The present invention relates to a task management apparatus for control apparatus, input/output control apparatus, information control apparatus, task management method, input/output controlling method, and information controlling method.
Electronics and information technology have advanced, and the functions required of a single apparatus have become complex and compound. This development, and the tendency of functions to become more complex and compound, have contributed greatly to widening the application of programmable electronic apparatus and, at the same time, to raising the reliability required of it.
To achieve high reliability, known approaches include constructing multiple (redundant) mechanisms or using a plurality of processors in the programmable electronic apparatus.
The regular-system/standby-system structure is known as a form of the multiple-mechanism programmable electronic apparatus. This structure is able to improve the availability because it can be switched to the standby system when a failure is found in the regular system.
On the other hand, JP-A-2004-234144 describes a programmable electronic apparatus using a plurality of processors for increasing the safety.
In addition, processing facilities with potential hazards, such as nuclear power plants and chemical plants, employ protective means such as barriers as a passive countermeasure and safety devices such as an emergency shutdown device as an active countermeasure, in order to reduce the effect of a hazard on workers and the surrounding environment in case of an accident. Of these countermeasures, the control means for the safety device or the like has so far been realized by electromagnetic/mechanical means such as relays. Recently, however, programmable control equipment, represented by the Programmable Logic Controller (PLC), has been developed, and there is demand to use it as the control means of the safety control system.
IEC 61508, “Functional safety of electrical/electronic/programmable electronic safety-related systems”, parts 1 through 7 (abbreviated IEC 61508), is the international standard issued in response to this trend. It specifies the requirements for an electrical/electronic/programmable electronic safety-related system used as part of a safety control system. IEC 61508 defines the Safety Integrity Level (SIL) as a measure of the capability of the safety control system and specifies requirements corresponding to levels 1 through 4. A higher SIL indicates a larger degree to which the processing installation is able to reduce its potential risk; in other words, it expresses how reliably the processing equipment can carry out the safety control when an abnormality is detected in the equipment.
Even though the safety control system is inactive in the normal operating condition, it is required to become active immediately when trouble occurs in the processing installation. To this end, it is important that the system routinely examines itself, that is, continuously checks its own health. In addition, a safety control system that needs a high SIL is required to implement self-diagnosis over a wide range and with high precision, in order to minimize the probability that the system remains inactive because of an undetected failure.
In IEC 61508, self-diagnosis techniques are presented for each kind of component that constitutes the safety control system, and the effectiveness of each technique is expressed as a diagnostic rate (diagnostic coverage). The diagnostic rate indicates the proportion of failures that are detectable when that self-diagnosis technique is employed, relative to all failures that could occur in the constituent. For the RAM diagnosis technique “Abraham” described in, for example, U.S. Pat. No. 6,779,128, a maximum diagnostic rate of 99% is said to be claimable.
In addition, as the failure detecting means for a processor as a single constituent, it is effective to monitor whether the output results from a plurality of monitoring units coincide.
As a method for mutually examining the outputs of a plurality of processors, it is effective for each processor to execute the same control processing at the same time and to confirm that its output coincides with those of the other processors.
As a typical example, JP-A-6-290066 describes a method in which two processors are operated in synchronism with each other and supplied with the same information as input, so that their outputs should coincide, thereby verifying the health of the processors.
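The output-comparison scheme described above, and the diagnostic-rate idea from the earlier paragraph, can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the patent or from any cited document. The control law (`control_step`, a trip on a sensor limit), the fault models, the processor names and the sensor inputs are all constructed for illustration. It runs two processors in lockstep on the same input, drives the output to the safe (trip) state on any disagreement, and then measures what fraction of a set of injected faults the comparator detects, which is the diagnostic rate for this technique over those faults.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed control law shared by both processors:
# output 1 = trip (emergency shutdown) when the sensor exceeds the limit.
TRIP_LIMIT = 100


def control_step(sensor_value: int) -> int:
    return 1 if sensor_value > TRIP_LIMIT else 0


@dataclass
class Processor:
    """One of the redundant processors; `fault` is an injected fault model (constructed)."""
    name: str
    fault: Optional[Callable[[int], int]] = None

    def run(self, sensor_value: int) -> int:
        out = control_step(sensor_value)
        if self.fault is not None:
            out = self.fault(out)
        return out


# De-energize-to-trip convention (assumption): a disagreement between the
# processors cannot be resolved, so the comparator forces the shutdown output.
SAFE_STATE = 1


def lockstep_compare(procs: List[Processor], sensor_value: int) -> Tuple[int, bool]:
    """Feed the same input to every processor in the same cycle.

    Returns (output, agreed). If all outputs coincide, that output is used;
    otherwise the safe state is commanded and the mismatch is reported.
    """
    outputs = [p.run(sensor_value) for p in procs]
    if all(o == outputs[0] for o in outputs):
        return outputs[0], True
    return SAFE_STATE, False


# Constructed fault set: (description, fault model, indices of affected processors).
FAULTS: List[Tuple[str, Callable[[int], int], Set[int]]] = [
    ("stuck-at-0 on CPU A", lambda o: 0, {0}),
    ("stuck-at-1 on CPU A", lambda o: 1, {0}),
    ("inverted output on CPU B", lambda o: 1 - o, {1}),
    # A common-cause fault hits both processors identically, so their outputs
    # still coincide: output comparison alone cannot detect it.
    ("common-cause stuck-at-0 on both", lambda o: 0, {0, 1}),
]

# Constructed input cycles: one below and one above the trip limit.
INPUTS = [50, 150]


def fresh_processors() -> List[Processor]:
    return [Processor("CPU A"), Processor("CPU B")]


def diagnose_faults(faults=FAULTS, inputs=INPUTS) -> Dict[str, bool]:
    """Inject each fault in turn and record whether any cycle exposed it."""
    result: Dict[str, bool] = {}
    for description, model, affected in faults:
        procs = fresh_processors()
        for idx in affected:
            procs[idx].fault = model
        result[description] = any(not lockstep_compare(procs, x)[1] for x in inputs)
    return result


def diagnostic_rate(faults=FAULTS, inputs=INPUTS) -> float:
    """Detected faults divided by all injected faults (diagnostic coverage)."""
    detected = diagnose_faults(faults, inputs)
    return sum(detected.values()) / len(detected)


if __name__ == "__main__":
    for desc, found in diagnose_faults().items():
        print(f"{desc:35s} detected={found}")
    print(f"diagnostic rate over injected faults: {diagnostic_rate():.2f}")
```

Running the block shows the three independent faults exposed by a mismatch in at least one cycle, while the common-cause fault passes undetected, giving a diagnostic rate of 0.75 over this fault set. That gap is exactly why standards treat common-cause failures separately from the coverage credited to output comparison.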