JPH11167498A - Data processor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a highly reliable data processor with excellent failure resistance so as to realize a failsoft by surely operating while suppressing the degeneration of a function even at the time of occurrence of a failure caused by a bug in a program to be executed by a data processor. SOLUTION: Normal operation firmware 40A and firmware for degeneration operation at the time of a failure 40B expressed in mutually different coding are housed in ROM 30A and 30B respectively. The firmware 40B is provided only with a required function being a part of the function of the firmware 40A. At first the firmware 40A is executed, but when a failure occurs, a switching means 32 switches to the execution of the firmware 40B read from ROM 30B. As the firmwares 40A and 40B do not share a bug with each other, the failure is removed.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data processing device for performing information processing and device control, and more particularly to improving the fault tolerance of a data processing device.

[0002]

2. Description of the Related Art In a data processing apparatus, a fault due to a hardware failure is improved by a method such as hardware duplication or degenerate operation in which the faulty hardware is separated so that the execution of the processing can be continued. . However, such a configuration of the hardware may not be able to cope with a case where a failure cause exists in a program such as firmware. For example, even if the hardware is duplicated, if each is running the same firmware, if there is a bug in it, both hardware will fail, the system will hang, or the system will be stopped once Stopping and restarting may cause the same failure again.

In order to cope with a failure caused by a program such as software or firmware, the system is provided with a plurality of types of programs, and the operation of the system is continued by switching and executing a program to be executed when a failure occurs. This improves fault tolerance and reliability.

FIG. 7 is a block diagram showing a configuration of a conventional data processing apparatus disclosed in Japanese Patent Application Laid-Open No. 64-7147. In FIG. 7, a read-only memory (ROM: Re
ad Only Memory) 2A and 2B store the same firmware. The load control unit 4 is, for example, a ROM
RAM (Random Access Memory) which is a memory in which the firmware stored in the 2A can be written / read at any time.
ry) Load to 6. If the load control unit 4 detects a failure in the ROM 2A during loading, the load control unit 4 stops the loading process, switches the loading source from the ROM 2A to the ROM 2B, and restarts the loading process. Even if the loading process from the ROM 2A is completed normally, if the CPU 8 detects an abnormality during execution of the loaded firmware, a request for reloading is made to the load control unit. In response to the request, the load control unit loads the firmware from the other ROM 2B, and the CPU 8 starts executing the firmware.

Thus, even if one of the ROMs fails and cannot be read, or if the contents of the ROM are damaged, the normal firmware is loaded by changing the firmware reading destination and the data processing device Can execute normal processing. In this case, firmware stored in the two ROMs has the same contents, and bugs that are defects in the firmware are included in the same manner.

FIG. 8 shows another prior art, which is a principle diagram of a semiconductor memory device disclosed in Japanese Patent Laid-Open No. 7-248909. ROM 12A, 1
2B stores programs having different versions, such as the firmware before the revision and the firmware after the revision. By operating the changeover switch 14, this device can switch the ROM from which the firmware is read to the RAM 16. According to this device, even if the version is upgraded, the firmware before the revision is easily executed by operating the changeover switch 14, and the result is compared with the firmware after the revision, or when a failure occurs, the firmware is switched to the firmware before the revision and the failure occurs. Can be restored.

In this case, the firmware stored in the two ROMs is different before and after the version upgrade. However, version upgrades are generally
Based on the firmware before the upgrade,
This is done by adding code or changing / deleting parts of the code. That is, many codes are commonly used before and after version upgrade. Therefore, if there is a bug in the commonly used code,
M12A and 12B will also be included. For example, the firmware A before the revision is composed of a code C1, a code C2, and a code C3, while the firmware B is an upgraded version of the firmware A and a code C
1, a code C2 and a code C3 'created by changing the code C3. In this case, the code C1 and the code C2 except for the code C3 and the code C3 ′ related to the revision are shared by the firmware A and the firmware B. Therefore, bugs existing in the codes C1 and C2 are commonly included in the firmware A and B.

[0008] Further, as a countermeasure for improving the fault tolerance as compared with the related art, availability (availability) is used.
There is a direction of approach to improve. The improvement in availability is to increase the ratio of the time during which the system is functioning normally (uptime) to the time during which the system is not functioning properly (downtime). For this purpose, downtime is reduced by shortening the failure recovery time, and the uptime is lengthened. As a method of improving the uptime, there is a method of fail software (also referred to as a degeneration allowable system) that continues operation while losing some of the failed functions in a system that performs a plurality of functions in a normal state. . In this case, specifically, the function of one unit of program specified as a range in which a failure may exist is lost by the failure isolation operation.

[0009]

In the above-mentioned conventional example, it is possible to recover from a failure in the ROM or a failure due to a bug in the additional code of the firmware by switching the ROM to be used. However, a plurality of programs (firmware) stored in these conventional devices have a common code. Therefore, it is highly probable that a program failure occurs due to a bug in the program that exists in this common part, and the failure is not recovered even if the program is switched as described above, and processing cannot be continued. There was a problem that.

On the other hand, in the case of configuring the system with fail software, it is not possible to specify a range in which a failure point may exist sufficiently narrowly, and a function essential for system operation is included in the range. In such a case, the function of the entire specified failure range including the essential function is lost, resulting in a problem that the system cannot be operated.

The present invention solves the above problem,
Even if a failure occurs due to a bug in the program executed by the data processing device, fail-soft operation is realized by minimizing the degradation of functions and ensuring operation of the device to achieve fail-safe and reliability. An object of the present invention is to provide a data processing device excellent in the above.

[0012]

According to a first aspect of the present invention, there is provided a data processing apparatus comprising: first program storage means for storing a normal operation program; and a function specification having a lower function specification than the function specification of the normal operation program. A second program storage unit for storing a failure operation reduced operation program, a program selection unit for selecting any one of the normal operation program and the failure operation program as an execution program, It has processing failure determination means for detecting a failure, and the function of the failure-time degraded operation program and the function of the normal operation program corresponding thereto are created based on the function specifications different from each other. All of them are expressed by different coding from each other, and the program selecting means is When a fault is detected more the normal operation program, it is that switches the execution program to the disaster degenerate operation program from the normal operation program.

[0013] In a data processing apparatus according to a second aspect of the present invention, the normal operation program and the fault reduction operation program are firmware stored in a read-only memory or software stored in a magnetic recording medium, respectively. Things.

In the data processing apparatus according to a third aspect of the present invention, in the above-mentioned invention, the normal operation program counts according to the progress of the main processing, and the processing failure determination means updates the count value normally. That is, it is determined as a failure based on what is not done.

[0015] In a preferred aspect of the present invention, the processing failure judging means is constituted by a timer interrupt processing for judging a normal update of the count value.

In the data processing apparatus according to a fourth aspect of the present invention, when the faulty reduced operation program switched by the program selecting means is activated, a predetermined switching of the initialization process of the faulty reduced operation program is performed. The unnecessary initialization process is omitted.

According to a preferred aspect of the present invention, the unnecessary initialization process at the time of switching is a memory initialization process for creating a check bit of a memory or an operation check, an initialization process for the processing failure determination unit, or the normal process. When the conversion data table for processing is shared between the operation program and the fault reduction operation program, at least one of the initialization processing of the table is included.

A data processing apparatus according to a fifth aspect of the present invention detects a hardware failure of the data processing apparatus based on a recurrence of the failure after switching to the failure reduction operation program by the program selecting means, It has hardware failure removing means for separating the relevant part of the hardware concerned.

[0019]

[First Embodiment] FIG. 1 is a block diagram showing an overall schematic configuration of a data processing apparatus according to an embodiment of the present invention. This device is used in, for example, a communication control processing device, a computer system management control device, a database machine, and the like. A component such as a semiconductor device used in a data processing apparatus may be broken under an excessively high temperature condition, for example, or may malfunction due to a change in characteristics when the component is out of a certain temperature range including room temperature. This equipment avoids such operational problems due to temperature changes and maintains high reliability of processing results.
It has a function to monitor the temperature of the substrate inside the main body and perform a predetermined action.

In FIG. 1, various general components of the data processing apparatus main body, that is, a central processing unit (CPU) 20, which is a processor, a memory (RAM) 22 which can be written / read at any time, a nonvolatile memory 24, and the monitoring device 26 is a system bus 28
It is connected to the. The system further includes a system bus 2
8, two read-only memories (ROM) 30A, 30
B is connected via the switching means 32. Further, a temperature sensor 34 for monitoring the substrate temperature and a liquid crystal display (LCD) 36 which is a display unit for displaying a processing result in the main body are also connected to the system bus 28.

Now, here, the firmware is the ROM
Is held. In a general data processing device, there is only one type of firmware. In this device, however, the normal operation firmware 40A used during normal operation and some of the plurality of functions of the normal operation firmware 40A, It is provided with two types of firmware: a faulty degraded operation firmware 40B including the minimum basic functions necessary for the continuation of operation. Two ROMs 30A, 30B are used for storing them. That is, the ROM 30A is a program storage unit that holds the normal operation firmware 40A (firmware A).
Is a program storage unit that holds the failure-time degraded operation firmware 40B (firmware B).

The basic function (degraded operation function), which is a function that the degraded operation firmware at the time of failure has in common with the normal operation firmware, is in common with the function of the normal operation firmware corresponding thereto in a large meaning. However, they are created based on different specifications, so that functions or processes at a finer level may be different from each other.

Here, as an example, a brief description will be made using a shutdown function for stopping the system. The shutdown function for the normal operation firmware and the degraded operation firmware for failure is common in the function of finally stopping the system. It is. However, while the normal operation firmware is created based on a specification that performs various evacuation processes until the power is turned off, the failure-time degraded operation firmware stops the access operation of the hard disk or the like, but executes the firmware. It can be created based on the specification that the process of saving the data of the middle application is omitted. The function in the large sense here means, from the viewpoint of maintaining the operation of the system as an example,
In order to achieve the purpose of maintaining operation, it is a function level that can not be changed or omitted in other functions.On the other hand, a function in a detailed sense is considered as another example in the case of operation maintenance. It is a functional level that does not hinder operation maintenance even if the function is replaced or omitted. This could be expressed, for example, as having a common purpose for the functions, but different means of achieving.

By the way, the normal operation firmware 40A
Since the common function of the failure firmware and operation firmware 40B is created based on different specifications,
Generally, they will be represented by different codings.

The switching means 32 selects one of the ROMs storing the firmware as a firmware reading destination and connects it to the system bus 28. That is, the switching unit 32 functions as a program selection unit. The ROMs 30A and 30B are EPROM
Or an erasable read-only memory such as a flash ROM.

In the nonvolatile memory 24, information for identifying a ROM to be read at the next start-up is written. For example, when the identification numbers “1” and “2” are assigned to the ROMs 30A and 30B, information “1” is written when firmware is to be read from the ROM 30A, and information “2” is written when firmware is to be read from the ROM 30B. This value is retained even when the power of the data processing apparatus is turned off, and is referred to at the next startup. The non-volatile memory 24 can be replaced with a predetermined area of a magnetic disk drive (not shown) as a storage area without using a special semiconductor memory. A volatile memory is provided in the switching unit 32, and the power is turned on. Other arrangements are possible, such as temporarily holding this while in use.

The monitoring device 26 is a processing failure determining means for detecting a failure during execution of the firmware, and its operation will be apparent from the following description.

Next, the operation of the data processing apparatus of the above embodiment will be described. FIG. 2 is a flowchart illustrating the operation of the present apparatus. When the data processing device is started, the CP
U20 issues a firmware load instruction to system bus 2
8 (S50). Upon receiving this, the switching means 32 reads the ROM stored in the nonvolatile memory 24.
The identification information is obtained (S55). At the time of normal startup of the device, the non-volatile memory 24 stores the ROM 30A holding the normal operation firmware 40A as the ROM identification information.
Is stored, and the switching means 32 outputs
Select the ROM 30A corresponding to the information, and
Read the normal operation firmware 40A from the
22 (S60).

When all the normal operation firmware 40A is read from the selected ROM and written into the RAM 22, the CPU 20 starts executing the normal operation firmware transferred to the RAM 22 (S65). By executing the firmware, the apparatus exchanges data with the outside via an input / output port (not shown), and performs predetermined processing and control.

The monitoring device 26 monitors the execution status of the normal operation firmware. If the monitoring device 26 detects a failure in the execution of the normal operation firmware (S70)
Writes the identification information of the ROM to be selected at startup stored in the nonvolatile memory 24 from the value “1” specifying the ROM 30A to the value “2” specifying the ROM 30B holding the degraded operation firmware 40B at the time of failure. Replacement (S7
5) Restart the system (S80).

Incidentally, for example, the firmware may fail to control the processing of a branch instruction or the like due to the bug, and the processing to proceed according to a predetermined sequence may fall into an infinite loop. The monitoring device 26 detects such a state in the normal operation firmware and determines that a failure has occurred.

When the system is restarted, the CPU 20 sends a firmware load instruction to the system bus 28 again (S85), and the switching means 32 receives the instruction, and the ROM identification information value "2" from the nonvolatile memory 24. Is acquired (S90), the corresponding ROM 30B is selected, the faulty degraded operation firmware 40B is read therefrom, and written to the RAM 22 (S95).

As a result, the firmware on the RAM 22 is updated from the normal operation firmware to the faulty degraded operation firmware, and the CPU 20 starts executing the faulty degraded operation firmware (S100). As described above, the faulty degraded operation firmware is created based on a specification different from that of the previously executed normal operation firmware, and is generally represented by different coding. That is, in general, it does not include a bug that causes a failure in the execution of the normal operation firmware. Therefore, processing and control can be performed correctly even in the situation where the previous failure has occurred.

If a failure occurs again after switching and executing the firmware, the possibility of a hardware failure increases. The monitoring device 26 may also be configured to determine that a failure recurs due to such firmware switching as a hardware failure and notify the user. In addition, a configuration is also possible in which a hardware failure is removed from the data processing device by detecting a hardware failure from such a situation and separating a part of the hardware related to the failure. For example, a diagnostic program for hardware diagnosis is stored in a ROM (not shown), and if the failure recurs after switching the firmware, the diagnostic program is loaded into the RAM and executed to perform a detailed diagnosis of the hardware. Such a configuration is possible.

FIG. 3 is a processing flow chart when a failure occurs in this embodiment. First, the normal operation firmware is loaded and executed by starting the apparatus (S11).
0). The monitoring device 26 continues to monitor whether a failure has occurred (S112). If a failure has occurred, it is determined whether the failure has occurred again after the firmware switch (S114). If it is still the first failure in the current firmware, the firmware is switched (S116), and the status is monitored.

On the other hand, if the fault has occurred again in the current firmware, a diagnostic program for hardware diagnosis is loaded into the RAM and executed, and detailed hardware diagnosis is performed (S118). In this diagnosis, if new faulty hardware is detected (S
120), and writes the faulty hardware to the faulty hardware list (S122). For example, when a data error occurs in a part of the RAM in the diagnosis, or when an inconsistent result is obtained in a repeated data compare check,
It is determined that a failure has occurred in the RAM module including the RAM area, and the failure is recorded in, for example, a failure hardware list held in a nonvolatile memory. In a multi-CPU apparatus using a plurality of CPUs, when a failure such as an error in a calculation result is detected in one of the CPUs in the diagnosis, the information is similarly written in the list.

Thereafter, a new firmware is designated and restarted. At this time, the failed hardware list is referred to, and the failed hardware recorded therein is separately activated (S124). In the above RAM example,
Only the remaining RAM modules are used without using the RAM modules listed. Also in the example of the multi-CPU, the configuration of the apparatus is changed so that the CPUs described in the list are disabled and only the remaining CPUs are used.

If no new faulty hardware is detected in step S120, it is determined that the cause cannot be identified and the system is notified to the outside and the system is stopped (S120).
126).

In the example described above, among the functions of the degraded operation firmware at the time of failure, the functions common to the normal operation firmware are all different in coding from one another. The effects of the present invention can be obtained. In other words, even if a part of the faulty degraded operation firmware is created based on the common specification with the normal operation firmware and has a common coding in that part, on the other hand, as long as it has different coding parts, The probability of occurrence of a failure due to a bug can be suppressed as compared with the case where all coding is common.

Further, the data processing device according to the above embodiment has the firmware stored in the ROM. However, the present invention is not limited to only firmware, and can be applied to software recorded on a fixed magnetic disk device, a magneto-optical disk device, a magnetic tape, or the like. In other words, software having the same function but different coding is stored in a disk device or the like, and when a failure occurs, the software is switched to improve the fault tolerance.

The features of the present apparatus have been described above generally.
Next, the features of the present apparatus will be described more specifically by taking the substrate temperature monitoring function of the present apparatus as an example.

FIG. 4 is an explanatory diagram showing an example of a functional specification for creating a substrate temperature monitoring function for monitoring a substrate temperature and performing a predetermined action. FIG. 4A shows the function specifications of the normal operation firmware in an itemized list, and FIG. 4B shows the function specifications of the faulty degraded operation firmware in the itemized list. A comparison between the two shows that the faulty degraded operation firmware implements only a part of the functions of the normal operation firmware.

The operation of the apparatus in this example of the functional specification is as follows.

First, the normal operation firmware performs an operation of taking in the measured temperature value of the substrate to be monitored from the temperature sensor 34. The normal operation firmware secures a data area for storing the temperature measurement values for 100 times in the RAM 22, and holds the latest 100 temperature measurement values there. Based on the temperature measurement data stored in the RAM 22, the normal operation firmware determines that the substrate temperature is abnormal if the temperature continuously drops below 0 ° C. or exceeds 80 ° C. for the last 10 seconds. Judge as normal. Here, when the normal operation firmware determines that the substrate temperature exceeds 80 ° C., it displays an abnormality message on the LCD 36 and stops the system, for example. On the other hand, in the normal operation firmware, the board temperature is 0
When it is determined that the temperature is lower than the temperature, the operation of displaying an error message on the LCD 36 is performed. Further, when the normal operation firmware determines that the firmware is normal, it does not take any action corresponding thereto. The above is the processing performed in step S65 in FIG. 2 for this example.

When the monitoring device 26 detects a failure in the execution of the normal operation firmware (S 70), the monitoring device 26
Then, the identification information of the ROM to be selected at the time of startup stored in No. 4 is rewritten from the value "1" specifying the ROM 30A to the value "2" specifying the ROM 30B holding the degraded operation firmware at the time of failure (S75). Is restarted (S80). Hereinafter, steps S85 to S95 as described above
After that, the execution of the failure-time degraded operation firmware is started (S100).

First, the operation firmware for degrading at the time of failure is
An operation of acquiring a measured temperature value of the substrate to be monitored from the temperature sensor 34 is performed. However, the fault-time degraded operation firmware does not store the board temperature measurement value itself in the RAM 22. The faulty degraded operation firmware determines whether the board temperature is normal or abnormal based on the monitored temperature value only once. That is, the fault degraded operation firmware determines that the board temperature is abnormal if the single board temperature exceeds 80 ° C., otherwise determines that the board temperature is normal, and determines whether the measured temperature value is normal / abnormal. Is stored in the RAM 22 only. Then, if the faulty degraded operation firmware determines that the board temperature is abnormal exceeding 80 ° C., the system is stopped. That is all for this example.
This is the processing performed in processing S100 in FIG.

In this example, the faulty degraded operation firmware provides the temperature monitoring function by limiting the processing to the minimum necessary for continuing the operation. That is, unlike the normal operation firmware, the fault-time degraded operation firmware does not display an error message. Neither detection nor display is performed for the low temperature abnormality. When a request is made by the operator, the judgment result stored in the RAM 22 is read out from the RAM 22 by the faulty degraded operation firmware, displayed on the LCD 36, and notified.

Here, for example, if the normal operation firmware has a bug in the processing of the temperature value for 10 seconds when judging whether the temperature value is normal or abnormal, the system may be stopped due to the bug. On the other hand, the faulty degraded operation firmware does not determine whether the operation is normal or abnormal based on the temperature value for 10 seconds in the first place, and therefore does not include the same bug. Therefore, the operation of the device can be continued by switching the normal operation firmware to the faulty degraded operation firmware.

The normal operation firmware is set at 80 ° C.
It has a process of notifying to the outside when a temperature abnormality exceeds the limit, which may have a bug. If there is a bug there, there is a possibility that the system hangs up when executing the notification processing to the outside in the normal operation firmware. On the other hand, since the faulty degraded operation firmware does not have the notification process to the outside, there is no possibility that such a bug is included. Therefore, the operation of the device can be continued by switching the normal operation firmware to the faulty degraded operation firmware.

As described above, the normal operation firmware and the faulty degraded operation firmware all have different functional specifications, and the program codes created based on the functional specifications are also different from each other. Therefore, the bugs included in both are different, and even if a bug appears in the normal operation firmware, the bug is not basically included in the faulty operation firmware. Further, since the faulty degraded operation firmware is limited to functions essential for the continuation of the operation of the normal operation firmware, the program scale is reduced, the number of included bugs is reduced, and a failure is less likely to occur.

That is, in a situation where a bug has occurred in the normal operation firmware, the faulty degraded operation firmware does not cause the same failure, and the probability of occurrence of a new bug is low. As a result, the operation can be continued although it is limited to the minimum functions. In the present apparatus, while performing such degenerated operation, it is possible to investigate the cause of the bug of the normal operation firmware that has appeared and to remove the cause. That is, the present data processing apparatus can prevent the entire system from going down, and is extremely effective particularly in applications requiring high reliability and fault tolerance.

The present device also provides an improved failsoft configuration. In other words, according to the present device, the component that covers the range specified as having a failure is switched to another component that realizes only the essential function. In this case, the functions other than the essential functions in the failure specific range are lost, but unlike the conventional fail software, the essential functions are maintained and the operation of the system is continued. In addition, the essential functions provided and maintained by the faulty operation firmware are expressed by codes different from those required by the normal operation firmware, so if the coding of the essential functions of the normal operation firmware has a bug, Also, after switching, no failure occurs due to the same cause.

In the example described above, the device is composed of two firmwares, that is, the high-function normal operation firmware 40A and the low-function fault degraded operation firmware 4A.
0B is shown, but the essence of the present invention is not limited to this, and also includes a configuration having three or more firmwares having different functional specifications.

For example, a configuration in which firmware C is added to firmware A and B in the above example will be described. Here, the firmware A, B, and C are created in this order based on a function specification in which the function level gradually changes from a high function to a low function. These three firmwares differ from each other in the bugs contained therein, as in the two cases described above. Therefore, the firmware is usually operated with the high-performance firmware A, and if a failure occurs, the function is somewhat reduced. If a new bug occurs during the operation of the firmware B, and a new bug occurs during the operation of the firmware B, an operation mode of switching to the low-function firmware C and continuing the operation is possible. Thereby, reliability and fault tolerance are further improved. It will be apparent from the description of these three cases that the same applies to the case of four or more firmwares.

[Second Embodiment] FIG. 5 is a processing flowchart for checking the firmware execution state according to the present embodiment. In FIG. 5, the firmware includes firmware main processing routines S150 to S175 and timer interrupt handler processing S200 to S215.
In the main processing routine, after the initialization, a series of processing S155 to S175 is repeated in an infinite loop. During this loop, the execution check counter 2 on the RAM 22
Processing to count up 50 (count processing S16
5) is also included, and the count value is continuously updated during normal times, that is, while this loop is repeated. The timer interrupt handler is started at a fixed cycle by a timer interrupt and performs timer interrupt processing. This includes a process of checking the count value of the execution check counter 250 (counter check process S205). If it is determined in the counter check process S205 that the count value has stopped without being updated for a certain period of time or more, it is determined that the count value is in an abnormal state (S210). Is started (S215).

Here, for example, it is assumed that a runaway occurs due to a bug in the normal operation firmware and the system hangs up while checking the input data value in the main processing routine of the normal operation firmware. In this case, the loop of the main processing routine does not loop, and the execution check counter 250 on the memory is not updated. On the other hand, since the timer interrupt handler is periodically started by the timer interrupt regardless of the state of the main processing, it is started several times and detects a stop of the count value of the execution check counter 250 after a certain time. Upon detection of this stop, the timer interrupt handler activates firmware switching processing.
As a result, the faulty degraded operation firmware is activated and executed instead of the normal operation firmware. As described in the above embodiment, since the faulty degraded operation firmware does not have the same bug as the normal operation firmware that has been executed until then, the system stops momentarily due to the switching operation, but immediately The normal state is restored, and processing continues.

As described above, in this embodiment, a failure that occurs in the main processing of the firmware is detected by using the function of the firmware itself.

[Third Embodiment] Next, an example of a process at the time of startup after firmware switching according to a third embodiment of the present invention will be described. The configuration of the data processing device is as follows:
Since this is the same as the first embodiment, FIG. 1 will be referred to as needed in the following description.

Normally, when the power is turned on, the data processing apparatus executes an initialization process S150 at the beginning of the started normal operation firmware, as shown in FIG. 5, whereby the system is initialized and checked. On the other hand, when a failure occurs in the normal operation firmware and the data processing device is restarted to switch to the failure-time degraded operation firmware, the power remains on.

As described above, when switching the firmware, the faulty degraded operation firmware coded differently from the normal operation firmware in which the fault is detected is loaded from the ROM 30B onto the RAM 22 and executed by the CPU 20. In the activation of the faulty degraded operation firmware, unlike the case of the activation of the normal operation firmware when the power is turned on, the initialization processing S150 is already performed by the normal operation firmware that has been executed in the system. It is possible to omit the initialization processing of the unit.

This embodiment realizes high-speed firmware switching by omitting a part of the initialization processing. In the present embodiment, for example, the processing of initializing the monitoring device, initializing the memory, and initializing the conversion table can be omitted.

For example, regarding the initialization of the memory, check bit generation for parity and ECC (Error Checking and Correcting) is executed only once after the power is turned on, so that the consistency of the check bits is ensured, so that the check bit generation is executed again. No need. In addition, WRITE / READ /
It is often sufficient for the operation check by COMPARE to be executed once after the power is turned on. The processing start instruction for which the initial value is set to the monitoring device 26 can be omitted when the monitoring processing is already being executed.

When the conversion data table for processing is shared between the normal operation firmware and the faulty degraded operation firmware, the initialization of those tables can be omitted. For example, when a character code to be used is encrypted and processed by an external specification, a conversion table between the character code and the code after encryption may be stored in a common format from addresses 10000 to 20000. In this case, it is not necessary to communicate with the outside again to create the conversion table.

Therefore, it is possible to omit these initialization processes as necessary to speed up the switching process.
If omitted, it is registered in the omitted process list, and the process is executed based on it.

FIG. 6 is a processing flowchart of the initialization processing at the time of starting the firmware according to the present embodiment. First, CPU
Initialization of various registers of registers (S300) and initialization of registers of programmable devices (S305) are performed. Thereafter, initialization steps of the monitoring device, the memory, and the conversion table are performed.

In the initialization processing of the monitoring apparatus, the omission processing list is referred to (S310). If the processing is not registered in this list, the initialization processing is executed (S315). On the other hand, if it is registered in the omission process list, the initialization process S315 is skipped, and the process proceeds to the memory initialization process.

Also in the memory initialization processing, first, the omission processing list is referred to (S320). If the processing is not registered in this list, the initialization processing is executed (S325). On the other hand, if it is registered in the omission processing list, the initialization processing S325 is skipped.

Next, an input / output port initialization process is executed (S330), and subsequently, the process proceeds to a conversion table initialization process.

Also in the conversion table initialization processing, it is determined whether or not the processing is omitted based on the omission processing list (S335). If the process is not registered in the list, a conversion table initialization process is executed (S340). On the other hand, when the process is registered in the omitted process list, the initialization process S340 is skipped.

As shown in the figure, for example, the CPU initializes registers (S300) and initializes registers of programmable devices such as a memory controller (30).
5) The initialization of the input / output ports (S330) is an initialization process necessary even at the time of switching the firmware, and these are executed without being omitted.

[0071]

According to the data processing device of the present invention,
A normal operation program and a failure reduction operation program having a function specification lower than the function specification of the normal operation program are held. Since the functions corresponding to the normal operation program and the fault reduction operation program are all expressed by different codings, the same bug can be prevented from being included. Therefore, when a failure occurs during the execution of the normal operation program, by switching to the failure reduction operation program with a lower function specification than the normal operation program, the failure due to the same bug does not occur, and the normal operation program During the correction, the processing can be continued normally without causing the system to go down, and the effect that the fault tolerance and reliability of the data processing device can be improved can be obtained.

Further, according to the data processing device of the present invention, the normal operation program counts according to the progress of the main processing, and the processing failure determining means determines the failure based on the fact that the count value is not updated normally. Is detected.
Thus, an effect is obtained that a failure can be easily checked.

According to the data processing device of the present invention, in the activation of the switched faulty degraded operation firmware, a predetermined switching unnecessary initialization process of the firmware initialization process is omitted. As a result, high-speed firmware switching becomes possible, and the effect that the down time of the system can be further reduced can be obtained.

According to the data processing apparatus of the present invention, a hardware failure of the data processing apparatus is detected based on the recurrence of the failure after switching to the failure-time degraded operation program, and the relevant part of the hardware is identified. Is disconnected. As a result, the range of faults to be dealt with is expanded, and the effect of further improving fault tolerance and reliability is obtained.

[Brief description of the drawings]

FIG. 1 is a block diagram showing an overall schematic configuration of a data processing device according to a first embodiment of the present invention.

FIG. 2 is a flowchart illustrating the operation of the present apparatus.

FIG. 3 is a process flowchart when a failure occurs in the apparatus.

FIG. 4 is an explanatory diagram showing an example of a function specification for creating a substrate temperature monitoring function for monitoring a substrate temperature and performing a predetermined action.

FIG. 5 is a processing flowchart for checking a firmware execution state according to a second embodiment of the present invention.

FIG. 6 is a processing flowchart of initialization processing at the time of starting firmware according to a third embodiment of the present invention.

FIG. 7 is a block diagram illustrating a configuration of a conventional data processing device.

FIG. 8 is a principle diagram of a semiconductor memory device according to another related art.

[Explanation of symbols]

20 CPU, 22 RAM, 24 nonvolatile memory,
26 monitoring device, 28 system bus, 30A, 30B
ROM, 32 switching means, 34 temperature sensor, 36
LCD, 40A Normal operation firmware, 40B
Faulty degraded operation firmware.

Claims (7)

[Claims] 1. A data processing apparatus having a processor for executing a program, a first program storage means for storing a normal operation program, and a failure degeneration of a function specification lower in function than the function specification of the normal operation program A second program storage unit for storing an operation program; a program selection unit for selecting one of the normal operation program and the failure-time degraded operation program as an execution program; and detecting a failure during execution of the normal operation program The function of the faulty fallback operation program and the function of the normal operation program corresponding thereto are created based on the function specifications different from each other. The whole is represented by different coding from each other, When a failure in the normal operation program is detected by the serial processing failure determining means, by switching the execution program to the disaster degenerate operation program from the normal operation program, the data processing apparatus according to claim. 2. The program according to claim 1, wherein the normal operation program and the fault reduction operation program are firmware stored in a read-only memory or software stored in a magnetic recording medium, respectively. Data processing device. 3. The normal operation program counts in accordance with the progress of the main processing, and the processing failure determination means determines a failure based on the fact that the count value is not updated properly. The data processing device according to claim 1 or 2, which performs the processing. 4. The data processing apparatus according to claim 3, wherein said processing failure determination means is configured by a timer interrupt processing for performing a processing of determining whether the count value is updated normally. 5. A method according to claim 1, wherein when the faulty reduced operation program is switched by the program selecting means, a predetermined switching unnecessary initialization process in the faulty reduced operation program initialization process is omitted. The data processing device according to claim 1 or 2, wherein 6. The switching-time unnecessary initialization process includes a memory initialization process for creating a check bit of a memory or an operation check, an initialization process for the processing failure determination unit, or the normal operation program and the time of the failure. 6. The method according to claim 5, further comprising at least one of initialization processing of the conversion data table when the conversion data table for processing is shared with the reduced operation program.
The data processing device according to claim 1. 7. A hardware failure of the data processing device is detected based on a reoccurrence of the failure after switching to the failure reduction operation program by the program selecting means, and a part of the hardware related to the failure is separated. The data processing apparatus according to claim 1, further comprising a hardware failure removing unit.