Information processing apparatuses with a redundant control system are known for monitoring a plant or safely controlling a field device. Known types include a stand-by control apparatus, which sets one of two control channels to stand-by status, and a redundant control apparatus, which duplicates two control channels to give priority to safety.
A redundant control apparatus is generally equipped with a first processing unit and a second processing unit that independently execute the same processing. The first and second processing units are equipped with a diagnostics unit that compares two sets of operation data (the processing results of the first and second processing units) and decides whether the apparatus itself has failed. A redundant control apparatus that performs this comparison decision on operation data without lowering the throughput of the first and second processing units has been disclosed (for example, refer to Japanese Patent No. 396599 (Patent reference 1)).
Furthermore, as a technique for deciding by comparison whether two pieces of data match, falsification of data is detected by comparing a hash value calculated from the original, unfalsified data with a hash value calculated from data that may have been falsified (for example, refer to JP-A 2005-242871 (Kokai) (Patent reference 2)).
Furthermore, for a system that cannot compare the original, unfalsified data with the possibly falsified data, a technique has been disclosed that detects falsification by comparing a hash value calculated from the possibly falsified data with a hash value previously attached to the data (for example, refer to JP-A 11-285582 (Kokai) (Patent reference 3)).
The redundant control apparatus is equipped with a diagnostics unit that detects failure of the apparatus itself by deciding, through comparison, whether the operation data from the two channels (the two processing units) match. To improve the reliability of the decision processing of the diagnostics unit, the operation data from the two channels must be compared in detail: not only the output data from the two processing units, but also the input data to be operated on and the intermediate data produced during operation. Hereinafter, these data are called “operation data”.
For example, consider a diagnostics function that compares output data only. When the intermediate data takes an incorrect value because the processing unit of one channel has failed, in rare cases the output data is nevertheless a correct value. Such a failure cannot be detected merely by comparing the output data from the two channels. As a result, the reliability of the comparison decision processing by the diagnostics unit falls.
However, if all of the input data, the intermediate data and the output data of the processing unit are compared, the quantity of data to compare is far larger than when only the output data is compared. Accordingly, the comparison decision processing by the two processing units is not completed within the execution time set in advance. As a result, the processing speed of the processing unit falls.
In a redundant control apparatus having two processing units, if the processing speed falls, the control cycle of the apparatus is delayed and its control performance also falls. In short, improving the reliability of failure diagnostics by increasing the quantity of data compared and shortening the execution time of the comparison decision processing are in a trade-off relationship.
With the technique disclosed in Patent reference 1, operation data from the two channels can be synchronized. However, as the operation data increases, more processing time is needed to compare it. With the techniques disclosed in Patent references 2 and 3, falsification of data can be detected. However, they do not disclose a technique for diagnosing a mismatch in the large quantity of operation data produced by the two processing units of a redundant control apparatus within the control cycle (set in advance in the apparatus) without taking additional processing time.
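The failure case described above (an incorrect intermediate value that still yields a correct output), combined with the hash comparison of Patent references 2 and 3, is sketched in the following added example, which is not taken from this document or the cited patents. The control law, the saturation limit, the fault (a wrong gain), the field names and the choice of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import struct

LIMIT = 100.0  # constructed saturation limit of a hypothetical control law
ALL_FIELDS = ("input", "intermediate", "output")

def run_channel(sensor: float, gain: float) -> dict:
    """One processing unit: return its input, intermediate and output data."""
    intermediate = sensor * gain
    output = min(intermediate, LIMIT)  # clamping can hide a wrong intermediate
    return {"input": sensor, "intermediate": intermediate, "output": output}

def digest(data: dict, fields: tuple) -> bytes:
    """Fixed-length SHA-256 digest over the selected operation data fields."""
    h = hashlib.sha256()
    for name in fields:
        h.update(name.encode() + b"=")
        h.update(struct.pack(">d", data[name]))  # canonical 8-byte encoding
    return h.digest()

def channels_match(a: dict, b: dict, fields: tuple) -> bool:
    """Diagnostics decision: compare the two channels' digests."""
    return digest(a, fields) == digest(b, fields)

def demo() -> dict:
    healthy = run_channel(60.0, gain=2.0)  # intermediate 120.0, output 100.0
    faulty = run_channel(60.0, gain=3.0)   # constructed fault: 180.0, output 100.0
    return {
        "output_only": channels_match(healthy, faulty, ("output",)),
        "all_fields": channels_match(healthy, faulty, ALL_FIELDS),
        "healthy_pair": channels_match(healthy, run_channel(60.0, 2.0), ALL_FIELDS),
    }

if __name__ == "__main__":
    for check, matched in demo().items():
        print(f"{check}: {'match' if matched else 'MISMATCH'}")
```

The values exchanged and compared between the channels stay at 32 bytes however many fields are covered, although each unit still has to hash its own operation data.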