Digital Twin Reference Model Development to Prevent Operators’ Risk in Process Plants

In the literature, many applications of Digital Twin methodologies in the manufacturing, construction and oil and gas sectors have been proposed, but there is still no reference model specifically developed for risk control and prevention. In this context, this work develops a Digital Twin reference model in order to define conceptual guidelines to support the implementation of Digital Twin for risk prediction and prevention. The reference model proposed in this paper is made up of four main layers (Process industry physical space, Communication system, Digital Twin and User space), while the implementation steps of the reference model have been divided into five phases (Development of the risk assessment plan, Development of the communication and control system, Development of Digital Twin tools, Tools integration in a Digital Twin perspective and models and Platform validation). During the design and implementation phases of a Digital Twin, different criticalities must be taken into consideration concerning the need for deterministic transactions, a large number of pervasive devices, and standardization issues. Practical implications of the proposed reference model regard the possibility to detect, identify and develop corrective actions that can affect the safety of operators, the reduction of maintenance and operating costs, and more general improvements of the company business by intervening both in strictly technological and organizational terms.


Introduction
A Digital Twin is a digital model of a particular physical element or a process with data connections that enable convergence between the physical and virtual states at an appropriate rate of synchronization [1]. Different enabling technologies of Industry 4.0 such as the Internet of Things (IoT), Cloud Systems and Big Data Analytics contribute to the creation of what is the Digital Twin of a physical process, i.e., a mathematical model able to describe the process, the product or the service in order to carry out analyses and apply company strategies. Digital Twin solutions integrate artificial intelligence, machine learning and software analytics with data collected in production plants to create digital simulation models that are updated when production process parameters or working conditions change [2]. This is a self-learning system, using data collected from various sources: from sensors that transmit operating conditions; from experts, such as engineers with a deep knowledge of the industrial domain; from other fleets of similar machines; as well as integrating historical data related to the past use of plant components [3]. The Digital Twin has long since established itself in an industry where it creates a lasting competitive edge [4].
In the literature, Digital Twin solutions have been developed to create a consistent improvement in efficiency [5], minimize failure rates [6], shorten development cycles [7] and open up new business opportunities [8]. The applications of Digital Twin tools focused on improving the safety of process plant operators and maintainers are few, even if it is a resilience engineering challenge for research [9]. The development of a reference model in this sector has become necessary and strategic in order to increase the safety levels of the operators involved in the maintenance phases. Today, the integration of the digital model with IoT has become particularly effective as the introduction of specific cloud platforms offers the possibility of integrating real-time data with all other company digital information on a given process, ensuring the realization of a real Digital Twin. At present, the analysis and assessment of risks and their impact on the maintenance processes of industrial plants is essentially based on the operators' experience. There are currently no solutions on the market based on Digital Twin technologies for risk analysis and the definition of predictive maintenance policies. Digital twin technologies, through a virtual representation of physical assets (a single control valve, a production line or an overall plant) make it possible to apply predictive policies in plant management and maintenance. In comparison to traditional simulation models, Digital Twin is reactive: it receives information from the sensors on the physical asset and changes when the asset is modified [10]. Existing production systems require a more in-depth analysis of information from machines and processes. For example, risk analysis only provides the AS-IS status of the situation. It does not show a clear view of the relationship between performance and risk events for TO-BE scenarios. 
In addition, machine condition data is not correlated with plant control and inspection data so that a distinction can be made between the process and machine degradation. Furthermore, Digital Twin is a leading opportunity to increase safety through serious games for industrial safety, as process simulation can train and improve industrial resilience [11].
Currently, an architecture that explains how to design, develop and implement a Digital Twin specifically dedicated to risk management does not exist in the literature. In this context, this work develops a reference model that researchers, technicians and business managers can follow whenever they want to apply Digital Twin solutions to risk management in work environments. These solutions could ensure predictive maintenance applications, which can create virtual modeling of maintenance processes and prevent high-risk events for operators. In this regard, the Digital Twin techniques to be developed must be able to predict and thus detect future faults, not only already visible and existing malfunctions.
This work specifically focuses on process plants since in this industrial sector the number of annual failures and injuries are likely to be very high, partly as a result of the normal wear of the components which are often subject to intensive working conditions [12].
The rest of the paper is as follows. This introduction is followed by a literature review that analyzes previous works on Digital Twin solutions for safety and risk assessment (Section 2). Section 3 presents current technologies deployed in Digital Twin while the reference model proposed in this work is described in Section 4. The discussion about critical aspects and practical implications are described in Section 5. To conclude, Section 6 summarizes the paper and outlines future research directions.

Literature Review: Digital Twin and Risk Assessment
As a new technology to realize virtual-physical integration, Digital Twins provide a chance to enhance the safety levels of operators involved in Human-Machine Interaction (HMI). Moreover, the integration of digital models with the IoT has the potential to generate the flexible interactive mode to enhance machine efficiency and process safety [13]. Digital Twins are not new to the process industries, where they are used in various forms, with the main intent of modeling a system, in line with the model-centric nature of engineering practice [14]. However, scientific literature has focused only on some specific topics, such as the main advantages of using digital models in industry or the role of Digital Twins in helping maintenance activities. As far as the former point is concerned, the main advantages of using digital models in industry have been discussed by [15] and include various aspects. First, virtual models driven by real-time data are able to provide a very faithful representation of the real environment and, as such, can be constructed to support immersive interactions between humans and machines. Secondly, Digital Twin data can integrate real and simulated data, allowing the user to get a comprehensive description of the whole environment and a deeper understanding of the physical entities. Finally, digital models provide concise, intuitive and easy-to-use platforms such as software and mobile Apps that could be adopted by users in different fields.
Maintenance activities are typical situations that require HMI. In maintenance, the digital model can reflect the real-time status of machines. Through the analysis of physical data, sensor data and maintenance methods, the digital model can easily identify components and parts showing signs of damage; this enables data-driven analyses and an incremental risk assessment strategy starting from the reporting of adverse events [16]. Triggering, e.g., predictive maintenance activities could eliminate the risk of downtime events or catastrophic failures, and related expenses [17]. Indeed, any loss or degradation of the function of a real system can lead to process safety issues; inadequate hazard identification, in particular, is the main cause of process failure, accounting for approximately 40% of process losses [14].
The literature reports several examples of Digital Twin applications in maintenance (e.g., [15,17,18]); by contrast, the implementation of digital models for safety or risk assessment are more limited in number. Nonetheless, ensuring process safety is of fundamental importance to avoid multiple fatalities, environmental damage, business losses and damage to reputation [19]. The use of improved digital tools and dynamic models to conduct process hazard analysis has the potential to address some of the main shortcomings of the traditional risk analysis procedures [20]. Moreover, as shown by [14], Digital Twins can be successfully used to enhance process safety in almost all phases of a process/plant lifecycle, ranging from the conceptualization of the system to the model-building phase.
Gabbar et al. [21] were the first authors that proposed dynamic process modeling for process safety analysis for assisting operators and assessing risk. They carried out a case study in a hydro-desulphurization unit and demonstrated the capability of the model to identify some specific high-risk scenarios. However, the proposed model did not attempt to systematically conduct a process hazard analysis. Ramzan et al. [22] also proposed a dynamic simulation model for process hazard analysis and applied it to a case study conducted on a distillation column with two products. In the proposed approach, dynamic simulation is used to identify the consequences of possible causes of process parameter deviations, assign severity and frequency rates for these consequences and finally determine the tolerability of the resulting risk. A further study that made use of dynamic simulation for conducting process hazard analysis was done by Wu et al. [23]; these authors integrated qualitative models with dynamic simulation for conducting process hazard analysis. To be more precise, at first their approach makes use of multilevel flow modeling (MFM) to determine the causes and consequences of risks and classify them. Then, high risk scenarios are rigorously analyzed and evaluated using dynamic simulation. The approach was tested on an industrial process. Similarly, Paltrinieri and Reniers [24] have developed a dynamic risk assessment model which uses Bayesian networks to provide real-time risk assessment of a real plant, on the basis of the safety measures installed and the probability of risk occurrence. The proposed approach is intended to provide quantitative assessment of how cost-cutting measures can increase risks, as well as to evaluate the probabilities of risk causes and the effectiveness of safety barriers.
In recent years, the advent of integrated software platforms has also offered the opportunity of coupling real-time data with all the digital information that a company has on a certain process. Accordingly, in a recent study, Kummer and Varga [25] developed an open software platform that allows generating failures, assessing when the steady-state conditions of the real system are achieved and generating sensitivities of critical variables to various disturbances. This tool was intended to automate generation and assessment of disturbances to provide input to traditional hazard analysis processes with the aim of reducing the duration and human error of the hazard analysis process. The proposed tool was tested in a chemical process to evaluate the sensitivity of the system to critical variable disturbances.
All the studies described above provided very interesting models for hazard analysis and risk assessment, based on specific tools. However, as the above review shows, relevant papers are few in number. Moreover, papers published before 2011 could not properly refer to Digital Twins, as Industry 4.0 concepts originated in 2011 and were formalized in 2013; rather, these papers describe general simulation models for maintenance or safety management. In addition, most of the published research refers to specific high-risk scenarios and aims to evaluate impacts rather than proposing general tools for a systematic hazard analysis [26]. In particular, to the best of the authors' knowledge, a framework that fully explains how to design, develop and implement a Digital Twin specifically dedicated to risk management is still lacking in the literature. Indeed, all the studies reviewed only cover one or some aspects (e.g., phase one or phase three; see Section 5) of the methodological approach proposed in this study. This is why we believe that the framework described in this paper can represent an interesting addition to the literature.

Material and Methods: Current Technologies Deployed in Digital Twin
A Digital Twin system is an integration of different technologies that develop several functions. In the next sub-sections, the technologies used in the proposed reference model are described in order to highlight their role in a Digital Twin as well as the problems connected to their implementation and use.

Industrial Internet of Things and Digital Twin
Due to the increased numbers of embedded sensors, low-power wireless communications and signal processing algorithms, the use of IoT devices in a real application has recently achieved explosive development and proliferation. IoT provides opportunities to connect the real world with cyberspace, enabling the sensing of objects and processes, data gathering, machine learning and real-time feedback over the connected targets. Digital Twin represents a dynamic digital replica of a physical process. The backbone technology of Digital Twin is the IoT for real-time and multi-source data gathering. The more a Digital Twin can duplicate the physical object in terms of the amount of information acquired with IoT sensors, the more the advantages can increase. The potential research challenges can be summarized as follows:
(1) Firstly, Digital Twin pushes the boundary of sensing capabilities toward the physical world. Sensing methods that monitor physical metrics in an industrial context and which use less resources are more practical in industrial IoT. Wireless and battery-free sensors can support lightweight and robust monitoring. How to extend the capabilities of wireless signals [27][28][29][30] and how to increase the battery life have triggered numerous research motivations over the past few years [31][32][33];
(2) Secondly, the processing of massive networked sensors requires the upgrade of computing architecture to reduce elaboration time, e.g., collaborative edge computing [34][35][36], and in order to reduce the effort of cloud architecture and save the bandwidth, it is important to enable a resource-constrained IoT device with modern analysis techniques, e.g., deep learning [37][38][39][40];
(3) Thirdly, efficient data transmission methods, integrated into the IoT radio chip, are needed for correct implementation of Digital Twin, e.g., low-power wide-area networks [41], parallel backscatter for high throughput, low power communications [42], software-defined low-power wireless [43] etc.

Simulation Technology and Digital Twin
Although the use of simulation is well-known in the engineering field to investigate well-defined problems, it is essential to understand its central limit. According to [44], most simulation applications solve exactly one specific request, such as design and off-line optimization. However, since the structured and complicated process of model simulation alters only one aspect of the results, in complicated data exchange processes a new simulation setting phase is sometimes required. On the other hand, Digital Twin is used for the entire lifecycle in real-time since it is a digital representation of an existing physical object. Through a large number of sensors connecting the physical object with its digital copy, a Digital Twin can represent, in real-time, the state of the object changes [45]. This is the reason why their combined use is a crucial point for a proper controlling and monitoring system. In doing so, the application of simulation techniques brings Digital Twins to life, and they become testable [46]. Thus, a Digital Twin Simulation Interface (DTSI) is fundamental to responding to the needs related to the product or the asset life cycle simulation. To this end, information must be stored in a structured way through the use of appropriate data models [47]. The DTSI can be used to understand, in real-time, several aspects of what is happening on the shop-floor, and to update the real system with improvements obtained in the digital model [48]. The Digital Twin must follow the physical world in real-time, to be able to monitor, adjust and optimize real processes, anticipate failures and increase efficiency thanks to the simulation approach [49].

Machine Learning and Digital Twin
Digital Twin makes use of real data to simulate the real production plant. Machine learning models are a mainstay in the context of smart factories, where the digitalization of manufacturing systems is strictly correlated with the Digital Twins. The machine learning models require real data to acquire knowledge, be trained and tested, and to confirm their effectiveness. Subsequently, Digital Twin works in parallel with real production plants, using the validated machine learning models, and simulating new production situations to identify available improvements. Indeed, Digital Twin has a pivotal role because it verifies the concreteness of the machine learning model in unusual situations; in particular, Digital Twin is important for the prediction of dangerous situations in the plant, when it is not possible to test the machine learning model with real data. In these cases, the Digital Twin enables operators to test the model with simulated data without the real onset of risks for the workers. Subsequently, the validated machine learning models provide predictions for recognized situations, useful for the Digital Twin to simulate industrial modification. Thereby, the Digital Twin is useful for improving the capacities of the machine learning model and, similarly, the machine learning model automates the Digital Twin.
Two main criticalities make machine learning more complex in the context of Digital Twin:
• Data availability. Machine learning works on information, and without the proper quantity and quality of data, it is impossible to develop and implement a proper machine learning model. It is important to analyze and to visualize the data to perform integrity checks, to validate data quality and to understand data meanings. Nowadays, industrial organizations commonly lack digitalized data, with several analog PLCs (Programmable Logic Controllers) and few digital monitoring systems.
• Complex environment and the human factor. Several industrial contexts are a complex reality, with processes, resources and people that interact partly with linear cause-effect relationships and partly with nonlinear, complex and even unpredictable ones [50]. Industries are socio-technical systems difficult to simulate and predict, due to their variability and irregularity.

Augmented and Virtual Reality and Digital Twin
Augmented Reality (AR) and Virtual Reality (VR) are some of the technologies that can benefit from the implementation of a Digital Twin, due to the fact that it provides a virtual and realistic view of the environment in which the historical and real-time data flow is integrated with the human presence [51]. However, considering the large amount of data and information in real-time that come from the Digital Twin model, it is difficult to provide users and operators with this information in an easy and intuitive way. In particular, the AR does not replace the physical world but allows the user to see the physical world with overlapping virtual objects. Moreover, it gives users the opportunity to interact with the physical world to perform specific tasks or be alerted to possible dangers [52]. The inclusion of these enabling technologies within Industry 4.0 implies their importance for modern factories [53,54]. In general, an architecture that integrates the Digital Twin and AR/VR is composed of the following three main blocks:
(1) Calibration: in order to obtain a clear and intuitive data visualization using AR devices, all the processing of historical data is as important as the data. In order to better manage the AR device, the 3D or 2D models must be perfectly aligned with the physical part. This process is called calibration.
(2) Control process: the control process is a very important aspect for AR systems as it allows the user to interact with both the physical and the virtual part of the Digital Twin. After viewing the data in the augmented process, users can use this information to support decision-making and directly control the physical part through the AR device.
(3) Augmented process: the augmented process, through the AR devices, must provide users with an intuitive and clear AR view of the information coming from the Digital Twin. In practice, the AR device receives data from the virtual part, and after the calibration phase, it correctly presents this to the user.
Making use of the current technology, some challenges arise using AR in manufacturing. They can be summarized in four types: (1) Real-time data: there is a huge amount of real-time data exchanged between the manufacturing process, cloud and VR device, and these have to be managed in order to support the users and operators in the correct way. (2) 3D and 2D modeling: recognizing, tracking and following the target object(s) is extremely important for the quality of AR utilization. (3) Reliability: the manufacturing environment is dangerous, noisy and dirty, so the AR device has to be reliable and robust enough to carry out the tasks. (4) User cooperation: the manufacturing task can be done with the cooperation of multiple users and operators at the same time, so the VR infrastructure must be flexible enough to permit the data exchange between multiple devices.

Cloud Technology and Digital Twin
Digital Twin includes data analysis methods that come from different types of sensors installed on the real system. In order to create a Digital Twin of a process or part of an industrial plant, it is important to use a set of computational services that represent models for their interactions [55]. Each of these methods requires specific computational resources. One of the solutions is to use a cloud infrastructure that offers high flexibility on one side and high processing performance on the other [56]. Therefore, it is necessary to use a cloud system based on the "Containers as a Service" model to manage the high amount of data on one side and to support the algorithm execution container on the other. Digital Twin is a group of complex systems composed of mathematical models, computational methods and software services, which permit the real-time synchronization between a virtual system and real process. There are a few cloud vendors which offer a "Container-as-a-Service" solution for Digital Twin implementation, such as IBM, Amazon, Microsoft Azure etc. In detail: (1) IBM is a vendor that offers the most complete solution. A Digital Twin can be built on IBM Watson IoT [57]; (2) Amazon refers to the Digital Twin as a device shadow which is a JavaScript Object Notation (JSON) file that contains information, metadata, timestamps, and other important information to unequivocally identify the connected device. The near real-time communication could be implemented using Representational State Transfer (REST) calls or an MQ Telemetry Transport, also known as Message Queue Telemetry Transport (MQTT), architecture [58]; (3) Microsoft proposes the Azure IoT solution which has the "Device Twin" model as part of device management. The Device Twin is represented by a JSON file that stores information on the status of the device and is updated in near real-time from the data coming from the real system [59].
In this context, there are many challenges in designing an industrial solution based on the Digital Twin approach. The common challenges for developing a smart Digital Twin are as follows:
(1) Data privacy: the sharing of data regarding production is one of the major privacy issues.
(2) Security: with the high amount of factory information gathered from the production plant and sent to the Cloud for Digital Twin elaboration, the risk to security becomes more important.
(3) Connectivity: the virtual process and the real system are to connect with each other in a real-time mode. Granting data connectivity and full bandwidth are the principal elements for a correct Digital Twin implementation.

Digital Twin Reference Model
The reference model based on Digital Twin methodologies for risk reduction in process plants is shown in Figure 1. This reference model allows a company to: (i) create a virtual process parallel to the physical one (this virtual process will offer a tool for both static and dynamic analysis of the physical industrial process); (ii) propagate this information to other interconnected and achievable digital objects, in order to increase the safety of the involved actors; and (iii) intercept anomalies at the beginning so as to be able to intervene promptly in order to minimize the damage from breakage or support preventive/predictive maintenance.
(1) Process industry physical space: this layer consists of all physical industry resources such as product, personnel, equipment, material, process, environment, facility etc. This is the primary environment of the Digital Twin reference model that the company aims to control. With physical space, we refer to all observable plant elements in production that shall be monitored and sensed and may be actuated and controlled.
(2) Communication system: the second layer is dedicated to transferring data or information between Digital Twin and plant elements. Physical elements are monitored and sensed from control devices and execution tools for data collecting and device controlling with various devices such as sensors, cameras, actuators and other composite devices. This system connects observable plant elements to digital entities, and vice versa, for their synchronization.
To complete the second layer, a 3D Model Representation and a Risk Identification and Assessment Plan are needed in order to set up the simulation system and the Anomaly Prediction and Detection Tool.

The Digital Twin system consists of four main tools:

(a) Control and Execution Tool
The Control and Execution Tool allows the physical system to communicate with the cyber system at the output through sensors, transducers, etc. and at the input through the control of actuators, switches, etc. This is a computer system dedicated to the management or control of industrial processes. This tool executes a program and elaborates digital and analog signals coming from sensors and directed to the actuators present in an industrial plant.

(b) Simulation Tool
The simulation tool allows the company to create virtual modeling of the processes. This is an advanced vision of the Digital Twin that includes not only a simulation model, which is coherent with the real plant, but also a behavioral and functional model through the creation of Mock Units.
The simulation tool can work on-line or off-line, i.e., the inputs can come from the sensors (in the first case) or can be entered manually (in the second case). When working off-line, through a virtual representation of the physical assets, the tool allows managers to analyze what-if scenarios without the need to physically realize them, thus avoiding potential situations of risk for operators. In this case, the tool can be used, for example, to commission a new plant in a virtual way to identify the risks for operators before actually activating the plant or to simulate a maintenance activity and identify the risks associated with it.
In the case where the tool works on-line, it must be able to receive information from the sensors on the physical asset and modify its parameters when the asset changes its conditions. The on-line application allows a company to compare the data provided by the simulation system with the data actually detected by the sensors, in order to activate warning signals if the discrepancy between the two values is beyond defined thresholds.

(c) Anomaly Detection and Prediction Tool
This tool should predict why faults are occurring, what the causes are (anomaly detection) and how long the system can go on before it breaks down or goes out of the correct plant operating parameters (anomaly prediction and residual life assessment). Figure 2 shows the role of this tool within the reference model. The tool is based on machine learning algorithms for the analysis of anomaly detection and prediction in the execution of production and maintenance processes within the IoT environment.

(d) Cloud Server Platform
The platform must acquire real-time data from the field. Therefore, a normal server architecture would not be enough because, in the normal operating environment, the enormous amount of data would not make its operation stable. This is the same with classic relational databases which are not able to withstand an excessive number of requests for simultaneous access to reading and writing. This implies that the platform must be designed ad hoc for data acquisition, sorting and visualization through a cloud solution.
The platform provides APIs (Application Programming Interfaces) or external calls with related authentication, to manage:
- Data input from the PLC;
- External engines for input data analysis (sensor readings);
- Elaborations carried out by the data analysis engines, after which they are visualized for comparison;
- Data coming from the sensors to the simulated model of the plant;
- Data coming from the simulated model (what-if scenarios) and relative comparison with the real one;
- Data coming from the sensors to the 3D model of the plant;
- Data coming from the 3D model and its comparison with the real one.
In addition to the functions listed above, it is also necessary to manage the historical data related to both field sensors and analysis. Moreover, user permissions must be managed to avoid inappropriate deletions in non-applicable areas.
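One way to enforce the "related authentication" and the user permissions described above, as an added example rather than the paper's platform code: each API client signs its request with HMAC-SHA256, and the gateway checks the signature, freshness, replay and a per-area grant before any write or deletion is accepted. Client names, keys, area names and the 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed clients: keys, area names and grants are illustrative assumptions.
CLIENTS = {
    "plc-gateway": {"key": b"constructed-plc-key",
                    "grants": {("plc_input", "write")}},
    "analysis-engine": {"key": b"constructed-analysis-key",
                        "grants": {("plc_input", "read"),
                                   ("analysis_results", "write")}},
    "maintenance-admin": {"key": b"constructed-admin-key",
                          "grants": {("history", "read"),
                                     ("history", "delete")}},
}
MAX_SKEW_S = 30  # assumed freshness window, in seconds
REQUIRED = ("client_id", "area", "operation", "timestamp", "nonce",
            "payload", "mac")


def _mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of every field but the MAC."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_request(client_id, area, operation, payload, timestamp, nonce):
    """Client side: build a request and attach its MAC."""
    fields = {"client_id": client_id, "area": area, "operation": operation,
              "timestamp": timestamp, "nonce": nonce, "payload": payload}
    return {**fields, "mac": _mac(CLIENTS[client_id]["key"], fields)}


class Gateway:
    """Platform side: authenticate, reject stale or replayed requests, authorize."""

    def __init__(self):
        self._seen = {}  # (client_id, nonce) -> timestamp of accepted request

    def authorize(self, request: dict, now: float):
        if any(name not in request for name in REQUIRED):
            return False, "malformed request"
        client_id = request["client_id"]
        client = CLIENTS.get(client_id) if isinstance(client_id, str) else None
        if client is None:
            return False, "unknown client"
        fields = {k: v for k, v in request.items() if k != "mac"}
        expected = _mac(client["key"], fields)
        # Constant-time comparison; a changed payload, area or operation fails here.
        if not hmac.compare_digest(expected.encode(),
                                   str(request["mac"]).encode()):
            return False, "bad signature"
        ts = request["timestamp"]
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_S:
            return False, "stale timestamp"
        # Forget nonces that the freshness check would reject anyway.
        self._seen = {k: t for k, t in self._seen.items()
                      if abs(now - t) <= MAX_SKEW_S}
        replay_key = (client_id, str(request["nonce"]))
        if replay_key in self._seen:
            return False, "replayed request"
        self._seen[replay_key] = ts
        # Authorization: the operation must be granted for this data area.
        if (request["area"], request["operation"]) not in client["grants"]:
            return False, "operation not permitted in this area"
        return True, "ok"
```
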

User Space
This is the last layer. The term "user" in this context refers to a human, a device or a system such as MES (Manufacturing Execution System) or an ERP (Enterprise Resource Planning). The Typical anomalies to be predicted through machine learning in process plants are the following:

• During the operative phase of the plant, the operator closes by mistake a shut-off valve and the plant goes into overpressure, putting at risk the integrity of the piping and the personnel. Before the safety valve intervenes (which would lead to a partial emptying of the system with consequent stoppage of the system for a long time), the tool detects an increase in pressure at certain points, identifies the problem and warns the operator about the type of anomaly that is occurring;
• During a pump maintenance operation, the operator does not close the shut-off valve and floods the area;
• The control valve downstream of the tank is blocked and closed due to a fault and the system goes into overpressure;
• A pump vibrates abnormally due to bearing failure;
• A shut-off valve upstream of the pump closes by mistake and the pump goes into cavitation.
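The first scenario above (a closed shut-off valve driving the plant toward overpressure), as an added example that is not code from the paper: a least-squares trend over a window of pressure readings stands in for the machine learning model and estimates the time left before the safety valve set point is reached. The readings, the two pressure limits and the `min_slope` threshold are constructed assumptions.

```python
# Constructed readings (seconds, bar): steady operation, then a shut-off valve
# is closed at t = 10 s and the pressure climbs by 0.2 bar per second.
STEADY = [(t, 6.0) for t in range(4, 10)]
RISING = [(t, 6.0 + 0.2 * (t - 10)) for t in range(10, 16)]

NORMAL_MAX_BAR = 7.5   # assumed upper bound of the normal operating range
RELIEF_SET_BAR = 10.0  # assumed safety valve set pressure


def linear_trend(samples):
    """Least-squares slope (bar/s) and intercept for (t, pressure) samples."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_p = sum(p for _, p in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:  # a single timestamp carries no trend information
        return 0.0, mean_p
    cov = sum((t - mean_t) * (p - mean_p) for t, p in samples)
    slope = cov / var_t
    return slope, mean_p - slope * mean_t


def assess(samples, normal_max=NORMAL_MAX_BAR, relief_set=RELIEF_SET_BAR,
           min_slope=0.05):
    """Classify one window of readings.

    Returns (status, seconds_to_relief). The time estimate is None unless the
    pressure is on a sustained rise toward the safety valve set point.
    """
    slope, intercept = linear_trend(samples)
    t_last, p_last = samples[-1]
    if p_last >= relief_set:
        return "relief_reached", 0.0
    if slope < min_slope:  # flat or falling: only the static limit applies
        return ("out_of_range" if p_last > normal_max else "normal"), None
    # Extrapolate from the fitted value at the newest sample, not the raw
    # reading, so one noisy sample does not dominate the estimate.
    fitted_last = slope * t_last + intercept
    return "rising", max((relief_set - fitted_last) / slope, 0.0)


if __name__ == "__main__":
    print(assess(STEADY))
    print(assess(RISING))
```

On the rising window the warning is raised while the last reading (7.0 bar) is still inside the assumed normal range, which is the point of predicting rather than waiting for a static limit.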

(d) Cloud Server Platform
The platform must acquire real-time data from the field. A conventional server architecture would not be enough, because in the normal operating environment the enormous amount of data would make its operation unstable. The same applies to classic relational databases, which cannot withstand an excessive number of simultaneous read and write requests. This implies that the platform must be designed ad hoc for data acquisition, sorting and visualization through a cloud solution.
The platform provides APIs (Application Programming Interfaces) or external calls with related authentication, to manage:
- Data input from the PLC;
- External engines for input data analysis (sensor readings);
- Elaborations carried out by the data analysis engines, after which they are visualized for comparison;
- Data coming from the sensors to the simulated model of the plant;
- Data coming from the simulated model (what-if scenarios) and relative comparison with the real one;
- Data coming from the sensors to the 3D model of the plant;
- Data coming from the 3D model and its comparison with the real one.
In addition to the functions listed above, it is also necessary to manage the historical data related to both field sensors and analysis. Moreover, user permissions must be managed to avoid inappropriate deletions in non-applicable areas.
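One way to realize the authenticated data input and the deletion permissions described above, as an added example rather than the paper's platform code: each source signs its readings with HMAC-SHA256, stale or replayed messages are rejected, and historical data can be deleted only in areas assigned to the user. The source id, key, user names, areas, message fields and the 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed values: one data source key, and the areas each user may purge.
SOURCE_KEYS = {"plc-line1": b"constructed-demo-key"}
DELETE_AREAS = {"maint_lead": {"line1"}, "operator": set()}
MAX_SKEW_S = 30   # assumed freshness window for a reading's timestamp
HISTORY = {}      # (area, sensor) -> [(ts, value), ...]
_seen = set()     # accepted (source, ts, nonce); a real service would expire these


def sign(source, body):
    """HMAC-SHA256 tag a source attaches to the raw request body (bytes)."""
    return hmac.new(SOURCE_KEYS[source], body, hashlib.sha256).hexdigest()


def ingest(source, body, signature, now):
    """Store one reading only if it is authentic, fresh and not a replay."""
    if source not in SOURCE_KEYS:
        return False
    # Verify the tag over the raw bytes before parsing anything.
    if not hmac.compare_digest(sign(source, body).encode(), signature.encode()):
        return False
    try:
        msg = json.loads(body)
        ts, nonce = float(msg["ts"]), str(msg["nonce"])
        key = (str(msg["area"]), str(msg["sensor"]))
        value = float(msg["value"])
    except (ValueError, KeyError, TypeError):
        return False
    if abs(now - ts) > MAX_SKEW_S or (source, ts, nonce) in _seen:
        return False
    _seen.add((source, ts, nonce))
    HISTORY.setdefault(key, []).append((ts, value))
    return True


def delete_history(user, area, sensor):
    """Delete stored readings only inside an area assigned to this user."""
    if area not in DELETE_AREAS.get(user, set()):
        return False
    return HISTORY.pop((area, sensor), None) is not None
```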

User Space
This is the last layer. The term "user" in this context refers to a human, a device or a system such as MES (Manufacturing Execution System) or an ERP (Enterprise Resource Planning). The interface is offered to users through two solutions:
• Activation of operational instructions for the maintenance and safety management of the system through AR/VR;
• Activation of warning messages.
In this layer, classes of advanced services must be defined; for example, in the event that the machine learning system predicts risk situations, operators may be warned of anomalies through wearable systems. In addition to signaling warning situations, corrective actions and safety measures can also be taken.

Implementation of Digital Twin Reference Model
The development of the Digital Twin model proposed in the previous section is divided into five phases (see Figure 3). Every phase is connected to the others, and they are carried out in the following sequence.

Phase 1: Development of the Risk Assessment Plan
During this phase, the risk is measured or estimated for the operators involved in the maintenance and management of the process industry.
In particular, it is necessary to identify all possible adverse events, the causes of these events and the internal and external risk factors, by observing the plant, its processes, the people and dynamics that characterize it and the socio-economic context in which it operates.
The following step is the risk analysis. This step will estimate the probability of occurrence and the impact generated by adverse events, on the basis of quantitative and/or qualitative techniques.
Finally, risk weighting must be carried out in order to support the organization in deciding which risks to deal with using the Digital Twin system and the risk treatment. This step will allow maintenance managers to identify and choose solutions to prevent or mitigate undesirable risks.

Phase 2: Development of the Communication and Control System
According to the risk analysis carried out in the first phase, the communication system is developed. The identification of the most important entities is needed in order to uniquely identify them and make, for example, the link between the real and digital entity of a Digital Twin.
The main part of the development of a Digital Twin is to have a complete information set, including real-time data acquisition from a wide range of sensors and/or IoT devices. To increase the collection of this information, some common strategies are used:
(1) Use Existing Connected Sensors: This is a standard first step, since it does not require modifying the existing physical installation by adding new sensors. This approach requires only application engineering and a software project to connect the data gathering to the upper level where the Digital Twin is deployed. In this step, new software must be developed to acquire information from the existing supervision infrastructure, such as Supervisory Control And Data Acquisition (SCADA), PLC, etc.
(2) Insertion of New Sensors into Existing Infrastructure Based on PLCs and Controllers: The second step is to evaluate if there are available hardware slots on the system controller, in order to add acquisition modules into which a new set of sensors can be plugged. Although this approach could be simple, it requires the modification of the existing software, developing new functions that manage the new sensors with the risk of making changes in the controller and creating performance and operating issues.
(3) Add Edge Devices: Another important support for developing a Digital Twin is the Internet of Things (IoT) with the Wireless Sensor Network. New edge devices have been introduced into the industrial field, and these are designed to capture and transmit information directly to enterprise systems and cloud applications. Many new sensors are not directly integrated into the control and automation system, operating separately and independently from them in order to monitor operating parameters for a complete Digital Twin and close the information loop. Many wireless or cabled edge devices directly communicate with the Cloud or private IT network. One of the best advantages of using this solution is that it has a very minimal impact on existing control software architecture because it works in a parallel backbone of the main infrastructure.
(4) Effect of Actuators: When a Digital Twin needs to produce an action in the real-world by way of actuators, it will generally use the support of the operator or a control system, which will interact with the real process. The action is usually associated with the operative decision, such as those used in a dynamic control system.

Phase 3: Development of Digital Twin Tools
This phase focuses on the design and development of the tools used in the Digital Twin. In this work, machine learning algorithms have been used for anomaly detection and prediction. The development of a machine learning model relies on the following steps:
• Analysis of the context of application. It is important to understand the environment, the boundaries and the dependencies of the analyzed processes. In fact, this step defines the structure of the machine learning model and its target. For example, the reduction of the operators' risk requires the definition of the specific risks that can affect the operators;
• Monitoring of the process and data records. The data must be prepared to make them suitable for use by the machine learning model;
• Set up the parameters of the machine learning model;
• Training of the model with training data from the real production process;
• Testing the model on different data, for verifying its effectiveness. This is the conclusion of the real development of the machine learning model;
• Improvement of the capacities of the machine learning model using the Digital Twin, as explained above.
In parallel to the machine learning tool, the simulation tool is also developed at this stage. The first step in designing this tool is the definition of the aspects to be simulated. Typical aspects to be considered are thermal behavior and physical, mechanical, chemical, electrical and organizational processes. It is then necessary to understand the behavior of the system or evaluate strategies for the operation of the system. The final step is the design of the model of a real system and conducting experiments with that model.

Phase 4: Tools Integration in a Digital Twin Perspective
The developed tools will then be integrated into an ad-hoc software platform. The platform will perform the following activities: data acquisition, data manipulation, detection state, health assessment, prognostic assessment and advice generation. The platform has to meet the requirements listed below:
(1) Multimodal information: the platform has to be able to integrate multimodal information, such as sounds, videos, texts, 3D animations etc. into the platform;
(2) Browsing and editing: the platform must enable the creation, modification and navigation of cyber-physical systems, which means modifying and creating environments that integrate the physical and virtual space;
(3) Detection: through a grid of sensors, the platform must have the ability to monitor and store activities that occur in the work environment;
(4) Heterogeneity: the platform should support different types of sensors and actuators;
(5) Semantic abstraction and modularity: the platform should be able to provide a semantic abstraction, allowing easy communication between the elements of the environment;
(6) Verification, validation and simulation: the platform must be able to simulate the behavior of the physical units present in the productive world. This will allow a company to predict and control the highest-risk events and to formulate alternative scenarios.

Phase 5: Models and Platform Validation
Scenarios of the process industry in which the reliability of the plants has an impact on the safety of the operators and on business efficiency have been used to validate the developed systems. This phase involves the verification of the platform's functionalities and testing activities.
The testing phase will allow researchers to collect quantitative data to evaluate the performance of the solution and estimate the main advantages, with particular attention to the benefits in terms of operator safety. The collection of feedback from the experimentation will be used for the revision/optimization of the tools and the platform.

Discussion
During the design and implementation phases of a Digital Twin, different criticalities must be taken into consideration. Moreover, some practical implications of the proposed reference model can be highlighted. These two aspects have been respectively presented in Sections 6.1 and 6.2.

Criticality in Reference Model Implementation
The critical aspects involving Digital Twin technologies can be summarized in the following points:

• IoT is not perfectly IIoT (Industrial IoT). The industrial version of devices requires resilient, robust and reliable solutions, which are subject to industry regulations and standards (e.g., watchdog systems, certified code). Today, the solutions on the market, in many cases, do not perfectly meet the needs, in terms of performance and flexibility, compared to the industrial reality.

• The need for deterministic transactions. Real-time implies determinism, i.e., the guarantee that an action by an actor is implemented, not necessarily at high speed. This means that processing must be based on suitable (operating) systems designed for real-time. The design of embedded systems, by definition, is aimed at applications with specific performance and guaranteed stability.

• For embedded systems, the usual concept that computing devices will soon be more powerful and less expensive is no longer valid. Programming paradigms must take into account a new dimension where resources are limited "by design".

• When the number of pervasive devices is large, factors such as energy consumption and energy supply (energy scavenging/harvesting techniques), life cycle and maintenance of components (dispersion of pollutants, recovery at the end of life, maintenance, recycling and/or reuse) become critical. Rapid wake-up systems (e.g., non-volatile memories) after minimum-consumption sleep cycles are also required.

• Targeted design of human-machine interfaces (new, small but expressive interactive displays, low power consumption, e.g., Organic Light-Emitting Diode (OLED), e-paper), which are minimally invasive and disturbing (calm technology).
Moreover, different relevant standardization issues need to be addressed. For instance, standardization is needed for the synchronization of the physical object and its Digital Twin, for syntax and semantic interoperability across Digital Twins, and for the security protection of the secrecy and integrity of the physical entity and its associated characteristics.

Practical Implications
The cyber-physical system approach will allow maintenance managers to detect, identify and develop corrective actions that can affect the safety of operators, the reduction of maintenance and operating costs and more general improvements of the company business by intervening both in strictly "technological" and organizational terms. Through wearable systems, it will be possible to monitor, for example, the distance of the operator from the plant and send alerts in case the cyber-physical system foresees risk situations (a burst, an unwanted emission, etc.). The cyber-physical system will anticipate these risk situations by dissipating residual energy; for example, discharging condensers, hydraulic and pneumatic circuits and accumulators, but also preventing the risks of lower dead body movements and blocking loads at height.
An important outcome is linked to the definition of a complex and integrated control system that uses the network of cyber-physical elements, in order to ensure continuity of shared monitoring even in the event of abnormal operation of the machinery itself, thus providing control and monitoring logic by the operators.
The following effects of the proposed solutions can also be highlighted:
• Enable maintenance technicians to make their repair decisions based on actual data and forecasting of future scenarios, as opposed to the traditional approach to maintenance based on predefined activities or just on conjecture, by knowing about upcoming problems;
• Provide a tool with high added value, allowing company managers to make increasingly reliable forecasts about the evolution of risk events. This functionality perfectly fits within the digital continuity required by modern industrial paradigms;
• Help business leaders in decision-making activities not only from an economic but also from an organizational point of view: resources can, therefore, be managed at their optimum level to obtain maximum profits, rather than performing corrective and reactive maintenance in the event of a part failure.

Conclusions
This paper has proposed a reference model for the implementation of Digital Twin models with the purpose of enhancing the safety level of employees in the workplace. The model encompasses all the key phases of Digital Twin design and implementation, as it starts from the analysis of the real system and ends with the development of a platform where the user can interact with that system. Because of its completeness, it is believed that researchers, technicians and business managers will benefit from this model anytime they need to develop and apply Digital Twin solutions for risk management in real environments. The approach enables predictive maintenance applications: in this respect, the proposed Digital Twin will be able to create virtual modeling of maintenance processes, thus preventing high-risk events for operators.
The natural application of this work will be the application and testing of the Digital Twin model first in laboratory settings and then in real environments. Laboratory tests will be made to check the effectiveness of the software platform and to evaluate the capability of the Digital Twin to learn the functioning of the system, identify risks and suggest maintenance interventions. As far as the in-field implementation is concerned, some relevant case studies will be identified, privileging industrial systems where the plant reliability can significantly affect employee safety and system effectiveness.

Funding: This research was funded by INAIL (Istituto Nazionale per l'Assicurazione Contro gli Infortuni sul Lavoro), the Italian National Institute for Insurance against Accidents at Work, grant number BRIC 2018, project titled "Sviluppo di soluzioni smart attraverso metodologie Digital Twin per aumentare la sicurezza degli operatori durante i processi di manutenzione degli impianti produttivi"-BRIC ID12.

Conflicts of Interest:
The authors declare no conflict of interest.