The present invention generally relates to a remote copy system, and particularly relates to a remote copy system that copies data between storage systems located respectively at two remote sites.
In recent years, the importance of corporate information systems and the data used therein is increasing, and disaster recovery technology for recovering data in computer systems that failed due to a disaster or the like is attracting attention. A remote copy system is known as representative technology for performing disaster recovery.
For instance, Japanese Patent Laid-Open Publication No. 2005-18506 (Patent Document 1) discloses technology where a storage system receives data sent from a host computer and writes the data in its own storage apparatus, and also transfers such data to another storage system positioned in a physically remote location in order to store the data.
More specifically, this technology relates to a computer system having a primary host computer and a primary storage system connected thereto at a primary site, and a secondary host computer and a secondary storage system connected thereto at a secondary site that is located remotely from the primary site. When the primary storage system receives data with a creation timestamp from the primary host computer, it writes the data in its own volume, and further writes the data and its timestamp as a journal in its own journal volume. The secondary storage system reads the journal in the primary storage system, and temporarily stores the data with the timestamp in a journal volume of the secondary storage system in the same update sequence as the volumes of the primary storage system. The secondary storage system then retrieves the data from the journal volume and writes it into the volume. With this computer system, if a failure occurs in the primary site or in a communication line between the primary storage system and the secondary storage system, the journals stored in the journal volume that the secondary storage system received before the failure are reflected in the copy destination volume of the secondary storage system. As a result of adopting this kind of configuration, even if an active computer system encounters a disaster and is subject to a system failure, the data copied to a storage system positioned at a physically remote location can be used to recover the computer system in a relatively short period of time.
With the technology described in Patent Document 1, the time pertaining to the journal that was last reflected in the secondary volume is set as the recovery point objective (RPO). The set recovery point objective is presented to the user of a computer system at the time of recovery, but there is a problem in that such time cannot necessarily be used as a valid recovery point objective.
More specifically, journals that have not yet been reflected in the secondary volume among the journals that the secondary storage system received can be reflected in the secondary volume while maintaining the same update sequence as the primary volume even after a failure occurs in the primary site or in the communication line between the primary site and the secondary site. Thus, although the time pertaining to the journal that was last reflected in the secondary volume immediately before the occurrence of a failure should be set as the recovery point objective under normal circumstances, there are cases where the journals that have already been received by the secondary storage system are subsequently reflected in the secondary volume, and the time pertaining to the journal that was reflected after the occurrence of a failure is set as the recovery point objective.
Further, if the latest time among the times pertaining to the journals that the secondary storage system received is deemed to be the recovery point objective, there are cases where such time is invalidated due to a failure occurring in the secondary journal volume or the remote copy being temporarily suspended.
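The two candidate recovery points discussed above can be compared in a small model. This is an added example, not part of the cited publication; the class and function names and the timestamps are constructed for illustration, and sequence numbers are assumed to start at 1 with no reordering.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Journal:
    seq: int          # update sequence number from the primary (assumed to start at 1)
    timestamp: float  # creation timestamp given by the primary host (constructed)

@dataclass
class SecondaryStorage:
    journal_volume: dict = field(default_factory=dict)  # seq -> Journal, received so far
    reflected: list = field(default_factory=list)       # journals applied to the volume
    journal_volume_ok: bool = True

    def receive(self, journal):
        self.journal_volume[journal.seq] = journal

    def reflect(self, limit=None):
        """Apply received journals strictly in update sequence; stop at a gap."""
        applied = 0
        while self.journal_volume_ok and (limit is None or applied < limit):
            nxt = self.journal_volume.get(len(self.reflected) + 1)
            if nxt is None:
                break
            self.reflected.append(nxt)
            applied += 1
        return applied

    def last_reflected_time(self):
        return self.reflected[-1].timestamp if self.reflected else None

    def latest_received_time(self):
        return max((j.timestamp for j in self.journal_volume.values()), default=None)

def scenario(journal_volume_fails):
    sec = SecondaryStorage()
    # Constructed journals; seq 5 is never transferred because the link fails.
    for seq, ts in [(1, 100.0), (2, 101.0), (3, 102.0), (4, 103.0)]:
        sec.receive(Journal(seq, ts))
    sec.reflect(limit=2)                      # only seq 1-2 applied before the failure
    at_failure = sec.last_reflected_time()
    sec.journal_volume_ok = not journal_volume_fails
    sec.reflect()                             # secondary keeps draining after the failure
    return {"reflected_at_failure": at_failure,
            "reflected_after_drain": sec.last_reflected_time(),
            "latest_received": sec.latest_received_time()}

if __name__ == "__main__":
    print(scenario(journal_volume_fails=False))  # last-reflected time moves after failure
    print(scenario(journal_volume_fails=True))   # latest-received time is not recoverable
```

In the first scenario the last-reflected time changes from 101.0 to 103.0 after the failure; in the second the latest-received time stays at 103.0 although the secondary volume only holds data up to 101.0.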
Such an inaccurate recovery point objective will cause the loss of data, and it may not be possible to fully recover the computer system to its original state.
In addition, the user of a computer system must constantly determine whether the presented recovery point objective is valid or invalid, and is excessively burdened with recovery operations.