In today’s Industry 4.0 (I4.0) domain, a digital twin operates in parallel to the real-world factory: thousands of sensors continuously collect and process data, either locally or at a larger scale, and feed real-time data from a product or asset into a virtual representation of that physical object. Because the object can be virtually monitored 24/7, this enhances situational awareness. For example, the digital twin can monitor and model simultaneously, predicting changes in a system’s dynamics from real-time sensor data. Alternatively, it can model future scenarios, such as a system failure, or simply predict maintenance requirements.
There are a number of benefits of the digital twin approach. One benefit is constant monitoring, which determines if a machine is about to fail, so any potential issue can be mitigated without interrupting function. This can be modelled on the digital twin in real-time to assess the size of a problem.
Another benefit is data monitoring and analysis, which makes iterative improvements to operations, increases efficiency and reduces costs in real-time. For example, a programmed robot that is operated in a specific sequence could be constantly modelled in parallel to reduce cycle times.
Finally, an additional benefit is the ability to plan, probably one of the greatest uses of the digital twin.
It is therefore vital that the digital twins have customised safety and security profiles. A safety profile should be modelled to describe asset safety from a general and an application-specific perspective. These profiles should then be processed by an inference engine against actual application constraints to define limits and risk-mitigation capabilities in a real-world application, thereby providing automated risk evaluations at runtime.
ASSET MANAGEMENT
Asset administration shell (AAS) is a term coined by ‘Plattform Industrie 4.0’ in Germany. Every I4.0 asset is allocated an AAS, which exchanges asset-related data between assets and production orchestration systems or engineering tools. As the AAS contains all of the information and functionalities of an asset, it acts as a link between I4.0 objects, allowing for the use of many different communication channels and applications.
The AAS can be used for:
1. Non-intelligent and intelligent products
2. Covering the complete lifecycle of products, devices, machines and facilities
3. Allowing for integrated value chains
4. Serving as the digital basis for the development of autonomous systems and AI
While I4.0 and skill-based production introduce new opportunities for increased productivity and radical innovation, the implementation of new technologies must also maintain the overall trustworthiness of production lines. Trustworthiness requirements are valid for every type of manufacturing facility, but the extent of the requirements increases with the I4.0 maturity level of the system. Specifically, safety and reliability are prerequisites for all manufacturing systems, irrespective of their maturity level. However, if the system is upgraded to include connectivity, to assure its overall trustworthiness the aspects of security and privacy must also be considered.
For systems that incorporate adaptive and smart features, resilience becomes vital and is added to the list of trustworthiness requirements. Trustworthiness within the collaborative infrastructure along the value chain is a prerequisite for stable operations.
RISK REDUCTION
While I4.0 sees reduced risk in several areas, the range and flexibility of connected interfaces introduce a new set of risk issues. As production facilities become more complex, operators must manage a rapidly evolving system that incorporates multiple interdependencies, while minimising downtime. It is therefore vital to consider the shifting landscape of risk, which is why I4.0 requires a new risk management approach that is customised to each actual use case.
As the increased flexibility created by I4.0 systems introduces new complexities and challenges, there is a shift from static risk assessment to one of dynamic risk assessment. Analysing and assessing the underlying physical and cyber risks to humans, property and the environment is therefore a challenging task.
Addressing safety and security is not just a legal obligation for system designers, integrators, system owners and operators, it also directly impacts their ultimate I4.0 mission to minimise downtime and maximise system availability. However, tackling safety issues by using a conventional static risk assessment approach would require time-consuming reiterations for every changing condition, which could potentially result in operational downtime.
Machinery safety standards define a set of general physical hazards that are used during type certification. However, current standards (such as ISO 12100 - Safety of machinery - General principles for design - Risk assessment and risk reduction) have not been designed around the concept of machine connectivity and interoperability. While hazards depend on the intended use and other limits of the machine in the physical world, conventional safety concepts do not consider the sources and effects of cyber threats that could create new hazards. A further limitation is that safety measures are designed to protect only human health, using a “worst-case” approach. Figure 1 highlights the differences between I3.0 and I4.0 regarding risk assessment.
RISK MANAGEMENT IN CONTEXT
In practice, when a machine operates in an application-specific context, its limits and applicable hazardous situations may differ from those considered under worst-case and stand-alone scenarios. Additional hazardous situations may also arise from machine-to-machine interaction. They can be related to human health, property and environment, as well as to undesired operational downtime or bottlenecks.
To give an example, an automated guided vehicle (AGV) navigating towards a machine in an operating area with a human presence represents a “collision risk”. This risk may be mitigated by using three safety measures incorporated in AGV design (according to ISO 3691-4 - Industrial trucks – Safety requirements and verification – Part 4: Driverless industrial trucks and their systems):
1. Personnel detection system
2. Speed control system
3. Braking system control
Under current practice, the speed limitations that account for a human presence are therefore applied even if there are no humans in the actual AGV operating area.
Likewise, in a confined area, with no human presence allowed, an AGV that is making its final approach to a machine for docking may pose a collision risk between two industrial assets.
This unsafe docking event risk may be mitigated by using two safety measures incorporated into the AGV design: speed control system and parking braking system control. Although there is no risk for humans in a confined area, the measures are necessary to protect industrial assets from expensive damage. The use of a context-sensitive safety approach could achieve the goal of property protection combined with higher system efficiency.
A third scenario example looks at process optimisation, where operational downtime and bottlenecks may not pose a risk to humans, property or the environment, but can affect system performance. AGVs with different maximum rated speeds navigating in line, one after the other, are limited by the maximum speed of the first in line. If the lane width and the clearance distances from adjacent obstacles are deemed safe (i.e. no human can step into the AGV’s path without being detected), the system can switch to parallel navigation. Such context-sensitive safety can enable higher speeds, improve navigation flexibility and increase efficiency.
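The three AGV scenarios above, together with the safety-profile inference engine described earlier, can be expressed as a small rule set. The following is an added example written for this article, not code from the article or from any AGV vendor: it contrasts a static worst-case policy (the conventional I3.0 approach) with a context-sensitive evaluator that takes the runtime context a digital twin would supply (zone type, detected human presence, docking state, lane width, clearance, rated speeds) and returns the speed limits, navigation mode and safety measures to apply. All numeric limits, zone names and measure names are constructed assumptions for illustration, not values from ISO 3691-4. The evaluator also falls back to worst-case limits whenever the context cannot be trusted, which is the practitioner's safeguard against the manipulated or stale safety inputs that the article warns about.

```python
"""Context-sensitive safety evaluation for the AGV scenarios (added example).

Every numeric limit below is a constructed assumption for illustration only,
not a value taken from ISO 3691-4 or from the article.
"""
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    SHARED = "shared"        # humans permitted in the operating area
    CONFINED = "confined"    # no human presence allowed


@dataclass(frozen=True)
class Context:
    """Runtime context as a digital twin would hand it to the inference engine."""
    zone: Zone
    humans_detected: bool
    docking: bool                 # AGV on final approach to a machine
    lane_width_m: float
    clearance_m: float            # distance to adjacent obstacles
    rated_speeds_mps: tuple       # max rated speed of each AGV in the line
    context_trusted: bool = True  # sensor data fresh and not tampered with


@dataclass(frozen=True)
class Decision:
    speed_limits_mps: tuple       # one limit per AGV, same order as rated_speeds_mps
    navigation: str               # "in-line" or "parallel"
    measures: tuple               # safety measures that must be active
    rationale: str


# Constructed limits (assumptions, not from any standard)
HUMAN_PRESENCE_SPEED = 0.3      # cap applied whenever a human may be in the path
DOCKING_SPEED = 0.1             # cap during final approach to protect assets
MIN_PARALLEL_LANE_WIDTH = 3.0   # lane width needed for parallel navigation
MIN_PARALLEL_CLEARANCE = 0.5    # clearance needed for parallel navigation

ALL_MEASURES = ("personnel detection", "speed control", "braking control")
ASSET_MEASURES = ("speed control", "parking brake control")


def static_worst_case(ctx: Context) -> Decision:
    """Conventional approach: assume humans may be present, convoy behind the slowest AGV."""
    limit = min(min(ctx.rated_speeds_mps), HUMAN_PRESENCE_SPEED)
    return Decision(tuple(limit for _ in ctx.rated_speeds_mps), "in-line", ALL_MEASURES,
                    "worst-case: human presence assumed, slowest AGV leads")


def context_sensitive(ctx: Context) -> Decision:
    """Adaptive approach: evaluate the actual context, fall back to worst case when in doubt."""
    # Fail-safe default: an untrusted or stale context never relaxes a limit.
    if not ctx.context_trusted:
        base = static_worst_case(ctx)
        return Decision(base.speed_limits_mps, base.navigation, base.measures,
                        "context untrusted: worst-case fallback")

    # Scenario 1: humans actually present in a shared area -> conventional limits apply.
    if ctx.zone is Zone.SHARED and ctx.humans_detected:
        return static_worst_case(ctx)

    # Personnel detection stays active wherever humans are permitted at all.
    detection = ("personnel detection",) if ctx.zone is Zone.SHARED else ()

    # Scenario 2: docking -> protect the assets with reduced speed and parking brake.
    if ctx.docking:
        limits = tuple(min(v, DOCKING_SPEED) for v in ctx.rated_speeds_mps)
        return Decision(limits, "in-line", detection + ASSET_MEASURES,
                        "docking: asset collision risk, reduced speed and parking brake")

    measures = detection + ("speed control", "braking control")

    # Scenario 3: wide, clear lane -> parallel navigation at each AGV's own rated speed.
    if ctx.lane_width_m >= MIN_PARALLEL_LANE_WIDTH and ctx.clearance_m >= MIN_PARALLEL_CLEARANCE:
        return Decision(tuple(ctx.rated_speeds_mps), "parallel", measures,
                        "lane clear: parallel navigation at rated speeds")

    # Otherwise convoy behind the slowest AGV, but without the human-presence cap.
    slowest = min(ctx.rated_speeds_mps)
    return Decision(tuple(slowest for _ in ctx.rated_speeds_mps), "in-line", measures,
                    "narrow lane: in-line navigation limited by slowest AGV")


if __name__ == "__main__":
    # Constructed sample contexts, one per scenario in the text.
    samples = {
        "shared area, humans present": Context(Zone.SHARED, True, False, 4.0, 1.0, (1.0, 2.0)),
        "confined area, docking": Context(Zone.CONFINED, False, True, 2.0, 0.2, (1.0, 2.0)),
        "confined area, wide lane": Context(Zone.CONFINED, False, False, 4.0, 1.0, (1.0, 2.0)),
    }
    for name, ctx in samples.items():
        print(name, "| static:", static_worst_case(ctx).speed_limits_mps,
              "| adaptive:", context_sensitive(ctx))
```

The design point is that every relaxation of a limit is tied to a positive, trusted observation (no humans detected, lane clear), while any absence of trustworthy context collapses to the same result the static approach would give. That keeps the adaptive evaluator no less conservative than the conventional one in the cases where it cannot justify being more efficient.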
These scenarios demonstrate the need for adaptive production systems capable of monitoring and recognising hazardous situations during runtime, to ensure that residual risks are handled within current practices. In addition to the limitations of the conventional (I3.0) worst-case approach, system operators should also be aware of real-world situations where safety installations may be either consciously manipulated or inadvertently modified, as these can cause serious accidents.
ADAPTIVE SAFETY
To meet the new needs of I4.0, a new approach is therefore required: event-triggered dynamic risk assessment combined with automated validation of safety measures. This assessment would assist system designers and operators in navigating complex risk landscapes, in both virtual simulations and real-world applications. It would require a continuous and holistic risk assessment to ensure stable operations, increased productivity and reduced downtime in a smart manufacturing environment, which in turn necessitates a digital representation of the physical manufacturing system, using digital twins and asset administration shells.
These so-called cyber-physical systems combine the strengths of the physical and virtual worlds and have the potential to significantly enhance industrial performance as the systems can be modelled using the digital twin in multiple ways.
While digital twins and AAS help manufacturers optimise performance and accurately predict business obstacles, manufacturers are also faced with the challenge of navigating a complex new risk landscape. Effective safety and security are key challenges, since they build trust with asset owners and operators, but it is becoming increasingly impractical to apply existing risk assessment criteria to a dynamic I4.0 operating environment that is characterised by multiple interactions and data flows.
By combining the strengths of the physical and virtual worlds, cyber-physical systems have the potential to significantly enhance industry performance, facilitate new products and spark innovative business models, as the real systems can be modelled using digital twins in multiple ways. However, machinery manufacturers and end users face a major shift in work methodology, which requires a new risk management approach.