Architecture and Best Practices - Recommendations for PI ... - OSIsoft

Regional Seminar Series
Architecture and Best Practices:
Recommendations for PI Systems
Glenn Moffett
Product Management
OSIsoft, LLC
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Areas of discussion & Topics Outline
Visualization
Notifications
Asset Framework
Advanced Computing Engine
PI Server
Interfaces
2 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Hardware and Virtualization
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Hardware Virtualization
Overview
APP
OS
APP
OS
APP
OS
APP
OS
APP
OS
4 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.
APP
OS
4

Operating System Virtualization
• Why are OSIsoft customers using Virtualization?
• Server consolidation
• Improved availability and provisioning
• OSIsoft supports virtualization
• OSIsoft Knowledge Base article 3062OSI8
• Consider shared resources implications
5 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Virtualized PI
PI Server
Secondary
ACE Server
Virtual Host A
VM Host Farm
PI Server
Primary
AF Server
Virtual Host B
Virtual
Desktops
(Clients)
Interfaces
Virtual Host C
6 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Operating System Virtualization*
Best practices
• Treat virtual machines as if they were physical
machines
• Invest in Enterprise-level hardware and
software
• Do not mix virtual and physical on the same
host
• Use qualified Virtualization support personnel
• Test on the target platform
* OSIsoft Center of Excellence
7 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Application Virtualization
Overview
• Applications centrally installed and managed
• Users are remote
• OSIsoft customers are successfully using Microsoft and
Citrix virtualization products
8 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

64 Operating Systems
Overview
• Why 64-bit?
• Access to larger memory footprint
• Reduce limitation to applications
• PI ACE contexts was limited due to 32 bit
9 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.
9

PI System 64 bit operating system support
• Several products support native 64-bit operation
• Examples: PI Server, PI WebParts, Asset Framework
• Windows compatibility layer enables 32-bit programs to run
on 64-bit
• Example: Interfaces, PI ACE
• Future product releases will support native 64 bit
• PI ACE, PI Notifications
10 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

64-bit Application Support - Exceptions
• Certain components work only with 32-bit
versions of applications
• PI System Add-ins for Microsoft Excel
• DataLink for Excel
• RDBMS interface and 64-bit drivers
• PI ActiveView & PI Graphic (SVG) require
32-bit Internet Explorer
11 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI System 64 bit operating system support
Best practices
• Verify support
• Release Notes
• Technical support
• Scenarios to watch out for
• Applications that are plug-ins or run by another application
• Microsoft Internet Information Server
• Office 2010
• Where 3 rd party libraries (dlls) need to run with another
application
• RDBMS interface
12 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Interface Buffering and Failover
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Interface Buffering
Overview
• Ability of interface node(s) to store data in
the event of disconnection from PI Server(s)
• Goal: Minimize data loss
• Two flavors
• PI Buffer Subsystem
• PI Bufserv
PI Server
PI Buffer
Subsystem
PI interface(s)
Interface Node
14 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Interface Failover
• Support failure of data collection
• Goal: Minimize data loss
• Synchronization is with the data source
or
Overview
• Synchronization is between the interfaces
PI Buffer
Subsystem
PI interface
Failover mechanism
PI Buffer
Subsystem
PI interface
15 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Interface Failover
• Interfaces “watch” each other’s Heartbeat
and Status
• Failover Types
• Hot = No data loss
• Warm = Maybe data loss
• Cold = Some data lost
(Hint: minimize data loss by using disconnected startup)
16 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Interface failover - Hot
Send
data
to PI
Primary
Interface
Failure Data in the
communication Collection layer
Timeline : 3.5 1 2 3 4 5 6 7 (interval)
Heartbeat:
Device
Status:
1 2 3 4 5 6 7
95 0
File
Data Source
Heartbeat:
Device
Status:
Send
data
to PI
from the last 2 intervals
(4 & 5) and this one (6)
1 2 3 4 5 6 7
Backup
Interface
17 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.
0
Data
Collection
Possible overlap of data
during intervals 4 and 5

OPC Server Failover and Interface Failover
PRIMARY
INTERFACE
PRIMARY
DATA SOURCE
(e.g. OPC
SERVER)
PI SDK, PI API
Interface Buffer
PLC / INSTRUMENT SYSTEMS
PI SDK, PI API
Interface Buffer
BACKUP
DATA SOURCE
(e.g. OPC
SERVER)
BACKUP
INTERFACE
18 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Interfaces
Best practices
• Configure Buffering
• PI Buffer Subsystem
• Consider implementing failover support
• Disconnected start-up
• Create interface health points
• Do not authenticate to PI using piadmin
19 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Server High Availability (PI HA)
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Server High Availability (PI HA)
Overview
• Redundancy with multiple PI Servers as one
collective
• Goal: Maximize data access for clients
21 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Server – High Availability Architecture
PI server collective
Secondary
PI server
PI Buffer
Subsystem
PI interface
System
Management
Tools
Configuration
changes
Failover mechanism
Thin clients: PI WebParts
Smart clients: ProcessBook, DataLink, Custom
applications
Primary
PI server
PI-SDK
Identical time series data
PI Buffer
Subsystem
PI interface
Copyright © 2010 OSIsoft, LLC
Secondary
PI server(s)
22

PI HA and security architecture
NERC CIP-002 Critical
Cyber Assets
PI Interface
Node
Protected User
Domain
PI Server
(HA)
Electronic
Security Perimeter
Data Only Conduit
DMZ
PI Server
(HA)
Business User
Domain
Desktops and
Data Access
Servers
Configuration Data
Time Series Data
Application Data

PI deployment across security zones
CIP-002 Critical
Cyber Assets
PI Interface Node
or
OEM with PI-to-PI
Data Only Conduit
Electronic
Security Perimeter
DMZ
PI Server
Business User
Domain
Desktops and
Data Access
Servers
Originator
Time Series Data
Application Data

Replication of PI Server data
CIP-002 Critical
Cyber Assets
PI – SCADA
Interface
Protected User
Domain
PI Server
Electronic
Security Perimeter
DMZ
PI-to-PI
Business User
Domain
PI Server
Originator
Time Series Data

PI Server High Availability
Benefits
• Maintain availability during scheduled maintenance
• Redundancy of data
• Locate PI Server member close to consumers of the data
Best practices
• Implement PI Server High Availability
26 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

New PI Server Security Concepts
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Server Security
Overview
• PI Server 3.4.380.36 (2009) introduced support for Windows
Integrated Security
• Microsoft Active Directory (AD) integration
• Map AD users to PI Identities
• PI Identities are roles on the PI Server
• PIOperators, PIEngineers, PISupervisor
28 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Comparing PI Users and PI Identities
Nancy
Bob
Jim
29 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Mapping Windows users to PI Identities
30 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Authorization: Object Level Security Model
31 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Automatic Backward Compatibility
Tag dataaccess datagroup dataowner
sinusoid o:rw g:rw w:r pi_users bob
Tag datasecurity
sinusoid pi_users:A(r,w) | bob:A(r,w) | PIWorld:A(r)
32 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Active Directory Integration
• PI Server must be a member of a domain to leverage
Kerberos authentication
• Multiple AD domains must have trusts established or users
and groups from other domain cannot be used
• One-way trusts are supported: the server domain must trust the
client domain
• For non-domain accounts, you can use Windows Local
Groups from the PI Server machine
• Passwords have to match for NTLM authentication
33 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Identity Planning
Best practices
• Develop a PI Identity Scheme for your Organization
• Protect your data
• Ease of maintenance
• Organizational separation
• Standardize
• Consider Kerberos
• Map AD principals directly
• Map AD principals to local groups
34 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

How to Tighten Security
Best practices
1. Use the new Security Tool to help secure your PI Server
2. Disable or protect the PIADMIN account
3. Disable PI password authentication (Explicit Logins)
4. Secure piconfig by forcing login
5. Retire PI SDK-based Trusts
6. Use Windows Integrated Security
36 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Server
• Security
• Monitoring!
• MCN Health Monitor
• Archives
• Backups
Best practices
37 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Advanced Computing Engine
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Advanced Computing Engine
Overview
• Develop calculations in Microsoft Visual Studio
• Wizards assist configuration
• High availability
Best practices
• Configure buffering
• Error handling
• Performance Counters
ACE
Data Buffering
Services
PI Server
39 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.
PI-SDK

Module database and Asset Framework
ACE uses the Module Database (MDB) for configuration
and calculation metadata
PI ACE
MDB MDB
PI SERVER COLLECTIVE AF Link Subsystem AF SERVER
40 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Asset Framework and PI Notifications
Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Asset Framework
Overview
• Organize PI Server data and metadata by asset
Clients: PI ProcessBook, PI WebParts 2010, PI Notifications
AF SDK
Data References
RDB OLE-DB
PI Server
PI SDK
TCP 5450
Asset
Framework
Service
TCP 5457
TCP 1433
MS SQL
Express/
Server
42 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Asset Framework – Components
• Two key components
• AF Server
• SQL Server database
• SQL Server
• Express, Standard
• Cluster or Mirror
• AF Server
• Behind a load balancer
• AFSDK Collective
43 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Asset Framework – High Availability
44 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI AF – AFSDK High Availability
45 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Asset Framework
Best practices
• Backups!
• Monitor SQL Server with MCN Health Monitor
• Do not run the SQL Server database engine as
LOCALSYSTEM, admin, or domain admin.
• DO NOT RUN the AF Server with SysAdmin privilege (don’t
use SA account, LOCALSYSTEM, or admin)
• Minor: for AF Table, disable AF2.0 compatibility, enable
impersonation
46 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Notifications
Overview
• Let the right people know when a critical event occurs
PI SDK
TCP 5450
PI SDK
PI Server
AN SDK
Notification Scheduler
& Analytic Processors
Data Buffering
Services
Clients: PI Notifications
TCP 5458
AF SDK
TCP 5450 TCP 5450
TCP 5457 TCP 5457
Asset
Framework
(AF) Server
AF SDK
TCP 5458
TCP 1433
Acknowledgement
Web Page
AN SDK
MS SQL
Express/
Server
Clients: Web
Browser
TCP 80/443
47 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

PI Notifications
Best practices
• Configure buffering
• Performance Counters
• Configure redundant scheduler
48 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

More Information
• Whitepapers and Tech Support bulletins on OSIsoft web site
• User Manuals
• PI Server 2010 Configuring Security
• Asset Framework 2010 User's Guide
• OSIsoft vCampus – Online community
• Forums, Whitepapers, Webinars
49 Empowering Business in Real Time. © Copyright 2010, OSIsoft, LLC. All rights Reserved.

Thank you
© Copyright 2010 OSIsoft, LLC.
777 Davis St., Suite 250 San Leandro, CA 94577