JPH10214198A - Information processing system - Google Patents

Abstract

(57) [Problem] To provide an information processing system capable of protecting a deadline even if a process is executed again when a transient fault occurs. The processing in an information processing system having a memory for storing data and a processing device for performing processing based on given data is completed within a predetermined period, and a result of the processing is provided. Is separated from the non-critical processing that does not require the termination of the processing within the period, the critical processing is executed in the first half of the period, and the non-critical processing is executed in the second half.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a highly reliable information processing system, and more particularly to an improvement in system availability and an improvement in real-time performance when a failure occurs.

[0002]

BACKGROUND OF THE INVENTION As computer systems begin to play an important role in social infrastructure, special considerations are needed to ensure that computer system failures do not seriously affect society or human life. It has become to. Against this background, fault-tolerant computer technology has been widely adopted to increase the reliability by making the computer system redundant.

Faults that cause malfunctions of computer systems include fixed faults caused by component failures, electrical noise, cosmic rays, α rays from radiation isotopes in materials constituting semiconductor devices, and the like. It is classified as a transient fault that occurs temporarily. Recently, fixed faults have tended to decrease due to improvements in electronic component production techniques, and the ratio of transient faults has tended to increase relatively.

Transient faults are literally transient, that is, occur temporarily. Therefore, even if a fault occurs, if the same process is executed again at a different time, the fault can often be safely processed without causing a fault. Can be completed. Such a method is called time redundancy (edited by Yoshihiro Toma: Fault Tolerant System Theory, IEICE, p. 149).

[0005]

The above prior art is an excellent method for detecting or masking a transient fault without adding new hardware. However, when applying to a hard real-time system in which a processing result must be output within a required time (deadline), consideration must be given to protecting the deadline even when extra time is required by re-execution.
Therefore, a first object of the present invention is to provide a system that can protect the deadline even if the process is executed again when a transient fault occurs.

Furthermore, the above prior art requires further consideration so that a fault that can be recovered by re-execution can be distinguished from a non-recoverable fault for safe operation of the system. Fixed faults are non-recoverable faults, and transient faults are non-recoverable faults if the information needed for re-run is lost, and the information needed for re-run is not lost If it does, a recoverable fault results. If there is no means for distinguishing between a recoverable fault and an unrecoverable fault, even if an unrecoverable fault occurs, the processing is repeated again in the same manner as when a recoverable fault occurs. As a result, there is a fear that the second fault may occur during the re-execution of the processing due to the first fault. Since many fault-tolerant computers are designed to handle only a single fault, the behavior when two faults occur in this way is outside the intention of the designer.
Not only normal operation is not guaranteed, but also dangerous operation is sometimes considered. Accordingly, a second object of the present invention is to provide a system that can distinguish between recoverable faults and unrecoverable faults.

[0007]

According to the present invention, there is provided an information processing system having a memory for storing data and a processing device for performing processing based on given data. , The processing must be completed within a predetermined period and the result of the processing must be output.
Processing and the second processing that does not require the termination of the processing within the above period.
And the first processing and the second processing can be performed within the period, and the processing device performs the processing before performing the second processing within the period. This can be achieved by performing the first processing.

[0008]

FIG. 1 shows the processing time and order in a control frame of a critical processing 1 and a non-critical processing 2 of the present invention. Here, the critical process 1 is a process for terminating the processing result within a predetermined time. Specifically, in a control system, data is acquired from a control target, and a process of generating and outputting a control command to the actuator based on the data is performed.If the control command is not given to the actuator within a predetermined time,
Control cannot be performed. The non-critical processing 2 is processing that does not necessarily need to be completed within a predetermined time. Specifically, it is a process of simply sending data to a host computer.

First, processes executed by the computer system are classified into a critical process 1 which is a process for outputting a process result during a control frame and a non-critical process 2 which is another process. Subsequently, the processing time of the critical processing 1 is set to be less than half of the control frame. For this reason, when the processing performance of the processor is insufficient, a method of increasing the operating frequency of the processor, using a processor with higher processing performance, preparing a plurality of processors, and distributing the processing may be adopted. . Next, critical processing 1 is executed in the first half of the control frame, and non-critical processing 2 is executed in the second half.

FIG. 2 shows the operation when a failure occurs during the execution of the critical processing 1 in FIG. If a failure occurs during the execution of the critical process 1, the critical process is executed again in the control frame, and the result is output.

FIG. 3 shows the operation when a failure occurs during execution of the non-critical processing 2 in FIG. If a failure occurs during the execution of the non-critical processing 2, the non-critical processing is executed again in the next control frame, and the result is output.

According to the above-described method, even if a failure occurs during the execution of the critical processing 1, the critical processing can be executed again using the remaining time of at least half of the control frame. Can be output.

FIG. 4 shows a hardware configuration of a system to which the present invention is applied. Module 11,
12 are MPUs (Microprocessors) 110 and 12
0, output interfaces 21 and 22. Address buses 111 and 12 inside modules 11 and 12
The address 1 and the data on the data buses 112 and 122 are compared by the comparator 15 between the address and the data. The address buses 111 and 12 by the comparator 15
By comparing the address 1 and the data on the data buses 112 and 122, a mismatch between the operations of the modules 11 and 12, that is, the occurrence of a failure is detected, and the MPU 11
Notify 0,120. The comparator is the address bus 1
The occurrence of a fault can be detected not only by comparing the addresses of the data buses 11 and 121 and the data of the data buses 112 and 122 but also by comparing the output signals 41 and 42 of the modules 11 and 12 like a comparator 15 '. Further, the occurrence of a fault can also be detected by the modules 11 and 12 feeding back each other's output via the paths 41 'and 42' and comparing the outputs with the outputs they are trying to output. In this case, there are a method of comparing by software and a method of providing a comparator in the interfaces 21 and 22. Further, the comparators 15 and 1
As described in Japanese Patent Application Laid-Open No. Hei 7-234801, 5 'can further detect the failure of the comparator itself according to the invention of the present inventors, so that the reliability can be further improved.

Although not shown, each of the modules 11 and 12 has a memory therein.

Although an example of the hardware configuration of the system to which the present invention is applied has been described above, it is needless to say that the present invention is not limited to this example but can be applied to systems having various hardware configurations.

In the system having the hardware configuration shown in FIG. 4, when a failure occurs, the process temporarily shifts from the normal process 70 to the interrupt process 80 as shown in FIGS. 5 and 6, and the next process is started according to the situation. FIG. 7 shows an example of the processing flow of the normal processing 70 and the interrupt processing 80. In the normal processing 70, the processing is started 71 after the system is started, and the critical processing 1 is executed in the first half of the control frame, and then the non-critical processing 2 is executed. After the completion of the non-critical process 2, the process waits until the control frame ends (process 76).

Critical processing 1 when a failure occurs
In order to determine whether or not the process is being executed, the critical process flag is turned on before the critical process 1 (process 72), and the critical process flag is turned off after the critical process 1 is completed (process 73). The ON / OFF information of the critical processing flag is represented by redundant information such as a redundant code, so that a failure during the processing of turning the critical processing flag ON / OFF can be detected.

On the other hand, in the interrupt processing 80, after the failure interrupt 81, it is checked whether the critical processing flag is ON. If the critical processing flag is ON, the critical processing 1 is re-executed. The control waits for the end of the control frame (process 76). Before re-execution, the re-execution flag is turned ON to indicate whether or not the critical process 1 is re-executed (process 83). In particular, when the critical processing flag OFF is represented by specific redundant information (code word) and the other critical processing flag is turned ON, the critical processing flag is turned ON and OFF not only during the critical processing 1 If a failure occurs during the process to be performed, the critical processing flag becomes information (non-codeword) other than the specific redundant information (codeword), so that the critical processing flag is recognized as ON. ,
The critical process 1 is executed again.

In the normal processing 70, it is determined whether or not the re-execution flag is ON (processing 74). Only when the re-execution flag is OFF, the non-critical processing 2 is executed following the critical processing 1,
When ON, the non-critical processing 2 is not executed,
Only the re-execution flag is turned off (process 75).

According to the above-described method, even if a failure occurs during the execution of the critical processing, the processing can be executed again using the remaining time of at least half of the frame, so that the processing result can be output before the deadline. .

FIG. 8 shows a critical process 1 at the time of a fault interrupt.
This is an embodiment in which a determination (process 84) as to whether or not to re-execute is added. If the determination result 85 indicates that processing is to be continued,
The critical process 1 is executed again as in the embodiment shown in FIG. If the determination result 85 indicates that the processing has been stopped, the processing is stopped (step 86). When the processing is stopped, the output of the system is set to a safe side output in order to guarantee the safety of the operation of the system. The safety output differs depending on the application field of the system. For example, in the field of train control, a command to stop the train is the safety output.

FIG. 9 shows the operation of the system when a failure occurs according to FIG. After the failure occurs, the interrupt processing 80 is executed, and then the processing is stopped 86.

FIGS. 10 to 21 show a method of generating the judgment result 85. FIG.

In FIG. 10, the permissible re-execution frequency / frequency is obtained from the permissible re-execution frequency / frequency table 91 from the information on the environmental conditions observed by the environmental condition observing section 900. On the other hand, the modules 11 and 12 have a function 92 for counting the number of re-executions.
And the number of re-executions / frequency is obtained. The number of re-executions / frequency is compared with the number of permitted re-executions / frequency. If the number of executions / frequency is smaller than the allowed number of re-executions / frequency, the determination result 85 is determined to be the processing continuation. I do.

Here, attention is paid to the point that the failure of the electronic device is closely related to the environmental conditions. The environmental conditions closely related to the failure of the electronic device include lightning, electric noise, cosmic rays, and the like. No. Therefore, the environmental condition observation unit 900
Includes various sensors that observe these environmental conditions.

Hereinafter, a specific example of the environmental condition observing section 900 will be described.

FIG. 11 shows an RTC (Real Time Clock) 90 having a calendar and a clock function in the environmental condition observation unit 900.
It shows the case where is used. From the date and time information obtained from the RTC 90, the permissible number of re-executions / frequency table 9
The number of permissible re-executions / frequency is obtained by 1. On the other hand, the modules 11 and 12 have a function 92 for counting the number of re-executions, and obtain the number of re-executions / frequency. The number of re-executions / frequency is compared with the permissible number of re-executions / frequency. If the number of re-executions / frequency is smaller than the permissible number of re-executions / frequency, the determination result 85 is regarded as continuation. And As described above, if the RTC (Real Time Clock) 90 is used, it is possible to avoid, for example, a failure due to lightning that largely depends on the date and time, and it can be used to avoid a failure in a system installed outdoors.

FIG. 12 shows the allowable re-execution number / frequency table 91 of FIG. Here, the time per month and the time are shown every six hours to indicate the permissible re-execution frequency. The allowable frequency in the afternoon from July to August, when lightning occurs frequently, is 3 (times / hour), and the allowable re-execution frequency is set higher than in other periods.

FIG. 13 shows a case where an instantaneous interruption / surge detection circuit 95 provided in the power supply circuit 94 is used for the environmental condition observation section 900. The permissible number of re-executions / frequency is obtained from the instantaneous interruption / surge detection circuit 85 from the permissible number of re-executions / frequency table 91. Then, the number of re-executions / frequency is compared with the permissible number of re-executions / frequency as described with reference to FIG. 10, and if the number of executions / frequency is smaller than the permissible number of re-executions / frequency, the determination result 85 is processed. The processing is continued, and if it is larger, the processing is stopped.

FIG. 14 shows the permitted number of re-executions / frequency table 91 of FIG. Here, the frequency that is one (times / hour) greater than the instantaneous power failure / surge detection frequency is set as the re-execution frequency allowable frequency.

FIG. 15 shows a configuration in which the environmental condition observation unit 900 includes an antenna 96, a static receiver 97, and a measuring device for measuring the number / frequency of received static. Also in this case, as in FIG. 10, the number of re-executions / frequency is compared with the number of permitted re-executions / frequency from the allowable number of re-executions / frequency table 91, and the number of executions / frequency is smaller than the allowed number of re-executions / frequency. In this case, the processing is continued with the judgment result 85, and when it is larger, the processing is stopped.

FIG. 16 shows an example in which whether to continue or stop processing is determined based on the address accessed at the time of occurrence of the failure. Here, if the address accessed at the time of occurrence of the failure is the backup area, the determination result 85 is stopped, and if not, the processing is continued.

As described above, the environmental condition observation unit 900
Takes various modes depending on the environment, but may be a combination of a plurality of components instead of one as described above.

When a failure occurs, it is necessary to make a backup so that information necessary for re-executing the process is not lost due to the failure. Information necessary for re-execution of the process includes, for example, information on a past process result and an operation mode of the system. For example, FIG.
7, the method shown in FIG. 18, and the method shown in FIGS.

In the method shown in FIGS. 17 and 18, during the normal operation, information necessary for re-executing the processing after the completion of the critical processing 1 is copied from the normal area 94 of the memory to the backup area 95 as shown in FIG. When a failure occurs, the information in the backup area 95 is copied to the normal area 94 as shown in FIG.

The method shown in FIGS. 19 and 20 alternates the two regions in the normal region 9 during normal operation as shown in FIG.
4, used as the backup area 95, and
Then, the area used as the normal area 94 is used as the backup area 95 in the control frame i + 1. Therefore, the control frame i is stored in the area written in the control frame i.
Since writing is not performed at +1, even if erroneous information is written to the memory at the control frame i + 1 due to a failure, the information written at the control frame i is not destroyed. Therefore, when a failure occurs, re-execution can be performed using information in the area 95 as shown in FIG.

As described above, since information necessary for re-execution is stored in the backup area, the fact that a failure is detected during access to this area means that the information necessary for re-execution has been destroyed. It is likely.
Therefore, in such a case, the processing is stopped without re-execution.

FIG. 21 shows a configuration for obtaining an address accessed at the time of occurrence of a failure necessary for realizing FIG.
Address storage device according to interrupt signal 16 from comparator 15
151 and 152 are the address bus 1 in the modules 11 and 12
11 and 121 are stored. Subsequently, by looking at the contents of the address storage devices 151 and 152 in the interrupt processing 80, it can be determined whether or not a failure has occurred during access to the backup area.

As described above, according to the embodiment shown in FIG. 8 to FIG. 21, the allowable number of re-execution times / frequency is determined finely based on various information, so that a fault that can be recovered by re-execution and an unrecoverable fault can be recovered. Faults can be more strictly distinguished. Therefore, when an unrecoverable fault occurs, the operation of the system is immediately stopped on the safe side, and dangerous operation of the system due to the fault can be prevented.

[0040]

According to the present invention, it is possible to provide a system for outputting a processing result by a deadline even if a failure occurs. Further, dangerous operation of the system due to a fault can be prevented.

[Brief description of the drawings]

FIG. 1 shows the basic operation of the present invention.

FIG. 2 shows an operation when a failure occurs during critical processing.

FIG. 3 shows an operation when a failure occurs during non-critical processing.

FIG. 4 is a hardware configuration of a system to which the present invention is applied.

FIG. 5 is an operation when a failure occurs during critical processing in the configuration of FIG. 4;

FIG. 6 is an operation when a failure occurs during non-critical processing in the configuration of FIG. 4;

FIG. 7 is a processing flow of the present invention.

FIG. 8 is an embodiment of a processing flow to which a determination of a processing stop is added.

FIG. 9 shows the operation of the flow in FIG.

FIG. 10 is a diagram for explaining determination of processing stop based on environmental condition observation.

FIG. 11 is a specific example of a process stop determination based on a date and time.

FIG. 12 is a specific example of a re-execution permissible frequency table for the embodiment in FIG. 10;

FIG. 13 is a specific example of determination of processing stop based on instantaneous power failure / surge detection frequency / frequency.

FIG. 14 is a specific example of a re-execution allowable frequency table for the embodiment of FIG. 12;

FIG. 15 is a specific example of a determination to stop processing based on the number / frequency of receiving static electricity.

FIG. 16 is a specific example of a process stop determination based on a failure occurrence address.

FIG. 17 shows backup method 1.

FIG. 18 shows a backup method 1 (when a failure occurs).

FIG. 19 shows backup method 2.

FIG. 20 shows backup method 2 (when a failure occurs).

FIG. 21 shows a configuration of a failure address detection function for the embodiment of FIG. 14;

[Explanation of symbols]

1: critical processing, 2: non-critical processing, 1
1,12 ... module, 15,15 '... comparator, 16 ...
Interrupt signal, 70: normal processing, 80: interrupt processing.

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Naoto Miyazaki 7-1-1, Omika-cho, Hitachi City, Ibaraki Prefecture Within Hitachi Research Laboratory, Hitachi, Ltd.

Claims (5)

[Claims] An information processing system comprising: a memory for storing data; and a processing device for performing processing based on given data, wherein the processing is completed within a predetermined period. A first process for outputting the result of the above process,
A second process that does not require the end of the process within the period, and that can execute the first process and the second process within the period; An information processing system, wherein the first processing is executed before the second processing is executed. 2. The information processing system according to claim 1, wherein the processing device executes the first process again when a failure occurs during the execution of the first process. Information processing system. 3. The high-reliability system according to claim 1, wherein said processing device, when a failure occurs during execution of said second processing, at least within said next period. And outputting the result again. 4. The information processing system according to claim 1, wherein the processing device compares the number of re-executions / frequency of the processing with a predetermined allowable number of re-executions / frequency. Processing to execute the first processing or the second processing again based on the first processing or the second processing.
An information processing system characterized by stopping the processing of (1). 5. The information processing system according to claim 1, wherein said processing device stops processing when a failure occurs while accessing an address of a backup area of said memory. Processing system.