JP2015064737A - Redundancy device and redundancy method for process computer and process computer to which the same redundancy device is applied - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a device capable of achieving the redundant configuration of a process computer in which even when a backup operation is being performed, further backup is possible by another system so that it is possible to minimize the increase of installation sites and repair costs, and that it is not necessary to alter an existing process computer.SOLUTION: A computer which executes a program for allowing a redundancy device 20A as the redundancy device of a process computer 1 including: means 31 for monitoring the operating state of the server/client of the process computer 1 on the basis of an IP address obtained from a trunk transmission LAN connecting the server/client of the process computer 1; means 34 for performing the backup of the device unit of the server/client by a system different from the above mentioned system; and means 33 for performing the ON/OFF control of backup performed by the means 34 by the device unit of the server/client in accordance with the monitor result of the means 31 is connected to the trunk transmission LAN.

Description

  The present invention relates to a redundancy device and a redundancy method for a process computer, and a process computer to which the redundancy device is applied.

  For example, in a process computer with a need to constantly perform advanced monitoring, such as a process computer for an industrial plant, multiplexing is performed so that the execution of processing does not stop even if a failure occurs for some reason (generally, duplex) Has been. By making the process computer redundant (duplexing) in this way, even if one system stops, the other system can continue processing, which affects the operation of the plant monitored and controlled by the process computer. Designed to be safe.

  An example of the redundant system as described above is described in, for example, Japanese Patent Application Laid-Open No. 7-230301 (Patent Document 1) and Japanese Patent Application Laid-Open No. 2001-356927 (Patent Document 2).

JP-A-7-230301 JP 2001-356927 A

  As described above, in a duplicated process computer, when one system (normal system: master) fails and stops, the other system (standby system: slave) continues processing. It shifts to a so-called backup operation state. In a process computer that has a need for constantly performing advanced monitoring, there is a request to keep the backup operation in a state where backup is possible at all times, and it is not preferable that the backup operation state be prolonged.

  Therefore, when the process computer is shifted to the backup operation (in a state where further backup operation is not possible), the user who uses the process computer is responsible for the restoration of the process computer such as a manufacturer (hereinafter referred to as the manufacturer). (Referred to as “administrator”) and request restoration of the stopped system.

  The administrator side usually deals with the failure after investigating the cause of the failure. In order to investigate the cause of failure, it is indispensable to perform failure analysis suitable for the failure event, but this failure analysis work is performed by the engineer on the administrator side who is familiar with the process computer system. It is necessary to carry out while keeping in touch with the staff. For this reason, the proportion of manual work is inevitably increased, and much time is required for the work.

  On the other hand, since the user wants to avoid the situation where the system currently performing the backup operation further stops, the system in which the process computer is stopped in a short period of time, for example, within 24 hours or 48 hours is used. There is a request to restore. There is a request for such early restoration by the user side, and the manager side is required to further shorten the working time in addition to the carefulness and certainty of the restoration work.

  In consideration of the above-mentioned circumstances on the user side and the administrator side, in a process computer that has a need to constantly perform advanced monitoring, the state of the process computer is always in a state where one or more systems can be backed up. It is necessary to introduce measures or technologies that can be used in

  For example, from the viewpoint of ensuring that one or more systems are always ready for backup operation, the user side considers multiplexing the process computer system more than triple as a countermeasure. Yes. If the system of the process computer is tripled, even if the first system fails and stops and the second system shifts to the state of backup operation that continues processing, the third system is still Since the system is on standby as a system that can be backed up, there is an advantage that it is possible to earn more time until the first system is restored than a process computer in which the system is duplicated.

  However, in the case of a triple system, even if a new process computer is installed or a process computer with a duplicated existing system is refurbished, the installation space is increased and introduced or An increase in repair costs is inevitable. In particular, when an existing process computer is refurbished, there is a possibility that an installation space for an additional device or the like cannot be secured.

  On the user side, even if there is a potential need to make one or more systems available for backup at all times, the costs for the countermeasures are limited, and the necessary expenses including running costs are required. There is a fact that I want to keep it as cheap as possible. If this is the case, the triplicating of the system, which is burdensome for the user in terms of location and cost, cannot be a practical measure for always allowing one or more systems to be backed up.

  Furthermore, when a conventional process computer shifts to a backup operation, in many cases, a server / client is operated by a standby system, and a process input / output device (hereinafter referred to as “PIO”) is controlled. More than the case where the PIO controller to be operated is operated by the standby system. This is because the software processing executed by the PIO controller is single rather than multi, while the processing executed by the server / client is multi-real time for multiple functions such as plant events, long-term data collection, man-machine, etc. This is considered to be caused by the fact that hardware processing and software processing are performed in a complex manner.

  As a result, the frequency of malfunctions occurring in the server / client is higher than the frequency of malfunctions occurring in the PIO controller, and among the conventional process computers, the necessity and importance of further backup are more in the server / client than in the PIO controller. It can be said that it is expensive.

  The present invention has been made in consideration of the above-described circumstances, and minimizes the increase in installation space and refurbishment cost, and the normal system stops and the standby system without modifying the existing process computer. Redundancy apparatus and redundancy method of process computer, and redundancy apparatus for redundancy of process computer so that one or more other systems can be further backed up even in backup operation state The purpose is to provide a process computer to which is applied.

  In order to solve the above-described problem, the redundancy apparatus for a process computer according to the present embodiment includes a server and a client that start backup operation in the other system in which a failure has occurred when a failure occurs in one of the systems. Is connected via a network capable of communicating with a duplexed process computer, and monitors for the presence or absence of a fault in the system. When a fault occurs in one of the systems, the other system A redundancy apparatus for the process computer that starts operation as a backup of the system and maintains the system in a state of being multiplexed more than doubled. The redundancy apparatus is configured to connect the server and the client of the process computer. The IP address assigned to each is obtained from the network while the computer is kept accessible IP assigned to each device of the server of the process computer, the client, the computer that virtualizes the server and the client, and the server of the process computer, the client, and the computer that virtualizes the server and the client The status monitoring unit that refers to the IP address correspondence table that associates the address and determines which IP address has been acquired, and the server and the client device of the process computer are different from the system A redundancy unit that performs backup in units of devices in a system, and a backup control unit that performs on / off control of backups performed by the redundancy unit in accordance with the result of the IP address acquired by the state monitoring unit. The above-mentioned Characterized in that it is a computer that executes a computer program to function as a redundant device Seth computer.

  In order to solve the above-described problem, the process computer redundancy method according to the present embodiment includes a server and a client that start a backup operation in the other system in which a failure has occurred when a failure occurs in one of the systems. A computer connected via a network communicable with a process computer with which the system is duplicated, based on an IP address assigned to each of the server and the client of the process computer And status monitoring means for determining the loss and restoration of the IP address of the client, redundancy for performing device unit backup in a system different from the system for the server and the client device of the process computer And the IP address acquired by the state monitoring means. The process computer redundancy method using a device that functions as a backup control unit that performs on / off control of the backup performed by the redundancy unit according to the result of less, and the state monitoring unit includes: The server of the process computer, the client, and the server and the client of which the computer is held accessible while obtaining an IP address assigned to each of the server and the client of the process computer from the network An IP address correspondence table associating a computer that virtualizes the server, the server of the process computer, the client, and an IP address assigned to each device of the computer that virtualizes the server and the client And determining which IP address has been acquired, and the backup control unit performs backup performed by the redundancy unit in accordance with the result of the IP address acquired in the determination step. On the basis of the device unit on / off control performed in the on / off control step, the redundancy means is configured to control each of the server and client devices of the process computer. And a step of performing backup in units of devices in a system different from the system.

  In order to solve the above-described problem, the process computer according to the present embodiment includes a redundancy device for the process computer.

  According to the present invention, it is possible to minimize the increase in installation space and refurbishment cost, and in a backup operation state in which the normal system is stopped and the standby system is operated without remodeling the existing process computer. Furthermore, the process computer can be made redundant so that one or more other systems can be backed up.

1 is a schematic diagram showing a hardware configuration of a process computer to which a process computer redundancy device according to an embodiment is applied. FIG. 1 is a schematic diagram illustrating a hardware configuration example of a process computer redundancy device and a process computer according to a first embodiment; The functional block diagram of the redundancy apparatus of the process computer which concerns on 1st Embodiment. Explanatory drawing which shows an example of the IP address correspondence table used with the redundancy apparatus of the process computer which concerns on embodiment. Explanatory drawing (timing chart) which shows the operation timing of the process computer which concerns on 1st Embodiment. The overall processing flow figure of the 1st, 2nd redundancy procedure which the redundancy apparatus of the process computer which concerns on 1st, 2 embodiment performs. Explanatory drawing which shows an example of the redundancy setting image displayed in the redundancy apparatus of the process computer which concerns on 1st Embodiment. The processing flowchart of the backup mode transfer possibility determination process in the 1st redundancy procedure which the redundancy apparatus of the process computer which concerns on 1st Embodiment performs. The processing flow figure of the standby mode transfer process in the 1st redundancy procedure which the redundancy apparatus of the process computer which concerns on 1st Embodiment performs. The processing flow figure of the backup mode transfer process in the 1st redundancy procedure which the redundancy apparatus of the process computer which concerns on 1st Embodiment performs. FIG. 5 is a schematic diagram illustrating a hardware configuration example of a process computer redundancy device and a process computer according to a second embodiment. Explanatory drawing (timing chart) which shows the operation timing of the process computer which concerns on 2nd Embodiment. FIG. 10 is a schematic diagram illustrating a hardware configuration example of a process computer redundancy device and a process computer according to a third embodiment. The functional block diagram of the redundancy apparatus of the process computer which concerns on 3rd Embodiment. FIG. 14 is an overall process flow diagram of a third redundancy procedure executed by a process computer redundancy apparatus according to a third embodiment. In the 3rd redundancy procedure which the redundancy apparatus of the process computer which concerns on 3rd Embodiment performs. Schematic which shows an example of the test setting image which sets the execution start and stop of the test process in the 3rd redundancy procedure which the redundancy apparatus of the process computer which concerns on 3rd Embodiment performs.

  Hereinafter, a process computer redundancy apparatus, a redundancy method, and a process computer to which the redundancy apparatus is applied according to an embodiment of the present invention will be described with reference to the accompanying drawings. In addition, some terms used in the following description are defined as follows in order to clarify the meaning.

[Term Definition]
(1) Processor: One computer.
(2) Duplication of process computers: A form using two processors.
(3) Backup operation: One system has failed in a duplicated system of process computers, and the system has shifted to the state of one system operation in which the other system is operating Refers to the state.
(4) IP address: An identification number assigned to an existing process computer and a computer connected to a communication network (IP network) such as a virtual PC (Personal Computer). . ”(Dots), which is expressed by four numerical values (see FIG. 4).
(5) Application (application): Application software (application program). For example, an application implemented in a process computer used for power plant monitoring is a program having an algorithm for providing a power plant monitoring function.
(6) VM: A program (software) for operating an industrial OS installed on a process computer or the like on a general-purpose OS (Operation System) by using a virtualization technology.

[Basic embodiment]
FIG. 1 is a schematic diagram showing a hardware configuration of a process computer 50 to which a redundancy device 20 as an example of a process computer redundancy device according to the embodiment is applied.

  The process computer 50 is configured, for example, by adding the redundancy device 20 to the conventional process computer 1. Here, when the conventional process computer 1 shifts to the backup operation, the redundancy apparatus 20 often has a server / client (client terminal 2, monitoring server 3, and information management server 4) depending on the standby system. In view of the fact that the PIO controller 6 increases in comparison with the case where the PIO controller 6 is operated by a standby system, the client terminal 2, the monitoring server 3, and the information management server 4 of the conventional process computer 1 have fallen into a backup operation. In this case, it is a device that backs up the client terminal 2, the monitoring server 3, and the information management server 4.

  The conventional process computer 1 includes, for example, a client terminal 2 (2a, 2b), a monitoring server 3 (3a, 3b), an information management server 4 (4a, 4b), a time server 5, and a PIO controller 6. It is configured to be connected to a communication network such as a basic transmission LAN (Local Area Network) 7 capable of transmitting data. A PIO 9 that scans plant data is connected to the PIO controller 6 through plant equipment 8 such as sensors and valves installed in the plant. Reference numerals 11, 12 (12a, 12b) and 13 (13a, 13b) denote a hub (HUB), a display, and a printer, respectively.

  The client terminal 2 employs a distributed operation method. That is, the client terminal 2 has a plurality of computers having the same function, and even if any client terminal 2 is down (stops functioning), the remaining client terminals 2 can input / output to peripheral devices. State is maintained. For example, in the case of the client terminal 2 (2a, 2b) shown in FIG. 1, even if the first client terminal 2a goes down, the second client terminal 2b can perform input / output to / from peripheral devices.

  The monitoring server 3 and the information management server 4 which are servers are duplicated (multiplexed) by a normal system (master) and a standby system (slave). The monitoring server 3a and the first information management server 4a, which is the active information management server 4, monitor the output signal to the plant side or the plant, and the second monitoring server 3b which is the standby monitoring server 3. The second information management server 4b, which is the standby information management server 4, operates in hot standby while updating the plant data so that it can operate as a regular system in any case.

  If the plant raw input data detects an abnormality that cannot be handled by the conventional process computer 1 or if the process value is in an abnormal value that deviates from the appropriate range, the monitoring server 3 passes through the PIO 9. The adequacy of the alarm notification by the annunciator (hereinafter referred to as “ANN”) 14 is confirmed. After confirming the validity of the alarm notification, the monitoring server 3 stores the plant data after the confirmation. The monitoring server 3 stores various log data at a predetermined timing.

  The information management server 4 has a function of performing a plant trip process that does not belong to the real-time plant data of the monitoring server 3 and a function of performing a long-term trend process such as grasping a long-term operation state and analyzing a performance value. The long-term trend processing result by the information management server 4 is used as information for supporting economical and efficient operation of the plant, for example.

  The time server 5 is a server that provides information on the standard time (reference time) and adjusts (synchronizes) the time of computers connected via the backbone transmission LAN 7. The time server 5 is, for example, a GPS (Global Positioning System) type time server that receives current time information from GPS satellites and corrects the current time, thereby obtaining accurate standard time (reference time) information. I keep it.

  The PIO controller 6 digitizes the raw input data of the plant received from the PIO 9 and transmits it to the monitoring server 3 connected via the backbone transmission LAN 7. The PIO controller 6 is dual, that is, the system is made redundant (multiplexed) between the normal system and the standby system, and the normal system and the standby system perform the same processing at the same time.

  The main transmission LAN 7 transmits normal and standby plant raw data, and the PIO controller 6 handles the normal plant raw data if the normal system is normal, while the normal system fails. Handles standby plant raw data.

  The redundancy device 20 is a device that operates as a virtual computer of a server / client (client terminal 2, monitoring server 3, and information management server 4) constituting the conventional process computer 1, and includes the client terminal 2, monitoring server 3, And a device that backs up a failed computer when a failure occurs in at least one of the information management servers 4. That is, the redundancy device 20 is a device that makes the client terminal 2, the monitoring server 3, and the information management server 4 redundant in the example shown in FIG.

  The redundancy device 20 continuously monitors the status of the client terminal 2, the monitoring server 3, and the information management server 4, and depending on the monitoring result, the standby device (not backed up) or the backup status ( The status is changed during backup.

  More specifically, the redundancy device 20 monitors the client terminal 2, the monitoring server 3, and the information management server 4, and a failure occurs in at least one of the client terminal 2, the monitoring server 3, and the information management server 4. If it is determined that the computer has failed, the computer (at least one of the client terminal 2, the monitoring server 3, and the information management server 4) in which the failure has occurred is backed up.

  On the other hand, the redundancy device 20 monitors the client terminal 2, the monitoring server 3, and the information management server 4, and the computer in which the failure has occurred (at least one of the client terminal 2, the monitoring server 3, and the information management server 4). When it is determined that the computer has been restored and returned to normal, backup is stopped for the computer (at least one of the client terminal 2, the monitoring server 3, and the information management server 4) in which the failure has occurred.

  As described above, the process computer 50 includes the redundancy device 20, so that the redundancy device 20 is a server / client (client terminal 2, monitoring server 3, and information management server 4) of the conventional process computer 1. Even in the backup operation state where the active system is stopped and the standby system is operating, the other system operates as a backup, so even if both the normal and standby systems are stopped, further backup operation is possible. Operation can be continued.

  The process computer 50 includes, for example, a computer (hardware) such as a general-purpose personal computer (hereinafter simply referred to as “general-purpose PC”), a general-purpose OS that is general-purpose basic software executable by the computer, and the general-purpose OS. The VM that operates on the industrial OS that is the basic industrial software installed on the process computer and the like, and the general-purpose OS or the industrial OS, the client terminal 2, the monitoring server 3, and the information management The function of monitoring the server 4, the function of switching between standby state and backup, the function as the client terminal 2, the function as the monitoring server 3, and the application software (application) that provides the function as the information management server 4 cooperate. The general-purpose PC by monitoring the client terminal 2 Ba 3, and as at least one of the standby system information management server 4, i.e., can function as a redundant device 20.

  If the application that provides the function of monitoring the client terminal 2, the monitoring server 3, and the information management server 4 is described in relation to the redundancy procedure described later, the redundancy procedure described later is applied to the computer (general-purpose PC). A program (software) including a redundant program (hereinafter referred to as “redundant PG”) 40 to be executed.

  In the process computers 50A-50C in which the servers / clients of the process computers are made redundant by applying the redundancy devices 20A-20C and these redundancy devices 20A-20C to the conventional process computer 1, UDP / IP is used as a transmission protocol. (User Datagram Protocol / Internet Protocol) is adopted.

  The UDP / IP is adopted as the transmission protocol because it is normal to use the UDP / IP specified transmission protocol in the existing process computer 1 already installed, and to adopt a new system configuration that adapts this protocol. It can be built and can greatly add value, and UDP / IP has the advantage that it can process at high speed because TCP / IP does not perform processing such as plant data transmission request and flow control, and handles plant data. In consideration of the circumstances such as being advantageous.

  Note that the redundancy device 20 may further have a function of replacing a conventional test device that performs a test of the process computer 1 (for example, a third embodiment described later). That is, as the operation mode of the redundancy apparatus 20, a test mode for operating the computer as a test apparatus for the conventional process computer 1 is additionally provided so that the redundancy apparatus 20 can also operate as a test apparatus for the conventional process computer 1. It can also be configured.

  Further, the communication network of the process computer 50 is not limited to the backbone transmission LAN 7 which is a local communication network, and may be a dedicated line or an Internet line. For example, if a dedicated line is used, monitoring and display of plant data that changes every moment can be performed while maintaining reliability. In addition, it is possible to share raw information not only on the premises but also outside the premises.

  As another example, when an Internet line is used, the same man-machine and printer output as the actual machine can be obtained overseas as long as the Internet line can be used. (Including plant status, error log, trend data)

  Hereinafter, by applying the redundancy devices 20A to 20C, which are examples of the process computer according to each embodiment of the present invention, and the redundancy devices 20A to 20C to the conventional process computer 1, the server / client of the process computer is made redundant. The converted process computers 50A to 50C will be described.

[First Embodiment]
FIG. 2 is a schematic diagram illustrating a hardware configuration example of a redundancy apparatus 20A that is an example of a process computer redundancy apparatus according to the first embodiment and a process computer 50A that is an example of a process computer according to the first embodiment. It is.

  The redundancy device 20A includes, for example, three general-purpose PCs (virtual computers (virtual PCs)), that is, a client terminal virtual PC 21, a monitoring server virtual PC 22, and an information management server virtual PC 23. These virtual PCs 21, 22, and 23 are all connected to the backbone transmission LAN 7 so that data transmission is possible, and the client terminal virtual PC 21 is further connected to the hub 11 (FIG. 1: omitted in FIG. 2).

  In the process computer 50A, the media format of the conventional process computer 1 and the media media of the virtual PCs 21, 22, and 23 may differ in format format, but even if they are different, a general-purpose PC is selected as the virtual computer There is no obstacle to doing it. This is because even if data having a different format is transmitted to a general-purpose PC (virtual PC 21, 22, 23), the data is handled as a data format that can be handled by the general-purpose PC (virtual PC 21, 22, 23). is there.

  If this action is used, it is not always necessary to use a dedicated machine as a virtual machine from the viewpoint of the difference in data format between the media medium of the conventional process computer 1 and the virtual PCs 21, 22, and 23. , Free from model dependence.

  The client terminal virtual PC 21, the monitoring server virtual PC 22, and the information management server virtual PC 23 make the computer function as an apparatus including the state monitoring unit 31, the mode transition unit 33, and the server / client terminal redundancy unit 34. By executing the PG 40A (40A1, 40A2, 40A3), it functions as the redundancy device 20A including the means 31, 33, 34 (FIG. 3).

  Here, reference numerals 40A1 to 40A3 are examples of the redundant PG 40A, and are respectively a redundant PG 40A for the client terminal 2 (hereinafter referred to as “client redundant PG”) and a redundant PG 40A for the monitoring server 3. (Hereinafter referred to as “monitoring server redundancy PG”), a redundancy PG 40A for the information management server 4 (hereinafter referred to as “information management server redundancy PG”).

  The client redundancy PG 40 </ b> A <b> 1 is a program that causes the client terminal virtual PC 21 to function as a device that performs status monitoring of the client terminal 2, status determination of the client terminal 2, backup of the client terminal 2, and control of the backup, for example. That is, the client redundancy PG 40A1 uses the client terminal virtual PC 21 as, for example, the client terminal state monitoring means 311 and the operation mode control means (hereinafter referred to as “client terminal backup control means”) 331 of the client terminal redundancy means 341. And a client terminal redundancy means 341.

  By executing the client redundancy PG 40A1, the client terminal virtual PC 21 provides a human machine interface (HMI) for a client together with a general-purpose OS, a VM, and a client OS as an industrial OS. The machine application is held in the memory, the client OS is operated by the VM operating on the general-purpose OS, and the man-machine application is operated by the client OS. That is, the client terminal virtual PC 21 can fulfill the function of the client terminal 2 and can serve as the client terminal 2 that operates the man-machine application on the client OS.

  Further, the monitoring server redundancy PG 40A2 causes the monitoring server virtual PC 22 to function as, for example, a device that performs monitoring of the monitoring server 3, status determination of the monitoring server 3, backup of the monitoring server 3, and control of the backup. It is. That is, the monitoring server redundancy PG 40A2 includes the monitoring server virtual PC 22 as, for example, the monitoring server state monitoring unit 312 and the operation mode control unit of the monitoring server redundancy unit 342 (hereinafter referred to as “monitoring server backup control unit”). 332 and the monitoring server redundancy means 342 function as an apparatus.

  By executing the monitoring server redundancy PG 40A2, the monitoring server virtual PC 22 holds the monitoring server application that provides the functions of the monitoring server 3 together with the general-purpose OS, the VM, and the server OS as an industrial OS in the memory. The server OS operates by the VM operating on the OS, and the monitoring server application operates by the server OS. In other words, the monitoring server virtual PC 22 can fulfill the function of the monitoring server 3 and can serve as the monitoring server 3 for operating the monitoring server application by the server OS.

  Further, the information management server redundancy PG 40A3 performs, for example, status monitoring of the information management server 4, status determination of the information management server 4, backup of the information management server 4, and control of the backup for the information management server virtual PC 23. A program that functions as a device. That is, the information management server redundancy PG 40A3 includes the information management server virtual PC 23, for example, the information management server status monitoring means 313 and the operation mode control means (hereinafter referred to as “information management server backup control means”) of the information management server redundancy means 343. ”And a monitoring server redundancy means 343.

  By executing the information management server redundancy PG40A3, the information management server 4 holds the information management application that provides the functions of the information management server 4 together with the general-purpose OS, the VM, and the server OS as an industrial OS in the memory. The server OS is operated by the VM operating on the general-purpose OS, and the information management application is operated by the server OS. That is, the information management server virtual PC 23 can fulfill the function of the information management server 4 and can play a role as the information management server 4 for operating the information management server application by the server OS.

  In the redundancy device 20A, the control of running (running) of various applications such as man-machine application and monitoring application may be arbitrary. For example, the control for always running in the control method of starting running at an event. A technique may be used. However, when there is a request to stabilize the performance of the entire system, such as when there is a need for the process computer 50 to constantly perform advanced monitoring, it is necessary to run continuously rather than the control method that starts running at the event. The control method to be set is preferable.

  The redundancy device 20A may further include a tablet terminal (tablet PC) 24 that can communicate with the virtual PCs 21 to 23. The tablet terminal 24 can receive information provided to the virtual PCs 21 to 23, and can further expand the functions of the virtual PCs 21 to 23.

  The process computer 50A capable of using such a portable tablet terminal 24 is advantageous in that the state of the virtual PCs 21 to 23 can be confirmed even at a location away from the virtual PCs 21 to 23. In the process computer 50A, it is possible to provide a man-machine interface capable of giving a command by an intuitive operation such as a swipe (an operation for sliding a finger on the screen).

  FIG. 3 is a functional block diagram of the redundancy apparatus 20A which is an example of the redundancy apparatus for the process computer according to the first embodiment. FIG. 4 is an explanatory diagram showing an example of the IP address correspondence table 36.

  The state monitoring means 31 is used to check whether the client terminal 2, the monitoring server 3, and the information management server 4 (server / client), which are existing computers in the conventional process computer 1 to be monitored, are in normal operation (normal). It is a means for monitoring whether or not (abnormal) occurs. The state monitoring unit 31 includes, for example, a client terminal state monitoring unit 311, a monitoring server state monitoring unit 312, and an information management server state monitoring unit 313.

Condition monitoring means 31, the IP address included in the data circulating trunk transmission LAN7 periodically (period _{T 1),} for example, less than half of at least _{T 1} of the like period _{T (T ≦ T 1/2} ) While acquiring at an arbitrary timing, the acquired IP is referred to by referring to the IP address correspondence table 36 (FIG. 4) having IP address information assigned to each computer of the server / client constituting the process computer 50A. It is determined which computer of the process computer 50A the computer indicated by the address is, and it is determined whether the IP address is lost or restored.

  When the state monitoring unit 31 determines which computer of the process computer 50A is the computer indicated by the acquired IP address, finally, the state monitoring unit 31 finally sets the existing computer (in this case, the client terminal 2, It can be determined whether or not the IP addresses of the monitoring server 3 and the information management server 4) have been confirmed.

  The state monitoring means 31 determines whether the existing computer to be monitored is in a normal state in which a failure has occurred or an abnormal state in which a failure has occurred depending on whether the IP address of the existing computer in the process computer 50A has been confirmed.

  The state monitoring means 31 confirms the IP address for each period T for each computer (client terminal 2, monitoring server 3, and information management server 4) of the server / client of the process computer 50A, and indicates a result of confirming the IP address. Is given to the mode transition means 33.

  The mode transition means 33 is means for switching and controlling a plurality of operation modes during operation of the redundancy device 20A. For example, the operation mode is a standby mode (the backup mode is “off”) and a backup mode (the backup mode is "On" state), the backup mode backup control means.

  For example, the mode transition means 33 performs backup of the client terminal 2 by performing backup (backup “on” state) or stopping (backup “off” state) of the client terminal 2 and backup of the monitoring server 3. A monitoring server backup control unit 332 that switches whether to execute or stop, and an information management server backup control unit 333 that switches whether to perform backup of the information management server 4 or stop.

  The operation mode of the redundancy apparatus 20A is to monitor at least the server / client state, and to wait for a failure in case of a failure (backup “off” state), monitor the server / client state, and This includes a backup mode (backup “ON” state) in which any computer performs backup operation when the computer is performing backup operation.

  When the received signal changes from normal (no failure) to abnormal (failed), that is, when it is determined that there is a loss of the IP address and the server / client has failed, A command for starting backup of the computer specified from the IP address is generated and given to the server / client terminal redundancy means 34.

  For example, when the existing computer specified from the IP address is the client terminal 2, the client terminal backup control unit 331 generates a command for starting backup of the client terminal 2 and gives it to the client terminal redundancy unit 341. Similarly, when the existing computer identified from the IP address is the monitoring server 3, the monitoring server backup control unit 332 generates a command for starting backup of the monitoring server 3, and provides the monitoring server redundancy unit 342 with information. The management server backup control means 333 generates a command for starting backup of the information management server 4 and gives it to the information management server redundancy means 343.

  On the other hand, the mode transition means 33 determines that the received signal has changed from abnormal (failed) to normal (no failure), that is, the failure that has occurred in the server / client has been resolved (restored). In this case, a command for stopping the backup of the computer specified from the IP address is generated and given to the server / client terminal redundancy means 34.

  The server / client terminal redundancy means 34 is a means for making the client terminal 2, the monitoring server 3, and the information management server 4 which are servers / clients constituting the process computer 50A redundant. The server / client terminal redundancy means 34, for example, makes the client terminal redundancy means 341 for making the client terminal 2 redundant, the monitoring server redundancy means 342 for making the monitoring server 3 redundant, and making the information management server 4 redundant. The information management server redundancy means 343 is provided.

  The server / client terminal redundancy means 34 (client terminal redundancy means 341, monitoring server redundancy means 342, and information management server redundancy means 343) is a mode transition means 33 (client terminal backup control means 331, monitoring server backup control). The means 332 generates a command to start backup of the monitoring server 3 and gives it to the monitoring server redundancy means 342, and the information management server backup control means 333 generates a command to start backup of the information management server 4, and the information management server The backup is turned on and off by giving to the redundancy means 343.

  The IP address correspondence table 36 (FIG. 4) includes, for example, a server / client configuring the process computer 50A, the server of the process computer, the client, and each of the computers virtualizing the server and the client of the process computer. The computer identification information and IP address of the computer, and the IP address and status (mode information currently being executed) of a virtual computer such as a general-purpose PC (virtual PC) that virtualizes the server / client are associated with each other.

  The first and second client terminals 2a and 2b, the first and second monitoring servers 3a and 3b, and the first and second information management servers 4a and 4b, which are computers of the server / client constituting the process computer 50A. The IP address is, for example, xxx. yyy. zzz. 001-xxx. yyy. zzz. Six different IP addresses of 006 are assigned.

  The virtual PCs 21, 22, and 23, which are virtual computers, are also backed up computers (first and second client terminals 2a and 2b, first and second monitoring servers 3a and 3b, and first and second information). IP addresses corresponding to the management servers 4a and 4b) are assigned, for example, xxx. yyy. uu. 001-xxx. yyy. uu. Six different IP addresses of 006 are assigned.

  Here, the numerical values xxx, yyy, zzz, and uuu indicating the IP address are arbitrary numerical values of 0 to 255. Of xxx, yyy, zzz, and uuu, zzz and uuu have different numerical values (zzzz ≠ uuu), but xxx, yyy, and zzz are not necessarily different numerical values. That is, xxx = yyy = zzz may be included.

  Further, the association with the information on the status of the general-purpose PC (the operation mode currently being executed) is not necessarily required when the operation mode other than the standby mode is only the backup mode (single). However, it is necessary when adding a test mode as in the third embodiment to be described later.

  Since each processor of the conventional process computer 1 and the individual processors of the virtual PCs 21, 22, and 23 of the redundancy device 20A are managed by IP addresses, the conventional process computer 1 and the virtual PCs 21 and 22 using the IP addresses are used. , 23 is prepared, the redundancy apparatus 20A refers to the IP address correspondence table 36, and uses the acquired IP address as a key to obtain data including the IP address. It is possible to specify from which computer the is output.

  Further, from the detected IP address, whether the conventional process computer 1 is in normal operation (duplex operation) or backup operation (single system operation), whether the operation mode of the redundancy device 20A is the standby mode, etc. It is also possible to specify the driving state.

  Next, a process computer redundancy method according to the first embodiment (hereinafter simply referred to as “first redundancy method”) will be described.

  The first redundancy method is an example of a method for making the conventional process computer 1 redundant. For example, by using the redundancy device 20A that executes the first redundancy procedure (FIGS. 6, 8 to 10). It can be carried out.

  FIG. 5 is an explanatory diagram (timing chart) showing the operation timing of the process computer 50A.

  When the process computer 50A is activated, the time server 5 and the existing computer / client (client terminal 2, monitoring server 3, and information management server 4) each start a predetermined operation. Further, the redundancy device 20A (client terminal virtual PC 21, monitoring server virtual PC 22, and information management server virtual PC 23) receives the request for starting the redundancy operation, and first starts the operation in the standby mode.

  Under this situation, when any trouble such as a failure occurs in any of the computers of the client terminal 2, the monitoring server 3, and the information management server 4 and the operation becomes impossible, the redundancy device 20A causes the troubled computer (IP address loss of server / client) occurs (FIG. 5 (1)).

  When an existing computer becomes inoperable, the display means such as the display of the existing computer that has become inoperable indicates that one of the computers has become inoperable, that is, a backup operation is in progress. Display is made (FIG. 5 (2)). This warning display may be displayed not only on the existing computer but also on other display means other than the existing computer such as a virtual computer (FIG. 7).

  On the other hand, the redundancy device 20A periodically checks whether an IP address loss has occurred, so that the client terminal 2, the monitoring server 3, and the information management server 4 are in a normal state during normal operation. Check if the system is in an abnormal state where it cannot operate normally. When an IP address is lost in any of the existing servers / client computers, the redundancy device 20A uses a virtual PC (virtual computer) that virtualizes the server / client that needs to be backed up based on the IP address of the lost computer. ) Is obtained (FIG. 5 (3)).

  When the redundancy device 20A obtains the IP address, the redundancy device 20A starts virtualization of the obtained IP address by the virtual PC, that is, shift to the backup mode. At this time, the current time sent from the time server 5 is collated with the current time of the application running in the virtual PC for which the IP address is obtained (FIG. 5 (4)).

  If the difference between the current time sent from the time server 5 and the current time of the application running on the virtual PC that has obtained the IP address is within an allowable range (within an allowable value), the virtual PC is successfully virtualized. . That is, the standby mode is shifted to the backup mode (FIG. 5 (5)).

  On the other hand, when the computer in which the IP address loss has occurred is restored, the warning display that appeared in the restored computer is canceled (FIG. 5 (6)). Further, the redundancy apparatus 20A acquires the IP address of the restored existing computer (FIG. 5 (7)), and obtains the IP address of the virtual PC currently operating in the backup mode based on the acquired IP address ( FIG. 5 (8)). Thereafter, the virtual PC with the obtained IP address finishes the virtualization and shifts from the backup mode to the standby mode (FIG. 5 (9)). That is, the backup of the computer in which the IP address loss has occurred is stopped.

  FIG. 6 is an overall process flow diagram of the redundancy procedure (hereinafter referred to as “first redundancy procedure”) of the conventional process computer 1 executed in the redundancy apparatus 20A. FIG. It is the schematic which shows the redundancy setting image 45 which is an example of the image which sets execution start and stop of this redundancy procedure. Note that a circle A (A in A) shown in FIG. 6 is a connector.

  The first redundancy procedure executed in the redundancy device 20A of the process computer 50A includes, as main processing steps, for example, a state monitoring step (step S1 to step S3), a backup mode transition step (step S4), A backup mode transition success / failure determination step (step S5), a standby mode transition step (step S7), and a standby mode execution step and a backup mode execution step, which are execution steps of each operation mode.

  In the processing step of the first redundancy procedure, for example, the redundancy setting image 45 (FIG. 7) is displayed on the displays of the virtual PCs 21 to 23 by starting the redundancy device 20A. When the user presses (selects) the setting button 46a in the redundancy setting image 45, the first redundancy procedure is started (START).

  The redundancy setting image 45 includes at least a setting button 46a and a release button 46b for canceling the setting, a display area 47 for displaying an existing computer (server / client) that monitors the state and backs up when necessary, and an operation being executed. And a display area 48 for displaying mode and date / time information.

  When the setting is pressed, for example, the setting button 46a is displayed on the redundancy setting image 45 so that it can be seen that the setting is effective, for example, by inverting the colors of the background and characters. It is preferable. Also, considering the visibility of the user, etc., if there is an auxiliary IP address loss, the display area 49 for displaying a warning that the existing computer corresponding to the lost IP address is stopped is set to be redundant. The image 45 may be additionally provided.

  For example, in the redundancy setting image 45 illustrated in FIG. 7, the “first client terminal 2 a” that is an existing computer to be backed up in the display area 47 and the “operation in backup mode” that is the operation mode being executed in the display area 48. ”And“ 2011/11/30 11:58 ”(11:58 on November 30, 2011), which is an example of the current date and time (here, the time is the time server time of the conventional process computer 1 because it is virtualized) In the display area 49, “the first client terminal 2a is stopped” is displayed as a warning display indicating that the first client terminal 2a is present as an existing computer whose IP address is lost.

  Attention is focused on the overall processing flow (FIG. 6) of the first redundancy procedure. When the first redundancy procedure is started (START), the first redundancy procedure starts with the IP addresses of the client terminal 2, the monitoring server 3, and the information management server 4 (server / client), which are existing computers. Based on this, a state monitoring step (step S1 to step S3) for monitoring whether the state is normal (abnormal) is executed.

  The state monitoring step acquires the IP addresses of the client terminal 2, the monitoring server 3, and the information management server 4 (server / client), which are existing computers (step S1), and the acquired IP address is the existing computer (client terminal 2). The server / client abnormality detection step (step S2) for checking whether there is any loss (insufficiency) with respect to the IP addresses of the monitoring server 3 and the information management server 4), and the acquired IP address was executed immediately before A server / client restoration detection step (step S3) for detecting whether the lost IP address is restored (recovered) with respect to the normal / abnormal detection result of the existing computer.

  In the state monitoring step (steps S1 to S3), the state monitoring unit 31 checks the IP addresses of the client terminal 2, the monitoring server 3, and the information management server 4 (server / client) (step S1), and acquires the acquired IP. It is determined whether there is no loss with respect to the IP address that was confirmed immediately before (step S2) and whether there is no restoration (step S3). When the acquired IP address is not lost with respect to the IP address confirmed immediately before and there is no restoration of the lost IP address (No in step S2 → No in step S3), step S1 to step The processing step of S3 is repeated.

  On the other hand, in the state monitoring step, when the IP address loss is confirmed with respect to the IP address confirmed immediately before (No in step S2), that is, the existing computer (client terminal 2, monitoring server) in the conventional process computer 1 3 and when the abnormality is detected in the information management server 4), the processing flow of the first redundancy procedure goes through the repetition loop of the state monitoring process (step S1 to step S3) and proceeds to step S4.

  In the backup mode transition step of step S4, the mode transition means 33 gives a command to the server / client terminal redundancy means 34 to shift the operation mode of the redundancy apparatus 20A from the standby mode to the backup mode. The server / client terminal redundancy means 34 attempts to start backup upon receiving a command to shift to the backup mode. Thereafter, the processing flow of the first redundancy procedure proceeds from step S4 to step S5.

  In the backup mode transition success / failure determination step of step S5, the state monitoring means 31 determines whether the transition from the operation mode currently being executed (the standby mode in this case) of the redundancy apparatus 20A to the backup mode is successful. is there. When the backup mode transition success / failure determination step is executed, it is subsequently confirmed whether or not there is a request for termination of the first redundancy procedure (step S6).

  The presence / absence of a request for termination of the first redundancy procedure is confirmed, and when there is a termination request (Yes in step S6), the first redundancy procedure is terminated (END). On the other hand, if there is no termination request (No in step S6), the processing flow of the first redundancy procedure proceeds to step S1, and the processing steps after step S1 are executed.

  On the other hand, there is a loss in the IP address confirmed immediately before, but there is no loss in the IP address acquired this time, that is, when the restoration of the existing computer is confirmed (Yes in step S3), the first The process flow of the redundancy procedure is to go out of the repetition loop of the state monitoring process (step S1 to step S3) and proceed to step S7.

  In the standby mode transition step of step S7, the mode transition means 33 gives a command to the server / client terminal redundancy means 34 to shift the operation mode of the redundancy apparatus 20A from the backup mode to the standby mode. The server / client terminal redundancy means 34 attempts to stop the backup upon receiving a command to shift to the standby mode. Thereafter, the processing flow of the first redundancy procedure proceeds to step S1, and the processing steps after step S1 are executed.

  Next, each process (FIGS. 8, 9, and 10) that has been defined as a subroutine in the processing flow diagram (FIG. 6) of the first redundancy procedure will be described.

  FIG. 8 is a process flow diagram of the backup mode transition process in the first redundancy procedure, FIG. 9 is a process flowchart of the backup mode transition availability determination process in the first redundancy procedure, and FIG. 10 is a flowchart of the first redundancy procedure. It is a processing flow figure of a standby mode transfer process.

  The backup mode transition process (steps S41 to S42: FIG. 8) includes, for example, a backup mode transition notifying step (step S41) for notifying the user that the mode is shifted to the backup mode, and the backup mode as the current operation mode. A backup mode setting step (step S42) for setting.

  In the backup mode transition notifying step (step S41), the server / client terminal redundancy means 34 (FIG. 3) starts backup of the existing computer with the IP address lost, and transitions to the backup mode for the user. Is notified. The notification to the user that the mode is shifted to the backup mode is, for example, “backup” in the area 48 of the redundancy setting image 45 (FIG. 7) displayed on the display means such as the display of the virtual PCs 21 to 23 (FIG. 2). This is done by displaying “mode”.

  This notification is made on the assumption that the current operation mode is the backup mode, even if the operation mode of the virtual PCs 21 to 23 has not yet completed the transition to the backup mode. The notification is made on the assumption that the mode is the backup mode for the reason of preventing an erroneous operation when the operation mode is shifted manually by the user.

  In the backup mode setting step (step S42), the processors of the virtual PCs 21 to 23 set the backup mode as the current operation mode. That is, the backup state of the existing computer of the server / client terminal redundancy means 34 is switched to “ON”. When the backup mode setting step is completed, the backup mode transition process as a subroutine is exited (RETURN).

  The backup mode transition success / failure determination step (steps S51 to S55: FIG. 9) includes, for example, a virtual machine IP address specifying step (step S51) and a virtualization success / failure determination step (steps S52 and S53).

  In the virtual computer IP address specifying step (step S51), the state monitoring means 31 refers to the IP address correspondence table 36 and uses the IP address where loss is recognized as a key, and the existing computer corresponding to the IP address where loss is recognized The IP address of the virtual machine (virtual PC) that virtualizes When the IP address of the virtual machine is specified, a virtualization success / failure determination step (steps S52 and S53) is subsequently executed.

  In the virtualization success / failure determination step (steps S52 and S53), the current time (more in detail) of the virtual PCs 21 to 23 generated when the data processing in the process computer 50A is not completed within a predetermined time due to the congestion of the system operation. The time difference is confirmed between the current time of the man-machine application, the monitoring application, and the information management application) and the current time of the time server 5 (FIG. 1).

  The time difference between the current time information possessed by the virtual PCs 21 to 23 and the current time information possessed by the time server 5 is confirmed by processing in the trunk transmission line LAN 7 (FIG. 2) and the virtual PCs 21 to 23 (FIG. 2). This is because ensuring the soundness of the plant data stored in the virtual PCs 21 to 23 can be a problem when there is a traffic jam.

  In consideration of such circumstances, in the virtualization success / failure determination step, the state monitoring unit 31 includes information on the current time of the virtual PCs 21 to 23, more specifically, a man-machine application, a monitoring application, and information management. The current time of the application (current time tag) and the current time information (current time tag) of the time server 5 are acquired (step S52), and it is determined whether or not the difference between the two times is within the allowable range (step S52). Step S53), and finally the success or failure of the virtualization is determined from the determination result.

  When the current time tag (acquired in step S51) of the virtual PCs 21 to 23 is compared with the current time tag (acquired in step S52) of the time server 5, the difference between the two times is within an allowable range (step S53). In the case of Yes), it is determined that the transition to the backup mode, that is, the virtualization has been successful (backup has been started) (step S54). When step S54 is completed, the process exits the backup mode transition success / failure determination process (RETURN).

  On the other hand, as a result of comparing the current time tag of the virtual PCs 21 to 23 with the current time tag of the time server 5, if the difference between the two times is not within the allowable range (No in step S53), the backup mode is entered. It is determined that migration, that is, virtualization has failed (backup has not started) (step S55).

  At this time, the user is notified that the virtualization has failed by displaying on the display means such as the display of the virtual PCs 21 to 23 (FIG. 2) that the virtualization has failed. The display indicating that the virtualization has failed is performed, for example, by displaying “virtualization failure” in the area 48 in the redundancy setting image 45 (FIG. 7).

  When step S55 is completed, the processing flow of the backup mode transition success / failure determination process proceeds to step S51, and the processing steps after step S51 are executed. In the process flow of the backup mode transition success / failure determination step shown in FIG. 9, the success / failure of virtualization is repeatedly determined until it is determined that the virtualization is successful, but it is not necessarily limited to the illustrated example. For example, when the number of executions of step S55 exceeds a predetermined number, the backup mode transition success / failure determination step is terminated, and a warning is displayed on the display means such as the display of the virtual PCs 21 to 23 (FIG. 2) to indicate that the virtualization has failed. You may do it.

  The standby mode transition process (steps S71 to S73: FIG. 10) includes a virtual machine IP address specifying step (step S71), a standby mode transition notifying step (step S72), and a standby mode setting step (step S73). Prepare.

  In the virtual computer IP address specifying step (step S71), the IP address of the virtual computer (virtual PC) is obtained based on the IP address of the existing computer restored by the state monitoring means 31 and the IP address correspondence table.

  In the standby mode transition notifying step (step S72), the server / client terminal redundancy means 34 (FIG. 3) has transitioned to the standby mode on the display means such as the display of the virtual PCs 21 to 23 (FIG. 2), for example. Is displayed, the user is notified of the transition to the standby mode. The display indicating the transition to the standby mode is performed, for example, by displaying “standby mode” in the area 48 in the redundancy setting image 45 (FIG. 7).

  In the standby mode setting step (step S73), the processors of the virtual PCs 21 to 23 set the standby mode as the current operation mode. That is, the backup state of the existing computer of the server / client terminal redundancy means 34 is switched to “OFF”. When the standby mode setting step is completed, the standby mode transition process as a subroutine is exited (RETURN).

  In addition, when shifting to the standby mode (backup is stopped), there is no problem of the soundness of the plant data due to the presence of processing congestion unlike when shifting to the backup mode. Even if there is a processing jam, it is not a problem.

  According to the redundancy device 20A of the conventional process computer 1, the redundancy method of the conventional process computer 1 using the redundancy device 20A, and the process computer 50A, the following effects (1) to (7) are obtained. can get.

(1) Avoidance of backup operation When the conventional system of the conventional process computer 1 is stopped and the standby system operates, the client terminal virtual that is a virtual computer (virtual PC) of the redundancy device 20A Since the PC 21, the monitoring server virtual PC 22, and the information management server virtual PC 23 start backup of the client terminal 2, the monitoring server 3, and the information management server 4, which are existing computers of the conventional process computer 1, always one or more other The conventional process computer 1 can be made redundant so that the system can be backed up.

(2) Normalization avoidance of emergency response of restoration work Since the conventional process computer 1 can be made redundant so that one or more other systems can always be backed up, allowance is given to the response time until restoration. be able to. Therefore, it is possible to avoid a situation where an emergency restoration that has been normalized as before is forced.

(3) Reduction of installation space and refurbishment costs Even if the processors constituting the conventional process computer 1 are different, virtualization is possible if the processors themselves support standard protocols. In addition, due to the nature of VM, if the VM operating environment supports the OS version of a general-purpose PC, it can operate on a general-purpose PC without matching the version of the general-purpose OS. Even if it is not a customized computer (so-called dedicated machine), a general PC (general-purpose PC) can be used, and a more flexible response is possible.
Therefore, the conventional process computer 1 is made redundant by introducing a general-purpose PC in which software including an OS, a VM, and an application providing functions as the client terminal 2, the monitoring server 3, and the information management server 4 is installed. Since the redundancy device 20A can be provided, the installation space and the repair cost can be reduced as compared with the conventional case where the system is tripled.

(4) No need to remodel existing equipment for introduction When introducing the redundancy device 20A to make the conventional process computer 1 redundant, the hardware and software of the existing process computer 1 already installed are not modified. Since it is not necessary, the redundancy device 20A can be introduced without affecting the conventional process computer 1.

(5) Reduction of maintenance cost Conventionally, in order to make the conventional process computer 1 redundant, it is necessary to modify applications and databases in the existing computer. When an application in an existing computer is generated, a debugging environment database is prepared and constructed in advance. However, the technology transition in the IT field is one year in the IT (Information Technology) field and 7 years in other fields. This means that changes such as technological innovations are so fast that it is equivalent to), and the technological transition is so fast that it is carried out in units of several years, which increases the labor and cost of maintaining the equipment environment. ing.
In contrast, in the redundancy apparatus 20A, the redundancy method of the conventional process computer 1 using the redundancy apparatus 20A, and the process computer 50A, the effects (3) and (4) can be obtained. It is possible to greatly reduce the labor and cost of maintaining the cost.

(6) Visualization of virtualization health, etc. Since the success or failure of virtualization (for example, backup mode being executed / virtualization failure, etc.) is displayed on the virtualization PCs 21 to 23 (FIG. 7), the operator can clearly see Can determine the success or failure of virtualization. In addition, since the operating status of each processor can be monitored, it is possible to quickly grasp the plant operating status and deal with troubles.

(7) Efficient inspection work It is necessary to take off one processor offline during periodic inspections of the plant. Even in such a situation, inspection is performed with one or more other systems backed up. Work can be carried out.

[Second Embodiment]
FIG. 11 is a schematic diagram illustrating a hardware configuration example of a redundancy apparatus 20B as an example of a process computer redundancy apparatus according to the second embodiment and a process computer 50B as an example of a process computer according to the second embodiment. It is.

  The redundancy apparatus 20B is one general-purpose PC with respect to the redundancy apparatus 20A configured by including the client terminal virtual PC 21, the monitoring server virtual PC 22, and the information management server virtual PC 23, which are three general-purpose PCs. The difference is that the integrated virtual PC 25 is provided. Therefore, in the description of the present embodiment, the difference will be mainly described, and the constituent elements that are not substantially different from the constituent elements of the redundancy apparatus 20A and the process computer 50A will be denoted by the same reference numerals and description thereof will be omitted. .

  The redundancy device 20B includes an integrated virtual PC 25 connected to the backbone transmission LAN 7 and the hub 11. The integrated virtual PC 25 is a general-purpose PC that integrates the functions of the client terminal virtual PC 21, the monitoring server virtual PC 22, and the information management server virtual PC 23 of the redundancy device 20A. That is, the integrated virtual PC 25 executes the redundant PG 40B that causes the computer (general-purpose PC) to function as an apparatus including the state monitoring unit 31, the mode transition unit 33, and the server / client terminal redundancy unit 34. It functions as a redundancy device 20B comprising means 31, 33, 34.

  Next, a process computer redundancy method (hereinafter simply referred to as “second redundancy method”) according to the second embodiment will be described.

  The second redundancy method is an example of a method for making the conventional process computer 1 redundant. For example, the second redundancy method can be performed by using the redundancy device 20B that executes the second redundancy procedure.

  Regarding the operation timing of the process computer 50B, with respect to the operation timing of the process computer 50A (FIG. 5), the operation timing and processing contents until the execution of the application for virtualizing the server / client after the IP address loss of the existing computer is executed. However, the other points are not substantially different.

  In the process computer 50B, when the IP address loss of the existing computer occurs (FIG. 12 (1)), the display means such as the display of the existing computer that has become inoperable indicates that the one-system computer has become inoperable. That is, a warning display indicating that backup operation is in effect is displayed (FIG. 12 (2)).

  Upon confirming the IP address loss of the existing computer, the redundancy device 20B obtains and executes an application for virtualizing the server / client that needs to be backed up based on the IP address of the lost computer ((3) in FIG. 12). ).

  Here, the application for virtualizing the server / client is a man-machine application when the backup of the client terminal 2 is required, and an application for the monitoring server and an information management server when the backup of the monitoring server 3 is required. 4 is an information management application when a backup of 4 is necessary.

  The subsequent operation timing (FIGS. 12 (4) to 12 (5)) and the operation timing (FIGS. 12 (6) to 12 (9)) when the computer in which the IP address loss has occurred are restored are as follows. This is the same as the operation timing (FIG. 5 (4) to FIG. 5 (9)) in the process computer 50A.

  Further, the redundancy procedure of the conventional process computer 1 (hereinafter referred to as “second redundancy procedure”) executed in the redundancy apparatus 20B is as described above with respect to the first redundancy procedure. The operation timing and processing contents until the execution of the application for virtualizing the server / client after the loss of the IP address of the existing computer are different, but the above-mentioned difference between the second redundancy procedure and the first redundancy procedure This is because the integrated virtual PC 25 executes the processing contents executed by the virtual PCs 21 to 23.

  More specifically, in the second redundancy procedure, in the backup mode transition notification step (step S41: FIG. 8), the server / client is virtualized when executing the application for virtualizing the server / client. While the application itself is specified and executed, the first redundancy procedure is different in that a virtual machine is specified and an application mounted on the specified virtual machine is executed.

  However, both of the first and second redundancy procedures are common in that an application for virtualizing the server / client is finally executed, and there is no substantial difference in processing contents. . Therefore, the description of the second redundancy procedure and the processing flowchart are omitted with the description of the first redundancy procedure and the processing flowchart, respectively.

  In the redundancy device 20B, one integrated virtual PC 25 performs man-machine application, monitoring server application, and information management application (via industrial OS) according to the IP address loss situation. Since it is necessary to operate (load) on the VM, it is necessary to recognize that the desired application has been loaded on the VM. However, recognizing completion of loading on the VM is solved by a known technique without particularly introducing a new technique. When the loading on the VM is completed, the industrial OS notifies the processor that the loading has been completed, so whether or not the loading on the VM is completed by recognizing the presence or absence of this notification. Can be recognized.

  According to the redundancy device 20B of the conventional process computer 1, the redundancy method of the conventional process computer 1 using the redundancy device 20B, and the process computer 50B, the redundancy device 20A and the redundancy device of the conventional process computer 1 The same effect as that of the conventional process computer 1 redundancy method using 20A and the process computer 50A can be obtained, and the number of computers necessary for realizing the redundancy device 20B can be reduced to one. Therefore, installation space and power consumption can be further reduced.

[Third Embodiment]
FIG. 13 is a schematic diagram showing a hardware configuration example of a redundancy apparatus 20C as an example of a process computer redundancy apparatus according to the third embodiment and a process computer 50C as an example of a process computer according to the third embodiment. It is.

  The redundancy device 20C is obtained by adding the function of the test device of the conventional process computer 1 to the redundancy device 20B, for example, and instead of the integrated virtual PC 25, a single general-purpose PC is used as the client terminal virtual PC 21, A monitoring server virtual PC 22, an information management server virtual PC 23, and an integrated virtual PC 26 with a test function having a function as a test apparatus of the conventional process computer 1, and between the integrated virtual PC 26 with a test function and the backbone transmission LAN 7 The difference is that an isolation controller 27 is additionally provided. Therefore, in the description of the present embodiment, the difference will be mainly described, and the constituent elements that are not substantially different from the constituent elements of the redundancy apparatus 20B and the process computer 50B will be assigned the same reference numerals and description thereof will be omitted. .

  The redundancy device 20C includes an integrated virtual PC 26 with a test function connected to the backbone transmission LAN 7 and the hub 11, and an isolation controller that sets desired restrictions on data communication between the integrated virtual PC 26 with a test function and the backbone transmission LAN 7. 27.

  The integrated virtual PC 26 with a test function adds the function of the testing device of the conventional process computer 1 to the integrated virtual PC 25, that is, the client terminal virtual PC 21, the monitoring server virtual PC 22, the information management server virtual PC 23, and the conventional process computer 1 It is a general-purpose PC that integrates the functions of the test equipment.

  The integrated virtual PC 26 with the test function executes the redundant PG 40C, so that the client terminal 2, the monitoring server 3, and the information together with the general-purpose OS, VM, and industrial OS (client OS, server OS, and test device OS) Each application providing the functions of the management server 4 and the test apparatus of the conventional process computer 1 is held in the memory, the industrial OS is operated by the VM operating on the general-purpose OS, and the execution request is executed by the industrial OS. The application that was found works.

  That is, the integrated virtual PC 26 with a test function is a redundancy device of the conventional process computer 1 and can also serve as a test device. By cooperating with the isolation controller 27, the integrated virtual PC 26 shown in FIG. It functions as a redundancy device 20C having each means 31, 33, 34, 61-63.

  The isolation controller 27 has a function of controlling a communication state with the conventional process computer 1, and by controlling the communication state, a conventional process computer required for preventing leakage of data such as plant data and performing a test. Isolation with 1 is performed.

  In the redundancy device 20C, a general-purpose PC can be used as the integrated virtual PC 26 with a test function. Therefore, the redundancy device 20C is advantageous in terms of low cost and versatility compared with a redundancy device using a dedicated machine. Because opaque hardware and software are used, there is no guarantee that there will be no malicious code. The isolation controller 27 is added in order to ensure sufficient security in consideration of such circumstances.

  The isolation controller 27 includes a transmission unit 271 on the backbone transmission LAN 7 side, a transmission unit 272 on the integrated virtual PC 26 side with a test function, and a transfer unit 273 that performs data transfer between the transmission unit 271 and the transmission unit 272. . The isolation controller 27 can switch the data communication between the conventional process computer 1 and the integrated virtual PC 26 with the test function to be permitted or not permitted by appropriately setting the data transfer of the transfer unit 273 as necessary. It can function as a firewall, blocking unauthorized data communication.

  In addition, the isolation controller 27 performs data transfer between the transmission units 271 and 272 performed by the transfer unit 273 in a ladder language that is an example of a language introduced in the field of a process computer that monitors a plant. A system environment is provided as a completely different hardware and software platform between the process computer 1 and the integrated virtual PC 26 with a test function.

  Furthermore, since the isolation controller 27 can basically restrict data traffic only in the direction from the backbone transmission LAN 7 toward the integrated virtual PC 26 with the test function, the unauthorized communication is cut off during the test while the plant state is changed. You can enter it as it is. Therefore, in the process computer 50C, a test with realistic data is possible, and higher quality can be ensured.

FIG. 14 is a functional block diagram of the redundancy device 20C.
The redundancy device 20C is configured by adding the test function of the conventional process computer 1 to be tested to the function of the redundancy device 20B. For example, the status monitoring unit 31, the mode transition unit 33, and In addition to the server / client terminal redundancy means 34, a data communication control means 61, a test mode setting means 62, and a test execution means 63 are provided.

  The redundancy device 20C includes, for example, an integrated virtual PC 26 with a test function that executes a redundancy PG 40C that causes a computer (general-purpose PC) to function as a device including means 31, 33, 34, 62, and 63, and data according to settings. It can be realized by an isolation controller 27 as means for controlling the traffic (data communication control means 61).

  The data communication control unit 61 has a function of controlling the passage of data according to the setting, and is a unit that passes received data to the state monitoring unit 31 or the test execution unit 63.

  The test mode setting means 62 is a means for setting an operation mode (test mode) for performing a test of the conventional process computer 1 and canceling the set test mode.

  The test mode setting means 62 updates the status (information on the mode currently being executed) in the IP address correspondence table 36 according to the setting or cancellation of the test mode, and the test mode is set or canceled. To the data communication control means 61.

  When the test mode setting unit 62 receives a result of determining from the state monitoring unit 31 that there is a loss of the IP address of the existing computer, the test mode setting unit 62 cancels the test mode and gives a test stop command to the test execution unit 63.

  The test execution means 63 is means for executing a test of the conventional process computer 1. The test execution means 63 is, for example, software installed so as to be executable on the integrated virtual PC 26 with the test function and the integrated virtual PC 26 with the test function, which are hardware, and operates on the OS for the test apparatus that can operate on the VM. By cooperating with the test application, the integrated virtual PC 26 with a test function, which is a computer, is made to function as a means capable of executing the test of the conventional process computer 1.

  Next, a process computer redundancy method (hereinafter simply referred to as “third redundancy method”) according to the third embodiment will be described.

  The third redundancy procedure is different from the second redundancy procedure executed by the redundancy device 20B in that it further includes a test process as a process related to the test execution of the conventional process computer 1. Therefore, in the description of the third redundancy procedure, the description will focus on the test process that is different from the second redundancy procedure, and the description of the overlapping processing process will be omitted.

  FIG. 15 is an overall process flow diagram of the third redundancy procedure of the conventional process computer 1 executed in the redundancy apparatus 20C, and FIG. 16 is a process flowchart of the test process of the third redundancy procedure. FIG. 17 is a schematic view showing a test setting image 65 which is an example of an image for setting start and stop of the test process. Note that a circle B (B in FIG. 15) shown in FIG. 15 is a connector.

  The third redundancy procedure includes, as main processing steps, for example, a processing step related to redundancy of the conventional process computer 1, that is, a processing step (step S95) corresponding to the first and second redundancy procedures, and a test. And a process (step S92).

  In the third redundancy procedure, for example, when the redundancy device 20C is activated and whether to perform redundancy of the conventional process computer 1 or to perform a test is selected, the third redundancy procedure is started. (START).

  When the test is selected, the test setting image 65 (FIG. 17) is displayed on the display of the integrated virtual PC 26 with a test function. When the user presses (selects) the setting button 66a in the test setting image 65, a test mode setting request is output (in the case of Yes in step S91).

  The test setting image 65 includes at least a setting button 66a for requesting the setting of the test mode and a release button 66b for canceling the setting of the test mode, as well as a test target selection for receiving selection of an existing computer (server / client) for performing the test. A button 67 (67a, 67b, 67c), an operation mode being executed, and a display area 68 for displaying date and time information are provided.

  Note that when the test target selection button 67 is pressed to select an existing computer to perform a test, and the setting button 66a is pressed to select a test mode, for example, the pressed test target selection buttons 67a, 67b, and 67c are selected. It is preferable that the setting image 66 is displayed on the setting image 65 so that the test object and the setting of the test mode can be visually recognized by inverting the colors of the background and characters of the setting button 66. .

  In consideration of user visibility, etc., when the test mode is being executed, the progress of the test may be displayed in the display area 68 together. Further, a display area 69 for displaying a warning that the existing computer is conducting the test may be additionally provided in the test setting image 65 as an auxiliary.

  Here, attention is focused on the overall processing flow (FIG. 15) of the third redundancy procedure. When the third redundancy procedure is started (START) and a test mode setting request is output (Yes in step S91), a test process (step S92) is executed. Subsequently, when there is a request to end the third redundancy procedure (Yes in step S93), the third redundancy procedure is hunted (END).

  On the other hand, if the test mode setting request has not been output (No in step S91), this corresponds to the conventional execution request for redundancy of the process computer 1, that is, the first and second redundancy procedures. The presence / absence of a processing process execution request is confirmed (step S94).

  As a result of the confirmation, if there is a request to execute a processing step corresponding to the first and second redundancy procedures (Yes in step S94), the first and second redundancy procedures (FIGS. 6, 8 to 10) A corresponding processing step is executed (step S95). On the other hand, when there is no request for execution of the processing steps corresponding to the first and second redundancy procedures (No in step S94), the processing flow of the third redundancy procedure proceeds to step S91, and after step S91. The processing steps are executed.

  Subsequently, a more detailed processing step (step S921 to step S928: FIG. 16) of the test process (step S92: FIG. 15) will be described.

  The test process (step S921 to step S928) includes a step (step S921) for determining whether or not to shift to the test mode, a step for executing the shift to the test mode (step S922 to step S924), and a test to be tested. Step to be executed (step S925), step for confirming whether or not there is a request for transition to another operation mode (step S926), and step for executing transition to the operation mode for which a transition request has been made (step S927 to step S928) And comprising.

  When the test process is started (ENTER), it is first determined whether or not it is possible to shift to the test mode (step S921). The transition to the test mode is made only when the backup is not executed from the viewpoint of absolutely avoiding the situation where the system performing the backup operation further stops. In other words, whether or not to shift to the test mode is determined based on whether or not the conventional process computer 1 to be tested is performing a backup operation. Whether or not the backup operation is being performed is determined by the mode transition means 33 based on the backup state (backup “ON” or “OFF”).

  When the transition to the test mode is permitted (No in step S921), the test mode setting means 62 (FIG. 14) performs processing steps for transitioning to the test mode (steps S922 to S924). More specifically, the test mode setting unit 62 switches the display of the operation mode being executed to the test mode being executed (step S922), loads the application (step S923), and loads the application to the processor of the integrated virtual PC 26 with the test function. A test mode is set as the current operation mode (step S924). Thereby, the state where the test by the test execution means 63 is possible, that is, the transition to the test mode is completed.

  Subsequently, the test execution unit 63 tests the test target (step S925). In conducting the test, the data communication control means 61 controls the data passage.

  When the test is performed (step S925), it is confirmed whether or not there is an operation mode transition request (step S926). The operation mode transition request includes, for example, a request for returning to the operation mode that was originally performed by canceling (ending) the test mode and a request for transitioning to the backup mode when an IP address loss is detected.

  When there is a request for shifting to the operation mode (Yes in step S926), the user is notified that the operation mode has been requested to be shifted (step S927). The notification to the user that the operation mode has been requested to be transferred is, for example, the test setting image 65 (FIG. 17) displayed on the display means such as the display of the integrated virtual PC 26 with the test function (FIG. 13). This is performed by displaying the operation mode requested to be transferred in the area 48.

  Subsequently, the processor of the integrated virtual PC 26 with the test function sets the operation mode requested to be migrated to its own processor (step S928). When the setting of the operation mode for which the transfer request has been made is completed, the test process as a subroutine is exited (RETURN).

  On the other hand, if the current operation mode is backup (Yes in step S921), the test process is exited without going to the test mode (RETURN).

  If there is no operation mode transition request (No in step S926), the processing flow of the test process returns to step S926, and the processing steps after step S926 are executed. In other words, the test is performed until the test is completed, and it waits until there is a request for shifting to the operation mode.

  According to the redundancy device 20C of the conventional process computer 1, the redundancy method of the conventional process computer 1 using the redundancy device 20C, and the process computer 50C, the redundancy device 20B and the redundancy device of the conventional process computer 2 The same effect as the redundancy method of the conventional process computer 1 using the 20B and the process computer 50B can be obtained, and the redundancy device and the test device can be combined with one computer (general-purpose PC). In addition, the introduction cost can be kept lower than before.

  Further, according to the conventional redundancy device 20C of the process computer 1, the redundancy method of the conventional process computer 1 using the redundancy device 20C, and the process computer 50C, the isolation controller 27 is additionally provided, and the plant raw data The state of the conventional process computer 1 can be obtained even during the test execution (execution of the test mode) by making it possible to select the data necessary for the test and the data necessary for the state monitoring of the conventional process computer 1. Can be monitored. If an IP address loss occurs during the execution of the test mode, the test being performed is interrupted, and the server / client (client terminal 2, monitoring server 3, and information management server 4) that has lost the IP address. ) Can be started, it is possible to maintain a state in which one or more other systems can be backed up even while the conventional process computer 1 is being tested.

  Furthermore, according to the redundancy device 20C of the conventional process computer 1, the redundancy method of the conventional process computer 1 using the redundancy device 20C, and the process computer 50C, a dedicated line or an Internet line is used as a communication network. Thus, it is possible to connect to the integrated virtual PC 26 with a test function from outside the plant facility, and the test can be performed from a remote place. In addition, safety measures against unauthorized access from outside the facility can be achieved by additionally installing an isolation controller 27.

  Note that the redundancy device 20C and the process computer 50C described above are examples in which the function of the test device of the conventional process computer 1 is added to the redundancy device 20B. A configuration in which the function of the test apparatus of the process computer 1 is additionally provided can be employed.

  As described above, according to the process computer redundancy apparatus, the redundancy method, and the process computer to which the redundancy apparatus is applied, it is possible to minimize the increase in the installation space and the repair cost, and without modifying the existing process computer. Even when the normal system is stopped and the standby system is performing the backup operation, the process computer can be made redundant so that one or more other systems can be backed up.

  In addition, even if the active system is stopped and the standby system is performing backup operation, the process computer can be made redundant so that one or more other systems can be backed up. Even when it is sometimes necessary to perform an operation in which one processor is offline, the operation can be performed in a state where one or more other systems can be backed up.

  Furthermore, since the function of the test device can be added to the virtual computer as the redundancy device by operating the industrial OS that operates the test device on the VM, the device can test and make the process computer redundant. Can provide.

  It should be noted that the present invention is not limited to the above-described embodiment as it is, and can be implemented in various forms other than the above-described examples in the implementation stage, and various modifications can be made without departing from the spirit of the invention. Can be omitted, added, replaced, or changed. Further, the above-described embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

  For example, the redundancy devices 20A to 20C and the process computers 50A to 50C described above perform backup operation of a computer that is stopped when the conventional process computer 1 is in backup operation. Although multiplexing is realized, further multiplexing (redundancy of four or more layers) may be realized by further adding a general-purpose PC.

  Further, although the isolation controller 27 is not installed in the redundancy devices 20A and 20B and the process computers 50A and 50B described above, the isolation controller 27 is added like the redundancy device 20C and the process computer 50C described above. You may set up.

  Further, the redundancy device 20B and the process computer 50B described above are examples in which all of the functions of the client terminal virtual PC 21, the monitoring server virtual PC 22, and the information management server virtual PC 23 are realized by using one integrated virtual PC 25. A configuration that realizes all the functions of the client terminal virtual PC 21, the monitoring server virtual PC 22, and the information management server virtual PC 23 using two or more general-purpose PCs may be employed.

  For example, the redundancy device 20 and the process computer 50 are realized by using one general-purpose PC as the client terminal virtual PC 21 and one general-purpose PC in which the functions of the monitoring server virtual PC 22 and the information management server virtual PC 23 are integrated. You can also.

  Furthermore, the redundancy device 20C and the process computer 50C described above have all the functions of the test equipment of the client terminal virtual PC 21, the monitoring server virtual PC 22, the information management server virtual PC 23, and the conventional process computer 1 as one test function. This is an example realized by using the integrated virtual PC 26, but functions of the client terminal virtual PC 21, the monitoring server virtual PC 22, the information management server virtual PC 23, and the conventional test apparatus of the process computer 1 using two or more general-purpose PCs A configuration that realizes all of the above may be adopted.

  For example, one general-purpose PC as the client terminal virtual PC 21, one general-purpose PC integrating the functions of the monitoring server virtual PC 22 and the information management server virtual PC 23, and one conventional test machine for the process computer 1 The redundancy device 20 and the process computer 50 can also be realized using a general-purpose PC.

  DESCRIPTION OF SYMBOLS 1 ... Conventional process computer, 2 (2a, 2b) ... Client terminal, 3 (3a, 3b) ... Monitoring server, 3a ... 1st monitoring server (normal, normal use monitoring server), 3b ... 2nd Monitoring server (normal, standby monitoring server), 4 (4a, 4b) ... information management server, 4a ... first information management server (normal, regular information management server), 4b ... second information Management server (normally, standby information management server), 5 ... time server, 6 ... PIO controller, 7 ... backbone transmission LAN (communication network), 8 ... plant equipment, 9 ... PIO, 11 ... hub, 12 (12a 12b) ... Display, 13 (13a, 13b) ... Printer, 14 ... Annunciator (ANN), 20 (20A, 20B, 20C) ... Redundant device, 21 ... Clear Terminal virtual PC, 22 ... monitoring server virtual PC, 23 ... information management server virtual PC, 24 ... tablet terminal (tablet PC), 25 ... integrated virtual PC, 26 ... integrated virtual PC with test function, 31 ... status monitoring means , 32 ... Computer specifying means, 33 ... Mode transition means, 34 (341, 342, 343) ... Server / client terminal redundancy means, 341 ... Client terminal redundancy means, 342 ... Monitoring server redundancy means, 343 ... Information management Server redundancy means, 36 ... IP address correspondence table, 40A (40A1, 40A2, 40A3) ... Redundancy PG, 40A1 ... Client redundancy PG, 40A2 ... Monitoring server redundancy PG, 40A3 ... Information management server redundancy PG, 45 ... redundancy setting image, 46a ... setting button, 46b ... release button, 47 49 ... Display area, 50 (50A, 50B, 50C) ... Process computer, 61 ... Data communication control means, 62 ... Test mode setting means, 63 ... Test execution means, 65 ... Test setting image, 66a ... Setting button, 66b ... Cancel button, 67 (67a, 67b, 67c) ... test object selection button, 68, 69 ... display area.

Claims (7)

When a failure occurs in one of the systems via a network capable of communicating with the process computer in which the system is provided with a server and a client that start a backup operation in the other system in which no failure has occurred Connected, monitoring for the presence or absence of a fault in the system, and starting operation as a backup of the other system when a fault occurs in one of the systems and multiplexing the system more than duplex A redundancy device for the process computer to be maintained at
The server of the process computer, the client, and the server and the client of which the computer is held accessible while obtaining an IP address assigned to each of the server and the client of the process computer from the network And an IP address correspondence table that associates an IP address assigned to each server of the server, the client, and the computer that virtualizes the server and the client of the process computer. State monitoring means for determining whether an IP address has been acquired;
Redundancy means for performing backup in units of devices in a system different from the system for each of the server and the client of the process computer;
A computer program that functions as a redundancy device for the process computer, comprising: backup control means for controlling on / off of backup performed by the redundancy means in units of the devices according to the result of the IP address acquired by the state monitoring means A process computer redundancy apparatus characterized by comprising: 2. A data communication control means for controlling data traffic according to a setting is further provided between the network and a computer that executes a computer program that functions as a redundancy device for the process computer. The process computer redundancy apparatus described. A computer that executes a computer program that functions as a redundancy device for the process computer,
Whether the state monitoring means, the redundancy means, and the backup control means are set to a test mode for executing the process computer test, cancel the test mode setting, and set the test mode. Or a test mode setting means for providing the data communication control means with information indicating whether it has been released, and a test execution means for performing a test of the process computer when the test mode setting means sets the test mode. The process computer redundancy apparatus according to claim 2, wherein a computer program that causes a computer to function as the process computer redundancy apparatus is executed. The test mode setting unit cancels the test mode when the determination result received from the state monitoring unit is a determination result that any of the IP addresses of the server and the client of the process computer is lost. The process computer redundancy apparatus according to claim 3, wherein the apparatus further operates to give a test stop command to the test execution means. 5. The process computer redundancy apparatus according to claim 1, wherein a computer that executes a computer program that functions as the process computer redundancy apparatus is a single computer. 6. 6. A process computer, wherein the process computer redundancy device according to claim 1 is applied. When a failure occurs in one of the systems via a network capable of communicating with the process computer in which the system is provided with a server and a client that start a backup operation in the other system in which no failure has occurred State monitoring means for determining whether or not the IP address of the server and the client is lost and restored based on an IP address assigned to each of the server and the client of the process computer; For each device of the server and the client of the process computer, according to the result of the IP address acquired by the status monitoring means, the redundancy means for performing backup in units of devices in a system different from the system, Backups performed by the redundancy means are turned on and off for each device. A redundancy method of the process computer using the apparatus to function as a backup control means Gosuru,
The state monitoring means obtains an IP address assigned to each of the server and client of the process computer from the network, while the server of the process computer, the client, which is held accessible by a computer, And an IP address correspondence table associating the computer that virtualizes the server and the client with the IP address assigned to each device of the server, the client, and the computer that virtualizes the server and the client of the process computer To determine which IP address has been acquired, and
The backup control means performing on / off control of backup performed by the redundancy means in units of devices according to the result of the IP address acquired in the determining step;
Based on the device-by-device on / off control performed in the on / off control step by the redundancy means, the server and the client device of the process computer are devices in a system different from the system. A process computer redundancy method comprising the step of performing unit backup.

Images