The design of a highly reliable safety critical emergency shutdown system

An emergency shutdown system (ESD) by its nature should be fail-safe. That is, in case of failure in any of its operations, in order to safeguard human life, property and the environment, it should shut down the plant that it controls. However, a complete shutdown, for example, of a petrochemical or nuclear plant is extremely costly. Therefore, as an alternative, the design of highly reliable emergency shutdown systems should be investigated. The major difference between a shutdown system and other control systems is the degree of tolerable operational integrity. A malfunction in the latter is immediately visible and the system can be replaced by a fully operational one. A shutdown system on the other hand is usually, sometimes for years and hopefully forever, 'dormant'. When, however, a true emergency situation arises and real demand is placed on it, it must be fully functional. Reliability is of paramount importance. Therefore, besides applying structured design techniques and improved testability other design methods will also need to be incorporated in the final system in order to increase its reliability. (C) 1998. Published by Elsevier Science Limited.