logs.

Level 3.5 – Industrial DMZ: The buffer zone between OT and IT. Not a formal standard level, but in practice the most critical component for secure OT/IT coupling – including proxy, jump host, API gateway, event broker, and data buffering.

Level 4 – Business Planning: ERP, APS, BI platforms, and central IT services for planning, controlling, and reporting.

Level 5 – Enterprise / External: Corporate and cloud services, partner access, remote operations, and overarching analytics platforms.

What Is the Purdue Model Used For?

Architecture planning: The model gives every system category a defined location. A MES belongs at Level 3, an ERP at Level 4 – and access between these layers runs through controlled handover points, not as direct database connections across all layers.

OT/IT security: Clear layer separation allows the OT network (Levels 0–3) to remain stable and isolated, while IT systems (Levels 4–5) stay flexible. The DMZ at Level 3.5 is the controlled handover point – remote access, cloud connectivity, and BI integration run through here, not directly into the PLC.

Role clarity: Each level has a defined owner. This prevents the MES from becoming "ERP-lite" and stops the ERP from reaching into shop floor operational details.

Practical Example: MES Implementation According to the Purdue Model

A robust target architecture typically looks like this: at Level 2, the PLC captures states, counts, and alarms close to the line. Level 3 hosts the MES with production orders, confirmations, downtime tracking, quality management, and traceability. Level 3.5 forms the DMZ with a data buffer, API gateway, and controlled remote access via jump hosts. Level 4 covers ERP and BI – master data, planning, controlling, and reporting.

The result: data flows are controlled, IT-side changes do not affect OT real-time operations, and security responsibilities are clearly defined.

Common Mistakes

Connecting the MES directly to Level 1: Without a buffer and clear ownership, this works in a pilot but breaks down in live operations – both from a security and maintenance perspective.

Blending Levels 3 and 4: When MES and ERP have no clear boundary, responsibilities blur and shop floor stability suffers from IT change cycles.

Skipping the DMZ: Cloud, BI, and remote access then get connected to OT "somehow" – without controlled handover points.

Treating Purdue as rigid dogma: Modern architectures with edge computing, event streaming, and cloud-native MES approaches fit within the model – but not as a 1:1 copy. The Purdue Model is a planning framework, not a law.

FAQ

Is the Purdue Model still relevant today? It remains the most widely used reference framework for industrial network architecture, increasingly complemented by modern concepts such as zero-trust architecture and cloud-native OT connectivity. The core principle – clear layers, controlled handover points – remains valid.

Where does a cloud MES fit in the Purdue Model? MES functions (order management, OEE, traceability) remain at Level 3. If they are cloud-hosted, the connection runs via Level 3.5 (DMZ) – not directly from the cloud into Level 2 systems.

What is the difference between the Purdue Model and ISA-95? The Purdue Model defines the physical and network-level layering of industrial systems. ISA-95 describes the information and functional models for data exchange between the levels, particularly between MES (Level 3) and ERP (Level 4).

Is Level 3.5 (DMZ) always required? In production environments with security requirements, yes. Without a DMZ, remote access, cloud connectivity, and BI integration are difficult to operate securely.