Reference Architecture Diagram + Narrative (OT/IT convergence with private 5G + MEC)
┌─────────────────────────────────────────────────────────────────────────┐
│                             ROLES & DOMAINS                             │
│ Plant Ops │ OT Engineers │ Quality/Process │ Vendors │ Corporate IT/SEC │
└──────────────────┬─────────────────┬─────────────────┬──────────────────┘
                   │                 │                 │
                   ▼                 ▼                 ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                      FACTORY / PLANT EDGE (ZONES)                       │
│ ZONE 0/1 Robots & PLCs │ ZONE 2 Lines │ ZONE 3 IT                       │
├─────────────────────────────────────────────────────────────────────────┤
│                  SD-BRANCH/SD-WAN EDGE (dual uplinks)                   │
│ • VRFs: OT/PLC │ Robotics/AMR │ Corp-IT │ Vendor                        │
│ • NGFW/NAC │ ZTP │ QoS (control > video > IT)                           │
└──────────────────┬───────────────────────────────────┬──────────────────┘
                   │                                   │
  Private 5G/LTE RAN (CBRS/licensed)                   │ Fiber/MPLS/DIA
  Small cells + UPF at edge for URLLC                  │ (backhaul to core)
                   │                                   │
                   ▼                                   ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                      MEC / EDGE CLUSTER (on-prem)                       │
│ • K8s/VMs for: vision AI, AMR orchestration, MES                        │
│ • OT gateways: protocol normalize (OPC-UA/Modbus)                       │
│ • Local historians, buffering, store-and-forward                        │
└────────────────────────────────────┬────────────────────────────────────┘
                                     │
                                     ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                       TRANSPORT / SECURITY FABRIC                       │
│ SD-WAN overlays ║ MPLS/Waves ║ IX/Peering ║ SASE/SSE POPs               │
│ (ZTNA, SWG, CASB, FWaaS, DLP; geo/data-residency fences)                │
└─────────────────┬──────────────────────────────────────┬────────────────┘
                  │                                      │
                  ▼                                      ▼
┌──────────────────────────────────┐   ┌──────────────────────────────────┐
│ ENTERPRISE & OT CORES (DC/Colo)  │   │    CLOUD ON-RAMPS (DX/ER/GCI)    │
│ • ERP/WMS/MES • IdP/PAM • HSM/KMS│   │ • Analytics/AI • Digital Twin    │
│ • SIEM/NDR • Backups/Immutable   │   │ • Supplier/API Hub • Data Lake   │
└─────────────────┬────────────────┘   └─────────────────┬────────────────┘
                  │                                      │
                  ▼                                      ▼
┌──────────────────────────────────┐   ┌──────────────────────────────────┐
│         PRODUCTION APPS          │   │        SUPPLY-CHAIN APPS         │
│ Quality/vision AI                │   │ EDI/Partner portals              │
│ OEE/telemetry KPIs               │   │ Forecast/plan/ship               │
└──────────────────────────────────┘   └──────────────────────────────────┘

Observability bus (logs/metrics/traces) ─────► NOC/SOC + AIOps + ITSM/CMDB + IEC 62443 audits
Narrative (how the factory keeps coherence under motion)
1) Purpose & posture
- Objective: Run robotic lines and PLC control safely with deterministic latency, while unifying OT/IT for analytics, quality, and supply-chain flows.
- Posture: Zero-Trust, compartmentalized OT zones, and IEC 62443–aligned controls; privacy & data-sovereignty honored across sites/countries.
2) Edge, RAN & MEC (syntax where milliseconds matter)
- Private 5G/LTE small-cell RAN in the plant; a local UPF breaks traffic out at the edge so that paths to robots/PLCs stay URLLC-grade.
- MEC/edge cluster runs vision AI, AMR orchestration, and OT gateways converting field protocols (OPC-UA/Modbus/PROFINET) into secured, routable flows.
- SD-Branch/SD-WAN provides dual underlays (fiber/MPLS/DIA) with per-flow QoS: control > safety video > MES/IT.
3) Segmentation & zero-trust (semantics preserved)
- VRFs: OT/PLC, Robotics/AMR, Corp-IT, Vendor. Microsegmentation prevents lateral drift; vendor access gated by ZTNA + PAM and time-bound just-in-time credentials.
- SASE/SSE POPs apply SWG/CASB/FWaaS/DLP for SaaS/partner flows; policies pin data to region and block exfiltration from OT VLANs.
4) Systems of record & cloud (meaning aggregated)
- On-prem/colocation cores host ERP/WMS/MES/IdP/HSM/SIEM with immutable backups for configs and recipes.
- Cloud on-ramps connect to analytics, digital-twin, data lake, and partner APIs for planning, sourcing, and logistics—always via private links and policy fences.
5) Resilience patterns (grammar under stress)
- Network failover: SD-WAN steers to secondary underlay; MEC keeps lines running (local control loops continue if WAN impaired).
- Data continuity: Edge store-and-forward buffers historians/telemetry until backhaul recovers.
- Robotics continuity: AMRs remain under local edge orchestration; non-critical IT traffic throttled during incidents.
6) Security controls (trust that scales)
- Identity-centric (IdP/MFA/device posture) for humans; certificate-based identity for machines/sensors.
- OT NDR/IDS watches east-west in OT segments; SIEM/SOAR automates containment (isolate VRF, revoke vendor session, roll keys in HSM/KMS).
- Change control via ITSM/CMDB; golden images for PLC/robot firmware; scheduled maintenance windows aligned to takt time.
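Policy-as-code sketch of the zone/conduit rules from section 3 (default-deny between VRFs, vendor access only through a time-bound JIT grant) together with the containment actions from section 6 (isolate a VRF, revoke a vendor session). This is an added example, not the page's own code: the VRF names are the diagram's; the ports, identities, grant lifetime and the evaluate/revoke_vendor functions are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Conduit allowlist keyed on (src VRF, dst VRF) -> permitted TCP ports; anything absent is denied.
# Zone names are the diagram's; ports, identities and times below are constructed sample data.
CONDUITS = {
    ("MEC", "OT/PLC"): {4840, 502},      # OT gateway -> PLCs: OPC-UA, Modbus/TCP
    ("MEC", "Robotics/AMR"): {4840},     # AMR orchestration over OPC-UA
    ("Corp-IT", "MEC"): {443},           # MES/historian reads via the edge API, never to PLCs
    ("Vendor", "OT/PLC"): {4840},        # remote maintenance, only while a JIT grant is live
}
Flow = namedtuple("Flow", "src_zone dst_zone dst_port identity at")   # identity: IdP user or cert CN
JitGrant = namedtuple("JitGrant", "identity dst_zone expires")      # time-bound vendor access

def evaluate(flow, grants, isolated=frozenset()):
    """Default-deny conduit check; returns (decision, reason)."""
    if flow.src_zone in isolated or flow.dst_zone in isolated:
        return "deny", "zone isolated by containment"
    if flow.dst_port not in CONDUITS.get((flow.src_zone, flow.dst_zone), set()):
        return "deny", "no conduit"            # covers intra-zone and unknown zone pairs too
    if flow.src_zone == "Vendor" and not any(
            g.identity == flow.identity and g.dst_zone == flow.dst_zone and g.expires > flow.at
            for g in grants):
        return "deny", "vendor conduit needs an unexpired JIT grant"
    return "allow", "conduit matched"

def revoke_vendor(grants, identity):
    """SOAR containment step: drop every JIT grant held by one vendor identity."""
    return [g for g in grants if g.identity != identity]

# Constructed sample data for the walk-through below.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [JitGrant("vendor-tech-01", "OT/PLC", T0 + timedelta(hours=2))]

def demo():
    """Decision per scenario from the narrative (sections 3 and 6)."""
    gw = Flow("MEC", "OT/PLC", 502, "gw-01", T0)
    vend = Flow("Vendor", "OT/PLC", 4840, "vendor-tech-01", T0)
    return {
        "gateway_modbus": evaluate(gw, SAMPLE_GRANTS)[0],                        # allow
        "corp_it_to_plc": evaluate(Flow("Corp-IT", "OT/PLC", 502, "alice", T0), SAMPLE_GRANTS)[0],  # deny
        "plc_to_plc": evaluate(Flow("OT/PLC", "OT/PLC", 502, "plc-07", T0), SAMPLE_GRANTS)[0],      # deny
        "vendor_in_window": evaluate(vend, SAMPLE_GRANTS)[0],                    # allow
        "vendor_expired": evaluate(vend._replace(at=T0 + timedelta(hours=3)), SAMPLE_GRANTS)[0],    # deny
        "vendor_revoked": evaluate(vend, revoke_vendor(SAMPLE_GRANTS, "vendor-tech-01"))[0],        # deny
        "zone_isolated": evaluate(gw, SAMPLE_GRANTS, isolated={"OT/PLC"})[0],    # deny
    }
```

In a real deployment the same table would be rendered into NGFW/NAC and ZTNA policy rather than evaluated in Python; the point is that every decision is traceable to a named conduit or a named grant.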
7) Telemetry & KPIs (pragmatics of proof)
- AIOps scores control loops (latency/jitter), vision throughput, AMR uptime, and OEE deltas; alerts drive proactive fixes.
- Reference KPIs: OT loop latency <10 ms, plant network availability ≥99.99%, failover <60 s, compromise containment ≤2 h, RTO/RPO for ERP/WMS ≤4 h / ≤15 min.
8) Minimal BOM (mapped to your matrix)
Private 5G/LTE + UPF, MEC/edge K8s, SD-WAN/SD-Branch, DIA/MPLS/Waves, OT gateways (OPC-UA/Modbus), SASE/SSE (ZTNA/SWG/CASB/FWaaS/DLP), IdP/PAM, HSM/KMS, SIEM/NDR/SOAR, ERP/WMS/MES, Cloud on-ramps, AIOps, ITSM/CMDB, immutable backup.