DE102013106923A1 - A method of operating a high availability computer system using one or more virtual machines - Google Patents

Abstract

The invention relates to a method for operating a high-availability computer system using one or more virtual machines, in which a plurality of application programs are provided for executing an application application. The application programs may not be identical or identical to each other. Using a single control system with two non-identical application programs achieves software uptime. When using two or more control systems with non-identical or identical application programs, software and hardware uptime is achieved. Identical application programs are operated according to the master / slave method. Non-identical application programs are operated by the virtual machines at the same time, whereby accesses to the input / output system are synchronized.

Description

The invention relates to a method for operating a high-availability computer system using one or more virtual software machines, referred to below as a virtual machine.

Highly available computer systems are already known. They have a master / slave configuration, with the master in each case actively controlling a technical process or an application application by executing an application program, while the slave is operated in standby mode and assuming control of the technical process in the event of a failure of the master. For example, this engineering process may be the operation of a production machine controlled by the master using access to an input / output system.

From the DE 10 2005 053 275 A1 there is known a high availability computer interconnect system having a first computer system and a second computer system. The first computer system comprises at least one virtual computer unit and a control device, wherein the control device is adapted to allocate to the at least one virtual computer unit of the computer memory of variable size. The virtual computer unit is set up as a virtual substitute computer unit within the computer network system and is suitable for assuming its tasks in the event of the failure of one of the other computer systems. The first computer system includes a high availability agent that is capable of detecting a failure of one of the other computer systems and, upon detecting a failure, directing the controller to allocate memory of a particular size to the backup virtual computer unit. The size of the work memory allocated to the virtual spare computer unit depends on whether or not the spare virtual computer unit takes over tasks of any of the other computer systems.

The solution in DE 10 2005 053 275 A1 has disadvantages in controlling a technical process. The allocation of memory after detecting the failure of a computer system takes time. This is often incompatible with the claims of a process to be controlled.

The object of the invention is to provide a method for operating a fault-tolerant computer system using one or more virtual machines in which, in the event of a failure of the application program controlling a technical process, the continuation of the technical process is accelerated.

This object is achieved by a method having the features specified in claim 1. Advantageous embodiments and further developments of the invention are specified in the dependent claims.

The advantages of the invention will become apparent from the following exemplary explanation with reference to FIGS. It shows

1 a block diagram of a first embodiment of a high-availability computer system,

2 a block diagram of a second embodiment of a high-availability computer system,

3 a block diagram of a third embodiment of a high-availability computer system,

4 4 is a block diagram of a fourth exemplary embodiment of a high-availability computer system,

5 a block diagram of the basic structure of a virtual machine,

6 a representation for explaining the operation of an interpreter,

7 a block diagram for explaining a master / slave configuration,

8th a representation for explaining a case of redundancy in the in 7 shown configuration,

9 a representation explaining the data transfer from the master to the slave in the event of a fault,

10 a block diagram of the construction of a computer system in which in a single control system, a virtual machine is provided for controlling two application programs,

11 a representation for explaining the two application programs of 10 associated runtime environment,

12 a block diagram for explaining a master / slave configuration in which two different application programs are implemented in the master and in the slave,

13 a representation for explaining the runtime environment of the virtual machine of the master system of 12 associated with two different application programs in normal operation and

14 a representation for explaining the virtual machine of the master system of 12 associated with different application programs when an error occurs in the master system.

According to the present invention, there is provided a method of operating a high availability computer system using one or more virtual machines. This computer system has one, two or more control systems. If there are two or more control systems, these are coupled together by bidirectional communication links. Each of these control systems includes a virtual machine where the virtual machines of different control systems are identical. Each virtual machine implements a complete runtime environment for one or more application programs.

A user of the computer system creates in a first step an application program provided for executing an application application in a desired programming language. This creates a source code that is translated by a compiler into the machine language of the virtual machine. This machine language is then executed by an interpreter of the virtual machine.

The 1 shows a block diagram of a first embodiment of a high-availability computer system. In this first embodiment, the computer system has a single control system. To this belongs a virtual machine VM which operates two non-identical application programs AW1 and AW2 provided for executing the same application application. These non-identical application programs, which are intended to execute the same application application, have different implementations. For example, the application programs are created in different programming languages. The first application program AW1 is used in normal operation to control the application application. The second application program AW2 is also processed by the virtual machine at the same time.

During this operation of the application programs by the virtual machine, synchronization of the two application programs by the virtual machine takes place, this synchronization being performed each time one of the two application programs accesses the input / output system of the control system. If one of the application programs wants to write data at a particular program location, then the virtual machine stops this application program until the other application program also accesses the I / O system. Thereafter, both application programs are continued synchronously. Through this synchronization, both application programs are synchronized with respect to the processing of the input / output signals and are inherently consistent.

During this operation of the application programs, the virtual machine monitors the two application programs for the occurrence of errors. These errors include, for example, the occurrence of a division by zero, a steadily increasing memory requirement, and so on. If the virtual machine detects the occurrence of an error, then the affected application program is aborted by the virtual machine. If the error occurred in application AW1, then the virtual machine performs a bumpless switchover from application AW1 to application AW2, i. H. from the first application program to the second application program. This bumpless transfer does not lose any data because the two application programs always have access to the currently valid runtime data and are synchronized with each other in terms of their access to the input / output system. After this bumpless transfer, the second application program is used to further control the application application. In this way, software high availability and thus high availability of the application application is achieved after all.

Using two non-identical application programs increases the likelihood of software common mode errors, i. H. in the case of identical programming errors occurring, reduced.

Occurs in this embodiment, however, a complete power failure in the (single) control system, then a further control of the application programs and thus an execution of the application application is no longer possible.

The 2 shows a block diagram of a second embodiment of a high-availability computer system. In this second embodiment, the computer system has two control systems coupled to one another via a communication link. Each of these control systems has a virtual machine VM. The virtual machine of the first one Control system controls a first application program AW1, the virtual machine of the second control system, a second application program AW2. The two application programs AW1 and AW2 are identical application programs intended for executing the same application application. The first application program AW1 is assigned master function, the second application program AW2 slave function. The first application program AW1 is used to control the application application. The second application program AW2 is operated in standby mode. The virtual machines monitor the associated application program as well as the state of the respective control system. The accesses to the input / output system are not synchronized.

In the case of an error occurring in the first control system which was not caused by the first application program, the first application program is stopped and the runtime data and the peripheral data of the first application program are transmitted to the second control system. The existing identical application program takes over the further execution of the application application.

The switching between the first application program implemented in the first control system and the identical second application program implemented in the second control system takes place bumplessly, ie. H. without data loss, since the runtime data and the peripheral data of the first application program are provided to the second application program when an error occurs.

The 3 shows a block diagram of a third embodiment of a high-availability computer system. In this third embodiment, the computer system has two control systems coupled to one another via a communication link. Each of these control systems has a virtual machine VM. The virtual machine of the first control system controls a first application program AW1, the virtual machine of the second control system controls a second application program AW2. The two application programs AW1 and AW2 are not identical application programs, but they are intended for the execution of the same application application. The first application program AW1 has a different implementation to the application program 2 on. The first application program AW1 is assigned master function, the second application program AW2 slave function. The first application program AW1 is used in normal operation to control the application application. The second application program AW2 runs quasi parallel to the AW1. The virtual machines each monitor the associated application program and also the state of the respective control system. The accesses to the input / output system are synchronized. In the case of an error occurring in the first control system, which may be a runtime error of the first application program or another error in the first control system, the first application program is stopped and a switchover is performed. The application program AW2 present in the second control system then obtains a master function and assumes the further execution of the application application.

The switchover between the first application program implemented in the first control system and the non-identical second application program implemented in the second control system is bum-free, since the accesses of both application programs to the input / output system are synchronized.

The 4 shows a block diagram of a fourth embodiment of a highly available computer system. In this fourth embodiment, the computer system has two control systems coupled to one another via a communication link. Each of these control systems has a virtual machine VM. The virtual machine of the first control system controls a first application program AW1 and a second application program AW3, which are non-identical application programs. The virtual machine of the second control system controls a second application program AW2 and a fourth application program AW4, which are also non-identical application programs. The application program AW1, however, is identical to the application program AW2. The application program AW3 is identical to the application program AW4. All application programs are designed to execute one and the same application application.

The virtual machines check their assigned, non-identical application programs, which are executed at the same time and synchronized with respect to their accesses to the input / output system, and also monitor the state of the respective control system.

• – Die Laufzeit- und Peripheriedaten des gestoppten Anwendungsprogammes an das zweite Steuerungssystem übertragen. Das identische Anwendungsprogramm des zweiten Steuerungssystems übernimmt die weitere Ausführung der Anwendungsapplikation oder:
• – Das nicht identische Anwendungsprogramm des ersten Steuersystems übernimmt die weitere Ausführung der Anwendungsapplikation.

In the case of an error occurring in the first control system, which is a runtime error of an application program, the failed application program is stopped by the virtual machine. The virtual Machine now checks the type of error. Depending on the detected error, either:

• - Transfer the runtime and peripheral data of the stopped application program to the second control system. The identical application program of the second control system takes over the further execution of the application application or:
• - The non-identical application program of the first control system takes over the further execution of the application application.

The 5 shows a block diagram of the basic structure of a virtual machine. Such a virtual machine has a command processing unit 1 , a compiler 2 , an interpreter 3 , an application program 4 , a runtime system 5 , an input / output unit 6 , an input / output hardware 7 , a network system 8th , possibly additional system services 9 , an agent 10 and a master / slave synchronization 11 on. The input / output unit 6 and the input / output hardware 7 together form an input / output system, also referred to below as an I / O system.

The runtime system implements a complete runtime environment for one or more user programs. In a first step, a user creates an application program 4 in a desired programming language. The compiler 2 translates this application program or the source code of this application program into the machine language of the virtual machine. This machine language is provided by the interpreter 3 executed. Different programming languages can be used or supported. The compiler 2 is designed to handle application programs of multiple programming languages to those of the interpreter 3 can translate the machine language required by the virtual machine.

Will then in normal operation of the computer system by the interpreter 3 running an application program, then the interpreter generates 3 the required runtime information for this application program. The interpreter uses a register image for processing the application program, which consists essentially of working registers and an instruction pointer register. The application program itself has program data PD and a program code PC. Both the register image of the interpreter and the runtime data of the application program, which comprise the program data and the program code, are stored in a memory area managed by the operating system.

By means of the input / output unit 6 and the input / output hardware 7 which constitute an input / output system, peripheral data is written and read. The network system 8th offers the possibility of inter-process communication of the application application with other system components. The service unit 9 offers additional system services such as access to the file system. The agent 10 handles the monitoring of the application application (s) in terms of resource requirements, etc., and implements redundancy management. The synchronization 11 implements the data transfer of the runtime and peripheral data from the master to the slave.

The 6 shows a representation for explaining the operation of the interpreter 3 , It is on the left side of the 6 illustrates the register image RA used by the interpreter for processing the respective application program, which essentially consists of working registers and an instruction pointer register. On the right side of the 6 the runtime data LZD of the application program are shown, to which the program data PD and the program code PC belong. The program code includes a variety of machine instructions. The program data consists of a large number of variables.

The 7 shows a block diagram for explaining a master / slave configuration, which is a simple redundancy system based on a virtual machine. The master system forms a first control system and the slave system a second control system. These systems can consist of commercially available industrial PCs or of so-called embedded systems.

Both systems contain a command processing unit 1 , a compiler 2 , an interpreter 3 , an application program 4 , a runtime system 5 , an input / output unit 6 , an input / output hardware 7 , a network system 8th , a service unit 9 , an agent 10 and a synchronization 11

By means of the agent 10 a mutual monitoring of the systems is carried out. Furthermore, the synchronization 11 in the event of a fault, to transfer data from the faulty master system to the slave system, wherein this data transmission takes place via the communication connection provided between the systems.

In operation with identical user programs, the application application is executed under the control of the virtual machine provided in the master system, which uses the application program provided in the master system for executing the application application. The master system has the sole control over the application application. The Slave system is in standby mode. The virtual machine of the slave system has loaded an identical application program, which, however, is not executed in normal operation by the associated interpreter. The interpreter itself is also in a standby mode. The slave system monitors the master system through cyclic communication over the communication link between the two systems.

The master system continues execution of the application application as long as no error occurs in the master system.

• – von der virtuellen Maschine nicht detektierbare Fehler und
• – von der virtuellen Maschine detektierbare Fehler.

Possible errors can be divided into the following two categories:

• - errors undetectable by the virtual machine and
• - Errors detectable by the virtual machine.

Errors that can not be detected by the virtual machine include, for example, a sudden power failure of the master system and a total failure of the hardware platform.

A sudden power failure will result in an immediate system shutdown unless battery backup is provided, which will maintain the voltage for some time. A total failure of the hardware platform of the master system occurs when system-relevant hardware modules of the master system such as memory modules or the processor itself are no longer functional. In such cases, the virtual machine can not initiate a controlled switch to the slave system.

• – Fehler im Eingabe/Ausgabesystem,
• – kritische Fehler im Anwendungsprogramm,
• – einen stetig steigenden Ressourcenverbrauch des Anwendungsprogrammes,
• – Fehler in den Subsystemen der virtuellen Maschine selbst.

The virtual machine, however, can detect errors that occur:

• - errors in the input / output system,
• - critical errors in the application program,
• A constantly increasing resource consumption of the application program,
• - Errors in the subsystems of the virtual machine itself.

Errors in the input / output system occur when the I / O hardware 7 When writing and / or reading signals reports an error. Critical errors in the application program occur due to incorrect implementation by the user, for example when a division by zero occurs. A steadily increasing consumption of resources occurs when the application program allocates, for example, dynamic memory and does not release it again. Over a longer period of time, a critical system state is achieved as a result, because other subsystems can no longer allocate dynamic memory. Errors in the virtual machine occur due to improper implementation of the virtual machine itself, such as in the case of access to non-valid memory areas. A redundancy case occurs if the master fails due to an error. Then the slave system takes control of the process to be controlled.

• – Redundanzfall bei nicht detektierbaren Fehlern
• – Redundanzfall bei detektierbaren Fehlern.

Essentially, two redundancy cases are distinguished:

• - Redundancy case with undetectable errors
• - Redundancy case with detectable errors.

If a redundancy case occurs due to an undetectable error, then the master system can not make a controlled switchover to the slave system. Since the slave system cyclically monitors the master system via the communication channel and also receives the current image cyclically via input and output signals, the slave automatically takes over control if the communication with the master no longer takes place after the cycle time has expired. The slave uses the last values of the I / O signals received from the master. Since the I / O signals may have changed at the time of taking control of the slave, the slave is not in possession of the last change in the I / O signals. This means that its image of these signals may be inconsistent.

If, on the other hand, a redundancy case occurs due to an error detectable by the virtual machine, the master system can carry out a bumpless switchover to the slave system in which no loss of information occurs.

This latter case will be described below with reference to 8th Explains which a representation to explain a case of redundancy in the in the 7 shown configuration shows.

The 8th shows the state of the master system and the slave system in case of detectable error with subsequent redundancy case. The interpreter of the master system executes the specified command sequence. The slave system is in standby mode, with the same application program being loaded in the slave system as in the master system. However, the interpreter does not run this application in standby mode. The code segment PC of the application program is already available in the interpreter of the slave system. The data segment PD was also generated. However, since the application program has not yet been started, corresponding application variables have not yet been initialized (NI). The register contents of the interpreter of the slave are also invalid (UG).

The interpreter of the master system executes the command IOSYS $ R1 and calls the write function of the I / O system to set a corresponding output signal. Hardware access of the I / O system causes an error F, so that the signal can not be written. The I / O system reports to the error handling of the virtual machine an error in the I / O hardware. The virtual machine stops program execution by the interpreter, so the register's instruction pointer points to the IOSYS $ R1 command and stops.

Through the communication channel, the master informs the slave that a redundancy case has occurred.

The master transmits the values of all I / O signals as well as the runtime information of the interpreter consisting of the working registers and the data segment of the application program to the slave.

This is in the 9 Fig. 11 is an illustration for explaining this data transfer in an error case.

The slave accepts the current values of all I / O signals that correspond to the exact image of the process to be controlled at the time of the error. Furthermore, the virtual machine of the slave system initializes the interpreter with the runtime information of the master system. All variable values of the application from the data segment of the master are written to the data segment of the slave. Also the contents of all registers of the interpreter of the master are transferred to registers of the interpreter of the slave. The instruction pointer register is initialized to refer to the same machine instruction that caused an error in the master. In this case, the instruction pointer points to the machine command IOSYS $ R1 at the same position in the code segment. Then the interpreter of the slave is started, which now executes exactly this machine command, because this command could not be executed due to an error in the I / O system in the master. The interpreter of the slave executes this I / O command in the manner already described by setting the corresponding signal in its own redundant I / O hardware.

In this procedure, the program execution can be switched from the master to the slave with the correct command, without loss of runtime information of the application as well as current values of I / O signals. Conventional systems require a cyclic synchronization between master and slave during normal operation for as exact a changeover as possible and must sometimes carry a history of application-specific status data.

In the method described here, neither a cyclic synchronization in normal operation nor the carrying of a history of application-specific status data is necessary. By transferring the runtime information of the interpreter from the master to the slave, the application application in the slave system can be continued with command accuracy.

The 10 shows a block diagram of the structure of a computer system in which in a single control system, a virtual machine for controlling two provided for executing the same application application, different application programs A and B is provided. The 11 shows a representation for explaining the various application programs A and B of 10 associated runtime environment.

In this embodiment, when an error occurs in the input / output system 6 . 7 the master a bumpless switchover from the faulty to the still functioning application, so that the application application (process to be controlled) can continue bumplessly.

The use of different, d. H. For example, a different programming and thus different program code having application programs A and B, which are provided for execution of the same application application, has the advantage that so-called common mode errors can be avoided. Common mode errors would occur if, in the event of a fault in the application program of the master, there is a switchover from the master to the slave and an identical application program in the slave, i. H. an application program of the same implementation would be loaded.

• – die beiden verschiedenen Anwendungsprogramme sind – wie es in der 10 dargestellt ist – in einem einzigen Steuerungssystem implementiert;
• – die beiden verschiedenen Anwendungsprogramme sind in zwei verschiedenen Steuerungssystemen implementiert, wobei in jedem dieser Steuerungssystem eines der Anwendungsprogramme implementiert ist.

Basically, the following two configurations are possible when using two different application programs, which are intended to execute the same application application:

• - the two different application programs are - as it is in the 10 illustrated - implemented in a single control system;
• The two different application programs are implemented in two different control systems, one of the application programs being implemented in each of these control systems.

That in the 10 The control system shown has a virtual machine that is a command processing unit 1 , a compiler 2 , a first interpreter 3a , a first Application program A, a second interpreter 3b , a second application program B, a runtime system 5 , an input / output unit 6 , an input / output hardware 7 , a network system 8th a service unit 9 , an agent 10 and a synchronization 11 contains. The first application program A is by means of the compiler 2 translated into the machine language of the virtual machine and from the first interpreter 3a executed. The second application program B is using the compiler 2 translated into the machine language of the virtual machine and the second interpreter 3b executed.

In normal operation of the in the 10 shown control system lead the interpreter 3a and 3b their respective associated application program, so that with respect to each of these application programs runtime data independently determined and stored. In each case there is no access to the runtime data of the other application program.

So that a bumpless changeover from application A to application B can take place when an error occurs in application A, one of the two application programs is transferred to the input / output system each time it is accessed 6 . 7 a synchronization of the two application programs performed. For example, if after the simultaneous start of the two application programs, a certain signal is to be written and the application program A reaches the corresponding location in the program code first, the signal is written and blocked the interpreter of the user program A until the application program B write the same signal want. The interpreter of application program B calls the input / output system 6 . 7 to write the said signal, then the blocking of the interpreter of the user program A is canceled, so that both interpreters can continue the execution of their respective application program, this continuation is done simultaneously or synchronized.

In this way, a synchronization of the two application programs is ensured, due to which the two application programs that perform different code due to their different implementation, always have the same image of the I / O signals. As a result, the internal state data and variables of the respective application program with respect to the current values of the I / O signals are always consistent, so that in the case of the occurrence of an error in application A bumpless, loss of data loss application A to application B can be done.

The 12 shows a block diagram for explaining a master / slave configuration in which two different application programs A and B are implemented in the master and in the slave. All of these application programs are intended for execution of the same application application. The 13 shows a representation to explain the runtime environment of the virtual machine of the master system of 12 associated non-identical application programs in normal operation. The 14 shows a representation for explaining the runtime environment of the virtual machine of the master system of 12 associated non-identical application programs when an error occurs in the master system.

When in the 12 shown master / slave configuration are the application programs A and B in the master system and the application programs A and B loaded in the slave system.

The master system has two interpreters 3a and 3b one of which executes the application program A and the other the application program B. The slave system also has two interpreters 3a and 3b one of which executes the application program A and the other the application program B. All application programs are designed to run the same application.

In normal operation, the two different application programs A and B implemented there are executed at the same time in the master system. The application programs A and B implemented in the slave system are in standby mode during normal operation.

The application programs A and B execute different code. The two interpreters execute the respective application program assigned to them and thereby have no access to the runtime data area of the respective other application program. In order to be able to perform a command-precise changeover from the master to the slave in the event of a fault, both application programs A and B (within a virtual machine) are synchronized when accessing the I / O system. For example, if after the start of the two application programs a particular signal is to be written and the application program A reaches the corresponding location in the code first, then the signal is written and the I / O system blocks the interpreter of the application program A until the application program B want to write the same signal. As soon as the interpreter of the application program B then also calls the I / O system to write the signal, the waiting interpreter of the application program A is continued again, wherein the Interpreter of application program B also continues to run.

In this way, a synchronization of the two application programs on I / O signal level is performed. This ensures that both application programs that execute different code always have the same image of the I / O signals. As a result, the internal state data and variables of the respective application program are always consistent with regard to the current values of the I / O signals.

From the 14 the runtime information of both application programs is shown at the time of an error within the virtual machine of the master. The interpreter of the application program B is currently executing the machine command LADDR $ R1, Value at this time. Since the virtual machine can not continue the application program A due to the mentioned error, the associated interpreter terminates the application program A and informs the interpreter of the application program B that the program execution of the application program B is stopped after execution of the current machine command. After the interpreter of the application program B has executed the current machine instruction LADDR $ R1, Value, the interpreter increases the instruction pointer 1 so that the instruction pointer register references the machine instruction LOAD $ R2, $ R1 and stops program execution. The runtime information of the application program B is frozen.

The virtual machine now transmits the image of all I / O signals as well as the runtime information of application program B to the slave system. The slave system initializes the runtime data area of its application program B, which is in standby mode, with the runtime information received from the master. The interpreter of application program B in the slave system executes the next machine command, in this case the command LOAD $ R2, $ R1.

In this way, a bumpless, command-accurate switching from master to slave without runtime data loss is possible. It is irrelevant which application program fails because the system can always transmit the runtime information of the respective functional application program to the slave. In this application, there must be no cyclic synchronization in normal operation between master and slave, nor is it necessary to carry a history of application-specific status data. In the embodiment described here, the user implements two different application programs for the same application application. The method described here is scalable with regard to the redundant application programs, so that the user can theoretically implement any number of application programs for the same application application. In this case, only the time required for the synchronization of the application programs for I / O access increases.

• – beide Anwendungsprogramme greifen auf das gleiche Signal zu,
• – beide Anwendungsprogramme wollen die gleiche Operation auf dem Signal ausführen, d. h. beide Anwendungsprogramme wollen das Signal entweder lesen oder schreiben, und
• – wenn das Signal von beiden Anwendungsprogrammen geschrieben werden soll, wird geprüft, ob der gleiche Wert geschrieben werden soll.

The above-described synchronization of the application programs when accessing I / O signals is performed in order to keep two application programs running independently of each other consistent with respect to the processing of the I / O signals and to allow a redundant behavior. The two application programs call functions of the I / O system to write or read I / O signals. If one of the application programs calls the I / O system to write a certain signal with a certain value, this application program is blocked until the other application program also calls the I / O system. The I / O system checks whether both application programs want to read the same signal or write with the same value. This means that consistent synchronization is only possible if the following criteria are met:

• - both application programs access the same signal,
• - both application programs want to perform the same operation on the signal, ie both application programs want to either read or write the signal, and
• - if the signal is to be written by both application programs, it is checked whether the same value should be written.

If not all of the above criteria are met, then both application programs are out of sync and redundancy is no longer given. Since the I / O system detects such a synchronization error, the system can respond accordingly. After accessing a particular I / O signal under successful verification of the above criteria, the I / O system keeps both application programs running independently until the next access to an I / O signal occurs. In this way, both application programs always have the current image of the I / O signals. If an application program now fails due to an error, the further, redundant application program can continue to run through the consistent image of the I / O signals alone, which enables bumpless switching from the faulty to the redundant application program. If both application programs are executed in the same control system, synchronization takes place within the I / O system via operating system mechanisms. Be both Application programs executed in different control systems, then the synchronization is carried out via the exchange of data via a communication link between the control systems of the master and the slave.

The virtual machines are already started at startup on all computers and run, depending on the application, in parallel time, not synchronous, with. All operating system technical requirements such as a reservation of storage requirements, etc., are already carried out at startup. The virtual machines each process one or more application programs at the same time.

The invention, after all, relates to a method of operating a high availability computer system using one or more virtual machines having been provided for executing an application application of multiple application programs. These can not be identical or identical to each other. If a single control system is used which is equipped with two non-identical application programs, then software uptime is achieved. When two or more control systems equipped with identical or non-identical application programs are used, software and hardware uptime is achieved. Non-identical application programs are operated by the virtual machines at the same time, whereby accesses from the input / output system are synchronized.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 102005053275 A1 [0003, 0004]

Claims (8)

 A method of operating a high availability computer system using one or more virtual machines, wherein A first application program provided for executing an application application is provided, A second application program provided for executing the same application application is provided, - The application programs are each translated by means of a compiler in the machine language of the virtual machine and - The machine language is executed by an interpreter of the virtual machine, where The first application program is used to control the application application, The second application program is operated in standby mode or is being processed in parallel at the same time, - When a fault occurs bumpless switching from the first to the second application program and - After switching the second application program is used to control the application application. Method according to Claim 1, characterized in that two non-identical application programs are provided for executing the same application application, both application programs are processed simultaneously, and synchronization of the two application programs is performed each time one of the application programs is accessed by an input / output system. A method according to claim 2, characterized in that the application programs are provided to a single common control system comprising a virtual machine, and in the event of a detected fault the virtual machine controls the switching from the first to the second application program. A method according to claim 2, characterized in that - the first application program is provided to a first control system comprising a first virtual machine, - the second application program is provided to a second control system comprising a second virtual machine and to the first control system via a communication link is connected, - in the case of a detectable error in the first control system, the first application program is stopped and - the second application program in the second control system takes over the further execution of the application application. Method according to Claim 2, characterized in that the two non-identical application programs are each provided to a first control system and a second control system, the first control system having a first virtual machine and the second control system having a second virtual machine, the two application programs in the first control system of the first virtual machine are controlled, the two application programs in the second control system are controlled by the second virtual machine and in the event of an error in the first control system to the non-identical application program of the first control system or after transmission of runtime data to the identical application program of the second Control system is switched. Method according to Claim 1, characterized in that - the first application program provided for executing the application application is provided to a first control system, - a second application program, identical to the first application program, for executing the same application application, is connected to the first control system via a communication connection second control system is provided, and - are transferred to a bumpless transfer runtime and peripheral data from the first control system via the communication link to the second control system.  A high availability computer system for performing a method according to claim 1, comprising a single control system having a virtual machine and equipped with two non-identical application programs for executing the same application application.  A high availability computer system for performing a method according to claim 1, comprising two control systems interconnected via a communication link, each comprising a virtual machine and each equipped with an application program for executing the same application application, the application programs being identical or not identical.

Images