1. Background
During a recent safety inspection organized by the Municipal Emergency Management Bureau, one of the reviewing experts insisted that enterprises should add an automatic (emergency) shutdown function in the Distributed Control System (DCS) and configure a corresponding software button on the operator interface.
As a participant in this inspection, I raised an objection. According to industry standards and system functionality, the DCS should not be responsible for emergency shutdown (ESD) functions. This raised a key question:
👉 Should the emergency shutdown button be integrated into the DCS or the Safety Instrumented System (SIS)?
2. Functional Positioning of DCS vs. SIS
Basic Process Control System (BPCS / DCS):
Designed for routine process monitoring, regulation, and optimization. Focus is on productivity, product quality, and efficiency.Safety Instrumented System (SIS):
Dedicated to safety protection in abnormal or hazardous conditions. Responsible for triggering emergency shutdowns, isolating energy, and preventing escalation of incidents.
📌 According to standard design logic:
Emergency Shutdown Button (ESD button) belongs to the SIS, not the DCS.
Keeping ESD within SIS ensures independence, reliability, and compliance during emergencies.
3. Regulatory Basis
The SH/T 22820-2024 “Engineering Design Specification for Chemical Safety Instrumented Systems” explicitly requires that ESD buttons must be designed and operated under SIS, independent of the BPCS/DCS.
Similarly, the Notice on the Automation Transformation Guide for Chlorination, Fluorination, Diazotization, and Peroxidation Processes (Liao Emergency Hazardous Chemicals [2025] No. 10) also specifies:
ESD must be independent of the BPCS/DCS.
A software button should be configured on the operator interface.
Physical buttons with protective covers must be installed in the control room and at appropriate field locations.
This confirms that the inspection checklist contained inconsistencies due to drafting errors. If enterprises implemented the requirement incorrectly, it would violate national standards and increase risks.
4. Risks of Misplacing ESD in DCS
If enterprises were to configure emergency shutdown buttons in the DCS:
System Confusion: Mixing process control and safety functions may lead to delayed or failed shutdown actions.
Reduced Reliability: A DCS failure or cyberattack could compromise safety protection.
Cost and Compliance Issues: Enterprises may face unnecessary retrofit expenses and fail future audits.
Case in Practice: Some plants that mistakenly embedded ESD in the DCS later had to reconfigure a dedicated SIS module, doubling costs and causing shutdown delays during modification.
5. Practical Recommendations
Always implement ESD functions under SIS, not under DCS.
Configure both software buttons (HMI) and physical buttons (with protective covers) in compliance with standards.
Ensure safety independence during design and inspection phases.
Experts and inspectors should strictly rely on standards to avoid misleading enterprises into non-compliant practices.
6. Conclusion
The role of DCS is process control, while SIS is responsible for safety protection.
Emergency shutdown buttons must always be configured under SIS to ensure independence, reliability, and compliance.
✅ Key Takeaway:
Enterprises should not add ESD buttons inside DCS systems. Instead, follow national safety standards and deploy them in SIS, with corresponding software and physical buttons.