Some existing information processing systems are made up of two or more information processing apparatuses uniformly configured to provide the same functions by, for example, running the same set of software programs. This redundant system configuration is for the purpose of a higher degree of fault tolerance, so that even if one information processing apparatus fails, another information processing apparatus can take over its processing tasks. The information processing apparatus currently responsible for the service is called, for example, a “primary,” “active,” or “working” subsystem. The remaining information processing apparatus is called a “secondary,” “standby,” or “backup” subsystem.
The secondary apparatus is not necessarily inactive. For quick failover operation and shorter system down time, some redundant systems are configured to maintain the secondary information processing apparatus in operable state even when the primary information processing apparatus is working properly. The secondary information processing apparatus may even keep supplied with the same input data that the primary information processing apparatus receives during the normal operation.
There is proposed, for example, a dual-redundant monitoring system that monitors wireless equipment and the like by using two computers, one for “working” and the other for “backup.” In this system, a detector device sends alarm data to both the working computer and backup computer when a failure is found in the monitored equipment. The two computers produce their respective statistical data. While two sets of statistical data are present, a switch selects the one produced by the working computer and sends it out to a printer.
There is also proposed a multi-server computing system formed from an active server and a standby server. The standby server has a database whose content is consistent with the active server's. This multi-server computing system is coupled with a terminal computer, which requests both the active and standby servers to update their databases. The two servers update their respective databases in accordance with the requests. The active server then returns a response to the requesting terminal computer, whereas the standby server does not. See, for example, the following documents:    Japanese Laid-open Patent Publication No. 64-13637    Japanese Laid-open Patent Publication No. 2000-148563
Suppose now that a redundant system includes a primary information processing apparatus and a secondary information processing apparatus, configured to receive the same input data when they are in normal condition. It is only the primary information processing apparatus that actually performs requested actions (e.g., outputting data to printer, returning response). One issue in this redundant system is how to implement switchover from primary to secondary when the primary apparatus encounters a failure.
In the case of the first-mentioned dual-redundant monitoring system, an external switch performs switchover between the working computer and backup computer. In the case of the second-mentioned multi-server computing system, each server is supposed to be aware of whether it is an active server or a standby server. Switchover may take place according to an external command (e.g., reconfiguration command from the user), with the possibility of a large delay before switchover is finished.
It is noted that the primary and secondary information processing apparatuses are not always be able to receive input data exactly at the same time. Such timing differences would complicate the system's decision of which apparatus is to execute actions in the case of failure. For this reason, the switchover is preferably controlled so as not to cause duplicated actions for a single input of data. That is, the then-primary information processing apparatus may have finished some actions in response to received data. It is preferable for the new primary information processing apparatus to avoid executing these actions again.