In multilayer vital control systems, including safety-critical control systems, each layer of the control system needs to be able to safely shut down both itself and the layers beneath it that it controls. Thus, when a control-layer device acts as a master unit to a slave unit and detects a fault in the slave unit, the master unit needs to be able to shut down the slave unit in a vital manner. Often, the slave unit in such a system is remotely located relative to the master unit.
In a soft shutdown, a master unit sends a shutdown command over a communication channel to a slave unit, or ceases communication over the communication channel, and in response the slave unit shuts down. This approach relies on software, so a failure in software execution can result in an inability to send the shutdown command or to cease communication. The design therefore depends on a probabilistic assessment that all software failure modes have been adequately addressed.
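The slave side of the soft shutdown described above, as an added example in C that is not part of the original document: the slave de-energizes its outputs on an explicit shutdown command and, equally, when the master's heartbeats stop, so that silence caused by a master software failure still ends in the safe state. The message types, sequence numbers, the 300 ms timeout and the simulated master schedule are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical message types on the master-to-slave channel (assumed, not from the page). */
typedef enum { MSG_HEARTBEAT = 1, MSG_SHUTDOWN = 2 } msg_type_t;

typedef struct { msg_type_t type; uint32_t seq; } msg_t;

typedef struct {
    bool     energized;         /* true: outputs live; false: latched in the safe (de-energized) state */
    uint32_t last_seq;          /* last accepted sequence number, to reject stale or replayed messages */
    uint32_t last_heartbeat_ms; /* slave's own clock reading when the last valid heartbeat arrived */
    uint32_t timeout_ms;        /* silence longer than this is treated exactly like a shutdown command */
} slave_t;

void slave_init(slave_t *s, uint32_t now_ms, uint32_t timeout_ms) {
    s->energized = true; s->last_seq = 0;
    s->last_heartbeat_ms = now_ms; s->timeout_ms = timeout_ms;
}

/* Handle one message from the master. Returns true if the message was accepted. */
bool slave_on_message(slave_t *s, const msg_t *m, uint32_t now_ms) {
    if (!s->energized) return false;                        /* safe state is latched once entered */
    if ((int32_t)(m->seq - s->last_seq) <= 0) return false; /* stale/replayed: must not refresh life */
    s->last_seq = m->seq;
    switch (m->type) {
    case MSG_SHUTDOWN:  s->energized = false; return true;  /* explicit soft-shutdown command */
    case MSG_HEARTBEAT: s->last_heartbeat_ms = now_ms; return true;
    default:            return false;                       /* unknown type is not proof of life */
    }
}

/* Periodic check on the slave's own clock: ceased communication also means shut down. */
bool slave_tick(slave_t *s, uint32_t now_ms) {
    if (s->energized && now_ms - s->last_heartbeat_ms > s->timeout_ms) s->energized = false;
    return s->energized;
}

/* Constructed scenario: the master heartbeats every 100 ms until t = 500 ms, then its software
 * hangs and sends nothing more. Optionally it issues an explicit shutdown at t = 250 ms first.
 * Returns the slave clock time at which the slave de-energized itself (0 if it never did). */
uint32_t simulate(bool master_sends_shutdown) {
    slave_t s; slave_init(&s, 0, 300);
    uint32_t seq = 0;
    for (uint32_t t = 0; t <= 2000; t += 10) {
        if (t % 100 == 0 && t <= 500) { msg_t m = { MSG_HEARTBEAT, ++seq }; slave_on_message(&s, &m, t); }
        if (master_sends_shutdown && t == 250) { msg_t m = { MSG_SHUTDOWN, ++seq }; slave_on_message(&s, &m, t); }
        if (!slave_tick(&s, t)) return t;
    }
    return 0;
}
```

With the assumed 300 ms timeout, the hung master is detected at 810 ms, whereas the explicit command takes effect at 250 ms; in both cases the outputs end up de-energized.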
In a hard shutdown, a master unit cuts off power to its outputs and relies on a direct galvanic connection between the master unit and the slave unit via a copper cable. This approach is feasible only over relatively short distances and can be vulnerable to electromagnetic interference and other environmental factors, such as lightning, especially in remote configurations.
Other options include configuring a slave unit as a vital unit itself, but this approach significantly increases system expense and complexity.