The present invention relates to a control apparatus provided in a programmable electronic apparatus and a control method for the electronic apparatus.
In process facilities that are potentially very dangerous, such as nuclear power plants and chemical plants, passive countermeasures using protection facilities such as barriers and active countermeasures using safety apparatus such as emergency stop apparatus are taken in order to reduce the effects on workers and the surrounding environment in an emergency. Of these, control of the safety apparatus has conventionally been implemented by electromagnetic and mechanical means such as relays.
In recent years, however, as the technology of programmable control devices, typified by programmable logic controllers (PLCs), has advanced, there is a growing need to use such devices as the control means of safety control systems.
IEC 61508, for example, is an international standard published in response to this trend. It prescribes the requirements for cases in which an electrical/electronic/programmable electronic device is used as part of a safety control system (IEC 61508-1 to -7, "Functional safety of electrical/electronic/programmable electronic safety-related systems", Parts 1 to 7 (Non-Patent Document 1)).
IEC 61508 defines the Safety Integrity Level (SIL) as a measure of the capability of a safety control system, and prescribes requirement items corresponding to levels 1 to 4. A higher SIL indicates a greater degree to which the potential dangers of the process facilities can be reduced; in other words, it indicates how reliably the predetermined safety control will be executed when an abnormality in the process facilities is detected.
The safety control apparatus is required to act immediately when an abnormality occurs in the process facilities, even though it remains inactive during ordinary operation. It is therefore important that the apparatus continuously performs self-diagnosis and keeps checking its own soundness. In a safety control system of which a high SIL is required, wide-ranging and highly accurate self-diagnosis is necessary in order to minimize the probability that the system will malfunction because of an undetected failure.
IEC 61508 presents self-diagnosis techniques for each kind of component that makes up the safety control apparatus, and indicates the effectiveness of each technique in the form of a diagnostic rate (diagnostic coverage). The diagnostic rate is the proportion of all failures of a component that are detectable when the diagnostic technique is adopted. For example, the "Abraham" RAM test is stated to allow a maximum diagnostic rate of 99% to be claimed (U.S. Pat. No. 6,779,128 (Patent Document 2)).
In addition, an effective means of detecting failures of the processor, one of the components of the PLC, is to use a plurality of processors and monitor whether their output results match.
As a method for mutually diagnosing the outputs of a plurality of processors, it is effective to have the processors execute the same control processing simultaneously and confirm that their outputs coincide.
For example, there is a technique for immediately detecting any processor failure by comparing the outputs of a plurality of processors operating asynchronously (JP-A-2007-11639 (Patent Document 1)).
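As an added illustration, not code from the patent or from either of its cited documents, the following Python sketch puts the two ideas of this section side by side: a diagnostic rate computed as the detectable share of a component's total failure rate, and a two-channel comparator that evaluates the same emergency-stop logic on two processor channels and forces the safe, de-energized state whenever the channel outputs disagree. The trip thresholds, the input fields, the inverting fault injected into channel B, and the failure-mode table are all constructed for the example; the cited technique compares channels that run asynchronously, which this sketch simplifies to one shared scan.

```python
"""Two-channel output comparison and diagnostic-rate calculation.

Added illustration only. Assumptions not taken from the patent text:
both channels evaluate the same safety logic on one shared input
snapshot per scan, and any disagreement is itself treated as a detected
failure that drives the output to the safe (de-energized) state.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Inputs:
    """Process measurements for one scan (constructed field set)."""
    pressure_kpa: float
    temperature_c: float
    estop_pressed: bool


# Example trip points; real values come from the process hazard analysis.
PRESSURE_TRIP_KPA = 800.0
TEMP_TRIP_C = 120.0


def safety_logic(inp: Inputs) -> bool:
    """Return True if the output relay may stay energized (process may run).

    The logic is written so that every trip condition leads to the
    de-energized (safe) state; the default branch is the only path to True.
    """
    if inp.estop_pressed:
        return False
    if inp.pressure_kpa >= PRESSURE_TRIP_KPA:
        return False
    if inp.temperature_c >= TEMP_TRIP_C:
        return False
    return True


def compare_channels(out_a: bool, out_b: bool) -> tuple[bool, bool]:
    """Comparator: return (relay_energized, fault_detected).

    On disagreement the result is forced to the safe state no matter
    which channel is right, and the mismatch is flagged as a detected
    processor failure. With agreement the common result is passed through.
    """
    if out_a != out_b:
        return (False, True)
    return (out_a, False)


def run_cycle(inp: Inputs, fault_in_b: bool = False) -> tuple[bool, bool]:
    """One scan: channel A and channel B evaluate, the comparator decides.

    fault_in_b simulates a hardware fault that inverts channel B's result.
    This is a constructed, deliberately simple fault model.
    """
    out_a = safety_logic(inp)
    out_b = safety_logic(inp)
    if fault_in_b:
        out_b = not out_b
    return compare_channels(out_a, out_b)


def diagnostic_rate(failure_modes: list[tuple[float, bool]]) -> float:
    """Diagnostic rate: detectable failure rate divided by total failure rate.

    failure_modes holds (failure rate of the mode, detected by the
    diagnostic technique?) pairs for one component. Returns 0.0 for an
    empty table rather than dividing by zero.
    """
    total = sum(rate for rate, _ in failure_modes)
    detected = sum(rate for rate, is_detected in failure_modes if is_detected)
    return detected / total if total else 0.0


if __name__ == "__main__":
    normal = Inputs(pressure_kpa=500.0, temperature_c=60.0, estop_pressed=False)
    over_pressure = Inputs(pressure_kpa=900.0, temperature_c=60.0, estop_pressed=False)
    print("normal, both channels healthy:", run_cycle(normal))
    print("over-pressure, both healthy:   ", run_cycle(over_pressure))
    print("normal, channel B faulty:      ", run_cycle(normal, fault_in_b=True))
    # Constructed failure-mode table: 99% of the failure rate is detectable.
    print("diagnostic rate:", diagnostic_rate([(90.0, True), (9.0, True), (1.0, False)]))
```

The point to notice is that the comparator never has to decide which channel failed: the output is driven to the safe state on any disagreement, so a single faulty processor cannot keep the relay energized. The diagnostic rate helper only captures the definition given above; the failure rates themselves have to come from the component's failure-mode analysis.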