Spotlight on Security!

Along­side machinery safety, the stan­dards land­scape is focusing increas­ingly on Indus­trial Secu­rity. Because with digi­ti­sa­tion and net­working the envi­ron­ment is ­cur­rently under­going change. We are high­lighting what the most impor­tant changes to stan­dards in 2023 mean for machine man­u­fac­turers and oper­a­tors.

The plant has a CE marking. The safety com­po­nents installed in it meet the require­ments for the required Per­for­mance Level (PLr) in accor­dance with EN ISO 13849–1 or the required Safety Integrity Level (SIL) in accor­dance with EN IEC 62061. The plant can be designed to be func­tion­ally safe. The good feeling asso­ci­ated with this begins to waver, how­ever. Because machinery is being equipped with increas­ingly more dig­ital ele­ments that make new demands of Secu­rity: Could some­body from out­side damage my soft­ware? Could some­body without autho­ri­sa­tion gain access to the machine and make changes to the pro­gram­ming?

The stan­dards organ­i­sa­tions ISO and IEC have responded and are aiming to resolve these and sim­ilar con­cerns: they are upgrading and cur­rently defining new require­ments for prod­ucts, plant and machinery with updated stan­dards that are intended to shift the focus to Indus­trial Secu­rity. The new Machinery Reg­u­la­tion that will be replacing the Machinery Direc­tive is also con­cerned with this. But that’s not all: with the first draft of the Cyber Resilience Act, an EU reg­u­la­tion is being pre­pared that lays down its own require­ments for cyber­se­cu­rity for all com­po­nent and machine man­u­fac­turers and oper­a­tors of plant and machinery. But one thing at a time …

EN IEC 62061 – Security as a safety issue

In addi­tion to EN ISO 13849, EN IEC 62061 is the most impor­tant stan­dard for func­tional safety. The stan­dard defines the require­ments and includes rec­om­men­da­tions for the design, inte­gra­tion and val­i­da­tion of safety-related con­trol sys­tems (SCS) for machinery. Pub­lished in 2022 as an updated ver­sion, it also defines Secu­rity as a safety issue: the stan­dard spec­i­fies that both “inten­tional attacks on the hard­ware, appli­ca­tion pro­grams and related soft­ware, as well as unin­tended events resulting from human error” are to be taken into account in the safety life­cycle and during the entire life­cycle of the plant and machinery. These must not adversely affect the integrity of the Safety.

Stan­dards specify: the focus is shifting to Secu­rity.

ISO 13849–1 – safety-related software

There is a final draft avail­able of the revised ver­sion of ISO 13849–1. It is expected to be pub­lished in the first half of the year (for more details, see page 4). One impor­tant aspect relates to the require­ments with regard to soft­ware and man­age­ment of func­tional safety – such as how data within machinery soft­ware are pro­tected. Var­ious soft­ware types are cov­ered, such as safety-­re­lated embedded soft­ware (SRESW), safety-­re­lated appli­ca­tion soft­ware (SRASW) or soft­ware for para­meter set­ting. The stan­dard con­tains sug­ges­tions for improve­ment with regard to how these can be linked to the require­ments for pro­gram­ming lan­guages with lim­ited (“lim­ited vari­ability lan­guage”, LVL) or unlim­ited lan­guage scope (“full vari­ability lan­guage”, FVL). It is far from clear when it will be har­monised into the EU stan­dard EN ISO 13849–1 or when to expect an answer to the ques­tion of whether there will be a tran­si­tion period after pub­li­ca­tion of the stan­dard in the Offi­cial Journal and, if so, how long this will be.

The new Machinery Regulation – final draft

The Euro­pean Par­lia­ment and the Council of the Euro­pean Union have agreed on a final ver­sion of the new Machinery Reg­u­la­tion. It will be pub­lished soon. Once the reg­u­la­tion is pub­lished, the stan­dards com­mit­tees have 42 months to adapt the applic­able stan­dards to the new spec­i­fi­ca­tions. Meaning also cre­ating har­monised stan­dards that make it easier for us to achieve com­pli­ance with the reg­u­la­tion. “This is a lot of work,” explains Klaus Dürr, Vice Pres­i­dent Stan­dards Group at Pilz. “This also includes the ‘Pro­tec­tion against cor­rup­tion’ sec­tion in which the Machinery Reg­u­la­tion defines require­ments for cyber­se­cu­rity and sets spec­i­fi­ca­tions for the life phases of a machine. The safety func­tions must not be affected by this.” A sample extract from the draft: “The machinery […] shall be designed and con­structed so that the con­nec­tion to it of another device, via any fea­ture of the con­nected device itself or via any remote device that com­mu­ni­cates with the machinery […] does not lead to a haz­ardous sit­u­a­tion.”

Cyber Resilience Act – an independent EU regulation

The first draft of the Cyber Resilience Act is directed, among others, toward man­u­fac­turers of prod­ucts and machinery with dig­ital ele­ments, be it soft­ware or hard­ware, as well as oper­a­tors. In addi­tion to com­pre­hen­sive spec­i­fi­ca­tions on the topic of Indus­trial Secu­rity, the legal pro­vi­sion requires that product fea­tures as well as the plant or machinery have a suit­able cyber­se­cu­rity level which must be ver­i­fied based on a risk assess­ment. The EU reg­u­la­tion is expected to be pub­lished in two to three years.

The main question: “How?”

The ques­tion of how all these upcoming nor­ma­tive require­ments for Secu­rity can be imple­mented well and effi­ciently by inter­na­tional industry remains open. The chal­lenges of taking the new require­ments into con­sid­er­a­tion in existing and new devel­op­ment and man­u­fac­turing processes are under­stand­ably enor­mous. “We rec­om­mend early action,” states Arndt Christ, Vice Pres­i­dent Cus­tomer Sup­port Inter­na­tional at Pilz. “We are staying on the ball around the world for our cus­tomers. My staff are answering ques­tions around the clock – about our product port­folio but also gen­eral ques­tions about how plant and machinery can be devel­oped and oper­ated securely. Or how Secu­rity require­ments are even to be iden­ti­fied.” In response Pilz is cur­rently also expanding its range of ser­vices.

Share with your network!

1 Star2 Stars3 Stars4 Stars5 Stars (Average rating)

Leave a Reply