Authorisation concepts in machine automation
15 Sept 2015
In modern automation architectures, the interaction between machinery safety (Safety) and operational security (Security) is increasingly becoming the key to practicable concepts. It is important to consider not only the technical and normative requirements of safety, but in particular the need to assign information and authorisations carefully – issues that until now have been covered by organisational measures. With a safe operating mode selector switch, manipulation protection and access authorisations can be achieved in terms of overall safety.
The development towards a networked automation landscape means that companies face new security challenges. Industry 4.0 systems can be reconfigured and optimised autonomously – i.e. by the system itself during operation, which requires safety to be re-assessed during runtime. It must also be ensured that no new safety risks arise as a result of residual security vulnerabilities.
Holistic approach increasingly important
There are clear differences in perspective when it comes to the issue of safety: the internationally used terms are "Safety" for machinery safety and "Security" for operational security; this helps with the basic differentiation. Safety requires that residual risks that emanate from a plant or machine do not exceed the limit values specified in the standards. This includes hazards to the machine surroundings (e.g. environmental damage) as well as hazards inside the plant (e.g. persons inside the plant). Security is concerned with protecting a plant or machine from unauthorised access from outside, as well as protecting sensitive data from corruption, loss and unauthorised access internally. This includes explicit attacks as well as unintended security incidents.
When developing solutions it is also important to consider the needs of the user from the very start, in terms of handling and user friendliness during operation, for instance. If not, manipulation of safety measures will literally be programmed in.
Holistic safety concepts require the interaction of safety & security, but that's not all. In terms of the safety aspect, it's important to check the extent to which security issues influence functional safety. This is the case if access or authorisation systems can be defeated or copied using simple means, or are accessible to everyone when a master password is written on a note stuck to a screen, for example. Key issues here include clear, safe proof of identity for products, processes and machines as well as for authorised persons, including safe information exchange across the whole production process.
Safety must be considered from the start
In the internal European market, machine manufacturers are obliged to supply only safe products to their customers. All relevant hazards must be identified, based on the intended use – taking into consideration all the lifecycle phases once the machine is first made available on the market. All the various groups who come into contact with the machine, such as operating, cleaning or maintenance staff for example, are also considered. The risk is estimated and evaluated for each hazard. Risk-reducing measures are established in accordance with the state of the art and in compliance with the harmonised standards.
Ultimately, an intelligent safety concept must provide the greatest possible leeway and freedom as well as the highest possible level of safety. Access points to the machine or process are of vital importance. These must be protected against unauthorised opening and must guarantee beyond doubt that nobody is inside the hazard zone when the machine is started.
No danger to people …
To ensure that deliberate or accidental opening of access doors cannot cause a hazard, they are protected in classic safety style with a safety gate system. This combines safety gate monitoring with safe guard locking inside one system and also provides safety functions such as emergency stop, escape release and a mechanical restart interlock. This means that anyone who is locked in accidentally can leave the danger zone quickly and easily in the case of danger. It will not then be possible to restart the plant until it is established beyond doubt via the integrated safety and reset functions that there is nobody else in the danger zone. With a safety gate system such as the PSENsgate from Pilz, human protection is guaranteed, in terms of safety. However, the matter of process protection in terms of operational security is still open.
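The interlock logic described above can be made concrete with a small state model. The following is an added example written for this article, not Pilz code and not a description of how PSENsgate is implemented: the class and method names are invented, and the rules are only those the text states (guard locking prevents opening from outside while running, the escape release always works from inside, and a restart stays blocked until a reset acknowledges that the door is closed and locked). The model cannot verify that the zone is actually empty; that check remains the purpose of the reset function and the position of its pushbutton.

```python
# Added example (not Pilz code): a minimal model of the safety gate behaviour
# described in the text. Names are invented; the rules follow the article.
from typing import List


class SafetyGate:
    """State of one guarded access door and the run enable it controls."""

    def __init__(self) -> None:
        self.gate_closed = True       # position monitoring of the door
        self.guard_locked = False     # guard locking engaged: door cannot be opened from outside
        self.run_enable = False       # enable signal to the machine control
        self.reset_required = True    # restart interlock: a reset is needed after every stop
        self.log: List[str] = []

    def _stop(self, reason: str) -> None:
        """Drop the run enable and arm the restart interlock."""
        self.run_enable = False
        self.reset_required = True
        self.log.append(f"STOP: {reason}")

    def lock_guard(self) -> bool:
        """Engage guard locking; only possible with the door closed."""
        if not self.gate_closed:
            self.log.append("lock refused: gate open")
            return False
        self.guard_locked = True
        return True

    def open_gate(self) -> bool:
        """Attempt to open the door from outside."""
        if self.guard_locked:
            self.log.append("open refused: guard locking engaged")
            return False
        self.gate_closed = False
        self._stop("gate opened")
        return True

    def close_gate(self) -> None:
        self.gate_closed = True
        self.log.append("gate closed, restart still interlocked")

    def request_unlock(self) -> None:
        """Controlled unlock from outside: stop first, then release the lock."""
        self._stop("unlock requested")
        self.guard_locked = False

    def escape_release(self) -> None:
        """Actuated from inside the zone: always works, even with guard locking engaged."""
        self._stop("escape release actuated")
        self.guard_locked = False

    def emergency_stop(self) -> None:
        self._stop("emergency stop")

    def reset(self) -> bool:
        """Reset pushbutton (assumed mounted outside the zone with a view into it).

        Only enforces that the door is closed and locked; whether the zone is
        empty is what the person pressing the reset is confirming."""
        if not (self.gate_closed and self.guard_locked):
            self.log.append("reset refused: gate not closed and locked")
            return False
        self.reset_required = False
        self.log.append("reset acknowledged")
        return True

    def start(self) -> bool:
        """Machine start request; refused while the restart interlock is active."""
        if self.reset_required or not (self.gate_closed and self.guard_locked):
            self.log.append("start refused: restart interlock active")
            return False
        self.run_enable = True
        self.log.append("plant started")
        return True


def scenario() -> List[str]:
    """One access cycle: run, unlock, enter, close, reset, restart, escape."""
    g = SafetyGate()
    g.lock_guard(); g.reset(); g.start()   # normal start-up
    g.open_gate()                           # refused: locked while running
    g.request_unlock(); g.open_gate()       # controlled access: stop, unlock, enter
    g.close_gate(); g.start()               # closing the door alone does not restart
    g.lock_guard(); g.start()               # locking alone does not either
    g.reset(); g.start()                    # only the reset clears the interlock
    g.escape_release()                      # someone inside can always get out
    return g.log


if __name__ == "__main__":
    print("\n".join(scenario()))
```

Running the scenario prints the event log; the two refused start attempts after the door is closed are the restart interlock at work, and the final escape release shows that guard locking never traps a person inside.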
… or process
In practice, protection against unauthorised access can be achieved via a safe operating mode selector switch. It fulfils two functions: it selects the operating mode and controls authorisation for machine access.
Operating mode selector switches such as PITmode from Pilz allow you to switch between defined operating modes. The operating mode is selected by inserting a transponder key with the relevant authorisation and pressing the pushbutton defined for the relevant operating mode. Each key is individually coded to enable unique user authentication, which prevents manipulation. As the unique key can be used on several machines and can have different authorisations stored on it, several mechanical keys can be combined within one transponder key. This in turn reduces administrative work.
Clearly defined responsibilities
Using the coded key, each operator is given access to the machine functions or machine operating modes allocated to him. Individual (access) authorisations can be assigned for each operator via the RFID-based keys. These can be assigned via identification management in the machine control system.
Thanks to operating mode selector switches like PITmode, authorised personnel are able to operate and control the plant in various operating modes. Operators are given the machine enables that match their individual abilities and qualifications, providing a high degree of protection against unintended actions and manipulations, as well as security of information.
On delicate or sensitive machinery, all operator actions need to be logged. Here too the system can provide support, as all operator actions are reported to the control system anyway. The authentication system can be used to assign the actions clearly to an operator. As a result, any changes during the machine operation can be documented, increasing traceability. Should anyone change a machine parameter during operation, this step will be documented. If errors then occur, the reasons can be identified more quickly.
Through self-monitoring, PITmode switches safely from one operating mode to the other. Five selectable operating modes are possible: automatic mode, setup mode, manual intervention under limited conditions, special mode / process monitoring and service mode. Thanks to the LED display, the currently selected operating mode can be clearly identified, as can the key's authorisation level. The operating mode selector switch can be used for applications up to PL d of EN ISO 13849-1 or SIL CL 2 of EN 62061.
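To show how the pieces described in the last few paragraphs fit together (individually coded keys carrying per-machine authorisations, mode selection by key plus pushbutton, and every operator action reported to the control system and attributed to a person), here is an added example written for this article. It is not Pilz code and does not describe how PITmode or its identification management are implemented: the class names, the authorisation data structure, the revocation list and the audit record layout are all assumptions for illustration; only the five operating modes are taken from the text.

```python
# Added example (not Pilz code): a model of the authorisation concept described
# in the text. Names, data structures and the revocation mechanism are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Mode(Enum):
    """The five operating modes named in the article."""
    AUTOMATIC = "automatic"
    SETUP = "setup"
    MANUAL_INTERVENTION = "manual intervention under limited conditions"
    PROCESS_MONITORING = "special mode / process monitoring"
    SERVICE = "service"


@dataclass
class TransponderKey:
    key_id: str                              # unique code of the key
    operator: str                            # person the key is assigned to
    authorisations: Dict[str, Set[Mode]]     # machine_id -> modes this key may select there


@dataclass
class ModeSelector:
    machine_id: str
    current_mode: Mode = Mode.AUTOMATIC
    inserted_key: Optional[TransponderKey] = None
    revoked_keys: Set[str] = field(default_factory=set)   # assumed: maintained by identification management
    audit_log: List[dict] = field(default_factory=list)   # what is reported to the control system

    def _record(self, event: str, result: str, key: Optional[TransponderKey] = None, **details) -> None:
        """Append one attributed audit entry (key defaults to the inserted one)."""
        key = key or self.inserted_key
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "machine": self.machine_id,
            "key_id": key.key_id if key else None,
            "operator": key.operator if key else None,
            "event": event,
            "result": result,
            **details,
        })

    def insert_key(self, key: TransponderKey) -> bool:
        if key.key_id in self.revoked_keys:
            self._record("key_insert", "denied", key=key, reason="key revoked")
            return False
        self.inserted_key = key
        self._record("key_insert", "ok")
        return True

    def remove_key(self) -> None:
        self._record("key_remove", "ok")
        self.inserted_key = None

    def select_mode(self, requested: Mode) -> bool:
        """Pushbutton for `requested` pressed: granted only with an authorised key inserted."""
        key = self.inserted_key
        if key is None:
            self._record("mode_select", "denied", mode=requested.value, reason="no key inserted")
            return False
        if requested not in key.authorisations.get(self.machine_id, set()):
            self._record("mode_select", "denied", mode=requested.value, reason="not authorised")
            return False
        self.current_mode = requested
        self._record("mode_select", "ok", mode=requested.value)
        return True

    def change_parameter(self, name: str, value) -> bool:
        """A parameter change during operation, documented against the operator."""
        if self.inserted_key is None:
            self._record("parameter_change", "denied", parameter=name, reason="no key inserted")
            return False
        self._record("parameter_change", "ok", parameter=name, value=value,
                     mode=self.current_mode.value)
        return True

    def actions_by(self, operator: str) -> List[dict]:
        """Traceability: everything a given operator did on this machine."""
        return [e for e in self.audit_log if e["operator"] == operator]


def demo() -> List[dict]:
    """Constructed scenario: an operator key and a service key on one press."""
    operator_key = TransponderKey("K-0001", "A. Operator",
                                  {"press-1": {Mode.AUTOMATIC, Mode.SETUP}})
    service_key = TransponderKey("K-0002", "S. Service",
                                 {"press-1": set(Mode), "press-2": {Mode.SERVICE}})
    sel = ModeSelector("press-1")
    sel.select_mode(Mode.SETUP)                 # denied: no key inserted
    sel.insert_key(operator_key)
    sel.select_mode(Mode.SETUP)                 # ok
    sel.select_mode(Mode.SERVICE)               # denied: not authorised for this key
    sel.change_parameter("feed_rate", 120)      # documented against A. Operator
    sel.remove_key()
    sel.insert_key(service_key)
    sel.select_mode(Mode.SERVICE)               # ok
    return sel.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two points the model makes visible: the same key carries different authorisations on different machines (the service key may select every mode on press-1 but only service mode on press-2), and a denied mode selection is logged with the operator's identity just as a granted one is, so a later error investigation can see who attempted what.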
With the definition of safe operating modes it is possible to harmonise the requirements of operator safety, process security and availability. After all, issues such as manipulation protection, demarcation of areas of responsibility/jurisdictions and clear proof of identity for machines and operators must be safely regulated before a process can be deemed "safe to operate".