MSA IT Operations - Sample
Sample managed service agreement between Manufacturing Operations and IT - the organizational expression of the architectural principles.
Master Service Agreement: Manufacturing Operations ↔ Information Technology
Draft synthesized from Gary Workman’s positions on the 2026-04-21 Manufacturing Operations Network Architecture call. Phrasing follows his idiom — “Manufacturing Operations” replaces the older “OT” wherever Gary objected to the misnomer. Each clause traces to an underlying assertion in the source call; intended as a working starting point for the model service agreement Gary, John Rinaldi, and River agreed needed to exist.
1. Definitions and scope
1.1 This agreement governs the interface between any Manufacturing Operations Department network (paint, conveyance, machining, powerhouse, packaging, etc., each treated as a peer entity) and the Information Technology network. Each Manufacturing Operations Department is a peer; IT is treated as a wide-area-network service provider, analogous to a fiber or satellite carrier.
1.2 The interface is a router-to-router interconnect, not a shared infrastructure. There is no shared switching fabric, no shared VLAN, and no IT-administered device inside any Manufacturing Operations Department network.
1.3 Terminology in this agreement supersedes vendor and industry usage where it conflicts:
- Secure (AIC) governs control-signal traffic — Availability, Integrity, Confidentiality, in that order. Secure (CIA) governs information-system traffic. Both apply within their respective domains and do not cross.
- Connection in the control-signal context means temporally-ordered, non-resequenced messaging. Connection in the IT context means in-sequence messaging. Each side must use the qualifier when interfacing.
- Gateway means an application gateway — an end device on the IT network. It does not mean router. It does not mean bridge.
- The Manufacturing Operations Firewall means a firewall installed between a One Big Switch and the IT layer-3 switch, administered by Manufacturing Operations. It is not the DMZ firewall — that is the IT firewall protecting IT from its own manufacturing-touching side.
2. Manufacturing Operations responsibilities
The Manufacturing Operations Department shall maintain and operate, for each of its networks, all of the following independently of IT:
2.1 Asset inventory. Up-to-date, machine-readable, queryable. IT is entitled to receive a current inventory on demand for capacity planning, but cannot generate or alter it.
2.2 Network monitoring. Passive monitoring of the Manufacturing Operations network with an event broker capable of forwarding selected events upstream per § 5.
2.3 Local services on a well-known address. The services server lives at address .2 on the Manufacturing Operations subnet (the router is .1):
- DNS server, zone-authoritative for Manufacturing Operations namespace, backwards-compatible with standard DNS for any IT-side query authorized under § 4
- DHCP server with infinite (or zero-equivalent) lease times for control-system endpoints
- NTP / time server
- SNMP server
- Syslog / event log
2.4 Switch standardization within a network. Every switch within a single Manufacturing Operations network shall be from the same manufacturer and at the same firmware revision. Different Manufacturing Operations networks may use different vendors, provided each network is internally consistent.
2.5 Firmware management. Manufacturing Operations administers all firmware upgrades on its own switches and equipment. IT shall not push, schedule, or trigger any firmware change inside a Manufacturing Operations network.
2.6 Production-schedule disclosure. Manufacturing Operations provides IT with its production-schedule feed so that IT monitoring of the boundary interface is meaningful — that is, does not alert on a scheduled powerdown.
2.7 Application security at IO-link interface. Where IO sensors are exposed via point-to-point IO-link rather than ethernet, Manufacturing Operations is responsible for application security at the IO-link master only. Network-security obligations under this agreement do not extend below the IO-link master.
3. Information Technology responsibilities
IT shall provide, deliver, and guarantee:
3.1 Bandwidth reservation. For each Manufacturing Operations network requiring long-distance interlocks across the IT backbone, IT shall reserve sufficient bandwidth to satisfy the timing requirement specified in the relevant interlock annex.
3.2 Priority class. Control-signal traffic carrying long-distance interlocks is the highest-priority traffic class on the IT backbone. In any congestion or contention event, control-signal traffic is delivered; lower-priority IT traffic is shed.
3.3 Redundancy. The IT backbone path between Manufacturing Operations networks is redundant. Path failover does not exceed the maximum allowed loss window declared in the interlock annex.
3.4 Uptime measurement. Uptime is measured at the Manufacturing Operations router-facing port, not at the IT switch chassis. Sub-threshold “blips” excluded from typical IT 99.999% reporting are explicitly included here. The target SLA is set such that any blip exceeding the interlock fail-safe window (four expected update intervals) counts as an outage.
3.5 Testability. Manufacturing Operations is entitled to issue ICMP echo, traceroute, and link-quality test traffic toward the IT side at any time, without prior coordination, for the purpose of verifying SLA compliance. IT shall not block these from the Manufacturing Operations downlink.
3.6 No RSPAN, no port mirroring without joint take-down. Any remote-span or port-mirroring session established by IT for diagnostic purposes shall have a maximum lifetime declared at setup and shall be torn down by IT at expiry. Sessions left active beyond expiry are a Major Incident under § 7.
3.7 No firmware changes on the boundary switch without coordination window. IT shall provide Manufacturing Operations 14 days’ notice and a coordination window for any firmware change to the IT layer-3 switch that terminates a Manufacturing Operations downlink.
3.8 No reach into Manufacturing Operations services. IT shall not query Manufacturing Operations DHCP, attempt name resolution against the Manufacturing Operations DNS except through the published external resolver, or send broadcast traffic into the Manufacturing Operations network. All cross-boundary lookups are pull-mode through the Manufacturing Operations services gateway.
4. Interconnect architecture
4.1 Each Manufacturing Operations network terminates at one One Big Switch. The One Big Switch is a logical unit; physically it may be one or many static-routing-capable switches operated as a single administrative unit.
4.2 Above each One Big Switch sits the Manufacturing Operations Firewall, administered by Manufacturing Operations. Above that, the IT layer-3 switch, administered by IT.
4.3 PLCs and devices inside the Manufacturing Operations network use the static-routing-capable switch as their gateway address. The static-routing-capable switch’s gateway address is the IT layer-3 switch. Devices inside the Manufacturing Operations network have no awareness of the IT network or of any sibling Manufacturing Operations network.
4.4 Addressing convention:
| Range | Use |
|---|---|
| 172.x.x.x | Controller-to-controller (horizontal) traffic |
| 192.168.x.x | Controller-to-IO (vertical) traffic — reserved for IO devices |
| .1 | Gateway / router address |
| .2 | Services server (DNS, DHCP, NTP, SNMP, syslog) |
4.5 No VLAN crosses the boundary. IT-side VLAN definitions are not propagated into Manufacturing Operations networks, and vice versa.
4.6 The cross-boundary firewall pair (Manufacturing Operations Firewall + IT firewall on the IT layer-3 switch) is administered jointly per § 7. Each side configures its own firewall; configuration is mutually disclosed.
5. Long-distance interlock service
Where a Manufacturing Operations network requires implicit-message control signaling to a peer Manufacturing Operations network via the IT backbone:
5.1 Traffic is implicit messaging only, sequence-numbered, temporally ordered, not resequenced. Stale messages are discarded by the receiver.
5.2 Fail-safe behavior. The receiver assumes loss and falls to a safe state if no value is received within four expected update intervals.
5.3 IT shall provide the bandwidth, priority class, and redundancy specified in the interlock annex — one annex per active long-distance interlock, listing peer endpoints, expected update interval, maximum allowed loss window, and required redundancy.
5.4 Manufacturing Operations is entitled to issue interlock-quality test traffic on demand to verify § 5.3 compliance, per § 3.5.
5.5 Operator visibility into the middle of a long-distance interlock is an open item. The parties agree to maintain a joint troubleshooting runbook (Annex C) until a tooling solution is in place.
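The receiver rules in § 5.1 and § 5.2, and the § 3.4 reading of any blip beyond the fail-safe window as an outage, modeled as an added example (this is not code from the draft or from the source call). The 100 ms update interval, the arrival trace and the per-scan tick are constructed; sequence-number wrap is not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class InterlockReceiver:
    """Receiving end of a long-distance interlock (constructed model; interval and window come from the annex)."""
    update_interval_ms: int
    loss_window_intervals: int = 4      # fail-safe window, § 5.2
    last_seq: int = -1                  # sequence-number wrap is not modeled
    last_rx_ms: int = -1
    value: object = None
    safe_state: bool = True             # start safe until the first value arrives
    stale_dropped: int = 0
    outages: list = field(default_factory=list)

    def receive(self, arrival_ms, seq, value):
        """Implicit message arrival: only a newer sequence number is accepted; an
        older or duplicate message is stale and discarded, never buffered or resequenced (§ 5.1)."""
        if seq <= self.last_seq:
            self.stale_dropped += 1
            return False
        if self.safe_state and self.outages and self.outages[-1]["restored_at"] is None:
            self.outages[-1]["restored_at"] = arrival_ms   # recovery from a recorded outage
        self.last_seq, self.last_rx_ms, self.value = seq, arrival_ms, value
        self.safe_state = False
        return True

    def tick(self, now_ms):
        """Scan-cycle check: no value within the window means assume loss and fall safe (§ 5.2); each such event is a § 3.4 outage."""
        window = self.loss_window_intervals * self.update_interval_ms
        if not self.safe_state and now_ms - self.last_rx_ms >= window:
            self.safe_state, self.value = True, None
            self.outages.append({"lost_after": self.last_rx_ms, "safe_at": now_ms, "restored_at": None})

def replay(trace, update_interval_ms, end_ms):
    """Feed an arrival trace [(arrival_ms, seq, value), ...] in arrival order, ticking once per expected update interval."""
    rx = InterlockReceiver(update_interval_ms)
    pending = list(trace)
    for i in range(end_ms // update_interval_ms + 1):
        now = i * update_interval_ms
        while pending and pending[0][0] <= now:
            arrival, seq, value = pending.pop(0)
            rx.receive(arrival, seq, value)
        rx.tick(now)
    return rx

# Constructed trace: seq 3 arrives after seq 4 (reordered), seq 5 is duplicated,
# and the 600 ms gap after seq 5 exceeds the 4 x 100 ms fail-safe window.
UPDATE_INTERVAL_MS = 100
TRACE = [(0, 1, 1), (100, 2, 1), (200, 4, 1), (250, 3, 1), (300, 5, 0),
         (310, 5, 0), (900, 6, 0), (1000, 7, 1)]
```

Replaying TRACE yields two stale drops and one outage record (lost after 300 ms, safe at 700 ms, restored at 900 ms); the outage list is what the § 3.4 uptime report must count even though the link itself never went down.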
6. Cross-boundary published services
6.1 Manufacturing Operations publishes to IT, via the Manufacturing Operations services gateway:
- Asset inventory snapshot (pull, JSON)
- Selected DNS records authorized for external resolution
- Selected event-broker topics authorized for external subscription
- Production schedule feed (per § 2.6)
6.2 IT publishes to Manufacturing Operations:
- Backbone link-quality metrics (per § 3.4)
- Scheduled-maintenance calendar for the IT layer-3 switch terminating the Manufacturing Operations downlink
6.3 All cross-boundary publication uses pull-mode or one-way-broker patterns. No push-into-Manufacturing-Operations primitives are authorized.
7. Incident classification
Major Incident — subject to root-cause analysis and remediation deadline:
- Any control-signal loss exceeding the § 5.2 fail-safe window
- IT-induced outage of a Manufacturing Operations interface (the RSPAN-left-up case)
- Unauthorized configuration change made by either side to the other’s domain
- Firmware change on the boundary switch without § 3.7 coordination
Minor Incident — logged, reviewed quarterly:
- Sub-threshold link flaps
- Monitoring false positives caused by missing production-schedule data
8. Governance
8.1 Joint review. Quarterly with Manufacturing Operations and IT leadership. Standing agenda: SLA compliance, incident review, capacity, scheduled changes, terminology drift.
8.2 Hands-off clause. Neither party administers the other’s domain. The phrase “these are my switches, hands off” is the operative principle. Disputes escalate to plant manager, not to either side’s vendor or auditor.
8.3 Configuration disclosure. Each side’s firewall configuration, switch firmware version, and ACL set are mutually disclosed and version-controlled in a shared registry. Changes require pre-commit notification.
8.4 Maturity track. Over time, the plant may converge on a single Manufacturing-Operations-switch supplier across all Manufacturing Operations networks; this is the goal, not the starting state.
What’s deliberately not in here
- No “IT/Manufacturing Operations DMZ.” Gary’s position is that the DMZ as commonly drawn is IT-protecting-IT and has no role in this agreement.
- No “convergence.” Manufacturing Operations and IT are two management domains. They are not merging.
- No vendor names. Switch and firewall vendor choice is internal to each domain.
- No “Manufacturing Operations firewall” as a marketing-vendor product class. The firewall in § 4.2 is a real firewall whose distinguishing feature is who administers it, not what brand it is.
Annexes to be drafted
- Annex A — Per-network address allocations and services-server mappings
- Annex B — Interlock specifications, one per active long-distance interlock
- Annex C — Joint troubleshooting runbook for the long-distance-interlock visibility gap
- Annex D — Mutual firewall configuration register
- Annex E — Approved Manufacturing Operations switch families per network — vendor lock-in only within a network
Open items (Gary flagged these explicitly)
- Operator visibility into the middle of long-distance interlocks — § 5.5 / Annex C. No tooling solution exists. Joint runbook is the interim.
- Tooling gap on the Manufacturing Operations side — the § 2.1–2.3 obligations are hard to staff today because the inventory, monitoring, and DNS/DHCP/NTP-as-product stack for Manufacturing Operations does not exist as an off-the-shelf product. River’s Marlinspike + conversational-factory work is a candidate; RTA’s InsightEdge work is the parallel commercial track.
Source: 2026-04-21 - Gary Workman & River - Manufacturing Operations Network Architecture, ~2h10m. Direct quotes and architectural positions throughout this draft trace to Gary’s statements on that call.