Alongside machinery safety, the standards landscape is focusing increasingly on Industrial Security, because digitisation and networking are currently changing the environment. We highlight what the most important changes to standards in 2023 mean for machine manufacturers and operators.
The plant has a CE marking. The safety components installed in it meet the requirements for the required Performance Level (PLr) in accordance with EN ISO 13849–1 or the required Safety Integrity Level (SIL) in accordance with EN IEC 62061. The plant can be designed to be functionally safe. The good feeling associated with this begins to waver, however, because machinery is being equipped with more and more digital elements that make new demands of Security: Could somebody from outside damage my software? Could somebody without authorisation gain access to the machine and make changes to the programming?
The standards organisations ISO and IEC have responded and are aiming to resolve these and similar concerns: they are upgrading and currently defining new requirements for products, plant and machinery with updated standards that are intended to shift the focus to Industrial Security. The new Machinery Regulation that will be replacing the Machinery Directive is also concerned with this. But that’s not all: with the first draft of the Cyber Resilience Act, an EU regulation is being prepared that lays down its own requirements for cybersecurity for all component and machine manufacturers and operators of plant and machinery. But one thing at a time …
EN IEC 62061 – Security as a safety issue
In addition to EN ISO 13849, EN IEC 62061 is the most important standard for functional safety. The standard defines the requirements and includes recommendations for the design, integration and validation of safety-related control systems (SCS) for machinery. Published in 2022 as an updated version, it also defines Security as a safety issue: the standard specifies that both “intentional attacks on the hardware, application programs and related software, as well as unintended events resulting from human error” are to be taken into account in the safety lifecycle and during the entire lifecycle of the plant and machinery. These must not adversely affect the integrity of the Safety.
ISO 13849–1 – safety-related software
There is a final draft available of the revised version of ISO 13849–1. It is expected to be published in the first half of the year (for more details, see page 4). One important aspect relates to the requirements with regard to software and management of functional safety – such as how data within machinery software are protected. Various software types are covered, such as safety-related embedded software (SRESW), safety-related application software (SRASW) or software for parameter setting. The standard contains suggestions for improvement with regard to how these can be linked to the requirements for programming languages with limited (“limited variability language”, LVL) or unlimited language scope (“full variability language”, FVL). It is far from clear when it will be harmonised into the EU standard EN ISO 13849–1 or when to expect an answer to the question of whether there will be a transition period after publication of the standard in the Official Journal and, if so, how long this will be.
The new Machinery Regulation – final draft
The European Parliament and the Council of the European Union have agreed on a final version of the new Machinery Regulation. It will be published soon. Once the regulation is published, the standards committees have 42 months to adapt the applicable standards to the new specifications. This also means creating harmonised standards that make it easier for us to achieve compliance with the regulation. “This is a lot of work,” explains Klaus Dürr, Vice President Standards Group at Pilz. “This also includes the ‘Protection against corruption’ section in which the Machinery Regulation defines requirements for cybersecurity and sets specifications for the life phases of a machine. The safety functions must not be affected by this.” A sample extract from the draft: “The machinery […] shall be designed and constructed so that the connection to it of another device, via any feature of the connected device itself or via any remote device that communicates with the machinery […] does not lead to a hazardous situation.”
Cyber Resilience Act – an independent EU regulation
The first draft of the Cyber Resilience Act is directed, among others, toward manufacturers of products and machinery with digital elements, be it software or hardware, as well as operators. In addition to comprehensive specifications on the topic of Industrial Security, the legal provision requires that product features as well as the plant or machinery have a suitable cybersecurity level which must be verified based on a risk assessment. The EU regulation is expected to be published in two to three years.
The main question: “How?”
The question of how all these upcoming normative requirements for Security can be implemented well and efficiently by international industry remains open. The challenges of taking the new requirements into consideration in existing and new development and manufacturing processes are understandably enormous. “We recommend early action,” states Arndt Christ, Vice President Customer Support International at Pilz. “We are staying on the ball around the world for our customers. My staff are answering questions around the clock – about our product portfolio but also general questions about how plant and machinery can be developed and operated securely. Or how Security requirements are even to be identified.” In response Pilz is currently also expanding its range of services.