JPH09179836A - Multiplied computer and its fault detection processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To carry on a process even when it can not be demarcated which processing unit is abnormal by conventional technology. SOLUTION: Memory controllers 330A and 330B monitor the consistency of data among processing units in their systems 310 (31-A-1 and 310A-2, and 310B-1 and 310B-2). Further, an address detecting circuit 350A monitors addresses outputted by the processing units 310 to judge whether or not the processing units 310 are in exceptional process states. In case of data inconsistency, interface controllers 340 (340A and 340B) disconnect the system. Even when an exceptional process state is entered although the data are consistent, the system is also disconnected. The disconnection, however, is made after collating circuits 360A and 350B confirm the state of the other system. A system which takes over the process is made to perform a self-diagnosing process.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a multiplexing computer having a central processing unit in which a plurality of processing units synchronously perform the same processing, and a failure detection processing method thereof.

[0002]

2. Description of the Related Art In recent years, a data processing system has been playing an important role as an element supporting a social infrastructure such as a traffic control system and a financial system. In such a social background, the improper data generated due to the failure of the data processing system and the suspension of the data processing system due to the improper data has a great influence on the society. Therefore, it is a very important issue to maintain the validity of the data handled by the processing system and the continuity of the processing.

As a technique for detecting the unjustness of data in a processing system that requires such high reliability,
For example, there is US Pat. No. 5020024. In this technique, a central processing unit having a function of comparing output data between dual processors is duplicated. Then, the inconsistency of the control signals that should be the same between the central processing units is detected. This technique has a high fault detection rate because it can detect faults that could not be detected only by comparing the data in each central processing unit.

[0004]

In the above-mentioned known example, the abnormality of the multiplexed processing device is detected by detecting the inconsistency of the control signals within the system and the inconsistency of the control signals between the systems. . Even if the data of either system is valid, if a mismatch occurs, the processing of the processing device is stopped. Improving the fault detection rate by such a function is one of the important factors in a computer system that requires high reliability. But,
After the failure is detected, it is also important to continue the processing without causing the system to go down. This processing continuity depends on the degree of completion of the program, but
There is also room for improvement in terms of hardware.

The present invention provides a multiplex computer capable of continuing processing without causing a system down even when an abnormal condition cannot be determined by the conventional system, and a fault detection process therefor. The purpose is to provide a method.

It is an object of the present invention to provide a processing device that takes over (or continues) processing when a failure occurs, and a multiplexing computer capable of confirming that there is no real abnormality in peripheral hardware.

[0007]

Means for Solving the Problems The present invention has been made to achieve the above-mentioned object, and the first aspect thereof is as follows.
A failure detection processing method in a multiplexing computer, which comprises a plurality of systems having a plurality of multiplexed processing devices, and continues processing by changing the connection relationship between these systems and an external device when an abnormality occurs If the abnormality cannot determine which of the outputs of each of the processing devices is valid, check the processing state of each of the processing devices of each of the systems, and as a result of the check, the processing device is A system in a state where predetermined exception processing is being executed (hereinafter referred to as “exception processing state”), and a state in which the processing device is not executing predetermined exception processing (hereinafter referred to as “normal processing state”) If there is a system in), it is special that the process after that is taken over by the system in the normal processing state. Fault detection processing method in multiplexing computer and is provided.

According to a second aspect of the present invention, a plurality of systems including a plurality of multiplexed processing devices are provided,
In a multiplexing computer that continues processing even when a failure occurs by changing the connection relationship between these systems and external devices, each of the above systems may not have the same processing result between the processing devices of its own system. And a processing state of the processing device that is multiplexed in its own system, a state in which a predetermined exception processing program is being executed (hereinafter referred to as "exception processing state"),
The processing state determining means for determining whether the exception processing program is not being executed (hereinafter referred to as “normal processing state”) and the processing states of the multiplexed processing devices of other systems are When the other system processing state confirming means for confirming the exceptional processing state or the normal processing state and the inconsistency detecting means of the own system detect a mismatch, or the processing state determining means of the own system When it is determined that the system is in an exceptional processing state and the other system processing state confirmation means confirms that there is a system in the normal processing state, a switching means for disconnecting the own system from the external device, There is provided a multiplexing computer characterized by having.

Each of the above-mentioned systems further determines that the mismatch detection means of its own system detects a mismatch, or that the processing state determination means of its own system is in an exceptional processing state and the other system processing state. When the confirming means confirms that the system in the normal processing state exists, the requesting means for requesting the other system to confirm whether or not the own system may be disconnected from the external device. , If it is requested to confirm whether or not the other system may be disconnected from the other system, if it is possible to confirm the status of the own system and take over the processing that the other system was performing. Response means for outputting to the other system a permission signal permitting disconnection of the other system from the external device, and the switching means responds to the request from the requesting means of the other system. When the permission signal is returned from the above response means of Only, it is preferable autologous those which separated from the external device.

It is preferable that the switching means connects the own system to the external device when the response means outputs the permission signal to another system.

The processing state determining means is provided with an address (hereinafter referred to as "exception processing address") indicating an area in which the exception processing program is stored, and the address accessed by the processing device is the exception processing address. It may be determined whether or not, and as a result of the determination, if the exception processing address is accessed, it is determined that the exception processing state is in effect.

When the processing state determining means determines that the system is in the normal state and the other system processing state confirming means confirms the existence of another system in the exceptional processing state, the system in the normal state is detected. The processing device may be for self-diagnosis.

According to a second aspect of the present invention, a plurality of systems including a plurality of multiplexed processing devices are provided,
When a failure occurs, in the failure detection processing method in the multiplex computer that continues processing by changing the connection relationship between these systems and external devices, check the processing status of each processing device of each system, A system that is in the state of executing a specified exception handling program (hereinafter referred to as "exception handling state"),
If there is a system in a state where the processing device is not executing a predetermined exception handling program (hereinafter referred to as "normal processing state"), the system in the normal processing state takes over the subsequent processing. A failure detection processing method in a multiplexed computer is provided.

The operation of the present invention will be described based on the above-mentioned configuration.

The inconsistency detecting means monitors whether or not inconsistency occurs in the processing result between the processing devices which are multiplexed in the own system. In parallel with this, the processing state determination means determines whether the processing device of its own system is in the exceptional processing state or the normal processing state. This determination is made, for example, by monitoring the address accessed by the processing device. If the accessed address is the area in which the exception processing program is stored, it can be seen that it is in the exception processing state. The other system processing state confirmation means confirms whether the processing device of the other system is in the exceptional processing state or the normal processing state.

The switching means disconnects its own system from the external device in any of the following cases.

When the mismatch detection means of the own system detects a mismatch.

When the processing status judging means of the own system judges that it is in the exception processing status and the other system processing status checking means judges that there is a system in the normal processing status.

When the connection between the external device and the multiplexing computer is multiplexed (that is, when the external device itself is also multiplexed and each system is connected to each external device), In this way, it is possible to simply separate the own system. After this, the processing is taken over by the other multiplexed system.

However, when the connection relationship between the external device and the multiplexing computer is not multiplexed, sudden disconnection may prevent other systems from taking over the processing and interrupting the processing. To be Therefore, in such a case, it is preferable to perform the disconnection after confirming the possibility of disconnection as described below.

That is, in any of the above cases, the requesting means requests the other system to confirm whether or not the own system may be disconnected from the external device. The response means of the system receiving this request confirms the state of the system to which it belongs.
If the own system can take over the processing performed by the requesting system, the permission signal is output to the other system (the system requesting confirmation of the possibility of disconnection). When the permission signal is returned from the response means of the other system in response to the request output by the request means of the own system, the switching means disconnects the own system from the external device. On the other hand, the system switching means that has output the permission signal connects its own system to an external device.

When the processing state judging means judges that the own system is in the normal state, and the other system processing state checking means confirms the existence of another system in the exceptional processing state (that is, If both the system in the normal state and the system in the exception handling state exist). In such a case, the processing device of the system in the normal state performs self-diagnosis. As a result, the processing device of the system in this normal state can confirm that its own system is normal.

[0023]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings.

This embodiment is a dual computer to which the fault processing method in the multiple computer of the present invention is applied. First, the outline of the duplicated computer of this embodiment will be described with reference to FIG.

This computer is a fault-tolerant computer system having two systems (A system and B system).

The A system is a processing device 310A-
A central processing unit 300A including 1,310A-2, an input / output device group, and the like. Processing device 310A
-1 and the processing device 310A-2 execute the same processing in synchronization with each other.

The B system has the same configuration as the A system,
The central processing unit 300B includes processing units 310B-1 and 310B-2, an input / output unit group, and the like.

In the fault-tolerant computer system, the same processing is performed not only within the system but also between the systems (that is, the A system and the B system) in synchronization with each other. One of the two systems is the master system and the other is the slave system. When a failure occurs in the master system for some reason, the master system is immediately disconnected, and after that, the slave system continues processing.

Hereinafter, the description will be made on the assumption that the A system is operated as the main system and the B system is operated as the slave system. Further, the "exception processing state" described below is a state in which special processing (exception processing) performed when some abnormality occurs in the processor.

As described above, the right half (B system) and the left half (A system) of the figure have exactly the same configuration, and therefore, the left half A system portion will be described here.

The A-system central processing unit 300A will be described.

The central processing unit 300A includes processing units 310A-1 and 310A-2 and a main storage unit 320.
A, processor memory control device 330A, inter-processor system interface control device 340A, exception processing address access detection circuit 350A, other system exception processing collation circuit 36
It consists of 0A. Further, various signal lines for exchanging data and the like between these respective units, the B system, and the transmission bus are provided. In the following, the signals input / output through each signal line may be referred to by the reference numerals attached to the signal line. For example, a signal input / output through the signal line 610 may be referred to as a signal 610.

The processing device 310A-1 and the processing device 310A-2 are completely the same general-purpose processing device.

The main memory 320A stores instructions and data.

The processor memory control unit 330A connects the processing units 310A-1 and 310A-2, the main storage unit 320A and the system bus 370A. This is mainly the processing device 310A.
-1,310A-2 access to the data line 504
It plays a role of transmitting to the main storage device 320A and the system bus 370A via the. Also, the system bus 370
It plays a role of transmitting the access from A to the main storage device 320A. Further, the processor memory controller 33
0A is the output signal 5 of the processing device 310A-1.
00A and the output signal 502A of the processing device 310A-2, the processing device 31
It also plays the role of monitoring the presence or absence of 0 abnormalities. If the outputs of the two processing devices 310A-1 and 310A-2 do not match, it means that some abnormality has occurred in one of the processing devices.

Exception processing address access detection circuit 350
A is for detecting whether or not the processing device 310A-1 is in the exception processing state. The exception handling address access detection circuit 350A has an address where the exception handling routine is stored. Then, by monitoring the address accessed by the processing device 310A-1, it is determined whether or not this exception handling routine is accessed (that is, the processing device 3).
10A-1 is in the exception processing state).

The other-system exception handling collation circuit 360A checks the states of the A-system and the B-system to determine whether the state at that time corresponds to a special state described later.
In the case of this special case, the other-system exception handling collation circuit 360A outputs the signal 6 for requesting disconnection of the A-system.
06A is output. The other system exception handling collation circuit 360A
Has acquired the state of the A system by the output signal 610 of the exception processing address access detection circuit 350A and the output signal 604A of the processor memory control device 330A. On the other hand, the state of the B system is the signal lines 612 and 624 between the central processing unit 300A and the B processing central processing unit 300B.
Have earned through. It should be noted that the special state means that the data inconsistency does not occur in the A system, but the processing device 310A is in the exception processing state, while the B system has the processing device 310B in the exception processing state. In addition, it refers to the state where no data inconsistency has occurred. Note that this point will be described later in detail with reference to FIG.

Inter-processor system interface controller 3
Reference numeral 40A is for passing information indicating the state of the central processing unit through the signal lines 622 and 624 between the central processing unit 300A and the B-system central processing unit 300B. When the signal 606A is output from the other system exception handling collation circuit 360A, the inter-processor system interface control device 340A sends a request signal 622 for confirming whether or not the A system may be disconnected, to the central processing unit 300B. It is designed to output to. Also,
Error signal 60 from processor memory controller 330A
Similarly, when 4A is output, a request signal 622 for confirming whether or not the A system may be disconnected is also output. On the other hand, when there is a request signal from the B system, in response to this, confirmation and the like are made and a reply is made. This processor-system interface controller 34
Details of 0A and details of the information to be transferred will be described later.

In the system of this embodiment, not only the central processing unit 300 but also the input / output bus 520 is duplicated. Central processing unit 300A and central processing unit 3 described above
00B is connected to input / output buses 520A and 520B, respectively. In order to realize such a connection relationship,
The system bus 518 that connects the input / output bus 520 and the central processing unit 300 is also duplicated. That is, the duplex system bus 518A connects the central processing unit 300A and the central processing unit 300B to the input / output bus 520A. Similarly, the duplex system bus 518B connects the central processing units 300A and 300B to the input / output bus 520B. These duplex system buses 518A and 518B are the multiple system bus adapters 3
80A-1, 380A-2, 380B-1, 380B-
The central processing unit 300 and the input / output bus 520 can be connected / disconnected independently of each other. That is, the multiple system bus adapter 380 is connected to the central processing unit 300 and the input / output bus 52.
It constitutes a kind of selector for changing the correspondence with 0. Normally, the input / output of the central processing unit 300A is through the input / output bus 520A, while the central processing unit 300A
Input / output of B is set to be performed through the input / output bus 520B.

As described above, the central processing unit 300A
And the central processing unit 300B is simultaneously performing the same processing. Therefore, the multi-system bus adapter 380A-
1 is from the central processing unit 300A, and the multi-system bus adapter 380B-1 is from the central processing unit 300B.
At the same time, the access to the duplex system bus 518A is received. However, typically, the multi-system bus adapter 380
Only the access from the central processing unit 300A is transmitted to the duplex system bus 518A by A-1. Access from the central processing unit 300B is blocked by the multi-system bus adapter 380B-1.

On the other hand, access from the duplex system bus 518A is performed by the multiple system bus adapter 380A-1,
380B-1 receives it at the same time and transmits it to each central processing unit 300A and 300B at the same timing. The same applies to the multiple system bus adapters 380A-2 and 380B-2.

Next, the operation when a mismatch of processed data occurs in the system will be described.

Here, in an operation involving access to the main storage device 320A, the processing device 310A-
A case where the processing data of No. 1 and the processing data of the processing device 310A-2 do not match will be described. Processing device 310B-1 and processing device 3
It is assumed that the processing data of 10B-2 match.

At the time of writing to the main storage device 320A, the access from the processing device 310A-1 is made via the processor memory control device 330A.
It is output to A. In this case, the processor memory control device 330A has the processing data output from the processing device 310A-1 and the processing device 310A.
The processed data output from A-2 is compared. Then, as a result of this comparison, if a mismatch is detected, an error signal 604A is output to the other system exception processing collation circuit 360A and the inter-processor system interface control device 340A. Note that in FIG. 2, the circuit configuration is drawn in a form in which the logic element 602A is omitted for the sake of simplicity. However, in reality, the error signal is, as shown in FIG.
It is adapted to be inputted through the logical sum element 602A.

The inter-processor interface controller 340A, to which the error signal 604A is input, requests the inter-processor interface controller 340B via the inter-system interface signal line 622 to confirm whether or not the A system can be disconnected. To do.

Then, the inter-processor system interface controller 340B confirms the state of the central processing unit 300B. As a result of the confirmation, when the B system is in a state where it can take over the subsequent processing, the central processing unit 300
Signal for permitting disconnection of A (system A disconnection permission signal)
Is output to the processor intersystem interface control device 340A through the intersystem interface signal line 624. Further, the inter-processor system interface control device 340B
Makes the central processing unit 300B a duplicated system bus 518.
The interface signal line 6 transmits an instruction signal (A system connection instruction signal) to be connected to A (that is, the input / output bus 520A).
14B through multiple system bus adapter 380B-1
Output to

The multiple system bus adapter 380B-1 which has received the A system connection instruction signal enables the access from the central processing unit 300B to be transmitted to the duplex system bus 518A. Thereby, the central processing unit 300B is
Input / output bus adapter 390A and input / output adapter 400
Access to A becomes possible.

Further, the inter-processor system interface control device 340A which has received the above-mentioned A-system disconnection permission signal
Makes the central processing unit 300A a duplicated system bus 518.
A disconnection instruction signal for disconnecting from A is output to the multiple system bus adapter 380A-1. The multi-system bus adapter 380A that has received this disconnection instruction signal
-1 prevents the access from the central processing unit 300A from being transmitted to the duplex system bus 518A thereafter.

The multiple system bus adapter 380A
In the normal state, -2 is a state in which the central processing unit 300A and the duplicated system bus 518B are separated. Therefore, the multi-system bus adapter 380A-2 is kept in that state.

The system switching is completed as described above. After that, the processing is taken over by the central processing unit 300B. After this, the central processing unit 30
In order to confirm whether or not 0B is truly functioning properly, the central processing unit 300 should be timed appropriately.
The self-diagnosis processing of B is executed. This self-diagnosis process will be described later with reference to FIG.

Next, the operation when the processing device is in the exception processing state, although no data inconsistency occurs in the system, will be described with reference to FIGS. 1 and 3.

Here, a case will be described in which the data is the same in each of the A system and the B system, but the processing device 310A of the A system is in the exception processing state.

FIG. 1 is a diagram showing details of the central processing unit 300 of FIG. As mentioned above, the error signal 604A
Is actually input to the inter-processor system interface controller 340 through the logical sum element 602A as shown in FIG. The flowchart of FIG.
This is a process executed every machine cycle of the processing device.

First, the processor memory controller 330A
Indicates that the processing device 310A-1 is connected to the data bus 50.
The data output to 0A-1 and the processing device 31
0A-2 compares the data output to the data bus 502A-1. Further, similarly, the processing device 310
The address output from A-1 to the address bus 500A-2 and the address output from the processing device 310A-2 to the address bus 5A
02A-2 is compared with the output address (step 200).

If the comparison results do not match,
The processor memory control mechanism 330A outputs an error signal 604A to the other system exception handling collation circuit 360A and the inter-processor system interface control device 340A (step 202). After this, steps 214, 216, 2
Through the processing of 18, the A system is disconnected. A series of processes for disconnecting the A system (step 202 → step 214)
→ Step 216 → Step 218) is as described above as the processing operation when a mismatch occurs in the system.

If the comparison result data and the memory address in step 200 match, the processor memory control device 330A outputs the data to the main memory device 320A through the data bus 504A-1. Further, the memory address is output to the main storage device 320A through the address bus 504A-2. Address bus 504A-
2 is also connected to the exception processing address access detection circuit 350A. Therefore, this address is also input to the exception processing address access detection circuit 350A.

Exception processing address access detection circuit 350
A confirms whether the address output to the address bus 504A-2 at this time is a predetermined exception processing address (step 204). This confirmation
This is performed by determining whether the address input through the address bus 504A-2 matches the address indicating the memory area in which the exception handling routine is stored.

If the result of step 204 is that it is not an exception processing address, the exception processing address access detection circuit 350A judges that the central processing unit A is in a normal state and does nothing.

On the other hand, if the result of step 204 is that the address is an exception processing address, the exception processing address access detection circuit 350A causes the other system exception processing verification circuit 360A and the other system exception processing verification circuit 360B to detect the A system exception processing address. The signal 610 is output (step 208).

By the way, similar processing is performed in the B system in synchronization with the A system. When the B system is in the exception processing state, the B system exception processing address detection signal 612 is input from the exception processing address detection circuit 350B to the other system exception processing collation circuit 360A. If a data mismatch occurs in the B system, the B system disconnection request signal 624 is output from the inter-processor system interface controller 340B.
Is entered.

The other system exception processing collation circuit 360A has a B system exception processing address detection signal 612, an error signal 604A,
Based on the state of the B system disconnection request signal 624, the output determination of the A system disconnection request signal 606A is performed (step 2).
10). The determination logic will be described later with reference to FIGS. 5 and 6 together with the details of the other system exception handling collation circuit 360A.

If it is determined in step 210 that the output is necessary, the other system exception handling collation circuit 360A outputs the A system disconnection request signal 606A to the logical sum element 602A (step 212).

The logical sum element 602A receives the error signal 604.
When the A or A system disconnection request signal 606A is output, the A system disconnection request signal 608A is output to the inter-processor system interface control device 340A. When the A-system disconnection request signal 608A is input, the inter-processor system interface controller 340A sends a signal (A-system disconnection request signal) 622 requesting confirmation of whether or not the A-system may be disconnected between the processor systems. It is output to the interface control device 340B (step 214).

The inter-processor system interface controller 340B, which has received the A-system disconnection request signal 622, confirms that the B-system processing device 310 is normal. This confirmation is performed by determining whether or not the B-system disconnection request signal 608B is output. B system disconnection request signal 6
If 08B is not output, the inter-processor system interface control device 340B determines that the B-system processing device 310 is normal, and the A-system inter-processor system interface control device 340A permits the disconnection of the A system. The A-system disconnection permission signal 624 is output. Further, the A system connection instruction signal 614B is output to the multiplex system bus adapter 380B-1.

A that has received the A-system disconnection permission signal 624
System processor inter-system interface controller 340A,
The disconnection instruction signal 614A is output to the multi-system bus adapter 380A-1 (steps 216 and 218).

In accordance with this, the multi-system bus adapter 3
80B-1 connects the central processing unit 300B and the duplex system bus 518A. On the other hand, the multiple system bus adapter 380A-1 disconnects the central processing unit 300A from the duplex system bus 518A.

As described above, which system should be trusted is determined by determining whether or not the system is in the exception processing state. Then, the processing is continued by the system that is not in the exception processing state. After this, the self-diagnosis process of the system which is supposed to continue the process is executed at an appropriate timing. This self-diagnosis process will be described later with reference to FIG.

Next, a more detailed configuration of each of the above parts will be described.

Details of the processor memory controller 330A will be described with reference to FIG. The processor memory control device 330B has exactly the same configuration as the processor memory control device 330A.

The processor memory control unit 330A is roughly divided into a processor interface unit (hereinafter referred to as "PIU") 700, a memory interface unit (hereinafter referred to as "MIU") 702, and a system bus interface unit (hereinafter referred to as "SBIU"). Call) 70
4, an OR element 706 and a processing device output comparator 708. In addition, latches L are appropriately arranged at various places in the apparatus as needed.

The PIU 700 includes a processing device 31.
Access from 0 is accepted. When the external access of the processing device 310A-1 is a memory access, the PIU 700 determines that the processing device 310A-1
-1 outputs the memory address and data to the bus 5
00A-1, 500A-2 to receive buffer 714
It is designed to be taken into. Processing device 31
Similarly, when the external access of 0A-1 is an access to the input / output bus, the memory address and data output from the processing device 310A-1 are stored in the reception buffer 712.

The SBIU 704 is connected to the system bus 370A.
To access the I / O bus from the PIU 700.

When the access from the PIU 700 is an input / output bus read access, the SBIU 704 acquires the system bus right, and then uses the address stored in the reception buffer 712 through the selector 734 to the system bus 370.
Output to A. Further, the read data input from the system bus 370A is temporarily transferred to the selector 732,
It is stored in the transmission buffer 716. This read data is then processed by the processing devices 310A-1 and 310A-.
Returned to 2. On the other hand, if the access from the PIU 700 is an I / O bus write access, the SBIU 704
After acquiring the system bus right, the reception buffer 712
And outputs the read address and the write data stored in the system bus 370A via the selector 734 and the like.

Access from the system bus 370A is D
In the case of MA read, the SBIU 704 sets the read address stored in the reception buffer 720 to the MIU 70.
2 to the selector 736. Also, the system bus 3
If the access from 70A is a DMA write, the write address and write data stored in the receive buffer 720 are output to the selector 736 of the MIU 702.

The MIU 702 accepts the memory access from the PIU 700 and the DMA access from the SBIU 704 at the selector 736, and in response to this, the main memory 3
Access 20A. Then, the response result is returned to the PIU 700 or the SBIU 704, respectively.

The access that MIU 702 receives from PIU 700 includes memory read and memory write. In the case of memory read, the read address stored in the reception buffer 714 is transferred via the selector 736 to the main storage device 3.
It is transmitted to 20A. Then, the read data is
It is temporarily stored in the transmission buffer 716 via the selector 732. Then, after this, the processing device 31
0A-1, 310A-2. On the other hand, PIU70
When the access received from 0 is a memory write, the write address and write data stored in the reception buffer 714 are transferred via the selector 736 to the main storage device 320.
A is told. The main storage device 320A writes this write data to this write address.

The access that MIU 702 receives from SBIU 704 includes DMA read and DMA write.
In the case of DMA read, the MIU 702 transmits the read address sent from the receive buffer 720 of the SBIU 704 to the main storage device 320A via the selector 736.
Then, the data read from the main storage device 302A is temporarily stored in the transmission buffer 718 of the SBIU 704 via the selector 732. After that, the read data is returned to the input / output bus or the input / output device via the system bus 370A. On the other hand, if the access received from SBIU 704 is DMA write, MIU 702
Sends the write address and write data sent from the receive buffer 720 of the SBIU 704 to the main storage device 320A via the selector 736. Then, the main memory 320A writes this write data to this write address.

The processor memory control device 330A also takes in the memory address / data output from the processing device 310A-2 via the signal lines 502A-1 and 502A-2. However, the PIU 700 does not store these in the reception buffers 712 and 714. The memory address / data output from the processing device 310A-2 is used only for comparison with the address / data and the control signal sent from the processing device 310A-1. This comparison is based on the processing device 310A-
Performed by processing device output comparator 708 when 1 outputs a write access. As a result of the comparison,
If the values do not match, processing device output comparator 708 asserts error signal 722. The error signal 722 is output to the logical sum element 706.

Next, the exception processing address access detection circuit 350A and the other system exception processing collation circuit 360A will be described with reference to FIG.

The B system exception processing address access detection circuit 350B and the other system exception processing collation circuit 360B have exactly the same configuration as the exception processing address access detection circuit 350A and the other system exception processing collation circuit 360A.

Exception processing address access detection circuit 350
A is a memory 734, 736 and the like, and comparators 738, 74.
0 and the like, and an OR element 742. In addition, latches L are appropriately arranged at various places in the apparatus as needed.

In the memories 734, 736, ..., Addresses (hereinafter referred to as "exception processing addresses") indicating areas in the main memory 320A where exception processing routines are stored are stored in advance.

The comparators 738 and 740 are connected to the address bus 5
The memory address output to 04-2 and the memory 73
It is for comparing with the exception processing address stored in 4, 736 and the like. As a result of the comparison, when the two match, the comparator 738 and the like output a signal indicating that.

It should be noted that these memories and comparators may be provided as many as the number of exception processing addresses to be detected.

The OR element 742 is for notifying the other system exception handling collation circuit 360A that the exception handling address match has been detected, and the output signals of the comparators 738, 740 etc. are inputted.

The other system exception processing collation circuit 360A has an error signal 604A, a B system disconnection request signal 624, and a B system disconnection request signal 624.
The system exception handling address detection signal 612 and the A system exception handling address detection signal 610 are input. The A-system disconnection request / A-system self-diagnosis request output determination unit 744 of the other-system exception processing collation circuit 360A makes an output determination based on the states of these input signals. Then, according to the determination result,
The A-system disconnection request signal 606A and the A-system self-diagnosis request interrupt signal 620A are output. Other system exception handling collation circuit 360
The decision logic of this output decision by A is shown in FIG. Since this figure is for system A, "other system" in the figure corresponds to "system B.""Selfsystem" corresponds to system A. Description in other figures Is also the same.

As can be seen from FIG. 6, the A system disconnection request signal 606A is asserted in the case of FIG. 6F, that is, the error signals 604A, B system disconnection request 6
24 and B system exception handling address detection signal 612 is not asserted, and only A system exception handling address detection 610 is asserted. However, the signal 608A is
This is output not only in the case of FIG. 6 (f) but also in the cases of FIGS. 6 (a) and 6 (b). This is because the error signal 604A is directly input to the logical sum element 602A. That is, the other-system exception handling collation circuit 360A is a circuit for determining whether or not the following state (special case) has occurred. The A-system disconnection request 622 is output from the A-system to the B-system in the following cases (in principle) and in the following cases (special cases).

In principle, when a data mismatch occurs in the A system and an error signal 604A is output.

Special case Although no data inconsistency occurs in the A system, the processing device 310A is in the exceptional processing state, while in the B system, the processing device 310B is not in the exceptional processing state and the data If no discrepancy has occurred.

Also, the A-system self-diagnosis request interrupt signal 620A
6 (e), that is, the error signals 604A, B system disconnection request signal 624 and A system exception handling address detection signal 610 are not asserted, and the B system exception handling address detection signal is asserted. This is the case when only 612 is asserted.

FIG. 6 (a) shows the case where data inconsistency occurs in both the A system and the B system.
A-system disconnection request signal 622, B-system disconnection request signal 6
24 will be output together. (B) is the case where the data mismatch occurs only in the A system,
The A-system disconnection request signal 622 is always output. (C)
In the case where data mismatch occurs only in the B system, the B system disconnection request signal 624 is output.
(D) is a case where both the A system and the B system are normal. (E)
In this case, the data is the same in both the A system and the B system, but the B system is in the exception processing state. In this case, the A system continues to take charge of the processing even after this. However, system A confirms that it is normal by executing self-diagnosis. (F) is a case where the data is the same in both the A system and the B system, but the A system is in the exception processing state. In this case, B
The system takes over the processing. Also, although not shown in the figure,
System B confirms that it is normal by executing self-diagnosis. (G) is a case where the data is the same in both the A system and the B system, but in the exception processing state in the A system and the B system. In this case, the processing is continued by the main system A.

Next, the self-diagnosis processing performed when the other-system exception processing collation circuit 360A outputs the self-diagnosis request interrupt 620A will be described with reference to FIG.

Here, the other system exception handling collation circuit 360A
Will output the self-diagnosis request interrupt signal 620A to the processing devices 310A-1 and 310A-2 (the case of FIG. 6E described above).

When the self-diagnosis request interrupt signal 620A is input, the processing units 310A-1 and 310A-2 are processed.
Executes the predetermined four arithmetic operations for self-diagnosis after the end of the instruction being executed at that time (step 23).
0).

The self-diagnosis program (not shown) in the central processing unit 300A determines whether or not the result of the four arithmetic operations is abnormal (step 231). If the result of the determination is that it is normal, then a write / read comparison check of arbitrary data to the main memory 320A is executed (step 232). Then, similarly, it is determined whether or not the result is normal (step 233). If the result of determination is normal, execution of the program suspended for this self-diagnosis is resumed. The restart position is from the instruction next to the instruction executed immediately before the start of self-diagnosis.

If an abnormality is found in step 231 or step 233, the self-diagnosis unit inputs a processing stop request interrupt to the processing devices 310A-1 and 310A-2 (step 234). Then, the processing devices 310A-1 and 310A-2 stop processing.

Note that, here, only the calculation of the processing device and the write / read comparison of the main storage device are described as the diagnosis contents, but hardware diagnosis around the processing device is also executed if necessary.

Details of the inter-processor system interface controller 340A will be described below with reference to FIGS.
The inter-processor interface controller 340B
Has exactly the same configuration as the inter-processor system interface control device 340A.

Inter-processor system interface controller 3
40A includes a status register 768 and a disconnection determination circuit 7
And 64. In addition, latches L are appropriately arranged at various places in the apparatus as needed.

The status register 768 is used by the central processing unit 30.
It holds the state of 0A.

The disconnection determination circuit 764 is for determining which system should be disconnected. The disconnection determination circuit 764 determines which system is disconnected according to the determination logic described later.

The A-system disconnection request signal 608A is the logical sum of the error signal 604A and the A-system disconnection request signal 606A. A system disconnection request signal 608A
Is input to the disconnection determination circuit 764. Also, this signal 608A is the A system disconnection request signal 62 as it is.
2-1 is output to the inter-processor system interface control device 340B. As a response to the A-system disconnection request signal 622-1, the processor-system interface controller 340B returns:
This is the A-system disconnection permission signal 624-2. It is the disconnection instruction signal 614A-2 of the central processing unit 300A that receives the A-system disconnection permission signal 624-2 by the latch, adjusts the timing, and then outputs the signal. The disconnection instruction signal 614A-2 disconnects the central processing unit 300A from the duplex system buses 518A and 518B.

On the contrary, the inter-processor system interface controller 340A sends the B system disconnection request signal 62 from the inter-processor system interface controller 340B.
4-1 has been input. This B system disconnection request signal 6
24-1 outputs the signal 770 as the disconnection determination circuit 764.
Is input to Then, in response to this, the A-system disconnection determination circuit 764 outputs the B-system disconnection permission signal 622-2 to the inter-processor system interface controller 340B. In addition, the central processing units 300A and 2
The disconnection determination circuit 764 outputs to connect the redundant system bus 518B to the B system connection instruction signal 61.
4A-1.

FIG. 9 shows the decision logic of the disconnection decision circuit 764.
This will be described with reference to FIG.

The error may occur at two locations at the same time, or an error may occur in the remaining system when one system is already disconnected. Therefore, if the disconnection permission is output as it is in response to the disconnection request, both systems may be disconnected. Therefore, the disconnection determination circuit 764 confirms that the A system is in a state where the processing can be continued at that time, and then the B system disconnection permission signal 766.
(622-2) and the B system connection instruction signal 614A-1 are asserted.

Therefore, the B system disconnection instruction signal 766 and B
The system connection signal 614A-1 is asserted in FIG.
In the case of (b), that is, the A system is online, the A system disconnection request 608A (622-1) is not input, and the B system disconnection request 770 (624-).
Only when 1) is output.

Note that FIG. 9A shows a case where the data in both the A system and the B system do not match (corresponding to FIG. 6A). FIG. 9B shows a case where the data in only the B system does not match (corresponding to FIG. 6C), or in the A system, B
Within the system, the data are the same, but B
This is the case where the system is in the exception processing state (corresponding to FIG. 6 (e)). In addition, the A system is normal and online. FIG. 9 (c) shows a situation similar to that of FIG. 9 (b), but with some other fault occurring in the A system. FIG. 9 (d) shows the case where the data mismatch occurs only in the A system (corresponding to FIG. 6 (b)), or the data in the A system and the B system both match, but A When the system is in the exception processing state (Fig. 6 (f))
Is equivalent to). FIG. 9E shows the case where both the A system and the B system are normal (corresponding to FIG. 6D), or
Although the data are the same in the system, A
System B and system B are in exception processing state (Fig. 6)
(Corresponding to (g)).

As described above, in the present embodiment, not only the coincidence / non-coincidence of data but also whether or not the processing device is in the exception processing state is used as the criterion for determining the fault system. Therefore, in each of the A system and the B system, although the data between the duplication processing devices match, the matching data is different between the A system and the B system ( Even if the in-system match or the inter-system mismatch occurs, the processing can be continued by coping with this.

Further, it is possible to confirm that there is no true abnormality by causing the processing device and peripheral hardware that take over the processing to perform the self-diagnosis processing.

In the above embodiment, when disconnecting any of the systems, the system that has succeeded the processing thereafter is connected to the bus that has been connected to the separated system. However, in the above embodiment, the central processing unit 300
Not only input / output bus 520 and system bus 380
Is also multiplexed, and the system that takes over the processing also has its own bus. Therefore, it is possible to simply disconnect the faulty system from the bus. For example, the failure A
Even when the system is disconnected from the I / O bus 520A, the B system that takes over the processing does not have to be connected to the I / O bus 520A. The B system can take over the processing by using the input / output bus 520B connected to itself from the beginning.

The "mismatch detection means" referred to in the claims corresponds to the processor memory controller 330A in the A system of the above-described embodiment. The "processing state determination means" is the exception processing address access detection circuit 3
Equivalent to 50A. The "other system processing state confirmation means" corresponds to the other system exception processing collation circuit 360A. The "switching means" corresponds to the other system exception handling collation circuit 360A and the inter-processor system interface control device 340A. The "requesting means" and the "response means" mean the inter-processor system interface control device 340A (in particular, the disconnection judging section 7).
64). The “permission signal” is the signal 622-
2, 624-2 (see FIG. 8). “Request for confirmation of whether or not to disconnect” means signals 624-1 and 6-24.
22-1 (see FIG. 8). What is an "external device"?
I / O buses 520A, B, system buses 380A-1,
It corresponds to A-2, B-1, B-2, a bus adapter for controlling them, and a device connected through these input / output buses.

[0112]

According to the present invention, even if it is not possible to determine which processing device is abnormal (for example, in-system coincidence, inconsistency between systems), the processing can be continued without bringing down the system.

Further, by performing the self-diagnosis processing, it can be surely confirmed that there is no abnormality.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a main part of a first embodiment of the present invention.

FIG. 2 is a block diagram showing the overall configuration of the first embodiment.

FIG. 3 is a flowchart showing an operation.

FIG. 4 is a block diagram of processor memory controller 330A.

FIG. 5 is a block diagram showing details of an exception processing address access detection circuit 350A and another system exception processing collation circuit 360A.

FIG. 6 is a diagram showing a determination logic of another system exception handling collation circuit 360A.

FIG. 7 is a flowchart showing a self-diagnosis process.

FIG. 8 is a processor system interface controller 340.
It is a block diagram which shows the detail of A.

FIG. 9 is a diagram showing the determination logic of a disconnection determination circuit 764.

[Explanation of symbols]

310 ... Processing device, 320 ... Main memory device, 330 ... Processor memory control device, 340
... Processing system interface control device, 350
... Exception processing address access detection circuit 360 ...
・ Other system exception processing collation circuit

 ─────────────────────────────────────────────────── ─── Continuation of front page (72) Inventor Yoshihiro Miyazaki 5-2-1 Omika-cho, Hitachi City, Ibaraki Hitachi Ltd. Omika Plant, Hitachi Ltd. (72) Hideji Ishikura 5-2 Omika-cho, Hitachi City, Ibaraki Prefecture No. 1 Stock company Hitachi Ltd. Omika factory

Claims (6)

[Claims] 1. A fault detection in a multiplexing computer, which comprises a plurality of systems having a plurality of multiplexed processing devices, and which continues processing by changing the connection relationship between these systems and an external device when an abnormality occurs. In the processing method, if the abnormality cannot determine which of the outputs of each of the processing devices is appropriate, check the processing state of each of the processing devices of each of the systems, and check the results. , A system in a state where the processing device is executing a predetermined exception process (hereinafter referred to as “exception processing state”), and a state in which the processing device is not executing a predetermined exception process (hereinafter, “exception process”). If there is a system in the "normal processing state"), the subsequent processing is pulled by the system in the normal processing state. Gukoto, fault detection processing method in multiplexing computer characterized. 2. A multiplexing computer comprising a plurality of systems having a plurality of multiplexed processing devices, and changing the connection between these systems and the external device to continue processing even when a failure occurs. , Each of the above-mentioned systems has a mismatch detection means for detecting a mismatch of processing results between the processing devices of the own system, and the processing state of the processing device of the own system that has been multiplexed is predetermined. A process for determining whether the exception handling program is running (hereinafter referred to as "exception handling state") or the exception handling program is not running (hereafter referred to as "normal handling state") Whether the processing state of the state determining means and the processing apparatus of the other system multiplexed is the exceptional processing state or the normal processing state is confirmed. If the other system processing state confirmation means and the inconsistency detection means of the own system detect a mismatch, or if the processing state determination means of the own system determines that it is in an exceptional processing state and the other system processing state confirmation means When it is confirmed that there is a system in the above normal processing state,
A switching computer for disconnecting its own system from the external device, and a multiplexing computer. 3. Each of the above-mentioned systems further determines that the mismatch detection means of its own system detects a mismatch, or that the processing state determination means of its own system is in an exceptional processing state and the other system. When the processing status confirmation means confirms that there is a system in the normal processing status,
Requesting means for requesting confirmation of whether or not the own system may be disconnected from the external device, and requesting confirmation of whether or not the other system may be disconnected from the other system. If it is possible to check the status of its own system, and if it is possible to take over the processing performed by the other system, send a permission signal to the other system to allow the other system to be disconnected from the external device. Response means for outputting to the external device, and the switching means sets the own system to the external device only when a permission signal is returned from the response means of another system in response to a request from the requesting means of the own system. The computer according to claim 2, wherein the computer is separated from the computer. 4. The switching means connects the own system to the external device when the response means outputs the permission signal to another system. The multiplexing computer according to 3. 5. The processing state judging means is provided with an address indicating an area where the exception processing program is stored (hereinafter referred to as "exception processing address") in advance, and an address accessed by the processing device is the exception processing address. 2. The multiplexing according to claim 1, wherein it is determined whether or not it is, and as a result of the determination, it is determined to be in an exception processing state when the exception processing address is accessed. calculator. 6. If the processing state determining means determines that the system is in the normal state and the other system processing state confirming means confirms the presence of another system in the exception processing state, the system is in the normal state. 3. The multiplexing computer according to claim 2, wherein the processing device of the above system performs self-diagnosis.