Safety in smart manufacturing
31 August 2021
By combining the strengths of the physical and virtual worlds, cyber-physical systems have the potential to significantly enhance industry performance, facilitate new products and spark innovative business models as the real systems can be modelled using digital twins in multiple ways, says Paul Taylor
A digital twin receives continuous, real-time data from a product or asset to create a virtual representation of that physical object. Because the object can be monitored virtually around the clock, situational awareness improves. The twin can monitor and model at the same time, predicting changes in a system's dynamics from real-time sensor data, or it can model future scenarios, such as a system failure, or simply predict maintenance requirements.
In today’s I4.0 domain, digital twins operate in parallel to the real-world factory, where thousands of sensors constantly collect and process data, either locally or on a larger scale.
Specific benefits of the digital twin approach include:
- Constant monitoring - to determine if a machine is about to fail, so any potential issue can be mitigated without interrupting function. This can be modelled on the digital twin in real-time to assess the size of a problem
- Data monitoring and analysis - to make iterative improvements to operations, increase efficiency and reduce costs in real-time. For example, a programmed robot that is operated in a specific sequence could be constantly modelled in parallel to reduce cycle times
- Ability to plan - probably one of the greatest uses of the digital twin, as an entire factory can be simulated before the first brick is laid.
Asset administration shell (AAS) is a term coined by Plattform Industrie 4.0 in Germany. Every I4.0 asset is allocated an AAS, which exchanges asset-related data between the asset and production orchestration systems or engineering tools. As the AAS contains all of the information and functionalities of an asset, it acts as the link between I4.0 objects, allowing many different communication channels and applications to be used.
The AAS can be used for:
- Non-intelligent and intelligent products
- Covering the complete lifecycle of products, devices, machines and facilities
- Allowing for integrated value chains
- Serving as the digital basis for the development of autonomous systems and AI
Changing risk profile
While I4.0 reduces risk in several areas, the range and flexibility of connected interfaces introduce a new set of risk issues. As production facilities become more complex, operators must manage a rapidly evolving system with multiple interdependencies while minimising downtime. It is therefore vital to consider the shifting landscape of risk, which is why I4.0 requires a new risk management approach customised to each individual use case.
As the flexibility created by these interdependent and dynamically changing I4.0 systems introduces new complexities and challenges, there is a shift from static risk assessment to dynamic risk assessment. Analysing and assessing the underlying physical and cyber risks to humans, property and the environment is therefore a challenging task.
Addressing safety and security is not just a legal obligation for system designers, integrators, system owners and operators, it also directly impacts their ultimate I4.0 mission to minimise downtime and maximise system availability. However, tackling safety issues by using a conventional static risk assessment approach, including existing tools such as Sistema, would require time-consuming reiterations for every changing condition, which could potentially result in operational downtime.
Machinery safety standards define a set of general physical hazards that are used during type certification. However, current standards, such as ISO 12100 - Safety of machinery - General principles for design - Risk assessment and risk reduction, have not been designed around the concept of machine connectivity and interoperability. While hazards depend on the intended use and other limits of the machine in the physical world, conventional safety concepts do not consider the sources and effects of cyber threats that could create new hazards. Another limit related to hazards is that safety measures are designed to protect only human health using a “worst-case” approach.
Context-sensitive risk management
Given the connective complexity of interacting assets, applying worst-case assumptions can have an extremely negative impact on productivity and efficiency - preventing manufacturers from reaping the benefits.
In practice, when a machine operates in an application-specific context, its limits and applicable hazardous situations may differ significantly from those considered under worst-case and stand-alone scenarios. Additional hazardous situations may also arise from machine-to-machine interaction. They can be related to human health, property and environment, as well as to undesired operational downtime or bottlenecks - the main concern for system owners and operators.
To give an example, an automated guided vehicle (AGV) navigating towards a machine in an operating area with a human presence represents a “collision risk”. This risk may be mitigated by using three safety measures incorporated in AGV design (according to ISO 3691-4 - Industrial trucks — Safety requirements and verification — Part 4: Driverless industrial trucks and their systems):
1. Personnel detection system
2. Speed control system
3. Braking system control.
In current practice, speed limitations due to a human presence are therefore applied even if there are no humans in the actual AGV operating area.
Likewise, in a confined area, with no human presence allowed, an AGV making its final approach to a machine for docking may pose a collision risk between two industrial assets. This unsafe docking event risk may be mitigated by using two safety measures incorporated in AGV design:
1. Speed control system
2. Parking braking system control.
Although there is no risk for humans in a confined area, the measures are necessary to protect industrial assets from expensive damage. The use of a context-sensitive safety approach could achieve the goal of property protection combined with higher system efficiency.
The above scenarios demonstrate the need for adaptive production systems capable of monitoring and recognising hazardous situations during runtime, to ensure that residual risks are handled within current practices. In addition to the limitations of the conventional (I3.0) worst-case approach, system operators should also be aware of real-world situations where safety installations may be either consciously manipulated or inadvertently modified, as these can cause serious accidents.
To meet the new needs of I4.0, an event-triggered approach is required: dynamic risk assessment combined with automated validation of safety measures. This means a continuous and holistic risk assessment to ensure stable operations, increased productivity and reduced downtime in a smart manufacturing environment, and it in turn requires a digital representation of the physical manufacturing system, using digital twins and asset administration shells.
While digital twins and AAS help manufacturers optimise performance and accurately predict business obstacles, manufacturers also face the challenge of navigating a complex new risk landscape. It is therefore vital that the digital twins carry customised safety and security profiles. A safety profile should be modelled to describe asset safety from both a general and an application-specific perspective. These profiles should then be processed by an inference engine against the actual application constraints to define the limits and risk-mitigation capabilities that apply in the real-world application, thereby providing automated risk evaluations at runtime.
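To make the AGV scenarios above and the inference-engine idea concrete, here is an added worked example (not code from the article, from TÜV SÜD or from Plattform Industrie 4.0). It models a small safety profile for an AGV in which each hazard carries the context in which it applies, the measures that mitigate it and a speed limit; an inference step evaluates the profile against the current context reported by the digital twin, and a validation step checks that the real AGV reports the required measures as active, so that a manipulated or inadvertently modified safety installation stops the vehicle rather than going unnoticed. The measure names follow the article's lists; the context fields, the `Hazard`/`Context` structures, and every numeric limit are assumptions for illustration and are not taken from ISO 3691-4.

```python
"""Context-sensitive safety inference for an AGV (illustrative example).

All structure, field names and numeric limits are assumptions; they are not
values from ISO 3691-4 or from any vendor's safety profile.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

NOMINAL_SPEED = 1.5  # m/s, assumed maximum travel speed when no hazard applies

# Measure names as listed in the article for the two AGV scenarios.
PERSONNEL_DETECTION = "personnel detection system"
SPEED_CONTROL = "speed control system"
BRAKING_CONTROL = "braking system control"
PARKING_BRAKE = "parking braking system control"
ALL_MEASURES = frozenset({PERSONNEL_DETECTION, SPEED_CONTROL, BRAKING_CONTROL, PARKING_BRAKE})


@dataclass(frozen=True)
class Context:
    """Application context as reported by the digital twin (assumed fields)."""
    zone: str            # "shared" (humans allowed) or "confined" (no humans allowed)
    human_present: bool  # live reading from the personnel detection system
    phase: str           # "transit" or "docking"


@dataclass(frozen=True)
class Hazard:
    """One entry of the asset's safety profile."""
    name: str
    applies: Callable[[Context], bool]  # context-sensitive applicability rule
    measures: FrozenSet[str]            # measures that must be active when it applies
    speed_limit: float                  # m/s, assumed value


# The safety profile: general hazards with their application-specific conditions.
PROFILE = (
    Hazard("collision with person in operating area",
           lambda c: c.zone == "shared" and c.human_present,
           frozenset({PERSONNEL_DETECTION, SPEED_CONTROL, BRAKING_CONTROL}), 0.3),
    Hazard("unsafe docking against machine",
           lambda c: c.phase == "docking",
           frozenset({SPEED_CONTROL, PARKING_BRAKE}), 0.5),
    # A person may enter a shared zone at any time, so the detection system
    # must stay active there even while nobody is present.
    Hazard("undetected person entering shared zone",
           lambda c: c.zone == "shared",
           frozenset({PERSONNEL_DETECTION}), NOMINAL_SPEED),
)


def assess(ctx: Context, worst_case: bool = False) -> Tuple[FrozenSet[str], float]:
    """Inference step: required measures and tightest speed limit for a context.

    worst_case=True reproduces the conventional stand-alone approach in which
    every hazard is assumed present regardless of context.
    """
    active = [h for h in PROFILE if worst_case or h.applies(ctx)]
    measures = frozenset().union(*(h.measures for h in active))
    limit = min((h.speed_limit for h in active), default=NOMINAL_SPEED)
    return measures, limit


def validate(required: FrozenSet[str], reported_active: FrozenSet[str]) -> FrozenSet[str]:
    """Validation step: required measures the AGV does not report as active."""
    return required - reported_active


def decide(ctx: Context, reported_active: FrozenSet[str], worst_case: bool = False) -> Dict:
    """Runtime decision: run with a speed limit, or stop if a measure is missing."""
    # The 'no human present' reading comes from a safety measure itself; if that
    # measure is not confirmed active, the reading is untrusted and treated as
    # 'human present' (fail-safe).
    if ctx.zone == "shared" and PERSONNEL_DETECTION not in reported_active:
        ctx = Context(ctx.zone, True, ctx.phase)
    required, limit = assess(ctx, worst_case)
    missing = validate(required, reported_active)
    if missing:
        return {"action": "stop", "missing": sorted(missing), "speed_limit": 0.0}
    return {"action": "run", "missing": [], "speed_limit": limit}


if __name__ == "__main__":
    # Constructed scenarios mirroring the article's two AGV cases.
    print(decide(Context("shared", True, "transit"), ALL_MEASURES))
    print(decide(Context("confined", False, "docking"), frozenset({SPEED_CONTROL, PARKING_BRAKE})))
    # Parking brake control disabled on the real vehicle: the twin must not let it dock.
    print(decide(Context("confined", False, "docking"), frozenset({SPEED_CONTROL})))
```

The comparison worth noting is between `assess(ctx)` and `assess(ctx, worst_case=True)` for a shared zone with nobody present: the context-sensitive evaluation keeps only the detection system mandatory and allows nominal speed, whereas the worst-case evaluation demands all four measures and the lowest limit. The second half, `validate` and the fail-safe override in `decide`, is what turns the twin from a performance tool into a safety control: the required measures are only as good as the evidence that they are actually active on the physical asset.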
Paul Taylor is business development director for industrial services at TÜV SÜD