Separated Safety Systems


Separate Levels of Protection Reduce Risk

Every production process harbors risks. Companies in the process industry must understand precisely the requirements of the IEC 61511 standard for functional safety, then implement them correctly. A great deal is at stake: the health of the employees, the tangible assets of the company and the environment.

To reduce the risk of downtime and accidents, IEC 61511 requires separate levels of protection for the areas of control and monitoring, prevention and containment, and emergency measures. Each of these three levels assumes specific sub-functions to minimize risk; together they reduce the hazards that derive from the overall production process.



Cleanly Separating the Safety and Process Control Systems  

IEC 61511 also requires independence, diversity and physical separation for each level of protection. To meet this requirement, the functions of the different levels need to be sufficiently independent of one another. But what does this mean exactly?

Many think it is enough to use different I/O modules for the different levels. That’s not accurate, as automation systems also depend on the functions of I/O bus systems, CPUs and software.

Safety systems and process control systems are considered as autonomous safety levels, as defined by IEC 61511, only if they are based on different platforms, development principles and philosophies. In concrete terms, this means that the system architecture must be designed in such a way that none of the components of the process control system levels and the safety levels can be used concurrently.

Maximum Safety with Control System Patches

Standardized hardware and software in computer process control require patches from time to time to correct weaknesses in software and operating systems. Due to the complexity of the software architecture, however, it is difficult to impossible to assess the potential risks of a system update. Patches made in the process control system, for example, can also affect the functionalities of the integrated safety system.

To ensure that critical errors with unforeseeable consequences do not occur in safety-relevant processes, the process control system and safety system must be separated from each other technologically. Only in this way is there a guarantee that updates in the control system do not impair functional safety.

Despite Separation: Integration of Operating and Maintenance Information

Efficient operation of safety systems does require integrating general operating and maintenance information. Notwithstanding the independence required, HIMA systems can be easily integrated into every leading process control system.

In doing so, HIMA assumes the task of DCS-SIS integration and enables the functionalities required. Integration is achieved through high-capacity, cross-manufacturer communication standards.
For data integration, all interfaces to external systems are described functionally as part of a "whitelisting". This includes:

  • Data areas (where data is written/read)
  • Data content (which values the transferred data can have)
  • Interface functions (which commands will be accepted and when)

All activities on an external interface that do not comply with the pre-defined rules will be ignored. Every function needed for the integration of a safety system can, therefore, be mapped.
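An added illustration of the three whitelist dimensions listed above, not HIMA's implementation or configuration format: the register addresses, the SIS state names and the `check` and `filter_requests` functions are hypothetical. Anything that fails a rule is ignored, and the violated rule is recorded.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    command: str                 # interface function requested: "read" or "write"
    address: int                 # register the external system wants to access
    value: Optional[int] = None  # payload for writes

# Constructed whitelist; addresses and state names are hypothetical.
READ_AREAS = [(1000, 1099)]      # data area the DCS may read (status, diagnostics)
WRITE_RULES = {                  # address -> (permitted values, SIS states that accept it)
    2000: (range(0, 2), {"TRIPPED"}),               # reset request, only after a trip
    2001: (range(0, 2), {"MAINTENANCE"}),           # override request, only in maintenance
    2002: (range(0, 101), {"RUN", "MAINTENANCE"}),  # display value in percent
}

def check(req: Request, sis_state: str) -> Optional[str]:
    """Return None if the request matches the whitelist, else the rule it violates."""
    if req.command == "read":
        if any(lo <= req.address <= hi for lo, hi in READ_AREAS):
            return None
        return "data area"
    if req.command == "write":
        rule = WRITE_RULES.get(req.address)
        if rule is None:
            return "data area"
        values, states = rule
        if type(req.value) is not int or req.value not in values:
            return "data content"
        if sis_state not in states:
            return "interface function"   # command known, but not accepted now
        return None
    return "interface function"           # command not on the whitelist at all

def filter_requests(requests, sis_state):
    """Split requests into accepted ones and (request, reason) pairs that are ignored."""
    accepted, ignored = [], []
    for req in requests:
        reason = check(req, sis_state)
        if reason is None:
            accepted.append(req)
        else:
            ignored.append((req, reason))
    return accepted, ignored

if __name__ == "__main__":
    sample = [Request("read", 1050), Request("write", 2001, 1),
              Request("write", 2002, 150), Request("download", 0)]
    for req, reason in filter_requests(sample, "RUN")[1]:
        print("ignored:", req, "->", reason)
```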


IEC 61511: How to apply multiple layers of protection

Advantages of separated systems:

  • Multiple levels of protection, in compliance with both the functional safety standard IEC 61511 and security standard IEC 62443
  • Independent layers of protection
  • Guaranteed technically free of repercussions (by design)
  • Elimination of "common cause" errors that result in safety-critical situations or undesired shutdowns
  • Avoidance of safety-critical design, programming and operating errors caused by mixing safe and non-safe elements ("human common cause" errors)
  • Clear separation of technical and organizational responsibilities
  • In cases of doubt, fulfillment of the requirement of separated layers specified in IEC 61508/11 results in greater legal certainty
  • Emphasizes the different lifecycles of operating and safety layers because operating equipment is dynamic and safety equipment is static
  • Corresponds to the requirement of "Good Engineering Practice" in critical applications

More than 40 years of experience in safety-critical applications have taught us this: A separation of the process control system and safety system increases operating safety and the uptime of process technology systems, which improves operating efficiency in production. To learn more about the configuration of safety systems and complying with IEC 61511, contact our experts. They are ready to advise you.
