The present invention generally relates to a control apparatus, a control method, and a control program, and more specifically to a control apparatus, a control method, and a control program that are suitable for functional safety.
In recent years there has been growing demand for programmable electronic apparatuses capable of securing the safety of human life and the environment. In contrast to "intrinsic safety", safety that is established on the premise that the apparatus is operating normally is referred to as "functional safety." There is no question that the widening application of functional safety depends on considerable improvements in the performance and reliability of electronic appliances.
The benefits of applying programmable electronic apparatuses come not only from the fact that protection logic equipment built from conventional mechanical relays can be replaced by apparatuses that are more compact, lighter, and more reliable, but also from other means. In conventional maintenance inspection, the plant apparatuses that are the subjects of protection are stopped periodically so that the operation of the protection logic equipment can be checked. In contrast, self-diagnostic functions that exploit the features of electronic apparatuses allow the protection logic apparatuses to be diagnosed without stopping the plant apparatuses, which contributes to a higher operating rate of the plant apparatuses and saves maintenance manpower. Such diagnostic techniques are described in, for instance, JP-A-6-290066.
Given that the target is the protection of human life and the environment, standards that determine objective levels of functional safety become a matter of major importance. Standardization began in Europe, and international standards such as IEC 61508 are now being established. IEC 61508 divides the factors that impede functional safety into two main categories and defines in detail the measures against each of them and their effects. The first impeding factor is the random failure, which originates in hardware; the second is the systematic failure, which arises from errors in specification or design and is commonly referred to as a "software bug." Accordingly, IEC 61508 defines diagnostic methods for random failures (the first impeding factor) and the corresponding diagnostic coverage rates, and further defines development processes for preventing systematic failures (the second impeding factor).
Because users employ products that have been certified by an independent third-party institution on the basis of the international standard, they can secure the required safety levels. As described above, certification of products based on functional safety and its international standard is expected to make a significant contribution.
On the other hand, communication control apparatuses are equipped with input apparatuses for acquiring equipment data about the equipment under control, and a plurality of information processing apparatuses for monitoring or controlling that equipment on the basis of the acquired equipment data. Such communication control units have been utilized in plant monitoring/control systems. In these communication control apparatuses, events occurring in the equipment under control are stored: the occurrence time of each event is measured by a time measuring counter, the event occurrence time (time stamp) is attached to the content of the event, and the result is stored as status data. By analyzing the stored status data, the communication control unit can grasp the occurrence of input events on plural signals in time sequence. As a result, even when a failure occurs in the equipment, the communication control unit can correctly identify the cause of the failure.
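The time-stamped status data scheme just described, written out as an added example; this is not code from the patent or from any of the cited documents. The 16-bit width of the time measuring counter, the unwrapping of counter wrap-around, the signal names and the constructed event sequence are all assumptions made for illustration.

```python
"""Store input events with a counter time stamp and analyze them in time
sequence. Added example, not code from the patent; counter width, signal
names and the sample events are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

COUNTER_BITS = 16            # assumed width of the time measuring counter
COUNTER_MOD = 1 << COUNTER_BITS


@dataclass(frozen=True)
class StatusRecord:
    """One stored status datum: event content plus its time stamp."""
    seq: int        # storage order; breaks ties between equal time stamps
    ticks: int      # unwrapped counter value, monotonic across wrap-around
    signal: str
    value: int


class EventStore:
    def __init__(self) -> None:
        self._records: List[StatusRecord] = []
        self._last_raw: Optional[int] = None
        self._base = 0

    def record(self, raw_stamp: int, signal: str, value: int) -> StatusRecord:
        """Attach the counter reading to an event and store it as status data.

        Events are stored in the order they occur, so a raw counter value
        smaller than the previous one means the counter wrapped; the wrap is
        unwrapped here so later analysis orders events correctly (assumption:
        no two consecutive events are more than one counter period apart)."""
        if not 0 <= raw_stamp < COUNTER_MOD:
            raise ValueError("raw counter value out of range")
        if self._last_raw is not None and raw_stamp < self._last_raw:
            self._base += COUNTER_MOD
        self._last_raw = raw_stamp
        rec = StatusRecord(len(self._records), self._base + raw_stamp, signal, value)
        self._records.append(rec)
        return rec

    def sequence(self) -> List[StatusRecord]:
        """All stored events in time sequence (ticks, then storage order)."""
        return sorted(self._records, key=lambda r: (r.ticks, r.seq))

    def events_before(self, target: StatusRecord, window: int) -> List[StatusRecord]:
        """Events on any signal that occurred within `window` ticks before
        `target`, in time sequence; `target` itself is excluded."""
        return [r for r in self.sequence()
                if r.ticks >= target.ticks - window
                and (r.ticks, r.seq) < (target.ticks, target.seq)]

    def probable_cause(self, target: StatusRecord, window: int) -> Optional[StatusRecord]:
        """The earliest event in the window before `target`: the first input
        change in the chain that led to the failure, or None if nothing
        happened in the window."""
        preceding = self.events_before(target, window)
        return preceding[0] if preceding else None


def build_example_store() -> EventStore:
    """Constructed sample: three input changes, then a trip, with the
    counter wrapping between the second and third event (assumed data)."""
    store = EventStore()
    store.record(65500, "PUMP_RUN", 1)
    store.record(65530, "PRESSURE_LOW", 1)
    store.record(10, "FLOW_LOW", 1)       # raw counter wrapped past 65535
    store.record(40, "TRIP", 1)           # the failure under investigation
    return store


if __name__ == "__main__":
    store = build_example_store()
    trip = store.sequence()[-1]
    for rec in store.events_before(trip, 60):
        print(f"{rec.ticks:6d} {rec.signal}={rec.value}")
    cause = store.probable_cause(trip, 60)
    print("probable cause:", cause.signal if cause else None)
```

The window size used by `probable_cause` is an analysis parameter, not something the counter provides: too narrow a window misses the originating input change, too wide a window pulls in unrelated events, so in practice it is chosen from the known response time of the protected equipment.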
JP-A-2004-356955 discloses a technique for defining input event times in correspondence with input status data