Architecture and Best Practices - Recommendations for PI Systems · 2011-12-13 · Architecture and...

Post on 15-May-2020


Architecture and Best Practices Recommendations for PI Systems

Presented by Chris Lonsberry, Field Service Engineer

© Copyright 2011 OSIsoft, LLC

Areas of discussion & Topics Outline

• Visualization
• Notifications
• Asset Framework
• Advanced Computing Engine
• PI Server
• Interfaces

Hardware and Virtualization

Hardware Virtualization

[Diagram: six OS / APP pairs]

Operating System Virtualization

• Why are OSIsoft customers using virtualization?
– Server consolidation
– Improved availability and provisioning
• OSIsoft supports virtualization
– OSIsoft Knowledge Base article 3062OSI8
– Consider shared resources implications

Virtualized PI Systems

[Diagram: VM Host Farm with Virtual Host A, Virtual Host B and Virtual Host C. Labels: PI Server Primary; AF Server; PI Server Secondary; ACE Server; Virtual Desktops (Clients); Interfaces]

Operating System Virtualization*

• Treat virtual machines as if they were physical machines

• Invest in Enterprise-level hardware and software

• Do not mix virtual and physical on the same host

• Use qualified Virtualization support personnel

• Test on the target platform

* OSIsoft Center of Excellence

Application Virtualization

• Applications centrally installed and managed

• Users are remote

• OSIsoft customers are successfully using Microsoft and Citrix virtualization products

64-bit Operating Systems

• Why 64-bit?

– Access to larger memory footprint

– Reduces limitations on applications

PI System 64-bit OS Support

• Several products support native 64-bit operation

– Examples: PI Server, PI Web Parts, Asset Framework, PI ACE Scheduler
• Windows compatibility layer enables 32-bit programs to run on 64-bit
– Example: Interfaces
• Future product releases will support native 64-bit
– Example: PI Notifications

64-bit Application Support - Exceptions

• Certain components work only with 32-bit versions of applications
• PI Add-ins for Microsoft Excel
• DataLink for Excel
• RDBMS interface and 64-bit drivers
• PI ActiveView & PI Graphic (SVG) require 32-bit Internet Explorer

PI System 64-bit Best Practices

• Verify support

– Release Notes

– Technical support

• Scenarios to watch out for

– Applications that are plug-ins or run by another application

• Microsoft Internet Information Server

• Office 2010

– Where 3rd party libraries (dlls) need to run with another application

• RDBMS interface

PI Interface Buffering and Failover

Interface Buffering

• Ability of interface node(s) to store data in the event of disconnection from PI Server(s)
• Goal: Minimize data loss
• Two flavors
– PI Buffer Subsystem
– PI Bufserv

[Diagram labels: PI Server; PI Buffer Subsystem; PI interface(s); Interface Node]

Interface Failover: Why?

• Support failure of data collection

• Goal: Minimize data loss

• Synchronization is with the data source
or
• Synchronization is between the interfaces

[Diagram labels: two PI interface / PI Buffer Subsystem pairs; Failover mechanism]

Interface Failover: How?

• Interfaces “watch” each other’s Heartbeat and Status
• Failover Types
– Hot = No data loss
– Warm = Maybe data loss
– Cold = Some data lost (Hint: minimize data loss by using disconnected startup)

Interface failover - Hot

[Diagram: timeline (intervals 1 to 7) for the Primary Interface and the Backup Interface. Labels: File; Data Source; Device Status; Heartbeat; Data Collection; Send data to PI]

Annotations on the diagram:
• Failure in the communication layer
• Send data to PI from the last 2 intervals (4 & 5) and this one (6)
• Possible overlap of data during intervals 4 and 5

OPC Server Failover and Interface Failover

[Diagram labels: PLC / INSTRUMENT SYSTEMS; PRIMARY DATA SOURCE (e.g. OPC SERVER); BACKUP DATA SOURCE (e.g. OPC SERVER); PRIMARY INTERFACE and BACKUP INTERFACE, each with PI SDK, PI API and Interface Buffer]

Disconnected Startup

• Previously, if the PI Server was not available, it was not possible to start the interface
• Disconnected startup creates a local cache of all of the tags. Now the interface can start without connecting to the PI Server
• Along with buffering, you now have an interface that can operate (almost) indefinitely without the PI Server!
– Bonus: We have seen impressive decreases in interface startup time when this feature is enabled
– Hint: If you make a lot of changes to this interface’s tags, consider shutting down the interface and deleting the cache files.

PI Interfaces Best Practices

• Configure buffering with PI Buffer Subsystem

• Consider implementing failover support

• Disconnected start-up

• Create interface health points

• Configure 2+ trusts using a limited account (not piadmin)

• Don’t forget to test the new features after you implement them

PI Server High Availability (PI HA)

PI Server High Availability (PI HA)

• Redundancy with multiple PI Servers as one collective
• Goal: Maximize data access for clients

PI Server – High Availability Architecture

[Diagram: PI server collective. Labels: Primary PI server; Secondary PI server(s); Configuration changes; System Management Tools; Thin clients: PI WebParts; Smart clients: ProcessBook, DataLink, Custom applications; PI-SDK; two PI interface / PI Buffer Subsystem pairs; Failover mechanism; Identical time series data]

NERC CIP-002 Critical Cyber Assets

[Diagram: DMZ PI Server. Labels: Electronic Security Perimeter; PI Interface Node or OEM with PI-to-PI; DMZ; PI Server; Data Only Conduit; Business User Domain; Desktops and Data Access Servers; Originator; Time Series Data; Application Data]

[Diagram: Business Domain PI Server with PI to PI Interface. Labels: CCAs; Electronic Security Perimeter; PI – SCADA Interface; PI Server; DMZ; PI-to-PI; PI Server; Protected User Domain; Business User Domain; Originator; Time Series Data]

[Diagram: HA Allows DMZ PI Server and Protected PI Server. Labels: CCAs; Electronic Security Perimeter; PI Interface Node; PI Server (HA); DMZ; PI Server (HA); Protected User Domain; Business User Domain; Desktops and Data Access Servers; Data Only Conduit; Configuration Data; Time Series Data; Application Data]

PI Server High Availability

• Benefits

– Maintain availability during scheduled maintenance
– Redundancy of data
– Locate PI Server member close to consumers of the data

• Best Practices

– Implement PI Server High Availability

Copyright © 2010 OSIsoft, LLC

PI Server Windows Integrated Security


PI Server Security: Overview

• PI Server 3.4.380.36 (2009) introduced support for Windows Integrated Security

• Microsoft Active Directory (AD) integration

• Map AD users to PI Identities

• PI Identities are roles on the PI Server

– PIOperators, PIEngineers, PISupervisor


Comparing PI Users and PI Identities

[Diagram: example users Nancy, Bob and Jim]

Authorization: Object Level Security Model


Automatic Backward Compatibility

Tag        dataaccess       datagroup   dataowner
sinusoid   o:rw g:rw w:r    pi_users    bob

Tag        datasecurity
sinusoid   pi_users:A(r,w) | bob:A(r,w) | PIWorld:A(r)
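The mapping on the Automatic Backward Compatibility slide, written out as an added Python example (not OSIsoft code): it rebuilds the datasecurity string from the three legacy attributes and flags tags where PIWorld can write. The function names, the A() rendering for a class with no rights, and the merging of rights when one name is both group and owner are assumptions.

```python
import re

# One legacy token: class letter (owner, group, world) and its rights.
_TOKEN_RE = re.compile(r"^(o|g|w):([rw]*)$")


def parse_dataaccess(dataaccess):
    """Parse a legacy string such as 'o:rw g:rw w:r' into {'o': {'r', 'w'}, ...}."""
    rights = {"o": set(), "g": set(), "w": set()}
    for token in dataaccess.split():
        match = _TOKEN_RE.match(token)
        if match is None:
            raise ValueError(f"unrecognised dataaccess token: {token!r}")
        rights[match.group(1)] = set(match.group(2))
    return rights


def to_datasecurity(dataaccess, datagroup, dataowner):
    """Build the datasecurity ACL string from the three legacy attributes."""
    rights = parse_dataaccess(dataaccess)
    entries = {}  # identity name -> rights, kept in insertion order
    # Entry order follows the slide: datagroup, dataowner, then PIWorld.
    for name, cls in ((datagroup, "g"), (dataowner, "o"), ("PIWorld", "w")):
        # Assumption: a name that fills two roles gets the union of both.
        entries.setdefault(name, set()).update(rights[cls])
    return " | ".join(
        f"{name}:A({','.join(r for r in 'rw' if r in held)})"
        for name, held in entries.items()
    )


def world_can_write(datasecurity):
    """Review helper: True when the PIWorld entry grants write access."""
    for entry in datasecurity.split("|"):
        name, _, access = entry.strip().partition(":")
        if name.strip() == "PIWorld":
            inner = access[access.find("(") + 1:access.rfind(")")]
            return "w" in inner.split(",")
    return False


if __name__ == "__main__":
    # The slide's own row for the tag "sinusoid".
    acl = to_datasecurity("o:rw g:rw w:r", "pi_users", "bob")
    print(acl, "| world write:", world_can_write(acl))
```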

Active Directory Integration

• PI Server must be a member of a domain to leverage Kerberos authentication
• Multiple AD domains must have trusts established or users and groups from other domains cannot be used
– One-way trusts are supported: the server domain must trust the client domain
• For non-domain accounts, you can use Windows Local Groups from the PI Server machine
– Passwords have to match for NTLM authentication

PI Identity Planning

• Develop a PI Identity Scheme for your Organization
– Protect your data
– Ease of maintenance
– Organizational separation
– Standardize
• Consider Kerberos
– Map AD principals directly
– Map AD principals to local groups

How to Tighten Security: Best Practices

1. Physical and OS security are the first line of defense

2. Use the new Security Tool to help secure your PI Server

3. Do not use the PIADMIN account in trusts or mappings

4. Disable PI Password authentication (explicit logins) (see KB00304)

5. Retire PI SDK-based Trusts

6. Use Windows Integrated Security


PI Server: Best Practices

• Security

• MCN Health Monitor
• Archives
• Backups

PI Advanced Computing Engine

PI Advanced Computing Engine

• Overview

– Develop calculations in Microsoft Visual Studio

– Wizards assist configuration

– High availability

– PI ACE 2010 adds support for 64-bit calculations (How To: KB00553)
• Best Practices
– Configure buffering (64-bit requires extra care: KB00552)
– Error handling
– Performance Counters

[Diagram labels: PI Server; ACE; Data Buffering Services; PI-SDK]

PI Asset Framework and PI Notifications

PI Asset Framework: Overview

• An asset model to organize and structure all your data with context
• Build hierarchy, categories and connectivity models
• Data references to time series (PI Points) and other data
• Search across multiple PI Servers to find information
• Leverage PI Notifications

[Diagram labels: Relational / Non Time Series Data; Asset Information / Metadata; Time Series Data; PI Server; PI Notifications; PI Server Collective]

PI Asset Framework – Components

• Two key components

– AF Server

– SQL Server database

• SQL Server

– Express, Standard

– Cluster or Mirror

• AF Server

– Behind a load balancer

– AF SDK Collective

PI Asset Framework – High Availability

PI AF – AF SDK High Availability

PI Asset Framework: Best Practices

• Backups!

• Monitor SQL Server with PI MCN Health Monitor

• Do not run the SQL Server database engine as LOCALSYSTEM, admin, or domain admin.
• DO NOT RUN the AF Server with SysAdmin privilege (don’t use SA account, LOCALSYSTEM, or admin)
• Minor: for AF Table, disable AF2.0 compatibility, enable impersonation

PI Notifications Architecture: Overview

Delivery channels:
• E-mail
• Web service
• Office Communication Server (OCS)
• Custom developed (OSIsoft vCampus)

[Diagram labels: PI ProcessBook; PI DataLink; PI Servers; Other Data Sources]

PI Notifications: Best Practices

• Configure buffering

• Performance Counters

• Configure redundant scheduler

• Utilize templates

PI WebParts

PI WebParts

• Overview

– Visualization with Microsoft SharePoint
– Versions PI MDB or PI AF
• Best Practices
– Backup SharePoint
– Explore querystrings

More Information

• Whitepapers and Tech Support bulletins on OSIsoft website

• User Manuals

– PI Server 2010 Configuring Security

– PI Asset Framework 2010 User's Guide

• OSIsoft vCampus – Online community

– Forums, Whitepapers, Webinars
