In thermal power plants and the like, electronic safety devices are used as safety devices that monitor the state of the plant, detect an abnormal state, and thereby shut the plant down safely. High reliability is required of safety devices in plants, and the requirements are laid down in the International Standard for Functional Safety, IEC 61508, and the like. For this reason, there have been increasing demands from plant users that these safety standards be observed.
Generally, in electronic safety devices, in order to increase their reliability, the computation devices that compute the logic of the safety functions (the logic is implemented by software running on a CPU board) are multiplexed. According to Non-Patent Document 1, computation devices are arranged in parallel and are thus multiplexed. Each computation device performs self-diagnosis, and the results of the computations are then compared among the computation devices, thereby detecting a failure of a computation device. Thus, the safety device (control device) disclosed in Non-Patent Document 1 reduces the probability that a failure will cause a malfunction at the time the safety function should work.
FIG. 16 is a diagram illustrating the configuration of a safety device according to the related art. As shown in FIG. 16, a safety device 900 disclosed in Non-Patent Document 2 is configured such that the same function is implemented by different technologies in order to reduce the probability that a failure will cause a malfunction at the time the safety function should work. The different technologies are such that an output switch SWa1 on the execution side is constituted by a semiconductor switch, and an output switch SWa2 on the idle side is constituted by a mechanical switch, as shown in FIG. 16. Similarly, the invention disclosed in Non-Patent Document 2 is configured such that the computation devices (CPUs) are connected in parallel and are thereby multiplexed, as shown in FIG. 16. Thus, the safety device 900 disclosed in Non-Patent Document 2 includes no hardware unit common to both sides, thereby reducing the probability that a failure will cause a malfunction at the time the safety function should work.
Generally, installing the same software on each of the multiplexed computation devices gives rise to common mode failures, which interfere with the achievement of high reliability. A common mode failure is a failure shared by all devices because they run a common application. For this reason, in the invention disclosed in Non-Patent Document 1, different software units are installed on the N multiplexed devices for diversification, thereby avoiding common mode failures. In the invention disclosed in Non-Patent Document 1, where a function is implemented by multiple software modules, each module is produced in one or more software versions. Additionally, in the invention disclosed in Non-Patent Document 1, the combination of modules is varied from device to device, so that the function is implemented by N versions of software.
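The following is an added illustration, not code from the cited documents, of the multiplexing with self-diagnosis and result comparison described above, with the three units being diverse software versions of one trip function; the trip limit, known-answer test vectors, unit names and injected faults are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed example: three diverse implementations of one safety function,
# "trip when the measured temperature exceeds the limit", so that a defect in
# one version is unlikely to be shared by the others (avoids common mode failure).
TRIP_LIMIT_C = 550.0
Version = Callable[[float], bool]

def version_a(temp_c: float) -> bool:
    return temp_c > TRIP_LIMIT_C

def version_b(temp_c: float) -> bool:
    # Same logic computed in integer tenths of a degree (different arithmetic path).
    return int(round(temp_c * 10)) > int(TRIP_LIMIT_C * 10)

def version_c(temp_c: float) -> bool:
    # Same logic expressed as "limit minus reading is negative".
    return (TRIP_LIMIT_C - temp_c) < 0.0

@dataclass
class Decision:
    trip: bool                                  # output sent to the plant
    failed_units: List[str] = field(default_factory=list)

def self_test(fn: Version) -> bool:
    """Known-answer test each unit runs before each cycle (constructed vectors)."""
    return fn(TRIP_LIMIT_C + 50.0) is True and fn(TRIP_LIMIT_C - 50.0) is False

def evaluate(units: Dict[str, Version], temp_c: float) -> Decision:
    """Run every unit, drop units that fail self-diagnosis, then compare results.
    A unit disagreeing with the majority is flagged as failed. If no majority of
    healthy units remains, the output is forced to the safe state (trip)."""
    failed = [name for name, fn in units.items() if not self_test(fn)]
    results = {name: fn(temp_c) for name, fn in units.items() if name not in failed}
    trips = sum(results.values())
    if len(results) < 2 or trips * 2 == len(results):
        # Too few healthy units, or a tie that cannot be resolved: fail safe.
        return Decision(trip=True, failed_units=failed)
    majority = trips * 2 > len(results)
    failed += [name for name, r in results.items() if r != majority]
    return Decision(trip=majority, failed_units=failed)
```

A unit that is stuck low is caught by its own self-test; a unit with a latent defect that passes the self-test is caught by the comparison once its result diverges from the other versions.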