JP2011022774A - Availability evaluation device, computer program and availability evaluation method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To evaluate a target system with high accuracy. <P>SOLUTION: An operation model storage part 110 stores an operation model for each of one or more actions to be executed by components constituting the system to be evaluated. A simulation execution part 130 simulates system operation based on an operation model stored in the operation model storage part 110. A failure occurrence decision part 141 decides failure occurrence time based on the system operation simulated by the simulation execution part 130. A recovery decision part 142 decides recovery time based on the system operation simulated by the simulation execution part 130. An availability calculation part 149 calculates an availability evaluation value based on the failure occurrence time decided by the failure occurrence decision part 141 and the recovery time decided by the recovery decision part 142. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an availability evaluation apparatus that evaluates system availability by simulating a system to be evaluated.

  In developing a system such as a control system, before developing software or hardware, it is evaluated whether an availability requirement can be realized by using a system design model that defines an operation specification of the system. In the case of a system that returns a response to an external input in real time, such as a control system, a state transition model is suitable as a system design model, and availability is calculated using this state transition model.

JP 2006-127464 A JP 2005-316696A JP 2007-299081 A JP 2007-122039 A JP 2005-275749 A JP 2006-99308 A

Yoshihiro Toma, "Fault Tolerant System", pages 185-200, IEICE, June 1990.

In the conventional availability evaluation method, the system availability is evaluated by calculating a steady-state value. For this reason, actual values such as dynamic load fluctuations during operation cannot be taken into account, and the accuracy of availability evaluation is low.
The present invention has been made, for example, in order to solve the above-described problems, and an object thereof is to accurately evaluate an evaluation target system.

The availability evaluation apparatus according to the present invention is an availability evaluation apparatus that evaluates the evaluation target system by simulating the operation of the evaluation target system configured by one or more components.
A storage device that stores data, a processing device that processes data, an operation model storage unit, a simulation execution unit, a failure determination unit, a recovery determination unit, an availability calculation unit, and an evaluation result output unit; And
The behavior model storage unit stores a behavior model using the storage device for each of one or more actions executed by components constituting the evaluation target system. The behavior model includes an execution condition, an execution time, and an execution. The execution condition represents a condition for starting the execution of the action, the execution time represents a time taken to execute the action, and the execution result represents a result of executing the action. Represent,
The simulation execution unit simulates a system operation using the processing device based on the operation model stored in the operation model storage unit, and the system operation is an operation of the evaluation target system,
The failure occurrence determination unit determines a failure occurrence time using the processing device based on a system operation simulated by the simulation execution unit, and the failure occurrence time is a time when a failure occurs in the evaluation target system. Yes,
The recovery determination unit determines a recovery time using the processing device based on the system operation simulated by the simulation execution unit, and the recovery time is a time when the evaluation target system recovers from the failure,
The availability calculation unit calculates an availability evaluation value using the processing device based on the failure occurrence time determined by the failure occurrence determination unit and the recovery time determined by the recovery determination unit, and the availability evaluation value Is a numerical value representing the percentage of time that the system under evaluation is operating normally,
The evaluation result output unit outputs an availability evaluation result using the processing device, and the availability evaluation result represents a result of evaluating the evaluation target system, and includes an availability evaluation value calculated by the availability calculation unit. It is characterized by.

  According to the availability evaluation device of the present invention, based on the behavior model stored in the behavior model storage unit, the simulation execution unit simulates the operation of the evaluation target system, the failure occurrence time determined by the failure occurrence determination unit, and the recovery Since the availability calculation unit calculates the availability evaluation value based on the recovery time determined by the determination unit, the availability evaluation value can be calculated not as a theoretical value but as a value close to the actual operation. The system can be evaluated accurately.

1 is a system configuration diagram illustrating an example of an overall configuration of a design system 800 according to Embodiment 1. FIG. The figure which shows an example of the whole structure of the evaluation object system. FIG. 3 is a perspective view showing an example of an appearance of the availability evaluation device 100 according to the first embodiment. FIG. 3 is a diagram illustrating an example of hardware resources of the availability evaluation device 100 according to the first embodiment. FIG. 3 is a block configuration diagram showing an example of a functional block configuration of the availability evaluation device 100 according to the first embodiment. The figure which shows an example of the state transition of each component which comprises the evaluation object system. FIG. 6 shows an example of component data 610 in the first embodiment. FIG. 6 shows an example of state data 615 in the first embodiment. FIG. 6 shows an example of action data 620 in the first embodiment. FIG. 6 shows an example of event data 630 in the first embodiment. FIG. 6 shows an example of execution condition data 640 in the first embodiment. FIG. 6 shows an example of state transition data 646 in the first embodiment. FIG. 6 shows an example of input event data 650 in the first embodiment. FIG. 6 shows an example of queue data 655 in the first embodiment. FIG. 6 shows an example of acquisition event data 660 according to the first embodiment. The figure which shows an example of order conditions. FIG. 6 shows an example of order condition data 665 in the first embodiment. FIG. 6 shows an example of processing time condition data 670 according to the first embodiment. FIG. 6 shows an example of failure detection condition data 680 in the first embodiment. The flowchart figure which shows an example of the flow of the availability evaluation process S300 in Embodiment 1. FIG. FIG. 4 is a flowchart showing an example of a flow of a simulation execution process S310 in the first embodiment. FIG. 7 is a flowchart showing an example of a flow of availability calculation processing S370 in the first embodiment. FIG. 3 is a schematic diagram illustrating a state in which a simulation execution unit according to Embodiment 1 simulates an operation of an evaluation target system 700. The figure which shows an example of the state transition model in which the entrance action and exit action were described. The figure which shows an example of the state transition model which the model conversion apparatus converted.

Embodiment 1 FIG.
Embodiment 1 will be described with reference to FIGS.

FIG. 1 is a system configuration diagram showing an example of the overall configuration of a design system 800 according to this embodiment.
The design system 800 is a system for designing a system (hereinafter referred to as “design target system”). The design system 800 includes, for example, a system model design device 810, an availability evaluation device 100, and a system detailed design device 820.
The system model design device 810 designs the outline of the design target system and generates a model (hereinafter referred to as “system model”) that represents the outline of the designed design target system.
The availability evaluation apparatus 100 simulates (simulates) the operation of the evaluation target system using the system model generated by the system model design apparatus 810 as the evaluation target system. The availability evaluation apparatus 100 evaluates the evaluation target system based on the result of simulating the evaluation target system. The availability evaluation device 100 outputs a result of evaluating the evaluation target system (hereinafter referred to as “availability evaluation result”).
The availability evaluation result is fed back to the system model design apparatus 810. When the availability evaluation result does not satisfy the level required for the design target system, the system model design device 810 corrects the system model based on the availability evaluation result.
When the availability evaluation result satisfies the level required for the design target system, the system detail design device 820 designs the details of the system based on the system model.

FIG. 2 is a diagram illustrating an example of the overall configuration of the evaluation target system 700.
The evaluation target system 700 is a system that is evaluated by the availability evaluation apparatus 100. The evaluation target system 700 is a model of the design target system, and is represented by a system model generated by the system model design apparatus 810. At this stage, the design target system is in the design stage and does not have to exist.
The evaluation target system 700 includes one or more components such as two sensors 701 and 702, a sensor processing program 703, a control processing program 704, a monitoring processing program 705, a driving processing program 706, and an actuator 707, for example. A component is a device, part, program, or the like that operates independently. The components operate in cooperation by exchanging information with each other, and constitute one system as a whole. The component may be a hardware element such as the sensors 701 and 702 and the actuator 707, or may be a software element such as the sensor processing program 703.

FIG. 3 is a perspective view showing an example of the appearance of the availability evaluation device 100 in this embodiment.
The availability evaluation device 100 includes a system unit 910, a display device 901 having a display screen of a CRT (Cathode / Ray / Tube) or LCD (Liquid Crystal), a keyboard 902 (Key / Board: K / B), a mouse 903, an FDD904 (Flexible). (Disk / Drive), compact disk device 905 (CDD), printer device 906, scanner device 907, and other hardware resources, which are connected by a cable or a signal line.
The system unit 910 is a computer, and is connected to the facsimile machine 932 and the telephone 931 with a cable, and is connected to the Internet 940 via a local area network 942 (LAN) and a gateway 941.

FIG. 4 is a diagram illustrating an example of hardware resources of the availability evaluation device 100 according to this embodiment.
The availability evaluation apparatus 100 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program. The CPU 911 is connected to the ROM 913, the RAM 914, the communication device 915, the display device 901, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, the printer device 906, the scanner device 907, and the magnetic disk device 920 via the bus 912, and the hardware. Control the device. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of a storage device or a storage unit. A communication device 915, a keyboard 902, a scanner device 907, an FDD 904, and the like are examples of an input unit and an input device.
Further, the communication device 915, the display device 901, the printer device 906, and the like are examples of an output unit and an output device.

The communication device 915 is connected to a facsimile machine 932, a telephone 931, a LAN 942, and the like. The communication device 915 is not limited to the LAN 942, and may be connected to the Internet 940, a WAN (wide area network) such as ISDN, or the like. When connected to a WAN such as the Internet 940 or ISDN, the gateway 941 is unnecessary.
The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 stores programs that execute functions described as “˜units” in the description of the embodiments described below. The program is read and executed by the CPU 911.
The file group 924 includes information, data, signal values, variable values, and parameters that are described as “determination results of”, “calculation results of”, and “processing results of” in the description of the embodiments described below. Are stored as items of “˜file” and “˜database”. The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, output, printing, and display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the CPU operations of extraction, search, reference, comparison, operation, calculation, processing, output, printing, and display. Is remembered.
In addition, the arrows in the flowcharts described in the following description of the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. The data is recorded on a recording medium such as a magnetic disk of the disk device 920, another optical disk, a mini disk, and a DVD (Digital Versatile Disk). Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In the description of the embodiments described below, what is described as “to part” may be “to circuit”, “to device”, and “to device”, and “to step” and “to”. “Procedure” and “˜Process” may be used. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” described below. Alternatively, the procedure or method of “to part” described below is executed by a computer.

FIG. 5 is a block configuration diagram showing an example of a functional block configuration of the availability evaluation device 100 in this embodiment.
The availability evaluation apparatus 100 includes an behavior model storage unit 110, an input event storage unit 121, a queue model storage unit 122, an order condition storage unit 123, a processing time condition storage unit 124, a failure detection condition storage unit 125, a simulation execution unit 130, a failure Occurrence determination unit 141, recovery determination unit 142, operation time calculation unit 143, repair time calculation unit 144, operation time storage unit 145, repair time storage unit 146, average operation time calculation unit 147, average repair time calculation unit 148, availability calculation Unit 149, processing time violation determination unit 151, processing time violation storage unit 152, function constraint violation storage unit 153, and evaluation result output unit 154.

The behavior model storage unit 110 stores a behavior model using the magnetic disk device 920. The behavior model represents the behavior of the system model generated by the system model design apparatus 810. The operation of the system model is represented by, for example, a state transition of a component. That is, each component constituting the evaluation target system 700 has one or more states. The state of each component transitions when some condition is met. Each component performs some action upon state transition.
The behavior model stored in the behavior model storage unit 110 includes, for example, data representing a condition for executing an action (execution condition), a time taken to execute the action (execution time), a result of executing the action (execution result), and the like. included.
The behavior model storage unit 110 includes a component storage unit 111, a state storage unit 112, an action storage unit 113, an event storage unit 114, an execution condition storage unit 115, and a state transition storage unit 116.

  The component storage unit 111 uses the magnetic disk device 920 to store component data. The component data represents each component configuring the evaluation target system 700. The component data represents, for example, the name of the component, the initial state of the component, etc. for each of the one or more components.

  The state storage unit 112 uses the magnetic disk device 920 to store state data. The state data represents a state that can be taken by each component constituting the evaluation target system 700. Each component can have one or more states. The state data represents, for example, the name of the state, the component taking the state, etc. for each of the one or more states.

  The action storage unit 113 uses the magnetic disk device 920 to store action data. The action data represents an action executed by each component constituting the evaluation target system 700. Each component performs one or more actions. For each of one or more actions, the action data includes, for example, the name of the action, the component that executes the action, the time taken to execute the action (execution time), the content of the action (execution result), and the like. Represent.

  The event storage unit 114 uses the magnetic disk device 920 to store event data. The event data represents an event that occurs in the evaluation target system 700. An event occurs, for example, when a component executes an action. For example, the component executes an action by acquiring an event that has occurred. Thus, each component exchanges information via an event. The event may have a parameter. Each component exchanges more detailed information via event parameters. The event data represents, for each of one or more events, the name of the event, a component that generates the event, an action that generates the event (execution result), and the like.

  The execution condition storage unit 115 uses the magnetic disk device 920 to store execution condition data. The execution condition data represents a condition (execution condition) under which each component constituting the evaluation target system 700 executes each action. The execution condition includes, for example, a state and an event. When the state of the component is the state, the acquisition of the event represents a condition for executing the action. When an event has a parameter, the execution condition may include a condition (parameter condition) that the parameter of the event should satisfy. In that case, when the state of the component is the state, acquiring an event that satisfies the parameter condition represents a condition for executing the action.

  The state transition storage unit 116 stores state transition data using the magnetic disk device 920. The state transition data represents an action executed by each component when the execution condition is satisfied, an operation after the execution of the action, and the like. When the execution element satisfies the execution condition, the component may execute one action or may continuously execute a plurality of actions. In any case, the component transitions to the original state or another state after the execution of the action is finished. In addition, when the execution condition is satisfied, the component may simply transition to another state without executing the action. The state transition data represents another action executed by a constituent element after executing a certain action, a state to be changed (execution result), or the like.

  The input event storage unit 121 stores input event data using the magnetic disk device 920. The input event data represents an event (input event) input from the outside. In other words, the event represented by the input event data is not an event that occurs when a component constituting the evaluation target system 700 executes an action, but an event that occurs based on some external factor. As a result, an external input to the evaluation target system 700 is simulated. The input event data represents, for example, an event and a time when the event occurs. Alternatively, the input event data may represent an event and the probability or condition that the event will occur.

  The cue model storage unit 122 stores cue model data using the magnetic disk device 920. The queue model data represents the configuration of the event queue of each component constituting the evaluation target system 700. The configuration of the event queue is a processing procedure when the component acquires a plurality of events. For example, when an event is acquired while the component is executing an action, the event is not processed until the execution of the action ends and the component transitions to any state. When an event that has not yet been processed remains and the component acquires another event, when the component transitions to any state, it is necessary to determine which event is to be processed first. The event queue configuration includes, for example, first-in first-out (FIFO), first-in last-out (FILO), priority queue (PQ), and weighted queue (WFQ). FIFO is a processing procedure for processing an event acquired first in the order in which the events are acquired. The FILO is a processing procedure for processing a new event first, contrary to the FIFO. PQ is a processing procedure in which a priority is set for an event, and an event with a higher priority is processed first. WFQ, like PQ, gives priority to events and preferentially processes high priority events. For example, if two high priority events are processed, the next low priority event is processed. This is a processing procedure for processing a low-priority event even if a high-priority event remains.

  The order condition storage unit 123 uses the magnetic disk device 920 to store order condition data. The order condition data represents a condition (order condition) related to the order of events processed by each component constituting the evaluation target system 700. Since each component is designed to process events in an order assumed in advance, when events are acquired in an unexpected order, the events cannot be processed. The order condition is a condition for determining whether or not the order in which the component has acquired the event is within the assumption. By detecting a violation of the order condition, it is possible to detect that the component has acquired the event in an unexpected order. Thereby, when the evaluation of the evaluation target system 700 does not reach the expected level, the cause can be determined.

  The processing time condition storage unit 124 stores processing time condition data using the magnetic disk device 920. The processing time condition data represents a condition (processing time condition) regarding an interval between two events that occur in the evaluation target system 700. When an event occurs, the component that handles the event performs an action and generates another event. Therefore, the interval between the two events means the time taken to process the event. In addition, another component executes an action with respect to an event generated by the component and generates another event. Therefore, the interval between the first event and the last event means the time taken for a series of processing caused by the first event. In this manner, the time taken to process the event can be known from the event occurrence interval. The processing time condition is, for example, an upper limit or lower limit of time assumed as a time required for processing an event, an upper limit or lower limit of an average value thereof, an upper limit of standard deviation, a probability distribution, or the like. By detecting a violation of the processing time condition, it is possible to detect that it takes an unexpected time to process the event. Thereby, when the evaluation of the evaluation target system 700 does not reach the expected level, the cause can be determined.

  The failure detection condition storage unit 125 stores failure detection condition data using the magnetic disk device 920. The failure detection condition data represents a condition (failure detection condition) for determining whether the evaluation target system 700 is operating normally or a failure has occurred. For example, when there is an event that is scheduled to be generated periodically, such as a control event in the control system, when the occurrence interval of the event becomes longer than a predetermined interval, the evaluation target system 700 has a failure. It is determined that it has occurred. Conversely, if the event occurrence interval is shorter than the predetermined interval, it is determined that the evaluation target system 700 is operating normally. In addition, when a response event is scheduled to occur within a predetermined time from the occurrence of an input event, such as in a system that responds to input, the interval between the input event and the response event is a predetermined interval. If it is longer, it is determined that a failure has occurred in the evaluation target system 700. The failure detection condition represents, for example, a time range scheduled as an interval between two events.

The simulation execution unit 130 simulates the operation (system operation) of the evaluation target system 700 using the CPU 911 based on the operation model stored in the operation model storage unit 110.
The simulation execution unit 130 includes a state simulation storage unit 131, an execution condition determination unit 132, a state transition simulation unit 133, an action simulation unit 134, an event simulation unit 135, and a queue simulation unit 136.

  The state simulation storage unit 131 uses the RAM 914 for each component of the evaluation target system 700 that the simulation execution unit 130 simulates, and uses data indicating the state of the component at that time (hereinafter referred to as “state simulation data”). Memorize). The state simulation storage unit 131 stores state simulation data based on the state data stored in the state storage unit 112, for example.

The execution condition determination unit 132 uses the CPU 911 to determine whether or not the condition for executing the action of the component is satisfied for each component of the evaluation target system 700 simulated by the simulation execution unit 130. . For example, the execution condition determination unit 132 stores the execution condition based on the state simulation data stored in the state simulation storage unit 131 and the event that the order condition violation determination unit 137 described later determines that the order condition is not violated. It is determined whether or not the execution condition represented by the execution condition data stored in the unit 115 is satisfied. Using the CPU 911, the execution condition determining unit 132 outputs data representing the determined result.
Further, when the execution condition includes a parameter condition, the execution condition determination unit 132 determines that the execution condition is not satisfied because there is a violation of the parameter condition even though other conditions are satisfied. There is. In that case, the execution condition determination unit 132 outputs data representing that fact.

The state transition simulation unit 133 uses the CPU 911 to input the data output by the execution condition determination unit 132 and obtain the determination result of the execution condition determination unit 132. When the execution condition determination unit 132 determines that the execution condition is satisfied, the state transition simulation unit 133 uses the CPU 911 to change the action executed by the component and the transition destination that changes the state of the component. The state is determined. The state transition simulation unit 133 is configured based on, for example, the constituent element data stored in the constituent element storage unit 111, the state transition data stored in the state transition storage unit 116, and the data output from the execution condition determination unit 132. The action executed by the element and the transition destination state are determined. Using the CPU 911, the state transition simulation unit 133 outputs data representing the determined result.
The state simulation storage unit 131 uses the CPU 911 to input the data output by the state transition simulation unit 133 and acquires the transition destination state determined by the state transition simulation unit 133. The state simulation storage unit 131 uses the RAM 914 to store the acquired transition destination state as the state of the component.

  The action simulation unit 134 uses the CPU 911 to input the data output by the state transition simulation unit 133 and acquire the action determined by the state transition simulation unit 133. The action simulation unit 134 uses the CPU 911 to simulate an action executed by the component. For example, the action simulation unit 134 simulates the action executed by the component based on the action data stored in the action storage unit 113. Using the CPU 911, the action simulation unit 134 outputs data representing the result of executing the action.

  The event simulation unit 135 uses the CPU 911 to simulate the occurrence of an event. For example, the event simulation unit 135 executes an action based on the event data stored in the event storage unit 114, the input event data stored in the input event storage unit 121, and the data output from the action simulation unit 134. Event that occurs as well as events that are input from outside. The event simulation unit 135 uses the CPU 911 to output data representing the generated event.

  The queue simulation unit 136 uses the CPU 911 to simulate an event queue. Using the CPU 911, the queue simulation unit 136 inputs data output from the event simulation unit 135 and acquires an event generated by the event simulation unit 135. The queue simulation unit 136 stores the acquired event using the RAM 914 for each component that acquires the event. The queue simulation unit 136 receives the event retrieval request from the order condition violation determination unit 137, and stores the request using the CPU 911 in the order according to the event processing procedure represented by the queue model data stored in the queue model storage unit 122. Retrieve an event.

The order condition violation determination unit 137 uses the CPU 911 to extract the event stored in the queue simulation unit 136. The order condition violation determination unit 137 uses the CPU 911 to determine whether there is a violation of the order condition represented by the order condition data stored in the order condition storage unit 123 based on the extracted event. Using the CPU 911, the order condition violation determination unit 137 outputs data representing the extracted event and the determined result.
The execution condition determination unit 132 uses the CPU 911 to input the data output from the order condition violation determination unit 137, the event retrieved by the order condition violation determination unit 137 from the queue simulation unit 136, and the order condition violation determination unit 137. Get the judgment result. When the order condition violation determining unit 137 determines that there is no violation of the order condition, the execution condition determining unit 132 determines whether or not the execution condition is satisfied based on the acquired event.

  The failure occurrence determination unit 141 uses the CPU 911 to input the data output from the event simulation unit 135 and acquire the event generated by the event simulation unit 135. The failure occurrence determination unit 141 uses the CPU 911 to evaluate the simulation execution unit 130 based on the acquired event and the failure detection condition represented by the failure detection condition data stored in the failure detection condition storage unit 125. It is determined whether a failure has occurred in the target system 700. The failure occurrence determination unit 141 uses the CPU 911 to determine the time when the failure occurred in the evaluation target system 700 that is simulated by the simulation execution unit 130 based on the determination result. Using the CPU 911, the failure occurrence determination unit 141 outputs data representing the determination result.

  The recovery determination unit 142 uses the CPU 911 to input the data output from the event simulation unit 135 and acquire the event generated by the event simulation unit 135. Based on the acquired event and the failure detection condition represented by the failure detection condition data stored in the failure detection condition storage unit 125, the recovery determination unit 142 uses the CPU 911 to simulate the evaluation target simulated by the simulation execution unit 130 It is determined whether the system 700 is operating normally after recovering from the failure. The failure occurrence determination unit 141 uses the CPU 911 to determine the time when the evaluation target system 700 simulated by the simulation execution unit 130 is recovered from the failure based on the determination result. Using the CPU 911, the recovery determination unit 142 outputs data representing the determination result.

  Using the CPU 911, the operation time calculation unit 143 inputs the data output from the failure occurrence determination unit 141 and the data output from the recovery determination unit 142, and enters the evaluation target system 700 simulated by the simulation execution unit 130. The time when the failure occurs and the time when the failure was recovered are acquired. Based on the acquired time, the operation time calculation unit 143 uses the CPU 911 to calculate the operation time of the evaluation target system 700 that is simulated by the simulation execution unit 130. The operation time is the time during which the evaluation target system 700 has been operating normally continuously after the evaluation target system 700 starts operating normally until a failure occurs in the evaluation target system 700. Every time a failure occurs in the evaluation target system 700 that is simulated by the simulation execution unit 130, the operation time calculation unit 143 calculates the operation time. Using the CPU 911, the operation time calculation unit 143 outputs data representing the calculated operation time.

  Using the CPU 911, the operation time storage unit 145 inputs data output from the operation time calculation unit 143. The operation time storage unit 145 stores the input data using the magnetic disk device 920. The operation time storage unit 145 accumulates and stores all the data representing the operation time calculated by the operation time calculation unit 143 between the simulation execution unit 130 starting and ending simulation of the evaluation target system 700.

  Using the CPU 911, the average operation time calculation unit 147 inputs the data stored in the operation time storage unit 145, and acquires all the operation times of the evaluation target system 700 simulated by the simulation execution unit 130. The average operation time calculation unit 147 calculates the average operation time of the evaluation target system 700 simulated by the simulation execution unit 130 using the CPU 911 based on the acquired operation time. The average operation time is an average value of all operation times from when the simulation execution unit 130 starts to simulate the evaluation target system 700 to when it ends. Using the CPU 911, the average operation time calculation unit 147 outputs data representing the calculated average operation time.

  The repair time calculation unit 144 uses the CPU 911 to input the data output from the failure occurrence determination unit 141 and the data output from the recovery determination unit 142, and to the evaluation target system 700 simulated by the simulation execution unit 130. The time when the failure occurs and the time when the failure was recovered are acquired. The repair time calculation unit 144 uses the CPU 911 to calculate the repair time of the evaluation target system 700 that is simulated by the simulation execution unit 130 based on the acquired time. The repair time is the time during which the evaluation target system 700 has not been operating normally after the failure has occurred in the evaluation target system 700 until the evaluation target system 700 recovers from the failure and starts operating normally. . Whenever the evaluation target system 700 simulated by the simulation execution unit 130 recovers from a failure, the repair time calculation unit 144 calculates the repair time. Using the CPU 911, the repair time calculation unit 144 outputs data representing the calculated repair time.

  The repair time storage unit 146 uses the CPU 911 to input the data output from the repair time calculation unit 144. The repair time storage unit 146 stores the input data using the magnetic disk device 920. The repair time storage unit 146 accumulates and stores all the data representing the repair time calculated by the repair time calculation unit 144 from when the simulation execution unit 130 starts to simulate the evaluation target system 700 to when it ends.

  Using the CPU 911, the average repair time calculation unit 148 inputs the data stored in the repair time storage unit 146, and acquires all the repair times simulated by the simulation execution unit 130. Based on the acquired repair time, the average repair time calculation unit 148 calculates the average repair time of the evaluation target system 700 simulated by the simulation execution unit 130 using the CPU 911. The average repair time is an average value of all repair times from when the simulation execution unit 130 starts to simulate the evaluation target system 700 to when it ends. Using the CPU 911, the average repair time calculation unit 148 outputs data representing the calculated average repair time.

Using the CPU 911, the availability calculation unit 149 receives the data output from the average operation time calculation unit 147 and the data output from the average repair time calculation unit 148, and acquires the average operation time and the average repair time. The availability calculation unit 149 calculates an availability evaluation value using the CPU 911 based on the acquired average operation time and average repair time. The availability evaluation value is a numerical value representing the percentage of time during which the evaluation target system 700 simulated by the simulation execution unit 130 is operating normally. For example, the availability calculation unit 149 uses the CPU 911 to calculate the sum of the average operation time and the average repair time, calculates a quotient obtained by dividing the average operation time by the calculated sum, and uses the calculated quotient as the availability evaluation value. To do. Using the CPU 911, the availability calculation unit 149 outputs data representing the calculated availability evaluation value.
The availability calculation unit 149 may be configured to calculate, for example, a quotient obtained by dividing the total operation time by the total simulation time as the availability evaluation value. Here, the total simulation time is a total of the times of the evaluation target system 700 simulated by the simulation execution unit 130, and the total operation time is determined to be that the evaluation target system 700 is operating normally. It is a total of the time spent.

  The processing time violation determination unit 151 uses the CPU 911 to input the data output from the event simulation unit 135 and acquire the event generated by the event simulation unit 135. Based on the acquired event, the processing time violation determining unit 151 uses the CPU 911 to determine whether there is a violation of the processing time condition stored in the processing time condition storage unit 124. If it is determined that there is a violation of the processing time condition, the processing time violation determining unit 151 uses the CPU 911 to output data indicating the time when the violation of the processing time condition occurs, an event that violates the processing time condition, and the like.

  The processing time violation storage unit 152 uses the CPU 911 to input the data output from the processing time violation determination unit 151. The processing time violation storage unit 152 stores the input data using the magnetic disk device 920. The processing time violation storage unit 152 stores all data related to the processing time condition violation determined by the processing time violation determination unit 151 between the time when the simulation execution unit 130 starts to simulate the evaluation target system 700 and the time when the simulation execution unit 130 ends. Remember.

The function constraint violation storage unit 153 uses the CPU 911 to input the data output from the order condition violation determination unit 137, the event retrieved by the order condition violation determination unit 137 from the queue simulation unit 136, and the order condition violation determination unit 137. Get the judgment result. When the order condition violation determining unit 137 determines that there is a violation of the order condition, the function constraint violation storage unit 153 uses the magnetic disk device 920 to indicate the time when the order condition is violated, the acquired event, and the like. Remember.
Also, the function constraint violation storage unit 153 uses the CPU 911 to input the data output from the execution condition determination unit 132 and obtain the determination result of the execution condition determination unit 132. When the execution condition determination unit 132 determines that there is a violation of the parameter condition, the function constraint violation storage unit 153 uses the magnetic disk device 920 to indicate a time when the violation of the parameter condition occurs, an event that violates the parameter condition, and the like. Store data to represent.
The function constraint violation storage unit 153 is determined by the order condition violation or execution condition determination unit 132 determined by the order condition violation determination unit 137 between the time when the simulation execution unit 130 starts to simulate the evaluation target system 700 and the time when the simulation execution unit 130 ends. Accumulate and store all data related to parameter condition violations.

  Using the CPU 911, the evaluation result output unit 154 inputs the data output from the availability calculation unit 149, the data stored in the processing time violation storage unit 152, and the data stored in the function constraint violation storage unit 153, and the availability The availability evaluation value calculated by the calculation unit 149 and information on processing time violation, order condition violation, and parameter condition violation are acquired. Using the CPU 911, the evaluation result output unit 154 outputs the availability evaluation result including the acquired availability evaluation value and information on processing time violation, order condition violation, and parameter condition violation to the outside. The availability evaluation result is a result of the evaluation apparatus 100 evaluating the evaluation target system 700.

  Hereinafter, a specific example will be described.

FIG. 6 is a diagram illustrating an example of state transition of each component configuring the evaluation target system 700.
As described above, in the design system 800, the operation of the evaluation target system 700 is represented by the state transition of each component and the event exchanged between the components.

As shown in FIG. 2, the components constituting the evaluation target system 700 include sensors 701 and 702, a sensor processing program 703, a control processing program 704, a monitoring processing program 705, a drive processing program 706, and an actuator 707. And
The sensor 701 has three states (a sensor operation state 711, a sensor failure state 712, and a sensor standby state 713), and executes three actions (an initialization action 731, an observation action 732, and a repair action 733).
Similarly, the sensor 702 has three states (sensor operation state 714, sensor failure state 715, sensor standby state 716), and executes three actions (initialization action 734, observation action 735, and repair action 736).
The sensor processing program 703 has two states (observation waiting states 717 and 718), and executes four actions (sensor processing actions 737 and 739 and switching actions 738 and 741).
The control processing program 704 has one state (control state 719) and executes two actions (control action 742 and response action 743).
The monitoring processing program 705 has two states (a monitoring state 721 and a response waiting state 722), and executes two actions (a report request action 744 and a response processing action 745).
The drive processing program 706 has one state (control wait state 723) and executes one action (drive action 746).
The actuator 707 has one state (drive waiting state 724) and executes one action (operation action 747).

  An observation result event 751 occurs in the sensor 701 and affects the operation of the sensor processing program 703. An observation result event 752 occurs in the sensor 702 and affects the operation of the sensor processing program 703. Switching events 753 and 754 occur in the sensor processing program 703 and affect the operation of the sensors 701 and 702. A processing result event 755 occurs in the sensor processing program 703 and affects the operation of the control processing program 704. A report request event 756 occurs in the monitoring processing program 705 and affects the operation of the control processing program 704. A response event 757 occurs in the control processing program 704 and affects the operation of the monitoring processing program 705. A control instruction event 758 occurs in the control processing program 704 and affects the operation of the drive processing program 706. The drive event 759 occurs in the drive processing program 706 and affects the operation of the actuator 707.

  The state transition conditions 771 to 791 represent execution of an action or state transition when each event is acquired when each component is in each state.

  For example, the sensor 701 executes an initialization action 731 and an observation action 732 at the start of operation, and transitions to a sensor operation state 711. When the sensor 701 acquires a time lapse event in the sensor operation state 711, the sensor 701 executes the observation action 732 and returns to the sensor operation state 711. Further, when the sensor 701 acquires a failure event in the sensor operation state 711, the sensor 701 transitions to the sensor failure state 712 without executing an action. When the sensor 701 acquires the switching event 753 in the sensor failure state 712, the sensor 701 executes the repair action 733 and transitions to the sensor standby state 713. When the sensor 701 acquires the switching event 754 in the sensor standby state 713, the sensor 701 returns to the beginning, executes the initialization action 731 and the observation action 732, and transitions to the sensor operation state 711.

  Next, how the operation of the evaluation target system 700 in this specific example is represented in the behavior model stored in the behavior model storage unit 110 will be described. In addition, the expression format of the behavior model in the specific example described below is an example, and the behavior model storage unit 110 may be configured to store the behavior model represented by another expression format.

FIG. 7 is a diagram showing an example of the component data 610 in this embodiment.
The constituent element data 610 stored in the constituent element storage unit 111 includes a constituent element ID 611, a constituent element name 612, and an initial operation ID 613. One component is represented by a set of component ID 611, component name 612, and initial operation ID 613. The constituent element data 610 includes the same number of sets of constituent element IDs 611, constituent element names 612, and initial operation IDs 613 as the number of constituent elements constituting the evaluation target system 700.
The component ID 611 is character string data for uniquely identifying the component. The component name 612 is character string data representing the name of the component. The initial operation ID 613 is character string data representing an action to be executed first by the component. The initial operation ID 613 matches either a state ID 616 or a state transition ID 647 described later. When the initial operation ID 613 matches the state ID 616, the component indicates that the action is not executed first, and the state transitions to the state represented by the matching state ID 616. When the initial operation ID 613 matches the state transition ID 647, the component indicates that one or more actions represented by the matching state transition ID 647 are executed first.

FIG. 8 is a diagram showing an example of the state data 615 in this embodiment.
The state data 615 stored in the state storage unit 112 includes a state ID 616, a state name 617, and a belonging element ID 618. One state is represented by a set of state ID 616, state name 617, and belonging element ID 618. The state data 615 includes the same number of sets of the state ID 616, the state name 617, and the belonging element ID 618 as the total number of states of the constituent elements constituting the evaluation target system 700.
The state ID 616 is character string data for uniquely identifying the state. The state name 617 is character string data representing the name of the state. Affiliation element ID 618 is character string data representing a component having that state. The belonging element ID 618 matches one of the constituent element IDs 611. The belonging element ID 618 indicates that the constituent element identified by the matching constituent element ID 611 has the state.

FIG. 9 is a diagram showing an example of the action data 620 in this embodiment.
The action data 620 stored in the action storage unit 113 includes an action ID 621, an action name 622, an execution element ID 623, an execution time 624, and an execution content 625. One action is represented by a set of action ID 621, action name 622, execution element ID 623, execution time 624, and execution content 625. The component data 610 includes the same number of combinations of action ID 621, action name 622, execution element ID 623, execution time 624, and execution content 625 as the total number of actions executed by the components constituting the evaluation target system 700. .
The action ID 621 is character string data for uniquely identifying the action. The action name 622 is character string data representing the name of the action. The execution element ID 623 is character string data representing a component that executes the action. The execution element ID 623 matches one of the component element IDs 611. The execution element ID 623 represents that the component identified by the matching component ID 611 executes the action. The execution time 624 is numerical data representing the execution time required to execute the action. The execution time 624 may be, for example, a unit of real time such as seconds or milliseconds, or may be a unit of time in simulation execution of the evaluation target system 700 by the simulation execution unit 130. Good. The execution content 625 is character string data representing the execution content of the action. The action simulation unit 134 simulates an action executed by the component based on the execution content 625. The execution content 625 may be blank.

FIG. 10 is a diagram showing an example of the event data 630 in this embodiment.
The event data 630 stored in the event storage unit 114 includes an event ID 631, an event name 632, an occurrence action ID 633, and a delay time 634. One event is represented by a set of event ID 631, event name 632, generated action ID 633, and delay time 634. The event data 630 includes a set of event ID 631, event name 632, generated action ID 633, and delay time 634 as many as the total number of events generated in the evaluation target system 700.
The event ID 631 is character string data for uniquely identifying the event. The event name 632 is character string data representing the name of the event. The generated action ID 633 is character string data representing an action that generates the event. The generated action ID 633 matches one of the action IDs 621. The generated action ID 633 represents that the event occurs after the execution of the action identified by the matching action ID 621 is finished. The delay time 634 is numerical data representing the delay time from the end of execution of the action represented by the generated action ID 633 until the occurrence of the event. When there is no action that generates the event, such as an event input from the outside, the generation action ID 633 and the delay time 634 may be blank.

FIG. 11 is a diagram showing an example of the execution condition data 640 in this embodiment.
The execution condition data 640 stored in the execution condition storage unit 115 includes an execution condition ID 641, a condition state ID 642, a condition event ID 643, a transition destination ID 644, and a parameter condition 645. One execution condition is represented by a set of execution condition ID 641, condition state ID 642, condition event ID 643, transition destination ID 644, and parameter condition 645. The execution condition data 640 includes the combination of the execution condition ID 641, the condition state ID 642, the condition event ID 643, the transition destination ID 644, and the parameter condition 645, the same number as the total number of execution conditions in which the components constituting the evaluation target system 700 execute the action. Including.
The execution condition ID 641 is character string data for uniquely identifying the execution condition. The condition state ID 642 is character string data representing the state of the component among the execution conditions. The condition state ID 642 matches one of the state IDs 616. The condition event ID 643 is character string data representing an event acquired by the component among the execution conditions. The condition event ID 643 matches one of the event IDs 631. The condition state ID 642 and the condition event ID 643 are states in which the state of the component is identified by the state ID 616 that matches the condition state ID 642, and the event that is identified by the event ID 631 that matches the condition event ID 643. Acquisition indicates that it becomes an execution condition. The transition destination ID 644 is character string data representing an action to be executed when the execution condition is satisfied. The transition destination ID 644 matches either the state ID 616 or a state transition ID 647 described later. When the transition destination ID 644 matches the state ID 616, the component indicates that the action is not executed and the state transitions to the state identified by the matching state ID 616 when the execution condition is satisfied. When the transition destination ID 644 matches the state transition ID 647, the component indicates that one or more actions identified by the matching state transition ID 647 are executed when the execution condition is satisfied. The parameter condition 645 is character string data representing the parameter condition included in the execution condition. If the execution condition does not include a parameter condition, the parameter condition 645 may be blank. When the parameter condition 645 is not blank, it means that the event parameter identified by the event ID 631 that matches the condition event ID 643 satisfies the parameter condition represented by the parameter condition 645 as an execution condition.

FIG. 12 is a diagram showing an example of the state transition data 646 in this embodiment.
The state transition data 646 stored by the state transition storage unit 116 includes a state transition ID 647, an execution action ID 648, and a transition destination ID 649. One transition is represented by a set of state transition ID 647, execution action ID 648, and transition destination ID 649. The transition here includes not only a transition from state to state but also a transition from state to action and a transition from action to state. For example, when two actions are executed in the middle of a state transition, one state transition is a transition from the state to the first action, a transition from the first action to the next action, and the next execution. It is expressed by breaking it down into three transitions from action to state.
The state transition ID 647 is character string data for uniquely identifying the transition. The execution action ID 648 is character string data representing an action executed by the transition. The execution action ID 648 matches one of the action IDs 621. The execution action ID 648 represents executing the action identified by the matching action ID 621 in the transition. The transition destination ID 649 is character string data representing a state or action that transitions after the action represented by the execution action ID 648 is executed. The transition destination ID 649 matches either the state ID 616 or the state transition ID 647. When the transition destination ID 649 matches the state ID 616, the action represented by the execution action ID 648 is executed, and then the state transition is completed to the state identified by the state ID 616 with the matching transition destination ID 649. . If the transition destination ID 649 matches the state transition ID 647, the action represented by the execution action ID 648 is executed, then the transition identified by the state transition ID 647 matching the transition destination ID 649 is performed, and the action represented by the execution action ID 648 Represents executing. In this way, by following the transition until the transition destination ID 649 matches one of the state IDs 616, a series of actions to be executed in the state transition is represented.

FIG. 13 is a diagram showing an example of the input event data 650 in this embodiment.
The input event data 650 stored in the input event storage unit 121 includes an input event ID 651 and an input time 652. One input event is represented by a set of input event IDs 651 and input time 652. The input event data 650 includes the same number of sets of input event IDs 651 and input times 652 as the total number of input events input from the evaluation target system 700 from the outside.
The input event ID 651 (occurrence event) is character string data representing an event input from the outside. The input event ID 651 matches one of the event IDs 631. The input event ID 651 represents that an event identified by the matching event ID 631 is input from the outside. The input time 652 (occurrence time) is numerical data representing the time at which the event represented by the input event ID 651 is input.

FIG. 14 is a diagram showing an example of the queue data 655 in this embodiment.
The queue model data stored in the queue model storage unit 122 includes queue data 655 and acquired event data 660. The queue data 655 represents a queue included in each component constituting the evaluation target system 700. When a component has one queue, an event acquired by the component is processed according to a processing procedure such as FIFO or FILO. When a component has multiple queues, the event acquired by the component is classified into one of the multiple queues, and is processed according to a processing procedure such as PQ or WFQ according to the priority of each queue. Is done.
The queue data 655 includes a queue ID 656, an acquisition element ID 657, an acquisition method 658, and a priority 659. One queue is represented by a set of queue ID 656, acquisition element ID 657, acquisition method 658, and priority 659. The queue data 655 includes the same number of sets of the queue ID 656, the acquisition element ID 657, the acquisition method 658, and the priority 659 as the total number of queues included in each component included in the evaluation target system 700.
The queue ID 656 is character string data for uniquely identifying the queue. The acquisition element ID 657 is character string data representing a component having the queue. The acquisition element ID 657 matches one of the component element IDs 611. The acquisition element ID 657 indicates that the component identified by the corresponding component ID 611 has the queue. The acquisition method 658 is character string data representing a processing procedure for events classified into the queue. The priority 659 is numerical data representing the priority of a queue when one component has a plurality of queues. If one component has only one queue, the priority 659 may be blank. The priority 659 represents, for example, the priority of the queue in the PQ, and the larger the numerical value of the priority 659, the higher the priority of the queue. Alternatively, priority 659 represents the weight of that queue in WFQ.

FIG. 15 is a diagram showing an example of the acquired event data 660 in this embodiment.
Acquired event data 660 represents a queue that classifies the events that the component acquires. The acquisition event data 660 includes an acquisition queue ID 661 and an acquisition event ID 662. The acquisition event data 660 includes the same number of combinations of the acquisition queue ID 661 and the acquisition event ID 662 as the total number of events acquired by the components constituting the evaluation target system 700.
The acquisition queue ID 661 is character string data representing a queue for classifying the event represented by the acquisition event ID 662. The acquisition queue ID 661 matches one of the queue IDs 656. The acquisition event ID 662 is character string data representing events classified into the queue represented by the acquisition queue ID 661. The acquisition event ID 662 matches one of the event IDs 631. The combination of the acquisition queue ID 661 and the acquisition event ID 662 indicates that the event identified by the event ID 631 that matches the acquisition event ID 662 is classified into the queue that is identified by the queue ID 656 that matches the acquisition queue ID 661.

FIG. 16 is a diagram illustrating an example of the order condition.
In this figure, the order condition is expressed in the form of a state transition diagram. The order condition is obtained by removing the action from the behavior model and extracting only the state and the state transition.
For example, in the sensor operation state 711, the sensor 701 receives a time lapse event and a failure event, but does not accept other events.

FIG. 17 is a diagram showing an example of the order condition data 665 in this embodiment.
The order condition data 665 stored in the order condition storage unit 123 includes an order condition ID 666, a condition state ID 667, a condition event ID 668, and a transition destination ID 669. One order condition is represented by a set of order condition ID 666, condition state ID 667, condition event ID 668, and transition destination ID 669. The order condition violation determining unit 137 determines that the event satisfying the order condition when the event acquired by the component satisfies any order condition, and the event acquired by the component does not match any order condition. If not, it is determined that the event violates the order condition.
The order condition ID 666 is character string data for uniquely identifying the order condition. The condition state ID 667 is character string data representing the state of the component among the order conditions. The condition state ID 667 matches any of the component element IDs 611. The condition event ID 668 is character string data representing an event acquired by the component among the order conditions. The condition event ID 668 matches any one of the event IDs 631. The transition destination ID 669 represents the state of the transition destination where the component transitions when the order condition is satisfied. The transition destination ID 669 matches one of the component element IDs 611. The condition state ID 667, the condition event ID 668, and the transition destination ID 669 are states in which the state of the component is identified by the component ID 611 that matches the condition state ID 667, and the component element is identified by the event ID 631 that matches the condition event ID 668. When the identified event is acquired, this represents a transition to the state identified by the component ID 611 that matches the transition destination ID 669.

FIG. 18 is a diagram showing an example of the processing time condition data 670 in this embodiment.
The processing time condition data 670 stored in the processing time condition storage unit 124 includes a processing time condition ID 671, a preceding event ID 672, a subsequent event ID 673, an interval lower limit 674, and an interval upper limit 675. One processing time condition is represented by a set of processing time condition ID 671, preceding event ID 672, subsequent event ID 673, interval lower limit 674, and interval upper limit 675. The processing time condition data 670 includes the same number of processing time condition IDs 671, preceding event IDs 672, subsequent event IDs 673, interval lower limit 674, and interval upper limit 675 as the number of processing time conditions set in the evaluation target system 700.
The processing time condition ID 671 is character string data for uniquely identifying the processing time condition. The preceding event ID 672 is character string data representing the first event. The subsequent event ID 673 is character string data representing the second event. The preceding event ID 672 and the succeeding event ID 673 match any one of the event IDs 631. The preceding event ID 672 and the subsequent event ID 673 have an interval from the occurrence of an event identified by the event ID 631 whose processing time condition matches the preceding event ID 672 to the occurrence of the event identified by the event ID 631 matching the subsequent event ID 673. This is a condition for. The preceding event ID 672 and the subsequent event ID 673 may be the same. The interval lower limit 674 is numerical data representing the lower limit of the occurrence interval of two events. The interval upper limit 675 is numerical data representing the upper limit of the occurrence interval of two events. Processing time violation determination unit 151 has a case where the interval from the occurrence of the event represented by preceding event ID 672 to the occurrence of the event represented by subsequent event ID 673 is shorter than the interval represented by interval lower limit 674 or longer than the interval represented by interval upper limit 675. It is determined that the processing time is violated. Note that when the interval lower limit 674 or the interval upper limit 675 is not set, the interval lower limit 674 or the interval upper limit 675 may be blank.

FIG. 19 is a diagram showing an example of failure detection condition data 680 in this embodiment.
The failure detection condition data 680 stored in the failure detection condition storage unit 125 includes a failure detection condition ID 681, a preceding event ID 682, a subsequent event ID 683, an interval lower limit 684, and an interval upper limit 685. One failure detection condition is represented by a set of failure detection condition ID 681, preceding event ID 682, subsequent event ID 683, interval lower limit 684, and interval upper limit 685. The failure detection condition data 680 includes the same number of failure detection condition IDs 681, preceding event ID 682, subsequent event ID 683, interval lower limit 684, and interval upper limit 685 as the number of failure detection conditions set in the evaluation target system 700.
The failure detection condition ID 681 is character string data for uniquely identifying the failure detection condition. The preceding event ID 682 is character string data representing the first event. The subsequent event ID 683 is character string data representing the second event. The preceding event ID 682 and the succeeding event ID 683 match any one of the event IDs 631. The preceding event ID 682 and the succeeding event ID 683 are intervals from the occurrence of an event identified by the event ID 631 whose failure detection condition matches the preceding event ID 682 to the occurrence of the event identified by the event ID 631 matching the following event ID 683. This is a condition for. The preceding event ID 682 and the subsequent event ID 683 may be the same. The interval lower limit 684 is numerical data representing the lower limit of the occurrence interval of two events. The interval upper limit 685 is numerical data representing the upper limit of the occurrence interval of two events. The failure occurrence determination unit 141 determines that a failure has occurred in the evaluation target system 700 when the event represented by the subsequent event ID 683 occurs after the event represented by the preceding event ID 682 has occurred and before the time represented by the interval lower limit 684 has elapsed. judge. In addition, the failure occurrence determination unit 141 causes a failure in the evaluation target system 700 when the event represented by the subsequent event ID 683 does not occur even after the time represented by the upper limit interval 685 has elapsed after the event represented by the preceding event ID 682 has occurred. It is determined that The recovery determination unit 142 determines that the evaluation target system 700 has recovered from the failure when the event represented by the preceding event ID 682 occurs and the event represented by the subsequent event ID 683 occurs after the time represented by the upper limit interval 685 has elapsed. To do. In the case where the interval lower limit 684 or the interval upper limit 685 is not set, the interval lower limit 684 or the interval upper limit 685 may be blank.

FIG. 20 is a flowchart showing an example of the flow of the availability evaluation process S300 in this embodiment.
In the availability evaluation process S300, the availability evaluation device 100 evaluates the availability of the evaluation target system 700. The availability evaluation process S300 includes an initialization process S301, a simulation execution process S310, an availability calculation process S370, and an evaluation result output process S304.

  In the initialization step S301, the availability evaluation apparatus 100 uses the CPU 911 to prepare for evaluating the evaluation target system 700. For example, the availability evaluation device 100 inputs the system model generated by the system model design device 810, and the behavior model storage unit 110, the input event storage unit 121, the queue model storage unit 122, the order condition storage unit 123, and the processing time condition storage. The unit 124 and the failure detection condition storage unit 125 store an operation model, input event data 650, queue model data, order condition data 665, processing time condition data 670, and failure detection condition data 680, respectively. The operation time storage unit 145, the repair time storage unit 146, the processing time violation storage unit 152, and the function constraint violation storage unit 153 initialize and erase the stored contents.

  In the simulation execution process S310, the simulation execution unit 130 simulates the operation of the evaluation target system 700 using the CPU 911. Based on the result simulated by the simulation execution unit 130, the order condition violation determining unit 137 and the processing time violation determining unit 151 respectively determine the order condition violation and the processing time violation.

  In the availability calculation process S370, the availability evaluation apparatus 100 uses the CPU 911 to calculate an availability evaluation value.

  In the evaluation result output step S304, the availability calculation unit 149 uses the CPU 911 to display an availability evaluation result including the availability evaluation value calculated in the availability calculation process S370, the order condition violation determined in the simulation execution process S310, and the processing time violation. Output.

FIG. 21 is a flowchart showing an example of the flow of the simulation execution process S310 in this embodiment.
The simulation execution process S310 includes a clock initialization process S311, an event initialization process S312, a component selection process S313, an initial operation determination process S314, an initial state setting process S315, an initial action simulation process S316, a clock progression process S321, and an event simulation process. S322, processing time violation determination step S323, failure occurrence determination step S324, recovery determination step S325, state transition simulation step S331, order condition determination step S332, order condition violation storage step S333, execution condition determination step S334, parameter condition violation storage step S335 has an action simulation step S336.

In the clock initialization step S311, the state transition simulation unit 133 initializes the clock of the evaluation target system 700 to be simulated to 0 using the CPU 911.
In the event initialization step S312, the queue simulation unit 136 uses the CPU 911 to initialize the stored content and delete the event. In addition, the event simulation unit 135 uses the CPU 911 based on the input event data 650 stored in the input event storage unit 121 to generate a time when an event input from the outside by the evaluation target system 700 (hereinafter, “event generation time”). Reservation).

In the component selection step S313, the state transition simulation unit 133 sequentially selects unprocessed components one by one using the CPU 911 based on the component data 610 stored in the component storage unit 111. If all the components have been selected and there is no component to be selected, the process proceeds to the clock progress step S321. When an unselected component is selected, the process proceeds to the initial operation determination step S314.
In the initial operation determination step S314, the state transition simulation unit 133 uses the CPU 911 for the component selected in the component selection step S313 to store the component ID 611, the component name 612, and the initial operation stored in the component storage unit 111. A set of IDs 613 is acquired. Using the CPU 911, the state transition simulation unit 133 determines whether the acquired initial operation ID 613 matches any of the state IDs 616 or any of the state transition IDs 647. If the initial operation ID 613 matches the state ID 616, this means that the component does not execute an action first, and the process proceeds to the initial state setting step S315. If the initial operation ID 613 matches the state transition ID 647, this means that the component executes the action first, and the process proceeds to the initial action simulation step S316.

In the initial state setting step S315, the state simulation storage unit 131 uses the RAM 914 as the state of the component selected by the state transition simulation unit 133 in the component selection step S313, and the state transition simulation unit 133 in the initial operation determination step S314. Stores the initial operation ID 613 acquired.
Thereafter, the process returns to the component selection step S313.

In the initial action simulation step S316, the action simulation unit 134 uses the CPU 911 from the state transition data 646 stored in the state transition storage unit 116, and the initial operation acquired by the state transition simulation unit 133 in the initial operation determination step S314. A pair of a state transition ID 647, an execution action ID 648, and a transition destination ID 649 in which the ID 613 matches the state transition ID 647 is acquired. The state simulation storage unit 131 uses the CPU 911 from the action data 620 stored in the action storage unit 113, and the action ID 621, action name 622, execution element ID 623, execution, and the acquired execution action ID 648 match the action ID 621. A set of time 624 and execution content 625 is acquired. The action simulation unit 134 uses the CPU 911 to simulate execution of the action represented by the acquired execution content 625 for the component selected by the state transition simulation unit 133 in the component selection step S313. Further, the action simulation unit 134 uses the CPU 911 to calculate a time at which the execution of the action ends (hereinafter referred to as “transition time”) based on the acquired execution time 624. The action simulation unit 134 reserves the calculated transition time by using the CPU 911 for the component selected by the state transition simulation unit 133 in the component selection step S313.
Thereafter, the process returns to the component selection step S313.

In the clock progress step S321, the state transition simulation unit 133 uses the CPU 911 to acquire the earliest event occurrence time or transition time based on the reserved event occurrence time and transition time. Using the CPU 911, the state transition simulation unit 133 advances the clock of the evaluation target system 700 to be simulated until the acquired event occurrence time or transition time.
When the clock is advanced to the event occurrence time, the process proceeds to the event simulation process S322.
When the clock is advanced to the transition time, the process proceeds to the state transition simulation step S331.
If neither the transition time nor the event occurrence time is reserved, the simulation of the evaluation target system 700 is finished. The simulation execution unit 130 ends the simulation execution process S310.
The simulation end time may be determined in advance, and the simulation execution process S310 may be terminated when the clock of the evaluation target system 700 to be simulated has passed the simulation end time.

In the event simulation step S322, the event simulation unit 135 uses the CPU 911 to generate a reserved event. The queue simulation unit 136 uses the RAM 914 to store events generated by the event simulation unit 135.
In the processing time violation determination step S323, the processing time violation determination unit 151 uses the CPU 911 based on the processing time condition data 670 stored in the processing time condition storage unit 124 to perform the processing time violation determination unit 151 in the event simulation step S322. It is determined whether or not the event generated by violates the processing time condition. When the processing time violation determining unit 151 determines that the processing time condition is violated, the processing time violation storage unit 152 stores data relating to the processing time violation using the magnetic disk device 920.
In the failure occurrence determination step S324, the failure occurrence determination unit 141 uses the CPU 911 based on the failure detection condition data 680 stored in the failure detection condition storage unit 125 to determine whether or not a failure has occurred in the evaluation target system 700. judge. If the failure occurrence determination unit 141 determines that a failure has occurred, the failure occurrence determination unit 141 uses the CPU 911 to calculate a failure occurrence time when the failure has occurred. The failure occurrence determination unit 141 uses the magnetic disk device 920 to store the calculated failure occurrence time.
In the recovery determination step S325, the recovery determination unit 142 determines whether the evaluation target system 700 has recovered from the failure using the CPU 911 based on the failure detection condition data 680 stored in the failure detection condition storage unit 125. . When the recovery determination unit 142 determines that the recovery from the failure has occurred, the recovery determination unit 142 uses the CPU 911 to calculate the recovery time from the failure. The recovery determination unit 142 uses the magnetic disk device 920 to store the calculated recovery time. Then, it progresses to order condition determination process S332.

  In the state transition simulation step S331, the state transition simulation unit 133 uses the CPU 911 based on the state transition data 646 stored in the state transition storage unit 116, and the component that has finished executing the action executes the next action. Whether to complete the state transition by transitioning to the state. If it is determined that the next action is to be executed, the process proceeds to the action simulation step S336. When it is determined that the state transition is completed, the state simulation storage unit 131 stores the transition destination ID 649 using the RAM 914 as the state of the component that executed the action. Then, it progresses to order condition determination process S332.

  In the order condition determination step S332, the order condition violation determination unit 137 uses the CPU 911 for the component that has changed in the state transition simulation step S331 or the component that acquires the event newly generated in the event simulation step S322. An event is acquired from the queue simulation unit 136. The order condition violation determination unit 137 determines whether the acquired event violates the order condition based on the order condition data 665 stored in the order condition storage unit 123. If it is determined that there is a violation, the process proceeds to the order condition violation storage step S333. If it is determined that the order condition is satisfied, the process proceeds to the execution condition determination step S334.

  In the order condition violation storage step S333, the function constraint violation storage unit 153 stores data related to the order condition violation determined by the order condition violation determination unit 137 in the order condition determination step S332 using the magnetic disk device 920. Thereafter, the process returns to the clock progress step S321.

In the execution condition determination step S334, the execution condition determination unit 132 uses the CPU 911 to determine whether the execution condition is satisfied based on the execution condition data 640 stored in the execution condition storage unit 115.
If it is determined that the execution condition is satisfied, the process proceeds to the action simulation step S336.
If it is determined that the execution condition other than the parameter condition is satisfied but the parameter condition is violated, the process proceeds to the parameter condition violation storage step S335.
If it is determined that the execution conditions other than the parameter conditions are not satisfied, the process returns to the clock progress step S321.

  In the parameter condition violation storage step S335, the function constraint violation storage unit 153 stores data on the parameter condition violation determined by the execution condition determination unit 132 in the execution condition determination step S334 using the magnetic disk device 920. Thereafter, the process returns to the clock progress step S321.

  In the action simulation step S336, the action simulation unit 134 simulates the execution of an action using the CPU 911 based on the action data 620 stored in the action storage unit 113. Further, the action simulation unit 134 calculates a transition time at which the execution of the action ends. The action simulation unit 134 reserves the calculated transition time using the CPU 911. Thereafter, the process returns to the clock progress step S321.

FIG. 22 is a flowchart showing an example of the flow of the availability calculation process S370 in this embodiment.
The availability calculation process S370 includes a failure occurrence time acquisition step S371, an operation time calculation step S372, a recovery time acquisition step S373, a repair time calculation step S374, an average operation time calculation step S375, an average repair time calculation step S376, and an availability evaluation value calculation step. S377 is included.

  In the failure occurrence time acquisition step S371, the operation time calculation unit 143 uses the CPU 911 to acquire the failure occurrence times stored in the failure occurrence determination unit 141 one by one in order from the earliest. When all the failure occurrence times have been acquired and there is no failure occurrence time to be acquired, the process proceeds to the average operation time calculation step S375. If an unacquired failure occurrence time is acquired, the process proceeds to the operation time calculation step S372.

  In the operation time calculation step S372, the operation time calculation unit 143 calculates the operation time using the CPU 911 based on the previous recovery time and the failure occurrence time acquired in the failure occurrence time acquisition step S371. The operation time storage unit 145 stores the operation time calculated by the operation time calculation unit 143 using the magnetic disk device 920.

  In the recovery time acquisition step S373, the recovery time calculation unit 144 uses the CPU 911 to acquire the recovery times stored by the recovery determination unit 142 one by one in order from the earliest. When all the recovery times have been acquired and there is no recovery time to be acquired, the process proceeds to the average operation time calculation step S375. If an unacquired recovery time is acquired, the process proceeds to the repair time calculation step S374.

  In the repair time calculation step S374, the repair time calculation unit 144 sets the CPU 911 based on the failure occurrence time acquired by the operation time calculation unit 143 in the operation time calculation step S372 and the recovery time acquired in the recovery time acquisition step S373. Use to calculate repair time. The repair time storage unit 146 stores the repair time calculated by the repair time calculation unit 144 using the magnetic disk device 920. Thereafter, the process returns to the failure occurrence time acquisition step S371.

In the average operation time calculation step S375, the average operation time calculation unit 147 calculates the average operation time using the CPU 911 based on the operation time stored in the operation time storage unit 145.
In the average repair time calculation step S376, the average repair time calculation unit 148 calculates the average repair time using the CPU 911 based on the repair time stored in the repair time storage unit 146.
In the availability evaluation value calculation step S377, the availability calculation unit 149 calculates the average operation time calculated by the average operation time calculation unit 147 in the average operation time calculation step S375 and the average repair time calculation unit 148 in the average repair time calculation step S376. Based on the average repair time, the CPU 911 is used to calculate an availability evaluation value.

  In this example, the processing time violation is determined in the simulation execution process S310, but the event generated by the event simulation unit 135 and its time are stored, and in the availability calculation process S370, The configuration may be such that the processing time violation is determined. Similarly, in the availability calculation process S370, it may be configured to determine the failure occurrence time and the recovery time. On the contrary, in the simulation execution process S310, the operation time and the repair time may be calculated.

FIG. 23 is a schematic diagram showing how the simulation execution unit 130 in this embodiment simulates the operation of the evaluation target system 700.
In addition, each storage part of the availability evaluation apparatus 100 shall store each data shown in FIGS. 7-15 and FIGS. 17-19.
Here, “e1” to “e7” are component IDs 611, and the sensors 701 and 702, the sensor processing program 703, the control processing program 704, the monitoring processing program 705, the driving processing program 706, which are simulated by the simulation execution unit 130, Represents components such as actuator 707.

  At time “0”, each component performs an initial operation. The component (sensor 701) whose component ID 611 is “e1” executes the action (initialization action 731) whose action ID 621 is “a11” in accordance with the transition whose state transition ID 647 is “t11”. The execution time of the action “a11” is “8”. The component “e5” (monitoring processing program 705) executes the action “a51” (report request action 744) of the execution time “3” according to the transition “t51”. Other components do not perform an action first, and transition to the first state.

At time “3”, the execution of action “a51” ends, and component “e5” generates event “v51” (report request event 756). The component “e5” transitions to the state “s52” (response waiting state 722) according to the transition “t51”. Since the queue “q51” of the component “e5” is empty, the component “e5” remains in the state “s52” and waits to acquire an event.
The queue “q42” of the component “e4” (control processing program 704) receives the event “v51”. Since the queue “q42” is empty, the component “e4” immediately acquires the event “v51”. Since the component “e4” is in the state “s41” (control state 719) and the event “v51” is acquired, the order condition “o42” is satisfied and the transition condition “t42” indicated by the execution condition “c42” is satisfied Then, the action “a42” (response action 743) of the execution time “9” is executed.

  At time “8”, the execution of action “a11” ends. The component “e1” executes the next action “a12” (observation action 732) of the execution time “2” in accordance with the next transition “t12” indicated by the transition “t11”.

At the time “10”, the execution of the action “a12” ends, and the component “e1” generates the event “v11” (observation result event 751). In addition, the component “e1” generates the event “v12” (time lapse event) at time “28”, which is after “18” unit time. The event “v12” is not shown because it is an event acquired by the component “e1” itself. The component “e1” transitions to the state “s11” (sensor operation state 711) according to the transition “t12”. Since the queue “q11” of the component “e1” is empty, the component “e1” waits to acquire an event in the state “s11”.
The queue “q31” of the component “e3” (sensor processing program 703) receives the event “v11”. Since the queue “q31” is empty, the component “e3” immediately acquires the event “v11”. The component “e3” is in the state “s31” (waiting for observation 717), and since the event “v11” is acquired, the order condition “o31” is satisfied, and the transition “t31” indicated by the execution condition “c31” is displayed. Therefore, the action “a31” (sensor processing action 737) of the execution time “5” is executed.

  In this manner, the simulation execution unit 130 simulates the operation of the evaluation target system 700 by simulating the state, action, queue, and the like of each component constituting the evaluation target system 700.

In response to the occurrence of the event “v11” at time “10”, the processing time violation determining unit 151 determines whether there is a violation of the processing time condition “p1”. The first event “v31” after time “10” occurs at time “15”. The processing time violation determining unit 151 calculates that the interval between two events is “5” and determines that the processing time condition “p1” is satisfied because the interval upper limit 675 is “10” or less.
Similarly, in response to the occurrence of the event “v31” at time “124”, the processing time violation determining unit 151 determines whether there is a violation of the processing time condition “p2”. The first event “v41” after time “124” occurs at time “138”. The processing time violation determining unit 151 calculates that the interval between the two events is “14” and determines that the processing time condition “p2” is violated because the interval upper limit 675 “12” is exceeded. .

  In this way, whenever an event represented by the preceding event ID 672 occurs, the processing time violation determining unit 151 obtains the time when the event represented by the subsequent event ID 673 first occurs after that, and calculates the interval between the two events. To determine whether there is a processing time violation.

In response to the occurrence of the event “v71” at time “45”, which is the first occurrence of the event “v71”, the recovery determination unit 142 determines that the evaluation target system 700 is based on the failure detection condition “b1”. Is recovered from the failure (initialization process) and starts operating normally.
Since the event “v71” has occurred at time “65” and the interval from the previous event “v71” is “20”, the failure determination unit 141 falls under the failure detection condition “b1”. It is determined that the evaluation target system 700 continues to operate normally.
Similarly, in response to the occurrence of the event “v71” at time “85” and time “105”, the failure occurrence determination unit 141 determines that the evaluation target system 700 continues to operate normally.
At time “127”, since the next event “v71” has not yet occurred even though the interval upper limit 685 “22” has elapsed since the occurrence of the previous event “v71”, the failure occurrence determination unit 141 Falls under the failure detection condition “b1” and determines that a failure has occurred in the evaluation target system 700.
Since the event “v71” has finally occurred at time “165”, the recovery determination unit 142 determines that the evaluation target system 700 has recovered from the failure and started operating normally based on the failure detection condition “b1”. judge.

  As described above, the failure occurrence determination unit 141 and the recovery determination unit 142 determine the occurrence of a failure and the recovery from the failure every time the event represented by the preceding event ID 682 or the subsequent event ID 683 occurs.

In this example, the operation time calculation unit 143 calculates “82”, which is a difference obtained by subtracting the time “45” from the time “127”, and sets it as the first operation time. Further, the repair time calculation unit 144 calculates “38”, which is a difference obtained by subtracting the time “127” from the time “165”, and sets it as the first repair time.
The operation time calculation unit 143 may be configured to count the time “45” until the event “v71” first occurs as the first repair time.

  After the simulation execution unit 130 finishes simulating the operation of the evaluation target system 700, the average operation time calculation unit 147 sums all the operation times calculated by the operation time calculation unit 143, and the operation time calculation unit 143 calculates The average operating time is calculated by dividing by the number of operating times. The average repair time calculation unit 148 also calculates the average repair time by adding up all the repair times calculated by the repair time calculation unit 144 and dividing the sum by the number of repair times calculated by the repair time calculation unit 144. The availability calculator 149 calculates an availability evaluation value based on the average operation time calculated by the average operation time calculator 147 and the average repair time calculated by the average repair time calculator 148.

  The input event represented by the input event data 650 stored in the input event storage unit 121 represents an external input to the evaluation target system 700. For example, if the load on the evaluation target system 700 is large, the input from the outside to the evaluation target system 700 increases. Therefore, by simulating the operation of the evaluation target system 700 using a plurality of input event data 650 having different input event intervals, it is possible to simulate a change in load in the actual system. The influence that the fluctuation of the load has on the availability of the evaluation target system 700 can be measured.

  Further, since the availability evaluation apparatus 100 outputs not only the availability evaluation value but also information on functional constraint violation such as order condition violation and parameter condition violation and processing time violation as the availability evaluation result, the availability of the evaluation target system 700 If this is low, the cause can be investigated by analyzing this.

The availability evaluation apparatus 100 according to this embodiment evaluates the evaluation target system 700 by simulating the operation of the evaluation target system 700 configured by one or more components (such as the sensor 701).
The availability evaluation apparatus 100 includes a storage device (such as a magnetic disk device 920 and a RAM 914) that stores data, a processing device (CPU 911) that processes data, an operation model storage unit 110, a simulation execution unit 130, and a failure occurrence determination. Unit 141, recovery determination unit 142, availability calculation unit 149, and evaluation result output unit 154.
The behavior model storage unit 110 stores a behavior model using the storage device for each of one or more actions (such as an initialization action 731) executed by the components constituting the evaluation target system 700. The behavior model includes a set of an execution condition, an execution time, and an execution result. The execution condition represents a condition for starting execution of the action. The execution time represents the time taken to execute the action. The execution result represents the result of executing the action.
The simulation execution unit 130 simulates a system operation using the processing device based on the operation model stored in the operation model storage unit 110. The system operation is the operation of the evaluation target system 700.
The failure occurrence determination unit 141 determines a failure occurrence time using the processing device based on the system operation simulated by the simulation execution unit 130. The failure occurrence time is a time at which a failure occurs in the evaluation target system 700.
The recovery determination unit 142 determines a recovery time using the processing device based on the system operation simulated by the simulation execution unit 130. The recovery time is a time when the evaluation target system 700 recovers from the failure.
The availability calculation unit 149 calculates an availability evaluation value using the processing device based on the failure occurrence time determined by the failure occurrence determination unit 141 and the recovery time determined by the recovery determination unit 142. The availability evaluation value is a numerical value representing the percentage of time during which the evaluation target system 700 is operating normally.
The evaluation result output unit 154 outputs an availability evaluation result using the processing device. The availability evaluation result represents a result of evaluating the evaluation target system, and includes the availability evaluation value calculated by the availability calculation unit 149.

  According to the availability evaluation apparatus 100 in this embodiment, based on the behavior model stored in the behavior model storage unit 110, the simulation execution unit 130 simulates the operation of the evaluation target system 700, and the failure occurrence determination unit 141 makes a determination. Since the availability calculation unit 149 calculates the availability evaluation value based on the failure occurrence time and the recovery time determined by the recovery determination unit 142, the availability evaluation value is not a theoretical value but a value close to the actual operation. The evaluation target system 700 can be evaluated with high accuracy.

The availability evaluation device 100 in this embodiment further includes an average operation time calculation unit 147 and an average repair time calculation unit 148.
The average operation time calculation unit 147 calculates the average operation time using the processing device based on the failure occurrence time determined by the failure occurrence determination unit 141 and the recovery time determined by the recovery determination unit 142. . The average operation time is an average value of the time during which the evaluation target system 700 is operating normally.
The average repair time calculation unit 148 calculates an average repair time using the processing device based on the failure occurrence time determined by the failure occurrence determination unit 141 and the recovery time determined by the recovery determination unit 142. . The average repair time is an average value of the time during which a failure has occurred in the evaluation target system 700.
The availability calculation unit 149 uses the processing device to calculate the availability evaluation value based on the average operation time calculated by the average operation time calculation unit 147 and the average repair time calculated by the average repair time calculation unit 148. Is calculated. The availability evaluation value is a quotient obtained by dividing the average operation time by the total average time. The total average time is the sum of the average operation time and the average repair time.

  According to the availability evaluation apparatus 100 in this embodiment, the quotient obtained by dividing the average operation time by the sum of the average operation time and the average repair time is used as the availability evaluation value. A value close to can be set as the availability evaluation value, and the evaluation target system 700 can be evaluated with high accuracy.

The availability evaluation device 100 in this embodiment further includes a function constraint condition storage unit (order condition storage unit 123, execution condition storage unit 115).
The function constraint condition storage unit stores one or more function constraint conditions (order condition, parameter condition) using the storage device. The function restriction condition represents a condition that restricts execution of an action by the constituent elements constituting the evaluation target system 700.
The simulation execution unit 130 simulates a system operation using the processing device based on the behavior model stored in the behavior model storage unit 110 and the function constraint condition stored in the function constraint condition storage unit.

  According to the availability evaluation apparatus 100 in this embodiment, since the operation of the evaluation target system 700 is simulated in consideration of the function constraint conditions, it is possible to simulate the actual operation, and the evaluation target system 700 can be accurately performed. Can be evaluated.

The availability evaluation apparatus 100 according to this embodiment further includes a function constraint violation determination unit (order condition violation determination unit 137, execution condition determination unit 132).
The function constraint violation determining unit determines a function constraint violation using the processing device based on the system operation simulated by the simulation execution unit 130. The function constraint violation represents a violation of the function constraint condition.
The availability evaluation result output by the evaluation result output unit 154 includes the function constraint violation determined by the function constraint violation determination unit.

  According to the availability evaluation apparatus 100 in this embodiment, since the availability evaluation result includes a function constraint violation, when the availability evaluation value of the evaluation target system 700 is low, the cause is clarified and the evaluation target system 700 is improved. Will help.

The availability evaluation device 100 in this embodiment further includes a performance constraint condition storage unit (processing time condition storage unit 124) and a performance constraint violation determination unit (processing time violation determination unit 151).
The performance constraint condition storage unit stores one or more performance constraint conditions (processing time conditions) using the storage device. The performance constraint condition represents a condition related to performance that should be satisfied by a result of executing an action by a component constituting the evaluation target system 700.
The performance constraint violation determining unit determines a performance constraint violation using the processing device based on the system operation simulated by the simulation execution unit 130. The performance constraint violation represents a violation of the performance constraint condition.
The availability evaluation result output by the evaluation result output unit 154 includes the performance constraint violation determined by the performance constraint violation determination unit.

  According to the availability evaluation apparatus 100 in this embodiment, since the availability evaluation result includes a performance constraint violation, when the availability evaluation value of the evaluation target system 700 is low, the cause is clarified and the evaluation target system 700 is improved. Will help.

In the availability evaluation apparatus 100 in this embodiment, the execution condition stored by the behavior model storage unit 110 is a set of an element state (condition state ID 642) and an acquisition event (condition event ID 643). The element state represents the state of the component. The acquisition event represents an event that occurs in the evaluation target system. The execution condition indicates that the occurrence of the acquisition event when the state of the component is the element state is a condition for starting the action.
The execution result stored by the behavior model storage unit 110 is a set of a transition state (transition destination ID 644) and a result event (event data 630). The transition state represents the state of the component. The result event represents an event that occurs in the evaluation target system. The execution result indicates that, as a result of executing the action, the state of the component transitions to the transition state and the result event occurs.

  According to the availability evaluation apparatus 100 in this embodiment, since the operation model of the evaluation target system 700 is represented using the state transition model, the operation model of the evaluation target system 700 can be easily constructed. Can be evaluated with high accuracy.

The availability evaluation apparatus 100 in this embodiment further includes a parameter condition storage unit (execution condition storage unit 115).
The parameter condition storage unit stores one or more parameter conditions 645 using the storage device. The parameter condition represents a condition to be satisfied by an event parameter represented by the acquisition event of the execution condition for the execution condition stored in the behavior model storage unit 110, and the parameter of the acquisition event satisfies the parameter condition. Indicates that the condition is to start the action.
The simulation execution unit 130 simulates the system operation using the processing device based on the behavior model stored in the behavior model storage unit 110 and the parameter conditions stored in the parameter condition storage unit.

  According to the availability evaluation apparatus 100 in this embodiment, since the condition for the event parameter is part of the execution condition, simulation close to the actual operation can be performed, and the evaluation target system 700 is evaluated with high accuracy. can do.

The availability evaluation device 100 in this embodiment further includes an order condition storage unit 123.
The order condition storage unit 123 stores one or more order conditions (order condition data 665) using the storage device. The order condition represents a condition related to the order in which the event represented by the acquisition event of the execution condition occurs for the execution condition stored in the behavior model storage unit 110, and the order in which the acquisition event occurs satisfies the order condition. Represents a condition for starting the action.
The simulation execution unit 130 simulates system operation using the processing device based on the behavior model stored in the behavior model storage unit 110 and the order condition stored in the order condition storage unit 123.

  According to the availability evaluation apparatus 100 in this embodiment, since the conditions regarding the order of events are part of the execution conditions, simulation close to actual operation can be performed, and the evaluation target system 700 can be accurately evaluated. can do.

The availability evaluation device 100 in this embodiment further includes a processing time condition storage unit 124 and a processing time violation determination unit 151.
The processing time condition storage unit 124 stores a processing time condition (processing time condition data 670) using the storage device. The processing time condition represents a condition that the interval between two events that occur in the evaluation target system 700 should be satisfied for the behavior model stored in the behavior model storage unit 110.
The processing time violation determining unit 151 determines a processing time violation using the processing device based on the system operation simulated by the simulation execution unit 130. The processing time violation represents a violation of the processing time condition.
The availability evaluation result output by the evaluation result output unit 154 includes the processing time violation determined by the processing time violation determination unit 151.

  According to the availability evaluation apparatus 100 in this embodiment, since the availability evaluation result includes a processing time violation, when the availability evaluation value of the evaluation target system 700 is low, the cause is clarified and the evaluation target system 700 is improved. Will help.

The availability evaluation device 100 in this embodiment further includes an input event storage unit 121.
The input event storage unit 121 stores one or more input events (input event data 650) using the storage device. The input event includes a set of an occurrence event (input event ID 651) and an occurrence time (input time 652). The generated event represents an event that occurs in the evaluation target system 700. The occurrence time represents a time in simulation of the system operation. The input event indicates that the occurrence event occurs at the occurrence time.
The simulation execution unit 130 simulates the system operation using the processing device based on the operation model stored in the operation model storage unit 110 and the input event stored in the input event storage unit 121.

  According to the availability evaluation apparatus 100 in this embodiment, since the operation of the evaluation target system 700 is simulated based on the input event, the influence on the availability due to the fluctuation of the load of the evaluation target system 700 can be measured. 700 can be evaluated more accurately.

Note that, as described above, the input event storage unit 121 may be configured not to store the time at which an event occurs, but to store the conditions under which the event occurs, the probability of the event occurring, and the like. For example, the input event storage unit 121 stores a failure rate for hardware elements such as the sensor 701. The event simulation unit 135 generates a failure event of the hardware element based on the failure rate stored in the input event storage unit 121.
With such a configuration, a hardware failure can be simulated with high accuracy, and the evaluation target system 700 can be evaluated with higher accuracy.

The availability evaluation device 100 in this embodiment further includes a queue model storage unit 122.
The queue model storage unit 122 stores a queue model (queue data 655, acquired event data 660) using the storage device for each component constituting the evaluation target system 700. The queue model represents rules regarding the order in which events generated in the evaluation target system 700 are processed.
The simulation execution unit 130 simulates the system operation using the processing device based on the behavior model stored in the behavior model storage unit 110 and the queue model stored in the queue model storage unit 122.

  According to the availability evaluation device 100 in this embodiment, since the operation of the evaluation target system 700 is simulated based on the queue model, the processing procedure when a plurality of events are congested is simulated in the same manner as the actual system. Therefore, the evaluation target system 700 can be evaluated with high accuracy.

  The availability evaluation apparatus 100 in this embodiment uses a computer having a storage device that stores data, a processing device that processes data, and a computer program that causes the computer to function as the availability evaluation apparatus 100. Can be realized by executing the above computer program.

  According to the computer program that implements the availability evaluation device 100 in this embodiment, the simulation execution unit 130 simulates the operation of the evaluation target system 700 based on the operation model stored in the operation model storage unit 110, and determines whether a failure has occurred. Since the availability calculation unit 149 calculates the availability evaluation value based on the failure occurrence time determined by the unit 141 and the recovery time determined by the recovery determination unit 142, the availability evaluation value is not a theoretical value but an actual value. It is possible to realize an availability evaluation apparatus 100 that can calculate a numerical value close to that at the time of operation and can evaluate the evaluation target system 700 with high accuracy.

The availability evaluation device 100 in this embodiment evaluates the evaluation target system 700 by simulating the operation of the evaluation target system 700 configured by one or more components, and includes the following steps. .
The storage device stores an operation model for each of one or more actions executed by the components constituting the evaluation target system 700.
Based on the operation model stored in the storage device, the processing device simulates the system operation.
Based on the system operation simulated by the processing device, the processing device determines the failure occurrence time.
Based on the system operation simulated by the processing device, the processing device determines a recovery time.
Based on the failure occurrence time determined by the processing device and the recovery time, the processing device calculates an availability evaluation value.
The processing device outputs an availability evaluation result.

  According to the availability evaluation method in this embodiment, based on the operation model stored in the storage device, the processing device simulates the operation of the evaluation target system 700, and based on the determined failure occurrence time and the recovery time, Since the availability evaluation value is calculated, a numerical value close to the actual operation can be calculated as the availability evaluation value instead of a theoretical value, and the evaluation target system 700 can be evaluated with high accuracy.

The design system 800 described above is an availability calculation device that calculates whether the availability of the control system to be developed (evaluation target system 700) satisfies the requirements.
The availability calculation device creates a creation unit (system model design device 810) that creates an event sequence that is assumed to be input to the control system, and creates a state transition model that defines the operation specifications, event queue, and processing time of the control system. Creating unit (system model design device 810), description unit (system model design device 810) describing the function constraints of the state transition model, and description unit (system model design device 810) describing the performance constraints of the state transition model An execution unit (simulation execution unit 130) that executes a state transition model in response to an event input, an output unit (availability calculation unit 149) that outputs an availability calculation value from the execution result of the state transition model, and execution of the state transition model Detection unit (order condition violation determination unit 137, execution condition determination unit 132) that detects a function constraint violation from the result, and state transition Comprising detector for detecting a performance constraint violations from the result of simulation (the processing time violation determining unit 151), the evaluation unit the control system evaluates meets the availability request and (system model design apparatus 810).
Also, the availability calculation apparatus creates an event sequence that is assumed to be input to the control system in advance, or creates a probability distribution at the time of calculation.
In addition, the availability calculation device describes the function constraints of the state transition model as input / output constraints (parameter conditions) for interfaces, order constraints (order conditions) for ports, or a combination thereof.
In addition, the availability calculation device describes the performance constraint of the state transition model as an operation time constraint (processing time condition) for the waiting time in the event queue and the processing time of the transition action.
In addition, the availability calculation apparatus calculates a request achievement level that is a ratio in which the availability calculation value is a numerator and the availability request value is a denominator as a method for evaluating whether the control system satisfies the availability request.

The availability calculation device described above can take into account dynamic load fluctuations that occur during weekly, monthly, and yearly periods during system operation, so even if dynamic load fluctuations occur, the availability evaluation results High accuracy. Further, it is possible to accurately express the constraints on the components and the execution environment regarding the operation load.
As a result, in addition to the hardware failure rate, the input / output / order constraints of the interface between the component and the execution environment, and the operation time constraint of the state transition can be taken into account, and the accuracy of the availability evaluation result can be increased. it can.

  The availability calculation model creation unit (system model design device 810) creates an availability calculation model used for availability evaluation of the control system. The availability calculation model is composed of a state transition model, a function constraint, a performance constraint, and a failure rate. The state transition model creation unit (system model design apparatus 810) creates a state transition model that defines the operation specifications of the control system. The function constraint creation unit (system model design device 810) describes constraints on the interface and port of the state transition model. The performance constraint creation unit (system model design apparatus 810) describes performance constraints for the execution of state transition. The failure rate creation unit (system model design device 810) describes the failure rate of the hardware to be controlled.

The availability calculation unit (availability evaluation apparatus 100) includes a state transition model execution unit (simulation execution unit 130), an instantaneous availability calculation unit (availability calculation unit 149), a constraint violation detection unit (execution condition determination unit 132, order condition violation determination unit). 137, a processing time violation determination unit 151). The state transition model execution unit identifies the state transition corresponding to the input event, calculates the waiting time in the event queue and the processing time of the transition action, executes the transition action, and transitions to the next state. In the instantaneous availability calculation unit, the time during which the response event corresponding to the input event is normally output is accumulated as the operation time. In addition, the time from when a response event corresponding to an input event is interrupted until it is output again due to dynamic load fluctuations or hardware failure detection / switching on the components and execution environment during system operation is accumulated as the repair time. To do. For example, in the case of periodic processing, it is determined that a failure has occurred when periodic output from a component such as an actuator is not performed. Further, when the process is not a periodic process such as a process corresponding to an input from the user, it is determined that a failure has occurred when an output for the input determined by the specification is not performed. That is, it is determined that a failure has occurred when an output that is assumed as the system specification is not output.
The availability calculation unit outputs an instantaneous availability calculation value (availability evaluation value) from the ratio of the average value of operation time during operation and the average value of repair time. The formula for calculating instantaneous availability is shown below.
Instantaneous availability = average operating time / (average operating time + average repair time).
Here, the average operation time and the average repair time are values at the time of operation. “In operation” refers to a period during which the system is actually operated (for example, a unit such as a week, a month, or a year), and the instantaneous availability is a value that can be in operation.
The constraint violation detection unit detects whether the result of executing the state transition model violates the function constraint and the performance constraint, and outputs the result. The function constraint violation and the performance constraint violation are used as information for specifying the cause when it is found that the calculation result of availability is out and the request cannot be satisfied.

  The availability calculation model (operation model) has the following configuration, for example. The availability calculation model describes the behavior of components such as software (control software, monitoring software) and device drivers (sensor processing, drive processing) installed in the control system, and the execution environment such as OS and middleware for executing the components. Define in the state transition model. This state transition model defines a notation for describing the function constraints of interfaces and ports, the performance constraints of state transitions, and the failure rate of hardware such as sensors and actuators to be controlled. It also defines a notation that describes the event queue and processing time of the state transition model. The component and execution environment define one or more event queues and one or more ports for storing input events, and exchange events with each other through the event queues and ports.

The state transition model is described in the following notation, for example. The function restriction is a condition that holds for the exchange of information between the interface and the port. The performance constraint is a condition that holds for the time related to the state transition and the transition action. The event queue is the number and size of queues for storing received events, extraction rules, and the processing time is the processing time required to execute the transition action.
The state transition model may be expressed in the form of a figure. For example, the operation of the control system starts from the start state (black circle), and when the event evt (evt1, evt2, etc.) is received in the state S (S1, S2, etc.), the transition action act (act1, act2, etc.) is executed. Transition to the next state. A performance constraint (performance constraint 1, performance constraint 2, etc.) is described for state S. The time taken to execute the transition action act is described as processing time (processing time 1, processing time 2, etc.) in parentheses. Functional constraints and event queues are described as common items in one state transition model. At the end of the operation of the control system, a transition is made to the end state (double black circle), and the operation stops.

An availability calculation process in the availability calculation apparatus will be described.
First, the availability calculation unit (availability evaluation apparatus 100) inputs the event sequence created by the event sequence creation unit. Then, the state transition model execution unit (simulation execution unit 130) in the availability calculation unit reads the events in order from the top of the input event sequence, identifies the corresponding state transition, and waits in the event queue and the transition action Calculate the processing time. Then, according to the description of the transition action, an event output process to other components is executed. The event that occurs at this time is added to the event string that is input first, and is subject to event reading processing in the state transition model execution unit.
When all events have been processed and there are no more events to be read, the instantaneous availability calculation unit calculates the instantaneous availability from the calculation results of the waiting time and processing time, and outputs the value.
Then, the constraint violation detection unit detects whether the input / output event violates the function constraint, detects whether the waiting time in the event queue and the processing time of the transition action violate the performance constraint, Output the result.
Then, the availability requirement value and the instantaneous availability calculation value are compared to evaluate whether the control system satisfies the availability requirement, and the availability evaluation result is output.

The state transition model execution unit directly executes a state transition model that defines the behavior of the components (for example, control software, monitoring software, sensor processing, and drive processing) of the control system, and exchanges events between the components. When an event is input to the state transition model (for example, cyclic input), a certain component receives the event, and when the event is received, the waiting time (for example, monitoring processing time) is calculated from all the events already in the event queue. The processing time (for example, sensor processing time) concerning the transition action corresponding to the received event is calculated, and the transition action corresponding to the received event is executed. The transition action describes an event output process to another component, etc., and another component receives an event according to this description, and similarly calculates a waiting time and a processing time. Then, based on the calculation result of the waiting time and the processing time, the time during which the response event (for example, periodic output) corresponding to the input event (for example, periodic input) is normally output is integrated as the operation time. In addition, failure detection / switching is simulated based on the hardware failure rate (for example, failure detection, failure switching), and the response event corresponding to the input event is interrupted by adding the calculation results of waiting time and processing time. The time until the output is again (for example, the failure recovery from the failure of the actuator) is integrated as the repair time. The above operation is executed for a time corresponding to the operation period.
The instantaneous availability calculation unit calculates the instantaneous availability from the ratio between the average value of the operation time during system operation and the average value of the repair time.
The constraint violation detection unit detects that the waiting time in the event queue and the processing time of the transition action violate the performance constraint (for example, the sensor processing performance constraint violation), and outputs the result.
Based on the output result, the availability requirement value and the instantaneous availability calculation value are compared to evaluate whether the control system satisfies the availability requirement.

Thereby, the following effects can be acquired.
In addition to the hardware failure rate, the accuracy of the availability evaluation result can be increased by considering the functional constraints of the components and the execution environment, and the performance constraints of the state transition.
By directly executing the state transition model that defines the operation specifications of the control system, it is possible to detect the failure to meet availability requirements before developing software and hardware, and to prevent the introduction of defects in system design Can do.

In the event sequence creation and input processing in the availability calculation process, the event sequence may be a deterministic event sequence created in advance from the system operation results and the developer experience. The event string is created with a set of event type, input order, and input time. The input time may be described as a relative time from a certain time, or may be described as an absolute time.
In addition, when the system operation record is poor or when it is difficult to predict the future system operation status, the event sequence is described using a probability distribution such as an exponential distribution, and the event sequence is created at the time of calculation. Also good. In this case, the state transition model execution unit calculates the input time interval of each event using the probability distribution. The event sequence created using the probability distribution is such that the input time has a value according to the probability distribution.
By creating an event sequence representing a load variation as an event sequence, the instantaneous availability in consideration of the dynamic load variation can be calculated.

The function constraints on the interface and port of the state transition model include, for example, an input / output constraint on the interface, an order constraint on the port, or a combination thereof.
An input / output constraint for an interface is a parameter value of an input / output event and a condition that holds between the parameter values. For example, the allowable range for the parameter value of the input event. An input / output constraint violation occurs, for example, when hardware such as a sensor or an actuator fails and an abnormal value is output.
The order restriction for ports is a condition that holds for the order of input events. For example, the input order allowed for each of the two sets of events. The state transition model is created so as to satisfy these order constraints. Order constraint violation occurs when, for example, the state transition models of individual elements such as sensor processing, drive processing, and control software are correct, but when these are connected and combined and operated in parallel, an unexpected contradiction occurs. .

The performance constraint on the execution of the state transition model includes, for example, a waiting time in the event queue and an operation time constraint on the processing time of the transition action.
The operation time constraint is a condition that holds for the time from when an event is received until the execution of the transition action corresponding to the event is completed, that is, the total value of the waiting time and the processing time. For example, the condition is specified by a minimum value, maximum value, average value, standard deviation, probability distribution, and the like. When the minimum value and the maximum value allowed for the total value of the waiting time and the processing time are used as the operation time constraint, the constraint violation detection unit determines whether or not it is an operation time constraint violation for the execution of each transition action. Determine. In addition, when the average value, standard deviation, probability distribution range, etc. allowed for the total value of the waiting time and processing time are set as the operation time constraint, the constraint violation detection unit performs the execution of multiple transition actions. An average value, standard deviation, probability distribution, and the like are calculated, and it is determined whether or not the operation time constraint is violated by determining whether the average value, standard deviation, probability distribution, and the like are out of a predetermined range (for example, ± 5%).
Such a performance constraint violation is caused when, for example, individual elements such as sensor processing, drive processing, and control software are connected and combined to operate in parallel, and processing corresponding to multiple events collides with one element. This is caused by extra waiting time.

Instead of outputting the instantaneous availability calculation value (availability evaluation value) as it is, the availability calculation device may calculate and output an evaluation value for evaluating whether the control system satisfies the availability requirement. For example, the availability calculation device calculates and outputs a request achievement level that is a ratio with the availability calculation value as a numerator and the availability request value as a denominator.
The calculation formula for requirement achievement is shown below.
Instantaneous availability requirement achievement = (instantaneous availability calculation value / availability requirement value) × 100 [%].
For example, if the instantaneous availability calculation value is 0.99 and the availability requirement value is 0.999, the availability calculation apparatus sets the instantaneous availability requirement achievement to 0.99 / 0.999 × 100 = 99.1%. calculate.

  There are several variants of the state transition model notation. For example, there is a method of describing an entry action executed when entering each state of the state transition model and an exit action executed when exiting each state.

FIG. 24 is a diagram illustrating an example of a state transition model in which entry actions and exit actions are described.
In this example, “state 2” describes “processing C” as an entry action and “processing D” as an exit action.

When the system model design device 810 generates a state transition model described in such a format as a system model, for example, the availability evaluation device 100 may have a model conversion device.
The model conversion apparatus converts the state transition model described in such a format into a state transition model described in a format without an entry action or an exit action. The model conversion device generates a state transition model in which the entrance action and the exit action are converted into transition actions.
Since the entry action is a process common to all the state transitions that enter the state in which the entry action is described, the entry action is converted so as to execute the Entry action subsequent to the transition actions of all the incoming state transitions. Since the exit action is a process common to all state transitions that exit from the described state, the exit action is converted to be executed before the transition action of all the outgoing state transitions.

FIG. 25 is a diagram illustrating an example of a state transition model converted by the model conversion apparatus.
In this example, the model conversion apparatus converts “Process C” into a transition action executed after “Process A” and after “Process F”, and “Process D” before “Process B” and “Process A state transition model that does not include an entry action and an exit action is generated by converting into a transition action executed before “E”.

The availability calculation device described above converts an entry action executed when entering each state of the state transition model and an exit action executed when exiting each state into a transition action, Calculate availability.
As a result, availability can be evaluated even when an entry action and an exit action are described in the state transition model that defines the operation specifications of the control system.

  100 availability evaluation device, 110 behavior model storage unit, 111 component storage unit, 112 state storage unit, 113 action storage unit, 114 event storage unit, 115 execution condition storage unit, 116 state transition storage unit, 121 input event storage unit, 122 queue model storage unit, 123 order condition storage unit, 124 processing time condition storage unit, 125 fault detection condition storage unit, 130 simulation execution unit, 131 state simulation storage unit, 132 execution condition determination unit, 133 state transition simulation unit, 134 Action simulation unit, 135 event simulation unit, 136 queue simulation unit, 137 order condition violation determination unit, 141 failure occurrence determination unit, 142 recovery determination unit, 143 operation time calculation unit, 144 repair time calculation unit, 145 operation time storage unit, 146 Repair time storage unit, 147 Average operation time calculation 148 average repair time calculation unit, 149 availability calculation unit, 151 processing time violation determination unit, 152 processing time violation storage unit, 153 function constraint violation storage unit, 154 evaluation result output unit, 610 component data, 611 component ID, 612 Component element name, 613 Initial operation ID, 615 State data, 616 State ID, 617 State name, 618 Affiliated element ID, 620 Action data, 621 Action ID, 622 Action name, 623 Execution element ID, 624 Execution time, 625 Execution Contents, 630 Event data, 631 Event ID, 632 Event name, 633 Occurrence action ID, 634 Delay time, 640 Execution condition data, 641 Execution condition ID, 642 Condition state ID, 643 Condition event ID, 644 Transition destination ID, 645 Parameter conditions, 646 State transition data, 647 State transition ID, 648 Execution action ID, 649 Transition destination ID, 650 Input event data, 651 Input event ID, 652 Input time, 655 Queue data, 656 Queue ID, 657 Acquisition element ID, 658 Acquisition method, 659 Priority, 660 Acquisition event data, 661 Acquisition queue ID, 662 Acquisition event ID, 665 Order condition data, 666 Order condition ID, 667 Condition state ID, 668 Condition event ID, 669 Transition destination ID, 670 Process Time condition data, 671 Processing time condition ID, 672 Predecessor event ID, 673 Subsequent event ID, 674 Interval lower limit, 675 Interval upper limit, 680 Failure detection condition data, 681 Failure detection condition ID, 682 Predecessor event ID, 683 Subsequent event ID, 684 Interval lower limit, 685 Interval upper limit, 700 Evaluation target system, 701, 702 Sensor, 703 Sensor processing program, 704 Control processing program, 705 Monitoring processing program, 706 Drive processing program, 707 Actuator, 711 , 714 Sensor operation state, 712, 715 Sensor failure state, 713, 716 Sensor standby state, 717, 718 Observation wait state, 719 Control state, 721 Monitor state, 722 Response wait state, 723 Control wait state, 724 Drive wait state, 731,734 Initialization action, 732,735 Observation action, 733,736 Repair action, 737,739 Sensor processing action, 738,741 Switching action, 742 Control action, 74 3 Response action, 744 Report request action, 745 Response processing action, 746 Drive action, 747 Operation action, 751, 752 Observation result event, 753, 754 Switching event, 755 Processing result event, 756 Report request event, 757 Response event, 758 Control instruction event, 759 drive event, 761 operation event, 771-791 state transition condition, 800 design system, 810 system model design device, 820 system detailed design device, 901 display device, 902 keyboard, 903 mouse, 904 FDD, 905 CDD 906 Printer device 907 Scanner device 910 System unit 911 CPU 912 Bus 913 ROM 914 RAM 915 Communication device 92 Magnetic disk drive, 921 OS, 922 Window system, 923 Program group, 924 File group, 931 telephone, 932 a facsimile machine, 940 Internet, 941 Gateway, 942 LAN.

Claims (13)

In an availability evaluation device that evaluates the evaluation target system by simulating the operation of the evaluation target system configured by one or more components,
A storage device that stores data, a processing device that processes data, an operation model storage unit, a simulation execution unit, a failure determination unit, a recovery determination unit, an availability calculation unit, and an evaluation result output unit; And
The behavior model storage unit stores a behavior model using the storage device for each of one or more actions executed by components constituting the evaluation target system. The behavior model includes an execution condition, an execution time, and an execution. The execution condition represents a condition for starting the execution of the action, the execution time represents a time taken to execute the action, and the execution result represents a result of executing the action. Represent,
The simulation execution unit simulates a system operation using the processing device based on the operation model stored in the operation model storage unit, and the system operation is an operation of the evaluation target system,
The failure occurrence determination unit determines a failure occurrence time using the processing device based on a system operation simulated by the simulation execution unit, and the failure occurrence time is a time when a failure occurs in the evaluation target system. Yes,
The recovery determination unit determines a recovery time using the processing device based on the system operation simulated by the simulation execution unit, and the recovery time is a time when the evaluation target system recovers from the failure,
The availability calculation unit calculates an availability evaluation value using the processing device based on the failure occurrence time determined by the failure occurrence determination unit and the recovery time determined by the recovery determination unit, and the availability evaluation value Is a numerical value representing the percentage of time that the system under evaluation is operating normally,
The evaluation result output unit outputs an availability evaluation result using the processing device, and the availability evaluation result represents a result of evaluating the evaluation target system, and includes an availability evaluation value calculated by the availability calculation unit. A device for evaluating availability. The availability evaluation device further includes an average operation time calculation unit and an average repair time calculation unit,
The average operation time calculation unit calculates an average operation time using the processing device based on the failure occurrence time determined by the failure occurrence determination unit and the recovery time determined by the recovery determination unit, and the average The operation time is an average value of the time during which the evaluation target system is operating normally,
The average repair time calculating unit calculates an average repair time using the processing device based on the failure occurrence time determined by the failure occurrence determination unit and the recovery time determined by the recovery determination unit, and the average The repair time is an average value of the time when the failure occurs in the evaluation target system.
The availability calculation unit calculates the availability evaluation value using the processing device based on the average operation time calculated by the average operation time calculation unit and the average repair time calculated by the average repair time calculation unit. The availability evaluation value is a quotient obtained by dividing the average operation time by the total average time, and the total average time is a sum of the average operation time and the average repair time. Item 2. The availability evaluation device according to Item 1. The availability evaluation apparatus further includes a function constraint condition storage unit,
The function constraint condition storage unit stores one or more function constraint conditions using the storage device, and the function constraint condition represents a condition for restricting execution of an action by a component constituting the evaluation target system,
The simulation execution unit simulates a system operation using the processing device based on the operation model stored in the operation model storage unit and the function constraint condition stored in the function constraint condition storage unit. The availability evaluation device according to claim 1 or 2. The availability evaluation apparatus further includes a function constraint violation determination unit,
The function constraint violation determination unit determines a function constraint violation using the processing device based on the system operation simulated by the simulation execution unit, and the function constraint violation represents a violation of the function constraint condition,
4. The availability evaluation apparatus according to claim 3, wherein the availability evaluation result output by the evaluation result output unit includes a function constraint violation determined by the function constraint violation determination unit. The availability evaluation device further includes a performance constraint condition storage unit and a performance constraint violation determination unit,
The performance constraint condition storage unit stores one or more performance constraint conditions using the storage device, and the performance constraint condition relates to performance to be satisfied by a result of executing an action by a component constituting the evaluation target system. Represents the condition,
The performance constraint violation determination unit determines a performance constraint violation using the processing device based on the system operation simulated by the simulation execution unit, and the performance constraint violation represents a violation of the performance constraint condition,
5. The availability evaluation apparatus according to claim 1, wherein the availability evaluation result output by the evaluation result output unit includes a performance constraint violation determined by the performance constraint violation determination unit. The execution condition stored by the behavior model storage unit is a set of an element state and an acquisition event, the element state represents the state of the component, and the acquisition event represents an event that occurs in the evaluation target system. And the execution condition represents that the occurrence of the acquisition event when the state of the component is the element state is a condition for starting the action,
The execution result stored in the behavior model storage unit is a set of a transition state and a result event, the transition state represents the state of the component, and the result event represents an event that occurs in the evaluation target system. 6. The execution result of claim 1, wherein, as a result of executing the action, the state of the component transitions to the transition state, and the result event occurs. The availability evaluation apparatus according to any one of the above. The availability evaluation apparatus further includes a parameter condition storage unit,
The parameter condition storage unit stores one or more parameter conditions using the storage device, and the parameter condition is an event parameter represented by an acquisition event of the execution condition for the execution condition stored in the behavior model storage unit. Represents the condition to be satisfied, and that the parameter of the acquisition event satisfies the parameter condition represents the condition for starting the action,
The simulation execution unit simulates system operation using the processing device based on an operation model stored in the operation model storage unit and a parameter condition stored in the parameter condition storage unit. Item 7. The availability evaluation device according to Item 6. The availability evaluation apparatus further includes an order condition storage unit,
The order condition storage unit stores one or more order conditions using the storage device, and the order condition is an event represented by the execution condition acquisition event for the execution condition stored in the behavior model storage unit. Represents the condition regarding the order to be performed, and represents that the order in which the acquisition event occurs satisfies the order condition is a condition for starting the action,
The simulation execution unit simulates system operation using the processing device based on the behavior model stored in the behavior model storage unit and the order condition stored in the order condition storage unit. The availability evaluation apparatus according to claim 6 or 7. The availability evaluation apparatus further includes a processing time condition storage unit and a processing time violation determination unit,
The processing time condition storage unit stores a processing time condition using the storage device, and the processing time condition includes two events generated in the evaluation target system for the operation model stored in the operation model storage unit. Represents the condition that the interval should meet,
The processing time violation determination unit determines a processing time violation using the processing device based on the system operation simulated by the simulation execution unit, and the processing time violation represents a violation of the processing time condition,
9. The availability evaluation apparatus according to claim 6, wherein the availability evaluation result output by the evaluation result output unit includes a processing time violation determined by the processing time violation determination unit. The availability evaluation apparatus further includes an input event storage unit,
The input event storage unit stores one or more input events using the storage device, and the input event includes a combination of an occurrence event and an occurrence time, and the occurrence event occurs in the evaluation target system. Represents an event, the occurrence time represents a time in simulation of the system operation, the input event represents that the occurrence event occurs at the occurrence time,
The simulation execution unit simulates the system operation using the processing device based on the operation model stored in the operation model storage unit and the input event stored in the input event storage unit. The availability evaluation device according to any one of claims 6 to 9. The availability evaluation apparatus further includes a queue model storage unit,
The queue model storage unit stores a queue model for each component constituting the evaluation target system using the storage device, and the queue model is a rule regarding an order of processing events generated in the evaluation target system. Represents
The simulation execution unit simulates system operation using the processing device based on the behavior model stored in the behavior model storage unit and the queue model stored in the queue model storage unit. The availability evaluation device according to any one of claims 6 to 10.   The computer functions as the availability evaluation device according to any one of claims 1 to 11 when executed by a computer having a storage device for storing data and a processing device for processing data. Computer program. An availability evaluation device having a storage device that stores data and a processing device that processes data simulates the operation of the evaluation target system configured by one or more components, thereby evaluating the evaluation target system. In the evaluation method,
The storage device stores an operation model for each of one or more actions executed by components constituting the evaluation target system, and the operation model is a set of an execution condition, an execution time, and an execution result, and the execution The condition represents a condition for starting execution of the action, the execution time represents the time taken to execute the action, the execution result represents a result of executing the action,
Based on the operation model stored in the storage device, the processing device simulates the system operation, the system operation is the operation of the evaluation target system,
Based on the system operation simulated by the processing device, the processing device determines a failure occurrence time, the failure occurrence time is a time at which a failure occurs in the evaluation target system,
Based on the system operation simulated by the processing device, the processing device determines a recovery time, the recovery time is a time when the evaluation target system recovers from the failure,
Based on the failure occurrence time determined by the processing device and the recovery time determined by the recovery determination unit, the processing device calculates an availability evaluation value, and the availability evaluation value indicates that the evaluation target system operates normally. It is a numerical value that represents the percentage of time
An availability evaluation method, wherein the processing device outputs an availability evaluation result, the availability evaluation result represents a result of evaluating the evaluation target system, and includes an availability evaluation value calculated by the availability calculation unit.

Images