Conventionally, a unit complying with safety integrity level 2 (hereinafter referred to as SIL2; SIL stands for Safety Integrity Level) of the IEC61508 functional safety standard is required to have a safe failure fraction (hereinafter referred to as SFF), as defined by the IEC61508 safety standard, of 90% or more when the hardware fault tolerance of the system (hereinafter referred to as HFT) is 0. Further, a SIL2-compliant unit is required to have an SFF of 60% or more when the HFT is 1. Here, an HFT of 0 means that the system functions are lost due to the failure of one system function, and an HFT of 1 means that the system functions are lost due to the failures of two system functions.
Further, a unit complying with SIL3, which requires higher safety than SIL2, is required to have an SFF of 99% or more when the HFT is 0. A SIL3-compliant unit is required to have an SFF of 90% or more when the HFT is 1, and an SFF of 60% or more when the HFT is 2. Here, an HFT of 2 means that the system functions are lost due to the failures of three system functions.
In general, increasing the SFF requires components of a higher grade or a larger number of components, which increases the manufacturing cost of the unit. Therefore, in some cases, the following method is applied to a SIL3-compliant unit: an internal component is dualized so that a single unit achieves an HFT of 1, thereby satisfying the SIL requirements while keeping the required SFF low. It should be noted here that dualizing (dualization) means that the same process is executed in parallel.
A method that reduces the cost of system construction by using two SIL2-compliant units in a dualized manner is also known. That is, although a single unit with an SFF of 90% or more and less than 99% does not comply with SIL3, two such units used in a dualized manner can comply with SIL3. In other words, a unit with an SFF of 90% or more and less than 99% does not comply with SIL3 when the HFT is 0, but can comply with SIL3 when the HFT is made 1.
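As an added example (not from the patent text or from Patent Document 1), the following Python encodes the SFF/HFT thresholds quoted above as the table of achievable SIL for type B subsystems from IEC 61508-2; the SIL1 and SIL4 rows go beyond the passage and are taken from the same table of the standard. It also computes the SFF from the standard's four failure-rate classes (safe/dangerous, detected/undetected) and checks the claim that a unit with an SFF between 90% and 99% reaches only SIL2 alone (HFT 0) but SIL3 once dualized (HFT 1). The failure-rate figures are constructed for illustration and do not describe any real device.

```python
# Added example: SFF calculation and achievable-SIL lookup per IEC 61508-2.
# Not part of the patent text; thresholds follow IEC 61508-2 Table 3 (type B).
from dataclasses import dataclass

# HFT -> list of (minimum SFF in %, achievable SIL), ascending by SFF.
# A SIL of 0 means that no SIL claim is allowed for that SFF/HFT combination.
SIL_TABLE = {
    0: [(60.0, 1), (90.0, 2), (99.0, 3)],
    1: [(0.0, 1), (60.0, 2), (90.0, 3), (99.0, 4)],
    2: [(0.0, 2), (60.0, 3), (90.0, 4)],
}


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (per hour) of one element, split as IEC 61508-2 does."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF in percent: (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    lam_safe = r.safe_detected + r.safe_undetected
    total = lam_safe + r.dangerous_detected + r.dangerous_undetected
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return 100.0 * (lam_safe + r.dangerous_detected) / total


def max_sil(sff_percent: float, hft: int) -> int:
    """Highest SIL the table permits for the given SFF and HFT (0 = none)."""
    if hft not in SIL_TABLE:
        raise ValueError("HFT must be 0, 1 or 2")
    if not 0.0 <= sff_percent <= 100.0:
        raise ValueError("SFF must lie between 0 and 100 percent")
    achievable = 0
    for min_sff, sil in SIL_TABLE[hft]:
        if sff_percent >= min_sff:
            achievable = sil  # rows are ascending, so the last match wins
    return achievable


def meets_sil(sff_percent: float, hft: int, target_sil: int) -> bool:
    """True if the unit's SFF/HFT combination is good enough for target_sil."""
    return max_sil(sff_percent, hft) >= target_sil


def dualization_gain(sff_percent: float) -> tuple:
    """SIL of a single unit (HFT 0) versus two dualized units (HFT 1)."""
    return max_sil(sff_percent, 0), max_sil(sff_percent, 1)


# Constructed sample element: lambda_S = 5e-7/h, lambda_DD = 4.5e-7/h,
# lambda_DU = 5e-8/h, giving an SFF of 95% (between 90% and 99%).
SAMPLE_RATES = FailureRates(
    safe_detected=4.0e-7,
    safe_undetected=1.0e-7,
    dangerous_detected=4.5e-7,
    dangerous_undetected=5.0e-8,
)

if __name__ == "__main__":
    sff = safe_failure_fraction(SAMPLE_RATES)
    single, dual = dualization_gain(sff)
    print(f"SFF = {sff:.1f}%  ->  SIL{single} alone (HFT 0), SIL{dual} dualized (HFT 1)")
```

The lookup deliberately treats the HFT as given: dualizing two identical units raises the HFT to 1 only when the architecture actually tolerates one failed channel, and the standard still requires common-cause failures to be assessed separately, so the table is the necessary condition the passage relies on, not a complete SIL demonstration.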
Moreover, Patent Document 1 discloses a technique in which an input/output device that complies with SIL2 when used alone is dualized to comply with SIL3.