JP6257345B2 - Communication control device and failure recovery method - Google Patents

Description

  The present invention relates to a communication control apparatus that holds system data and the like necessary for operation in a nonvolatile manner, and more particularly, to a communication control apparatus that is provided for Internet service and is difficult to recover immediately when a failure occurs in an end user's home. The present invention relates to a communication control device having a function of detecting and automatically recovering from a failure caused by an abnormality, and a failure recovery method thereof.

  A conventional communication control device uses a check code (parity, checksum, operation history, etc.) as a mechanism for detecting an abnormality in a part or the whole of a data set in which a plurality of system data held inside is integrated. A means for giving is taken (see, for example, Patent Document 1). These means detect data abnormality or possibility of abnormality by inspecting the inspection code when reading data or periodically. In addition, as a data recovery means when an abnormality is detected, a method of correcting the data by calculation from the redundant information of the inspection code, or holding one or more copies of the data set or past history, and normal data when the abnormality is detected The method of replacing with a set is taken.

JP 2006-270859 A

  Since the conventional communication control apparatus is configured as described above, there is a problem that only an abnormality that has occurred at a later stage of processing or a part corresponding to a lower layer can be detected than a functional part to which an inspection code is assigned. For example, when an illegal content is stored due to a failure of a nonvolatile memory, a power failure during writing, an abnormality of a writing function due to a malfunction, an abnormality can be detected. On the other hand, if data that is illegal for the upper function is passed to the write function due to a malfunction of the upper application software that uses the write function, an inspection code that includes the incorrect data is assigned to the data set. Therefore, no abnormality can be detected. Therefore, when the communication function of the device is hindered due to the illegal data, it cannot be recovered unless the device is replaced.

  In recent years, there are increasing opportunities to incorporate open source software and general sales software in communication control devices. If the logical destruction of data is caused by potential problems such as security holes caused by these black box software, or a combination of them, there is a risk of holding illegal data that causes abnormal operation of the entire device in a nonvolatile manner. It is up. Failures caused by data corruption continue until the cause data is repaired. Therefore, when the data is held in a non-volatile manner, there is a problem that the operation cannot be recovered by means that can be performed by a general end user, such as restarting the apparatus or turning on the power again.

  The present invention has been made to solve the above-described problems, and does not depend on means for detecting only a cause of failure assumed in advance in the design of an inspection code or the like, and non-volatile illegal data generated due to an unspecified cause. It is an object of the present invention to provide a communication control device and a failure recovery method capable of automatically recovering from a failure state caused by a failure.

Communication control apparatus according to the present invention includes a storage unit for storing the system data used by software execution modules and the software execution modules, the redundant configuration, after starting the start of its own, storage unit or Raso software execution module and by executing the system data is read, the process starting unit that performs activation of the process and, after activation start of the process by the process startup unit determines the activation determination unit for determining activation of the process is completed by the set time And a restart instructing unit that causes the process starting unit to perform redundancy switching of the software execution module to be used and restarts when the start determining unit determines that the start has not been completed, and a restart by the process starting unit If the activation determination unit determines that the activation has not been completed again, the restart instruction is issued. Before treatment with, in which a data recovery unit for performing repair the system data stored in the storage unit.

Furthermore, error recovery method according to the present invention, the storage unit, a storing step of storing the system data used by software execution modules and the software execution modules, the redundant configuration, the process starting unit, activation of its own after the start, the storage unit or Raso software execution module and system data by performing reads out a process startup step of starting the process, the activation determination section, the process of activation after the start by the process startup unit, the set time A software execution module to be used for the process activation unit when the activation determination unit determines whether the activation of the process has been completed by the activation determination unit and the activation instruction unit Restart instruction step for restarting by performing redundant switching of data, and data The recovery unit, after the restart is performed by the process startup unit, when it is determined that activation is not completed again by activation determination unit, the pretreatment with restart instructing section, system stored in the storage unit And a data repairing step for repairing data.

  According to the present invention, since it is configured as described above, it is not dependent on means for detecting only the cause of failure assumed in advance in the design of inspection codes or the like, and automatically from a failure state due to non-volatile illegal data generated by an unspecified cause. It can be recovered.

It is a figure which shows the general whole structure of the communication control apparatus which concerns on Embodiment 1 of this invention. It is a figure which shows the data stored in the memory | storage part in Embodiment 1 of this invention. It is a figure which shows the software internal structure of the process part in Embodiment 1 of this invention. It is a time chart which shows the software operation | movement of the communication control apparatus which concerns on Embodiment 1 of this invention. It is a figure which shows the software internal structure of the process part in Embodiment 2 of this invention. It is a time chart which shows the software operation | movement of the communication control apparatus which concerns on Embodiment 2 of this invention. It is a time chart which shows the software operation | movement of the communication control apparatus which concerns on Embodiment 2 of this invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Embodiment 1 FIG.
FIG. 1 is a diagram showing a general overall configuration of a communication control apparatus according to Embodiment 1 of the present invention.
As shown in FIG. 1, the communication control device includes a processing unit 1, a communication controller 2, a storage unit 3, and an external interface unit 4.

  The processing unit 1 transmits / receives communication data to / from Ether Net (registered trademark), a telephone line, a wireless LAN, and the like through the external interface unit 4. Further, the processing unit 1 is equipped with a user interface and provides data setting and display functions to the operator. The processing unit 1 includes a CPU and software. The internal software configuration of the processing unit 1 will be described later.

  The communication controller 2 assists the communication function of the processing unit 1. That is, the received packet data is selected and passed to the processing unit 1, the transmission packet is assembled and transferred to the external interface unit 4 based on a rule set in advance from the processing unit 1, and a plurality of interfaces in the external interface unit 4 It performs operations such as sending / receiving and transferring packet data between them.

  The storage unit 3 is a non-volatile memory that stores data necessary for the communication control device to operate. As shown in FIG. 2, the storage unit 3 includes a software execution module for starting a process (service process), system data (operation values) used by the software execution module, user data, and initial data of the system data. Stored. The data stored in the storage unit 3 is read by the processing unit 1 or the update data is written by the processing unit 1, whereby the apparatus operates.

Here, specific examples of system data include line type, route information, IP address, various filter settings, and other operation logs. The line type is the type of line connected to the external interface unit 4. The route information is route information of communication data until it is received by the communication control device, and route information of communication data transmitted from the communication control device. Further, it may be identification information (for example, an IP address) of a device (one or a plurality) on the route. The IP address is the IP address of the own device.
The system data is updated when the communication control apparatus is operated. For example, the line type or the like is checked at the time of activation or at regular intervals, and the system data is updated if it is different from the previous time. In the case of an IP address that changes dynamically, the system data is updated each time the address changes.

  The software execution modules have a redundant configuration and are stored in the storage unit 3 in two. One software execution module is used for startup, and the other software execution module is a backup. In the following, for the sake of convenience, the former will be referred to as one surface and the latter as two surfaces.

Next, an internal configuration of software that operates in the processing unit 1 will be described with reference to FIG.
As shown in FIG. 3, the processing unit 1 includes a device control unit 11 and a timer control unit 12.

  The device control unit 11 is responsible for starting up the entire software. The apparatus control unit 11 includes a timer setting unit 111, a process activation unit 112, an activation determination unit 113, a restart instruction unit 114, and a data restoration unit 115.

  The timer setting unit 111 sets a value (setup completion timer) counted by the timer control unit 12 for the timer control unit 12 after starting the communication control device.

  The process activation unit 112 activates a process necessary for providing a function to the user after the communication control apparatus is activated. At this time, the process activation unit 112 sequentially reads and executes the software execution modules from the storage unit 3 and appropriately reads the system data from the storage unit 3 and proceeds with the processing while performing various settings necessary for the operation. . Note that there may be a plurality of processes to be activated, and the processes may be activated one by one or may be activated all at once. Each process is configured to notify the apparatus control unit 11 of completion when activation is completed.

  The activation determination unit 113 starts the process activation by the process activation unit 112 and waits for a set time (before receiving a time-out notification from the timer control unit 12). It is determined whether startup of all processes) is completed. At this time, the activation determination unit 113 determines whether the activation is completed by determining whether an activation completion notification is received from the process activated by the process activation unit 112.

  When the activation determination unit 113 determines that the activation has not been completed, the restart instruction unit 114 causes the process activation unit 112 to perform redundancy switching of the software execution modules to be used and to restart.

  After the restart is performed by the process activation unit 112, the data restoration unit 115 is stored in the storage unit 3 before the process by the restart instruction unit 114 when the activation determination unit 113 determines that the activation is not completed again. The corresponding system data stored in is repaired.

  After the setup completion timer is set by the timer setting unit 111, the timer control unit 12 counts the setup completion timer and notifies the device control unit 11 of a timeout when the set time has elapsed. .

Next, the operation of the communication control apparatus configured as described above will be described with reference to FIG. In FIG. 4, it is assumed that there is an abnormality in the system data that is updated when the communication control apparatus is operated, not the software execution module that is not updated when the communication control apparatus is operated.
In the operation of the communication control device, as shown in FIG. 4, first, the timer setting unit 111 sets a setup completion timer in the timer control unit 12 after starting the communication control device (step ST401). Then, the timer control unit 12 starts counting the setup completion timer (step ST402).

  In addition, the process activation unit 112 activates a process necessary for providing a function to the user after the communication control apparatus is activated (step ST403, process activation step). At this time, the process activation unit 112 sequentially reads and executes the software execution modules from the storage unit 3 and appropriately reads the system data from the storage unit 3 and proceeds with the processing while performing various settings necessary for the operation. . Each process then notifies the apparatus control unit 11 of completion when activation is completed. Here, the software execution module used by the process activation unit 112 is one side.

  Thereafter, the timer control unit 12 counts the setup completion timer and notifies the device control unit 11 of a timeout when the set time has elapsed (step ST404).

Next, the activation determination unit 113 determines whether an activation completion notification has been received from the process after the process activation by the process activation unit 112 and before receiving a timeout notification from the timer control unit 12 (step ST405, activation determination step). ).
In step ST405, the activation determination unit 113 determines that the activation is completed when it is determined that the process activation unit 112 has received the activation completion notification from the process activated, and the communication control apparatus shifts to the operation state. To do. FIG. 4 shows a case where some kind of failure occurs in the process and the start completion notification cannot be returned to the apparatus control unit 11.

  On the other hand, if the activation determination unit 113 determines in step ST405 that it has not received activation completion notification from the process activated by the process activation unit 112, it determines that activation has not been completed, and restart instruction unit 114 causes the process activation unit 112 to perform redundancy switching of the software execution modules to be used and to restart (steps ST406 and 407, restart instruction step). That is, the restart instruction unit 114 assumes that there is some abnormality in the software execution module stored in the storage unit 3, and restarts by switching the software execution module used by the process startup unit 112 from one side to two sides. Let

In this restart, similarly to the above, the timer control unit 12 counts the setup completion timer, the timer control unit 12 starts counting the setup completion timer, and the process activation unit 112 sequentially activates the processes ( Steps ST408 to 410, process starting step).
Thereafter, the timer control unit 12 counts the setup completion timer and notifies the apparatus control unit 11 of a timeout when the set time has elapsed (step ST411).

Next, the activation determination unit 113 determines whether an activation completion notification has been received from the process after the process activation by the process activation unit 112 and before receiving a timeout notification from the timer control unit 12 (step ST412, activation determination step). ).
In step ST412, the activation determination unit 113 determines that the activation is completed when it determines that the process activation unit 112 has received activation completion notification from the process activated, and the communication control apparatus shifts to the operation state. To do. FIG. 4 shows a case where some kind of failure occurs in the process and the start completion notification cannot be returned to the apparatus control unit 11.

  On the other hand, in step ST412, if the activation determination unit 113 determines again that the activation of the process is not received from the process activated by the process activation unit 112, it is determined that the activation has not been completed, and the data restoration is performed. Unit 115 restores the corresponding system data stored in storage unit 3 (step ST413, data restoration step). That is, the data restoration unit 115 assumes that there is some abnormality in the system data stored in the storage unit 3 and restores the system data.

  FIG. 4 shows an example in which the data restoration unit 115 initializes the system data using the initial data stored in the storage unit 3 as system data restoration means. However, the present invention is not limited to this, and a method for replacing the system data with a backup in the same manner as the software execution module or holding the generation data updated in the past and replacing it with this. But you can. Further, after the initialization or replacement, a method of acquiring necessary data from an external device when the communication function operates normally may be combined.

  Next, after the system data is restored by the data restoration unit 115, the restart instruction unit 114 causes the process activation unit 112 to perform redundant switching (switching from the first screen to the second screen) of the software execution module to be used. Reactivation is performed (steps ST414, 415, reactivation instruction step).

As described above, according to the first embodiment, since the abnormality of the device operation itself is detected, the data recovery is executed when the non-volatile retained data is illegal as the possibility of the abnormality. It is possible to automatically recover from a failure state caused by non-volatile illegal data generated due to an unspecified cause without depending on a means for detecting only a failure cause assumed in design such as an inspection code. Then, when trying to restart due to a process error, by restoring nonvolatile system data to a bootable content, even if an error depends on the data, it does not fall into the event of repeated restarts, and communication control The possibility of successfully starting the device is increased.
As a result, the failure state caused by the generation of illegal data due to the security hole by the black box software or the malfunction of the upper application can be solved, and the communication control device can be restored to the normal operation state. As a result, when a failure occurs, the end user can quickly receive the support and service of the communication service provider. In addition, the communication service provider is not a method that takes time and cost such as replacement of a communication control device, but has an effect of performing user support by remote maintenance means or recovering a failure and restarting the service.

Embodiment 2. FIG.
In the first embodiment, the example of data restoration in the event that the process is not completely started when the communication control device is started has been described. On the other hand, not only during startup but also during operation of the process, for example, abnormality detection by range judgment when using system data, process no response detection, watchdog timeout, conditional branch establishment beyond design assumptions, Combining with known anticipated events, such as process shutdown by the operating system, can further increase the likelihood of failure recovery. Hereinafter, a configuration for recovering from a failure when a failure occurs in an operating process will be described.
FIG. 5 is a diagram showing an internal software configuration of the processing unit 1 according to the first embodiment of the present invention. The processing unit 1 in the second embodiment shown in FIG. 5 is obtained by adding a failure detection unit 116, a failure information storage unit 117, and a failure information determination unit 118 to the processing unit 1 in the first embodiment shown in FIG. . Other configurations are the same, and only the different parts are described with the same reference numerals.

  The failure detection unit 116 detects a failure that has occurred in an operating process. Here, as the failure detection means by the failure detection unit 116, there are a health check for making an inquiry for confirming the normality of the process, monitoring of the response of processing entrusted to the process, and the like. When the health check is performed, the timer setting unit 111 sends the value (health check completion timer) counted by the timer control unit 12 to the timer control unit 12 when the failure detection unit 116 performs the health check. Set. In addition, there may be a plurality of processes for which the failure detection unit 116 detects a failure.

The failure information storage unit 117 is a non-volatile memory that stores information indicating a failure when the failure detection unit 116 detects a failure.
The failure information determination unit 118 determines whether the same failure has occurred based on information stored in the failure information storage unit 117 when a failure is detected by the failure detection unit 116.

Note that the restart instruction unit 114 restarts the process corresponding to the process starting unit 112 when a failure is detected by the failure detecting unit 116.
Further, the data restoration unit 115 restores the system data stored in the storage unit 3 before processing by the restart instruction unit 114 when the failure information determination unit 118 determines that the same failure has occurred. .

Next, the operation of the communication control apparatus configured as described above will be described with reference to FIG. In FIG. 6, it is assumed that the failure detection unit 116 periodically performs a health check on the process as a failure detection unit to detect no response of the process.
In the operation of the communication control device, as shown in FIG. 4, first, the timer setting unit 111 sets a health check completion timer for the timer control unit 12 while the communication control device is in operation (step ST601). Then, the timer control unit 12 starts counting the health check completion timer (step ST602).

  In addition, the failure detection unit 116 performs a health check on the process, and makes an inquiry to confirm the normality of the process (step ST603, failure detection step).

  Thereafter, when the timer control unit 12 counts the health check and the set time has elapsed, the timer control unit 12 issues a timeout notification to the device control unit 11 (step ST604).

Next, after the health check, the failure detection unit 116 determines whether there is a response from the process before receiving a timeout notification from the timer control unit 12 (step ST605, failure detection step).
In step ST605, when the failure detection unit 116 determines that there is a response from the process that performed the health check, it determines that no failure has occurred, and the sequence returns to step ST601. FIG. 6 shows a case where there is no response from the process.

On the other hand, if the failure detection unit 116 determines in step ST605 that there is no response from the process that performed the health check, it determines that a failure has occurred, and the failure information storage unit 117 stores information indicating the failure. Store (step ST606, failure information storage step).
After that, the restart instruction unit 114 restarts the process corresponding to the process starting unit 112 (step ST607, restart instruction step). This restart is the same operation as in the first embodiment, and the description thereof is omitted (steps ST608 to 614).

Thereafter, when the process activation is completed, the operation is started, and the timer control unit 12 counts the health check completion timer in the same manner as described above, and the timer control unit 12 starts counting the health check completion timer. The detection unit 116 performs a health check on the process (steps ST615 to 617, failure detection step).
Thereafter, when the timer control unit 12 counts the health check completion timer and the set time has elapsed, the timer control unit 12 notifies the device control unit 11 of a timeout (step ST618).

Next, after the health check, the failure detection unit 116 determines whether or not there is a response from the process before receiving a timeout notification from the timer control unit 12 (step ST619, failure detection step).
In step ST619, when the failure detection unit 116 determines that there is a response from the process that performed the health check, it determines that no failure has occurred, and the sequence returns to step ST601. FIG. 6 shows a case where there is no response from the process.

On the other hand, if the failure detection unit 116 determines in step ST619 that there is no response from the process that performed the health check, it determines that a failure has occurred, and the failure information storage unit 117 displays information indicating the failure. Store (step ST620, failure information storage step).
Next, the failure information determination unit 118 determines whether the same failure has occurred based on the information stored in the failure information storage unit 117 (step ST621, failure information determination step).

In step ST621, when the failure information determination unit 118 determines that the same failure has occurred, the data restoration unit 115 restores the system data stored in the storage unit 3 (step ST622, data restoration). Step). That is, the data restoration unit 115 confirms that the failure of the same factor has repeatedly occurred, assumes that the failure is caused by the system data, and restores (initializes) the system data.
Thereafter, the restart instruction unit 114 restarts the process corresponding to the process start unit 112 (step ST623, restart instruction step).

  As described above, according to the second embodiment, in addition to the effects of the first embodiment, since it is configured to detect a failure during operation, a repeated failure of a specific service that occurs after the apparatus is successfully started up However, the possibility that the fault state can be resolved is increased.

  In the present invention, within the scope of the invention, any combination of the embodiments, or any modification of the components of the embodiments, or omission of any components of the embodiments can be made. is there.

  DESCRIPTION OF SYMBOLS 1 Processing part, 2 Communication controller, 3 Memory | storage part, 4 External interface part, 11 Apparatus control part, 12 Timer control part, 111 Timer setting part, 112 Process start-up part, 113 Start-up determination part, 114 Restart instruction | indication part, 115 Data Repair unit 116 Failure detection unit 117 Failure information storage unit 118 Failure information determination unit

Claims (3)

A storage unit for storing the system data to be used in redundant configuration of the software execution modules and the software execution module,
After starting activation of its own equipment, by running from the storage unit reads the software execution modules and system data, and process startup unit is used to start the process,
An activation determination unit that determines whether the activation of the process is completed by a set time after the activation of the process by the process activation unit;
When it is determined that the activation has not been completed by the activation determination unit, a restart instruction unit that causes the process activation unit to perform redundancy switching of the software execution module to be used, and to restart,
After the restart is performed by the process startup unit, the start if the activation determination unit again by are determined not completed, the prior treatment with restart instructing section, the systems stored in the storage unit A communication control device comprising a data restoration unit for restoring data. A fault detection unit that detects a fault that has occurred in an operating process;
A failure information storage unit that stores information indicating the failure when a failure is detected by the failure detection unit;
A failure information determination unit that determines whether the same failure has occurred based on information stored in the failure information storage unit when a failure is detected by the failure detection unit;
The restart instruction unit, when a failure is detected by the failure detection unit, to restart the process in the process startup unit,
The data restoration unit restores the system data stored in the storage unit before processing by the restart instruction unit when it is determined by the failure information determination unit that the same failure has occurred. The communication control apparatus according to claim 1, wherein: The storage unit, a storing step of storing the system data to be used in redundant configuration of the software execution modules and the software execution module,
The process startup unit, after activation start of its own equipment, by running from the storage unit reads the software execution modules and system data, and process start step of starting the process,
An activation determination step for determining whether the activation of the process has been completed by a set time after the activation of the process by the process activation unit by the activation determination unit;
When the restart instruction unit determines that the activation has not been completed by the activation determination unit, a restart instruction step for causing the process activation unit to perform redundancy switching of the software execution module to be used and restarting,
When the data restoration unit determines that the activation has not been completed again by the activation determination unit after the process activation unit has been restarted, before the processing by the restart instruction unit, in the storage unit error recovery method and a data restoration step of performing repairs of the stored the system data.

Images