The object-oriented structure, the extraordinary flexibility and the ability to meet the highest safety demands have made SIMATIC WinCC Open Architecture the preferred solution for complex, large-scale and/or safety-critical projects.

Many individual mechanisms and functions guarantee safety, security, reliability and availability of data; these include:

  • Secure data transfer, also across public networks and geographically widely distributed architectures

  • Security functionalities (logon, authorization system, automatic logoff)

  • System stability through diagnosis functions

  • Controlled handling of overload

  • Exclusion of data tampering through logging

  • Redundancy through hot standby system

  • Distributed system through functional split across autonomous subsystems

  • Disaster Recovery System (redundant data storage in a geographically separated second control center)


SSL encryption

SSL encrypted communication / Multiplexing Proxy
SSL (Secure Sockets Layer) is a cryptographic protocol designed to provide communication security over a network.
From version 3.12, SSL encryption is used consistently for the communication of managers with each other and with all clients. It is implemented directly in the manager base class and is active by default when a new project is created.


Main features of the Multiplexing Proxy:

  • A reduction of open network server ports (only one per system)

  • Blocking of denial-of-service attacks

  • Multiplexing Proxy may run under a low-privileged user account (different from other managers)


Benefits of SSL encryption:

  • Highest data security

  • Because SSL encryption is enabled by default in WinCC OA, the security of communication is extended throughout the system


WinCC OA Secure - Kerberos

WinCC OA Secure is a third-party authentication mechanism based on Kerberos, developed by MIT. It uses symmetric-key encryption and transfers no passwords over the network, providing secure protection of internal and external communication.

  • WinCC OA Secure enables the authentication, integrity and encryption of the communication

  • No transfer of User/Password information via the network

  • Fast, since a symmetric encryption protocol is used

  • Allows Single-Sign-On

  • Proven method

  • State of the Art


Hot standby redundancy

With the aid of the well-thought-out redundancy concept of SIMATIC WinCC Open Architecture, the demands of plant engineers and operators in terms of availability as well as process and data security can be fulfilled.

  • Hot standby redundancy with dual computer systems

  • In a redundant system each user interface is linked to both the active and the passive system. Redundancy switching is thus seamless and does not impair system operability

  • Automatic switching is performed in the tenth-of-a-second range without data loss

  • Automatic matching of process image, alarm data and history at system start-up

  • Freely configurable switching mechanisms with weighted error status evaluation

  • Additional security by means of differentiating between computer and network failure

  • Redundant network connections between different computers

  • Split mode with redundancy: testing of new configurations and parameterizations without interfering with operation
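As an added illustration (not WinCC OA's own code), the following Python model sketches the switching decision described in the bullets above: a weighted error status per host, a configurable switching threshold, and the distinction between a computer that has failed and one that has merely lost one of its redundant network connections. All error names, weights, thresholds and host names are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Assumed weights: how much each error condition counts toward a switch-over.
DEFAULT_WEIGHTS = {"db_down": 60, "driver_down": 40, "disk_full": 30, "cpu_overload": 10}
SWITCH_THRESHOLD = 50  # assumed: switch when the active host's weighted score exceeds this


@dataclass
class HostStatus:
    name: str
    errors: set = field(default_factory=set)  # active error conditions reported by the host
    heartbeat_net1: bool = True  # heartbeat received over the first network connection
    heartbeat_net2: bool = True  # heartbeat received over the redundant second connection


def error_score(host, weights=DEFAULT_WEIGHTS):
    """Weighted error status: sum of the weights of all active error conditions."""
    return sum(weights.get(e, 0) for e in host.errors)


def classify_failure(host):
    """Tell a computer failure from a network failure using the two redundant links:
    'ok' (both heartbeats), 'network' (one link lost, host alive), 'host' (no heartbeat)."""
    if host.heartbeat_net1 and host.heartbeat_net2:
        return "ok"
    if host.heartbeat_net1 or host.heartbeat_net2:
        return "network"
    return "host"


def decide_switch(active, passive, weights=DEFAULT_WEIGHTS, threshold=SWITCH_THRESHOLD):
    """Return (switch, reason) from the passive host's view of the active host."""
    state = classify_failure(active)
    if state == "host":
        return True, "active host unreachable on all network connections"
    if state == "network":
        # A single lost link is not a host failure; switching here could cause split-brain.
        return False, "network fault on one link only, active host still alive"
    a, p = error_score(active, weights), error_score(passive, weights)
    if a > threshold and p < a:
        return True, f"active score {a} exceeds threshold {threshold}, passive score {p} is better"
    return False, f"active score {a} within tolerance"


if __name__ == "__main__":
    act = HostStatus("ctrl-a", errors={"db_down"})  # constructed sample status
    print(decide_switch(act, HostStatus("ctrl-b")))
```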


Disaster Recovery System

High availability and breakdown security are significant factors in automation technology. Even a short downtime can cause considerable costs and safety risks. The Disaster Recovery System secures the availability of the installation and data retention, even in the event of a total failure of the Master Control Center.

This system extends the single redundancy with a second redundant system to which operation can be switched in the event of a malfunction (e.g. an emission, a fire or an explosion in the building housing the primary system). This additional redundancy provides the highest level of availability.

The Disaster Recovery System is designed as a warm standby system and consists of two geographically separated hot standby systems, the Master Control Center and the Disaster Recovery Center, connected by a high-availability dedicated line. In normal operation, the Master Control Center is permanently connected to the periphery. In the event of a total breakdown of the Master Control Center, the geographically separated Disaster Recovery Center automatically takes over all monitoring and control activities and activates its own local periphery drivers.

A further characteristic of the Disaster Recovery System is the local retention of archive data in the Oracle databases of both hot standby systems. This means that historical data can be accessed at all times. All database queries remain within the local network and thus require less bandwidth. To keep the data in both systems up to date, the historical data of both systems are, in normal operating mode, actively written to each system's own Oracle database. Synchronization of the data ensures redundant data retention.

The Disaster Recovery System is an extension of today's SCADA redundancy concept: it reduces the probability of data loss to a minimum, guarantees faultless operation of the entire system and reduces excessive downtimes.

SIL3 certification according to IEC 61508

SIL 3 CERTIFICATE (Certificate number QS/324/07/145/01/08)

With SIL3 certification, the independent TÜV SÜD (Technical Inspection Agency, South Germany) attests that SIMATIC WinCC Open Architecture can be deployed in safety-critical projects as a process visualization and control system.

The SIL3 certification offers users significant benefits: by using SIMATIC WinCC Open Architecture, planners, integrators and end customers save time, and consequently money, because the entire acceptance process of the control system is clearly simplified. When the deployed hardware is also SIL3 certified (e.g. SIMATIC S7), "only" the specific application that is created must be certified. Satisfying SIL3 safety requirements is relevant, among other areas, for pressurized installations such as gas turbines and boiler protection, and for train control systems.

System integrators, planners and end customers additionally benefit from the long-standing experience in mission-critical applications and the comprehensive service portfolio. Binding design and configuration requirements are provided in the form of a guideline backed by professional expertise. This reduces staffing costs and time during acceptance and commissioning. This economic benefit is complemented by the high degree of scalability and unlimited flexibility of SIMATIC WinCC Open Architecture.

SIL3 in detail
IEC 61508 is the international standard regulating the functional safety of electrical, electronic and programmable electronic systems. Part three of the IEC 61508 standard covers the high demands regarding responsibilities, processes, documentation and techniques when designing and appraising safety-relevant software applications.
The IEC 61508 standard uses "safety integrity" as its quality classification, which encompasses four levels from SIL1 (relatively low demands) up to SIL4 (very high demands). Failure of an application that must comply with SIL3 safety requirements would probably lead to dire consequences for the community and/or risk of death for several people. It is therefore crucial that all components of safety-related systems, or at least those identified in the risk analysis and specification, satisfy the safety integrity level (SIL) requirements; this also applies to control systems.