Separation of safety system and process control system



Integrated solution in spite of separate levels of protection: Good Engineering Practice

The demand for integrated safety solutions is increasing due to rising cost pressures and the growing complexity involved in the planning and operation of safety-critical systems. IEC 61511 requires the preservation of all layers of protection wherever possible. Independence, diversity and physical separation are demanded for each of these layers of protection. With regard to cybersecurity, IEC 61511 ED 2 also requires dedicated risk monitoring.

Safety without compromises
The safety system and process control system are autonomous and capable of acting as separate layers of protection (as defined in IEC 61511) only when they are based on different platforms, development principles and philosophies. Errors that affect different layers of protection simultaneously (common cause and systematic errors) are reduced when this is the case.

A separate safety system ensures the preservation of the levels of protection and thus reduces the risk arising from cyber attacks.

Levels of protection

IEC 61511 requires the preservation of all levels of protection.

Safety technology independent of the patch management of the control technology

Appropriate patch management is essential for standardized hardware and software used in process control technology. Patching eliminates weak points in the software used in process control systems and in the operating system. Problems can occur, however, because the complexity of the software architecture makes it difficult or even impossible to assess the risks that an update could introduce. As a consequence, if the safety system is integrated into the process control system, patching the process control system may also affect the functionality of the safety system.

If risks of personal injury and/or environmental damage exist, the operator is obligated to ensure that errors do not result in critical situations as a consequence of patch processes. Only the physical separation of process control system and safety system ensures that functional safety is guaranteed while control system updates are running.


Effects of control system updates on the safety system are prevented through the technological separation of the systems.

Advantages of separated systems:

  • Multiple levels of protection, in compliance with both the functional safety standard IEC 61511 and security standard IEC 62443
  • Independent layers of protection
  • Guaranteed freedom from repercussions between the systems (by design): changes in one system cannot feed back into the other
  • Elimination of "common cause" errors that result in safety-critical situations or undesired shutdowns
  • Avoidance of safety-critical design, programming and operating errors through the mixing of safe/non-safe elements ("human common cause" errors)
  • Clear separation of technical and organizational responsibilities
  • In cases of doubt, fulfillment of the requirement of separated layers specified in IEC 61508/11 results in greater legal certainty
  • Emphasizes the different lifecycles of operating and safety layers because operating equipment is dynamic and safety equipment is static
  • Corresponds to the requirement of "Good Engineering Practice" in critical applications

Integrated and nonetheless safe

So, how can profitability and the necessary independence of the systems be reconciled? The following aspects must be considered:

  1. SILworX® as an independent engineering tool
  2. Structural integrity of the automation platform
  3. Integration of operating information and maintenance information

  1. Independent engineering processes

    According to IEC 61511, the required functional independence of the various levels of protection of a system is not restricted to the technical implementation of the functionality. It also requires that, based on an evaluation of the level of safety reached, or for a higher SIL (see IEC 61508), an engineering process be established in which execution and testing are carried out by independent departments or organizations.

    On one hand, functional independence is achieved in practice through the introduction of an appropriate management process; on the other hand, it is achieved by having only qualified and trained personnel carry out the engineering of the safety controller. Thus, by design, closed and diverse safety systems support functional independence.



    SILworX as an independent engineering tool

    An independent engineering tool for the safety system avoids "common cause" errors, yet nonetheless offers the possibility of easy data import and integration of data in the operating and monitoring function of the process control system. The advantages:

    • Clear separation of duties and responsibilities
    • Engineering and change processes for the safety system are independent from those of the operating equipment
    • Independent engineering system enables secure physical separation
    • Focus on easy and safe handling of the safety system
    • Prevention of user errors by supporting a secure operating philosophy
    • Secure access rights by an integrated user administration for project and control
    • Shared databases or the same database access mechanisms that store or change the configuration data of the operational automation, as well as the safety functions, are not used
    • The risk of the safety system being manipulated through changes made on the process control system is reduced (manipulation of the safety controller via the engineering path of the control system was one of the active mechanisms of the STUXNET malware)
    • SILworX enables the comprehensive transfer of configuration data (tag names, scaling, message texts, addresses, etc.) and complete functions (e.g., information concerning the logic to be implemented) from higher-level engineering systems

  2. Structural integrity of the automation platform

    A HIMA safety controller is more robust against cyber attacks because it uses custom-developed structures supported by:

    • More than 45 years of experience of developing safety systems with code reviews and quality management
    • Proprietary HIMA operating systems with unpublished content
    • Reduced number of functions, leaving only those necessary for the operation of HIMA automation platforms
    • Reduced scope and complexity of the operating system; unlike generic operating systems, virtually complete function tests are possible

    The combination of "relative simplicity" and extensive function tests supplies such a high degree of robustness that regular patches are not necessary.


  3. Integration of operating information and maintenance information

    In spite of the required independence, extensive integration of operating information and maintenance information is necessary for the operating safety in the plant. HIMA systems can be integrated in all leading control systems. In this regard we take responsibility for the PCS-SIS integration and enable the desired functionalities.

    For our data integration, all interfaces to external systems are completely described functionally as part of a "whitelisting". This includes:

    • Data areas (where data is written/read)
    • Data content (which values the transferred data can have)
    • Interface functions (which commands will be accepted and when)

    All activities on an external interface that do not comply with the predefined rules will be ignored.
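As an added illustration of the three whitelist dimensions just listed (data areas, data content, interface functions) and of the "ignore everything not explicitly allowed" rule, the following Python example enforces such an interface whitelist over a batch of constructed requests arriving from a process control system. It is example code written for this page, not HIMA's product or protocol; the register addresses, value limits, command names and the conditions under which commands are accepted are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    """One message arriving from the process control system (constructed format)."""
    kind: str                       # "read", "write" or "command"
    address: Optional[int] = None   # register address for read/write
    value: Optional[float] = None   # payload for write
    command: Optional[str] = None   # command name for command requests


@dataclass
class SisState:
    """Constructed safety-system state consulted by the 'when' part of command rules."""
    maintenance_mode: bool = False
    trip_active: bool = False


@dataclass
class InterfaceWhitelist:
    readable: frozenset   # data areas the control system may read
    writable: frozenset   # data areas the control system may write
    limits: dict          # data content: address -> (min, max) allowed for writes
    commands: dict        # interface functions: name -> predicate(SisState) saying when it is accepted

    def evaluate(self, req: Request, state: SisState):
        """Return (accepted, reason). Anything not explicitly allowed is rejected."""
        if req.kind == "read":
            if req.address in self.readable:
                return True, "read of whitelisted area"
            return False, f"read of address {req.address} not whitelisted"
        if req.kind == "write":
            if req.address not in self.writable:
                return False, f"write to address {req.address} not whitelisted"
            lo, hi = self.limits[req.address]
            if req.value is None or not (lo <= req.value <= hi):
                return False, f"value {req.value} outside allowed range [{lo}, {hi}]"
            return True, "write within whitelisted area and range"
        if req.kind == "command":
            rule = self.commands.get(req.command)
            if rule is None:
                return False, f"command {req.command!r} not whitelisted"
            if not rule(state):
                return False, f"command {req.command!r} not accepted in current state"
            return True, "command accepted"
        return False, f"unknown request kind {req.kind!r}"


def apply_requests(wl: InterfaceWhitelist, state: SisState, requests):
    """Run a batch through the whitelist. Rejected requests are ignored (they have no
    effect on the safety system) and only logged; accepted ones are returned."""
    accepted, log = [], []
    for req in requests:
        ok, reason = wl.evaluate(req, state)
        log.append(("ACCEPT" if ok else "IGNORE", req, reason))
        if ok:
            accepted.append(req)
    return accepted, log


# Constructed whitelist for a hypothetical PCS-SIS link (addresses and limits are made up).
EXAMPLE_WHITELIST = InterfaceWhitelist(
    readable=frozenset(range(1000, 1100)),        # status/diagnostic area
    writable=frozenset({2000, 2001}),              # operator setpoints only
    limits={2000: (0.0, 100.0), 2001: (-20.0, 60.0)},
    commands={
        # constructed conditions: acknowledging an alarm is always accepted,
        # resetting a trip only in maintenance mode and while no trip is active
        "ack_alarm": lambda s: True,
        "reset_trip": lambda s: s.maintenance_mode and not s.trip_active,
    },
)

# Constructed traffic: each rejected line violates exactly one whitelist dimension.
CONSTRUCTED_TRAFFIC = [
    Request("read", address=1005),
    Request("read", address=3000),                 # data area: outside readable range
    Request("write", address=2000, value=42.0),
    Request("write", address=2000, value=250.0),   # data content: out of range
    Request("write", address=1005, value=1.0),     # data area: read-only
    Request("command", command="ack_alarm"),
    Request("command", command="reset_trip"),      # interface function: wrong state
    Request("command", command="download_logic"),  # interface function: not whitelisted
]


def run_demo():
    """Evaluate the constructed traffic while a trip is active; returns accepted requests."""
    state = SisState(maintenance_mode=False, trip_active=True)
    accepted, log = apply_requests(EXAMPLE_WHITELIST, state, CONSTRUCTED_TRAFFIC)
    for verdict, req, reason in log:
        print(f"{verdict:6} {req.kind:8} {reason}")
    return accepted


if __name__ == "__main__":
    run_demo()
```

Of the eight constructed requests only three pass (one read, one in-range setpoint write, one unconditional command); the rest are logged and dropped without touching the safety system. The point worth keeping from the design is that the whitelist is the only path to an effect, so a request that is not matched by a positive rule needs no special handling: it is simply ignored.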

