JP5966181B2 - Redundant device and power supply stopping method - Google Patents

Description

  The present invention relates to a configuration control technique between two devices in a redundant configuration.

  In a redundant configuration, two devices with the same configuration connected to the network are made standby redundant, with either one serving as the primary system and the other as the secondary system. In this case, a configuration control technique for switching the slave system to the master system is used.

  For example, in Patent Document 1, two computers with standby redundancy are connected by two LANs (Local Area Networks), a survival notification sentence is transmitted to one LAN, and the survival notification sentence is If it does not reach, it is determined that a failure has occurred in the partner computer. A technique for transmitting a CPU (Central Processing Unit) restart (reset) request to a counterpart computer using the other LAN is disclosed (see paragraphs 0020, 0022, 0046, FIG. 7, etc.). .

  In Patent Document 2, a main computer (computer in the literature) and a slave computer are connected to each other by a signal line for mutual monitoring and a signal line for remote reset. The computer changes the state of the signal line at a constant cycle, and this change is monitored by the slave computer. If the state does not change within a predetermined time, it is determined that an abnormality has occurred in the main computer. A technique for remotely resetting a primary computer from a secondary computer using a signal line for remote reset is disclosed (see paragraphs 0010, 0011, 0019, etc.).

JP 2007-058708 A Japanese Patent Laid-Open No. 10-021202

  However, the techniques described in Patent Documents 1 and 2 use only the determination that a signal cannot be detected from a redundant partner computer for determination on the occurrence of a failure, and there is a possibility that configuration control cannot be performed correctly. For example, in a case where a signal cannot be detected from a redundant partner computer, a failure (for example, disconnection or connector disconnection) has occurred in the communication line other than when an abnormality has occurred in the partner computer. In some cases, a failure may occur in the reception function of its own computer. If a reset signal (for example, restart or stop) is sent to the partner computer even though there is no problem with the partner computer, configuration control can be performed as intended. Will not be.

  Further, in the techniques described in Patent Documents 1 and 2, even if a reset signal is transmitted to the counterpart computer that is determined to have a failure (abnormality), the counterpart computer can correctly receive the reset signal. Whether or not it is in a state has not been confirmed. For this reason, if the partner computer is not in a state where it can correctly receive the reset signal, even if the reset signal is transmitted to the partner computer, the partner computer may not be reset. That is, there is a possibility that the configuration control cannot be performed as intended.

  In particular, Patent Documents 1 and 2 do not describe a technique for preventing the counterpart computer from being reset (restarted or stopped) by mistake.

  Accordingly, an object of the present invention is to provide a technique for performing configuration control as intended.

In order to solve the above-mentioned problem, a duplexing device according to the present invention is a duplexing device in which a first device and a second device are configured in a redundant manner, and includes a first device and a second device. To check whether the network communication section that normally transmits and receives the survival information via the network in a predetermined cycle is operating normally and whether the network is disconnected. Confirming that the network communication unit is normal and that the network is not disconnected, and determining that the second device is abnormal, the network connection monitoring unit, the first device, a plurality of control lines and the second device is connected in order to perform mutual monitoring, control lines determines autologous cable connection state representing a connection state of the to the first device of the control line by the potential And the control line And determining the control line by a potential of the other-system cable connection state representing a connection to the serial second device, and a control line for receiving the power state of the second device, a plurality of control lines including, When it is determined that the second device is abnormal, it is confirmed that the power supply of the second device is in an ON state via a control line between the first device and the second device. a power monitoring unit, it is determined that abnormality in the second device, the power source of the second device is confirmed to be oN state, when the other-system cable connection state of the connection, the control line A signal generator for transmitting information for stopping the power supply of the second device via
It is characterized by providing.

  According to the present invention, it is possible to provide a technique for performing configuration control as intended.

It is a figure which shows the structural example and functional example of a redundant duplication apparatus. It is a figure which shows the example of a diagnosis of a signal generation part. It is a figure which shows the corresponding example of the determination result which specified the abnormal location of the apparatus, and a reset hold signal. It is a figure which shows the example of a cable fault monitoring judgment flow of a control line.

  Next, a mode for carrying out the present invention (hereinafter referred to as “the present embodiment”) will be described in detail with reference to the drawings as appropriate.

(Overview)
First, an outline of the present embodiment will be described. As shown in FIG. 1, in this embodiment, the duplexing device 100 is configured redundantly between two devices 1 (device [own system] 1a, device [other system] 1b), and survives via the network 50. Send and receive information. Further, the duplexing device 100 connects the devices 1 (1a, 1b) with the control line 20 (bundling the control lines 21-25, 26a, 26b, 27a, 27b), and makes the redundant side 100 itself ( Hereinafter, the operation state (for example, power supply state), control line cable connection state, and the like of the other party (hereinafter referred to as another system) and the control line cable connection state are mutually monitored to identify an abnormal part.

When the device [own system] (first device) 1a detects an abnormality of the device [other system] (second device) 1b, the reset hold signal (device [other system] ] Is transmitted to the apparatus [other system] 1b, and the apparatus [other system] 1b is stopped. The device [own system] 1a confirms that the device [other system] 1b has stopped, and stops transmitting the reset hold signal.
Further, the device [own system] 1a can reliably transmit and receive the reset hold signal without malfunction due to the failure of the signal generation unit 12 and the reset hold determination unit 13, the noise to the control line 20, and the like. In order to do this, the functions of the signal generation unit 12 and the reset hold determination units 13a and 13b are duplicated. This is because the reset hold signal is prevented from being transmitted due to a malfunction at one location, or because the control line 20 uses two voltage levels (High, Low). This is because if the level fluctuates, incorrect information may be transmitted.

(Configuration of duplexer)
A configuration example of the duplexer will be described with reference to FIG.
Since the device [own system] 1a and the device [other system] 1b have the same function, the function of the device [own system] 1a will be described here. In FIG. 1, only the functions related to the present invention are described in detail with respect to the functions of the apparatus [own system] 1a, and descriptions of other functions are omitted. In FIG. 1, functions of the apparatus [other system] 1 b are described only for functions necessary for explanation.

  In the present embodiment, the duplexer 100 connects between the network 50 and a device having a communication function in order to increase reliability when connecting a device or the like (including a computer) having a communication function to the network 50. It is installed to relay. Further, the duplex device 100 is standby-redundant between the two devices 1. In the present embodiment, when the two apparatuses 1 are distinguished, one is the apparatus [own system] 1a (hereinafter also referred to as the own apparatus), and the other is the apparatus [other system] 1b (hereinafter referred to as the apparatus). Although it is also referred to as a device of another system), it is described as device 1 when both are not distinguished. In addition, each of the device [own system] 1a and the device [other system] 1b may be further duplexed (redundant configuration).

The device [own system] 1a and the device [other system] 1b are connected by a duplex communication system via two independent networks 50a and 50b. The device [own system] 1a and the device [other system] 1b mutually transmit / receive survival information indicating their own survival in a predetermined cycle. Accordingly, the device [own system] 1a can confirm the survival of the device [other system] 1b by receiving the survival information from the device [other system] 1b.
The device [own system] 1a is unable to receive the survival information from both of the two networks 50a and 50b, or a code error has occurred in the survival information received from both of the two networks 50a and 50b. When the state is reached, it is determined that an abnormality has occurred in the device [other system] 1b or the network 50. If the device [other system] 1b determined to have an abnormality is operating as a master system in the master-slave relationship in standby redundancy, the master-slave relationship is reversed and the normal device [ Self system] 1a is operated as a main system. The network 50 need not be limited to a LAN, but will be described as being a LAN in this embodiment.

The apparatus [own system] 1 a includes at least a processing unit 11. The processing unit 11 includes a CPU and a main memory (not shown), and each function of the processing unit 11 is realized by developing an application program (not shown) stored in the storage unit 19 in the main memory.
As shown in FIG. 1, the function of the processing unit 11 includes a signal generation unit 12, reset hold determination units 13a and 13b, a power supply monitoring unit 14, an interrupt reception unit 15, a hard reset unit 16, a network connection monitoring unit 17, and a network. Communication unit 18.

  The signal generation unit 12 has a function of transmitting a reset hold signal to the device [other system] 1b determined to have an abnormality. The signal generator 12 transmits a reset hold signal using the two control lines 26a and 26b. Further, the signal generator 12 has a function of performing an operation diagnosis in order to confirm that it is operating normally. Details of the function of the signal generator 12 will be described later.

  The reset hold determination units 13a and 13b receive the reset hold signal from the device [other system] 1b via the control lines 27a and 27b, and refer to the other system cable connection state 112 to connect the control line 20 to the cable. It has a function of confirming that the state is normal and determining whether or not the reset hold signal is correct. In addition, when the reset hold determination unit 13a or 13b determines that the reset hold signal is correct, the reset hold determination unit 13a or 13b issues an interrupt instruction to the interrupt reception unit 15 so that the hard reset unit 16 can start the process of stopping the power supply. In addition to outputting, a stop instruction for stopping the power supply is output to the hard reset unit 16. Details of the functions of the reset hold determination units 13a and 13b will be described later.

  The power supply monitoring unit 14 of the device [own system] 1a has a function of transmitting to the device [other system] 1b via the control line 22 whether the power of the device [own system] 1a itself is ON or OFF. Have. Then, the processing unit 11 of the device [own system] 1 a stores the power state received from the power monitoring unit 14 of the device [other system] 1 b via the control line 21 as the other system power state 111.

  The interrupt receiving unit 15 has a function of receiving an interrupt instruction that is output when the reset hold determining units 13a and 13b determine that the received reset hold signal is correct, and safely stopping the processing of the processing unit 11. Have

  The hard reset unit 16 receives a stop instruction that is output when the reset hold determination units 13a and 13b determine that the received reset hold signal is correct, and stops the power supply of the device [own system] 1a itself. Have

  In the network connection monitoring unit 17, the network communication unit 18 that transmits and receives the survival information at a predetermined cycle via the network in order to mutually confirm the survival between the own device 1 and the other device 1 is normal. And a function for confirming whether or not communication with another apparatus 1 is possible via the network 50. For example, when the network 50 is a LAN, whether or not communication with the other apparatus 1 is possible via the network 50 is determined by examining link up or link down.

  The network communication unit 18 has a function of transmitting and receiving information (including survival information) via the network 50.

  The storage unit 19 is configured by a memory, and includes another system power supply state 111, another system cable connection state 112, own system cable connection state 113, own system setting state 114, own system reset hold signal state 115, and own system reset hold state 116. The other system reset hold signal state 117 and the network state 118 are stored by the processing unit 11.

  The other system power state 111 is a power state of the device [other system] 1 b received by the processing unit 11 from the power monitoring unit 14 of the device [other system] 1 b via the control line 21. The power state is represented by ON or OFF.

  The other system cable connection state 112 is represented by whether or not the control line 23 is connected to the device [other system] 1b. Specifically, if the voltage of the control line 23 is at the same potential as the ground of the device [other system] 1b, the processing unit 11 determines that the connection state is established. In contrast to the control line 23, the control line 30 in FIG. 1 is for the device [other system] 1b to determine the cable connection state of the device [other system] 1b itself.

  The own system cable connection state 113 is represented by whether or not its own control line 24 is connected. Specifically, if the voltage of the control line 24 is the same potential as the ground of the device [own system] 1a itself, the processing unit 11 determines that the connection state is established. In contrast to the control line 24, the control line 31 in FIG. 1 is for the device [other system] 1b to determine the cable connection state of the device [other system] 1b itself.

  The own system setting state 114 is represented by any one of the master-slave relationships of the device [own system] 1a. Specifically, the control lines 25 and 32 are used to determine which of the device [own system] 1a and the device [other system] 1b becomes the main system when the power is turned on. This is a mechanism necessary for setting one to the main system and the other to the slave system when both are turned on and both start up normally. Both devices 1 communicate with each other via the network 50. When both devices 1 are main systems, there is an abnormality such as disconnection of the control line 20 or contact failure of the control line connecting portion. This can be detected by the self-system setting state 114. In FIG. 1, the control line 25 of the device [own system] 1a has a low potential, and the control line 32 of the device [other system] 1b has a high potential. You can determine which of the systems.

  The own system reset hold signal state 115 is obtained by acquiring the reset hold signal transmitted from the signal generator 12 from the control lines 26a and 26b.

  The own system reset hold state 116 represents an interrupt instruction output from the reset hold determination units 13 a and 13 b to the interrupt reception unit 15.

  The other system reset hold signal state 117 represents the reset hold signal transmitted from the signal generator 12 of the apparatus [other system] 1b via the control lines 27a and 27b.

  The network connection state 118 represents the result of the network connection monitoring unit 17 determining whether the network communication unit 18 is operating normally and whether the network 50 is disconnected.

(Function of duplexer)
Here, functional examples (1) to (7) of the duplexer 100 will be described (see FIG. 1 as appropriate).

(1) Duplex Network Function As shown in FIG. 1, the device [own system] 1a and the device [other system] 1b communicate via two independent networks 50 (50a, 50b). The device [own system] 1a and the device [other system] 1b exchange survival information (for example, keep alive packets) with each other at a predetermined cycle, and when the survival information is not received or the received survival information is abnormal ( For example, when a code error or the like) occurs, it is determined that there is an abnormality in the own apparatus 1, an abnormality in the other apparatus 1, or an abnormality in the LAN. Note that if correct survival information can be exchanged via at least one network 50, it is determined as normal.

(2) Function of control line The duplex device 100 connects the two devices 1 (1a, 1b) with the control line 20, and monitors the status of the other device 1 with each other. A reset hold signal is transmitted when it is determined as abnormal. Therefore, when the other apparatus 1 determines that the own apparatus 1 is abnormal, the own apparatus 1 receives the reset hold signal from the other apparatus 1.
Items to be monitored regarding the operation state of the duplexer 100 are, for example, (a) the cable connection state of the control line 20 (other system cable connection state 112, own system cable connection state 113), and (b) own system setting state (self System setting state 114), (c) Other system power supply state (other system power supply state 111), (d) Own system reset hold signal transmission / reception state (own system reset hold signal state 115, other system reset hold signal state 117) ), (E) own system reset hold state (own system reset hold state 116), and (f) own system network communication state and link state (network connection state 118). When the network 50 is a LAN, the local network communication unit represents the local LAN transmission / reception unit.
When the duplication apparatus 100 fails to receive the survival information described in the above (1) or an abnormality occurs in the received survival information, the duplexing apparatus 100 combines with any of the information of (a) to (f) The location can be specified.

(3) Diagnosis function of communication unit for own network If the network connection monitoring unit 17 of the own device 1 fails to receive the survival information or an abnormality occurs in the received survival information, the communication for the own network The unit 18 has a function of self-diagnosis as to whether or not it is normal.
When the own device 1 determines that the own network communication unit 18 is abnormal, the own device 1 determines that the own device is abnormal. In addition, when the local apparatus 1 is normal in the local network communication unit 18 and the link with the other apparatus 1 is in a link-down state, the network (LAN) is disconnected. Is determined. Also, the own device 1 determines that the other device 1 is abnormal when the own network communication unit 18 is normal and is in a link-up state. In this way, the duplexer 100 can identify an abnormal part.

(4) Reset Hold Signal Stop Function The processing unit 11 resets by checking the state where the information of the other system power state 111 is turned off after transmitting the reset hold signal to the other system device 1. It is determined that the hold is being executed by the other system device 1 as intended, and the reset hold signal is autonomously stopped. The reason for stopping the reset hold signal is that if the reset hold signal continues to be transmitted, an event that does not meet the purpose, such as stopping again when the other system device 1 is restarted, occurs. This is to prevent this.

(5) Function of Redundant Reset Hold Signal Control Line The signal generator 12 forms and outputs a reset hold signal using two signal lines 26a and 26b as shown in FIG. In order to prevent the reset hold signal from being erroneously formed when the own apparatus 1 fails, for example, the signal of one communication line 26a is set to High active, and the signal of the other communication line 26b is set to Low active. Make the polarity different.
The reset hold signal output by the signal generator 12 is determined to be valid by being continuously output for a predetermined time. Further, the processing unit 11 can record the reset hold signal in the own system reset hold signal state 115 and confirm that the reset hold signal is output as intended.

(6) Issuing function of reset hold signal The signal generation unit 12 is configured to prevent the erroneous transmission of the reset hold signal to the device 1 of the other system. When information is written and predetermined second information (but different from the first information) is written in the other register, a reset hold signal is output for the first time.

(7) Reset Hold Signal Reception Function The reset hold determination units 13a and 13b are signals (High or Low) output from the signal generation unit 12 of the apparatus [other system] 1b via the two control lines 27a and 27b. Is detected and it is determined whether or not it is a reset hold signal. For example, it is determined that the reset hold signal is when the signal of the control line 27a is High and the signal of the control line 27b is Low for a predetermined time.
The reset hold determination units 13a and 13b are composed of logic circuits that operate with a double clock, and measure a predetermined time using the clock. In other words, a predetermined time can be measured if at least one of the duplicated clocks is operating. The logic circuit is also duplicated. Therefore, the reset hold determination unit 31 can correctly determine the reset hold signal if at least one logic circuit is operating.
When all the clocks are stopped, the reset hold determination units 13a and 13b switch to a circuit different from the logic circuit operating with the clock, and the reset hold signal is output without measuring the duration. Enable reception. This is because even if all the clocks are stopped, the power supply is stopped (turned off) on the safe side.

(8) Diagnosis function of signal generation unit and reset hold determination unit In order to properly stop the power supply of the apparatus 1 of the other system, the signal generation unit 12 and the reset hold determination units 13a and 13b must be operating correctly. Therefore, the processing unit 11 has a function of diagnosing the operations of the signal generation unit 12 and the reset hold determination units 13a and 13b.
The processing unit 11 confirms the output signal of the signal generation unit 12 recorded in the own system reset hold signal state 115 at a predetermined cycle (for example, a short cycle of about 1 second), thereby determining its own signal generation unit. 12 operation states can be confirmed (diagnostic). Further, the processing unit 11 records the signal received from the signal generation unit 12 of the apparatus [other system] 1b in the other system reset hold signal state 117 at a predetermined cycle (for example, a short cycle of about 1 second). It is confirmed that the signal from the device [other system] 1b is normal at a period of (for example, a short period of about 1 second).

Here, an example of the diagnostic function of the signal generator 12 will be described with reference to FIG. 2 (see FIG. 1 as appropriate).
In FIG. 2, the output state of the signal generation unit 12 is indicated by a number in a circle. For example, the number “0” on the left side in the circle 211 in the steady state S201 indicates that the signal on the control line 26a is Low, and the number “1” on the right side indicates that the signal on the control line 26b is High. Represents. Also, in the reset hold issuance time S202 that outputs the reset hold signal, the left number “1” in the circle 212 indicates that the signal of the control line 26a is High, and the right number “0” indicates the control line 26b. This signal is Low, indicating that it is a reset hold signal.

  At the time of self-diagnosis S203, the signal generator 12 operates so that the output is “01” → “00” → “01” → “11” → “01”. That is, the signal generator 12 operates so that the output does not become “10”, which is the same as the reset hold signal.

In the initial diagnosis when the apparatus 1 is activated, the processing unit 11 executes the operation of S203 during self-diagnosis.
In the regular time S201, the processing unit 11 records the output of the signal generation unit 12 in the own system reset hold signal state 115 at a predetermined short cycle (for example, 1 second), and is in the “01” state. Confirm. In addition, the processing unit 11 performs the operation of S203 during self-diagnosis at a predetermined long cycle (for example, 1 hour).
Further, at the time of reset hold issuance S202, the processing unit 11 records the output of the signal generation unit 12 in the own system reset hold signal state 115 at a predetermined short cycle (for example, 1 second), and the state of “10” Make sure that

  The diagnosis of the output signal from the device [other system] 1b diagnoses that the output state of the signal generator 12 is “01”. When the output state becomes “00” or “11” due to a failure of the signal generation unit 12 of the apparatus [other system] 1b, the read value is “continuous” in a predetermined cycle (for example, a short cycle of about 1 second). If it is not “01”, it is determined to be abnormal. In the self-diagnosis S203, the output signal becomes “00” or “11”. However, even if the device [other system] 1b is S203 at the time of self-diagnosis, it becomes abnormal in the first reading, but by reading at a predetermined cycle longer than the signal pattern switching time in the self-diagnosis, 2 In the second reading, “01” can be read normally. Therefore, when the read value is not “01” twice in succession, it is possible to specify that the signal generation unit 12 of the apparatus [other system] 1b is out of order instead of pattern switching by self-diagnosis.

Next, a correspondence example of the determination result specifying the abnormal part of the duplexer and the reset hold signal will be described with reference to FIG. 3 (see FIG. 1 as appropriate).
In this embodiment, since the operation state of the apparatus 1 is mutually monitored using the control line 20, an abnormal part can be specified. FIG. 3 shows the determination result 310 and the reset hold signal for identifying the abnormal location using the other system power supply state 111, the other system cable connection state 112, and the network connection state 118 (the local network communication unit state and the link state). A correspondence example 311 is shown.

  In the first line (reference numeral 301), when the other system power supply state is “OFF”, the other system cable connection state is “not connected”, and the local network communication unit state is “normal”, the determination result is “other system power”. “Device not connected”, and the corresponding example is “Reset hold signal transmission unnecessary to other system”.

  In the second line (reference numeral 302), when the other system power supply state is “OFF”, the other system cable connection state is “connected”, and the local network communication unit state is “normal”, the determination result is “other system device”. “Power OFF”, and the corresponding example is “reset hold signal transmission unnecessary for other systems”.

  In the third line (reference numeral 303), when the other system power supply state is “ON”, the other system cable connection state is “connected”, the local network communication unit state is “normal”, and the link state is “link down”. The determination result is “LAN disconnection”. Link-down means a state in which communication with the communication partner is disabled due to some abnormality or cable disconnection, and link-up means a state in which communication with the communication partner is established via a cable and communication is possible. However, when the device 1 is connected to the network 50 via a hub or the like, the device 1 determines that the link is up if the connection with the hub is normal, and even if the disconnection occurs on the other side of the hub, the link is up. The state of does not change.

  In the fourth line (reference numeral 304), when the other system power supply state is “ON”, the other system cable connection state is “connected”, and the local network communication unit state is “abnormal”, the determination result is “own system device”. “Abnormal”, and the corresponding example is “Reset hold signal received from other system and stopped”.

  In the fifth line (reference numeral 305), when the other system power supply state is “ON”, the other system cable connection state is “connected”, the local network communication unit state is “normal”, and the link state is “link up”. The determination result is “another system error”, and the corresponding example is “send reset hold signal to other system”.

Also, an example of a cable fault monitoring determination flow of the control line 20 will be described with reference to FIG. 4 (see FIG. 1 as appropriate).
As illustrated in FIG. 4, in step S <b> 401, the processing unit 11 refers to the own system cable connection state 113 and determines whether or not the own system cable is connected. If it is connected (Yes in step S401), the process proceeds to step S403. If it is not connected (No in step S401), the process proceeds to step S402.

  In step S402, the processing unit 11 outputs “disconnection of own system control line connector” to the display unit (not shown) as an error display. Then, the process ends.

  In step S403, the processing unit 11 refers to the other system cable connection state 112 and determines whether or not the other system cable is connected. If connected (Yes in step S403), the process proceeds to step S405. If not connected (No in step S403), the process proceeds to step S404.

  In step S404, the processing unit 11 outputs “other system control line connector disconnection” to the display unit (not shown) as an error display. Then, the process ends.

  In step S405, the processing unit 11 refers to the other system power supply state 111 and determines whether the other system power supply is OFF. If it is OFF (Yes in step S405), the process proceeds to step S406. If it is not OFF (No in step S405), the process ends.

  In step S406, the processing unit 11 refers to the other system power supply state 111, and determines whether or not the other system power supply OFF state continues for a predetermined time. If it has continued for a predetermined time (Yes in step S406), the process proceeds to step S407. If it has not continued for a predetermined time (No in step S406), the process returns to step S401.

  In step S407, the processing unit 11 outputs “other system power OFF abnormality” to the display unit (not shown) as an error display. Then, the process ends.

  As described above, the duplexer 100 according to the present embodiment is redundantly configured with two units, transmits / receives the survival information at a predetermined cycle via the network 50, and mutually changes the operating state via the control line 50. Monitor. The device [own system] 1a includes a network connection monitoring unit 17 that monitors whether or not the network communication unit 18 that transmits and receives survival information is operating normally, and whether or not the network 50 is disconnected. [Other system] The power supply monitoring unit 14 for confirming that the power supply of 1b is in the ON state via the control line 20, and the signal generation for transmitting information for stopping the power supply of the apparatus [other system] 1b via the control line 20 Unit 12. Then, when the device [own system] 1a does not receive the survival information from the device [other system] 1b or when an abnormality occurs in the received survival information, the network connection monitoring unit 17 performs communication for its own network. After confirming that the unit 18 is normal and the network 50 is not disconnected, it is determined that the device [other system] 1b is abnormal. Next, in the device [own system] 1a, the power monitoring unit 14 confirms that the power source of the device [other system] 1b is ON, and the signal generation unit 12 supplies power to the device [other system] 1b. Send information to stop.

  By having such a configuration, the device [own system] 1a can identify an abnormal part when it no longer receives the survival information from the device [other system] 1b or when an abnormality occurs in the received survival information. Can do. Then, the device [own system] 1a prevents erroneous transmission of information for stopping even though no abnormality has occurred in the device [other system] 1b, and performs configuration control as intended. It can be performed.

In addition, this invention is not limited to above-described embodiment, Various modifications are included. For example, the above-described embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to one having all the configurations described. In addition, a part of the configuration of a certain embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of a certain embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of the embodiment.
Further, some or all of the functions of the processing unit 11 may be realized by hardware by designing, for example, an integrated circuit. Information such as programs and files for realizing each function is stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), an IC (Integrated Circuit) card, an SD card, a DVD (Digital Versatile Disc), etc. Can be placed on a recording medium.
Further, in the duplexer 100, the description of the information lines connecting the components in the processing unit 11 is omitted, but in practice, it may be considered that almost all the components are connected to each other.

1a Device [own system] (first device)
1b Device [other system] (second device)
DESCRIPTION OF SYMBOLS 11 Processing part 12 Signal generation part 13a, 13b Reset hold determination part 14 Power supply monitoring part 15 Interrupt reception part 16 Hard reset part 17 Network connection monitoring part 18 Network communication part 19 Memory | storage part 20 Control line 50 (50a, 50b) Network 100 Redundant device

Claims (5)

A duplex device in which the first device and the second device are configured redundantly,
Whether or not the network communication unit that transmits and receives the survival information at a predetermined cycle via the network in order to mutually confirm the survival between the first device and the second device is operating normally, And monitoring whether or not the network is disconnected, and confirming that the network communication unit is normal and that the network is not disconnected and determining that the second device is abnormal A network connection monitoring unit;
It said first device and said second device is a plurality of control lines connected to perform mutual monitoring, autologous cable connection state representing a connection state of the to the first device of the control line and determining the control line by the potential, and determines the control line by the potential other system cable connection state representing a connection state to the second device control line, receives the power state of the second device A plurality of control lines including a control line;
When it is determined that the second device is abnormal, it is confirmed that the power supply of the second device is in an ON state via a control line between the first device and the second device. A power monitoring unit;
Wherein the abnormality determination of the second device, the power source of the second device is confirmed to be ON state, when the other-system cable connection state of the connection, via the control line, the A signal generator for transmitting information for stopping the power supply of the second device;
A duplexer characterized by comprising: Whether or not the network communication unit that transmits and receives the survival information in a predetermined cycle via the network in order to mutually confirm the survival between the first device and the second device, and Network connection that monitors whether or not the network is disconnected, determines that the network communication unit is normal and that the network is not disconnected, and determines that the second device is abnormal A monitoring unit;
When it is determined that the second device is abnormal, it is confirmed that the power supply of the second device is in an ON state via a control line between the first device and the second device. A power monitoring unit;
A signal generator for transmitting information for stopping the power supply of the second device via the control line;
With
Confirming that the signal generation unit is transmitting information for stopping the power supply of the second device, and confirming that the power supply of the second device is turned off by the power supply monitoring unit, A duplexer characterized in that transmission of information for stopping the power supply of the second device is stopped. Whether or not the network communication unit that transmits and receives the survival information in a predetermined cycle via the network in order to mutually confirm the survival between the first device and the second device, and Network connection that monitors whether or not the network is disconnected, determines that the network communication unit is normal and that the network is not disconnected, and determines that the second device is abnormal A monitoring unit;
When it is determined that the second device is abnormal, it is confirmed that the power supply of the second device is in an ON state via a control line between the first device and the second device. A power monitoring unit;
A signal generator for transmitting information for stopping the power supply of the second device via the control line;
With
The information for stopping the power supply of the second device determines whether one of the two control lines is at a high level and the other voltage is at a low level and continues for a predetermined time or more. It has a reset hold determination unit,
The information that the reset hold determination unit stops the power supply of the second device is that one of the two control lines is at a high level and the other voltage is at a low level, and continues for a predetermined time or more. When the determination is made, a duplexer is provided that executes a process of turning off the power. The signal generation unit sets the voltage level of the two control lines to a combination excluding a combination of information for stopping the power supply of the second device, and executes its own operation check. Item 4. The duplex device according to item 3. A power supply stopping method for a duplex device in which the first device and the second device are configured redundantly,
The first device includes:
Whether or not the network communication unit that transmits and receives the survival information at a predetermined cycle via the network in order to mutually confirm the survival between the first device and the second device is operating normally, And monitoring whether or not the network is disconnected, and confirming that the network communication unit is normal and that the network is not disconnected and determining that the second device is abnormal A network connection monitoring step;
A plurality of control lines connected to perform mutual monitoring between the first device and the second device, the self-system cable connection state representing a connection state of a control line to said first device control line the determination of the steps of performing a determination of the other system cable connection state representing a connection state of the second device to the control line of the control line, the reception of the power state of the second device,
When it is determined that the second device is abnormal, it is confirmed that the power supply of the second device is in an ON state via a control line between the first device and the second device. A power monitoring step;
The abnormality determination of the second device, to verify that the power of the second device is in the ON state, when the other-system cable connection state of the connection, via the control line, the A signal generation step of transmitting information for stopping the power supply of the second device;
The method of stopping the power supply characterized by performing.

Images