Architecture and Best Practices Recommendations for PI Systems
Presented by Chris Lonsberry, Field Service Engineer
© Copyright 2011 OSIsoft, LLC
Areas of discussion & Topics Outline
Visualization
Notifications
Asset Framework
Advanced Computing Engine
PI Server
Interfaces
Hardware and Virtualization
Hardware Virtualization
[Figure: two rows of three APP-over-OS stacks]
Operating System Virtualization
• Why are OSIsoft customers using
Virtualization?
– Server consolidation
– Improved availability and provisioning
• OSIsoft supports virtualization
– OSIsoft Knowledge Base article 3062OSI8
– Consider shared resources implications
Virtualized PI Systems
[Figure: VM Host Farm with Virtual Host A, Virtual Host B and Virtual Host C. Labels: PI Server (Secondary), PI Server (Primary), ACE Server, AF Server, Virtual Desktops (Clients), Interfaces]
Operating System Virtualization*
• Treat virtual machines as if they were
physical machines
• Invest in Enterprise-level hardware and
software
• Do not mix virtual and physical on the same
host
• Use qualified Virtualization support
personnel
• Test on the target platform
* OSIsoft Center of Excellence
Application Virtualization
• Applications centrally installed and managed
• Users are remote
• OSIsoft customers are successfully using Microsoft and
Citrix virtualization products
64-bit Operating Systems
• Why 64-bit?
– Access to larger memory footprint
– Reduce limitation to applications
PI System 64-bit OS Support
• Several products support native 64-bit operation
– Examples: PI Server, PI Web Parts, Asset Framework, PI ACE
Scheduler
• Windows compatibility layer enables 32-bit programs to
run on 64-bit
– Example: Interfaces
• Future product releases will support native 64 bit
– Example: PI Notifications
64-bit Application Support - Exceptions
• Certain components work only with 32-bit
versions of applications
• PI Add-ins for Microsoft Excel
• DataLink for Excel
• RDBMS interface and 64-bit drivers
• PI ActiveView & PI Graphic (SVG) require
32-bit Internet Explorer
PI System 64-bit Best Practices
• Verify support
– Release Notes
– Technical support
• Scenarios to watch out for
– Applications that are plug-ins or run by another
application
• Microsoft Internet Information Server
• Office 2010
– Where 3rd party libraries (dlls) need to run with
another application
• RDBMS interface
PI Interface Buffering and Failover
Interface Buffering
• Ability of interface node(s) to store data in
the event of disconnection from PI
Server(s)
• Goal: Minimize data loss
• Two flavors
– PI Buffer Subsystem
– PI Bufserv
[Figure labels: PI Server, PI Buffer Subsystem, PI interface(s), Interface Node]
Interface Failover: Why?
• Support failure of data collection
• Goal: Minimize data loss
• Synchronization is with the data source
or
• Synchronization is between the
interfaces
[Figure: two PI interfaces, each with a PI Buffer Subsystem, linked by a failover mechanism]
Interface Failover: How?
• Interfaces “watch” each other’s Heartbeat
and Status
• Failover Types
– Hot = No data loss
– Warm = Maybe data loss
– Cold = Some data lost
(Hint: minimize data loss by using disconnected
startup)
Interface failover - Hot
[Figure: Primary Interface and Backup Interface exchanging Heartbeat and Device Status through a File, both doing Data Collection from the Data Source. Labels: Heartbeat counters 1 to 7 on each interface; Device Status values 950 and 0; Failure in the communication layer; Timeline (interval) 1 to 7, marker at 3.5]
Send data to PI
Send data from the last 2 intervals (4 & 5) and this one (6) to PI
Possible overlap of data during intervals 4 and 5
OPC Server Failover and Interface Failover
[Figure: PRIMARY INTERFACE and BACKUP INTERFACE, each with PI SDK, PI API and Interface Buffer, connected to PRIMARY DATA SOURCE and BACKUP DATA SOURCE (e.g. OPC SERVER), above PLC / INSTRUMENT SYSTEMS]
Disconnected Startup
• Previously, if the PI Server was not available, it was not
possible to start the interface
• Creates a local cache of all of the tags. Now the interface
can start without connecting to the PI Server
• Along with buffering, you now have an interface that
can operate (almost) indefinitely without the PI
Server!
– Bonus: We have seen impressive decreases in interface startup time
when this feature is enabled
– Hint: If you make a lot of changes to this interface’s tags consider
shutting down the interface and deleting the cache files.
PI Interfaces Best Practices
• Configure buffering with PI Buffer
Subsystem
• Consider implementing failover support
• Disconnected start-up
• Create interface health points
• Configure 2+ trusts using a limited account
(not piadmin)
• Don’t forget to test the new features after
you implement them
PI Server High Availability (PI HA)
PI Server High Availability (PI HA)
• Redundancy with multiple PI Servers as
one collective
• Goal: Maximize data access for clients
PI Server – High Availability Architecture
[Figure: System Management Tools, thin clients (PI WebParts) and smart clients (ProcessBook, DataLink, custom applications) connect through PI-SDK to a PI server collective. The primary PI server sends configuration changes to the secondary PI server(s); all members hold identical time series data. Below the collective, two PI interfaces, each with a PI Buffer Subsystem, are linked by a failover mechanism]
DMZ PI Server
[Figure: three zones: NERC CIP-002 Critical Cyber Assets inside the Electronic Security Perimeter, the DMZ, and the Business User Domain. Labels: PI Interface Node or OEM with PI-to-PI Originator; PI Server; Desktops and Data Access Servers; Data Only Conduit; Time Series Data; Application Data]
Business Domain PI Server with PI to PI Interface
[Figure: zones: CCAs inside the Electronic Security Perimeter, Protected User Domain, DMZ, Business User Domain. Labels: PI – SCADA Interface; PI Server; PI-to-PI Originator; PI Server; Time Series Data]
HA Allows DMZ PI Server and Protected PI Server
[Figure: zones: CCAs inside the Electronic Security Perimeter, Protected User Domain, DMZ, Business User Domain. Labels: PI Interface Node; PI Server (HA); PI Server (HA); Desktops and Data Access Servers; Data Only Conduit; Configuration Data; Time Series Data; Application Data]
PI Server High Availability
• Benefits
– Maintain availability during scheduled
maintenance
– Redundancy of data
– Locate PI Server member close to consumers
of the data
• Best Practices
– Implement PI Server High Availability
PI Server Windows Integrated Security
Copyright © 2010 OSIsoft, LLC
PI Server Security: Overview
• PI Server 3.4.380.36 (2009) introduced support for
Windows Integrated Security
• Microsoft Active Directory (AD) integration
• Map AD users to PI Identities
• PI Identities are roles on the PI Server
– PIOperators, PIEngineers, PISupervisor
Comparing PI Users and PI Identities
[Figure labels: Nancy, Bob, Jim]
Authorization: Object Level Security Model
Automatic Backward Compatibility
Tag       dataaccess       datagroup  dataowner
sinusoid  o:rw g:rw w:r    pi_users   bob

Tag       datasecurity
sinusoid  pi_users:A(r,w) | bob:A(r,w) | PIWorld:A(r)
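The mapping on this slide, as an added example (not OSIsoft code): a Python sketch that converts the legacy owner/group/world string into the datasecurity form shown above and flags tags whose PIWorld entry can write. It assumes both string formats are exactly as printed on the slide; the function names, the second sample row and the A() spelling for "no access" are assumptions.

```python
import re

# Assumption: the legacy string has the slide's shape, "o:rw g:rw w:r"
# (owner / group / world, each granting any of r and w).
LEGACY = re.compile(r"o:(r?w?) g:(r?w?) w:(r?w?)")
ENTRY = re.compile(r"\s*(.+?)\s*:\s*A\(([rw,\s]*)\)\s*")


def legacy_to_acl(access, group, owner, world="PIWorld"):
    """Build the datasecurity string in the slide's order: group | owner | world."""
    m = LEGACY.fullmatch(" ".join(access.split()))
    if m is None:
        raise ValueError(f"unrecognised legacy access string: {access!r}")
    o, g, w = m.groups()
    merged = {}  # identity -> rights; a name listed twice gets the union
    for name, flags in ((group, g), (owner, o), (world, w)):
        merged.setdefault(name, set()).update(flags)
    # Assumption: an identity with no rights is written A().
    return " | ".join(f"{n}:A({','.join(sorted(r))})" for n, r in merged.items())


def parse_acl(acl):
    """Parse 'name:A(r,w) | name:A(r)' into {name: {'r', 'w'}}."""
    rights = {}
    for part in acl.split("|"):
        m = ENTRY.fullmatch(part)
        if m is None:
            raise ValueError(f"bad ACL entry: {part!r}")
        rights[m.group(1)] = {c for c in m.group(2) if c in "rw"}
    return rights


def world_can_write(acl, world="PIWorld"):
    """True when the catch-all identity holds write access."""
    return "w" in parse_acl(acl).get(world, set())


if __name__ == "__main__":
    # Constructed rows: the first is the slide's sinusoid tag, the second is made up.
    for tag, access, group, owner in [
        ("sinusoid", "o:rw g:rw w:r", "pi_users", "bob"),
        ("demo_tag", "o:rw g:r w:rw", "pi_users", "bob"),
    ]:
        acl = legacy_to_acl(access, group, owner)
        print(tag, acl, "WORLD-WRITABLE" if world_can_write(acl) else "ok")
```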
Active Directory Integration
• PI Server must be a member of a domain to leverage
Kerberos authentication
• Multiple AD domains must have trusts established or
users and groups from other domain cannot be used
– One-way trusts are supported: the server domain must trust the
client domain
• For non-domain accounts, you can use Windows Local
Groups from the PI Server machine
– Passwords have to match for NTLM authentication
PI Identity Planning
• Develop a PI Identity Scheme for your
Organization
– Protect your data
– Ease of maintenance
– Organizational separation
– Standardize
• Consider Kerberos
– Map AD principals directly
– Map AD principals to local groups
How to Tighten Security: Best Practices
1. Physical and OS security are the first line of defense
2. Use the new Security Tool to help secure your PI Server
3. Do not use the PIADMIN account in trusts or mappings
4. Disable PI Password authentication (explicit logins) (see KB00304)
5. Retire PI SDK-based Trusts
6. Use Windows Integrated Security
PI Server: Best Practices
• Security
• MCN Health
Monitor
• Archives
• Backups
PI Advanced Computing Engine
PI Advanced Computing Engine
• Overview
– Develop calculations in Microsoft Visual Studio
– Wizards assist configuration
– High availability
– PI ACE 2010 adds support for 64-bit calculations
(How To: KB00553)
• Best Practices
– Configure buffering (64-bit requires extra care:
KB00552)
– Error handling
– Performance Counters
[Figure labels: ACE, PI-SDK, Data Buffering Services, PI Server]
PI Asset Framework and PI Notifications
PI Asset Framework: Overview
• An asset model to organize and structure all your data
with context
• Build hierarchy, categories and connectivity models
• Data references to time series (PI Points) and other data
• Search across multiple PI Servers to find information
• Leverage PI Notifications
[Figure labels: Asset Information / Metadata; Relational / Non Time Series Data; PI Notifications; PI Server (Time Series Data); PI Server Collective (Time Series Data)]
PI Asset Framework – Components
• Two key components
– AF Server
– SQL Server database
• SQL Server
– Express, Standard
– Cluster or Mirror
• AF Server
– Behind a load balancer
– AF SDK Collective
PI Asset Framework – High Availability
PI AF – AF SDK High Availability
PI Asset Framework: Best Practices
• Backups!
• Monitor SQL Server with PI MCN Health Monitor
• Do not run the SQL Server database engine as
LOCALSYSTEM, admin, or domain admin.
• DO NOT RUN the AF Server with SysAdmin privilege (don’t
use SA account, LOCALSYSTEM, or admin)
• Minor: for AF Table, disable AF2.0 compatibility, enable
impersonation
PI Notifications Architecture: Overview
[Figure labels: PI ProcessBook, PI DataLink, PI Servers, Other Data Sources]
Delivery channels:
• E-mail
• Web service
• Office Communication Server (OCS)
• Custom developed (OSIsoft vCampus)
PI Notifications: Best Practices
• Configure buffering
• Performance Counters
• Configure redundant scheduler
• Utilize templates
PI WebParts
PI WebParts
• Overview
– Visualization with
Microsoft
SharePoint
– Versions PI MDB or PI AF
• Best Practices
– Backup SharePoint
– Explore querystrings
More Information
• Whitepapers and Tech Support bulletins on OSIsoft
website
• User Manuals
– PI Server 2010 Configuring Security
– PI Asset Framework 2010 User's Guide
• OSIsoft vCampus – Online community
– Forums, Whitepapers, Webinars