CN111290783A - SysML model-based cascade failure cause graphical system - Google Patents


Info

Publication number: CN111290783A
Authority: CN (China)
Prior art keywords: failure, cause, event, model, gate
Legal status: Granted
Application number: CN202010154011.0A
Other languages: Chinese (zh)
Other versions: CN111290783B (en)
Inventors: 肖刚, 吴瑀倩, 徐冬蕾, 陈珺仪
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University
Events: application filed by Shanghai Jiaotong University; priority to CN202010154011.0A; publication of CN111290783A; application granted; publication of CN111290783B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/74 Reverse engineering; extracting design information from source code

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)

Abstract

A cascade failure cause graphical system based on a SysML model comprises an operation state model construction unit, a model reading and analyzing unit, a failure cause searching unit and a failure cause display unit. The system establishes the interaction relation of system function states based on SysML, generates failure reverse cause chains with a cascade failure cause search algorithm, integrates the chains into a tree structure of failure causes, and then extracts the cascade failure mapping relation and the root cause failures from the graph to generate the minimal cut set of the cascade failure causes. The invention combines the SysML model with the MBSA (model based safety analysis) method to carry out safety analysis and to establish a macroscopic, overall cognition of the dynamic safety state of the system.

Description

SysML model-based cascade failure cause graphical system
Technical Field
The invention relates to a technology in the field of safety-critical systems, in particular to a cascade failure cause graphical system based on the Object Management Group (OMG) Systems Modeling Language (SysML) model.
Background
Safety is an important aspect of system development. For safety-critical systems, one important component of safety analysis is, in the context of a system failure, to find the underlying (root) failure that caused it. As system function integration and design complexity increase day by day, the coupling between physical components grows stronger, which brings greater challenges to failure modeling and to the expression of failure relations. In addition, factors such as cascade failure and common mode failure, introduced by this integration, further increase the difficulty of locating failure causes. In the prior art, root cause failure is inferred by static analysis, and failure causes are expanded from a local viewpoint into a parallel, tree-shaped branch structure. However, the order in which the various failure causes occur during actual system operation, and the cascade relations among them, change the result of the safety analysis; both the system operation mechanism and configuration switching influence the safety analysis process, and static analysis cannot show the dynamic development sequence of events.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a cascade failure cause graphical system based on a SysML model, safety analysis is carried out by combining the SysML model with an MBSA (model based safety analysis) method, and macroscopic and overall cognition on the dynamic safety state of the system is established.
The invention is realized by the following technical scheme:
the invention establishes the interactive relation of the system function state based on SysML, generates the failure reverse cause chain by using the cascade failure cause search algorithm, integrates the failure reverse cause chain into the tree structure of the failure cause, extracts the cascade failure mapping relation and the root cause failure from the graph and generates the minimum cut set of the cascade failure cause.
The cascade failure cause graphical system based on a SysML model comprises an operation state model construction unit, a model reading and analyzing unit, a failure cause searching unit and a failure cause display unit, wherein: the operation state model construction unit is connected with the model reading and analyzing unit and transmits the operation state model and the model interaction information; the model reading and analyzing unit is connected with the failure cause searching unit and transmits the model relation set and the top-layer failure event information; the failure cause searching unit is connected with the failure cause display unit and transmits the starting and intermediate events of the failure reverse cause chains, the failure cause tree structure and the minimal cut set information; and the failure cause display unit displays the failure cause search result graphically.
The operation state model construction unit comprises an operation state model construction module and a model interaction relation extraction module, wherein: the operation state model construction module is connected with the model interaction relation extraction module and transmits the state diagram set of the operation state model; the model interaction relation extraction module is connected with the model reading and analyzing unit, extracts the operation state model and the model interaction information after analyzing the state diagram set, and transmits them to the model relation storage module as background information for the cascade failure search.
The model reading and analyzing unit comprises a model relation storage module and a top failure event setting module, wherein: the model relation storage module receives the operation state model and model interaction information from the operation state model construction unit; the model relation storage module and the top failure event setting module are respectively connected with the failure cause searching unit and transmit the model relation set, which serves as the search background, and the top failure event, which serves as the search starting point.
The failure cause searching unit comprises a cascade failure search module, a root failure search module, a failure reverse cause chain generation module, a failure cause tree structure generation module and a minimal cut set generation module, wherein: the cascade failure search module and the root failure search module judge cascade failures and root failures through the failure cause search algorithm, starting from the top-layer failure event, and are respectively connected with the failure reverse cause chain generation module, to which they transmit the cascade failure events and the root failure events; the failure reverse cause chain generation module integrates these into failure reverse cause chains; the failure cause tree structure generation module connected with it further analyzes the failure reverse cause chains to obtain a failure cause tree structure that can be displayed graphically; and the failure reverse cause chain generation module is connected with the failure cause display unit and transmits the starting event and the intermediate events of each cause chain so that the chain can be displayed.
The failure cause tree structure comprises the mapping relation of AND gates, OR gates, root cause failures and cascade failures; it is transmitted by the failure cause tree structure generation module to the failure cause display unit connected with it, where the corresponding sub-modules display each part graphically.
The failure cause display unit comprises a failure reverse cause chain display module, a failure cause tree structure display module and a minimal cut set display module, wherein: the failure reverse cause chain display module receives the starting event and the intermediate events of a cause chain from the failure reverse cause chain generation module of the failure cause search unit and displays the chain; the failure reverse cause chain generation module is respectively connected with the failure cause tree structure generation module and the minimal cut set generation module and transmits the failure reverse cause chain set and the root cause events; the minimal cut set generation module computes the minimal cut set and transmits it to the minimal cut set display module connected with it for collective display.
The failure cause tree structure display unit comprises an AND gate display module, an OR gate display module, a root failure display module and a cascade failure mapping relation display module, wherein: the AND gate display module is connected with the failure cause tree structure generation module in the failure cause search unit and receives the AND gate top event and the AND gate branch information; the OR gate display module is connected with the failure cause tree structure generation module and receives the OR gate top event and the OR gate branch information; the root cause failure display module is connected with the failure cause tree structure generation module and receives the root cause failure information; and the cascade failure mapping relation display module is connected with the failure cause tree structure generation module.
The cascade failure cause search algorithm is as follows: select a top-level undesired event and recursively trace its forward causative events; when a cascade relation exists, jump to and search all upstream influences that cause the event to occur, until all possible causative branches have been traversed; combine the recursive results layer by layer into the recursive function of the parent node; and finally generate a failure reverse cause chain whose syntactic structure encodes the failure propagation path.
The failure reverse cause chain comprises: all node elements in the searching process of the failure cause, and the arrangement sequence of all nodes represents a propagation path of the cascade failure.
The node elements include: status and triggering events; the syntactic structure of the arrangement sequence is expressed as: state-state, state-trigger event, and trigger event-state.
The tree structure includes: cascading failure propagation paths and root failures.
The root cause failure is the root cause of the top-layer failure event once the influence of cascade failure has been eliminated; it is captured as the end event of a failure reverse cause chain.
The cascade failure propagation path is represented by state nodes and trigger event nodes, and the connection relationship between nodes is represented by AND gate branches, OR gate branches and the cascade failure mapping relation, wherein: the AND gate represents the combination of the current state and the trigger event, and the OR gate represents causal structures that exist in parallel.
The AND gate branch is a logic structure expressing that failure propagation must satisfy all conditions at the same time, and is formed by the following steps: 1. traverse the elements of the failure reverse cause chain from front to back; on encountering a state-trigger event structure (two state elements followed by a trigger event), set the first state element as the AND gate top event, the second state element as the first subordinate branch of the AND gate and the trigger event element as the second subordinate branch, then go to the next step; when the structure is not met, continue extending the tree structure; 2. judge whether the trigger event has a forward element: when it has one, cut off the forward element of the trigger event and construct a new tree branch starting from that forward element; when it has none, take the trigger event element as a bottom-layer root failure.
The forward element is the end state of the transition relationship in which the upstream impact event of the trigger event is located.
The OR gate branch is a logic structure expressing that failure propagation needs to satisfy any one condition, and is formed by the following steps: 1. traverse the elements of the failure reverse cause chain from front to back; when an element also exists in another failure reverse cause chain and is a state, all elements before it agree with the existing chain and the elements after it differ, go to the next step; 2. judge whether an OR gate already exists at the element: if not, place an OR gate at the element's position and set the element's successor in the chain as one of the OR gate's branches; when, while traversing the new chain, a branch with the same parent node as an existing OR gate is encountered, expand the existing OR gate directly with the new branch.
The cascade failure mapping relation is the connection from a root failure to a cascade failure; its start and end objects are an influence event and a trigger event, wherein: the influence event lies in an upstream failure transition relation and the trigger event in a downstream failure transition relation; the cascade influence of one upstream failure can trigger several downstream failure transition relations that contain derived trigger events; and the mapping from an influence event to a trigger event, established between two independent failure cause tree structures, forms the complete failure propagation path.
The minimal cut set is the set that covers all root failures with a unique combination relation. It is obtained by extracting all root failures of the tree structure, combining them through a Cartesian product, and screening the combinations by removing duplicate events, sorting out-of-order queues and excluding derivative cut sets.
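As an added worked example (not code from the patent), the following Python evaluates the minimal cut set of a constructed AND/OR cause tree in the way this paragraph describes: root failures are combined by Cartesian product across AND branches and by union across OR branches, then screened by removing repeated events inside a sequence, by treating sequences with the same event set as one cut set (keeping the first one emitted, in the upstream-first order the product produces; the page does not spell out this detail, so it is this example's reading of "sorting out-of-order queues"), and by excluding derivative cut sets that strictly contain another cut set. The event names TRIGG1 and PHY2FAIL are taken from the Fig. 6 example later on the page; PHY3FAIL and the gate tree itself are constructed.

```python
from itertools import product
from typing import List, Tuple

Seq = Tuple[str, ...]   # one cut set, as an ordered sequence of root failures

# Gate tree nodes: ("basic", name) | ("and", child, ...) | ("or", child, ...)
def basic(name: str) -> tuple:
    return ("basic", name)

def and_gate(*children: tuple) -> tuple:
    return ("and",) + children

def or_gate(*children: tuple) -> tuple:
    return ("or",) + children

def raw_cut_sets(gate: tuple) -> List[Seq]:
    """Combine root failures: union across OR branches, Cartesian product across AND branches.
    The product keeps branch order, so each sequence lists events in propagation order."""
    kind = gate[0]
    if kind == "basic":
        return [(gate[1],)]
    child_sets = [raw_cut_sets(child) for child in gate[1:]]
    if kind == "or":
        return [seq for branch in child_sets for seq in branch]
    if kind == "and":
        return [sum(combo, ()) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate kind {kind!r}")

def remove_duplicate_events(seq: Seq) -> Seq:
    """Screen 1: an event that recurs inside one sequence counts once (first occurrence kept)."""
    kept: List[str] = []
    for event in seq:
        if event not in kept:
            kept.append(event)
    return tuple(kept)

def minimal_cut_sets(gate: tuple) -> List[Seq]:
    seqs = [remove_duplicate_events(s) for s in raw_cut_sets(gate)]
    # Screen 2 (this example's reading of "sorting out-of-order queues"): sequences with the
    # same event set are one cut set; the first one emitted, in upstream-first order, is kept.
    unique: List[Seq] = []
    for seq in seqs:
        if not any(set(seq) == set(u) for u in unique):
            unique.append(seq)
    # Screen 3: exclude derivative cut sets, i.e. any sequence that strictly contains another.
    return [seq for seq in unique if not any(set(other) < set(seq) for other in unique)]

# Constructed gate tree. TRIGG1 and PHY2FAIL are root failure names from the page's Fig. 6
# example; PHY3FAIL and the gate structure are invented to exercise every screening step.
TOP_EVENT = or_gate(
    and_gate(basic("TRIGG1"), basic("PHY2FAIL")),                              # both lost, in order
    and_gate(basic("PHY2FAIL"), basic("TRIGG1")),                              # same pair, other order
    and_gate(or_gate(basic("TRIGG1"), basic("PHY3FAIL")), basic("PHY3FAIL")),  # yields a repeated event
    and_gate(basic("TRIGG1"), basic("PHY2FAIL"), basic("PHY3FAIL")),           # derivative of branch 1
)

if __name__ == "__main__":
    for seq in minimal_cut_sets(TOP_EVENT):
        print(" -> ".join(seq))
```

Running the block prints the two surviving cut sets, `TRIGG1 -> PHY2FAIL` and `PHY3FAIL`; the repeated-event branch collapses to the single root PHY3FAIL, which in turn makes the `TRIGG1, PHY3FAIL` combination and the three-event branch derivative, and the reversed pair is merged with its ordered twin.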
Technical effects
The invention as a whole solves two problems: that, for a complex system designed with integrated mechanisms and dynamically changing configurations, failures must be located together with the cascading failure propagation relation; and that a fault tree cut set obtained by static search cannot express the occurrence sequence of events.
Compared with the prior art, the method can realize dynamic reasoning on the failure propagation path and the root failure, visually observe the failure propagation path and the root failure in a visual mode, establish system perception on the failure derivation process, contribute to optimization design, and inhibit failure propagation from the angle of avoiding key root failure and blocking the propagation path; meanwhile, the minimum cut set element generated by the method can show the occurrence sequence of failure, so that more accurate description of the multi-failure combination condition is realized, and designers can make a failure mitigation strategy in a matching way; the invention can realize automatic analysis and comprehensive evaluation of the safety state of the complex system. The method is mainly used for verifying the rationality of design and the effectiveness of safety measures in the system development stage, and can carry out comparative analysis on the rationality of different design configurations and optimize system design from the safety perspective.
Drawings
FIG. 1 is a schematic view of the present invention;
FIG. 2 is a schematic diagram of the transformation of the SysML model to a dynamic failure causative structure;
FIG. 3 is a diagram illustrating a first state indirect cascade relationship;
FIG. 4 is a diagram of a second state indirect cascade connection mode;
FIG. 5 is a schematic diagram of a cascading failure cause search algorithm;
FIG. 6 is a schematic diagram of syntax structure analysis of a chain of reverse causes of failure;
FIG. 7 is a schematic diagram of a cascade fail AND gate architecture;
FIG. 8 is a graphical algorithm diagram of a failure cause;
FIG. 9 is a schematic diagram of a tree structure of a failure cause;
FIG. 10 is a schematic diagram of a failure cause tree structure labeled with a failure cascade relationship;
FIG. 11 is a schematic diagram of a minimal cut set search algorithm;
FIG. 12 is a diagram illustrating a dual redundancy switch function process;
FIG. 13 is a diagram illustrating a functional process trunk branch operating state transition relationship;
FIG. 14 is a diagram illustrating a functional process backup branch operational state transition relationship;
FIG. 15 is a diagram of a minimal cut set search result;
FIG. 16 is a diagram of a graphical system of cascading failure causes based on the SysML model.
Detailed Description
As shown in Fig. 1 and Fig. 2, the embodiment relates to a cascade failure cause graphical system based on a SysML model. The Systems Modeling Language SysML is used to describe the system function operation state model; following the state machine principle, the explicit and implicit cascade relations of the system operation states are described by combinations of trigger events and influence events, and these relations are extracted and stored in a database. A cascade failure cause search algorithm with a three-layer nested structure outputs the failure propagation paths in the form of cascade failure reverse cause chains. From these, a reverse cause tree structure of the cascade failure is built: the causes of a failure are expressed by the trigger event and the AND gate branch structure of the current state, parallel cause structures are expressed by OR gates, the cascade failure mapping relation and the root cause failures can be marked in the structure, and the minimal cut set of the top-layer undesired event is generated.
The embodiment relates to a graphical method of the system, which comprises the following steps:
step one, establishing an interactive relation of system function states based on SysML.
The interaction relation is based on various operation processes of the SysML model expressing system functions through a state diagram, and the interaction of the functions is realized by expressing the operation mechanism of the system through state combination and transfer relation.
The state diagram comprises: states and state transition relationships, both in combination, represent a specific operating mechanism of a process of the system.
The set of the state diagrams is a set of system operation processes, and one state diagram represents one operation process.
The states are divided into: idle, running, degraded, and failed to represent normal and abnormal states of the system.
The state transition relation is a state cascade relation which adopts a triggering event and an influence event to combine and express a functional process, and the state cascade relation is divided into a direct cascade relation and an indirect cascade relation, wherein: the direct cascade relation is presented in the form of a combination of a trigger event and an influence event in the adjacent state transition relation, the transition between each state in the same process can be directly carried out, or the condition which must be met in the transition process is represented by the trigger event, the influence brought by the transition is embodied by the influence event, the abstract level of the trigger event in the same combination is lower than or equal to the level of the influence event, and the combination has an association rule; the indirect cascade relation is represented by the mapping relation pair of the influence event in the upstream state transition relation and the trigger event in the downstream transition relation caused by the influence event.
The trigger event is a condition of state transition in the failure mode.
The influence event is the influence caused by state transition in the failure mode.
The association rules of the trigger events and the influence events are mutually coupled with a system running state framework and have an upstream-downstream relationship, the influence events in an upstream combination cover the trigger events in a downstream combination, one influence event triggers a plurality of downstream guidance trigger events at the same time, one trigger event can trigger a plurality of subsequent influence events in succession, and the combination of the two rules can further increase the expression of the state cascade relationship types, so that the interaction relationship between the models is stored through a database.
The failure modes come from the system failure mode and effects analysis (FMEA) and from the inherent failure modes of the components, and are transformed into failed states or related abnormal states as the abstraction level of the model rises.
The specific expression form of the indirect cascade relation is as follows: one state transition induces simultaneous transitions of multiple states. Specifically, influencing the transition between two states of the process will cause the triggering events of the transition conditions of the specific states of the process to be triggered simultaneously, as shown in fig. 3. Secondly, one state transition is accompanied by the cascade transition of the subsequent state. Specifically, the trigger event at this time generates a corresponding influence event, and causes the trigger events of other processes at the next time to be further triggered, thereby implementing propagation of influence, as shown in fig. 4.
The model information and the model association relationships stored in the database are shown in the following tables:

TABLE 1 Model information
Model name          Field(s)
Type of model       Object_Type
Structural form     Stereotype
Model membership    Parent_ID

TABLE 2 Model association
Model association relation type                  Field(s)
Model that constructs the association relation   Stereotype
Start and end of the association relation        Start_Object_ID, End_Object_ID
State transition trigger event                   trigger
State transition influence event                 effect
Step two, generating a failure reverse cause chain with the cascading failure cause search algorithm, based on the interaction relation.
The algorithm comprises three nested implementation loops from inside to outside, namely an inner layer, a middle layer and an outer layer, and cause search is carried out through the cascading failure reverse cause search algorithm, wherein:
the inner layer searches a state transition relation where a forward influence causing a certain event is located, recursion is adopted to perform reverse depth-first search on a state matrix corresponding to a specific state, in the process of the reverse depth-first search, according to a trigger event and an influence event mechanism, when the transition relation has the trigger event, all the forward influences causing the trigger event to take effect are searched in a global range, and further recursion is performed according to the terminal state of the transition relation where the trigger event is located, so that forward tracing of the cascade influence relation is realized;
the middle layer is a top layer calling mechanism, forward search is carried out according to the input specified state and the triggering event as starting points, and a corresponding root cause failure chain is generated;
On the basis of the direct cause search, the outer layer further searches forward the cause relations of all current-state branches that could not be fully traversed because of the jump relation between trigger events and transfer events during the search, and combines them with the original search results to obtain several complete chains that cover all root cause events and failure propagation paths.
The reverse cause search algorithm selects a top-level undesired event, and performs reverse search on an upstream state of the top-level undesired event according to the following steps, as shown in fig. 5:
1) it is determined whether a forward state exists for the event.
If a forward state exists, a depth-first strategy selects one element of the forward state set as a branch for reverse search; if no forward state exists, jump directly to step 4).
2) Judge whether a trigger condition exists in the transition relation between the event and the forward state.
When no trigger condition exists, further carrying out forward recursive search by taking the forward state as a starting point; when the trigger condition exists, step 3) is entered.
3) Search the upstream influence event of the trigger event according to the trigger event/influence event combination: when an upstream influence exists, store the current state in an independent set, jump to the end state of the transition relation where the influence event is located and continue the forward recursive search; when no upstream influence exists, set the trigger event as a bottom-layer root failure, end this layer of recursion, return the search result to the upper-layer recursive function and go to step 4).
4) It is determined whether the set of upstream nodes for the node has been fully accessed.
When the access is not complete, after the current branch search has finished, carry out cause search for the next forward state of the node until all upstream state sets of the node have been traversed; combine the final search results in event chain form and return them to the upper-layer search function until they reach the top-layer undesired event, where they are summarized into the failure reverse cause chain set.
5) Because the trigger event-influence event chain of a cascade relation makes the search jump midway, branches exist that cannot be traversed; therefore, on the basis of the direct cause chain, the cause relations of the start-state branches of the transition relations whose trigger events were involved in the search are searched forward and combined with the original search result, finally giving cause chains that completely cover all root failures and failure propagation paths.
The recursion includes three main loops: the first loop is used for traversing each upstream node of the node under the condition determined by the search starting point, and further recursing forwards when the transition state does not have a triggering condition; the second loop is used for traversing each upstream node of the nodes, and when a trigger condition exists in the transfer state and an upstream influence exists, the second loop jumps to the transfer relation where the influence exists to further recur forwards; and a third loop, traversing each upstream node of the node, setting the triggering condition as a root failure when the triggering condition exists in the transfer state and no upstream influence exists, returning a cause search result to the upper recursion, and carrying out search of other upstream nodes.
The recursion ends when the search reaches the starting state node of a process, or a trigger event of a transition that has no upstream influence left to search; the search result is then returned to the upper-layer recursive function.
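The three-layer search described in step two and in the algorithm summary earlier on the page, as an added Python example rather than the patent's own code. The state-transition model is constructed for this example: each transition carries an optional trigger event (the direct cascade condition) and an optional influence event, and an influence event with the same name as a trigger elsewhere stands for the influence event/trigger event mapping pair of the indirect cascade relation in step one. The model is shaped so that a search from state15 reproduces the two Fig. 6 chains; the transition state7 -> state8 is an extra, constructed branch that lets the outer layer return a supplementary chain. The cycle guard is an assumption of this example and is not stated on the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Transition:
    """One transition of a SysML state diagram (constructed representation)."""
    start: str
    end: str
    trigger: Optional[str] = None  # condition the transition needs (direct cascade)
    effect: Optional[str] = None   # influence event the transition emits (indirect cascade)

# Constructed model, shaped so that a search from state15 reproduces the two Fig. 6 chains.
# An effect that carries the same name as a trigger elsewhere is the influence event ->
# trigger event mapping pair of the indirect cascade relation.
MODEL: List[Transition] = [
    Transition("state14", "state15", trigger="PRO2FAIL"),
    Transition("state12", "state13", trigger="PRO1FAIL", effect="PRO2FAIL"),
    Transition("state6", "state11", effect="PRO1FAIL"),
    Transition("state5", "state6"),
    Transition("state3", "state5", trigger="PHY1FAIL"),
    Transition("state4", "state5", trigger="PHY2FAIL"),
    Transition("state8", "state9", trigger="TRIGG1", effect="PHY1FAIL"),
    Transition("state7", "state8"),  # constructed extra branch, reached only by the outer layer
]

Chain = List[str]

def reverse_cause_search(model: List[Transition], top_event: str) -> Tuple[List[Chain], List[str]]:
    """Inner and middle layer: reverse depth-first search from a top-level undesired state.
    Returns the reverse cause chains and, for the outer layer, the states whose own upstream
    branch was left unexplored because the search jumped along a trigger/influence pair."""
    preds: Dict[str, List[Transition]] = defaultdict(list)      # end state -> incoming transitions
    by_effect: Dict[str, List[Transition]] = defaultdict(list)  # influence event -> emitting transitions
    for t in model:
        preds[t.end].append(t)
        if t.effect:
            by_effect[t.effect].append(t)
    chains: List[Chain] = []
    skipped: List[str] = []

    def search(state: str, path: Chain) -> None:
        incoming = preds.get(state, [])
        if not incoming:                       # step 1: no forward state, the chain is complete
            chains.append(path)
            return
        for t in incoming:                     # step 4: visit every upstream node of this state
            if t.start in path:                # cycle guard (assumption, not stated on the page)
                continue
            if t.trigger is None:              # step 2: direct transfer, recurse on the forward state
                search(t.start, path + [t.start])
                continue
            if t.start not in skipped:         # step 5: its own upstream branch is searched later
                skipped.append(t.start)
            upstream = by_effect.get(t.trigger, [])
            if not upstream:                   # step 3: no upstream influence, trigger is a root failure
                chains.append(path + [t.start, t.trigger])
                continue
            for up in upstream:                # step 3: jump to the end state of the influencing transition
                search(up.end, path + [t.start, t.trigger, up.end])

    search(top_event, [top_event])
    return chains, skipped

def outer_layer(model: List[Transition], skipped: List[str]) -> Dict[str, List[Chain]]:
    """Outer layer: search the branches the jumps skipped; keep only those that add cause nodes."""
    extra: Dict[str, List[Chain]] = {}
    for state in skipped:
        sub, _ = reverse_cause_search(model, state)
        sub = [c for c in sub if len(c) > 1]
        if sub:
            extra[state] = sub
    return extra

def chain_to_text(chain: Chain) -> str:
    """Render a chain in the 'final:' form the page uses."""
    return "final:" + " ".join(chain)

def analyse(model: List[Transition], top_event: str) -> Dict[str, object]:
    chains, skipped = reverse_cause_search(model, top_event)
    return {"chains": chains, "supplementary": outer_layer(model, skipped)}

if __name__ == "__main__":
    result = analyse(MODEL, "state15")
    for chain in result["chains"]:
        print(chain_to_text(chain))
    for state, subs in result["supplementary"].items():
        print(f"outer layer, branch skipped at {state}:", [chain_to_text(c) for c in subs])
```

The middle layer is the `search(top_event, [top_event])` call; the inner layer is the recursion, whose three loops (direct recursion, jump on an upstream influence, root failure when there is none) are the three branches inside the `for` loop; `outer_layer` re-runs the search from each state whose branch the jump left behind.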
Step three, integrating the failure reverse cause chains into a graphical tree structure of failure causes, and extracting the cascade failure mapping relation and the root cause failures from the graph.
The failure reverse cause chain comprises: all node elements in the searching process of the failure cause, and the arrangement sequence of all nodes represents a propagation path of the cascade failure.
The node elements include states and trigger events; the arrangement order is expressed by the relationships of adjacent elements, and the specific syntactic structures are state-state, state-trigger event and trigger event-state. The combination of the three syntactic structures captures the jump actions of failure cascades, and the end of the chain shows a root failure.
The three grammars are specifically: the first syntax: when the state is directly connected with the state and a connection object at the downstream of the next node is not a trigger event, the two nodes are in a direct transfer relationship; the second syntax is: when the states are directly connected with each other and a connection object at the downstream of the next node is a trigger event, the next node is in the current state and the previous node is in the updated state, and the current state is caused under the influence of the trigger event; the third syntax: the trigger event is directly connected with the state, which indicates that the downstream state switching causes the trigger event, and the state is the current state after switching.
The model in the second grammar forms an AND gate which causes state change, the updated state is an AND gate top event, and the current state and the trigger event are subordinate branches of the AND gate; meanwhile, the downstream state of the trigger event is a corresponding state which leads the trigger event to be activated in other processes by tracing back the relation between the influence event and the trigger event, and further reverse cause search is carried out.
As shown in fig. 6, the present embodiment represents the reasoning process for the cause of the top-layer failure by two failure reverse cause chains:
final: state15 state14 PRO2FAIL state13 state12 PRO1FAIL state11 state6 state5 state3 PHY1FAIL state9 state8 TRIGG1;
final: state15 state14 PRO2FAIL state13 state12 PRO1FAIL state11 state6 state5 state4 PHY2FAIL.
Taking the event cause chains of fig. 6 as an example, the failure reverse cause chains are analyzed according to the failure reverse cause chain syntax to obtain the failure cause tree shown in fig. 9 and fig. 10. From the tree structure it can be seen that the TRIGG1 event of PROCESS1 and the PHY2FAIL event of PROCESS0 are root failures, which result in the function of the top-level PROCESS4 not being realized normally.
As shown in fig. 8, in this embodiment a failure cause graphical algorithm traverses all failure reverse cause chains to generate the failure cause graphical structure. The algorithm comprises the following steps:
1) Judging the position of the starting event of the chain.
When the chain shares its starting event with an existing chain, or the starting event of the chain already exists in an existing tree structure, the search starting point is positioned at that location, the tree structure is extended from there, and the chain is searched from front to back; when the starting event of the chain does not exist in any existing tree structure, an independent tree branch of the cause structure is set up with the starting event as its starting point.
2) Traversing the chain elements from front to back.
Each element of the chain is compared in sequence with the direction of the existing chains; when an element in the chain exists in other cause chains and is represented as a state, the element and all elements before it are consistent with the existing chain, and the elements after it are inconsistent, step 3) is entered.
3) Judging whether an OR gate exists at the node.
If no OR gate exists, an OR gate is set at the position of the element, and the element following it in the chain is set as one of the branches of the OR gate; when, while traversing the new chain, a branch is encountered that has the same parent node as an existing OR gate, the existing OR gate branch is expanded directly.
4) Judging whether an AND gate exists at the node, as shown in fig. 8.
For any element in the chain, when a state-trigger event structure (the second syntax) exists, the first state element is set as the AND gate top event, the second state element as the first subordinate branch of the AND gate and the trigger event element as the second subordinate branch of the AND gate, and step 5) is entered; when no such structure exists, the tree structure continues to be extended downward.
5) Judging whether a forward element exists for the trigger event.
When a forward element exists, the chain is truncated at the position of the forward element of the trigger event, a new tree branch is constructed with the forward element as its starting point, and the forward search continues; the forward element is the tail-end state of the transfer relation in which the upstream influence event of the trigger event is located. When no forward element exists, the trigger event is the bottom-level root failure.
6) Marking the mapping relation of the cascade failures and the root failures.
According to the triggering condition and the influence relation of the cascade failure, the cascade failure mapping relation is marked in the tree structure to express the propagation path, and the root failures are marked to express the root cause of the top-layer failure.
The root failure is obtained by capturing failure cascade jump actions and tracing forward step by step; it is expressed as a node in the form of a trigger event at the bottom of the failure cause tree structure, and the node is highlighted in the graph as a marker.
The cascade failure propagation path is represented by AND gate branches, OR gate branches and cascade failure mapping relations, wherein: the AND gate represents the combination of the current state and the trigger event, and the OR gate represents cause structures that exist in parallel.
The AND gate structure takes a failure state as the top event, and takes the trigger event and the current state of the system when the event is triggered as its two subordinate branches. The trigger event can be searched further back upstream to the cause of its occurrence, covering the affected state transition chain; tracing it forward jumps to the trigger reason in another subtree. The current state can be traced further forward within the existing structure until the starting-end state or bottom cause event of the current process is reached.
The cascade failure mapping relation is a connection from a root failure to a cascade failure whose start and end objects are an influence event and a trigger event, wherein: the influence event lies in the upstream failure transfer relation and the trigger event in the downstream failure transfer relation; the cascade influence of one upstream failure can trigger several downstream failure transfer relations containing derived trigger events; and the mapping from the influence event to the trigger event established between two independent failure cause tree structures forms a complete failure propagation path.
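To make the chain syntax (the three syntactic structures and the AND gate implied by the second one) and the six tree-building steps concrete, here is an added example that builds the tree structure from the two reverse cause chains of fig. 6. It is not code from the patent; the `state<N>` naming of states, the `Node` and `CauseTree` classes and the text rendering that stands in for the graphical display are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# The two reverse cause chains of fig. 6. Assumption: states are named "state<N>",
# every other token is a trigger event, and a chain ends at a root failure.
CHAIN_A = ("state15 state14 PRO2FAIL state13 state12 PRO1FAIL state11 state6 "
           "state5 state3 PHY1FAIL state9 state8 TRIGG1").split()
CHAIN_B = ("state15 state14 PRO2FAIL state13 state12 PRO1FAIL state11 state6 "
           "state5 state4 PHY2FAIL").split()
STATE_NAME = re.compile(r"state\d+")

@dataclass
class Node:
    name: str                   # element name, or "AND" / "OR" for a gate node
    gate: str = ""              # "AND", "OR", or "" for a plain element
    children: list = field(default_factory=list)
    root_failure: bool = False  # trigger event with no forward element (chain end)
    mapping: str = ""           # trigger event -> forward element (cascade mapping)

def split_segments(chain):  # cut after every trigger event: trigger-state = jump upstream
    segments, current = [], []
    for element in chain:
        current.append(element)
        if not STATE_NAME.fullmatch(element):
            segments.append(current)
            current = []
    assert not current, "a chain must end with a trigger event (the root failure)"
    return segments

class CauseTree:
    def __init__(self):
        self.roots = []          # independent tree branches (step 1)
        self.mappings = []       # (trigger event, forward element) pairs (step 6)
        self.root_failures = []  # trigger events at chain ends (step 5)

    def find_state(self, name):  # step 1: locate a starting event in the existing trees
        stack = list(self.roots)
        while stack:
            node = stack.pop()
            if node.name == name:
                return node
            stack.extend(node.children)
        return None

    @staticmethod
    def _branches(node):  # branches below a node, looking through an existing OR gate
        if node.children and node.children[0].gate == "OR":
            return node.children[0].children
        return node.children

    def _attach(self, node, branch):  # step 3: a second, diverging branch makes an OR gate
        if node.children and node.children[0].gate != "OR":
            node.children = [Node("OR", gate="OR", children=node.children)]
        target = node.children[0].children if node.children else node.children
        target.append(branch)

    def _descend(self, node, nxt):  # step 2: follow or create a direct transfer (syntax 1)
        for branch in self._branches(node):
            if branch.name == nxt:
                return branch
        new = Node(nxt)
        self._attach(node, new)
        return new

    def _and_gate(self, updated, current, trigger):  # step 4: syntax 2 => AND gate
        for branch in self._branches(updated):
            if branch.gate == "AND" and [c.name for c in branch.children] == [current, trigger]:
                return branch.children[1]  # the same AND gate was already built: reuse it
        trig = Node(trigger)
        self._attach(updated, Node("AND", gate="AND", children=[Node(current), trig]))
        return trig

    def add_chain(self, chain):
        segments = split_segments(chain)
        for i, segment in enumerate(segments):
            *states, trigger = segment  # direct transfers ..., updated state, current state, trigger
            assert len(states) >= 2, "need an updated and a current state before " + trigger
            node = self.find_state(states[0])
            if node is None:                        # new independent tree branch
                node = Node(states[0])
                self.roots.append(node)
            for nxt in states[1:-1]:
                node = self._descend(node, nxt)
            trig = self._and_gate(node, states[-1], trigger)
            if i + 1 < len(segments):               # step 5: forward element exists
                trig.mapping = segments[i + 1][0]
                if (trigger, trig.mapping) not in self.mappings:
                    self.mappings.append((trigger, trig.mapping))
            elif trigger not in self.root_failures:  # step 5: bottom-level root failure
                trig.root_failure = True
                self.root_failures.append(trigger)

    def render(self, node=None, depth=0):  # indented text form of the tree structure
        if node is None:
            return "\n".join(self.render(root) for root in self.roots)
        label = node.name + ("  [ROOT FAILURE]" if node.root_failure else "")
        label += ("  ~~> " + node.mapping + " (cascade failure mapping)") if node.mapping else ""
        return "\n".join(["  " * depth + label] + [self.render(c, depth + 1) for c in node.children])
```

Feeding CHAIN_A and then CHAIN_B yields four independent branches (starting at state15, state13, state11 and state9) linked by three cascade mappings, an OR gate under state5 holding the two AND gates (state3, PHY1FAIL) and (state4, PHY2FAIL), and TRIGG1 and PHY2FAIL marked as root failures.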
Fourth, a minimal cut set of the cascade failure causes is generated based on the tree structure.
As shown in fig. 11, the minimal cut set is a set that covers all root failures and has a unique combination relation. It is obtained by extracting all root failures of the tree structure, combining them by Cartesian product, and screening by removing duplicate events, sorting out-of-order queues and excluding derived cut sets, as follows:
1) Removing duplicate events.
Events triggered repeatedly within the same minimal cut set because of redundant structures and system configurations are excluded.
2) Sorting the out-of-order queue.
The set of existing minimal cut sets is traversed, and cut sets with the same semantics that differ only in the order of their events are removed.
3) Excluding derived cut sets.
The inclusion relations between different minimal cut sets are refined, and higher-order cut sets containing the same information are removed.
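An added example (not the patent's code) of the minimal cut set generation just described: Cartesian product at AND gates, union at OR gates, then the three screening steps, plus the first-order cut set check used for the safety requirement later in the description. The AND/OR tree and the leaf names (`ispu1_innerfail`, `monitor_normal`, ...) are constructed for illustration, modelled loosely on the dual-redundancy case, and are not the patent's table.

```python
import itertools

# Constructed illustration of the dual-redundancy case in the description (ispu 1,
# ispu 2 as cold standby, monitor); the leaf names are assumed and this is not the
# patent's table. Leaves are root failures or the monitor's state when ispu 1 fails,
# which is how the order of the failures is encoded in a cut set.
TOP_FAILURE = ("OR",
    # monitor already failed (hidden) when ispu 1 fails: no switch-over to ispu 2
    ("AND", "ispu1_innerfail", "monitor_failed_before_ispu1"),
    # monitor normal, switch-over succeeds, ispu 2 then fails; the redundant structure
    # reaches ispu1_innerfail twice on one branch (duplicate event)
    ("AND", "ispu1_innerfail", "monitor_normal",
        ("OR", "ispu2_innerfail", ("AND", "ispu2_innerfail", "ispu1_innerfail"))),
    # the same events collected from the ispu 2 process in another order
    ("AND", "monitor_normal", "ispu2_innerfail", "ispu1_innerfail"),
    # a higher-order set that contains the first cut set: derived, no new information
    ("AND", "ispu1_innerfail", "monitor_failed_before_ispu1", "ispu2_innerfail"),
)

def raw_cut_sets(node):
    """Leaf -> one singleton; OR -> union of the branches; AND -> Cartesian product."""
    if isinstance(node, str):
        return [(node,)]
    gate, *branches = node
    branch_sets = [raw_cut_sets(b) for b in branches]
    if gate == "OR":
        return [cs for sets in branch_sets for cs in sets]
    if gate == "AND":
        return [sum(combo, ()) for combo in itertools.product(*branch_sets)]
    raise ValueError("unknown gate %r" % gate)

def remove_duplicate_events(cut_set):
    """Step 1: drop an event repeated inside one cut set, keeping first-occurrence order."""
    return tuple(dict.fromkeys(cut_set))

def sort_out_of_order(cut_sets):
    """Step 2: cut sets with the same events in another order have the same semantics."""
    seen, kept = set(), []
    for cs in cut_sets:
        if frozenset(cs) not in seen:
            seen.add(frozenset(cs))
            kept.append(cs)
    return kept

def exclude_derived(cut_sets):
    """Step 3: drop any cut set that strictly contains another one (higher order, same information)."""
    as_sets = [frozenset(cs) for cs in cut_sets]
    return [cs for i, cs in enumerate(cut_sets)
            if not any(j != i and as_sets[j] < as_sets[i] for j in range(len(cut_sets)))]

def minimal_cut_sets(tree):
    cut_sets = [remove_duplicate_events(cs) for cs in raw_cut_sets(tree)]
    cut_sets = exclude_derived(sort_out_of_order(cut_sets))
    return sorted(cut_sets, key=len)  # lower order first; stable, so chain order otherwise

def has_first_order_cut_set(cut_sets):
    """Safety check of the description: does a single-point failure reach the top event?"""
    return any(len(cs) == 1 for cs in cut_sets)

if __name__ == "__main__":
    for cs in minimal_cut_sets(TOP_FAILURE):
        print("order %d:" % len(cs), " & ".join(cs))
    print("first-order cut set present:", has_first_order_cut_set(minimal_cut_sets(TOP_FAILURE)))
```

The five raw cut sets shrink to two minimal ones, one for each monitor condition, and no first-order set remains, so a single-point failure does not reach the top event in this constructed tree.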
As shown in fig. 12, an aircraft traffic monitoring process is taken as an example: the possible state combinations and the minimal cut sets are shown for a dual-redundant integrated on-board equipment monitoring system computer (ispu 1, ispu 2) completing the process, where ispu 2 is the cold standby of ispu 1 and the state of ispu 1 is monitored by a monitor.
As shown in fig. 13 and 14, the state machine models of ispu 1 and ispu 2 executing the traffic threat calculation process are shown, respectively, including the monitor states and the decision structure of the redundant switching mechanism.
In this embodiment, under the dual-redundancy cold standby mechanism the state of the first device is monitored by the monitor; when the first device fails and the failure state is successfully monitored, operation is switched to the cold-standby second device, which can still complete the expected function after being started. However, if the monitor, as a hidden failure, fails earlier than the first device, the backup mechanism is invalid and the upper-layer function cannot be completed, so the minimal cut set search result includes the monitor.
As shown in fig. 15, taking the failure of the top-level traffic monitoring function as an example, the minimal cut sets obtained by the system analysis fall into the following four cases:
[Table: minimal cut sets of the top-level traffic monitoring function failure (four cases); rendered as an image in the original]
As shown in the above table, the safety mechanism is embodied mainly in cut sets 7 and 10, which represent the minimal cut set under normal and abnormal conditions of the monitor, respectively, on the premise of an internal failure of the first device (ispu 1 innefail).
These two minimal cut sets contain the occurrence sequence of the events: the second device cannot be started when the monitor fails to detect the failure of the first device. The monitor is a hidden failure: if it fails before the first device, switching to the second device is impossible and the cut set records the monitor in its failed state; if it fails after the first device, the monitor can still perform its monitoring function at that moment, the cut set records the monitor in its normal state, and the failure modes of the second device are collected further.
The rationality of the design is compared through the minimal cut set list, and satisfaction of the safety requirement is verified by screening the order of the minimal cut sets. When the requirement is that a single-point failure must not have a catastrophic influence, it can be judged whether a first-order cut set exists among the minimal cut sets causing the catastrophic failure; when no first-order cut set exists, the system design is proven to meet the safety requirement.
Of the components, modules, algorithms and operations above, the following are original to the invention, have never been disclosed and do not work in the same way as any prior document: 1. the search for failure causes is carried out directly through the system design model, with cascade failure as the focus; 2. a reverse cause tree structure is designed to structure and visualize the tracing path from the top failure event to the bottom failure cause; 3. the minimal cut set generated automatically by the minimal cut set extraction module contains information on the occurrence sequence of the failure events.
The system takes a functional operation process as the modeling object and a state diagram as the medium; it captures the safety state correlation between design models through trigger event-influence event relationship pairs, designs a reverse cause search algorithm on that basis, recursively extracts the failure cascade relations between different operation process models, and so deduces the root cause of the failure.
The reverse cause tree structure of the system takes as its main form of expression an AND gate structure that combines the logical relation of the existing state, the trigger event and the updated state; a pair of cascade relation mapping lines between a downstream trigger event and an upstream influence event serves as the link, and the system jumps back to the forward process according to the failure influence relation until the root failure is found by the search and marked in the graph, so that several complete failure propagation paths of the operation processes are expressed through one graphical structure.
After the search, the system uses the state as the expression of failure, converting the occurrence sequence of several failures into the combination of normal/abnormal states of the failure events at that moment, and forms a dynamic structure containing the occurrence sequence of the events, so that the conditions under which a failure combination in a specific sequence causes the top failure event can be extracted accurately.
Compared with the prior art, in particular the failure cause analysis of the traditional fault tree, the method is more tightly coupled with the design process and can analyze the cascade propagation relations of failures dynamically together with the design model; it can visualize the failure cascade relations and express, through propagation paths, the combined influence of all functional processes in the global scope on the top failure event; and the minimal cut set it generates carries richer failure sequence information and so describes the failure mechanism more accurately.
The foregoing embodiments may be modified in many different ways by those skilled in the art without departing from the spirit and scope of the invention, which is defined by the appended claims; all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims (7)

1. A graphical system for cascading failure causes based on a SysML model, comprising: the device comprises an operation state model construction unit, a model reading and analyzing unit, a failure cause searching unit and a failure cause display unit, wherein: the operation state model building unit is connected with the model reading and analyzing unit and transmits the information, the model reading and analyzing unit is connected with the failure cause searching unit and transmits the model relation set and the top failure event information, the failure cause searching unit is connected with the failure cause display unit and transmits the failure reverse cause chain starting event, the middle event, the failure cause tree structure and the minimum cut set information, and the failure cause display unit displays the failure cause searching result graphically; the graphical system establishes an interactive relation of system function states based on SysML, generates a failure reverse cause chain by using a cascading failure cause search algorithm, integrates the failure reverse cause chain into a tree structure of failure causes, extracts a cascading failure mapping relation and a root cause failure from a graph and generates a minimum cut set of cascading failure causes;
the cascade failure cause search algorithm is as follows: selecting a top-level unexpected event, recursively tracing a forward causative event of the top-level unexpected event, skipping and searching all upstream influences which cause the event to occur when a cascade relation exists until all possible causative branches are traversed, combining recursive results layer by layer to a recursive function of a father node, and finally generating a failure reverse causative chain containing a failure propagation path syntactic structure;
the failure reverse cause chain comprises: all node elements in the searching process of the failure cause, and the arrangement sequence of all nodes represents the propagation path of the cascade failure;
the node elements include: status and triggering events; the syntactic structure of the arrangement sequence is expressed as: state-state, state-trigger event and trigger event-state;
the tree structure includes: a cascading failure propagation path and a root failure, wherein: the cascade failure propagation path is represented by state nodes and trigger event nodes, the connection relation between the nodes is represented by AND gate branches, OR gate branches and the cascade failure mapping relation, the AND gate represents the combination of the current state and the trigger event, and the OR gate represents cause structures existing in parallel; the root failure is the root cause of the top-layer failure event once the influence of the cascade failure is eliminated, captured as the end event of the failure reverse cause chain;
the cascade failure mapping relation is a connection from a root failure to a cascade failure whose start and end objects are an influence event and a trigger event, wherein: the influence event lies in an upstream failure transfer relation and the trigger event in a downstream failure transfer relation, the cascade influence of one upstream failure can trigger several downstream transfer relations containing derived trigger events, and the mapping from the influence event to the trigger event established in two independent failure cause tree structures forms a complete failure propagation path;
the minimum cut set is a set which covers all root failures and has a unique combination relation by extracting all the root failures of the tree structure, combining the root failures through Cartesian product and screening in a mode of removing duplicate events, sorting out of order queues and excluding derivative cut sets.
2. The SysML model-based cascading failure cause graphical system as recited in claim 1, wherein the operating state model building unit comprises: the system comprises an operation state model building module and a model interactive relation extraction module, wherein the operation state model building module is connected with the model interactive relation extraction module and transmits a state diagram set of the operation state model, the model interactive relation extraction module is connected with a model reading and analyzing unit, the operation state model and the model interactive information are extracted after the state diagram set is analyzed, and the operation state model and the model interactive information are transmitted to a model relation storage unit to serve as background information of cascade failure search.
3. The SysML model-based cascading failure cause graphical system of claim 1, wherein the model reading and parsing unit comprises: the system comprises a model relation storage module and a top failure event setting module, wherein: the model relation storage module receives the interaction information of the running state model and the model from the running state model construction unit, and the model relation storage module and the top failure event setting module are respectively connected with the failure cause searching unit and transmit a model relation set serving as a searching background and a top failure event serving as a searching starting point.
4. The SysML model-based cascade failure cause graphical system of claim 1, wherein the failure cause search unit comprises: a cascade failure search module, a root failure search module, a failure reverse cause chain generation module, a failure cause tree structure generation module and a minimum cut set generation module, wherein: the cascade failure search module and the root failure search module judge cascade failures and root failures through the failure cause search algorithm according to the top-layer failure event; the cascade failure search module and the root failure search module are each connected with the failure reverse cause chain generation module and transmit the cascade failure events and root failure events to it; the failure reverse cause chain generation module integrates them and obtains the failure reverse cause chain; the failure cause tree structure generation module, connected with the failure reverse cause chain generation module, further analyzes the failure reverse cause chain to obtain a failure cause tree structure that can be displayed graphically; and the failure reverse cause chain generation module is connected with the failure cause display unit and transmits the starting event and intermediate events of the cause chain for display;
the failure cause tree structure comprises: the AND gate, the OR gate, the root failure and the cascade failure mapping relation, which the failure cause tree structure generation module transmits to the failure cause display unit connected with it, where the corresponding sub-modules display each of them graphically.
5. The SysML model-based cascade failure cause graphical system of claim 1, wherein the failure cause display unit comprises: a failure reverse cause chain display module, a failure cause tree structure display module and a minimum cut set display module, wherein: the failure reverse cause chain display module receives the starting event and intermediate events of a cause chain transmitted by the failure reverse cause chain generation module of the failure cause search unit in order to display the cause chain; the failure reverse cause chain generation module is connected with the failure cause tree structure generation module and the minimum cut set generation module respectively and transmits the failure reverse cause chain set and the root cause events; and the minimum cut set generation module processes the minimum cut set and transmits it to the minimum cut set display module connected with it for centralized display.
6. The SysML model-based cascading failure cause graphical system of claim 1, wherein the failure cause tree structure display unit comprises: an AND gate display module, an OR gate display module, a root failure display module and a cascade failure mapping relation display module, wherein: the AND gate display module is connected with the failure cause tree structure generation module in the failure cause search unit and receives the AND gate top event and AND gate branch information, the OR gate display module is connected with the failure cause tree structure generation module and receives the OR gate top event and OR gate branch information, the root failure display module is connected with the failure cause tree structure generation module and receives the root failure information, and the cascade failure mapping relation display module is connected with the failure cause tree structure generation module.
7. The SysML model-based cascade failure cause graphical system as recited in claim 1, wherein the AND gate branch is a logic structure that represents that failure transmission needs to satisfy all conditions at the same time, and is formed by the following steps:
1) traversing elements of the failure reverse cause chain from front to back, setting a first state element as an AND gate top event when encountering a state-trigger event structure, setting a second state element as an AND gate subordinate first branch structure, setting a trigger event element as an AND gate subordinate second branch structure, and carrying out the next step; when the structure is not met, continuing to extend the tree structure;
2) judging the forward element of the trigger event: when the trigger event has a forward element, truncating at the forward element of the trigger event and constructing a new tree branch with the forward element as the starting point; when the trigger event has no forward element, taking the trigger event element as the bottom-level root failure;
the forward element is the tail end state of the transfer relation where the upstream influence event of the trigger event is located;
the OR gate branch is a logic structure which shows that failure transmission needs to meet any condition, and is formed by the following steps:
① traversing the elements of the failure reverse cause chain from front to back; when an element is encountered that exists in other failure reverse cause chains and is represented as a state, all elements before it are consistent with the existing chain and the elements after it are inconsistent, carrying out the next step;
② determining whether an OR gate already exists at the element: when no OR gate exists, setting an OR gate at the position of the element and setting the element following it in the chain as one of the branches of the OR gate; when a branch having the same parent node as an existing OR gate is encountered while traversing the new chain, expanding the existing OR gate branch directly.
CN202010154011.0A 2020-03-07 2020-03-07 Cascade failure cause imaging system based on SysML model Active CN111290783B (en)

Publications (2)

Publication Number Publication Date
CN111290783A true CN111290783A (en) 2020-06-16
CN111290783B CN111290783B (en) 2023-04-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant