Currently, in many storage subsystems, a technique for enhancing reliability, such as a RAID (Redundant Arrays of Independent (or Inexpensive) Disks) technique, is adopted to provide reliability that exceeds the reliability of a single HDD. However, along with the recent advancement of the information-oriented society, there are cases where the reliability provided by the RAID technique is not sufficient.
One example for improving the availability of the subsystem and coping with such a situation, as disclosed in Patent Literature 1, is an information system using multiple (such as two) storage subsystems (hereinafter referred to as subsystem A and subsystem B), wherein data is duplicated in subsystem A and subsystem B. According to the information system disclosed in Patent Literature 1, the volume is subjected to duplex writing to subsystem A and subsystem B, and the host is configured to access the volume of subsystem A at normal times. When the host fails to access (process the I/O of) the volume of subsystem A, the access destination is switched so as to access the volume of subsystem B, thereby enabling operation to be continued.
One of the conditions required in such a duplex configuration system is to prevent the host from accessing erroneous data. Patent Literature 1 discloses an example of a case where the volume duplication (copy) between subsystems A and B has failed due to the disconnection of the link between subsystems A and B. As a conceivable case, the host performs operation using the volume of subsystem A for a while, and when a failure occurs in subsystem A, the host switches to access subsystem B. At this point in time, however, since the volume in subsystem B only stores data that is older than the data in the volume of subsystem A, it is preferable to perform control so that subsystem B does not accept accesses from the host.
According to the information system taught in Patent Literature 1, this problem is solved by providing and using a failure detecting volume that can be accessed from both subsystems A and B. When subsystem A fails to perform the volume duplicating process, subsystem A reads the contents of the failure detecting volume to check whether or not a failure information flag has been written thereto by subsystem B. When a failure information flag has not been written, subsystem A writes the failure information flag therein, and thereafter resumes the process related to the access request from the host.
Furthermore, when a failure occurs in subsystem A, the host switches the access destination from subsystem A to subsystem B. Then, subsystem B reads the contents of the failure detecting volume, and checks whether a failure information flag has been written by subsystem A. In this case, since the failure information flag has been written, subsystem B returns a response to the host notifying that the I/O has failed. This arrangement prevents the host from reading old data.
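The flag exchange described above can be traced with a small simulation. This is an added example, not code from Patent Literature 1; the class and function names are hypothetical, the link cut and subsystem failure are constructed events, and the read-then-write of the flag is modelled as a single step.

```python
class IOFailed(Exception):
    """I/O failure response returned to the host."""

class FailureDetectingVolume:
    """Volume reachable from both subsystems; holds the failure information flag."""
    def __init__(self):
        self.flag_owner = None                    # subsystem that wrote the flag

class Subsystem:
    def __init__(self, name, fdv):
        self.name, self.fdv = name, fdv
        self.volume, self.peer = {}, None
        self.alive, self.link_up = True, True

    def _check(self):
        # Refuse host I/O if this subsystem is down or the peer wrote the flag.
        if not self.alive or self.fdv.flag_owner not in (None, self.name):
            raise IOFailed(self.name)

    def host_write(self, block, data):
        self._check()
        if self.link_up and self.peer.alive:
            self.peer.volume[block] = data        # duplex write succeeded
        elif self.fdv.flag_owner is None:
            self.fdv.flag_owner = self.name       # duplication failed: write flag
        self.volume[block] = data                 # then resume the host request

    def host_read(self, block):
        self._check()
        return self.volume[block]

def failover_read(primary, secondary, block):
    # Host behaviour: use the primary at normal times, switch on I/O failure.
    try:
        return primary.host_read(block)
    except IOFailed:
        return secondary.host_read(block)

def run_scenario(link_fails):
    fdv = FailureDetectingVolume()
    a, b = Subsystem("A", fdv), Subsystem("B", fdv)
    a.peer, b.peer = b, a
    a.host_write(0, "v1")                 # duplexed to A and B
    a.link_up = not link_fails            # constructed event: inter-subsystem link cut
    a.host_write(0, "v2")                 # reaches B only if the link is up
    a.alive = False                       # constructed event: subsystem A fails
    try:
        result = failover_read(a, b, 0)
    except IOFailed:
        result = "IO_FAILED"
    return result, b.volume[0], fdv.flag_owner
```

`run_scenario(True)` shows subsystem B refusing the read while it still holds the older "v1"; `run_scenario(False)` shows the ordinary failover, where B is in sync and serves "v2".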