
PLC-Implementation of Emergency Shut-Down Systems

Wolfgang A. Halang
FernUniversität, Department of Electrical Engineering
D-58084 Hagen, Germany

Johan Scheepstra
Rijksuniversiteit Groningen, Department of Computing Science
P. O. Box 800, NL-9700 AV Groningen, The Netherlands

Abstract

The task of safeguarding systems is to bring processes from dangerous into
safe states. A special class of safeguarding systems are
emergency shut-down systems (ESD), which, until now, are only
implemented in inherently fail safe hard wired forms. Despite their
high reliability, there is an urgent industrial need to replace them
by more flexible systems. Therefore, a low complexity, fault detect-
ing computer architecture was designed, on which a programmable
logic controller for ESD applications can be based. Functional logic
diagrams, the traditional graphical specification tool of ESDs, are
directly supported by the architecture as appropriate user oriented
programming paradigm. Thus, by design, there is no semantic gap
between the programming and machine execution levels enabling
the safety licensing of application software by formal methods or
back translation. The concept was proven feasible by a working
demonstration model.

1 Introduction
Many technical systems have the potential of disastrous effects on, for instance,
the environment, equipment, employees, or the general public in case of mal-
functions. An important objective of the design, construction, and commis-
sioning of such systems is, therefore, to minimise the chances that hazards
occur. One possibility to achieve this goal is the installation of a system whose
only function is to supervise a process and to take appropriate action if any-
thing in the process turns dangerous. So, to prevent hazards, many processes
are guarded by these so called safeguarding systems. A special kind of such
systems are Emergency Shut-Down systems (ESD), which are defined as:

A system that monitors a process, and only acts - i.e., guides the
process to a static safe state (generally, a process shut-down) - if
the safety of either human beings, the environment, or investments
is at stake.

J. Górski (ed.), SAFECOMP ’93
© Springer-Verlag London Limited 1993
54

The mentioned monitoring consists of observing whether certain physical quantities
such as temperatures or pressures stay within given bounds and of supervising
Boolean quantities for value changes. Typical ESD actions are opening or
closing valves, operating switches etc. Structurally, ESDs are functions com-
posed of Boolean operators and delays. The latter are required, because in
start-up and shut-down sequences often some monitoring or actions need to be
delayed. Originally, safeguarding systems were constructed pneumatically and
later, e.g., in railway signalling, with electromagnetic relays. Nowadays, most
systems installed are based on integrated electronics and there is a tendency
to use microcomputers.
The current (electrical) systems used for emergency shut-down purposes are
hard wired and each family makes use of a certain principle of inherently fail
safe logic. The functionality of an ESD system is directly implemented in
hardware out of building blocks for the Boolean operators and delays by in-
terconnecting them with wires. These building blocks are fail safe, i.e., any
internal failure causes the outputs to assume the logically false state. Unless
implemented wrongly, this results in a logically false system output, which in
turn causes a shut-down. Thus, any failure of the ESD system itself will lead
to a safe state of the process (generally a process shut-down). This technol-
ogy, used successfully for decades now, has some very strong advantages. The
simplicity of the design makes the hardware very reliable. The one-to-one map-
ping of the client's specification expressed as functional logic diagrams (FLD) to
hardware modules renders implementation mistakes virtually impossible. The
"programming" consists of connecting basic modules by means of wires, stress-
ing the static nature of such systems. Finally, the fail safe character of hard
wired systems is a very strong advantage. But there are also disadvantages
that gave rise to the work reported here.
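The fail-safe principle just described can be made concrete with a small simulation. The following is an added example, not code from the paper or from the demonstration model it describes: a toy evaluator for a functional logic diagram built from AND, OR and on-delay blocks, where every block yields the logically false value while it has an internal fault. The diagram, its block names and the delay length are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed example: each block is fail-safe, i.e. an internal fault forces
# its output to false, so a fault anywhere propagates to a false system
# output (the shut-down command) unless the diagram is wired wrongly.

@dataclass
class Block:
    op: str                                   # "IN", "AND", "OR" or "DELAY"
    inputs: list = field(default_factory=list)
    delay: int = 0                            # DELAY: scans the input must hold true
    faulty: bool = False                      # modelled internal failure of this module
    count: int = 0                            # DELAY: consecutive true scans seen

def evaluate(blocks, name, values, cache):
    """Evaluate block `name` for one scan; `cache` memoises results per scan
    so that every DELAY block ticks exactly once per scan."""
    if name in cache:
        return cache[name]
    b = blocks[name]
    if b.faulty:                              # fail-safe: any fault => false
        out = False
    elif b.op == "IN":
        out = bool(values[name])
    elif b.op in ("AND", "OR"):               # evaluate all inputs, no short-circuit
        ins = [evaluate(blocks, i, values, cache) for i in b.inputs]
        out = all(ins) if b.op == "AND" else any(ins)
    else:                                     # DELAY: on-delay, any false resets timer
        inp = evaluate(blocks, b.inputs[0], values, cache)
        b.count = b.count + 1 if inp else 0
        out = inp and b.count > b.delay
    cache[name] = out
    return out

def build_fld():
    """Constructed diagram: permit to run only if the temperature is in bounds
    and the pressure has been in bounds for more than 3 consecutive scans."""
    return {
        "pressure_ok":     Block("IN"),
        "temp_ok":         Block("IN"),
        "pressure_stable": Block("DELAY", ["pressure_ok"], delay=3),
        "permit":          Block("AND", ["pressure_stable", "temp_ok"]),
    }

def run(blocks, scans, output="permit"):
    """Run successive scans (a list of input dicts) and return the output trace;
    a false output means the ESD commands a process shut-down."""
    return [evaluate(blocks, output, values, {}) for values in scans]

if __name__ == "__main__":
    ok = {"pressure_ok": True, "temp_ok": True}
    print(run(build_fld(), [ok] * 5))                  # delay holds the trip, then permits
    fld = build_fld(); fld["temp_ok"].faulty = True    # inject an internal failure
    print(run(fld, [ok] * 5))                          # all false: shut-down
```

Inverting a fail-safe signal (a NOT block) would turn a fault-induced false into a true and is exactly the kind of wrong implementation the paragraph above excludes, which is why the diagram is kept monotone.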
Economical considerations impose stringent boundary conditions on the de-
velopment and utilisation of technical systems. This holds for safety related
systems as well. Since manpower is becoming increasingly expensive, also safety
related systems need to be highly flexible, in order to be able to adjust them
to changing requirements at low costs within short times. In other words,
safety related systems such as ESDs must be program controlled in order to
relieve hard wired logic of taking care of safety functions in industrial
processes. Owing to their simplicity, the most promising alternative to hard
wired logic in ESD systems are programmable logic controllers (PLC), which
can provide the same functionality. However, although a reasonable hardware
reliability can be obtained by redundancy, constructing dependable software
constitutes a serious, still unsolved problem.
