CN111290783B - Cascade failure cause imaging system based on SysML model - Google Patents


Info

Publication number: CN111290783B
Application number: CN202010154011.0A
Authority: CN (China)
Prior art keywords: failure, cause, event, cascade, model
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111290783A (en)
Inventors: 肖刚, 吴瑀倩, 徐冬蕾, 陈珺仪
Current Assignee: Shanghai Jiaotong University
Original Assignee: Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University
Priority to CN202010154011.0A
Publication of CN111290783A
Application granted
Publication of CN111290783B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/74 Reverse engineering; Extracting design information from source code

Abstract

A cascade failure cause patterning system based on a SysML model: the system establishes the interaction relations of system function states in SysML, generates failure reverse cause chains with a cascade failure cause search algorithm, integrates the chains into a failure cause tree structure, extracts the cascade failure mapping relations and the root failures from the graph, and generates the minimal cut sets of the cascade failure causes. The invention combines the SysML model with the MBSA method to carry out safety analysis and to establish a macroscopic, integrated understanding of the dynamic safety state of the system.

Description

Cascade failure cause imaging system based on SysML model
Technical Field
The invention relates to technology in the field of safety-critical systems, in particular to a cascade failure cause patterning system based on a model in the Systems Modeling Language (SysML) of the Object Management Group (OMG).
Background
Safety is an important aspect of system development. For safety-critical systems, one of the important links in safety analysis is finding the underlying (root) cause of a failure in the context of the system failure. As function integration and design complexity keep increasing, the coupling between physical components is strengthened, which brings greater challenges to failure modeling and to the expression of failure relations. Factors introduced by integration, such as cascade failures and common mode failures, further increase the difficulty of locating failure causes. In the prior art, root failure reasoning is carried out by static analysis, and failure causes are unfolded from a local viewpoint into a parallel tree-shaped branch structure. However, the order in which the various failure causes occur during actual operation of the system, and the cascade relations among them, change the result of the safety analysis; moreover, the operating mechanism of the system and its configuration switching both affect the safety analysis process, so the dynamic order in which events develop cannot be displayed by such methods.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a cascade failure cause patterning system based on a SysML model, which carries out safety analysis by combining the SysML model with the MBSA (model based safety analysis) method and establishes a macroscopic, integrated understanding of the dynamic safety state of the system.
The invention is realized by the following technical scheme:
the invention establishes the interaction relations of system function states based on SysML and generates failure reverse cause chains with a cascade failure cause search algorithm; the chains are integrated into a failure cause tree structure, and then the cascade failure mapping relations and the root cause failures are extracted from the graph and the minimal cut sets of the cascade failure causes are generated.
The invention relates to a cascade failure cause imaging system based on a SysML model, comprising an operation state model construction unit, a model reading and analysis unit, a failure cause search unit and a failure cause display unit, wherein: the model reading and analysis unit is connected to the failure cause search unit and transmits the model relation set and the top-level failure event; the failure cause search unit is connected to the failure cause display unit and transmits the start and intermediate events of the failure reverse cause chains, the failure cause tree structure and the minimal cut sets; and the failure cause display unit graphically displays the failure cause search results.
The operation state model construction unit comprises an operation state model construction module and a model interaction relation extraction module, wherein: the operation state model construction module is connected to the model interaction relation extraction module and transmits the state diagram set of the operation state model; the model interaction relation extraction module is connected to the model reading and analysis unit, parses the state diagram set, extracts the operation state model and the model interaction information, and transmits them to the model relation storage module to serve as background information for the cascade failure search.
The model reading and analysis unit comprises a model relation storage module and a top-level failure event setting module, wherein: the model relation storage module receives the operation state model and model interaction information from the operation state model construction unit; the model relation storage module and the top-level failure event setting module are each connected to the failure cause search unit and transmit, respectively, the model relation set that serves as the search background and the top-level failure event that serves as the search starting point.
The failure cause search unit comprises a cascade failure search module, a root failure search module, a failure reverse cause chain generation module, a failure cause tree structure generation module and a minimal cut set generation module, wherein: the cascade failure search module and the root failure search module are each connected to the failure reverse cause chain generation module and transmit the cascade failure events and the root failure events; the failure reverse cause chain generation module integrates and processes them to obtain the failure reverse cause chains; the failure cause tree structure generation module, which is connected to the failure reverse cause chain generation module, further parses the chains to obtain a failure cause tree structure that can be displayed graphically; and the failure reverse cause chain generation module is connected to the failure cause display unit and transmits the start event and the intermediate events of each cause chain so that the chain can be displayed.
The failure cause tree structure comprises AND gates, OR gates, root failures and cascade failure mapping relations; these are transmitted by the failure cause tree structure generation module to the failure cause display unit connected to it and are graphically displayed by the corresponding sub-modules.
The failure cause display unit comprises a failure reverse cause chain display module, a failure cause tree structure display module and a minimal cut set display module, wherein: the failure reverse cause chain display module receives the start event and the intermediate events of each cause chain from the failure reverse cause chain generation module of the failure cause search unit so as to display the chain; the failure reverse cause chain generation module is connected to the failure cause tree structure generation module and to the minimal cut set generation module and transmits the failure reverse cause chain set and the root cause events; the minimal cut set generation module processes them into the minimal cut sets, which are transmitted to the minimal cut set display module connected to it for centralized display.
The failure cause tree structure display module comprises an AND gate display module, an OR gate display module, a root failure display module and a cascade failure mapping relation display module; these sub-modules receive the AND gate, OR gate, root failure and cascade failure mapping relation information from the failure cause tree structure generation module.
The cascade failure cause search algorithm is as follows: select a top-level unexpected event; recursively trace the forward (upstream) cause events of the top-level unexpected event and, wherever a cascade relation exists, jump the search to all upstream influences that cause the event, until all possible cause branches have been traversed; merge the recursion results layer by layer into the recursion function of the parent node; and finally generate failure reverse cause chains that contain the grammar structure of the failure propagation path.
The failure reverse cause chain comprises all node elements of the failure cause search process, which represent in order the propagation path of the cascade failure.
The node elements comprise states and trigger events; the grammar structure of their arrangement is expressed as: state-state, state-trigger event and trigger event-state.
The tree structure comprises the cascade failure propagation paths and the root failures.
The root cause failure is the root cause of the top-level failure event once the influence of cascade failures has been eliminated; it is captured as the end event of a failure reverse cause chain.
The cascade failure propagation path is represented by state nodes and trigger event nodes, and the connection relations among the nodes are represented by AND gate branches, OR gate branches and cascade failure mapping relations, wherein: an AND gate represents the combination of the current state and the trigger event, and an OR gate represents cause structures that exist in parallel.
The AND gate branch is a logic structure expressing that failure transmission must satisfy all conditions at the same time. It is formed by the following steps: 1. traverse the elements of the failure reverse cause chain from front to back; when a state-trigger event structure (two state elements followed by a trigger event) is encountered, set the first state element as the AND gate top event, the second state element as the first branch under the AND gate and the trigger event element as the second branch under the AND gate, then go to the next step; when no such structure is encountered, continue extending the tree structure; 2. check for a forward element of the trigger event: when the trigger event has a forward element, cut the chain at that forward element and construct a new tree branch starting from it; when the trigger event has no forward element, judge the trigger event element to be the bottom-level root failure.
The forward element is the end state of the transition relation in which the upstream influence event of the trigger event is located.
The OR gate branch is a logic structure expressing that failure transmission need only satisfy any one of several conditions. It is formed by the following steps: 1. traverse the elements of the failure reverse cause chain from front to back; when an element that is a state also exists in another failure reverse cause chain, with all elements before it identical to the existing chain and the elements after it different, go to the next step; 2. check whether an OR gate already exists at that element: when none exists, set an OR gate at the position of the element and make the subsequent elements of the chain one of its branches; when, while traversing a new chain, a branch with the same parent node as an existing OR gate is encountered, expand the new branch directly under the existing OR gate.
The cascade failure mapping relation is a connecting line from a root failure to a cascade failure; its start and end objects are an influence event and a trigger event, wherein: the influence event exists in the upstream failure transfer relation and the trigger event in the downstream failure transfer relation. The cascade influence of one upstream failure can trigger several downstream transfer relations that contain derived trigger events, and the mapping from influence event to trigger event established in the tree structure joins two otherwise independent failure causes into a complete failure propagation path.
The minimal cut set is obtained by extracting all root failures of the tree structure, combining them through Cartesian products, and screening the combinations by removing duplicate events, sorting out-of-order sequences and removing derivative cut sets; the result is a set that covers all root failures and whose combinations are unique.
Technical effects
The invention solves, as a whole, the problem of locating failures in a complex system by combining the cascade failure propagation relations, under the background of a design integration mechanism and dynamic configuration change, and the problem that fault tree cut sets obtained by static search cannot represent the order in which events occur.
Compared with the prior art, the invention realizes dynamic reasoning about the failure propagation path and the root cause failure, lets them be observed visually, and establishes a system-level perception of the failure derivation process; this helps optimize the design and suppress failure propagation, both by avoiding critical root cause failures and by blocking propagation paths. At the same time, the minimal cut set elements generated by the method represent the order in which failures occur, so multiple-failure combinations are described more accurately, which helps the designer devise matching failure mitigation strategies. The invention thus realizes automatic analysis and comprehensive evaluation of the safety state of a complex system. The method is mainly used in the system development stage to verify the rationality of the design and the effectiveness of safety measures; it can also compare the rationality of different design configurations from the safety perspective and optimize the system design.
Drawings
FIG. 1 is a schematic illustration of the present invention;
FIG. 2 is a schematic diagram of the conversion of the SysML model to a dynamic failure causative structure;
FIG. 3 is a schematic diagram of a first state indirect cascade relationship;
FIG. 4 is a schematic diagram of a second state indirect cascade relationship;
FIG. 5 is a schematic diagram of a cascade failure cause search algorithm;
FIG. 6 is a schematic diagram of a failure reverse-cause chain syntax structure resolution;
FIG. 7 is a schematic diagram of a cascade failure AND gate configuration;
FIG. 8 is a schematic diagram of a failure cause patterning algorithm;
FIG. 9 is a schematic diagram of a failure cause tree structure;
FIG. 10 is a schematic diagram of a failure cause tree structure that labels the cascade relationship of failures;
FIG. 11 is a schematic diagram of a minimal cut set search algorithm;
FIG. 12 is a schematic diagram of a dual redundancy switch function process;
FIG. 13 is a schematic diagram of a functional process trunk branch operational state transition relationship;
FIG. 14 is a schematic diagram of a functional process backup branch operational state transition relationship;
FIG. 15 is a schematic diagram of a minimal cut set search result;
FIG. 16 is a schematic diagram of a cascade failure cause patterning system based on the SysML model.
Detailed Description
As shown in FIG. 1 and FIG. 2, this embodiment relates to a cascade failure cause patterning system based on a SysML model. It uses the Systems Modeling Language, SysML, to describe the operation state model of the system functions; following the state machine principle, it describes the explicit and implicit cascade relations among system operation states by combining trigger events and influence events, and extracts and stores these relations in a database. A cascade failure cause search algorithm with a three-layer nested structure outputs the failure propagation paths as cascade failure reverse cause chains. A reverse cause tree structure of the cascade failure is then established, in which the cause of a failure is represented by an AND gate branch structure of the current state and its trigger event, parallel cause structures are represented by OR gates, the cascade failure mapping relations and root failures are marked in the structure, and the minimal cut sets of the top-level unexpected event are generated.
This embodiment relates to the patterning method of the system, which comprises the following steps:
Step one: establish the interaction relations of the system function states based on SysML.
The interaction relations are based on the various operation processes of the system functions, expressed by state diagrams of the SysML model; the operating mechanism of the system is represented by state combinations and transition relations, and through them the mutual influence between functions.
The state diagram comprises states and state transition relations, whose combination represents the specific operating mechanism of one process of the system.
The set of state diagrams is the set of system operation processes; one state diagram represents one operation process.
The states are divided into idle, running, degraded and disabled, representing the normal and abnormal states of the system.
The state transition relation is a state cascade relation that represents a function process by combining trigger events and influence events; it is divided into direct cascade relations and indirect cascade relations, wherein: a direct cascade relation takes the form of a trigger event/influence event combination on an adjacent state transition relation. The transition between states of the same process may be made directly, or the conditions that must be met for the transition are represented by a trigger event and the influence caused by the transition by an influence event; within one combination the abstraction level of the trigger event is lower than or equal to that of the influence event, and an association rule is provided. An indirect cascade relation is represented by a mapping pair consisting of an influence event in an upstream state transition relation and the trigger event in a downstream transition relation that it causes.
The trigger event is the condition for a state transition in the failure mode.
The influence event is the influence caused by a state transition in the failure mode.
The association rule between trigger events and influence events is coupled with the system operation state framework and has an upstream-downstream relation: the influence event in an upstream combination covers the trigger event in the downstream combination, one influence event may trigger several downstream trigger events at the same time, and one trigger event may successively trigger several subsequent influence events; combining the two rules further extends the kinds of state cascade relation that can be expressed, and the interaction relations between models are stored in the database.
The failure modes are derived from the system failure mode and effects analysis (FMEA) and from the inherent failure modes of components, and are transformed into failure states or related abnormal states as the model abstraction level rises.
The specific forms of the indirect cascade relation are: 1. one state transition induces simultaneous transitions of several states; specifically, the trigger event that affects the transition between two states of one process causes the transition conditions of several states in other processes to be triggered simultaneously, as shown in FIG. 3. 2. One state transition is accompanied by a cascade of subsequent state transitions; specifically, the trigger event at the current moment generates a corresponding influence event, which in turn triggers the trigger events of other processes at the next moment, so that the influence propagates, as shown in FIG. 4.
The association relations between the model information and the models stored in the database are shown in the following tables:

TABLE 1 model information

  Model name          Fields
  Model type          Object_Type
  Construction shape  Stereotype
  Model membership    Parent_ID

TABLE 2 model association relationship

  Model association relation type                 Fields
  Model association relation construction model   Stereotype
  Association relation start and end              Start_Object_ID, End_Object_ID
  State transition trigger event                  trigger
  State transition influence event                effect
Step two: generate the failure reverse cause chains with the cascade failure cause search algorithm based on the interaction relations.
The algorithm comprises three nested loop layers from inside to outside, namely an inner layer, a middle layer and an outer layer, and the cause search is carried out by the cascade failure reverse cause search algorithm, wherein:
the inner layer searches the state transition relation in which the forward influence of an event occurs: it performs a recursive reverse depth-first search on the state matrix corresponding to a given state and, during that search, according to the trigger event/influence event mechanism of the transition relation, finds in global scope all forward influences that cause the trigger event to take effect, then recurses further from the end state of the transition relation in which the trigger event occurs, thereby tracing the cascade influence relation forward;
the middle layer is the top-level calling mechanism: it carries out the forward search starting from the specified input state and trigger event and generates the corresponding root failure chains;
the outer layer, on the basis of the direct cause factor search, carries out a further forward search of the cause relations of each current-state branch that could not be fully traversed because of the jump between trigger event and transfer relation during the search, and merges the result with the original search results to obtain a complete set of chains covering all root cause events and failure propagation paths.
The reverse cause search algorithm selects the top-level unexpected event and searches the upstream states in reverse according to the following steps, as shown in FIG. 5:
1) Determine whether the event has a forward state.
When a forward state exists, select one element of the forward state set as a branch by a depth-first strategy and search it in reverse; when no forward state exists, jump directly to step 4).
2) Determine whether a trigger condition exists on the transition relation between the event and the forward state.
When no trigger condition exists, continue the forward recursive search from the forward state; when a trigger condition exists, go to step 3).
3) Search for the upstream influence event of the trigger event according to the trigger event/influence event combination. When an upstream influence exists, store the current state in an independent set, jump to the end state of the transfer relation in which the influence event is located and continue the forward recursive search; when no upstream influence exists, set the trigger event as a bottom-level source failure, end this level of recursion, return the search result to the recursion function one level up, and go to step 4).
4) Determine whether the set of upstream nodes of the node has been fully visited.
When it has not, after the current branch search is complete, carry out the cause search of the next forward state of the node until all upstream states of the node have been traversed; merge the final search results in the form of event chains and return them to the search function one level up, until the results return to the top-level unexpected event, where they are collected into the set of failure reverse cause chains.
5) Because the trigger event/influence event chain of a cascade relation makes the search jump midway, some branches cannot be traversed; therefore the cause relations of the start-state branches of the transfer relations with trigger events encountered during the search are searched forward on the basis of the direct cause chains and merged with the original search result, finally giving cause chains that completely cover all root failures and failure propagation paths.
The recursion contains three main loops: the first loop traverses each upstream node of the node once the search starting point is determined, and recurses further when the transition has no trigger condition; the second loop traverses each upstream node of the node and, when the transition has a trigger condition and an upstream influence exists, jumps to the transfer relation in which the influence is located for further forward recursion; the third loop traverses each upstream node of the node and, when the transition has a trigger condition but no upstream influence exists, sets the trigger condition as a source failure and returns the cause search result to the recursion one level up, which then searches the other upstream nodes.
The end conditions of the recursion are: the search reaches the start state node of a process, or a trigger event of a certain transition has no upstream influence; the search results are then returned to the recursive function one level up.
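As an added illustration (not code from the patent), the following Python carries out the three-layer reverse cause search of step two on a small constructed operation state model. The transitions, state names and event names are invented; the one modelling assumption is that an influence event links to a downstream trigger event of the same name, which is the association rule described above.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Transition:
    """One transition of the operation state model: src -> dst, optionally
    guarded by a trigger event and optionally emitting an influence (effect)
    event.  An effect name equal to a trigger name is the association rule
    that links an upstream transition to a downstream one (assumption)."""
    src: str
    dst: str
    trigger: Optional[str] = None
    effect: Optional[str] = None


# Constructed toy model (not the patent's FIG. 12-14 example): two function
# processes P1/P2 and one physical component PHYA; all names are invented.
MODEL: List[Transition] = [
    Transition("P2.idle", "P2.running"),
    Transition("P2.running", "P2.failed", trigger="P1_FAIL"),
    Transition("P1.idle", "P1.running"),
    Transition("P1.running", "P1.failed", trigger="PHY_A_FAIL", effect="P1_FAIL"),
    Transition("P1.running", "P1.failed", trigger="PHY_B_FAIL", effect="P1_FAIL"),
    Transition("PHYA.ok", "PHYA.broken", trigger="OVERHEAT", effect="PHY_A_FAIL"),
]

Chain = Tuple[str, ...]  # chain order: state, state, trigger, state, ...


class ReverseCauseSearch:
    def __init__(self, model: List[Transition]):
        self.model = model
        # the "independent set" of step 3: current states whose own causes were
        # skipped by a cascade jump and are searched later by the outer layer
        self.deferred: List[str] = []

    def forward_transitions(self, state: str) -> List[Transition]:
        """Transitions ending in `state`, i.e. its forward (upstream) states."""
        return [t for t in self.model if t.dst == state]

    def upstream_end_states(self, trigger: str) -> List[str]:
        """End states of the transitions whose influence event feeds `trigger`."""
        ends: List[str] = []
        for t in self.model:
            if t.effect == trigger and t.dst not in ends:
                ends.append(t.dst)
        return ends

    def search(self, state: str, visited: FrozenSet[str] = frozenset()) -> List[Chain]:
        """Inner layer: reverse depth-first recursion from one state (steps 1-4)."""
        if state in visited:                  # cycle guard: treat as chain end
            return [(state,)]
        visited = visited | {state}
        chains: List[Chain] = []
        for t in self.forward_transitions(state):            # step 1
            if t.trigger is None:                              # step 2: direct transition
                chains += [(state,) + tail for tail in self.search(t.src, visited)]
                continue
            ends = self.upstream_end_states(t.trigger)         # step 3
            if not ends:                                       # no upstream influence: root
                chains.append((state, t.src, t.trigger))
                continue
            if t.src not in self.deferred:
                self.deferred.append(t.src)
            for end in ends:                                   # cascade jump
                chains += [(state, t.src, t.trigger) + tail
                           for tail in self.search(end, visited)]
        return chains or [(state,)]   # no forward state: start state of a process

    def run(self, top_event: str) -> List[Chain]:
        """Middle layer (search from the top unexpected event) plus outer layer
        (step 5: causes of the states skipped by cascade jumps)."""
        chains = self.search(top_event)
        done = {top_event}
        i = 0
        while i < len(self.deferred):          # deferred may grow while searching
            s = self.deferred[i]
            i += 1
            if s not in done:
                done.add(s)
                chains += [c for c in self.search(s) if len(c) > 1]
        return chains


def root_failures(chains: List[Chain], model: List[Transition]) -> List[str]:
    """Chain end elements that are trigger events are the bottom-level root failures."""
    triggers = {t.trigger for t in model if t.trigger}
    return sorted({c[-1] for c in chains if c[-1] in triggers})


if __name__ == "__main__":
    found = ReverseCauseSearch(MODEL).run("P2.failed")
    for c in found:
        print("final:", " ".join(c))
    print("root failures:", root_failures(found, MODEL))
```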
Step three: integrate the failure reverse cause chains into a graphical failure cause tree structure and extract the cascade failure mapping relations and the root failures from the graph.
The failure reverse cause chain comprises all node elements of the failure cause search process, which represent in order the propagation path of the cascade failure.
The node elements comprise states and trigger events; their arrangement is expressed by the relation between adjacent elements, with the specific grammar structures state-state, state-trigger event and trigger event-state. The combination of the three grammar structures captures the cascade jump action of a failure, and the end of the chain represents the root failure.
The three grammars are: first grammar: a state directly connected to a state, where the downstream connection of the latter node is not a trigger event, expresses a direct transfer relation between the two nodes; second grammar: a state directly connected to a state, where the downstream connection of the latter node is a trigger event, means that the latter node is the current state and the former node is the updated state into which the current state moves under the influence of the trigger event; third grammar: a trigger event directly connected to a state means that a downstream state switch produced the trigger event, and that state is the current state after the switch.
The pattern of the second grammar forms the AND gate that leads to the state change: the updated state is the AND gate top event, and the current state and the trigger event are the subordinate branches of the AND gate. The state downstream of the trigger event is the corresponding state in another process, traced back upward through the influence event/trigger event relation, that caused the trigger event to be activated, and the reverse cause search continues from it.
As shown in FIG. 6, this embodiment represents the reasoning process for the top-level failure cause by the following two failure reverse cause chains:
final: state15 state14 PRO2FAIL state13 state12 PRO1FAIL state11 state6 state5 state3 PHY1FAIL state9 state8 TRIGG1;
final: state15 state14 PRO2FAIL state13 state12 PRO1FAIL state11 state6 state5 state4 PHY2FAIL.
For example, parsing the event cause chains of FIG. 6 according to the failure reverse cause chain grammar gives the failure cause tree shown in FIG. 9 and FIG. 10; from the tree structure it can be seen that the TRIGG1 event of PROCESS1 and the PHY2FAIL event of PROCESS0 are the source failures that would prevent the function of the top-level PROCESS4 from being carried out normally.
As shown in fig. 8, in this embodiment the failure cause patterning algorithm traverses all failure reverse cause chains to generate the failure cause patterning structure. The algorithm comprises the following steps:
1) Judging the position of the chain's initial event.
When the chain shares its initial event with an existing chain, or its initial event already exists in an existing tree structure, the search starting point is positioned there, the tree structure is built further from that position, and the chain is searched from front to back; when the chain's initial event does not exist in any existing tree structure, an independent tree-branch cause structure is set up with that initial event as its starting point.
2) Traversing the chain elements from front to back.
Each element of the chain is compared in sequence against the existing chains; when an element of the chain exists in another cause chain and is a state, all elements before it agree with the existing chain and the elements after it differ, the algorithm enters step 3).
3) Judging whether an OR gate exists at the node.
If no OR gate exists, an OR gate is set at the position of the element, and the element's successor in the chain is set as one of the branches of the OR gate; when the traversal of a new chain meets a branch with the same parent node as an existing OR gate, the existing OR gate's branches are expanded directly.
4) Judging whether an AND gate exists at the node, as shown in fig. 8.
For any element of the chain, when a state-trigger event structure exists, the first state element is set as the AND gate top event, the second state element as the first branch under the AND gate and the trigger event element as the second branch under the AND gate, and the algorithm enters step 5); when no state-trigger event structure exists, the tree structure continues to extend downward.
5) Judging whether the trigger event has a forward element.
When a forward element exists, the chain is cut at the position of the trigger event's forward element, a new tree branch is constructed with that element as its starting point, and the forward search continues; the forward element is the end state of the transition relation in which the upstream influence event of the trigger event is located. When no forward element exists, the trigger event element is the bottom-layer root cause failure.
6) Labeling the cascade failure mapping relations and the root failures.
The cascade failure mapping relations are marked in the tree structure according to the triggering conditions and influence relations of the cascade failures, to represent the propagation paths, and the root cause failures are marked to represent the root causes of the top-layer failure.
Root failures are obtained by capturing the cascade jump action of a failure and tracing forward step by step; each root failure appears as a trigger event node at the bottom of the failure cause tree structure and is highlighted in the figure.
The cascade failure propagation path is represented by AND gate branches, OR gate branches and the cascade failure mapping relation, wherein the AND gate represents the combination of the current state and the trigger event, and the OR gate represents cause structures that exist in parallel.
The AND gate structure takes the failure state as its top event and the current state of the system and the trigger event as the two branches beneath it. The trigger event can be searched further in reverse toward the upstream cause that made it occur, covering the affected state transition chain: it can be traced forward continuously, jumping to the trigger causes in other subtrees, while the current state can be traced back further within the existing structure until the initial end state or the bottom-layer cause event of the current process is reached.
The cascade failure mapping relation is a connecting line from a root failure to a cascade failure whose start and end objects are an influence event and a trigger event respectively, wherein: the influence event belongs to the upstream failure transfer relation and the trigger event to the downstream failure transfer relation; the cascade influence of one upstream failure can cause several downstream transfer relations containing derived trigger events to be triggered; and the mapping from influence event to trigger event established in the tree structure joins the two independent failure causes into a complete failure propagation path.
Step four: generating the minimum cut sets of the cascade failure causes based on the tree structure.
As shown in fig. 11, the minimum cut sets are obtained by extracting all root failures of the tree structure, combining the root failures through Cartesian products, and screening by removing duplicate-name events, sorting out-of-order queues and removing derived cut sets, so as to obtain a set that covers all root failures and has unique combination relations. The specific operations are as follows:
1) Removing duplicate-name events.
Events that are triggered repeatedly inside the same minimal cut set because of redundant structures and system configurations are excluded.
2) Sorting out-of-order queues.
The set of existing minimum cut sets is traversed, and cut sets that have the same semantics but differ only in the order of their events are removed.
3) Excluding derived cut sets.
The inclusion relations between different minimum cut sets are refined, and higher-order cut sets that contain the same information as a lower-order one are removed.
As shown in fig. 12, taking the aircraft traffic monitoring process as an example, the dual-redundant state combinations and the possible minimum cut sets when the on-board equipment integrated monitoring system computers (issu 1, issu 2) complete the process are presented, where issu 2 is the cold standby of issu 1 and the state of issu 1 is watched by a monitor.
As shown in figs. 13 and 14, the state machine models of the traffic threat computation processes performed by issu 1 and issu 2 are shown respectively, including the judgment structure for the monitor state and the redundancy switching mechanism.
In this embodiment, under the dual-redundancy cold standby mechanism the state of the first device is watched by the monitor; when the first device fails and its failure state is successfully monitored, the system switches to the cold standby second device, which can still complete the expected function once started. However, if the monitor fails earlier than the first device as a hidden failure, the backup mechanism is ineffective, the upper-layer function cannot be completed, and the minimum cut set search result includes the monitor.
As shown in fig. 15, taking the failure of the top-level traffic monitoring function as an example, the minimum cut sets obtained by the system analysis fall into the following four cases:
[Table of the four minimum cut set cases; rendered as an image in the original and not reproduced here.]
As shown in the above table, for the safety mechanism, the minimum cut sets under the normal and abnormal conditions of the monitor are represented by cut sets 7 and 10 respectively, on the premise of an internal failure of the first device (issu 1 INNERFAIL).
These two minimum cut sets include the order in which the events occur. The second device cannot be started when the monitor fails to detect the failure of the first device, and the monitor failure is a hidden one: if it occurs earlier than the failure of the first device, the system cannot switch to the second device and the monitor is in the abnormal monitor state; if it occurs later than the failure of the first device, the monitor can still perform its monitoring function normally at that moment, so the monitor is in the normal monitor state, and the failure modes of the second device can then be collected further.
The minimum cut set list allows the rationality of the design to be checked, and satisfaction of the safety requirements is verified by screening the orders of the minimum cut sets. When a single-point failure must not cause a catastrophic effect, it can be judged whether a first-order cut set exists among the minimum cut sets that cause the catastrophic failure; when no first-order cut set exists, the system design is shown to meet the safety requirement.
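The tree construction of steps 1) to 6) and the minimum cut set screening with the first-order check described above, as an added Python example that is not the patent's code: it assumes a simplified chain grammar and constructed event names for the dual-redundancy monitoring scenario (issu 1, issu 2, monitor), and does not model forward-element jumps between processes.

```python
"""Added example (not the patent's code): failure cause tree + minimal cut sets
from reverse cause chains, under a simplified grammar assumed here:
    chain = state ( trigger state | state )*   # tokens from top event backwards
    "state trigger state" -> updated state = AND(current state, trigger)
    "state state"         -> plain transition; a chain ends at an initial state
Forward-element jumps (patent step 5) are not modelled, so every trigger is a
root failure. Constructed state tokens carry the prefix "S:"; triggers do not."""


class CauseTree:
    def __init__(self):
        self.alts = {}      # state -> list of (trigger or None, earlier state)
        self.roots = set()  # trigger events with no forward element

    def add_chain(self, chain):
        """Merge one chain (patent steps 1-4, 6): reuse existing states, a second
        alternative below a state forms an OR gate, a triple forms an AND gate."""
        i = 0
        while i + 1 < len(chain):
            cur, nxt = chain[i], chain[i + 1]
            if not cur.startswith("S:"):
                raise ValueError("expected a state token, got " + cur)
            if nxt.startswith("S:"):          # plain state-state transition
                alt, i = (None, nxt), i + 1
            else:                             # AND gate: state trigger state
                if i + 2 >= len(chain):
                    raise ValueError("trigger %s lacks its current state" % nxt)
                alt, i = (nxt, chain[i + 2]), i + 2
                self.roots.add(nxt)
            branches = self.alts.setdefault(cur, [])
            if alt not in branches:           # new alternative -> OR branch
                branches.append(alt)
        self.alts.setdefault(chain[-1], [])  # initial end state: no recorded cause

    def or_gates(self):
        return {s for s, b in self.alts.items() if len(b) > 1}

    def raw_cut_sets(self, state, seen=frozenset()):
        """Cartesian combination of root failures below `state`, each tuple in
        occurrence order (earlier causes first); OR = union, AND = append trigger."""
        if state in seen:                     # guard against cyclic chains
            return []
        branches = self.alts.get(state, [])
        if not branches:                      # initial end state holds unconditionally
            return [()]
        out = []
        for trig, earlier in branches:
            for partial in self.raw_cut_sets(earlier, seen | {state}):
                out.append(partial + ((trig,) if trig else ()))
        return out


def minimal_cut_sets(raw):
    """Screening steps: 1) drop duplicate names, 2) merge order-only differences,
    3) drop derived cut sets that contain a smaller one."""
    by_key = {}
    for cs in raw:
        cs = tuple(dict.fromkeys(cs))            # 1) unique names, order kept
        by_key.setdefault(frozenset(cs), cs)     # 2) first-seen order represents the set
    minimal = []
    for key in sorted(by_key, key=len):          # 3) smaller sets first
        if not any(m < key for m in minimal):
            minimal.append(key)
    return [by_key[k] for k in minimal]


def has_single_point_failure(cut_sets):
    """Patent's safety check: a first-order cut set is a single point of failure."""
    return any(len(cs) == 1 for cs in cut_sets)


TOP = "S:MON_FUNC_LOST"
# Constructed chains for the dual-redundant scenario (issu 1 primary, issu 2 cold
# standby, a monitor watching issu 1); all state and event names are invented.
CHAINS = [
    # primary fails while monitored, switch to issu 2 succeeds, then issu 2 fails
    [TOP, "ISSU2_FAIL", "S:RUNNING_ON_ISSU2", "ISSU1_INNERFAIL", "S:MONITORED_ISSU1"],
    # monitor hidden failure first, so the later primary failure is never switched
    [TOP, "ISSU1_INNERFAIL", "S:UNMONITORED_ISSU1", "MONITOR_HIDDENFAIL", "S:MONITORED_ISSU1"],
    # same two events as the first chain in the other order (standby dead first)
    [TOP, "ISSU1_INNERFAIL", "S:ISSU2_ALREADY_DEAD", "ISSU2_FAIL", "S:MONITORED_ISSU1"],
    # a switch retry re-triggers ISSU2_FAIL: duplicate name inside one cut set
    [TOP, "ISSU2_FAIL", "S:SWITCH_RETRY", "ISSU2_FAIL", "S:RUNNING_ON_ISSU2"],
    # three-event path that contains the first cut set: a derived cut set
    [TOP, "ISSU2_FAIL", "S:LATE_SWITCH", "MONITOR_HIDDENFAIL", "S:RUNNING_ON_ISSU2"],
]


def analyse(chains=CHAINS, top=TOP):
    tree = CauseTree()
    for chain in chains:
        tree.add_chain(chain)
    raw = tree.raw_cut_sets(top)
    return tree, raw, minimal_cut_sets(raw)
```

Running `analyse()` on the constructed chains yields five raw cut sets that screen down to two minimal ones, neither of first order, so the dual-redundancy design passes the single-point-failure check.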
The following components/modules/algorithms/operations are inventive in the present invention, have never been disclosed, and work differently from any prior document: 1. taking cascade failure as the point of concern and searching the failure causes directly through the system design model; 2. designing the reverse cause tree structure, which realizes the structuring and visualization of the trace-back path from a top-layer failure event to the bottom-layer failure causes; 3. automatically generating, in the minimal cut set extraction module, minimal cut sets that contain the failure event occurrence order information.
The system takes a functional operation process as the modeling object and a state diagram as the medium, captures the safety-state correlations between design models through trigger event/influence event relation pairs, designs a reverse cause search algorithm, recursively extracts the failure cascade relations among different operation process models, and deduces the root causes of failure.
The system uses an AND gate structure formed by combining the logical relations of the existing state, the trigger event and the updated state as its main form of expression, uses the cascade relation mapping pairs connecting a downstream trigger event with an upstream influence event as the tie, and jumps and traces to the forward process according to the influence relations of the failure until the root failure is found and marked in the graph, thereby representing through a graphical structure a complete failure propagation path that crosses several running processes.
Based on the system's search, the state is used as the expression of failure, the occurrence order of several failures is converted into the combination of the normal/abnormal states of the failure events at that moment, and a dynamic structure containing the event occurrence order is formed, so that the conditions under which a failure combination in a specific order causes the top-layer failure event can be extracted accurately.
Compared with the prior art, i.e. the failure cause analysis method of the traditional fault tree, the system is more tightly coupled with the design process and can dynamically analyze the cascade propagation relations of failures in combination with the design model; it visualizes the failure cascade relations and represents, through the propagation paths, the comprehensive influence of all functional processes in the global scope on the top-level failure event; meanwhile, the minimum cut sets it generates carry richer failure order information and can describe the failure mechanism more accurately.
The foregoing embodiments may be modified in numerous ways by those skilled in the art without departing from the principles and spirit of the invention, the scope of which is defined by the claims and not by the foregoing embodiments; all such implementations fall within the scope of the invention.

Claims (7)

1. A cascade failure cause patterning system based on a SysML model, comprising an operation state model construction unit, a model reading and analyzing unit, a failure cause searching unit and a failure cause display unit, wherein: the model reading and analyzing unit is connected with the failure cause searching unit and transmits the model relation set and the top-level failure event information; the failure cause searching unit is connected with the failure cause display unit and transmits the initial and intermediate events of the failure reverse cause chains, the failure cause tree structure and the minimum cut set information; and the failure cause display unit graphically displays the failure cause search results; the patterning system establishes the interaction relations of system function states based on SysML, generates failure reverse cause chains with a cascade failure cause searching algorithm, integrates the failure reverse cause chains into a failure cause tree structure, extracts the cascade failure mapping relations and root cause failures from the graph, and generates the minimum cut sets of the cascade failure causes;
the cascade failure cause searching algorithm is as follows: a top-level unexpected event is selected and its forward cause events are traced recursively; when a cascade relation exists, the search jumps to all upstream influences that cause the event, until all possible cause branches have been traversed; the recursion results are combined layer by layer into the recursion function of the parent node, and finally a failure reverse cause chain comprising the failure propagation path grammar structure is generated;
the failure reverse cause chain comprises all node elements of the failure cause searching process, and the arrangement order of the nodes represents the propagation path of the cascade failure;
the node elements include states and trigger events, and the grammar structure of their arrangement order is expressed as: state-state, state-trigger event, and trigger event-state;
the tree structure comprises cascade failure propagation paths and root failures, wherein: the cascade failure propagation path is represented by state nodes and trigger event nodes, the connection relations between nodes are represented by AND gate branches, OR gate branches and the cascade failure mapping relation, the AND gate represents the combination of the current state and the trigger event, and the OR gate represents cause structures that exist in parallel; root cause failure refers to the root cause that, under the influence of cascade failure, leads to the top-layer failure event, and is captured as the end event of the failure reverse cause chain;
the cascade failure mapping relation is a connecting line from a root failure to a cascade failure whose start and end objects are an influence event and a trigger event respectively, wherein: the influence event belongs to the upstream failure transfer relation and the trigger event to the downstream failure transfer relation; the cascade influence of one upstream failure can cause several downstream transfer relations containing derived trigger events to be triggered; and the mapping from influence event to trigger event established in the tree structure joins the two independent failure causes into a complete failure propagation path;
the minimum cut sets are obtained by extracting all root failures of the tree structure, combining them through Cartesian products, and screening by removing duplicate events, sorting out-of-order sequences and removing derived cut sets, giving a set that covers all root failures and has unique combination relations.
2. The cascade failure cause imaging system based on the SysML model according to claim 1, wherein said operation state model construction unit comprises an operation state model construction module and a model interaction relation extraction module, wherein: the operation state model construction module is connected with the model interaction relation extraction module and transmits the state diagram set of the operation state model; the model interaction relation extraction module is connected with the model reading and analyzing unit, analyzes the state diagram set, extracts the operation state model and model interaction information, and transmits them to the model relation storage unit to serve as the background information for the cascade failure search.
3. The system for patterning cascading failure causes based on the SysML model as claimed in claim 1, wherein said model reading and parsing unit comprises a model relation storage module and a top-level failure event setting module, wherein: the model relation storage module receives the operation state model and model interaction information from the operation state model construction unit; the model relation storage module and the top-level failure event setting module are each connected with the failure cause searching unit and transmit, respectively, the model relation set serving as the search background and the top-level failure event serving as the search starting point.
4. The system for patterning cascade failure causes based on the SysML model according to claim 1, wherein said failure cause search unit comprises a cascade failure search module, a root failure search module, a failure reverse cause chain generation module, a failure cause tree structure generation module and a minimum cut set generation module, wherein: the cascade failure search module and the root failure search module are each connected with the failure reverse cause chain generation module and transmit the cascade failure events and root failure events to it, and the failure reverse cause chain generation module integrates and processes them to obtain the failure reverse cause chains; the failure cause tree structure generation module, connected with the failure reverse cause chain generation module, further analyzes the failure reverse cause chains to obtain a failure cause tree structure that can be displayed graphically; and the failure reverse cause chain generation module is connected with the failure cause display unit and transmits the initial and intermediate events of the cause chains so that the cause chains can be displayed;
the failure cause tree structure comprises the AND gates, OR gates, root failures and cascade failure mapping relations, which are transmitted by the failure cause tree structure generation module to the failure cause display unit connected with it and are displayed graphically by the corresponding submodules.
5. The system for patterning cascade failure causes based on the SysML model according to claim 1, wherein said failure cause display unit comprises a failure reverse cause chain display module, a failure cause tree structure display module and a minimum cut set display module, wherein: the failure reverse cause chain display module receives the initial and intermediate events of the cause chains transmitted by the failure reverse cause chain generation module of the failure cause search unit so as to display the cause chains; the failure reverse cause chain generation module is connected with the failure cause tree structure generation module and the minimum cut set generation module respectively and transmits the set of failure reverse cause chains and the root cause events; the minimum cut sets are processed by the minimum cut set generation module and transmitted to the minimum cut set display module connected with it, where they are displayed together.
6. The cascade failure cause imaging system based on the SysML model according to claim 1, wherein said failure cause tree structure display unit comprises an AND gate display module, an OR gate display module, a root failure display module and a cascade failure mapping relation display module, wherein: the AND gate display module, the OR gate display module, the root failure display module and the cascade failure mapping relation display module receive, respectively, the AND gate, OR gate, root failure and cascade failure mapping relation information from the failure cause tree structure generation module and display it.
7. The cascade failure cause imaging system based on the SysML model as claimed in claim 1, wherein the AND gate branch is a logic structure showing that all conditions must be satisfied simultaneously for the failure to propagate, and is formed by the following steps:
1) traversing the elements of the failure reverse cause chain from front to back; when a state-trigger event structure is met, the first state element is set as the AND gate top event, the second state element as the first branch under the AND gate and the trigger event element as the second branch under the AND gate, and the next step is carried out; when no such structure is met, the tree structure continues to extend;
2) judging the forward element of the trigger event: when the trigger event has a forward element, the chain is cut at that forward element and a new tree branch is constructed with it as the starting point; when the trigger event has no forward element, the trigger event element is judged to be a bottom-layer root failure;
the forward element is the end state of the transition relation in which the upstream influence event of the trigger event is located;
the OR gate branch is a logic structure showing that the failure propagates when any one condition is met, and is formed by the following steps:
(1) traversing the elements of the failure reverse cause chain from front to back; when an element is met that exists in another failure reverse cause chain and is a state, with all elements before it consistent with the existing chain and the elements after it inconsistent, the next step is carried out;
(2) judging whether an OR gate already exists at the element: when no OR gate exists, an OR gate is set at the position of the element and the element's successor in the chain is set as one of the OR gate's branches; when the traversal of a new chain meets a branch with the same parent node as an existing OR gate, the existing OR gate's branches are expanded directly below it.
CN202010154011.0A 2020-03-07 2020-03-07 Cascade failure cause imaging system based on SysML model Active CN111290783B (en)


Publications (2)

Publication Number Publication Date
CN111290783A CN111290783A (en) 2020-06-16
CN111290783B true CN111290783B (en) 2023-04-28


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112464463B (en) * 2020-11-23 2022-09-06 上海交通大学 Flight process-based simulation implementation method for parameter-oriented functional model

Citations (5)

Publication number Priority date Publication date Assignee Title
JPH07129375A (en) * 1993-11-05 1995-05-19 Hitachi Ltd Method and device for programming system state transition
CN104298803A (en) * 2013-07-15 2015-01-21 波音公司 System and method for assessing cumulative effects of a failure in an aircraft
CN108376221A (en) * 2018-02-27 2018-08-07 哈尔滨工业大学 A kind of software system security verification and appraisal procedure based on AADL model extensions
CN110502211A (en) * 2019-08-02 2019-11-26 中国航空无线电电子研究所 A kind of AADL model construction method based on SysML module map
CN110765568A (en) * 2019-08-23 2020-02-07 清华大学 Complex system design and security analysis integration method based on SysML

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8862491B2 (en) * 2009-01-15 2014-10-14 International Business Machines Corporation System and method for creating and expressing risk-extended business process models


Non-Patent Citations (2)

Title
Hong Sun et al. The Mechanical Properties of Naturally Deposited Soft Soil under True Three-Dimensional Stress States. Geotechnical Testing Journal. 2019, 1370-1383. *
吴建民 et al. Spiral development method for avionics systems based on prototype simulation. Systems Engineering and Electronics. 2007, (03), 160-163. *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant