
WO2015111142A1 - System analysis device, design defect analysis device, failure mode analysis device, fault tree analysis device, autonomous operation device and autonomous operation control system - Google Patents


Info

Publication number: WO2015111142A1
Authority: WO, WIPO (PCT)
Prior art keywords: state, state transition, failure, condition, integrated system
Legal status: Ceased
Application number: PCT/JP2014/051178
Other languages: English (en), Japanese (ja)
Inventor: 昌能 西
Current assignee: Hitachi Ltd
Original assignee: Hitachi Ltd
Application filed by Hitachi Ltd
Priority to PCT/JP2014/051178 (WO2015111142A1)
Priority to CN201480073114.7A (CN105917316B)
Priority to JP2015558626A (JPWO2015111142A1)
Publication of WO2015111142A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Prevention of errors by analysis, debugging or testing of software
    • G06F 11/3604 Analysis of software for verifying properties of programs
    • G06F 11/3608 Analysis of software for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation

Definitions

  • The present invention relates to a system analysis device, a design defect analysis device, a failure mode analysis device, a fault tree analysis device, an autonomous operation device, and an autonomous operation control system.
  • For such systems, a dynamic input/output relationship analysis method known as model checking is effective.
  • Model checking accounts for the fact that the input/output relationship is determined dynamically by the uncertain response time and the internal state of each subsystem, covers the dynamic behavior that the integrated system as a whole can exhibit, and searches for the existence of a state corresponding to a defect that violates a safety requirement.
  • The model checking method uses a state transition model built by combining state values that uniquely determine the state of the target integrated system with state transition rules corresponding to the input/output relations of each subsystem; it is a dynamic input/output relationship analysis method in the sense that a state transition sequence corresponding to a defect is found from within that model.
  • With the start-time condition and the end-time condition each given as a set of state values, the problem is reduced to determining whether a transition path connecting the two sets of states exists.
  • FIG. 2 shows how the state transition model is constructed.
  • The system state transition model consists of state values, defined together with the inputs to the system, the internal states, and the outputs from the system, and of state transition rules for the internal states.
  • A state transition rule comprises a function that determines an output value from an input and an internal state, and a function that updates the internal state (that is, computes the next internal state).
  • FIG. 3 is a state transition graph expressing, as a directed graph, each state value the state transition model can take and the possible transitions between them.
  • The dynamic input/output relationship analysis method using this state transition model can be restated as the problem of determining whether a state transition sequence exists from the set of initial state values satisfying an appropriate start-time condition to the set of final state values satisfying an end-time condition corresponding to a defect.
  • This example has the feature that, in a given internal state, the transition destination depends on the input value, so that a state transition graph with multiple transition destination states is obtained.
  • Failure mode effect analysis determines whether there is a state transition path that reaches the set of end state values satisfying the end-time condition.
  • Fault tree analysis determines whether there is a combination of failure modes for which such a state transition path exists.
  • FIG. 4 shows a specific procedure for searching for a state transition sequence.
  • One of the initial state values satisfying the start condition is selected, and the reachable transition destination state values, corresponding to the degrees of freedom of the input value, are searched exhaustively.
  • Each state transition path is expanded in the form of the tree shown in FIG. 5, and it is determined whether any state transition path can reach the set of final state values that violate the end-time condition.
  • The model checking method requires substantial computer resources, in particular high-speed computation to evaluate all reachable state values exhaustively and large memory to store all of them. For this reason, the model checking method limits the scale of system that can be analyzed in finite time.
  • The growth in computation comes from the enormous number of initial state values that must be set to cover the state transition paths, and from the need to construct the state transition paths by setting those initial state values one at a time.
  • An object of the present invention is therefore to provide a system analysis apparatus that can perform an appropriate analysis of a system in which the input/output relationship is determined dynamically.
  • The present invention is directed to a system in which an internal state changes according to an input and the output corresponding to that input changes in accordance with the change in the internal state. It provides: state transition model construction means for constructing, based on the state transition rules of the system, a state transition model including the plurality of state values the system can take and the transition paths between them; initial state value setting means for setting, from the plurality of state values, an initial state value satisfying a predetermined start-time condition; final state value setting means for setting, from the plurality of state values, a final state value satisfying a predetermined end-time condition; and state transition path presence/absence determining means for determining whether, in the state transition model, a state transition path exists that reaches the initial state value from the final state value.
  • The present invention can thus perform an appropriate analysis of a system in which the input/output relationship is determined dynamically.
  • Figure showing a route under constraint conditions. Figure showing a system with a dynamic input/output relationship.
  • Figure showing the forward state transition route search method. Figure showing the search tree obtained from the forward state transition route search method.
  • Figure showing the conversion from a state transition rule to a logical expression. Figure showing an integrated system composed of several interconnected subsystems.
  • The functional requirements can be regarded mainly as constraint conditions on the input/output relationship of the entire system in the normal operating state, without hardware failure.
  • By abstracting the state transition model in this way, it is not necessary to distinguish whether the means realizing a functional requirement is hardware or software.
  • Since software can execute only one process at any given time, a software process is itself a state transition model as it stands.
  • Safety requirements can be regarded as constraints on the input/output relationships and state values of the entire system when a hardware failure occurs. For example, if a signal that switches the failure mode defined for each piece of hardware is taken in as a kind of external input signal, the input/output relationship at the time of failure can be added to the input/output relationship in normal operation.
  • The safety requirement can therefore be described uniformly as a constraint on the input/output response of the system to which an external input for selectively generating a failure mode has been added.
  • The failure mode analysis device and the fault tree analysis device are implementation forms of the system analysis device.
  • The state transition model representing the system has the following feature: compared with the number of state values satisfying the start-time condition, which holds whenever continued operation is possible, the number of state values satisfying the individual end-time conditions, which are set based on the system's operation modes, is sufficiently small.
  • The number of transition destination state values reachable from the set of start state values satisfying the start condition can vary within the range allowed by the freedom of the input values and the start condition.
  • As the number of degrees of freedom in the internal state increases, the number of state values satisfying the start condition increases accordingly.
  • From a state value satisfying the termination condition, the internal state cannot be updated further regardless of the input value, so the transition destination remains the same state value.
  • Hence the number of state values satisfying the termination condition remains small.
  • The size of the state transition route tree is therefore sufficiently reduced by using the reverse state transition route search method.
  • The number of state transition paths traced in reverse order is determined by the number of state values satisfying the end-time condition and by the number of transition steps until a state value satisfying the start-time condition is reached in reverse order.
  • The number of transition steps is small if few steps are needed to go from inside the set of final state values satisfying the end-time condition, out of it, and into the set of start state values satisfying the start-time condition.
  • The desired state transition path can thus be searched in reverse with a small amount of computational resources.
  • A system constituted by only one system, including inputs, outputs, and an internal state, is set as the analysis target.
  • Its internal state changes according to an input,
  • and the output corresponding to the input changes according to the change of the internal state.
  • The system analysis apparatus comprises state transition model construction means (corresponding to the analysis unit in FIG. 30) for constructing, based on the state transition rules of the system, a state transition model including the plurality of state values the system can take and the transition paths between them; initial state value setting means for setting, from the plurality of state values, an initial state value satisfying a predetermined start-time condition; final state value setting means for setting, from the plurality of state values, a final state value satisfying a predetermined end-time condition; and state transition path presence/absence determination means for determining whether a state transition path reaching the initial state value from the final state value exists in the state transition model.
  • Unlike the forward state transition path search method using FIG. 3, this method traces the state transition path in reverse order from the set of state values satisfying the end-time condition and searches for the set of start state values satisfying the start-time condition.
  • This method may still require a lot of computing resources. This is because a given state transition rule uniquely defines the transition destination state in the forward direction, but does not uniquely give the transition source state in the reverse direction.
  • It is also because the amount of computer memory required to store this state transition model in the form of a graph becomes enormous, in proportion to the number of state values and the number of edges indicating whether a transition between two states is possible.
  • If the state transition rules, the end condition, and the start condition are set as constraints, in the form of logical formulas that the expected state transition sequence must satisfy, and a SAT solver that can efficiently search for a solution satisfying these constraints is used, then the presence or absence of this state transition sequence can be determined with a small amount of computational resources.
  • The system analysis apparatus of the embodiment is configured to perform the reverse state transition path search with the aid of the SAT solver, and includes means for converting the system's state transition rules into a logical expression.
  • A satisfying solution of the satisfiability problem constructed with the start-time condition and the end condition as constraints is computed using the SAT solver, and that solution is output as the state transition path.
  • The logical expression conversion means and the SAT solver described above are provided in the analysis unit.
  • This method is based on a graph search problem that explicitly holds the individual state values making up the state transition path.
  • The end state value satisfying the end condition is set as the starting point of the state transition path, the transition source states that can reach the end state in one step are searched recursively in reverse, and the state transition sequence is expanded exhaustively until a transition source state satisfying the start condition is discovered.
  • FIG. 9 shows an alternative method that reduces the computational resources by converting the same processing into a satisfiability problem.
  • In step 901, the state value is defined by combining the input/output signal values and the internal state.
  • In step 902, the reverse search range is set.
  • Besides designating an upper limit on the number of state transition steps for the backward search from the final state, a constraint can also be added to the state transition sequence so that a specific set of state values is not searched.
  • In step 903, the desired state transition sequence is declared as an indefinite value (an unknown) within the search range specified in step 902.
  • This state transition sequence is then computed by the SAT solver.
  • FIG. 11 shows the constraint conditions corresponding to the state transition rules of the state transition graph whose state values and transition conditions are shown in FIG.
  • FIG. 11 illustrates, in the form of a logical expression, the relationship that gives the transition destination state value x[t+1] from the combination of the current state value x[t] and the transition condition.
  • Many SAT solvers used in step 910 accept input in the form of the logical expression illustrated in FIG.
  • A constraint condition corresponding to the system's functional requirements and operational limits is set.
  • For this purpose, an allowable range is additionally set for the input value, which is one component of the state value, or the range of the reverse search is limited as exemplified in step 902, for example by setting a constraint on each state value in the state transition sequence.
  • In step 908, the start condition of the state transition sequence is set as a constraint requiring that the start condition be satisfied.
  • The end-time condition is set as a constraint on the final state of the state transition sequence.
  • In step 910, the SAT solver is used to search for the presence or absence of a state transition sequence that satisfies all the constraints set up to this step and was declared as an indefinite value in step 903.
  • If the SAT solver determines that no such state transition sequence exists, that is, the constraints cannot be satisfied, the process proceeds to step 911.
  • There it is established that, within the search range specified in step 902, no state value satisfying the end condition is reached from any initial condition satisfying the start condition (that is, the event described by the end-time condition does not occur).
  • In step 912, it has been established that, starting from a state value satisfying the start-time condition, a state value satisfying the end-time condition is reached, that is, a failure event satisfying the end-time condition occurs. Since the SAT solver returns concrete values for the indefinite value declared in step 903, the failure event is reported in the form of a time chart or similar display of the state value at each transition step.
  • In this way, an appropriate analysis can be performed on a system in which the input/output relationship is determined dynamically.
  • This is a dynamic input/output relationship analysis method that introduces an internal state for switching the operation mode defining each input/output relationship, and it can output a state transition path with less computational resources than the forward state transition path search method requires.
  • A subsystem means a system in which an internal state changes according to an input, and the output corresponding to the input changes according to the change in the internal state.
  • An integrated system means a system in which subsystems, which do not necessarily operate in synchronization with each other, are interconnected.
  • In an integrated system the problem described above becomes more prominent: in a dynamic integrated system, the number of transition destination state values reachable from each state value in one state transition step increases further, and the state transition path tree becomes even larger.
  • The static input/output relationship analysis method is effective when the response time and input/output relationship of each subsystem are static, that is, when it can be assumed that the input to a subsystem uniquely determines an output satisfying the predetermined functional requirements; this assumption does not hold in a dynamic integrated system. It is therefore impractical to apply the static input/output relationship analysis method to a dynamic integrated system, and the problem of failing to detect defects becomes more pronounced.
  • FIG. 12 shows an integrated system in which n subsystems are interconnected.
  • FIG. 13 shows the connection relationship between the list of input/output signals of the integrated system as a whole and the list of internal signals within the integrated system.
  • FIG. 14 shows the list of input/output signals of each subsystem and their connection relationship with the internal signal values in the integrated system. An input to the integrated system as a whole is always an input to one of the subsystems, and an output from the integrated system is always an output from one of the subsystems.
  • FIG. 15 shows the input/output relationship of each subsystem.
  • A state transition rule (transfer function).
  • The internal state values of the integrated system of FIG. 12 can be defined as shown in FIG.
  • The state transition model of the integrated system may be expressed as having a degree of freedom in which these multiple subsystems operate asynchronously and in parallel.
  • State values defined for an actual integrated system inherently change in real time, and are therefore not unconditionally associated with a state transition model in discrete time.
  • If the state value associated with each subsystem is expressed as a digital value, only the update order of the state values associated with the subsystems is extracted, so that the state value transition path of the integrated system that actually changes in real time is associated one-to-one with a state transition path in the discrete-time state transition model, in which state values change at discrete times.
  • The state value may be a continuous (analog) value. In practice, by dividing the continuous state space into sections and assigning a discrete value to each section, the continuous values can be associated one-to-one with discrete values.
  • Subsystem groups in which the state transition rules corresponding to the input/output relationship are implemented in hardware have a sufficiently short input/output response time, because the output value is uniquely determined within a sufficiently short time after the input value is updated. Since these subsystem groups always update their state value at each discrete time, they are associated with the model so that their state values are updated synchronously at each discrete time.
  • A constraint is added on the degree of freedom of the update point of the state value associated with each subsystem.
  • The update order may also be limited to the scheduling order alone.
  • FIG. 17 is an extension of the state transition sequence calculation flow shown in FIG.
  • Steps 1701 to 1703 correspond to steps 901 to 903.
  • A synchronous execution set is constructed to cover the degrees of freedom in the update order of the state values of the subsystems, so that they can be associated with the discrete-time state transition model.
  • The synchronous execution set is the set of subsystems, among the n subsystems constituting the integrated system, whose state values are updated synchronously at a given discrete time. The synchronous execution sets are selected exhaustively and added to the synchronous execution list.
  • The list of subsystems included in the synchronous execution set at each discrete time is decided in consideration of the response time of the subsystems that perform real-time input/output responses, the relative length of each subsystem's response time, and its determinism.
  • In step 1705, for each discrete time t, one synchronous execution set registered in the synchronous execution list is selected, and in step 1706 the state values associated with the subsystems registered in that set are updated. The state values associated with unregistered subsystems are not updated and carry over unchanged. In this way the logical expression W of the constraint between the transition source state value and the transition destination state value is set from the state transition rule and the synchronous execution set at discrete time t.
  • Steps 1706 and 1707 are performed for every synchronous execution set in the synchronous execution list corresponding to discrete time t, generating the logical expressions W of these constraints, and this is done for all discrete times t.
  • In step 1708, the logical sum (disjunction) of the logical expressions obtained for each entry in the synchronous execution list is set as the constraint condition.
  • In step 1709, one synchronous execution set is selected from the synchronous execution list.
  • Step 1710 corresponds to step 906, and step 1711 corresponds to step 907.
  • Step 1711 corresponds to step 908, and step 1712 corresponds to step 909.
  • Step 1714 corresponds to step 910: the logical product (conjunction) of the logical expressions set in steps 1707, 1709, and 1710 to 1713 is formed, and the SAT solver searches for the presence or absence of a state transition sequence that satisfies all the constraints and was declared as an indefinite value in step 1703.
  • Step 1715 corresponds to step 911, and step 1716 corresponds to step 912.
  • An integrated system 1801 as shown in FIG. 18 is targeted, and a method for analyzing a design defect by applying the reverse state transition route search method is shown.
  • The first property is that only one input/output processing operation can be performed at a time. Consequently, when several functional requirements assigned to individual subsystems cannot be executed at the same time, a defect becomes apparent as a conflict between functional requirements, and unspecified input/output becomes apparent as an inconsistent input/output interface.
  • The second property is that the response time is non-deterministic.
  • The functional requirements of the integrated system are realized by operating a plurality of subsystem groups implemented in software in parallel, but since the response time of each subsystem is non-deterministic, the operation of the entire integrated system, which should emerge as the overall behavior of the subsystems, may become indeterminate at the time of system integration. This too can cause trouble.
  • The third property is that the output of the software implementation section becomes unpredictable because of a malfunction of the software itself or an unspecified input. This can make such deficiencies hard to find, especially when a systematically integrated system is tested to verify violations of functional or safety requirements.
  • The design defect analysis apparatus is effective in the situation described above and will be described specifically below.
  • The design defect analysis apparatus targets an integrated system in which a plurality of systems are interconnected, sets the functional requirements that should be satisfied when the integrated system is normal as the start condition, and sets an abnormal condition of the integrated system as the end condition.
  • The state transition path presence/absence determining means determines whether, in the state transition model, a state transition path exists that reaches the initial state value from the final state value. When such a path is determined to exist, it is determined that the integrated system has a design defect.
  • The integrated system 1801 of FIG. 18, the analysis target of the design defect analysis apparatus of this embodiment, is described next.
  • The integrated system 1801 is configured by interconnecting a controller 1803, an actuator 1804, a control target 1806, a sensor 1807, and a safety monitor 1805, and is operated by an operation device 1802.
  • The operation content of the operation device 1802 may be determined by input from the operator or by processing within the operation device 1802.
  • The operation device 1802 and the integrated system 1801 are connected asynchronously via the illustrated interface. Since the operation device 1802 provides input according to an operation procedure prescribed for the operator, or its operation order changes depending on processing within the operation device 1802, it can be expressed as a state transition model whose internal state is assigned for each step of the operation order.
  • the boot signal is a level signal for controlling start / stop of the integrated system.
  • the grant signal is a pulse signal that instructs the start and end of the operation after startup, and the command signal is a pulse signal that issues a control command after the operation starts.
  • the controller When a command signal is input from the operation device 1802 to the controller, the controller that has received the command outputs a control command Control input signal to the actuator.
  • the error signal is a pulse signal related to error information received by the operation device 1802 when an error occurs in the integrated system.
  • the individual subsystems that make up the integrated system have internal states for each operating mode.
  • the input / output response times of the actuator, the controlled object, and the sensor are sufficiently short, it is considered that they operate synchronously in real time.
  • the input / output response of the controller and safety monitor is implemented by software, so the input / output response time is indeterminate. Therefore, these two subsystems and the three subsystems that operate synchronously are interconnected in a state of operating asynchronously with each other.
  • the operation device 1802 has an internal state corresponding to a predetermined operation procedure, changes the state value from Off to the state value Boot, and sets the boot signal to 1. Subsequently, transition is made to the state value Grant, and while the boot signal is kept at 1, 1 is set to the grant signal which is a pulse signal. While the state value is transiting to Operate, an appropriate control command is continuously set to the command signal value.
  • the state is changed to the state value Shutdown, 1 is again set to the grant signal which is a pulse signal, and finally the state value Off is changed to clear the boot signal value to 0.
  • Controller 1803 updates the internal state value to Idle when it receives a boot signal from operation device 1802 when the internal state is in the stopped state (Off). At this time, both the output signals Control_input and monitor_enable are set to 0. When the grant signal is received from the operation device 1802 when the internal state is Idle, the internal state value is changed to Operate and the monitor_enable signal is set to 1.
  • the safety monitor 1805 receives a monitor_enable signal that is a level signal instructing operation start / end from the controller 1803, and changes the internal state value from Off to On. Only when the internal state value is On, the actuator_enable signal, which is a level signal, is set to 1 in order to permit the operation of the actuator.
  • the actuator 1804 transitions the internal state value to On only when the actuator_enable level signal from the safety monitor is set to 1, receives the input signal Control_input from the controller, and outputs the Physical_effect signal.
  • the command signal value received from the operation device 1802 is set in Control_input.
  • the actuator inputs a Physical_effect signal to the controlled object, and the sensor measures the state of the controlled object and outputs a Y_out signal value to the safety monitor.
  • the safety monitor appropriately processes the value received from the sensor and outputs a Y_out_mon signal to the controller.
  • the internal state is changed to Stop, the actuator_enable level signal is cleared to 0, and a Y_out_mon signal informing the controller of the abnormal value is output. At the same time, the internal state is updated to Off so that the actuator cannot continue operating, which ensures the safety of the entire integrated system.
  • the controller continues operating while keeping its internal state at Operate, and if an abnormality is detected it updates the internal state to Error_handling.
  • the grant signal, a pulse signal, is received from the operation device 1802 while the internal state is Operate
  • the internal state is updated to Idle, and the operation ends.
  • the boot signal, a level signal, is set to 0
  • the internal state is updated to Off, the controller stops operating, and the entire integrated system stops.
  • the verifier sets the safety requirement that the entire integrated system remains safe even if a sensor failure occurs, and wants to verify that this is realized. Specifically, suppose the verifier wants to verify that the integrated system is safe because, when the safety monitor detects an abnormal value due to a sensor failure, the error signal value is received from the integrated system and the boot signal value is cleared to 0 according to a predetermined operation procedure, stopping the integrated system.
  • FIG. 19 shows a time chart of the operation sequence, assumed at design time, that satisfies this safety requirement.
  • the operator's internal state State_Operator is designed to transition through Off, Boot, Grant and Operate and, when a sensor failure occurs during operation of the integrated system, through Error_handling, Shutdown and Off, where it ends.
  • FIG. 20 shows how this system analysis apparatus can find that this integrated system may not operate as expected.
  • the verifier sets as the start condition every internal state that can be taken during normal operation without a failure, and sets as the end condition that the operator's internal state State_Operator is Off while the integrated system continues operating, that is, the controller's internal state State_Control is Operate.
  • when the verifier inputs these condition settings to the system analysis device using the input device, the system analysis device performs the analysis according to the procedure shown in FIG.
  • the operation device 1802, the controller 1803, and the safety monitor 1805 are subsystems that can operate asynchronously.
  • a system that responds in real time, such as an actuator or a sensor (and in some cases the controlled object), can also be regarded as one analog subsystem (a real-time response subsystem). Therefore the integrated system 1801 shown in FIG. 18 comprises the controller 1803, the safety monitor 1805 and the real-time response subsystem described above as its subsystems.
  • the operation device 1802 is not a subsystem included in the integrated system 1801, but it can be regarded as a subsystem that operates asynchronously, in that the operator's operation and the integrated system 1801 are asynchronous.
  • These four subsystems may or may not synchronize with each other. When they operate synchronously, they are bundled as one synchronous execution set. As shown in Table 1, there are eight patterns of such synchronous execution sets, and they are registered in the synchronous execution list.
  • the system analysis device outputs the result to the output device in the form of the time chart shown in FIG.
  • in FIG. 20, a state transition route to a final state that satisfies the end-time condition is presented in the form of a time chart.
  • the integrated system 1801 has so many state values that can be taken by its subsystems and by the integrated system as a whole that expressing these state values as a directed graph, as in FIG., becomes complicated.
  • the directed graph and the time chart are essentially the same in the sense that the state value and the state transition path are displayed.
  • each set of signal values in a column obtained by dividing the time chart vertically at each discrete time is shown.
  • such a set represents one state value.
  • This time chart is one of the state transition paths obtained as a result of the reverse-direction state transition path search under the specified start-time and end-time conditions; a plurality of such paths can be obtained from the SAT solver using the same search condition.
  • a time chart corresponding to each state transition path is output.
  • the operation device 1802 sets the grant signal (a pulse signal) to end the operation of the integrated system, a sensor failure occurs in the integrated system, and error information is then sent to the operation device 1802. It can be found that the time point at which the error signal value is set to 1 to transmit the error differs from the assumed update order shown in FIG.
  • the cause of this failure is that the operation device 1802 and the integrated system operate asynchronously with each other, and the operation device 1802 tries to terminate the integrated system before acquiring the error information: there is a degree of freedom in the update order between the process that receives the grant signal from the operation device 1802 and the process that transmits error information to the operation device 1802.
  • the grant pulse received at this point has caused the controller's internal state to transition from Idle to Operate.
  • the operation device 1802 or the operator cannot know this, and proceeds to change the controller state value State_Control from Operate to Idle and clear the boot signal value to 0 in order to stop the operation.
  • the controller whose state value State_Control has transitioned to Operate cannot reach the state Off even though it acquires that the boot signal, a level signal from the operation device 1802, is 0.
  • the state value Operate is therefore maintained. From the generated time chart it becomes clear that the above-mentioned safety requirement has been violated.
  • the grant signal value has been implemented as a pulse signal.
  • the autonomous operation device of this embodiment includes a system analysis device as described in the other embodiments and an integrated system in which a plurality of systems are interconnected, and detects a system failure during operation of the integrated system.
  • It comprises failure detection means for detecting such a failure, constraint condition addition means for adding the exclusion of the failed system as a constraint condition, and operation continuity determination means for determining, by means of the system analysis device, whether operation can continue in a state in which the failed system is excluded.
  • a condition that the integrated system satisfies when it is normal is set as the start condition, an abnormal state of the integrated system caused by a system failure is set as the end condition, and the operation continuity determination means determines that operation can be continued if the state transition path presence/absence determination means determines that there is a state transition path reaching the initial state value from the final state value.
  • FIG. 21 shows a state transition graph of the entire integrated system, including the process from the stopped state through the state transitions of normal operation, and the states satisfying the end conditions END1 and END2 that correspond to hazards caused by subsystem failures.
  • Suppose it has been verified through the failure analysis shown in Example 3 that, for the combinations of subsystem failures assumed at design time, there is no state transition path reaching a state that satisfies the end conditions END1 and END2.
  • FIG. 22 shows a specific determination procedure.
  • In step 2201 the failed subsystem k is first identified. Subsequently, in steps 2202 and 2203, a constraint condition REMOVE_FAULT that designates a state (for example, a stopped state) that eliminates the influence of the failed subsystem k is set. In the subsequent processing it is then determined whether operation can continue while the influence of subsystem k is eliminated.
  • In step 2204 the possibility of activation is determined: that is, it is determined whether there exists a state transition sequence X(t) that satisfies the start-process start condition from the stopped state and then remains in a state from which the normal operation state cannot be reached.
  • the detailed processing procedure is as described in FIG. If there is a state transition sequence that satisfies the constraints described in step 2204, startup may not be possible, so it is determined that operation cannot be continued; the process transitions to step 2208 and ends. Conversely, if there is no such state transition sequence, it can be seen that the startup process can always be started, at least from the stopped state.
  • In step 2205 it is determined whether there exists a state transition sequence X(t) that satisfies the stop-process start condition from the normal operation state and then remains in a state from which the stopped state cannot be reached.
  • If there is a state transition sequence that satisfies the constraint condition described in step 2205, a safe stop may not be possible; therefore the process proceeds to step 2208 and ends.
  • Otherwise, it can be seen that the stop process can always be completed, at least from the normal operation state.
  • In step 2206 it is determined whether there is a state transition sequence that causes a safety requirement violation corresponding to hazard conditions 1 and 2.
  • If there is a state transition sequence that satisfies the constraints described in step 2206, it is determined that operation cannot be continued, because a transition to a hazard state during normal operation is possible, and the process ends.
  • Conversely, if there is no state transition sequence that satisfies the constraint conditions described in step 2206, it can be seen that no hazard occurs, at least during normal operation.
  • In step 2207 it is determined whether normal operation can be continued.
  • The detailed processing procedure is as described in FIG. If there is a state transition sequence that satisfies the constraints described in step 2207, normal operation may be interrupted by a deviation from the normal operation state during operation, and the process ends.
  • Otherwise normal operation can be continued, so a transition is made to step 2209, which starts the series of startup processes that restart the operation. Automatic recovery ends when the normal operation state is reached.
  • FIG. 23 shows a specific procedure for constructing a constraint condition to be evaluated in step 2204.
  • In step 2301 a constraint condition instructing activation of the integrated system is set.
  • In step 2302 a constraint condition NORM2 that defines the stopped state and a constraint condition NORM3 that defines the startup process state are set, and it is determined whether there is a state transition sequence satisfying these constraint conditions. If there is no satisfying solution, the process proceeds to step 2306 and ends.
  • In step 2304 it is determined, using a SAT solver, whether there are one or more state values that, in addition to excluding the failure condition of subsystem k, do not satisfy the constraint conditions corresponding to hazard conditions 1 and 2 and satisfy the constraint condition giving the normal operation state.
  • If there is no state value that satisfies the constraint conditions described in step 2304, the process proceeds to step 2306 and ends.
  • Otherwise the process proceeds to step 2305.
  • In step 2305, with the failed subsystem k excluded, it is determined whether there is a state transition sequence in which, after startup, a state from which the normal operation state cannot be reached continues.
  • FIG. 24 shows a specific procedure for constructing the constraint condition to be evaluated in step 2205.
  • In step 2401 a constraint condition instructing a stop of the integrated system is set.
  • In step 2402 the presence or absence of a state value corresponding to the normal operation state that does not satisfy the constraint conditions corresponding to hazard conditions 1 and 2 is determined, with the failed subsystem k excluded.
  • In step 2403 it is determined whether there is a state value corresponding to a stopped state that does not satisfy hazard conditions 1 and 2, with the failed subsystem k excluded.
  • If it is found that no such state value exists, the system cannot be stopped safely, so the process proceeds to step 2405 and ends.
  • In step 2404 the presence or absence is determined of a state transition sequence that, with the failed subsystem k excluded, remains in a normal stop state not satisfying hazard conditions 1 and 2 without reaching the safe stopped state not satisfying hazard conditions 1 and 2.
  • FIG. 25 shows a specific procedure for constructing the constraint condition to be evaluated in step 2206.
  • In step 2501 the presence or absence of a state value in the normal operation state that does not satisfy hazard conditions 1 and 2 is determined, with the failed subsystem k excluded.
  • If there is no such state value, the process proceeds to step 2504 and ends.
  • In step 2502 it is determined whether there is a state value that, with the failed subsystem k excluded, satisfies hazard condition 1 or 2 rather than the normal operation state.
  • If there is no such state value, there is no state satisfying a hazard condition in the first place, so the process proceeds to step 2505 and ends.
  • FIG. 26 shows a specific procedure for constructing the constraint condition to be evaluated in step 2207.
  • In step 2601 it is determined whether there is a state value corresponding to a normal operation state that does not satisfy hazard conditions 1 and 2, with the failed subsystem k excluded.
  • If no such state value exists, the process proceeds to step 2603 and ends.
  • In step 2602 the presence or absence is determined of a state transition path that, with the failed subsystem k excluded and under the additional condition that the input instructing the start of the stop process is not set, deviates from the normal operation state not satisfying hazard conditions 1 and 2.
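The operation-continuity decision of FIG. 22, with each check built from its own constraint set as FIGs. 23 to 26 describe, as an added example that is not the patent's code. The toy integrated system (a controller with two redundant sensors A and B), the single hazard condition used in place of hazard conditions 1 and 2, and the encoding of REMOVE_FAULT as pinning the failed subsystem to Stopped are assumptions chosen for this illustration; explicit-state reachability stands in for the SAT solver.

```python
"""Automatic-recovery decision of FIG. 22 on a toy integrated system.
Added example, not code from the patent; the model and the hazard condition are
assumptions (see the lead-in).  A state is (controller, sensor A, sensor B, stop_requested)."""
from typing import FrozenSet, Iterable, Optional, Set, Tuple

St = Tuple[str, str, str, bool]
STOPPED: St = ("Off", "Off", "Off", False)


def remove_fault(s: St, excluded: FrozenSet[str]) -> St:
    """REMOVE_FAULT: the failed subsystem is pinned to Stopped so it can no longer act."""
    c, a, b, r = s
    return (c, "Stopped" if "A" in excluded else a, "Stopped" if "B" in excluded else b, r)


def successors(s: St, excluded: FrozenSet[str], allow_stop_request: bool) -> Set[St]:
    """Transition rules of the toy system.  allow_stop_request=False is the additional
    constraint that the input starting the stop process is not set."""
    c, a, b, r = s
    nxt = []
    if c == "Off" and not r:
        nxt.append(("Starting", a, b, r))                    # activation instruction
    elif c == "Starting":
        if a == "Off":
            nxt.append(("Starting", "On", b, r))
        if b == "Off":
            nxt.append(("Starting", a, "On", r))
        if "On" in (a, b):
            nxt.append(("Operate", a, b, r))                 # needs at least one live sensor
    elif c == "Operate":
        if allow_stop_request and not r:
            nxt.append(("Operate", a, b, True))              # operator asks for a stop
        if r:
            nxt.append(("Stopping", a, b, r))
    elif c == "Stopping":
        if a == "On":
            nxt.append(("Stopping", "Off", b, r))
        elif b == "On":
            nxt.append(("Stopping", a, "Off", r))
        else:
            nxt.append(("Off", a, b, False))
    return {remove_fault(t, excluded) for t in nxt}


def reach(start: St, excluded: FrozenSet[str], allow_stop_request: bool) -> Set[St]:
    """All states reachable from start under the given constraints."""
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        for n in successors(s, excluded, allow_stop_request):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


def is_normal(s: St) -> bool:   # normal operation: controlling with a live sensor
    return s[0] == "Operate" and "On" in s[1:3]


def is_hazard(s: St) -> bool:   # hazard (stands in for hazard conditions 1 and 2): controlling blind
    return s[0] == "Operate" and "On" not in s[1:3]


def is_stopped(s: St) -> bool:
    return s[0] == "Off"


def can_continue(excluded: Iterable[str]) -> Tuple[bool, Optional[str]]:
    """Steps 2204 to 2207 of FIG. 22 with subsystems `excluded` removed by REMOVE_FAULT.
    Returns (True, None) if autonomous operation may resume, else (False, failing step)."""
    ex = frozenset(excluded)
    stop = remove_fault(STOPPED, ex)
    # 2204: after the activation instruction, no reachable state is unable to reach normal operation
    for x in reach(stop, ex, False):
        if not any(is_normal(y) for y in reach(x, ex, False)):
            return False, "2204"
    everything = reach(stop, ex, True)
    # 2205: from normal operation with a stop request, every reachable state can still reach a stop
    for n in (s for s in everything if is_normal(s) and s[3]):
        for y in reach(n, ex, True):
            if not any(is_stopped(z) for z in reach(y, ex, True)):
                return False, "2205"
    # 2206: no hazard state is reachable at all
    if any(is_hazard(s) for s in everything):
        return False, "2206"
    # 2207: without a stop request, normal operation never deviates
    for n in (s for s in everything if is_normal(s) and not s[3]):
        if not all(is_normal(y) for y in reach(n, ex, False)):
            return False, "2207"
    return True, None


if __name__ == "__main__":
    for failed in (set(), {"A"}, {"A", "B"}):
        print(sorted(failed), "->", can_continue(failed))
```

With sensor A alone excluded every check passes and the device would proceed to step 2209 and restart; with both sensors excluded the startup check of step 2204 already fails, because the Starting state can never reach Operate, so the device reports that operation cannot be continued.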
  • By adding the failure mode defined for each subsystem to the operation mode, design failure analysis, failure mode effect analysis and fault tree analysis of the integrated system can be performed without the false detections and missed detections that were a problem in the static input/output relationship analysis method.
  • the operator operates the autonomous operation device described in the fourth embodiment via the operation device, and the operator and the autonomous operation device cooperate to continue operation in the event of a subsystem failure.
  • the autonomous operation control system of the present embodiment includes an autonomous operation device and an operation device that operates it. If the operation continuity determination means determines that the autonomous operation device cannot continue operating, an error signal is transmitted to the operation device; if it determines that operation can continue, a warning signal is transmitted to the operation device and autonomous operation continues.
  • a vehicle having an automatic traveling function may be an autonomous operation device, and a passenger may be an operator.
  • a construction work machine that operates via a communication path for remote control may be an autonomous operation device, and a worker in a remote location may be an operator.
  • FIG. 28 shows operation modes of the operator and the integrated system.
  • the integrated system has three types of operation modes as an internal state: an autonomous operation mode, a manual operation mode, and a stop state.
  • the operation device monitors the integrated system while the internal state is the autonomous operation mode, waits while the internal state is the stopped state, and inputs operations into the integrated system while the internal state is the manual operation mode.
  • the operation device can input an instruction to stop the operation as necessary, and can transition the internal state of the integrated system to the stop state.
  • When a subsystem failure occurs while the integrated system is in the autonomous operation mode, it is determined, using the automatic recovery function of the autonomous operation device described in the fourth embodiment and shown in FIG., whether autonomous operation can continue despite the failure of a subsystem constituting the integrated system. When operation cannot be continued, the autonomous operation device transmits a stop request as one form of error information, and the operation device, in the standby or monitoring state, starts a manual operation to stop the integrated system.
  • When operation can be continued, the autonomous operation device completes the automatic recovery process, transmits warning information to the operation device, and then continues autonomous operation.
  • the operator may stop the integrated system as necessary.
  • the present invention can be used for safety analysis of highly reliable redundant computer systems with fault-tolerant functions and of large-scale control systems that integrate electrical, mechanical and information control systems. It can also be used to identify the root factors that cause defects in integrated hardware and software design environments, especially for the analysis of design defects. Furthermore, it can be used for the function that automatically diagnoses the cause of a failure, treats that cause, and automatically restores the system state so as to continue operation after a subsystem constituting the autonomous operation device has suffered an unspecified failure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

 The object of the present invention is to provide a system analysis device capable of appropriately analysing a system in which input/output relationships are determined dynamically. The present invention, for a system in which an internal state changes in response to an input and the output for that input changes in response to the change of the internal state, comprises: state transition model construction means for constructing, on the basis of the system's state transition rules, a state transition model comprising a plurality of state values the system can take and the transition paths between the state values; initial state value setting means for setting, among the plurality of state values, an initial state value that satisfies a prescribed start-time condition; final state value setting means for setting, among the plurality of state values, a final state value that satisfies a prescribed end-time condition; and state transition path presence determination means for determining whether a state transition path reaching the initial state value from the final state value is present in the state transition model.
PCT/JP2014/051178 2014-01-22 2014-01-22 Dispositif d'analyse de système, dispositif d'analyse de vice de conception, dispositif d'analyse de mode de défaillance, dispositif d'analyse par arbre de défaillances, dispositif d'action autonome et système de commande d'action autonome Ceased WO2015111142A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/JP2014/051178 WO2015111142A1 (fr) 2014-01-22 2014-01-22 Dispositif d'analyse de système, dispositif d'analyse de vice de conception, dispositif d'analyse de mode de défaillance, dispositif d'analyse par arbre de défaillances, dispositif d'action autonome et système de commande d'action autonome
CN201480073114.7A CN105917316B (zh) 2014-01-22 2014-01-22 系统解析装置、设计不当解析装置、故障模式解析装置、故障树解析装置、自主动作装置及自主动作控制系统
JP2015558626A JPWO2015111142A1 (ja) 2014-01-22 2014-01-22 システム解析装置、設計不良解析装置、故障モード解析装置、故障ツリー解析装置、自律動作装置及び自律動作制御システム

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2014/051178 WO2015111142A1 (fr) 2014-01-22 2014-01-22 Dispositif d'analyse de système, dispositif d'analyse de vice de conception, dispositif d'analyse de mode de défaillance, dispositif d'analyse par arbre de défaillances, dispositif d'action autonome et système de commande d'action autonome

Publications (1)

Publication Number Publication Date
WO2015111142A1 true WO2015111142A1 (fr) 2015-07-30

Family

ID=53680974

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/051178 Ceased WO2015111142A1 (fr) 2014-01-22 2014-01-22 Dispositif d'analyse de système, dispositif d'analyse de vice de conception, dispositif d'analyse de mode de défaillance, dispositif d'analyse par arbre de défaillances, dispositif d'action autonome et système de commande d'action autonome

Country Status (3)

Country Link
JP (1) JPWO2015111142A1 (fr)
CN (1) CN105917316B (fr)
WO (1) WO2015111142A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016039076A1 (fr) * 2014-09-11 2016-03-17 日立オートモティブシステムズ株式会社 Dispositif d'inspection de programme, dispositif d'inspection de logiciel, données de contrainte de satisfaction et support d'informations
WO2021038826A1 (fr) * 2019-08-30 2021-03-04 株式会社日立製作所 Dispositif de construction de modèle de transition d'état et système autonome
CN115577577A (zh) * 2022-12-09 2023-01-06 中国人民解放军军事科学院系统工程研究院 一种计算系统的可靠性评估方法和系统
JP2024011427A (ja) * 2022-07-14 2024-01-25 株式会社日立製作所 自律制御装置

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113435794B (zh) * 2021-08-26 2021-11-19 山东大拇指喷雾设备有限公司 一种基于图像处理的喷嘴铸件后处理智能监测方法

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS63196944A (ja) * 1987-02-12 1988-08-15 Hitachi Ltd ル−ル検証方式
JPH0695881A (ja) * 1992-09-16 1994-04-08 Kawasaki Heavy Ind Ltd 機械装置類故障診断エキスパートデータ用ルールベース作成システム
JP2010181212A (ja) * 2009-02-04 2010-08-19 Toyota Central R&D Labs Inc 故障診断システム、故障診断方法

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6408262B1 (en) * 1998-03-27 2002-06-18 Iar Systems A/S Method and an apparatus for analyzing a state based system model
US8234522B2 (en) * 2008-09-04 2012-07-31 Telcordia Technologies, Inc. Computing diagnostic explanations of network faults from monitoring data
CN103412224B (zh) * 2013-08-23 2016-06-22 哈尔滨工业大学 基于定性模型的电气系统建模方法以及故障诊断系统


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SATOSHI HIRATSUKA ET AL.: "On-Board Diagnosis Chip for Enbedded Systems", EMBEDDED SYSTEMS SYMPOSIUM 2007 RONBUNSHU, vol. 2007, no. 8, 18 October 2007 (2007-10-18), pages 185 - 192 *


Also Published As

Publication number Publication date
CN105917316A (zh) 2016-08-31
CN105917316B (zh) 2018-11-16
JPWO2015111142A1 (ja) 2017-03-23

Similar Documents

Publication Publication Date Title
CN105974879B (zh) 数字仪控系统中的冗余控制设备、系统及控制方法
US9172589B2 (en) Method for configuring a distributed avionics control system
EP2137583B1 (fr) Détection et empêchement de défauts en ligne dans des systèmes de commande d'usine distribués
US9405644B2 (en) Redundant automation system
KR20190079809A (ko) 결함 주입 테스트 장치 및 그 방법
WO2015111142A1 (fr) Dispositif d'analyse de système, dispositif d'analyse de vice de conception, dispositif d'analyse de mode de défaillance, dispositif d'analyse par arbre de défaillances, dispositif d'action autonome et système de commande d'action autonome
US10520935B2 (en) Distributed control system, control device, control method, and computer program product
RU2413975C2 (ru) Способ и вычислительная система отказоустойчивой обработки информации критических функций летательных аппаратов
EP3940474A1 (fr) Système de commande
CN103959251A (zh) 模拟执行方法、程序和系统
JP6343071B2 (ja) システム解析装置、設計不良解析装置、故障モード解析装置、故障ツリー解析装置、自律動作装置及び自律動作制御システム
Ye et al. Predictability analysis of distributed discrete event systems
Wang et al. Reliability analysis for flight control systems using probabilistic model checking
CN106339553B (zh) 一种空间飞行器的重构飞行控制方法及系统
KR102023164B1 (ko) 알티오에스 마이컴의 오에스 태스크의 모니터링 방법
CN106445852B (zh) 一种基于自监控架构的任务间通讯装置与方法
Pattanaik et al. Recovery and reliability prediction in fault tolerant automotive embedded system
Yang et al. A combination method for integrated modular avionics safety analysis
KR20120102240A (ko) 이중화 plc 시스템 및 이의 데이터 동기화 방법
Grichi et al. ROCL: New extensions to OCL for useful verification of flexible software systems
Sirjani et al. Actors for Timing Analysis of Distributed Redundant Controllers
Alho et al. Software fault detection and recovery in critical real-time systems: An approach based on loose coupling
Pignal An analysis of hardware and software availability exemplified on the IBM 3725 communication controller
Swern et al. The effects of latent faults on highly reliable computer systems
Dong et al. Safety simulation and analysis for complex systems concurrency based on petri net and stateflow model

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14879300

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2015558626

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14879300

Country of ref document: EP

Kind code of ref document: A1