7 Safety & monitoring

"This chapter describes how the previously defined model acts – not what is modeled."

7. Security Architecture

This chapter describes, how security is conceived, modeled and made effective in Selmo.

Security in Selmo is:

not an addition
not a special case
not an exception to the logic

Security is an integral part of the model.

7.1 Security as a Property of the Model

In classical control systems, security is often:

considered outside the process
implemented in separate programs or layers
added as a reaction to risks

Selmo pursues a different approach:

Security arises where behavior is described explicitly.

This means:

Security relevance is modeled
monitoring is unambiguously defined
reactions are determined deterministically

Therefore, security is not a reactive element, but a the consistent consequence of clear models.

7.2 Separation of Types of Security

Selmo consciously distinguishes different levels of security:

Process safety → protection against inadmissible state combinations → implemented via Interlock (i)
system integrity → protection of people, machines and plants → implemented via CMZ
Operator safety in manual operation → protection against incorrect manual actions → implemented via MXIC

These mechanisms:

complement each other
are clearly delineated
are not mixed

Each safety function has a unique task.

7.3 Security Always Applies

A central principle in Selmo is:

Security is independent of the operating mode.

This means:

Security applies in automatic operation
Security applies in manual operation
Security applies during commissioning
Security does not know a "service mode"

Monitoring is:

permanently active
state-dependent or state-independent
hierarchically effective

7.4 Hierarchical Security Effect

Safety mechanisms act in a clear hierarchy:

Plant └─ Hardware Zone └─ Sequence

A deviation:

at a higher level
overrides all underlying levels

Examples:

Plant-CMZ stops the entire plant
HW-Zone-CMZ stops all contained sequences
Interlock stops a single sequence

The higher the level, the greater the effect.

7.5 Distinction from Hardware Safety

Selmo does not replace no:

emergency stop chain
safe shutdown
safety PLC
mechanical protective measures

Selmo complements these with:

formal description
deterministic monitoring
traceable reactions

Hardware safety protects physically. Selmo security protects logically and systemically.

7.6 Structure of This Chapter

Chapter 7 is divided into the following parts:

7.1 Interlock (`i`)

→ state-dependent process safety

7.2 CMZ – Constantly Monitoring Zone

→ state-independent system integrity → Sequence / Hardware Zone / Plant

7.3 Further Monitoring

→ Pair check → Bear check → Plausibility checks

Transition to the details

The following sections describe:

how individual safety mechanisms work
when they are used
how they complement each other

Security in Selmo is not a separate chapter – it is a structural principle.

PreviousMXIC – Manual Cross Interlock NextInterlock (I)

Last updated 2 months ago

Was this helpful?

Good evening

hashtag7. Security Architecture

hashtag7.1 Security as a Property of the Model

hashtag7.2 Separation of Types of Security

hashtag7.3 Security Always Applies

hashtag7.4 Hierarchical Security Effect

hashtag7.5 Distinction from Hardware Safety

hashtag7.6 Structure of This Chapter

hashtag7.1 Interlock (i)

hashtag7.2 CMZ – Constantly Monitoring Zone

hashtag7.3 Further Monitoring

hashtagTransition to the details