SE9703132A0 - Software model for a distributed processor system - Google Patents

Abstract

SUMMARY OF THE INVENTION An object of the invention is to provide a method for automatic recovery from multiple permanent errors in processors in a distributed processor system used in an application environment of a telecom system which has high accessibility requirements while allowing the telecom system to maintain system maintenance. is planned or not. Another object of the invention is to utilize available processor resources at the same time as the invention allows a heterogeneous processor environment, due in part to the introduction of flight technology in a system that grows with time and in part to the individual requirements of different parts of an application running on the processor system. Another object of the invention is to provide a method for rapid recovery in the event that several processors go sand in a distributed processor system used in a telecom system environment by providing an initial configuration of all processors and by providing, for each processor in the system, a contingency plan to be used in the event that the processor in question is sanding. An emergency plan is the body with the help of which software objects, which are installed on a broken processor, are distributed to. A number of processors in the system said that the load is divided between. • • •• • the processors.

Description

NAME OF THE INVENTION Software model for a distributed processor system APPLICANT Name and address.

If a representative is missing, also state your telephone number.

For legal entity, state organization number. TELEFONAKTIEBOLAGET LM ERICSSON 126 25 Stockholm Organization number INVENTOR Name and address Lars Ulrik Jensen Erik Dahbergsgatan 55,115 57 Stockholm REPRESENTATIVE Name, address and telephone number x Signed Authorizing Officers have the following listed Swedish agents represent me in this patent as an attorney who r6 the patent that may have been granted.

Applicants authorize the following Swedish agents by separate power of attorney.

DR LUDWIG BRANN PATENTBYRA AB Box 1344,751 43 UppsalaTel- 018-568900 The ombud's ref no. StamansokningarI Begard lopdag 9504396-41995-12-08 REQUEST FOR ITS REVIEW News review of an international type xxxx APPENDICESDescription, patent claims and summary in triplicate Uppsala 1997-08-29 FEE ..6 drawings in3 copies Place, date

Power of attorney copy - - Sequence list on diskette EPO's program Patent In Priority Certificate IK DR LUDWIG BRANN D Gi, v0 Cu, PATENTBYRA AB -, 4, - x 7 PAYMENT PAY Application fee SEK 3,800 Application fee with ITS review SEK 7,000 Additional fee, SEK 100 for each patent ten, SEK Diary certificate: SEK 20 Postgiron Bankgiro x Signature Hans-1Ake Svanfeldt Check in Cash Postal addressBesoksadressTelefonTelexTelefaxTelegramPostgiroBankgiro Box 505Valhallavagen 13608-782 25 001797808-666 02 86PATOREG1 5624-•50 •• • •••: ••••••••• •••••••• • •• • • • • • • ••• •• •• ••• • • • • • •••: " TECHNICAL FIELD The present invention relates to a software model for a distributed, fault-tolerant, reconfigurable processor system in a telecommunication network...................................

TECHNICAL BACKGROUND In public telecommunications systems, there are many different processors that perform various tasks, such as monitoring activity on subscriber lines, setting up and releasing connections, traffic control, system maintenance and taxation. Groups of processors are interconnected by means of a network which is separate from the telecommunication network or which forms part of it. In modern telecommunication networks there are network elements, such as a selector, a database, a processor, which are distributed on several physical elements in the physical network which form the telecommunication network. For an application such as POTS (Plain Old Telephony Service), GSM (Global System for Mobile Communications), VLL (virtual leased lines), BISDN (broadband digital night with integrated services) set up a distributed processor or a distributed database as a single entity. The distributed units are said to be transparent from a distribution point of view.

• • •• • • • • • • • •• • •• • • • • • • A major requirement placed on processor-based control systems for public telecommunications systems is system availability. This means that the system must be accessible to serve its users. In the AX-10 telephone system, the system is allowed to be inaccessible for only two hours below 40 Ai. Converted • to minutes per year, this corresponds to approximately 3 minutes. Modern .. ••• •• • •• ••• • • • • telecommunication systems have met higher demands on access- ••• • ••• • •• 41; •••••••: • • • • ••••••• •• •••••••• •• • •• •• •• ••• • •• •• •• • ••• 2: •••: •••• ••••: •• ••• lighet. Nevertheless, modern telecommunication systems require that planned maintenance work, which can take time, be able to be carried out with long time intervals, for example with time intervals of the order of about 1 month.

In general, both improved system availability and longer repair time (MTTR) are sought after. Long average time between repairs is undesirable and allows repairs to be carried out on working days (Monday to Friday) and during working hours (from 08.00 to 17.00) and allows scheduled maintenance. These requirements mean that the telecommunication system must be able to tolerate a processor going down and that, before it has been repaired, a second processor is allowed to go down but that the system must be able to tolerate this and still be operational. In the worst case, and before the first other failed processors have been repaired, the system must be able to tolerate a third, fourth and additional processors going down, but the system must still be accessible despite the broken processors.

U.S. Pat. No. 4,710,926 relates to an error prevention method in a distributed processor system according to which method backup processors take over the functions of broken processors. A backup processor serves as a replacement for a 25 or more active processors. When a spare processor is taken into service, it no longer serves as a spare processor for the flag • •• • another processor in the system. In case of error handling, all • •• • •• • • • functions executing on the broken processor are transferred to the backup • • • • processor. The function of the old backup processor to be a "• server processor is transferred to a second backup processor in •". •• • the system. ". •• • •• • • • • •• ••• • 4 • • • 006 000 • • 64 •• • • • • •• 006 3 This known system thus requires two or more spare processors. When a spare processor is when it is activated, it does not perform any jobs. When activated, it starts performing jobs - provided it works, ie does not show any errors. It is necessary to run test programs that verify that the backup processors are working. However, this is not renamed the patent specification.

U.S. Patent 4,412,281 discloses a distributed, fault-tolerant, reconfigurable signal processing system that includes many identical, interconnected subsystem elements that share the major processing job. The sub-system elements are redundantly connected to each other by double buses. Some subsystem elements serve as backup system elements and are ready to take over the jobs performed on a broken subsystem element. A spare subsystem element has the task of alien performing control of all its own functions to verify that they work. By periodically rotating spare subsystem elements and active subsystem elements, a distributed operating system ensures that all subsystem elements 20 perform the said control of their own functions, whereby even minor errors can be detected. Broken elements in the sub-system are taken out of service and replaced with a spare element without the system going down. . The signal processing system thus uses spare sub-system elements that do not participate in the overall processing tasks. • • • • •• • 66 • • • • • • .. •: • () connector address is associated with a virtual address, which replaces the "." • connector address when a fault condition is detected. ". na. The method used for reconfiguration when a broken element is detected and replaced with a spare element utilizes distinct connector addresses for each element in the system. En ••• •••• ••• I: .41% •••• •••• •••• • • • • • • • • • • • •• ••• • • ••• SUMMARY OF THE INVENTION An object of the invention is to provide a method for automatic recovery from multiple permanent defects in processors in a single invention............................... distributed processor system used in an application environment in a telecom system that has high accessibility requirements while the telecom system must allow system maintenance, whether this is planned or not.

Another object of the invention is to utilize available processor resources at the same time as the invention allows a heterogeneous processor environment, due in part to the introduction of flight technology in a system that grows with time and in part to the individual requirements set by different parts of an application. on the processor system.

Another object of the invention is to provide a method for rapid recovery in the event that several processors go sand in a distributed processor system used in a telecom system environment by providing an initial configuration of all processors and by providing, for each processor in the system, a disaster plan to be used in the event that the processor in question goes sand. An emergency plan is the body with the help of which software objects, which are installed on a broken processor, are distributed to. A number of processors in the system said that the load is divided between. • • •• • the processors.

Another object of the invention is to provide new contingency plans for the system with working processors, of which "•: * 10 may in themselves have installed software objects from a broken •". •• • processor, so as to colorize the system too fast ". • • • • •• • • • • • ••• • •• •• • • ••: • •• •• •• *. * •• • • ••• .. • •••• • • •: •• • • •• •••••••• •• •• •• •• • •• •• •• •• • : •• •• • • ••• ••• recovery in the act of annu a processor in the system goes sander.

Another object of the invention is to provide a method of the above kind which takes the system back to its original configuration of processors and software objects when the system's broken processor or processors after repair or replacement have been reinserted. Another object of the invention is to provide a software model which allows software objects to be moved from a broken processor to a working processor by restarting the software objects on the working processor. A software model can also kill a software object that is installed on a processor and can restart the software object on a repaired, previously broken, processor that has been put back in the system. The latter second occurs primarily when the system returns to its initial configuration and the objects installed on the operating processors are to be returned to the repaired processors.

In accordance with the invention, a model of the telecommunication system is created, which model comprises a hardware model of the controlling processors and of the controlled hardware equipment 25 as well as a software model which stands and fits in the hardware model of the telecommunication system.

In accordance with the invention, a first algorithm is used to unravel the contingency plans for each of the operating processors either by the initial configuration. of any of the configurations that occur after a processor has been sanded. ••• • • ••• ••• • • • • • 41.0 • • •• ••• • ••• • • • • In accordance with the invention, a second algorithm is used which, on the basis of a current configuration, calculates a delta configuration, which out the applied to the current configuration, returns the initial configuration of the system.

In the software model used for the software objects, there are no configuration dependencies encapsulated in the software objects, which means that the software objects can be moved from one processor to another in which processor configuration is hoisted.

BRIEF DESCRIPTION OF THE DRAWINGS An illustrative embodiment of the invention will be described below in connection with the accompanying drawings, in which.

••. • • • • •• • • • Z • • "• • •• • • • • • Fig.

FIG.

FIG.

Fig. 1 2 3 4 •• • • • • is a block diagram showing a distributed processor system in an initial configuration, is a block diagram showing the processor system in Fig. 1 in a current configuration after one of the processors has probed, is a block diagram of the processor system in Fig.1 in a second current configuration after two processors Ott sOnder, is a flow chart showing the method in accordance with the invention, 7 ••• •• •• • • ••: • •• •• • ••• •• • • ••• ••• •••• • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • Fig. Is a block diagram of a distributed processor system in which some of the processors control hardware equipment; Fig. 6 is a schematic view of a modularized software object; 6B-D are block diagrams showing three different types of software objects, Fig. 7 is a block diagram showing how the hardware and software models according to the invention fit together in a single model of the telecommunication system, and Fig. 8 is a block diagram showing the hardware model in accordance with the invention.

DETAILED DESCRIPTION OF THE INVENTION Fig. 1 shows a number of distributed processors P1, P2, P3 and P4 which communicate with each other over a night Ni. The processors form part of a telecommunication network (not shown). The network Ni can form part of the named telecommunication network not shown. Each processor contains a processor unit PE and mine M. Software objects 1, 2, 3 ... 18 are installed on the processors; objects 1, 2, 3 on processor P1, objects 4-7 on • • • •• • • • • • • • • • • • • • • • • The software for an application running in the telecommunication network includes software objects (Fig. 6B -D), which ings in software-. modules (Fig. 6A). The modularized software objects are • • allocation-independent objects that can be moved freely between the processors. A modularized software object is independent of processor P2, objects 8-12 on P3 and objects 13-18 on P4. 8 •• •• • •• ••• • • • • • 000 000 0000 •• • • • •• 000 :: • • OS •• • • •• 000000.0 00 • other modularized software objects. A software object typically contains a process and persistent data. Persistent data is data that survives a reboot of the software object. Software objects can communicate with each other. One job requested by an application typically involves many software objects on different processors and is executed by some or all of the processes. The application does not know how the software objects are distributed on the various processors. Modularized persistent data can be stored in a database. In the same way as the processor system is distributed, the database can also be distributed over a number of memories M on many processors, preferably on the memories in all processors P1, P2, P3 and P4. These database partitions are designated DB1, DB2, DB3, and DB4 and include a working memory (RAM). From an application point of view, the distributed nature of the database is transparent. Persistent data must be able to be stored securely. This can be achieved through conventional backup technology, for example by storing the data on a disk. However, a new and preferred alternative is to store a mirror copy of each modularized software object in a database partition on a processor separate from the one on which the object is installed. More specifically, the mirror copy of habitual modularized software object is stored in the database partition of the processor designated in the disaster plan of the processor on which the modularized software object, the original, executes. In this way, copies of the modularized can be persistent. . • • •• the data is stored securely on another processor in the event of. • the processor on which the original is stored is running. 4 • • • • •. • The way in which objects 1-18 are distributed on the process. •. P1-P4 is called the initial configuration of the distributed processor system and is shown in the attached Table 1, ur • ••• • •••••••••••••: ••••••••. ••••••• ••••••••••• • •• • •••••••••••••• ••• 9: .. *: •••••••••: •• ••• which shows that objects 1, 2 and 3 are installed on processor Pl.

The initial configuration must not disappear if the flag processor 5 sander. For this reason, the initial configuration and the mirror copy of it are stored in the manner described above. Instead of implementing the initial configuration in the form of a table, it can be implemented in the form of so-called pairs. For example, the pairs (1,1), (1,2), (1,3) correspond to the information that appears from the first row in Table 1.

In order for the recovery time for the processor system, and therefore also for the telecommunication system, to be short if one processor is running, there must be a disaster plan for each processor running solid. Since it is not possible to predict which processor will go sandy, there must be a disaster plan for each processor. An emergency plan contains directives regarding the processors to which the software objects on the broken processor are to be moved. A disaster plan, shown in Table 2, 20 designates the processors to which the objects installed on the processor P1 are to be moved in the event that the processor P1 breaks down. Another disaster plan contains information that tells you where to move the objects installed on processor P2 if P2 is solid. Similarly, there is a disaster plan that. 25 must be followed if processor P3 is sanding. This disaster plan. • • •• • is shown in Table 4. Finally, there is a disaster plan, Table 5, • which takes care of the case that occurs in the act of pro- • • •• • •• •. • • cessor P4 gar without.

•. • Processor P1 gar without. .

Assume that processor P1 is probing. The processor system must recover quickly from the error and therefore they must on the process ••• • • ••• 10 SID • • •• ••• II 4 • ••• • • • • • • • • •• • 4.0 • • ••• • t •• ■ •• • II • • • • • • I •• • • • •• 00 • IS • • • • • • •• • • • • • •••• •• • •••• • • sorn P1 installed the software objects 1, 2, 3 are moved to the processors P2 and P4 in accordance with the disaster plan for P1. More specifically, the software objects 1 and 3 are to be moved to the processor P2 and the software object 2 is to be moved to the processor P4. This is achieved by removing the software objects 1-3 from the processor P1 and by creating and starting the software objects 1, 3 on the processor P2 and on the processor P4 creating and starting the software object 2. This of course requires that execution capacity is available on the processors P2 10 and P4 . If such capacity is not available, the system cannot recover from the processor error. In the following, it is assumed that the necessary processor capacity is available and that the system thus recovers from the error. The system will now have the co-configuration shown in Fig. 2 and Table 6. Based on this configuration, which is now called the current configuration, new disaster plans must be created so that the system can quickly recover from any of the other processors. gar sander. To this end, new contingency plans are being produced which provide directives as to which processors the software objects installed 20 pA a broken processor are to be moved. Since it is not possible to predict which of the three operational processors P2-P4 will provide probes, it is necessary to create disaster plans for each of the operational processors. Table 8 is the new disaster plan. 5 (CP-P2 ') for processor P2, Table 9 the new disaster plan • • •• • (CP-P3') for processor P3 and Table 10 the new disaster plan • • • • (CP-P4 ') for processor P4.

• • ••. • • • • • • • In the same way as the original disaster plans, the • - •: ° 310 new disaster plans and their mirror copies are stored in the way described above. ••• •••••: •••••••• • •••••••• •••••••• ••• • •• • • • •• •• • •• • •• •• ••• • • • •• • •• •• •• • • • ••• • • 11 • •• • •• •• •••• •• It should be noted that the preparation of new disaster plans for the current configuration saves memory compared to the following theoretical concept conceivable scheme: assume that the system consists of four processors and that the system is designed so that it tolerates that two processors are probes. Since it is not possible to predict which processor goes probes first and which processor goes probes as number two, one must create as many disaster plans as the number of different ones depending on which two elements can be selected from a group of four elements. These 10 mAste disaster plans are stored in the database. Thus, twenty-four disaster plans must be created and stored. This storage requires a lot of memory space. The memory space grows faster than exponentially with the number of processors the system can tolerate. 15 During the period from the time the Aterhamt system progressed until new contingency plans were prepared and stored in the database, the system was vulnerable. During this period, no processors gA sander. Should a processor fail during this period, the system will not be available. .2 • •• •: • When a PI processor is removed from the system after it has been removed and repaired, the system must return to the initial configuration. This can be done either by cloth all the software objects in the current configuration and by creating and starting all the software objects on the processors in the system. In the proposed embodiment of the invention, only the objects which have been moved away from the first processor and which now execute on other processors are first clothed. Then these are recreated and started on the processor Pl. To find these objects, a delta configuration table is created by subtracting the initial configuration from the current configuration. guration with the exclusion of the processor Pl. By subtracting •• • •• ••• • • • •. 12 ••• ••• •• .::: 7. ••. "': •••. •:. •• .. •'. •••••••••: ••• .. • Table 1 from Table 6 is obtained from the delta configuration shown in Fig. 7. The row relating to the broken processor P1 is not included in the subtraction, the delta configuration shows that objects 1 and 3 on processor P2 and that object P2 The processor P4 must be clothed on the respective processors, then they must be recreated and started on the repaired processor P1. When the objects are recreated, the system will run in the same way as it did in the initial configuration and the system retrieval time will be short. In the following example, it is assumed that the processor P1 is probing and then that the processor P2 is probing. In connection with the previous example, it is first assumed that the system is in operation with the same configuration as in Fig. 1. that disaster plans have been created for each of the processors P1-P4, that the processor P1 fails, that the remaining objects on the processor P1 are moved to the operational processors in accordance with the disaster plan in Table 2, that the system recovers and is in operation, that new disaster plans are created for the processors P2, P3 and P4, that the processor P1 is removed and left for repair. . It is now assumed that the processor P2 fails. Thus, the new disaster plan, which here together with the processor P2, i.e. the new disaster plan in Table 8, must be followed. According to this disaster plan 25, objects 1, 3 and 4 must be moved to processor P3 and objects 5-7 must be moved to processor P4. In the same way as • • ▪ • previously, the software objects on processor 2 are removed and moved •• • • • Over to processors P3 and P4. The system will now be •• • • • In operation and run with the configuration shown in Fig. 3 ". And Table 11. In accordance with the invention it is now necessary •" • • to prepare new emergency plans for each of processors P3 and P4. ••• • • • • 13 • Of • .60: • • • • • 000 •: • • • • •••••••• • • • • • • • •• • 000 ••• During the period from the processor P2 in until new disaster plans for the processors P3 and P4 have been prepared and stored in the system, the system will be vulnerable. Thus, if either P3 or P4 fails, the system will be inaccessible. Now it is assumed that this does not occur. Istdllet the system in operation with the configuration shown in Fig. 3 and Table 11.

Now the processor P2 is removed from the system and left for repair. It is then assumed that the processors P1 and P2 are repaired and that they are put back into the system. It will now be necessary to kill objects 1-7 and processors P3 and P4 and to recreate and start them on their respective original processors P1 and P2. Using a delta configuration obtained by subtracting the initial configuration from the current configuration in Fig. 1, with the exception of the broken processors P1 and P2 this time, the objects that must be clothed will be identified; ± this case 17. More specifically, objects 1, 3, 4 pA processor P3 and objects 2, 5, 6, 7 pA processor P4 must be moved Over. The way in which these objects are to be distributed on the processors P1 and P2 is given by the initial configuration table. Thus, objects 1, 2, 3 are created and started on processor P1 and objects 4-7 are created and started on processor P2. The system has now recovered from the connection of the two repaired processors and •. • • "• is now assumed to be in operation.

• • • • •• • •• • • • • • In the above examples, a processor system with four processors has been described. The invention An equal choice applicable to •:% 39 processor systems containing TWO, THREE, FOUR or MORE PRO- • ••• • • ••• •• • •• • ••• • • • • • processors. The last example described a processor system that tolerated two processor failures. Invention Procedure ••. * :. "..: 7 .. •: •••••••• •: •• ••• is equally applicable to processor systems that tolerate three or more processor failures. Each time -en processor fails, its software objects are moved to other working processors in the system and new disaster plans for the working processors are created.The last example illustrates that a processor consisting of four processors can be in operation with 50% of the processors failing.The application will still execute Although with a reduced capacity.If the processor system is a selector in a telephone exchange 10, the telephone traffic will still be running and the spar will occur at low traffic volume.This is a new and unique feature not found in the flag of the above mentioned US patents and , as far as the applicant is aware, no one has been able to achieve this before.

A first algorithm is used to create disaster plans from the initial configuration in the event that a first processor fails or from the current configuration in the event that an additional processor fails. The first algorithm 20 contains parameters relating to the capacity of a processor, parameters relating to the size of the memory of a processor, parameters relating to how much processor capacity (machine cycles per process to execute) and memory the individual moved objects require, as well as parameters regarding the quality of service .

• • •• • • • • • A second algorithm is used to return the system to its initial configuration. This second algorithm has already been described above and was called delta configuration. • • • • • • •• • • • • • •• "•: • 50 Different methods can be used to detect a broken process- • ••• • • ••• •• • •• ••• • • • • sor, for example, the "heartbeat method" in accordance with the aforementioned U.S. Patent 4,710,926. A preferred method in a 14 • .. •. ° :. ".. :: •••••••• •: •• ••• typical telecomnet, however, is to monitor the lines that connect the processors to each other in the network Ni. In connection with the two examples described above, it was described that software objects that were installed on a failed processor were transferred to two processors. Of course, the objects of the failed processor can also be distributed on three or more processors in the system. In exceptional cases, all software objects can be moved Over to a single processor in the event that the system consists of two operational processors and one of these fails.

When the system is in operation, all the processors are operational and have more capacity and more memory than what is required for them to perform their jobs with calculated capacity, ie they must have capacity and memory Over to take over objects from one or more processors and to take over application jobs that are being executed. This ensures that all processors are operational and no test program needs to be run to verify this. Furthermore, the capacity of the system will exceed the calculated capacity, which means that the system will have "spare capacity" that can be used to take care of additional application jobs; there is no clod "reserve" capacity. For the application, a failed processor will only cause the system capacity to be reduced; have-net will not cloth the system.

•. ••. As an alternative to dimensioning the system with an active "reserve" capacity that can be used to take care of ••. ••• additional application jobs, the system can be designed with no •. • • • active "reserve" capacity and with all processors working with dimensioned capacity. When a processor crashes. . ••• • • ••• •• • •• • ••• • • • • the system to work with reduced capacity. 16 ••• ••• ••••• • •• • • •• •• •• •: ••••••• :.

• ••• • •• • • • • • •• • •• •••••••• •• •• •• •• •• • •••••••••• • • • •• •• • ••• • •• Fig. 4 is a flow chart showing the method steps performed in accordance with the invention. There is always an initial configuration in which all modularized Software objects are mapped on individual processors. The initial configuration is created by the system vendor or system operator and stored in the system. This is indicated in box 20. Next, disaster plans must be created ± according to the first algorithm. There must be as many disaster plans as processors in the system. Furthermore, mirror copies of persistent database objects must be created. This is indicated in box 21. In a preferred embodiment, the habitual processor creates its own disaster plan, i.e. the disaster plan that the system is to use in the event of the processor failing. At-garden ensures that the work of creating the disaster plans is fully distributed. Then a processor crashes, box 22. The software objects on the crashed processor must be moved to operational processors using the disaster plan for the crashed processor. The term "move Over" object means that new copies of the software objects on the failed processor are created and started on the processors to which they are to be moved Over in accordance with the disaster plan. This is indicated in box 23. Box 23 thus represents the system's recovery from the failed processor. The system is now operational and a new configuration, called the current configuration, is emerging. The current configuration is also stored in a memory by a distributed processor. While the • • • •• • system is in operation, new disaster plans are being created for the functional. • • capable processors, box 24. Now the system has recovered • • •. - • its ability to withstand a new processor failure. Aven spegelko- •. • •. •. • piors of the new disaster plans are stored in the database. If a new F..30 processor fails, it returns to operation 22, indicated by the arrow • • • • The failed processor (s) box 26 is then repaired, and put back in the system, box 26. About two ••• • • • • •• • • •• •••• •• •••• •• • • • • • • • • • • • • • • • • •• • ••• • • •• • •••• •• • • • • ••••• ••• •• • • ••• ••• ••• •• •••• •• or several processors have failed is assumed that they are repaired and sdtts back into the system at the same time. Theoretically, it is of course possible to repair failed processors one at a time and that they are put back into the system one at a time. From a practical point of view, however, this is a reversal. The final step in the process, box 27, is to return the system to its initial configuration using the second algorithm. In the examples described above, it has been assumed that software objects 1-18 do not control any hardware equipment. Examples of hardware equipment controlled by software modules are I / O devices, interfaces to the subscriber line, processors to the subscriber lines, tone decoders, voice messaging equipment, conference equipment. Hardware dependencies of this kind create restrictions on the software modules. A software module involved in controlling a hardware equipment connected to one or more processors cannot be transferred to any processor in the system but must be transferred to a processor having access to this hardware equipment. Disaster plans must be created with this in Atanke.

A telecom system can usually continue to operate despite loss of certain means, but the services provided by the telecom system can be hampered. • 17 • • •• • • • • • • • •• • • • • • To the extent possible, a disaster plan must thus allocate organ-controlling software objects to processors that have access to the controlled organs. If this is not possible, the F-10 modularized software objects that control the devices must be excluded from the disaster plan. An excluded software object is always of the type shown in Fig. 6C.

•• • • ••• •• • • •• •••• •• •••• •• • •• •• • • • • • • • • •• ••• • ••• • • ••• •••• •• • • • • •••••: • •• • • •• •• ••• •• •••• •• Fig. 6B illustrates a software object that containsA function part ( execution part) and a part with persistent data (persistent data part). The software object in Fig. 6C contains the functional part of the software object in Fig. 6B and the software object in Fig. 6D contains the persistent data part of the same software object as shown in Fig. 6B. The software objects in Figs. 6C and 6D together form a pair and they have the same key. The key is the logical address of the software object shown in Fig. 6B to the database and the key will therefore also be the logical address of the two software objects in Figs. 6C and 6D in the database. It is the software object in Fig. 6C that controls a device. It is in this software object that there is a hardware dependency.

An excluded software object in a current configuration must be blocked, ie other software objects must not be able to communicate with it. In a preferred embodiment, blocking is accomplished by setting the persistent data portion of the software object in Fig. 6D to the blocked state. A blocked state is marked by placing a flag in the software object. It should be noted that it is not the organ control software object 6C that is blocked but its persistent twin software object in Fig. 6D. By examining the condition of a software object before the application starts communicating with the software object, the application can handle blocked means RA in an orderly manner. • • • 18 • • • • • • • • • • • n as an alternative to to block software objects with s • • stand flag in the database representation of the software object, r.8.0 the software object can be blocked in the address tables contained in the • •• ••• to • ••• •• • •• •• • • • • and the processors' operating system.The operating system of a processor has an address table for its own software objects.19 • .0 9 SOO :: t •• O. • 0.0 00. • •: 000: ... I. • • 9 • • e .4. .

•• • • • • • • ID 0 .0 .. • 00.

The address tables are used when messages are sent to the operating system software objects.

The concept of quality of service includes the fact that the processors in a processor system can be of two types, fault-tolerant processors (FTP processors) and non-FTP processors. An FTP processor, which usually includes dual processors, continues to execute its jobs even if a simple hardware failure occurs in the hardware controlled by the FTP processor. When the error occurs, an alarm is triggered but the program does not crash. By means of means which are not described in the present invention because they do not form a flawed part of this invention, it is possible to take an FTP processor out of service, so that they can be repaired, in a controlled manner using the disaster plans. . The services provided by the application will not be interrupted. As an example, it can be mentioned that in a telecom system no traffic disruptions will occur; pagende leash not to be broken. Thus, system recovery following the removal of an FTP processor will not disrupt delivered services. By combining the present invention with the FTP processors described above, it is possible to achieve very high system availability as well as very high service reliability when hardware errors occur. In short, the purpose of the service quality parameter is to support FTP processors for software that requires very high service performance. • •. .reliability. An FTP processor will thus mask an internal hardware failure, but the FTP processor must be repaired before new internal hardware failures occur. • r.e.0 Fig. 5 shows a processor system similar to that in Fig. 1, whereby • there is a nat Ni to which processors P1-P4 have access and can communicate with each other. Although not shown in Fig. •• •• •• • • • • • • • • • • • • • • • • • • • • • • _ ••• •••• •••: .41% • ••• •• • • •• • •• • •••: • • • ••• .. • • •: • • •••• • • •• • •••• • • • • •• • ••• ••• 5 it is assumed that the software objects 1-18 are distributed on the process oxen P1-P4 in the same way as shown in Fig. 1. Furthermore, a means D1 is shown to be connected to the processor P1. There is also a second nat N2 to which processors P2 and P4 have access. A means processor D6 is a device used to connect means D2 and D3 to the network N2. The organ processor D6 thus controls the devices D2 and D3. Another means processor D7 connects devices D4 and D5 to the network N2 and thus controls them. There are software objects that connect the devices D1, D2, D3 ... 10 D7 to the processor system. As an example, the software object 1 is assumed to control the means D1. If P1 fails, none of the processors P2-P4 can control the means D1. Thus, the object 1 cannot be moved Over to any of the processors P2-P4. However, as far as means D2-D7 are concerned, software objects controlling some or some of these means must be installed on a processor capable of communicating with these means. The means D2-D5 can be controlled via the network N2 and thus software objects which control some or some of these means can be installed on any of the processors P2 and P4. Processors P1 and P3, on the other hand, cannot be considered. In summary, a software object that connects hardware to the system must be installed on a processor that has access to this hardware.

Typical examples of a device of the type D1 are the processor P1 itself. Another example is a hardware device, such as a UART device. If the processor PI fails or cm the hardware device that the processor P1 controls fails, the software object representing the processor P1 or a software object representing the failed hardware cannot be moved • • • • • • • • • • • • • • • •. 00 Over to any of the processors P2-P4 because the latter ••• .. - • 4041 • • .094t • the processor Pl. However, the processor system must tolerate that the PI "••• • • • • • can not gain control over the damaged hardware or Over 21 ••• • •• ••••• • ••: •• •• ••••• ••: • ••• ••• • •: • •• •••• •••••••• •• ••: •. ••••••• •• •••• • • • 1: •• fails if the system is to be redundant If the software object representing processor P1 fails, the software object representing processor P1 must be blocked and cannot be accessed by any other software object.

Consider Fig. 1. Each processor P1-P4 has its own object that describes the processor. More specifically, object 1 represents processor P1, object 4 processor P2, object 8 processor P3 and object 13 processor P4. All of these hardware dependencies are described exactly by the hardware model on which the software model of Fig. 7 is installed. Thus, the model shows that none of these objects 1, 4, 8 and 13 can be moved Over to the other processor in the system. The first algorithm works on the hardware model with installed software and will thus take into account all hardware dependencies when it creates new disaster plans. The processor 1's disaster plan, shown in Table 1, will therefore remain the same except that object 1 disappears. In the disaster plan for processor 2 (Table 3) the object 4 will disappear and the disaster plan for the processor 3 20 the object 8 will disappear. In the disaster plan for the processor P4, the object 13 will disappear. A smaller number of objects than what has been described previously will thus remain on the respective processors when a processor fails. If, for example, the processor P1 breaks down, the object 1 must be blocked from accessing other software objects. This means that no other software objects are allowed to communicate with the software object 1.

The model according to the invention will always be left to the system • • • •• • •• • • • • • the system is in operation even if hardware equipment is probing and not •. "• • can be controlled by his or her software objects. ". time it at the higher level of the system turns out that the system 22 ••• • •• • •• •• ••:. ••. '"•: • ••• .. • • • • • •••• •••• •• • • •• • • • • ■ • ■ •• •• • • ••• ••• is not in operation, can not even deliver services with reduced quality, then the reason for this is to be found in lack of redundancy and the model can not change this fact.5 In Fig. EA the software model of the modularized software object is shown.The software model consists of a class bendmnd configObj which has the operations construct () and destruct (). Construct () and destruct () are used to create a single modular software object, respectively, The modular software object has been described above in connection with Figs. 6B-6D.

The hardware model of the system shown in Fig. 1 is described with reference to Fig. 8. The hardware model 30 describes the physical means and their locations in the system. The hardware model 30 includes a class Processor 31 which generates objects representing the processors P1-P4, a class CPPool 32 which generates objects representing ndtet Ni, a class DevX 33 which generates objects which represent nat N2 and a class ConfigObj 34 which generates objects representing the software objects, shown in Fig. 6B, by the above-mentioned means; including the body processors. The ConfigObj 35 class generates objects that represent the software objects of the modularized software object in Fig. 6A but does not form part of the hardware model.

The model shows that the processors are connected to Ni and to N2. The model also shows that software that does not have any devices can be installed on all processors that can be connected to you, while software that controls devices must be installed on processors • • • •• • • • • • • • • • • • • • • • • • r which can be connected to N2. The model defines the restrictions • • ••• • • ••• •• • •• ••• • • • • for habit hardware-dependent software objects. Connecting ConfigObj to DevX (Organ X) not only includes hardware 23: "" :: •. ' ": • • • 00 • 00 00 0000 00 devices in the hardware model but at the same time the organ control software objects are installed in the model.

• • ••• •••••••••• •••• • •• •• • • • • • • •••• III • IS • II ... •• 11. ••• • I; .11 •: •••••• ••• •••• Table 1 INITIAL CONFIGURATON PROCESSOR ID OBJECT ID 1 1,2,3 2 4,5,6,7 3 8,9,10 , 11, 12 4 13, 14,15,16, 17, 18 Table 2 DISASTER PLAN for processor 1 (KP-P1) OBJECT ID PROCESSOR ID 1 2 2 4 3 2 Table 3 DISASTER PLAN for processor 2 (KP-P2) OBJECT ID PROCESSOR ID 4 1 3 6 3 7 4 • • • • • • 24 ••• ••••• ••••••• • •••• ••••••• • • • • • • •• •• • •• ••: •• *. * ••• .. • •: • •••••••• • • •: •• ••• ••• Table 4 DISASTER PLAN for processor 3 (KP-P3) OBJECT ID PROCESSOR ID 8 1 9 1 2 11 4 12 4 Table DISASTER PLAN for processor 4 (KP-P4) OBJECT ID PROCESSOR ID 13 2 14 1 2 '16 1 17 2 18 1 • •• • • • • • ••• • • ••• •••••••••••• • •••••••• •• •• •• • •• •• • •••• • ••• • • • •• •• •• •• •• • • ••• 26: *. •: ••••••••• • •• ••• Table 6 CURRENT CONFIGURATION TABLE when processor 1 is broken PROCESSOR ID OBJECT ID 2 1, 3,4,5,6, 7 3 8, 9,10,11 12 4 2, 13, 14,15,16, 17, 18 Table 7 PARTICIPATION CONFIGURATION for proc essor 1 PROCESSOR ID OBJECT ID 2 1,3, 3 - 4 2 •• • • • • • ••• • • • •: ••• •• • • •• •• • •••• • • • • •• •• • •• •• •• • 27 • ••: •• •• 7 • ••• • • • •• •••••••• •• •• • •• •: •• • ••• ••• Table 8 New DISASTER PLAN FOR PROCESSOR 2 (KP-P2 ') OBJECT ID PROCESSOR ID 1 3 3 3 4 3 4 6 4 7 4 Table 9 • • • •• • •• • • • • • • •• • • • • ••• • • ••• ••• • • • • New DISASTER PLAN for processor 3 (KP-P3 ') - OBJECT ID PROCESSOR ID 8 2 9 2 4 11 4 12 4 • • • •• ••• • ••• • • •• ••• • •••• •• • • • • • ••••• 28 4001 • • • • • • • • • . • • •• • • •• •• 0 • • • Table New DISASTER PLAN for processor 4 (KP-4 ') OBJECT ID PROCESSOR ID 2 2 13 2 14 2 2 16 3 17 3 18 3 Table 11 New CURRENT. CONFIGURATION TABLE when processor 2 is broken PROCESSOR ID OBJECT ID 3 1, 3, 4, 8,9,10, 11, 12 4 2, 5, 6, 7, 13,14,15, 16, 17, 18 •• • WE%•••: •••• •••• •••• •••• • • • •• ••• • ••• • • •• •••• •••• •• • • • • •••••:: 7 .. ••••• •: •• •••

Claims (21)

CLAIMS 1. Software model for a distributed processor system in a software-driven telecommunication system, which includes Svalve hardware, including first processors, other organ controlling processors and means controlled by the other processors as software may be characterized by a software-produced model of the system's hardware cooperating with a software developed model of the system's software. Software model according to claim 1, characterized in that the software of the software model is divided into software modules, called software objects, that the software modules are provided with properties that make them movable between processors in the processor system, that the software modules are assigned individual identities, that processors are assigned individual identities. that the habit processor has its own identity, and that the software modules are installed on different of the said first and second processors for producing an initial configuration. Software model according to claim 2, characterized in that the habitual software module is provided with at least two functions, one of which creates the software object and the other kills the software object. 29 1. • • 2. •• 3. • • 4. • 5. • • 6. •• 7. • •• • 8. • • 9. • 10. • ..... 11. • 4. A software model according to claim 3, characterized in that software modules that are independent of hardware comprise a resource object. Software model according to claim 1, characterized by 1.. 2. • •. •. • that the initial configuration is created by mapping software • • •• • ••• 6. • • 7. • • ject, which executes on an individual processor, is mapped to the named •• • •• ••• •••: • • •• ••• 00. •••• 8. •: •• •• •• • 9. • 10. •. • •••• ■■ • 11 • individual processor and that said mapping is repeated for each of the processors in the processor system. Software model according to claim 4, characterized in that the redistribution step comprises the creation and start of the software objects redistributed in accordance with the disaster plan for the failed processor. Software model according to claim 6, characterized in that first software objects controlling hardware equipment, which the failed processor controls, are first redistributed, and then software objects which do not control hardware equipment are redistributed. Software model according to claim 7, characterized by blocking of software objects which exhibit a hardware dependency and which execute on a failed processor against access from software objects which execute on other operable processors in the processor system. Software model according to claim 8, characterized in that a processor having a hardware dependency is represented by a software object. 1. • • 2. • • 3. • • 4. • • • •• ••• • ••• • • •• -Go ,. • ••••• •• •• •• •••••:: ••••••: • • • ••• •• •• •••• •• SUMMARY A procedure for automatic recovery from multiple permanent processor failures in a distributed processor system, in particular software-driven telecommunications systems. The method involved generating an initial configuration describing each processor and software object executing thereon, and, for each processor, establishing a contingency plan to be followed in the event of the processor failing. An emergency plan contains information indicating how the software objects executing on the failed processor should be redistributed on functional processors in the system. If a processor fails, its software objects are moved to operational processors in accordance with the disaster plan for the failed processor. A hardware and software model of the processor system and its software is described. A software object that carried a hardware dependency is handled by the model. 31 5. • 6. • • 7. • • 8. • • • • • 9. • 10. • • 11. •• 12. • •• • 13. • • 14. • 15. • •• • 16. • • 17. • • 18. •• 19. • 20. • •••: •• :: •••% it. ••: ••• .:: ••:. ::. ••• :: ••: •••••• 21. • ••• • • :::: • ••:. • ::: 7 .. ': •••• ••••••