Please accept this mail as an authorized signature for the MIRA SW CTRL V2.2 SPD approval. Name : Robert HOURON Funct : Sustaining Unit Mgr Badge : 237719 Date : 3-DEC-90 I N T E R O F F I C E M E M O R A N D U M Date: 14-Nov-1990 10:50 CET From: Claude Garcin @AEO GARCIN Dept: EIC-T&N-E / CSSE Tel No: 887-4058 TO: Robert HOURON @AEO ( HOURON ) CC: Philippe ROUSSIN-MOYNIER @AEO ( ROUSSIN ) Subject: A: CSSE SPD MIRA V2.2 approval Please accept this mail as an authorized signature for the MIRA SW CTRL V2.2 SPD approval. Name : Claude GARCIN Funct : CSSE ME Badge : 187854 Date : 14/11/90 I N T E R O F F I C E M E M O R A N D U M Date: 15-Nov-1990 09:23 CET From: Philippe ROUSSIN-MOYNIER @AEO ROUSSIN Dept: EIC-T&N-E PROD. MGT. Tel No: DTN:(7)887-4148 TO: Robert HOURON @AEO ( HOURON ) CC: Dominique CHABORD @AEO ( CHABORD.DOMINIQUE ) Subject: I: SPD/SSA approval for MIRA Switch Control V2.2 Please accept this mail as an authorized signature for the MIRA SW CTRL V2.2 SPD approval. Name : Philippe ROUSSIN-MOYNIER Funct : Product Manager Badge : 237679 Date : 15/11/90 SOFTWARE PRODUCT DESCRIPTION PRODUCT NAME: MicroVAX MIRA Switch Control, Version 2.2 SPD 27.86.03 DESCRIPTION System Overview MicroVAX MIRA Switch Control is the software for controlling a MicroVAX based MIRA System. A MIRA System is comprised of dual MicroVAX computers, each supplied by its own power source and mounted in a single cabinet, or in two cabinets for larger configurations. The configuration of each computer is normally identical, so that one computer is a backup for the other in the event of failure. The computers are linked via Ethernet and MIRA unique hardware. The software controls the status (Master, Standby, or Idle) of each computer. It detects a computer failure and changes the status of each computer accordingly. Designated devices which were previously connected to a failed Master computer are connected to the Standby computer, whose status then becomes Master. The user can then restart applications on the new Master and continue operation. MIRA Systems are particularly suited to dedicated control applications, rather than general purpose data processing. That is, applications that need to maintain communication with terminals and other computers, as well as full performance after a failure, or to recover without operator intervention, can do so. The two computers operate independently; for example, process and volume shadowing are not features of MIRA. A MIRA System provides the hardware and software environment required for the development of such high availability control applications. The Ethernet link can be utilized by the application programs to exchange status information and to back-up critical data on the Standby computer. Each computer has a unique Ethernet address and node name. For automatic recovery, the user application is required to maintain the Standby in a state of readiness where it can assume Mastership. The user application is also required to recover communication with the devices which have been switched and for the restart/recovery of the Master application. Switched Devices Switched Devices are those which are configured such that they can be connected to either computer. The devices are connected to the MIRA System via a common I/O distribution panel and the hardware and software controls to which computer they are assigned at any time. The operator specifies whether a device should be connected to the Master or Standby computer via a utility which creates the Switch Map File. The computer with the status Master has those devices designated by the Switch Map File as Master Devices connected to it; the computer with the status Standby has Standby Devices connected. A computer with the status Idle has no switched devices connected. Start Up The Start Up process for the complete MIRA System is normally synchronised such that the same status is assigned as the last time the MIRA System was active. This status is recorded by the Flag File; and the option is known as Flag File Management. If this option is disabled, or is the first time that the MIRA system is started, or if one of the computers fails to start correctly, then the first computer to complete the MIRA Start Up will become Master. Program and Manual Control A two position key switch on the front panel of the MIRA System, determines the system mode. Under Program Mode, the MIRA Switch Control software automatically reconfigures the Standby as Master if a failure is detected (System Failover) and swaps the system status at the request of the operator or a user application (System Swap). In Manual Mode, changes in status are inhibited and can only be effected from the front panel. Failure Detection The MIRA Switch Control software exchanges status messages via the MIRA hardware, which includes a private communications link. If the software on either computer is unable to send its message within the user-specified period, this will be detected on each computer. If it is the Master computer that has failed to send its status message and the system is in Program Mode, then a System Failover occurs. If it is the Standby which has failed, then it is made Idle. Optionally, Standby Devices can be reconnected to the Master computer. System Failover Operation In the event of a System Failover, the following occurs: ^ The Master switched devices are disconnected and the Master computer's status is changed to Idle. ^ If the feature known as "DCLOW" is enabled, the Master system is automatically powered down (thus releasing any RA type disks, so that they can be mounted on the other system). ^ If the other computer is in Standby mode, then the Master Devices are connected, and its status changed to Master. The Standby Devices may optionally be released or kept connected to the new Master. The full MIRA Switch Control software can perform a System Failover in less than two seconds, or in less than one second if Flag File Management is disabled. After the System Failover is complete, the user's application programs are responsible for failure recovery. Diagnostics should then be run on the faulty computer. This can be done without affecting the application(s) running in the new Master. Repair can be effected on the faulty system, normally without affecting the Master computer in any way. The user can provoke a System Failover through the use of an operator command or user-callable subroutine (see below). Re-start If a failed computer is restarted and the other is Master, it will become the Standby and the Standby devices reconnected. If the option is selected to retain the Standby devices on the Master after System Failure, the Standby devices will not be re-connected to the Standby until the user's application on the Master has released them. System Swap Operation Customer written application programs or the operator can command a System Swap. This operation can be disabled by the operator or an application program. It is only valid from the Master when the other computer is in Standby mode and when the system is in Program Mode. In the event of a valid System Swap, the following occurs: ^ The switched devices are disconnected from both computers. ^ The Master computer status becomes Standby and the other becomes Master. ^ The Master Devices are connected to the new Master and the Standby Devices to the new Standby. System Force Operation In Manual Mode, the operator can force a swap of the system, no matter what the status is of either computer. However, if one of the computers is Idle, then its status remains Idle. This is activated via the front panel. Summary of the Effect of Failover, Swap and Force Operations Before After Status A Status B Status A Status B ------------------------------------------- Failover | master | standby | idle | master | | master | idle | idle | idle | | standby | master | master | idle | | idle | master | idle | idle | |------------------------------------------| Swap | master | standby | standby | master | | standby | master | master | standby | |------------------------------------------| Force | master | standby | standby | master | | master | idle | standby | idle | | standby | master | master | standby | | standby | idle | master | idle | | idle | master | idle | standby | | idle | standby | idle | master | ------------------------------------------ Note: Status A and Status B differentiates the status of the two computers. On-Line Testing On-line Tests can be invoked by the operator to test the MIRA unique hardware on a system. This tests all the MIRA hardware components without actually changing the state of a switch and thus can be used without disturbing the applications running on either computer. Operator Commands A set of operator commands enables the operator to control the MIRA System. User Application Interface The User Application Interface provides a set of user-callable subroutines by which a user application requests functions and receives information via the MIRA Switch Control software which must be active. Subroutines are available for VAX PASCAL, VAX MACRO, VAX ADA VAX BASIC, VAX COBOL, VAX BLISS, VAX PLI, VAX C and VAX FORTRAN including the following functions: MRACON Connects the user application (maximum 8 simultaneous connections) MRADIS Disables System Swap Operations MRAENA Enables System Swap Operations MRAOVR Provoke System Failure MRASWA Requests a System Swap Operation MRAREL Requests that Standby Lines be released from the Master computer MRAGET Gets the MIRA system status The user applications can also be notified, if requested, of changes in system status and thus invoke the necessary recovery procedures. The Driver Interface The Driver Interface communicates with the MIRA Hardware via the Q-bus. It provides a number of functions which can be requested using system service calls and QIOs and thus enable an application to control the failure detection and switching mechanism itself. The interface gives access to the full capabilities of the MIRA hardware. Users may choose not to use the full MIRA Switch Control software, but to perform this control from within their own applications. This requires a fuller understanding of the MIRA hardware and is normally only appropriate when a high level of real-time control is required by the application. Clock Synchronization The two computer clocks can be synchronized within a few milliseconds. This feature is available via the Driver Interface or may, optionally, be managed automatically by the control software. SOURCE CODE INFORMATION The following source code modules are provided with binary, single-use license options on all magnetic distribution media: ^ Symbolic definitions for the driver interface ^ Message text ^ MIRA logic module driver ^ ADA Application Interface routines INSTALLATION Only experienced customers should attempt installation of this product. DIGITAL recommends that all other customers purchase DIGITAL's Installation Services. These services provide for installation of the software product by an experienced DIGITAL Software Specialist. HARDWARE REQUIREMENTS MicroVAX configuration as specified in the System Support Addendum (SSA 27.86.03-x). SOFTWARE REQUIREMENTS For Each MicroVAX (Two MicroVAXes per MIRA System): VMS Operating System or VAX Ada (if ADA Application I/F routines will be used) Refer to the System Support Addendum for availability and required versions of prerequisite/optional software (SSA 27.86.03-x). ORDERING INFORMATION Software Licenses: QL-09TA*-** Software Media: QA-09TAA-*5 Software Documentation: QA-09TAA-GZ Software Product Services: QT-09TA*-** * Denotes variant fields. For additional information on available licenses, services and media refer to the appropriate price book. SOFTWARE LICENSING This software is furnished under the licensing provisions of DIGITAL's Standard Terms and Conditions. For more information about DIGITAL's licensing terms and policies, contact your local DIGITAL office. License Management Facility Support This layered product supports the VMS License Management Facility. License units for this product are allocated on a CPU-capacity basis. For more information on the License Management Facility, refer to the VMS Operating System Software Product Description (25.01.xx) or the License Management Facility manual of the VMS Operating System documentation set. For more information about DIGITAL's licensing terms and policies,contact your local DIGITAL office. SOFTWARE PRODUCT SERVICES A variety of service options are available from DIGITAL. For more information contact your local DIGITAL office. SOFTWARE WARRANTY Warranty for this product is provided by DIGITAL with the purchase of a license for the product as defined in the Software Warranty Addendum of this SPD. SEPTEMBER 1990 AE-KP79D-TN