JP6026142B2 - Control system in which multiple computers operate independently - Google Patents

Description

  The present invention relates to a control system in which a plurality of computers operate independently.

  For example, in a control application (so-called social infrastructure control system) that requires high reliability such as railway operation management control, power system management control, and plant monitoring control, a multi-system is constructed.

  In a multi-system, an active computer and a standby computer are prepared, and processing is normally performed by the active computer. In the event of a failure in the active computer, processing of the active computer is transferred to the standby computer. (Patent Documents 1, 2, and 3).

  On the other hand, there may be a system in which a plurality of computers that perform the same processing each operate independently. One computer and the other computer provide business application processing services to terminals under mutual management.

Patent No. 4487260 JP 2007-179310 A JP 2009-282791 A

  A system in which a plurality of computers in charge of the same process operate independently (hereinafter referred to as a two-system system as an example. A system in which three or more computers operate independently) may appear at first glance. This gives the impression that it is similar to a multisystem.

  However, in the multi-system system, the active computer normally operates, and in the event of an abnormality, the processing is taken over by the standby computer, whereas in the two-system system, a plurality (for example, two) of the same processing is in charge. Each computer executes the same process independently. Even if one computer stops due to a failure or the like, it does not directly affect the other computer.

  The two-system system is merely provided with a plurality of computers of the same type to perform a certain process, and there is no cooperation between the computers. Therefore, the two-system system is completely different from the multi-system system and the parallel processing system. The two-system system processes information between terminal groups associated with each system, and a load distribution system that distributes requests from a common terminal group among a plurality of computers according to the load. Also different.

  Such a two-system system can be used as a computer connected to an input / output terminal of a control center, for example, in the fields of railway operation management and power system control. In order to process a large amount of requests, a plurality of computers are installed, and a plurality of terminals are allocated to each computer in advance.

  When the manager of the center inputs a request from a terminal, the request is processed by a computer associated with the terminal, and the processing result is returned to the terminal. Since multiple computers of the same type are installed, the effect of load distribution can be obtained as a result, but these multiple computers do not have a cluster configuration, but requests from terminals associated with their own devices Is just processing.

  In this way, only one of the computers that execute the same process independently from each other continues to operate. Business cannot be continued using a terminal under the control of the stopped computer. Businesses can be continued by using other terminals under the control of the operating computer.

  Since the two-system system is composed of a plurality of computers that independently execute the same processing, it is possible to realize moderate load distribution and redundancy as a result. However, the amount of business processing is increasing year by year, and improvement in service quality is also required. Accordingly, it has become unacceptable for any one of the computers included in the two-system to stop even if it is an inconvenience planned from the beginning. In order to process a large amount of work in a short time, it is preferable to connect a normal terminal associated with the stopped computer to another computer for effective use.

  The present invention has been made paying attention to the above-described problem, and its object is to provide a predetermined terminal corresponding to a stopped computer when either the first computer or the second computer that operates independently stops. It is an object of the present invention to provide a control system in which a plurality of computers can operate independently so that the computer of the other computer that has stopped the operation can be backed up and the convenience can be improved.

  In order to solve the above problems, a control system in which a plurality of computers according to the present invention operate independently operates independently, and includes a first computer and a second computer that provide an information input / output screen to each terminal. The first computer and the second computer are connected to the first terminal and the second terminal via the information input / output communication path, respectively, and the first computer and the second computer communicate with each other for survival confirmation. When the other computer is monitoring each other by a predetermined communication using the route, and the first computer and the second computer determine that a failure has occurred in the other computer by the predetermined communication The terminal backup process for providing the information input / output screen to a predetermined terminal associated with the counterpart computer among the first terminal and the second terminal is performed.

  In the backup process, an information input / output screen can be generated for a predetermined terminal, and the generated information input / output screen can be provided to the predetermined terminal via the information input / output communication path.

  The survival confirmation communication path includes a first confirmation path and a second confirmation path, and the first computer and the second computer use the first confirmation path and the second confirmation path to perform predetermined communication. , Each other monitors whether the partner computer is operating, and if a stop of the partner computer is detected on both the first confirmation route and the second confirmation route, terminal backup processing is performed. May be executed.

  The first computer and the second computer may end the terminal backup process when the operation recovery of the counterpart computer is confirmed by predetermined communication on either the first confirmation route or the second confirmation route.

  According to the present invention, in a control system in which a plurality of computers operate independently, even if one of the computers is stopped, a terminal associated with the stopped computer can be used by the other computer of the computer. It can be. This improves the convenience of the control system.

The whole block diagram of the control system concerning an embodiment. The schematic block diagram of the software mounted in the computer. It is a time chart which shows a mode that the terminal corresponding to the computer which detected the failure generation and was stopped by the failure is backed up by a normal computer. It is a time chart which shows a mode that backup of a terminal is complete | finished when a computer recovers from a failure.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In this embodiment, as described later, in a plurality of computers that execute the same processing independently of each other, when one computer is stopped, the other computer is directed to one terminal managed by one computer. Provides information input / output screens and processes requests from one terminal.

  An embodiment of the present invention will be described with reference to FIGS.

  (1) “Hardware configuration”

  FIG. 1 shows the overall configuration of the control system. The control system includes a plurality of computers 1A and 1B and a plurality of terminals 2A and 2B connected to the computers 1A and 1B. Each computer 1A, 1B and each terminal 2A, 2B are connected via communication paths 30, 31 for information input / output. The computers 1A and 1B are connected to each other through communication paths 40 and 41 for survival confirmation. Unless otherwise distinguished, the computers 1A and 1B may be referred to as the computer 1, and the terminals 2A and 2B may be referred to as the terminal 2, respectively.

  Since the computers 1A and 1B basically have the same configuration, the configuration will be described using the computer 1A as an example. The computer 1A includes, for example, a microprocessor (CPU) 10A, a memory 11A, and an input / output control device (I / O) 12A. A disk device 13A, a management bus 18A, and an expansion bus 19A are connected to the input / output control device 12A. Further, the LAN control device 14A is also connected to the input / output control device 12A through the extended management bus 20A.

  A circuit that extends the function of the computer 1A is connected to the expansion bus 19A. Generally, when an expansion board on which a circuit is mounted is inserted into a slot connector, it can be connected to the expansion bus 19A. However, some functions may be mounted in the main body of the computer 1A and directly connected to the expansion bus 19A.

  The computer 1A includes a LAN board 15A and a system switching control (LXP) board 16A as expansion boards. The system switching control board 16A is connected to the input / output control device 12A via the management bus 18A.

  The LAN control device 14A is connected to the LAN control device 14B in the counterpart computer 1B via the first confirmation communication path 40 for existence confirmation, and transmits and receives life notification information.

  The LAN board 15A is connected to communication paths 30 and 31, and communicates with other computers 1B and terminals 2A and 2B connected to the communication paths 30 and 31.

  The system switching control board 16A is a function expansion board for system switching control (LXP) of the computer 1A, and is connected via a second confirmation communication path 41 for existence confirmation. In this embodiment, since the computers 1A and 1B used in the multiplex system are diverted to the two-system system, the system switching control is not performed. By configuring the computer used in the multi-system system and the computer used in the two-system system as a common computer, the manufacturing cost of the system can be reduced.

  The other computer 1B also has the same configuration as described in the computer 1A. The configuration of the computer 1B can be described by replacing “A” in the above description with “B”. Therefore, redundant description of the computer 1B is omitted.

  The terminal 2A as the “first terminal” is associated with the computer 1A as the “first computer”. The computer 1A holds terminal information for managing the terminal 2A. Furthermore, the computer 1A also holds terminal information for managing the terminal 2B under the control of the counterpart computer 1B. Therefore, as described later, the computer 1A can exchange information with the terminal 2A in a normal case, and can exchange information with the terminal 2B when an abnormality occurs in the counterpart computer 1B. Yes.

  The terminal 2A is configured as a computer terminal including an information output device and an information input device, such as a notebook computer, a tablet computer, a mobile phone, a personal digital assistant, a headset computer, and the like. Examples of the information output device include a display device, a printer device, and a voice synthesizer. Examples of the information input device include a keyboard, a mouse, a touch panel, and a voice input device.

  The terminal 2A is connected to both the communication paths 30 and 31, and normally communicates with the computer 1A. When a failure occurs in the computer 1A, the terminal 2A communicates with the computer 1B as will be described later. The terminal 2A provides information processed by the computer 1A to the user via a display device or the like. Further, the terminal 2A transmits the contents (instructions, information, etc.) input from the keyboard or the like by the user (control system administrator or the like) to the computer 1A and reflects them.

  The terminal 2B as the “second terminal” is associated with the computer 1B as the “second computer”. The computer 1B holds terminal information for managing the terminal 2B. Further, the computer 1B also holds terminal information of the terminal 2A under the management of the counterpart computer 1A. Therefore, the computer 1B can exchange information with the terminal 2B in a normal case, and can exchange information with the terminal 2B when an abnormality occurs in the counterpart computer 1B.

  The terminal 2B is also connected to the communication paths 30 and 31, and normally communicates with the computer 1B. When a failure occurs in the computer 1B, the terminal 2B communicates with the computer 1A. The terminal 2B provides information processed by the computer 1B to the user via a display device or the like. Furthermore, the terminal 2B transmits the contents (instructions, information, etc.) input by the user from the keyboard or the like to the computer 1B for reflection.

  The computers 1A and 1B use two physically independent communication paths 40 and 41 when monitoring the state of the other party. The first confirmation communication path 40 is connected to the LAN control device 14A of the computer 1A and the LAN control device 14B of the computer 1B.

  The second confirmation communication path 41 is connected to the system switching control board 16A of the computer 1A and the system switching control board 16B of the computer 1B, and is connected to the input / output control devices 12A and 12B via the expansion buses 19A and 19B. Has been.

  Since the first confirmation communication path 40 and the second confirmation communication path 41 have different connection destination bus lines, even if a failure occurs in one of the paths, the life and death of the partner computer is monitored via the other path. can do. As described above, since the communication path for the survival confirmation is composed of a plurality of physically independent paths, the reliability of the survival confirmation can be improved.

  As will be described later, in this embodiment, the terminal 2 managed by the computer 1 in which the failure has occurred is backed up by further utilizing the configuration of existence confirmation using the plurality of confirmation communication paths 40 and 41. The execution timing of the terminal backup process is controlled.

  In FIG. 1, two computers 1A and 1B and two terminals 2A and 2B in total of two in each system are shown, but the number is not limited. The present invention can also be applied to a system having three or less computers and a system having five or more terminals.

  (2) "Software configuration"

  FIG. 2 is a functional relationship diagram of the hierarchical structure of the software P1A stored in the memory 11A.

  The memories 11A and 11B of the computers 1A and 1B store a mutual monitoring program P10, a terminal display program P11, a screen input / output program P12, and a business application P13, respectively. In addition to these, an operating system (OS), various drivers (both not shown), and the like are also stored in the disk devices 10A and 10B or the memories 11A and 11B.

  The CPUs 10A and 10B of the computers 1A and 1B read the mutual monitoring program P10, the terminal display program P11, the screen input / output program P12, and the business application P13 from the memories 11A and 11B, and execute them on the OS. In FIG. 2, the configurations of the software P1A and P1B are shown without distinguishing between the computer 1A and the computer 1B. When distinguishing between the computer 1A and the computer 1B, as shown in FIG. 3 and FIG. 4, either “A” or “B” is added to the code of each computer program.

  The mutual monitoring program P10 transmits / receives the survival notification information to / from the counterpart computer via the communication paths 40 and 41 for survival confirmation. Since the communication path of the survival notification information is duplicated, if a timeout occurs in only one of the communication paths 40 and 41, it is determined as a LAN failure. When a timeout occurs in both communication paths 40 and 41, the mutual monitoring program P10 determines that a failure has occurred in the counterpart computer.

  Further, after detecting the occurrence of a failure in the partner computer, if the survival notification information is received from the partner computer via at least one of the communication paths 40 and 41, the mutual monitoring program P10 The other party's computer is determined to have recovered from the failure.

  The mutual monitoring program P10 indicates that the terminal display program P11 indicates that the state of the partner computer has changed when the state of the partner computer has changed (change from the normal state to the failure state, or change from the failure state to the normal state). Notify

  The terminal display program P11 manages information of the terminals 2A and 2B displayed by the computers 1A and 1B. That is, the terminal display program P11 manages information such as which computer manages which terminal and what information (eg, IP address) is used to transmit the information input / output screen. Yes.

  The terminal display program P11 notifies the screen input / output program P12 of a backup instruction when the partner computer fails, and a backup cancellation instruction when a backup cancellation request is received from the terminal.

  If the counterpart computer is stopped when the computer is started up alone, the terminal backup process is executed by a notification from the mutual monitoring program P10. The computer that executes the terminal backup process provides an information input / output screen to a terminal under the control of the counterpart computer in addition to the terminal under the control of the own computer. That is, the computer that executes the terminal backup process uses the terminal associated with the partner computer like the terminal of its own computer. That is, the computer can extend the range of terminals that can use the computer by executing the terminal backup process.

  When two computers 1A and 1B are started up at the same time, each computer 1A and 1B provides an information input / output screen to a terminal to be managed as usual. The computer 1A provides an information input / output screen to the terminal 2A, and the computer 1B provides an information input / output screen to the terminal 2B. As described above, when the two computers 1A and 1B are started up simultaneously, the computers 1A and 1B do not perform the terminal backup process, and provide an information input / output screen only for the terminal 2 to be managed.

  When the terminal display program P11 receives a backup release request from the terminal 2, the terminal display program P11 notifies the terminal display program P11 of the counterpart computer of the backup state change.

  The screen input / output program P12 receives input / output information from the information input / output screen displayed on the terminal, and exchanges information with the business application P13. When a backup instruction is issued from the terminal display program P11, the screen input / output program P12 outputs information on the computer that executes the terminal backup process to the terminal to be backed up and displays it on the terminal screen. When a backup cancellation instruction is issued from the terminal display program P11, the screen input / output program P12 displays on the screen of the terminal to be canceled via the partner computer that the terminal backup processing has been completed.

  The business application P13 is a program specialized for each device. When backup cancellation is input from the terminal, input information from the screen input / output program P12 is received, and a backup cancellation request is notified to the terminal display program P11. The software configuration described above is merely an example, and a configuration other than the above may be used.

  (3) “Description of software operation”

  FIG. 3 is a time chart showing a processing procedure for the mutual monitoring program P10, the terminal display program P11, and the screen input / output program P12 to back up the terminal of the counterpart computer when the counterpart computer fails. Here, for the sake of easy understanding, an example will be described in which a failure occurs in the computer 1B and the computer 1A backs up the terminal 2B under the management of the computer 1B. A similar processing procedure is executed when a failure occurs in the computer 1A and the computer 1B backs up the terminal 2A under the management of the computer 1A.

  After the computer 1 is started, the mutual monitoring program P10 and the terminal display program P11 operate. In response to a request from the terminal 2A, one terminal display program P11A transmits an information input / output screen from the terminal information to the terminal 2A managed by its own computer 1A (S10A). The input from 2A is received (S11A, S12A).

  Similarly, the other terminal display program P11B transmits an information input / output screen in response to a request from the terminal 2B (S10B), and then receives an input from the terminal 2B (S11B, S12B). As a result, the administrator of the control center executes, for example, a change of the railway operation diagram, control of the power system, control of various devices in the plant, and the like via the information input / output screen.

  One mutual monitoring program P10A and the other mutual monitoring program P10B exchange survival notification information at a predetermined cycle. If the survival notification information can be received from the counterpart computer via one of the plurality of communication paths 40 and 41 within a predetermined time, the mutual monitoring program P10 determines that the counterpart computer is operating normally. If the survival notification information cannot be received from either of the communication paths 40 and 41 within the predetermined time from the other party computer, the mutual monitoring program P10 indicates that the other party computer is not operating normally, that is, an abnormal situation has occurred. It is determined that

  When the occurrence of a failure in the computer 1B is detected, the mutual monitoring program P10A of the computer 1A operating normally cannot receive the survival notification information from the counterpart computer 1B. When this state elapses for a certain period of time (life and death judgment time), a timeout occurs and a failure of the counterpart computer 1B is detected.

  Here, it is assumed that some trouble occurs in the computer 1B at time T1, and the computer 1B does not operate normally. The mutual monitoring program P10A of the computer 1A transmits the survival notification information to the computer 1B (S14), but the survival notification information does not reach from any of the communication paths 40 and 41 from the computer 1B. When the state in which the life notification information cannot be received from any of the communication paths 40 and 41 reaches a predetermined life / death determination time, the mutual monitoring program P10A of the computer 1A determines that a failure (abnormal state) has occurred in the computer 1B ( S15A). Here, at time T2, the mutual monitoring program P10A of the computer 1A determines that a failure has occurred in the computer 1B. For example, the predetermined life / death determination time can be expressed as a difference (= T2−T1) between the failure occurrence time T1 and the abnormality detection time T2.

  When the terminal display program P11A of the computer 1A receives a notification that a failure has occurred in the counterpart computer 1B from the mutual monitoring program P10A, the terminal 2B managed by the computer 1B in which the failure has occurred is included in the terminal information as a backup target. As a terminal.

  The terminal display program P11A transmits an information input / output screen toward the backup target terminal 2B, and starts backup display (S16A). When the backup display is completed on the screen of the backup target terminal 2B (S17A), the screen input / output program P12A receives an input from the backup target terminal 2B (S18). Accordingly, the terminal 2B that has used the computer 1B can access the computer 1A and use the business application P13.

  FIG. 4 shows a processing procedure for the mutual monitoring program P10, the terminal display program P11, and the screen input program P12 to release the terminal backup when the computer recovers from the failure.

  As described in FIG. 3, when a failure occurs in the computer 1B, the terminal display program P11A of the counterpart computer 1A operates. The terminal display program P11A automatically backs up the display on the terminal 2B managed by the failed computer 1B. The computer 1A transmits information input / output screens to both terminals 2A and 2B, and provides business application processing services (S20A). While the failure occurs in the computer 1B, the survival notification information from the computer 1B is not received from any of the communication paths 40 and 41 (S21).

  Here, it is assumed that the computer 1B has recovered from the failure at time T10. When the computer 1A receives the survival notification information from the counterpart computer 1B by the mutual monitoring program P10 via any one of the communication paths 40 and 41, the computer 1A detects that the computer 1B has recovered from the failure (S22A). Thereby, the exchange of the survival notification information by the mutual monitoring programs P10A and P10B is resumed (S23).

  By the way, the terminal display program P11A of the computer 1A does not notify the terminal display program P11B of the computer 1B only by the recovery of the computer 1B. That is, the terminal backup process is not automatically canceled only by the computer 1B recovering from the failure. This is because if the administrator automatically switches the connection destination computer during the business process using the backup target terminal 2B, the process in the middle of the work is wasted, and the usability is reduced. Therefore, the computer 1A waits for an explicit instruction from the backup target terminal 2B.

  For example, the administrator who is divided into tasks inputs an instruction to cancel the terminal backup process at time T11 (S24B). When the screen input / output program P12A of the computer 1A receives a backup cancel input (S25A), the backup display ends (S26A).

  When the terminal display program P11A of the computer 1A receives the backup release notification from the screen input / output program P12A, it notifies the counterpart computer 1B that the backup display has been released (S27A). That is, the computer 1A notifies the computer 1B that the state has changed from the backup state to the backup release state.

  When the computer 1B receives the backup release state from the counterpart computer 1A, the computer 1B transmits an information input / output screen in response to a request from the terminal 2B managed by the computer 1B (S28B). Is received (S29B).

  Thus, the cancellation of the terminal backup process is activated by terminal input from a user such as an administrator. If the backup display is suddenly canceled while the user is operating the terminal, input from the terminal may not be accepted. Therefore, in this embodiment, the user can instruct the cancellation of the backup display at an arbitrary determination. If an explicit cancel input is not required, the backup display may be automatically canceled after the computer is restored.

  Since the present embodiment is configured as described above, the following effects can be obtained. In this embodiment, when a failure occurs in any one of a plurality of computers that execute the same business application process, a normal computer is connected to a predetermined terminal associated with the failed computer. Provides an information input / output screen to use application processing. Therefore, normally, a plurality of computers that operate independently can be used to back up terminals under mutual management when an abnormal situation occurs. Thereby, even when a failure occurs in a computer, business application processing can be performed using a terminal associated with the computer, and work efficiency is improved.

  In this embodiment, the mutual operation state is monitored by transmitting and receiving information between the computers 1A and 1B. As described above, in this embodiment, since the failure is detected between the computers 1A and 1B without using the host device, the occurrence of the failure can be detected more quickly than in the case of detecting using the host device. . Therefore, the failure detection can be speeded up and the reliability of the system is improved.

  In the present embodiment, the computers 1A and 1B are connected by a plurality of physically different communication paths 40 and 41, and the survival notification information is transmitted and received through both communication paths 40 and 41. In this embodiment, when the survival notification information cannot be received from the communication paths 40 and 41 within a predetermined time, it is determined that a failure has occurred in the counterpart computer. When only one of the communication paths does not send the survival notification information, there is a possibility that the cause is, for example, a disconnection or a cable contact failure.

  Therefore, in this embodiment, when the life notification information cannot be received from any of the communication paths 40 and 41, it is determined that a failure has occurred. Therefore, it is possible to prevent the terminal backup process from being executed due to a minor failure, for example, when a timeout occurs due to a temporary overload. Thereby, it is possible to prevent the terminal backup process from being performed unnecessarily, and to suppress an increase in the load on the computer executing the terminal backup process. Therefore, it is possible to prevent the load on the computer executing the terminal backup process from increasing and the response of the business application process from being lowered, and the usability and system reliability are improved.

  In the present embodiment, when the survival notification information can be received via one of the communication paths 40 and 41, it is determined that the computer has recovered from the failure. As a result, in this embodiment, the terminal backup process can be terminated relatively early, and the load on the computer that assumed the display can be reduced.

  In the present embodiment, after the computer recovers from the failure, the terminal backup process is terminated after waiting for an explicit release input from the backup target terminal. Therefore, it is possible to prevent the process during the operation from being stopped or the terminal screen from being frozen, and the usability and the reliability of the system are improved.

  In addition, this invention is not limited to embodiment mentioned above. A person skilled in the art can make various additions and changes within the scope of the present invention.

  1A, 1B: Computer, 2A, 2B: Terminal, P1A, P1B: Software, P10A, P10B: Mutual monitoring program, P11A, P11B: Terminal display program, P12A, P12B: Screen input / output program, P13A, P13B: Business application, 40: first confirmation route, 41: second confirmation route

Claims (4)

A control system comprising a first computer and a second computer that operate independently and provide an information input / output screen to each terminal,
The first computer and the second computer are configured to be usable for both a two-system system and a multi-system system,
A first terminal and a second terminal are connected to the first computer and the second computer via an information input / output communication path, respectively.
The first computer and the second computer mutually monitor whether the counterpart computer is operating by a predetermined communication using the communication path for existence confirmation,
When the first computer and the second computer determine that a failure has occurred in the counterpart computer through the predetermined communication, the predetermined one associated with the counterpart computer among the first terminal and the second terminal. Terminal backup processing for providing the information input / output screen to the terminal of
In the backup process, the information input / output screen is generated for the predetermined terminal, and the generated information input / output screen is provided to the predetermined terminal via the information input / output communication path. And
The survival confirmation communication path includes a first confirmation path and a second confirmation path,
The first computer and the second computer mutually monitor whether the counterpart computer is operating by performing the predetermined communication using the first confirmation route and the second confirmation route, respectively. And
When a stop of the counterpart computer is detected on both the first confirmation route and the second confirmation route, the terminal backup process is executed ,
The system switching control unit when the first computer and the second computer are used in the multi-system system, the system switching control unit for the second confirmation when the first computer and the second computer are used in the two-system system Used for communication over routes,
Control system multiple computer operates independently. When the first computer and the second computer confirm the operation recovery of the counterpart computer through the predetermined communication in either the first confirmation route or the second confirmation route, the terminal backup process Exit,
A control system in which a plurality of computers according to claim 1 operate independently. The first computer and the second computer terminate the terminal backup process when a predetermined release notification is input from the predetermined terminal after confirming the operation recovery of the counterpart computer.
A control system in which a plurality of computers according to claim 2 operate independently. The first computer and the second computer are configured to execute the same business application process,
The business application process is any one of railway operation management control, power system management control, and plant monitoring control.
Control system in which a plurality computers operates independently of any of claims 1-3.

Images