JP4983806B2 - System monitoring apparatus and monitoring method using dual timer - Google Patents

Description

  The present invention relates to a system monitoring method, and in a system that regularly performs processing corresponding to an interrupt from a timer, it appropriately detects a timer failure and performs necessary processing such as system shutdown. The present invention relates to a system monitoring apparatus and a monitoring method that can be performed.

  When it is desired to cause the system to periodically perform some operation, a method of interrupting a CPU of a processor that periodically controls the system using a timer is generally used. Further, in order to increase the reliability of the system, even if it costs a little, it is a technique that is often used to double or triple the control for improving the reliability. The same applies to the timer that interrupts the CPU, and there is the following document as a conventional example in which the timer is duplicated in order to increase the reliability of the timer.

In Patent Literature 1, different timeout periods are set for the two timers with the configuration shown in FIG. As shown in FIG. 2, a value of A is set as the timeout time for the timer T1, and a value of B is set as the timeout time for the timer T2. Here, A <B. Here, it is assumed that the timer is configured to count up from 0 and raise an interrupt when the set timeout time is reached. After the timer is set and A time elapses, the timer T1 times out and the CPU is interrupted. When interrupted, the CPU reads the timer value of timer T2. Assuming that the read timer value is A ′, if timer 2 is normal, the relationship of A <A ′ should be established. Therefore, timer T2 times out before timer T1,
-After timer T1 times out, the timer value of timer T2 does not satisfy the relationship of A <A '.
If this is detected, it can be determined that the timer has failed.

  In Patent Document 1, if it is determined that the timer T1 has timed out and both timers are operating normally, the next time the timer T2 is set to the timeout time A and the timer T1 is set to the timeout time B. The timer function is replaced every time. Therefore, in order to cause the CPU to perform processing necessary for work that should be originally executed in response to one interrupt from the timer, it is necessary to set the timer twice, and the processing is complicated.

  FIG. 3 shows a configuration in Patent Document 2 as another prior art, and FIG. 4 shows a time chart. In this document, a timeout time is set to the two timers T1 and T2 so that the timer T1 times out first. First, the timer T1 times out, but the MPU receives an interrupt, turns on the work flag, and resets the timeout time so that the timer T1 times out after the timer T2 times out. Next, when the timer T2 times out and an interrupt occurs, the MPU checks whether the work flag is ON. If it is ON, the MPU turns the work flag OFF. At this time, if the work flag is originally OFF, it is determined that the timer T1 has failed. Next, if normal, the timer T1 times out again and an interrupt occurs. The MPU confirms whether the work flag is OFF, and determines that the timer T2 has failed if it is ON. In the case of OFF, the process returns to the original, and the timeout time is set so that the timer T1 and the timer T2 time out first. Also in Patent Document 2, it is necessary to set the timer three times, for example, to make the MPU perform the processing necessary for the work to be executed in response to one interrupt from the timer, and the processing is complicated. It was.

  As described above, in the conventional techniques of Patent Document 1 and Patent Document 2, it is necessary to set the timer multiple times each time in order to cause the processor to perform processing necessary for work to be executed in response to the interrupt from the timer. There is a problem that the processing becomes complicated.

In both patent documents, it is impossible to determine which of the duplicated timers has failed, and there is a problem that the only method is basically to shut down the system when a timer failure occurs. It was. In Patent Document 2, it is described that a failure timer can be determined, but this determination corresponds to a case where the timer fails and no longer raises an interrupt. There is a problem that a failure timer cannot always be discriminated when an interrupt is quickly raised.
JP-A-60-059447 “Microcomputer system” JP-A-11-65986 “Timer Fault Detection System, Detection Method, and Recording Medium Recording Program for Executing Detection Method”

  In view of the above-described problems, an object of the present invention is to reduce the time-out time setting overhead for a timer and to determine a faulty timer among duplicated timers.

  The system monitoring apparatus of the present invention outputs an interrupt signal from a timer and causes a processor in the monitoring target system to execute a predetermined process, and the time intervals are mutually equal for each common time interval (2T). At least two timers that repeat an operation of outputting an interrupt signal at a time point shifted by half (T) using a timeout time reload function, and the processor inputs an interrupt signal from one of the two timers. Each time is repeated, it is determined whether or not two timers have failed.

  The system monitoring apparatus of the present invention further includes a flag register that stores a flag indicating an identifier of the timer that has output the interrupt signal in response to the input of the interrupt signal from any one of the timers. Corresponding to the input of the next interrupt signal, the identifier of the timer that output the interrupt signal is compared with the stored contents of the flag register to determine the presence or absence of a timer failure.

  Furthermore, the system monitoring apparatus of the present invention further includes a memory for storing a time indicated by a system clock provided in the system in response to the input of interrupt signals from the two timers, and the processor includes the timer described above. Based on the result of the comparison of the identifiers and the time difference between the time indicated by the system clock when the next interrupt signal is input and the previous interrupt signal input time stored in the memory, the fault timer among the duplicated timers Identify.

  In this way, in the present invention, the timeout time setting for the timer is basically performed using the reload function of the timer, and the overhead for setting the timeout time for the timer can be reduced.

  In addition, by comparing the identifier of the timer that output the interrupt signal and the stored contents of the flag register, for example, the timer that no longer outputs the interrupt signal can be identified, or the time when the interrupt signal is input and the time when the previous interrupt signal is input By comparison, for example, it becomes possible to identify a failure timer that raised an interrupt at a time interval greatly different from 2T as a set timeout time.

  According to the present invention, it is possible to significantly reduce the time-out time setting overhead for the timer as compared with the prior art by using the time-out time reload function for the timer. It is also possible to identify the failure timer among the duplicated timers using the contents stored in the flag register and the time indicated by the system clock. It is also possible to continue system operation using this, which greatly contributes to improving the practicality of a system monitoring device using a duplex timer.

It is a block diagram of the system monitoring system in the first conventional example. It is explanatory drawing of the timeout time setting method in a 1st prior art example. It is a configuration block diagram of a system monitoring method in a second conventional example. It is explanatory drawing of the timeout time setting method in the 2nd prior art example. It is a block diagram of the configuration of the first embodiment. It is a flowchart of the main routine of the timer failure detection process in a 1st Example. It is a flowchart of the interruption process 1 with respect to FIG. It is a flowchart of the interruption process 2 with respect to FIG. It is a block diagram of a first example of a reliable timer. It is a block diagram of a second example of the high reliability timer. It is a block diagram of the configuration of the second embodiment. It is a flowchart of the interruption process 1 in a 2nd Example. It is a flowchart of the interruption process 2 in a 2nd Example. It is a block diagram of the configuration of the third embodiment. It is a flowchart of the interruption process 2 in a 3rd Example.

  FIG. 5 is a block diagram showing the configuration of the first embodiment of the present invention. In the figure, the first embodiment includes two timers 1 and 2, an interrupt controller 3, and a processor 4. The processor 4 and the two timers 1 and 2 are connected by a bus 5. An interrupt notification signal is supplied to the interrupt controller 3, and an interrupt control signal is supplied from the interrupt controller 3 to the processor 4. The processor 4 includes a CPU 6 that determines whether or not a timer has failed in response to an interrupt from the timers 1 and 2 and performs processing necessary for executing a predetermined operation as interrupt processing. Needless to say, a ROM, a RAM, an input / output unit, and the like are provided as the memories that do not.

  In FIG. 5, the system monitoring apparatus using the duplex timer of the present invention can be considered to be composed of timers 1 and 2 and the interrupt controller 3, and one processor system having all the components shown in FIG. It can also be considered that it is formed on a chip.

  The interrupt controller 3 outputs an interrupt signal (notification) from the timer 1 and the timer 2 at the same time, or an interrupt signal is output from one timer and the other interrupt processing is being executed. An arbitration operation is performed when an interrupt signal is output from the timer, and as a result of the arbitration operation, an interrupt control signal indicating the identifier of the timer that output the interrupt signal is output to the CPU 6 inside the processor 4. The timer failure detection method of the present invention is not directly related.

  6 to 8 are flowcharts of the timer failure detection process in the first embodiment. First, when processing is started in the main routine of FIG. 6, the timeout time of timer 1 is set to T and the timeout time of timer 2 is set to 2T in step S1. At this time, timer 1 is set to a state without a reload function, and timer 2 is set to a state with a reload function. The reload function is a function that automatically resets a timeout time preset in the reload register to the timer and continues the function as a timer when the timer times out. In step S1, the timeout time is 2T. The timer 2 set to the time-out time out every time 2T, and an interrupt signal is periodically given to the interrupt controller 3.

  Subsequently, in step S2, an interrupt waiting state from the timer 1 is entered. Here, when an interrupt signal is output from the timer 1, that is, when an interrupt is raised, the interrupt processing 1 is executed by the CPU 6. The contents of an interrupt table held in a memory (not shown) inside the processor 4 are set.

  When the time T elapses from the start point of the main routine of FIG. 6, the timer 1 times out and an interrupt is raised to start the interrupt process 1 of FIG. 7 as a subroutine. In the interrupt process 1, first, in step S6, the timeout time of the timer 1 is set to 2T instead of T at the time of starting the main routine, and the timer 1 is set with a reload function. Further, at the time of the next interrupt, a flag register for storing a previous timer flag as a flag for identifying which timer has been interrupted last time is, for example, timer 1, timer 2 and interrupt controller 3 "0" as the identifier of the timer 1 that raised the interrupt at this time is set as a flag in the flag register via the bus 5 by the CPU 6 in the processor 4 The

  Subsequently, in step S7, the contents of the above-described interrupt table are changed to execute the interrupt process 2 in response to the interrupt, and a process for performing a predetermined operation to be originally executed for the timer interrupt is started. And a return to the main routine is performed. As a result of the above processing, the timer 1 and the timer 2 are in common and output an interrupt signal to the interrupt controller 3 at the same time interval 2T and when they are shifted from each other by half the time interval, that is, by the time T. .

  Subsequently, in step S3 of FIG. 6, the timer 1 or the timer 2 waits for an interrupt. When the two timers are operating normally, the timer 2 further times out after time T, and interrupt processing 2 is executed by raising an interrupt.

  FIG. 8 is a flowchart of interrupt processing 2 as a subroutine. When the interrupt process 2 starts, first, the identifier (timer ID) of the timer that raised the interrupt is checked in step S10, and in step S11, it is determined whether or not the timer ID matches the value of the previous timer flag. .

  If the operation of the timer is normal, the value of the timer ID is “1” as the ID of timer 2 and the value of the previous timer flag is “0”. First, in step S12, the value of the previous timer flag is inverted, that is, “1”, and finally, the processing necessary for the work to be executed in response to the timer interrupt is started, and the return to the main routine is performed. Done.

  While the timer continues to operate normally, after a time T, the timer 1 times out and the same interrupt process 2 is repeated. As a failure of the timer, for example, when the timer 1 fails and no interrupt is given, the interrupt is continuously raised from the timer 2. Alternatively, if the timer 1 is timed out in a shorter time than the set time, depending on the degree of the time-out, an interruption will be continuously generated from the timer 1 after a certain amount of time has elapsed. .

  As described above, when an interrupt is continuously generated from one of the timers due to the failure of the timer, it is determined in step S11 in FIG. 8 that the values of the timer ID and the previous timer flag match, and in step S13, the system is determined. Is stopped.

  If it is possible to determine which of the two timers, timer 1 and timer 2, has failed, it is possible to disconnect the failed timer and continue the system operation using a non-failed timer. Depending on the failure method, there are both cases in which an interrupt is continuously generated from the timer that has failed and a case in which an interrupt is continuously generated from the timer that has not failed. In the example, the failure timer cannot be identified, and the system is stopped when one of the timers fails.

  In the first embodiment, a system monitoring function that is functionally equivalent to that of the conventional example can be realized. In the conventional example, it is necessary to set at least two timeout periods for the timer every time in response to one timer interrupt process. However, in the first embodiment, the timer reload function is used. As a result, the number of times of setting the timeout time can be greatly reduced, and the overhead of setting the timeout time in the system monitoring apparatus can be remarkably reduced.

  In the embodiment of FIG. 5, in order to use two general timers having a reload function, it is necessary to first set T as a timeout time for timer 1 and then set 2T. In order to further simplify the processing, the high-reliability timer shown in FIG. 9 or FIG. 10 is used. For example, when the system starts up, the CPU 6 gives two timers 1 and 2 only one command to the two timers. The timeout time can be set once.

  FIG. 9 is a block diagram of a first configuration example of the high reliability timer. In the figure, the high-reliability timer 10 is composed of two timers 11 and 12, and the same command is given to the two timers from the CPU 6 of FIG. An interrupt signal is supplied from the timer 11 and the timer 12 to the interrupt controller 3, respectively, as in FIG.

  Of the two timers 11 and 12, the timer 12 has the same configuration as a general timer having a reload function. That is, when a command for setting 2T as a timeout time is given from the CPU 6 to the timer 12, the value 2T is stored in the reload register 15 and set to the counter 16 via a selector, for example. . Assuming that the counter 16 is a down counter, when the count time reaches 2T and the count value reaches “0”, an interrupt signal is output from the 0 detection circuit 17 to the interrupt controller 3. become. At the time of detection of 0, a set signal is given from the 0 detection circuit 17 to a set terminal (not shown) of the counter 16, the stored contents of the reload register 15 are set in the counter 16, and the countdown operation is continued. .

  On the other hand, the timer 11 further includes a right 1-bit shift circuit 18 as a configuration unique to the present invention. In the timer 11, when a command for setting the time 2T is given from the CPU 6 via the bus 5, the right 1-bit shift circuit 18 performs an operation of dividing the value by 2, and the value of the time T as the execution result is calculated. For example, the counter 16 is set via a selector, and when the count time of the counter 16 reaches T and the count value becomes “0”, an interrupt signal is given from the 0 detection circuit 17 to the interrupt controller 3. At the time of command input, the reload register 15 stores the value of time 2T. When a set signal is given from the 0 detection circuit 17 to the counter 16, the value of the time 2T stored in the reload register 15 is set in the counter 16 via the selector, and the countdown operation of the counter 16 is performed. Will be done.

  FIG. 10 is a configuration block diagram of a second example of the high reliability timer. In the figure, the high-reliability timer 20 includes two timers 21 and 22. These two timers are not general ones conventionally used, and each has a left 1-bit shift circuit 25 and has a configuration unique to the present invention.

  A command instructing to set the time T as a timeout time is given to the high-reliability timer 20 in FIG. 10 from the CPU 6 in FIG. On the timer 21 side, the value of the time T is set in the counter 16, and the value 2T doubled by the left 1-bit shift circuit 25 that performs an operation of multiplying 2 is stored in the reload register 15. When the count value of the counter 16 becomes “0”, the contents of the reload register 15 are set in the counter 16 as described above.

  On the timer 22 side, the value of 2T is obtained by the left 1-bit shift circuit 25 when the command is input from the CPU 6, and the value is set as it is in the counter 16. At the same time, the value of 2T is also stored in the reload register 15. The When the counter 16 counts down and “0” as a count value is detected by the 0 detection circuit 17, the contents stored in the reload register 15 are set in the counter 16 and the countdown operation is continued.

  In the first embodiment described above, the failed timer of the two timers cannot be identified, so that the system operation is stopped when a timer failure is detected. On the other hand, an embodiment in which the failure of one of the two timers can be identified, and even if one of the timers fails, the operation of the system can be continued using the function of the other timer. Will be described as a second embodiment. Although the flag register is provided in the system monitoring apparatus in the first embodiment, it is naturally possible to provide the flag register in the processor 4 of FIG.

  FIG. 11 is a block diagram of the configuration of the second embodiment. 5 is different from FIG. 5 showing the first embodiment in that a system clock 30 indicating a unified time for the entire system is further connected to the bus 5. In the second embodiment, the CPU 6 in the processor 4 compares the timer ID and the value of the previous timer flag in the first embodiment with the time when the interrupt control signal is given from the interrupt controller 3. And, for example, by comparing the value of the previous interrupt control signal input time (Tprev) stored in a memory (not shown) in the system monitoring device, it is determined which of the two timers has failed. Will be processed.

The flowchart of the main routine of the timer failure detection process in the second embodiment is the same as that in FIG. 6 for the first embodiment, and a description thereof will be omitted.
FIG. 12 is a flowchart of interrupt processing 1 in the second embodiment. The process shown in FIG. 6 is started when an interrupt from the timer 1 is generated, as in step S2 of FIG. 6 in the first embodiment. First, in step S16, as in step S6 of FIG. After the time-out time of the timer 1 is set to 2T, the state with the reload function is set, and the value of the previous timer flag is set to “0” indicating the identifier of the timer 1, step S17 in FIG. In addition to the processing in step S7, the value Tnow of the current time indicated by the system clock is read, the value is stored in a memory (not shown) that stores the value of Tprev, and the process returns to the main routine.

  FIG. 13 is a flowchart of interrupt processing 2 in the second embodiment. When an interrupt from timer 1 or timer 2 is raised in step S3 of FIG. 6 as the main routine, the identifier (timer ID) of the timer that raised the interrupt is checked in step S20, and the instruction of the system clock 30 of FIG. The time value (Tnow) to be read is read, and in step S21, it is determined whether or not the timer ID matches the value of the previous timer flag.

  If the two values do not match, it is determined that the operation of the timer is normal, the value of the previous timer flag is inverted in step S22, and the value of Tnow is stored in the memory storing the value of Tprev in step S23. Is substituted, a process necessary for the original work to be executed in response to the timer interrupt is started, and a return to the main routine is performed. While the two timers are operating normally, the processing from step S20 to step S23 is repeated as interrupt processing 2.

  When a failure occurs in either the timer 1 or the timer 2, interrupts are continuously generated from the same timer as described above. If an interrupt is generated from the same timer, it is determined in step S21 that the timer ID value matches the value of the previous timer flag, and in step S24, the value of the memory that stores the current time Tnow and Tprev values. Is calculated as Tdiff, and it is determined in step S25 whether or not the value matches the steady interrupt period 2T of the two timers. Actually, it is considered that there is a certain amount of error. For example, if it is in the range of about ± 10%, it is determined that Tdiff matches 2T, and the timer that did not raise an interrupt in step S26 has failed. The timer is disconnected, the timeout time of the timer that gave the interrupt is reset to T, and the reload function is enabled. Then, the value of Tnow is assigned to the memory for storing Tprev, processing necessary for the original operation for the timer interrupt is started, and the process returns to the main routine.

  If it is determined in step S25 that the value of the timer ID does not match 2T in the determination in step S25 after it is determined in step S21 that the value of the timer ID matches the value of the previous timer flag, the value of Tdiff in step S27. Is determined within a range of error of ± 10%, and if it is determined that they match, the time-out time has been reset to T in step S26 before. Assuming that the other timer is operating normally, the value of Tnow is assigned to the memory storing Tprev in step S23, and the processing necessary for the original work corresponding to the timer interrupt is started, and the process returns to the main routine. Return is made.

  If the timer breaks in such a way that an interrupt is raised in a time shorter than the set timeout time, Tdiff becomes a value that does not match 2T or T, for example. For example, an interrupt from the timer 1 is raised in step S2 of FIG. 6 of the main routine, the interruption process 1 of FIG. 12 is completed, and an interruption from the timer 1 is interrupted before an interruption from the timer 2 is raised in step S3 of the main routine. If it is determined that the timer ID and the value of the previous timer flag match in step S21 of FIG. 10, if the value of Tdiff does not match 2T or T, the process of step S28 is performed. It is determined whether or not the timer that has not raised an interrupt, here the timer 2 is in operation, and if it is in operation, the timer that has issued the interrupt in step S29, that is, the timer 1 is disconnected and a return to the main routine is performed. At this time, if the timer 2 that has not given an interrupt is not in operation, it is determined in step S30 that both timers have failed, and an instruction to stop the system is issued.

  When the timer 1 is disconnected in step S29 and the timer 2 is in operation, if the interrupt from the timer 2 is raised again in step S3 of FIG. 6 of the main routine, the timer ID is the identifier of the timer 2 in step S21. Since the value of the previous timer flag remains the identifier of timer 1, it is determined that they do not match, the value of the previous timer flag is inverted in step S22, and Tprev is stored in step S23. Tnow is stored in the memory, processing necessary for the original operation for the timer interrupt is started, and a return to the main routine is performed.

  Since timer 1 has already been disconnected, the next interrupt detected in step S3 of FIG. 6 of the main routine is an interrupt from timer 2. When this interruption occurs, it is determined in step S21 that the values of the timer ID and the previous timer flag match, the value of Tdiff obtained in step S24 is determined to be about 2T in step S25, After the process of S26, a return to the main routine is performed. However, since the timer that did not raise the interrupt, that is, the timer 1, has already been disconnected, the timer disconnecting process is omitted, and the return to the main routine is performed after the other processes are performed.

  As described above, in the second embodiment, it is possible to determine which of the two timers has failed by utilizing a system clock that indicates a uniform time in the entire system, and one timer fails. Even then, the system operation can be continued. However, if system operation is continued using a monitoring function with one timer, for example, even if the remaining timer fails and no interrupt is raised, it cannot be detected and the failure detection function does not work sufficiently. The operation using one timer is an emergency evacuation procedure when it is difficult to stop the system, for example. Basically, when a failure of one timer is detected, for example, an alarm is generated to alert the system administrator, and when it is time to stop the system, the operation of the system is stopped. It is necessary to perform repairs such as replacement.

  In the second embodiment, a timer failure is determined using a system clock that uniformly indicates the time in the system. However, it is not always necessary to use the system clock, and a similar counter is mounted on the system. Of course, it is possible to use it. Furthermore, it is naturally possible to provide a memory for storing the time indicated by the system clock in the processor 4 of FIG. 11 instead of in the system monitoring apparatus.

Next, a third embodiment will be described. In the third embodiment, the system monitoring system of the present invention is applied to a highly reliable embedded multiprocessor system. FIG. 14 is a configuration block diagram of the third embodiment. In the figure a plurality, here four processor elements (PE) _{4 0 4 3,} and the shared memory 35 constitute a multi-processor system, for each processor element _{4 0-4 3,} As in the first embodiment of FIG. 5, the interrupt controller 3 is connected.

In the third embodiment, in order to improve the reliability of the multi-processor system, four processor elements (PE) 4 ₀ 4 _3, there determined time each predetermined in the shared memory 35 to Data, that is, survival information is updated. Each PE checks the survival information of each PE written in the shared memory 35 by a check routine that is activated in response to an interrupt from the timer, and if any PE has not been updated, the PE is faulty. to decide.

  The survival information written in the shared memory 35 may be any data as long as it is updated every time there is an interrupt from the timer, and a local timer value built in each PE can also be used. . When the timer is not duplicated in the third embodiment, if the timer fails, the check routine is not started inside each PE, and it becomes impossible to detect the PE failure.

  In the third embodiment, the master PE is determined among a plurality of PEs, here four PEs, and the master PE is separated from the faulty PE, thereby ensuring the reliability of the system. Any method may be used for determining the master PE. For example, a rule that the PE with the smallest identifier (ID) becomes the master may be used. Since the master PE may fail, for example, a rule that the PE with the next smallest ID after the master PE becomes the next master candidate is determined. If the master PE fails, the next master candidate PE becomes the master candidate. It is assumed that the PE is disconnected and thereafter operates as a master PE.

The main routine of the timer failure detection process in the third embodiment and the flowchart of the interrupt process 1 are the same as those in FIGS. 6 and 7 for the first embodiment. However where the respective PE4 ₀ 4 ₃ of FIG. 14 main routine of FIG. 6, the interrupt processing 1 in Fig. 7, and the interrupt handling 2 as described in FIG. 15 shall be essentially performed, as described above For example, it is assumed that only the master PE performs processing necessary for detaching a faulty PE or for an emergency stop instruction for the entire system. Although it is possible for only the master PE to execute all of the main routine, interrupt processing 1, and interrupt processing 2, since it is troublesome to take over the processing when the master PE fails, the processing including the main routine is performed here. The flowchart will be described on the assumption that most of these are executed in parallel by each PE.

  FIG. 15 is a flowchart of interrupt processing 2 in the third embodiment. When there is an interrupt from the timer 1 or timer 2 in the main routine, ie, step S3 in FIG. 6, the interrupt process 2 starts. First, in step S35, the ID of the timer that raised the interrupt is checked. The survival information of all PEs (the value of each PE's individual shared memory), including the survival information of each PE, is checked, and the number of PEs determined to be failed in step S37 is “0”, “1”, or more. Is determined.

  If the number of failed PEs is “0”, the master PE is also normal, and each PE determines whether or not it is a master PE in step S38. Execute the return operation. Only the master PE executes the processing from step S39.

  That is, in step S39, the master PE determines whether or not the timer ID checked in step S35 matches the value of the previous timer flag. If not, the timer operates normally. As a result, the value of the previous timer flag is inverted and the process returns to the main routine.

  If the timer ID and the value of the previous timer flag match in step S39, processing similar to that in steps S24 to S30 in FIG. 13 for the second embodiment is performed in steps S41 to S47. That is, Tdiff is calculated using the time indicated by the system clock in the second embodiment (of course, the system clock value may be used in this embodiment as well), but in the third embodiment, step S41 is performed. In step S42, the value of Tdiff is calculated from the survival information stored in the shared memory. In step S42, it is determined whether the value is about 2T including an error within ± 10%. In S43, the timer that did not raise the interrupt is disconnected, and the timeout time of the timer that raised the interrupt is reset to T. Then, in step S40, the value of the previous timer flag is inverted, and the main routine Return to is made.

  If the value of Tdiff is not about 2T, it is determined in step S44 whether or not the value is about T. If it is about T, one timer is already disconnected, and the operation continues with the remaining timers. It is determined that it has been performed, and a return to the main routine is performed. If it is not about T, it is determined in step S45 whether or not the timer that did not raise an interrupt is in operation, and if it is in operation, the timer that raised the interrupt in step S46 is disconnected. Return to the main routine. If the timer that did not raise the interrupt is not in operation, both timers have failed, and an emergency stop instruction for the system is issued in step S47.

  If the number of PEs determined to be faulty in step S37 is one, it is determined in step S50 whether the faulty PE is the master PE. It is determined whether or not it is a PE, and if it is not a master PE, a return to the main routine is performed.

  If it is determined in step S50 that the master PE has failed, it is determined in step S52 whether or not it is a candidate for the next master PE, and if it is not the candidate, a return to the main routine is performed. If it is a candidate and if it is determined in step S51 that it is a master PE, the faulty PE is separated by the master PE (or a new master PE) in step S53, and the previous timer flag is set in step S40. The value is inverted and a return to the main routine is made.

  Here, when the number of PEs determined to be faulty is one, processing for timer fault detection such as comparison of the timer ID and the value of the previous timer flag is not executed. That is, for example, if the PE failure determination is repeated at a short time interval of about 1 ms, it is considered that the probability that both the PE and the timer will fail during the short time interval is very small. In the case where the number of PEs determined to be faulty is only one, processing necessary for timer fault detection is not performed.

  If the number of PEs determined to be faulty in step S37 is 2 or more, the timer ID is compared with the value of the previous timer flag in step S60. If they match, the timer has failed. Interrupts are continuously raised in a time shorter than a predetermined cycle, and it is determined that the survival information of each PE has not been updated. In step S61, it is determined whether or not it is the master PE. If it is not the master PE, a return to the main routine is performed. If it is the master PE, it is determined in step S62 whether or not the timer that did not raise an interrupt is operating. If not, both timers have failed, so in step S63. An emergency stop is instructed to the system. If it is in operation, the timer that raised the interrupt in step S64 is disconnected, the timeout time of the timer that did not raise the interrupt is reset to T, and the value of the previous timer flag is inverted in step S40 After that, a return to the main routine is performed.

  If it is determined in step S60 that the values of the timer ID and the previous timer flag do not match, it is determined that a plurality of PEs have failed at the same time, and emergency stop processing is performed in the following steps. That is, in step S65, it is determined whether the PE is a normal PE that has not failed and the PE having the smallest ID among the normal PEs. If these two conditions are satisfied, an emergency stop instruction is issued in step S63. . In FIG. 14, an emergency stop is instructed when two of the four PEs fail.

  If the condition of step S65 is not satisfied, for example, if it is a faulty PE, it is determined in step S66 whether all the PEs are faulty and whether it is a master PE. In that case, a return to the main routine is performed. When all the PEs are faulty, the processing content after the return is not clear, but here, if the condition of step S66 is not satisfied, a return to the main routine is performed. If the condition in step S66 is satisfied, an emergency stop instruction is issued to the system in step S63. Here, only a single PE has instructed the emergency stop process, but since it is an emergency, all PEs may instruct the emergency stop process.

  As described above, in the third embodiment, the reliability of the system can be improved by duplicating the timer in the system that detects the failure of each processor element constituting the multiprocessor system in response to the interrupt from the timer. It becomes possible.

Claims (9)

A system monitoring device that outputs an interrupt signal from a timer and causes a processor in the monitored system to execute a predetermined process,
For each common time interval, two timers that repeat the operation of outputting an interrupt signal when the time intervals deviate from each other by using a timeout time reload function are provided,
Each time the processor repeats input of an interrupt signal from one of the two timers, the processor determines whether the two timers are faulty ,
The two timers each have a reload register for storing the timeout time,
One timer further includes a right 1-bit shift circuit,
In response to a command sent from the processor at the time of starting the system to request the setting of a timeout time of the same and same time interval value, the counter in the one timer is connected to the counter via the right 1-bit shift circuit. A system monitoring apparatus using a duplex timer , wherein half the time interval is set as a count-out time . The system monitoring device further includes a flag register that stores a flag indicating an identifier of the timer that has output the interrupt signal in response to an interrupt signal input from one of the two timers,
In response to the next interrupt signal input from the timer, the processor compares the identifier of the timer that has output the next interrupt signal with the stored contents of the flag register to determine the presence or absence of a timer failure. The system monitoring apparatus using the duplex timer according to claim 1. The system monitoring device further includes a memory for storing a time indicated by a system clock provided in the system in response to an interrupt signal input from one of the two timers,
The processor is duplicated based on the comparison result of the timer identifier and the time difference between the time indicated by the system clock when the next interrupt signal is input and the previous interrupt signal input time stored in the memory. 3. A system monitoring apparatus using a duplex timer according to claim 2, wherein a failure timer is identified among the timers . A system monitoring device that outputs an interrupt signal from a timer and causes a processor in the monitored system to execute a predetermined process,
For each common time interval, two timers that repeat the operation of outputting an interrupt signal when the time intervals deviate from each other by using a timeout time reload function are provided,
Each time the processor repeats input of an interrupt signal from one of the two timers, the processor determines whether the two timers are faulty,
The two timers each have a reload register for storing the timeout time,
One of the two paths between the bus from the processor and the counter in the one timer, on the path through the reload register, is left between the bus and the reload register. A 1-bit shift circuit,
The other timer is connected between the bus and the connection point of the two routes, the route through the reload register and the route through the reload register, between the bus from the processor and the counter in the other timer. A left 1-bit shift circuit,
In response to a command sent from the processor at the time of starting the system and requesting setting of a half value of the time interval as the timeout time, the counter in the one timer is not passed through the reload register. system monitoring apparatus using a double reduction timer you characterized in that the setting of the counting-out time is performed by the path. A system monitoring method for outputting an interrupt signal from a timer and causing a processor in a monitored system to execute a predetermined process,
Two timers each include a reload register for storing the timeout time, and one timer further includes a right 1-bit shift circuit,
In response to a command that is sent from the processor at the time of starting the system and requests the setting of the timeout time of the same time interval value, the counter in the one timer is connected to the counter via the right 1-bit shift circuit. Set half the time interval as the countout time,
The two timer, for each of the common time interval, the operation to output the interrupt signal when said time interval is shifted half together repeated with reload function timeout period,
System monitoring using a duplex timer, wherein the processor determines the presence or absence of a failure of the two timers each time an interrupt signal from one of the two timers is repeatedly input Method. When the system is started up, the processor sets, as a timeout time for the timer , half of the same time interval common to the one timer to disable the reload function, and sets the same time interval to the other timer. Set the value of to enable the reload function,
When the said one of the timer outputs a first interrupt signal, the time-out period of one timer said the value of the same time interval, according to claim 5, characterized in that resetting the reload function as an effective System monitoring method using a dual timer. In response to the input of the interrupt signal from one of the two timers, a flag indicating the identifier of the timer that output the interrupt signal is stored in the flag register,
In response to the next interrupt signal input from the timer, the processor compares the identifier of the timer that has output the next interrupt signal with the stored contents of the flag register to determine the presence or absence of a timer failure. The system monitoring method using a duplex timer according to claim 5 . In response to the input of an interrupt signal from one of the two timers, the time indicated by the system clock provided in the system is stored in the memory,
The processor is duplicated based on the comparison result of the timer identifier and the time difference between the time indicated by the system clock when the next interrupt signal is input and the previous interrupt signal input time stored in the memory. 8. The system monitoring method using a duplex timer according to claim 7, wherein a failure timer is identified among the timers. A system monitoring device that outputs an interrupt signal from a timer and causes each processor in the monitoring target multiprocessor system to execute a predetermined process,
Two timers that repeat the operation of outputting an interrupt signal at the same common time interval and at a time shifted from each other by half of the time interval by using a reload function of a timeout time,
Each time at least one processor in the multiprocessor system repeats input of an interrupt signal from one of the two timers, it determines whether or not the two timers have failed ,
The two timers each have a reload register for storing the timeout time,
One timer further includes a right 1-bit shift circuit,
In response to a command sent from the at least one processor when the multiprocessor system is started to request the setting of a timeout time of the same and same time interval value, the counter in the one timer has the right A system monitoring apparatus using a duplex timer, wherein a half value of the time interval is set as a count-out time via a 1-bit shift circuit .

Images