JP2953639B2 - Backup device and method thereof - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a backup apparatus and a backup method suitable for use in a system in which a plurality of active units and their common standby unit are connected via a network.
In particular, the present invention relates to an apparatus and a method capable of achieving high performance and high reliability.

[0002]

2. Description of the Related Art In recent years, computer systems have become large-scale and wide-area, and have shifted to distributed systems using networks. In addition, the processing form is mainly online transaction processing, and most services are 24 hours 3 hours.
He is heading for 65 consecutive days. Therefore, there is a demand for higher performance and higher reliability of a system using such a network.

In order to achieve higher performance and higher reliability, a computer system uses a FEP (Front End Processor) to execute communication processing with a host performing general business processing.
And a high-speed LAN (local area network). By realizing FEP by the hot standby method, high performance and
High reliability has been achieved. The hot standby method is a method in which a backup FEP is always in a standby state, and when a failure occurs in any one of the FEPs, the processing is continued in the backup FEP.

Similarly, there is a system that employs a backup system in which some main systems and a standby system for backup are connected by a high-speed LAN, and when a failure occurs in the main system, processing is continued in the standby system. .

[0005] For example, according to the catalog of the HP9000 series (trade name) of HP, this series supports the n-to-1 backup method as a Switch / Over function. This means that n main systems (active units) and one standby system (stand-by unit) are connected via LAN.
When a failure occurs in the active device, the spare device takes over the control of the disk of the active device from that point on. The spare machine usually executes a process (for example, a batch process) that is not related to the processing of the active machine. When a failure occurs in the active unit, the process of the standby unit is aborted (shut down), and the standby unit is rebooted. And
The spare unit takes over the control of the disk of the active unit.

On the other hand, “Nikkei Electronics 199
No. 2.5.18 No. 554 ”contains the IBM HA
/ 6000 and HANFS / 6000 (trade name) are disclosed. These are almost the same as the above-mentioned Switch / Over function of HP, and the standby unit runs a relatively low-priority application. If a failure occurs in the active unit, the standby unit is rebooted at once. I have.

[0007] Further, there is an FEP in which a fault tolerant computer (FTC) is introduced. For example, as described in “Fault-Tolerant System by Maruzen and Gray”, Tandem uses a dual configuration of the shared disk device itself in the fault-tolerant system.

[0008]

In the above-mentioned conventional system, the shared disk device is duplicated, and the n active devices and one spare device share the shared disk device.
Therefore, access to the shared disk device competes with another active device, and the frequency of accessing the shared disk device increases. As a result, there is a problem that the time for reading from and writing to the shared disk device is lengthened, and the performance is reduced.

Further, in the above conventional example, usually, the standby unit executes a process irrelevant to the processing of the active unit. The active device has not acquired control data in the middle of execution necessary for restarting from the point of occurrence of a failure as much as possible. Therefore, when a failure occurs in the active device, the standby device has to abort the process and reboot once.

Further, since the process of the active machine in which the failure has occurred is aborted and the processing is restarted from the beginning, there has been a problem that the stop time of the system is prolonged to about 15 minutes.

SUMMARY OF THE INVENTION An object of the present invention is to solve such a conventional problem and reduce contention for access to a disk drive.
It is an object of the present invention to provide an n: 1 backup apparatus and method for improving performance.

It is a further object of the present invention to provide an n: 1 backup apparatus and a method thereof that can take over a process that is being executed even if a failure occurs in an active device.

[0013]

SUMMARY OF THE INVENTION In a system composed of n active machines and a spare machine which is a common spare thereof, a disk device shared by all the active machines and the spare machine is provided. This shared disk device is divided into n + 1 areas for each of the active unit and the spare unit. The active device reads from the internal disk device and writes to the internal disk device and the shared disk device.

The active device stores a received message, a processor register, line information, and a process execution state as checkpoint data when a write I / O is issued. Thereafter, when a failure occurs in the active unit, the standby unit detects the failure of the active unit and takes over the processing of the active unit from the check point.

[0015]

According to the present invention, a system may be used in which n active devices and one common standby device are connected by a high-speed LAN. The shared disk device shared by the active device and the spare device has a duplex configuration with a disk device built in the active device and the spare device.
Therefore, the active device can read from the internal disk device and write to the internal disk device and the shared disk device. As a result, unlike the related art, the contention of the shared disk does not cause much contention, and the performance can be improved.

When a failure occurs in the active unit, the standby unit detects the failure of the active unit due to a missing alive message. The spare unit resets the failed active unit. The spare device can read from the shared disk device and take over the processing.

By this means, the spare unit can check the checkpoint data stored in the shared disk device (information on the message being executed, information on the message waiting for I / O, the I / O processing is completed and the ready state is established). By referring to the information of the electronic message of the current
A message waiting for / O and a message in a ready state can be restarted.

Further, even if a failure occurs in the active device, the spare device refers to the checkpoint data stored in the shared disk device, so that the standby device can execute a message or I / O waiting from the latest checkpoint. , And all of the ready messages. As a result, even if a failure occurs in the active unit, the standby unit
It becomes possible to read the processor register, the line information and the execution state of the process, and restart the takeover process of all messages.

In addition, access to the shared disk device is performed only by writing, access competition is reduced, and performance can be improved.

[0020]

Embodiments of the present invention will be described below with reference to the drawings. First, a system configuration and a hardware configuration of the present embodiment will be mainly described with reference to FIGS.

FIG. 1 is a system configuration diagram of a high-performance and high-reliability system according to an embodiment of the present invention. The system according to the present embodiment includes seven working machines (11 to 17), one spare machine (10) that is a common spare thereof, and a working machine (11).
17) and a high-speed LAN connecting the standby unit (10)
(1) is provided. Further, a communication processing server (2) is provided and connected to the high-speed LAN (1).

The communication processing server (2) is provided with the active devices (11 to 11).
17) Or spare machine (10) and 21 terminals (7-0)
To 7-20) for transmission and reception of messages.

The communication processing server (2) includes an active communication processing server (2-0), a standby communication processing server (2-1), and a communication processing server disk device (2-
2) and a timer (2-3). Timer (2
-3) indicates a time stamp (numbering 7 in FIG. 30 described later) in the received message.
Used to give 3). Communication processing server (2)
Of the working machines (11 to 17)
Time stamp (73) of the message being executed on the terminal (7)
-0 to 7-20) and the conversion table (2-4) between the active devices (11 to 17) are stored. The conversion table (2-4) will be described later in detail with reference to FIG.

The line switching device (3) is used for switching between the active communication processing server (2-0) or the standby communication processing server (2-1) and a large number of terminals (7).

The disk subsystem (4) is connected to the active units (11 to 17) and the standby unit (10) so that the shared disk unit (5) can access them.
The shared disk device (5) is a disk device shared by the active devices (11 to 17) and the standby device (10).

FIG. 2 is a configuration diagram of the working machines (11 to 17) and the spare machine (10) of FIG. In the following, the working machine (1
This will be described using 1) as an example.

The working machine (11) has a processor (11-
1), memory (11-2), input / output processing device (hereinafter, I
OP) (11-3), the disk controller (11-
4), a LAN adapter (11-5), and a built-in disk device (11-6).

The other working machines (12 to 17) or the spare machine (10) have the same configuration as the working machine (11). The working machine (12 to 17) or the spare machine (10) is, like the working machine (11), a processor (12-1 to 17-1,.
10-1), memory (12-2 to 17-2, 10-)
2), IOP (12-3 to 17-3, 10-3), disk controller (12-4 to 17-4, 10-4), LA
N adapters (12-5 to 17-5, 10-5) and built-in disk devices (12-6 to 17-6, 10-6).

FIG. 3 is a diagram showing the assignment of the shared disk device (5) in FIG. In the system of this embodiment, since the number of active devices is seven and the number of spare devices is one, the shared disk device (5) is divided into eight.

The area (5-1) of the first shared disk unit (5) is used for the active unit (11) and stores the same contents as the internal disk unit (11-6) of the active unit (11). , A dual configuration. The area (5-2) of the next shared disk device is duplicated with the built-in disk device (12-6) of the active device (12). In the following order, the area (5-x) of the shared disk device has a duplex configuration by storing the same contents as the internal disk device (1x-6) of the active device (1x). The area (5-0) of the last shared disk device is made redundant with the built-in disk device (10-6) of the spare device (10).

FIG. 4 is a diagram showing a flow of data reading / writing in the system according to the embodiment, and is a diagram showing characteristics of the embodiment. In the figure, an active device (11) and an active device (17) are illustrated, and a disk subsystem (4) is further illustrated.
And a shared disk device (5). The arrow is
The flow when reading data and the flow when writing data are shown.

As shown in FIG. 3, in this embodiment,
The disk device is duplicated by a shared disk device (5) and a built-in disk device (11-6 to 17-6) of the active device (11 to 17) or the standby device (10). Then, as shown in FIG. 4, the read processing from the disk device is performed at a high access speed and the other active device (1
1 to 17) and the built-in disk device (11-6 to 17-6) which does not compete with the spare device (10). The writing process is performed on the internal disk device (11-
6 to 17-6) and the shared disk device (5). In this way, the performance of the system can be improved.

Further, in this embodiment, the disk device (5,
11-6 to 17-6), checkpoint data (FIG. 18) is stored so as not to interrupt the message processing (numbering 730 in FIG. 25). The details of the checkpoint data will be described later in detail.
These are the data necessary for taking over the received telegram, processor register, line information, telegram status, process execution status, and data to be written to the disk device. In addition, the check point is determined by the disk device (5, 11-6).
To 17-6).

FIG. 5 is a block diagram of the disk control device in the working machine or the spare machine in FIG. Working machine (11-1
7) and each disk controller (10) of the spare machine (10).
-4 to 17-7) have the same configuration, so the disk controller (17-4) of the active unit 7 (17) is used here.
Will be described as an example.

The disk controller (17-4) includes a processor (17-4-1), a memory (17-4-2), a buffer (17-4-3), and a disk controller (17-4-1).
4-4).

The disk controller (17-4) owns read data and write data for the internal disk device (17-6) and the shared disk device (5). Normally, data is read from the internal disk device (17-6).
Do from. The read data is stored in a buffer (17-4).
-3) is stored in the reception queue (17-4-5). In addition, data is written in the internal disk device (17
-6) and the shared disk device (5). The data to be written is stored in the transmission queue (17-4-6) in the buffer (17-4-3).

FIG. 6 is a configuration diagram of the LAN adapter in the working machine or the spare machine in FIG. Working machine (11-17)
And each LAN adapter (10-5 to
17-5) have the same configuration, and therefore, the LAN adapter (17-4) of the active device 7 (17) will be described here as an example.

The LAN adapter (17-5) includes a processor (17-5-1), a memory (17-5-2), a buffer (17-5-3), and a LAN controller (17-5-5).
4).

In the buffer (17-5-3) of the LAN adapter (17-5), a message receiving queue (17-
5-5) and a transmission queue (17-5-6). As a result, the message received from the other working machine (12 to 17) or the standby machine (10) and the other working machine (12 to 1) are received.
7) Or own a message to be transmitted to the standby unit (10). The message received from the terminal (7) is stored in the message reception queue (17-5-5), and the message to be transmitted to the terminal (7) is stored in the transmission queue (17-5-6). Is stored.

FIG. 7 is a configuration diagram of the communication processing server (2) of FIG. The communication processing server (2) includes an active communication processing server (2-0), a standby communication processing server (2-1), and a disk device (2) of the communication processing server shared by these.
-2) and a timer (2-3).

The active communication processing server (2-0) includes a processor (2-0-1), a memory (2-0-2), a buffer (2-0-3), and a line controller (2-0-4). ) And a disk controller (2-0-7). The standby communication processing server (2-1) is the active communication processing server (2-0).
It has the same configuration as.

In the buffer (2-0-3) of the active communication processing server (2-0), a message receiving queue (2-0-
5) and a transmission queue (2-0-6), and owns the message received from the terminal (7) and the message to be transmitted to the terminal (7). That is, the message receiving queue (2-0-
5) stores the message received from the terminal (7), and the transmission queue (2-0-6) stores the message to be transmitted to the terminal (7). The same applies to the standby communication processing server (2-1).

FIG. 8 is a diagram showing a conversion table of the communication processing server (2) and the terminal (7). This conversion table is stored in the disk device (2-2) of the communication processing server in FIG.
Is stored in The conversion table is a table showing which terminal is connected to which active device when the communication processing server (2) connects the terminal (7) to the active device, and the correspondence between them. For example, the active device (11) is connected to the terminal (7-0,
7-7, 7-14). Hereinafter, other working machines (1
2 to 17) are also connected to the terminal (7) as shown in the conversion table.

FIG. 9 is a block diagram of the line switching device (3) shown in FIGS. 1 and 7. The line switching device (3) is provided with a line switching circuit as shown. Standby communication processing server (2
When -1) detects a failure of the active communication processing server (2-0), the standby communication processing server (2-1) switches the line switching device (3) by using the contention prevention circuit (3-0). .

FIG. 10 is a block diagram of the disk subsystem (4) shown in FIGS. 1, 4 and 5. The disk subsystem (4) includes a processor (4-1) and a memory (4-
2), IOP (4-3), shared disk device controller (4
-4), and a built-in disk device control unit (4-5-0)
4-5-7).

The shared disk control unit (4-4) controls writing and reading to and from the shared disk device (5) and owns each data. Internal disk device controller (4
−5-0 to 4-5-7) are the working machines (11 to 11), respectively.
17) or connect with the spare machine (10) to receive write data to each built-in disk device (10-6 to 17-6) or transmit read data.

The hardware configuration of the system according to the present embodiment has been described above with reference to FIGS.

Next, with reference to FIG. 11, a description will be given of the state transition between the active unit and the standby unit. FIG. 11 is a state transition diagram of the working machine and the spare machine having the above-described configuration.

In this embodiment, the built-in disk units (10-6) are provided in all the active units and the spare units (10-17), respectively.
~ 17-6), and all working machines and spare machines (1
0 to 17) are provided with a shared disk device (5). For this reason, failures are divided into system failures and disk failures. The disk failure (failure of the disk device) is determined by the failure of the shared disk device (5) and the internal
6 to 17-6).

The system failure is a failure that affects the working machine (11 to 17) or the spare machine (10). When a system failure occurs in any of the active devices (11 to 17), switching to the standby device (10) is essential.
Hereinafter, a system failure is simply referred to as a failure. In the case of a disk failure in the internal disk device (10-6 to 17-6), the processing can be continued by interrupting access to the internal disk device (1x-7).

As a result, the working machine and the spare machine (10-17)
Is provided with the following five states (100 to 104).

The working state (150) is a state in which processing is being executed normally as a working machine. Semi-active state (151)
Indicates that the built-in disk device (11-6 to 17-6) or the shared disk device (5) has a fault, but one of the disk devices is being accessed and the process is being executed. The standby state (152) is a state where the processing can be immediately taken over even if a failure occurs in the active devices (11 to 17). The offline state (153) is a state where the system is disconnected from the system due to occurrence of a failure or maintenance. The restoration state (154) is
It is in a state of recovery from a failure or a state of startup.

Next, the working machine (11-17) and the spare machine (1
The state transition of 0) will be described.

If a failure occurs in the internal disk units (11-6 to 17-6) in the active state (150), access to the internal disk units (11-6 to 17-6) is interrupted and the semi-active state is established. Transit to (151) (state transition 1
55). Shared disk device (5) in active state (150)
, The access to the shared disk device (5) is interrupted, and the state transits to the semi-active state (151) (state transition 155). When a failure occurs in the active state (150), the state transitions to the offline state (153) (state transition 157), and the standby unit (10) transitions from the standby state (152) to the active state (150) (state transition 15).
8).

When a failure occurs in the semi-active state (150), the state transits to the offline state (153) (state transition 1).
60), the standby unit (10) transits from the standby state (152) to the working state (150) (state transition 158). In the semi-active state (151), the internal disk device (11-6 to 17)
−6) or when the shared disk device (5) recovers,
The state transits to the working state (150) (state transition 156).

When a failure occurs in the standby state (152),
Transition to the offline state (153) (state transition 15
9). When a failure occurs in the restoration state (154), the state transits to the offline state (153) (state transition 163).
When the restoration is completed from the offline state (153), the state transits to the restoration state (154) (state transition 164). When an alive message is received, the repair status (1
54) to the standby state (152) (state transition)
162).

The alive message is a message sent from the active unit (11 to 17) to the standby unit (10) to indicate that the own unit is in the active state (150). is there. The standby unit (10) constantly checks the alive message from each active unit, and when this is not sent, can know that a failure has occurred in the active unit. Conversely, the standby unit (10) is used to indicate that the own unit is in operation.
Alive message is sent to each of the active devices (1
1 to 17) can check this to detect a failure of the standby unit (10).

Next, the mode and mode transition of the disk device will be described with reference to FIG. FIG. 12 is a diagram showing modes and mode transitions of the internal disk devices (11-6 to 17-6) and the shared disk device (5).

Built-in disk device (11-6 to 17-6)
And the shared disk device (5) include five modes (170 to 174) of a dual mode (170), a single mode (171), a quasi-dual mode (172), a restoration mode (173), and a down mode (174). )
Is provided.

The dual mode (170) indicates a state in which the internal disk devices (11-6 to 17-6) and the shared disk device (5) are normal. In this mode, data is read from the internal disk devices (11-6 to 17-6) and written to the internal disk devices (11-6 to 17-6) and the shared disk device (5). Single mode (171)
This indicates a state in which a failure has occurred in the internal disk device (11-6 to 17-6) or the shared disk device (5), and only one disk device (5 or 11-6 to 17-6) executes processing.

In the quasi-dual mode (172), the internal disk units (11-6 to 17-6) recover from the internal disk unit failure, and the recovered internal disk units (11-6 to 11-6) recover.
17-6) shows a state in which the contents of the shared disk device (5) are being copied. Alternatively, the shared disk device (5)
Has recovered from the shared disk device failure, and the built-in disk device (11-6 to 17-
This shows a state in which the contents of 6) are being copied. The data is read from the normal disk device, and the internal disk device (11-6 to 1-6) is read.
7-6) or write to the shared disk device (5).

The recovery mode (173) is a state in which both the internal disk devices (11-6 to 17-6) and the shared disk device (5) have been recovered from an initial state or a failure. The down mode (174) indicates that both the internal disk devices (11-6 to 17-6) and the shared disk device (5) are in a failure state due to a failure or maintenance.

Next, referring to FIGS. 13 to 19, the registers and data areas used in the active units (11 to 17) and the standby unit (10) will be described.

As the registers, the status register (250) of the working machine or the spare machine in FIG. 13, the interrupt register (251) in FIG. 14, the alive register (252) of the working machine in FIG. 15, and the alive register of the spare machine in FIG. Register (25
3), the checkpoint data register (25
4), and a copying-in-progress register (255) are required. Also, the checkpoint data area (270 to 277) in FIG. 19 is required as a data area.

Of these registers, the status register (250), the interrupt register (251), the alive register of the active unit (252), the alive register of the standby unit (253), and the checkpoint data register (254) are the active registers. Machine (11-17) and spare machine (10)
Provided every time. Specifically, each memory (10-2
To 17-2).

The copy-in-progress register (255) and the checkpoint data (270 to 277) are stored in the active device (11 to 1).
7) and a spare machine (10), and a disk drive (5, 1
0-6 to 17-6).

FIG. 13 is a diagram showing the status register of the working machine or the spare machine. The working machine (11-17) or the spare machine (10) has a status register (250-0).
２５０250-7). Status register (250)
Indicates the state of the working machine or the spare machine (FIG. 11).

Bit 5 of the status register (250) is the active status (150), bit 4 is the semi-active status (shared disk device failure) (151), and bit 3 is the semi-active status (internal disk device failure). (152), bit 2 is in standby state (152), bit 1
Indicates whether the device is in the repair state (154), and bit 0 indicates whether the device is in the offline state (153). Bits 7-6 are not used.

FIG. 14 is a diagram showing an interrupt register of a working machine or a spare machine. The working machine (11 to 17) or the spare machine (10) has the interrupt register (251
-0 to 251-7). Interrupt register (25
1) is the working machine (11 to 17) or the spare machine (1
0) indicates whether an interrupt has occurred and a type of the interrupt.

Bit 6 of the interrupt register (251) is
Indicates the presence or absence of a level 6 emergency failure interrupt. Bit 4 is
Indicates whether there is a level 4 failure interrupt. Bit 2 indicates a level 2 timer interrupt. The priority is highest in level 7 and lower in order. Here, the level 7, the level 5, the level 3, and the level 1 are not used.

Similarly, in the processor (4-1) of the disk subsystem (4), the interrupt register (2)
51-9) is used.

FIG. 15 is a diagram showing the alive register of the active device. The alive registers (252-1 to 252-7) of the active units (11 to 17) are used to monitor whether the standby unit (10) is operating normally from each active unit. Alive registers (252-1 to 252-7)
Only bit 0 is used. If this value is "1", it means that the alive message has been transmitted, and if this value is "0", it means that the alive message has not been transmitted.

The alive register (252-1 to 252-1) of the active device
Monitoring of the operation of the standby unit (10) according to 252-7) is performed as follows. That is, the spare machine (10)
An alive message is periodically transmitted to the active devices (11 to 17). Specifically, the alive message in this case means that the standby unit (10) periodically sets the bit 0 of each of the alive registers (252-1 to 252-7) of the active units (11 to 17) (in this embodiment, (Every 1 second). Each of the active devices (11 to 17) refers to its own alive register (252-1 to 252-7) at a predetermined cycle (every two seconds in this embodiment). If bit 0 of the alive registers (252-1 to 252-7) is "1", the alive message from the standby unit (10) continuously arrives, and the standby unit (10) operates normally. You can see that there is.

FIG. 16 is a diagram showing an alive register of the spare machine. Alive register (25
3) is used to monitor whether the active devices (11 to 17) from the standby device (10) are operating normally. The alive register (253) of the spare machine stores each of the active machines (11 to 1).
7) are provided corresponding to 7), and only bit 0 is used for each. If the value of this bit 0 is "1", it means that the alive message has been transmitted, and if it is "0", it means that the alive message has not been transmitted.

The operation of each active unit (11 to 17) is monitored by the alive register (253) of the standby unit as follows. That is, each working machine (11-17)
An alive message is periodically transmitted to the backup device (10). The alive message in this case is, specifically,
This means that each working machine (11-17) sets the corresponding bit 0 of the alive register (253) of the spare machine (10) to "1" periodically (every second in this example). The standby unit (10) refers to its own alive register (253) at a predetermined cycle (every 2 seconds in this example). If the corresponding bit 0 of the alive register (253) is "1", since the alive messages from the active devices (11 to 17) continuously arrive, the active devices (11 to 17) operate normally. You can see that it is doing.

FIG. 17 shows the checkpoint data register. Each of the working machines (11 to 17) and the spare machine (10) has a checkpoint data register (254-0 to 254-7).

FIG. 18 shows a checkpoint data area. Each of the working machines (11 to 17) and the spare machine (10) has a checkpoint data area (270-0 to 270-7). The checkpoint data area is divided into eight areas. In order from the top, a checkpoint data area (270), a checkpoint data area (271),..., A checkpoint data area (277) are set.

The checkpoint data refers to the current machine (1
1 to 17) or various data to be stored in the checkpoint data area at the time of writing (checkpoint) from the spare machine (10) to the disk device (5, 11-6 to 17-6). For example, the information includes a received message, a processor register, line information, a state of the message, data necessary for a process of taking over a process execution state, and data to be written to a disk device. These checkpoint data are stored in the checkpoint data area every time a checkpoint is reached.For example, when a failure occurs in a certain active device and the spare device takes over the processing,
Using the checkpoint data stored as described above, the processing can be restarted from the checkpoint.

The checkpoint data registers (254-0 to 254-7) in FIG. 17 are registers indicating whether or not the previously stored checkpoint data has been updated. For each checkpoint data area (270 to 277) shown in FIG. 18, if "1", the checkpoint data for that area has been updated; if "0", the checkpoint data for that area has not been updated. Means

If all checkpoint data is stored every time a checkpoint is reached, the processing load increases. Therefore, the checkpoint data area is divided into eight areas, and only the necessary data area is updated. ing.

FIG. 19 is a diagram showing a register during copying. The copying register (255) indicates whether copying is being performed between the shared disk and the built-in disk. Bit 0 of the copying-in-progress register (255) indicates whether or not the disk unit (10-6) of the standby unit (10) is copying. Bit 1 is the disk unit (11) of the active unit (11).
-6) indicates whether copying is in progress. The same applies to the following, where bit 7 is the disk unit (17-
6) indicates whether copying is in progress. Each bit is “1” to indicate that copying is in progress, and “0” to indicate that copying is not in progress.

Next, referring to FIGS. 20 and 21, registers used in the disk subsystem (4) will be described. The registers used in the disk subsystem (4) include a disk status register (24
0), and a write data register (241).
These registers (240, 241) are stored in the memory (4-2) of the disk subsystem (4).

FIG. 20 is a diagram showing the disk status register (240). Bit 0 of the disk status register (240) indicates whether the internal disk device (10-6) of the spare unit (10) has a failure or is normal. Bit 1
Indicates whether the internal disk unit (11-6) of the active unit (11) is faulty or normal. The same applies to the following, and bit 7 indicates whether the internal disk device (11-7) of the active device (17) is faulty or normal. All bits are normal for "0", "1"
Indicates failure.

FIG. 21 shows a write data register (24
It is a figure which shows 1). Write data register (241)
Bit 0 indicates whether or not there is write data in the spare unit (10). Bit 1 indicates whether there is write data in the active device (11). The same applies to bit 7
Indicates whether there is write data in the active device (17). Each bit is “0” to indicate no write data,
"1" indicates that there is write data. The write data register (241) is used only for the periodic interrupt method shown in FIG. 33 described later, and is not used for the event interrupt method shown in FIG.

Next, with reference to FIGS. 22 to 24, the circuit configuration of the working machines (12 to 17) and the spare machine (10) will be described in further detail.

FIG. 22 shows the processor (11-1), the memory (11-2) and the IOP (1) of the active device (11).
It is a detailed circuit diagram of 1-3). The description mainly focuses on the working machine (11). Working machine (12-17) and spare machine (10)
Has the same configuration as the working machine (11).

The processor (11-1) uses, for example, a 68000 microprocessor manufactured by Motorola. The internal registers of the microprocessor (11-1) are data registers DR0 to DR7 (500-1 to 50).
7-1), address registers AR0 to AR6 (510-
1 to 516-1), the stack pointer AR7 (520-
1), a status register SR (521-1), and a program counter PC (522-1).

The signal lines of the microprocessor (11-1) include data lines D0 to D7 (540-1) and address lines A
1 to A23 (541-1) and an interrupt line (IPL0
2) (543-1 to 545-1). W / R
For the line (546-1), "H" indicates a read cycle, and "L" indicates a write cycle.

The IOP (11-3) is a processor (57)
0-1), buffer (571-1), ROM (572-
1) and a RAM (573-1). The buffer (571-1) stores a message transmitted from the processor (11-1) to the terminal (7) and data to be written to the internal disk device (11-6) or the shared disk device (5). .

In addition, a timer (530-1), an address decoder (531-1), and an interrupt encoder (5
32-1) is provided.

FIG. 23 is a diagram showing a timer interrupt control circuit of the active unit (11). The timer (530-1) is provided with a clock (550-1). Clock (55
0-1) increments the counter by (+1) every 10 ms. For example, when an interrupt occurs after a lapse of one second, an interrupt is generated in the processor (11-1) when the counter value reaches 100.

Thus, the processor (11-1)
Can generate a timer interrupt.

In FIGS. 22 and 23, the working machine (11)
Of (5 **-1) of (5 **-1)
-2) and (5 **-7) of the working machine (17) in the following order:
And (5 **-0) of the spare machine (10).

FIG. 24 is a diagram showing a memory map of the working machine or the spare machine. The memory maps (581-1 to 581-7) of the working machines (11 to 17) and the memory map (581-0) of the spare machine (10) are the same, and are as follows. (0) 16-(0FFFFFF) 16 ..... monitoring area (20
0) (100000) 16 to β ... OS area (201) β to γ ... User program area (20
2) γ to (FFFFFF) 16..., Reserved area (203) Note that (****) 16 indicates hexadecimal notation.

Next, with reference to FIGS. 25 to 27, the software configuration of the active units (11 to 17), the spare unit (10) and the disk subsystem (4) will be described.

FIG. 25 is a diagram showing a software configuration of the active device.

The active devices (11 to 17) are provided with an interrupt (70
0) is received and the interrupt type is analyzed (701). The fault interrupt (703) is executed at interrupt level 4, the timer interrupt (702) is executed at interrupt level 2, and the message processing (730) is executed at level 0.

In the failure interrupt (703), the processing for disconnecting the spare unit (711), the processing for connecting the spare unit (712), the failure processing for the shared disk unit (713), the restoration processing for the shared disk unit (714), the built-in disk Device failure processing (715) and internal disk device repair processing (71)
Execute 6).

When a failure occurs in the spare unit (10), the active units (11 to 17) disconnect the spare unit (711).
Is executed, and the standby unit (10) is placed in the offline state (153).
And Then, the processing is continued only by the active devices (11 to 17).

When the standby unit (10) recovers from the failure, the active units (11 to 17) execute the standby unit connection process (712) and place the standby unit (10) in the standby state (152).
Then, the operation returns to the backup operation using the active system (11 to 17) and the standby unit (10).

When the failure of the shared disk device (5) is detected, the active devices (11 to 17) execute the shared disk device failure processing (713). As a result, the failure of the shared disk device (5) is detected by the other active devices (11 to 17).
To the standby machine (10). And the current machine (11
17) closes the shared disk device (5) and continues processing using only the built-in disk devices (11-6 to 17-6).

Upon receiving the restoration of the shared disk device (5), the active devices (11 to 17) execute the restoration process (714) of the shared disk device. As a result, the current machine (11
To 17) are built-in disk devices (11-6 to 17-6)
From the disk device to the shared disk device (5).

Upon detecting a failure in the internal disk device (11-6 to 17-6), the active devices (11 to 17) execute a failure process (715) for the internal disk device. As a result, the working machines (11 to 17) are connected to the internal disk device (11).
-6 to 17-6) are closed, and processing is continued using only the shared disk device (5).

Upon receiving the restoration of the internal disk units (11-6 to 17-6), the active units (11 to 17) execute the internal disk unit restoration processing (716). As a result, the active devices (11 to 17) are connected to the shared disk device (5).
Then, the contents of the disk device are copied to the internal disk devices (11-6 to 17-6).

In the timer interrupt (702), the standby unit (1
The transmission process (721) of the alive message for the failure detection of 0) and the reception confirmation process of the alive message (722) for the alive message are executed.

The transmission process (721) of the alive message of the standby unit is a process of periodically transferring the alive message to the standby unit (10). The process of confirming the reception of the alive message of the standby unit (722) is performed by the active unit (11-1).
7) is a process for checking whether or not an alive message has been received within a predetermined time after receiving the last alive message from the standby unit (10).

When the processing of the interrupt level 4 (710) and the processing of the interrupt level 2 (720) are completed,
The active devices (11 to 17) execute the message processing (730).

In the message processing (730), the writing process to the disk device (5, 11-6 to 17-6) is set as a check point, and the check point data (80) is transferred to the disk device (5, 11- 6-17-
6).

FIG. 26 is a diagram showing a software configuration of the standby unit (10). The spare machine (10) is an active machine (1
An interrupt (750) is received in the same manner as in 1) to 17). By the interrupt type analysis processing (751), the timer interrupt (7
52) or failure interrupt (753).

In the failure interrupt (753), the active device (11
When a failure occurs in steps (.about.17) and a failure interrupt (753) is received, the standby unit (10) checkspoint data (FIG. 1).
With reference to 8), a takeover process (761) from the active device in which the failure has occurred is executed.

In the timer interrupt (752), an alive message transmission process (771) and an alive message reception confirmation process (772) are executed. The alive message transmission process (771) is a process for periodically transferring the alive message from the active device (11) to the active device (17). Alive message reception confirmation processing (7
72) is a process for checking whether or not the standby unit (10) receives the last alive message from the active units (11 to 17) and receives the alive message within a predetermined time.

FIG. 27 is a diagram showing a software configuration of the disk subsystem.

The disk subsystem (4) receives the interrupt (800) and analyzes the interrupt type (80).
1). Emergency interrupt (804) is at interrupt level 6,
The fault interrupt (803) is executed at interrupt level 4 and the timer interrupt (802) is executed at interrupt level 2 respectively.

In the emergency failure interrupt (804), a read process (811) from the internal disk device of the active device in which a failure has occurred in the internal disk device (11-6 to 17-6) is executed. In the failure interrupt (803), the writing process (8) to the shared disk device (5) by the event interrupt method is performed.
21) is executed. In the timer interrupt (802), a write process (821) to the shared disk device (5) is executed by the periodic interrupt method.

The processing of the above interrupt level 6 (815),
When the processing of the interrupt level 4 (810) and the processing of the interrupt level 2 (820) are completed, if the spare unit (10) is in the semi-active state, the disk subsystem (4) A copy process to the device (831) is executed.

FIG. 28 is a diagram showing an outline of the message processing in the active devices (11 to 17). When the execution of the message processing (730) is started, a message is received from the terminal (7). This state is called a reception state (261). Then, necessary data is read from the disk devices (11-6 to 17-6, 5), and this state is called a read state (262). A predetermined process is executed for the received message, and the processing result is written to the disk device (11-6 to 17-6, 5). This state is called a write state (263). Lastly, a response is returned to the terminal (7), but a state in which ACK is not received from the terminal (7) is referred to as a transmission state (264), and a state in which ACK is received is referred to as a transmitted state (265).

FIG. 29 is a diagram showing a message management table (260). From FIG. 28, the states of the message are the reception state (261), the reading state (262), and the writing state (26).
3), transmitting state (264) and transmitted state (26)
It is divided into 5) and managed. This message management table (26
0) manages these five states.

FIG. 30 is a diagram showing a message format (70). The message is composed of a number (71) of the active devices (11 to 17), a message body (72), and a time stamp (73).

Hereinafter, three operation examples (operation examples 1 to 3) of the system of the present embodiment described with reference to FIGS. 1 to 30 will be described.

<Operation Example 1> First, the working machines (11 to 17)
In the following, a description will be given of a case where a failure occurs and a handover to the spare machine (10) is required, and a case where the failure is repaired.

FIG. 31 is a diagram showing a communication processing procedure of the active units (11 to 17), the standby unit (10), the communication processing server (2), and the terminal (7) when the active unit (11) fails. is there. Hereinafter, an outline of processing when a failure occurs in the active device (11) will be described.

The spare unit (10) periodically sends an alive message in order from the active unit (11) to the active unit (17) (process 900). Working machine (11) to working machine 7 (1
7) similarly sends an alive message to the standby unit (10) (process 901). By sending alive messages to each other in (Process 900) and (Process 901), the active devices (11 to 17) and the standby device (10) can detect a failure.

The terminal (7) sends the message (71) to the communication processing server (2) (process 902). In the communication processing server (2), the communication processing server (2-0) and the standby communication processing server (2-1) receive the message. The active communication processing server (2-0) attaches a time stamp (73) to the message, and attaches the time stamp (73) to the communication processing server disk device (2).
-2). Then, the active communication processing server (2-
0) refers to the conversion table (2-4) and transmits a message to the designated active device (in this case, the active device (11)) (process 903).

Then, it is assumed that a failure has occurred in the active device (11) (process 904). The current machine (1
The alive message from 1) to the standby device (10) is not transferred (process 905). Thereby, the standby unit (10) detects a failure of the active unit (11) (Process 9).
06). The spare machine (10) is connected to all other working machines (11
16) is notified of the occurrence of the failure (process 907).

The spare unit (10) checks the checkpoint data (8) stored in the shared disk device (5).
With reference to (0), the takeover process (761) of the active device (11) in which the failure has occurred is executed (process 908). The checkpoint data (80) is data necessary for taking over the received telegram, processor register, line information, telegram status, process execution status, and data to be written to the disk device.

In the received message, the body (72) and the time stamp (73) of the message are used as check point data. The state of the message is as shown in FIGS. 28 and 29. The line information and the execution state of the process are controlled by an OS (operating system).

Based on this information, the spare machine (10) can take over the process.

When this process (761) is completed, the standby unit (10) sends a request to the active communication processing server (2-0).
The transmission message is sent (process 909). And the terminal (7)
, The processing result is reported, and the time stamp of the completed message (73)
Is stored in the communication processing server disk device (2-2) (process 910). The standby communication processing server (2-1)
The time stamp (73) of the message for which processing has been completed is periodically deleted by referring to the disk device (2-2) for the communication processing server (processing 911).

When the active unit (11) recovers from the failure (904), the active unit (11) changes from the offline state (153) to the recovery state (1).
The process transitions to (54) (process 912), and the completion of restoration is notified to the standby unit (10) (process 913). Then, the standby unit (10) notifies the active unit (11) of the completion of the restoration (process 914). The working machine (11) is in the repair state (154).
To the standby state (152) (process 915).
As described above, the device that was the spare machine (10) becomes the working machine, and the repaired working machine (11) newly becomes the spare machine.

The detailed processing procedures of the active machine (11), the other active machines (12 to 17), and the spare machine (10) in which a fault occurs will be described below. The procedure will be described separately for the handover process of the device and the resynchronization process. Processing procedure during normal operation

FIG. 32 is a diagram showing a processing procedure during normal operation.

The terminal (7) is connected to the active communication processing server (2-
0) and transmits a message to the standby communication processing server (2-1) (process 920). The active communication processing server (2-0) and the standby communication processing server (2-1) add a time stamp (73) to the message.
Is given. Then, the active communication processing server (2-0)
Refers to the conversion table (2-4) between the terminal (7) and the active devices (11 to 17) to specify the active device (1
The message is transmitted to 1) (process 921).

The message processing (73) executed by the active device (11)
The procedure of 0) is shown below.

Upon receiving the message, the active unit (11) reads out necessary data from the internal disk unit (11-6) (process 923). Further, predetermined processing is performed on the received message, and writing processing to the disk device (11-6, 5) is performed. The data at this time is referred to as checkpoint data (80), and is stored in the internal disk device (11-
6) and write to the shared disk device (5). Writing to the shared disk device (5) is performed by transmitting write data to the sub-disk system (4) (process 926). When the message processing (730) is completed,
The working unit (11) reports the processing result to the terminal (7) (processing 927, 928).

Next, the processing procedure of the disk subsystem (4) will be described.

The processing procedure of the disk subsystem (4) includes a periodic interrupt method and an event interrupt method described below. When emphasizing the processing capacity of the subdisk system (4), it is preferable to employ a periodic interruption method with a small overhead, while it is preferable to adopt an interruption method in consideration of the response time. Hereinafter, the periodic interrupt method and the event interrupt method will be described separately.

(A) Periodic interruption method FIG. 33 is a diagram showing a processing procedure of the disk subsystem (4) during normal operation by the periodic interruption method.

When a write request occurs, an event interrupt (803) causes a write data register (241) to be generated.
Turn on the specified bit of. In the case of the working machine (11), it is set to (02) 16 (process 1000). Next, the write data (89) to the disk device and the checkpoint data are stored in the disk controller (4-4) of the disk subsystem (4) (process 1001). And A
The CK is returned to the active device (11) (process 1002).

The sub-disk system (4) periodically refers to the write data register (241), and the following processing (processing 1011) until this value becomes (00) 16 (processing 1010). 1012).
First, write data (89) and checkpoint data to the disk device are written from the disk controller (4-4) of the sub-disk system (4) to the shared disk device (5) (process 1011). Then, the designated bit of the write data register (241) is turned off (process 101).
2).

(B) Event Interruption Method FIG. 34 is a diagram showing a processing procedure of the disk subsystem (4) during normal operation by the event interruption method.

When a write request occurs, the write data and checkpoint data are stored in the disk control unit (4-4) of the subdisk system (4) (Process 1).
021), write data and checkpoint data are written from the buffer of the subdisk system (4) to the shared disk device (5) (process 1022). And AC
K is returned to the active device (11) (process 1023).

According to the above two methods, the working machine (11)
Checkpoint data (80) can be obtained. Further, double writing to the internal disk device (11-6) and the shared disk device (5) becomes possible.

Next, an outline of a system in which the standby unit (10) detects a failure of the active unit (11) will be described with reference to FIGS. 35 to 37. Similarly, it is possible to detect a failure of the active devices (12 to 17). In addition, the active machines (11 to 17) are used as spare machines (1 to 17).
The same applies to the method of detecting the fault of 0).

FIG. 35 is a diagram showing a failure detection method for the active devices (11 to 17) using an alive message. The active devices (11 to 17) transmit an alive message (90
1) is transferred to the standby unit (10). The spare machine (10)
If the next alive message (901) is not received within 2 seconds after receiving the last alive message (90
5) It is determined that a failure has occurred in the active device.

Hereinafter, a detailed processing procedure when a failure (904) occurs in the active unit (11) and the standby unit (10) detects the failure of the active unit (11) will be described.

FIG. 36 is a flowchart of the alive message transmission process of the active device (11). The active device (11) starts the alive message transmission process (822) every second by the timer interrupt (702). In this process, the active unit (11) changes the register corresponding to the active unit (11) among the alive registers (253) of the standby unit (10) from (00) 16 to (01) 16 (Process 1).
100).

FIG. 37 is a flow chart of the alive message reception confirmation processing of the standby unit (10). The standby unit (10) starts the alive message reception confirmation process (772) two seconds after the last alive message (901) is received from the active unit (11).

In this processing, the standby unit (10) stores the active unit (1) in its own alive register (253).
It is determined whether the register corresponding to 1) is (01) 16 (process 1110). If the alive register (253) is (01) 16, the active unit (11) is determined to be normal, and the alive register is set to (00) 16 (process 111).
1). On the other hand, the alive register (253) is set to (0
1) If it is not 16, it is determined that a failure has occurred in the active device (11) (process 1112). Other working machines (12-1
The same applies to the failure detection of 7). In addition, the current machine (11-1
The same applies to the detection of a failure in the standby unit according to 7).

Next, with reference to FIG. 38, a description will be given of a procedure for taking over the spare unit (10) when the active unit (11) fails.

The standby unit (10) detects the failure of the active unit (11) by the alive message (Step 120).
0), and notifies the active communication processing server (2-0) of the occurrence of the failure (process 1201). Next, the status of the active device (11) is changed from (20) 16 to (01) 16 in the status register (250-1), thereby bringing the active device (11) into the offline state (153) (process 1202). Then, the state register (250-0) of the standby unit (10) is changed from (04) 16 to (20) 16, thereby setting the standby unit (10) to the working state (150) (process 1203).

Next, the standby unit (10) interrupts the alive message transmission processing (771) and the alive message reception confirmation processing (772) (processing 1204). The shared disk device (5) is read, and checkpoint data of the message being executed is searched (process 1205). Then, it is determined whether the message being executed has been executed up to the checkpoint (process 1206). If the process has been executed up to the check point, the process is restarted from the check point (process 1207). If the execution has not been performed up to the checkpoint, the message is restarted from the beginning (processing 120
8). The spare unit (10) starts copying from the spare unit area (5-0) of the shared disk unit (5) to the internal disk unit (10-6) of the spare unit (10) (Process 12).
09).

FIG. 39 is a detailed flowchart of the process of resuming from the check point in (process 1207) of FIG.

In (Process 1207), first, the takeover information of the checkpoint data of the shared disk device (5) is read, and DR0-DR7 (500-507), AR
0-AR6 (510-516), AR7 (520), S
R (521) and PC (522) are set to the processor (31-1) of the standby unit (10), which is a standby system. SR
If (521) is set, the interrupt level becomes 0 (process 1220). DR0-DR7 (500-507),
AR0-AR6 (510-516), AR7 (52
The values of (0), SR (521), and PC (522) are the values of (Process 1206), and are the values immediately before the execution of the writing process to the disk.

Processor (10-1) of spare machine (10)
Resumes from the point of write processing to the disk (checkpoint) by the RTE instruction (processing 122).
1).

On the other hand, the active device (11) in which the failure has occurred is reset and transits to the offline state (153). Then, the system is prevented from rebooting until the faulty part is repaired.

The spare unit (10) is shown in FIGS.
Step 2 is executed.

FIG. 40 is a flow chart of the copy process of the standby unit (10). First, the register during copying (2
55) is set to (01) 16 (process 1230), and the copy completion pointer is set to (000000) 16 (process 123)
1). 1 kB copy is performed at a time (processing 123
2) When the 1 kB copy is completed, the current copy completion pointer is updated to (000200) 16 (process 12).
33).

When the value of the copy completion pointer is (FFFFF)
F) When 16 is reached (processing 1234), the copy is completed (processing 1235), and the copy-in-progress register (255) is set to (00) 16 (processing 1236). If the value of the copy completion pointer is not (FFFFFF) 16 yet, processing 1
Returning to 232 (processing 1237), copying is performed again.

FIG. 41 is a flow chart of the writing process of the disk device of the spare machine. First, referring to the copy completion pointer, it is determined whether or not the area is a copy completed area (process 1240). If the copying is completed, the data is written to the shared disk device (5) and the internal disk device (10-6) (process 1241). If the copy has not been completed, write only to the shared disk device (5) (Process 1
242).

FIG. 42 is a flow chart of a reading process of the disk device of the spare machine. First, referring to the copying-in-progress register (255) (processing 1250), if copying is completed, the data is read from the internal disk device (10-6) (processing 1251). If the copy has not been completed, the data is read from the shared disk device (5) (Process 12
52).

When a failure occurs in the standby unit, the active unit detects this, notifies all other active units, and disconnects the standby unit.

Re-Synchronization Processing Procedure Finally, with reference to FIG. 43, a processing procedure in the case where the active device (11) has recovered from a failure will be described.

FIG. 43 is a flow chart from when the old active unit (11-a) recovers from the failure and when it performs the backup operation with the new active unit (10-a). Here, the active device (11) in which the failure has occurred is referred to as the old active device (11-a). The spare machine (10) is called a new working system (10-a).

When the old active unit (11-a) starts the restoration and the restoration is completed, the state transitions from the offline state (153) to the restoration state (154) (processing 1400). Then, the new active unit (10-a) is notified of the completion of the restoration (process 14).
01). The new active device (10-a) receives this (processing
1402), the new working machine (10-a) is replaced with the old working machine (11-a).
a) requesting transition to the standby state (152) (processing
1403). Upon receiving this request, the old active unit (11-a) changes the status register (250-1) from (01) 16 to (02) 16, thereby restoring the status (154).
To the standby state (152) (processing 140
4). The old working machine (11-a) and the new working system (10-a)
-A) starts exchanging alive messages (process 1405).

<Operation Example 2> Next, in the system of the present embodiment described with reference to FIGS. 1 to 30, the processing when a failure occurs in the internal disk unit (11-6) of the active unit (11) will be described. I do.

In this case, the standby unit (10) is in the standby state (1
52), it is also possible to take over the processing to the spare machine (10). However, takeover is not possible unless the standby machine (10) is in the standby state (152). Therefore, here, a description will be given of a process in which the internal disk device (11-6) of the active device (11) is closed and executed only by the shared disk device (5).

FIG. 44 is a diagram showing a processing procedure when a failure occurs in the internal disk device. The active device (11) detects a failure of the internal disk device (11-6) by an external interrupt (process 1601). The working machine (11) has a built-in disk device (11-) in the disk subsystem (4).
Inform 6) that a failure has occurred (processing 160).
2).

On the other hand, the disk subsystem (4) sets the disk status register (240-1) to (02) to indicate that a failure has occurred in the internal disk unit (11-6) of the active unit (11). 16 (processing 161)
0).

The active unit (11) is provided with the disk controller (1).
1-4) is reset (processing 1603). And
The status register (250-1) of the active device (11) stores (2
From (0) 16 to (08) 16, the quasi-active state (built-in disk device failure) (151).

Hereinafter, the disk subsystem (4)
Performs a read process by an emergency interrupt (804) as shown in FIG. 27 in response to a read request or a write request of the active device (11) (811). The write process is performed by a timer interrupt (802) or an event interrupt (803), as in the normal state (a state in which no failure has occurred) (821).

FIG. 45 is a diagram showing a processing procedure when the internal disk device restoration is completed. When the repair of the internal disk unit (11-6) is completed in the active unit (11) (processing
1650), the active device (11) notifies the disk subsystem (4) of the completion of the restoration (process 1651).

On the other hand, the disk subsystem (4) clears the corresponding bit of the disk status register (240-1). Specifically, the disk status register (240-1) is changed from (02) 16 to (00) 16 (process 1660).

The active unit (11) starts copying from the shared disk unit (5) to the internal disk unit (11-6) (processing 1652). When the copy processing is completed, the working machine (11) starts copying from the disk subsystem (4) (processing 1653). When the copy from the disk subsystem (4) is completed, the disk subsystem (4) sets the disk status register (2
40) The corresponding bit is cleared. Further, the status register is changed from (08) 16 to (20) 16, and the status changes from the semi-active status (internal disk failure) (151) to the active status (150) (process 1654).

<Operation Example 3> Next, in the system of the present embodiment described with reference to FIGS.
The processing when a failure occurs in the shared disk device (5) will be described. Here, the shared disk device (5)
Will be described, and processing executed only by the internal disk devices (11-6 to 17-6) will be described.

FIG. 46 is a diagram showing a processing procedure when a failure occurs in the shared disk device. When the active unit (11) detects a failure of the shared disk device (5) (processing 1700), the active unit (11) is connected to the other active units (12 to 17) and the standby unit (1).
0) is notified that a failure has occurred in the shared disk device (5) (process 1701).

On the other hand, the other active devices (12 to 17) change the status registers (250-2 to 250-7) from (20) 16 to (10) 16 and the semi-active status (shared disk device failure). (151) (Processing 1710). The spare machine (10) sets the status register (250-0) to (04).
Transits from 16 to (01) 16 and goes offline (153)
(Processing 1710).

The working unit (11) resets the disk subsystem (4). Then, the working machine (11) updates the status register (250-1) from (20) 16 to (10) 16.
To the semi-active state (shared disk device failure) (15
1) (process 1703).

FIG. 47 is a diagram showing a processing procedure when the restoration of the shared disk device is completed. When the active device (11) detects the completion of the restoration of the shared disk device (5) (processing 175)
0), the active device (11) notifies the other active devices (12 to 17) of the completion of restoration (processing 1751).

Working machine (12-17) and spare machine (10)
Stores the contents of the internal disk device (12-6 to 17-6) in the designated area (5-2 to 5-
7, 5-0) (processing 1760). When the processing is completed, the working machines (12 to 17) change the status registers (250-2 to 250-7) from (10) 16 to (2).
0) The state transits to 16 and becomes the working state (150) (Process 1)
761). In the spare unit (10), the status register (250-0) transits from (01) 16 to (04) 16,
A standby state is set (processing 1710).

The working machine (11) has a built-in disk device (1
1-6) to the designated area (5-
1) (processing 1752). When this processing is completed, the active unit (11) changes the status registers (10) 16 to (20) 16 to the semi-active state (shared disk failure).
Transition from (151) to working state (150) (Process 1)
753).

<Other Embodiment> Next, another embodiment of the present invention will be described.

FIG. 48 is a system configuration diagram according to the second embodiment of the present invention. As shown in the figure, in the system of this embodiment, a host computer (8) is provided. The host computer (8) is composed of an active host (8-0) and a spare host (8-1).
2) is provided.

FIG. 49 is a configuration diagram of the working machine and the spare machine in this embodiment. Compared to FIG. 2, in the present embodiment, a line adapter (11-7) is added to the active unit and the standby unit.

FIG. 50 is a configuration diagram of a line adapter according to this embodiment. Line adapter (10-7 to 17-7)
Have the same configuration, the line adapter (17-7) of the active device (17) will be described as an example. The line adapter (17-7) includes a processor (17-7-1), a memory (17-7-2), a buffer (17-7-3), and a LAN control unit (17-7-4). .

The buffer (1) of the line adapter (17-7)
7-7-3) includes a message receiving queue (17-7-).
7) and a transmission queue (17-7-7).
Terminal (7) is in the message receiving queue (17-7-7).
From the transmission queue (17-7).
-7) stores a message to be transmitted to the terminal (7).

Hereinafter, referring to FIGS. 48 to 50, the second
An example will be described.

The disk subsystem (4) and the shared disk device (5) used in the first embodiment are not used. Instead, the disk device (8-2) of the host computer (8) is used. Further, the communication processing server (2) used in the first embodiment is not used. Instead, line adapters (10-7 to 17-7) are provided for the active units (11 to 17) and the standby unit (10). Then, the line switching device (3) directly outputs the active devices (11 to 1).
7) and the spare machine (10) are switched.

As a result, similar to the configuration of the first embodiment, the working disks (11 to 17) and the standby device (10) are provided with the built-in disk units (10-6 to 17-6). Then, the content is the same as that of the disk device (8-2) of the host, thereby forming a duplex configuration. The processing procedure may be the same as in the first embodiment.

[0189]

According to the present invention, in the n-to-1 backup configuration, the active device reads necessary data from its own internal disk, and writes the processing result and takeover information to the shared disk and its own internal disk. When a failure occurs in the active device, the standby device can take over the processing of the failed active device by reading the takeover information from the shared disk. Further, the spare device copies the contents of the shared disk to its own internal disk, and when it is finished, reads the content from the internal disk device. As described above, in the present invention, the contention with other active devices occurs only in the writing process to the shared disk device, but the processing capability is improved as compared with the conventional system competing in both the reading process and the writing process of the shared disk. It becomes possible.

[Brief description of the drawings]

FIG. 1 is a system configuration diagram according to a first embodiment of the present invention.

FIG. 2 is a configuration diagram of a working machine and a spare machine.

FIG. 3 is an allocation diagram of disk devices.

FIG. 4 is a diagram showing features of the present invention.

FIG. 5 is a configuration diagram of a disk control device.

FIG. 6 is a configuration diagram of a LAN adapter.

FIG. 7 is a configuration diagram of a communication processing server.

FIG. 8 is a diagram illustrating a conversion table between a communication processing server and a terminal;

FIG. 9 is a configuration diagram of a line switching device.

FIG. 10 is a configuration diagram of a disk subsystem.

FIG. 11 is a state transition diagram.

FIG. 12 is a diagram showing modes and mode transitions of a disk device.

FIG. 13 shows a status register.

FIG. 14 is a diagram showing an interrupt register.

FIG. 15 is a diagram showing an alive register of an active device.

FIG. 16 is a diagram showing an alive register of a spare machine.

FIG. 17 is a diagram showing a checkpoint data register.

FIG. 18 is a diagram showing a checkpoint data area.

FIG. 19 is a diagram showing a register during copying.

FIG. 20 is a diagram showing a disk status register.

FIG. 21 is a diagram showing a write data register.

FIG. 22 is a detailed circuit diagram of a processor, a memory, and an IOP.

FIG. 23 is a diagram showing a control circuit for a time interruption.

FIG. 24 is a diagram showing a memory map.

FIG. 25 is a diagram showing a software configuration of an active device.

FIG. 26 is a diagram showing a software configuration of a spare machine.

FIG. 27 is a diagram showing a software configuration of a disk subsystem.

FIG. 28 is a diagram illustrating an outline of a message processing;

FIG. 29 is a diagram showing a message management table.

FIG. 30 is a format diagram of a message.

FIG. 31 is a diagram showing a communication processing procedure.

FIG. 32 is a diagram showing a processing procedure during normal operation.

FIG. 33 is a diagram showing a processing procedure (periodic interrupt method) of the disk subsystem during normal operation.

FIG. 34 is a diagram showing a processing procedure (event interrupt method) of the disk subsystem during normal operation.

FIG. 35 is a diagram showing a failure detection method using an alive message.

FIG. 36 is a flowchart of an alive message transmission process.

FIG. 37 is a flowchart of an alive message reception confirmation process.

FIG. 38 is a flow chart of a takeover process of a spare machine.

FIG. 39 is a detailed flowchart of (Process 1207).

FIG. 40 is a flowchart of a copy process performed by a spare machine.

FIG. 41 is a flowchart of a copy process of a disk device of a spare machine.

FIG. 42 is a diagram illustrating a reading process from a disk device of a spare machine.

FIG. 43 is a diagram showing a resynchronization processing procedure.

FIG. 44 is a diagram showing a processing procedure when an internal disk device fails.

FIG. 45 is a diagram showing a processing procedure at the time of repairing a failure in an internal disk device.

FIG. 46 is a diagram showing a processing procedure when a failure occurs in the shared disk device.

FIG. 47 is a diagram depicting a processing procedure at the time of restoration of a shared disk device failure;

FIG. 48 is a system configuration diagram according to a second example of the present invention.

FIG. 49 is a configuration diagram of an active unit and a standby unit in the system configuration diagram of the second embodiment.

FIG. 50 is a configuration diagram of a line adapter.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 ... High-speed LAN, 2 ... Communication processing server, 2-0 ... Active communication processing server, 2-1 ... Standby communication processing server, 2-2 ...
Disk device for communication processing server, 2-3 ... timer, 2-
4 terminal conversion table, 3 line switching device, 3-0 conflict prevention circuit, 4 disk subsystem, 5 shared disk, 6 line, 7 terminal, 8 host computer,
8-0: working host, 8-1: spare host, 8-2: shared disk device of host, 10: spare machine, 11-17 ...
Working machine to working machine, 70: message format, 71: working machine number, 72: message body, 73: time stamp, 240: disk status register, 241: write data register, 250: status register, 251: interrupt register, 252: Alive register of the active device, 253: Alive register of the spare device, 254: Checkpoint data register, 255: Register during copying, 270 to 27
7 Checkpoint data area.

────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Toshiyuki Kinoshita 1099 Ozenji Temple, Aso-ku, Kawasaki City, Kanagawa Prefecture Hitachi, Ltd. System Development Laboratory (56) References JP-A-2-297643 (JP, A) JP-A Sho 55-115151 (JP, A) (58) Field surveyed (Int. Cl. ⁶ , DB name) G06F 3/06

Claims (15)

(57) [Claims] In a system in which n active machines and a spare machine which is a common spare are connected by a network,
A built-in disk device is provided for all the active devices and the spare devices, and a shared disk device shared by all the active devices and the spare devices is provided, and the shared disk device is provided for the n active devices and the spare devices. Correspondingly n +
A backup device, which is divided into one area, and duplexes each area of the shared disk device and a built-in disk device of an active device or a spare device corresponding to the area. 2. The backup device according to claim 1, wherein the active device reads data from the internal disk device of the active device and writes the data to the internal disk device and the shared disk device when the active device is normal. 3. The built-in disk device and the shared disk device as checkpoint data of a received message, a processor register, line information, a status of a message, and information for taking over processing of a process execution state. The backup device according to claim 1, wherein the backup device is stored in the backup device. 4. The n active devices send an alive message to the standby device, and the standby device detects a failure of each active device by confirming reception of the alive message. 4. The backup device according to claim 1, wherein: 5. The standby unit sends an alive message to each of the n active units, and the active unit detects a failure of the standby unit by confirming reception of the alive message. The backup device according to any one of claims 1 to 4, wherein: 6. The apparatus according to claim 1, wherein upon detecting a failure in the active unit, the standby unit reads out checkpoint data necessary for restarting the failure process of the active unit from the shared disk device. 6. The backup device according to any one of items 5 to 5. 7. The spare unit copies contents of a disk unit of the active unit in which a failure has occurred from a shared disk unit to a built-in disk unit of the spare unit during a failure recovery process of the active unit. Item 7. The backup device according to any one of Items 1 to 6. 8. The system according to claim 1, wherein when the failure of the standby unit is detected, the active unit notifies all other active units that the standby unit has a failure, and disconnects the standby unit from the system. 8. The backup device according to any one of claims 1 to 7. 9. The active device, when detecting a failure in the internal disk device, closes the internal disk device, performs a read process from the shared disk device, and performs a write process to the shared disk device. Claim 1
9. The backup device according to any one of items 1 to 8. 10. A process according to claim 9, wherein the process of reading from said shared disk device is performed prior to the process of writing and copying to another shared disk device.
The backup device according to item 1. 11. When the active device detects a failure in the shared disk device, it notifies all other active devices, and all the active devices read and write data from their own internal disk devices, and 11. The backup device according to claim 1, wherein processing is continued. 12. The backup device according to claim 1, wherein, when the active device in which the failure has occurred is repaired from the failure, all the other active devices are notified of the failure repair, and transition to a standby state. . 13. When the shared disk device is repaired,
13. The backup device according to claim 1, wherein all active devices copy the contents of a built-in disk device to a shared disk device. 14. The backup device according to claim 1, wherein the shared disk device is a disk device of a host configured by a hot standby system including an execution host and a standby host. 15. In a system in which n active machines and a spare machine, which is a common spare thereof, are connected via a network, all of the active machines and the spare machines are provided with built-in disk units, and all of the active machines and the spare machines are provided. A shared disk device shared by the shared disk device and the spare device, the shared disk device is divided into n + 1 areas corresponding to the n active devices and the spare device, and the respective areas of the shared disk device are divided into n + 1 areas. A backup method comprising duplicating an internal disk device of an active device or a spare device corresponding to the area.