JP2014153736A - Fault symptom detection method, program and device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To determine a fault symptom by a threshold corresponding to an operation state of a monitoring object in fault symptom detection.SOLUTION: A fault symptom detection device 1 classifies monitoring data on a monitoring object 2 during a period when no abnormality is detected about the monitoring object 2 per day of the week, time zone, date or week number to store it in a storage section (23) (14), sets an allowable range on the basis of a distribution per day of the week, time zone, date or week number of the monitoring data stored in the storage section, compares monitoring data acquired from the monitoring object 2 with an allowable range on the basis of a distribution of the monitoring data per day of the week, time zone, date or week number to which a monitoring date of that monitoring data, and detects a fault symptom of the monitoring object 2 when the monitoring data is over the upper or lower limit of the allowable range (13).

Description

  The present invention relates to a failure sign detection technique in computer system monitoring.

  In a computer system that operates for 24 hours, it is necessary to make the system stop due to a failure as short as possible. For this reason, it is required not to detect a failure after the computer system is stopped, but to detect a failure sign, and to avoid the failure before the stop and speed up the initial operation of the recovery operation.

  In the conventional fault monitoring of a computer system, an abnormality is notified after the stop of the computer system is detected or when the operating status exceeds a preset threshold.

  As one of the conventional methods of fault detection, time-series data representing the performance of the monitored system is extracted at a fixed period, stored as past time-series data in association with past metadata, and real-time time-series data is shown. A method of collating with metadata, detecting a future change, and outputting a fault is known.

  Another conventional method is to read the log information output from the target of fault management and the fault log information at the time of past faults, determine the similarity between the log information and fault log information, and There is known a method of outputting failure related information of log information.

  Furthermore, as another conventional method, monitoring information from a plurality of network devices is continuously collected as initial monitoring information, and the statistical behavior of the collected continuous information is monitored. There is known a technique for instructing the collection of a plurality of related monitoring information, which is regarded as detection of an error.

JP 2009-289221 A JP 2006-099249 A JP 2005-285040 A

  It is necessary to detect a sign before a failure actually occurs in a monitored computer system. Setting a threshold value is a problem when a failure sign is determined by a threshold value. If the set threshold is too low, false detection is likely to occur, and if it is too high, a failure occurs immediately after detection.

  Depending on the computer system, batch processing may be executed at night or the system may be temporarily stopped at a specific time, and the operating status of the computer system is not always constant. Therefore, it is necessary to change the threshold according to the changing operating situation.

  Furthermore, since a computer system is expected to operate without a failure, it is necessary to set an appropriate threshold before the failure actually occurs.

  However, according to the conventional method, a failure sign cannot be detected with a threshold corresponding to the operation status of the monitoring target, and an appropriate threshold cannot be obtained unless a failure actually occurs.

  In one aspect, the present invention provides a method, a program, and an apparatus for executing a failure sign detection that can detect a failure sign by setting a threshold value according to the operation status at the time of monitoring from the normal operation information to be monitored. That is. Furthermore, the above and other objects and novel features of the present invention will become apparent from the description of the specification and the accompanying drawings.

  In the failure sign detection method according to one embodiment, the monitoring data of the monitoring target system in a period in which no abnormality is detected in the monitoring target system is classified by day of the week, time zone, date, or week number and stored in the storage unit. Storing the monitoring data stored in the storage unit, setting an allowable range based on the distribution of the day of the week, the time zone, the date, or the number of weeks, and the monitoring data currently acquired from the monitoring target system, Compare with the allowable range based on the distribution of monitoring data of the day of the week, time zone, date, or week to which the current date belongs, and if the acquired monitoring data exceeds the upper limit or lower limit of the allowable range, the monitoring target A computer executes a process for detecting a sign of system failure.

  It is possible to realize processing for detecting a failure sign using an appropriate threshold value corresponding to the operating status of the computer system to be monitored.

It is a figure which shows the hardware structural example in one Example of a failure sign detection apparatus. It is a figure which shows the example of a functional block in one Example of the failure sign detection apparatus to disclose. It is a figure which shows the example of a data structure in one Example of the monitoring result log table. It is a figure which shows the example of a data structure in one Example of the monitoring threshold value table. It is a figure which shows the example of a data structure in one Example of a normal operation information table. It is a figure which shows the example of a data structure in one Example of an operation system table. It is a figure which shows the detection process flow of the failure sign in one Example of a failure sign detection apparatus. It is a figure which shows the example of a relationship between the monitoring result which a failure sign detection apparatus acquires, and tolerance | permissible_range. It is a figure which shows the threshold value setting process flow in one Example of a failure sign detection apparatus.

  Hereinafter, a failure sign detection apparatus that executes the failure sign detection method disclosed as one aspect of the present invention will be described.

  FIG. 1 is a diagram illustrating a hardware configuration example in one embodiment of the failure sign detection apparatus 1.

  The failure sign detection apparatus 1 includes a CPU 101, a short-term storage unit (DRAM) 102, a long-term storage unit (HDD) 103, a network interface 104, an input device (keyboard, mouse, etc.) 105, and an output device (display, printer, etc.) 106. It can be implemented as a computer connected via a network or the like.

  The failure sign detection device 1 stores information necessary for processing for detecting a failure sign of the computer system to be monitored as a file in the long-term storage unit 103, starts an execution program from the input device 105, and the started execution program is The failure sign detection process is executed based on the information (normal operation information) indicating the normal operation status of the computer system to be monitored, which is loaded into the short-term storage unit 102 and received by the network interface 104.

  The failure sign detection device 1 proceeds with the failure sign detection process while reading information from the long-term storage unit 103 to the short-term storage unit 102 as necessary. The failure sign detection device 1 stores normal operation information to be monitored in association with date and time information, and sets thresholds (upper limit value and lower limit value) indicating an allowable range corresponding to monitoring based on the stored normal operation information. When the operation information acquired in real time exceeds the allowable range at the time of monitoring, a failure sign detection is output.

  The failure sign detection device 1 includes, as normal operation information, information on the normal operation status of the computer system to be monitored, for example, the CPU usage rate and the storage area of the computer device that executes each system constituting the computer system to be monitored Use information such as usage rate and number of unprocessed data.

  The failure sign detection process execution program is provided not only on a recording medium such as a CD-ROM, CD-RW, DVD-R, DVD-RAM, DVD-RW, or flexible disk, but also at the end of a communication line. It may be stored in another storage device or a hard disk of a computer.

  FIG. 2 is a diagram illustrating an example of functional blocks in an embodiment of the disclosed failure sign detection apparatus 1.

  In one embodiment, the failure sign detection device 1 uses a computer system installed in a medical institution as a monitoring target 2 and detects a failure sign for each of the systems constituting the computer system for the monitoring target systems 2A to 2C.

  The failure sign detection device 1 includes a monitoring result acquisition unit 11, a monitoring result comparison unit 12, a normal operation information comparison unit 13, a normal operation information calculation unit 14, and a sign detection notification unit 15 in order to perform the above processing, and data storage As locations, a monitoring result log table 21, a monitoring threshold table 22, and a normal operation information table 23 are provided.

  Further, the failure sign detection device 1 may include an operating system comparison unit 16, a threshold setting unit 17, and an operating system table 24 for a data storage location.

  The monitoring result acquisition unit 11 acquires monitoring result data, which is data indicating the normal operation status, from each of the monitoring target systems 2A to 2C of the computer system that is the monitoring target 2, and sets the monitoring target and the monitoring date and time in the monitoring data. The attached monitoring result log data is recorded in the monitoring result log table 21. Note that the monitoring result data is generated by a monitoring program or the like resident in each computer device that executes the monitoring target systems 2 </ b> A to 2 </ b> C and transmitted to the failure sign detection device 1.

  FIG. 3 is a diagram illustrating a data configuration example of the monitoring result log table 21.

  The monitoring result log table 21 includes data items of facilities, monitoring date and time, monitoring target devices, monitoring items, and monitoring results. The “facility” is information for identifying a place where the computer system of the monitoring target 2 is installed. “Monitoring date / time” is information indicating the date and time when the monitoring result data is acquired, and “Monitoring target device” is information for identifying a device such as a computer device that executes each monitoring target system of the computer system of the monitoring target 2.

  The “monitor item” is information indicating an operation status item to be monitored for the monitoring target 2. For example, unprocessed data among CPU usage rate, storage area usage rate (disk usage rate), and data to be processed. (Number of unprocessed data) etc. are preset. The “monitoring result” is a value acquired at the monitoring date and time for the status of the monitoring item.

  In the example of the monitoring result log table 21 shown in FIG. 3, the head data is “electronic medical record server” constituting the computer system of the monitoring target 2 installed in “A hospital”, “February 20, 2012 00:00:00” This indicates that the monitoring result of “CPU usage rate” acquired is “32%”.

  When the monitoring result log data acquired at the current time is recorded in the monitoring result log table 21, the monitoring result comparison unit 12 compares the monitoring result of the monitoring result log data stored in the monitoring threshold table 22 with the monitoring threshold, and performs monitoring. When the result exceeds the corresponding monitoring threshold, “abnormality detection” is output.

  FIG. 4 is a diagram illustrating a data configuration example of the monitoring threshold value table 22.

  The monitoring threshold value table 22 includes data items of facilities, monitoring target devices, monitoring items, threshold values th1 and threshold values th2.

  The “facility”, “monitored device”, and “monitoring item” in the monitoring threshold table 22 are the same information as the data item of the same name in the monitoring result log table 21. The monitoring threshold values “threshold th1” and “threshold th2” are information for determining whether to output abnormality detection. One monitoring threshold may be set, and a plurality of thresholds may be set according to the stage of abnormality as shown in FIG.

  The head data of the monitoring threshold value table 22 shown in FIG. 4 includes the threshold th1 = 85% for the “CPU usage rate” of the monitoring target system “electronic medical record server” of the computer system of the monitoring target 2 installed in “A hospital”. The threshold th2 = 90% is set.

  When the monitoring result log data acquired in real time is recorded in the monitoring result log table 21, the monitoring result comparison unit 12 stores the monitoring result log data, the facility, the monitoring target device, and the monitoring item from the monitoring threshold table 22. The matching threshold th1 and threshold th2 are extracted, and “abnormality detection” is output when it is determined that the monitoring result of the monitoring result log data exceeds either the threshold th1 or the threshold th2.

  When the monitoring result of the monitoring result log data does not exceed the corresponding monitoring threshold (threshold th1 and threshold th2), the normal operation information comparison unit 13 determines the condition (day of the week) based on the monitoring date and time of the monitoring result log data. Compared with the monitoring range of the monitoring result log data and the allowable range calculated from the normal operation information with the same date, number of weeks, or time zone), "failure sign detection" is detected when the monitoring result exceeds the allowable range Is output.

  FIG. 5 is a diagram illustrating a data configuration example of the normal operation information table 23.

  The normal operation information table 23 includes data items of facilities, monitoring target devices, monitoring items, condition classification conditions, monitoring time, and allowable range.

  The “facility”, “monitored device”, and “monitoring item” in the normal operation information table 23 record the same information as the data item with the same name in the monitoring result log table 21.

  The “condition category” is a condition for applying the allowable range, and is a category for the month and day of the monitoring date. As the “condition category”, for example, a category such as a day of the week, the number of weeks, or a date is set. Each day of the week from “Sunday” to “Saturday” in the “Day of Week” condition category, the week number of each week in the “Number of Weeks” condition category, and the Monthly number in the “Day” condition category The number of days, the end of the month, etc. are set as the conditions.

  “Monitoring time” is a section for the time of the monitoring date and time, and is information indicating the central time of the monitoring time zone. For example, when the “monitoring time” is “0:00”, a predetermined time zone before and after the center at time 0:00 is the condition for the monitoring date and time.

  The “allowable range” is a range that can be considered normal and obtained from the distribution of the monitoring results in the normal operation status classified by the condition based on the date and time. In FIG. 5, the values are expressed as “lower limit value” to “upper limit value”. The calculation of the allowable range will be described later.

  The head data of the normal operation information table 23 shown in FIG. 5 includes the “CPU usage rate” of the “electronic medical record server” of the computer system of the monitoring target 2 installed in “A hospital” and the monitoring date is “Sunday” and “ When the monitoring result obtained before and after “0:00” exceeds “30% to 35%”, it is determined that a failure sign is detected.

  The normal operation information comparison unit 13 identifies a category (day of week, week number, monitoring time) for each condition category to which the monitoring date / time of the monitoring result log data belongs. Here, it is assumed that “Sunday”, “first week”, and “0:00” are specified from the monitoring date and time.

  The normal operation information comparison unit 13 adds the identified monitoring date and time and the conditions of the normal operation information table 23 to obtain the maximum upper limit value and the minimum lower limit value of the corresponding one or more allowable ranges, and monitors the result log data. When the result of monitoring exceeds the maximum upper limit value and the minimum lower limit value, “failure sign detection” is output.

  The normal operation information calculation unit 14 sets the monitoring result log data in which the monitoring result does not exceed the allowable range, that is, the monitoring result log data in which no abnormality or failure sign is detected based on the monitoring date and time. Classify according to the applicable conditions and monitoring time (time zone) for each condition category (day of the week, date, number of weeks), calculate the allowable range for each condition based on the distribution of monitoring results for each condition category, and operate normally Record in the information table 23. The normal operation information calculation unit 14 calculates a frequency distribution in a predetermined section (for example, every 5 minutes) for the monitoring result of the classified normal operation information, and obtains a monitoring result of the section (range) in which the distribution is maximum. Then, a certain upper limit value and lower limit value are determined from the obtained monitoring results and set as an allowable range.

  When the monitoring result comparison unit 12 outputs “abnormality detection” or when the normal operation information comparison unit 13 outputs “failure sign detection”, the sign detection notification unit 15 reports an abnormality in the monitoring target system of the monitoring target 2. As the information to be displayed, the output “abnormality detection” or “failure sign detection” is notified to a notification destination such as a preset monitoring system or administrator terminal.

  When the computer system installed in the new facility is the monitoring target 2, the operating system comparison unit 16 acquires information on the system configuration and the use function of the computer system newly set as the monitoring target 2 and adds the information to the operating system table 24. To do. Then, the operating system comparison unit 16 compares the configuration of the operating system included in the added computer system with the configuration and use function of the operating system included in the existing monitoring target 2 computer system, and Identify existing computer systems that match the operating system configuration at a high rate.

  FIG. 6 is a diagram illustrating a data configuration example of the operating system table 24.

  The operating system table 24 includes data items of facilities, operating system configurations, and use functions.

  The “facility” is a place where the monitoring target 2 is installed. The “operating system” is information for identifying an operating system included in the computer system that is the monitoring target 2. The “operating system” may be a software configuration such as an OS and an application program as well as hardware such as devices and apparatuses that configure the computer system.

  “Used function” is information indicating the use state of the function of the operating system provided in the computer system to be monitored 2. The state where all the functions are used (all functions) and a part of the functions are unused. The status (some functions are not used) is recorded.

  In the operating system table 24 shown in FIG. 6, the first to third data are stored in the computer system of the monitoring target 2 installed in “A hospital” and the operating system of the electronic medical record system, the medical accounting system, and the lunch system. It is included and represents that all functions are used in each operating system. The fourth to sixth data of the operation system table 24 includes an electronic medical record system, a medical accounting system, and an inspection system in the computer system of the monitoring target 2 installed in “B hospital”. This means that some functions are unused.

  The threshold setting unit 17 detects the monitoring threshold table 22 and the normal operation information table when an existing computer system that matches the configuration of the operating system of the computer system that is newly set as the monitoring target 2 at a high rate can be identified in the operating system table 24. The monitoring threshold value and normal operation information for the operating system of the computer system of the monitoring target 2 identified from 23 are extracted, and the information is copied to the monitoring threshold value and normal operation information of the computer system newly set as the monitoring target 2.

  It is assumed that a computer system installed in “C hospital” is added to the operating system table 24 as a new monitoring target 2. Further, it is assumed that the matching ratio is set to 100% (complete matching) when determining the matching between the monitoring targets. In this case, in the operating system table 24 shown in FIG. 6, the configuration of the computer system of “C hospital” is the same as the computer system of “A hospital” of the existing monitoring target 2, “operating system” and “usage function”. I'm doing it. The threshold value setting unit 17 extracts the monitoring threshold value and the normal operation information for the computer system “A hospital” from the monitoring threshold table 22 and the normal operation information table 23 and copies them to the monitoring threshold data and the normal operation information for “C hospital”. To do.

  On the other hand, when a computer system installed in “D hospital” is added to the operating system table 24 as a new monitoring target 2, a computer system of “D hospital”, a computer system of “A hospital”, and an “operating system configuration” "Are the same, but some of the" used functions "do not match. Therefore, the threshold setting unit 17 generates the monitoring threshold data and the normal operation information of the computer system “D hospital” by setting a predetermined initial value without using the information of the other existing monitoring target 2.

  FIG. 7 is a diagram showing a failure sign detection processing flow in one embodiment of the failure sign detection apparatus 1.

  The monitoring result acquisition unit 11 of the failure predictor detection apparatus 1 starts from the monitoring target device that executes each monitoring target system of the computer system of the monitoring target 2 at fixed time intervals from the monitoring target device, the monitoring target device, the monitoring date and time, the monitoring item The monitoring result data including the result is acquired and the management result log table 21 is updated (step S1).

  The monitoring result comparison unit 12 acquires monitoring threshold values (threshold value th1, threshold value th2) corresponding to the added monitoring result log data from the monitoring threshold value table 22 (step S2), and the monitoring result of the monitoring result log data sets the monitoring threshold value. It is determined whether it has exceeded (step S3).

  When the monitoring result does not exceed the monitoring threshold value (N in Step S3), the normal operation information comparison unit 13 normalizes the allowable range of normal operation information corresponding to the monitoring result log data that does not exceed the monitoring threshold value. It is acquired from the operation information table 23 (step S4), and it is determined whether the monitoring result exceeds the allowable range (upper limit value or lower limit value) of the acquired normal operation information (step S5).

  When the monitoring result does not exceed the acquired allowable range (upper limit value and lower limit value) (N in step S5), the normal operation information calculation unit 14 adds a condition corresponding to the monitoring date and time to the monitoring result log data. In addition, the normal operation information in which the allowable range (upper limit value and lower limit value) of the same normal operation information is set is calculated (step S6), and the normal operation information table 23 is updated with the calculated normal operation information ( Step S7).

  Whether the monitoring result of the monitoring result data exceeds any of the monitoring threshold values (threshold th1 or threshold th2) in step S3 (Y in step S3), or the monitoring result is in an allowable range in step S5. If any one of (the upper limit value or the lower limit value) is exceeded (Y in Step S5), the sign detection notification unit 15 notifies the predetermined notification destination of the abnormality information including the output abnormality detection or failure sign detection. (Step S8).

  FIG. 8 is a diagram illustrating an example of the relationship between the monitoring result acquired by the failure sign detection apparatus 1 and the allowable range.

  The graph shown in FIG. 8 shows the monitoring result (n) of the “CPU usage rate” of the monitoring result log data acquired by the failure sign detection apparatus 1 on one day (0:00 to 24:00) on which the monitoring target installed in the hospital is located. %) Over time and the allowable range. The horizontal axis of the graph indicates the passage of time, and the vertical axis indicates “CPU usage rate (%)”.

  As shown in the graph of FIG. 8, the operating rate of the system around 12:00 (corresponding to the lunch break time) is lower than the time zone before and after that, and the monitoring result (CPU usage rate) obtained from the monitoring target 2 is also like this Reflect the situation. Therefore, in this monitoring target 2, a failure sign cannot be accurately detected unless the threshold value of the allowable range around 12:00 am is set lower than the time zone before and after that.

  The failure sign detection device 1 determines the corresponding allowable range based on the normal operation information divided by the condition classification based on the date and time and the monitoring time, that is, the measured value indicating the operation status at the normal time. Therefore, in the failure sign detection device 1, as shown in FIG. 8, in accordance with the unit of a certain day, the fluctuation according to the time of the normal operation status of the monitoring target 2 is reflected in the setting of the allowable range. Similarly, the graph shown in FIG. 8 may be used as a graph showing the fluctuations of the specific day of the week or the day for each time zone, and the horizontal axis may be a graph showing the fluctuations of the day in a certain month or week. The failure sign detection device 1 can set an allowable range according to the normal operating status of the monitoring target 2.

  FIG. 9 is a diagram illustrating a threshold value setting process flow in one embodiment of the failure sign detection apparatus 1.

  The operating system comparison unit 16 of the failure sign detection device 1 acquires information (operating system information) indicating the operating system of the monitoring target 2 from the operating system table 24 (step S11), and operates the computer system that is newly set as the monitoring target 2. It is determined whether the system configuration matches with the acquired operating system information (configuration of the operating system) of the existing monitoring target 2 at a high rate (step S12).

  When it is determined that the configuration of the operating system of the new monitoring target 2 matches the acquired operating system information of the existing monitoring target 2 at a high rate (Y in step S12), the threshold setting unit 17 The monitoring threshold value and the normal operation information of the monitoring target device corresponding to each operation system of the monitoring target 2 are acquired from the monitoring threshold value table 22 and the normal operation information table 23, respectively (step S13), and the acquired monitoring threshold value and normal operation information are stored. At the same time, monitoring threshold value data and normal operating information for the operating system of the new monitoring target 2 are generated, and the monitoring threshold value table 22 and the normal operating information table 23 are updated (step S14).

  If it is not determined that the configuration of the operating system of the new monitoring target 2 matches the acquired operating system information of the existing monitoring target 2 at a high rate (N in step S12), the process ends.

  As described above, the disclosed failure sign detection device 1 can set an allowable range according to the operating status that changes depending on the date and time for each operating system that is configured as a monitoring target.

  Further, the failure sign detection device 1 can set an allowable range corresponding to the operation status based on only the operation status at the normal time for the monitoring target 2 that is operated without an abnormal state. .

  Therefore, according to the failure sign detection device 1, it is possible to determine whether the monitoring result is within an allowable range based on the threshold value corresponding to the operation status of the monitoring target, thereby realizing more accurate failure sign detection. can do.

  The failure sign detection device 1 described above may be realized by any combination of constituent elements. A plurality of components may be realized as one member, and one component may be configured from a plurality of members. Further, the failure sign detection device 1 is not limited to the above-described embodiment, and various improvements and changes may naturally be made without departing from the gist of the present invention.

DESCRIPTION OF SYMBOLS 1 Failure sign detection apparatus 11 Monitoring result acquisition part 12 Monitoring result comparison part 13 Normal operation | movement information comparison part 14 Normal operation | movement information calculation part 15 Predictive detection notification part 16 Operating system comparison part 17 Threshold setting part 21 Monitoring result log table 22 Monitoring threshold value table 23 Normal operation information table 24 Operating system table 2 Monitoring target 2A to 2C Monitoring target system

Claims (4)

The monitoring data of the monitored system in a period in which no abnormality is detected for the monitored system is classified and stored in the storage unit by day of the week, time zone, date, or number of weeks,
Set the allowable range based on the distribution of the day of the week, time zone, date, or number of weeks of the monitoring data stored in the storage unit,
The monitoring data currently acquired from the monitoring target system is compared with the allowable range based on the distribution of the monitoring data of the day of the week, the time zone, the date, or the week to which the current date belongs, and the acquired monitoring data Detecting a predictive failure of the monitored system when an upper limit or a lower limit of an allowable range is exceeded;
A failure sign detection method characterized in that a computer executes processing. Storing the configuration of the monitored system in the storage unit;
When the configuration of the system to be newly monitored coincides with the configuration of the monitored system at a high rate, the day of the week, the time zone, the date, or the week of the monitoring data of the monitored system stored in the storage unit Use the tolerance based on the distribution for each number as the tolerance of the newly monitored system,
The failure sign detection method according to claim 1. The monitoring data of the monitored system in a period in which no abnormality is detected for the monitored system is classified and stored in the storage unit by day of the week, time zone, date, or number of weeks,
Set the allowable range based on the distribution of the day of the week, time zone, date, or number of weeks of the monitoring data stored in the storage unit,
The monitoring data currently acquired from the monitoring target system is compared with the allowable range based on the distribution of the monitoring data of the day of the week, the time zone, the date, or the week to which the current date belongs, and the monitoring data is the allowable range Detecting a predictive failure of the monitored system when an upper limit or a lower limit is exceeded,
A failure sign detection program for causing a computer to execute processing. A storage unit that classifies and stores monitoring data of the monitoring target system in a period in which no abnormality is detected for the monitoring target system, by day of week, time zone, date, or week number;
A normal operation information calculation unit that sets an allowable range based on the distribution of the day of the week, the time zone, the date, or the number of weeks of the monitoring data stored in the storage unit;
The monitoring data currently acquired from the monitoring target system is compared with the allowable range based on the distribution of the monitoring data of the day of the week, the time zone, the date, or the week to which the current date / time belongs. A normal operation information comparison unit that detects a failure sign of the monitored system when the upper limit or lower limit of the allowable range is exceeded;
A failure sign detection device comprising:

Images