JPH047645A - Fault tolerant computer - Google Patents

Abstract

PURPOSE:To prevent the fall of control performance accompanying the occurrence of a fault by providing a function to cancel a stop signal to a unit isolated from a system, the function to inspect whether normal operation is possible or not, and the function to make preparations for resetting. CONSTITUTION:A backup processing circuit cancels temporarily the stop signal for the computer unit isolated from the system because of the fault. On the other hand, the computer unit released from the stop signal executes operation inspection consisting of self monitoring and mutual monitoring, and if these are processes within a definite period of time, the computer unit is reset to the system. If an error is detected by the operation inspection, or if the operation inspection could not be processed within a definite period of time, it is isolated again from the system by the stop signal from the backup processing circuit. Thus, the fall of the control performance due to the fault can be minimized.

Description

DETAILED DESCRIPTION OF THE INVENTION [Industrial Application Field] The present invention relates to a multiprocessor type fault-tolerant computer, and in particular to a system for restoring a unit that has been disconnected from the system due to a temporary failure, or The present invention relates to a fault-tolerant computer having a restart function for restoring a unit that has been disconnected from the system due to a failure after repair.

[Prior art]

Figure 2 shows the IEICE fault-tolerant
1 is a conceptual diagram of a conventional multiprocessor type fault-tolerant computer (hereinafter simply referred to as a system) announced at the System Research Group (FTS 87-31). Here, a multiprocessor is a computer unit (hereinafter referred to as a unit) with exactly the same configuration.
Install multiple units independently (four units in Figure 2), and each unit A
-D is connected via a common area. Each unit executes different tasks asynchronously using different clocks. In this multiprocessor, fault tolerance is achieved through three steps: mutual monitoring, isolation of failed parts, and backup.

First, in the step of mutual monitoring, each unit periodically monitors the operating state of other units while each unit is executing an individual task, and outputs the monitoring results to the backup processing circuit. Such monitoring is performed mutually between each unit.

In the next step, the backup processing circuit determines normal units and abnormal units based on the monitoring results from each unit, and outputs a stop signal to the abnormal unit to disconnect it from the system. In addition, operation information indicating which unit is currently in operation is output to the normal unit.

Subsequently, the normal unit determines a task to be executed based on the operation information from the backup processing circuit, and executes the task. At this time, tasks are determined so that each unit's tasks do not overlap or are omitted. Note that if there is a unit that has been disconnected from the system, the normal unit backs up that task.

Therefore, a normal unit executes multiple tasks depending on the situation.

In this conventional device, if a failure occurs in a part of the unit, that part is disconnected from the system and the remaining units perform the tasks of the entire system. Such reconfiguration is repeated until only one device remains. At that time,
If the number of normal units is greater than the number of tasks in the entire system, some of the normal units will wait without executing any tasks. Then, as the number of normal units decreases, a normal unit on standby will take over and execute the task. On the other hand, if the number of normal units becomes less than the number of tasks in the entire system, the remaining normal units execute a plurality of tasks.

[Problems with conventional technology]

As mentioned above, in the conventional technology, when the number of normal units becomes less than the number of tasks in the entire system, the remaining normal units are required to execute multiple tasks. This increases the computational time required to perform system-wide tasks. As a result, when controlling an object to be controlled as a system or an external device, control performance deteriorates. In order to restore the initial control performance, it is necessary to turn off the power, repair and inspect the faulty part, and restart the system.

By the way, if the failure is temporary, there is no need for repair, and once the failure has been avoided, the vehicle should be able to operate without reducing its original control performance. However, with this conventional technology, control performance remains degraded due to temporary failures, and in order to restore control performance, it is necessary to turn off the power and interrupt operation, which is detrimental to work efficiency. is also a big problem.

Furthermore, even when the fault is fixed, interrupting the operation of the controlled object significantly reduces work efficiency and is economically disadvantageous. If possible, it is desirable to repair the malfunctioning part during operation and restore the system again.

[Purpose of the invention]

The present invention has been made to solve the problems of the prior art described above. In the conventional technology, even if the failure is temporary, control performance deteriorates as the failure occurs. Furthermore, it is not possible to repair or inspect a malfunctioning part during operation, and it is necessary to interrupt operation in order to restore control performance.

The present invention provides a backup processing circuit with a function to release a stop signal to a unit disconnected from the system, a function to check whether the unit disconnected from the system can operate normally, and a function to check whether the unit disconnected from the system can operate normally. By configuring a function that prepares a failed unit to return to the system using a simple means, it is possible to prevent a decline in control performance due to a failure as much as possible, and to fix the failed part without interrupting operation. The objective is to provide a low cost, compact fault tolerant computer that can be repaired.

Another object of the present invention is to provide a recovery method appropriate for the type of failure, and to realize a fault-tolerant computer that safely recovers control performance within a short period of performance degradation.

[Description of the invention]

As shown in FIG. 1, the fault-tolerant computer of the present invention is a load-balanced fault-tolerant computer consisting of a multiprocessor system; Selectively determines and executes a task to be executed based on the operation information from the tasks, performs mutual monitoring periodically, outputs the monitoring result to the backup processing circuit, and disconnects from the system. When the stop signal is released from the state, operation inspection consisting of self-inspection and mutual inspection and input of control information for restart are performed, and the operation inspection and input of control information are completed within a certain period of time. a plurality of computer units having a restart function that returns to the system when a backup processing circuit that outputs the operating information to the normal computer unit and releases a temporary stop signal to the computer unit that is disconnected from the system; An input/output means for transferring data between;
a shared memory for writing and reading data from each computer unit; a bus on a common area connecting the computer unit, the input/output means, the shared memory and the backup processing circuit;
It is characterized by comprising the following.

[Operation and effects of the invention]

In the present invention, when performing fault tolerance with the above configuration, the backup processing circuit temporarily releases the stop signal to a computer unit that has been disconnected from the system due to a failure. On the other hand, the computer unit whose stop signal has been released performs an operation check consisting of self-monitoring and mutual monitoring, and returns to the system if these are processed within a certain period of time. If an error is found in the operation check or if processing cannot be completed within a certain period of time, the backup processing circuit will disconnect the system again by a stop signal.

In this way, in the present invention, the stop signal is temporarily released for a computer unit that has been disconnected from the system due to a failure, so it is possible to prevent a temporary failure in which the cause of the failure has already been removed. You can then reenter the system.

Therefore, control performance does not deteriorate due to the occurrence of a temporary failure.

In addition, even if a fixed failure occurs in a computer unit and the computer unit is disconnected from the system, if the fixed failure part is repaired while the system is running, the restart function will allow the computer unit to be disconnected. The computer unit can be returned to the system. Therefore, it is possible to control objects that must not be interrupted, such as aircraft, vehicles traveling on highways, nuclear reactors, blast furnaces, and the like.

As described above, according to the present invention, a fault-tolerant computer is realized in which the deterioration of control performance due to failure is minimal and there is no need to turn off the power for repair. Therefore, it becomes possible to significantly improve work efficiency, improve safety, and improve quality, which is also economically advantageous.

Furthermore, since the restart function is appropriately shared by taking advantage of the structural features of each computer unit and the backup processing circuit, the circuit for realizing it is extremely simple.

[Description of other inventions]

A second invention having a configuration that further embodies the invention will be described.

In the fault-tolerant computer according to the second aspect of the present invention, the backup processing circuit includes a monitoring result storage means for temporarily storing monitoring results sent from each computer unit via a common area; determining means for determining a normal/abnormal computer unit based on current operating information; operating information outputting means for outputting operating information based on the determination result as new operating information; an operation information-time storage means for temporarily storing the detected operation information and sending it to each computer unit via a common area and feeding it back to the backup processing circuit; a stop signal output means for disconnecting the abnormal computer unit from the system; a start signal generating means for generating a start signal at a set timing; a stop signal canceling means for temporarily canceling a stop signal to the abnormal computer unit based on the start signal; It is characterized by comprising the following.

In the second invention, with the above configuration, when realizing fault tolerance, temporary release of a stop signal for a computer unit separated from the system is performed by the start signal generation means and the stop signal release means. . Therefore, by configuring the start signal generating means using, for example, a self-excited oscillation circuit, the temporary stop signal is automatically released for the computer unit disconnected from the system, and such operations is repeated until the computer unit is disconnected from the system or returned to the system.

In this case, a computer unit that has been disconnected from the system due to a temporary failure will have its stop signal automatically released and can be returned to the system at the same time. Therefore, there is almost no period in which control performance deteriorates due to temporal disturbances. It is also advantageous in that it does not require any operation by the operator.

In particular, the second invention is applicable to a system in which the influence caused by temporarily releasing a stop signal on a computer unit separated from the system is small, and the control performance decrease caused by a temporal failure is large. Are suitable.

In addition, the present invention provides significant improvements in work efficiency, safety, quality, and economic advantages, which are not impaired in any way. Furthermore, there is also the advantage that the circuit for realizing these becomes extremely simple.

Note that it is also possible to configure the activation signal generating means with a manual switch. In this case, the computer unit disconnected from the system remains in that state unless it is manually operated. Therefore, it is possible to prevent unnecessary restarting of a computer unit that has experienced a failure that would adversely affect the system, thereby increasing reliability. Furthermore, it is convenient because the operator can choose the countermeasure depending on the operating condition and the failure situation.

In addition, the present invention provides significant improvements in work efficiency, safety, quality, and economic advantages, which are not impaired in any way.

Furthermore, there is also the advantage that the circuit for realizing these becomes extremely simple.

〔Example〕

Embodiments of the present invention will be described in detail below with reference to the drawings.

First Embodiment FIG. 3 shows the overall configuration of a fault-tolerant computer (hereinafter referred to as system) according to the first embodiment of the present invention.

The computer unit 10 (hereinafter referred to as the unit) is composed of a processor 11, a local memory 12, an address decoder 13, and a bus switch 14, which are connected via an address bus AB, a data bus DBI, and a control bus CBI. ing. Here, the processor 11 performs predetermined processing based on a program written in the local memory 12. This processor 11 is under the control of a backup processing circuit, and when a stop signal is issued, it immediately interrupts execution and leaves the system.

The address decoder 13 decodes the address output by the processor 11, outputs a chip select signal to the local memory 12 in the local area, and sends a chip select signal to the bus switch processing circuit (bus abiter) l in the common area. Outputs an access request signal.

The local memory 12 outputs programs and data, and stores data in response to requests from the processor 11.

In response to access requests from each unit 10 to NO, the bus switch processing circuit 1 outputs an access permission signal if the common area is not in use, and if it is in use, it waits until the use ends. Furthermore, if multiple units request access at the same time, access is granted in order of priority.

Based on the access permission signal, the bus switch 14 selects the address bus ABI and data bus DB1 within the unit IO.
．． Control bus CBI, address bus AB, and data bus DB in the common area.

Connect or disconnect from control bus CB.

It should be noted that since the units 20 to NO have the same configuration, their explanations will be omitted.

The address decoder 2 on the common area decodes the address of the common area based on the address signal on the common area and the control signal, and decodes the address of the common area based on the address signal on the common area and the control signal, and decodes the address of the common area from one of the shared memory 3, output port 4, and input port 5 arranged in the common area. Outputs a chip select signal to the

The shared memory 3 is connected to each unit 10 to NO.
or output data stored in each unit. Note that since it can be accessed from any unit, data transfer between units via the shared memory 3 is possible. Mutual monitoring between units is performed via this shared memory 3.

The output port 4 outputs command signals and the like output from each unit 1O-No to an actuator 6 disposed outside.

The input port 5 inputs a detection signal from an external sensor 7 and transfers it to each unit 10 to NO.

The backup processing circuit 100 includes an output port 101, an input port 102, and a normal/abnormal computer determination circuit 10.
3, which are arranged on the common area. Here, the results of mutual monitoring between each unit are output to the output port 101 on the common area via the common area, while the output port lO1 inputs the results of mutual monitoring between each unit. death,
It is output to the normal/abnormal computer determination circuit 103.

A normal/abnormal computer determination circuit 103 determines a normal unit and an abnormal unit based on the monitoring results from each unit and the operating information at that time.

Then, a stop signal is output to the abnormal unit via the manual restart switch 104. On the other hand, new operation information is output to the input port 102 to inform the normal unit which unit is currently operating normally, and at the same time, the normal/abnormal computer determination circuit 103 itself is informed of its operation. Feedback information.

The input port 102 sends the latched operation information to the normal unit via the common area. A normal unit selects and executes the task to be executed at that time based on its operation information. At this time, a program is written in advance in each local memory that assumes all operating states so that the tasks executed by each unit will not be duplicated or omitted.

In the above configuration, mutual monitoring between each unit is performed as follows based on the aquarium model as shown in FIG. 4 provided in the shared memory 3.

Step 1: The monitored computer unit sets its own aquarium to Fu.
Fill with water up to 1 liter.

Step 2: The monitoring computer unit drains water from the water tank of the monitored computer unit a certain amount at a time.

Step 3: If the water tank is empty as a result of draining water, the monitored computer unit is determined to be abnormal. If water remains, it is considered normal.

In reality, supplying water corresponds to reading a value in the shared memory 3, and draining water corresponds to decrementing a constant value from the value in the common area. These mutual monitors are performed by crossing each other.

Each unit periodically performs mutual monitoring using such software and outputs the monitoring results to the output port IO1.

The backup processing circuit 100 includes each unit lO to NO.
The system inputs the monitoring results output from the system, and determines normal units and abnormal units based only on the monitoring results of units that are determined to be normal based on current operating information. The basics in making that decision are as follows.

(1) A unit determined to be normal by a majority of units or more is determined to be abnormal.

(2) If less than half of the units determine that the unit is abnormal, both the side that has been determined and the side that has been determined are determined to be normal.

(3) If half of the units determine the remaining half of the units to be abnormal, the remaining half of the units are determined to be abnormal.

Next, a stop signal is output to the unit determined to be abnormal via the manual restart switch 104, and the unit is disconnected from the system.

On the other hand, new operating information is transferred to the normal units via the input port 102 in order to inform them which unit is currently operating normally.

At that time, the normal units execute tasks based on the operation information so that the tasks executed by each unit are not duplicated and are not omitted. The operation of each unit at this time is as shown in FIG. First, the operating states of the other units are mutually monitored and the results are output to the backup processing circuit. Next, current operating information is input from the backup processing circuit, and a task to be executed is determined based on that information. Note that if a faulty unit exists, it is necessary to execute all the tasks using the remaining normal unit, so it becomes necessary to execute a plurality of tasks using one unit. Therefore, after executing one type of task, it is determined whether it is necessary to execute other tasks, and if necessary, another task is executed again.

After completing the tasks to be performed, return to the initial mutual monitoring. Note that tasks to be executed for all operating states are written in local memory in advance. Task allocation is determined as follows based on the priority of each task and the priority of each unit.

(1) Among the operating units, tasks with high priority are executed in order of necessity for high-speed calculation.

(2) When it becomes necessary to serially process multiple tasks in one unit, connect the tasks in series starting from the one with the lowest need for high-speed calculation, and let the unit with the lowest priority process the tasks in series.

In this case, if a unit fails, that part is disconnected from the system and the remaining units perform system-wide tasks. Such reconfiguration is repeated until only one device remains.

At that time, if the number of normal units is greater than the number of tasks in the entire system, some units wait without executing tasks. Then, as the number of normal units decreases, the waiting units will take over and execute the task. On the other hand, if the number of normal units becomes less than the number of tasks in the entire system, the remaining units will be required to perform multiple tasks on the machine.
The control cycle for executing tasks becomes longer. Therefore, if left as is, the control performance will deteriorate.

Therefore, in the first embodiment, an operator inspects and repairs the malfunctioning part in this state, and after the repair is completed, the computer unit is restored again according to the procedure shown in FIG.

First, the operator must manually restart the
Press switch 104. At that time, the units that were previously disconnected from the system will have their stop signals released and will perform special restart operations based on the operational information. First, check local memory. If the memory check passes, the current control information is subsequently obtained from the shared memory 3 and converted into constants or variables necessary to execute each task. Note that it is checked whether these values are appropriate, and if they are not appropriate, the control information is obtained again. If these self-monitoring passes, then mutual monitoring is performed. If all of these are passed while the operator is pressing the manual restart switch 104, the normal unit is determined to be normal, and the reset signal from the backup processing circuit 103 is released. As a result, this unit will be able to return to the system and will share the task.

As described above, according to the first embodiment, when performing fault tolerance, it is possible to temporarily release the stop signal for a unit that has been disconnected from the system due to a failure within the backup processing circuit 103. It is. When the stop signal is released, the unit performs an operational check consisting of self-monitoring and mutual monitoring, and if these are completed within a certain period of time, it can return to the system. If an error is found in the operation check or if processing cannot be completed within a certain period of time, the backup processing circuit 103 sends a stop signal to disconnect it from the system again.

In this way, in the first embodiment, it is possible to temporarily release the stop signal for a unit that has been disconnected from the system due to a failure, so that it is possible to temporarily release the stop signal for a unit that has been disconnected from the system due to a failure, so that it is possible to temporarily release the stop signal for a unit that has been disconnected from the system due to a failure. However, you can return to the system again. Therefore, control performance does not deteriorate due to the occurrence of a temporary failure.

Furthermore, even if a fixed fault occurs and the unit is disconnected from the system, the system can be restored by repairing the fixed fault while the system is in operation. Therefore, there is no need to interrupt driving at all.

As described above, according to the first embodiment, a fault-tolerant computer is realized in which the deterioration of control performance due to failure is minimal and there is no need to turn off the power for repair. As a result, it becomes possible to significantly improve work efficiency, improve safety, and improve quality, which in turn becomes economically advantageous.

Furthermore, since the restart function is appropriately shared by taking advantage of the structural features of the unit and the backup processing circuit, the circuit for realizing it is extremely simple.

Further, in the first embodiment, when realizing fault tolerance, the manual restart switch 104 temporarily releases a stop signal for a unit disconnected from the system. Therefore, a unit disconnected from the system remains in that state unless it is manually manipulated.

In this case, it is possible to prevent unnecessarily restarting a unit that is experiencing a failure that would adversely affect the system, thereby increasing reliability. Furthermore, it is convenient because the operator can choose a countermeasure depending on the operating condition and the situation of the failure.

Second Embodiment FIG. 7 shows a fault-tolerant computer according to a second embodiment of the present invention. The second embodiment will be described below, and the parts having the same configuration as the first embodiment will be described with the same reference numerals.

Unit IO includes processor 11. local memory 12
, an address decoder 13, and a bus switch 14, which are connected to each other via an address bus AB1, a data bus DB1, and a control bus CBI. Units 20 to 20 are similarly composed of a processor, a local memory, an address decoder, and a bus switch.

These units 10 to NO are connected to each other via a common area. An address decoder 2, a shared memory 3, an output port 4, and an input port 5 are arranged on the common area, and perform data transfer between units and data input/output with the outside. Further, each unit mutually monitors each other via the shared memory 3. The above configuration and operation are completely similar to the first embodiment, and the details thereof will be omitted.

In addition to the above, a backup processing circuit 100 is arranged on the common area. Backup processing circuit 100
output port 101, input port 102, normal/abnormal computer determination circuit 103, manual restart switch 104, auto restart switch 10
5. It consists of a restart pulse generation circuit 106.

Here, the output port 101 inputs the results of mutual monitoring between the computer units and outputs them to the normal/abnormal computer determination circuit 103. A normal/abnormal computer determination circuit 103 determines a normal unit and an abnormal unit based on the monitoring results from each unit and the operating information at that time. Then, a stop signal is output to the abnormal unit via the manual restart switch 104. On the other hand, in order to inform the normal unit which unit is currently operating normally,
New operating information is output to the input port 102, and at the same time, the operating information is fed back to the normal/abnormal computer determining circuit 103 itself. The input port 102 sends the latched operation information to the normal unit via the common area.

The normal unit selects and executes the task to be executed at that time based on its operation information. At this time, a program is written in advance in each local memory that assumes all operating states so that the tasks executed by each unit will not be duplicated or omitted.

In the above configuration, mutual monitoring between each unit is performed based on an aquarium model as shown in FIG. 4 provided in the shared memory 3, just as in the first embodiment. This mutual monitoring is performed periodically by crossing each other, and the monitoring results are output to the output port 101. Note that the details of the mutual monitoring are the same as those in the first embodiment, and will therefore be omitted here.

The backup processing circuit 103 inputs the monitoring results output from each unit, and determines normal units and abnormal units based only on the monitoring results of units that are determined to be normal based on current operation information. The basics for determining normality/abnormality are also the same as in the first embodiment, so the details will be omitted.

Next, a stop signal is output to the unit determined to be abnormal via the manual restart switch 104, and the unit is disconnected from the system.

On the other hand, new operating information is transferred to the normal unit via the input port 102 in order to notify whether the unit is currently operating normally or not. At that time, the normal units execute tasks based on the operation information so that the tasks executed by each unit are not duplicated and are not omitted. The operation of each unit at this time is performed in the manner shown in FIG. 5, as in the first embodiment. That is, first, the operating states of the other units are mutually monitored and the results are output to the backup processing circuit 103. Next, the pack-up processing circuit 10
3, the current operating information is input, and the task to be executed is determined based on that information.

Note that if there is a faulty unit, all tasks must be executed on the remaining normal unit.
It becomes necessary to perform multiple tasks with one unit. Therefore, after executing one type of task, it is determined whether it is necessary to execute other tasks, and if necessary, another task is executed again. After completing the tasks to be performed, return to the initial mutual monitoring. Note that tasks to be executed for all operating states are written in local memory in advance. Tasks are allocated first based on the priority of each task and the priority of each unit.
Determined using the same method as in the example.

In this system, if a failure occurs in a part of the unit, that part is disconnected from the system and the remaining normal units perform the tasks of the entire system. Such reconfiguration is repeated until only one device remains. At that time, if the number of normal units is greater than the number of tasks in the entire system, some units wait without executing tasks. Then, as the number of normal units decreases, waiting units will take over and execute tasks. On the other hand, if the number of normal units becomes less than the number of tasks in the entire system, the remaining units will be required to execute multiple tasks, and the control cycle for executing the tasks will be or longer. Therefore, if left as is, the control performance will deteriorate.

Therefore, in this state, the operator inspects and repairs the malfunctioning part, and after the repair is completed, the unit is restarted using the manual restart procedure shown in FIG.

First, after the worker completes the repair, the operator must manually restart the
By pressing the switch 104, the stop signal is released.

At that time, the unit that was previously disconnected from the system performs a special restart operation based on the operational information. First, check local memory. If the memory check is passed, current control information is obtained from the shared memory 3. Next, mutual monitoring is performed and the operator presses the manual restart switch 10.
If all passes during the period when 4 is pressed, the normal unit is determined to be normal, and the backup processing circuit 1
The reset signal from 03 is released. It will be possible to return to the system if desired, and the tasks will be divided and executed.

The above is a manual restart means by an operator.

In contrast, the second embodiment also includes automatic restart means, which will be described below.

The restart pulse generation circuit 206 shown in FIG.
It is output to the abnormal computer determination circuit 103. The auto restart switch 205 turns on the restart pulse to the normal/abnormal computer determination circuit 103.
It's off. Here, when the auto restart switch 205 is off, the second embodiment has exactly the same function as the first embodiment. On the other hand, if the auto restart switch 205 is in the on state, normal/
A restart pulse is input to the abnormal computer determination circuit 103. In this case, when the restart pulse is off, the normal/abnormal computer determining circuit 103 determines and outputs a stop signal based on the mutual monitoring results and operation information at that time. When the restart pulse is on, the stop signal is unconditionally canceled regardless of the mutual monitoring results and operation information at that time. In order to realize this, the normal/abnormal computer determination circuit 103 has data written in advance in the ROM table such that the stop signal is released when the restart pulse is on.

In the above configuration, auto restart switch 20
5 is connected, the unit that has been disconnected from the system will be restored using the auto-restart procedure shown in FIG.

First, when the restart pulse is turned on, the stop signal is released. At that time, the units that were previously disconnected from the system will receive special restarts based on their behavior.
Execute the operation.

First, check local memory. If the memory check is passed, current control information is obtained from the shared memory 3. Next, when mutual monitoring is performed and all these are bused while the restart pulse is on, the normal unit is determined to be normal, and the backup processing circuit 1
The reset signal from 03 is released. Therefore, it becomes possible to return to the system and the tasks are shared and executed.

As described above, according to the second embodiment, when performing fault tolerance, it is possible to temporarily release the stop signal for a unit that has been disconnected from the system due to a failure within the backup processing circuit 103. It is. When the stop signal is released, the unit performs checks consisting of self-monitoring and mutual monitoring, and if these are completed within a certain period of time, it can return to the system. If an error is found during inspection, or if processing cannot be completed within a certain period of time, a stop signal from the backup processing circuit 103 causes the system to be disconnected again.

In this way, according to the present invention, it is possible to temporarily release the stop signal for a unit that has been disconnected from the system due to a fault, so that it is possible to temporarily release the stop signal for a unit that has been disconnected from the system due to a fault. , you can return to the system again. Therefore, control performance does not deteriorate due to the occurrence of a temporary failure.

Additionally, even if a fixed fault occurs and the unit is disconnected from the system, the system can be restored by repairing the fixed fault while the system is running, so there is no need to interrupt operation. Not at all.

In this way, according to the second embodiment, a fault-tolerant computer is realized in which the deterioration of control performance due to failure is minimal and there is no need to turn off the power for repairs. As a result, it becomes possible to significantly improve work efficiency, improve safety, and improve quality, which in turn becomes economically advantageous.

Further, since the restart function is appropriately shared by taking advantage of the structural features of the computer unit and the backup processing circuit, the circuit for realizing it is extremely simple.

Furthermore, in the second embodiment, when realizing fault tolerance, a manual restart switch can be used to temporarily release a stop signal for a computer unit that is disconnected from the system. Therefore, a computer unit disconnected from the system remains in that state unless it is manually operated.

In this case, it is possible to prevent unnecessary restarting of a computer unit that has experienced a failure that would adversely affect the system, thereby increasing reliability. Furthermore, it is convenient because the operator can choose a countermeasure depending on the operating condition and the situation of the failure.

Furthermore, in the second embodiment, when realizing fault tolerance, the stop signal for a computer unit disconnected from the system can be temporarily released by auto-restart. Therefore, for computer units disconnected from the system,
The temporary stop signal is automatically released, and this operation is repeated until the computer unit disconnected from the system is returned to the system.

In this case, a computer unit that has been disconnected from the system due to a temporary failure will have its stop signal automatically released and can be returned to the system at the same time. Therefore, there is almost no period in which control performance deteriorates due to temporal disturbances. It is also advantageous in that it does not require any operation by the operator.

In particular, it is suitable for a system in which the effect caused by the temporary release of a stop signal on a computer unit separated from the system is small, and the control performance is significantly degraded due to a temporary failure.

In the first and second embodiments described above, mutual monitoring is performed using an aquarium model, but this is not the essence of the present invention and is not limited to this. Furthermore, the method of determining normal computer units and abnormal computer units and the method of allocating tasks are not limited to the methods described in the above embodiments.

Moreover, although each of the above embodiments shows a combination of the first and second aspects of the invention, it is also possible to configure a combination other than the embodiments.

[Brief explanation of drawings]

Figure 1 is an overall configuration diagram of the fault-tolerant computer of the present invention, Figure 2 is a conceptual diagram of a conventional fault-tolerant computer, Figure 3 is a configuration diagram of the first embodiment, and Figure 4 is mutual monitoring. An explanatory diagram of the method, Fig. 5 is a flowchart of backup processing, Fig. 6 is a flowchart of restart operation in the first embodiment, Fig. 7 is a configuration diagram of the second embodiment, and Fig. 8 is a flowchart of the restart operation in the first embodiment. 3 is a flowchart of a restart operation in an example. Figure 2 Monitoring computer Monitored computer Figure 4

Claims (1)

[Scope of Claims] In a load-balanced fault-tolerant computer consisting of a multiprocessor system, a task to be executed is determined based on the operation information from each individual task whose functions are divided among the tasks of the entire multiprocessor system. selectively determines and executes based on the system, performs mutual monitoring periodically and outputs the monitoring results to the backup processing circuit, and when the stop signal is released from the state of being disconnected from the system. A plurality of systems having a restart function that performs operation inspection consisting of self-inspection and mutual inspection and input of control information for restart, and returns to the system when the operation inspection and input of control information are completed within a certain period of time. determines a normal/abnormal computer unit based on the monitoring results from each of the computer units, outputs the stop signal to the abnormal computer unit to disconnect it from the system, and transmits the operating information to the normal computer unit. a backup processing circuit for outputting a computer unit and temporarily canceling a stop signal in a computer unit that is separated from the system; and input/output means for transferring data between each of the computer units and an external device; A shared memory for writing and reading data from each of the computer units, and a bus on a common area that connects the computer unit, the input/output means, the shared memory, and the backup processing circuit. A fault-tolerant system featuring
Computer.