JP3760278B2 - Multiplexing system - Google Patents

Description

BACKGROUND OF THE INVENTION
[0001]
  The present invention relates to a multiplexing system having an execution system and a standby system. In particular, the shared data is transferred from the execution system to the standby system, the standby system checks the pattern of the shared data, and monitors the system mutually to be sound. The present invention relates to the control of a multiplexing system that confirms the performance.
[Prior art]
[0002]
  In a conventional redundant system having an active system and a standby system, when the power of the active system is cut off, the system is switched to the standby system where the power supply is operating normally, and an instruction or command from the standby system is sent to the plant or control target. Operation and monitoring operations were continued.
[0003]
  Also, a part of the local memory is allocated as shared memory, and the execution system CPU device transfers the data to be written to the shared memory to the standby system CPU device via the dedicated matching bus (DCM bus), and the shared data of both systems The standby CPU device checks the data pattern in the shared memory of the executing CPU device and checks the soundness of each other using the matching method of the duplex system that matches the two.
[0004]
  As a means for the standby CPU device to check the soundness of the execution system, the standby software issues a transfer request signal so as to transfer the shared data to the execution system CPU device, and in the execution system shared memory. The data pattern was acquired. Transfer requests by these software are made as necessary for data acquisition.
[0005]
  further,As memory backup operation,In the event of a power failure in the active system or when the power switch is turned off, the memory bus is electrically disconnected according to the memory protection request signal generated based on the power failure warning signal (POP signal), and the external refresh controller Memory content retention method that starts operation and backs up memoryIt has been known.
[0006]
  In this method, at the time of a power failure, the execution CPU device performs data backup processing and power failure processing of the local memory, and a power failure signal (PAVL signal) from the execution power supply device stops the operation of the DCM control unit. Until the DCM bus is electrically disconnected, the operation of transferring the data in the shared memory to the standby CPU device is continued in response to a transfer request from the standby system via the DCM bus.
[0007]
  As a technique related to the power failure processing of the duplex system at the time of a power failure, Japanese Patent Laid-Open No. 6-318160 discloses that an execution system processor performs a power failure processing as an interrupt processing based on a power failure warning signal output due to an interruption of the execution system power supply, A method is shown in which shared data including internal register information is transferred to a standby system and the execution system is shifted to a stopped state. However, it does not show a countermeasure for power down of both systems due to power switch operation mistake.
[0008]
  Japanese Laid-Open Patent Publication No. 9-305424 discloses a duplication system matching in which the execution system CPU device transfers data to be written to the shared memory to the standby system CPU device via the DCM bus, and makes the shared data of both systems coincide. Shows the conversion method.
[Problems to be solved by the invention]
[0009]
  FIG. 8 is a block diagram showing an internal configuration of the CPU device 100 in the conventional duplex system. The execution system CPU device 100 of the duplex system includes a local memory 110 that stores programs and data, a DCM control unit 120 that includes a buffer 122 that controls data transfer to the standby system, and the execution system CPU device 100 and the standby system CPU device. 200 is connected to / disconnected from the DCM bus 300, which is a common bus connecting to the memory 200, the memory bus 112 connecting the local memory 110 and the DCM control unit 120, and the memory bus 112 based on the power failure warning signal 011 from the power supply device 010. A timing generation circuit 140 that outputs a command signal to perform, an external refresh control unit 160 that controls a self-refresh operation as a backup unit of the local memory 110 such as a DRAM or SDRAM after disconnecting the memory bus 112 in the event of a power failure, Each directive to and It consists of processor 150. to run your operations.
[0010]
  The processor 150 can read / write the entire area of the local memory 110 in the CPU device 100.
[0011]
  The standby CPU device 200 can read / write data from / to a partial area in the local memory 110 via the DCM bus 300 and the DCM control unit 120 without going through the processor 150.
[0012]
  The local memory 110 sets a partial area of the memory as the upper limit address and the lower limit address value, and then writes the data into the main area, that is, the shared memory 111 from the processor 150, the data is stored in the buffer 122 of the DCM control unit 120, and the DCM The control unit 120 has a function of transferring the stored data to the standby CPU device 200 and matching the data in the shared memory 111 of both systems.
[0013]
  FIG. 9 is a timing chart showing the operation timing after a power failure in the conventional duplex system.
[0014]
  After the AC input 013 is cut off due to the power interruption at the time of the running system power failure, the running system power supply device 010 outputs the power failure warning signal 011 to the CPU device 100 and outputs the power failure signal 012 after a certain time. Until the power failure signal 012 is output, power can be supplied to the CPU device 100 with the electric charge stored in the capacitor in the power supply device 010. However, after the power failure signal 012 is output, the power supply voltage from the power supply device 010 decreases. After a while, it becomes impossible to supply power to the CPU device 100, and operation becomes impossible.
[0015]
  When the CPU device 100 detects the power failure warning signal 011, the timing generation circuit 140 outputs a memory protection request signal 141 after a predetermined time. In response to the memory protection request signal 141, the memory bus 112 connecting the DCM control unit 120 and the local memory 110 is electrically disconnected, and the connection is switched to the external refresh control unit 160.
[0016]
  After the switching, the external refresh control unit 160 starts a self-refresh operation and executes a content holding operation in the local memory 110. Further, when receiving the power failure notice signal 011 as an interrupt signal, the processor 150 performs stop processing.
[0017]
  Furthermore, when the CPU device 100 detects the power failure signal 012 after a certain time, the CPU 100 turns off the changeover switch in the DCM control unit 120 and disconnects the DCM control unit 120 and the DCM bus 300.
[0018]
  After the DCM bus 300 is disconnected, the standby CPU device 200 is electrically disconnected, and data transfer in the shared memory 111 to the standby system becomes impossible.
[0019]
  There are two methods for transferring data in the shared memory 111. The first method is a method in which when the execution system CPU device 100 processor 150 writes data to the shared memory 111 in the local memory 110 based on the contents of software processing, the written data is transferred to the standby system. It is. In the second method, when the DCM control unit 120 of the execution system CPU device 100 receives the transfer request signal 301 or the transfer request pattern 301 from the other system CPU device 200 via the DCM bus 300, the execution system local memory This is a method for transferring data in 110 shared memory 111 to a standby system.
[0020]
  For the second method, the software of the standby CPU device 200 issues a transfer request signal 301 (or data pattern) to acquire data in the shared memory 111 of the executing CPU device 100, and the DCM control unit 120 When the transfer request signal 301 is received, a master operation is performed, data in the shared memory 111 in the local memory 110 is read, and the read data is transferred to the standby system via the DCM bus 300 and written.
[0021]
  However, in this conventional method, when the standby power supply device 020 is shut off after the active power supply device 010 is shut off, the power of both systems is down and the operation to the plant or the controlled object is stopped. was there.
[0022]
  Further, when the software processing of the standby system CPU device 200 monitors the power failure warning signal 011 of the active power supply device 010, it stops issuing the transfer request signal 301 based on the detection of the power failure warning signal 011. Even if the method is adopted, depending on the issue cycle and timing, the transfer request signal 301 overlaps from the standby CPU device 200 during the indefinite data period due to the disconnection of the memory bus 112, and the executing DCM control unit 120 transfers the shared memory 111 to the shared memory 111. Since the read operation is executed, there is a problem that undefined data is transferred to the standby CPU device 200.
[0023]
  Further, since the processor 150 of the execution system CPU device 100 executes the interrupt process (stop process) when the power failure notice signal 011 is received as an interrupt signal, the occurrence of the interrupt process causes an influence due to a decrease in control processing capability. There is a need for improvement.
[0024]
  In this way, when the standby power supply is normal when power is cut off due to a power failure in the conventional running system, control can be taken over normally, but when the standby power supply is shut off, both Since the power supply of the system is turned off, the power supply of both systems is down, and control cannot be continued.
[0025]
  These cases may also occur due to a power switch operation error.
[0026]
  In addition, there is an indefinite data period at a timing before the active power supply apparatus shuts off the DCM bus by a power failure signal. This period occurs when the memory bus is disconnected by a memory protection request signal. If the transfer request timing for acquiring data in the shared memory from the standby CPU device and the indefinite data period in the execution CPU device overlap during this period, the indefinite data in the execution system is transferred to the standby CPU. Transfer to device. As a result, the standby CPU device receives an incorrect data pattern and erroneously detects an error due to inconsistency of the matched data.
[0027]
  Even if the standby system adopts means to monitor the power failure warning signal of the active system, the standby software processing is based on the timing when the power failure warning signal is detected.Transfer request signalIs issued, it is difficult to completely avoid the overlap with the indefinite data period, and a method for solving them is required.
[0028]
  The purpose of the present invention is to prevent the standby system power from being accidentally shut down even if there is a power switch operation error, etc., in order to avoid power down of the entire system of the multiplexed system when the power of the active system is shut down. It is to provide a multiplexing system with means for protecting.
[0029]
  Another object of the present invention is to prevent indefinite data transfer in the shared memory when there is an indefinite data period due to power-off of the execution system, occurrence of an abnormality in the DCM bus or memory bus, plan switching operation of the execution system, etc. It is an object of the present invention to provide a multiplexing system having means for performing the above.
[Means for Solving the Problems]
[0030]
  In order to achieve the above object, the present invention provides a multiplexed system comprising an execution system and a standby system each including a CPU device and at least one power supply device. A power supply unit that monitors the state of the system power supply and outputs a power protection control signal, and that powers each system shuts off the AC input according to at least the operation status of the power switch of the own system and the power protection control signal. A multiplexing system that has a power protection unit including a shut-off switch, and the power protection control signal is a control signal that keeps the own power shut-off switch ON regardless of the operation status of the power switch when the partner power is off suggest.
[0031]
  The other system monitoring unit includes a control register for controlling the own system power supply device and a status register reflecting the own system power failure warning signal status and the other system power failure warning signal status. The power protection unit includes the power switch and the other system. An AND circuit that calculates the logical product of the power failure notice signal and the power protection control signal from the other system monitoring unit, and a power cutoff switch that shuts off the AC input according to the output of the AND circuit.
[0032]
  In order to achieve the above-mentioned other objects, the present invention is a multiplexing system comprising an execution system and a standby system each including a CPU device and at least one power supply device. A shared data matching circuit (DCM control unit) that transfers the shared data to the standby system via the bus and matches the memory contents of the entire system, and the standby CPU device receives the shared data in the execution CPU device. In a multiplexing system that issues a transfer request signal via a matching bus (DCM bus) to acquire, transfers shared data from the execution CPU device to the standby CPU device, and matches the memory contents, the execution system The DCM controller ofIf there is a transfer request from the standby system during the period when undefined data is transferred due to an event such as a power failure, abnormality, or plan change in the active system,For the standby system via the matching bus (DCM bus)Outputs a response command indicating that the running system is in an indefinite data periodA multiplexing system as a control unit is proposed.
[0033]
  The standby system CPU device issues an execution system after issuing a transfer request signal during the system switching process of the execution system.Received from theAt system switchover by response commandThe shared data being transferred for matchingIf it is determined that it is a transfer request during a period that may be inconsistent,The matching operation is stopped.
[0034]
  The DCM control unit has a power failure warning signal indicating power failure from the power supply and the DCM bus.Match operation status andThe other system monitoring unit monitors the DCM bus based on the power failure warning signal output from the power supply device when the running system power supply is cut off.Matching behaviorWhen the status is monitored and the shared data is transferred by the transfer request from the standby system and it is determined that the DCM bus is occupied,Matching behaviorWait until is finished,Matching behaviorAfter determining that the process has been completed, the system shifts to the memory backup operation of the active system and switches to the memory backup operation.Matching behaviorIt is the monitoring part which synchronizes.
[0035]
  The present invention also providesA multiplexing system comprising an execution system and a standby system each including a CPU device and at least one power supply device, the matching bus from the execution system ( DCM bus ) Shared data matching circuit that transfers shared data to the standby system via the network and matches the memory contents of all systems ( DCM controller ) A matching bus for the standby CPU device to acquire shared data in the executing CPU device ( DCM bus ) In a multiplexing system that issues a transfer request signal via the CPU, transfers the shared data from the active CPU device to the standby CPU device, and matches the memory contents,The execution system CPU device isBased on a power failure warning signal caused by an event such as a power failure, abnormality, or plan change in the running systemA command signal for disconnecting the DCM bus is output to the DCM control unit, and at the same time, a memory protection request signal is output to disconnect the memory bus connecting the DCM control unit and the memory, before the DCM control unit shifts to the memory backup operation. We propose a multiplexing system that is a CPU device that shuts off the partner system at the timing and makes no response to the partner system that requested the transfer after disconnecting the DCM bus.
[0036]
  The standby system CPU device is a period in which the shared data that is being transferred to be matched at the time of system switching may become inconsistent due to no response from the executing system after issuing a transfer request signal during system switching processing of the executing system If it is determined that the request is a middle transfer request, the matching operation is stopped.
[0037]
  The DCM control unit includes an other-system monitoring unit that monitors a power failure notice signal indicating a power-off from the power supply device and a matching operation state on the DCM bus. The matching operation state of the DCM bus is monitored based on the power failure warning signal output from the network, and when the shared data is transferred by the transfer request from the standby system and it is determined that the DCM bus is occupied, the matching operation is performed. This is a monitoring unit that waits until the process is completed, shifts to the memory backup operation of the execution system after determining that the matching operation is completed, and synchronizes the switching to the memory backup operation and the matching operation.
[0038]
  According to the present invention, when each multiplex system has a power source and the power source of the active system power supply is switched off to the standby system, the standby system is switched by the standby system power switch. Since it is equipped with a mechanism that protects the power supply from being shut off, it is possible to prevent simultaneous power-down of the entire system due to operational mistakes or human error.
[0039]
  In addition, the power supply status is monitored by software processing, and if a power failure notice state is detected, the CPU device can be arbitrated to control power reset and protection, so software processing has priority over conventional interrupt methods. The influence on the normal control processing can be eliminated.
[0040]
  Furthermore, in a redundant system that transfers soundness data to each other to check soundness, to obtain soundness data from the execution system by software processing of the standby CPU deviceMatching bus ( DCM bus ) ViaWhen a transfer request signal is issued and undefined data is about to be transferred when a power failure, bus failure, or system plan switchover occurs,Matching bus ( DCM bus ) ViaIt is possible to prevent hardware from reporting to the standby system with a response command corresponding to power failure, bus abnormality, system plan switching occurrence, and transferring indefinite data to the standby system.
[0041]
  Therefore, since the standby CPU device does not receive the unexpected indefinite data transferred from the execution system CPU device, it is not erroneously detected as an error on the execution system CPU device and the DCM bus due to the mismatch of the matching data. Mutual system can monitor each other normally.
DETAILED DESCRIPTION OF THE INVENTION
[0042]
  Next, an embodiment of a multiplexing system according to the present invention will be described with reference to FIGS.
[0043]
  Here, the present invention will be described by taking a duplex system as an example, but the present invention is also effective in a multiplexing system of triple or higher. In that case, the dual system power down event in the redundant system is an all system power down event.
[0044]
  Further, the power supply devices of each system may be multiplexed. That is, either the active system or the standby system may include a plurality of power supply devices.
Embodiment 1
[0045]
  FIG. 1 is a system diagram showing the overall configuration of an embodiment of a duplex system according to the present invention. FIG. 2 is a block diagram showing the internal configuration of the power supply device 010 and the CPU device 100 in Embodiment 1 of the duplex system according to the present invention. The execution system CPU device 100 of the duplex system includes a local memory 110 that stores programs and data, a DCM control unit 120 that includes a buffer 122 that controls data transfer to the standby system, and the execution system CPU device 100 and the standby system CPU device. 200 is connected to and disconnected from the memory bus 112 based on a power failure warning signal 011 from the power supply device 010, a DCM bus 300 that is a common bus for connecting to the 200, a memory bus 112 that connects the local memory 110 and the DCM control unit 120 A timing generation circuit 140 that outputs a command signal to perform, an external refresh control unit 160 that controls a self-refresh operation as a backup unit of the local memory 110 such as a DRAM or SDRAM after disconnecting the memory bus 112 in the event of a power failure, Each directive to and It consists of processor 150. to run your operations.
[0046]
  The processor 150 can read / write the entire area of the local memory 110 in the CPU device 100.
[0047]
  The standby CPU device 200 can read / write data from / to a partial area in the local memory 110 via the DCM bus 300 and the DCM control unit 120 without going through the processor 150.
[0048]
  The local memory 110 sets a partial area of the memory as the upper limit address and the lower limit address value, and then writes the data into the main area, that is, the shared memory 111 from the processor 150, the data is stored in the buffer 122 of the DCM control unit 120, and the DCM The control unit 120 has a function of transferring the stored data to the standby CPU device 200 and matching the data in the shared memory 111 of both systems.
[0049]
  The configuration of the power supply device 010 of this embodiment, the output timing of the output signals (the power failure warning signal 011 and the power failure signal 012), and the basic configuration in the CPU device 100 are quite similar to those of the conventional circuit of FIG.
[0050]
  However, the first embodiment is greatly different from the conventional one in that an additional system monitoring unit 121 is additionally installed in the DCM control unit 120 and a power protection unit 015 is newly provided in the power supply device 010.
[0051]
  The other system monitoring unit 121 reflects the control register 124 that controls the own system power supply device 010, the own system power outage notice signal 011 state (own system POP), and the other system power outage notice signal 021 state (partner system POP). The register 125 is operated by an instruction from the processor 150 based on software processing of the CPU device 100.
[0052]
  Power supply unit 010InsideThe power protection unit 015 calculates the logical product of the manually operated power switch 014, the counterpart power failure warning signal 021, and the power protection control signal from the other system monitoring unit 121, and outputs the AND circuit 19 to the AND circuit 19. Accordingly, it includes a power cut-off switch 017 that cuts off the AC input 013 and a capacitor 18 that holds electric charge, and supplies the power supply voltage VCC 016 to the CPU device 100 in a steady state.
[0053]
  Therefore, even when the power supply is cut off due to the operation of the power switch 014 of the own system (execution system), it is possible to prevent the standby system power supply device 020 from being shut off and to prevent both systems from powering down.
[0054]
  The software of the execution system CPU device 100 monitors the status register 125 in the other system monitoring unit 121. For example, when the power supply of the standby power supply device 020 is alive when the power supply switch 014 of the active power supply device 010 is pressed and the power supply is shut off, the status register 125 of the other system monitoring unit 121 sets the active system POP. = “OFF” Standby system POP = “ON”, and when the software detects this state, execution system power-off processing is entered.
[0055]
  Specifically, when the software sets the own power supply CTL = 'reset' to the control register 124, the power protection control signal 126 becomes 'H' and the partner power failure notice signal 021 is OFF (standby system). Since the power supply is normal), the AND circuit 019 disconnects the power cut-off switch 017.
[0056]
  As a result, the power supply voltage VCC016 generated based on the AC input 013 is not supplied after the capacitor 018 is discharged, and the power supply is completely cut off.
[0057]
  On the other hand, even if an attempt is made to shut off the execution system power supply when the standby system power is off, the AND condition is not satisfied in the AND circuit 019. Therefore, the power cut-off switch 017 is not disconnected in hardware, and the execution system Even if the power switch 014 is turned off, the power supply voltage VCC 016 continues to be supplied.
[0058]
  Similarly, the software of the standby system CPU device 200 monitors the other system monitoring unit 221 and, in the above state, the status register 225 detects that the standby system POP = “ON” execution system POP = “OFF”. Then, the standby power supply protection process is started.
[0059]
  Specifically, when the software sets the own power supply CTL = 'protection' for the control register 224, the power supply protection control signal 226 becomes 'L' and the counterpart power supply notice signal 011 is turned ON (execution system). Therefore, the AND circuit 029 protects the power cut-off switch 027 and the power cut-off switch 027 is not disconnected by hardware. Therefore, the standby power supply voltage VCC 026 continues to be supplied.
[0060]
  According to the first embodiment, it is possible to monitor the power-off state for both systems and execute the reset / protection instruction for the local power supply device. In order to avoid power down of both systems of the system, the power supply can be protected so that the power supply of the standby system is not cut off accidentally.
[0061]
  If the power of one system is shut off, turning off the power of the other system will lead to the power of both systems going down, causing the system to stop and causing a serious accident. Due to the protection mechanism provided in FIG. 2, AC input is not blocked by hardware by manual operation of the power switch, and system down due to human error can be prevented.
Embodiment 2
[0062]
  FIG. 3 is a block diagram showing an internal configuration of the CPU device 100 in the second embodiment of the duplex system according to the present invention.
[0063]
  The internal configuration of the other system monitoring unit 121 is basically the same as that of the first embodiment, except that it includes means for monitoring the transfer request signal 301 from the standby system CPU device 200 and the operation state. . Therefore, it is possible to prevent hardware from transferring undefined data when the transfer request signal 301 is received from the standby system during the undefined data period, which has been a problem in the past.
[0064]
  FIG. 4 is a timing chart showing operation timing after a power failure in the second embodiment of the duplex system according to the present invention. FIG. 5 is a flowchart showing the processing procedure of the other system monitoring unit after a power failure in the second embodiment of the duplex system according to the present invention.
[0065]
  The operation of the other system monitoring unit 121 in the DCM control unit 120 when the execution system is powered off will be described with reference to FIGS.
[0066]
  (A) After the AC input 013 is cut off due to a power failure, the software of the execution system CPU device 100 monitors the state of the power failure warning signal 011 from the power supply device 010. When the software of the execution system CPU device 100 detects the power failure notice signal 011, it issues a local power control command in the other system monitoring unit 121, and the other system monitoring unit 121 executes the following operation.
[0067]
  (B) The other system monitoring unit 121 in the DCM control unit 120 is issued on the DCM bus 300 by the software processing of the standby CPU device 200.Matching behaviorIs monitored by hardware.
[0068]
  If it is determined that data transfer to the standby system has been made based on the transfer request from the standby system, the system waits until the transfer (access cycle) is completed, and detects that the transfer (access cycle) is completed. At the time, a power supply reset command signal for the power supply device 010 is output to the power supply device 010, and at the same time, a power supply protection control signal 126 is output to the timing generation circuit 140.
[0069]
  However, a certain time interval is required until the processor 150 outputs the power protection control signal 126 from the detection of the power failure warning signal 011.
[0070]
  In a system that executes a power failure process (stop / save process) when the processor 150 of the CPU device 100 detects a power failure of the active system, it is necessary to access the memory after the power failure warning signal 011 is detected. is there.
[0071]
  Specifically, the register value in the processor 150 and the data in the cache 150 are saved in the local memory 110 at the time of a power failure, the memory is accessed by power failure processing from an I / O other than the CPU device 100, or the so-called death to the shared memory 111 is performed. Since data such as information is written and a transfer report process to the standby CPU device 200 occurs, a certain processing time is required until the memory bus 112 is disconnected in order to execute these processes reliably. Because it becomes.
[0072]
  In the second embodiment, in order to manage these timings, the other system monitoring unit 121 includes a timer unit, and controls to output the power protection control signal 126 after the time measured by the timer unit. Equipped with.
[0073]
  The time set here depends on the processing time of the software and is determined by the promise between the hardware side and the software side. As software processing, power failure and evacuation processing must be completed within this time.
[0074]
  (C) When the power generation protection control signal 126 is detected after the power failure warning signal 011 is input, the timing generation circuit 140 outputs the memory protection request signal 141, disconnects the memory bus 112, and shifts to the refresh operation by the external refresh control unit 160. .
[0075]
  Up to this point, the matching operation by writing to the shared memory 111 has been stopped, but the buffer 122 in the DCM control unit 120 contains data to be transferred to the standby CPU device 200. From then on, the DCM control unit 120 continues to match these data until the timing of the power failure signal 012 output from the power supply device 011.
[0076]
  (D) When the transfer request signal 301 by the standby software processing is received at the timing after (C), the other system monitoring unit 121 in the DCM control unit 120 executes the execution to the standby CPU device 200. Issue a response command indicating that the system is in an indefinite period due to a power failure.
[0077]
  Therefore, the standby CPU device 200 determines that the transfer request is made during an indefinite data period,Stop the matching operation.
[0078]
  For the error processing after the standby CPU device 200 receives the error command, a procedure such as reporting an error to the host processor can be considered, but the present invention is not limited to this procedure.
[0079]
  Moreover, although the response procedure at the time of a power failure was demonstrated in this Embodiment 2, this invention is not limited to the operation | movement at the time of a power failure. Similarly, when a response command indicating that the execution system is being switched is reported to the standby CPU apparatus 200, the standby CPU apparatus 200 also determines the status of the execution system based on the response result. JudgingStop the matching operation.
[0080]
  (E) After detecting the power failure signal 012 from the power supply device 010, the other system monitoring unit 121 in the DCM control unit 120 outputs a command to disconnect the DCM bus 300. Therefore, the DCM control unit 120 is completely disconnected from the standby CPU device 200.
[0081]
  In the second embodiment, according to a transfer request from the standby systemdata transferThe power protection control signal 126 is output to the timing generation circuit 140 so that the memory bus 112 is not disconnected in the middle ofMatching behaviorAt the time of termination, the memory bus 112 is switched to the external refresh control unit 160 to perform the refresh operation, the unit to prevent the power failure of both systems as in the first embodiment, and the DCM control unit 120 in the DCM control unit 120 after the memory bus 112 is disconnected. When only the data stored in the buffer 122 is transferred and the transfer request signal 301 issued from the other CPU device 200 is received during the indefinite data period, the execution CPU device 100 responds with an error command, Since a means for reporting to the standby system CPU device 200 that the indefinite data period is being provided is provided, the standby system power supply device 020 is protected from power shutdown when the execution system power supply is interrupted, and both system power supplies are prevented from being down. it can.
[0082]
  Further, even when the software of the standby CPU device 200 issues a data transfer request in the shared memory 111 during the memory bus 112 disconnection period, the standby CPU device 200 returns an error response from the executing CPU device 100. When received, transfer of indefinite data to the standby CPU device 200 can be prevented by hardware.
[0083]
  Since the software reads the status register of the other system monitoring unit 121 and determines the power-off without using an interrupt as in the conventional method, the software process is given priority and the influence on the control process can be reduced.
Embodiment 3
[0084]
  FIG. 3 is a block diagram showing an internal configuration of the CPU device 100 according to the third embodiment of the duplex system according to the present invention.
[0085]
  The internal configuration of the other system monitoring unit 121 is basically the same as that of the first embodiment, except that it has a function of monitoring the transfer request signal 301 from the standby system CPU device 200 and the operation state. . Therefore, it is possible to prevent hardware from transferring undefined data when the transfer request signal 301 is received from the standby system during the undefined data period, which is a problem in the conventional method.
[0086]
  FIG. 6 is a timing chart showing the operation timing after a power failure in Embodiment 3 of the duplex system according to the present invention. FIG. 7 is a flowchart showing a processing procedure of the other system monitoring unit after a power failure in the third embodiment of the duplex system according to the present invention.
[0087]
  The operation of the other system monitoring unit 121 in the DCM control unit 120 when the execution system is powered off will be described with reference to FIGS.
[0088]
  (A) After the AC input 013 due to a power failure is cut off, the software of the execution system CPU device 100 monitors the state of the power failure warning signal 011 from the power supply device 010. When the software of the execution system CPU device 100 detects the power failure notice signal 011, it issues its own power control command in the other system monitoring unit 121, and the other system monitoring unit 121 operates as follows.
[0089]
  (B) The other system monitoring unit 121 in the DCM control unit 120 is issued on the DCM bus 300 by the software processing of the standby CPU device 200.Matching behaviorIs monitored by hardware.
[0090]
  If it is determined that data transfer to the standby system has been made based on the transfer request from the standby system, the system waits until the transfer (access cycle) is completed, and detects that the transfer (access cycle) is completed. At the time, a power reset command signal to the power supply device 010 is output to the power supply device 010, and at the same time, a power failure protection control signal 126 is output to the timing generation circuit 140, and the DCM bus 300 is disconnected.
[0091]
  In the third embodiment, the procedure at the time of a power failure has been described, but the present invention is not limited to the operation at the time of a power failure. Similarly, when the bus abnormality of the memory bus 112 or the DCM bus 300 occurs, the process of disconnecting the DCM bus 300 can be performed.
[0092]
  (C) When the power generation protection control signal 126 is detected after the power failure warning signal 011 is input, the timing generation circuit 140 outputs the memory protection request signal 141, disconnects the memory bus 112, and shifts to the refresh operation by the external refresh control unit 160. .
[0093]
  By this time, the matching operation by writing to the shared memory 111 must be stopped.
[0094]
  In addition, the operation of transferring the data stored in the buffer 122 in the DCM control unit 120 to the standby system must be executed by the DCM bus 300 cutoff timing (B).
[0095]
  (D) When the transfer request signal 301 is received from the standby system at a timing subsequent to (C), the DCM bus 300 is in an electrically disconnected state. The system monitoring unit 121 does not recognize a transfer request from the standby system.
[0096]
  When the standby system CPU device 200 detects no response, it determines that the transfer is requested during an indefinite data period at the time of a power failure of the execution system and when a bus abnormality occurs,Stop the matching operation.
[0097]
  For the error processing executed by the standby CPU device 200 after this series of processing, procedures such as reporting an error to the host processor can be considered, but the present invention is not limited to these procedures.
[0098]
  As described above, in the third embodiment, a transfer request from the standby system is used.data transferThe power protection control signal 126 is output to the timing generation circuit 140 so that the memory bus 112 is not disconnected in the middle ofMatching behaviorAt the time of completion, the DCM bus 300 is disconnected, and at the same time, the memory bus 112 is switched to the external refresh control unit 160 to execute the refresh operation, and the means for preventing the power failure of both systems as in the first embodiment is provided. When the system power supply disconnection occurs, the standby system power supply apparatus 020 is protected from the power supply interruption, and the software of the standby system CPU apparatus 200 issues a data transfer request in the shared memory 111 during the disconnection period of the memory bus 112 In addition, it is possible to prevent the standby system CPU device 200 from detecting the non-response from the execution system CPU device 100 and transferring undefined data to the standby system CPU device 200 in terms of hardware.
[0099]
  In the third embodiment, the software reads the status of the other-system monitoring unit 121 and determines the power cut-off without using an interrupt as in the conventional method. Therefore, the software process is given priority and the influence on the control process is affected. Less.
【The invention's effect】
[0100]
  According to the present invention, when each multiplex system has a power source and the power source of the active system power supply is switched off to the standby system, the standby system is switched by the standby system power switch. Since it is equipped with a mechanism that protects the power supply from being shut off, it is possible to prevent simultaneous power-down of the entire system due to operational mistakes or human error.
[0101]
  In addition, the power supply status is monitored by software processing, and if a power failure notice state is detected, the CPU device can be arbitrated to control power reset and protection, so software processing has priority over conventional interrupt methods. The influence on the normal control processing can be eliminated.
[0102]
  Furthermore, in a duplex system that transfers soundness data to each other to check soundness, a transfer request signal is issued to acquire soundness data from the execution system through software processing of the standby CPU device, and the power failure of the execution system When undefined data is about to be transferred when a bus error or system plan change occurs, it is reported to the standby system with a response command corresponding to a power failure, bus error or system plan switch, and the undefined data is transferred to the standby system. This can be prevented by hardware.
[0103]
  Therefore, since the standby CPU device does not receive the unexpected indefinite data transferred from the execution system CPU device, it is not erroneously detected as an error on the execution system CPU device and the DCM bus due to the mismatch of the matching data. Mutual system can monitor each other normally.
[Brief description of the drawings]
[0104]
FIG. 1 is a system diagram showing the overall configuration of an embodiment of a duplex system according to the present invention.
FIG. 2 is a block diagram showing an internal configuration of a power supply device 010 and a CPU device 100 in Embodiment 1 of the duplex system according to the present invention.
FIG. 3 is a block diagram showing an internal configuration of a CPU device 100 in Embodiments 2 and 3 of the duplex system according to the present invention.
FIG. 4 is a timing chart showing operation timing after a power failure in Embodiment 2 of the duplex system according to the present invention.
FIG. 5 is a flowchart showing a processing procedure of another system monitoring unit after a power failure in Embodiment 2 of the duplex system according to the present invention.
FIG. 6 is a timing chart showing the operation timing after a power failure in the third embodiment of the duplex system according to the present invention.
FIG. 7 is a flowchart showing a processing procedure of another system monitoring unit after a power failure in Embodiment 3 of the duplex system according to the present invention.
FIG. 8 is a block diagram showing an internal configuration of a CPU device 100 in a conventional duplex system.
FIG. 9 is a timing chart showing operation timing after a power failure in a conventional duplex system.
[Explanation of symbols]
[0105]
010 Execution system power supply device
011 Power outage warning signal
012 Execution system power failure signal
013 Execution system AC input
014 Execution system power switch
015 Execution system power supply protection unit
016 Execution system power supply voltage
017 Execution system power cutoff switch
018 Execution system capacitor
019 execution system AND circuit
020 Standby power supply
021 Standby power failure warning signal
022 Standby power failure signal
023 Standby AC input
024 Standby power switch
025 Standby power protection unit
026 Standby power supply voltage
027  Standby power cutoff switch
028  Standby capacitor
029  Standby AND circuit
100 Execution system CPU device
110 Execution system local memory
111 Execution system shared memory
112 Execution system memory bus
120 Execution system shared data matching circuit (DCM control unit)
121 Execution system other system monitoring part
122 Execution system buffer
124 execution control register
125 Execution status register
126 Execution system power protection control signal
140 Execution System Timing Generation Circuit
141 Execution system memory protection request signal
150 Execution system processor
160 Execution system external refresh control unit
200 Standby CPU device
210 Standby local memory
211 Standby shared memory
212 Standby memory bus
220 Standby system shared data matching circuit (DCM control unit)
221 Standby system monitoring system
222 Standby buffer
224 Standby control register
225 Standby status register
226 Standby power protection control signal
240 Standby system timing generation circuit
241 Standby memory protection request signal
250 Standby processor
260 Standby external refresh control unit
300 DCM bus
301 Transfer request signal

Claims (6)

A multiplexing system comprising an execution system and a standby system each including a CPU device and at least one power supply device, wherein shared data is transferred from the execution system to the standby system via a matching bus (DCM bus). A shared data matching circuit (DCM control unit) that transfers and matches the memory contents of all systems is provided, and the matching CPU (DCM bus) is used by the standby CPU device to acquire the shared data in the executing CPU device. In a multiplexing system that issues a transfer request signal via the CPU, transfers the shared data from the active CPU device to the standby CPU device, and matches the memory contents,
When there is a transfer request from the standby system during a period in which indefinite data is transferred due to an event such as a power failure, abnormality, or plan switching of the execution system, the execution system DCM controller ), And a control unit that outputs a response command indicating that the execution system is in an indefinite data period to the standby system. The multiplexing system according to claim 1, wherein
When the standby CPU device issues a transfer request signal during the system switching process of the executing system and the response command received from the executing system determines that the shared data being transferred for matching at the time of system switching is invalid. A multiplexing system, which is a CPU device that stops the matching operation when it is determined that the transfer request is during a period that can be matched. The multiplexing system according to claim 1 or 2,
The DCM control unit includes an other system monitoring unit that monitors a power failure notice signal indicating power failure from the power supply device and the matching operation state on the DCM bus,
The other system monitoring unit monitors the matching operation state of the DCM bus based on the power failure warning signal output from the power supply device when the execution system power supply is cut off, and transfers the shared data in response to a transfer request from the standby system. If it is determined that the bus is occupied, it waits until the matching operation is completed, and after determining that the matching operation is completed, it shifts to the memory backup operation of the execution system and switches to the memory backup operation. A multiplexing system characterized by being a monitoring unit that synchronizes the matching operation. A multiplexing system comprising an execution system and a standby system each including a CPU device and at least one power supply device, wherein shared data is transferred from the execution system to the standby system via a matching bus ( DCM bus ). A shared data matching circuit ( DCM control unit ) that transfers and matches the memory contents of all systems is provided, and the matching CPU ( DCM bus ) is used for the standby CPU device to acquire shared data in the executing CPU device In a multiplexing system that issues a transfer request signal via the CPU, transfers the shared data from the active CPU device to the standby CPU device, and matches the memory contents,
The execution system CPU device outputs a command signal for disconnecting the DCM bus to the DCM control unit based on a power failure warning signal caused by an event such as a power failure, abnormality or plan change of the execution system, and simultaneously outputs a memory protection request signal Disconnecting the memory bus connecting the DCM control unit and the memory, the DCM control unit shuts off the partner system at the timing before transitioning to the memory backup operation, and for the partner system that requested the transfer after disconnecting the DCM bus And a non-response CPU device. The multiplexing system according to claim 4, wherein
After the standby system CPU device issues a transfer request signal during the system switching process of the execution system, the shared data being transferred to match at the time of system switching becomes inconsistent due to no response from the execution system. A multiplexing system, which is a CPU device that stops the matching operation when it is determined that the request is a transfer request during an acquisition period. The multiplexing system according to claim 4 or 5,
The DCM control unit includes an other system monitoring unit that monitors a power failure notice signal indicating power failure from the power supply device and the matching operation state on the DCM bus,
The other system monitoring unit monitors the matching operation state of the DCM bus based on the power failure warning signal output from the power supply device when the execution system power supply is cut off, and transfers the shared data in response to a transfer request from the standby system. When it is determined that the bus is occupied, it waits until the matching operation is completed. And a monitoring unit which shifts to the memory backup operation of the execution system after determining that the matching operation is completed, and synchronizes the switching to the memory backup operation and the matching operation. .

Images