JP5733515B2 - Embedded equipment with RAS function - Google Patents

Description

  The present invention relates to an embedded device having a RAS function, in which a plurality of applications use a plurality of physical devices constituting hardware via a device driver of system software and implement a RAS function for the application and hardware. Is.

  RAS (Reliability Availability Serviceability) is a concept that combines three functions having independent meanings of system reliability, availability, and maintainability, and is implemented in an embedded device. Patent Document 1 discloses a technique for monitoring an abnormality of a device connected to a computer using an interface with a RAS function connected to the computer system by a bus.

  The RAS function refers to a function that provides system monitoring, early detection of an abnormality, determination of a failure state, and repair and recovery in a short time in order to prevent the computer system from stopping due to a failure as much as possible. The RAS function provides the following functions.

(1) System abnormality monitoring (a) Hardware operation monitoring necessary for operating an application.
(I) Monitor hardware used directly by applications. For example, operation monitoring of CPU, SDRAM, CF card, serial communication, etc.
(Ii) Monitoring the environment that adversely affects the operation of the hardware. For example, monitoring the voltage, current, ambient temperature, dust, and corrosion level of the power battery.
(B) Software operation monitoring by a watch dog timer (hereinafter referred to as WDT).
(2) Recording of the operating state of the system at the time of abnormality.
(3) Response processing when the system is abnormal. For example, I / O device restart, system shutdown, etc.

  FIG. 10 is a functional block diagram showing a configuration example of an embedded device having a conventional RAS function, and includes hardware 100, system software 200, and application software 300 as basic components.

  The hardware 100 includes a plurality of physical device groups 101 including a CPU. The system software 200 includes a boot loader 210 and an OS 220. The application software 300 includes applications 301 to 30N that use physical devices.

  The initialization diagnostic program 213 is installed in the device driver A 211 of the boot loader 210 and executes a physical device diagnostic process when the hardware activated by the device initialization unit 212 is initialized.

  The initialization diagnosis program 213 performs a unique diagnosis process for each physical device that requires initialization diagnosis. When an abnormality is detected, an abnormality handling process corresponding to the initialization diagnosis is executed by the abnormality handling program A214.

  The in-use abnormality detection program 223 installed in the device driver B 221 of the OS 220 is activated by the access unit 222 when using a physical device that receives a request from the applications 301 to 30N that use the physical device, and the application uses the physical device. Anomaly detection processing at timing is executed. When an abnormality is detected, an abnormality handling process corresponding to the device use diagnosis is executed by the abnormality handling process program B224.

  The fixed-cycle diagnostic program 231 installed in the device driver B 221 of the OS 220 is started at a fixed cycle by the timer 230 mounted on the OS 220, and the fixed-cycle is used for physical devices that are not used directly by the application or are used less frequently. Execute unique diagnostic processing for each physical device that needs to be diagnosed. When an abnormality is detected, an abnormality handling process is executed by the abnormality handling program C232.

  The device driver B 221 includes a WDT driver 240 for accessing the WDT 102 mounted on the hardware 100.

  The physical WDT 102 mounted on the hardware 100 is mounted to realize the monitoring function of the monitoring target application 310 via the WDT driver 240. The physical WDT 102 is reset at regular intervals via the WDT driver 240 by the WDT reset unit 310A installed in the application 310 itself to be monitored.

  Next, an outline of the operation will be described. The RAS function provides a function for improving the reliability and certainty of the system by diagnosing and monitoring the operating state of hardware and applications constituting the embedded device.

  When an abnormality is detected by diagnosis and monitoring, individually implemented response processing is performed according to the physical device and application in which the abnormality has occurred and the degree of the abnormality. The RAS function operates at the following four timings (1) to (4).

(1) Hardware diagnosis when initializing a physical device at the time of system start-up is a time-consuming diagnosis or a diagnosis that adversely affects the system when the system is online (for example, clearing all memory areas to zero Etc.).

  The initialization diagnosis process is executed by the initialization diagnosis program 213 installed in the device driver of the boot loader 210. The boot loader 210 performs a diagnosis process at initialization mounted on each physical device for a device that needs diagnosis at the time of startup. When an abnormality is detected, abnormality handling processing is individually performed by the abnormality processing handling program A214 in accordance with the location and degree of the detected abnormality.

(2) Hardware diagnosis executed when an application uses a physical device is limited to diagnosis that does not adversely affect the system because the system is online.

  The in-use abnormality detection process is executed by the in-use abnormality detection program 223 installed in the device driver B 221 incorporated in the OS 220. When an application accesses a physical device, the device driver A 221 performs an in-use abnormality detection process for each physical device accessed by the application. When an abnormality is detected, abnormality handling processing is individually performed by the abnormality processing handling program B224 in accordance with the location and degree of the detected abnormality.

(3) The hardware operating environment is diagnosed at regular intervals for devices that are not frequently used by applications and the surrounding environment that adversely affects the system.

  In the fixed period diagnosis process, the timer 230 of the OS 220 calls the fixed period diagnosis process program 231 installed in the device driver 221 at a fixed period to diagnose each physical device and environmental sensor (temperature sensor or the like). When an abnormality is detected, the abnormality handling processing is individually performed by the abnormality processing handling program C232 in accordance with the location and degree of the detected abnormality.

(4) In the operation monitoring of software, whether or not the application is operating normally is monitored using the physical WDT 102 mounted on the hardware 100. The OS is provided from the WDT driver 240. The WDT resetting means 310A, which is a means for realizing monitoring processing using WDT, is implemented in the application 310 itself to be monitored.

  The application 310 resets the counter of the physical WDT 102 at regular intervals via the WDT driver 240. When an abnormality occurs in the application 310 and the physical WDT 102 is no longer reset, the physical WDT 102 is timed up and a hardware response process such as a forced hardware reset is performed.

JP 2009-015472 A

The embedded device having the RAS function of the conventional configuration has the following problems.
(1) The RAS function is distributed and implemented in the system. The RAS function is processed differently depending on the required diagnosis timing and diagnosis contents, even if the diagnosis is for the same physical device.

  For this reason, each of various modules of system software such as a boot loader and an OS that calls the RAS function needs to have a unique RAS function. As a result, the RAS function is individually developed even when a part of the functions overlaps between modules, and is scattered and implemented in each module.

(2) The RAS function is implemented for each device as a function dedicated to the embedded device to be mounted.
The request for the RAS function varies depending on the purpose of use and the operation policy of each device. Specifically, if the physical device mounted on the device is different, the physical device to be monitored and abnormality detection and corresponding processing are different.

  In addition, when an abnormality is detected, the response processing is performed by separating the abnormal part and executing the system operation (operation that emphasizes the operating rate), and immediately stops if a small abnormality is detected (operation that emphasizes safety) ), Etc.

  The implementation of the RAS function depends on the model (physical device hardware specifications). Even if the processing procedure of abnormality detection and abnormality handling processing is the same, the access procedure is different for each physical device, so that the implemented processing is different.

(3) In the application monitoring using WDT, the monitoring target and the corresponding processing are limited. The object of application monitoring using one WDT provided by hardware is limited to one application process. When an abnormality of an application to be monitored is detected by WDT, the response process is limited to a hardware response process such as a CPU reset.

(4) Corresponding processing when an abnormality is detected is limited to the detected location. Since the abnormality detection process is individually implemented in each physical device, it is not possible to detect a complex abnormality.

  Since the abnormality handling process corresponds to the abnormality detection process of each physical device and is individually implemented depending on the hardware specifications, it is not possible to perform an integrated abnormality handling process for a plurality of hardware and software.

  The first object of the present invention is to solve the problem (1) and realize a configuration in which the boot loader, the OS, and the application do not depend on the RAS function as much as possible. At this time, the reliability and certainty of the RAS function are improved by mounting the RAS function in one place.

  A second object of the present invention is to solve the problem (2) and satisfy the requirements for the RAS function by using a common framework that does not depend on the type of embedded device having the RAS function.

  The third object of the present invention is to solve the problem (3), to enable monitoring of a plurality of applications, and to individually define the response processing at the time of abnormality detection for each application. There is to do.

  A fourth object of the present invention is to solve the problem (4) and to realize an integrated abnormality response processing function for performing a response process for complexly generated abnormalities.

In order to achieve such a subject, the present invention has the following configuration.
In an embedded device having a RAS function, in which a plurality of applications use a plurality of physical devices constituting hardware via a device driver of system software, and implement a RAS function for the application and hardware.
In the hypervisor layer interposed between the system software and the hardware, a logical RAS function unit that integrates and centrally manages the RAS functions of the plurality of applications and hardware is implemented .
The logical RAS function unit includes a logical device abnormality detection logic for a logical device obtained by classifying the plurality of physical devices into a predetermined number,
The logic device abnormality detection logic is
Embedded with RAS function, which is activated when the physical device is initialized from the system software boot loader and when the system software is accessed from the OS device driver, and performs abnormality detection diagnosis for the logical device machine.

( 2) Anomaly detection processing means for obtaining anomaly detection information from the logic device anomaly detection logic and detecting an anomaly of the hardware physical device;
Integrated abnormality response processing logic that integrates abnormality detection information from the logic device abnormality detection logic and abnormality detection information of the application to execute abnormality processing;
An abnormality handling processing means for executing an abnormality handling process of the hardware physical device based on anomaly handling information from the integrated malfunction handling processing logic;
An embedded device having a RAS function as described in ( 1) .

( 3) The logical RAS function unit includes a logical watchdog timer group and software processing abnormality detection logic corresponding to the plurality of applications,
The logical watchdog timer group monitors the plurality of applications by being reset by a reset request from a fixed period reset request means implemented in the plurality of applications.
Output time-up logic watchdog timer information to the software processing abnormality detection logic,
The software processing abnormality detection logic requests an abnormality handling process from the integrated abnormality handling processing logic, and the embedded device having the RAS function according to ( 2) .

( 4) The integrated abnormality response processing logic, when acquiring abnormality information from the software processing abnormality detection logic, notifies the application management means of the system software and requests response processing ( An embedded device having the RAS function described in 3) .

( 5) The integrated abnormality handling processing logic sets the correspondence between the abnormality level and the abnormality handling processing for the abnormality occurrence location based on the abnormality level and the abnormality handling processing for each of the abnormal locations for which a plurality of types are defined, An embedded device having the RAS function according to any one of ( 2) to ( 4), wherein device software dependency and complex abnormality handling processing are set.

( 6)
It said logic RAS function unit is characterized in that it comprises a physical watchdog timer reset means watchdog timer provided in the device periodic diagnosis timer and the hardware against the logic device abnormality detection logic (1) to ( 5) An embedded device having the RAS function described in any one of 5) .

( 7) a first database that provides logical RAS function setting information to the logical device abnormality detection logic and the logical watchdog timer;
A second database that provides past abnormality history information to the logic device abnormality detection logic and the software processing abnormality detection logic;
( 3) or an embedded device having the RAS function according to (4) .

(8) The embedded device having the RAS function according to (7) , wherein the abnormality processing content of the integrated abnormality handling processing logic is recorded in an abnormality history of the second database.

According to the present invention, the following effects can be expected.
(1) By providing the RAS function in an integrated manner using the logical RAS function unit, unified management of the RAS function can be realized. An environment that can easily implement the RAS function by reducing the modification to the upper layer application that uses the physical device by centralizing the processing that has been scattered in the individual applications into the logical RAS function unit of the hypervisor layer. Can be realized.

(2) By abstracting physical devices into functionally categorized logical devices, differences for each model can be absorbed. By abstracting the physical device that needs to implement the RAS function into the five types of logical devices shown in Table 1 of FIG. 2 and providing the RAS function for the logical function of the logical device that does not depend on the difference between the physical devices, the RAS function is provided. Need not be implemented for individual models.

  By dividing the RAS function for each physical device into the logical logic of the logical device and the processing specific to the physical device, the diagnosis logic can be shared and the physical device specific processing can be unified.

  By simplifying the RAS function for five types of abstracted logical devices, the RAS function can be realized in the hypervisor layer without requiring a mechanism such as an OS or a ROM monitor.

(3) A plurality of application processes can be monitored by the logical WDT group. By providing a plurality of logical WDT groups by the logical RAS function unit, it is possible to monitor a plurality of application processes.

  By combining with the integrated abnormality response processing logic, it is possible to perform detailed abnormality response processing in addition to hardware reset. Further, by realizing the logical WDT group in the hypervisor layer, software that affects the reliability of the software timer can be limited to a small portion.

(4) Complex abnormality handling processing can be realized by the integrated abnormality handling processing logic. By defining the three types of abnormality levels shown in Table 3 in FIG. 2 as the abnormality level for the location where an abnormality has occurred, and by unifying the abnormality handling processing items associated with them into the four types shown in Table 4 in FIG. Processing logic can be shared and physical device specific processing can be unified.

  Detailed abnormality response processing can be performed by combining the abnormality level and abnormality response processing items for the abnormal part. Further, by simplifying the processing by limiting the abnormality level and the type of abnormality handling processing, the RAS function can be realized in the hypervisor layer. Further, by integrating the abnormality handling processing, it is possible to perform complex abnormality handling processing for a plurality of devices and applications having dependency relationships.

It is a functional block diagram which shows one Example of the embedded apparatus provided with the RAS function to which this invention is applied. 3 is Table 1 to Table 4 showing logical RAS setting information. They are Table 5 to Table 8 showing logical RAS setting information, a table 9 showing an example of a past abnormality history, and a table 10 showing an example of a system state at the time of abnormality. It is a flowchart which shows the transition to the abnormality detection logic in a physical device initialization process. It is a flowchart which shows the transition from the access to a physical device to an abnormality detection logic. It is a flowchart which shows operation | movement of the abnormality detection logic with respect to a logic device. It is a flowchart which shows operation | movement of a software process monitoring and abnormality detection logic. It is a flowchart which shows operation | movement of the integrated abnormality response logic. It is a flowchart which shows the operation | movement of an abnormality handling process item search. It is a functional block diagram which shows the structural example of the embedded apparatus provided with the conventional RAS function.

  Hereinafter, the present invention will be described in detail with reference to the drawings. FIG. 1 is a functional block diagram showing an embodiment of an embedded device having a RAS function to which the present invention is applied. The same elements as those of the conventional configuration described with reference to FIG.

  In FIG. 1, applications 401, 402, 403, and 404 of the application software 400 use the physical device group 101 of the hardware 100 via a device driver of the system software 500.

  The constitutional feature of the present invention is that the hyperloader layer 600 is interposed between the boot loader 510 and OS 520 of the system software 500 and the hardware 100, and the application software and the logical RAS function unit 620 mounted on the hypervisor layer are provided. The point is that a mechanism for centrally managing the RAS function of the hardware is provided.

  The configuration and operation of elements related to the logical RAS function of the present invention will be described below. The physical device relay interface 610 in the hypervisor layer 600 is a functional block for monitoring access to the physical device group 101 via the system software 500 and executing a logical RAS function according to necessary timing. The two types of interfaces (1) and (2) described in (1) are provided to the upper layer software using the physical device.

(1) Physical device initialization interface 611:
This interface is used when initializing a physical device. When an abnormality occurs during initialization of a physical device, the logical RAS function is executed. FIG. 4 is a flowchart showing a transition to the abnormality detection logic in the physical device initialization process.

  At the start of the processing in step S1, the physical device initialization interface 611 acquires the signal c from the device initialization driver 512 in the various device drivers 511 in the boot loader 510 of the system software 500, and in step S2, the physical device of the hardware 100 An initialization signal k is output to the group 101.

  If an abnormality occurs during initialization in the check in step S3, the signal j is sent to a logic device abnormality detection logic 621 described later, the abnormality detection logic is executed in step S4, and the physical device initialization process is terminated in step S5. If there is no abnormality during initialization in the check in step S3, the process skips to step S5 and ends the physical device initialization process.

(2) Physical device access interface 612:
An interface used when an application accesses a physical device. When the physical device use request a from the applications 401, 402, and 403 is received by the various device drivers 511 provided in the OS 520 in the software 500, a use request signal e is transmitted from the device access unit 521 to the physical device access interface 612. Transition is made to execution of the logical RAS function unit 620 at a timing determined for each device.

  FIG. 5 is a flowchart showing a transition from access to a physical device to abnormality detection logic. In step S1, a request signal e is transmitted to the physical device access interface 612, and access to the physical device is started in step S2. However, if it is necessary to detect an abnormality before accessing in the prior check step S3, After the signal h is output to the logical device abnormality detection logic 621 and abnormality detection is executed, the signal l is output to the physical device group 101, and processing requested for the physical device is executed in step S5.

  If it is not necessary to detect abnormality in the check step S3, step S4 is skipped and the signal l is output to the physical device group 101, and the processing requested for the physical device is executed in step S5.

  Further, if abnormality detection is necessary after the access is made in the check step S6, the signal h is output to the logical device abnormality detection logic 621 to execute abnormality detection, and then the signal l is output to the physical device group 101. In step S7, the requested process is executed for the physical device, and the process ends in step S8. If it is not necessary to detect abnormality in check step S6, step S7 is skipped and the process ends in step S8.

  Next, the logical RAS function unit 620 constituting the main part of the present invention will be described. The logical RAS function unit 620 is a functional block that provides a logical RAS function in the hypervisor layer 600.

  The logical RAS function unit 620 includes an abnormality detection logic 621, a timer management unit 622, a software processing abnormality detection logic 626, and an integrated abnormality response processing logic for logical devices that classify the physical device group 101 into a plurality of types of logical devices. 627.

  The logical device abnormality detection logic 621 includes five types of physical devices that request execution of the logical RAS function: a logical CPU, a logical memory, a logical file, a logical I / O, and a logical sensor as shown in Table 1 of FIG. Classify and execute diagnostics and tests defined for each logical device.

  The logical device is a device abstracted as a device having a logical function shown in Table 2 of FIG. 2, and diagnostic / inspection items for verifying normality are defined for each logical function. When an abnormality is detected, three types of abnormality levels, Level 1, Level 2, and Level 3 shown in Table 3 of FIG. 2 are determined from the abnormality state and past abnormality history, and the integrated abnormality response processing logic 627 is performed. The abnormality detection information is transmitted by the signal p1.

  The timer management unit 622 includes a logical WDT group 623, a device fixed period diagnosis timer 624 that performs fixed period diagnosis, and a physical WDT reset timer 625. The logical WDT group 623 implements a logical WDT function in the hypervisor layer 600 with a plurality of software timers, and provides it as a monitoring function for software processing. When an abnormality is detected, a software abnormality information signal n is transmitted to the software processing abnormality detection logic 626.

  The device fixed period diagnosis timer 624 is a timer that serves as a trigger for performing hardware fixed period diagnosis, and transmits a signal m requesting physical device diagnosis to the logical device abnormality detection logic 621 at a constant period.

  Since the timer management unit 622 is a functional block that plays a central role in software monitoring, the timer management unit itself monitors an abnormality using the physical WDT 102. This is realized by outputting a signal q requesting resetting of the physical WDT 102 at a constant cycle by the physical WDT reset timer 625. The signal q is transferred to a physical WDT reset unit 633 in a physical device specific processing unit 630 described later, and the physical WDT 102 of the hardware 100 is reset by a signal u from the physical WDT reset processing unit 633.

  The software processing abnormality detection logic 626 uses the level 1 shown in the table 3 of FIG. 2 from the abnormality information signal n of software detected abnormally by the logical WDT group 623 and the past abnormality history data d5 retrieved from the second database 629. Three types of abnormality levels of level 2 and level 3 are determined, and the abnormality detection information is transmitted to the integrated abnormality response processing logic 627 by a signal p2.

  The integrated abnormality handling processing logic 627 has a function of receiving abnormality detection location and abnormality level information from signals p1 and p2 from the logic device abnormality detection logic 621 and the software processing abnormality detection logic 626, and executing abnormality handling processing. .

  The integrated abnormality handling processing logic 627 is dependent on the abnormality occurrence location and the abnormality occurrence location from the received plurality of abnormality detection information p1, p2 and the logical RAS function setting data d3 obtained by accessing the first database 628. Judgment of device, software, and abnormality simultaneity and complex execution of abnormality handling logic. The abnormality handling process provides four types of abnormality handling processes 1 to 4 shown in the table 4 of FIG.

  The first database 628 is a storage area in which setting information for realizing the logical RAS function is stored. Correspondence between physical devices and logical devices shown in Table 1 in FIG. 2, correspondence between each logical device and physical device specific processing shown in Table 2 in FIG. 2, device / software dependency shown in Table 5 in FIG. 3 is associated with the abnormality level and abnormality handling processing item of the abnormality occurrence location shown in the table 6, the association of the complex abnormality handling processing item shown in the table 7 of FIG. 3, and the logical WDT shown in the table 8 of FIG. 3. The setting information about the time-up time of the timer 623 is held.

  The second database 629 is a storage area for recording an abnormality detection history when an abnormality is detected in the past shown in the table 9 of FIG. 3, and a system state at the time of abnormality shown in the table 10 of FIG. The abnormality detection history is used as information for determining an abnormality level when an abnormality is detected. The system state at the time of abnormality is used for a maintenance worker or the like to refer to the state of the system where the abnormality occurs.

  The physical device specific processing unit 630 is a functional block that implements an abnormality detection processing unit 631 and an abnormality handling processing unit 632 for each physical device. The abnormality detection processing unit 631 executes physical device specific processing corresponding to the signal o from the logical device abnormality detection logic 621. The abnormality handling processing unit 632 executes physical device specific processing corresponding to the abnormality handling information transmitted by the signal r from the integrated abnormality handling processing logic 627.

Next, the operation of the embedded device of the present invention will be described in the following items (1) to (4).
(1) Logical RAS function execution interface to software:
The execution of the logical RAS function is performed by accessing the physical device relay interface 610 of the hypervisor layer 600 from the processing of the application software 400.

  The physical device relay interface 610 has two types of interfaces, a physical device initialization interface 611 and a physical device access interface 612, and the logical RAS function is executed according to the operation flows shown in FIGS. 4 and 5, respectively.

(2) Anomaly detection logic for logic devices:
FIG. 6 is a flowchart showing the operation of the abnormality detection logic for the logical device. When the process is started in step S1, the logic device abnormality detection logic 621 receives the signals h, j, and m in step S2.

  In step S3, the logical device abnormality detection logic 621 refers to the data d1 acquired by accessing the first database 628, and the correspondence recorded in the logical RAS function setting information for the physical device that requests execution of the logical RAS function. This is classified into 5 types of logical devices.

  Next, in step S4, the data d1 is referred to, the diagnosis and inspection items corresponding to the logical function of each logical device are referred to, and the diagnosis and inspection items that need to be executed are selected. This is because the abnormality detection logic to be executed differs depending on the request source of the logical RAS function execution, that is, the two types of interfaces provided by the physical device relay interface 610.

  This association is recorded in the logical RAS function setting information as information as shown in the example of the table 2 in FIG. For diagnosis and inspection items that need to be executed, a signal o is output, the corresponding physical device specific abnormality detection processing means 631 is called in step S5, and the abnormality detection processing of the physical device group 101 is executed by the signal s. .

  If an abnormality is detected in the check of step S6, the abnormality level and the data d4 acquired by accessing the second database 629 are referred to in step S7, the abnormality level is determined from the past abnormality detection history, and step S8. After updating the abnormality history with the data d4 in step S9, the abnormality detection location and abnormality level information is transmitted to the integrated abnormality response processing logic 627 in step S9, and the logic device abnormality detection logic is processed in step S10. finish. If no abnormality is detected in the check in step S6, the process skips to step S10 and ends.

  As a specific example, the operation of the abnormality detection logic when the device software AIO (Analog Input Output) is accessed will be described. When access is made to the AIO physical device access interface 612, an execution request is transmitted to the logical RAS function unit 620. The logical device abnormality detection logic 621 classifies the AIO as a logical I / O from the table 1 in FIG. 2, selects the AIO diagnosis and inspection items according to the table 2 in FIG. 2, calls the AIO specific process, and performs the diagnosis. Do.

  If a fatal abnormality is detected here, the previous abnormality detection history recorded by accessing the table 9 in FIG. 3 is referred to, and since no abnormality has been detected in the past, the abnormality level is set to level 2 (fatal , No reproducibility), the abnormality inspection history is updated, and the signal p1 is transmitted to the integrated abnormality response processing logic 627.

(3) Software processing monitoring and abnormality detection logic:
FIG. 7 is a flowchart showing the operation of the software process monitoring and abnormality detection logic. The timer management unit 622 of the logical RAS function unit 620 implements a logical WDT group 623 composed of a plurality of software timers and provides it to the upper software processing, thereby realizing monitoring of the plurality of software processing.

  The start and reset functions of the logical WDT group 623 are such that the applications 402, 403, and 404 themselves to be monitored implement the fixed-cycle WDT reset request means 402A, 403A, and 404A. Call.

  When monitoring of software processing is started in step S1, the logical WDT group 623 is started in step S2 by the signal f1 from the WDT reset unit 522 in the OS 520 or the signal f2 from the WDT reset unit 513 in the boot loader 510. .

  The logical WDT group 623 obtains the set time-up time from the logical RAS function setting information from the data d2 accessed to the first database 628 in step S3, and starts counting the timer of the logical WDT group in step S4.

  When the applications 402, 403, and 404 are operating normally, the counters are cleared at a cycle in which the counters do not time up by the fixed cycle WDT reset requesting means 402A, 403A, and 404A.

  If any of the logical WDT groups 623 is timed up due to a software abnormality in the check in step S5, the software abnormality information is transmitted to the software processing abnormality detection logic 626 as a signal n in step S6. The processing from step S1 to S6 is the processing range (A) of the logical WDT group 623.

  The software processing abnormality detection logic 626 determines the abnormality level by referring to the past abnormality detection history based on the data d5 accessed to the second database 629 in step S7.

  Further, in step S8, the abnormality detection history of the second database 629 is updated with the data d5, and in step S9, the information of the abnormality detection location and the abnormality level is transmitted to the integrated abnormality handling processing logic 627 by the signal p2. In step S10, the monitoring of the software process ends. The processing from step S7 to S9 is the processing range (B) of the software processing abnormality detection logic 626.

  As a specific example, a monitoring process of an HTTP server defined in the table 5 of FIG. 3 which is device software (not shown) installed as an application will be described.

  In the HTTP server itself, the start and reset processing of the logical WDT group 623 is implemented. When the HTTP server starts the logical WDT group 623, the logical WDT group 623 acquires a time-up time of 60 seconds from the setting of the time-up time as in the example of FIG. 3 table 8, and starts counting.

  The HTTP server resets the logical WDT group 623 at a period not exceeding 60 seconds when normal. When there is an abnormality in the HTTP server, the logical WDT group 623 is timed up and transmits software abnormality information to the software processing abnormality detection logic 626 by a signal n.

  The software processing abnormality detection logic 626 refers to the abnormality detection history of the table 9 by accessing the second database 629 based on the data d5, and an abnormality has occurred in the past. Therefore, the abnormality level is set to level 3 (Fatal). And the abnormality detection history is updated, and the information is transmitted to the integrated abnormality response processing logic 627 by the signal p2.

(4) Integrated abnormality response processing logic 627:
FIG. 8 is a flowchart showing the operation of the integrated abnormality handling logic. When the abnormality handling processing logic is started in step S1, the integrated abnormality handling logic 627 in step S2 receives the abnormality information signal p1 from the logic device abnormality detection logic 621 or the abnormality information signal p2 from the software abnormality detection logic 626. Receives information on anomaly detection locations and anomaly levels.

  In step S3, an abnormality handling process corresponding to the abnormality detection location and the abnormality level is searched. First, in the search, the correspondence processing according to the abnormality level for the location where the abnormality has occurred is accessed from the first database 268 with the data d3 and searched from the logical RAS function setting information (the operation flow of the abnormality handling processing item search is shown in FIG. And select an item.

  If there is an abnormality process for the physical device in the check in step S4, the signal r is output, the abnormality response processing means 632 in the physical device specific processing unit 630 is activated in step S5, and the physical device group 101 is received by the signal t. To execute the error handling process specific to the corresponding physical device.

  Next, if there is an abnormality in the software processing in the check in step S6, the signal g is notified to the application management means 523 in the OS 520, and an abnormality handling process is requested to the software management function in step S7.

  In step S8, the data d6 is transmitted to the second database 629, the system state at the time of abnormality is recorded in the past abnormality history in the tables 9 and 10, and the abnormality handling processing logic is terminated in step S9.

  FIG. 9 is a flowchart showing the operation of abnormality handling process item search by the integrated abnormality handling processing logic 627. When the abnormality response processing search is started in step S1, the integrated abnormality response processing logic 627 accesses the first database 628 with the data d3 and follows the abnormality level of the abnormal part with reference to the table 6 in step S2. Search for error handling items.

  In step S3, the data d3 that has accessed the first database 628 is referred to the table 5 to search for device software that is dependent on the location where the abnormality occurred. If there is device software that depends on the check in step S4, the process proceeds to the check in step S5. If no abnormality is detected in the dependent part, the first database 628 is accessed by the data d3 in step S6. Search the integrated error handling process to the part to be.

Next, if there is a need for integrated abnormality processing in the check in step S7, the abnormality handling of the dependent part is added to the processing item in step S8, and the abnormality handling processing search is terminated in step S9.

  If an abnormality is detected in the dependent part in the check in step S5, the process skips to step S8 and adds the abnormality corresponding to the dependent part to the processing item. If there is no dependent device software in the check in step S4, the process skips to step S9 and ends the abnormality handling process search.

  As is apparent from the processing flows of FIGS. 8 and 9, the integrated abnormality handling processing logic 627 searches the logical RAS function setting information for device software that is dependent on the abnormality occurrence location. For the dependent part, if an abnormality is detected in that part, or if a complex abnormality handling process is defined in the logical RAS function setting information, the handling process is added as an item.

  Of the processing items of the detected abnormality handling processing logic, the processing for the physical device calls the corresponding unique abnormality handling processing means 632 and executes the processing. In the process for software, an abnormality handling process is requested to the application management unit 523 which is a software management function of the OS. Finally, the state of the system when an abnormality occurs is recorded in the past abnormality history.

  As a specific example, an abnormality handling process when an AIO abnormality (abnormal level 2) is detected alone will be described. When the integrated abnormality response processing logic 627 receives the abnormality information signal p1, the integrated abnormality response processing logic 627 refers to the information on the association of the abnormality response processing shown in the example of Table 6, and the abnormality response processing 1 (AIO restart of the AIO) is performed. ) Is selected as a processing item.

  Next, it is grasped from the dependency relationship information shown in the example of Table 5 that the control application has a dependency relationship. Here, if an abnormality is detected in the control application, the abnormality handling process is added to the process item.

  In this example, since the abnormality is AIO alone, the process proceeds to a search for a complex abnormality handling process shown in the example of Table 7. Here, since the abnormality handling process and conditions of the dependent control application are set, the abnormality handling process 1 (reactivation of the control application) is added to the process item.

  Since the processing items of the abnormality handling process are enumerated as described above, an abnormality handling process unique to AIO and a request for restarting the control application are performed according to the processing item. Finally, as in the example shown in Table 10, the system state when an abnormality occurs is recorded.

The RAS function of the present invention described above can be extended as follows.
(1) Application to fault-tolerant functional devices that can be attached to and detached from embedded devices:
For the purpose of improving reliability, a logical fault tolerant function is implemented in addition to the RAS function for the logical RAS function.

  Higher-level software such as a boot loader and OS does not need to be aware of a redundant configuration of hardware or a single configuration. Therefore, the redundancy control function realized in the hypervisor layer controls the logically multiplexed CPU board and maps it to a function depending on hardware when accessing the physical CPU.

(2) An abstracted and simplified logical RAS function can be implemented in an FPGA. By mounting the RAS function on a programmable IC, a more reliable RAS function can be provided to an embedded device in a detachable form.

(3) When a multi-core CPU is adopted as a CPU, the logical RAS function unit 620, the physical device relay interface 610, and the physical device specific processing unit 630 implemented in the hypervisor layer 600 are allocated to a dedicated core CPU. Speeding up of signal processing related to the RAS function can be realized.

100 Hardware 101 Physical Device Group 102 Physical Watchdog Timer (WDT)
400 Application software 401-404 Application 402A-404A Fixed period WDT reset request means 500 System software 510 Boot loader 511 Device driver 512 Device initialization driver 513 WDT reset means 520 OS
521 Device access unit 522 WDT reset unit 523 Application management unit 600 Hypervisor layer 610 Physical device relay interface 611 Physical device initialization interface 612 Physical device access interface 620 Logical RAS function unit 621 Logical device abnormality detection logic 622 Timer management unit 623 Logical WDT Group 624 Device fixed period diagnosis timer 625 Physical WDT reset timer 626 Software processing abnormality detection logic 627 Integrated abnormality response processing logic 628 First database 629 Second database 630 Physical device specific processing unit 631 Anomaly detection processing means 632 Anomaly response processing means 633 Physical WDT reset means

Claims (8)

In an embedded device having a RAS function, in which a plurality of applications use a plurality of physical devices constituting hardware via a device driver of system software, and implement a RAS function for the application and hardware.
In the hypervisor layer interposed between the system software and the hardware, a logical RAS function unit that integrates and centrally manages the RAS functions of the plurality of applications and hardware is implemented.
The logical RAS function unit includes a logical device abnormality detection logic for a logical device obtained by classifying the plurality of physical devices into a predetermined number,
The logic device abnormality detection logic is
Embedded with RAS function, which is activated when the physical device is initialized from the system software boot loader and when the system software is accessed from the OS device driver, and performs abnormality detection diagnosis for the logical device machine. Anomaly detection processing means for obtaining anomaly detection information from the logic device anomaly detection logic and detecting an anomaly of the physical device of the hardware;
Integrated abnormality response processing logic that integrates abnormality detection information from the logic device abnormality detection logic and abnormality detection information of the application to execute abnormality processing;
An abnormality handling processing means for executing an abnormality handling process of the hardware physical device based on anomaly handling information from the integrated malfunction handling processing logic;
The embedded device having the RAS function according to claim 1. The logical RAS function unit includes a logical watchdog timer group and software processing abnormality detection logic corresponding to the plurality of applications,
The logical watchdog timer group monitors the plurality of applications by being reset by a reset request from a fixed period reset request means implemented in the plurality of applications.
Output time-up logic watchdog timer information to the software processing abnormality detection logic,
The embedded device having a RAS function according to claim 2, wherein the software processing abnormality detection logic requests the integrated abnormality response processing logic to perform an abnormality response process.   4. The integrated abnormality response processing logic, when acquiring abnormality information from the software processing abnormality detection logic, notifies an application management means of the system software and requests response processing. Embedded device having the described RAS function.   The integrated abnormality handling processing logic sets the correspondence between the abnormality level and the abnormality handling process for the abnormality occurrence location based on the abnormality level and the abnormality handling processing for each of the plurality of types of abnormality locations, and device software The embedded device having the RAS function according to any one of claims 2 to 4, wherein dependency relations and complex abnormality handling processes are set.   6. The logical RAS function unit includes a device fixed period diagnosis timer for the logical device abnormality detection logic and a physical watchdog timer reset unit for a watchdog timer provided in the hardware. An embedded device having the RAS function described in any one of the above. A first database for providing logical RAS function setting information to the logical device abnormality detection logic and the logical watchdog timer;
A second database that provides past abnormality history information to the logic device abnormality detection logic and the software processing abnormality detection logic;
An embedded device having a RAS function according to claim 3 or 4. The embedded device having the RAS function according to claim 7 , wherein the abnormality processing content of the integrated abnormality handling processing logic is recorded in an abnormality history of the second database.