The aim of Industry 4.0 is to increase the flexibility and effectiveness of production processes in order to meet different customer requirements in a more targeted manner. The production process is to be controlled in line with demand, which for certain products means moving away from strictly timed assembly line production towards individual or group production of individual products. However, people are still indispensable in the production process. For this reason, protection against damage caused by systems and processes that are hazardous to them will continue to be a high priority in the future.

One area that will be massively impacted by the changes associated with Industry 4.0 is the communications infrastructure. In general, the number of objects capable of communicating will increase significantly and with it the number of messages to be transmitted - especially between mobile objects. If, for example, products have to be moved from one processing station to the next, coordination between driverless transport systems, cranes, robots or processing stations is conceivable. These can enter into temporary cooperation, which in turn requires a communication infrastructure that can be adapted to the respective situation but still requires monitoring of functions in terms of functional safety.

Relationships between safety and communication technology standards in production engineering in accordance with DIN EN 61784-3

© Ifak

Furthermore, mobile and moving objects require a flexible production design as well as wireless data transmission, usually based on radio communication. When moving over a large area, for example, a product carrier will require communication with various communication partners. This may also be a temporary application with functional safety requirements, such as at a processing station. Another scenario would be to operate several cranes or transport systems synchronously with one control system as required. However, all of this inevitably requires network transitions, which introduce additional sources of error into the communication path due to runtimes, buffer behavior and implementation properties.

In view of the fact that networking in the automation environment in the age of IIoT will increasingly take place on the basis of current or upcoming mobile communications standards such as 5G, the question arises: to what extent can these standards actually meet the requirements in industry? In terms of performance parameters, the prospects for 5G - the '5th Generation Mobile Networks' or '5th Generation Wireless Systems' - are extremely promising:

• 100 times higher data rates than today's LTE networks (i.e. up to 10,000 MBit/s),
• around 1000 times higher capacity (device density),
• 100 billion mobile devices worldwide can be addressed simultaneously,
• extremely low latency times (ping/round-trip delay times of less than 1 msec),
• 1/1000 energy consumption per transmitted bit compared to today's end devices
• and 90 % lower power consumption per mobile service.

The first international research projects on 5G basic technologies and concepts have been completed. In addition, standardization has already begun in parallel with a second research initiative.

uMTC addresses the industry

The aforementioned key performance indicators alone are certainly not a reason to pursue 5G in the context of industrial communication - especially since industrial users have had reservations about economic and technical dependency on mobile communications providers that cannot be ignored. However, it is worth noting that for the first time, 5G is focusing on numerous areas of application - so-called 'verticals' - that go beyond the traditional application areas of telecommunications technology.

One of these application areas, for example, is referred to as ultra-reliable machine-type communications - uMTC for short - and addresses industrial communication, particularly in the production process of machinery and equipment, where functional safety plays an important role. It should be noted that 5G is not limited to wireless communication, which is characteristic of mobile communications. Rather, the entire network architecture with base station, backbone network, protocols as well as data management and processing is undergoing radical change.

If the requirement of functional safety is to be covered with Vertical uMTC, a number of aspects need to be taken into account. For example, devices in the IoT communicate ad hoc and are considered stateless. In addition, the communication protocols commonly used on the Internet, such as IPv6, have not yet been used in functionally secure applications. Technologies such as Software Defined Network (SDN) or Network Functions Virtualization (NFV) must also be considered. Although these meet the flexibility requirements of Industry 4.0, additional requirements must be met if they are to be used in functionally secure applications. Finally, another concept is mobile edge computing (MEC). The aim here is to create a new platform for collaboration between operators and communication and application services. This means that communication services should be adaptable to the requirements of the application and guaranteed by service level agreements.

Functional safety in production

The black channel principle in safety-relevant systems allows the use of a communication system without available proof of design or validation in accordance with the IEC 61508 series.

© Ifak

So what does all this mean for the safety-relevant parts of the systems that have to guarantee a certain safety level or residual error rate? To answer this question, it should first be noted that the requirements for the functional safety of electrical, electronic and programmable systems are defined in IEC 61508 and a large number of derived industry and product standards. IEC 61784-3 in turn defines the requirements for functionally safe communication systems in the industrial sector.

Today, safety communication systems are usually based on the black channel principle, in which a safety protocol is integrated between the safety application and a non-safe communication channel. This safety communication layer corresponds to the safety level of the safety-relevant system and recognizes or controls the transmission errors of the underlying communication channel (black channel). In this way, complex communication methods such as Ethernet and radio-based protocols or network transitions between subsystems and backplane buses can be used without having to prove compliance with safety standards such as IEC 61508. However, the measures already included in the communication channel (CRC, time monitoring, etc.) are then not taken into account in the safety assessment. In contrast, the complete communication channel (hardware, software, network components) must be designed, implemented and tested in accordance with IEC 61508 if safety functions are to be implemented directly in the communication channel or the measures included are to be taken into account in the safety assessment (white channel principle).

It is to be expected that, for reasons of complexity and flexibility, security communication will also be integrated in future IIoT systems primarily according to the black channel principle. Here, the security communication layer continuously monitors the non-secure communication channel for integrity according to the quiescent current principle. Monitoring takes place in the communication endpoints assigned to each other and includes data integrity (correct message content), authenticity (correct message source and sink) and timeliness (timely message transmission, correct message sequence). The communication channel must therefore meet the following requirements:

• connection-oriented communication relationship with integration option of the security protocol in the communication endpoints,
• cyclical communication for monitoring in accordance with the quiescent current principle with configurable time expectancy,
• sufficient availability - for example, avoidance of timeouts due to roaming or reflections and interference in the radio channel
• as well as integrated measures for information security.

The objectives for uMTC suggest that the black channel principle can be applied.

From static to dynamic

Security-relevant administration shell in accordance with Industry 4.0

© Ifak

IIoT systems place particular demands on the engineering of safety functions. In today's industrial safety functions, the relationships are mostly static (sensor-actuator chains). This means that special tools are used for the offline configuration of the safety functions, for the offline programming of the safety PLC and for the offline parameterization of the safety devices (sensors, actuators). These special tools are also developed with safety in mind. In other words, they contain dedicated measures to prevent unauthorized configurations and incorrect parameterizations and to limit the programming of the safety functions to a pre-tested language scope and code modules. The finished safety system is also subject to an assessment, whereby compliance with SIL-based characteristic values - such as the resulting residual error rate - and the safety response time for the individual safety functions are also evaluated. Finally, all safety functions must be tested before the systems are commissioned and all tests and changes must be logged in a legally compliant manner.

For IIoT, on the other hand, completely new mechanisms and measures must be developed for the engineering and testing of the safety functions to be established dynamically at runtime. This means integrating the currently still static project planning and verification algorithms into the IIoT concepts. For Industry 4.0, this means

• Safety hardware, safety software, safety communication layer etc. need so-called administration shells with descriptions of their safety assets and safety properties such as SIL levels, residual error rates and response times of the sub-functions.
• Safety parameters, for example for authentication and time monitoring, must be configurable in the asset administration shells.
• The resource manager of an asset administration shell can be used to store test and calculation rules for the safety sub-functions. These can be executed on a special security server, for example, in order to determine the resulting parameters and verify them against the requirements of the security level before establishing a dynamic security function.
• Automated risk analysis and verification of the safety functions pose a particular challenge, as special strategies and test components have to be developed for this - for example by connecting test case generators and simulation systems.
• As all safety-relevant components must be developed and qualified in accordance with the applicable safety standards, this also applies to the aforementioned safety administration shells and servers. Last but not least, the decomposition into standard and safety components must be taken into account in IIoT concepts. Implementation concepts that run the security components redundantly with cross-comparison on several cores of multi-core systems are suitable here.

Information security is not left out

Information security plays an important role as a prerequisite for functional security, which should be inherent in the new IIoT concepts. An interesting question here is whether security communication and information security measures can be combined. From a technical point of view, this is certainly conceivable. However, the different risk and life cycle models must be taken into account, as security communication, for example, is subject to stringent change management and is therefore changed as rarely as possible, whereas IT security components should react quickly to new external threats and are subject to a frequent update cycle. Discussions in this regard are currently taking place in the expert committees.

Authors:
Elke Hintze is a research associate in the 'ICT and Automation' business unit at Ifak.
Dr. Lutz Rauchhaupt is deputy head of the 'ICT and Automation' business unit at Ifak.