JP5157844B2 - Fault location identification system, fault location identification method - Google Patents

Description

  The present invention relates to a failure location specifying system and a failure location specifying method for specifying a failure location of a cooperative system in which a plurality of components mutually transmit and receive data and operate in cooperation.

  In recent years, in a collaborative system in which a plurality of components operate in cooperation with each other, it has become difficult to specify a fault location as the system becomes larger. As a cooperation system, there exists a vehicle-mounted system mounted in a vehicle, for example. In an in-vehicle system, a plurality of ECUs (Electronic Control Units) transmit and receive data to and from each other via a network such as a CAN (Controller Area Network) and operate in cooperation. Therefore, when a certain ECU fails, the abnormality propagates to other ECUs, and it is difficult to specify which ECU is broken.

In view of this, a mechanism for identifying a fault location in an in-vehicle system has been considered (see Patent Document 1). In the mechanism in Patent Document 1, when an abnormality diagnosis result obtained by self-diagnosis by a plurality of ECUs is stored and an abnormality diagnosis result read command is received from the outside, an input abnormality from another ECU is indicated in the abnormality diagnosis result. Check whether the information shown is included. And when the information which shows the input abnormality from other ECU is contained, the command for reading the abnormality diagnosis result which the said other ECU memorize | stored is transmitted with respect to the said other ECU, The diagnosis result obtained from the other ECU is transmitted to the transmission source of the abnormality diagnosis result read command.
JP 2006-335150 A

  However, with the mechanism shown in Patent Document 1, for example, the failure location cannot be accurately specified in the following cases.

  FIG. 22 is a schematic diagram illustrating an example of a system configuration. Boxes A, B, C, and D indicate ECUs. An arrow indicates a data flow. In the example shown in FIG. 22, there are three data flows A to B, B to C, and C to D. Here, consider a case where A fails and D is requested for an abnormality diagnosis result. At this time, it can be determined that the data flow from A to B and the data flow from C to D are abnormal, but the data flow from B to C cannot be determined. In this case, in the mechanism shown in Patent Document 1, the diagnosis result of C is returned where the diagnosis result of A should be returned. In this case, it is determined that there is no possibility of failure of A and B, and the failure location is unsuccessful.

  FIG. 23 is a schematic diagram showing an example of a system configuration different from FIG. In the example shown in FIG. 23, there are four data flows A to B, B to D, D to C, and C to B. Data is cyclically exchanged between the three ECUs B, D, and C. Here, let us consider a case where an abnormality diagnosis result is requested to D. In the mechanism shown in Patent Document 1, an input abnormality from another ECU is traced, and the process falls into an infinite loop. That is, when a request for an abnormality diagnosis result is made, D determines that information indicating an input abnormality from B is included, and transmits a command for reading the abnormality diagnosis result to B. In response to this, B determines that information indicating information indicating an input abnormality from C is included, and transmits a command for reading an abnormality diagnosis result to C. In response to this, C determines that information indicating information indicating an input abnormality from D is included, and transmits a command for reading an abnormality diagnosis result to D. Thereafter, D, B, and C cannot repeat these processes to determine an ECU that should return a diagnosis result. Therefore, no information can be obtained that leads to the identification of the failure location.

  The present invention has been made in view of the above-described problems, and its purpose is to provide all of the information necessary for specifying a fault location in a cooperative system in which a plurality of components transmit and receive data to each other and operate in a coordinated manner. It is to provide a failure location identification system or the like that can present appropriate information that leads to the identification of a failure location even in a situation that has not been obtained. It is another object of the present invention to provide a failure location specifying system that can present appropriate information that leads to the identification of a failure location, regardless of the system configuration of the cooperative system.

In order to achieve the above-described object, the first invention is a failure location identification system for identifying a failure location of a cooperative system in which a plurality of components transmit and receive data to each other and operate in cooperation with each other. A logical relationship extraction apparatus comprising: system configuration input means for inputting a configuration; and first logical expression extraction means for extracting a first logical expression indicating a universal relationship of the configurations input by the system configuration input means And data flow collecting means for collecting data flows during operation of the cooperative system, and determining whether or not the data flow collected by the data flow collecting means is normal, and extracting the determination result as a second logical expression A data flow monitoring device comprising: a second logical expression extracting means; and the first logical expression and the second logical expression as constraint conditions, Nento failure place specifying means for specifying the failure location based on the evaluation function including a binary variable indicating the success or failure, and the failure place specifying device comprising a, Ri Tona, the evaluation function, the predetermined The failure location system further includes a failure probability of a component, and is an overall probability when each component is assumed to fail independently .

In the first invention, it is desirable that the first logical expression extraction unit searches each component and extracts, as the first logical expression, a relationship in which the output is normal if the component is normal and the input is normal.
Further, the first logical expression extracting means in the first invention searches the circulation part of the data flow from the configuration of the cooperative system, and the components of the circulation part from the components in which all the components of the circulation part are normal and not the circulation part. It is desirable to extract the relationship that the output from the component in the circulation portion is normal if all the inputs to are normal, as the first logical expression.

A second invention is a failure location identification method for identifying a failure location of a cooperative system in which a plurality of components transmit and receive data to each other and operate in cooperation with each other, and a system configuration input step for inputting the configuration of the cooperative system; A first logical expression extracting step for extracting a first logical expression indicating a universal relationship of the configuration input by the system configuration input step, and a data flow collection for collecting a data flow during operation of the cooperative system A second logical expression extracting step for determining whether or not the data flow collected by the data flow collection means is normal, and extracting a determination result as a second logical expression; and the first logical expression and Using the second logical expression as a constraint condition, the failure location is specified based on an evaluation function including a binary variable indicating whether each component is normal or failure. Seen including a fault location identifying step, the of the evaluation function further comprises a failure probability of each component to a predetermined fault, characterized in that an overall probability on the assumption that each component fails independently It is a location identification method.

  According to the present invention, in a collaborative system in which a plurality of components transmit and receive data to each other and operate in a coordinated manner, it is possible to specify a fault location even in a situation where not all information necessary for specifying the fault location is obtained. It is possible to provide a failure location identifying system that can present appropriate information to be connected. Moreover, it is possible to provide a failure location specifying system or the like that can present appropriate information that leads to the identification of a failure location regardless of the system configuration of the cooperative system.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

<First Embodiment>
First, the first embodiment will be described.
FIG. 1 is a diagram showing a schematic configuration of a failure location specifying system 1. The failure location specifying system 1 is a system for specifying a failure location of a cooperative system in which a plurality of components mutually transmit and receive data and operate in cooperation. As a cooperative system, a system with a large scale (= the number of components is large) such as an in-vehicle system described later with reference to FIGS. 2 and 3 is assumed.

  As shown in FIG. 1, the failure location specifying system 1 includes a logical relationship extracting device 3, a data flow monitoring device 5, a failure location specifying device 7, and the like. The processing results of the logical relationship extraction device 3 and the data flow monitoring device 5 are used by the failure location specifying device 7. The failure location specifying device 7 presents appropriate information that leads to the specification of the failure location to the user.

  The logical relationship extraction device 3 extracts a logical relationship from the system configuration to be diagnosed. The logical relationship is expressed as a logical expression using logical operators (∧ (and), ∨ (or), ¬ (not), → (if), etc.). The data flow monitoring device 5 monitors the data flow during operation of the diagnosis target cooperative system. The failure location identification device 7 identifies the failure location based on the processing results of the logical relationship extraction device 3 and the data flow monitoring device 5.

  FIG. 2 is a diagram illustrating an in-vehicle system 11 that is an example of a cooperative system. As shown in FIG. 2, the in-vehicle system 11 includes a sensor 13, an ECU 15 (data processing device), an actuator 17, and the like. In the in-vehicle system 11, sensor values from the sensor 13 are input, and a plurality of ECUs 15 operate in cooperation by transmitting and receiving data to and from each other via an in-vehicle network such as a CAN (Controller Area Network), and are controlled by the actuator 17. Output a signal. In the present invention, the sensor 13, the ECU 15, and the actuator 17 are not distinguished. The sensor 13 is a component having no input and an output, the ECU 15 is a component having an input and an output, and the actuator 17 is a component having an input and no output. In the in-vehicle system 11, data flowing on the in-vehicle network is a data flow monitored by the data flow monitoring device 5.

  FIG. 3 is a diagram illustrating an in-vehicle system 21 that is an example of a cooperative system. As shown in FIG. 3, the in-vehicle system 21 includes a sensor 23, an ECU 25, an actuator 29, and the like. The ECU 25 has an OS (Operation System) and executes a task 27 managed by the OS. In the in-vehicle system 21, the task 27 is a component, and the data transferred in the shared memory is a data flow monitored by the data flow monitoring device 5. In the in-vehicle system 21, the data flow monitoring device 5 may be an ECU 25. That is, the ECU 25 may be configured to execute the task 27 for monitoring the data in the shared memory.

  Components included in the in-vehicle system such as the in-vehicle system 11 and the in-vehicle system 21 described above usually have a function of detecting that the data flow related to itself is abnormal. When a plurality of components operate in cooperation with each other, if a certain component fails, an abnormality is propagated to other components. Due to this abnormal propagation, it may be detected that a component that has not failed is also abnormal, and the failure location cannot be identified. The present invention is particularly useful in an in-vehicle system having such characteristics.

  FIG. 4 is a hardware configuration diagram of a computer that implements the logical relationship extraction device 3. Note that the hardware configuration in FIG. 4 is merely an example, and various configurations can be adopted depending on the application and purpose.

  In the logical relationship extraction device 3, a control unit 31, a storage unit 32, a media input / output unit 33, a communication control unit 34, an input unit 35, a display unit 36, a peripheral device I / F unit 37, etc. are connected via a bus 38. Is done.

  The control unit 31 includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like.

The CPU calls a program stored in the storage unit 32, ROM, recording medium or the like to a work memory area on the RAM, executes it, drives and controls each device connected via the bus 38, and the logical relationship extraction device 3 The process to be described later is realized.
The ROM is a non-volatile memory and permanently holds a computer boot program, a program such as BIOS, data, and the like.
The RAM is a volatile memory, and temporarily stores a program, data, and the like loaded from the storage unit 32, ROM, recording medium, and the like, and includes a work area used by the control unit 31 for performing various processes.

The storage unit 32 is an HDD (hard disk drive), and stores a program executed by the control unit 31, data necessary for program execution, an OS (operating system), and the like. With respect to the program, a control program corresponding to an OS (operating system) and an application program for causing a computer to execute processing described later are stored.
Each of these program codes is read by the control unit 31 as necessary, transferred to the RAM, read by the CPU, and executed as various means.

The media input / output unit 33 (drive device) inputs / outputs data, for example, a CD drive (-ROM, -R, -RW, etc.), DVD drive (-ROM, -R, -RW, etc.), MO drive, etc. And other media input / output devices.
The communication control unit 34 has a communication control device, a communication port, and the like, is a communication interface that mediates communication between the computer and the network 39, and controls communication with other computers via the network 39.

The input unit 35 inputs data and includes, for example, a keyboard, a pointing device such as a mouse, and an input device such as a numeric keypad.
An operation instruction, an operation instruction, data input, and the like can be performed on the computer via the input unit 35.
The display unit 36 includes a display device such as a CRT monitor and a liquid crystal panel, and a logic circuit (such as a video adapter) for realizing a video function of the computer in cooperation with the display device.

The peripheral device I / F (interface) unit 37 is a port for connecting a peripheral device to the computer, and the computer transmits and receives data to and from the peripheral device via the peripheral device I / F unit 37. The peripheral device I / F unit 37 is configured by USB, IEEE 1394, RS-232C, or the like, and usually includes a plurality of peripheral devices I / F. The connection form with the peripheral device may be wired or wireless.
The bus 38 is a path that mediates transmission / reception of control signals, data signals, and the like between the devices.

  FIG. 5 is a hardware configuration diagram of the data flow monitoring device 5. Note that the hardware configuration in FIG. 5 is merely an example, and various configurations can be employed depending on the application and purpose.

  As shown in FIG. 5, the data flow monitoring device 5 includes a control unit 51, a storage unit 52, a communication interface 53, and the like.

  The controller 51 includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like.

The CPU calls and executes a program stored in the storage unit 52, ROM, recording medium, or the like in a work memory area on the RAM, and drives and controls the entire data flow monitoring device 5.
The ROM is a non-volatile memory and permanently holds programs, data, and the like necessary for processing.
The RAM is a volatile memory, and temporarily stores a program, data, and the like loaded from the storage unit 52, the ROM, and the like, and includes a work area used by the control unit 51 for performing various processes.

The storage unit 52 stores a program executed by the control unit 51, data necessary for program execution, an OS (operating system), and the like.
Each of these program codes is read by the control unit 51 as necessary, transferred to the RAM, read by the CPU, and executed as various means.

  The communication interface 53 mediates communication between the data flow monitoring device 5 and an in-vehicle network 54 such as CAN. For example, when monitoring the data flow of the in-vehicle system 21, the data flow monitoring device 5 monitors data flowing through the in-vehicle network 54.

The hardware configuration of the failure location specifying device 7 includes a display unit in addition to the hardware configuration of the data flow monitoring device 5 when the failure location specifying device 7 is mounted on a vehicle. In this case, the processing result of the logical relationship extraction device 3 is stored in the storage unit 52 in advance. The processing result of the data flow monitoring device 5 is input via the in-vehicle network 54.
On the other hand, when the failure location specifying device 7 is not mounted on the vehicle, the hardware configuration of the failure location specifying device 7 is the same as the hardware configuration of the logical relationship extraction device 3. In this case, the processing results of the logical relationship extraction device 3 and the data flow monitoring device 5 are input via media, a network, or the like.
Hereinafter, the hardware configuration of the failure location specifying device 7 will be described as being similar to the hardware configuration of the logical relationship extracting device 3.

  Hereinafter, the details of the operations of the logical relationship extraction device 3, the data flow monitoring device 5, and the failure location specifying device 7 will be described with reference to FIGS.

First, details of the operation of the logical relationship extraction device 3 will be described.
The logical relationship extraction device 3 includes a system configuration input unit that inputs a system configuration to be diagnosed, and a logical formula extraction unit that extracts a logical formula indicating a universal relationship of configurations input by the system configuration input unit.

  FIG. 6 is a diagram illustrating an example of a system configuration of a diagnosis target according to the first embodiment. As shown in FIG. 6, in the present embodiment, four components operate in cooperation in series. Component A outputs data flow d1, and component B inputs data flow d1. Component B outputs data flow d2, and component C inputs data flow d2. Component C outputs data flow d3, and component D inputs data flow d3.

  FIG. 7 is a diagram illustrating a logical expression related to FIG. In FIG. 7, a logical expression (an expression using the logical operators ∧ (and), ∨ (or), ¬ (not), → (if), etc.) showing the universal relationship of the system configuration shown in FIG. It is shown. The control unit 31 (logical expression extraction unit) of the logical relationship extraction device 3 searches each component from the system configuration information input by the system configuration input unit, and if “component is normal” and “input is normal”. The relationship “output is normal” is extracted as a logical expression. However, for a component with no input, if “component is normal”, the relationship “output is normal” is extracted as a logical expression. In addition, a logical expression is not extracted for a component with no output.

  In the example of FIG. 7, the control unit 31 of the logical relationship extraction device 3 searches for the component A, and if “component A is normal”, extracts the relationship “data flow d1 as output is normal” as the logical expression 101. . Next, the control unit 31 of the logical relationship extraction device 3 searches for the component B. If “the component B is normal” and “the data flow d1 as input is normal”, “the data flow d2 as output is normal”. The relationship is extracted as a logical expression 102. Next, the control unit 31 of the logical relationship extraction device 3 searches for the component C. If “the component C is normal” and “the input data flow d2 is normal”, “the output data flow d3 is normal”. The relationship is extracted as a logical expression 103.

  Then, the control unit 31 of the logical relationship extraction device 3 converts the logical expression 101 into the logical expression 104 according to the trivial equation “X → Y = ¬X∨Y”. This conversion is for making the data easy to handle for the failure location device 7. Next, the control unit 31 of the logical relationship extraction device 3 uses the trivial equations “X → Y = ¬X∨Y” and “¬ (X∧Y) = ¬X∨¬Y” (De Morgan's law). Thus, the logical expression 102 is converted into the logical expression 105. Similarly, the control unit 31 of the logical relationship extraction device 3 converts the logical expression 103 into the logical expression 106. The logical expressions 104 to 106 are used by the failure location specifying device 7 as logical expressions indicating a universal relationship of the system configuration.

Next, details of the operation of the data flow monitoring device 5 will be described.
The data flow monitoring device 5 determines whether or not the data flow collected by the data flow collecting unit and the data flow collecting unit that collect the data flow during operation of the cooperative system is normal, and extracts the determination result as a logical expression. A logical expression extraction unit is provided. The logical expression extraction unit has a determination criterion for determining whether or not each data flow is normal. The criterion is whether the data is included in a normal range (for example, if it is numeric data, whether it is included in the range of -10 to 10), and whether the data is generated in a normal cycle. (For example, whether it occurs every 50 msec) or the like.

  FIG. 8 is a diagram showing the determination result of the data flow related to FIG. FIG. 8 shows the determination result of the data flow collected during operation of the system shown in FIG. FIG. 9 is a diagram illustrating a logical expression related to FIG.

  In the example shown in FIG. 8, the control unit 51 (data flow monitoring means) of the data flow monitoring device 5 determines that the data flow d1 and the data flow d3 are abnormal data flows, and can determine whether or not the data flow d2 is abnormal. Not. In this case, the control unit 51 (logical expression extraction means) of the data flow monitoring device 5 extracts the determination result “data flow d1 is abnormal” as the logical expression 107. Further, the control unit 51 of the data flow monitoring device 5 extracts the determination result “data flow d3 is abnormal” as the logical expression 108. The example shown in FIG. 8 is an example in which there is a data flow d2 that is difficult to determine whether it is normal or abnormal, and in Patent Document 1 of the prior art, the failure location is unsuccessful.

Next, the detail of operation | movement of the failure location identification apparatus 7 is demonstrated.
The failure location specifying device 7 uses the logical expressions extracted by the logical relationship extraction device 3 and the data flow monitoring device 5 as constraint conditions, and identifies the failure location based on an evaluation function including a binary variable indicating whether each component is normal or failure. A failure location specifying means for specifying and a failure location presentation means for presenting the failure location specified by the failure location specifying means are provided.
The failure location identification means is a binary variable x _i that satisfies the logical expression indicating the universal relationship of the system configuration extracted by the logical relation extracting device 3 and the logical expression indicating the abnormal data flow extracted by the data flow monitoring device 5. Ask for a pattern. When there are a plurality of obtained patterns, the failure location specifying means performs an evaluation based on the evaluation function, and specifies the pattern of the binary variable x _i that seems to be most appropriate as the failure location. The failure location presenting means presents the identified failure location to the user.

次式は、評価関数ｆ（ｘ_Ａ,ｘ_Ｂ,ｘ_Ｃ,ｘ_Ｄ）の一例である。

式（２）の評価関数は、正常なコンポーネントの個数を示している。一般に、コンポーネントが故障する確率は極めて低いことから、故障したと判断されるコンポーネントが多くなればなる程、起こり難いパターンとなる。従って、式（２）の評価関数を用いる場合、評価関数の値が最も大きいパターンが、最も妥当なパターンとなる。 The binary variable x _i is defined by the following equation.

The following equation is an example of the evaluation function f (x _A , x _B , x _C , x _D ).

The evaluation function of Expression (2) indicates the number of normal components. In general, since the probability of component failure is extremely low, the more components that are determined to have failed, the less likely it is to occur. Therefore, when the evaluation function of Expression (2) is used, the pattern having the largest evaluation function value is the most appropriate pattern.

Here, the pattern of the binary variable x _{i that} satisfies all of the logical expressions 104 to 108 shown in FIGS. 7 and 9 is (x _A , x _B , x _C , x _D ) = (0, 1, 1, 1). ), (0,1,1,0), (0,1,0,1), (0,0,1,1), (0,1,0,0), (0,0,1,0) ), (0,0,0,1), and (0,0,0,0). Among these, the pattern having the largest value of the evaluation function of Expression (2) is (x _A , x _B , x _C , x _D ) = (0, 1, 1, 1). Therefore, the control part 31 (failure location specifying means) of the failure location specifying device 7 specifies that only the component A has failed. And the control part 31 (failure location presentation means) of the failure location identification apparatus 7 displays on the display part 36 that only the component A has failed, for example.

式（３）の評価関数を用いる場合、評価関数の値が最も大きいパターンが、最も妥当なパターンとなる。 Also, (if previously values and statistical data of failure probability P _i of each component is present is determined) failure probability P _i of each component if known, assuming that each component fails independently, the evaluation function f (X _A , x _B , x _C , x _D ) can also be defined by the overall probability expressed by the following equation.

When the evaluation function of Expression (3) is used, the pattern with the largest evaluation function value is the most appropriate pattern.

FIG. 10 is a diagram illustrating the value of the evaluation function of Expression (3) regarding FIGS. 7 and 9. 10 assumes that the failure probability of each component is P _A = 0.01, P _B = 0.001, P _C = 0.005, and P _D = 0.01, and the logic shown in FIGS. The value of the evaluation function of Expression (3) for the pattern of the binary variable x _{i that} satisfies all Expressions 104 to 108 is shown. As shown in FIG. 10, the pattern having the largest evaluation function value in Expression (3) is (x _A , x _B , x _C , x _D ) = (0, 1, 1, 1). Therefore, the control part 31 (failure location specifying means) of the failure location specifying device 7 specifies that only the component A has failed. And the control part 31 (failure location presentation means) of the failure location identification apparatus 7 displays on the display part 36 that only the component A has failed, for example.

In general, _obtaining the pattern of the binary variable xi that gives the maximum value of the evaluation function of Expression (3) is equivalent to solving the maximum satisfiability problem. Therefore, the calculation can be performed efficiently by using the solver of the maximum satisfiability problem. Here, the maximum satisfiability problem is a problem of obtaining an assignment that maximizes the sum of weights of satisfying clauses when a set of weighted clauses is given. The section, n-number of variables y _1, ···, y _n and its negative ¬y _1, ···, from among the ¬y _n, is a logical expression connecting the some logical OR (∨) . That is, the logical expressions 104 to 108 are clauses.

  As described above, in the present embodiment, even when there is a data flow in which it is difficult to determine whether it is normal or abnormal, it is possible to accurately identify the failure location.

<Second Embodiment>
Next, a second embodiment will be described.
The failure location specifying system 1 according to the second embodiment includes a logical relationship extracting device 3, a data flow monitoring device 5, a failure location specifying device 7, and the like, as in the first embodiment. The hardware configurations of the logical relationship extraction device 3, the data flow monitoring device 5, and the failure location specifying device 7 are also the same.

  Hereinafter, the details of the operations of the logical relationship extraction device 3, the data flow monitoring device 5, and the failure location specifying device 7 will be described with reference to FIGS.

First, details of the operation of the logical relationship extraction device 3 will be described.
The logical relationship extraction device 3 includes a system configuration input unit that inputs a system configuration to be diagnosed, and a logical formula extraction unit that extracts a logical formula indicating a universal relationship of configurations input by the system configuration input unit.

  FIG. 11 is a diagram illustrating an example of a system configuration of a diagnosis target according to the second embodiment. As shown in FIG. 11, in the present embodiment, components B, C, and D operate in a cyclically cooperative manner. Component A outputs data flow d1, and component B inputs data flow d1. Component B outputs data flow d2, and component D inputs data flow d2. Component D outputs data flow d4, and component C inputs data flow d4. Component C outputs data flow d3, and component B inputs data flow d3.

  FIG. 12 is a diagram illustrating a logical expression related to FIG. In FIG. 12, a logical expression showing a universal relationship of the system configuration shown in FIG. 11 is shown. The control unit 31 (logical expression extraction unit) of the logical relationship extraction device 3 searches each component from the system configuration information input by the system configuration input unit, and if “component is normal” and “input is normal”. The relationship “output is normal” is extracted as a logical expression. However, for a component with no input, if “component is normal”, the relationship “output is normal” is extracted as a logical expression. In addition, a logical expression is not extracted for a component with no output.

  Further, the control unit 31 (logical expression extraction means) of the logical relationship extraction device 3 searches the circulation portion (= loop) of the data flow from the system configuration information input by the system configuration input means, If “all components are normal” and “related data flows that are not in the loop are normal”, the relationship “all data flows in the loop are normal” is extracted as a logical expression. Here, the loop search can be realized by a system configuration diagram as a directed graph, for example, by a depth-first search algorithm. The depth-first search is a search that extends deeply from a certain node (component in FIG. 11 or the like) until a target node is found or a node having no children is reached. In the loop search, the target node is a node that has already passed.

  In the example of FIG. 12, the control unit 31 of the logical relationship extraction device 3 searches for the component A, and if “component A is normal”, extracts the relationship “the data flow d1 as output is normal” as the logical expression 201. . Next, the control unit 31 of the logical relationship extraction device 3 searches for the component B, and if “component B is normal”, “input data flow d1 is normal”, and “input data flow d3 is normal”. A relationship “data flow d2 as output is normal” is extracted as a logical expression 202. Next, the control unit 31 of the logical relationship extraction device 3 searches for the component C. If “the component C is normal” and “the input data flow d4 is normal”, “the output data flow d3 is normal”. The relationship is extracted as a logical expression 203. Next, the control unit 31 of the logical relationship extraction device 3 searches for the component D. If “the component D is normal” and “the input data flow d2 is normal”, “the output data flow d4 is normal”. The relationship is extracted as a logical expression 204.

  Next, the control unit 31 of the logical relationship extracting device 3 detects the loop “B → D → C”, and “the components B, C, and D in the loop are normal” and “ If the data flow d1 that is not present is normal ”, the relationship“ the data flow d2 in the loop is normal ”is extracted as the logical expression 205. Next, the control unit 31 of the logical relationship extraction device 3 determines that “the loop is normal if the components B, C, and D in the loop are normal” and “the data flow d1 that is not in the loop among the related data flows is normal”. The relation “normal data flow d3” is extracted as a logical expression 206. Next, the control unit 31 of the logical relationship extraction device 3 determines that “the loop is normal if the components B, C, and D in the loop are normal” and “the data flow d1 that is not in the loop among the related data flows is normal”. The relation “normal data flow d4” is extracted as a logical expression 207.

  Then, the control unit 31 of the logical relationship extraction device 3 follows the trivial equations “X → Y = ¬X∨Y” and “¬ (X∧Y) = ¬X∨¬Y” (De Morgan's law). , Logical expressions 201-207 are converted into logical expressions 208-214. The logical expressions 208 to 214 are used by the failure location specifying device 7 as logical expressions indicating the universal relationship of the system configuration.

The means included in the data flow monitoring device 5 is the same as in the first embodiment.
FIG. 13 is a diagram illustrating the determination result of the data flow related to FIG. FIG. 13 shows the determination result of the data flow collected during operation of the system shown in FIG. FIG. 14 is a diagram illustrating a logical expression related to FIG.

  As shown in FIG. 13, the control unit 51 (data flow monitoring means) of the data flow monitoring device 5 determines that the data flows d2, d3, d4 are abnormal data flows, and determines that the data flow d1 is a normal data flow. ing. In this case, as illustrated in FIG. 14, the control unit 51 (logical expression extraction unit) of the data flow monitoring device 5 extracts the determination result “data flow d1 is normal” as the logical expression 215. Further, the control unit 51 of the data flow monitoring device 5 extracts the determination results “data flows d2, d3, d4 are abnormal” as logical expressions 216 to 218, respectively. The example shown in FIG. 14 is an example in which an abnormal data flow propagates cyclically, and in Patent Document 1 of the prior art, the failure location is unsuccessful.

The means included in the failure location specifying means is the same as in the first embodiment.
FIG. 15 is a diagram illustrating the value of the evaluation function of Expression (3) related to FIGS. 12 and 14. 15 assumes that the failure probability of each component is P _A = 0.01, P _B = 0.001, P _C = 0.005, and P _D = 0.01, and the logic shown in FIGS. shows up top five values of the evaluation function of equation (3) with respect to the pattern of the binary variables x _i that satisfies all the formulas 208-218. As shown in FIG. 15, the pattern having the largest value of the evaluation function of Expression (3) is (x _A , x _B , x _C , x _D ) = (1, 1, 1, 0). Therefore, the control unit 31 (failure location specifying means) of the failure location specifying device 7 specifies that only the component D has failed. And the control part 31 (failure location presentation means) of the failure location identification apparatus 7 displays on the display part 36 that only the component D has failed, for example.

In the case of the evaluation function of Expression (2), the upper three patterns (x _A , x _B , x _C , x _D ) = (1, 1, 1, 0), (1, 1, 0) shown in FIG. , 1) and (1, 0, 1, 1) have the same value. In this case, the control unit 31 (failure location specifying means) of the failure location specifying device 7 specifies that any one of the component B, C, or D has failed. And the control part 31 (failure location presentation means) of the failure location identification apparatus 7 displays on the display part 36 that any one of the component B, C, or D has failed, for example. As described above, even when the failure location cannot be completely specified, it is possible to present at least appropriate information that leads to the specification of the failure location.

  As described above, according to the present embodiment, it is possible to identify a failure location even when a loop exists in the system configuration.

<Third Embodiment>
Next, a third embodiment will be described.
The failure location specifying system 1 according to the third embodiment includes a logical relationship extraction device 3, a data flow monitoring device 5, a failure location specifying device 7, and the like, as in the first embodiment. The hardware configurations of the logical relationship extraction device 3, the data flow monitoring device 5, and the failure location specifying device 7 are also the same.

  FIG. 16 is a diagram illustrating an example of components according to the third embodiment. In the example shown in FIG. 16, the component A inputs data flows d1 and d2, and outputs data flows d3 and d4. Consider a case where the value of the data flow d3 is determined depending only on the data flow d2. Further, the value of the data flow d4 is determined depending on only the data flow d1.

  FIG. 17 is a diagram illustrating a logical expression related to FIG. In the example of FIG. 16, the control unit 31 of the logical relationship extraction device 3 searches for the component A. If “the component A is normal” and “the input data flow d1 is normal”, “depending on the data flow d1” The relationship that the data flow d4 that is the determined output is normal is extracted as the logical expression 301. Further, if the component A is normal and the input data flow d2 is normal, the control unit 31 of the logical relationship extraction apparatus 3 "the data flow d3 that is an output determined depending on the data flow d2 is normal". Is extracted as a logical expression 302.

  In the present embodiment, the failure location can be specified with high accuracy by extracting the logical expression in consideration of the dependency relationship between the data flows.

<Fourth embodiment>
Next, a fourth embodiment will be described.
The failure location specifying system 1 according to the fourth embodiment includes a logical relationship extraction device 3, a data flow monitoring device 5, a failure location specifying device 7, and the like, as in the first embodiment. The hardware configurations of the logical relationship extraction device 3, the data flow monitoring device 5, and the failure location specifying device 7 are also the same.

  FIG. 18 is a diagram illustrating an example of components according to the fourth embodiment. In the example illustrated in FIG. 18, the component A inputs the data flow d1 and outputs the data flow d2. Here, the determination criteria for determining whether or not the data flow d2 is an abnormal data flow are (1) whether the data is included in a normal range (= the data range is normal) or (2) a cycle in which the data is normal Let us consider the case where there are two cases (i.e., whether the cycle is normal). The normality of the data range of the data flow d2 (= R_ok (d2) in FIG. 18) depends on the normality of the data range of the data flow d1 (= R_ok (d1) in FIG. 18), and the normality of the data flow d2 Consider a case where the normality of the cycle (= P_ok (d2) in FIG. 18) depends on the normality of the cycle of the data flow d1 (= P_ok (d1) in FIG. 18).

  FIG. 19 is a diagram illustrating a logical expression related to FIG. In the example of FIG. 18, the control unit 31 of the logical relationship extraction device 3 searches for the component A. If “the component A is normal” and “the data range of the input data flow d1 is normal”, “the data flow d1 The relationship that the data range of the data flow d4, which is an output determined depending on the validity of the data range, is normal is extracted as a logical expression 401. Further, the control unit 31 of the logical relationship extraction device 3 determines “depending on the normality of the periodicity of the data flow d2” if “the component A is normal” and “the periodicity of the input data flow d2 is normal”. The relationship that the periodicity of the output data flow d3 is normal is extracted as a logical expression 402.

  In the present embodiment, the failure location can be identified with high accuracy by extracting a logical expression in consideration of the case where there are a plurality of criteria for determining whether or not the data flow is normal.

<Fifth embodiment>
Next, a fifth embodiment will be described.
The failure location specifying system 1 according to the fifth embodiment includes a logical relationship extraction device 3, a data flow monitoring device 5, a failure location specifying device 7, and the like, as in the first embodiment. The hardware configurations of the logical relationship extraction device 3, the data flow monitoring device 5, and the failure location specifying device 7 are also the same.

  FIG. 20 is a diagram illustrating an example of components according to the fifth embodiment. In the example shown in FIG. 20, the component A inputs data flows d1 and d2 and outputs a data flow d3. Here, a criterion for determining whether or not the data flows d1 and d2 are normal cannot be defined only by the values of the data flows d1 and d2, respectively, but a case can be defined by combining both. For example, consider a criterion of “data flows d1 and d2 are normal if the value obtained by dividing the data flow d1 by the data flow d2 is 1.5 or less”. A case where the data flow is determined to be abnormal based on this determination criterion will be considered.

  FIG. 21 is a diagram illustrating a logical expression related to FIG. In the example of FIG. 20, when the control unit 51 of the data flow monitoring device 5 determines that there is an abnormality based on the determination criteria defined using the data flows d1 and d2, “at least one of the data flow d1 or the data flow d2”. Is extracted as a logical expression 501.

  In the present embodiment, the failure location can be identified with high accuracy by extracting a logical expression in consideration of the case where the criterion for determining whether or not the data flow is normal is determined depending on a plurality of data flows.

  The preferred embodiments of the failure location system and the like according to the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to such examples. It will be apparent to those skilled in the art that various changes or modifications can be conceived within the scope of the technical idea disclosed in the present application, and these naturally belong to the technical scope of the present invention. Understood.

The figure which shows schematic structure of the failure location identification system 1 The figure explaining the vehicle-mounted system 11 which is an example of a cooperation system The figure explaining the vehicle-mounted system 21 which is an example of a cooperation system Hardware configuration diagram of a computer for realizing the logical relationship extraction device 3 Hardware configuration diagram of the data flow monitoring device 5 The figure which shows an example of the system configuration of the diagnostic object which concerns on 1st Embodiment The figure which shows the logical expression regarding FIG. The figure which shows the determination result of the data flow regarding FIG. The figure which shows the logical expression regarding FIG. The figure which shows the value of the evaluation function of Formula (3) regarding FIG. 7, FIG. The figure which shows an example of the system configuration of the diagnostic object which concerns on 2nd Embodiment The figure which shows the logical expression regarding FIG. The figure which shows the determination result of the data flow regarding FIG. The figure which shows the logical expression regarding FIG. The figure which shows the value of the evaluation function of Formula (3) regarding FIG. 12, FIG. The figure which shows an example of the component which concerns on 3rd Embodiment The figure which shows the logical expression regarding FIG. The figure which shows an example of the component which concerns on 4th Embodiment The figure which shows the logical expression regarding FIG. The figure which shows an example of the component which concerns on 5th Embodiment The figure which shows the logical expression regarding FIG. Schematic diagram showing an example of system configuration Schematic diagram showing an example of system configuration

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ......... Fault location identification system 3 ......... Logical relationship extraction device 5 ......... Data flow monitoring device 7 ......... Fault location identification device 31 ......... Control unit 32 ......... Storage unit 33 ......... Media input Output unit 34 ... Communication control unit 35 ... Input unit 36 ... Display unit 37 ... Peripheral device I / F unit 38 ... Bus 39 ... Network 51 ... Control unit 52 ... ... Storage unit 53 ... …… Communication interface 54 ... …… In-vehicle network

Claims (6)

A failure location identification system that identifies a failure location of a cooperative system in which multiple components transmit and receive data to each other and operate in cooperation with each other,
System configuration input means for inputting the configuration of the cooperative system;
First logical expression extraction means for extracting a first logical expression indicating a universal relationship of the configuration input by the system configuration input means;
A logical relationship extraction device comprising:
Data flow collection means for collecting data flows during operation of the cooperative system;
A second logical expression extracting means for determining whether or not the data flow collected by the data flow collecting means is normal, and extracting the determination result as a second logical expression;
A data flow monitoring device comprising:
A fault location specifying means for specifying a fault location based on an evaluation function including a binary variable indicating whether each component is normal or fault, with the first logical formula and the second logical formula as constraints
A fault location identifying device comprising:
Tona is,
The evaluation function further includes a predetermined failure probability of each component, and is an overall probability when it is assumed that each component fails independently .   2. The first logical expression extracting unit searches each component and extracts, as the first logical expression, a relationship that if the component is normal and the input is normal, the output is normal. The fault location identification system described.   The first logical expression extraction means further searches the circulation part of the data flow from the configuration of the cooperative system, and all the inputs to the circulation part components are normal from all the components of the circulation part that are normal and not the circulation part. Then, the fault location specifying system according to claim 2, wherein the relationship that the output from the component in the circulation portion is normal is extracted as the first logical expression. There is a failure location identification method for identifying the failure location of a cooperative system in which multiple components send and receive data to each other and operate in cooperation,
A system configuration input step for inputting the configuration of the cooperative system;
A first logical expression extraction step for extracting a first logical expression indicating a universal relationship of the configuration input by the system configuration input step;
A data flow collection step for collecting a data flow during operation of the cooperative system;
A second logical expression extraction step of determining whether or not the data flow collected by the data flow collection means is normal, and extracting the determination result as a second logical expression;
A failure location specifying step for specifying a failure location based on an evaluation function including a binary variable indicating whether each component is normal or failed, with the first logical formula and the second logical formula as constraints.
Only including,
The evaluation function further includes a predetermined failure probability of each component, and is an overall probability when it is assumed that each component fails independently . 5. The first logical expression extracting step searches each component, and extracts, as the first logical expression, a relationship that if the component is normal and the input is normal, the output is normal. Described fault location identification method. In the first logical expression extraction step, the circulation part of the data flow is further searched from the configuration of the cooperative system, and all the components in the circulation part are normal and the inputs to the components in the circulation part are all normal. 6. The failure location specifying method according to claim 5, wherein the relationship that the output from the component in the circulation portion is normal is extracted as the first logical expression.

Images