GS43D07N10-08EN - 005 Oprex Managed Service - Cloud Edition
General
Specifications OpreX Managed Service -Cloud edition-
GS43D07N10-08EN
OVERVIEW
OpreX™ Managed Service is provided based on the advanced digitalization Managed Service Suite (MSS) platform
technologies, which is delivered as a managed service. The platform provides meaningful actionable information as a one-
stop shop linking Process, People and Technology. MSS connects all sources of available data of a plant and converts
this data into information (Technology) and proposes appropriate actions when required (Process) by the right person
(People).
Basic Services
Basic Services provide MSS functions to a customer. The Service desk constantly monitors and maintains performance,
system health, platform security, and its applications 24/7.
Optional Services
Optional Services are for the added value provided by Yokogawa's subject experts to improve maintenance efficiency.
All Rights Reserved. ©2021 Yokogawa Electric Corporation GS 43D07N10-08EN Jul. 27, 2023
ARCHITECTURE
MSS Architecture
MSS consists of the Site Component, the Center Component, and the Network Operations Center. These three are
Yokogawa-managed SaaS infrastructure, interconnected with an IPsec VPN connection. (Internet access required)
*1 Cloud service or some features may not be available in a particular country, region, sector, or organization due
to their data localization policies. E.g., personal and non-personal information which is collected in China must
be stored and processed in China. For more information about the service coverage area, please contact the
Yokogawa local support office.
Platform Deployment
Deployment pattern for OpreX Managed Service -Cloud edition- is as follows.
[Figure: platform deployment diagram. Labels: Yokogawa Network Operations Center (NOC), Service desk; Internet (out of scope of MSS); Enterprise Network (out of scope of MSS); Customer Central Data Center; Site A and Site B, each with business users, MSS Users (Site admin), business logistics systems, control systems and intelligent devices; links labelled IPsec and HTTPS.]
DEPLOYMENT
Deployment phases
The entire MSS deployment program contains several stages, including site survey, configuration design, deployment
installation and its commissioning and handover, to start operation of OpreX Managed Service -Cloud edition-.
Site survey
This phase aims to create an overview when building the PCD environment. On-demand, this will evaluate and
analyze the PCD environment. Information is analyzed during this phase to create a platform onboarding preparation
or coordination and implementation plan.
In this phase, the use case and network route for the expected solution should be assessed before the design
phase. If the network bandwidth and latency are not sufficient, the solution may not function or perform well.
Yokogawa requests the bandwidth and latency in Table 2 to meet acceptable performance.
Table 2: Network considerations
Use case | Network route | Requirement
Remote Access (*1) | Client PC - Endpoint assets via Center and/or Site | Min bandwidth >= 2Mbps, Max latency < 300ms
*1: The assumed scenario is a user working with a Yokogawa DCS HIS through MSS HTML5-based RDP Remote Access
desktop operation at 1920x1080 resolution, with no busy graphic motion or animation and no coexisting heavy traffic
such as large file transfers.
Design
The purpose of this phase is to use a check sheet to verify that the network configuration conforms to the standard
configuration for deploying the MSS. In this phase, you'll document your project, modify your tasks, and run them
in the time frame you need.
For deploying MSS-Site Component, Yokogawa recommends the installation of the following verified standard
model in Table 3.
Table 3: Hardware Specifications for Site Deployment
Vendor | Model | Specifications
DELL | PowerEdge R6515 | [CPU] AMD 7402P 2.8GHz,24C/48T,128M,180W,3200
 | | [Memory] 96 GB (32 GB x 3)
 | | [HDD] 4.8 TB (1.2 TB x 4)
 | | [SSD] 2880 GB (960 GB x 3)
Deployment
The purpose of this phase is to prepare the network for MSS installation and to perform all required network
remediation. This Work Pack runs consecutively with the deployment of MSS itself at the customer’s location. After
deployment, it is tested and validated consistently.
Asset inventory
An asset/application is a monitoring target of MSS. MSS supports monitoring the following assets.
Table 5: Asset inventory
Asset/Application Type | Asset/Application Subtype
Compute asset | Windows Agent based Compute asset
Compute asset | Windows WMI based Compute asset
PLC/DCS asset | Yokogawa Field Control station
PLC/DCS asset | Yokogawa Safety Control station
PLC/DCS asset | Yokogawa Bus Converter
PLC/DCS asset | Yokogawa Vnet Router
PLC/DCS asset | Yokogawa Wide Area Communication Router
Field assets | Field instruments monitored by PRM
Network assets | Switch
Network assets | Router
Network assets | Time Server
Network assets | Firewall
Environmental assets | Yokogawa Online Diagnostic Unit
Security applications | McAfee ePolicy orchestrator
Security applications | Microsoft WSUS
Security applications | Veeam Backup and Replication
Control applications | Yokogawa Centum VP
Asset Management applications | Yokogawa Plant Resource Manager
Analyzer Management applications | Yokogawa Advanced Analytical Instrument Management System
MSS users can create their own custom dashboards to meet operational needs. Such dashboards can be shared with
other users to collaborate.
Asset availability
Asset availability in MSS is determined by:
1. Operational state
2. Heartbeat status
Operational state is a configurable property of an asset/application. MSS users can set the state of an asset in the
Site Component.
‘Heartbeat’ is a metric of an asset/application that lets users know whether MSS can communicate successfully with
the asset/application.
Table 7: Asset availability
Status | Value | Description
Operational State | Operational | The asset is active in production
Operational State | Maintenance | The asset is suspended temporarily for maintenance
Operational State | Disposed | The asset is no longer used in production and is disposed
Heartbeat Status | Up | MSS can successfully communicate with the asset
Heartbeat Status | Down | MSS attempted to communicate, but the asset didn’t respond
Heartbeat Status | Turned Off | MSS is not attempting to communicate with the device
‘Field assets’ and ‘Agent based Compute assets’ are exceptions to this.
• Availability of Field assets is determined by the Asset Management Application (such as PRM).
• ‘Agent based Compute assets’ always have an ‘unknown’ status as they do not have a heartbeat collector.
Table 9: Maximum number of assets for data collection per Site Component
Asset type | Purdue Level | Maximum number of assets per site
Compute asset | L2 and L3 | 240
PLC/DCS asset | L1 | 160
Network asset | L2 and L3 | 330
Environmental asset | L2 and L3 | 20
Field asset | L0 | 24,000
Metric | CPU usage, Memory usage, Network usage, Process, Uptime
Event log | Windows logs (Application), Windows logs (Security), Windows logs (System)
* Selection of the data collection method will be subject to the customer’s demand for data visibility, product
compatibility, restriction by corporate security policies, and other reasons.
< Network assets >
Table 15: Data collected from Network assets
Method | Data type | Data item examples (* not regarded as part of the specification)
SNMP data collection (MIB-II) | | PSU status, Serial Number, Object ID, System Name, Description, Location, Software version
SNMP data collection (MIB-II) | Network interface | Status, Speed, Description
SNMP data collection (MIB-II) | Operational status | Heartbeat
SNMP data collection (Private MIB) *1 | Metrics | CPU usage, Memory usage, RX/TX
SNMP data collection (Private MIB) *1 | Vlan | Vlan
SNMP data collection (Private MIB) *1 | Operational status | Heartbeat
Syslog | Syslog | Syslog message
SSH/Telnet *2 | Configuration | Refer to Supported Configuration Column of Table 17
Table 19: Supported Environmental asset
Type | Vendor | Model/Series
Installation environment monitoring unit | Yokogawa | M1790LL
Installation environment monitoring unit | Yokogawa | SV7EM001
Table 27 below.
The data is collected in a variety of ways using agent-based and agentless data collection methods conducted by the
Site Component of MSS, and the collected data is stored in an isolated central location after going through the
transferring and buffering process.
< Control application >
Table 22: Data collected from Control applications
Data item examples
Method Application Type Data type
(* not regarded as part of the specification)
Inventory Project Inventory
Agentless data
Centum Project Logs Historical Messages
collection
Operational status Heartbeat
Table 27: Supported Analyzer Management applications
Type | Vendor
Advanced Analytical Instrument Management System | Yokogawa
Remote Access
Authorized and authenticated MSS users can remotely access an asset at the customer site from the Center Component
or Site Component.
Each named user has role-based access control (RBAC) permissions, and the Site responsible person controls user
permissions.
MSS remote access runs in modern, secure web browsers. Communication is encrypted, data is transferred over
Hypertext Transfer Protocol Secure (HTTPS) connections only, and no additional software is required on the
user’s device.
MSS remote access is based on Hyper Text Markup Language 5 (HTML5) and supports the following protocols, as shown
in Table 28.
- Remote Desktop Protocol (RDP)
- Secure Shell (SSH)
- Virtual Network Computing (VNC)
- Web (HTTP/HTTPS)
Table 28: Supported Remote Access Asset type and protocols
Access method
Asset type
RDP VNC SSH Web
Windows OS computer *1, 2
Network assets - - -
*1 Client editions of Windows allow one concurrent user session, whether remote or local. If a
remote desktop connection is made, it disconnects the existing user session.
*2 The Terminal Server role service installed on a host server makes it possible to provide multiple Remote
Desktop sessions to client users.
Network model for the interactive remote access flows is shown in the following Figure 5.
[Figure 5: network model for interactive remote access. Labels: Network asset; Computer asset; VPN; HTTPS; RDP, VNC, SSH.]
File Transfer
Authorized and authenticated MSS users can transfer a file at the customer site or at the user's end on the Center
Component and/or Site Component.
MSS supports the following file transfers, as shown in Table 29.
Table 29: Supported file transfers
Transfer Type | Description
Upload/Download Center | User to upload files from Center Component
Upload/Download Center | User to download files from Center Component
Upload/Download Site | User to upload files from Site Component
Upload/Download Site | User to download files from Site Component
Synchronization | Uploaded files are synchronized between Center Component and Site Component
[Figure: file transfer flow. Labels: Synchronization; VPN; HTTPS; File Transfer.]
All uploaded files are scanned by the MSS anti-virus scanner to detect virus infections. If a file is found to be
infected or cannot be scanned, it is quarantined.
< Anti-Virus software server >
Anti-Virus software server: McAfee ePolicy Orchestrator (ePO) is built and maintained as follows:
1. Qualified anti-virus definition files are imported into MSS Center Component.
2. The McAfee ePO Server in the MSS Site Component synchronizes to the primary McAfee ePO Server in the MSS Center
Component to replicate new policies and the latest virus definition files.
[Figure: Windows Update and anti-virus server synchronization. Labels: VPN; HTTPS; MSS Site Component Windows Update Server & Anti-Virus software server; Windows Update download, ePO synchronization; Computer asset.]
User Logout
User Login
Control applications Historical message
A Condition is an optional rule that adds exclusive conditions such as Attributes, OR, AND, etc. It prevents further
execution of the automation rule unless the condition is satisfied. Multiple conditions can be applied to a Trigger to
build a complex rule.
An Action is an operation performed by MSS after identifying an asset that matches the predefined Trigger and Condition.
MSS alerts
An alert created by an MSS Automation rule can be viewed in the Center Component via ‘Alert view’.
Alerts generated by Automations per site are consolidated and shown in Alert view.
● ServiceNow alerts
For advanced incident management, MSS integrates with ServiceNow. MSS can securely create incidents in
ServiceNow from OT assets using Automation rules.
After creating an incident, it is synced back to Center Component’s Alert view. The synced alerts are read-only and can
only be modified from ServiceNow. MSS tracks all the changes that happen inside ServiceNow and auto-closes the
alert once the incident is resolved in ServiceNow.
[Figure 9: MSS ServiceNow integration. Labels: ServiceNow cloud instance where alert related to application is created and managed; VPN; HTTPS; Computer asset.]
Email notification
Automations can also be configured to send out email notifications when there are issues with a device. By default,
MSS sends email notifications to Asset custodians, but it can be configured to send emails to other email
addresses if required.
To prevent spamming users with multiple emails in case of issues, MSS has a limit of sending out one email for every
60 minutes per asset per Automation rule.
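The Trigger, Condition and Action flow and the email limit described above can be modelled as follows. This is an added example, not Yokogawa's code: the class, field and event names are hypothetical, and it assumes that every matching event still raises an alert while only the email is rate-limited, with the 60-minute window measured from the last email sent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical model: class, field and event names are assumptions, not MSS APIs.
EMAIL_WINDOW = timedelta(minutes=60)  # page: one email per 60 min per asset per rule

@dataclass
class Rule:
    name: str
    trigger: str        # event type that starts evaluation
    conditions: list    # predicates over the event; all must hold (AND)
    recipients: list

@dataclass
class Engine:
    rules: list
    alerts: list = field(default_factory=list)
    outbox: list = field(default_factory=list)
    last_email: dict = field(default_factory=dict)  # (asset, rule) -> last send time

    def handle(self, ev):
        for rule in self.rules:
            if ev["type"] != rule.trigger:
                continue
            if not all(cond(ev) for cond in rule.conditions):
                continue  # Condition unmet: no Action for this rule
            self.alerts.append((ev["asset"], rule.name, ev["time"]))
            key = (ev["asset"], rule.name)
            last = self.last_email.get(key)
            # Assumption: the window is measured from the last email actually sent.
            if last is None or ev["time"] - last >= EMAIL_WINDOW:
                self.last_email[key] = ev["time"]
                self.outbox.append((ev["asset"], rule.name, ev["time"], tuple(rule.recipients)))

def run_sample():
    t0 = datetime(2023, 7, 27, 8, 0)
    def ev(asset, minutes, status, state):  # constructed sample events
        return {"type": "heartbeat", "asset": asset, "status": status,
                "operational_state": state, "time": t0 + timedelta(minutes=minutes)}
    conds = [lambda e: e["status"] == "Down",
             lambda e: e["operational_state"] == "Operational"]
    engine = Engine([Rule("heartbeat-down", "heartbeat", conds, ["custodian@example.invalid"])])
    for e in [ev("SW-01", 0, "Down", "Operational"),     # alert and first email
              ev("SW-01", 10, "Down", "Operational"),    # alert, email suppressed
              ev("FCS-02", 15, "Down", "Maintenance"),   # condition fails: nothing
              ev("RTR-07", 20, "Down", "Operational"),   # other asset: own window
              ev("SW-01", 61, "Down", "Operational")]:   # window elapsed: email again
        engine.handle(e)
    return engine
```

Keying the limiter on the (asset, rule) pair keeps one noisy asset from suppressing notifications for other assets or for other rules on the same asset.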
TRADEMARKS
・ CENTUM, ProSafe are registered trademarks of Yokogawa Electric Corporation.
・ PRM is a registered trademark of Yokogawa Electric Corporation in the United States and Japan.
・ Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other
countries.
・ McAfee and McAfee ePolicy orchestrator are registered trademarks of McAfee, Inc. in the United States and other
countries.
・ VMware and VMware vSphere are registered trademarks of VMware, Inc. in the United States and/or other
jurisdictions.
・ “FOUNDATION fieldbus” is a registered trademark of the FieldComm Group.
・ “HART” is a registered trademark of the FieldComm Group.
・ Veeam, Veeam Backup & Replication are registered trademarks of Veeam Software, Inc in the United States and/or other
jurisdictions.
・ All other company names and product names that appear in this document are trademarks or registered
trademarks of the respective companies.
All Rights Reserved. Copyright © 2021, Yokogawa Electric Corporation GS 43D07N10-08EN Jul. 27, 2023
Subject to change without notice.