Solution components - Amazon Virtual Andon

Solution components

Web interface

The Amazon Virtual Andon solution features a web interface that simplifies managing factory settings, notifications, and data analysis. The interface leverages Amazon Cognito for user authentication, AWS Amplify for interacting with cloud services, and an Amazon Simple Storage Service (Amazon S3) bucket to host web assets.

        Amazon Virtual Andon web interface

Figure 2: Amazon Virtual Andon web interface

As shown in Figure 2, the web interface provides the following menu options: Sites, Client, Observer, Metrics, History, Users, Permissions, and Root Causes. These options provide users with the following features:

  • Management tools: These tools include the Sites, Users, Permissions, and Root Causes menu options. Administrators use these tools to manage users (such as factory floor workers, engineers, and managers), assign them to one or more specialized groups (refer to Amazon Cognito user groups), and enter the factory details for their facility. Administrators use the Sites option to define a factory using the following criteria: sites, areas, processes, stations, devices, and event details.

  • Analysis tools: These tools are provided in the Metrics and History menu options. Users assigned to the Admin and Manager groups can view the historical information about issues that have occurred over the last seven days.

  • Client tool: This tool is provided in the Client menu option. Users identify events or issues on the factory floor using this tool. If a point-of-contact (such as an engineer) is assigned to the event, an Amazon Simple Notification Service (Amazon SNS) notification is sent.

  • Observer function: This function is provided in the Observer menu option. Users assigned to the Admin, Manager, and Engineer groups can access a real-time view of events across the factory site and respond to issues. Responses are recorded and synchronized in the web interface.

In order to access the web interface, the solution administrator must add users and assign them to one or more groups. Groups provide the users with the appropriate access privileges to the tools and functionalities available in the web interface. For details about setting up the web interface, refer to Automated deployment. For more information about the web interface, refer to Solution web interface.

The web interface supports seven languages: German, English, Spanish, French, Japanese, Korean, and simplified Chinese.

AWS AppSync

The solution uses AWS AppSync queries, mutations, and subscriptions generated by the AppSync schema. These queries, mutations, and subscriptions help set up the factory with management tools and real-time issue updates.

Amazon Cognito user groups

The solution uses Amazon Cognito to authenticate users. Authorization to the different user interface components is restricted by the user’s assigned group. As shown in Figure 3, the solution administrator assigns a user to one of the following groups:

  • Admin Group: Users in this group have access to all menu options, providing them with access to the management, analysis, and client tools, as well as the observer function.

  • Manager Group: Users in this group can access the Client, Observer, Metrics, and History menu options, providing them with access to the analysis and client tools and the observer function.

  • Engineer Group: Users in this group can access the Client and Observer options.

  • Associate Group: Users in this group can access the Client option.

        Web interface Add User page

Figure 3: Web interface Add User page

As an administrator you can restrict a user's access to certain sites, processes, and areas so that only information related to the assigned group can be viewed. The solution administrator manages this access through Amazon Cognito user groups to the AWS AppSync GraphQL queries and mutations. Users that are not in the appropriate resolver group cannot query the AWS AppSync schema. For example, the following schema shows a schema.graphql file where only users assigned to the Admin Group have access to the mutations that allow a Site to be deleted.

type Mutation { deleteSite(id: ID!): Site @aws_auth(cognito_groups: ["AdminGroup"]) }

The following schema example shows a mutation.delete.req.vtl file where an error message generates if the request does not originate from a user in the Admin Group.

## Check authorization #set ($isAllowed = false) #set ($userGroups = $"cognito:groups")) #set ($allowedGroups = ["AdminGroup"]) #foreach ($userGroup in $userGroups) #if ($allowedGroups.contains($userGroup)) #set ($isAllowed = true) #break #end #end ## Throw authorized if the user is not authorized. #if ($isAllowed == false) $util.unauthorized() #end { "version": "2017-02-28", "operation": "DeleteItem", "key": { "id": $util.dynamodb.toDynamoDBJson($ } }

Amazon DynamoDB

This solution uses Amazon DynamoDB to persist factory setup data and store user generated issues. This solution creates the following DynamoDB tables:

  • Site: Stores the Sites metadata

  • Area: Stores the Areas metadata for the areas in each site

  • Process: Stores the Processes metadata for each area

  • Event: Stores metadata for the events that are likely to occur in each process

  • Station: Stores Stations metadata for each area of a site

  • Device: Stores Devices metadata for each station

  • Issue: Stores metadata about the issues that are activated by users

  • Permission: Stores Permissions metadata specifically for the Associate Group

  • Root Cause: Stores the root causes for events that are entered by users in the Admin Group

AWS IoT Core

The web interface communicates with AWS IoT Core to publish messages regarding the issues occurring on the factory floor to an AWS IoT Core topic. Specifically, the web interface uses the AWS Amplify PubSub category with AWSIoTProvider, which signs a request according to Signature Version 4. The AWS IoT Core rules engine initiates an AWS Lambda function that processes the message.

The solution creates an AWS IoT Core policy during deployment. When a user accesses the web interface, the appropriate AWS IoT Core policy is assigned an Amazon Cognito identity based on the group that the user belongs to. This policy allows the user to post to the ava/issues and ava/groups/# AWS IoT topics.

Solution microservices

The Amazon Virtual Andon microservices are a series of AWS Lambda functions that provide the business logic and data access layer for all device operations. Each Lambda function assumes an AWS Identity and Access Management (IAM) role with least privilege access (minimum permissions necessary) to perform its designated functions.

Handle issues microservice

The HandleIssues microservice runs every time a message is posted to the ava/issues topic in AWS IoT Core or a file is placed in the DetectedAnomalies Amazon S3 bucket. This microservice calls the AWS AppSync API to store the issue details in the issue Amazon DynamoDB table, and sends a notification to the Amazon Simple Notification Service (Amazon SNS) topic for the event.

Custom resource microservice

The CustomResource microservice supports the initial solution setup, which includes putting the solution’s web interface resources and configuration into an Amazon Simple Storage Service (Amazon S3) bucket. This microservice also updates the solution when customers deploy a new version of the solution.