JP2017174471A - System analyzer, design defect analyzer, fault mode analyzer, fault tree analyzer, autonomous operation device, and autonomous operation control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a system analyzer with which it is possible to perform appropriate analysis on a system in which input/output relations are dynamically determined.SOLUTION: The present invention is designed for a system in which the internal state changes by input and output for input changes in accordance with a change in the internal state, comprising: state transition model construction means for constructing, on the basis of state transition rules of the system, a state transition model that includes a plurality of state values that the system can assume and a transition path between the state values; initial state value setting means for setting an initial state value that satisfies a prescribed start time condition from among the plurality of state values; final state value setting means for setting a final state value that satisfies a prescribed end time condition from among the plurality of state values; and state transition path presence determination means for determining whether or not there exists in the state transition model a state transition path for reaching the initial state value from the final state value.SELECTED DRAWING: Figure 30

Description

  The present invention relates to a system analysis device, a design failure analysis device, a failure mode analysis device, a failure tree analysis device, an autonomous operation device, and an autonomous operation control system.

  In recent years, it has become known that a dynamic input / output relationship analysis method called a model checking method is effective. This incorporates a configuration in which the input / output relationship is dynamically determined by the uncertainty of the response time of each subsystem and the internal state, and covers the dynamic behavior that can be taken by the integrated system as a whole. This is a method for searching for the existence of a state corresponding to a defect that violates the safety requirement.

  The model checking method uses a state transition model constructed by combining state values that uniquely determine the state of the target integrated system and state transition rules corresponding to the input / output relations of each subsystem. This is a dynamic input / output relationship analysis method in the sense that a state transition sequence corresponding to a defect is found from the inside.

  In FIG. 1, a start condition that gives a set of state values that can be taken at the start of processing, and a state that can be taken at the end of processing, to find a fault that violates the functional requirements and safety requirements of the target state transition model In this example, the condition at the end of giving a set of values is reduced to the problem of determining whether or not there is a transition path connecting two sets of states.

  FIG. 2 shows a method for constructing a state transition model. The system state transition model is composed of state values that are defined together with inputs to the system, internal states, and outputs from the system, and state transition rules for internal states. The state transition rule includes a function that determines an output value from an input and an internal state, and a function that updates the internal state (that is, calculates the next internal state).

  FIG. 3 is a state transition graph in which each state value that can be taken by the state transition model and its transition possibility are expressed by a directed graph. The dynamic input / output relationship analysis method using this state transition model is a state transition from a set of initial state values satisfying an appropriate start time condition to a set of final state values satisfying an end time condition corresponding to a defect. It can be rewritten as the problem of determining the presence or absence of a column. This example has a feature that when a certain internal state is taken, the transition destination state differs depending on the input value, so that a state transition graph having a plurality of transition destination states is obtained.

  Specific application examples include dynamic input / output relationship analysis techniques such as design failure analysis, failure mode effect analysis, and failure tree analysis. In this case, the normal condition that should be satisfied corresponding to the functional requirement is set as the starting condition, and the hazard condition corresponding to the violation of the functional requirement and the safety requirement defined in accordance with the operation mode of the system is terminated. Set as a condition.

  It is a design defect to discover that there is a state transition path that starts from a set of start states that satisfy the start time condition and reaches the set of end state values that satisfy the end time condition even if any failure mode does not occur It is analysis of.

  Also, for a single failure mode that can occur at any timing starting from a set of start states that satisfy the start time condition, the presence / absence of a state transition path that reaches the set of end state values that satisfy the end time condition is determined. This is failure mode effect analysis.

  In addition, for a combination of transitions to one or more failure modes that can occur at any timing starting from the starting state value that satisfies the starting condition, a set of final state values that satisfy the specified ending condition is reached. The failure tree analysis determines whether or not there is a combination of failure modes in which there exists a state transition path.

  FIG. 4 shows a specific procedure for searching for a state transition sequence. In this method, one of the initial state values satisfying the start condition is appropriately selected, and a plurality of reachable transition destination state values corresponding to the degree of freedom of the input value are exhaustively searched. . Subsequently, each state transition path is expanded in the form of a tree shown in FIG. 5, and it is determined whether or not there is a state transition path that can reach a set of final state values that violate the end-time condition.

  In the above procedure, it is possible to incorporate the internal state that is a dynamic factor that changes the input / output relationship of each subsystem, and replace the process that has been performed using failure mode effect analysis and failure tree analysis. It is a technique. In the present specification, this is called a forward state transition route search method. Although it is a static input / output analysis method, a similar method is described in Patent Document 1.

Japanese Patent Laid-Open No. 06-095881

  However, for example, as shown in FIG. 6, when the number of state values that the system can take is sufficiently large and the number of state values that satisfy the termination condition is sufficiently small for all possible state values, The size of the state transition path tree as shown in FIG.

  In addition, the model checking method requires a lot of computer resources, particularly a high-speed calculation capability for evaluating comprehensively reachable state values, and a large-capacity memory for storing all the state values. For this reason, using the model checking method limits the scale of a system that can be applied and analyzed in a finite time.

  The increase in the amount of calculation is that the number of initial state values that need to be set in order to cover the state transition paths is enormous, and it is necessary to construct the state transition paths by setting the initial state values individually. And a search method in which the number of state transition paths expanded from an appropriately selected initial state value also increases exponentially in accordance with the number of state transition steps corresponding to the search depth. This is due to the problem.

  In order to ensure that the safety requirements are satisfied at the final stage of system design, it is necessary to verify that there is no desired state transition path. It is necessary to verify that all state transition paths are covered using the forward state transition path search method, and none of them reach the set of final states that satisfy the end time condition. Therefore, an enormous amount of large-capacity memory that covers all the state transition paths and stores them is eventually required.

  There is also a simulation as an attempt to perform a similar analysis by introducing dynamic factors. In this simulation, parameters for uncertain factors are set one by one so as to eliminate the uncertainty introduced by the model checking method, and one state transition path is individually evaluated. However, since the amount of computation required to cover all the parameters roughly matches the amount of computation required for the forward state transition path search method, the simulation is similar to the model checking method. It is difficult to apply to a practical scale system under constraints.

  In addition, when the static input / output relationship analysis method is applied to a system in which the input / output relationship is dynamically determined, a fault that should not actually occur due to a dynamic factor is erroneously detected. There is a possibility that a detection failure may occur, for example, a failure that could actually occur due to a dynamic factor cannot be detected and is not detected and a potential failure remains.

  Therefore, an object of the present invention is to provide a system analysis apparatus capable of performing appropriate analysis on a system in which an input / output relationship is dynamically determined.

  The present invention is directed to a system in which an internal state changes according to an input, and an output corresponding to the input changes in accordance with the change in the internal state, and a plurality of systems that can be adopted based on a state transition rule of the system State transition model construction means for constructing a state transition model including a state value and a transition path between each state value, and an initial state value for setting an initial state value satisfying a predetermined start time condition from the plurality of state values A setting means; a final state value setting means for setting a final state value satisfying a predetermined end time condition from the plurality of state values; and in the state transition model, from the final state value to the initial state value. State transition path presence / absence determining means for determining whether or not a state transition path to reach exists.

  The present invention can perform an appropriate analysis for a system in which the input / output relationship is dynamically determined.

The figure which shows the search of the state transition path | route under constraint conditions. The figure which shows the system which has a dynamic input-output relationship. The figure which shows the state transition model expressed as a directed graph. The figure which shows the state transition route search method of a forward direction. The figure which shows the search tree obtained as a result of the state transition route search method of a forward direction. The figure which shows a large-scale state transition model. The figure which shows the search tree obtained as a result of the state transition route search method of a reverse direction. The figure which shows the state transition route search method of a reverse direction. The figure which shows the state transition route search method of the reverse direction converted into SAT. The figure which shows the state transition rule expressed on the state transition model. The figure which shows conversion from a state transition rule to a logical expression. The figure which shows the integrated system comprised by interconnecting a some subsystem. The figure which shows the input-output signal list | wrist of an integrated system. The figure which shows the input-output signal list of a subsystem, and the connection signal name which is called a subsystem. The figure which shows the state transition rule for every subsystem. The figure which shows the structure of the state value of the whole integrated system. The figure which shows the state transition route search method of the reverse direction applicable to the some subsystem which operate | moves asynchronously. The figure which shows an example of an integrated system. The figure which shows the starting / end sequence of the integrated system which the operator intended. The figure which shows the malfunction of starting and completion | finish of an integrated system contrary to an operator's intention. The figure which shows the state transition model of the autonomous system which mounts an automatic recovery function. The figure which shows the determination processing flow of the automatic recovery possibility after a failure of a subsystem. The figure which shows the determination processing flow of starting possibility. The figure which shows the determination processing flow of a possibility of a stop. The figure which shows the judgment processing flow of the possibility of hazard generation at the time of normal operation. The figure which shows the determination processing flow of operation | movement continuation possibility. The figure which shows an autonomous operation control system. The figure which shows cooperation of an operator and an autonomous system. The figure which shows operation | movement of the autonomous system at the time of a system failure. The figure which shows a system analysis apparatus.

  Embodiments of the system analysis apparatus using the present invention will be described below.

  Prior to the description of this embodiment, the concept will be described.

  First, if a state transition model is used, functional requirements and safety requirements can be described uniformly. In other words, the functional requirements can be mainly regarded as a constraint condition for the input / output relationship of the entire system in a normal operation state without hardware failure. In addition, by abstracting the state transition model in this way, it is not necessary to distinguish whether the means for realizing the functional requirement is hardware or software. In particular, since software can only implement one process at each time, the software process itself is a state transition model as it is.

  On the other hand, the safety requirement can be regarded as a constraint on the input / output relationship and the state value of the entire system when a hardware failure occurs. For example, when a signal for switching the failure mode defined for each hardware is taken in as a kind of external input signal, the input / output relationship at the time of failure can be added to the input / output relationship at the time of normal operation. With this in mind, the safety requirement can be uniformly described as a constraint on the input / output response of the system to which an external input for selectively generating a failure mode is added. In this way, it is understood that the failure mode analysis device and the failure tree analysis device are one implementation form of the system analysis device.

  If unified in this way, defects that violate the functional requirements and safety requirements expressed in the form of I / O responses are cases where these constraints are not satisfied in the process from the start of processing to the end of processing. Become. Therefore, finding such a defect can be redefined as a search problem for a state transition path under a predetermined constraint condition.

  The state transition model that represents the system has individual end-time conditions that are set based on the system operation mode against the number of state values that satisfy the start-time condition that is satisfied when the continuous operation is possible. There is a feature that the number of state values satisfying the condition is sufficiently reduced.

  In fact, out of all possible state values of the system, the number of transition destination state values that can be transitioned from the set of start state values that satisfy the start condition can vary within the range of the input value freedom and the start condition. The number of degrees of freedom in the internal state increases. Therefore, the number of state values that satisfy the start condition increases.

  On the other hand, the number of transition destination state values that can be transitioned from the state value that satisfies the termination condition cannot be continued with the internal state update regardless of the input value, so the transition destination state value remains the same state value. Stay within a small set of state values that either exist or satisfy the exit condition. Accordingly, the number of state values that satisfy the termination condition remains small.

  In this case, the size of the state transition path tree is sufficiently reduced by using the reverse state transition path search technique instead of the forward state transition path search technique used in the model checking method. By using this property, it is possible to reduce the amount of calculation resources required for reverse searching for a desired state transition path.

  In fact, as shown in FIG. 7, the number of state transition paths traced in the reverse order depends on the number of state values satisfying the end-time condition and the number of transition steps until the state value satisfying the start-time condition is reached in the reverse order. Determined. In the state transition graph, the number of transition steps decreases if the number of steps that go from the inside of the set of final state values that satisfy the end time condition to the outside and reach the inside of the set of start state values that satisfy the start time condition is small . Therefore, if the number of start state values that satisfy the start time condition occupies much of the space of all possible state values, and the number of end state values that satisfy the end time condition is sufficiently small, the number of transition steps As a result, the desired state transition path can be reversely searched with a small amount of calculation resources.

  A system analysis apparatus created according to such a concept will be specifically described below. In this embodiment, a system constituted by only one system including input / output and internal state is set as an analysis target. In this system, an internal state changes according to an input, and an output corresponding to the input changes according to the change of the internal state.

  The system analysis apparatus according to the present embodiment constructs a state transition model that constructs a state transition model including a plurality of state values that can be taken by the system and transition paths between the state values based on the state transition rules of the system. Means (corresponding to the analysis unit in FIG. 30), initial state value setting means for setting an initial state value satisfying a predetermined start time condition from a plurality of state values, and a predetermined end time from among the plurality of state values A final state value setting means for setting a final state value that satisfies a condition, and a state transition path presence / absence determination that determines whether or not a state transition path that reaches the initial state value from the final state value exists in the state transition model Means. These system state transition rules, start-time conditions, end-time conditions, and arbitrary constraints are input from the setting unit shown in FIG.

  By the way, FIG. 3 used in the forward state transition path search method is a method for tracing the state transition path in reverse order from the state value set satisfying the end time condition and searching for the start state value set satisfying the start time condition. There is also a method of reducing to a graph search method using a state transition model such as However, this method may still require a lot of computing resources. This is because a given state transition rule uniquely defines a transition destination state in the forward direction, but does not uniquely give a transition source state in the reverse direction. Therefore, if the problem of generating a state transition graph and reversely searching the transition source state is reduced to a graph search problem, if the number of all state values that the system can take is sufficiently large, this state transition model is This is because the amount of computer memory required for storing in the form of a graph becomes enormous in proportion to the number of state values and the number of edges indicating whether or not transition between two states is possible.

  Instead, state transition rules, end conditions, and start conditions are set as constraints in the form of logical formulas that the expected state transition sequence should satisfy, and a solution that satisfies these constraints is efficiently searched. If a SAT solver that can be used is used, if the presence or absence of this state transition sequence is determined, a small amount of calculation resources is required.

  Therefore, the system analysis apparatus of the embodiment is configured to perform a reverse state transition path search with the aid of the SAT solver, and includes means for converting the system state transition rules into a logical expression. A satisfiability solution of the satisfiability determination problem constructed with the time condition and the end condition as constraints is calculated using a SAT solver, and the satisfiability solution is output as a state transition path. The logical expression conversion means and the SAT solver described above are provided in the analysis unit. Using a given state transition model, start condition, and end condition, search for a state transition path in the reverse direction from any state value that satisfies the end condition, and reach the state value that satisfies the start condition An example of a method for determining the presence or absence of a route is shown in FIG.

  This method is based on a graph search problem that explicitly holds the individual state values constituting the state transition path. In other words, the end state value that satisfies the end condition is set as the start point of the state transition path, the transition source state that can reach the end state in one step is recursively reverse-searched, and the transition source that satisfies the start condition is satisfied. The state transition sequence is exhaustively expanded until a state is discovered.

  As described above, since the graph search method requires a large amount of calculation resources, FIG. 9 shows an alternative method for reducing the amount of calculation resources by converting the same processing into a satisfiability determination problem.

  In step 901, the state value is defined by combining the input / output signal value and the internal state. In step 902, a reverse search range is set. As an example, there is a method of designating an upper limit of the number of state transition steps for backward searching from the final state. There is also a method of adding a constraint condition to the state transition sequence so as not to search for a specific set of state values.

  In step 903, a desired state transition sequence is declared as an indefinite value within the search range specified in step 902. In step 910 described later, this state transition sequence is calculated by a SAT solver.

  In steps 904 to 905, two consecutive state values x [t] and x [t + 1] constituting the state transition sequence declared as the indefinite value are obtained from the state transition rule corresponding to the input / output relationship of the system. Are set from t = 1 to t = T, respectively.

  FIG. 11 shows the constraint conditions corresponding to the state transition rules in the state transition graph given the state values and transition conditions as shown in FIG. FIG. 11 illustrates the relationship of giving the transition destination state value x [t + 1] from the combination of the current state value x [t] and the transition condition in the form of a logical expression. In general, many SAT solvers used in step 910 often accept input in the form of a logical expression illustrated in FIG.

  In step 906 to step 907, a constraint condition corresponding to a functional requirement and operational limit of the system is set for each state value x [t = 1... T] of the state transition sequence. As a setting method of the constraint condition, generally, an allowable range is additionally set for an input value that is one component of the state value, or the range of the reverse search is limited as exemplified in step 902. For example, setting a constraint for each state value in the state transition sequence.

  In step 908, the start condition of the state transition sequence is set as a constraint condition that the start condition is satisfied. In step 909, the condition for termination is set as a constraint condition for the final state of the state transition sequence.

  In step 910, using the SAT solver, the presence or absence of a state transition sequence that satisfies all the constraints set up to this step and is declared indefinite in step 903 is searched.

  If the SAT solver determines that there is no such state transition sequence, that is, if the constraint condition cannot be satisfied, the process proceeds to step 911. In this case, since there is no state transition sequence leading to a set of state values satisfying a predetermined end condition, the end condition is determined from any initial condition that satisfies the start condition within the search range specified in step 902. It can be verified that the state value to be satisfied is not reached (that is, the event that satisfies the condition at the end does not occur).

  Conversely, if the SAT solver finds a state transition sequence that satisfies all of the above-described constraints, the process proceeds to step 912. In this case, it can be verified that starting from an arbitrary state value satisfying the start time condition and reaching the state value satisfying the end time condition, that is, a failure event that satisfies the end time condition occurs. Since the SAT solver returns a specific value of the indeterminate value declared in 903, the failure event is reported in the form of a time chart or the like displaying the state value for each transition step.

  As described above, according to the present embodiment, it is possible to perform an appropriate analysis on a system in which the input / output relationship is dynamically determined.

  In particular, it is a dynamic input / output relationship analysis method that introduces an internal state for switching the operation mode that defines the individual input / output relationship, and is more than the amount of computational resources required for the forward state transition path search method. With a small amount of computing resources, determine whether there is a state transition path that can reach the end state set that satisfies the specified end time condition from the start state set that satisfies the specified start time condition. A transition path can be output.

  In the present embodiment, an example in which a reverse state transition path search method is applied to an integrated system configured by interconnecting a plurality of subsystems including input / output and internal states is shown.

  Here, the subsystem means a system in which an internal state changes according to an input, and an output corresponding to the input changes according to the change in the internal state. An integrated system means a system in which subsystems that are not necessarily operated in synchronization with each other are interconnected.

  In the case of such an integrated system, the above-described problem becomes more remarkable. That is, in the case of a dynamic integrated system, the number of transition destination state values that can be transitioned from each state value in one state transition step further increases, and the state transition path tree becomes even larger. In addition, the static input / output relationship analysis method is used when the response time and input / output relationship of each subsystem is static, that is, when the input to a subsystem satisfying the predetermined functional requirements is unique. This is effective when it can be assumed that an output satisfying the above is determined, but this assumption is not satisfied in a dynamic integrated system. Therefore, it is not practical to apply the static input / output relationship analysis method to the dynamic integrated system, and the problem of detection failure becomes more remarkable.

  From the above, even for an integrated system consisting of multiple subsystems that operate in parallel, the amount of computational resources required by existing model checking techniques can be reduced, and detection failures can be suppressed. A technique that can be used is effective.

  Prior to the description of this embodiment, the concept will be described.

  FIG. 12 shows an integrated system in which n subsystems are interconnected. FIG. 13 shows the connection relationship between the input / output signal list of the integrated system as a whole and the internal signal list in the integrated system.

  FIG. 14 shows a list of input / output signals of individual subsystems and connection relationships with internal signal values in the integrated system. An input to the entire integrated system is always an input to one of the subsystems, and an output from the integrated system is always an output from one of the subsystems.

  FIG. 15 shows the input / output relationship of each subsystem. For each subsystem, a state transition rule (transfer function) that uniquely gives an output signal value and a transition destination internal state value to a combination of an input value and an internal state is designed. As shown in step 901, the internal state values of the integrated system of FIG. 12 can be defined as shown in FIG.

  Next, it will be explained that the state transition model of the integrated system may be expressed as having a degree of freedom in which these multiple subsystems operate asynchronously and in parallel.

  Since state values defined for an actual integrated system originally change in real time, they are not unconditionally associated with a state transition model in discrete time. However, if the state value associated with each subsystem is expressed as a digital value, only the update order of the state value associated with each subsystem is extracted, so that the integration that actually changes in real time The state value transition path of the system is associated one-to-one with the state transition path in the discrete time state transition model in which the state value changes in discrete time.

  The state value may be a continuous value that is an analog value. Actually, by dividing a continuous state space into sections and assigning discrete values to the individual sections, the continuous values can be associated with the discrete values on a one-to-one basis.

  When the system is configured as a single subsystem, or when all subsystems update state values synchronously with the same I / O response time, as shown in the first embodiment, It is only necessary to consider the uncertainty of the input value that is a part. In addition, subsystem groups in which the state transition rules corresponding to the input / output relationship are implemented in hardware have a sufficiently short input / output response time because the output value is uniquely determined in a sufficiently short time for the input value update. Since these subsystem groups always update the state value at each discrete time, they are associated with each other so that the state value is updated synchronously at each discrete time.

  On the other hand, when state transition rules corresponding to input / output relations are implemented in software, the input / output response time of each subsystem that performs input / output responses in real time is limited although the input / output response time of each software is limited. It is uncertain in the sense that it is not as short as time, nor is it a fixed input / output response time. The state values associated with such subsystems are asynchronous in the sense that they are not updated at every discrete time step, and this uncertainty regarding the update time of the state values, that is, the update order. It is necessary to incorporate a degree of freedom.

  If the upper and lower limits of the I / O response time of the subsystem in which the state transition rule is implemented in software is known or specified, the update point of the state value associated with each subsystem Add a constraint on the degree of freedom. Under the constraint of the input / output response time, the update order may be limited only to the scheduling order.

  An extension of the state transition sequence calculation flow shown in FIG. 9 corresponds to FIG.

  Steps 1701 to 1703 correspond to steps 901 to 903.

  In step 1704, a synchronous execution set is constructed so as to cover the degrees of freedom regarding the update order of the state values of each subsystem so as to be associated with the state transition model in discrete time. Here, the synchronous execution set is a set of subsystems whose state values are updated synchronously at each discrete time among n subsystems constituting the integrated system. Then, the synchronous execution set is comprehensively selected and added to the synchronous execution list.

  The list of subsystems to be included in the synchronous execution set at each discrete time is based on the response time of the subsystem that performs real-time input / output responses, and the relative length of each subsystem and the Decide in consideration of determinism.

  In step 1705, for each discrete time t, one synchronous execution set registered in the synchronous execution list is selected, and in step 1706, the state value associated with the subsystem registered in the synchronous execution set is updated. However, the state value associated with the unregistered subsystem is not updated, and the same state value is taken over. In this way, the logical expression W of the constraint condition between the transition source state value and the transition destination state value is set from the state transition rule and the synchronous execution set at the discrete time t.

  Steps 1706 and 1707 are performed on all the synchronous execution lists of the synchronous execution list corresponding to the discrete time t, and the logical expression W of these constraint conditions is generated. This is set for all discrete times t.

  In step 1708, the logical sum obtained for each entry in the synchronous execution list is set as a constraint condition. In step 1709, one synchronization execution set is selected from the synchronization execution list.

  Step 1710 corresponds to step 906, and step 1711 corresponds to step 907. Step 1711 corresponds to Step 908 and Step 1712 corresponds to Step 909. Step 1714 corresponds to Step 910, sets the logical product of the logical expressions set in Steps 1707, 1709, 1710 to 1713, and satisfies all constraint conditions using the SAT solver. The presence / absence of the state transition sequence is searched. Step 1715 corresponds to step 911, and step 1716 corresponds to step 912.

  In this embodiment, an integrated system 1801 as shown in FIG. 18 is targeted, and a method for analyzing a design defect by applying a reverse state transition path search method is shown.

  Prior to the description of this embodiment, the background will be described.

  Conventionally, there is an integrated system configured by interconnecting a group of subsystems having advanced information processing functions and various functions. When designing such an integrated system, it cannot be easily discovered at the stage where the functional requirements of individual subsystems are individually defined, but the system integration stage is reached, and subsystems are interconnected and operated. There is a defect that will be exposed for the first time. This failure is broadly classified into cases where the functional requirements imposed on the system are not met and safety requirements are impaired.

  The complexity of system design that leads to such defects is not only due to the scale of the system, but also to the design philosophy that generalizes hardware and consolidates the mechanism for realizing predetermined functional requirements and safety requirements into software. It comes from the end.

  Nonetheless, instead of designing dedicated hardware for a wide variety of functions, the cost of building an architecture that implements various functional requirements in software on a platform built by reusing general-purpose hardware The reduction effect is significant, and this trend will continue.

  In order to design a large-scale system in a short period of time with a view to reusing design information, it is effective to perform design work in parallel by division of labor for each subsystem. For this purpose, a design method has been adopted in which divided functional requirements are assigned to each subsystem and interconnected via an appropriate interface. However, it is not clarified when the functional requirements of the integrated system as a whole are broken down into functional requirements of each subsystem, or through an interface between multiple functional requirements or an interface that connects the connecting subsystem and the connecting subsystem. Inconsistencies in the integration of processing contents realized in this way may lead to the above-mentioned problems.

  In existing system designs that have relied on dedicated hardware as the means to achieve the main functional requirements, the number of functional requirements assigned to each hardware subsystem is singular or small, and the input / output relationships and responses of each subsystem. Both time and I / O specifications for interfaces between subsystems have been clearly defined. For this reason, since there is only a definite response time and a predictable input / output response operation, it is difficult to reveal defects due to conflicts between functional requirements and interface mismatch.

  However, in the process of accumulating many major functional requirements in software, many functional requirements are divided and assigned to multiple subsystems, so multiple functional requirements are implemented in software in one subsystem. It will be. In this case, a design that takes into consideration the nature of processing that can be realized by software is required.

  The first property is that only one input / output processing operation can be performed at a time. For this reason, when multiple functional requirements assigned to individual subsystems cannot be executed at the same time, a failure becomes apparent in the form of conflicts between functional requirements, and unspecified I / O is in the form of inconsistent I / O interfaces. A defect becomes apparent.

  The second property is that the response time is non-deterministic. In particular, the functional requirements of the integrated system are realized by operating a plurality of subsystem groups implemented in software in parallel, but since the response time of each subsystem is non-deterministic, at the time of system integration, The operation of the entire integrated system, which should be realized as the overall behavior of each subsystem, may become indeterminate. This can also cause trouble.

  The third property is that the output of the software implementation unit becomes unpredictable due to a malfunction of the software itself or an input that is not specified. This can make it difficult to find these deficiencies, especially when testing systematic integrated systems to verify violations of functional or safety requirements.

  In fact, even when these defects are discovered, it is often difficult to reproduce the defects because of the predictability of the response time of each subsystem.

  It is one of the problems in designing a highly reliable system to confirm that there is no such problem in an integrated system that requires high safety. In such a system, internal redundancy is provided to cope with hardware failure, and it is set as a safety requirement to remain in a safe state in the event of a failure or to be able to continue operation. Implement. When implementing software processing so that redundant hardware functions effectively in response to hardware failure, there is no side effect associated with software implementation as described above, which violates safety requirements related to fault-tolerant functions. It is preferable to discover and deal with.

  The design failure analysis apparatus of the present embodiment is effective for the above-described situation, and will be specifically described below.

  The design failure analysis apparatus according to the present embodiment targets an integrated system in which a plurality of systems are interconnected, sets functional requirements that should be satisfied when the integrated system is normal, as a start condition, and sets an abnormal condition of the integrated system as an end condition. The state transition path presence / absence determining means determines whether there is a state transition path that reaches the initial state value from the final state value in the state transition model. When it is determined that there is a state transition path that reaches the initial state value from the value, it is determined that there is a design failure of the integrated system.

  First, the integrated system 1801 in FIG. 18 that is an analysis target of the design failure analysis apparatus of this embodiment will be described. The integrated system 1801 is configured by interconnecting a controller 1803, an actuator 1804, a control target 1806, a sensor 1807, and a safety monitor 1805, and the integrated system 1801 is operated by an operation device 1802. Note that the operation device 1802 may have an operation content determined by an input from the operator or an operation content determined by processing in the operation device 1802.

  The operation device 1802 and the integrated system 1801 are connected asynchronously via the illustrated interface. Since the operation device 1802 performs input according to an operation procedure prescribed by the operator or the operation order changes depending on the processing in the operation device 1802, the state transition that changes the internal state assigned for each operation order It can be expressed as a model.

  An interface between the operation device 1802 and the integrated system will be described. The boot signal is a level signal for controlling start / stop of the integrated system. The grant signal is a pulse signal that instructs the start and end of the operation after startup, and the command signal is a pulse signal that issues a control command after the operation starts. When a command signal is input from the operation device 1802 to the controller, the controller that receives the command signal outputs a control command Control input signal to the actuator. The error signal is a pulse signal related to error information received by the operation device 1802 when an error occurs in the integrated system.

  Individual subsystems constituting the integrated system have an internal state for each operation mode. In addition, since the input / output response times of the actuator, the controlled object, and the sensor are sufficiently short, it is considered that they operate synchronously in real time.

  On the other hand, the input / output response of the controller and safety monitor is implemented by software, so the input / output response time is indeterminate. Therefore, these two subsystems and the three subsystems that operate synchronously are interconnected in a state of operating asynchronously with each other.

  The operation device 1802 has an internal state corresponding to a predetermined operation procedure, and the state value transitions from Off to the state value Boot, and the boot signal is set to 1. Subsequently, transition is made to the state value Grant, and while the boot signal is kept at 1, 1 is set to the grant signal which is a pulse signal. While the state value is transiting to Operate, an appropriate control command is continuously set to the command signal value. When the integrated system 1805 is to be stopped, the state is changed to the state value Shutdown, 1 is again set to the grant signal which is a pulse signal, and finally the state value Off is changed to clear the boot signal value to 0. When error information that is a pulse signal is received via the error signal when the state value is Operate, the state value Error_handling is entered and the grant signal value that is a pulse signal is used to terminate the operation of the integrated system. Set 1 and then transition to state value Shutdown.

  When the controller 1803 receives a boot signal from the operation device 1802 while the internal state is in the stopped state (Off), the controller 1803 updates the internal state value to Idle. At this time, both the output signals Control_input and monitor_enable are set to 0. When the grant signal is received from the operation device 1802 when the internal state is Idle, the internal state value is changed to Operate and the monitor_enable signal is set to 1.

  The safety monitor 1805 receives a monitor_enable signal that is a level signal instructing operation start / end from the controller 1803, and changes the internal state value from Off to On. Only when the internal state value is On, the actuator_enable signal, which is a level signal, is set to 1 in order to permit the operation of the actuator.

  The actuator 1804 changes the internal state value to On only when the actuator_enable which is a level signal from the safety monitor is set to 1, and receives the input signal Control_input from the controller and outputs the Physical_effect signal.

  As long as the internal state value of the controller is in Operate, the command signal value received from the operation device 1802 is set in Control_input. In response to this Control_input signal, the actuator inputs a Physical_effect signal to the controlled object, and the sensor measures the state of the controlled object and outputs a Y_out signal value to the safety monitor. The safety monitor appropriately processes the value received from the sensor and outputs a Y_out_mon signal to the controller.

  If the measurement value received from the sensor by the safety monitor is abnormal, the internal state value is changed to Stop, the actuator_enable signal, which is a level signal, is cleared to 0, and the Y_out_mon signal that informs the controller of the abnormal value is output. To do. At the same time, the internal state value is updated to Off so that the actuator cannot be continuously operated to ensure the safety of the entire integrated system.

  If the Y_out_mon signal value is not abnormal, the controller continues the operation while maintaining the internal state value as Operate, and if it is an abnormal value, the controller updates the internal state value to the Error_handling value. When the grant signal which is a pulse signal is received from the operation device 1802 when the internal state value is Operate, the internal state value is updated to Idle, and the operation ends. Subsequently, when the boot signal value, which is a level signal, is set to 0, the internal state value is updated to Off, the controller stops operating, and the entire integrated system stops.

  With respect to the integrated system 1801 designed in this way, system analysis by the system analysis apparatus of this embodiment will be described. The verifier sets safety requirements that the entire integrated system is safe even if a sensor failure occurs, and wants to verify that this is realized. Specifically, when the safety monitor detects an abnormal value due to a sensor failure, the verifier receives the error signal value from the integrated system and clears the boot signal value to 0 according to a predetermined operation procedure. Suppose you want to verify that the integrated system is safe by stopping it.

  FIG. 19 shows a time chart of an operation order that satisfies this safety requirement, which is assumed at the time of design. According to FIG. 19, the operator's internal state State_Operator value transitions to Off, Boot, Grant, and Operate, and through a sensor failure that occurs during operation of the integrated system, transitions to Error_handling, Shutdown, and Off, and ends. It is designed with that in mind.

  However, FIG. 20 shows that this system analysis apparatus can find out that this integrated system may not operate as expected.

  In this verification example, the verifier assumes that all of the internal states that can be taken during normal operation without a failure are taken as a start condition, the operator's internal state State_Operator is in the Off state, and the integrated system is It is set as an end condition that the operation is continued, that is, that the internal state value State_Control of the controller is Operate.

  When the verifier inputs the setting of such conditions to the system analysis device using the input device, the system analysis device performs analysis according to the procedure shown in FIG.

  The synchronous execution set and the synchronous execution list in step 1704 in FIG. 17 will be described. First, the operation device 1802, the controller 1803, and the safety monitor 1805 are subsystems that can operate asynchronously. A system that responds in real time, such as an actuator or a sensor (in some cases, a controlled object) can also be regarded as one analog subsystem (real-time response subsystem). Therefore, the integrated system 1801 shown in FIG. 18 includes a controller 1803, a safety monitor 1805, and the above-described real-time response subsystem as subsystems.

  The operation device 1802 is not a subsystem included in the integrated system 1801, but can be regarded as a subsystem that operates asynchronously in that the operation of the operator and the integrated system 1801 are asynchronous.

  These four subsystems may or may not synchronize with each other. When they operate in synchronism, they are grouped as one synchronous execution set. As shown in Table 1, there are eight patterns of such synchronous execution sets, which are registered in the synchronous execution list.

  Then, the system analysis device outputs the result to the output device in the form of a time chart shown in FIG. In FIG. 20, a state transition route to a final state that satisfies the end time condition is presented in the form of a time chart.

  Here, the integrated system 1801 has a sufficiently large number of state values that can be taken by the subsystem and the integrated system, and it becomes complicated to express these state values with a directed graph as shown in FIG. Has been. However, the directed graph and the time chart are essentially the same in the sense that the state value and the state transition path are displayed. For example, each of the signal values in a line obtained by dividing the time chart vertically for each discrete time is shown. A set represents one state value. This time chart is one of the state transition paths obtained as a result of the state transition path search in the reverse direction under the specified start time condition and end time condition, and a plurality of SAT solvers can be obtained using the same search condition. When a state transition path is found, a time chart corresponding to each state transition path is output.

  In FIG. 20, the operation device 1802 sets the grant signal, which is a pulse signal, to end the operation of the integrated system, a sensor failure occurs in the integrated system, and error information is then sent to the operation device 1802. It can be found that the time point when the error signal value is set to 1 to transmit the error is different from the assumed update order as shown in FIG.

  The cause of this failure is that the operation device 1802 and the integrated system operate asynchronously with each other, and the operation device 1802 tries to terminate the integrated system before acquiring error information. This is because there is a degree of freedom in the update order of the process for receiving a grant signal from the apparatus 1802 and the process for transmitting error information to the operation apparatus 1802.

  In particular, the internal state that controls the input / output relationship of the controller cannot receive this even though it has received the grant signal value from the operation device 1802 immediately after setting the error signal value to 1. Transition to state value Idle.

  This is because when the software that updates the internal state value of the controller is executing the process of setting the error signal value to 1, it simultaneously acquires that the grant signal value received from the operation device 1802 is 1. Due to the nature of software implementation that it is not possible to transition to an appropriate state value.

  Therefore, the pulse signal grant value received at this time causes the internal state value of the controller to transition from Idle to Operate.

  On the other hand, the operation device 1802 or the operator cannot know this, and changes the controller state value State_Control from Operate to Idle and clears the boot signal value to 0 to stop the operation. However, the controller whose state value State_Control has transitioned to Operate cannot obtain the state signal Off even if it acquires that the boot signal, which is a level signal from the operation device 1802, is 0. The state value Operate has been maintained. From the generated time chart, it becomes clear that the above-mentioned safety requirement has been violated.

  One factor causing this design failure is the design of the interface that connects the operation device 1802 and the integrated system. In particular, in order to control the start and end of the operation of the integrated system, the grant signal value is used as a pulse signal. It has been implemented.

  In this embodiment, using the design failure analysis method described in the third embodiment, after a failure occurs in a subsystem constituting the integrated system, it is determined whether the integrated system can continue to operate except for the failed portion. An autonomous operation device having a function of performing automatic recovery if possible is shown.

  The autonomous operation device of this embodiment includes a system analysis device as described in other embodiments, and an integrated system in which a plurality of systems are interconnected, and a system failure is detected during operation of the integrated system. Failure detection means to detect, restriction condition addition means to add the exclusion of the system in which the failure occurred as a restriction condition, and possibility of continuation of operation to determine the continuity of operation in a state where the failed system is excluded by the system analyzer A function means that the integrated system satisfies when the integrated system is normal is set as a start condition, an abnormal state of the integrated system caused by a system failure is set as an end condition, and the operation continuity determining means is a state transition If the path presence / absence determining means determines that there is a state transition path that reaches the initial state value from the final state value, the operation can be continued. A constant.

  FIG. 21 shows the state transition of the entire integrated system including the process from the stop state to the state transition at the normal operation, and the state satisfying the end conditions END1 and END2 corresponding to the hazard due to the failure of the subsystem. A graph is shown.

  It is assumed that, through the failure analysis shown in the third embodiment, it is verified that there is no state transition path that reaches the state satisfying the end conditions END1 and END2 in the combination of subsystem failures assumed at the time of design.

  At this time, we want to realize a function that removes the cause of the failure and autonomously determines whether or not the operation can be continued from the time when it is detected that the subsystem constituting the integrated system has caused some kind of failure and has performed an unpredictable operation. .

  If at least one of the assumed failure modes occurs, it can be verified at the design stage that the hazard state is not reached. However, it is not certain whether this integrated system can continue to operate depending on the type of failure and the combination of subsystems in which the failure has occurred.

  If an explicit failure recovery procedure is not incorporated in advance, even if there is a system reconfiguration method that can actually continue operation, it must be stopped to meet the safety requirements. As a result, the operating rate of the integrated system may not be sufficiently increased.

  However, after performing appropriate processing for the failed subsystem, for example, stopping the function, it must be possible to reach the normal operating state from the stopped state, to be able to reach the stopped state from the normal operating state, There is no state transition path to reach the state corresponding to the end conditions END1 and END2 corresponding to the hazard condition from the normal operation state after designating the internal state of the subsystem that has caused the failure as a function stop state. If it can be verified, it can continue to operate while satisfying the safety requirements despite the failure of the subsystem. Therefore, if this is determined by the integrated system on its own, the self-recovery / operation can be resumed without the manual operation of the operator or the designer.

  FIG. 22 shows a specific determination procedure.

  In step 2201, first, the failed subsystem k is identified. Subsequently, in step 2202 and step 2203, a constraint condition REMOVE_FAULT that designates a state (for example, a stopped state) that can eliminate the influence of the failed subsystem k is set. Then, in the subsequent processing, it is determined whether the operation can be continued while eliminating the influence of the subsystem k.

  In step 2204, the possibility of activation is determined. That is, it is determined whether or not there exists a state transition sequence X (t) that satisfies a start process start condition from the stop state and continues a state that cannot be changed to the normal operation state. The detailed processing procedure is as described in FIG. If there is a state transition sequence that satisfies the constraints described in step 2204, it means that it may not be possible to start, so it can be determined that the operation cannot be continued, so the process transitions to step 2208 and the process ends. To do. Conversely, if there is no state transition sequence that satisfies the constraint conditions described in step 2204, it can be seen that the startup process can always be started at least from the stopped state.

  In this case, subsequently, in step 2205, the possibility of stoppage is determined. That is, it is determined whether or not there exists a state transition sequence X (t) that satisfies the stop process start condition from the normal operation state and continues the state that cannot be changed to the stop state.

  The detailed processing procedure is as shown in FIG. If there is a state transition sequence that satisfies the constraint condition described in step 2205, it means that it may not be possible to stop safely. Therefore, the process proceeds to step 2208 and the process is terminated.

  Conversely, if there is no state transition sequence that satisfies the constraint condition described in step 2205, it can be seen that the stop process can always be completed at least from the normal operation state. In this case, subsequently, in step 2206, it is determined whether or not there is a state transition sequence that causes a safety requirement violation corresponding to the hazard conditions 1 and 2.

  The detailed processing procedure is as shown in FIG. If there is a state transition sequence that satisfies the constraints described in step 2206, it may be determined that the operation cannot be continued because there may be a transition to a hazard state during normal operation. The process ends.

  Conversely, if there is no state transition sequence that satisfies the constraint conditions described in step 2206, it can be seen that no hazard occurs at least during normal operation.

  In this case, subsequently, in step 2207, it is determined whether the normal operation can be continued.

  The detailed processing procedure is as shown in FIG. If there is a state transition sequence that satisfies the constraints described in step 2207, it can be seen that the normal operation may be interrupted in a manner that deviates from the normal operation state during the operation. The process ends.

  Conversely, if there is no state transition sequence that satisfies the constraint conditions described in step 2207, normal operation can be continued, so a transition is made to step 2209 to start a series of startup processing that is a process of restarting the operation. Automatic recovery ends when the normal operation state is reached.

  FIG. 23 shows a specific procedure for constructing a constraint condition to be evaluated in step 2204.

  In step 2301, a constraint condition for instructing activation of the integrated system is set.

In step 2302, a constraint condition NORM2 that defines the stop state and a constraint condition NORM3 that defines the activation process state are set.
In step 2303, a constraint condition that eliminates the failed subsystem k is added, and the presence or absence of a state transition sequence that satisfies this constraint condition is determined using a SAT solver. If there is no satisfactory solution, the process proceeds to step 2306 to end the process.

  On the other hand, if there is a satisfactory solution, it has been found that the startup process can be started at least from the stopped state, and thus the process proceeds to step 2304.

  In step 2304, whether or not there is one or more state values in addition to the failure condition of the subsystem k being excluded and not satisfying the constraint conditions corresponding to the hazard conditions 1 and 2, and the constraint condition giving the normal operation state. Whether or not is determined using a SAT solver.

  If there is no state value that satisfies the constraint conditions described in step 2304, the process proceeds to step 2306 to end the process.

  On the other hand, if it exists, there is a state where the operation can be continued without satisfying the hazard conditions 1 and 2, and the process proceeds to Step 2305.

  In step 2305, after the failed subsystem k is excluded, it is determined whether or not there is a state transition sequence in which a state incapable of transitioning to the normal operation state continues after startup.

  If such a state transition sequence exists, it is understood that even if the start process is started after exiting the stop state, it is understood that the operation continuation state cannot be maintained continuously, so the process proceeds to step 2306 and the process is terminated. .

  On the contrary, when such a state transition sequence does not exist, it can be seen that the normal operation state can be reached after startup without fail, so that the process proceeds to step 2307 and ends.

  FIG. 24 shows a specific procedure for constructing a constraint condition to be evaluated in step 2205.

  In step 2401, a constraint condition for instructing stop of the integrated system is set.

  In step 2402, it is determined whether or not there is a state value corresponding to a normal operation state that does not satisfy the constraint conditions corresponding to the hazard conditions 1 and 2, while excluding the failed subsystem k.

  If there is no such state value, it can be seen that hazard 1 or 2 is caused during normal operation, so that the process proceeds to step 2405 and ends.

  On the other hand, when such a state value exists, since it is found that there is at least one state value that can continue operation without satisfying the hazard conditions 1 and 2, the process proceeds to step 2403.

  In step 2403, it is determined whether or not there is a state value corresponding to a stopped state that does not satisfy the hazard conditions 1 and 2, while excluding the failed subsystem k.

  If it is found that such a state value does not exist, it cannot be safely stopped, so that the process proceeds to step 2405 and ends.

  On the other hand, when such a state value exists, since it is found that there is at least one stop state that does not satisfy the hazard conditions 1 and 2, the process proceeds to step 2404.

  In step 2404, a state transition sequence that remains in a normal stop state that does not satisfy the hazard conditions 1 and 2 without reaching the safe stop state that does not satisfy the hazard conditions 1 and 2 while eliminating the failed subsystem k. The presence or absence of is determined.

  If such a state transition sequence exists, it is understood that the stop state cannot be reached safely even if the normal operation state is exited, and therefore it is determined that the stop state cannot be safely reached.

  Conversely, when such a state transition sequence does not exist, it can be seen that the stop state can be safely reached if the stop process is started. Therefore, the process proceeds to step 2406 and ends.

  FIG. 25 shows a specific procedure for constructing a constraint condition to be evaluated in step 2206.

  In step 2501, it is determined whether or not there is a state value that is in a normal operation state and does not satisfy the hazard conditions 1 and 2, while excluding the failed subsystem k.

  If no such state value exists, the process proceeds to step 2504 and the process is terminated.

  On the other hand, when such a state value exists, it is found that there is at least one state in which the operation can be continued without satisfying the hazard conditions 1 and 2, and the process proceeds to step 2502.

  In step 2502, it is determined whether there is a state value that satisfies the hazard condition 1 or 2 instead of the normal operation state while excluding the failed subsystem k.

  If such a state value does not exist, there is no state that satisfies the hazard state in the first place, so the process proceeds to step 2505 to end the process.

  On the other hand, if such a state value exists, it can be seen that there is a state transition sequence that reaches the state corresponding to the hazard condition 1 or 2 during normal operation, so the process proceeds to step 2504 and ends. To do.

  FIG. 26 shows a specific procedure for constructing a constraint condition to be evaluated in step 2207.

  In step 2601, it is determined whether or not there is a state value corresponding to a normal operation state that does not satisfy the hazard conditions 1 and 2 while excluding the failed subsystem k.

  If no such state value exists, the process proceeds to step 2603 and the process is terminated.

  Conversely, when such a state value exists, the process proceeds to step 2602.

  In step 2602, a state transition path that deviates from the normal operation state that does not satisfy the hazard conditions 1 and 2 under the additional condition that the input for instructing the start of the stop process is not set while eliminating the failed subsystem k. The presence or absence of is determined.

  If there is such a state transition path, it can be seen that there is a case where the normal operation is interrupted by the hazard 1 or 2, so the process proceeds to step 2603 and the process is terminated.

  On the other hand, when such a state transition path does not exist, it is understood that the normal operation can be continued without reaching the state corresponding to the hazard conditions 1 and 2, so that the process proceeds to step 2604 and the processing is performed. finish.

  As described above, according to the present embodiment, by adding the failure mode defined for each subsystem to the operation mode, there is no false detection / non-detection of a problem that was a problem in the static input / output relationship analysis method. Integrated system design failure analysis, failure mode effect analysis and failure tree analysis can be performed.

  In the present embodiment, the operator operates the autonomous operation device described in the fourth embodiment via the operation device, and the operator and the autonomous operation device cooperate with each other to continue the operation in the event of a subsystem failure. This shows an autonomous operation control system that realizes a cooperation function with an operator who can safely stop the operation.

  As shown in FIG. 27, the autonomous operation control system of the present embodiment includes an autonomous operation device and an operation device that operates the autonomous operation device, and the autonomous operation device cannot be operated continuously by the operation continuity determination unit. If it is determined, an error signal is transmitted to the operation device. If it is determined that the operation can be continued by the operation continuity determination means, a warning signal is transmitted to the operation device, and autonomous operation is performed. continue.

  As an example, a vehicle having an automatic traveling function may be an autonomous operation device, and a passenger may be an operator. In another example, a construction work machine that operates via a communication path for remote control may be an autonomous operation device, and a worker in a remote location may be an operator.

  FIG. 28 shows operation modes of the operator and the autonomous system.

  An autonomous system (integrated system) has three types of operation modes, ie, an autonomous operation mode, a manual operation mode, and a stop state, as a part of the internal state. The operation device monitors the integrated system when the internal state is the autonomous operation mode, waits when the internal state is the stop state, and transitions to the manual operation mode when the operation state is the manual operation mode. Enter into the integrated system. The operation device can input an instruction to stop the operation as necessary, and can transition the internal state of the integrated system to the stop state.

  When a failure of the subsystem occurs when the integrated system is in the autonomous operation mode, the operation device is integrated using the automatic recovery function of the autonomous operation device described in the fourth embodiment as shown in FIG. It is determined whether or not autonomous operation cannot be continued due to a failure of a subsystem constituting the system. When the operation cannot be continued, the autonomous operation device transmits a stop request as one form of error information, and the operation device in the standby or monitoring state starts a manual operation to stop the integrated system.

  On the other hand, if the operation can be continued, the autonomous operation device completes the automatic recovery process, transmits warning information to the operation device, and then continues the autonomous operation. The operator may stop the integrated system as necessary.

  INDUSTRIAL APPLICABILITY The present invention can be used for safety analysis of a highly reliable redundant computer system having a fault tolerance function and a large-scale control system in which an electric / mechanical / information control system is integrated. It can also be used to identify root factors that cause defects in hardware and software integrated design environments, especially for analysis of design defects. Furthermore, it can also be used for the function that automatically diagnoses the cause of the failure, treats the cause of the failure, and automatically restores the system state to continue operation after the subsystem that constitutes the autonomous operation device has an unspecified failure. .

1801 Integrated system 1802 Integrated system operator 1803 Controller 1804 Actuator 1805 Safety monitor 1806 Control target 1807 sensor which is part of the integrated system

The present invention is directed to a system in which an internal state changes according to an input, and an output corresponding to the input changes in accordance with the change in the internal state, and a plurality of systems that can be adopted based on a state transition rule of the system State transition model construction means for constructing a state transition model including a state value and a transition path between each state value, and an initial state value for setting an initial state value satisfying a predetermined start time condition from the plurality of state values A setting means; a final state value setting means for setting a final state value satisfying a predetermined end time condition from the plurality of state values; and in the state transition model, from the final state value to the initial state value. It includes a state transition path existence determining means for determining whether reaching a state transition path exists, and to apply the reverse state transition route search method to forward a state transition path search method, the state The transfer path presence / absence determining means sets the state transition rule, the start time condition, and the end time condition as a constraint condition in a logical form that should be satisfied by a state transition sequence expected as a solution, and satisfies the constraint condition. using a SAT solver capable of searching for a solution, it determines the presence or absence of the state transition path.

Claims (7)

Targeting a system in which an internal state changes according to an input and an output corresponding to the input changes according to the change in the internal state,
Based on the state transition rules of the system, state transition model construction means for constructing a state transition model including a plurality of state values that can be taken by the system and transition paths between the state values;
An initial state value setting means for setting an initial state value satisfying a predetermined start time condition from the plurality of state values;
A final state value setting means for setting a final state value satisfying a predetermined end time condition from the plurality of state values;
A system analysis apparatus comprising: a state transition path presence / absence determining unit that determines whether or not a state transition path that reaches the initial state value from the final state value exists in the state transition model. The system analysis device according to claim 1,
Means for converting a state transition rule of the system into a logical expression;
A satisfiability solution of a satisfiability determination problem constructed using the logical expression, the start condition, and the end condition as constraints is calculated using a SAT solver, and the sufficiency solution is output as the state transition path A system analysis device characterized by: A design failure analysis apparatus including the system analysis apparatus according to claim 1,
Targeting an integrated system in which a plurality of such systems are interconnected,
Set the functional requirements that should be satisfied when the integrated system is normal as the start condition,
The abnormal condition of the integrated system is set as the termination condition,
The state transition path presence / absence determining means determines whether or not a state transition path reaching the initial state value from the final state value exists in the state transition model;
When the state transition path presence / absence determining unit determines that there is a state transition path that reaches the initial state value from the final state value, it is determined that a design failure of the integrated system exists. Design failure analysis device. A failure mode analysis device including the system analysis device according to claim 1,
Targeting an integrated system in which a plurality of such systems are interconnected,
A failure state adding means for adding a failure state to the internal state of the system;
The failure state is the start condition,
The abnormal condition of the integrated system is set as the termination condition,
When the state transition path presence / absence determining unit determines that there is a state transition path that reaches the initial state value from the final state value, it is determined that an abnormal state of the integrated system occurs due to a failure of the system. Failure mode analysis apparatus characterized by the above. A failure tree analysis device including the system analysis device according to claim 1,
Targeting an integrated system in which a plurality of such systems are interconnected,
A failure state setting means for setting the system to a failure state;
Set the functional requirements to be satisfied when the integrated system is normal as the start condition,
The abnormal condition of the integrated system is set as the termination condition,
When the state transition path presence / absence determining unit determines that there is a state transition path that reaches the initial state value from the final state value, it is determined that an abnormal state of the integrated system occurs due to a failure of the system. Failure tree analysis device characterized by the above. An autonomous operation device including the system analysis device according to claim 1,
An integrated system in which a plurality of the systems are interconnected;
Failure detection means for detecting a failure of the system during operation of the integrated system;
Restriction condition adding means for adding exclusion of the system in which the failure has occurred as a restriction condition;
An operation continuity determination means for determining the operation continuity in a state in which the failed system is excluded by the system analysis device;
Set the functional requirements to be satisfied when the integrated system is normal as the start condition,
The abnormal condition of the integrated system that occurs due to a failure of the system is the end condition,
The operation continuation possibility determining means determines that the operation can be continued when the state transition path presence / absence determining means determines that there is a state transition path that reaches the initial state value from the final state value. An autonomous operation device characterized by the above. The autonomous operation device according to claim 6;
An operation device for operating the autonomous operation device,
The autonomous operation device transmits an error signal to the operation device when it is determined that the operation cannot be continued by the operation continuity determination unit.
An autonomous operation control system that transmits a warning signal to the operation device and continues an autonomous operation when the operation continuability determination unit determines that the operation can be continued.

Images