JP3279004B2 - Redundant resource management method and distributed fault tolerant computer system using the same - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for managing redundant resources, and more particularly to an efficient use of redundant resources in a fault-tolerant computer system.

[0002]

2. Description of the Related Art Computers play a role in the center of society such as traffic control and finance, and also play a role in human life such as control of spacecraft and aircraft. Is spreading. In such an era, computer reliability is increasingly required.

In order to increase the reliability of a computer, a means of redundancy in which an extra computer or a unit constituting the computer is prepared in advance for the occurrence of a fault is widely used.

On the other hand, providing redundant hardware for high reliability of a computer leads to a large increase in cost, size, weight, and power consumption. Therefore, in order to increase the investment efficiency, that is, the cost performance, of the fault-tolerant computer system, it is required to effectively use the redundant hardware resources for improving the reliability and the processing performance.

As a redundant resource management method for effectively utilizing redundant hardware resources, a literature (Jean-Charles Fabr
e, et al .: “Saturation: reduced idleness for impro
vedfault-tolerance, "Proc. FTCS-18 (The 18th Int '
1 Symp.on Fault-tolerantComputing), pp.200-205
(1988)).

According to the prior art, the minimum required number of redundant copies executed simultaneously for each task, that is, the MNC (Minimum Copy)
mum Number of Copies) is determined in advance, and when the task execution request message arrives, the number of vacant (idle) nodes (redundant computer modules) is MN.
If the value is larger than C, task execution is started at the empty node. If the number of free nodes is smaller than the MNC, the task currently being executed ends, and the system waits until the required number of free nodes is output.

[0007]

The prior art disclosed in the above-mentioned document is based on the OLTP in which task start requests frequently occur.
(On-line Transaction Processor).

In the prior art, when the reliability of a real-time control computer is increased, the occurrence of a fault during the execution of a task and the occurrence of multiple faults are not sufficiently considered. This is because of the nature of OLTP that transactions are completed in a short time, task execution time is mean time between failures (MTBF).
This is because the prior art has been proposed on the assumption that it is sufficiently shorter than. However, in the case of a real-time control computer, tasks are often executed continuously for a long time. For example, in an aircraft, a spacecraft, or the like, the computer must not only normally operate during the mission time, but also require the assistance of the computer to interrupt the mission. Therefore, the task execution time cannot be ignored as compared with the mean time between failures MTBF, and it is necessary to consider the occurrence of a fault during the task execution and the occurrence of multiple faults.

In the prior art, the number of computer modules to be allocated is managed only at the start of task execution. Therefore, even if the function of the computer module executing the task due to the occurrence of a fault is lost during the task execution, no new computer module is added. In other words, if a fault occurs during the execution of a task, the task execution is continued with the redundancy (the number of computer modules executing the task redundantly) reduced, and the reliability of the task is impaired. . For example, if a failure occurs in one of the two computer modules when two computer modules are redundantly executing a task, the execution of the task may be interrupted if a second fault continues to occur. become. An object of the present invention is to provide a redundant resource management method capable of coping with the occurrence of a fault during the execution of a task and the occurrence of multiple faults, and a distributed fault-tolerant computer system using the same.

[0010]

SUMMARY OF THE INVENTION The present invention relates to a distributed fault-tolerant computer system in which a plurality of tasks are assigned to a plurality of computer modules and executed. Selecting at least one or more computer modules from among other computer modules to which a task different from the task executed by the computer module in which the error occurred has been assigned in advance;
Selective execution means is provided for allocating and executing a task executed by the failed computer module to the selected computer module.

Each of the computer modules according to the present invention specifically has the following configuration.

(1) Each computer module broadcasts fault occurrence information (fault detection result) and its processing result of its own computer module to other computer modules at an appropriate timing (checkpoint) during task processing.

(2) Each computer module determines a margin of reliability for each task based on fault occurrence information (fault detection result) broadcast from another computer module and information on matching / mismatching of processing results. Estimate an evaluation function Fij (i: computer module number, j: task number) to represent.

(3) Each computer module determines a task j that minimizes the evaluation function Fij as a process to be executed, and switches the executed process to the process to be executed.

Here, since the evaluation function Fij represents a margin of reliability for each task, the higher the importance of the task, the lower the Fij, and the higher the responsibility of the computer module for the task, the lower the Fij. Is determined so that the higher the reliability of is, the higher the Fij becomes.

For example, the above conditions can be satisfied by determining as follows.

Fij = Lrj-Lthij or Fij = Lrj / Lthij where Lthij: threshold value of the reliability level of task j in computer module i Lrj: reliability level of task j i: number of own computer module j: Task number or Fij = log {(1-Lthij) / Pej} where Pej is the probability that the result of task j is wrong. Here, the threshold value Lthij of the reliability level of task j differs depending on the task. A larger value of Lthij is set for an important (higher importance) task requiring higher reliability.

Further, Lthij is a computer module i
Lthij is set higher for a computer module having higher responsibility for a task.

[0019]

According to the present invention, a computer module is assigned to each task so that the evaluation function Fij is always balanced, so that the Fij of a specific task does not increase or decrease. In other words, if there is a specific task whose reliability level has been reduced due to the occurrence of a fault during operation (hereinafter, referred to as a dangerous task), a computer that is executing another task that has a margin in terms of reliability. Since the module executes a dangerous task, it is possible to prevent the reliability level of only a specific task from being lowered. Therefore, it is possible to cope with the occurrence of a fault during the execution of a task and fulfill the responsibility given to the system while maintaining reliability.

Since Lthij is set higher for a task having a higher importance, Fij is balanced with another task at a higher Lrj. Therefore, a higher reliability level Lrj can be maintained by assigning more computer modules to tasks with higher importance.

Further, since each computer module can autonomously determine a task to be executed, a central mechanism for allocating task execution is not required, and there is no single point of failure. Therefore, the entire system is not damaged by a single fault, and the reliability of the system can be improved.

[0022]

BRIEF DESCRIPTION OF THE DRAWINGS FIG.

<Operation Concept> FIG. 4 schematically shows an embodiment of the present invention. In FIG. 4, as an example, the computer modules 101 to 10 (i-1) redundantly execute the task 1
Is executed, the computer modules 10i to 10m redundantly execute the task 2, and assume that a fault (failure) occurs in the computer module 10 (i-1) and normal operation becomes impossible. ing. According to the present embodiment, when a fault (failure) occurs in the computer module 10 (i-1) and normal operation becomes impossible, the computer module 10i stops execution of the task 2, and Start execution of task 1. Therefore,
It is possible to alleviate a significant decrease in the number of computer modules executing the task 1 due to the failure of the computer module 10 (i-1), and to prevent a significant decrease in the reliability of the task 1.

FIG. 5 shows the computer module 10 of FIG.
This is an embodiment in which evaluation functions F1 and F2 are introduced in the determination of task switching of i. Here, the evaluation functions F1 and F2 reflect the reliability of task 1 and task 2, respectively.
How to determine the evaluation function will be described later. First, FIG.
On the left side of, since a fault has occurred in the computer module 10 (i-1) executing the task 1, the evaluation function F1 (reliability) is reduced to be lower than F2.
Therefore, as shown on the left side of FIG. 5, the computer module 1 among the computer modules executing the task 2
0i is added to the execution of the task 1, and the evaluation functions F1 and F2 have substantially the same value. If a large difference occurs in the value of the evaluation function due to the occurrence of a fault, the determination of which computer module is to change the task being executed is determined in advance by determining the degree of responsibility for each task of each computer module. It is decided by keeping. In this embodiment, among the computer modules 10i to 10m executing the task 2, the computer module 1
0i has the highest responsibility for task 1.

The redundant resource management function described above, that is,
If the hardware that performs the task switching function and the judgment function is not redundant and is single, the failure of the hardware may hinder the normal operation of the entire system based on the redundant resource management function. Therefore, it is necessary to make the hardware itself responsible for the redundant resource management function redundant. There are the following three methods for redundancy.

(1) A method in which dedicated hardware is assigned a redundant resource management function to make the hardware redundant.

(2) Computer modules 101 to 10
(I-1) A method of causing a plurality of computer modules to perform the redundant resource management function and determining and controlling which computer module is to perform the redundant resource management function by the redundant resource management function.

(3) Computer modules 101 to 10
(I-1) A method of autonomously determining a task to be executed by the own computer module and providing a redundant resource management function to execute the task.

The method (1) can be realized by preparing hardware or a plurality of hardware and software for realizing the redundant resource management function shown in FIGS. In the method (2), a task for performing the redundant resource management function shown in FIGS. 4 and 5 may be assigned to a plurality of computer modules, and this task may be subjected to redundant resource management like other tasks. Subsequently, an embodiment of the method (3) will be described below.

FIG. 6 shows an embodiment in which, when a large difference occurs in the value of the evaluation function due to the occurrence of a fault, each computer module independently determines whether or not to add to the execution of the task whose evaluation function has been lowered. . Each of the computer modules 101 to 10m calculates an evaluation function Fij (i: processor number, j: task number). Here, it is assumed that the evaluation function Fij is defined to be lower as the computer module has higher responsibility for the task j. That is, the evaluation function Fij can be considered as a margin of responsibility to be fulfilled by each computer module for each task. For example, in FIG. 6, the responsibility for task 1 is high and the responsibility for task 2 is low in the order of the computer modules 101,.
F11 <F21 <... <Fm1, F12> F22 ...> Fm2 even when all the computer modules are normal as shown on the left side of FIG. In the computer modules 101 to 10 (i-1), Fij <Fi2 holds and the computer module 10i
At 10 to 10 m, since Fi1> Fi2 holds, task 1 and task 2 are executed, respectively.

When a fault occurs in the computer module 10 (i-1) as shown in the center of FIG. 6, the value of Fi1 decreases in all the computer modules,
In the computer module 10i, the magnitude relationship between Fi1 and Fi2 is inverted, and Fi1 <Fi2. Therefore, as shown on the right side of FIG. 6, the computer module 10i stops execution of task 2 and starts task 1 by its own judgment. As described above, according to the present embodiment, since each computer module autonomously switches the task executed by its own judgment, there is no so-called manager in which the redundant resource management function of the entire system is concentrated. Therefore, there is no single point of failure, which is a path for improving reliability, and the reliability of the redundant resource management function itself can be improved.

In the embodiments shown in FIGS. 4 to 6, for the sake of simplicity, the case where only two tasks, task 1 and task 2, are executed in the system has been described as an example. Similarly, it goes without saying that redundant resources can be managed.

As a method of selecting a calculation result by a redundant computer module for each task, a method based on a majority decision is adopted, and Japanese Patent Application No. 63-118603 and Japanese Patent Application Laid-Open No. 1-288928 filed by the present inventors have already filed. And the like.

<System Configuration> FIG. 1 shows a system configuration for realizing the present invention. The system according to the present invention comprises m computer modules 101 having the same function.
-10 m. A plurality of computer modules are allocated to the tasks 111 to 11n for high reliability, and the tasks are executed redundantly. In the example of FIG. 1, i1 of the computer modules 101 to 10i1 is assigned to the task 1 (111),
(I1 + 1) to 10i2 (i2-i1) tasks 2
In (112), the computer module 10 (in _{+ 1} +
1) to ₁₀ m (in _{+ 1−} m) tasks n (11n)
Assigned to.

Each of the computer modules 101 to 10m can output to the output selection circuits 51 to 51. .., 3m-1 to 3m-1
Are computer modules 10-1,..., 10
−m is an output to the output selection circuits 51 to 51. Further, the computer modules 10-1,..., 10-m supply selection control signals 41-1 to 41-1 to the output selection circuits 51 to 51.
−l,..., Output 4m-1 to 4m-1
1, ..., 3m-1 to 3m-1. Selection control signals 41-1 to 41-1,..., 4m-1 to 4m-1
Are the outputs 31-1 to 31-l,..., 3m-1 to 3m-1
Is to be selected by the output selection circuits 51 to 51. For example, when the computer module 101 is normal and outputs the output 31-3 to be output to the output selection circuit 51, the selection control signal 41-1 turns on.

In the drawing, outputs 31-1 to 31-l,
Only the selection control signals 41-1 to 41-1 are shown, and the output 32
-1 to 32-1, ..., 3m-1 to 3m-1, and the selection control signals 42-1 to 42-1, ..., 4m-1 to 4m-1 are omitted.

The output selection circuits 51 to 51 determine the outputs to be selected based on the selection control signals 41-1 to 41-1,..., 4m-1 to 4m-1, and make the outputs 61-6l.
The outputs 61 to 61 are connected to the output device 71-7l. In the case of many control devices, the output device 71
-7l controls an object to be controlled by an actuator such as an electric or hydraulic pressure.

The output selection circuit 51-5l is disclosed in Japanese Patent Application No. 63-118603, filed by the present inventors.
MV (Modified Vote) described in FIG. 2 of JP-A 1-288928.
r) There is a circuit.

FIG. 2 is a functional image showing the configuration of a computer module 10i for implementing the present invention. The computer module 10i has a task execution means 12i, a fault information exchange function 13i, a determination function 14i for deciding a task to be executed, and a task switching function 15i. The task to be executed is selected from the tasks n (11n) and executed. In the embodiment of FIG. 2, the computer module 101 executes the task 1 (111).

The fault information exchange function 13i broadcasts the fault occurrence status in the own computer module and the processing result of the task being executed to other computer modules via the communication path 1, and
Collects the fault occurrence status broadcast by another computer module and the processing result of the task being executed.

As a method of communicating with another computer module via the communication path 1, a method using message passing, a method using a shared memory, a method using memory bank switching, and the like have been conventionally proposed. As a form, a bus type, a net type, a ring type, and the like have been proposed.

FIG. 3 shows the configuration of a computer module 10i for implementing the present invention. Bus 2
In 0i, an MPU (Micro-Processing Unit) 21i, a communication interface 22i, an output interface 23i,
The selection control signal interface 24i and the storage device 25i are connected. The communication interface 22i is used for communication with another computer module.
Connected to other computer modules via. The fault information exchange function 13i of FIG. 2 is realized through the selection control signal interface 24i.

The output interface 23i is a circuit for outputting the outputs 3i-1 to 3i-1 to the output selection circuits 51 to 51. The output transfer method can be either parallel transfer or serial transfer according to the application. The output 3i is independent from the output interface 23i.
If it is possible to output -1 to 3i-l, it can be used for an application using a plurality of output devices at the same time.

The selection control signal interface 24i provides the output selection circuits 51 to 51 with selection control signals 4i-1 to 4i-.
This is a circuit for sending l. The predetermined selection control signals 4i to 1 to 4i-l are turned on (selected) by writing from the MPU 21i to the register of the selection control signal interface 24i.
It can be. Note that the selection control signal 4i-l '
The condition for turning on (selecting) (l ′: 1,..., L) is that (a) the computer module 10i executes the task of outputting the output 3i−1 ′ to the output selection circuit 51 ′. And (b) the task being executed by the computer module 10i is considered to be normal. (B)
The method of judging whether is normal or abnormal is described in Japanese Patent Application No. 63-118603, which has already been filed by the present inventors.
There is a method of −288928.

A fault occurs in another computer module 10-i in which the computer module 101 is normal and executes the task 1 for outputting to the output selecting circuit 51, and executes the task 2 for outputting to the output selecting circuit 52. Occurs, and when the responsibility of the computer module 101 for the task 2 is the highest, the computer module 101 ends the execution of the task 1 and starts the execution of the task 2. At this time, the output selection circuit 51 is output from the computer module 101 which is on during execution of the task 1.
Is turned off when the execution of the task 1 is completed, and the output selection circuit 52 is started when the execution of the task 2 is started.
Is turned on. Further, the selection control signal 4i-2 from the computer module 10-i which has been turned on to the output selection circuit 52 turns off when a fault occurs. As a result, in the output selection circuit 52,
Before the occurrence of the fault, the output 32-i from the computer module 10-i normally executing the task 2 was selected as the output 62 and sent to the actuator 72.
The output 32-1 from 1 can be selected as the output 62 and sent to the actuator 72.

According to the embodiment of the present invention, a plurality of tasks can be executed in parallel and redundantly by using a plurality of computer modules.

The above description has been made on the assumption that one task outputs to a plurality of actuators. However, it is also conceivable that one task outputs to a plurality of actuators, or the task does not output to an actuator at all. .

<Evaluation Function Calculation and Judgment Algorithm> FIG. 7 shows a task to be executed according to the present invention by a judgment function 14-.
It is a flow chart of the judgment at the time of judgment in 1 to 14-m.

In the evaluation function calculation processing 300, an evaluation function Fij (j: task number) for each task is calculated.

Here, since the evaluation function Fij represents a margin of reliability for each task, the higher the importance of the task, the lower the Fij, and the higher the responsibility of the computer module for the task, the lower the Fij. Is determined so that the higher the reliability of is, the higher the Fij becomes. That is, ∂Fij / ∂I <0 ∂Fij / ∂Resp <0 ∂Fij / ∂Rel> 0, where I: importance Resp: responsibility Rel: reliability.

The evaluation function Fij satisfying the above condition is, for example,

[0052]

Fij = Lrj−Lthij (1) where Lthij is a threshold value of the reliability level of task j in computer module i Lrj: the reliability level of task j i: the number of the own computer module j: task number Number.

Here, the threshold value Lthij of the reliability level of the task j differs depending on the importance of the task, and a larger value is set for an important task, that is, a task requiring a higher reliability. Further, if the same value Lthij is set for all the computer modules, the operation of the system becomes unstable because all the computer modules execute the same task when a fault occurs. Therefore, Lthij differs depending on the computer module i, and a higher value is set for a computer module having a higher responsibility for a task.

That is, ∂Lthij / ∂I> 0 and ∂Lthij / ∂Resp> 0.

Here, a method of determining the reliability level Lrj of the task j will be described. The evaluation function having the reliability level Lrj is calculated from fault detection results, that is, fault information such as the number of computer modules executing the task j, the mismatch between processing results, and the number of processors having matching processing results. And

First, focusing on the probability that an erroneous result will be adopted as the output of the system, the reliability level Lrj can be calculated from the degree of pass of the check (inspection). When the task j is executed by the N1 computer modules, and the N2 computer modules are determined to be normal as a result of the check, and the calculation results of the N3 computer modules match, the calculation result of the task j is incorrect. Probability Pej is

[0057]

(Equation 2)

Here, Pε: the probability of occurrence of an error Pεd: the probability that a check misses an error Pεa: the probability that an erroneous calculation result coincides by chance. Here, Pε, Pεd, and Pεa can be obtained by the operating environment of the system and the error detection method. Since Pej is a known constant, Pej is a function of N1, N2, and N3-1.

The reliability level Lrj of task j, that is, the probability that the calculation result is not incorrect, is

[0060]

Lrj = 1−Pej (3)

Here, for the sake of simplicity, from equation (3), P
If we evaluate the magnitude of Lrj based on the magnitude of ej, (2)
If we take the log of both sides of the equation,

[0062]

Log (Pej) = N1 · log (Pε) + N2 · log (Pεd) + (N3-1) · log (Pεa) (4) where the values of Pε, Pεd, and Pεa are field data and simulations. Since the logarithms of these values are K1, K2, and K3, respectively, (4)
ceremony,

[0063]

(5) log (Pe) = N1 · K1 + N2 · K2 + (N3-1) · K3 (4 ′)

Further, paying attention to the probability Pe that the calculation result is incorrect instead of the evaluation function of the equation (1),

[0065]

[Formula 6] By defining an evaluation function of Fij = log {(1-Lthij) / Pe｝ (1 ′),

[0066]

Fij = K4−N1 · K1 + N2 · K2 + (N3-1) · K3 (1 ″) where K4 = log (1−Lthij) and the calculation of the evaluation function Fij can be performed only by addition, subtraction, and multiplication. And can be simplified (speeded up).

Similarly, the reliability level Lrj of the task j can be calculated by paying attention to the probability of occurrence of an error in the computer module executing the task j.

Assuming that N1 computer modules are executing task j, the probability that an error will occur in all of these computer modules and the calculation result for task j will be incorrect will be:

[0069]

(Equation 8)

Then, taking the logarithm of both sides, as in the equation (2),

[0071]

[Mathematical formula-see original document] Fij = K4-N1 * K1 (1 "") and the calculation of the evaluation function Fij can be simplified.

In the condition determination processing 301, an evaluation function (Fij (j: 1,..., N, n: number of tasks)) for each task and an evaluation function F for the task k currently being executed
Compare with ik. As a result, if there is a task j that satisfies Fij <Fik, the currently executed task k is terminated and the task j is started.

FIG. 8 shows tasking for ending task k and starting task j. In the case of a computer for feedback control, as shown in FIG. 8, input data is periodically read for each control frame, a task is executed, and a result is output. Now, the task k is being executed by the computer module i, and Fij <Fij <
Suppose that it becomes Fik. In the computer module i,
Immediately ends task k and starts preparation for execution of task j. When the data (history data) up to the previous control frame is not needed to start the task j, the task j can be started from the control frame 2. When history data is required to start task j, history data is collected in control frame 2 as shown in FIG. 8, and task j is started from control frame 3. At this time, the history data may be collected by issuing a request to the computer module already executing the task j via the communication path 1.

<Hunting Prevention-Setting of Dead Zone> FIG.
In this embodiment, if there is a task j that satisfies ij <Fik-δ, the currently executing task k is terminated and the task j is started. This embodiment further improves the operation of FIG.

As shown in FIG. 10 in the embodiment of FIG. 7, (1) Fij <Fik due to the occurrence of a fault and the task k
Is started at time t1, the evaluation function Fij increases,
The evaluation function Fik becomes smaller.

(2) Here, if the magnitudes of Fij and Fik are reversed and Fij> Fik, the computer module which has started execution of task j starts task k again at time t2.

As a result of repeating the above (1) and (2), there is a possibility that the operation efficiency of the system is reduced due to the collection of history data.

Therefore, as shown in FIG. 9, if a dead zone δ larger than the change of Fik and Fij at the time of task switching is provided at the time of the determination in the condition determination processing 301 and a hysteresis characteristic is provided, hunting of the execution task switching occurs. Without this, the system can be operated stably as shown in FIG.

Since Pε, Pεd, and Pεa are known, the change amount of Fij when N1, N2, and N3 change is obtained.
Fij / ∂N1, ∂Fij / ∂N2, ∂Fij / ∂N3 can be known in advance. Therefore, the width of the dead zone δ is max (∂Fij / ∂N1, ∂Fij / ∂N2, ∂Fij / ∂N
3) A larger value may be set.

As shown in FIG. 12, according to the embodiment shown in FIGS. 1 to 11 described above, even if the computer modules constituting the redundant system are lost with time due to the occurrence of a failure, the tasks 1,. It is possible to assign computer modules to n, and to balance the redundancy between tasks according to the reliability level required for each task. In addition, since more redundant computer modules are allocated to tasks of higher importance requiring higher reliability, the coverage of fault detection can be increased.

<Improvement of stability—averaging over time> Further, FIG.
By adding the embodiment shown in FIG. 13 to the embodiment shown in FIG. 12, the stability of the system can be improved.

FIG. 13 shows that when calculating the evaluation function Fij, Lrj
Alternatively, this is an embodiment in which Pe is averaged in the time domain.

According to the embodiment shown in FIGS. 1 to 12, when a failure occurs in the computer module executing the task j, the highest Lthij among the computer modules executing the task k, that is, the task Since Fij <Fik is satisfied in the computer module i having the highest responsibility for j, the computer module i starts executing the task j and can maintain the reliability level of the task j as shown in FIG. At this time, if a failure has occurred in the computer module i, there is no computer module for newly starting the execution of the task j, and the task j as shown in FIG.
Remains low. That is, the result of the redundant resource management is affected by the occurrence of the failure of the computer module i, and the stability of the system is reduced.

Therefore, if Lrj or Pej is averaged in the time domain when calculating the evaluation function Fij as shown in FIG. 13, Fij gradually decreases with time as shown by the solid line in FIG. If there is a computer module i having the highest responsibility for the task j, the computer module i starts executing the task j at time t1, and the value of Fij recovers, as shown in FIG. If the computer module i is not alive and the computer module i ′ having the next highest responsibility for the task j is alive, as shown in FIG. The execution of j is started, and the value of Fij recovers. If neither the computer module i nor the computer module i ′ is alive and the computer module i ″ having a high responsibility for the task j is alive after the computer module i ′, as shown in FIG. 15C. At time t3, the computer module i ″ starts executing the task j, and the value of Fij recovers.

As a method of averaging Lrj or Pe in the time domain, (1) a method of taking a moving average, and (2) a K-order delay system (transfer function G (s) = 1 / (1 + Ts) ∧K) is used. There are methods.

According to the present embodiment, it is possible to reduce the influence on the result of the redundant resource management due to the failure of a specific computer module having a high responsibility for a task. Therefore, the fault tolerance (fault tolerance) of the redundant resource management method itself can be reduced. ) Can be increased.

<Reduction of Communication Volume and Calculation Volume> FIG. 16 shows an embodiment of the present invention in which the communication volume between the computer modules 101-m and the calculation volume for calculating the evaluation function are alleviated. According to the embodiment shown in FIGS. 1 to 15, each computer module informs (broadcasts) the fault detection status of its own computer module to all other computer modules, and Ncom = m (m-1). Times of communication is required, and the amount of communication increases significantly. Therefore, in FIG. 16, normally, only the computer module executing the same task notifies the evaluation function fault detection status, and the evaluation function F
Notify all other computer modules only when ij changes. It is assumed that the computer modules 1 to 3 are executing the task 1 and the computer module i is executing the task 2. In the control frame 1, since no abnormality is found in the computer modules 1 to 3, only 6
Times communication occurs. Next, a case where an abnormality occurs in the computer module 3 in the control frame 2 is considered. First
The first communication is performed only between the computer modules 1 to 3, and the evaluation function Fij calculated based on the fault detection information exchanged by the communication (in this case, the computer module 3 is down and silent) is calculated by the computer module Previous time (control frame 1) due to abnormality 3
Than it is. Therefore, in the control frame 2, the second communication is continuously performed, and the computer module i is notified that the evaluation function Fij has decreased. The computer module i determines whether or not its own computer module should participate in the execution of the task 1 based on the notified information, and when it should participate, suspends the execution of the task 2 and starts the execution of the task 1.

According to this embodiment, the communication between the computer modules is

[0089]

(Equation 10)

Here, N1j is the number of computer modules executing the task j. here,

[0091]

[Equation 11]

Therefore, according to the present embodiment, the number of times of communication is Ncom'ｎNcom / n, which is approximately 1 / n.

FIG. 17 is a flowchart showing the determination as to whether or not to broadcast to all computer modules for the embodiment of FIG. First, fault detection information is exchanged between computer modules executing the same task (302), and an evaluation function Fij based on the fault detection information is calculated (300 '). The calculation function 300 'of the evaluation function Fij calculates the evaluation function Fij only for the computer module executing the same task. This is different from the calculation processing 300 of the evaluation function Fij.
Therefore, in the calculation processing 300 of the evaluation function Fij, m times Fij
Is required, the calculation function 300 ′ of the evaluation function Fij only needs to calculate Fij (O (m / n)) by the number of computer modules executing the same task. It can be approximately 1 / n. After the evaluation function Fij is calculated 300 ', the current Fij is compared with the previous value Fijold (303), and if they do not match, the fault information is broadcast to all the computer modules (304). Finally, the current evaluation function value Fij is stored in the variable Fijold for the next time (305).
I do.

On the other hand, the computer module on the broadcast receiving side determines whether or not there has been an entire area broadcast as shown in FIG. 18 (306), and proceeds to the determination shown in FIGS. 7 and 9 only when there is an all area broadcast.

<Application to Adaptive Control System> FIG. 19 shows an embodiment in which the present invention is applied to an adaptive control system. The physical quantity of the control target 20 is measured by the sensor 2, the state of the control target is observed (estimated) by the state observer 16, and the regulator 17 and the actuator 7 having characteristics suitable for control based on the observed state. Feedback is added to the control target 20. The above is a typical configuration of a control system that performs state feedback based on modern control theory.

Further, from the output signal of the sensor 2 and the input signal to the actuator 7, the characteristics of the controlled object 20 including the sensor 2 and the actuator 7 are identified by the controlled object characteristic identifying section 18, and the optimum regulator designing section 19 A regulator parameter optimal for control is calculated from the identification result of the control target characteristic, and the parameter of the regulator 17 is set to an optimal value. The control characteristics are improved by the adaptive control system as described above. In particular, due to the non-linearity of the aerodynamic characteristics of aircraft, space shuttles (so-called space shuttles),
It is known that a linearly approximated control system is particularly suitable for controlling a controlled object in which the characteristics of the controlled object apparently change depending on altitude and speed. Further, even if a failure occurs in the control target 20, the sensor 2, and the actuator 7, the control system regards the change as a characteristic change of the control target.
Since the optimal parameters are set in the regulator 17 each time, it is possible to compensate for the characteristic deterioration due to the failure of the control target. Usually, in a control system requiring reliability, the actuator is often made redundant. For example, in aircraft, control rudder, rudder, etc.
(Surface) and thrust generators are designed to be redundant, so that even if a part fails, flight is not hindered. However, when a part of these redundant actuators fails, the gain of the actuators equivalently decreases, and the control characteristics of the entire system deteriorate. Further, in some cases, interference occurs between the values to be controlled, and it becomes particularly difficult to control the vehicle through a human driving operation. Therefore, in the adaptive control device according to the present embodiment, the decrease in the gain of the actuator is detected by the characteristic identification unit 18, and the optimal regulator
By determining these parameters, the deterioration of the control characteristics can be compensated.

In this embodiment, in application to adaptive control, the state observer 16 and the regulator 17 are realized by task 1 (or task group 1), and the control target characteristic identification unit 18 and the optimal regulator design unit 19 are implemented by task 2 (Or task group 2), Lth11>Lth21>Lth31>Lth41> Lth51 and Lth12
<Lth22 <Lth32 <Lth42 <Lth52 and Lth11> Lth
52 and Lth21> Lth42 and Lth31> Lth32 and L
When th41> Lth22 and Lth51> Lth11 are set, and there is no computer module that executes task 2 (or task group 2), the parameters of the regulator 17 are set according to a numerical table prepared in advance. . FIG. 20 shows the state of redundant resource management according to this embodiment. First, when the number of normal computer modules is 5, three computer modules are assigned to task 1 (or task group 1).
Computer modules are assigned to task 2 (or task group 2). When a failure occurs in one computer module and the number of normal computer modules becomes four, two computer modules are assigned to task 1 (or task group 1) and two computer modules are assigned to task 2 (Or task group 2). When two computer modules fail and the number of normal computer modules becomes three, two computer modules are assigned to task 1 (or task group 1) and one computer module is assigned to task 2 (Or task group 2). If three computer modules fail and the number of normal computer modules becomes four, two computer modules are assigned to task 1 (or task group 1) and task 2 (or task group 1). In 2), no computer module is assigned. Instead, parameters of the regulator 17 are set according to a table prepared in advance, and control is continued.

As described above, according to the present embodiment, a control system that allows not only a failure in the computer module but also a failure in the control target can be configured, and the reliability of the entire control system can be improved.

FIGS. 21, 22, and 23 show an embodiment of a servo motor system having an output selection and majority decision function. This servo motor system has the functions of the output selection circuits 51 to 51 and the output devices 71 to 71 in FIG. As shown in FIG. 21, the servomotor of this embodiment is provided with a plurality of armature windings 7041 to 704l on a single shaft 701, and the field windings 7031 to 703l corresponding to the armature windings are replaced by armature windings. Are provided in the housing 702 so as to face the.
FIG. 22 shows a cross section taken along the line AA ′ in FIG. The output torque of this servomotor is given by the following equation.

[0100]

(Equation 12)

Where Ifi: current of the field winding 703i Iai: current of the armature winding 704i K: proportionality coefficient Here, if all Ifi are constant,

[0102]

(Equation 13)

However, K ′: proportional coefficient (K · Ifi), and by inputting Iri, an operation in accordance with majority decision (hereinafter referred to as pseudo majority decision) can be performed. If Ifi is a value proportional to the reliability of each input Iai, a weighted pseudo-majority decision can be performed as shown in equation (8). FIG. 23 shows a circuit for performing a weighted pseudo majority by using the servo motor having the pseudo majority function shown in FIGS. In this figure, the output selection circuit 51 and the output device 71 of FIG.
Is shown, but other output selection circuits 5
The same applies to 2 to 5 l and output devices 72 to 7 l.
Output 31 from computer module 101-10m
-1 to 3m-1 and a current proportional to the selection control signal 41-1 to 4m-1 are supplied to the armature winding 7041 via the servo amplifier.
To 704 m and field windings 7031 to 703 m, respectively. As described above, the selection control signals 41-1 to 4m-1
Module 101 considered normal by
A majority decision of outputs 31-1 to 3m-1 from 10 to 10m can be realized. Furthermore, a servo amplifier, armature windings 7041 to
By multiplexing the 704 m and the field windings 7031 to 703 m, it is possible to prevent a failure of the servo amplifier or a failure due to short-circuit or disconnection of the winding, thereby improving the reliability of the servo motor system.

Here, the selection control signals 41-1 to 4m
If -1 is not only a binary value of ON / OFF but also a multi-value value corresponding to the reliability of each computer module outputting an output, a weighted pseudo majority decision can be realized. FIG. 24 shows a system configuration to which the above servomotor system is applied.
As described above, in the system of FIG.
5l and the output devices 72 to 7l are respectively connected to the servo motor system 7
00 may be replaced. According to the present embodiment described above, the output selection circuits 51 to 5 of FIG.
1 and the functions of the output devices 71 to 7l can be realized, so that the configuration of the whole system can be simplified, and high reliability can be achieved by reducing the size and the number of parts. As is clear from equation (8), since the exchange law is established between Ifi and Iai, the current corresponding to the outputs 31-1 to 3m-1 from the computer modules 101 to 10m is supplied to the field winding 7031.
The same effect can be obtained by supplying currents corresponding to the selection control signals 41-1 to 4m-1 to the armature windings 7041 to 704m respectively.

[0105]

According to the present invention, an appropriate number of redundant resources can be allocated according to the reliability level required for each task, so that the processing performance and reliability of the redundant resources can be improved. .

Further, by applying the present invention to an adaptive control system, a control system that allows not only a failure in a computer module but also a failure in a control target can be configured, and the reliability of the entire control system can be improved.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a fault-tolerant system of the present invention.

FIG. 2 is a configuration diagram of a computer module.

FIG. 3 is another configuration diagram of a computer module.

FIG. 4 is a conceptual diagram of an embodiment of the present invention.

FIG. 5 is a conceptual diagram of an embodiment of the present invention.

FIG. 6 is a conceptual diagram of an embodiment of the present invention.

FIG. 7 is a flowchart of condition determination.

FIG. 8 shows task switching timing.

FIG. 9 is a flowchart of condition determination (with a dead zone).

FIG. 10 is a diagram showing a change in Fij (no dead zone).

FIG. 11 is a diagram showing a change in Fij (with a dead zone).

FIG. 12 is a diagram showing a computer module allocation status.

FIG. 13 is a diagram showing averaging of Lrj.

FIG. 14 is a diagram showing a change in Fij (without averaging of Lrj).

FIG. 15 is a diagram showing a change in Fij (with Lrj averaging).

FIG. 16 is a view for explaining reduction of the inter-module communication amount.

FIG. 17 is a flowchart of condition determination for wide area broadcasting.

FIG. 18 is a flowchart of condition determination for wide area broadcasting.

FIG. 19 is a system configuration diagram when applied to an adaptive control system.

FIG. 20 is a diagram showing a computer module allocation status.

FIG. 21 is a sectional view of a servomotor.

FIG. 22 is a sectional view of the servomotor (FIG. 21A-A ′);
surface).

FIG. 23 is a block diagram of a servo motor system.

FIG. 24 is a configuration diagram of a system to which a servo motor system is applied.

[Explanation of symbols]

101 to 10 m: Computer module, 111-1
1n task, 21-2h input device, 31-1-3m
−l,..., 31-1 to 3 ml,... Output, 41-1 to 4 m
−l,..., 41−1 to 4 ml −...
5l: output selection circuit, 71 to 7l: output device, 16: state observer, 17: regulator, 18: control target characteristic identification unit, 19: optimal regulator design unit, 20: control target.

Claims (12)

(57) [Claims] A computer module configured to execute a plurality of tasks,
In addition, in a method of managing redundant resources in a fault-tolerant computer system in which each task is executed by a plurality of redundant computer modules, each task is redundantly executed according to the number of normal computer modules and the importance of each task. The number of computer modules to be executed is changed, and an evaluation function is calculated for each task based on a fault detection situation in the redundantly executed computer module. If there is a first task having a lower evaluation function value, And causing a computer module executing a second task having a larger value of the evaluation function to execute the first task. 2. The computer system according to claim 1, wherein all the computer modules calculate an evaluation function for each task, and if there is a first task having a reduced evaluation function value, the execution is executed in the own computer module. If the value of the evaluation function of the second task is larger than the first task, the execution of the second task is stopped by the judgment of the computer module alone, and the first task is executed. To manage redundant resources. 3. A computer system comprising a plurality of computer modules, wherein a plurality of tasks are executed by the computer modules.
In addition, in a method of managing redundant resources in a fault-tolerant computer system in which each task is executed by a plurality of redundant computer modules, each task is redundantly executed according to the number of normal computer modules and the importance of each task. In each computer module, the task number and the fault occurrence information executed in its own computer module are notified to other computer modules, and the fault occurrence information notified from the other computer modules is added to each computer module. Estimate the reliability of each task based on
The computer module determines which task to participate in the redundant configuration, and when the task to be joined is different from the task currently being executed, the task to be executed is switched to the task to be joined. Redundant resource management method. 4. A one of claims 1 to 2, the computer module i the evaluation function for (i:: 1, ..., N, N Computer number of modules),
A redundant resource management method, wherein Fij is defined by the following equation, and a task j that minimizes the evaluation function Fij is determined as a process to be executed. Fij = Lrj-Lthij where Lthij: threshold value of reliability level of task j in computer module i Lrj: reliability level of task j i: number of own computer module j: number of task 5. In any one of claims 1 to 2, the computer module i the evaluation function for (i:: 1, ..., N, N Computer number of modules),
A redundant resource management method, wherein Fij is defined by the following equation, and a task j that minimizes the evaluation function Fij is determined as a process to be executed. Fij = Lrj / Lthij where Lthij: threshold value of the reliability level of task j in computer module i Lrj: reliability level of task j i: number of own computer module j: number of task 6. In any one of claims 1 to 2, the computer module i (i: 1, ... N , N: Computer number of modules) the evaluation function for, and Fij which is defined by the following formula, A redundant resource management method, wherein a task j that minimizes the evaluation function Fij is determined as a process to be executed. Fij = log {(1−Lthij) / Pej} where Lthij: threshold value of the reliability level of task j in computer module i Rej: probability that the result of task j is incorrect i: number of own computer module j: Task number 7. The one of claims 4 to 6, wherein Lthij is predetermined for each respective computer modules, and tasks, the Lrj is redundant resources being determined on the basis of the fault occurrence information Management method. 8. In any one of claims 4 to 6, in determining the task j that minimizes the evaluation function Fij, if they meet the following relational expression, determining as a task should participate the task j A method for managing redundant resources, characterized in that: Fij <Fik−δ, where k is the number of the currently executed task δ is the width of the dead zone 9. In any of claims 4 to 6, wherein Lrj is the time of fault occurrence, the management method of redundant resource, wherein a decrease over time. 10. A one of claims 4 to 6, the value of the Lrj the management method of redundant resource, characterized in that it is configured as a moving average of the confidence level of the task j per unit time. 11. The method according to claim 9 , wherein the value of Lrj is determined by a K (K: an integer of 1 or more) order delay system (transfer function G (s) = 1 / (1 + Ts) ｓK, T: time constant). A method for managing redundant resources, characterized by averaging. 12. In the ninth aspect , when the evaluation function Fij has not changed from the previous control frame, the fault occurrence information is notified only to the computer module executing the same task as that of the own computer module. If the evaluation function Fij has changed compared to the previous control frame, the redundant resource management method is characterized by notifying all computer modules of fault occurrence information.