How Will You Securely Expand Your PI System to Include Contract Manufacturers?


So you want to optimize your manufacturing operations. The competitive landscape virtually demands it, driving efficiency into every facet of every process across your organization and beyond, to your contract manufacturing organizations (CMOs) and original equipment manufacturers (OEMs).

The problem is, CMOs often run lean operations with little or no IT support and usually do not have pervasive data collection or analysis tools on site, much less manage their own (OSIsoft) PI System. As a result, you may have very little to no visibility into their systems, including access to the real-time data necessary to drive true process optimization. At best, you may rely on CMOs or OEMs to email or print and deliver reports and ad hoc data at scheduled intervals.

Getting on the Same Page

If you could receive data directly from your CMO or OEM straight into your central onsite PI System, it could help your engineers keep an eye on things, in near real-time, without having to go offsite. This would not only save on travel and prevent delays, but also enable deeper, more relevant analysis of manufacturing data outside of your main operations.

Visibility into operations data while equipment is being manufactured and tested offsite would also enable you to continuously characterize, optimize, and debug the development of that equipment. This visibility into OEMs would also allow you to create a baseline for when the equipment is transferred to the CMO.

As you deploy similar production lines across multiple CMOs/OEMs, you could also centralize your PI System data and standardize production monitoring, calculations, downtime categorization, compliance reporting, and performance comparisons across your entire extended manufacturing base.

How Others Are Doing It

Manufacturers are starting to use cloud services to install PI System historians and other monitoring systems on-site at their OEMs' and CMOs' facilities and connect them to PI System historian databases at cloud service providers or back at the manufacturer’s own enterprise network.

A prime example of this setup can be found in this Eli Lilly use case from the 2017 OSIsoft User Conference.

“Currently, Eli Lilly does not have access to real-time data from the contract manufacturers (CM) in their Device Manufacturing group. They rely on the CM to provide reports and/or ad-hoc data. … [To address this,] Eli Lilly executed a Proof-of-Concept (PoC) to implement a PI System at a Contract Manufacturing site. … This PoC proved to enable an array of benefits, including standardized “Production Monitoring” calculations, categorization of various downtimes, automation of manual reports generated by the CM, compliance (batch reporting) and comparison of machine performance across multiple contract manufacturers, such as machines producing the same parts. Eli Lilly is now working through development and rollout strategies to implement this approach at a number of their contract manufacturers.”

In this example, Eli Lilly didn’t have access to real-time data from their CMO, relying on the CMO to send reports or ad-hoc data. Eli Lilly therefore implemented a PI System at the CMO to remotely monitor the manufacturing line making Eli Lilly’s product. This allowed Eli Lilly to be more directly involved in the reporting, compliance, and production performance.

Don’t Forget Security and Privacy

A word of caution: just because the operations are at your OEM or CMO doesn’t mean that you don’t need to secure the data transfer back to your own network. Your PI System database might also be in a cloud service, such as AWS or Validated Cloud. On top of that, you will want to collect data from multiple CMOs, who will themselves want to define the production data they wish to share with you (after all, they have other customers).

You should treat transfers from third parties much the same way you secure the transfer of PI System data from your OT network to your enterprise network. Such secure transfer isn’t just about setting up a firewall or VPN, which might be a difficult proposition for the IT- and security-challenged CMO or OEM, but about preventing that connection from becoming a potential pathway for cyberattack.

Data diodes are well-suited to securing data transfers between an OEM or CMO and the manufacturer, and we have seen a number of prominent organizations take to them as a preferred solution. Many of our manufacturing customers are using data diodes to replicate PI System databases outside their corporate networks, particularly to cloud instances of PI System databases, while others are replicating multiple PI System data sources to a single destination. In most cases, customers are replicating specified data to avoid mixing streams for different customers or production runs.

This use is a logical extension of securing the OT boundary with a data diode, shifting from securing the corporate OT network to securing a vendor’s OT network, a network that has your critical data.

What Do You See?

We see some interesting developments ahead as the organizations involved figure out how to justify the costs, separate out the data, and maintain privacy of the data at the CMO and at the manufacturer.

Are you looking to enable your CMOs and OEMs to deliver critical operational data straight to your PI database in the cloud or in your IT network? Will you secure that data transfer with the same level of security that you use to protect your own operation networks?

Let us know.

Charlie Schick, Pharma and Healthcare Consultant
