1. Field of the Invention
This invention relates to a computer system containing a plurality of data processing systems connected over a network for distributed data processing. More specifically, this invention relates to a data processing method as well as the systems on which the data processing method is implemented.
2. Description of the Prior Art
It is required that industrial systems such as chemical or steel plants, traffic control systems, and power systems including nuclear power plants, always be controlled correctly. This requires that data be processed in the correct sequence when controlling these systems.
One of the means to control these systems is to use a plurality of distributed data processing systems. This control means has a group of control units, each having a data processing system. These data processing systems are connected over a network to exchange control data (control messages) among them and to operate control units. For this type of control means, it should be noted that a plurality of data pieces sent from the sending system are not always received by the receiving system in the sequence in which they are sent. If the receiving system does not receive them in the sequence in which they are sent and processes them in a different sequence, the system safety may be affected.
For example, assume that two data processing systems connected over a computer network control a reactor as shown in FIG. 8. The reactor 100, which contains the heater 101, heats the materials fed from the materials feed pipe 102 and ejects a resulting product into the product ejection pipe 103. The materials feed pipe 102 has the flow adjustment valve 104 to adjust the feed speed. This materials feed pipe 102 and the flow adjustment valve 104 may be controlled by two data processing systems, one contained in this control unit and the other connected to this data processing system over a network. For example, the first data processing system is installed in the central control room of the plant, and the second data processing system is installed on the control unit to run two programs: "the materials feed control program" and "the flow adjustment valve control program". The second data processing system uses these two programs to control the temperature and the flow amount in the plant in accordance with messages from the first data processing system. Assume that the first data processing system sends the command "Open flow-adjustment valve 10 degrees" and then the command "Feed 20 Kg of materials to reactor". That is, the first data processing system sends the "flow" command and "materials" command in this sequence.
However, the second data processing system may receive the "materials" command and then the "flow" command because these two commands are sent along two different paths. Upon receiving the "materials" command, the second data processing system starts "the materials feed control program" and, before adjusting the flow, feeds 20 Kg of materials into the reactor. This is not the sequence intended by the first data processing system. This incorrect sequence of operation causes an abnormal reaction, endangering the safe plant operation.
To ensure the safe plant operation, the data processing system is sometimes duplicated to allow the overall system operation to continue even if an error occurs in the hardware constituting one of those systems. For example, assume that three data processing systems are connected to a computer network and that "the materials feed control program" and "the flow adjustment valve control program" stored in the second data processing system control the temperature and flow amount in the plant according to the control messages from the first data processing system. The third data processing system also contains these two programs to allow the whole plant system operation to continue even when a hardware error occurs in the second or third data processing system.
In a configuration described above, assume that the first data processing system sends the command "Open flow-adjustment valve 10 degrees" and then the command "Feed 20 Kg of materials to reactor".
However, the second data processing system and the third data processing system may receive the commands in different sequences because these two commands are sent along two different paths: that is, in some cases, the former receives the "materials" command and then the "flow" command while the latter may receive the "flow" command and then the "materials" command. Upon receiving the "materials" command, the second data processing system starts "the materials feed control program" and, before adjusting the flow, feeds 20 Kg of materials to the reactor. This is not the sequence intended by the first data processing system. On the other hand, the third data processing system first starts "the flow adjustment valve control program" and then feeds 20 Kg of materials to the reactor. This is the sequence intended by the first data processing system. This means that, even if the same commands are received by the second data processing system and the third data processing system as sent by the first data processing system, the consistency of the process cannot be maintained. As a result, if the third data processing system which has received the sequence of commands correctly fails, the commands received by the second data processing system, one of the duplicated systems, are executed. This results in an abnormal reaction and endangers the safe plant operation.
To eliminate an inconsistency in the sequence of operation, a data processing system containing a sequencer, which specifies the sequence of messages, has been devised heretofore. This sequencer makes it possible to send the commands to all the data processing systems in the same sequence, eliminating the inconsistency. More specifically, this sequencer sends to all the data processing systems a command specifying the sequence of messages (hereafter called a processing sequence command) on which the sequence of message operation of each data processing system is based.
Generally, a sequencer sends the processing sequence command based on the sequence in which the sequencer received the messages. Other data processing systems store the messages received from the sequencer for a while and, after receiving the sequence command from the sequencer, process the sequence of messages based on the sequence command.
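The following is an added example, not part of the original text, of the buffering behaviour just described: a receiver holds each message until the processing sequence command arrives and then runs the messages strictly in that order, so every arrival order gives the same result. The class names, the message identifiers and the assumption that the sequencer received "flow" before "materials" are illustrative.

```python
from itertools import permutations

# Constructed sample messages, taken from the two commands in the text.
FLOW = ("flow", "Open flow-adjustment valve 10 degrees")
MATERIALS = ("materials", "Feed 20 Kg of materials to reactor")

class Sequencer:
    """Hypothetical sequencer: its own receive order becomes the processing order."""
    def __init__(self):
        self.order = []
    def receive(self, msg_id):
        if msg_id not in self.order:          # ignore duplicate deliveries
            self.order.append(msg_id)
    def sequence_command(self):
        return list(self.order)

class Receiver:
    """Hypothetical receiver: buffers messages until the sequence command allows them."""
    def __init__(self):
        self.pending, self.sequence, self.executed = {}, [], []
    def on_message(self, msg_id, payload):
        self.pending[msg_id] = payload
        self._drain()
    def on_sequence_command(self, order):
        self.sequence = list(order)
        self._drain()
    def _drain(self):
        # Run strictly in sequencer order; stop at the first message not yet received.
        while len(self.executed) < len(self.sequence):
            msg_id = self.sequence[len(self.executed)]
            if msg_id not in self.pending:
                return
            self.executed.append(self.pending.pop(msg_id))

def naive_run(arrivals):
    """Failure case from the text: act on each command as soon as it arrives."""
    return [payload for _, payload in arrivals]

def sequenced_run(events):
    receiver = Receiver()
    for kind, body in events:
        if kind == "msg":
            receiver.on_message(*body)
        else:
            receiver.on_sequence_command(body)
    return receiver.executed

def orders_seen_by_receivers():
    """Try every arrival order of the two commands and the sequence command."""
    seq = Sequencer()
    seq.receive(FLOW[0])                      # assumed sequencer receive order
    seq.receive(MATERIALS[0])
    events = [("msg", FLOW), ("msg", MATERIALS), ("seq", seq.sequence_command())]
    return {tuple(sequenced_run(p)) for p in permutations(events)}
```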
For system safety, the sequencer is also duplicated. That is, a plurality of sequencers are connected to a network, each in one of two modes: "operation mode" and "standby mode". A data processing system containing a sequencer in "the operation mode" (hereafter called an operation mode sequencer) controls the units of the whole plant system. On the other hand, while the data processing system containing the operation mode sequencer is active, a data processing system containing a sequencer in "the standby mode" (hereafter called standby mode sequencer) is in the standby state and does not send the message processing sequence command. That is, when an operation mode sequencer receives a plurality of messages, the sequence in which the sequencer receives the messages is sent to a standby mode sequencer and other data operating systems.
However, a conventional data processing system containing a sequencer has the following problem. When the data processing system containing "the operation mode sequencer" fails, some other data processing system must take over the processing of the failed data processing system in order to continue to control various kinds of plant systems. To take over the processing successfully, the conventional system has a predetermined sequencer. In addition, the operation mode sequencer sends message processing sequence information to the data processing system of each control unit as well as to the predetermined standby mode sequencer. This requires the operation mode sequencer to continually send message processing sequence information to the standby mode sequencer.
However, neither messages nor message processing sequence information is always sent over a network in the same sequence. That is, the operation mode sequencer and the standby mode sequencer on the network do not always synchronize with each other just because the former sends message processing sequence information to the latter. Therefore, it is necessary to monitor whether the operation mode sequencer and the standby mode sequencer are consistent in the message processing sequence. This requires the two sequencers to exchange synchronization messages.
This synchronization message is exchanged between the operation mode sequencer and a standby mode sequencer independently. This requires the operation mode sequencer to send a synchronization message in addition to message processing sequence information, increasing the overall system load. In addition, a complicated or critical system where a plurality of standby mode sequencers are provided must do synchronization processing more frequently, further degrading the system performance.
As described above, in a system according to the prior art, one or more specific data processing systems are designated in advance as standby mode sequencers, and a synchronization process is needed between the standby mode sequencers and the operation mode sequencer. This increases the load on the system.
In addition, in a conventional system, a single sequencer manages message processing sequence information on all the data processing systems on the network. This increases the network processing load as more and more messages are exchanged among data processing systems, degrading the overall system performance.
This invention seeks to solve the problems associated with the prior art described above. It is an object of this invention to eliminate the need to synchronize between the operation mode sequencer and the standby mode sequencer in a plurality of data processing systems connected to each other over a network, and to provide a data processing method and a data processing system which enhance the system processing capability.
It is another object of this invention, when an operation mode sequencer fails or stops, to allow one of the other data processing systems on the network to automatically take over the processing of the failed or stopped operation mode sequencer in order to eliminate the need for reserving a standby mode sequencer.
It is still another object of this invention, when a plurality of data processing systems on the network contain different types of programs, to provide a plurality of operation mode sequencers according to the type of program to be executed in order to distribute the load among the operation mode sequencers.