Adapting your safety approach for smart manufacturing
04 October 2021
Industry 4.0 (I4.0), also known as the Industrial Internet of Things (IIoT), is a major paradigm shift: the convergence of enterprise IT and operational technology enables systems and devices to exchange and interpret shared data on a global scale. By combining the strengths of the physical and virtual worlds, cyber-physical systems have the potential to significantly enhance industry performance, facilitate new products and spark innovative business models.
Systems and devices can exchange and interpret data on a global scale
A digital twin receives continuous, real-time data from a product or asset to create a virtual representation of that physical object. As the object can be virtually monitored 24/7 this enhances situational awareness. For example, the digital twin can be used to monitor and model simultaneously, predicting changes in a system’s dynamics based on real-time sensor data. Alternatively, it can model future scenarios, such as a system failure or even simply to predict maintenance requirements.
In today’s I4.0 domain, digital twins operate in parallel to the real-world factory, where thousands of sensors constantly collect and process data, either locally or on a larger scale.
Specific benefits of the digital twin approach include:
- Constant monitoring - to determine if a machine is about to fail, so any potential issue can be mitigated without interrupting function. This can be modelled on the digital twin in real-time to assess the size of a problem.
- Data monitoring and analysis - to make iterative improvements to operations, increase efficiency and reduce costs in real-time. For example, a programmed robot that is operated in a specific sequence could be constantly modelled in parallel to reduce cycle times.
- Ability to plan - probably one of the greatest uses of the digital twin.
Asset administration shell (AAS) is a term coined by ‘Plattform Industrie 4.0’ in Germany. Every I4.0 asset is allocated an AAS, which exchanges asset-related data between assets and production orchestration systems or engineering tools. As the AAS contains all of the information and functionalities of an asset, it acts as a link between I4.0 objects, allowing for the use of many different communication channels and applications.
The AAS can be used for:
- Non-intelligent and intelligent products
- Covering the complete lifecycle of products, devices, machines and facilities
- Allowing for integrated value chains
- Serving as the digital basis for the development of autonomous systems and AI
While I4.0 and skill-based production introduce new opportunities for increased productivity and radical innovation, the implementation of new technologies must also maintain the overall trustworthiness of production lines. Trustworthiness requirements are valid for every type of manufacturing facility, but the extent of the requirements increases with the I4.0 maturity level of the system. Specifically, safety and reliability are prerequisites for all manufacturing systems, irrespective of their maturity level. However, if the system is upgraded to include connectivity, to assure its overall trustworthiness the aspects of security and privacy must also be considered.
For systems that incorporate adaptive and smart features, resilience becomes vital and is added to the list of trustworthiness requirements. Trustworthiness within the collaborative infrastructure along the value chain is a prerequisite for stable operations.
Changing risk profile
While I4.0 sees reduced risk in several areas, the range and flexibility of connected interfaces introduce a new set of risk issues. As production facilities become more complex, operators must manage a rapidly evolving system that incorporates multiple interdependencies, while minimising downtime. It is therefore vital to consider the shifting landscape of risk, which is why I4.0 requires a new risk management approach that is customised to each actual use case.
As the increased flexibility created by these interdependent and dynamically changing I4.0 systems introduces new complexities and challenges, there is a shift from static risk assessment to one of dynamic risk. Analysing and assessing the underlying physical and cyber risks to humans, property, and the environment is therefore a challenging task.
Addressing safety and security is not just a legal obligation for system designers, integrators, system owners and operators, it also directly impacts their ultimate I4.0 mission to minimise downtime and maximise system availability. However, tackling safety issues by using a conventional static risk assessment approach, including existing tools such as Sistema, would require time-consuming reiterations for every changing condition, which could potentially result in operational downtime.
Machinery safety standards define a set of general physical hazards that are used during type certification. However, current standards, such as ISO 12100 - Safety of machinery - General principles for design - Risk assessment and risk reduction, have not been designed around the concept of machine connectivity and interoperability. While hazards depend on the intended use and other limits of the machine in the physical world, conventional safety concepts do not consider the sources and effects of cyber threats that could create new hazards. Another limit related to hazards is that safety measures are designed to protect only human health using a “worst-case” approach. Figure 1 highlights the differences between I3.0 and I4.0 with regard to risk assessment.
Figure 1 – Safety paradigm shift I3.0-I4.0
Risk management in context
Given the connective complexity of interacting assets, applying worst-case assumptions can have an extremely negative impact on productivity and efficiency - preventing manufacturers from reaping the benefits.
In practice, when a machine operates in an application-specific context, its limits and applicable hazardous situations may differ significantly from those considered under worst-case and stand-alone scenarios. Additional hazardous situations may also arise from machine-to-machine interaction. They can be related to human health, property and environment, as well as to undesired operational downtime or bottlenecks - the main concern for system owners and operators.
To give an example, an automated guided vehicle (AGV) navigating towards a machine in an operating area with a human presence represents a “collision risk”. This risk may be mitigated by using three safety measures incorporated in AGV design (according to ISO 3691-4 - Industrial trucks — Safety requirements and verification — Part 4: Driverless industrial trucks and their systems):
1. Personnel detection system
2. Speed control system
3. Braking system control
In current practice, speed limitations due to a human presence are therefore applied even if there are no humans in the actual AGV operating area.
Likewise, in a confined area, with no human presence allowed, an AGV making its final approach to a machine for docking may pose a collision risk between two industrial assets. This unsafe docking event risk may be mitigated by using two safety measures incorporated in AGV design:
1. Speed control system
2. Parking braking system control
Paul Taylor, TÜV SÜD
Although there is no risk for humans in a confined area, the measures are necessary to protect industrial assets from expensive damage. The use of a context-sensitive safety approach could achieve the goal of property protection combined with higher system efficiency.
A third scenario example looks at process optimisation, where operational downtime and bottlenecks may not pose a risk to humans, property and the environment, but they can affect system performance. AGVs with different maximum rated speeds, navigating in line, one after the other, are limited by the maximum speed of the first in line. If lane width and clearance distances from adjacent obstacles are deemed safe, i.e. no human can step into the AGV’s path without being detected, the system can change to parallel navigation. Such context-sensitive safety can enable higher speeds, improve navigation flexibility and increase efficiency.
These scenarios demonstrate the need for adaptive production systems capable of monitoring and recognising hazardous situations during runtime, to ensure that residual risks are handled within current practices. In addition to the limitations of the conventional (I3.0) worst-case approach, system operators should also be aware of real-world situations where safety installations may be either consciously manipulated or inadvertently modified, as these can cause serious accidents.
To meet the new needs of I4.0, a new approach of event-triggered, dynamic risk assessment and automated validation of safety measures is required. This would assist system designers and operators in navigating complex risk landscapes, in both virtual simulations and real-world applications. It requires a continuous and holistic risk assessment to ensure stable operations, increased productivity and reduced downtime in a smart manufacturing environment, which in turn necessitates a digital representation of the physical manufacturing system, using digital twins and asset administration shells. These so-called cyber-physical systems combine the strengths of the physical and virtual worlds and have the potential to significantly enhance industrial performance, as the systems can be modelled using the digital twin in multiple ways.
While digital twins and AAS help manufacturers optimise performance and accurately predict business obstacles, manufacturers also face the challenge of navigating a complex new risk landscape. Effective safety and security are key challenges, since they build trust with asset owners and operators, but it is becoming increasingly impossible to apply existing risk assessment criteria to a dynamic I4.0 operating environment characterised by multiple interactions and data flows. It is therefore vital that the digital twins have customised safety and security profiles. A safety profile should be modelled to describe asset safety from a general and an application-specific perspective. These profiles should then be processed by an inference engine against actual application constraints to define limits and risk-mitigation capabilities in a real-world application, thereby providing automated risk evaluations at runtime.
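The following is an added example, not TÜV SÜD's tooling, the author's method or an implementation of ISO 3691-4. It sketches the pattern this paragraph and the three AGV scenarios above describe: a safety profile holding a general worst-case limit and application-specific limits, a runtime context reported by the digital twin, and an inference step that selects the applicable speed limit and active safety measures on each event. Every field name, speed value, zone name and sensor record is constructed for the illustration. It also covers the failure mode the article warns about, manipulated or inadvertently modified safety installations: the engine only relaxes a limit on fresh, explicit "no human" evidence and otherwise falls back to the worst case.

```python
"""Context-sensitive AGV speed limits from a safety profile plus runtime context.

Added illustration; not TÜV SÜD's or the author's tooling and not an
implementation of ISO 3691-4. Profile fields, speed values, zone names and
sensor records are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: personnel-detection data older than this is treated as unknown.
MAX_DETECTION_AGE_S = 0.5


@dataclass(frozen=True)
class SafetyProfile:
    """Limits for one AGV: the general worst-case value plus the
    application-specific values the inference step may select."""
    asset_id: str
    worst_case_speed: float      # m/s, applies whenever a human may be present
    rated_speed: float           # m/s, the AGV's own maximum rated speed
    docking_speed: float         # m/s, final approach to a machine
    min_lane_clearance_m: float  # clearance needed before parallel navigation


@dataclass(frozen=True)
class Context:
    """Runtime context as reported by the digital twin (constructed fields)."""
    zone: str                            # "shared" (humans allowed) or "confined"
    human_detected: Optional[bool]       # None = personnel detection unavailable
    detection_age_s: Optional[float]     # seconds since the last sensor update
    docking: bool = False                # on final approach to a machine
    leader_speed: Optional[float] = None  # m/s of the AGV ahead when in line
    lane_clearance_m: Optional[float] = None


@dataclass(frozen=True)
class Decision:
    speed_limit: float
    measures: Tuple[str, ...]
    reason: str


def evaluate(profile: SafetyProfile, ctx: Context) -> Decision:
    """Infer the applicable limit and active safety measures for one context."""
    if ctx.zone == "confined":
        # Humans are excluded by design; the remaining risk is asset-to-asset.
        measures = ("speed control", "parking brake control")
        if ctx.docking:
            return Decision(profile.docking_speed, measures,
                            "confined area, final approach: docking limit")
        return Decision(profile.rated_speed, measures,
                        "confined area: no personnel risk")

    # Shared zone: a human may be present, so all three measures stay active.
    measures = ("personnel detection", "speed control", "braking")
    fresh = (ctx.detection_age_s is not None
             and ctx.detection_age_s <= MAX_DETECTION_AGE_S)
    # Only fresh, explicit "no human" evidence relaxes the limit. A missing,
    # stale or silently stopped sensor feed falls back to the worst case.
    if ctx.human_detected is not False or not fresh:
        return Decision(profile.worst_case_speed, measures,
                        "human present or detection unavailable/stale: worst case")
    if ctx.leader_speed is not None:
        cleared = (ctx.lane_clearance_m is not None
                   and ctx.lane_clearance_m >= profile.min_lane_clearance_m)
        if cleared:
            return Decision(profile.rated_speed, measures,
                            "lane clearance sufficient: parallel navigation")
        return Decision(min(profile.rated_speed, ctx.leader_speed), measures,
                        "in-line navigation: limited by the AGV ahead")
    return Decision(profile.rated_speed, measures,
                    "no human detected by fresh sensor data: rated speed")


# Constructed example profile (values are illustrative only).
EXAMPLE_PROFILE = SafetyProfile("agv-07", worst_case_speed=0.3, rated_speed=1.5,
                                docking_speed=0.2, min_lane_clearance_m=1.2)

# Constructed event stream: each entry is one re-evaluation trigger.
SAMPLE_EVENTS = [
    Context("shared", human_detected=True, detection_age_s=0.1),
    Context("shared", human_detected=False, detection_age_s=4.0),   # stale
    Context("shared", human_detected=None, detection_age_s=None),   # no data
    Context("shared", False, 0.1, leader_speed=0.8, lane_clearance_m=0.9),
    Context("shared", False, 0.1, leader_speed=0.8, lane_clearance_m=2.0),
    Context("confined", None, None, docking=True),
]


def run_events(profile: SafetyProfile, events) -> list:
    """Re-evaluate on every event, as an event-triggered assessment would."""
    return [evaluate(profile, ctx) for ctx in events]


if __name__ == "__main__":
    for ctx, d in zip(SAMPLE_EVENTS, run_events(EXAMPLE_PROFILE, SAMPLE_EVENTS)):
        print(f"{ctx.zone:9s} {d.speed_limit:.2f} m/s  {d.reason}")
```

The design choice worth noting is the direction of the default: the relaxed limit is something the context has to earn with fresh, explicit evidence, so a sensor feed that is disconnected, stuck or simply not reporting yields the same decision as a detected person. The measures tuple in each decision is what a validation step would check against the AGV's actual configuration before the new limit is applied.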
About the author:
Paul Taylor is the Business Development Director for Industrial Services at TÜV SÜD, a global product testing and certification organisation. TÜV SÜD’s Machinery Safety Division is the official partner of the Process and Packaging Machinery Association on regulatory affairs.