US20150319227A1 - Distributed historization system - Google Patents

Distributed historization system Download PDF

Info

Publication number
US20150319227A1
US20150319227A1 US14/704,661 US201514704661A US2015319227A1 US 20150319227 A1 US20150319227 A1 US 20150319227A1 US 201514704661 A US201514704661 A US 201514704661A US 2015319227 A1 US2015319227 A1 US 2015319227A1
Authority
US
United States
Prior art keywords
data source
source device
historian
data
historian server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/704,661
Inventor
Shiewun Lie
Vinay T. Kamath
Ryan Benedict Saldanha
Abhijit Manushree
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Aveva Software LLC
Original Assignee
Invensys Systems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US14/704,661 priority Critical patent/US20150319227A1/en
Application filed by Invensys Systems Inc filed Critical Invensys Systems Inc
Priority to US14/789,654 priority patent/US20160004734A1/en
Assigned to INVENSYS SYSTEMS, INC. reassignment INVENSYS SYSTEMS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KAMATH, VINAY T., LIE, SHIEWUN, MANUSHREE, ABHIJIT, SALDANHA, RYAN BENEDICT
Publication of US20150319227A1 publication Critical patent/US20150319227A1/en
Assigned to SCHNEIDER ELECTRIC SOFTWARE, LLC reassignment SCHNEIDER ELECTRIC SOFTWARE, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INVENSYS SYSTEMS, INC.
Priority to US16/460,756 priority patent/US10990629B2/en
Priority to US16/517,312 priority patent/US11755611B2/en
Assigned to AVEVA SOFTWARE, LLC reassignment AVEVA SOFTWARE, LLC CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SCHNEIDER ELECTRIC SOFTWARE, LLC
Priority to US16/686,649 priority patent/US20200089666A1/en
Priority to US16/785,733 priority patent/US11445010B2/en
Priority to US17/208,178 priority patent/US20210286846A1/en
Priority to US17/675,035 priority patent/US20220391368A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Definitions

  • aspects of the present invention generally relate of the fields of networked computerized industrial control, automation systems and networked computerized systems utilized to monitor, log, and display relevant manufacturing/production events and associated data, and supervisory level control and manufacturing information systems.
  • Such systems generally execute above a regulatory control layer in a process control system to provide guidance to lower level control elements such as, by way of example, programmable logic controllers or distributed control systems (DCSs).
  • DCSs distributed control systems
  • Such systems are also employed to acquire and manage historical information relating to processes and their associated outputs.
  • aspects of the present invention relate to systems and methods for storing and preserving gathered data and ensuring that the stored data is accessible when necessary. “Historization” is a vital task in the industry as it enables analysis of past data to improve processes.
  • Typical industrial processes are extremely complex and receive substantially greater volumes of information than any human could possibly digest in its raw form.
  • sensors and control elements e.g., valve actuators
  • These sensors are of varied type and report on varied characteristics of the process. Their outputs are similarly varied in the meaning of their measurements, in the amount of data sent for each measurement, and in the frequency of their measurements. As regards the latter, for accuracy and to enable quick response, some of these sensors/control elements take one or more measurements every second. Multiplying a single sensor/control element by thousands of sensors/control elements (a typical industrial control environment) results in an overwhelming volume of data flowing into the manufacturing information and process control system. Sophisticated data management and process visualization techniques have been developed to store and maintain the large volumes of data generated by such system.
  • An aspect of the present invention is a system that stores data from multiple sources and enables access to the data in multiple locations and forms.
  • the system simplifies and streamlines a user's ability to access and analyze data from any location connected to the system. Further, the system maintains a granular system of user access control and advanced data visualization methods.
  • aspects of the present invention relate to a system that stores data from data sources on a server and enables access to the data stored on the server.
  • the system simplifies and streamlines a user's ability to access and analyze data from any location connected to the system. Further, the system maintains a granular system of user access control and data source registration methods.
  • a system historizes process control data.
  • the system has a data source device and a configurator module connected to a historian server.
  • the configurator module connects to the historian server.
  • the configurator module registers the data source device with the historian server.
  • the historian server registers the data source device as indicated by the configurator module.
  • the configurator module indicates to the historian server to generate data source registration information for identifying the registered data source device.
  • the historian server generates the data source registration information for identifying the registered data source device as indicated by the configurator module.
  • the historian server stores the data source registration information.
  • the historian server generates a connection token comprising the data source registration information.
  • the historian server sends the connection token to the configurator module.
  • the configurator module receives the connection token from the historian server.
  • the configurator module saves the connection token.
  • the configurator module forwards the connection token to the data source device.
  • the data source device receives the connection token from the configurator module.
  • the data source device stores the connection token.
  • the data source device sends data and the connection token to the historian server.
  • the historian server compares the connection token received from the data source device to the connection token stored by the historian server, wherein if the connection token received from the data source device and the connection token stored by the historian server are found to match, the historian server stores the data from data source device.
  • FIG. 1 is a diagram detailing an architecture of a historian system according to an embodiment of the invention.
  • FIG. 2 is an exemplary diagram of a historization workflow performed by the system of FIG. 1 .
  • FIG. 3 is an exemplary diagram of the structure of the system of FIG. 1 .
  • FIG. 4 is an exemplary sequence diagram of the registration of a data source device and uploading of data from the data source device to the historian.
  • FIG. 5 is an exemplary sequence diagram illustrating how user authentication is done in the system of FIG. 1 using an active directory.
  • FIG. 6 is an exemplary sequence diagram illustrating user authentication in the system of FIG. 1 including SAML to JWT token conversion.
  • a distributed historian system enables users to log into the system to easily view relationships between various data, even if the data is stored in different data sources.
  • the historian system 100 can store and use data from various locations and facilities and use cloud storage technology to ensure that all the facilities are connected to all the necessary data.
  • the system 100 forms connections with configurators 102 , data collectors 104 , and user devices 106 on which the historian data can be accessed.
  • the configurators 102 are modules that may be used by system administrators to configure the functionality of the historian system 100 .
  • the data collectors 104 are modules that connect to and monitor hardware in the process control system to which the historian system 100 is connected.
  • the data collectors 104 and configurators 102 may be at different locations throughout the process control system.
  • the user devices 106 comprise devices that are geographically distributed, enabling historian data from the system 100 to be accessed from various locations across a country or throughout the world.
  • historian system 100 stores a variety of types of information in storage accounts 108 .
  • This information includes configuration data 110 , raw time-series binary data 112 , tag metadata 114 , and diagnostic log data 116 .
  • the storage accounts 108 may be organized to use table storage or other configuration, such as page blobs.
  • historian system 100 is accessed via web role instances.
  • configurators 102 access configurator web role instances 124 .
  • data collectors 104 access client access point web role instances 118 .
  • Online web role instances 120 are accessed by the user devices 106 .
  • the configurators 102 share configuration data and registration information with the configurator web role instances 124 .
  • the configuration data and registration information is stored in the storage accounts 108 as configuration data 110 .
  • the data collectors 104 share tag metadata and raw time-series data with the client access point web role instances 118 .
  • the raw time-series data is shared with storage worker role instances 126 and then stored as raw time-series binary data 112 in the storage accounts 108 .
  • the tag metadata is shared with metadata server worker role instances 128 and stored as tag metadata 114 in the storage accounts 108 .
  • the storage worker role instances 126 and metadata server worker role instances 128 send raw time-series data and tag metadata to retrieval worker role instances 130 .
  • the raw time-series data and tag metadata is converted into time-series data and sent to the online web role instances 120 via data retrieval web role instances 122 .
  • Users using the user devices 106 receive the time-series data from the online web role instances 120 .
  • FIG. 2 describes a workflow 200 for historizing data according to the described system.
  • the Historian Client Access Layer (HCAL) 202 is a client side module used by the client to communicate with historian system 100 .
  • the HCAL 202 can be used by one or more different clients for transmitting data to historian system 100 .
  • the data to be sent 208 comes into the HCAL 202 and is stored in an active buffer 210 .
  • the active buffer 210 has a limited size. When the active buffer is full 214 , the active buffer is “flushed” 216 , meaning it is cleared of the data and the data is sent to historian 100 . There is also a flush timer 212 which will periodically cause the data to be sent from the active buffer 210 , even if the active buffer 210 is not yet full.
  • the data may be sent to a historian that is on premises 204 or a historian that stores data in the cloud 206 (step 228 ).
  • the HCAL 202 treats each type of historian in the same way. However, the types of historians may store the data in different ways.
  • the on-premises historian 204 historizes the data by storing the data as files in history blocks 230 .
  • the cloud historian 206 historizes the data by storing the data in page blobs 232 , which enable optimized random read and write operations.
  • the flushed data from the active buffer 210 is sent to a store forward module 220 on the client (step 218 ).
  • the data is stored 222 in the store forward module 220 in the form of snapshots written to store forward blocks 224 until the connection to the historian is functional again and the data can be properly transmitted.
  • the store forward module 220 may also get rid of data after a certain period of time or when it is full. In those cases, it will send an error to the system to indicate that data is not being retained.
  • FIG. 3 is a diagram 300 displaying the historization system structure in a slightly different way from FIG. 2 .
  • An HCAL 306 is hosted on an application server computer 302 and connected to a historian computer 304 and a store forward process 308 .
  • the HCAL 306 connects to the historian through a server side module known as the Historian Client Access Point (HCAP) 312 .
  • the HCAP 312 has a variety of functions, including sending data received from HCAL 306 to be stored in history blocks 320 .
  • the HCAP 312 also serves to report statistics to a configuration service process 314 and retrieve historian data from a retrieval service process 318 .
  • the HCAL 306 connects to the store forward process 308 through a storage engine used to control the store forward process.
  • the Storage Engine enables the HCAL 306 to store and retrieve snapshots and metadata 310 of the data being collected and sent to the historian.
  • the store forward process 308 on the application server computer 302 is a child Storage Engine process 308 related to a main Storage Engine process 316 running on the historian computer 304 .
  • HCAL 306 provides functions to connect to the historian computer 304 either synchronously or asynchronously. On successful call of the connection function, a connection handle is returned to client. The connection handle can then be used for other subsequent function calls related to this connection.
  • the HCAL 306 allows its client to connect to multiple historians. In an embodiment, an “OpenConnection” function is called for each historian. Each call returns different connection handle associated with the connection.
  • the HCAL 306 is responsible for establishing and maintaining the connection to the historian computer 304 . While connected, HCAL 306 pings the historian computer 304 periodically to keep the connection alive. If the connection is broken, HCAL 306 will also try to restore the connection periodically.
  • HCAL 306 connects to the historian computer 304 synchronously.
  • the HCAL 306 returns a valid connection handle for a synchronous connection only when the historian computer 304 is accessible and other requirements such as authentication are met.
  • HCAL 306 connects to the historian computer 304 asynchronously.
  • Asynchronous connection requests are configured to return a valid connection handle even when the historian 304 is not accessible. Tags and data can be sent immediately after the connection handle is obtained. When disconnected from the historian computer 304 , they will be stored in the HCAL's local cache while HCAL 306 tries to establish the connection.
  • multiple clients connect to the same historian computer 304 through one instance of HCAL 306 .
  • An application engine has a historian primitive sending data to the historian computer 304 while an object script can use the historian software development kit (SDK) to communicate with the same historian 304 . Both are accessing the same HCAL 306 instance in the application engine process.
  • SDK historian software development kit
  • These client connections are linked to the same server object.
  • HCAL Parameters common to the destination historian, such as those for store forward, are shared among these connections. To avoid conflicts, certain rules have to be followed.
  • the first connection is treated as the primary connection and connections formed after the first are secondary connections.
  • Parameters set by the primary connection will be in effect until all connections are closed. User credentials of secondary connections have to match with those of the primary connection or the connection will fail.
  • Store Forward parameters can only be set in the primary connection. Parameters set by secondary connections will be ignored and errors returned.
  • Communication parameters such as compression can only be set by the primary connection. Buffer memory size can only be set by the primary connection.
  • the HCAL 306 provides an option called store/forward to allow data be sent to local storage when it is unable to send to the historian. The data will be saved to a designated local folder and later forwarded to the historian.
  • the client 302 enables store/forward right after a connection handle is obtained from the HCAL 306 .
  • the store/forward setting is enabled by calling a HCAL 306 function with store/forward parameters such as the local folder name.
  • the Storage Engine 308 handles store/forward according to an embodiment of the invention. Once store/forward is enabled, a Storage Engine process 316 will be launched for a target historian 304 .
  • the HCAL 306 keeps Storage Engine 308 alive by pinging it periodically. When data is added to local cache memory it is also added to Storage Engine 308 . A streamed data buffer will be sent to Storage Engine 308 only when the HCAL 306 detects that it cannot send to the historian 304 .
  • the HCAL 306 can be used by OLEDB or SDK applications for data retrieval.
  • the client issues a retrieval request by calling the HCAL 306 with specific information about the query, such as the names of tags for which to retrieve data, start and end time, retrieval mode, and resolution.
  • the HCAL 306 passes the request on to the historian 304 , which starts the process of retrieving the results.
  • the client repeatedly calls the HCAL 306 to obtain the next row in the results set until informed that no more data is available.
  • the HCAL 306 receives compressed buffers containing multiple row sets from the historian 304 , which it decompresses, unpacks and feeds back to the user one row at a time.
  • network round trips are kept to a minimum.
  • the HCAL 306 supports all modes of retrieval exposed by the historian.
  • FIG. 4 shows a diagram 400 depicting a method of connection from a data source device, which comprises a configurator module 402 , an application module 404 , and a publisher module 406 , to the historian server 408 in order to upload information.
  • a data source device which comprises a configurator module 402 , an application module 404 , and a publisher module 406 , to the historian server 408 in order to upload information.
  • An administrator user first registers the device with the historian using the configurator module 402 .
  • the configurator module 402 communicates the attempted registration with the historian 408 to which the device is being registered.
  • a data source ID and data source secret are generated for use by the historian 408 in uniquely identifying the data source device.
  • connection token 410 comprising the data source secret and connection information is created and sent from the configurator module 402 to the publisher module 406 of the data source device.
  • the connection token 410 is also stored by the historian 408 to enable checking access attempts from the data source device in the future.
  • the data source device has the token 410 which can be used to access the historian 408 and upload data.
  • the data source ID and data source secret may be stored in the configurator module 402 as a result of a hashing function for increased security.
  • the connection information in the connection token 410 includes a method of accessing the historian, such as a universal resource locator (URL) link or the like.
  • URL universal resource locator
  • the publisher module 406 of the data source device may encrypt and store the data source ID, data source secret and connection information for later access to the historian 408 .
  • the system uses, for example, an encryption tool such as Data Protection Application Programming Interface (DPAPI) by MICROSOFT or a certificate-based encryption (CBE) system.
  • DPAPI Data Protection Application Programming Interface
  • CBE certificate-based encryption
  • the data source device which includes the publisher module 406 .
  • the publisher module 406 communicates the user information with a configurator module 402 on the server side and confirms that the user is recognized. If necessary, the user may request a security token, as described below.
  • the data source device then uploads data from the application module 404 to the historian by retrieving the stored connection token 410 , decrypting the token if necessary, and sending the data source secret along with the data to be uploaded to the historian 408 over a network connection.
  • the historian 408 compares the secret against the connection token 410 which it has stored from the data source registration process. In an embodiment, if the data source secret is found to be valid, the historian 408 accepts the uploaded data and stores it. If the data source secret is found to be invalid, the historian 408 rejects the uploaded data and does not store it.
  • the connection between the data source device and the historian 408 can be any secure network connection, such as Hypertext Transfer Protocol Secure (HTTPS) or the like.
  • HTTPS Hypertext Transfer Protocol Secure
  • a data source device maintains the registration information regardless of whether a different user is connected. In the event that a different user logs onto a data source device that is already registered, the data source device need not be registered again. The system will first confirm that the user is allowed to have the access requested and then confirm that the data source device is registered to upload information, as described above.
  • a data source device may automatically upload to the historian when no user is logged into the data source device.
  • the above described upload security system also ensures that the data source device is allowed to upload information even when there is no user credentials to check.
  • the data source ID and data source secret are both unique to the data source device to ensure that only those specific data source devices registered with the historian are allowed to connect and upload data.
  • a user registering or using a data source device is allowed to upload information through the device, but the user does not have access to the data source ID or data source secret. This ensures that a user cannot copy the data source registration information and use them with another device.
  • the registration information may be strongly encrypted to ensure that it can only be decrypted on the registered device.
  • the registered device may also block certain users or applications from accessing the registration information to ensure upload security by the user using the device or the application running on the device. A user may be denied registration information if the user's security clearance does not include the ability to register new devices with the historian for upload of data.
  • FIG. 5 shows a sequence diagram 500 of the user authentication process.
  • a user 502 may attempt to log in to a content server 506 through a web browser 504 .
  • the user 502 Upon accessing the system home page, the user 502 chooses a “signin link”, which redirects the browser 504 to open a login page from an active directory 508 .
  • the user 502 enters credentials such as a user name and password to attempt to login to the active directory 508 .
  • the active directory 508 authenticates the user's 502 credentials, and if they are satisfactory, the active directory 508 generates a “Security Assertion Markup Language” (SAML) Token, which is returned to the browser 504 for use.
  • SAML Security Assertion Markup Language
  • the SAML token is tenant-specific and only grants access to the active directory 508 assigned to the tenant of the user 502 .
  • the user 502 Once the user 502 has a valid SAML token, he or she is redirected back to the content server 506 to provide a token.
  • the content server 506 confirms that the token is valid and opens a session for the user 502 to access the content on the server.
  • Navigating to the home page e.g., historian.com
  • Clicking sign-in displays a generic login screen presented by the common active directory.
  • the domain portion of the username for example, onlinecustomer1.historian.com
  • the system can ‘brand’ the individual active directory 508 authentication pages.
  • the login page comes from the company specific active directory 508 .
  • FIG. 6 is a sequence diagram 600 that expands on FIG. 5 .
  • a user 602 may want to access certain APIs on the system that require a separate JSON Web Token (JWT) from the SAML token.
  • JWT JSON Web Token
  • a content server 606 Upon selecting the hyperlink, a content server 606 generates a JWT from the SAML for use with the APIs to access the desired data.
  • a browser 604 sends an HTTP request to a WebAPI 610 containing the valid JWT. The system then validates the JWT against the list of allowed tenants in storage 614 and returns the desired historian data from a historian WebAPI 612 to the user's browser.
  • the JWT token is a light weight token that can be used on the client side through Internet Explorer and javascript. This enables the system to use the active directory as a backend for authentication and still use a browser to interact with multiple websites that can provide a rich client-like web experience. The use of the JWT eliminates the need for the browser to interact with only its site of origin.
  • the JWT token is tenant specific and only grants access to data in the active directory or directories assigned to the tenant of the user.
  • the JWT is used to present evidence of authentication to the data retrieval layers of the architecture. These issued JWT tokens have a very short expiration time and are used once and then discarded. Once the browser has received this token it places it into a HTTP request header and requests data from the content server or WebAPI data layer. These layers authenticate the token by checking its signature, claims, and signing key (this assures that it trusts the original source of the token).
  • some users are given control over certain aspects of the control environment and denied access to other aspects.
  • one user is in charge of the line of equipment associated with a process cell.
  • Another user is in charge of a particular type of equipment instantiated throughout several lines of equipment in a process facility.
  • users are permitted access the historian system for aspects of the process control system with which they work with while they are denied access for unrelated aspects.
  • An embodiment of the present invention uses a small immutable security token to provide a guarantee of the current user in an embodiment.
  • An external trusted token provider issues the token to authenticate the user's identity.
  • the token associates the user with her group membership classes.
  • the token might associate one user with a process cell (e.g., the user who controls a line of equipment) and another user with a particular operation (e.g., the user who works with a particular type of equipment).
  • the security features can extrapolate the user's specific roles and permissions and do any required authorization. Because the security token is passed from a trusted external provider, it can be passed from the historian system to other products that also trust the provider. This in turn allows a single sign-on screen and permits the authentication process to be maintained external to the historian system.
  • programs and other executable program components such as the operating system
  • programs and other executable program components are illustrated herein as discrete blocks. It is recognized, however, that such programs and components reside at various times in different storage components of a computing device, and are executed by a data processor(s) of the device.
  • Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with aspects of the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, mobile telephones, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
  • Embodiments of the aspects of the invention may be described in the general context of data and/or processor-executable instructions, such as program modules, stored one or more tangible, non-transitory storage media and executed by one or more processors or other devices.
  • program modules include, but are not limited to, routines, programs, objects, components, and data structures that perform particular tasks or implement particular abstract data types.
  • aspects of the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote storage media including memory storage devices.
  • processors, computers and/or servers may execute the processor-executable instructions (e.g., software, firmware, and/or hardware) such as those illustrated herein to implement aspects of the invention.
  • processor-executable instructions e.g., software, firmware, and/or hardware
  • Embodiments of the aspects of the invention may be implemented with processor-executable instructions.
  • the processor-executable instructions may be organized into one or more processor-executable components or modules on a tangible processor readable storage medium.
  • Aspects of the invention may be implemented with any number and organization of such components or modules. For example, aspects of the invention are not limited to the specific processor-executable instructions or the specific components or modules illustrated in the figures and described herein. Other embodiments of the aspects of the invention may include different processor-executable instructions or components having more or less functionality than illustrated and described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
  • Databases & Information Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

A system for historizing process control data. A configurator module registers a data source device with a historian server and indicates to the historian server to generate data source registration information for identifying the registered data source device. The historian server generates and stores the data source registration information. The historian server also generates a connection token comprising the data source registration information. The configurator module forwards the connection token to the data source device, which stores the token and sends it to the historian server with data. The historian server compares the connection token received from the data source device to the connection token stored by the historian server, wherein if they match, the historian server stores the data from data source device.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application claims priority of Naryzhny et al., U.S. provisional application Ser. No. 61/988,731 filed on May 5, 2014, entitled “Distributed Historization System.” The entire contents of the above identified application are expressly incorporated herein by reference, including the contents and teachings of any references contained therein.
  • This application claims priority of Madden et al., U.S. provisional application Ser. No. 62/092,051 filed on Dec. 15, 2014, entitled “Data Upload Security in a Historization System.” The entire contents of the above identified application are expressly incorporated herein by reference, including the contents and teachings of any references contained therein.
    • BACKGROUND
  • Aspects of the present invention generally relate of the fields of networked computerized industrial control, automation systems and networked computerized systems utilized to monitor, log, and display relevant manufacturing/production events and associated data, and supervisory level control and manufacturing information systems. Such systems generally execute above a regulatory control layer in a process control system to provide guidance to lower level control elements such as, by way of example, programmable logic controllers or distributed control systems (DCSs). Such systems are also employed to acquire and manage historical information relating to processes and their associated outputs. More particularly, aspects of the present invention relate to systems and methods for storing and preserving gathered data and ensuring that the stored data is accessible when necessary. “Historization” is a vital task in the industry as it enables analysis of past data to improve processes.
  • Typical industrial processes are extremely complex and receive substantially greater volumes of information than any human could possibly digest in its raw form. By way of example, it is not unheard of to have thousands of sensors and control elements (e.g., valve actuators) monitoring/controlling aspects of a multi-stage process within an industrial plant. These sensors are of varied type and report on varied characteristics of the process. Their outputs are similarly varied in the meaning of their measurements, in the amount of data sent for each measurement, and in the frequency of their measurements. As regards the latter, for accuracy and to enable quick response, some of these sensors/control elements take one or more measurements every second. Multiplying a single sensor/control element by thousands of sensors/control elements (a typical industrial control environment) results in an overwhelming volume of data flowing into the manufacturing information and process control system. Sophisticated data management and process visualization techniques have been developed to store and maintain the large volumes of data generated by such system.
  • It is a difficult but vital task to ensure that the process is running efficiently. An aspect of the present invention is a system that stores data from multiple sources and enables access to the data in multiple locations and forms. The system simplifies and streamlines a user's ability to access and analyze data from any location connected to the system. Further, the system maintains a granular system of user access control and advanced data visualization methods.
    • SUMMARY
  • Aspects of the present invention relate to a system that stores data from data sources on a server and enables access to the data stored on the server. The system simplifies and streamlines a user's ability to access and analyze data from any location connected to the system. Further, the system maintains a granular system of user access control and data source registration methods.
  • In one form, a system historizes process control data. The system has a data source device and a configurator module connected to a historian server. The configurator module connects to the historian server. The configurator module registers the data source device with the historian server. The historian server registers the data source device as indicated by the configurator module. The configurator module indicates to the historian server to generate data source registration information for identifying the registered data source device. The historian server generates the data source registration information for identifying the registered data source device as indicated by the configurator module. The historian server stores the data source registration information. The historian server generates a connection token comprising the data source registration information. The historian server sends the connection token to the configurator module. The configurator module receives the connection token from the historian server. The configurator module saves the connection token. The configurator module forwards the connection token to the data source device. The data source device receives the connection token from the configurator module. The data source device stores the connection token. The data source device sends data and the connection token to the historian server. The historian server compares the connection token received from the data source device to the connection token stored by the historian server, wherein if the connection token received from the data source device and the connection token stored by the historian server are found to match, the historian server stores the data from data source device.
  • In another form, a method is provided.
  • Other features will be in part apparent and in part pointed out hereinafter.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram detailing an architecture of a historian system according to an embodiment of the invention.
  • FIG. 2 is an exemplary diagram of a historization workflow performed by the system of FIG. 1.
  • FIG. 3 is an exemplary diagram of the structure of the system of FIG. 1.
  • FIG. 4 is an exemplary sequence diagram of the registration of a data source device and uploading of data from the data source device to the historian.
  • FIG. 5 is an exemplary sequence diagram illustrating how user authentication is done in the system of FIG. 1 using an active directory.
  • FIG. 6 is an exemplary sequence diagram illustrating user authentication in the system of FIG. 1 including SAML to JWT token conversion.
    •
  • Corresponding reference characters indicate corresponding parts throughout the drawings.
    • DETAILED DESCRIPTION
  • Referring to FIG. 1, a distributed historian system, generally indicated at 100, enables users to log into the system to easily view relationships between various data, even if the data is stored in different data sources. The historian system 100 can store and use data from various locations and facilities and use cloud storage technology to ensure that all the facilities are connected to all the necessary data. The system 100 forms connections with configurators 102, data collectors 104, and user devices 106 on which the historian data can be accessed. The configurators 102 are modules that may be used by system administrators to configure the functionality of the historian system 100. The data collectors 104 are modules that connect to and monitor hardware in the process control system to which the historian system 100 is connected. The data collectors 104 and configurators 102 may be at different locations throughout the process control system. The user devices 106 comprise devices that are geographically distributed, enabling historian data from the system 100 to be accessed from various locations across a country or throughout the world.
  • In an embodiment, historian system 100 stores a variety of types of information in storage accounts 108. This information includes configuration data 110, raw time-series binary data 112, tag metadata 114, and diagnostic log data 116. The storage accounts 108 may be organized to use table storage or other configuration, such as page blobs.
  • In an embodiment, historian system 100 is accessed via web role instances. As shown, configurators 102 access configurator web role instances 124. And data collectors 104 access client access point web role instances 118. Online web role instances 120 are accessed by the user devices 106. The configurators 102 share configuration data and registration information with the configurator web role instances 124. The configuration data and registration information is stored in the storage accounts 108 as configuration data 110. The data collectors 104 share tag metadata and raw time-series data with the client access point web role instances 118. The raw time-series data is shared with storage worker role instances 126 and then stored as raw time-series binary data 112 in the storage accounts 108. The tag metadata is shared with metadata server worker role instances 128 and stored as tag metadata 114 in the storage accounts 108. The storage worker role instances 126 and metadata server worker role instances 128 send raw time-series data and tag metadata to retrieval worker role instances 130. The raw time-series data and tag metadata is converted into time-series data and sent to the online web role instances 120 via data retrieval web role instances 122. Users using the user devices 106 receive the time-series data from the online web role instances 120.
  • FIG. 2 describes a workflow 200 for historizing data according to the described system. The Historian Client Access Layer (HCAL) 202 is a client side module used by the client to communicate with historian system 100. The HCAL 202 can be used by one or more different clients for transmitting data to historian system 100. The data to be sent 208 comes into the HCAL 202 and is stored in an active buffer 210. The active buffer 210 has a limited size. When the active buffer is full 214, the active buffer is “flushed” 216, meaning it is cleared of the data and the data is sent to historian 100. There is also a flush timer 212 which will periodically cause the data to be sent from the active buffer 210, even if the active buffer 210 is not yet full.
  • When historizing 226, the data may be sent to a historian that is on premises 204 or a historian that stores data in the cloud 206 (step 228). The HCAL 202 treats each type of historian in the same way. However, the types of historians may store the data in different ways. In an embodiment, the on-premises historian 204 historizes the data by storing the data as files in history blocks 230. The cloud historian 206 historizes the data by storing the data in page blobs 232, which enable optimized random read and write operations.
  • In the event that the connection between HCAL 202 and the historian 204 or 206 is not working properly, the flushed data from the active buffer 210 is sent to a store forward module 220 on the client (step 218). The data is stored 222 in the store forward module 220 in the form of snapshots written to store forward blocks 224 until the connection to the historian is functional again and the data can be properly transmitted. The store forward module 220 may also get rid of data after a certain period of time or when it is full. In those cases, it will send an error to the system to indicate that data is not being retained.
  • FIG. 3 is a diagram 300 displaying the historization system structure in a slightly different way from FIG. 2. An HCAL 306 is hosted on an application server computer 302 and connected to a historian computer 304 and a store forward process 308. The HCAL 306 connects to the historian through a server side module known as the Historian Client Access Point (HCAP) 312. The HCAP 312 has a variety of functions, including sending data received from HCAL 306 to be stored in history blocks 320. The HCAP 312 also serves to report statistics to a configuration service process 314 and retrieve historian data from a retrieval service process 318.
  • The HCAL 306 connects to the store forward process 308 through a storage engine used to control the store forward process. The Storage Engine enables the HCAL 306 to store and retrieve snapshots and metadata 310 of the data being collected and sent to the historian. In an embodiment, the store forward process 308 on the application server computer 302 is a child Storage Engine process 308 related to a main Storage Engine process 316 running on the historian computer 304.
  • In addition, HCAL 306 provides functions to connect to the historian computer 304 either synchronously or asynchronously. On successful call of the connection function, a connection handle is returned to client. The connection handle can then be used for other subsequent function calls related to this connection. The HCAL 306 allows its client to connect to multiple historians. In an embodiment, an “OpenConnection” function is called for each historian. Each call returns different connection handle associated with the connection. The HCAL 306 is responsible for establishing and maintaining the connection to the historian computer 304. While connected, HCAL 306 pings the historian computer 304 periodically to keep the connection alive. If the connection is broken, HCAL 306 will also try to restore the connection periodically.
  • In an embodiment, HCAL 306 connects to the historian computer 304 synchronously. The HCAL 306 returns a valid connection handle for a synchronous connection only when the historian computer 304 is accessible and other requirements such as authentication are met.
  • In an embodiment, HCAL 306 connects to the historian computer 304 asynchronously. Asynchronous connection requests are configured to return a valid connection handle even when the historian 304 is not accessible. Tags and data can be sent immediately after the connection handle is obtained. When disconnected from the historian computer 304, they will be stored in the HCAL's local cache while HCAL 306 tries to establish the connection.
  • In an embodiment, multiple clients connect to the same historian computer 304 through one instance of HCAL 306. An application engine has a historian primitive sending data to the historian computer 304 while an object script can use the historian software development kit (SDK) to communicate with the same historian 304. Both are accessing the same HCAL 306 instance in the application engine process. These client connections are linked to the same server object. HCAL Parameters common to the destination historian, such as those for store forward, are shared among these connections. To avoid conflicts, certain rules have to be followed.
  • In the order of connections made, the first connection is treated as the primary connection and connections formed after the first are secondary connections. Parameters set by the primary connection will be in effect until all connections are closed. User credentials of secondary connections have to match with those of the primary connection or the connection will fail. Store Forward parameters can only be set in the primary connection. Parameters set by secondary connections will be ignored and errors returned. Communication parameters such as compression can only be set by the primary connection. Buffer memory size can only be set by the primary connection.
  • The HCAL 306 provides an option called store/forward to allow data be sent to local storage when it is unable to send to the historian. The data will be saved to a designated local folder and later forwarded to the historian.
  • The client 302 enables store/forward right after a connection handle is obtained from the HCAL 306. The store/forward setting is enabled by calling a HCAL 306 function with store/forward parameters such as the local folder name.
  • The Storage Engine 308 handles store/forward according to an embodiment of the invention. Once store/forward is enabled, a Storage Engine process 316 will be launched for a target historian 304. The HCAL 306 keeps Storage Engine 308 alive by pinging it periodically. When data is added to local cache memory it is also added to Storage Engine 308. A streamed data buffer will be sent to Storage Engine 308 only when the HCAL 306 detects that it cannot send to the historian 304.
  • If store/forward is not enabled, streamed data values cannot be accepted by the HCAL 306 unless the tag associated with the data value has already been added to the historian 304. All values will be accumulated in the buffer and sent to the historian 304. If connection to the historian 304 is lost, values will be accepted until all buffers are full. Errors will be returned when further values are sent to the HCAL 306.
  • The HCAL 306 can be used by OLEDB or SDK applications for data retrieval. The client issues a retrieval request by calling the HCAL 306 with specific information about the query, such as the names of tags for which to retrieve data, start and end time, retrieval mode, and resolution. The HCAL 306 passes the request on to the historian 304, which starts the process of retrieving the results. The client repeatedly calls the HCAL 306 to obtain the next row in the results set until informed that no more data is available. Internally, the HCAL 306 receives compressed buffers containing multiple row sets from the historian 304, which it decompresses, unpacks and feeds back to the user one row at a time. Advantageously, network round trips are kept to a minimum. The HCAL 306 supports all modes of retrieval exposed by the historian.
  • In an embodiment, the system enforces security of communication with the historian on the device level. Devices are required to be registered in order to upload data to the historian. FIG. 4 shows a diagram 400 depicting a method of connection from a data source device, which comprises a configurator module 402, an application module 404, and a publisher module 406, to the historian server 408 in order to upload information. An administrator user first registers the device with the historian using the configurator module 402. The configurator module 402 communicates the attempted registration with the historian 408 to which the device is being registered. A data source ID and data source secret are generated for use by the historian 408 in uniquely identifying the data source device. A connection token 410 comprising the data source secret and connection information is created and sent from the configurator module 402 to the publisher module 406 of the data source device. The connection token 410 is also stored by the historian 408 to enable checking access attempts from the data source device in the future. In this way, the data source device has the token 410 which can be used to access the historian 408 and upload data. The data source ID and data source secret may be stored in the configurator module 402 as a result of a hashing function for increased security. In an embodiment, the connection information in the connection token 410 includes a method of accessing the historian, such as a universal resource locator (URL) link or the like. The publisher module 406 of the data source device may encrypt and store the data source ID, data source secret and connection information for later access to the historian 408. Also, the system uses, for example, an encryption tool such as Data Protection Application Programming Interface (DPAPI) by MICROSOFT or a certificate-based encryption (CBE) system.
  • When a user needs to upload data from a data source device to the historian 408, they sign into the data source device, which includes the publisher module 406. In an embodiment, the publisher module 406 communicates the user information with a configurator module 402 on the server side and confirms that the user is recognized. If necessary, the user may request a security token, as described below. The data source device then uploads data from the application module 404 to the historian by retrieving the stored connection token 410, decrypting the token if necessary, and sending the data source secret along with the data to be uploaded to the historian 408 over a network connection. Upon receiving the data to be uploaded and the data source secret, the historian 408 compares the secret against the connection token 410 which it has stored from the data source registration process. In an embodiment, if the data source secret is found to be valid, the historian 408 accepts the uploaded data and stores it. If the data source secret is found to be invalid, the historian 408 rejects the uploaded data and does not store it.
  • The connection between the data source device and the historian 408 can be any secure network connection, such as Hypertext Transfer Protocol Secure (HTTPS) or the like. A data source device maintains the registration information regardless of whether a different user is connected. In the event that a different user logs onto a data source device that is already registered, the data source device need not be registered again. The system will first confirm that the user is allowed to have the access requested and then confirm that the data source device is registered to upload information, as described above.
  • It may be desirable for a data source device to automatically upload to the historian when no user is logged into the data source device. The above described upload security system also ensures that the data source device is allowed to upload information even when there is no user credentials to check. The data source ID and data source secret are both unique to the data source device to ensure that only those specific data source devices registered with the historian are allowed to connect and upload data.
  • In an embodiment, a user registering or using a data source device is allowed to upload information through the device, but the user does not have access to the data source ID or data source secret. This ensures that a user cannot copy the data source registration information and use them with another device. The registration information may be strongly encrypted to ensure that it can only be decrypted on the registered device. The registered device may also block certain users or applications from accessing the registration information to ensure upload security by the user using the device or the application running on the device. A user may be denied registration information if the user's security clearance does not include the ability to register new devices with the historian for upload of data.
  • FIG. 5 shows a sequence diagram 500 of the user authentication process. A user 502 may attempt to log in to a content server 506 through a web browser 504. Upon accessing the system home page, the user 502 chooses a “signin link”, which redirects the browser 504 to open a login page from an active directory 508. The user 502 enters credentials such as a user name and password to attempt to login to the active directory 508. The active directory 508 authenticates the user's 502 credentials, and if they are satisfactory, the active directory 508 generates a “Security Assertion Markup Language” (SAML) Token, which is returned to the browser 504 for use. In an embodiment, the SAML token is tenant-specific and only grants access to the active directory 508 assigned to the tenant of the user 502.
  • Once the user 502 has a valid SAML token, he or she is redirected back to the content server 506 to provide a token. The content server 506 confirms that the token is valid and opens a session for the user 502 to access the content on the server. Navigating to the home page (e.g., historian.com) presents a generic home page. Clicking sign-in displays a generic login screen presented by the common active directory. By virtue of the domain portion of the username (for example, onlinecustomer1.historian.com), the user 502 gets authenticated against an active directory 508 that was created for that domain. The system can ‘brand’ the individual active directory 508 authentication pages. The login page comes from the company specific active directory 508.
  • FIG. 6 is a sequence diagram 600 that expands on FIG. 5. A user 602 may want to access certain APIs on the system that require a separate JSON Web Token (JWT) from the SAML token. Once the user 602 has an open session by virtue of having a valid SAML token from the active directory 608, as described above, the user may click on a hyperlink to access some data from a historian storage 614. Accessing the data may require the creation of a JWT. Upon selecting the hyperlink, a content server 606 generates a JWT from the SAML for use with the APIs to access the desired data. A browser 604 sends an HTTP request to a WebAPI 610 containing the valid JWT. The system then validates the JWT against the list of allowed tenants in storage 614 and returns the desired historian data from a historian WebAPI 612 to the user's browser.
  • The JWT token is a light weight token that can be used on the client side through Internet Explorer and javascript. This enables the system to use the active directory as a backend for authentication and still use a browser to interact with multiple websites that can provide a rich client-like web experience. The use of the JWT eliminates the need for the browser to interact with only its site of origin. In an embodiment, the JWT token is tenant specific and only grants access to data in the active directory or directories assigned to the tenant of the user.
  • The JWT is used to present evidence of authentication to the data retrieval layers of the architecture. These issued JWT tokens have a very short expiration time and are used once and then discarded. Once the browser has received this token it places it into a HTTP request header and requests data from the content server or WebAPI data layer. These layers authenticate the token by checking its signature, claims, and signing key (this assures that it trusts the original source of the token).
  • In the process control environment, some users are given control over certain aspects of the control environment and denied access to other aspects. For example, one user is in charge of the line of equipment associated with a process cell. Another user is in charge of a particular type of equipment instantiated throughout several lines of equipment in a process facility. In these kinds of cases, users are permitted access the historian system for aspects of the process control system with which they work with while they are denied access for unrelated aspects.
  • An embodiment of the present invention uses a small immutable security token to provide a guarantee of the current user in an embodiment. An external trusted token provider issues the token to authenticate the user's identity. In addition the token associates the user with her group membership classes. In the management system discussed above, the token might associate one user with a process cell (e.g., the user who controls a line of equipment) and another user with a particular operation (e.g., the user who works with a particular type of equipment). The security features can extrapolate the user's specific roles and permissions and do any required authorization. Because the security token is passed from a trusted external provider, it can be passed from the historian system to other products that also trust the provider. This in turn allows a single sign-on screen and permits the authentication process to be maintained external to the historian system.
  • The Abstract and summary are provided to help the reader quickly ascertain the nature of the technical disclosure. They are submitted with the understanding that they will not be used to interpret or limit the scope or meaning of the claims. The summary is provided to introduce a selection of concepts in simplified form that are further described in the Detailed Description. The summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the claimed subject matter.
  • For purposes of illustration, programs and other executable program components, such as the operating system, are illustrated herein as discrete blocks. It is recognized, however, that such programs and components reside at various times in different storage components of a computing device, and are executed by a data processor(s) of the device.
  • Although described in connection with an exemplary computing system environment, embodiments of the aspects of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations. The computing system environment is not intended to suggest any limitation as to the scope of use or functionality of any aspect of the invention. Moreover, the computing system environment should not be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with aspects of the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, mobile telephones, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
  • Embodiments of the aspects of the invention may be described in the general context of data and/or processor-executable instructions, such as program modules, stored one or more tangible, non-transitory storage media and executed by one or more processors or other devices. Generally, program modules include, but are not limited to, routines, programs, objects, components, and data structures that perform particular tasks or implement particular abstract data types. Aspects of the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote storage media including memory storage devices.
  • In operation, processors, computers and/or servers may execute the processor-executable instructions (e.g., software, firmware, and/or hardware) such as those illustrated herein to implement aspects of the invention.
  • Embodiments of the aspects of the invention may be implemented with processor-executable instructions. The processor-executable instructions may be organized into one or more processor-executable components or modules on a tangible processor readable storage medium. Aspects of the invention may be implemented with any number and organization of such components or modules. For example, aspects of the invention are not limited to the specific processor-executable instructions or the specific components or modules illustrated in the figures and described herein. Other embodiments of the aspects of the invention may include different processor-executable instructions or components having more or less functionality than illustrated and described herein.
  • The order of execution or performance of the operations in embodiments of the aspects of the invention illustrated and described herein is not essential, unless otherwise specified. That is, the operations may be performed in any order, unless otherwise specified, and embodiments of the aspects of the invention may include additional or fewer operations than those disclosed herein. For example, it is contemplated that executing or performing a particular operation before, contemporaneously with, or after another operation is within the scope of aspects of the invention.
  • When introducing elements of aspects of the invention or the embodiments thereof, the articles “a,” “an,” “the,” and “said” are intended to mean that there are one or more of the elements. The terms “comprising,” “including,” and “having” are intended to be inclusive and mean that there may be additional elements other than the listed elements.
  • In view of the above, it will be seen that several advantages of the aspects of the invention are achieved and other advantageous results attained.
  • Not all of the depicted components illustrated or described may be required. In addition, some implementations and embodiments may include additional components. Variations in the arrangement and type of the components may be made without departing from the spirit or scope of the claims as set forth herein. Additional, different or fewer components may be provided and components may be combined. Alternatively or in addition, a component may be implemented by several components.
  • The above description illustrates the aspects of the invention by way of example and not by way of limitation. This description enables one skilled in the art to make and use the aspects of the invention, and describes several embodiments, adaptations, variations, alternatives and uses of the aspects of the invention, including what is presently believed to be the best mode of carrying out the aspects of the invention. Additionally, it is to be understood that the aspects of the invention is not limited in its application to the details of construction and the arrangement of components set forth in the following description or illustrated in the drawings. The aspects of the invention are capable of other embodiments and of being practiced or carried out in various ways. Also, it will be understood that the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting.
  • Having described aspects of the invention in detail, it will be apparent that modifications and variations are possible without departing from the scope of aspects of the invention as defined in the appended claims. It is contemplated that various changes could be made in the above constructions, products, and process without departing from the scope of aspects of the invention. In the preceding specification, various preferred embodiments have been described with reference to the accompanying drawings. It will, however, be evident that various modifications and changes may be made thereto, and additional embodiments may be implemented, without departing from the broader scope of the aspects of the invention as set forth in the claims that follow. The specification and drawings are accordingly to be regarded in an illustrative rather than restrictive sense.

Claims (20)

What is claimed is:
1. A system comprising:
a data source device comprising a registration processor and a corresponding memory device coupled thereto storing processor-executable instructions that, when executed by the registration processor, implement a configurator module for:
connecting the data source device to a historian server;
registering the data source device with the historian server;
indicating to the historian server to generate data source registration information for identifying the registered data source device;
receiving a connection token from the historian server;
saving the connection token; and
forwarding the connection token to the data source device; and
a historian server comprising a corresponding memory device coupled thereto storing processor-executable instructions that, when executed by the historian server, implement a historian module for:
receiving the connection from the configurator module;
registering the data source device as indicated by the configurator module;
generating data source registration information for identifying the registered data source as indicated by the configurator module;
storing the data source registration information;
generating the connection token comprising the data source registration information; and
sending the connection token to the configurator module;
wherein, in response to receiving the connection token from the configurator module, the data source device stores the connection token and sends data and the connection token to the historian server; and
wherein the historian server compares the connection token received from the data source device to the connection token stored by the historian server and stores the data from data source device when the connection token received from the data source device and the connection token stored by the historian server match.
2. The system of claim 1, wherein the data source registration information comprises a data source ID and a data source secret.
3. The system of claim 1, wherein the connection token comprises data source registration information and connection information for accessing the historian server.
4. The system of claim 1, wherein the data source device stores the data source registration information in an encrypted form.
5. The system of claim 1, wherein the sending of data by the data source device to the historian server is initiated by a user of the data source device, the user having logged in to the data source device through a user authentication process.
6. The system of claim 1, wherein the sending of data by the data source device to the historian server is initiated by an automatic process when no user is signed into the data source device.
7. The system of claim 1, further comprising a plurality of data source devices registered with the historian server, each of the plurality of data source devices storing a connection token comprising data source registration information unique to the data source device on which the connection token is stored.
8. The system of claim 1, further comprising a plurality historian servers to which the data source device is registered.
9. The system of claim 8, wherein a first historian server of the plurality of historian servers stores data on premise and a second historian server of the plurality of historian servers stores data in the cloud.
10. The system of claim 9, wherein the data source device connects with the first historian server and the second historian server through an access layer module, the access layer module maintaining connections to the first historian server and the second historian server.
11. A method for uploading data from a data source device to a historian server comprising:
connecting, by a configurator module, the data source device to a historian server;
registering, by the configurator module, the data source device with the historian server;
registering, by the historian server, the data source device as indicated by the configurator module;
indicating to the historian server, by the configurator module, to generate data source registration information for identifying the registered data source device;
generating, by the historian server, data source registration information for identifying the registered data source as indicated by the configurator module;
storing, by the historian server, the data source registration information;
generating, by the historian server, a connection token comprising data source registration information;
sending, by the historian server, the connection token to the configurator module;
receiving, by the configurator module, a connection token from the historian server;
saving, by the configurator module, the connection token;
forwarding, by the configurator module, the connection token to the data source device;
receiving, by the data source device, the connection token from the configurator module;
storing, by the data source device, the connection token;
sending, by the data source device, data and the connection token to the historian server; and
comparing, by the historian server, the connection token received from the data source device to the connection token stored by the historian server, wherein the historian server stores the data from data source device when the connection token received from the data source device and the connection token stored by the historian server are found to match.
12. The method of claim 11, wherein the data source registration information comprises a data source ID and a data source secret.
13. The method of claim 11, wherein the connection token further comprises connection information for accessing the historian server.
14. The method of claim 11, wherein the data source device stores the data source registration information in an encrypted form.
15. The method of claim 11, wherein the sending of data by the data source device to the historian server is initiated by a user of the data source device, the user having logged in to the data source device through a user authentication process.
16. The method of claim 11, wherein the sending of data by the data source device to the historian server is initiated by an automatic process when no user is signed into the data source device.
17. The method of claim 11, wherein a plurality of data source devices are registered with the historian server, each of the plurality of data source devices storing a connection token comprising data source registration information unique to the data source device on which the connection token is stored.
18. The method of claim 11, wherein the data source device is registered with a plurality historian servers.
19. The method of claim 18, wherein a first historian server of the plurality of historian servers stores data on premise and a second historian server of the plurality of historian servers stores data in the cloud.
20. A method for uploading data from a data source device to a historian server comprising:
connecting the data source device to a historian server;
registering the data source device with the historian server;
indicating to the historian server to generate data source registration information for identifying the registered data source device, wherein the data source registration information is stored by the historian server;
receiving a connection token from the historian server;
forwarding the connection token to the data source device, wherein data and the connection token is sent to the historian server and the data from data source device is stored by the historian server when the connection token received from the data source device and the connection token stored by the historian server are found to match.
US14/704,661 2014-05-05 2015-05-05 Distributed historization system Abandoned US20150319227A1 (en)

Priority Applications (8)

Application Number Priority Date Filing Date Title
US14/704,661 US20150319227A1 (en) 2014-05-05 2015-05-05 Distributed historization system
US14/789,654 US20160004734A1 (en) 2014-12-15 2015-07-01 Secure data isolation in a multi-tenant historization system
US16/460,756 US10990629B2 (en) 2014-05-05 2019-07-02 Storing and identifying metadata through extended properties in a historization system
US16/517,312 US11755611B2 (en) 2014-05-05 2019-07-19 Storing and identifying content through content descriptors in a historian system
US16/686,649 US20200089666A1 (en) 2014-05-05 2019-11-18 Secure data isolation in a multi-tenant historization system
US16/785,733 US11445010B2 (en) 2014-05-05 2020-02-10 Distributed historization system
US17/208,178 US20210286846A1 (en) 2014-05-05 2021-03-22 Storing and identifying metadata through extended properties in a historization system
US17/675,035 US20220391368A1 (en) 2014-05-05 2022-02-18 Cryptography system for using associated values stored in different locations to encode and decode data

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201461988731P 2014-05-05 2014-05-05
US201462092051P 2014-12-15 2014-12-15
US14/704,661 US20150319227A1 (en) 2014-05-05 2015-05-05 Distributed historization system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/704,666 Continuation-In-Part US20150317330A1 (en) 2014-05-05 2015-05-05 Storing data to multiple storage location types in a distributed historization system

Related Child Applications (3)

Application Number Title Priority Date Filing Date
US14/704,666 Continuation-In-Part US20150317330A1 (en) 2014-05-05 2015-05-05 Storing data to multiple storage location types in a distributed historization system
US14/789,654 Continuation-In-Part US20160004734A1 (en) 2014-05-05 2015-07-01 Secure data isolation in a multi-tenant historization system
US16/785,733 Continuation US11445010B2 (en) 2014-05-05 2020-02-10 Distributed historization system

Publications (1)

Publication Number Publication Date
US20150319227A1 true US20150319227A1 (en) 2015-11-05

Family

ID=54356099

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/704,661 Abandoned US20150319227A1 (en) 2014-05-05 2015-05-05 Distributed historization system
US16/785,733 Active US11445010B2 (en) 2014-05-05 2020-02-10 Distributed historization system

Family Applications After (1)

Application Number Title Priority Date Filing Date
US16/785,733 Active US11445010B2 (en) 2014-05-05 2020-02-10 Distributed historization system

Country Status (1)

Country Link
US (2) US20150319227A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150317463A1 (en) * 2014-05-05 2015-11-05 Invensys Systems, Inc. Active directory for user authentication in a historization system
CN106027523A (en) * 2016-05-20 2016-10-12 深圳市永兴元科技有限公司 Data collection method of distributed data system and distributed data system
US10387392B2 (en) * 2016-05-17 2019-08-20 Rockwell Automation Technologies, Inc. Method to automate historian configuration using controller based tag meta attribute

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080022087A1 (en) * 2006-05-12 2008-01-24 Sharp Kabushiki Kaisha Multifunction device, method of controlling multifunction device, multifunction device control system, program, and recording medium
US20080228880A1 (en) * 2007-03-12 2008-09-18 Microsoft Corporation Managed code mapi apis
US20090064341A1 (en) * 2004-11-08 2009-03-05 Frank Hartung Technique for registering a device with a rights issuer system
US20120259652A1 (en) * 2011-04-07 2012-10-11 Full Recovery, Inc. Systems and methods for remote monitoring, management and optimization of physical therapy treatment
US20130221083A1 (en) * 2012-02-24 2013-08-29 Wyse Technology Inc. System and method for information sharing using visual tags
US20150281233A1 (en) * 2014-03-26 2015-10-01 Rockwell Automation Technologies, Inc. Device authentication to facilitate secure cloud management of industrial data
US20170109751A1 (en) * 2014-05-02 2017-04-20 Nok Nok Labs, Inc. System and method for carrying strong authentication events over different channels

Family Cites Families (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6424429B1 (en) 1997-11-14 2002-07-23 Ricoh Company, Ltd. File system and a recording medium with a program used in the system stored therein
US6246771B1 (en) 1997-11-26 2001-06-12 V-One Corporation Session key recovery system and method
JP4305593B2 (en) 2000-07-17 2009-07-29 ソニー株式会社 DATA RECORDING / REPRODUCING METHOD AND DEVICE, DATA RECORDING DEVICE AND METHOD
US9565275B2 (en) 2012-02-09 2017-02-07 Rockwell Automation Technologies, Inc. Transformation of industrial data into useful cloud information
US7720818B1 (en) 2002-12-30 2010-05-18 Sprint Communications Company L.P. On-line account management system having a tiered account information storage system
US20050015488A1 (en) * 2003-05-30 2005-01-20 Pavan Bayyapu Selectively managing data conveyance between computing devices
US7529728B2 (en) 2003-09-23 2009-05-05 Salesforce.Com, Inc. Query optimization in a multi-tenant database system
US20060074980A1 (en) 2004-09-29 2006-04-06 Sarkar Pte. Ltd. System for semantically disambiguating text information
EP1934812A4 (en) 2005-09-09 2012-01-04 Salesforce Com Inc Systems and methods for exporting, publishing, browsing and installing on-demand applications in a multi-tenant database environment
US7689593B2 (en) 2005-12-30 2010-03-30 Sap Ag Systems and methods for accessing a shared space in a provider-tenant environment
US8752045B2 (en) 2006-10-17 2014-06-10 Manageiq, Inc. Methods and apparatus for using tags to control and manage assets
DE102006050639A1 (en) * 2006-10-26 2008-04-30 Philip Behrens Method and device for controlling and / or limiting electronic media content
US20080104542A1 (en) 2006-10-27 2008-05-01 Information Builders, Inc. Apparatus and Method for Conducting Searches with a Search Engine for Unstructured Data to Retrieve Records Enriched with Structured Data and Generate Reports Based Thereon
DE102007040675A1 (en) 2006-11-13 2008-05-15 Abb Technology Ag System and method for the lossless processing of process values of a technical plant or a technical process
US20080300900A1 (en) 2007-05-31 2008-12-04 Marc Demarest Systems and methods for distributed sequestration in electronic evidence management
US7801994B2 (en) 2007-11-29 2010-09-21 Hitachi, Ltd. Method and apparatus for locating candidate data centers for application migration
US9251239B1 (en) 2008-05-15 2016-02-02 Salesforce.Com, Inc. System, method and computer program product for applying a public tag to information
US8538942B2 (en) 2008-09-12 2013-09-17 Salesforce.Com, Inc. Method and system for sharing documents between on-demand services
WO2011091056A1 (en) 2010-01-19 2011-07-28 Servicemesh, Inc. System and method for a cloud computing abstraction layer
US20130124575A1 (en) 2011-11-11 2013-05-16 Rockwell Automation Technologies, Inc. System and Method for Dynamic Meta-Data in Control and Visualization
US8539567B1 (en) * 2012-09-22 2013-09-17 Nest Labs, Inc. Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers
US20150242412A1 (en) 2012-09-27 2015-08-27 Ge Intelligent Platforms, Inc. System and method for enhanced process data storage and retrieval
US20150046557A1 (en) 2013-02-10 2015-02-12 Einar Rosenberg System, method and apparatus for using a virtual bucket to transfer electronic data
US10223327B2 (en) 2013-03-14 2019-03-05 Fisher-Rosemount Systems, Inc. Collecting and delivering data to a big data machine in a process control system
US9558220B2 (en) 2013-03-04 2017-01-31 Fisher-Rosemount Systems, Inc. Big data in process control systems
US9075960B2 (en) * 2013-03-15 2015-07-07 Now Technologies (Ip) Limited Digital media content management apparatus and method
CN104866513B (en) 2014-02-26 2018-09-11 国际商业机器公司 System and method for being accessed across tenant data
US9720991B2 (en) 2014-03-04 2017-08-01 Microsoft Technology Licensing, Llc Seamless data migration across databases
US9838476B2 (en) 2014-03-26 2017-12-05 Rockwell Automation Technologies, Inc. On-premise data collection and ingestion using industrial cloud agents
US20160104005A1 (en) 2014-10-10 2016-04-14 Salesforce.Com, Inc. Facilitating tenant-based customization of access and security controls in an on-demand services environment

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090064341A1 (en) * 2004-11-08 2009-03-05 Frank Hartung Technique for registering a device with a rights issuer system
US20080022087A1 (en) * 2006-05-12 2008-01-24 Sharp Kabushiki Kaisha Multifunction device, method of controlling multifunction device, multifunction device control system, program, and recording medium
US20080228880A1 (en) * 2007-03-12 2008-09-18 Microsoft Corporation Managed code mapi apis
US20120259652A1 (en) * 2011-04-07 2012-10-11 Full Recovery, Inc. Systems and methods for remote monitoring, management and optimization of physical therapy treatment
US20130221083A1 (en) * 2012-02-24 2013-08-29 Wyse Technology Inc. System and method for information sharing using visual tags
US20150281233A1 (en) * 2014-03-26 2015-10-01 Rockwell Automation Technologies, Inc. Device authentication to facilitate secure cloud management of industrial data
US20170109751A1 (en) * 2014-05-02 2017-04-20 Nok Nok Labs, Inc. System and method for carrying strong authentication events over different channels

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150317463A1 (en) * 2014-05-05 2015-11-05 Invensys Systems, Inc. Active directory for user authentication in a historization system
US10003592B2 (en) * 2014-05-05 2018-06-19 Schneider Electric Software, Llc Active directory for user authentication in a historization system
US10387392B2 (en) * 2016-05-17 2019-08-20 Rockwell Automation Technologies, Inc. Method to automate historian configuration using controller based tag meta attribute
CN106027523A (en) * 2016-05-20 2016-10-12 深圳市永兴元科技有限公司 Data collection method of distributed data system and distributed data system

Also Published As

Publication number Publication date
US20200396276A1 (en) 2020-12-17
US11445010B2 (en) 2022-09-13

Similar Documents

Publication Publication Date Title
US9426142B2 (en) Systems and methods for logging into an application on a second domain from a first domain in a multi-tenant database system environment
US20230370464A1 (en) Systems and methods for controlling sign-on to web applications
US10135796B2 (en) Masking and unmasking data over a network
US11445010B2 (en) Distributed historization system
US10003592B2 (en) Active directory for user authentication in a historization system
US8898765B2 (en) Signing off from multiple domains accessible using single sign-on
US8528066B2 (en) Methods and apparatus for enabling context sharing
EP3391616B1 (en) Device management with tunneling
US9485244B2 (en) Executing an operation over file repositories located in different authentication domains using a representational state transfer (REST)-compliant client
US10476733B2 (en) Single sign-on system and single sign-on method
US20110191591A1 (en) Transmitting Information Using Virtual Input Layout
US20150007269A1 (en) Delegating authentication for a web service
US20110302277A1 (en) Methods and apparatus for web-based migration of data in a multi-tenant database system
US20180205549A1 (en) Script verification using a hash
CN111988295A (en) Database auditing method and device, WEB server, database auditing system and storage medium
US10652332B2 (en) System, method, and apparatuses for dynamic authorization
CN110765137A (en) Electronic certificate processing method, device, equipment, platform and medium
CN114866258A (en) Method and device for establishing access relationship, electronic equipment and storage medium
US11283785B2 (en) Systems and methods for credential control among a plurality of client devices
CN114793244B (en) Resource processing method, device, equipment and medium for block chain
CN107343028B (en) Communication method and system based on HTTP (hyper text transport protocol)
CN115603958A (en) Login data processing method and device, computer equipment and storage medium
CN117240482A (en) Page display method, device, terminal and storage medium
CN115239261A (en) Account login method, device, equipment and medium
US10554789B2 (en) Key based authorization for programmatic clients

Legal Events

Date Code Title Description
AS Assignment

Owner name: INVENSYS SYSTEMS, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LIE, SHIEWUN;KAMATH, VINAY T.;SALDANHA, RYAN BENEDICT;AND OTHERS;REEL/FRAME:036358/0308

Effective date: 20150729

AS Assignment

Owner name: SCHNEIDER ELECTRIC SOFTWARE, LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INVENSYS SYSTEMS, INC.;REEL/FRAME:041383/0514

Effective date: 20161221

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

AS Assignment

Owner name: AVEVA SOFTWARE, LLC, CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:SCHNEIDER ELECTRIC SOFTWARE, LLC;REEL/FRAME:050647/0283

Effective date: 20180514

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION