Remote Access Here or There

Remote Monitoring, Diagnostics and Control Tools Enable Machine Builders and Integrators to Skip the Travel, but Offer More Services

By Jim Montague, Executive Editor

Demanding applications such as heat-treating can be complex, so furnace control systems must do more than regulate temperature. For example, a 10-bar, quench-furnace system provided by Ipsen, Rockford, Ill., also must control speed, pressure, flow direction and other variables throughout the quenching process because they directly affect load distortion in die-casting operations. These parameters change from product to product, so furnace controls need to allow users to develop and test batch recipes too.

Users of Ipsen's industrial vacuum and atmosphere furnaces use its CompuVac control system to look into their thermal-processing applications in the aerospace, commercial heat treating, medical, energy and automotive fields. However, users still need more help.

"Local controls provide a window into the furnace's process with standard features, including an integrated touchscreen for monitoring workloads, displays for programming, running, real-time and historical monitoring, almost unlimited recipe creation, modification and storage, and alarm displays, batch reports, quality control audits and record archiving," says Larry Moore, electrical and software engineering manager at Ipsen. The company designs and builds industrial vacuum furnaces, atmosphere furnaces and supervisory control systems, while its aftermarket support team helps users around the world solve problems, plan furnace controls upgrades, replace hot zones and secure parts, maintenance and field services.

"Though CompuVac makes it easy to create and run custom heat-treating profiles and batches, users often have questions or need support from our engineers," Moore explains. "Ipsen's aftermarket support team is prepared to offer technical advice and help diagnose problems, and remote access to both control systems helps our technical personnel see what the system is doing. In the past, we relied on an Ethernet modem, which required an analog phone connection at both the customer and Ipsen's locations. Phone modems are notoriously slow, and in some cases, providing the analog phone connection at the customer site proved difficult or impossible. We clearly needed a better remote access solution."

Saving Miles and Time
Luckily, the expansion, diversification and growing sophistication of remote machine support makes it more practical for builders, integrators and other service professionals to access users' equipment and production lines from a distance, and then monitor, maintain, troubleshoot, repair and upgrade them without being physically onsite. Instead of dealing with clunky, old-style, dial-in modems, or even jumping through hoops to get permission to access users' internal virtual private networks (VPNs) or other networks, the latest remote-access components let outside experts work on safe versions of a machine's operating software and data, which are served up to cloud-based services that don't require users and their IT departments to allow access to their internal networks.

"We encourage customers to install ports into their systems to allow remote access for monitoring and troubleshooting," says Jon Ertle, vice president of sales at Criterion Manufacturing Solutions in Comstock Park, Mich. The company manufactures CNC routers and CMM-style gauging machines and delivers custom production, automation and gauging equipment. "In the beginning, the best way was to dial in," Ertle continued. "Later, due to security concerns with the Internet and early VPNs, we usually phoned ahead to request access, but it could take days or a week for some IT departments to grant it. Most recently, we've been able to use VPN routers, such as eWon's Cosy 141, which plug onto our customer's machine, establish a secure, SSL-based VPN tunnel, and can call our headquarters when they have a problem."

This gives Criterion a safe, remote link to the PLCs and HMIs on its users' machines. "We can also monitor and manage serial connections to program barcode readers and other devices, or we can integrate cameras or other peripheral equipment," Ertle adds. "Using these new VPN routers saves our customers and us a lot of time. Many times, users contact us with a problem that's actually a symptom or the result of another problem, but now we can look at their HMIs and PLCs for the underlying situation and solution."

Dominique Blanc, eWon's U.S. general manager, adds that, "eWon delivers pure VPN remote access to users' control systems at their customers' sites, but our technology doesn't need to change firewalls or jeopardize users' IT infrastructures. Our secure VPN connection only reaches what's behind our devices, but has no access to the rest of a user's plant. So we can tell a customer that our remote access only reaches what it's supposed to, and that makes IT much more comfortable."

The Right Router
Though they're relatively new in remote machine monitoring, VPN routers are being deployed to remotely monitor and control all kinds of machines and other equipment because they're easier to set up, more secure and less intrusive than other monitoring methods.

For instance, to achieve secure remote access to its furnace controls installed worldwide, Ipsen's support team evaluated several remote access solutions and chose Phoenix Contact's mGuard VPN routers. These allow Ipsen to connect to a customer's industrial network via the Internet with little intervention from its IT department, while secure communication is provided by the VPN and a stateful packet inspection (SPI) firewall.

"The router's wide-area network (WAN) port typically connects to the customer's company network, which gives it access to the Internet through the corporate firewall/router. But because it tunnels outbound — that is, back to Ipsen — no ports need to be opened on the inbound side of the customer's network. This satisfies the customer's IT department security requirements because outsiders can't detect a port," Moore explains. "Conversely, the router can be connected directly to the Internet via its WAN port if a customer doesn't want any connection to its corporate network."

Once its initial connection is made, the VPN router runs at 99 Mbps, which allows Ipsen's engineers to view system data in real time and download program changes when needed. The router can be installed in the furnace's control panel via a DIN-rail module, a PCI card or as a portable device that plugs into a USB port, depending on the customer's requirements. Typically, there is a router at each end of the tunnel. Ipsen installs one per furnace, but only one receiving router is needed at Ipsen's home base to accommodate up to 250 simultaneous VPN connections.

"The network is configured in such a way that our service technicians can access each customer's VPN from laptops," Moore says. "A technician can see all the customer furnaces that are tunneled back to the mGuard at Ipsen in a hub-and-spoke topology. Once connected, the router lets our engineers access data from any Ethernet-connected device on the furnace's local network, including PLC, HMI, DAQ instruments and video recorders. The router's own configuration can also be accessed remotely through the VPN connection."

As a result, the VPN router can be used for start-up support, maintenance support or customer-requested enhancements. And, though these installations on equipment are relatively new, Ipsen already has performed many remote control modifications and diagnostics that previously would have required an on-site service technician.

"Saving the cost of one service trip under warranty is enough to pay for the cost of a system," Moore adds. "Remote access is a mature technology, but past iterations often lacked performance, cost-effectiveness and security. Our mGuard VPN remote access system overcomes these challenges and provides safe, secure, high-speed and low-cost access to users' equipment worldwide from one router located at our headquarters."

Standards Aid Oversight
To help improve machine monitoring, some builders have pursued standards to help streamline communications with their devices — and between them. While many builders still use basic TCP/IP and other Ethernet varieties such as Profinet, EtherNet/IP and EtherCat to enable machine connections and ties to upper levels, some interoperability problems persist. As a result, several developers launched the six-year-old MTConnect open, factory-floor communication protocol, which was initially used for machine monitoring, status reporting and other details, but is growing to include alerts and alarms, temperature, speed and other information.

"There are basically three ways to get information from a machine," says Dave Edstrom, president and board chair of the MTConnect Institute. "The first is native support for a standard, such as MTConnect, which is basically plug-and-play. The second way is to use a device that doesn't speak a standard protocol, but does have an adapter that translates from the proprietary protocol to a common format, for example, using an MTConnect adapter to speak to a Fanuc controller via its standard Focas protocol. The third way is to use a machine that can't provide information through a software interface, so the only way to get information is by intercepting electrical signals. One advantage of MTConnect is there are lots of options for using it with legacy equipment."

For example, Okuma in Nagoya, Japan, and its U.S. subsidiary, Okuma America, in Charlotte, N.C., stopped counting when its users reached more than 200 machines with MTConnect for shop-floor monitoring of its legacy and current, open-architecture Thinc-OSP controls, according to Brian Sides, Okuma's technology director.

"One notable installation occurred recently in Europe, where our customer wanted to connect its new Okuma machines to its existing Freedom eLog shop-floor monitoring system," Sides says. "Using our MTConnect agent, we were able to provide the customer with the necessary plug-and-play connectivity to allow them to monitor the productivity of these new installations from their U.S. headquarters." Freedom eLog comes from 5ME, which is a new business launched in July that includes the tooling and services, cryogenics and software business units of the former MAG IAS.

Security and Documentation
Of course, despite the ability of VPN routers and other networking components to segregate network traffic and conduct secure tunneling, many users remain concerned that remote monitoring will expose them to intrusions and possible attacks. To allay these fears, most suppliers give users physical keys and switches, so they can enable their VPN routers only when remote monitoring and support is needed, and disable them when the problem is resolved.

Besides its software-based security, Blanc adds that eWon's VPN routers also have a hardware key, so users can turn on their local VPN and allow remote access when assistance is needed, and then switch off the VPN after remote assistance has been provided. "We also have Talk2M, which is like a historian that reports who's connected to the router, when and for how long," Blanc explains. "Typically, users have to provide a name and password to access a router, but then lose control of it after that point. Talk2M lets administrators manage their routers better because they can see who's trying to access it, kick out any unauthorized users or simply set up a whitelist ahead of time."

Similarly, to maintain its security, mGuard has a digital input that can be wired to the switch or relay to activate its VPN tunnel. This lets each of Ipsen's customers activate their tunnel when needed, which increases peace of mind because they're in control of their own remote access connection. "The remote access system is all hardware," Moore says. "No software is required. This provides a high degree of security because changes to hardware require deliberate effort that can be easily monitored, as opposed to software changes that can be performed at the touch of a key."

Likewise, mGuard's SPI firewall keeps track of the state of its network connections, such as TCP streams or UDP communications, as they travel through it. "For instance, its algorithm distinguishes legitimate packets for different types of connections," Moore adds. "Only packets matching a known connection state are allowed by the firewall, while others are dropped or rejected. We and our customer jointly set up the rules, so no other entity can intrude on the system."
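
The three controls described in this article (an outbound-only tunnel, a customer-operated key switch and state matching on return traffic) can be modeled together in a few lines. This is an added example, not code from the article or from any vendor named in it; the class name, the documentation-range addresses and the use of TCP port 443 for the VPN endpoint are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class SpiFirewall:
    """Toy stateful filter for a machine-side VPN router (hypothetical model)."""
    vpn_peer: tuple              # (ip, port, proto) of the vendor's VPN endpoint (assumed)
    key_switch_on: bool = False  # models the customer's physical key switch
    flows: set = field(default_factory=set)

    def set_key_switch(self, on: bool) -> None:
        self.key_switch_on = on
        if not on:
            self.flows.clear()   # switching off discards all tracked connection state

    def outbound(self, p: Packet) -> str:
        # LAN -> WAN: only the tunnel to the configured peer, only while enabled.
        if not self.key_switch_on or (p.dst, p.dport, p.proto) != self.vpn_peer:
            return "drop"
        self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "accept"

    def inbound(self, p: Packet) -> str:
        # WAN -> LAN: accept only replies that mirror a tracked outbound flow.
        reply_of = (p.dst, p.dport, p.src, p.sport, p.proto)
        return "accept" if reply_of in self.flows else "drop"

def demo() -> list:
    # Constructed addresses from documentation ranges (RFC 5737), not from the article.
    router, peer, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.77"
    fw = SpiFirewall(vpn_peer=(peer, 443, "tcp"))
    out = Packet(router, 40000, peer, 443)
    reply = Packet(peer, 443, router, 40000)
    probe = Packet(stranger, 51515, router, 443)
    results = [fw.outbound(out)]          # key switch off: tunnel cannot start
    fw.set_key_switch(True)
    results += [fw.outbound(out), fw.inbound(reply), fw.inbound(probe)]
    fw.set_key_switch(False)
    results.append(fw.inbound(reply))     # state flushed: old reply no longer matches
    return results

if __name__ == "__main__":
    print(demo())
```

The unsolicited probe is dropped even while the tunnel is up because no inbound rule exists at all; only the reverse of a flow the router itself initiated is ever accepted.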

Meet in the Cloud
Once a secure VPN router connection or other external link is established, another primary way that remote monitoring and control can become more approachable and workable for many users is by sending applicable operating information to a third-party location, such as a cloud-based service. This strategy gives remote engineers and technicians the data they need to support the equipment, but doesn't compromise the user's internal network security.

John Curie, business unit leader for Thiele Technologies' Streamfeeder product line, reports that Thiele has added eWon's monitoring on bigger products, such as its large collating systems for printed materials, which can be examined remotely via the cloud-based service. "A lot of users are concerned about not being able to get support for their machine when they need it, so we can add an optional eWon module, which ties in to the controller," Curie states. "Then, the customer assigns it an IP address, which allows only predetermined users to communicate with it on eWon's own cloud. This means we don't have to touch our client's internal operating system or corporate network, but we still get enough information via eWon's cloud to monitor machine performance, check for glitches, capture new operating data, examine software, and even make changes at startup or on the fly if they can be done in a couple of minutes."

Seeing is Believing
Besides accessing operating data and conditions, remote monitoring and control increasingly means collecting and relaying real-time video and other specialized data streams.

For example, Germany-based groninger GmbH and its subsidiary, groninger USA LLC in Charlotte, N.C., design and build fill-and-finish processing lines for pharmaceutical and cosmetics manufacturers. Since the firm was formed in 1980, they've installed more than 3,000 machines, including more than 500 in North America.

To help reduce its considerable travel and phone time, groninger recently worked with Phoenix Contact to develop its Remote Video Service, which it offers as an option on new machines or as an upgrade to existing, Ethernet-enabled equipment. The service begins with a secure, key-switch-enabled, customer-initiated VPN connection between a user's machine at its facility and groninger's secure, internal service network in the U.S. and Germany. Both sides employ FL mGuard VPN NAT routers to maintain a secure, encrypted VPN connection and tunnel.

Most onsite machine networks include the usual PLCs, HMIs, servo controllers and other Ethernet-enabled devices, which groninger's service engineers can access to see live program statuses, make any needed changes, backup or restore programs, create new recipes and deliver machine or software updates or revisions. Once a problem is resolved or the machine's PLC or program is updated, the users can switch off their VPN key to disconnect their machine network from groninger's service network.

However, groninger's service also lets users connect a remote-controlled video camera to their same machine network (Figure 2). So besides viewing live PLC and I/O displays, groninger's engineers also see the machine from an operator's perspective by panning, tilting and zooming in the camera to examine particular areas. For easy camera setup, groninger uses a Power-over-Ethernet (PoE) module to supply its remote cameras with power and data over one cable.

The company also developed remote monitoring and control over wireless networks, which is a setup option in its Remote Video Service. This method employs one router, one key switch and one wireless access point at each production floor. As a result, each groninger machine with the wireless option has an antenna installed that allows it to connect to the wireless access point. The firm reports that wireless is especially effective for many of its cosmetics customers, who must reconfigure their production lines regularly to accommodate changes in packaging size, shape and types.