JP2778849B2 - Supervisory control method for redundant computer system - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a redundant computer system in which a plurality of controlled objects and a pair of computers are connected to, for example, an n: n transmission system, and more particularly, to a control between an operating computer and a non-operating computer. The present invention relates to a method for monitoring and controlling a redundant computer system that executes an optimal mismatch countermeasure process when data mismatch is detected.

[0002]

2. Description of the Related Art Conventionally, in a redundant computer system in which a plurality of control targets are connected to a pair of computers via a transmission system, one of the pair of computers is designated as an operation computer and the other computer is designated as an operation computer. Designate a non-driving computer. Each computer fetches data from the control target and executes a control operation. Then, the calculation result of the computer specified as the operation computer is applied to each control target as control data.

[0003] When some trouble occurs in the operation computer and the operation cannot be continued, the non-operation computer which has executed the same control operation as the operation computer is switched to the operation computer, and the computer which has been stopped after that. Instead, control data is applied to each control target.

[0004]

However, in the above-described dual computer system, the other non-operating computer for standby is operated only when the operating computer becomes inoperable due to some failure. Designated as a computer (duplex system, distributed system).

In a redundant computer system, an abnormality is detected when the control outputs of the two computers are different. At that time, either of the two computers is disconnected or the functions of the two computers are stopped. Therefore, in a duplicated computer system that compares output values, system operation after abnormality detection is not guaranteed.

The present invention has been made in view of such circumstances, and even if a mismatch in control data between a running computer and a non-running computer is detected, the replacement of the running computer or the entire system is immediately performed. It is an object of the present invention to provide a method of monitoring and controlling a redundant computer system that can execute optimal mismatch processing according to a degree of mismatch and corresponding to a control target without stopping, thereby greatly improving the reliability of the entire system. And

[0007]

In order to solve the above-mentioned problems, a method for monitoring and controlling a duplicated computer system according to the present invention is characterized in that a pair of computers and a plurality of controlled objects are connected to a transmission system, and one of the paired computers is provided. Computer performs a control operation on each control target as a driving computer, applies the calculation result to each control target as control data, and executes the same control calculation as the driving computer on the other computer as a non-driving computer In computer systems,

[0008] Operation machine, each controlled object the control data and the non-operating computer for each control object itself are outputted is outputted
By comparing each control data with each other and detecting mismatched control data , a preset value is set in advance according to the importance of each control target.
Processing based on specified mismatch conditions and optimal mismatch measures
I want to run .

According to another aspect of the present invention, there is provided a supervisory control method according to the above-described redundant computer system, wherein each control data for each control object output from the operation computer and each control data for each control object output from the non-operation computer are provided. By comparison, when mismatch control data is detected, a monitoring computer that sends mismatch determination data to the operation computer is connected to the transmission system,
Operating computer receives mismatch determination data, the control
A mismatch condition set in advance according to the importance of each object;
The processing is executed based on the optimal mismatch countermeasure . Further, the monitoring control method according to another invention is the above-described dual control method.
In a computerized system, the operation computer outputs itself.
Control data for each controlled object and non-operational computer output
Compared with each control data of each controlled object
When all control data is detected,
The mismatch condition and the optimum set in advance according to the match ratio
The processing is executed based on the inconsistency countermeasures.

[0010]

According to the method for monitoring and controlling a redundant computer system configured as described above, the operation computer constantly monitors whether or not the control data output by itself and the control data output from the operation computer match. ing. Then, when the mismatch control data is detected, an optimum mismatch countermeasure process is executed according to the importance of the control target to which the mismatch control data is applied.

That is, the content of the countermeasure processing when the mismatch data occurs differs depending on the type of each control target.
For example, countermeasures such as outputting an alarm immediately when unmatched data continues, or switching control of the control target from automatic control to manual control when unmatched data appears at a fixed rate, can be considered.

In another aspect of the present invention, a monitoring computer is provided separately, and the monitoring computer compares control data output from the operation computer with control data output from the non-operation computer. When the mismatch control data is generated, the mismatch control data is sent to the operation computer.
In this way, by causing each computer to monitor each control data, it is possible to reduce the processing load on the operation computer in a normal state.

[0013]

An embodiment of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing a schematic configuration of a redundant computer system to which the monitoring control method of the embodiment is applied. n: a transmission interface 2 for each of the n transmission systems 1
Computers 3a and 3b are connected via a and 2b.
Further, a common alarm buzzer 4 is connected to the computers 3a and 3b. Shared memories 5a and 5b are connected to the transmission interfaces 2a and 2b, respectively.

The transmission system 1 has transmission interfaces 6a, 6b, 6c, 6 in addition to the computers 3a, 3b.
Each of the control objects 7a, 7b, 7c,
7d, 7e, 7f are connected.

In the shared memory 5a, as shown in FIG. 2 , a self computer area 8a for storing information of its own computer 3a and a counterpart computer area 9 for storing information of the counterpart computer 3b are formed. .

In the self computer area 8, the own computer 3
a to control data 7a to 7f output from the control data 7a to 7f, and control of coincidence and non-coincidence with the control data of the transmission data area 9a of the partner computer area 9 A monitoring result area 8b for storing monitoring results A to F for each of the targets 7a to 7f is formed. Note that, specifically, the number of mismatches is stored as a monitoring result.

On the other hand, in the partner computer area 9, a transmission data area 9 for storing the control data Da to Df output from the partner computer 3b to each of the control targets 7a to 7f.
a, and a monitoring result area 9b for storing monitoring results A to F for each of the control targets 7a to 7f that match or do not match the control data of the transmission data area 8a of the self-computer area 8. The shared memory 5b for the other computer 3b has the same configuration as the shared memory described above.

The storage units of the computers 3a and 3b store FIG.
Is formed. Each of the controlled objects 7a to 7f
The optimum mismatch processing to be executed when the mismatch condition determined to be mismatched for each time and the mismatch condition is satisfied is stored.

For example, regarding the control target 7a, the control data Da of the transmission data area 8a of the self computer area 8 and the control data Da of the transmission data area 9a of the partner computer area 9 in FIG. If it does, it is determined that they do not match, and the monitoring result A in the monitoring result area 8b does not match. Then, when they do not match, the alarm buzzer 4 is sounded for a certain period of time to call attention to the operator. Control target 7
The condition of b is the same as that of the control target 7a.

Further, regarding the control target 7c, when three times of non-coincidence occur consecutively, it is determined that they do not coincide, and the monitoring result C becomes inconsistent. Then, as a countermeasure against the inconsistency, the alarm buzzer 4 is sounded and the control of the control target 7c is switched from the automatic control mode to the manual control mode. The control target 7d is also the control target 7
This is the same condition as c.

The control object 7e is judged to be inconsistent when the ratio of the number of inconsistent data to the total number of control data De output per minute becomes 50% or more, and the monitoring result E is inconsistent. Becomes Then, only the mismatch message is printed out as the mismatch countermeasure processing.

Further, regarding the control target 7f, when the control data Df output from each of the computers 3a and 3b has a data value different by 5% or more, it is determined that they do not match, and the monitoring result F does not match. Then, the alarm buzzer 4 is only sounded in the same manner as the control objects 7a and 7b as the inconsistency countermeasure processing.

As described above, even if the control data Da to Df simultaneously output from the computers 3a and 3b become inconsistent, the control data Da to Df are officially provided unless the inconsistency condition set in the inconsistency processing table 10 is satisfied. The control on each of the control objects 7a to 7f is continued without being regarded as a mismatch.

Although not shown, it goes without saying that, when the operation computer becomes incapable of controlling each of the controlled objects 7a to 7f, the non-operation computer becomes the operation computer and continues the control. The operation of the computers 3a and 3b storing such a mismatch processing table 10 will be described.

First, when the dual computer system is started, one of the computers 3a and 3b is designated as the operating computer and the other is designated as the non-operating computer. Each of the computers 3a and 3b fetches data indicating a state output at, for example, a one-second cycle from each of the controlled objects 7a to 7f, and executes a predetermined control operation defined for each of the controlled objects 7a to 7f.
Then, each execution result is used as the control data Da to Df for each of the control targets 7a to 7f as the transmission interfaces 2a and 2f.
b to the transmission system 1. Each controlled object 7a-7f
Each of the transmission interfaces 6a to 6f is connected to each of the computers 3a and 3f.
The control data Da to Df designating the control target of itself transmitted from b. Then, of the pair of control data taken in, the control data from the computer designated as the operation computer is transmitted to its own control target.

The transmission interface 2a stores the control data Da to Df for each of the control targets 7a to 7b directly output from its own computer 3a in each area of the transmission data area 8a of its own computer area 8 of the shared memory 5a. I do.
At the same time, the control data Da to Df for each of the control targets 7a to 7b output from the other computer 3b to the transmission system 1 are fetched and stored in the transmission data area 9a of the other computer area 9. Note that the transmission interface 2b also performs an operation according to the transmission interface 5a.

Each of the computers 3a and 3b and each of the transmission interfaces 5a, 5b and 6a to 6f perform the above processing, for example, by one.
Repeat every second cycle. Therefore, each shared memory 5a, 5b
Control data Da to D of each transmission data area 8a, 9a
f is updated to the latest data every second. Then, each of the computers 3a and 3b executes the mismatch detection process and the mismatch countermeasure process according to the main routine shown in FIG.

First, at P1, data is read from each of the control objects 7a to 7f, and a predetermined control operation is executed. Then, the calculation result is output as control data Da to Df. next,
At P2, the control data Da to Df of the transmission data area 8a of the own computer area 8 of the shared memories 5a and 5b are compared with the control data Da to Df of the transmission data area 9a of the partner computer area 9. All control data D at P3
If a to Df match each other, each computer 3
Since a and 3b are operating normally, nothing is done.

At P3, the mismatched control data Da to Df
Is detected, the number of mismatches is added to the monitoring results A to F corresponding to the control targets 7a to 7f corresponding to the detected mismatch control data. When the mismatch control data is the control data Df of the control target 7f, both control data Df
The data difference ΔDf is calculated, and the data difference ΔD
When f is 5% or more of the control data Df, the monitoring result F is set to be inconsistent.

Each of the monitoring results A to F in the monitoring result area 8b
Is also executed for each of the monitoring results A to F in the monitoring result area 9b of the partner computer area 9 of the partner shared memory. The processes from P1 to P4 are commonly and concurrently executed by both the computers 3a and 3b. And
The processing after P5 is executed only by the computer designated as the operation computer.

That is, the operation computer searches the monitoring results A to F in the monitoring result area 8b of the self-computer area 8 at P5, and satisfies the respective mismatch conditions set in the mismatch processing table 10 shown in FIG. It is checked whether or not there are monitoring results A to F to perform. Monitoring result A that satisfies the mismatch condition at P5
ＦF exist, it is checked whether they match the corresponding monitoring results A〜F in the monitoring result area 9b of the other computer area 9. If they match, it matches the monitoring result performed by the non-operation computer, so the process proceeds to P7, and the optimum mismatch processing corresponding to the corresponding control target 7a to 7b set in the above-described mismatch processing table 10 shown in FIG. 3 is executed. .

Although not shown in the flow chart of FIG. 4,
At P4, the shared memory 5a. The non-operating computer that has updated the monitoring results A to F of the monitoring result area 8b of 5b and the monitoring results A to F of the monitoring result area 9b of the other party's shared memory has the monitoring result A of the monitoring result area 8b of its own shared memory. ... F satisfy the mismatch condition, the mismatch information is printed out.

When the control data Da to Df in the partner computer area 9a are not updated at all by the operation computer in its own shared memory, the non-operation computer determines that the function of the operation computer has been lost. Rises as the running computer and causes the other computer to transition to a forced non-running computer.

With the monitoring and controlling method for the redundant computer system configured as described above, even if the control data Da to Df corresponding to each of the control objects 7a to 7f become inconsistent in each of the computers 3a and 3b, each of the computers 3a and 3b becomes inconsistent. Each control target 7 set in the mismatch processing table 10 stored in 3a, 3b
Unless the mismatch condition for each of a to 7f is satisfied, it is not formally determined that there is a mismatch. The mismatch condition is determined for each control target 7
They are individually set according to the importance levels a to 7f. Therefore, even if a mismatch occurs, in the case of a control object that is not so important, it is determined that no mismatch has occurred formally, and no mismatch countermeasure processing is performed. Even if the mismatch condition is satisfied, an optimum mismatch process corresponding to the type and importance of each control target is executed. Therefore, unlike the conventional dual computer system, when the mismatch is detected, the operating computer does not change immediately.

FIG. 5 is a block diagram showing a schematic configuration of a redundant computer system adopting a supervisory control system according to another embodiment of the present invention. The same parts as those in the embodiment of FIG. 1 are denoted by the same reference numerals. Therefore, the detailed description of the overlapping part will be omitted.

In this embodiment, a monitoring computer 12 is connected to the transmission system 1 via a transmission interface 11. In the monitoring computer 12, each of the control targets 7a to 7f in the mismatch processing table 10 shown in FIG.
A table for storing each mismatch condition is formed. Each of the computers 3a and 3b is connected to each of the shared memories 5a and 5b.
b, the control data Da to D are stored in the transmission data areas 8a and 9b.
Although f is written, it is not determined whether or not the control data DA to Df in the transmission data areas 8a and 9b match.

Then, the monitoring computer 12 determines whether the control data DA to Df in the transmission data areas 8a and 9b of the shared memories 5a and 5b match. If they do not match, the monitoring results A to F of the monitoring result areas 8a and 9b
To update. Then, the updated monitoring results A to F are compared with the respective mismatch conditions of the table set in the self-storage unit described above, and when a mismatch is determined corresponding to each of the control targets 7a to 7f, the mismatch determination is performed. Send the data to the operation computer. When the driving computer receives the mismatch judgment data,
The optimum mismatch processing of the corresponding control targets 7a to 7f set in the mismatch processing table 10 is executed. Even with the monitoring control method configured as described above, it is possible to obtain substantially the same effects as in the above-described embodiment. Furthermore, in this embodiment, since the computers 3a and 3b do not need to judge whether they match or not, the processing load during normal operation can be reduced.

The present invention is not limited to the embodiment described above. For example, if the present invention is applied not only to monitoring and control of a redundant system for operating a running computer and a non-running computer but also to remodeling of software of a computer system, the test efficiency of the remodeled software can be improved. That is, in a duplicated computer system comprising an operating computer and a non-operating computer, the software is modified only for the non-operating computer. In this case, the non-operating computer performs mismatch detection, but only prints the result.The operating computer always outputs the monitoring of the control device under test as normal, which makes it easier to confirm the result of software software modification. it can.

Further, in the embodiment, the operating computer matches its own monitoring result with the monitoring result of the non-operating computer. However, only the monitoring result of the non-operating computer is used or only its own monitoring result is used. It can be simplified by using it.

[0041]

As described above, according to the monitoring and control method of the present invention, even if a mismatch in control data between the operating computer and the non-operating computer is detected, replacement of the operating computer or the entire system is immediately performed. Without stopping, the optimum mismatch processing can be executed according to the degree of mismatch and corresponding to the control target, and the reliability of the entire redundant computer system can be greatly improved.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a schematic configuration of a redundant computer system to which a monitoring control method according to an embodiment of the present invention is applied;

FIG. 2 is a diagram showing storage contents of respective shared memories of the system of the embodiment;

FIG. 3 is a diagram showing a mismatch processing table stored in each computer of the system of the embodiment;

FIG. 4 is a flowchart showing the operation of the system of the embodiment;

FIG. 5 is a block diagram showing a schematic configuration of a redundant computer system to which a monitoring control method according to another embodiment of the present invention is applied.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 ... Transmission system, 3a, 3b ... Computer, 5a, 5b ... Shared memory, 7a, 7b, 7c, 7d, 7e, 7f ... Control object, 8 ... Self computer area, 9 ... Remote computer area, 10 ...
Mismatch processing table, 12 ... Monitoring computer.

Claims (3)

(57) [Claims] 1. A transmission system in which a pair of computers and a plurality of controlled objects are connected, one of the paired computers performs a control operation on each of the controlled objects as an operation computer, and controls the operation result. In a duplicated computer system in which the other computer executes the same control operation as the operation computer as the non-operation computer while applying the data to each control object as data, the operation computer outputs each control for each control object output by itself. The data is compared with the control data for each control object output by the non-driving computer, and when inconsistent control data is detected, it is set in advance according to the importance of each control object.
Processing based on specified mismatch conditions and optimal mismatch measures
A method for monitoring and controlling a redundant computer system, the method comprising executing the method. 2. A transmission system in which a pair of computers and a plurality of controlled objects are connected, one of the paired computers performs a control operation on each of the controlled objects as an operation computer, and controls the operation result. In a redundant computer system in which the other computer executes the same control operation as the operation computer as the non-operation computer while applying the data to each control object as data, the control data for each control object output by the operation computer and the By comparing each control data for each control object output by the non-operation computer, when a mismatch control data is detected, a monitoring computer for sending mismatch determination data to the operation computer is connected to the transmission system. the operating computer receives mismatch determination data, importance of the respective control target
Mismatch conditions and optimal mismatch pairs preset according to the degree
A method for monitoring and controlling a redundant computer system, wherein the method executes processing based on a measure . 3. A transmission system in which a pair of computers and a plurality of controlled objects are connected, one of the paired computers executes a control operation on each of the controlled objects as an operation computer, and controls the operation result. In a duplicated computer system in which the other computer executes the same control operation as the operation computer as the non-operation computer while applying the data to each control object as data, the operation computer outputs each control for each control object output by itself. The data is compared with each control data for each control object output by the non-operation computer, and when the mismatch control data is detected, the mismatch is set in advance according to the mismatch ratio of the control object data. A method of monitoring and controlling a redundant computer system, wherein a process is executed based on a condition and an optimal mismatch measure.