Professional Documents
Culture Documents
Contents
1 Introduction......................................................... 2
2 Conflicts with Mandatory Standards................... 2
3 References, Acronyms and Definitions.............. 2
4 Background........................................................ 3
5 Virtual Servers.................................................... 6
6 Recommended Architecture by Plant Type...... 10
7 Thin-Clients………………………..………......... 17
8 Backup and Restore……………....................... 19
1. Introduction
1.1 Scope
This Best Practice provides information and guidelines for the deployment of
Virtual Servers and Thin client devices in Process Automation Systems.
1.2 Disclaimer
This SABP is not intended to detail all aspects of the configuration and does not
include adequate information to enable it to be used as an instruction or user
manual.
In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements (MSAERs), the Mandatory Saudi Aramco Engineering
Requirements shall govern.
Specific sections of the following documents are referenced within the body of the
document. Material or equipment supplied to this best practice, shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.
3.1 References
Page 2 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
3.2 Acronyms
3.3 Definitions
Process Automation System (PAS): The system consisting of all four layers of
complete process automation: instrumentation, control, plant information and
optimization, and enterprise.
4. Background
Process Automation suppliers have adopted Virtual Server and Thin-client technologies
for their automation systems. Virtualization can refer to a variety of computing
concepts, but it usually refers to running multiple operating systems and associated
software applications on a single physical server, called a virtual server. While most
computers have a single operating system, virtualization software, called a Hypervisor,
allows a computer to run several operating systems at the same time.
Through virtualization, users are able to run multiple instances of traditional PCs or
servers on a single virtual server. The figure below is a conceptual diagram of a virtual
server which hosts four different traditional workstations.
This technology offers many advantages over traditional PC based workstations and
servers. Hardware obsolescence of PC based workstations used in Process Automation
Systems (PAS) is a major challenge for operating facilities. Virtualization software
minimizes the dependency of the Operating System (OS) and Vendor Application
software from the physical hardware (PC) on which it is running. Virtual Servers will
enable replacement of failed servers with newer model servers without impacting the
operating systems / application software running on the server. In the traditional
architecture, replacing an old model workstation or server with a newer model typically
requires upgrading of the automation application software. This is a costly and complex
process which could involve conversion of process graphics and control databases.
This is expected to result in a longer lifespan of the Process Automation application
software.
Access to the automation applications running on the virtual servers is still a requirement
and this is accomplished by providing a remote desktop connection from a device located
Page 4 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
at the operator / engineering console to the virtual server. Any computer running a
Windows operating system can be used to provide this remote connection; however, there
are significant advantages of using Thin-client (TC) devices. Thin clients are compact
devices which run an embedded Windows operating system. They utilize Remote
Desktop Protocol (RDP) to connect to an application running on a virtual server.
Communications with the virtual server is provided using standard Ethernet network
connection. This enables a user at the TC to interact with the automation application
which is running on the virtual server. The figure below shows the thin-client concept.
Thin-clients offer several advantages over traditional desktop PCs. Most significant is
they are much more reliable than traditional PCs because they have no hard-drive or
other moving parts. This increases the reliability and lifespan of thin-clients vs.
traditional PC desktops. In addition, Thin-clients typically do not contain any vendor
specific application software; making change-out of one TC device with a newer model
much simpler.
The adoption of Virtual Server and Thin Clients for Process Automation systems is
expected to significantly increase the reliability of the HMI layer. It is also expected to
extend the timeframe between automation applications software upgrades thereby
reducing total cost of ownership. Refer to Saudi Aramco Engineering Report,
SAER-6467, “Virtualization and Thin-client HMI for Process Automation Systems”
for details on the expected benefits and costs for implementation of V&TC for PAS.
5. Virtual Servers
5.1 There are three common architectures for achieving redundancy of virtual
servers. Details and the advantages / disadvantages of each contained below:
Independent Virtual Servers
Redundant Virtual Servers
Blade Virtual Servers
While this is the simplest and most cost effective architecture, it does not
provide any automatic failover or restart of virtual instances on the
redundant server in the event of a server failure. Restarting virtual
instances on the redundant server must be done manually. In order to do
this, the redundant server must have up-to-date images of the virtual
instances which are required to restart. In order to facilitate use of the
most recent virtual image, it is recommended to configure automatic
backup of virtual instances on each server on a periodic basis and to
store the backup images on a separate physical server or network storage
device.
Page 6 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
Page 8 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
recommended making the overall cost higher than the normal high
availability design.
5.2.1 Process Automation Systems which utilize more than two (2) virtual
servers, should have as a minimum, a separate physical server which
would serve as the domain controller for the virtual servers and also the
virtual server management station. Note that both applications may be
combined on the same physical server.
5.2.3 Virtual Server Network Interface Cards (NIC) should not be shared
between the primary process control network and other networks, such
as the PAN. Where access is required to more than one network,
separate physical NICs shall be used to connect to each network.
These facilities normally have 3 plant areas, Crude, Gas, Utilities. The normal
configuration is to have 2 operator workstations for Crude and two for Gas
and Utilities. In the virtual architecture, two virtual servers is adequate.
Redundant workstations for each plant area would be segregated to different
virtual servers. The DCS, ESD, VMS and CCS engineering workstations and
other process automation applications such as ALMS, IAMS, PI scan nodes, etc.
would be distributed between the two servers. The operator console should have
4 thin-clients, each with their own video display, keyboard and mouse. Two of
these thin-clients would normally be configured to connect to virtual instances
on one of the redundant virtual servers and the other two thin clients would be
configured to access virtual instances on the other redundant virtual server.
Two additional thin-clients are required for maintenance and engineering
functions. These thin-clients should be configured to connect to any of the
virtual servers hosting the engineering and maintenance applications.
A separate physical server may be required to host the system domain controller
and virtualization management software.
A multi-train GOSP is one which has more than one GOSP train within the same
plant fence. Manifa Central Processing Facility (CPF) and Khurais Central
Processing Facility are typical examples. Plants this size will typically have
separate Process Interface Buildings (PIBs) for each plant area. Manifa CPF has
three GOSP trains. The table below show the plant areas and PIBs at Manifa CPF:
Each plant area has an operator console in the CCR and Maintenance /
Engineering workstations in the corresponding PIB. For this plant layout, it is
recommended that all engineering an maintenance workstations in a PIB be
hosted on a single virtual server, located in the PIB. In this configuration, the
virtual server in the PIB would be configured to host the following applications:
Page 10 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
There are exceptions where more than one virtual server would be required per
PIB. If the DCS / ESD vendor has some restriction for not allowing other
applications like ALMS, CCS, IAMS or other applications to run on the same
virtual server, then two or more virtual servers would be required. A typical
example would be if one vendor only supported Microsoft Virtualization
software (Hyper-V) and another vendor only supported a different virtualization
software (e.g., VMWare). Where this is the case, two virtual servers would be
required in order to separate applications.
Another exeption which would require more than one virtual server to be located
in the PIB is where the automation system utilizes redundant servers to interface
with Control and IO signals. Where redundant servers are the standard
architecture for the automation system, it is recommended to utilize two virtual
servers to separate the virtual instances of the redundant servers onto different
virtual servers.
The configuration and layout of virtual servers within the Central Control Room
(CCR) should be designed to segregate virtual instances of operator
workstations onto separate virtual servers. Using the Manifa example, and
assuming there are four operator workstations for each operator console, the
layout of virtual workstations to virtual servers depends on whether the
automation system utilizes high-availability servers (refer to item 5.1.2 above)
or independent server architecture.
For systems which support the High Availability option (HAO), the layout of
virtual servers to virtual servers would change somewhat. Within the PIBs, high
Page 12 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
availability is not required, unless the DCS system utilizes servers which are
required for normal control and monitoring functions. In the CCR, the
distribution of virtual images to virtual servers is essentially the same as the
individual server architecture. Additional consideration must be given to the
assignment of backup servers. In addition, spare CPU and memory must be
allocated on each server to ensure that each server is able to run all virtual
instances, in the event of a single server failure. Table 2 below shows the
recommended assignment, where the A/B servers are used to backup each other.
Page 14 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
SCADA systems are very good candidates for virtualization, since, for most
systems, the entire system can be consolidated to two virtual servers.
Redundant stations within the traditional architecture (i.e., SCADA DB Servers,
Front End Processors and Operator Workstations) should be segregated onto
different virtual servers. All of our approved suppliers provide application
redundancy for critical services. For this reason, High Availability, is not
required for SCADA. By segregating redundant services to separate virtual
servers, there is no service interruption in the event of a hardware failure of the
virtual server. A recommended distribution of workstations and servers is
shown in the figure below.
The typical TMS system contains redundant Control database servers, redundant
Business Application Servers, TMS operator workstations, TMS engineering
workstations, auxiliary systems engineering workstations, and various support
servers like anti-virus patch management, domain controller, and historian
interface.
Page 16 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
7. Thin Clients
Automation suppliers have adopted different strategies for how they integrate TC devices
into their virtual automation environment. Two specific topologies are most widely used.
The first will be referred to as the 'Stand-alone' architecture, for the purpose of this
document. The second will be referred to as the 'Integrated' architecture. Each topology
has its own pros and cons. The major difference between the two is in how the user
authentication is handled for login to the thin-client operating system. The intent of this
document is not to discuss the pros and cons of each approach. The purpose is to provide
details of each topology and to provide specific guidelines for each to ensure the system
meets Saudi Aramco requirements for security and reliability.
3. The windows desktop for the 'user' account should be configured such that
the user does not have access to the 'Start' menu.
4. The only programs available to user shall be pre-configured remote desktop
icons on the desktop.
5. The device shall be 'write-protected' by enabling the 'write-lock' function
available on TC devices.
6. User account passwords for access to the virtual workstation running on the
virtual server shall not be stored or cached on the thin-client device.
7. Controls shall be implemented to prevent the thin-client device from booting
up into the Administrator account.
Page 18 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
shall contain only pre-configured remote desktop icons which are configured
to connect to the virtual workstation for which access is required.
8.1 Snapshots
Snapshots are software backups of virtual images which are created by the
virtualization software. These are different from the backup workstation images
created with software tools such as Acronis and Symmantec. Snapshots can be
taken for any virtual instance without shutting down the virtual instance.
However, snapshots cannot be used to restore a complete virtual image.
Snapshots are only incremental backups from the last snapshot. Snapshots are
not suitable for a complete backup and restore system. Snapshots would only be
used before and after major system changes, such as installation of new
application software patches or revisions and/or installation of major Windows
OS patches.
Virtualization software from both Microsoft and VMWare have the functionality
to export a complete virtual image to a backup file. Exports of virtual instances
are complete backups of a virtual instance and are equivalent to Acronis or
Symmantec Station backups in the traditional architecture. In the event of a
virtual server failure, virtual image exports are needed to restore virtual
instances on the replaced server. The following recommendations apply to
virtual image exports:
Exports of virtual images should be taken at least one time per year for each
virtual instance.
Exports should be stored on a separate physical server or on a different
virtual server. Exported images should not be stored on the same virtual
server which hosts the virtual instances for which the backups are taken.
8.4.1 Virtual Image Exports should be taken for all virtual images at least once
per year. These image shall not be stored on the same virtual server on
which the virtual images are running.
8.5 Recommended Backup and Failover Strategy for Independent Virtual Servers
Page 20 of 21
Document Responsibility: Process Control Standards Committee SABP-Z-074
Issue Date: 28 December 2015
Next Planned Update: TBD Virtual Servers and Thin Clients for Process Automation Systems
assigned to the redundant server, but not running, can be easily started on the
redundant server. The figure below shows this architecture in a simplified
diagram. In the event of a failure of Virtual Server A, Images 1, 2 & 3 can be
started quickly on Virtual Server B.
This strategy requires that virtual server A has current backup images of
instances running on virtual server B and visa-versa. To support this
requirement, Virtual Server A hard-disk may be used to store image backups for
virtual server B and visa-versa. In the event of a failure of server B (as an
example), Virtual Server A will have the latest image backups for B which are
ready to be started to restore services until such time as virtual server B has been
replaced.
Revision Summary
28 December 2015 New Saudi Aramco Best Practice was created for the implementation of Virtual Servers
and Thin clients for Process Automation Systems.