The present invention relates generally to a replicated controller and a fault recovery method thereof. More specifically, the invention relates to a replicated controller and a fault recovery method thereof which, upon occurrence of a failure in the replicated controller, can recover from the failure without interrupting operation of the equipment being controlled.
A controller controlling equipment such as a power converter is required to have high reliability, since the influence of a failure becomes more significant the larger the equipment being controlled. Therefore, in controllers for large-scale equipment, a method has been adopted to enhance the reliability of control by replicating the controller, that is, by providing a plurality of mutually identical controllers in a plurality of systems, so that even if a failure occurs in the controller of one system, control is continued using the normal output of the controllers of the remaining systems.
As a fault recovery method for the case where a failure occurs in such a conventional replicated controller, a transfer region storing the control data necessary for fault recovery is provided in each system of the replicated controller. Upon occurrence of a failure in a certain system, the data in the transfer region is transferred to the failed system during a vacant period in the processing of the normal system, while control of the equipment is maintained by the output of the normal system, and the failed system is restarted after the transfer of the data is complete. This makes it possible to restore the faulty system to the normal state without interrupting operation of the equipment being controlled, and thereby to provide a controller of high reliability.
However, when this conventional fault recovery method for a replicated controller is applied to a controller for equipment that performs processing with a short operating period, it becomes impossible to transfer all of the data within the vacant time of a single operating period. If the data in the transfer region is instead transferred over a plurality of operating periods, the data updated by the normal system during those operating periods cannot be transferred to the faulty system, so that not all of the data in the transfer region can be made to match the data in the normal system. For this reason, updating of the data in the normal system must necessarily be inhibited while the data in the transfer region is being transferred to the faulty system, which makes it impossible to continue control of the equipment.
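As an added illustration (not part of the patent text), the following simulation shows the two problems just described: a transfer region copied chunk by chunk over several operating periods ends up inconsistent with the normal system's live data, and inhibiting updates restores consistency only at the cost of periods in which the normal system's data is not updated. The region size, the update rule and the number of words copied per vacant period are assumed values chosen for the example.

```python
"""Simulation of multi-period transfer of a replicated controller's transfer region.

Constructed example: the region size, the update rule (each word accumulates
the period counter) and the words copied per vacant period are assumptions.
"""
from dataclasses import dataclass, field

REGION_WORDS = 8  # size of the transfer region in words (assumed)


@dataclass
class NormalSystem:
    """Healthy system: keeps controlling the equipment and updating its data."""
    region: list = field(default_factory=lambda: [0] * REGION_WORDS)
    period: int = 0

    def run_period(self, update: bool) -> None:
        """One operating period; the data update may be inhibited."""
        self.period += 1
        if update:
            self.region = [w + self.period for w in self.region]


def recover(words_per_period: int, inhibit_updates: bool) -> tuple[bool, int, int]:
    """Copy the transfer region to the faulty system in chunks, one per period.

    Returns (copy matches normal data, number of stale words, number of
    periods in which the normal system's data update was inhibited).
    """
    normal = NormalSystem()
    faulty: list = [None] * REGION_WORDS
    inhibited = 0
    for start in range(0, REGION_WORDS, words_per_period):
        # The normal system processes this period first (update unless inhibited)...
        normal.run_period(update=not inhibit_updates)
        inhibited += int(inhibit_updates)
        # ...then uses the vacant time to send one chunk as it is right now.
        faulty[start:start + words_per_period] = normal.region[start:start + words_per_period]
    # The faulty system restarts with its copy: does it match the live data?
    stale = sum(f != n for f, n in zip(faulty, normal.region))
    return stale == 0, stale, inhibited


if __name__ == "__main__":
    print("whole region in one period  :", recover(REGION_WORDS, False))  # (True, 0, 0)
    print("4 periods, updates running  :", recover(2, False))             # (False, 6, 0)
    print("4 periods, updates inhibited:", recover(2, True))              # (True, 0, 4)
```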