1. Field of the Invention
The present invention relates generally to computer systems for controlling data storage devices, and more specifically to computer systems used in fault tolerant computers, which select recovery strategies and which permit replacement of a defective data storage device with a functioning data storage device.
2. Description of the Prior Art
Fault tolerant computers are a class of computer designed to have a very high level of availability. Computers having extremely high levels of availability are particularly required for certain transaction processing applications. For example, in the banking industry, in the airline reservation industry and in financial market places, it is essential that transaction processing computers be continuously available and not lose any transactions or data.
Many parts of a transaction processing system have successfully been made extremely fault tolerant. This may be accomplished by incorporating various kinds of redundancy and fault detection within the components which comprise the transaction processing system. Several important parts of a transaction processing system including operating system software, customer application software and customer data are stored in large data storage devices, for example disk drives. However, achieving fault tolerance in data storage devices has proved difficult, because these devices present special fault tolerance problems.
A data storage subsystem, of which a data storage device may be a part, may be made fault tolerant by employing redundant data storage devices, so as to prevent data loss and system unavailability in the event that any single data storage device becomes unavailable. One technique which uses redundant data storage devices to achieve fault tolerance is called mirroring.
In a mirroring system, each logical or physical data storage device is paired with another logical or physical data storage device of the same capacity. The combination is known as a mirror pair. The mirror pair is a logical device which may be addressed by a user and behaves as a single storage device. Any action performed on the logical mirror pair which modifies the contents of the mirror pair is simultaneously performed on--i.e., mirrored on--both data storage devices comprising the mirror pair. Thus, when such a system functions normally, identical, duplicate data is stored on both data storage devices of the mirror pair. When a mirror pair exhibits normal operation as described above, it is said to be synchronized.
When one data storage device of a mirror pair fails, that failure may be detected and the mirror pair is said to lose synchronization. The failure of a single device within a system is known as a single-point failure. Multi-point failures would involve substantially simultaneous failure of more than one device of a system. However, in the case of this single-point failure, the other data storage device of the mirror pair may be used to maintain the function of the mirror pair until the failed data storage device has been repaired or replaced. During the period when the mirror is out of synchronization, the data storage subsystem is no longer tolerant of an additional single-point failure, assuming there is no additional redundancy, because an additional single-point failure turns the total failure scenario into a multi-point failure which requires multiple redundancy.
Some transaction processing systems include very large databases or very large sets of files which are preferably grouped together on a single large data storage device. Sometimes, a single data storage device of suitable size is not available. Then it may be desirable to create another logical device in the system, known as a compound logical data storage device. System software may permit the logical construction of a compound data storage device comprising several smaller data storage devices that will be referred to together as a single logical device, having a single designation, as with the logical mirror pair described above. For example, suppose a three-gigabyte, mirrored disk drive is the desired data storage device, as shown in FIG. 1. However, in this example, no three-gigabyte physical disks are available. Then three one-gigabyte physical disks may be grouped together as one logical device called a compound disk 101. In order to mirror such a compound disk, it is necessary to mirror 102 it with a compound disk 103 having the same storage capacity. Thus, a three-gigabyte compound mirrored pair 105 may comprise six one-gigabyte disks 107, 109, 111, 113, 115 and 117.
When any one physical disk (FIG. 2, 115) of a compound disk (FIG. 2, 103) fails and must be repaired or replaced, the mirror (FIG. 2, 102) for the entire mirrored compound disk (FIG. 2, 105) loses synchronization (FIG. 3, step 301), because each compound disk (FIG. 2, 101 and 103) is treated as a single logical device. That is, there is a logical device table maintained by the operating system software which describes each logical device in the system and a physical device table maintained by the operating system software which describes each physical device in the system. When any physical device comprising a logical device fails, both the physical device in the physical device table and the corresponding logical device in the logical device table are shown in their corresponding tables to have failed. Thus, the mirror must be broken between compound disks (FIG. 2, 101 and 103) and the compound disk containing the failed physical disk must then be removed from the logical device table (FIG. 3, step 303), so as to allow the failed physical disk (FIG. 2, 115) to be separately accessed and perhaps removed from the physical device table so as to permit repair or replacement. A new compound disk, including the repaired or replaced physical disk, may now be created and inserted into the logical device table (FIG. 3, step 307) and rebound with the working compound disk (FIG. 2, 101) for mirroring (FIG. 3, step 309). Since the mirror for the entire compound mirrored disk lost synchronization, all data on the working compound disk must then be copied to the new compound disk to synchronize the mirror (FIG. 3, step 311). Thus, in the event of a single physical disk failure, a great deal of time is often wasted copying data from one entire compound disk to the other. Furthermore, during the entire period of time between when the mirror for the entire compound disk loses synchronization (FIG. 3, step 301) and the time when all data has been copied to the new compound disk, thus synchronizing the new mirror (FIG. 3, step 311), the system is exposed to failure resulting from any additional single-point failure of a physical disk.
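As an added illustration, not part of the patent text, the following toy model reproduces the prior-art device tables and the FIG. 3 recovery sequence for the FIG. 1 configuration, so the cost of the full-compound copy can be measured; the class and function names are assumptions chosen for the example.

```python
# Added illustration (not from the patent): a toy model of the prior-art
# logical/physical device tables and the FIG. 3 recovery sequence for FIG. 1.
from dataclasses import dataclass

GB = 1024 ** 3

@dataclass
class PhysicalDisk:
    name: str
    capacity: int
    failed: bool = False

@dataclass
class CompoundDisk:
    """Logical device built from several physical disks (FIG. 1, 101 and 103)."""
    name: str
    members: list

    @property
    def capacity(self) -> int:
        return sum(m.capacity for m in self.members)

    @property
    def failed(self) -> bool:
        # Prior art: one failed member marks the whole logical device failed.
        return any(m.failed for m in self.members)

def build_fig1_pair():
    """Six 1 GB disks 107..117 grouped into two 3 GB compound disks."""
    phys = {str(n): PhysicalDisk(str(n), GB) for n in (107, 109, 111, 113, 115, 117)}
    logical = {"101": CompoundDisk("101", [phys["107"], phys["109"], phys["111"]]),
               "103": CompoundDisk("103", [phys["113"], phys["115"], phys["117"]])}
    return phys, logical

def recover_prior_art(phys, logical, failed_name):
    """Fail one member, run steps 301-311, return (bytes copied, step log)."""
    phys[failed_name].failed = True
    broken = next(c for c in logical.values() if c.failed)
    working = next(c for c in logical.values() if not c.failed)
    steps = ["301: mirror loses synchronization (whole compound marked failed)"]
    del logical[broken.name]                           # 303: drop from table
    steps.append("303: compound %s removed from logical table" % broken.name)
    phys[failed_name] = PhysicalDisk(failed_name, GB)  # replacement disk
    rebuilt = CompoundDisk(broken.name, [phys[m.name] for m in broken.members])
    logical[rebuilt.name] = rebuilt                    # 307/309: insert, rebind
    steps.append("307/309: compound %s rebound to %s" % (rebuilt.name, working.name))
    copied = working.capacity                          # 311: copy all 3 GB, not 1 GB
    steps.append("311: copied %d GB to resynchronize" % (copied // GB))
    return copied, steps
```

Running `recover_prior_art(*build_fig1_pair()[:2], "115")` shows that replacing a single 1 GB disk forces 3 GB to be copied, the whole capacity of the working compound disk, which is the waste and the exposure window the passage describes.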
Therefore, it is a general aim of the present invention to improve the fault tolerance of data storage subsystems which may include compound logical data storage devices.