JPH08190494A - High-reliability computer with dual processors - Google Patents

Abstract

PURPOSE: To provide a high-reliability computer which is highly common with general-purpose computers and also high in performance-cost ratio. CONSTITUTION: The computer consisting of two CPUs 1A and 1B of the same constitution and an input/output device has an identical-frequency, in-phase clock supply means for both the CPUs 1A and 1B, a doubled controller DSBA 2 which connects both the CPU 1A and 1B to the input/output device, and a communication means which sends and receives the states of the CPUs, etc., between both the CPUs 1A and 1B. The DSBA 2 selects an output instruction from one CPU and sends it to the input/output device, sends a response from the input/output device to both the CPUs 1A and 1B, informs the memories in the CPUs 1A and 1B of memory access from the an input/output device, and selects a memory access response from one CPU and sends it to the input/ output device. If a fault occurs in the CPU 1A or 1B, the DSBA 2 automatically disconnects the faulty CPU and continues to execute a program with the sound CPU. Consequently, high reliability is easily obtained at a low cost and a fault position can be replaced during on-line transaction execution.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a highly reliable computer (fault tolerant computer), and more particularly to a fault tolerant computer in which a dual processor and memory are connected to a single input / output bus.

[0002]

2. Description of the Related Art Computers have come to carry out the functions that occupy the core of society, such as traffic control systems and financial systems. When a computer that performs these functions fails and stops operating, it causes a great deal of confusion in society.
Therefore, there is an increasing demand for computer reliability.

The demand for high reliability of such a computer has been studied in the field of electronic control (controller), and a multi-computer system as shown in Japanese Patent Laid-Open No. 57-20847 was devised. There is. JP-A-57-20
Japanese Laid-Open Patent Publication No. 847 discloses a method of increasing reliability, in which a plurality of computers perform the same arithmetic operation, compare these at the time of data output, and output the correct one. Such a method is based on the premise that the output timings are matched by software and compared, and can be applied to a relatively small-scale control system. But,
Large-scale and complicated application software of recent years cannot be applied because it requires a large number of man-hours for data comparison. In order to deal with such a problem, the following high-reliability technology which compares data mainly by hardware has been proposed.

Regarding the computer high reliability (Fault-tolerance) technology, Japanese Patent Laid-Open No.
There is 202638 publication. As in this system, if the processors participating in the majority vote are operating with independent clocks, some kind of ingenuity is required to synchronize the processors. Japanese Unexamined Patent Publication No. 2-202638 is an invention relating to means for achieving synchronization between processors.

In response to the demand for computers having higher processing performance, computers having a multiprocessor structure have been widely used conventionally for improving the processing performance. As a fault-tolerance technique for a computer with a multiprocessor configuration, refer to the document "Nikkei Electronics 1983.
May 1977 issue, pages 197 to 202 ”.

[0006] This document describes a technique called pair and spare method for operating two wiring boards composed of a memory, a processor and the like having a self-diagnosis function as one set. When a fault occurs in the circuit on one wiring board, the processing operation is continued on the circuit on the other wiring board. With this method, operation continues even if a fault occurs, so checkpoint restart
It is not necessary to restart the process from the checkpoint before the fault occurrence, called (Checkpoint Restart).

[0007] Other high reliability techniques include US Pat. No. 4,907,228 (JP-A-1-154240) and US Pat. No. 5255367 (JP-A-1-154241). This is a basic that enables error detection by connecting a shared resource such as memory to a data path (double rail) extending from two processors and comparing signals from two data buses at the entrance of the shared resource. Prepare one set (two) of data processing devices. A highly reliable computer configuration method having error detection means by comparison at the entrance is shown for an input / output device shared by a set of data processing devices.

Further, as another technique for improving reliability, there is JP-A-4-241039. In this, the BPU itself formed on each wiring board, which is a replacement unit at the time of failure, has a fault tolerance function. BP
Even if a failure occurs in U, the fault tolerance function allows the normal operation to continue until the next "breaking point" (hereinafter referred to as a checkpoint for convenience), and the process is handed over to another BPU at the checkpoint. in this case,
It is appropriate to set the “breaking point” (check point) at, for example, a task switching point.

In order to continue normal operation until the next checkpoint even if a failure occurs in the BPU, B
Each element forming the PU is multiplexed (redundant), and normal elements are combined to continue the operation. A cache memory that can detect a failure by parity check or the like is duplicated, and a normal cache memory is selected and used. M
When a general-purpose product is used for the PU, the MPU cannot have a check function, so the output signals of the MPU are compared and compared to determine normality / abnormality. Turn into.

In this way, even if the BPU itself formed on each wiring board as a replacement unit has an internal failure, the processing can be continued until the next check point.
It is possible to reduce the deterioration of processing performance due to the operation of saving the state at the checkpoint in preparation for the restart of the checkpoint when a failure occurs. Moreover, a pair of BP
Since U is unnecessary, a signal line for clock synchronization between different BPUs is unnecessary, and the speed of the clock can be increased.

Further, since the MPUs constituting the replacement unit operate with the same clock, no special operation for synchronization between MPUs is required, and there is no reduction in processing performance.

In the above conventional techniques, the minimum environment required for software execution is the multiplex of the processor and memory, and when a failure occurs in these parts, the failure part is separated by the hardware, and the program is executed. It is intended to guarantee continuity. In other words, the program realizes that the failure of the processor and the memory is completely invisible (transparent), which is an important technology for reducing special programming for constructing a highly reliable system.

[0013]

These conventional techniques are
This is a general-purpose processor that is distributed in the market, and its peripheral circuits are specially devised to realize a multiplexed CPU. Compared with ordinary data processing devices, workstations, and personal computers that use the same general-purpose processor. In that case, an increase in cost and an increase in hardware / software overhead are inevitable.

Particularly in recent years, the performance of general-purpose processors has been rapidly improved, and the development speed of ordinary data processing devices, workstations, and personal computers using this high-speed processor has been accelerating. This is
This means that there is an inherent problem that the performance price difference between a high-reliability computer that requires a special peripheral circuit even if the same processor is used, and an ordinary data processing device, workstation, or personal computer is further widened.

The present invention has been made in view of these problems, and an object of the present invention is to provide a highly reliable computer which has a high commonality with a general-purpose computer, can be jointly developed with the general-purpose computer, and has a high performance price. It is in providing.

[0016]

In order to achieve the above-mentioned object, a first data processing block exemplifying a CPU including a memory and a data processing device exemplifying a processor, an input / output bus and an input / output device. A second CPU having the same configuration as the first CPU and a clock or reset signal having the same frequency and the same phase with respect to the first and second CPUs. And a clock control means for supplying two CPUs and a dual control means for connecting two CPUs to the input / output device DSBA (Dual System Bus Adapter)
It is referred to as BA) and an inter-block communication means for passing the state of the CPU and the like between the two CPUs.

The DSBA selects an output instruction from the first or second CPU, transmits it to the input / output device, and transmits a response from the input / output device to both the first and second CPUs. Also
The DSBA conveys memory access from the input / output device to the memory in the first and second CPUs, and the first or second CPU
It has a function to select the memory access response from and transmit it to the input / output device.

[0018]

In the above structure, at the time of initial start-up by turning on the power, the same clock is supplied to the two CPUs by the clock means, and each CPU independently performs an initialization operation such as memory clear. Then, after confirming the completion of both initializations by the communication means, the two CPUs are reset at the same timing by the clock means. As a result, the two CPUs thereafter execute exactly the same operation, that is, the same program in the same order. Then, at the time of input / output access, as described above, D
Access control of the redundant CPU is performed by SBA.

Next, when a failure occurs in the CPU, D
By SBA automatically disconnecting the faulty CPU,
Continue running the program on a healthy CPU.

As described above, when a failure occurs in the CPU, DSBA automatically disconnects the failed CPU, so that the program execution can be continued by the sound CPU, so that a highly reliable computer can be realized.

Further, rather than providing a redundant control device in a portion such as a CPU that requires a very high speed and a high degree of mounting technology, a low speed interface portion with an input / output device is used.
By providing the DSBA, high reliability can be realized easily and inexpensively, and the CPU and the input / output device can be shared with the ordinary data processing device, workstation or personal computer, so that the cost can be reduced and the development speed can be improved. be able to.

[0022]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 2 shows the external appearance of a highly reliable computer (hereinafter computer) in which the present invention is implemented. 200A, 20
OB is a CPU-BOX, which includes a processor and a memory. 201A and 201B are disk devices,
A mirror disk configuration can be adopted as necessary in order to improve the reliability of the disk device. 202A, 20
Reference numeral 2B is a power supply, which supplies power to the A system and the B system, respectively. Reference numerals 203A and 203B denote cooling fans, which cool the A system and the B system, respectively. In this way, by duplicating all the hardware required for system operation, even if a single point of hardware failure occurs, continuous operation can be realized by disconnecting the faulty module.

Further, by adopting the device mounting as shown in FIG. 2, since the A system and the B system can be physically separated, the duplication form becomes clear and human error at the time of maintenance work is reduced.
It also enables heavy inspections such as backboard cleaning.

A conceptual hardware configuration of the computer shown in FIGS. 3 and 2 is shown.

Reference numerals 1A and 1B are central processing units (CPU) having a processor, a memory, and peripheral control circuits for these. During normal operation, the CPUs 1A and 1B execute exactly the same programs in the same instruction execution order in synchronization with clocks having the same frequency and the same phase. 2 CPUs 1
D connecting A and 1B with the input / output bus 30A or 30B
It is an SBA and transmits a normal CPU access to the input / output bus and transmits an access from the input / output bus 30 (30A, 30B) to the two CPUs. I / O bus 30
A and 30B include various input / output device adapters (IOA). As the IOA, for example, IO for a disk device
A, IOA for line control equipment and LAN for network
There is C etc.

As can be seen from the figure, the hardware 1
All hardware is duplicated to achieve high reliability against point failures. Where it has the ability to detect errors,
A unit that serves as a separation unit will be called a block. In this embodiment, there are three types of blocks, and each block is duplicated in A system and B system, so there are a total of 6 blocks. The main components of each block are as shown in Table 1 below.

[0028]

[Table 1]

A characteristic point of the operation against the failure in this embodiment is that the separation of the multiplexed blocks is shared by the hardware and the software. That is, the CPU block performs duplication control by hardware, and the IO bus block and the device block perform duplication control by software. For the error detected in the CPU block, the block is separated by hardware, and for the error detected in the IO block and device block, the block is separated by software, and the remaining normal processing is performed. To continue.

Therefore, from the viewpoint of software controlling the I / O bus, there are two I / O buses 30A and 30B having independent addresses, and the flag indicating which I / O bus is normal is memorized. Therefore, by using two input / output devices in combination according to this flag, the input / output devices are duplicated and continuous operation is realized for one point failure of the input / output devices.

FIG. 1 shows a more detailed block diagram of the hardware block diagram shown in FIG. Here, since the right half and the left half of the configuration diagram have exactly the same configuration, the A-system portion of the left half will be described in detail here.

Reference numerals 3A and 4A are processors each having a built-in cache memory having exactly the same structure, and normally perform exactly the same operation. 5A is a memory for storing instructions and data, and its capacity and configuration are various known to those skilled in the art, but in any case, it will not be a problem in carrying out the present invention, and therefore will not be described in detail here.

6A is a processor 3A, 4A and a memory 5
There is a processor memory control unit (PMCU) that connects A and the system bus 9A, and is mainly the processor 3A or 4
The access from A is transmitted to the memory or the system bus 9A, and the access from the system bus is transmitted to the memory. Further, the output signals 500 and 501 of the processors 3A and 4A are compared with each other to check the output disagreement of the two processors to detect a failure in the processors.

7A is a signal line 57 between the CPUs 1A and 1B.
It is an inter-processor interface control device (PXI) that performs control for passing information such as status to the CPU via the (PXI bus).

8A is a clock circuit (C
CLK), CLK8A cooperates with CLK8B of B through the signal line 55 to supply a clock of the same frequency / phase to the entire A system as a clock timing signal. Also C
The LK8A has an oscillator stop detection circuit.

Reference numerals 11, 12, 13, and 14 are DSBAs for controlling a DS (Dual System) bus connecting the A system and the B system. In this example, four sets of DSBAs are shown,
11A and 11B (11), 12A and 12B (1
2), 13A and 13B (13), 14A and 14B (14)
Is a set, and further 11 and 12 pairs and 13 and 1
The set of 4 forms a dual system of I / O buses and I / O devices. Since the operation of each set is the same, the set (11) of 11A and 11B will be described here.

A bus switch 16 connects / disconnects the A system side 15A and the B system side 15B of the DS bus, and is a MOS manufactured by a C-MOS process with a small delay delay.
Switches are preferred. A by turning off the bus switch
Since the systems B and B can be separated logically and electrically, it becomes easy to replace components in the online operation state.

The DSBA 11A is defined as a primary DSBA, and the other DSBA 11B is defined as a secondary DSBA.
The primary and secondary DSBAs are the respective CPUs
Although it receives a DS bus access from 1A and 1B at the same time, only the primary DSBA actually tells the DS bus its CPU access. That is, a kind of selector is formed. Then, the access from the DS bus is received by the primary and secondary DSBAs at the same time, and the respective CPs are received.
Report to U1A and 1B at the same timing.

Reference numerals 20A and 21A are input / output bus adapters (IOBA) for connecting the DS bus and the input / output bus 30A. 31A and 35A are input / output buses 30A and S, respectively.
Standard input / output device buses 32A, 33A, 36 represented by CSI (Small Computer System Interface) buses
It is an input / output adapter (IOA) for connecting A and 37A. 39A is a local area network controller (LANC) for connecting a local area network represented by Ethernet.

Reference numeral 34 (34A, 34B) is a so-called disk device, and in the case of this embodiment, 34A and 34B have a mirror disk structure by software, but another highly reliable disk structure not shown here should be adopted. Is also possible. Three
Reference numeral 8 is a public line connection device for connecting to a public line network.

It should be noted in this embodiment that these input / output buses are recognized by the software as IOBCs having different addresses in 20A and 20B, and the input / output devices are recognized by the software. It is to be recognized as a different input / output device.

Therefore, a highly reliable computer having various grades can be realized only by setting the software. For example,
Here, an example is shown in which all I / O buses and I / O devices are duplicated. However, by unifying I / O devices that are less important in the system, it is possible to flexibly deal with system cost reduction. Becomes Alternatively, it is possible to take measures such as quadrupling a disk storing very important data.

(A) Processor memory control unit (P
MCU): FIG. 4 shows a block diagram of the PMCU. Since 6A and 6B have exactly the same configuration, 6A will be taken up and described here. The PMCU is roughly divided into a processor interface unit (PIU) 40, a memory interface unit (MIU) 41, a system bus interface unit (SBIU) 42, and a processor output comparator 44. Reference numeral 40 denotes an interface unit (PIU) between the processors 3A and 4A. When the external access of the processor is a memory access, the memory address / data from the master processor 3A is fetched into the reception buffer 47 via the signal line 500. When the external access of the processor is an access to the input / output bus (PIO access), the memory address data is stored in the reception buffer 46. On the other hand, the memory address data from the slave processor 4A is taken into the PMCU via the signal line 501, but is not stored in the receiving buffer.

Addresses, data and control signals from the master and checker processors are sent to the processor output comparator 44 when the master processor outputs a write access.
Are compared. When the values do not match, the master checker error signal 400 is asserted. Further, although not shown, a parity error detected during this PIU operation, an error in the control circuit, and the like are transmitted to the logical sum element 43 via the signal line 401.

The MIU 41 receives a memory access from the PIU and a DMA access from the SBIU at the selector 506, accesses the memory 5A and sends a response to each PI.
Return to U or SBIU. The access that the MIU receives from the PIU is memory read and memory write. At the time of memory read, the read address stored in the reception buffer 47 is transmitted to the memory 5A via the selector 506. Then, the read data is stored in the selector 5
Stored in the transmission buffer 48 via
It is returned to the checker processors 3A and 4A. At the time of memory write, the read address and the write data stored in the reception buffer 47 are written in the memory 5A via the selector 506.

The access that MIU receives from SBIU is
DMA read and memory write. At the time of DMA read, the read address stored in the reception buffer 50 is transmitted to the memory 5A via the selector 506. Then, the read data is stored in the transmission buffer 49 and returned to the input / output bus or the input / output device via the system bus 9A. At the time of DMA write, the read address and the write data stored in the reception buffer 50 are written in the memory 5A via the selector 506.
Although the control method of the selector 506 is not shown here, it is desirable to give priority to SBIU.

Parity errors and control circuit errors detected during the MIU operation are transmitted to the logical sum element 43 via the signal line 402. Reference numeral 45 monitors read / write access to the memory performed by a normal MIU at the time of memory copy (details will be described later), and fetches an address and data as necessary. Then, this is output to the system bus as a memory copy access via the signal line 504, and is written to the memory of the other system via the paired DSBA.

SBIU42 is a DMA from the system bus 9A.
Handles access and PIO access from PIUs. P
At the time of PIO read access from the IU, the address stored in the reception buffer 46 is output to the system bus 9A after acquiring the system bus right. Then, the read data is stored in the transmission buffer 48 via the selector 505 and returned to the master checker processors 3A and 4A. At the time of PIO write, the read address and write data stored in the reception buffer 46 are stored in the selector 507.
System bus 9A after acquiring the system bus right via
Output to. The DMA read / write access from the system bus 9A is as described above. These S
When a parity error, a control circuit error, or the like is detected during the BIU operation, it is transmitted to the logical sum element 43 via the signal line 403.

Reference numeral 43 is a logical sum element, and when an error is detected during the operation of the PMCU, the signal line (PMC
U-ERR) 95A is asserted and transmitted to PXI7A. (B) Clock circuit (CLK): The clock circuit 8 in FIG.
The internal block diagram of A and 8B and connection are shown. Since the clock circuit itself is the same for both A and B, 8A will be described. 5
OA is an oscillator (OSC) having a crystal oscillator, which is well known to those skilled in the art, and outputs a clock 501A having a relatively low frequency of 10 MHz. By setting the OSC frequency low, it is possible to supply a stable clock to both systems even when mounting is performed with a distance of several tens of centimeters between 8A and 8B as shown in FIG. 51A is a selector for selecting a clock from the OSC of the own system and a clock from the OSC of the other system. Reference numeral 52A is a phase-locked loop circuit (PLL), which generates a clock 54A having an n-fold frequency in phase with the clock selected in 51A and supplies a high-frequency clock necessary for the processor and peripheral circuits. 53A is a stop detection circuit of the OSC,
When the transmission stop of 01A and 501B is detected, the normal OSC output is selected by the control signal 56A of the selector.

The OSCs 50A and 50B perform a master / slave operation in which the first power source is the clock master.
For example, if the A-system starts up first, 50A becomes the clock master and both selectors 51A and 51B select 501A. When 50A is stopped, the stop detection circuits 51A and 51B detect it,
The selector operates to select 501B. This switching operation is less than the PLL pull-in time, 300n
Since it is performed in a short time of about s, the outputs of both PLLs can supply the clock to the processor and peripheral circuits without interruption even if the selectors are switched.

(C) Multiple system bus adapter (DSB
A): Two CPUs and one CPU using FIG. 6, FIG. 7 and FIG.
A multi-system bus adapter (DSBA) that connects two input / output buses will be described. FIG. 6 shows a configuration focusing on the duplex system bus control by DSBA. DS
BA11A is defined as the primary DSBA and the other DSBA11B
Is defined as the secondary DSBA. The two DSBAs are
It receives a DS bus access from each CPU 1A and 1B at the same time, but only the primary DSBA tells the DS bus that CPU access. Then, the access from the DS bus is simultaneously received by the primary and secondary DSBAs and transmitted to the respective CPUs 1A and 1B at the same timing. That is, the DSBA forms a selector for access from the CPU and acts as a distributor for access from the DS bus.

By the way, the CPUs 1A and 1B perform the same operation under normal conditions, but if some trouble occurs, the synchronous operation is deviated. This synchronization deviation becomes apparent when two CPUs access one DS bus 15A. The inter-DSBA interface 60 detects this synchronization deviation and generates the timing for disconnecting the faulty CPU block when one-sided fault occurs. DSBA interface 60
Has at least eight signal lines, as shown in FIG. 61A and 61B are system bus requests from the CPUs 1A and 1B, respectively, and 62A and 62B are system bus use permission signals generated by the CPUs 1A and 1B, respectively. 63A and 63B are the respective DSBAs
It is an error signal indicating that an error has been detected within. In this embodiment, an error detection code such as a parity bit is not added to the inter-DSBA interface 60, but it is clear that it can be added as needed.

FIG. 7 shows the internal structure of the DSBA11A. DS
The operation of the BA differs depending on whether it is the primary or the secondary, but since it can be realized with the same hardware, the DSBA11A will be described here.

The signals on the system bus 9A include a data / address signal 751 and a control signal 752. Similarly, the signal of the DS bus 30A is the data / address signal 753.
And control signal 754. Reference numerals 73 and 74 are buffers for storing addresses and data. The reference numeral 71 manages the buffers 73 and 74 and controls the system bus 9A or DS
A transmission / reception control unit that manages access to the bus 30A. The access processed by the DSBA is the access from the CPU to the input / output device (called PIO read access and write access) and the access from the input / output device to the memory (D
(MA read access and write access).

At the time of PIO read access, the signal line 75
The read address on 1 is stored in the reception buffer 73, and the DS bus is accessed using this address. The data read out from the input / output adapter or the input / output device is once stored in the transmission buffer 74 for the system bus, and then transmitted to the CPU via the signal line 751. P
At the time of IO write access, the write address and the write data on the signal line 751 are stored in the reception buffer 73,
This address is used to access the DS bus. Then, it is written in a register in the input / output adapter or the input / output device.

At the time of DMA read access, the signal line 75
The read address on No. 3 is stored in the transmission buffer 74, and the memory in the CPU is accessed using this address.
Then, the data read from the memory is temporarily stored in the reception buffer 73 for the DS bus and then returned to the DMA access source via the signal line 753. At the time of DMA write access, the write address and the write data on the signal line 753 are stored in the transmission buffer 74 and written in the memory using this address.

Reference numeral 76 denotes P stored in the reception buffer 73.
It is an IO space convolution circuit that converts an IO access address into an address within the input / output adapter or input / output device under the DSBA. Reference numeral 771 is a flag for instructing selection of whether the output of the IO space convolution circuit 76 is valid, and is set by software when one of the control registers in the DSBA has a failure in the DSBA paired with this DSBA. It In the present embodiment, the description has been centered on the case where all the control of the duplicated input / output device is performed by software, but even if the input / output device is switched by using the IO space convolution circuit 76, Since it is not necessary to change the address for software (for example, device driver), the burden of dual control can be reduced.

755 and 756 are signal lines 751 respectively.
And 753 are parity checkers, and when an error is detected, it is transmitted to the logical sum element 76 as a parity error.
If any error is detected in DSBA, DSBAERROR63A
Is transmitted to the disconnection request generator of the own system and the other system.
When the disconnection request generation unit 72 detects an error in these DSBAs or between DSBAs, the disconnection request generation unit 72 generates a disconnection request signal (DISCONREQ) 64A and transmits it to the PXI7B (PXI of the other system). 75 is D
It is an output gate control circuit that controls an output gate to the S bus.

FIG. 8 shows the details of the output gate control circuit.
The normal output gate control may be performed by opening the output gate when a transmission signal (send) to the DS bus is output from the transmission / reception control circuit. However, in this embodiment, the configuration shown in FIG. 8 is adopted in order to operate the DSBA as a multiple system bus adapter. 81 and 82 are AND elements, and 83
Reference numerals 0, 831 and 832 are negative logic elements. Signal line 8
4 is a transmission signal from the transmission / reception control circuit to the DS bus (sen
The signal line 65 is a DISCON signal indicating that the own system CPU block is disconnected. Signal line 66
Indicates that the other system CPU block is disconnected
This is the DISCON signal. The signal line 67 is a secondary DSBA
Is a signal indicating that. When the two CPUs are operating normally, both the primary and secondary D
The SBA asserts the send signal 84 in the same way, but the primary (ie, signal line 67 is negated) DSBA
Only the output gate is opened and address / data etc. can be sent out. Also, when the own system CPU block fails,
When it is disconnected (the signal line 65 is asserted), the output gate control signal (OE) 85 is negated by the signal line 65, so that the output gate of the own system is not opened at all, which causes the own system CPU block to be disconnected from the DS bus. Achieve separation. When another system fails and is disconnected (the signal line 66 is asserted), the secondary DSBA
Even in this case, the address / data and the like can be transmitted according to the send signal 84.

FIG. 9 shows the configuration of the separation request control unit.
900 (900-1 to 900-4), 901, 902, 9
03 (903-1 to 903-3) are a logical product element, a logical sum element, an exclusive logical sum element, and a negative logical element, respectively. 90 is a timer of 10 microseconds. Timer 9
0 is the system bus use permission signal 91A from the PMCU
Whether a mismatch between (61A) and 91B (61B) is detected by the exclusive OR element 902 and the signal 910 is asserted,
Or PMCUERR signal 9 when an error is detected in PMCU
When 5A is asserted, it starts counting and C of other system
When the XDISCON signal that disconnects the PU block is asserted, the count is stopped and cleared, but after 10 microseconds have elapsed, the timeout signal 96 is asserted. The logical product element 900-1 is a circuit that detects a one-sided error. That is, when the own system is not an error and the other system is an error, the error signal 99 of the other system is asserted, so that the other system CP
The U block disconnection request signal 94A is asserted. The logical product elements 900-2 and 900-3 are circuits that detect a synchronization shift. The one in which the system bus request signal and the system bus use permission signal are not asserted is regarded as a failure, and the synchronization deviation error signals 911 and 98 of the other system are given.
Assert. Regarding the sync error signal 98, it is dangerous to issue a disconnection request immediately because the CPU may already be out of sync for another reason. Therefore, as described above, the synchronization error signal 98 is masked by the timer 90 and the output 96 for a while until the cause becomes clear.

10 and 11 are time charts from the detection of the synchronization error to the assertion of the one-system CPU block disconnection request. Figure 10 shows the PMCU
The bus use permission signal from is normally output from the B system, but is not output from the B system. P
The bus use permission signal (PBGRTB-N) from the MCU is once D
It is latched by SBA (62B) and passed between two DSBAs over one cycle via the inter-DSBA interface 60 (91B). In the DSBA of the own system, it is further internally latched to match the phase with the bus use permission signal from the other system (91A). In DSBA, 91A and 9
1B is compared and a mismatch signal (CMPERR-N) is asserted.

In the case of FIG. 10, there is a possibility that the signal of the PMCU is out of sync, and the CPU is out of sync due to another cause, and there is a possibility that a disconnection request has been issued from the PMCU. Therefore, after waiting for disconnection for a while, if the disconnection is not performed, DSBA issues a disconnection request again (94A).

FIG. 11 shows a case where the bus use request signal from the DSBA is normally output from the B system but not from the B system. The bus use request signal (PBREQB-N) from the DSBA is the interface 6 between the DSBAs.
It is passed between two DSBAs via 0 through one cycle (92B). In the DSBA of the own system, it is further latched internally to match the phase with the bus use permission signal from the other system (92A). In DSBA, 92A and 92B are compared, a mismatch signal (910) is asserted, and a disconnection request is issued (94A). The disconnection request is PXI7.
It is passed to A to generate the final disconnect signal.

(D) Interprocessor interface control device (PXI): FIG. 12A shows the configuration of the PXI7A for generating the disconnection signal. Although the PXI is present in each system, it has exactly the same configuration, so the PXI of the A system will be described here. 94A is another system CP issued from own system DSBA
This is a U block disconnection request signal. 57 is an interface signal with the PXI of the other system, LXDISCONREQA-
N is a request to disconnect the B system from the A system, LXDISCONREQB-N
Is a request to disconnect the A system from the B system, and LXDISCONA-N is A
B system disconnection instruction from system, LXDISCONB-N is A system disconnection instruction from B system. Reference numeral 65 denotes a disconnection instruction signal of the own system CPU block whose timing is adjusted by receiving LXDISCONB-N by a latch, and disconnects the own system from the DS bus by closing the output gate of the DSBA. 121
Is an OR element.

Reference numeral 122 is a status register for holding the status of the CPU of its own system. As the states, the six states shown in FIG. 13 (NONE, INIT, READY, COPY, ON
LN, DISCON). A disconnection determination circuit 120 determines which system is to be disconnected. An error may occur at two locations at the same time, or an error may occur in the remaining system when one system has already been disconnected. Therefore, if a disconnection request is issued and a disconnection instruction is issued as is, a fatal disconnection of both systems will occur. It may be in a different state. Therefore, the disconnection determination circuit 120 negotiates whether the disconnection may be performed, and then the B system disconnection instruction LXDISC from the A system.
Assert ONA124.

FIG. 12B shows the decision logic of the disconnection decision circuit 120. That is, only when the own system is online, there is no disconnection request to the own system, and the disconnection request to another system is issued from the own system CPU, LXDISC
ONA124 is asserted.

(E) CPU operation mode: CPU in FIG.
Indicates the state of. As the states, the six states shown in FIG. 13 (NONE, INIT, READY, COPY, ONLN,
DISCON). NONE is a non-mounted state or a clock stopped state, and is a state in which no operation is performed. INIT
Is in the process of initializing the CPU, and the CP itself is asynchronous with other systems.
This is a state in which the U initialization process is being executed. READY
Is in a memory copy start waiting state. The memory copy will be described later. COPY is a state in which a memory copy is being performed, and a memory matching process is performed by receiving a memory copy from another system. ONLN is in a state of being incorporated in the system and operating normally. DISCON is a state where a disconnection instruction is issued by another system.

The state at the time of initial power recovery is NONE, and C
After the PU initialization process, the state becomes ONLN. on the other hand,
In the case where the redundant synchronous operation state is separated and then turned on again due to an error occurrence, the CPU is initialized, and then a waiting state for starting the copying of the memory from the normal CPU is entered. After that, the copying state of the memory from the CPU of the normal system is actually entered, and when the copying is completed, the ONLN state is entered and the duplex synchronous operation state is restored.

(F) Description of Operation: Next, a typical operation of the highly reliable computer shown in this embodiment will be described.

(A) Normal operation: (1) When no IO bus access is involved When two programs are executed only by the processor and memory without IO bus access, the two CPUs execute the same program in the same order. Execute independently while synchronizing.

(2) When accompanied by IO access As shown in FIG. 14, when the IO access is started, two C
Accesses to the same IO are simultaneously output from the PU. DSBA (Primary and Secondary D shown in FIG. 7)
In response to this, the SBA) transmits only the access on the primary DSBA side to the input / output bus or the input / output device (140, 141). The response from the IO is received by the primary and secondary DSBAs and returns the same response to the two CPUs at the same time (142, 143). Here, CPU
However, when the input / output bus or the input / output device is the access source, DMA (direct memory access) only causes the activation and response in FIG. 14 to be reversed. In other words, two CPUs operating in synchronization with one input / output bus or input / output device are connected by DSBA, and C
By selecting the access from the PU by the DSBA and distributing the access from the input / output bus or the input / output device to the two CPUs, the duplex synchronous operation of the CPUs can be continued even with the IO.

(B) CPU failure operation: (1) error detection, (2) failure block disconnection, (3) failure block replacement, and (4) replacement block re-input as failures operation Since steps are required, the steps will be described.

(1) Error Detection Various error detection means such as parity check have been considered, but it is important in the present invention that error detection is possible, and it does not matter what kind of means is used. Therefore, here, consider the case where a parity error occurs in one-sided memory.

(2) Disconnection of faulty block When an error is reported to the PXI, the PXI becomes 300
The disconnection instruction signal 65 is issued to the CPU block in which the error has occurred in a very short time of about ns. DSBA
Closes the output gate according to the disconnection instruction signal 65 to disconnect the CPU block from the input / output bus. As a result, as shown in FIG. 15, when the IO access is activated, only normal DSBA access (regardless of primary and secondary) is transmitted to the input / output bus or input / output device (144). The response from IO is received by the normal system DSBA (regardless of primary and secondary), and the normal CP
A response is returned only to U (145). Here, the CPU is used as the access source, but in the case of DMA (direct memory access) in which the input / output bus or the input / output device is the access source, the activation and response in FIG. 15 are only reversed.

(3) Replacement of faulty CPU If the error is due to an unrecoverable permanent failure, CP
U must be replaced. Since this exchange is performed while the online work is being executed in the normal system, it will be called online insertion / removal of the CPU. FIG. 16 shows a CPU online insertion / removal procedure. The CPU-BOX in FIG. 2 has an online insertion / extraction panel shown in FIG. 16 (a). Reference numeral 160 denotes a removal request switch, which informs the system of the intention to remove the CPU to the normal CPU. Reference numeral 161 denotes a removal permission lamp, and a CPU of a normal system has a removal request.
Lights red when you can remove. 162 is a CPU
-BOX power switch, valid only when removal is permitted. Reference numeral 163 denotes a mechanical key for fixing the CPU-BOX, which prevents an operator who does not have the key from accidentally removing it.

The procedure for removal is shown in the flowchart of FIG. 16 (b). First, the operator turns on the removal request switch and then waits until the removal permission lamp lights up in red. When it lights up, turn off the power and then remove it. Next exchange CP
When inserting the U-BOX, as shown in the flow of FIG. 16C, after confirming that the removal request switch is off, turn on the power after insertion.

(4) Reintroduction of the replacement CPU The replacement CPU-BOX has a CP as shown in FIG. 13 after power recovery.
After the initialization process of U is performed, a state of waiting for the start of copying the memory from the normal CPU is started. After that, the COPY state is reached in which the memory is actually copied from the normal CPU. When the replacement CPU is in the COPY state, the normal CPU generates a memory copy program and scans all the memories.

FIG. 17 shows a data flow at the time of memory copy. When the memory is accessed from the processor (170), the memory access monitor 45 in the PMCU steals the memory access address and data and writes it in the memory of the exchange CPU-BOX via the DS bus (171). There are two types of memory access from the processor at this time: those that occur when the memory copy program scans the memory and those that generate other online business programs. In either case, the memory copy operation is Treat in the same way.

On the other hand, in the DMA write access (172) which occurs during memory copy, the memory access monitor 45 also steals the memory access address and data and writes it in the memory of the exchange CPU-BOX via the DS bus (173). . That is, all the memories are scanned by the memory copy program to copy the memory contents of the normal CPU to the memory of the exchange CPU, and the memory update by the normal program and the memory update by the DMA performed during this period are all exchange CPUs. When the memory scanning of the memory copy program is completed, the contents of the two memories are completely matched by reflecting them in the memory of.

However, in this state, since the internal states of the processors do not match, the two CPUs are reset at the same time and the same operation is started. As a result, the duplex synchronous operation state can be restored again.

[0081]

According to the present invention, the redundant control device is not provided in a portion such as a CPU that requires a very high speed and a high level of mounting technology, but a DSB is provided in a connecting portion with an input / output device.
By providing A, high reliability can be easily realized at low cost. That is, even if a hardware one-point failure occurs, the non-stop operation can be realized by separating the failure part and continuing the processing. Further, since the faulty part can be exchanged during the execution of the online work, no-down operation can be realized.

[Brief description of drawings]

FIG. 1 is an overall configuration diagram of a highly reliable computer.

FIG. 2 is an external view of the device.

FIG. 3 is a schematic configuration diagram.

FIG. 4 is a configuration diagram of a PMCU.

FIG. 5 is a clock power supply diagram.

FIG. 6 is a diagram of an interface between DSBAs.

FIG. 7 is a block diagram of DSBA.

FIG. 8 is a diagram of a DSBA output gate control circuit.

FIG. 9 is a diagram of a disconnection request generation circuit.

FIG. 10 is a diagram of a time chart when synchronization deviation is detected.

FIG. 11 is a diagram of a time chart when synchronization deviation is detected.

FIG. 12 is a diagram of separation determination means.

FIG. 13 is a diagram of an operation mode of a CPU block.

FIG. 14 is a diagram of an IO access operation under normal conditions.

FIG. 15 is a diagram of an IO access operation when a CPU fails.

FIG. 16 is a diagram of an online insertion / extraction procedure.

FIG. 17 is a diagram showing the flow of data during memory copy.

[Explanation of symbols]

3A, 3B, 4A, 4B ... Processor, 5A, 5B ... Memory, 6A, 6B ... Processor memory control unit, 9
A ... system bus, 11A, 11B, 12A, 12B,
13A, 13B, 14A, 14B ... Multiple system bus adapter, 16 ... Bus switch, 20A, 20B, 21
A, 21B ... Input / output bus adapter.

 ─────────────────────────────────────────────────── ─── Continuation of front page (72) Inventor Yoshihiro Miyazaki 5-2-1 Omika-cho, Hitachi City, Ibaraki Prefecture Hitachi Ltd. Omika Plant, Ltd. (72) Inventor Kazuhiro Hinata 5-chome, Omika-cho, Hitachi City, Ibaraki Prefecture No. 1 Incorporated company Hitachi Ltd. Omika factory (72) Inventor Sataka Ishikawa 810 Shimoimaizumi, Ebina City, Kanagawa Prefecture Incorporated company Hitachi Ltd. Office Systems Division (72) Inventor Hiroshi Oguro 810 Shimoimazumi, Ebina City, Kanagawa Prefecture Stock Company Hitachi, Ltd. Office Systems Division

Claims (13)

[Claims] 1. A first data processing block having a first memory for storing a program and data, a first data processing device for fetching the program and data from the memory and processing the same, and storing the program and data. A second data processing block having a second memory and a second data processing device for fetching a program and data from the memory and processing the program and data, and a clock and a reset signal to the first and second data processing blocks. A clock means to be supplied, an input / output device for storing or sending a processing result to the outside according to designation of the first and second data processing blocks, a first and second data processing block and connected to the input / output device. Duplication control means, first inter-block communication means and second block connected to the first and second data processing blocks Reliable computer having a dual processing apparatus characterized by comprising communications means. 2. A first data processing block having a first memory for storing a program and data and a first data processing device for fetching the program and data from the memory and processing the same, and storing the program and data. A second data processing block having a second memory and a second data processing device for fetching a program and data from the memory and processing the program and data, and a clock and a reset signal to the first and second data processing blocks. A clock means for supplying, a first input / output device for storing or sending a processing result to the outside according to designation of the first and second data processing blocks, a first and second data processing block and the input / output device. The processing result is stored or externally specified by the first redundant control means to be connected and the designation of the first and second data processing blocks. A second input / output device having the same configuration as that of the first input / output device to be output, first and second data processing blocks, second duplication control means connected to the input / output device, first and second A high reliability computer having a duplexing processing device, comprising a first inter-block communication means and a second inter-block communication means connected to two data processing blocks. 3. The high reliability computer according to claim 1 or 2, wherein said duplexing control means selects an output instruction from said first or second data processing block and outputs it to said input / output device. A high-reliability computer having a duplexing processing device, characterized by transmitting the response from the input / output device to the first and second data processing blocks. 4. The high reliability computer according to claim 1 or 2, wherein the duplexing control means causes a memory access from the input / output device to a memory in the first and second data processing blocks. A high-reliability computer having a duplexing processing device, characterized in that a memory access response from the first or second data processing block is selected and transmitted to the input / output device. 5. The high reliability computer according to claim 1 or 2, wherein said clock supply means is a clock having the same frequency and the same phase for said first and second data processing blocks and said duplex control means. A high-reliability computer having a redundant processing device. 6. The high reliability computer according to claim 1 or 2, wherein said duplex control means is a main control means connected to said first data processing block and an input / output bus, and said second control means. Data processing block and slave control means connected to the input / output bus, the main control means sending a start signal to the input / output bus, and the main and slave control means sending a start signal from the input / output bus. A high-reliability computer having a duplex processing device characterized by receiving. 7. The high reliability computer according to claim 1, wherein the first data processing device uses a main processor that retrieves a program and data from a memory and processes the program and data, and the same clock as the main processor. , A slave processor that executes the same program synchronously, but does not write data to the memory, and an output of the master and slave processors when connected to the master and slave processors and the master processor makes an external access A highly reliable computer having a duplication processing device, characterized by having a comparison means for comparing data. 8. The high reliability computer according to claim 1 or 2, wherein the first data processing device comprises:
A first disconnection request for disconnecting the data processing device from the duplication control device when the error detection device detects an error. To the first and second inter-block communication means, and the second data processing device has a second error detecting device for detecting an error occurring in the data processing device. When it detects an error, it issues a second disconnection request to the second inter-block communication means for disconnecting the data processing device from the duplication control means, and the first inter-block communication means sends the first disconnection request. When there is a second disconnection request without a request, a second disconnection instruction for disconnecting the second data processing device from the redundant control means is issued to the redundant control means, and a second block is issued. The inter-cook communication means issues a first disconnection instruction to disconnect the first data processing device from the redundant control means to the redundant control means when there is a first disconnect request and no second disconnect request. A high-reliability computer having a dual processing device. 9. The high reliability computer according to claim 5, wherein said main controller means inhibits sending of a start signal to an input / output bus in response to a disconnection instruction, and said slave control means responds to a disconnection instruction. A high-reliability computer having a duplex processing device, characterized in that start signal transmission to the input / output bus is started in place of the main controller means. 10. The high reliability computer according to claim 2, wherein the first and second duplex control means and the first and second input / output devices have independent addresses, and the first and second A second aspect of the present invention is a high reliability computer having a dual processing device, which is provided with status information indicating which one of the redundant control device and the input / output device is normal. 11. The high reliability computer according to claim 10, wherein if the status information indicates that the first redundant control means and the first input / output device are normal, the first redundant control means. If the status information indicates that the second redundant control means and the second input / output device are normal, the second redundant control means and the second input / output device are used. A high-reliability computer having a duplex processing device characterized by using an output device. 12. The high reliability computer according to claim 2, wherein the first and second redundant control means and the first and second input / output devices have independent addresses, and the second redundant controller is provided. The control means also has a function of receiving an address for the first input / output device, converting the address into an address of the second input / output device, and transmitting the second input / output device. A high-reliability computer having a duplexing processing device, characterized in that it is provided with a setting means for determining whether or not it is valid. 13. The high reliability computer according to claim 12, wherein the setting means is set to be effective when the first input / output device fails. .