Risk management in industry 4.0
Developed by Stefano di Lenardo
Contents |
Abstract
Nowadays, innovation is synonymous with progress and modernity in every area - from the social sphere, through the educational system, to the economic sphere in science and economy, looking for new solutions that contribute to competitive advantage in the market and thus raise the level of economic and social development and ensure a high quality of life. The vast majority of businesses, are determined to implement product, technical, technological and organizational innovation. But most of all they follow a trend of industrial automation, which leads to the birth of Industry 4.0. In a few words, Industry 4.0 can be defined as the information-intensive transformation of manufacturing in a connected environment of data, people, processes, services, systems and production assets with the generation, leverage and utilization of actionable information as a way and means to realize the smart factory and new manufacturing ecosystems. However, new smart technologies and advanced automation require a huge amount of data, which lead the need of new prerequisites, in terms of security systems, in order to avoid any kind of risk. And risk management is the methodical process that involves understanding, analyzing and addressing these risks to make sure that organisations achieve their objectives. The aim of this essay is to conduct research on Industry 4.0 related to key aspects and presentation of a design of structure to implement risk management for the Industry 4.0 concept.
Background
Development of industry from 1.0 to 4.0
Before entering too much deeper into the risk management in Industry 4.0 concept, it’s useful to first understand how precisely manufacturing has evolved since the end of 1800s. It is possible to distinguish four different industrial revolutions that the world has known or continues to undergo today.
- The First Industrial Revolution - Mechanization
The first industrial revolution started between the late 1700s and early 1800s. During this period of time, manufacturing changed from focusing on manual labor performed by people and helped by work animals to a more optimized form of labor conducted by people through the use of water and steam-powered engines and other kinds of machine devices.
- The Second Industrial Revolution - Electrification
In the early part of the 20th century, the world experienced a second industrial revolution with the introduction of steel and use of electricity in factories. The beginning of use of electricity allowed manufacturers to considerably improve efficiency and aided make factory machinery more able to be moved easily. It was during this stage that mass production concepts - for instance the assembly line -were introduced as a way to greatly boost productivity.
- The Third Industrial Revolution - Automation
From the late 1950s, a third industrial revolution gradually started to become apparent, since manufacturers began integrating more electronic—and eventually computer—technology into their factories. During this period, manufacturers undertook experiencing a shift that put less emphasis on analog and mechanical technology and more on digital technology and automation software.
- The Fourth Industrial Revolution, or Industry 4.0 - Digitalization
In the past few years, a fourth – and actually last - industrial revolution has sprung up, known as Industry 4.0. Industry 4.0 gives importance to digital technology from recent decades to a whole new level with the help of interconnectivity through the Internet of Things (IoT), access to real-time data, and the introduction of cyber-physical systems (CBS). Industry 4.0 provides a more comprehensive, interlinked, and holistic approach to manufacturing. It connects physical with digital, and allows for better collaboration and access across departments, partners, vendors, product, and people. Industry 4.0 authorizes business owners to better manage and understand every aspect of their operation, and enables them to leverage instant data to boost productivity, improve processes, and drive growth.
Core idea of Industry 4.0
The core idea of industry 4.0 is to implement the Cyber Physical Systems (CPS) for production, i.e. using actuators and sensors, networks of microcomputers, linking the machines to the value chain. It also considers the digital enhancement and reengineering of products. The Figure 2 shows an abstract of industry 4.0 production style. In addition, it is denoted by highly differentiated customized products, and specific combination of product and services, and further the value added services with the actual product or service. After all, industry 4.0 is supposed to have three smart targets: machines, storage system, and production facility. That means minimizing the human interventions and grow productivity. It focus on decentralized and highly automated production, as shown in FIG.
Invented to solve logistic problems of army, one of the easiest examples of sensor networks is RFID (Radio-frequency Identification). RFID works via radio waves to read and capture information stored on a tag attached to an object. A tag can be read from up to several feet away and does not need to be within direct line-of-sight of the reader to be tracked. This means that it is possible to know what a pack contain exactly without open it.
In such an unknown business environment there are many challenges concerning the management approaches, for instance business model innovation, since success in industry 4.0 is due to the innovation capability of enterprise. If organization requires to be smart, they need bright employees, and climate for learning and innovation, which needs appropriate management practices. Management plays a fundamental role for industry 4.0, since the requisite of Industry 4.0 is to develop capabilities across different dimensions in the organizations as shown in figure 3. There is need to develop capabilities to successfully manage business models, and product portfolio, to access potential market and customers, to intensify value chain processes and systems, legal matters, cultural management -because of globalization- and mostly risk management. FIG 3
Risk Management
First of all, what is risk management? Risk management in a project management context is a comprehensive and systematic way of identifying, analyzing and responding to risks to achieve the project objectives [9]. The Risk Management Process can be divided into four main categories Identify risks, Assess risks, Treat risks and Monitor risks.
- Identification: proactive identification, Incident reporting, safety inspections, risk audits, safe design and purchasing, consultation.
- Assessment: likelihood of the hazard and risk, degree of harm, frequency and duration of exposure, severity of the hazard or risk.
- Control of hazard and risks: good knowledge about hazard, risk, cost associated and available options determine which would be desirable.
- Monitoring and controls: hazards may change and that risk control measures need to be reviewed continuously to determine their effectiveness.
The last few years has seen the emergence of Enterprise Risk Management (ERM), which is often denoted as a new business trend that builds on the principles of traditional risk management. It is a more structured and disciplined approach that aligns strategy, processes, people, technology and knowledge, with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. ISO 31000 represents a family of standards that seeks to provide unified and generic guidelines by means of an industry-independent risk management approach. The ISO 31000 is probably the most used risk management standard. However, it has some flaws, which managers need to take into consideration. First, a considerable amount of scientific literature arguing for the ISO 31000 is outdated since it uses ideas of risk assessment and characterization as used in the 1970s and 1980s, which does not take the fast-changing and connected world which projects happens in today into account. Second, the ISO 31000 is often criticized for having a narrow scope, for instance, the standard does not include setting objectives, but it does require that objectives are set. Furthermore, the guidelines provided in the ISO 31000 can be harder to understand and implement in Small and Medium-sized Enterprises which is why the ISO 31000 SME can be an additional standard, which managers need to take into consideration. Therefore it is vital that risk managers do not blindly follow the ISO 31000, but read material from multiple sources.
Risk management and performance
It is essential for management the performance measurement, since it allows to recognize the difference between contemporary and desired performance and gives the possibility to understand if this difference is going to be reduced. The indicators which help to improve performance are the Key Performance Indicators (KPI) and the Key Risk Indicator (KRI). Through these indicators a specific risk can be constantly checked and they can alert system for upcoming activities. However, there is not any kind of scheme to merge these to indicators and exploit their potential. Indeed, the cooperation between KPI and KRI could allow to find fundamental data for upgrading the achievement of a business and risk management.
- KPIs, or Key Performance Indicators, measure the actions and events that lead to a result, and are considered to be critical to the success of your business as their data is crucial in creating strategies and aligning goals.
- On the other end of the metric spectrum is the KRI, or Key Result Indicator. A KRI measures the results from your business actions, which are critical in tracking progress and defining success.
Structure to implement risk management
Risk identification
The purpose of risk identification is to find all the risks that can hinder the achievements of the business. And it is fundamental to identify the risks related to not getting an opportunity as soon as possible, since a risk that is not considered at this stage will not be recognized in remoter risk analysis. As it was mentioned before, industry 4.0 generates new several operational risk, affecting the manufacturing area:
- Manufacturing process management: information risk associated with data losses
- Maintenance: problem with availability and integrity of data for maintenance
- Operational methods and tools used: error data processing
- Machines and manufacturing technologies: sensitivity and vulnerability of data, problem related to cyber-attacks
- Human sources: low number of qualified workers
- Machine environments: attack from Internet network, problems related to electromagnetic compatibility and electromagnetic emissions affecting manufacturing machines
Most of repeated risk factors in the manufacturing are connected with information security. So, it is fundamental to understand to protect this manufacturing system against cyber-attacks, loss of data integrity or problems related to the availability of information and the way to achieve that is implementing the information security management system (ISMS). Even if information security is accessible only to who have access, it is fundamental to consider also integrity and availability. The first one means protecting the reliability and plenitude of information and processing methods. And availability means the possibility to get every data in every moment. Implementing this standard should be the key to solve the problem of security inside companies which follow Industry 4.0 model. The similarity with other ISO standards (ISO 9001, for instance) is important for building a certified integrated management system based on the management of quality, information and environmental requirements. On the other hand, the standard ISMS can be effectively integrated into ERM.
Design a structure
The following step is to incorporate and implement the crucial needs for ERM and ISMS. This idea is thought to implement Industry 4.0 concept in manufacturing companies, as it allows to cut down enterprise risks connected with enterprise strategy and the implementation of the certified information security system. This approach is based on a well-planned analysis tool, called Deming PDCA cycle. PDCA (Plan-Do-Check-Act) is a method for making changes to work processes and improving standards. It is implemented to improve the quality and effectiveness of processes within product lifecycle management, project management, human resource management, supply chain management and many other areas of business. Its activities are:
- Plan-Organizational vision and objectives: Establish policy (including ISMS policy), objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with the organization’s overall policies and objectives.
- Do-Processes: Implement and operate the policy, controls, processes and procedures.
- Check-Performance: Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
- Act-Improvement: Take corrective and preventive actions, based on the results of the internal audit and management review or other relevant information, to achieve continual improvement of the system.
FIG 2 exhibits the basic principle and processes of implementation. The article outlines the fact that the security policy must be expanded by risk management aspects to an integrated corporate policy. In this way it is possible to consider the requirements of all stakeholders and to determine appropriate risk objectives and strategies. The focus of an implemented integrated management system should be based on the functional and effective application of business process management, which means that analysis, description and optimization are the core functions to support and management of the processes. The output of the section is an inventory of risks which could be divided into different sections, such as planning risks, processes risks, technical risks.
Integration of performance and risk management
Risk management should become part of the corporate culture. The institution of business process management can allow to identify risks and choose to take up actions from the risk treatment and business continuity plan. In this way it is possible to appropriately integrate identified risk treatments and business continuity plans in to the manufacturing processes. The effectiveness of the company performance is systematically supported by the implementation, maintenance, testing and uploading of the measures. Risk management in industry 4.0 should embrace concepts from both the fields of BPM (Business Process Management) and PPM (Process Performance Management) and merge them with elements of risk management into a new idea. To do that, some assumptions must be exposed:
- Governance of business processes and examining process risks are essential for risk management based on real-time operational data in Industry 4.0
- To investigate the performance, risk and goal attainment of processes, approaches from BPM, PPM and RM have to be integrated and combined.
- Risks have to be assessed by means of clearly defined data structures and indicators in a designated calculation scheme building upon these structures.
Potential damage types and their probability of happen can be forecasted more exactly, because of the wide-ranging volume of the data from processes. However, the possible scenarios could be very complex and other evaluation procedures might be needed. It is also imaginable an adaptation of the evaluation criteria. As outlined before, each risk can be monitored by the KRIs which influenced the KPIs in connection with the enterprise performance. The concept is in FIG The risks identified were listed in a risk model. This model exhibits the important groups of identified risks and aides to classify them into categories. The different colors used in Figa (to better illustrate the process) divide the risks into: operational (orange) and strategic (yellow) risks. Each risk group may also have a different colour (see Figure 3) f.i. for categorization, priority or responsibility. As shown in Fig each risk group can be broken down into individual risks.
