JP2013109532A - Device, method and program for diagnosis and restoration - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve the safety and continuity of data processing using memory.SOLUTION: A diagnosis and restoration device for executing prescribed processing by an application, and diagnosing and restoring data by comparing the executed processing result comprises: storage means to store prescribed data in three or more data areas; processing program execution means to write the prescribed data in the three or more data areas in different formats, to import and collate each of the written data in the three or more data areas when the application is executed, to perform prescribed restoration when collated results are mismatched and to execute the application with the restored data; and collation processing means to collate the result after execution of the application with a result after execution of the application by at least one of other diagnosis and restoration devices.

Description

  The present invention relates to a diagnostic repair device, a diagnostic repair method, and a diagnostic repair program, and in particular, a diagnostic repair device, a diagnostic repair method, and a diagnostic repair program for improving the safety and continuity of data processing using a memory. About.

  Conventionally, in order to reduce a transient soft error phenomenon after data processing caused by, for example, radiation, diagnosis is performed on data after processing stored in a memory (hereinafter referred to as “memory device” if necessary). There are technologies to do this. Here, the soft error means not a defect (hard error) such as a part of a semiconductor chip that is a memory being broken, but a defect such that only a part of stored data is inverted. . Such soft errors are caused by particle beams such as alpha rays, neutron beams, proton beams, heavy ion beams entering the semiconductor chip, and the time for the particle beam to pass through the semiconductor chip is extremely short. Features such as being instantaneous are known. Also, soft errors are likely to occur due to the densification of the printed board.

  Here, conventionally, it is known that, for example, soft error recovery in a memory that reads and writes in real time can be returned to a normal operation by resetting or rewriting (rewriting) the memory element ( For example, refer nonpatent literature 1). Further, in Non-Patent Document 1, as a countermeasure against soft errors, it is examined that a single bit or 2 bits or more as check information has changed in detection of an error correction code (hereinafter referred to as “ECC” (Error Correction Code)). Or determining whether only a single bit has changed and correcting the data by inverting that bit to a complementary value. Also, the combined use of an existing interleave method and ECC is shown.

  Conventionally, there is known a technique of storing positive data and its inverted data in advance and using the inverted data when an abnormality is detected by a parity check or the like at the time of data access (for example, Patent Documents). 1). Conventionally, a method is known in which positive data, its inverted data, and a check code are stored in advance, and data such as a point in time when the master key is removed is monitored and restored. Further, conventionally, when a software error occurs, a method for diagnosing a CPU (Central Processing Unit) or a memory that is hardware used when executing the software is known (for example, non-patent document). 2).

Japanese Patent Application Laid-Open No. 5-216671 JP 2002-55885 A

design feature, February 2005, “http://ednjapan.cancom-j.com/content/issue/2005/02/feature/feature02.html” IEC61508 Functional safety of electrical / electrical / programmable electrical safety-related systems (IEC61508-7; A.5.7 (Double RAM with backward read)

  However, mounting a complex ECC such as that shown in Non-Patent Document 1 in a memory that reads and writes in real time increases the hardware cost. In addition, in the method shown in Non-Patent Document 1, data correction of 2 bits or more cannot be performed unless combined with a special method such as interleaving. Further, in ECC detection, since rewriting to the memory in which an error has occurred is not performed, the soft error recovery of the memory cannot be performed.

  Further, the conventional soft error diagnosis is performed at a specific timing or periodically. Therefore, conventionally, the timing of reading the memory to actually perform the predetermined processing is different from the timing of reading the memory for diagnosis, and there is a possibility that the soft error cannot be detected and repaired at the timing of reading the data to be processed. is there. That is, in the diagnosis of the soft error, the error detection / recovery timing and the memory read timing for use in the processing are simultaneous, and it is necessary to perform processing using the data detected and repaired.

  Further, the method as disclosed in Patent Document 1 detects an error when the memory is taken out, but the detection method is unclear. For example, Patent Document 1 describes a parity check, but the parity check has a low error detection capability. Further, the technique disclosed in Patent Document 1 does not perform rewriting to a memory in which an error has occurred, and therefore cannot repair a memory soft error.

  In addition, the method as disclosed in Patent Document 2 does not specify a monitoring time, and cannot detect a memory soft error at a timing used when performing a predetermined process. The data reliability cannot be guaranteed.

  In the method disclosed in Patent Document 2, the target is assumed to be an EPROM (Erasable Programmable Read Only Memory), an EEPROM (Electrically Erasable Programmable Read-Only Memory), and a RAM (Random Memory error). This is not shown for detection and repair of data, and is not applicable to real-time memory use because it increases the processing load such as the need for a check code.

  Furthermore, “IEC61508-7 A.5.7 Double RAM” described in Non-Patent Document 2 can detect a soft error at the time of memory access, but cannot recover data and soft error. Therefore, the above-described method cannot improve the safety and continuity of data processing on a system using a memory or the like.

  The present invention has been made in view of the above-described problems, and provides a diagnostic repair device, a diagnostic repair method, and a diagnostic repair program for improving the safety and continuity of data processing using a memory. With the goal.

  In order to solve the above-described problems, the present invention employs means for solving the problems having the following characteristics.

  The present invention stores a predetermined data in a plurality of three or more data areas in a diagnostic / repair device that executes a process by a preset application and compares and executes the result of the executed process to diagnose and repair data. The storage means and the predetermined data are written to the three or more data areas in different formats, the data written to the three or more data areas are read and collated when the application is executed, and the collation results If there is a mismatch, the processing program executing means for executing the predetermined repair using the repaired data, the execution result of the application, and the application in at least one other diagnostic repair device And a diagnostic processing device for collating with the result of executing

  According to another aspect of the present invention, there is provided a diagnostic and repair method for executing processing by a preset application, and comparing and executing the processing results, and diagnosing and repairing data. A storage step of storing in an area, and writing the predetermined data in the three or more data areas in different formats, and reading and collating the data written in the three or more data areas, respectively, when executing the application , A processing program execution step for performing a predetermined repair when the result of collation does not match and executing the application using the data after the repair, a result of executing the application, and at least one other diagnostic repair A verification processing step for verifying the result of executing the application by the method. The features.

  Further, the present invention is a diagnostic repair program for causing a computer to function as each unit included in the above-described diagnostic repair apparatus.

  In addition, what applied the component, expression, or arbitrary combination of the component of this invention to a method, an apparatus, a system, a computer program, a recording medium, a data structure, etc. is also effective as an aspect of this invention.

  According to the present invention, the safety and continuity of data processing using a memory can be improved.

It is a figure which shows an example of the block configuration of the diagnostic repair apparatus in this embodiment. It is a figure for demonstrating the outline | summary of the diagnosis restoration in this embodiment. It is a figure which shows an example of the hardware constitutions which can implement | achieve the diagnostic repair process in this embodiment. It is a flowchart which shows an example of a diagnostic repair process sequence. It is a flowchart which shows an example of the process sequence of a data write function. FIG. 6 is a diagram showing an example of data writing corresponding to the data write function processing procedure of FIG. 5. It is a figure which shows an example of a data management table. It is a figure which shows an example of a structure definition file. It is a flowchart which shows an example of the process sequence of a data reading function. It is a flowchart which shows an example of a collation process procedure. It is a figure for demonstrating the collation process in case the process of a collation destination precedes. It is a figure for demonstrating the collation process in case the process of a collation destination is late. It is a figure which shows an example of a collation data file.

<About the present invention>
The present invention detects a soft error in a storage means such as a memory that reads and writes data in real time, and performs real-time performance by performing a diagnosis such as repair or verification of a soft error in the memory using a majority rule, for example. While maintaining, improve safety, reliability, availability, cost, etc.

  Further, in the present invention, by performing diagnosis using, for example, a divers diagnosis method, even if the output is the same, by changing the processing method, abnormalities in the CPU and memory other than transient errors, etc. A more appropriate diagnosis can be made.

  Here, the “diversity diagnosis method” in the present invention is defined as follows. The divers diagnosis method, for example, is for diagnosing the result obtained by separately reading the input data (device etc.) and processing method when reading the predetermined input data and outputting the same data. is there.

  More specifically, for example, in the case of performing some data processing on acquired data, the diversity diagnosis method is different in programming language, algorithm, version, compiler, compiler, When executing multiple tasks, there are differences in the order of execution, differences in devices (here, differences in devices include, for example, the concept of two devices of the same type or different devices from other companies' products). A diagnosis method using results processed under different conditions such as Note that the different conditions in the diversity diagnosis method are not limited to this in the present invention. Further, the condition set by the diversity diagnosis method may be any one of the above differences, or a plurality of conditions may be combined.

  Further, in the present invention, each error range and data error range obtained by diverse is set in advance, and it is determined whether or not they match in the set range, or the process is performed by majority decision as appropriate. The software error safety is improved by judging whether the result is normal or abnormal.

  DESCRIPTION OF EMBODIMENTS Embodiments of a diagnostic repair apparatus, a diagnostic repair method, and a diagnostic repair program according to the present invention will be described below with reference to the drawings.

<Example of block configuration of diagnostic repair device>
FIG. 1 is a diagram illustrating an example of a block configuration of a diagnostic repair apparatus according to the present embodiment. Here, the diagnosis / repair devices 10-1 and 10-2 shown in FIG. 1 indicate that a plurality of diagnosis / repair devices are multiplexed, and 10-1 and 10-2 are used to distinguish each device. However, they have the same configuration. Therefore, in the following description, for the sake of convenience, functions of each configuration will be described using only the diagnostic / repair device 10-1. In addition, the diagnostic / repair devices 10-1 and 10-2 in the present embodiment can be defined as functions processed by each CPU (for example, CPU1, CPU2, etc.).

  The diagnostic / repair device 10-1 includes a memory 11 as a storage unit, a data management table 12, a structure definition file 13, a processing program execution unit 14, a verification data file 15, a verification processing unit 16, and a communication unit. 17 and time management means 18.

  The memory 11 is, for example, a memory (for example, a RAM) that can be read and written in real time. The memory 11 has a plurality of data areas inside. In the example of FIG. 1, among the plurality of data areas in the memory 11, areas for detecting and repairing soft errors are divided into “data area 1”, “data area 2”, and “data area 3”. to manage. In the present embodiment, the number of data areas is not limited to this. However, since the determination by majority vote may be performed using data in the data areas, the number of data areas is an odd number of 3 or more. It is preferable.

  In the present embodiment, a register or the like may be provided as an area for storing data processed according to predetermined processing contents, and a cache memory or the like for temporarily storing data to be accessed may be provided. It may be.

  The data management table 12 is arranged in a common area accessible from either or both of the data write function 14a and the data read function 14b included in the processing program 14, and manages the start address of the data area of the memory 11. To do.

  The structure definition file 13 is arranged in a common area accessible from either or both of the data write function 14a and the data read function 14b. For example, each data name, the number of bytes of the data name, the data name Manages information that defines the relative address of the beginning of. Here, for example, when each of the functions described above is in C language, a structure definition that is set in advance before the diagnostic / restoration apparatus 10-1 (CPU) executes actual processing, such as when compiling a program, is performed. Data acquired from the data 21 can be converted and constructed as the structure definition file 13.

  The processing program execution means 14 has at least a data write function 14a and a data read function 14b. The data write function 14a is a function for writing predetermined data in a data area in the memory 11 in a predetermined format. The data read function 14b is a function for reading data from the data area in the memory 11 and performing memory diagnosis, data and soft error repair, and the like.

  That is, the processing program execution means 14 has a data write function 14a and a data read function 14b as application processing programs for writing and reading data for which a soft error is to be detected.

  Furthermore, the processing program execution means 14 has various applications 14c. The various applications 14c include a plurality of applications that perform different processes. The processing program execution means 14 selects an application from the various applications 14c according to the processing content set in advance, executes a processing program (application processing program) corresponding to the selected application, and compares the execution result with the collation data file 15 Output to.

  Here, the application processing program by the various applications 14c is, for example, a program that outputs the same output by a predetermined control command or the like to the same input in the diagnostic repair device 10-1 (CPU1) and the diagnostic repair device 10-2 (CPU2). It is. In other words, the application processing program, for example, processes the above-described CPU 1 and CPU 2 with the same algorithm, or applies the above-described divers diagnosis method and performs processing using another processing algorithm or the like on the input. Processing by diversification, such as output. In this embodiment, by performing diversification, it is possible to detect and avoid a common cause failure due to, for example, a program or design error.

  The collation data file 15 collates, for example, the processing result of the processing program execution unit 14 in the diagnosis / repair device 10-1 (CPU1) and the processing result of the processing program execution unit 14 in the diagnosis / repair device 10-2 (CPU2). Then, data for verifying and diagnosing the repaired data is stored. The verification data file 15 can also store history information (eg, previous data, current data, etc.) of the processing results so far.

  As the collation processing, the collation processing unit 16 collates, for example, the processing result of the processing program execution unit 14 in the diagnostic repair device 10-1 with the processing result of the processing program execution unit 14 in the diagnostic repair device 10-2. It is checked whether or not the predetermined results match, and processing for verifying and diagnosing the repaired data is performed. Note that the determination of whether or not they are coincident is not limited to complete coincidence, and may be determined, for example, based on whether or not they are within a predetermined error range.

  Further, the collation processing means 16 may collate the processing result data (current data) for each of the multiplexed diagnosis / repair devices, and correspond to the processing timing of each diagnosis / repair device. For example, collation may be performed using the processing result data (previous data) for the previous time.

  The communication means 17 enables data transmission / reception between the diagnostic / repair device 10-1 and the diagnostic / repair device 10-2. Specifically, for example, diagnosis / repair results are collated by the communication means 17.

  The time management means 18 manages the time for causing the processing program execution means 14 to execute at least one process (application) preset. Moreover, the time management means 18 manages the time for synchronizing execution with other multiplexed diagnostic repair apparatuses. Therefore, each time management means 18 in each multiplexed diagnostic repair apparatus 10 may be connected so as to be synchronized by a communication network or the like.

  In the present embodiment, the present invention is not limited to this. For example, a management control device that performs control so that predetermined processing is executed in synchronization with the processing program execution means 14 of each diagnosis and repair device 10 is provided. The management control device may output time information for executing predetermined processing on each of the multiplexed diagnostic / repair devices 10. Thereby, in this embodiment, the real-time diagnostic repair process by time management is realizable.

  The structure definition data 21 is data in which a structure of data acquired from the outside is defined. In this embodiment, the structure definition data 21 is converted to obtain the structure pair definition file 13, but the present invention is not limited to this. For example, the structure definition file 13 itself is directly input from the outside. You may get it. The acquisition from the outside may be acquired from other devices via a communication network such as the Internet or a LAN (Local Area Network), or may be set by an input from a user or the like.

  Here, the diagnostic repair device 10-2 has a block configuration equivalent to the multiplexed diagnostic repair device 10-1, and performs processing corresponding to each function described above. The diagnosis / repair device 10-2 can perform processing in parallel with the multiplexed diagnosis / repair device 10-1, or can perform processing at different timings, and these can be set in advance by a user or the like. In the example of FIG. 1, the diagnostic / repair device 10-2 (CPU2) constitutes a parallel duplex system with the diagnostic / repair device 10-1 (CPU1). However, the present invention is not limited to this. Alternatively, the multiplexing system may be configured with the diagnostic / repair device 10 having a triple or more configuration.

<Overview of diagnostic repair>
Here, an outline of diagnosis and repair in the present embodiment will be described with reference to the drawings. FIG. 2 is a diagram for explaining an outline of diagnostic repair according to the present embodiment. In the present embodiment, as shown in FIG. 2, for the memory 11 that reads and writes in real time, memory diagnosis, read data repair, and soft error repair of the memory 11 are performed in the following procedure. In FIG. 2, the data areas 1 to 3 described above are memories 11-1 to 11-3, respectively.

  First, in the present embodiment, as shown in (1) of FIG. 2, when data is written, predetermined data is written into the data area in, for example, three different formats. As the data format to be written, for example, data as it is (positive data), data obtained by performing EOR (exclusive OR) on positive data with a hexadecimal number ffff (high value (all f)), and positive data are preset. Bit error other than soft error by using EOR operation with one or a plurality of different predetermined patterns (for example, hexadecimal aaaa, abcd, 4321, 0a0a, etc.) and selectively using those data It is possible to detect errors such as. Furthermore, in the present embodiment, by performing a collation process shown in FIG. 2 (5) described later, the reliability of data is improved, and additional data such as a checksum is unnecessary.

  The predetermined pattern described above may be a sequence of the same numbers such as the hexadecimal number aaaa, or may be an ascending order or a descending order such as the hexadecimal numbers 1334 and 4321, or may be a predetermined number such as the hexadecimal number 0a0a. Two or more values may be alternately arranged. The data pattern described above may be changed for each process, or may be always fixed to a preset pattern. Furthermore, the operation content in the present embodiment is not limited to the above-described EOR operation, and for example, a predetermined operation such as a logical product operation may be used, and an operation method may be used according to each process or the content of the processing data. May be set arbitrarily. The number of digits of the additional data such as the hexadecimal numbers ffff and aaa described above is shown as four digits for convenience of explanation, but actually, the number of digits corresponding to the number of bytes of the positive data is set.

  Next, in this embodiment, the data shown in (2) of FIG. 2 is read at the timing used for processing. Further, at the time of reading, the positive data written in the memory 11-1 by the processing of (1) in FIG. 2 and the inverted data which is EOR-calculated with the hexadecimal number ffff written in the memory 11-2 are collated to confirm a match. Here, at the time of collation, collation is performed after the inverted data obtained from the memory 11-2 is returned to the data before the EOR operation with the hexadecimal number ffff. Note that the determination of whether or not they are coincident is not limited to complete coincidence, and may be determined, for example, based on whether or not they are within a predetermined error range. If the collation results do not match, a memory error is determined.

  Furthermore, in the present embodiment, the pattern data written in the memory 11-3 is used to collate with the above-described positive data to confirm the match. In the case of collation with pattern processing, for example, the pattern data of data 3 is collated with data 1 after returning before the hexadecimal number aaaa is added. That is, the collation here is performed by collating the three data of the positive data, the inverted data, and the pattern data to confirm the coincidence.

  Next, in the present embodiment, when it is determined that a memory error has occurred in the above-described process (2) in FIG. 2 as the process (3) in FIG. 2, data is written in the memories 11-1 to 11-3. A majority decision is made with the data in the three areas, and the majority is determined as normal data. That is, in the above example, data having two identical data among the three data is defined as normal data.

  The normal data obtained by the determination is used for actual predetermined processing, and the normal data is written in a predetermined format in the memory determined to be a memory error to repair the soft error.

  Next, in the present embodiment, as the processing of (4) in FIG. 2, the data written in the memory determined to be a memory error (memory 11-1 in the example of FIG. 2) is re-read, and the written data and the data are re-read. It is determined whether or not the read data matches. If they do not match, it is regarded as a hard error and a predetermined hard error process is performed.

  Next, in the present embodiment, as the processing of (5) in FIG. 2, the processing result using the data restored by the system (for example, the CPU 1) and the other system (for example, the redundant system) , CPU 2) is compared with the corresponding processing result. In this collation, if there is a match, it is verified that the repair data is correct. If they do not match, predetermined error processing is performed as an error.

  In the example of FIG. 2, in this embodiment, positive data is written in the memory 11-1, inverted data is written in the memory 11-2, and pattern data is written in the memory 11-3. However, the present invention is not limited to this. Instead, for example, pattern data obtained by adding different patterns to the positive data may be written in the memories 11-2 and 11-3. Further, in the present embodiment, for example, five data areas are prepared, positive data is written in one of them, two inverted data are written in the remaining four, and pattern data obtained using different patterns. 2 may be written, and pattern data obtained using patterns different from the four patterns may be written. What data is written in which data area can be selectively set according to the contents of the data.

<Hardware configuration example>
Here, in the diagnostic repair apparatus 10 (including 10-1 and 10-2) described above, an execution program (diagnosis repair program) that can cause a computer to execute each function is generated. By installing the execution program on a server or the like, it is possible to realize the diagnosis and repair processing or the like in the present invention.

  Here, an example of a hardware configuration of a computer capable of realizing the diagnosis and repair process according to the present embodiment will be described with reference to the drawings. FIG. 3 is a diagram illustrating an example of a hardware configuration capable of realizing the diagnostic / repair processing according to the present embodiment.

  3 includes an input device 31, an output device 32, a drive device 33, an auxiliary storage device 34, a memory device 35, a CPU 36 for performing various controls, and a network connection device 37. These are connected to each other by a system bus B.

  The input device 31 has a pointing device such as a keyboard and a mouse operated by a user or the like, and inputs various operation signals such as execution instructions of various programs from the user or the like.

  The output device 32 has a display for displaying various windows and data necessary for operating the computer main body for performing the processing in the present invention, and various kinds of applications such as the application processing program described above by the control program of the CPU 36. Program execution progress and results can be displayed.

  Here, the execution program installed in the computer main body in the present invention is provided by, for example, a portable recording medium 38 such as a USB (Universal Serial Bus) memory or a CD-ROM. The recording medium 38 on which the program is recorded can be set in the drive device 33, and the execution program included in the recording medium 38 is installed in the auxiliary storage device 34 from the recording medium 38 via the drive device 33.

  The auxiliary storage device 34 is a storage means such as a hard disk, and executes various kinds of data (for example, the data management table 12) necessary for executing the execution program according to the present invention, the control program provided in the computer, and the diagnostic repair processing according to the present invention. , Structure definition file 13, collation data file 15, etc.) can be stored and input / output can be performed as necessary.

  The memory device 35 is a storage unit corresponding to the memory 11 described above. The memory means 35 stores an execution program read from the auxiliary storage device 34 by the CPU 36. The memory device 35 includes a RAM, a ROM (Read Only Memory), or the like.

  The CPU 36 performs various operations and hardware configurations based on, for example, a control program such as an OS (Operating System), an execution program stored in the memory device 35, an application processing program included in the processing program execution unit 14, and the like. Each process in the diagnostic / repair process can be realized by controlling the process of the entire computer, such as data input / output with the unit. Various information necessary during the execution of the program can be acquired from the auxiliary storage device 34, and the execution result and the like can also be stored.

  The network connection device 37 obtains (downloads) an execution program or the like from an external device or the like connected to the communication network by connecting to a communication network or the like, or an execution result or book obtained by executing the program The execution program itself in the invention can be provided to an external device or the like. In addition, the network connection unit 37 can acquire various data (for example, the structure definition data 21 and the like) necessary for performing the diagnostic repair process according to the present invention from an external device via a communication network or the like.

  With the hardware configuration as described above, the diagnostic repair process according to the present invention can be executed. In addition, by installing the program, the diagnosis and repair process according to the present invention can be easily realized by a general-purpose personal computer or the like.

<Diagnostic repair procedure>
Next, an example of a diagnostic / repair processing procedure in the present embodiment will be described using a flowchart. FIG. 4 is a flowchart illustrating an example of the diagnostic repair processing procedure. In FIG. 4, the diagnostic repair process is performed using the above-described application processing program or the like.

  First, the diagnostic repair process calls the data write function 14a and executes a process of writing predetermined data in a predetermined format into a plurality of data areas in the memory 11 set in advance (S01). At this time, for example, as described above, the predetermined format is arbitrarily selected from as-is data (positive data), inverted data of positive data, pattern data obtained by adding a predetermined pattern to positive data, and the like.

  Next, the diagnostic repair process calls the data read function and executes the corresponding process (S02). Specifically, the data in each data area is read and the match is confirmed by collation. Here, in the diagnostic repair process, it is determined whether or not the function value of the data reading function based on the collation result is normal termination (S03). In the process of S03, for example, “whether it is normal termination”, “whether to perform data restoration processing”, or “abnormal termination” is determined.

  In the diagnosis repair process, when it is determined in the process of S03 that “data repair process is performed”, the predetermined data repair is performed, and the repaired data is stored in a predetermined data area in the memory 11. (S04). It should be noted that the predetermined data area may be only a data area where the collation results do not match or may be the entire data area.

  Further, when it is determined in the process of S03 that the operation is “normally completed” or when the process of S04 described above is completed, a predetermined application process that executes at least one preset application process program is executed. (S05). Further, using the processing result as collation processing data, for example, information including “processing number” for identifying each executed process, “collation processing data”, and “data restoration presence / absence” is stored in the collation data file 15. Write (S06).

  Thereafter, in the diagnostic repair process, for example, a collation process is performed with a collation process data file in which a result of a predetermined process in another multiplexed diagnostic repair apparatus is written (S07). In the present embodiment, the process of S07 may not be performed. Further, in the diagnosis and repair process, when it is determined that “abnormal end” in the process of S03 described above, a predetermined abnormality process for notifying the user or the like is performed (S08). In the present embodiment, when a memory hard error is detected when the data reading function 14b is executed, a predetermined abnormality process corresponding to the memory hard error is performed.

  Here, the “processing number” written in the collation data file 15 described above is a unique number in the diagnostic repair device (CPU) assigned to each processing program, for example, and two multiplexed diagnostic repairs, for example. In the devices (CPU1 and CPU2), the same processing number is assigned to processing programs that perform the same processing. The “collation processing data” described above indicates data generated as a result of predetermined application processing. Furthermore, in the above-described data restoration processing, the determination of “presence / absence of data restoration” is performed by setting a flag, character, identification information, or the like indicating that data restoration has been performed, for example, when data restoration is actually performed.

<Processing Procedure of Data Write Function 14a>
Next, a processing procedure example of the above-described data writing function will be described using a flowchart. FIG. 5 is a flowchart showing an example of the processing procedure of the data write function. FIG. 6 is a diagram showing an example of data writing corresponding to the data write function processing procedure of FIG.

  Here, the parameters of the data write function 14a in the present embodiment are a write data name and write data. In the following description, as a function description example, for example, “rinf = wsdat (a [3] = 20)” is shown. This indicates that the write data name is the third (relative value) of the integer type a and the write data is 20, as defined in FIG. Further, rinf is a function value, but is not used in the data write function 14a in the present embodiment.

  In this embodiment, an example in which the write data name and the write data are specified is described. However, the present invention is not limited to this, and other functions are used to write, for example, Data having consecutive addresses can be written in a lump by associating each data with the write head relative address, the number of write data bytes, and the write data as parameters.

  In the example of FIG. 5, the data write function 14a reads the data management table 12 and the structure definition file 13 and calculates the write start address (S11). The calculation example in the process of S11 is calculated using an expression such as “write head address = data area 1 head address + write data name head address + (relative value−1) × number of data name bytes”. However, the present invention is not limited to this.

  Next, the data write function 14a writes parameter data for the number of bytes corresponding to the data name of the structure definition file 13 (S12). For example, in the case of an integer type, 2 bytes are written.

  Next, the data write function 14a reads the start address of “data area 2” from the data management table 12, and calculates the write start address from the structure definition file 13 (S13). The calculation in the process of S13, for example, only changes the data area start address with respect to the calculation of the process in S11 described above. Specifically, “write start address = data area 2 start address + write data name start” Although it can be calculated using an expression such as “address + (relative value−1) × number of data name bytes”, the present invention is not limited to this.

  Next, the data write function 14a adds, for example, an EOR operation of hexadecimal number ffff to the write data (S14), and writes the added data (inverted data) with the number of bytes of the corresponding data type (S15). The address to be written at that time is written to the address calculated in the process of S13 described above.

  Next, the data write function 14a reads the start address of “data area 3” from the data management table 12, and calculates the write start address from the structure definition file 13 (S16). Note that the calculation here only changes the data area head address, for example, as in the above-described calculation in S01. Specifically, it can be calculated using an expression such as “write start address = data area 3 start address + write data name start address + (relative value−1) × number of data name bytes”. The present invention is not limited to this.

  Next, the data write function 14a adds, for example, an EOR operation of hexadecimal number aaaa which is a predetermined pattern to the write data (S17), and the added data (pattern data) is calculated in the process of S16. Write in the number of bytes of the corresponding data type from the address (S18). As a result of the processing described above, as shown in FIG. 6, integer type 2 bytes × 40 data is written in the area a [3] from the head relative address.

<About the data management table 12>
Here, a specific example of the data management table 12 will be described with reference to the drawings. FIG. 7 is a diagram illustrating an example of the data management table. The data management table shown in FIG. 7 has, for example, “number”, “name” and the like as items, but the present invention is not limited to this.

  In the data management table 12, a plurality of data areas set in the memory 11 are identified by “numbers”, and each number in the memory 11 used in the data write function 14a and the data read function 14b is used for each number. Stores the start address of the data area. When the head address changes, the address of the target data area is updated.

<About structure definition file 13>
Next, a specific example of the structure definition file 13 will be described with reference to the drawings. FIG. 8 is a diagram illustrating an example of a structure definition file. 8A shows the structure definition data 21, FIG. 8B shows the structure definition file 13 obtained from the structure definition data 21 of FIG. 8A, and FIG. ) Shows an example of memory allocation.

  The structure definition data 21 shown in FIG. 8A shows an example of the structure definition data 21 when the C language is used, for example. Here, “char” is a character type and is composed of one character and one byte. “Int” is an integer type and is composed of 1 data and 2 bytes. “Long” is a long integer type and is composed of 4 bytes of 1 data. “Double” is a double-precision real number type and is composed of 8 bytes per data.

  A plurality of data names of each type (for example, integer type) can be set. [N] indicates that the data area is for n data.

  The structure definition file 13 shown in FIG. 8B is arranged in a common area that can be accessed from either or both of the data write function 14a and the data read function 14b shown in FIG. "," Number of bytes of the data name "," the relative address of the head of the data name ", and the like. The items in the structure definition file 13 shown in FIG. 8B include, for example, “data name”, “number of bytes”, “start relative address”, etc., but the present invention is not limited to this. is not.

  In the present embodiment, the structure definition data 21 shown in FIG. 8A is input, each data is converted into a table, and the structure definition file 13 shown in FIG. 8B is constructed.

  FIG. 8C shows an example in which the structure definition file 13 is allocated to the memory 11. Here, in the example of FIG. 1 described above, since there are three data areas in the memory 11, the same area allocation is in a predetermined format (for example, character type, integer type, long integer) in three places in the memory 11. Data type such as type, double precision real number type, and the number of bytes corresponding to the data type).

<Processing procedure of data read function 14b>
Next, an example of a processing procedure of the above-described data reading function 14b will be described using a flowchart. FIG. 9 is a flowchart illustrating an example of the processing procedure of the data reading function.

  Here, the parameters of the data read function 14b in this embodiment are a read data name and a read register name. Further, there are three types of function values, for example, “normal”, “abnormal”, and “data repair”. In the following description, as a function description example, a case of “rinf = rsdat (b [5], x)” is shown. This indicates that the read data name is the fifth (relative value) of the long integer type b as defined in FIG. 8 and the read data storage area is x. Also, rinf is a function value, but is not used in the data read function 14b in the present embodiment.

  In the present embodiment, an example of specifying a read data name and a read register name is described. However, the present invention is not limited to this. For example, a read address is set using another function. Consecutive data can also be read in a batch by associating each data with the read head relative address, the number of read data bytes, and the read data area as parameters.

  In the example of FIG. 9, the data read function 14b reads the data management table 12 and the structure definition file 13, and calculates the read start addresses of the data areas 1, 2, and 3 (S21). The calculation example in the process of S21 is, for example, “read start address 1 = data area 1 start address + read data name start address + (relative value−1) × number of data name bytes”, “read start address 2 = data area” “2 start address + read data name start address + (relative value−1) × data name byte count”, “read start address 3 = data area 3 start address + read data name start address + (relative value−1) × data name Although it can be calculated using an expression such as “number of bytes”, the present invention is not limited to this.

  Next, the data read function 14b reads the data written in each data area from the read addresses 1, 2, and 3 with a predetermined number of read data bytes (S22). Each read data at this time is referred to as data 1, 2, 3 for convenience. Next, the data read function 14b performs an EOR operation on the data 2 with the hexadecimal number ffff and the data 3 with the predetermined pattern data (hexadecimal number aaa) (S23). Each data at this time is referred to as data a and data b for convenience. Specifically, for example, “data a =“ data 2 ”EOR“ hexadecimal number ffff ”” and “data b =“ data 3 ”EOR“ hexadecimal number aaa ”” are performed. In the above process, the data write function 14a writes the inverted data obtained by adding the hexadecimal number ffff to the positive data in the data area 2 (data 2), and converts the positive data into the data area 3 (data 3). On the other hand, since the pattern data to which the hexadecimal number aaaa is added is written, in order to return these data to the data before the addition, the EOR operation is performed using the same additional data.

  When the additional data is added by the above-described data writing function 14a by an arithmetic method other than the EOR operation, the data reading function 14b is configured so that the data 2 and the data 3 correspond to the contents of the additional data, the arithmetic method, and the like. Processing is performed using additional data or a calculation method that returns to the data before the addition.

  Next, the data reading function 14b collates the data 1 with the data a and b, and confirms the coincidence of data (S24). Here, it is determined whether or not the three data match (S25). If they do not match (NO in S25), it is next determined whether or not the two data match (S26). ).

  Here, when the two data match (YES in S26), the data reading function 14b sets the matching data as normal data of the read data (S27).

  Next, the data read function 14b writes the normal data to the address of the mismatch data (S28). Here, for example, when a cache memory is used, only the cache memory is updated, so that the cache memory is passed through and written to the address of the mismatched data. That is, to pass through the above-described cache memory means, for example, that normal data is written to both the cache memory and a predetermined data area in the memory 11.

  Next, the data read function 14b reads data from the address of the write data (S29). In this case, the cache memory is also passed. Here, “through the cache memory” means that, for example, data is read from a predetermined data area in the memory 11 instead of from the cache memory.

  Next, it is determined whether or not the write data and the read data match (S30). If they match (YES in S30), it is determined that the memory data has been repaired, and the error that has occurred is soft. Judged as an error. Thereafter, the data reading function 14b sets “data repair” as the function value (S31), and ends the function processing.

  Further, if the write data and the read data do not match in the process of S30 (NO in S30), the data read function 14b determines that the data is not restored even in the rewrite process in S28, so that it is a hard error. “Abnormal” is set as the function value (S32), and the function is terminated. Note that the data read function 14b determines that an error occurs because all three pieces of data do not match if the two pieces of data do not match in the processing of S26 (NO in S26). The value “abnormal” is set (S32).

  The data reading function 14b sets “normal end” to the function value when the three data match in the processing of S25 described above (YES in S25), and sets the data 1 as normal data (S33). Ends function processing.

<Verification processing procedure>
Next, an example of the above-described collation processing procedure will be described using a flowchart. FIG. 10 is a flowchart illustrating an example of the collation processing procedure. The collation processing shown in FIG. 10 is started when a series of processing sequences in a certain diagnostic / repair device 10 (CPU) is completed, for example. Therefore, in a system that performs a series of processing sequences with a fixed period of activation, the matching process is similarly activated with a constant period of time.

  Here, in the following description, the collation destination CPU is CPU1, the collation source CPU is CPU2, and each collation data file includes processing results (current data, previous data) for the current time and the previous time when predetermined application processing is performed. ) Exist.

  In the present embodiment, for example, when data is restored by the collation source CPU (CPU 2), the process number and the collation processing data are transmitted to the collation destination CPU (CPU 1) to request collation. In this embodiment, for example, when the collation destination CPU (CPU 1) determines that the collation has failed, the collation source CPU (CPU 2) performs a predetermined abnormality process.

  Further, in the present embodiment, the collation destination CPU (CPU 1) receives the collation data (process number and collation processing data after data restoration) from the collation source CPU (CPU 2), and performs a predetermined collation process from the received collation data. The verification success / failure is transmitted to the verification source CPU (CPU 2). In this case, since the collation destination CPU (CPU1) is normal, the abnormality process is not performed.

  Here, since the CPU 1 and the CPU 2 can be a collation destination and a collation source, the collation processing is performed by both the collation source and the collation destination CPU. In the present embodiment, the present invention is not limited to this. For example, the collation process may be performed only by a preset CPU. In the following description, a collation processing procedure having both functions of a collation source and a collation destination will be described.

  First, collation processing creates collation transmission data (S41). Specifically, for example, a message (collation data) to be transmitted to the collation destination CPU is created using the application process number with data restoration of the collation data file 15 and the collation process data of the application process number.

  Next, the collation process transmits the collation data to the collation destination CPU (S42). If the memory is not restored, the application process number is set to 0 and the verification process data is transmitted as a blank. In this embodiment, when the application process number is 0, the collation process data need not be transmitted.

  Next, the collation process receives collation data from the CPU as a collation source (S43). The structure of the received message (collation data) is, for example, the application process number and collation process data with data restoration of the collation data file, and the application process number when there is no data restoration, as with the transmitted message. Is 0.

  Here, the collation process determines whether there is no restoration at the collation source, that is, whether the process number is 0 (process number = 0) (S44). When the process number is not 0 (NO in S44), the collation process matches the received application process number and collation process data with the process number of the current data in the collation data file 15 and the collation process data of the process number. It is determined whether or not there is (S45). When there is no match in the collation process (NO in S45), the received application process number and collation process data match the process number of the previous data in the collation data file 15 and the collation process data of the process number. It is determined whether or not there is (S46).

  Here, in the collation process, if there is a match (YES in S46), the process number = 0 in the process of S44 (YES in S44), or the collation process data matches in the process of S45. In the case (YES in S45), the verification success is transmitted to the verification source CPU (S47). Further, in the collation process, if they do not match in the process of S46 (NO in S46), a collation failure is transmitted to the collation destination CPU (S48).

  Next, the collation processing receives collation success or collation data as a collation result from the collation destination (S49), and determines whether collation with the received data is unsuccessful (S50). Here, when collation is unsuccessful (YES in S50), predetermined abnormality processing for notifying the user or the like is performed (S51). In the abnormal process, since the verification of the memory repair is unsuccessful, the abnormal process set in advance corresponding to the situation is performed. Further, the collation process ends when the collation is successful (NO in S50).

<About specific examples of verification and verification data file 15>
Next, a specific example of collation and a specific example of the collation data file 15 in the present embodiment will be described with reference to the drawings. FIG. 11 is a diagram for explaining the collation process when the collation destination process precedes. FIG. 12 is a diagram for explaining the collation process when the collation destination process is delayed. FIG. 13 is a diagram illustrating an example of a collation data file.

  Here, FIG. 11 and FIG. 12 show communication time charts of the respective processes on the time axis. For example, “processing number 1 → processing number 2 → processing number 3 → matching processing” is set as one cycle, and the matching source The processing twice (A1, A2) by the CPU (CPU2) and twice (B1, B2) by the collation destination CPU (CPU1) are repeatedly performed while taking synchronization. 11 and 12 show, as an example, “(a) when there is no change in the input of process number 2” and “(b) when there is a change in the input of process number 2”.

  Further, the collation data file 15 shown in FIG. 13 stores history information of a plurality of collation data. For example, FIG. 13 (a) shows the current data and FIG. 13 (b) shows the previous data. However, the present invention is not limited to this, and the past data is further accumulated. It may be left. Further, the difference between the current data and the previous data is not limited to the difference in the number of processings, but includes, for example, the difference in processing due to the above-described diversification. In the example of FIGS. 11 and 12, A1 and B1 correspond to the previous data (FIG. 13B), and A2 and B2 correspond to the current data (FIG. 13A).

  The items of the collation data file 15 shown in FIG. 13 include, for example, “processing number”, “collation processing data”, “data restoration”, but the present invention is not limited to this. For example, the latest data shown in FIG. 13A stores the latest data of the collation destination CPU (CPU1). The processing number is a number uniquely added to the CPU application processing unit. In the same process number, CPU 1 and CPU 2 input the same data, and a predetermined process is executed as an application process so that a process result is obtained. At this time, you may perform the application process by diversification mentioned above.

  In the collation data file 15, process numbers are stored in the time series order of each application process. The collation process data stores the process result of the application process with the process number. Therefore, for example, when the calculation process (predetermined application process program) of “1 + 2 = 3” is performed in process number 2, the collation process data of process number 2 is 3. Further, the item “data repair” of the verification data file 15 stores whether or not data repair has occurred in the memory data for the processing.

  The previous data shown in FIG. 13 (b) is shown in FIG. 13 (a) when a series of processing sequences are completed at the collation destination CPU (CPU 1) and the collation processing as shown in FIG. 10 is completed. This is a copy of the data. At this point, the current data area in FIG. 10A is initialized. Here, since the same processing is periodically performed by the collation target CPU (CPU1) and the collation source CPU (CPU2), the same number is periodically repeated for both CPUs.

  Next, a specific example of collation will be described. The CPU 1 and the CPU 2 shown in FIG. 11 and FIG. 12 have the function of the diagnostic repair apparatus 10 described above, and can be both a collation destination and a collation source. Here, even if the collation target CPU (CPU1) and the collation source CPU (CPU2) are provided with the time management means 18 and synchronize their processing timings, they are completely affected by the influence of the load and processing performance of each CPU. It is difficult to synchronize. For this reason, in this embodiment, for example, the respective processing is performed when the collation destination CPU (CPU1) is ahead of the collation source CPU (CPU2) and when it is delayed.

  First, as shown in FIG. 11, even if the collation target CPU (CPU 1) precedes the collation source CPU (CPU 2) and the memory of process number 2 is restored in A1, the contents of process number 2 are changed by memory restoration. If there is no data ((a) in FIG. 11), in the collation processing in B2 of the collation destination CPU (CPU1), there is no change in the input for the processing number 2, so the collation reception data of A1 and the current data of B2 match. To do.

  If there is an input change of process number 2 after the memory repair of process number 2 in A1 (FIG. 11 (b)), input of process number 2 is performed in the collation process at B2 of the collation destination CPU (CPU1). Since there is a change in data, the verification reception data of A1 and the current data (B2) of CPU1 do not match. In this case, in this embodiment, the collation reception data of A1 is compared with the previous data (B1) of CPU1. In the example of FIG. 11B, in this case, the data matches each other. Thus, in this embodiment, by using the previous history information (for example, previous data) for the collation process, the system is not immediately terminated with a collation error between the current data (one time), Extended verification processing can be realized. Thereby, in this embodiment, the real-time diagnostic repair process which improved the safety | security and continuity of data processing is realizable.

  In addition, as shown in FIG. 12, when the collation destination CPU (CPU1) is behind the collation source CPU (CPU2), even if the memory restoration of process number 2 of A2 is performed, the process number 2 is performed by memory restoration. Even when there is no change (FIG. 12A), the collation reception data of A2 and the current data (B2) of the CPU 1 match.

  Further, when there is an input change of process number 2 after the memory repair of process number 2 in A2 (FIG. 12B), in process number 2 of A2, memory repair is performed after the input and process number 2 Therefore, the collation received data of A2 and the current data (B2) of the CPU 1 match. That is, in the example of FIG. 12, when the memory repair is successful, the collation processing data with the process number 2 matches the current data.

  In the above-described embodiment, the collation process is performed on the three data areas, and the process is performed using the duplicated CPU (diagnostic repair device 10). However, the present invention is not limited to this. Instead, the CPUs may be multiplexed more than three times, each of the multiplexed ones may be collated, and the presence / absence of abnormality may be diagnosed by majority processing or the like.

  As described above, according to the present invention, the safety and continuity of data processing using a memory can be improved. Specifically, the present invention diagnoses and detects a soft error in a memory such as a RAM, repairs read data, and repairs data in the memory.

  Further, in the present invention, when the collation does not match, the data written in a predetermined format at the timing is read, the repair data is determined by majority decision, the read data is repaired, and the memory is rewritten. To eliminate soft errors.

  Therefore, according to the present invention, ECC hardware is not required, and soft errors can be detected and repaired at low cost. Further, according to the present invention, soft errors can be detected and repaired in real time at the timing when the predetermined processing is actually performed, and correct data can be used for the predetermined processing. Further, according to the present invention, it is possible to perform error detection and repair of a plurality of bits that cannot be handled by ECC.

  Further, in the present invention, the result of application processing after repair is collated between multiplexed systems, so that soft error repair can be verified without additional processing such as an extra checksum in the memory data. Data can be written and read. Further, according to the present invention, by comparing the application processing result after the repair between the multiplexing systems, it is possible to detect a soft error such as a CPU or a register other than the memory that occurs simultaneously with the memory soft error.

  In the present invention, the accuracy of the repair data can be verified by collation using a duplex system or more multiplexing system. Furthermore, in the present invention, by using history information (for example, previous data) for the collation process, an extended collation process is realized without immediately terminating the system due to a collation error between the current data. Can do. Thereby, in this invention, the real-time diagnostic repair process which improved the safety | security and continuity of data processing is realizable.

  Further, according to the present invention, since collation is also performed in units of application processing, it is not necessary to perform the same application processing between multiplexed systems, and diversity of application processing between multiplexed systems can be ensured. Therefore, in the present invention, robustness against soft errors is improved, and the safety and availability of the system can be improved.

  The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to such specific embodiments, and various modifications, within the scope of the gist of the present invention described in the claims, It can be changed.

10 Diagnosis Repair Device 11 Memory (Storage Unit)
DESCRIPTION OF SYMBOLS 12 Data management table 13 Structure definition file 14 Processing program execution means 15 Collation data file 16 Collation processing means 17 Communication means 18 Time management means 21 Structure definition data 31 Input device 32 Output device 33 Drive device 34 Auxiliary storage device 35 Memory device 36 CPU (Central Processing Unit)
37 Network connection device 38 Recording medium

Claims (11)

In a diagnostic and repair device that executes processing by a preset application and compares the executed processing results to diagnose and repair data,
Storage means for storing predetermined data in three or more data areas;
The predetermined data is written in the three or more data areas in different formats, the data written in the three or more data areas is read and collated when the application is executed, and the collation result is inconsistent. Processing program execution means for performing a predetermined repair in the case of running and executing the application using the repaired data;
A diagnostic repair apparatus comprising: a collation processing unit configured to collate a result of executing the application with a result of executing the application by at least one other diagnostic repair apparatus. The storage means
As the different formats, at least two formats among the input data, the inverted data of the data, and the pattern data obtained by a logical operation of the data and a predetermined pattern are written in the three or more data areas. The diagnostic repair device according to claim 1. The processing program execution means includes
3. The diagnosis according to claim 1, wherein as the predetermined restoration process, normal data is determined by a majority decision of a plurality of three or more read data, and the determined normal data is written to the data area. Repair device. The verification processing means includes
The result of executing the application is compared with the result of executing the application in the other diagnostic repair device in synchronization with the execution timing of the application, and if the verification does not match, the application is executed last time The diagnostic repair apparatus according to claim 1, wherein collation is performed using the result obtained in this manner. The program execution means executes the application a plurality of times under conditions set by a predetermined diversity diagnosis technique,
The diagnostic repair apparatus according to any one of claims 1 to 4, wherein the verification processing unit performs verification based on the result of the plurality of executions. In a diagnosis and repair method for executing processing by a preset application and comparing and executing data processing and performing data diagnosis and repair,
A storage step of storing predetermined data in three or more data areas of the storage means;
The predetermined data is written in the three or more data areas in different formats, the data written in the three or more data areas is read and collated when the application is executed, and the collation result is inconsistent. A processing program execution step for performing a predetermined repair in the case of performing the application using the repaired data;
A diagnostic repair method comprising: a collation processing step of collating a result of executing the application with a result of executing the application by at least one other diagnostic repair method. The storing step includes
As the different formats, at least two formats among the input data, the inverted data of the data, and the pattern data obtained by a logical operation of the data and a predetermined pattern are written in the three or more data areas. The diagnostic repair method according to claim 6. The processing program execution step includes:
8. The diagnosis according to claim 6, wherein normal data is determined by majority determination of a plurality of three or more read data as the predetermined restoration process, and the determined normal data is written in the data area. Repair method. The matching processing step includes
The result of executing the application is collated with the result of executing the application by the other diagnostic repair method in synchronization with the timing of executing the application, and when the collation does not match, the application is executed last time. The diagnostic repair method according to any one of claims 6 to 8, wherein collation is performed using a result obtained in this manner. In the program execution step, the application is executed a plurality of times under conditions set by a predetermined diversity diagnosis technique,
10. The diagnosis and repair method according to claim 6, wherein the collation processing step performs collation based on the result executed a plurality of times. Computer
A diagnostic / repair program for causing the diagnostic / repair apparatus according to any one of claims 1 to 5 to function as each unit.

Images