Goals
- Improve security
- Improve application management
- Reduce operational costs
- Solutions and Products
- ACP ThinManager
- InTouch
- Historian Client
Challenges
- Running multiple HMI applications under the same service account
- Batch server redundancy
- Running back office applications on thin clients
Results
- Improved security
- Improved application management
- Reduced operational costs
- Reduced downtime in the event of a client failure
Background
Gauteng, South Africa
The mainframe approach to computing of the 1970s and 80s left much to be desired – a cumbersome arrangement with a single point of failure, dumb “glass” terminals and almost non- existent flexibility. The PC fixed all that but at the cost of multiple points of failure, costly software and hardware maintenance and opening the door to a multiplicity of security breaches. Many leading companies in the industrial world have decided that they want the benefits of both PCs and mainframes but the disadvantages of neither.
The solution was the introduction of “thin” clients – intelligent, local devices without the complexity of PCs (hard drives, fans, operating systems, etc.) that communicate with a redundant array of servers. SAB implemented ACP ThinManager with thin clients in their manufacturing environment as a replacement for desktop-based SCADA machines.
At SAB, desktop machines are replaced periodically at a significant cost to ensure that they are up to date and still supported by their vendors. Apart from security concerns, they require extensive configuration management to make sure that they have the correct software version and are not running unauthorised applications. Thin clients are immune from these issues and provide a cost-effective, low-maintenance, more secure and high-availability alternative.
Goals
“Our first objective was to improve security,” says Christopher Clark, Process Control Engineer, The South African Breweries (SAB). “With thin clients, users only have access to those applications they need and no data are stored locally. Another plus is that, if stolen, the hardware is only useful as hardware as the thief has no access to software or data.”
The next priority was to improve application management through the ability to image redundant HMIs, deploy applications rapidly while ensuring they were all configured the same way and the rapid recovery from hardware failures. “The centralised management and deployment of applications mean that all releases are consistent with one another and that running from PC to PC to configure each one is a thing of the past,” adds Clark. “In addition, should a thin client fail, it can be replaced and back online in a matter of minutes because no operating system, software or configuration is involved.”
The third objective was to reduce operational costs through less costly and less frequent hardware replacement, reduced system management (25 clients to 2 servers), lower licensing costs associated with anti-virus protection requirements, OS maintenance and reduced operational management. Another opportunity for cost reduction was the critical areas which previously had redundant hardware. This would no longer be necessary because thin clients can be replaced almost instantly.
In order to achieve these goals, the system would need to support all existing manufacturing applications while being redundant and without any single point of failure for the plant. The Thin Client servers needed to have the same reliability as the backend servers (AVEVA System Platform, Batch etc.). The system would also need to be hosted locally on-site to prevent it from being dependant on a WAN connection. In addition, system configuration needed to be simple and decentralised to allow each region to manage its own environment. For example, dual, HD display resolution was required for certain plants.
From a security angle, users would need to be prevented from having access to critical areas of the server, such as the C: Drive and the system would need to integrate into SAB’s existing active directory security model. “We wanted to be able to assist operators rapidly so the remote monitoring and control of user sessions became an important requirement,” says Clark.
Implementation
SAB chose ACP ThinManager which allowed for a locally-hosted solution that enabled the use of zero clients (client devices that require no configuration and have nothing stored on them). As ThinManager supports a very wide range of hardware, SAB could continue to use their existing enterprise hardware vendors as well as existing industrial hardware like HMIs.
“ThinManager’s simple and intuitive user interface means that it can be easily managed by the on-site engineers without resorting to an application specialist,” says Clark. “And since it’s supplied by IS³, this meant that if we encountered issues with our AVEVA (formerly Wonderware) software on the platform then IS³ support would be able to replicate the system.”
The chosen hardware was Dell Wyse DxOD clients since Dell is an existing SAB supplier and the unit supports dual HD displays. It has a 1.4Ghz dual core CPU with 4 GB RAM
The implementation took a couple of months and the system allowed for a side-by-side implementation which greatly reduced the risk involved and allowed for a gradual, smooth transition for the operators. Initially, one machine in each area that had multiple PCs was replaced with a thin client which operators were encouraged to use to see if there were any issues. “After a week, all PCs were replaced with thin clients but the PCs were left in place. In the event of a major issue the screen, keyboard, network and mouse could be reconnected to the PC and the PC booted up,” adds Clark.
The system was extensively tested before being put into the plant. The regions’ applications were loaded onto the terminal servers and the full system was configured as it would be in production. All 25 clients for the site were then booted up and tested fully including simulating failures in various parts of the system. This included simulated server, network and client failure as well as checking the client replacement procedure and speed.
“The system was implemented on the manufacturing network and allows for full remote control on that network,” says Clark. “In my opinion, the system’s most outstanding features include its support of a broad range of hardware such as touch panels and zero clients, its redundancy features and simple configuration as well as its terminal shadowing facility.” Shadowing is a popular management tool that allows an authorised user to view what is running on a remote client.
Challenges
Access control and authentication is provided by the applications with each one running under a service account. In a Terminal Services environment, however, this causes an issue when attempting to run multiple HMI applications on the same server. Each application creates specific files so that when multiple different applications are run under the same account, this causes a clash and the HMI will not start. This has since been resolved by modifying the registry of the generic account.
“We also had a problem with our batch system,” says Clark. “It stores its target server in the registry. What this means is that each instance of the client on a terminal server must view the same batch server. At our Chamdor brewery, we have 4 batch servers which, if we wanted redundancy, would mean that we required 8 terminal servers. We were able to resolve this using a custom launch script that arbitrated the use of the registry among clients. Only 2 servers were eventually required.”
Having PCs in place meant that many regions had installed non-manufacturing applications on the manufacturing work stations. Many machines had MS office installed which should only be installed on the “back-office” admin machines (on a different domain and network) in the plant. “Our back-office uses Citrix so we attempted to provide Excel from the back office environment onto the new thin manufacturing clients but we were not able to get this to work,” says Clark. “But that’s not necessarily a bad thing.”
Future Plans
SAB has many OEM machines with “black box” computer- based control and / or HMI systems tied to specific hardware and whose backup/recovery is difficult. The solution, as SAB sees it, is to virtualise the black box PCs and “stream” them back to thin HMIs. This removes the dependency on specific hardware and provides easy backup and recovery.
Another possibility lies in the benefits to be derived from wireless, tablet-based SCADA using ThinManager Relevance software that senses and identifies the presence of individuals and automatically provides them with the access privileges they were assigned as they move about the plant. “Location-aware manufacturing systems means that the control room moves with the people in control,” says Clark.
Conclusion
As shown in this implementation, thin clients indeed deliver the benefits of both PCs and mainframes but without the disadvantages of either. While PCs will always have their place as stand-alone and independent solutions, when it comes to complex, linked systems, there’s a strong case to be made for thin clients, especially in the industrial sector because of their robustness and total lack of moving parts. Add to this their low maintenance, ease of replacement and security benefits and it’s easy to understand their growing popularity in the mining and manufacturing industries.
Benefits
- Improved security
- Improved application management
- Reduced operational costs
- Reduced downtime in the event of a client failure