This article from Pilz discusses machinery safety, operational security and ways in which access can be authorised.
In modern automation architectures, the interaction between machinery safety (Safety) and operational security (Security) is increasingly becoming the key to practicable concepts. It is important to consider not only the technical and normative (standards) requirements of safety, but in particular the need to assign information and authorisations carefully – issues that until now have been covered by organisational measures. With a safe operating mode selector switch, manipulation protection and access authorisation can be achieved in terms of overall safety.
The development towards a networked automation landscape means that companies face new security challenges. Industry 4.0 systems can be reconfigured and optimised autonomously - ie by the system itself during operation - which requires safety to be reassessed during runtime. It must also be ensured that no new safety risks arise as a result of residual security vulnerabilities.
There are clear differences in perspective when it comes to the issue of safety: the internationally used terms are Safety for machinery safety and Security for operational security; this helps with the basic differentiation. Safety requires that residual risks that emanate from a plant or machine do not exceed the limit values specified in the standards. This includes hazards to the machine surroundings (eg environmental damage) as well as hazards inside the plant (eg persons inside the plant). Security is concerned with protecting a plant or machine from unauthorised access from outside, as well as protecting sensitive data from corruption, loss and unauthorised access internally. This includes explicit attacks as well as unintended security incidents.
When developing systems it is also important to consider the needs of the user from the very start, in terms of handling and user-friendliness during operation, for instance. If not, manipulation of safety measures will be almost inevitable.
Holistic safety concepts require the interaction of safety and security, but that is not all. In terms of the safety aspect, it is important to check the extent to which security issues influence functional safety. This is the case if access or authorisation systems can be defeated or copied using simple means, or are accessible to everyone when a master password is written on a note stuck to a screen, for example. Key issues here include clear, safe proof of identity for products, processes and machines as well as for authorised persons, including safe information exchange across the whole production process.
Consider safety from the start
In the internal European market, machine manufacturers are obliged to supply only safe products to their customers. All relevant hazards must be identified, based on the intended use – taking into consideration all the lifecycle phases once the machine is first made available on the market. All the various groups who come into contact with the machine, such as operating, cleaning or maintenance staff, for example, are also considered. The risk is estimated and evaluated for each hazard. Risk-reducing measures are established in accordance with the state of the art and in compliance with the harmonised standards.
Ultimately, an intelligent safety concept must provide the greatest possible leeway and freedom as well as the highest possible level of safety. Access points to the machine or process are of vital importance; these must be protected against unauthorised opening and must guarantee beyond doubt that nobody is inside the hazard zone when the machine is started.
No danger to people
To ensure that deliberate or accidental opening of access doors cannot cause a hazard, they are protected in classic safety style with a safety gate system. This combines safety gate monitoring with safe guard locking inside one system and also provides safety functions such as emergency stop, escape release and a mechanical restart interlock. This means that anyone who is locked in accidentally can leave the danger zone quickly and easily in the case of danger. It will not then be possible to restart the plant until it is established beyond doubt via the integrated safety and reset functions that there is nobody else in the danger zone. With a safety gate system such as the PSENsgate from Pilz, human protection is guaranteed, in terms of safety. However, the matter of process protection in terms of operational security is still open.
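The interplay of guard locking, escape release, emergency stop and restart interlock described above can be made concrete as a small state model. The following is an added example, not Pilz code and not the logic of PSENsgate: the state names, the rule that a reset is only accepted with the door closed and locked, and the event sequence in demo_sequence() are assumptions made for illustration. The point it shows is that closing the door again never restarts the machine by itself; a deliberate reset from outside the zone is always required.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class SafetyGate:
    """Constructed model of a safety gate with guard locking, escape release,
    emergency stop and a restart interlock (assumed states and rules; not
    Pilz code)."""
    door_closed: bool = True
    guard_locked: bool = False
    running: bool = False
    reset_required: bool = True          # restart interlock is armed at power-up
    events: List[str] = field(default_factory=list)

    def _log(self, msg: str) -> None:
        self.events.append(msg)

    def lock_guard(self) -> bool:
        """Guard locking can only engage on a closed door."""
        if not self.door_closed:
            self._log("lock refused: door open")
            return False
        self.guard_locked = True
        self._log("guard locked")
        return True

    def request_unlock(self) -> bool:
        """Access request from outside: unlock only while the machine is stopped."""
        if self.running:
            self._log("unlock refused: machine running")
            return False
        self.guard_locked = False
        self._log("guard unlocked on request")
        return True

    def escape_release(self) -> None:
        """Escape release from inside the zone: always stops and unlocks,
        whatever the control system is doing."""
        self.running = False
        self.guard_locked = False
        self.reset_required = True
        self._log("escape release: stopped, unlocked, interlock armed")

    def open_door(self) -> bool:
        if self.guard_locked:
            self._log("door open refused: guard locked")
            return False
        self.door_closed = False
        self.running = False
        self.reset_required = True       # any opening arms the restart interlock
        self._log("door opened: stopped, interlock armed")
        return True

    def close_door(self) -> None:
        self.door_closed = True
        self._log("door closed (no automatic restart)")

    def emergency_stop(self) -> None:
        self.running = False
        self.reset_required = True
        self._log("emergency stop")

    def reset(self) -> bool:
        """Reset from outside the zone acknowledges that the danger zone has
        been checked; only accepted with the door closed and locked."""
        if not (self.door_closed and self.guard_locked):
            self._log("reset refused: door not closed and locked")
            return False
        self.reset_required = False
        self._log("reset accepted")
        return True

    def start(self) -> bool:
        if not (self.door_closed and self.guard_locked) or self.reset_required:
            self._log("start refused: door/lock state or pending reset")
            return False
        self.running = True
        self._log("started")
        return True


def demo_sequence() -> SafetyGate:
    """Constructed sequence: an operator enters the zone after an emergency
    stop and closes the door behind them; the machine must stay stopped."""
    g = SafetyGate()
    g.lock_guard(); g.reset(); g.start()
    g.emergency_stop()
    g.request_unlock(); g.open_door()        # enter the zone
    g.close_door()                           # restart interlock still armed
    return g
```

The events list doubles as a simple audit trail of refused and accepted transitions, which is useful when a refused start has to be explained to an operator.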
No danger to processes
In practice, protection against unauthorised access can be achieved via a safe operating mode selector switch. It fulfils two functions: it selects the operating mode and controls authorisation for machine access. Operating mode selector switches such as the PITmode from Pilz enable switching between defined operating modes. The operating mode is selected by inserting a transponder key with the relevant authorisation and pressing the pushbutton defined for the relevant operating mode. Each key is individually coded to enable unique user authentication, which prevents manipulation. As the unique key can be used on several machines and can have different authorisations stored on it, several mechanical keys can be combined within one transponder key. This, in turn, reduces administrative work.
Clearly defined responsibilities
Using the coded key, each operator is given access to the machine functions or machine operating modes allocated to him or her. Individual (access) authorisations can be assigned for each operator via the RFID-based keys. These can be assigned via identification management in the machine control system.
Thanks to operating mode selector switches like PITmode, authorised personnel are able to operate and control the plant in various operating modes. Operators are given the permissions that match their individual abilities and qualifications, providing a high degree of protection against unintended actions and manipulations, as well as security of information.
On delicate or sensitive machinery, all operator actions need to be logged. Here, too, the system can provide support, as all operator actions are reported to the control system anyway. The authentication system can be used to assign the actions clearly to an operator. As a result, any changes during the machine operation can be documented, thereby increasing traceability. Should anyone change a machine parameter during operation, this step will be documented. If errors then occur, the reasons can be identified more quickly.
Through self-monitoring, the PITmode device switches the machine safely from one operating mode to the other. Five selectable operating modes are possible: automatic mode, setup mode, manual intervention under limited conditions, special mode or process monitoring, and service mode. Thanks to the LED display, the currently selected operating mode can be clearly identified, as can the key's authorisation level. The operating mode selector switch can be used for applications up to PL d of EN ISO 13849-1 or SIL CL 2 of EN 62061.
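The authorisation model sketched in the preceding paragraphs (one individually coded key per operator, per-machine authorisations stored on the key, a mode change that needs both the key and the pushbutton, and every action attributed to the key holder in the control system's log) can be written out as a small model. This is an added example, not Pilz code and not the PITmode firmware or API: the Mode enum only reuses the five mode names given in the article, and the key ids, machine ids, the dictionary representation of per-machine authorisations, the audit record layout and the rule that a parameter change without an inserted key is refused are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Mode(Enum):
    """The five operating modes named in the article."""
    AUTOMATIC = "automatic"
    SETUP = "setup"
    MANUAL_LIMITED = "manual intervention under limited conditions"
    SPECIAL = "special mode / process monitoring"
    SERVICE = "service"


@dataclass(frozen=True)
class TransponderKey:
    """One individually coded key. `authorisations` maps a machine id to the
    modes the holder may select on that machine (assumed representation of
    'different authorisations stored on the key')."""
    key_id: str
    holder: str
    authorisations: Dict[str, FrozenSet[Mode]]


@dataclass
class ModeSelector:
    """Constructed model of a safe operating mode selector (not Pilz code):
    the mode changes only when an inserted key authorises the target mode
    and the pushbutton for that mode is pressed; every action is attributed
    to the key holder in an audit log."""
    machine_id: str
    current: Mode = Mode.AUTOMATIC
    inserted: Optional[TransponderKey] = None
    audit_log: List[dict] = field(default_factory=list)

    def _record(self, action: str, ok: bool, **details) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "machine": self.machine_id,
            "key": self.inserted.key_id if self.inserted else None,
            "operator": self.inserted.holder if self.inserted else None,
            "action": action, "ok": ok, **details})

    def insert_key(self, key: TransponderKey) -> None:
        self.inserted = key
        self._record("key inserted", True)

    def remove_key(self) -> None:
        self._record("key removed", True)
        self.inserted = None

    def key_level(self) -> FrozenSet[Mode]:
        """Authorisation of the inserted key on this machine (what the LED
        display would indicate); empty if no key or no rights here."""
        if self.inserted is None:
            return frozenset()
        return self.inserted.authorisations.get(self.machine_id, frozenset())

    def press(self, target: Mode) -> bool:
        """Pushbutton for `target` pressed: refused unless the key allows it."""
        if target not in self.key_level():
            self._record("mode change", False, wanted=target.value,
                         current=self.current.value)
            return False
        previous, self.current = self.current, target
        self._record("mode change", True, previous=previous.value,
                     current=target.value)
        return True

    def set_parameter(self, name: str, value: float) -> bool:
        """A parameter change is accepted only if it can be attributed to a
        key holder (assumed rule)."""
        if self.inserted is None:
            self._record("parameter change", False, parameter=name)
            return False
        self._record("parameter change", True, parameter=name, value=value,
                     mode=self.current.value)
        return True


def changes_by(selector: ModeSelector, holder: str) -> List[dict]:
    """Traceability query: every accepted change attributed to one operator."""
    return [e for e in selector.audit_log
            if e["operator"] == holder and e["ok"]
            and e["action"] in ("mode change", "parameter change")]
```

Refused attempts are logged as well as accepted ones; a run of refused mode changes on one machine is exactly the kind of signal a plant operator would want to review when looking for manipulation attempts.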
With the definition of safe operating modes it is possible to harmonise the requirements of operator safety, process security and availability. After all, issues such as manipulation protection, demarcation of areas of responsibility/jurisdictions and clear proof of identity for machines and operators must be safely regulated before a process can be deemed 'safe to operate.'