JP2645880B2 - System clock duplication method - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION [Summary] The present invention relates to a system clock duplication method in which a system clock is further duplicated in an apparatus having a duplicated configuration, which prevents a system down due to a system clock failure and does not affect a normal group. In order to improve the reliability of the system in this way, a system clock duplication method for synchronizing the two groups in a device that is duplicated by two groups, and generating a system clock for each group Provide a circuit, synchronize the system clocks of both circuits, stop the system clock and control of the failed group in which the system clock has failed, notify the normal group of the occurrence of the failure, and switch to the control by the normal group. group It resets all locations that affect the normal group, normal group constituting all the locations affected by failure group to reset.

[Industrial applications]

The present invention relates to a system clock duplex system in which a system clock is further duplicated in an apparatus having a duplex configuration.

[Conventional technology]

2. Description of the Related Art In information processing apparatuses, high-density and miniaturization have been increasing in recent years along with technological advances in hardware. As a result, an apparatus which has conventionally been constituted by one locker has been incorporated into one locker with functions of two or more conventional apparatuses.

In multiple sets of devices incorporated in one rocker, the parts that require high reliability have a redundant configuration, and even if a failure occurs in one of the redundant configurations, the other system can continue processing normally. The system is prevented from going down due to a failure.

However, even in one rocker unit in which the functions of a plurality of devices are aggregated in this way, the system clock is configured as one and used as a system clock common to each device and each redundant component. . This is due to the fact that the system clock is usually composed of a crystal oscillator, which is generally highly reliable, easy to synchronize between two duplicated systems and devices, and that the configuration of the system clock is simplified. It is.

This is the same in one duplicated information processing apparatus, and one system clock is shared as each system clock of two duplicated systems.

[Problems to be solved by the invention]

In a conventional duplex information processing apparatus or a group of the information processing apparatuses, a single system clock is used.

For this reason, as described above, there are advantages such as a simple configuration of the system clock, a double structure portion and easy synchronization between the devices, but on the other hand, when a failure occurs in the system clock, the dual system is used. There is a problem in that each device in the system goes down, causing a system down. In particular, when the system clock is one for a system that is an aggregate of many devices, the reliability of the system clock is not improved even though the system scale is increased. There was a problem of lowering.

The present invention also provides a system having a duplex configuration in which the system clock is further duplicated to prevent a system down due to a system clock failure, and to prevent a system clock failure in one system from affecting the processing in the other system. It is an object of the present invention to provide a system clock duplication method that improves reliability.

[Means for solving the problem]

Means adopted by the present invention to solve the above-mentioned problem will be described with reference to FIG. FIG. 1 is a block diagram showing the basic configuration of the present invention.

In FIG. 1, reference numeral 10 denotes an entire apparatus, which is duplicated by both systems of groups 10A and 10B. This device 10
A single device or an aggregate of a plurality of devices is regarded as one device.

Reference numerals 11 and 12 denote system clock generation circuits of groups 10A and 10B, which generate system clocks in a synchronous relationship.

Reference numerals 13 and 14 denote logic circuits of groups 10A and 10B, which control the device 10 by a duplex configuration of both groups.

Reference numerals 15 and 16 denote clock failure detection circuits of the groups 10A and 10B, which detect a system clock failure occurring in the group to which the group belongs and notify the own group and other groups.

Reference numerals 17 and 18 denote clock mask circuits of the groups 10A and 10B, which stop the system clock supplied to the logic circuits of the own group in response to the notification of the occurrence of the system clock failure of the own group.

The system clock duplication method of the present invention is implemented by the device 10 of FIG. 1 and is configured as follows.

That is, in a device (10) duplexed by two groups (10A, 10B), both groups (10A, 10B)
(A) a system clock generating circuit (13, 14) is provided for each group (10A, 10B), and both system clock generating circuits (13, 14) Synchronizing the system clocks of (b), when a failure is detected in one group of system clocks, stop the system clock of the failed group and control by the group;
The other normal groups are notified of the occurrence of the system clock failure, and the processing is switched to processing performed only by the other normal groups. (C) In the failed group, all the parts that affect the other normal groups are reset. It is configured as follows.

(Operation)

During normal operation, the system clock generation circuits 11 and 12 of the groups 10A and 10B generate the system clocks in a synchronized state, respectively, and supply them to the logic circuits 11 and 12 through the clock mask circuits 17 and 18.

During normal operation, no clock failure is detected from the clock failure detection circuits 15 and 16, so the clock mask circuit
17 and 18 supply the input system clock to the logic circuits 13 and 14 without masking.

The logic circuits 13 and 14 have a duplicated configuration, perform the same operation at the same timing according to each system clock supplied from the system clock generation circuits 11 and 12, and normally perform a predetermined operation (for example, the group 10A side). The processing and control performed by the device 10 are executed using the logic circuit 11).

Next, an operation when a system clock failure occurs will be described. If a failure occurs in the system clock generation circuit 11 of the group 10A currently being controlled, a clock failure detection circuit
15 detects the system clock failure occurring in its own group, notifies the logic circuits 13 and 14 and the clock mask circuit 17 and controls the device 10 from the control by the group 10A to the control by the group 10B using only the logic circuit 12 Switch to.

When receiving the clock failure occurrence notification, the clock mask circuit 17 masks the failed system clock from the system clock generation circuit 13 and blocks the system clock from going to the logic circuit 13. As a result, it is possible to avoid a secondary failure caused by the system clock generation circuit 11 continuing to output the failed system clock.

When the logic circuit 13 receives the clock failure detection notification from the clock failure detection circuit 15, the logic circuit 13 of the group 10B
Reset all points that affect.

As a result, the occurrence and stop of a clock failure in the system clock generation circuit 11
Even if an erroneous signal is set in a part that affects the 10B logic circuit 14, for example, an interface part, these signals are all reset, so that a malfunction due to the occurrence and stop of the system clock failure is prevented. Can be.

On the other hand, upon receiving the clock failure detection notification from the clock failure detection circuit 15 of the group 10A, the logic circuit 14 of the group 10B resets all the parts affected by the logic circuit 13 of the failed group 10A.

As a result, even if the faulty clock in the system clock generating circuit 11 may cause an error in the logic circuit 14 of the group 10B due to the faulty clock during the period from its generation to the stop, all of the errors are reset. So that it can be returned to an error-free state.

Conversely, the system clock generator 12 on the group 10B side
When a failure occurs, the clock failure detection circuit 16 detects the system clock failure that has occurred in its own group, notifies the logic circuits 14 and 13 and the clock mask circuit 18 and controls the device 10 in the same manner as described above. The control is switched to the control by the group 10A using only the logic circuit 13.

As described above, since the system clock is further duplicated in the apparatus having the duplicated configuration, interruption of processing due to a system clock failure and system down can be eliminated.

In addition, because the effect of the system clock failure of one of the duplicated groups on the processing of the other group is eliminated, even if a failure occurs in the system clock of one group, the processing of the device is normally performed by the other group. The reliability of the device can be further improved in combination with the above (1).

〔Example〕

An embodiment of the present invention will be described with reference to FIG. 2 and FIG. FIG. 2 is an explanatory diagram of a configuration of an embodiment of the present invention, and FIG. 3 is an explanatory diagram of a logic circuit of the embodiment.
Hereinafter, an embodiment of the present invention will be described with an example in which the execution apparatus is a device control apparatus.

(A) Configuration and operation of the implementing device In FIG. 2, the device 10, the group 10A and the group 10
B, system clock generation circuits 11 and 12, logic circuit 13 and
14, Clock failure generation circuits 15 and 16, Clock mask circuit
17 and 18 are as described in FIG.

Reference numeral 20 denotes a higher-level device of the device 10, reference numeral 21 denotes a channel for handling data transfer between the higher-level device 20 and the device 10, and reference numeral 30 denotes a device unit having a device such as a magnetic disk under the device 10.

In the system clock generating circuit 11, reference numeral 111 denotes a high-precision oscillator such as a crystal oscillator. 11
Reference numeral 2 denotes a frequency dividing circuit for dividing the oscillation frequency of the reference oscillator 11 to a predetermined system clock frequency. Reference numeral 113 denotes a delay adjustment circuit, which is a system clock generation circuit 11 for groups 10A and 10B.
And the delay amount between the two system clocks generated by the control unit 12 is adjusted. A pulse width adjustment circuit 114 adjusts the pulse width of the system clock so as to have a predetermined pulse width.

In the system clock generating circuit 12, a PLL circuit 121 receives a clock generated by the frequency dividing circuit 112 of the system clock generating circuit 11, and generates a system clock whose frequency and phase are synchronized with the clock. When the reference oscillator 111 of the system clock generator 11 stops oscillating due to a failure, the PLL circuit 121 keeps the synchronization state before the oscillation was stopped and runs on its own. Therefore, the PLL circuit 121 forms an independent system clock resonator on the group 10B side that generates a system clock synchronized with the system clock on the group 10A side.

Reference numeral 122 denotes a pulse width adjustment circuit which adjusts the system clock generated by the PLL circuit 121 so as to have a predetermined pulse width.
The pulse width adjustment circuits 114 and 122 have the same configuration.

In the clock failure detection circuits 15 and 16, 151 and 161
Is a PLL circuit that outputs a system clock synchronized with the input system clock. Reference numerals 152 and 162 denote comparison circuits which compare the system clocks on the input and output sides of the PLL circuit 151 by, for example, exclusive OR to detect the presence or absence of a clock failure, and generate an error signal when the clock failure is detected. When the system clock stops or a frequency shift occurs, the exclusive OR outputs "1", so that a clock failure is detected and the error signal goes to the high (H) level. When a clock failure is not detected, the level becomes low (L).

In the clock mask circuits 17 and 18, 171 and 181
AND gates, 172a to 172m and 182a to 182m are clock buffers, and 173 and 183 are NOT circuits. AND gate 171 and 1
The reference numeral 81 opens when the error signals from the clock failure detection circuits 15 and 16 are off (L level) and passes the system clocks from the system clock generation circuits 13 and 14.

In this configuration, the reference oscillator 1 of the normal group 10A
The oscillation output of 11 is frequency-divided by a frequency dividing circuit 112 to a predetermined system clock frequency, then delayed by a delay adjusting circuit 113, adjusted to a predetermined pulse width by a pulse width adjusting circuit 114, and output as a system clock. .

On the other hand, the PLL circuit 121 of the group 10B receives the clock generated by the frequency dividing circuit 112 of the system clock generating circuit 11, generates a system clock whose frequency and phase are synchronized with the clock, and generates the system clock by the pulse width adjusting circuit 122. The pulse width is adjusted to a predetermined pulse width, and a system clock is output.

The generation timing of the system clock of the system clock generation circuit 11 is adjusted by the delay adjustment circuit 113 so that the generation timings of both system clocks generated by the system clock generation circuits 11 and 12 of the groups 10A and 10B match. Therefore, the normal groups 10A and 10B
The two system locks are correctly synchronized.

In a normal state, since there is no abnormality in both system locks generated by the system clock generation circuits 11 and 12, the error signals generated by the clock failure detection circuits 15 and 16 are turned off (L level). This L level error signal is NOT
Since the signal is inverted to the H level in the circuit 173, the AND gates 171 and 181 are opened, and the system clock is supplied to the clock buffer 172.
Via a to 172m and 182a to 182m, logic circuits 11 and 12
Is supplied to each necessary part in the inside.

The logic circuits 13 and 14 have a duplex configuration, operate at the same timing in response to a system clock from the corresponding system clock generation circuits 11 and 12, and normally operate one of the logic circuits (hereinafter referred to as a logic on the group 10A side). The control is performed using a circuit 13).

The logic circuit 13 receives a command from the host device 20 via the channel 21 and controls data transfer between a predetermined device in the subordinate device 30 and the host device 20.

Next, when a failure occurs (for example, stops) in the reference oscillator 111 on the group 10A side, the error signal of the clock failure detection circuit 15 turns on, and the AND gate 171 and the logic circuits 13 and 14 are turned on.
From the dual configuration control by the group 10A to the group 10 using only the logic circuit 14.
Switch to B side single control.

The ADN gate 171 on the group 10A side closes when the error signal is turned on, and blocks the faulty system clock from going to the logic circuit 13. This prevents a secondary failure caused by the system clock generation circuit 13 continuing to output the failed system clock.

Further, when the error signal is turned on, the logic circuit 13 resets all the portions that affect the logic circuits 14 of the group 10B (the details will be described in the next section (B)).

On the other hand, when a failure occurs in the system clock of the group 10A, the PLL circuit 121 of the group 10B keeps the synchronization state before the failure and runs on its own.
It operates normally even if a failure occurs in the system clock of the group 10A.

When receiving the error signal from the group 10A, the logic circuit 14 on the group 10B side resets all the parts affected by the logic circuit 13 in the failed group 10A (the details will be described in the next section (B)). ).

As described above, even if a system clock failure occurs on the group 10A side, the control operation of the device 10 continues normally without interruption of processing by the group 10B side and without malfunction.

(B) Configuration and Operation of Logic Circuit Referring to FIG. 3, logic circuits 13 of groups 10A and 10B
And 14 will be described.

In the logic circuits 13 and 14, 131 and 141 channel adapters (hereinafter referred to as CAs) are used to connect the logic circuits 13 and 14 to the host device.
Controls data transfer to and from 20.

132 and 142 are service adapters (hereinafter referred to as SA),
Transmission and reception of various control signals (including error signals) to the logic circuits 13 and 14 are performed.

Reference numerals 133 and 143 denote shared storage (hereinafter, referred to as SS) and shared memories commonly accessed by the groups 10A and 10B, and share a common memory (not shown).

Reference numerals 134 and 144 denote resource managers (hereinafter referred to as RMs) for managing resources (resources) such as CA and SS in the logic circuits 13 and 14. The RMs 134 and 144 are connected by a copy bus 135, and a copy process is performed so that the contents are always the same.

SS133 and 143 and RM134 and 144 are groups 10A and 1
0B to form a common module of a dual configuration that can be accessed in common, and CA 131 and CA 131 of the logic circuit 13 via a common bus 136.
Connected to the SA 132 and connected to the CA of the logic circuit 14 through the common bus 146.
Connected to 141 and SA142. One of the duplicated SSs 133 and 143 and the RMs 134 and 144 normally operates as a primary and the other is in a standby state as a secondary, but the contents are always the same as the primary.

137 and 147 are device adapters (hereinafter indicated by DA),
Data transfer between the logic circuits 13 and 14 and the subordinate device 30 is controlled. DA137 is connected to common bus 136 and DA14
7 is connected to the common bus 146.

In this configuration, when a failure occurs in the system clock on the group 10A side, the clock failure detection circuit 15 generates an error signal and the failed system clock is supplied to the logic circuit 13 as described in the above section (A). And stops sending error signals to the logic circuits 13 and 14.
The occurrence of a system clock failure on the group 10A side is notified.

Upon receiving the error signal from the clock failure generating circuit 15, the SA 132 of the logic circuit 13 stops the subsequent data transfer control of the CA 131 and the DA 137. In addition, SS133,143 and RM134,144
Group 10A where the system clock failure occurred
Reset all signals on the side port.

When a failure occurs in the system clock on the group 10A side, the clock mask circuit 17 blocks the failure system clock from going to the logic circuit 13. 13 malfunctions, and there is a danger that the malfunction signal state is maintained because the system clock stops. For example, there is a risk that the group 10B after switching the common modules SS143 and RM144 becomes inaccessible.

However, as described above, by resetting all the signals on the ports on the group 10A side, this erroneous signal state is released and SS143 and RM are returned from the normal group 10B side.
144 become accessible.

On the other hand, when the SA 142 of the logic circuit 14 on the group 10B side receives an error signal from the group 10A side, the SA 142 and the DA 147
To take over data transfer control. Further, the SA 142 uses the error signal from the group 10A as an interrupt signal, interrupts the process currently being executed, starts a diagnostic program, and diagnoses the common module.

As a result, even if a malfunction occurs due to one to several cycles of the failure system clock received from the occurrence of the failure to the stop of the system clock in the group 10A, the error caused by the malfunction can be corrected. . Since the system clock failure may or may not occur once during the processing of the device 10, this interrupt may or may not occur once during the processing, so that it can be considered that there is almost no effect on the processing.

As described above, the logic circuit 1 on the normal group 10B side
When the control is switched to the control by 4, the data transfer is performed by only one of SS143 and RM144.

In addition, the SA 132 notifies the operator of the occurrence of a failure in the system clock of the group 10A by display or sense information. The operator turns off the power at a convenient timing such as after the processing is completed, repairs the fault occurrence location on the group 10A side, and after the recovery from the fault, returns to the original duplex configuration to perform the data transfer control.

In the above, the embodiment in the case where a failure has occurred in the system clock of the group 10A has been described.However, when the failure has occurred in the system clock generation circuit 12 of the group 10B, the clock failure detection circuit 16 has occurred in the own group. Detects a system clock failure and sets the clock mask circuit 18
And to the logic circuit and 13. Thus, as in the case of the above-described embodiment, the system clock of the group 10B is stopped, and the process of switching the control in the device 10 to the single control by the group 10A using only the logic circuit 13 is performed.

〔The invention's effect〕

As described above, according to the present invention, the following effects can be obtained.

(1) Since the system clock is further duplicated in the duplicated configuration device, interruption of processing due to a system clock failure and system down can be eliminated.

(2) Since the influence of the system clock failure of one of the duplicated groups on the processing of the other group is eliminated, even if a failure occurs in the system clock of one group, the processing of the device is performed by the other group. Is performed normally, and the reliability of the device can be further improved in combination with the above (1).

[Brief description of the drawings]

FIG. 1 is a diagram illustrating the principle of the present invention, FIG. 2 is an explanatory diagram of a configuration of an embodiment of the present invention, and FIG. 3 is an explanation of a logic circuit of the embodiment. 1 to 3, 10... Device, 10 A, 10 B... Group, 11, 12... System clock generation circuit, 13, 14... Logic circuit, 15, 16. , 18 …… Clock mask circuit, 20
... Higher-level device, 21 ... channel, 30 ... device section.

Claims (2)

(57) [Claims] 1. In a device (10) duplexed by two groups (10A, 10B), both groups (10A, 10B)
(A) a system clock generating circuit (13, 14) is provided for each group (10A, 10B), and both system clock generating circuits (13, 14) Synchronize the system clock of (b) When a failure is detected in one group of system clocks, stop the system clock of the group in which the failure occurred and control by the group, and change the system clock to another normal group. Notifying the occurrence of a system clock failure and switching to processing by only other normal groups, (c) resetting all the parts of the failed group that affect other normal groups, and (d) normalizing Other groups are affected by the failed group in response to the notification of the occurrence of the system clock failure. The all reset, system clock duplexing scheme, wherein a. 2. One group (10A) includes a reference oscillator (1A).
11) is provided to generate the system clock of the group (10A), and the other group receives the output of the reference oscillator (111) by the PLL circuit (121) and receives one group (10A).
2. The system clock duplication method according to claim 1, wherein a system clock synchronized with said system clock is generated.