The demand for integrated safety solutions is increasing due to rising cost pressures and the growing complexity involved in the planning and operation of safety-critical systems. IEC 61511 requires the preservation of all layers of protection wherever possible. Independence, diversity and physical separation are demanded for each of these layers of protection. With regard to cybersecurity, IEC 61511 ED 2 also requires dedicated risk monitoring.
Safety without compromises
The safety system and the process control system are autonomous and able to act as separate layers of protection (as defined in IEC 61511) only when they are based on different platforms, development principles and philosophies. This diversity reduces the errors that would affect several layers of protection simultaneously (common cause and systematic errors).
A separate safety system preserves the layers of protection and thus reduces the risk arising from cyber attacks.
IEC 61511 requires the preservation of all levels of protection.
Appropriate patch management is essential for the standardized hardware and software used in process control technology. Patching eliminates weaknesses in the process control software and in the operating system. Problems can occur, however, because the complexity of the software architecture makes it difficult or impossible to assess the risks introduced by an update. As a consequence, if the safety system is integrated into the process control system, patching the process control system may also affect the functionality of the safety system.
If risks of personal injury and/or environmental damage exist, the operator is obligated to ensure that patch processes do not introduce errors that result in critical situations. Only the physical separation of the process control system and the safety system ensures that functional safety remains guaranteed while control system updates are running.
Effects of control system updates on the safety system are prevented through the technological separation of the systems.
So, how can profitability and the necessary independence of the systems be reconciled? The following aspects must be considered:
1. Independent engineering processes
According to IEC 61511, the required functional independence of the various levels of protection of a system is not restricted to the technical implementation of the functionality. It also requires that the assessment of the safety level achieved, or the achievement of a higher SIL (see IEC 61508), is backed by an engineering process in which execution and testing are carried out by independent departments or organizations.
In practice, functional independence is achieved on the one hand through the introduction of an appropriate management process, and on the other hand by having only qualified and trained personnel implement the engineering of the safety controller. Thus, by design, closed and diverse safety systems support functional independence.
SILworX as an independent engineering tool
An independent engineering tool for the safety system avoids "common cause" errors while still offering easy data import and integration of data into the operating and monitoring functions of the process control system. The advantages:
2. Structural integrity of the automation platform
A HIMA safety controller is more robust against cyber attacks because it uses custom-developed structures supported by:
The combination of "relative simplicity" and extensive function tests provides such a high degree of robustness that regular patches are not necessary.
3. Integration of operating information and maintenance information
In spite of the required independence, extensive integration of operating information and maintenance information is necessary for safe plant operation. HIMA systems can be integrated into all leading control systems. In this regard we take responsibility for the PCS-SIS integration and enable the desired functionalities.
For our data integration, all interfaces to external systems are completely described functionally as part of a "whitelisting". This includes:
All activities on an external interface that do not comply with the predefined rules will be ignored.
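The default-deny behaviour described above, as an added example that is not HIMA's code: each rule states which peer may perform which operation on which data points of the SIS interface, and any request not covered by a rule is ignored. Peer names and tag names are constructed for illustration.

```python
"""Added example: a functional allow-list for a PCS-SIS data interface."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    source: str           # external peer permitted to use the interface
    operation: str        # "read" or "write"
    tags: frozenset       # data points the peer may access with that operation


@dataclass(frozen=True)
class Request:
    source: str
    operation: str
    tag: str


# Constructed allow-list: the PCS may read status data and acknowledge alarms.
# Nothing else is described functionally, so nothing else is permitted.
ALLOW_LIST = (
    Rule("pcs-server-01", "read", frozenset({"SIS.PT101.value", "SIS.ESD.status"})),
    Rule("pcs-server-01", "write", frozenset({"SIS.ALARM.ack"})),
)


def is_permitted(req: Request, rules: Iterable[Rule]) -> bool:
    """A request is permitted only if some rule matches peer, operation and tag."""
    return any(req.source == r.source and req.operation == r.operation
               and req.tag in r.tags for r in rules)


def filter_requests(requests: Iterable[Request],
                    rules: Iterable[Rule]) -> Tuple[List[Request], List[Request]]:
    """Split traffic into accepted and ignored requests; ignored ones are worth logging,
    since a burst of them points to a misconfigured peer or unexpected activity."""
    accepted, ignored = [], []
    for req in requests:
        (accepted if is_permitted(req, rules) else ignored).append(req)
    return accepted, ignored


# Constructed traffic sample.
SAMPLE = [
    Request("pcs-server-01", "read", "SIS.PT101.value"),    # permitted
    Request("pcs-server-01", "write", "SIS.ALARM.ack"),     # permitted
    Request("pcs-server-01", "write", "SIS.ESD.status"),    # write to a read-only tag
    Request("eng-laptop-07", "read", "SIS.PT101.value"),    # peer not described
    Request("pcs-server-01", "read", "SIS.LOGIC.program"),  # tag not described
]

if __name__ == "__main__":
    ok, dropped = filter_requests(SAMPLE, ALLOW_LIST)
    print(f"accepted {len(ok)}, ignored {len(dropped)}")  # accepted 2, ignored 3
```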