Just check out any _proper_ safety-related PLC. (And I don't mean the kludged hot standby or dual redundant systems.) Try Triconex, which is 2oo3 voted inputs, outputs and processing. Has a very impressive safety record, even withstanding deliberate intrusion via a vulnerable DCS system and was certified to continue operating for something like 1500 hours with a single, flagged fault.