JP2019066927A - Failure countermeasure system and failure countermeasure method - Google Patents

Abstract

To enable failure cause estimation and failure handling recommendation of high precision, in a failure countermeasure system.SOLUTION: A failure handling recommendation device of a failure countermeasure system extracts the failure cause of a failure report corresponding to a failure phenomenon similar to failure information of an analysis object system. A failure cause analyzer extracts the failure cause, based on a failure cause analysis rule from the failure information of the analysis object system. The failure cause analyzer receives the failure cause of the failure report corresponding to the failure phenomenon similar to the failure information of the analysis object system from the failure handling recommendation device, and extracts and outputs the failure cause similar to the failure cause based on the failure cause analysis rule, from the failure cause of the received failure report. The failure handling recommendation device outputs information on the failure report corresponding to the failure cause extracted as the failure cause similar to the failure cause based on the failure cause analysis rule, from the failure cause of the failure report by the failure cause analyzer.SELECTED DRAWING: Figure 7

Description

  The present invention relates to a fault countermeasure system and a fault countermeasure method, and more particularly, to a fault countermeasure system and a fault countermeasure method suitable for analyzing a cause of a fault and automatically generating a proper fault countermeasure report.

  Recent advances in information processing technology have increased the importance of IT systems such as communications and data processing, and when system stability and failures occur, the cause is quickly analyzed and measures taken Is being sought. Under such circumstances, attempts have been made to apply the conventional cause analysis method to failure analysis of IT systems.

  For example, Patent Document 1 discloses a technology for performing failure cause analysis (Root Cause Analysis: RCA) based on rules when identifying a failure that occurs in an IT system. Further, Patent Document 2 discloses a fault analysis system for improving fault analysis accuracy by utilizing existing data on faults.

JP 2012-256355 A JP, 2016-51447, A

  When analyzing the cause of failure that has occurred in an IT system, in RCA as described in Patent Document 1, the operation management system acquires and acquires an “event” indicating that an abnormality has occurred from a managed system. By applying the event to a predetermined analysis rule, the cause of failure and the location of failure are estimated.

  This analysis rule is created based on the past fault information and the knowledge of the rule creator, but it occurs when the past fault information is insufficient or the knowledge of the rule creator is insufficient. Can not create a rule to estimate the correct cause of failure or failure point from the failure, and high-precision failure cause analysis is difficult.

  In general, in the IT system, a system maintenance person or a repair worker creates a failure report describing the target system name at the time of failure occurrence, the contents of the phenomenon, the contents of correspondence, the cause analysis result. In Patent Document 2, by utilizing the above-described fault report, a past fault report related to the phenomenon content is identified at the time of fault occurrence, and a maintenance cause is presented with a countermeasure for the fault cause and fault.

  When utilizing the past fault report, a search is performed on the database where the fault report is stored based on the fault phenomenon content input at the time of fault occurrence, but if the phenomenon content is ambiguous, many similar faults It may be considered that a report is recommended or a fault report unrelated to the contents of a phenomenon is recommended, and it may be considered that it becomes difficult to make a highly accurate fault countermeasure recommendation.

  The object of the present invention is to provide a failure countermeasure system capable of highly accurate failure cause estimation and failure countermeasure recommendation even if the number and accuracy of failure cause analysis rules are insufficient and the quality of failure report is not high enough. It is to do.

  The configuration of the failure countermeasure system according to the present invention is preferably a failure countermeasure system which receives the failure information of the analysis target system and outputs the failure countermeasure, and outputs the failure cause based on the failure report based on the failure information. It has a failure handling recommendation device and a failure cause analysis device that outputs a failure cause based on failure information and failure cause analysis rules, and the failure handling recommendation device responds to failure phenomena similar to the failure information of the analysis target system. The failure cause analysis device extracts the failure cause from the failure information of the analysis target system based on the failure cause analysis rule, and the failure cause analysis device analyzes the failure cause recommendation device Receive the fault cause of the fault report corresponding to the fault information similar to the fault information of the system, and from the fault cause of the received fault report, the fault cause Based on the analysis rules, the fault cause similar to the fault cause is extracted and output, and the fault handling / recommendation device is similar to the fault cause based on the fault cause analysis rule from the fault cause of the fault report by the fault cause analyzer. Information of fault report extracted as fault cause and corresponding to fault cause is output.

  According to the present invention, it is possible to provide a failure countermeasure system capable of highly accurate failure cause estimation and failure countermeasure recommendation even when the number and accuracy of failure cause analysis rules are insufficient and the quality of failure report is not high enough. can do.

FIG. 1 is a block diagram showing a functional configuration of a failure countermeasure system according to a first embodiment. FIG. 2 is a block diagram showing the configuration of an analysis target system 300. It is a figure which shows an example of a failure report management table. It is a figure which shows an example of a failure cause analysis rule. It is a figure which shows an example of a failure event list. It is a figure which shows an example of a root cause event list. It is a general chart which shows the processing outline in each failure handling recommendation device of Embodiment 1, and failure cause analysis device. It is a flowchart which shows the detail of failure countermeasure recommendation process S102. It is a flowchart which shows the detail of failure cause analysis processing S105. It is a flowchart which shows the detail of common failure cause group extraction processing. It is a general chart which shows each processing outline in a fault handling recommendation device and fault cause analysis device of a 2nd embodiment. It is a flowchart which shows the detail of common failure cause group extraction / isolation | separation processing.

  Hereinafter, each embodiment according to the present invention will be described using FIGS. 1 to 12.

Embodiment 1
As will be described in detail below, in this embodiment, the failure cause group included in the failure report group recommended by the failure handling / recommendation device at the time of failure occurrence is compared with the failure cause group estimated by the failure cause analysis device; By extracting only the failure report that includes the common failure cause and the common failure cause among the analysis results of both systems, it is possible to realize highly accurate failure countermeasure recommendation and failure cause analysis.

First, the functional configuration of the failure countermeasure system according to the first embodiment will be described with reference to FIG.
In the failure countermeasure system, a failure countermeasure recommendation device 200, a failure cause analysis device 210, an analysis target system 300, and an input / output terminal 290 are connected via a network 280 such as the Internet or a LAN (Local Area Network).

  The fault handling / recommending device 200 includes functional units such as a fault information input unit 201, a similar fault collection unit 202, a fault cause extraction unit 204, and a result output unit 205, and holds a fault report management table 203 as data. Further, the failure cause analysis device 210 includes a failure information input unit 211, failure multistage analysis management unit 212, failure detailed information collection unit 213, failure detailed information 214, failure cause analysis unit 215, common failure cause extraction unit 218, failure analysis results Each function unit of the output unit 219 is provided, and a failure cause analysis rule 216 and an analysis result management table 217 are held as data.

The failure countermeasure recommendation device 200 and the failure cause analysis device 210 are both realized by a general information processing device, for example, a PC (Personal Computer) or a server device, and the function of each functional unit is an HDD (Hard Disk Drive) or The program stored in the auxiliary storage device such as SDD (Solid State Drive) is loaded onto the main storage device, and the processor of the device executes the program as an instruction word. In addition, a part or all of the program may be realized by dedicated hardware. In FIG. 1, although it is illustrated as being realized by the device of the failure countermeasure / recommendation device 200 and the failure cause analysis device 210, It may be realized by a single information processing apparatus, or a plurality of failure countermeasure / recommendation apparatuses 200 and failure cause analysis apparatuses 210 may be connected to the system.

  The input / output terminal 290 inputs data to the analysis target system 300, the failure countermeasure recommendation device 200, and the failure cause analysis device 210, and also receives data from the analysis target system 300, the failure countermeasure recommendation device 200, and the failure cause analysis device 210. It is an information processing apparatus to display. Although one input / output terminal 290 is illustrated in FIG. 1, a plurality of input / output terminals 290 may be provided.

  The analysis target system 300 is a system analyzed by the failure countermeasure / recommendation device 200 and the failure cause analysis device 210. The analysis target system 300 is, for example, a network system or a component (element) of another system, and may be physical or virtual. Also, the granularity may be arbitrary as an apparatus unit (for example, a server apparatus), a board unit mounted on the apparatus, or a circuit unit in the board.

Next, a specific example of the analysis target system will be described using FIG.
In this embodiment, a network system configured of communication devices 301 to 303 and communication paths 309 to 311 is assumed as an example of the analysis target system 300 targeted by the failure countermeasure system.

  A network system here is a system which consists of a plurality of communication devices and communication paths. The communication device has a data transmission / reception function for exchanging data with another device, and may be, for example, a router installed in a communication facility for the purpose of providing a cloud service.

  Further, the communication path is a communication medium for devices to exchange data, and in this embodiment, the communication paths 309 to 311 are assumed to be, for example, 10 Gigabit Ethernet (registered trademark, hereinafter the same) optical fibers. However, any bandwidth and standard communication channel may be used.

  The communication devices 301 to 303 include a transceiver 306, and the transceiver 306 includes a receiver 307 and a transmitter 308. The communication devices 301 to 303 receive data from another device at the reception unit 307, and transmit data to the other device from the transmission unit 308.

  Next, a data structure used in the failure countermeasure system according to the first embodiment will be described with reference to FIGS. 3 to 6.

First, the fault report management table will be described with reference to FIG.
The failure report management table 203 is a table for storing failure reports in the failure handling / recommendation device 200, and configures a record for each failure report. This failure report is data that is summarized about causes and measures for each failure phenomenon content.

  As shown in FIG. 3, the failure report management table 203 includes a failure report ID 501, a reporter ID 502, an occurrence date 503, a phenomenon content 504, a failure cause 505, a countermeasure 506, a cancellation date 507, a keyword (symptom content) 508, a keyword. (Failure cause) 509, keyword (measures) 510 each field is included.

The failure report ID 501 is a field for storing identification information that uniquely identifies a failure report.
The reporter ID 502 is a field for storing identification information that uniquely identifies a reporter who registers a failure report.
The date of occurrence 503 is a field for storing the date and time when the fault occurred in the fault target.
The phenomenon content 504 is a field for storing failure phenomenon content information. The phenomenon content information is, for example, information in which a system maintenance person describes a failure phenomenon such as “system down after work xx”.
The failure cause 505 is a field for storing failure cause information. The failure cause information is information in which the system maintenance person describes the cause of the failure.

The countermeasure 506 is a field for storing countermeasure information. The countermeasure information is information describing the countermeasure taken by the system maintainer for the fault.
The cancellation date and time 507 is a field for storing the cancellation date and time. The cancellation date is the date when the failure is resolved by the countermeasure.
A keyword (phenomenon content) 508 is a field for storing a word obtained from the phenomenon content information of the phenomenon content 504 by morphological analysis.
A keyword (failure cause) 509 is a field for storing a word obtained from failure cause information of the failure cause 505 by morphological analysis. The keyword (cause of failure) 509 is used as an extraction word for comparing the failure cause information included in the failure report obtained as a result of the failure object recommendation and the content of the root cause event obtained as a result of failure cause analysis.
A keyword (measure) 510 is a field for storing a word obtained from the measure information of the measure 506 by morphological analysis.

The use and meaning of each keyword will be described in detail later.
The input / output terminal 290 operated by the system maintenance person may execute morphological analysis for extracting the above-mentioned keyword, and a server (not shown) for managing the failure report management table 203 executes morphological analysis You may

Next, the failure cause analysis rule will be described with reference to FIG.
The failure cause analysis rule 216 is a rule of IFTHEN format for analyzing the cause of the failure of the analysis target system 300 possessed by the failure cause analysis device 210, and is composed of a plurality of rules 701, as shown in FIG. Each rule comprises an IF unit 702 and a THEN unit 703. In the THEN part, a root cause event estimated by analysis is described, and in the IF part 702, a failure cause analysis from the analysis target system 300 as a condition event for estimating the root cause event described in the THEN part 703 The failure event notified to the device 210 is described.

  In the configuration example of the analysis target system 300 shown in FIG. 2, when considering a system failure, it is assumed that the component of the transceiver 306 and the components of the communication devices 301 to 303 are components as components and these defects are the root cause event. There is.

  Rule 1 and rule 2 in FIG. 4 are rules for estimating a failure of the transceiver 306, rule 3 and rule 4 are rules for estimating a failure of the communication devices 301 to 303.

Next, the failure event list will be described using FIG.
As shown in FIG. 5, the failure event list 2141 has respective fields of failure event number 801, keyword (failure event) 802, and failure event content 803. The keyword (failure event) 802 is a field for storing a word obtained from the content of the failure stored in the failure event content 803 by morphological analysis. Further, the failure event list 2141 is included in the failure detailed information 214, and the failure detailed information collecting unit 213 uses the failure event number 801 collected from the analysis target system 300 by the failure information input unit 211 as a key to the failure event list 2141. It is possible to specify the details of the failure event that has occurred by searching.

Next, the root cause event list 2142 will be described using FIG.
The root cause event list 2142 has fields of a root cause event number 901, a keyword (root cause event) 902, and a root cause event content 903. A keyword (root cause event) 902 is a field for storing a word obtained from the root cause event content 903 by morphological analysis, and failure cause information included in the failure report management table 203 obtained as a result of failure countermeasure recommendation, Used as an extraction word to compare the contents of the root cause event obtained as a result of failure cause analysis (detailed later). Further, the root cause event list 2142 is included in the failure detail information 214, and the failure detail information collection unit 213 is identified by searching the root cause event list 2142 with the root cause event number 901 as a key. The details can be identified.

  Next, processing of the failure countermeasure system according to the first embodiment will be described with reference to FIGS. 7 to 10.

  First, an outline of processing of each of the fault handling / recommending device and the fault cause analyzing device will be described with reference to FIG. In addition, in the general chart of FIG. 7, the double line represents parallel processing.

  First, a system maintenance person inputs fault information regarding the analysis target system 300 into the fault handling / recommending device 200 (S101). Here, as the failure information, the failure handling / recommending device 200 receives failure phenomenon information, which is text data describing the content of the failure phenomenon, and a failure event indicating that a failure to be acquired from the analysis target system has occurred. .

  Next, the failure handling / recommending device 200 executes failure handling / recommendation (S102). The detailed processing procedure of the failure countermeasure recommendation will be described later with reference to FIG.

  Then, the failure countermeasure / recommendation device 200 extracts failure cause group (a) from the failure report group (A) recommended in S102, and transmits it to the failure cause analysis device 210 (S103).

  On the other hand, a system maintenance person inputs a failure event related to the analysis target system 300 into the failure cause analysis device 210 (S104). Here, the failure cause analysis apparatus 210 receives, as failure information, failure phenomenon information which is text data in which the content of the failure phenomenon is described, and a failure event indicating that a failure acquired from the analysis target system has occurred. .

  Next, the failure cause analysis device 210 performs failure cause analysis (S105). The detailed processing procedure of failure cause analysis processing will be described later with reference to FIG. Then, the failure cause analysis device 210 compares the estimated failure cause group (b) with the transmitted failure cause group (a) extracted in S103, and only the common failure cause is the failure cause group (a). Extract as b) (S106). Next, the failure cause analysis device 210 outputs failure cause groups (ab) as an estimation result (S109).

  In addition, the failure countermeasure / recommendation device 200 extracts a failure report group including the failure cause group (a · b) extracted in S106 (S107), and outputs a failure report group (A · B) as an extraction result (S108) .

Next, the details of the failure handling recommendation process S102 in FIG. 7 will be described.
First, the fault information input unit 211 of the fault handling / recommendation device 200 receives fault information (S401). Here, the fault information is fault phenomenon information input by the system maintenance person when a fault occurs, and the fault phenomenon information includes the date and time of occurrence of the fault and the contents of the fault phenomenon.

  Next, the similar failure collection unit 202 acquires, from the failure report management table 203, a failure report including a phenomenon content that is similar to the phenomenon content included in the failure information and the keyword appearance tendency (S402).

  Specifically, the similar failure collection unit 202 morphologically analyzes the phenomenon content included in the failure information, and extracts the words included in the phenomenon content. Then, the similar failure collection unit 202 generates a vector indicating the presence or absence of the extracted word. Here, when the extraction word is, for example, five words W1 to W5, the vector V0 is V0 = (1, 1, 1, 1, 1). The vector element “1” indicates the presence of this vector, and “0” indicates the absence. Hereinafter, this vector is referred to as a word analysis vector.

  Similarly, the similar failure collection unit 202 generates, for each entry of the failure report management table 203, a word analysis vector V1 indicating presence / absence of the extracted words W1 to W5 in the phenomenon content of the failure report. Specifically, for example, the similar failure collection unit 202 uses the word group stored in the keyword (phenomenon content) 508 of the failure report management table 203 to detect presence / absence of the extracted words W1 to W5 in the phenomenon content of the failure report. Generate a word analysis vector indicating. For example, it is assumed that the word analysis vector V1 in a certain entry is V1 = (1, 0, 0, 0, 1). At this time, the word analysis vector V1 means that the extracted words W1 and W5 exist and the extracted words W2 to W4 do not exist.

The similar obstacle collection unit 202 obtains an inter-vector distance (for example, Euclidean distance) using the word analysis vector V0 and the word analysis vector V1.
When the word analysis vector V0 = (x ₁ , x ₂ ,..., X _n ) and the word analysis vector V ₁ = (y ₁ , y ₂ ,..., Y _n ), the distance d (V 0, V 1) between V 0 and V 1 Is obtained by the following (Equation 1).

  In the present embodiment, it is considered that the phenomenon content included in the failure information and the phenomenon content of the failure report are more similar as the inter-vector distance is shorter. The similar failure collection unit 202 obtains an inter-vector distance for each entry of the failure report management table 203, and acquires a failure report whose entry is less than a threshold. The acquired fault report is referred to as a "similar fault report". Here, the similar fault report is obtained using the threshold, but the similar fault collection unit 202 obtains the top n (n is an integer of 1 or more) fault reports in ascending order of the inter-vector distance as a similar fault report. You may

Next, the process proceeds to common failure cause group extraction processing of FIG. 7 (S403).
Here, the failure report group (A) recommended by S102 shown in FIG. 7 is this similar failure report.

Next, details of the failure cause analysis processing S105 will be described with reference to FIG.
First, the fault information input unit 211 of the fault cause analysis device 210 receives fault information from the analysis target system 300 (S601). Here, the failure information is a failure event that indicates the occurrence of a failure that the failure analysis system acquires from the analysis target system 300.

  Next, the failure cause analysis unit 215 extracts, from the failure cause analysis rules 216, an analysis rule including the failure event received by the IF unit 702 (S602). A conditional event for estimating a root cause event registered in the THEN unit 703 is registered in the IF unit 702. That is, in the process of S602, the candidate of the root cause event on the condition of the received failure event is specified.

  Furthermore, the failure cause analysis unit 215 determines the certainty factor of the root cause event registered in the THEN unit 703 of the rule extracted in S603 (S603), and among the root cause events for which the certainty factor determination is performed, the certainty factor is Extract only root cause events above the threshold. The degree of certainty is based on the number of failure events registered in the IF unit 702 of the extracted rule as a denominator, and the number of failure events received in S602 among the failure events registered in the IF unit 702 of the extracted rule as a numerator. Calculated by calculating.

  Next, the process proceeds to common failure cause group extraction processing of FIG. 7 (S604).

Next, details of the common failure cause group extraction processing will be described using FIG.
The details of the common failure cause group extraction process are for describing the processes of S103, S106, and S107 in FIG. 7 in more detail. The common failure cause group extraction process is a process of outputting only a more accurate analysis result by extracting a common failure cause from the analysis results of the failure countermeasure / recommendation device 200 and the failure cause analysis device.

  First, the failure cause extraction unit 204 of the failure handling / recommending device 200 extracts the keyword (failure cause) 509 of the failure report management table 203 recommended in S102 (S1001).

  Next, the common failure cause extraction unit 218 of the failure cause analysis device 210 extracts a keyword (root cause event) 902 of the root cause event estimated in S105 (S1002).

  Next, the common failure cause extraction unit 218 uses the word group stored in the failure keyword (failure cause) 509 of the failure report management table 203 shown in FIG. 3 to perform word analysis indicating presence / absence of the extracted words W1 to Wn. A vector V0 is generated (S1003). Similarly, a word analysis vector V1 indicating the presence or absence of the extracted words W1 to Wn is generated using the word group stored in the keyword (root cause event) 902 of the root cause list 2124 shown in FIG.

  Then, the common disorder cause extraction unit 218 obtains an inter-vector distance (for example, Euclidean distance) using the word analysis vector V0 and the word analysis vector V1 (S1004). The common failure cause extraction unit 218 considers that the failure cause content included in the failure report and the root cause event content included in the root cause event are more similar as the distance between vectors is shorter, when the distance between vectors is equal to or less than the threshold. Common to the failure cause stored in the keyword (failure cause) 509 from which the word analysis vector V0 is generated and the root cause event content stored in the keyword (root cause event) 902 from which the word analysis vector V1 is generated Identify the cause of the failure.

  Further, the common failure cause extraction unit 218 performs the processing of S1001 to S1004 on all combinations of the failure report and the root cause event extracted in S102 and S105.

That is, the word analysis vector of the failure keyword (failure cause) 509 of the extracted i-th entry in the failure report management table 203 is V0 _i, and the keyword of the extracted j-th entry in the root cause list 2124 (root cause Assuming that the word analysis vector of event) 902 is V1 _j , i and j such that d (V0 _i , V1 _j ) <T are extracted assuming that the threshold is T for all combinations of i and j.

Then, a fault report including the common fault cause identified in S1004 is extracted (S1005).
In addition, the common failure cause extraction unit 218 extracts a root cause event including the common failure cause specified in S1004 (S1006).

  Based on the above, processing in a specific case in the failure countermeasure system of the present embodiment will be described using FIGS. 7, 8, 9 and 10. FIG.

  The contents described in FIG. 3 are stored in the failure report management table 203, and the rules described in FIG. 4 are stored in the failure cause analysis rule 216.

First, a fault occurs, and a system maintenance person transmits two fault information to the fault handling / recommending device 200 (FIG. 7: S101). At this time, in the first fault information, the first phenomenon content “communication is disconnected in the communication path 13 and an abnormality alarm is generated in the transmitter 11A and the receiver 11Z of the communication device 1” is the second fault information. In this case, it is assumed that the second phenomenon content “communication break occurs in the communication path 13 and the communication path 23” is included.
Next, the failure handling / recommending device 200 starts failure handling / recommending processing (FIG. 7: S102).

  On the other hand, the failure information input unit 211 of the failure cause analysis device 210 receives the failure information transmitted by the system maintenance person at S101 (FIG. 8: S402).

  Next, the similar fault collection unit 202 of the fault handling / recommending device 200 performs morphological analysis on the phenomenon content included in the fault information, extracts a word included in the phenomenon content, and generates a vector indicating presence or absence of the extracted word (FIG. 8: S403). Here, the extracted words of the first phenomenon content are six words of “communication path 13” “communication disconnected” “communication device 1” “transmission unit 11A” “transmission unit 11Z” “abnormal alarm”, and the word analysis vector V0 is V0 = (1, 1, 1, 1, 1, 1).

  Then, for each entry of the failure report management table 203, the similar failure collection unit 202 uses the word group stored in the failure report keyword (phenomenon content) 508 to detect presence / absence of the extracted word of the first phenomenon content. Generate a vector V1 as shown. The keyword (phenomenon content) of failure report ID R1 is “communication path 13” “communication disconnected” “communication device 1” “transmission unit 11A” “transmission unit 11Z” “abnormal alarm”, word analysis vector V1 (R1 ) Becomes V1, (R1) = (1, 1, 1, 1, 1, 1). Here, the word analysis vector in the entry where the failure report ID is R1 is expressed as V1 (R1). In addition, keywords (phenomenon content) of failure report ID R2 are "communication device 13" "communication path 23" "communication disconnection", and word analysis vector V1 (R2) is V1 (R2) = (1, 1) , 0, 0, 0, 0).

  Next, the similar obstacle collection unit 202 obtains the inter-vector distance using the word analysis vector V0 and the word analysis vector V1, and acquires the obstacle report whose entry is less than the threshold. Here, the threshold is 0 or less. When calculating the inter-vector distance by taking the Euclidean distance, it is calculated by taking the square root of the sum of the squares of the differences between the word analysis vector V0 and the elements of the word analysis vector V1. That is, the distance between the word analysis vector V0 and the word analysis vector V1 (R1) is 0, and the distance between the word analysis vector V0 and the word analysis vector V1 (R2) is 2. Since it is only the word analysis vector V1 (R1) that the threshold value is 0 or less, the fault report with the fault report ID R1 is identified as the “similar fault report”.

  Similarly, a vector indicating the presence or absence of the extracted word is generated also for the second phenomenon content. Here, the extracted words of the second phenomenon content are three words of “communication path 13”, “communication path 23”, and “communication disconnection”, and the word analysis vector V0 is V0 = (1, 1, 1). Next, for each entry of the failure report management table 203, the similar failure collection unit 202 uses the word group stored in the failure report keyword (phenomenon content) 508 to detect the presence or absence of the extracted word of the second phenomenon content. Generate a word analysis vector V1 to indicate. The keyword (phenomenon content) of failure report ID R1 is “communication path 13” “communication disconnected” “communication device 1” “transmission unit 11A” “transmission unit 11Z” “abnormal alarm”, word analysis vector V1 (R1 ) Becomes V1 (R1) = (1, 0, 1). In addition, keywords (phenomenon content) of failure report ID R2 are "communication device 13" "communication path 23" "communication disconnection", and word analysis vector V1 (R2) is V1 (R2) = (1, 1) , 1).

Next, the similar obstacle collection unit 202 obtains the inter-vector distance using the word analysis vector V0 and the word analysis vector V1, and acquires the obstacle report whose entry is less than the threshold. The distance between the word analysis vector V0 and the word analysis vector V1 (R1) is 1, and the distance between the word analysis vector V0 and the word analysis vector V1 (R2) is 0. Since it is only the word analysis vector V1 (R2) that the threshold value is 0 or less, the fault report with the fault report ID R2 is specified as the “similar fault report”.
Then, the failure countermeasure recommendation process is ended, and the process proceeds to the process of S103 of FIG. 7 (FIG. 8: S404).

  Next, the failure countermeasure / recommendation device 200 extracts a keyword (failure cause) 509 from the failure reports R1 and R2 identified in S102 (FIG. 7: S103).

On the other hand, when a failure occurs, the failure cause analysis device 210 receives a failure event from the analysis target system 300 (FIG. 7: S104). Here, it is assumed that the failure cause analysis device 210 has received two failure events “EV-14” and “EV-10”.
In response to this, the failure cause analysis device 210 starts failure cause analysis processing (FIG. 7: S105).
First, the fault information input unit 211 of the fault cause analysis device 210 receives the fault events “EV-14” and “EV-10” (FIG. 9: S601).

  Next, the failure cause analysis unit 215 extracts an analysis rule including the failure event “EV-10” or “EV-14” received by the IF unit in the failure cause analysis rule 216 (FIG. 9: S602). Here, among the analysis rules described in FIG. 4, rule 1 and rule 2 are extracted.

Next, the failure cause analysis unit 215 determines the degree of certainty of the root cause event of the extracted failure cause analysis rule 216, and extracts only the root cause having a certainty degree or more (FIG. 9: S603). In the present embodiment, root cause events with a certainty factor of 1/3 or more are extracted. In the rule 1, since one received failure event is included among the three failure events described in the IF unit, the certainty factor is 1/3. Further, in the rule 2, since two received failure events are included among the three failure events described in the IF unit, the certainty factor is 2/3. Root cause events CE-1 and CE-5 having a certainty factor of 1/3 or more are extracted.
Then, the failure cause analysis process is completed, and the process proceeds to the process of S106 of FIG. 7 (FIG. 9: S604).

  Next, the failure cause analysis device 210 compares the failure cause group extracted from S103 with the failure cause group extracted from S105, and extracts only the failure cause having the same failure cause content (FIG. 7: S106).

  Then, the failure countermeasure / recommendation device 200 extracts a failure report including the common failure cause extracted in S106.

  Here, the common failure cause group extraction processing of S103 and S106 to S107 will be described in detail based on the processing procedure of FIG.

  First, the fault cause extraction unit 204 of the fault handling / recommending device 200 extracts a keyword (fault cause) 509 from the fault reports R1 and R2 identified in S102 (FIG. 10: S1001).

  On the other hand, the common failure cause extraction unit 218 of the failure cause analysis device 210 extracts the keywords (root cause events) 902 of the root cause events CE-1 and CE-5 estimated in S105 (FIG. 10: S1002).

  Next, the common failure cause extraction unit 218 determines whether or not the extracted words exist from the keyword (failure cause) 509 extracted in S1001 and the keyword (root cause event) 902 extracted in S1002 and the word group stored in the keyword. Word analysis vectors V0 and V1 are generated (FIG. 10: S1003).

  The word group of the keyword (failure cause) 509 of the failure report R1 extracted in S1001 becomes two words of “transceiver 11” and “hardware failure”, and the word analysis vector V0 is V0 (R1) = (1, 1, It becomes 1).

  Next, for each keyword (root cause event) 902 extracted in S1002, a word analysis vector V1 indicating the presence or absence of the extracted word of the keyword (failure cause) 509 of R1 of the failure ID of the failure report is generated. The word group of the keyword (root cause event) 902 of the root cause event CE-1 is "transceiver 11" "hardware failure" and the word analysis vector V1 (R1) (CE-1) = (1, 1) . Here, the word analysis vector indicating the presence or absence of the extracted word of the keyword (failure cause) 509 of the failure ID R1 of the failure report in the word of the root cause event CE-1 is expressed as V1 (R1) (CE-1) did.

  Also, the word group of the keyword (root cause event) 902 of the root cause event CE-5 is “transceiver 31” “hardware failure”, and the word analysis vector V1 (R1) (CE-5) = (0, 1) It becomes.

  Similarly, the word group of the keyword (failure cause) 509 of the failure report R2 extracted in S1001 becomes two words of “communication device 3” and “hardware failure”, and the word analysis vector V0 is V0 (R2) = (1, 1).

  Next, a word analysis vector V1 indicating the presence or absence of the extracted word of the keyword (failure cause) 509 of the failure report R2 is generated for each keyword (root cause event) 902 extracted in S1002. The word group of the keyword (root cause event) 902 of the root cause event CE-1 is “transceiver 11” “hardware failure” and the word analysis vector V1 (R2) (CE-1) = (0, 1) . In addition, the word group of the keyword (root cause event) 902 of the root cause event CE-5 is “transceiver 31” “hardware failure” and the word analysis vector V1 (R2) (CE-5) = (0, 1) It becomes.

  Next, the common fault cause extraction unit 218 obtains the inter-vector distance using the word analysis vector V0 and the word analysis vector V1 generated in S1003. When the inter-vector distance is less than or equal to the threshold value, the common fault cause is identified. (FIG. 10: 1004). Here, in the present embodiment, the threshold value is set to zero. The inter-vector distance is calculated by taking the Euclidean distance, and is calculated by taking the square root of the sum of the squares of the differences between the word analysis vector V0 and the word analysis vector V1.

  Here, the inter-vector distance is calculated for each word analysis vector V1 generated from the keyword (root cause event) 902 extracted in S1002 with respect to the word analysis vector V0 generated from the keyword (failure cause) 509 extracted in S1001. First, the distance between the word analysis vector V0 (R1) and the word analysis vector V1 (R1) (CE-1) is zero. Next, the distance between the word analysis vector V0 (R1) and the word analysis vector V1 (CE-5) is 1. Further, the distance between the word analysis vector V0 (R2) and the word analysis vector V1 (R2) (CE-1) is one. Furthermore, the distance between the word analysis vector V0 (R2) and the word analysis vector V1 (R2) (CE-5) is 1. The threshold value is 0 or less because the word analysis vector V0 (R1) and the word analysis vector V1 (R1) (CE-1), the fault report R1 that is the generation source of the word analysis vector V0 (R1) A keyword (failure cause) 509 and a keyword (root cause event) 902 of the root cause event CE-1 which is a generation source of the word analysis vector V1 (R1) (CE-1) are specified as common failure causes.

Then, the failure cause extraction unit 204 extracts the failure report R1 including the common failure cause (FIG. 10: S1005).
Further, the common failure cause extraction unit 218 extracts the root cause event CE-1 including the common failure cause (FIG. 10: S1006).
By the above processing, the failure countermeasure recommendation device 200 outputs the failure report R1 as a report group including common failure causes, and the failure cause analysis device 210 outputs a root cause event CE-1 as a common failure cause group (FIG. 7: S108, S109).

Second Embodiment
Hereinafter, Embodiment 2 of the present invention will be described with reference to FIGS. 11 and 12.
In the first embodiment, the failure cause group included in the failure report recommended by the failure handling / recommendation device and the failure cause group estimated by the failure cause analysis device include failure cause groups and failure causes other than the common failure cause group. It was to output a fault report.

In the present embodiment, the failure cause group included in the failure report recommended by the failure handling / recommendation device and the failure cause group estimated by the failure cause analysis device include failure cause groups and failure causes other than the common failure cause group. It also outputs fault reports. In this way, even when the common failure cause group is not the root cause, the system maintainer or the system administrator can refer to the failure cause group other than the common failure cause group as the second failure cause group. It becomes possible to carry out the segmentation efficiently.
In the present embodiment, description will be made focusing on differences from the first embodiment.

The configuration of the failure countermeasure system is the same as that shown in FIG. 1 of the first embodiment. The analysis target system 300 also takes the example of the first embodiment. The data structure is also the same as that shown in the first embodiment. Here, the processing of the failure countermeasure system of the first embodiment will be described using FIGS. 11 and 12.

First, an outline of each process in the failure countermeasure / recommendation device and failure cause analysis device of the second embodiment will be described with reference to FIG.
About S101-S107 in the figure, it is the same as that of processing shown in FIG. 7 of Embodiment 1.
Here, the failure countermeasure / recommendation device 200 excludes the failure report group (A, B) including the common failure cause extracted in S107 from the failure report group (A) extracted in S102 into a failure report group {(( A)-(AB) is output (S110).

  In addition, the failure cause analysis device 210 removes the common failure cause group (a · b) extracted in S106 from the failure cause group (a) extracted in S103 as the failure cause group {(a) − Output as (a · b)} (S111).

Further, the failure cause analysis device 210 is the failure cause group {(b) − (24) from the failure cause group (b) extracted in S105 excluding the common failure cause group (a · b) extracted in S106. Output as (a · b)} (S112).
By the above-described processing, the failure countermeasure recommendation device 200 and the failure cause analysis device 210 can also output analysis results other than the failure report including the common failure cause and the common failure cause.

Next, the common failure cause extraction / separation processing in FIG. 12 of the second embodiment will be described in detail using FIG.
S1001 to S1006 in the figure are the same as the processing shown in FIG. 10 of the first embodiment.
Here, the common failure cause extraction unit 218 of the failure cause analysis device 210 extracts a word group stored in the keyword (root cause event) 902 for all the entries included in the root cause event list of the failure detailed information 214. (S1007).

  Next, the common failure cause extraction unit 218 generates a word analysis vector V0 indicating presence / absence of the extracted words W1 to Wn using the word group stored in the keyword (failure cause) 509 extracted in S1001 (S1003). -1). Similarly, a word analysis vector V1 indicating presence / absence of the extracted words W1 to Wn is generated using the word group stored in the keyword (root cause event) 902 extracted in S1007 (S1003-1).

  Then, the common disorder cause extraction unit 218 obtains the inter-vector distance (for example, the Euclidean distance) using the word analysis vector V0 and the word analysis vector V1. As the distance between vectors is shorter, it is considered that the fault cause contents included in the fault report and the root cause event contents included in the root cause event are similar. The common failure cause extraction unit 218 identifies, as the common failure cause group (a), a root failure event including the keyword (root cause event) 902 from which the word analysis vector V1 is generated, when the inter-vector distance is less than the threshold (S1008).

Furthermore, the common failure cause extraction unit 218 excludes the common failure cause group (a) specified in S1008 from the common failure cause group (a, b) specified in S1004 into the common failure cause group {(a)-( a, b)} is specified (S1009).
The processes of S1003-0 and S1004 are the same as the processes of S1003 and S1004 in FIG.

  Further, the fault cause extraction unit 204 extracts the fault report group {(A) − (A · B)} excluding the fault report group (A · B) from the failure report group (A) extracted in S102 in S1005. (S1010).

  Further, the common failure cause extraction unit 218 excludes the common failure cause group (a, b) extracted in S1006 from the common failure cause group (b) estimated in S105, and sets the common failure cause group {(b) − (a · b) It specifies as (S1011).

  Based on the above, processing in a specific case in the failure countermeasure system of the present embodiment will be described using FIGS. 7, 8, 9 and 10 of the first embodiment.

  The contents described in FIG. 3 of the first embodiment are stored in the failure report management table 203, and the rules described in FIG. 4 are stored in the failure cause analysis rule 216.

  After the occurrence of a failure, the processing from FIG. 7: S101 to FIG. S: S604 is the same as the processing description in the specific case of the first embodiment.

Next, common failure cause group extraction / separation processing configured of S103, S106 to S107, and S110 to S112 in FIG. 11 will be described in detail based on the procedure of FIG.
Here, the fault cause extraction unit 204 extracts a keyword (fault cause) 509 of the entry whose fault report ID of the fault report identified in S102 is R1 and R2 (FIG. 12: S1001).

  Next, the common failure cause extraction unit 218 extracts the keywords (root cause events) 902 of the root cause events CE-1 and CE-5 estimated in S105 (FIG. 12: S1002).

  Next, the common failure cause extraction unit 218 determines whether or not the extracted words exist from the keyword (failure cause) 509 extracted in S1001 and the keyword (root cause event) 902 extracted in S1002 and the word group stored in the keyword. Word analysis vectors V0 and V1 are generated (FIG. 12: S1003-0).

  The word group of the keyword (failure cause) 509 of the failure report R1 extracted in S1001 becomes two words of “transceiver 11” and “hardware failure”, and the word analysis vector V0 is V0 (R1) = (1, 1, It becomes 1).

  Next, a word analysis vector V1 indicating the presence or absence of the extracted word of the keyword (failure cause) 509 of the failure report R1 is generated for each keyword (root cause event) 902 extracted in S1002. The word group of the keyword (root cause event) 902 of the root cause event CE-1 is "transceiver 11" "hardware failure" and the word analysis vector V1 (R1) (CE-1) = (1, 1) . Also, the word group of the keyword (root cause event) 902 of the root cause event CE-5 is “transceiver 31” “hardware failure”, and the word analysis vector V1 (R1) (CE-5) = (0, 1) It becomes.

  Similarly, the word group of the keyword (failure cause) 509 of the failure report R2 extracted in S1001 becomes two words of “communication device 3” and “hardware failure”, and the word analysis vector V0 is V0 (R2) = (1, 1).

  Next, a word analysis vector V1 indicating the presence or absence of the extracted word of the keyword (failure cause) 509 of the failure report R2 is generated for each keyword (root cause event) 902 extracted in S1002. The word group of the keyword (root cause event) 902 of the root cause event CE-1 is “transceiver 11” “hardware failure” and the word analysis vector V1 (R2) (CE-1) = (0, 1) . In addition, the word group of the keyword (root cause event) 902 of the root cause event CE-5 is “transceiver 31” “hardware failure” and the word analysis vector V1 (R2) (CE-5) = (0, 1) It becomes.

  Next, the common fault cause extraction unit 218 obtains the inter-vector distance using the word analysis vector V0 and the word analysis vector V1 generated in S1003-0, and if the inter-vector distance is less than or equal to the threshold value, the common fault cause And (FIG. 12: 1004). Here, the threshold value is set to 0 in the present embodiment. The inter-vector distance is calculated by taking the Euclidean distance, and is calculated by taking the square root of the sum of the squares of the differences between the word analysis vector V0 and the word analysis vector V1.

  Here, the inter-vector distance is calculated for each word analysis vector V1 generated from the keyword (root cause event) 902 extracted in S1002 with respect to the word analysis vector V0 generated from the keyword (failure cause) 509 extracted in S1001. First, the distance between the word analysis vector V0 (R1) and the word analysis vector V1 (R1) (CE-1) is zero. Next, the distance between the word analysis vector V0 (R1) and the word analysis vector V1 (CE-5) is 1. Further, the distance between the word analysis vector V0 (R2) and the word analysis vector V1 (R2) (CE-1) is one. Furthermore, the distance between the word analysis vector V0 (R2) and the word analysis vector V1 (R2) (CE-5) is 1. The threshold value is 0 or less because the word analysis vector V0 (R1) and the word analysis vector V1 (R1) (CE-1), the fault report R1 that is the generation source of the word analysis vector V0 (R1) A keyword (failure cause) 509 and a root cause event CE-1 which is a generation source of the word analysis vector V1 (R1) (CE-1) are specified as common failure causes.

  Next, the common failure cause extraction unit 218 extracts a word group stored in the keyword (root cause event) 902 for all the entries registered in the root cause event list 2142 in FIG. 6 (FIG. 12: S1007).

  Next, the common failure cause extraction unit 218 determines presence / absence of the extracted word from the keyword (failure cause) 509 extracted in S1001 and the keyword (root cause event) 902 extracted in S1007 and the word group stored in the keyword. Word analysis vectors V0 and V1 are generated (FIG. 12: S1003-1).

  The word group of the keyword (failure cause) 509 of the failure report R1 extracted in S1001 becomes two words of “transceiver 11” and “hardware failure”, and the word analysis vector V0 is V0 (R1) = (1, 1, It becomes 1).

Next, for each keyword (root cause event) 902 extracted in S1007, a word analysis vector V1 indicating the presence or absence of the extracted word of the keyword (failure cause) 509 of the failure report R1 is generated. The word group of the keyword (root cause event) 902 of the root cause event CE-1 is "transceiver 11""hardwarefailure" and the word analysis vector V1 (R1) (CE-1) = (1, 1) . Similarly, when generating the word analysis vector V1 for the root cause events CE-2 to CE-9, V1 (R1) (CE-2) = (0,1), V1 (R1) (CE-3) = ( 0, 1)
V1 (R1) (CE-4) = (0,1), V1 (R1) (CE-5) = (0,1), V1 (R1) (CE-6) = (0,1), V1 (V) R1) (CE-7) = (0, 1), V1 (R1) (CE-8) = (0, 1), V1 (R1) (CE-9) = (0, 1).

  Similarly, the word group of the keyword (failure cause) 509 of the failure report R2 extracted in S1001 becomes two words of “communication device 3” and “hardware failure”, and the word analysis vector V0 is V0 (R2) = (1, 1).

  Next, a word analysis vector V1 indicating the presence or absence of the extracted word of the keyword (failure cause) 509 of the failure report R2 is generated for each keyword (root cause event) 902 extracted in S1002. The word group of the keyword (root cause event) 902 of the root cause event CE-1 is “transceiver 11” “hardware failure” and the word analysis vector V1 (R2) (CE-1) = (0, 1) . Similarly, when generating the word analysis vector V1 for the root cause events CE-2 to CE-9, V1 (R2) (CE-2) = (0,1), V1 (R2) (CE-3) = (0) , 1), V1 (R2) (CE-4) = (0,1), V1 (R2) (CE-5) = (0,1), V1 (R2) (CE-6) = (0,1) ), V1 (R2) (CE-7) = (0,1), V1 (R2) (CE-8) = (0,1), V1 (R2) (CE-9) = (1,1) Become.

  Next, the common fault cause extraction unit 218 obtains the inter-vector distance using the word analysis vector V0 and the word analysis vector V1 generated in S1003-1, and if the inter-vector distance is less than or equal to the threshold value, the common fault cause And (FIG. 12: 1008). The inter-vector distance is calculated by taking Euclidean distance, as in S1004.

  The inter-vector distance is calculated for each word analysis vector V1 generated from the keyword (root cause event) 902 extracted in S1007, with respect to the word analysis vector V0 generated from the keyword (failure cause) 509 extracted in S1001.

  First, the distance between the word analysis vector V0 (R1) and the word analysis vector V1 (R1) (CE-1) is zero. Next, the distance between the word analysis vector V0 (R1) and the word analysis vector V1 (R1) (CE-2) is one. Similarly, for the word analysis vectors V1 (R1) (CE-3) to V1 (R1) (CE-9), the distances to the word analysis vector V0 (R1) are all 1.

  The distance between the word analysis vector V0 (R2) and the word analysis vector V1 (R2) (CE-1) is one. Similarly, the distances from the word analysis vectors V1 (R2) (CE-2) to V1 (R2) (CE-8) to the word analysis vectors V0 (R2) are all one. The distance between the word analysis vector V0 (R2) and the word analysis vector V1 (R2) (CE-9) is zero.

  Next, root cause event CE-1 and word origin of word analysis vectors V1 (R1) (CE-1) and V1 (R2) (CE-9) whose inter-vector distance is less than or equal to 0 which is a threshold value CE-9 is identified as the common failure cause group (a).

Next, among the root cause events CE-1 and CE-9 identified in S1008, the common fault cause extraction unit 218 removes the root cause event except for the root cause event CE-1 including the common fault cause group identified in S1004. Identify CE-9 (FIG. 12: S1009, output C)
Next, the common failure cause extraction unit 218 extracts the root cause event CE-1 identified in S1004 (FIG. 12: S1006, output D).
Next, the common failure cause extraction unit 218 extracts the root cause event CE-5 except for the root cause events CE-1 and CE-5 identified in S105 and the root cause event CE-1 extracted in S1006 (FIG. 12: S1011, output E).

  Next, the failure cause extraction unit 204 extracts a failure report R1 including the keyword (failure cause) 509 identified in S1004 (FIG. 12: S1005, output B).

  Further, the fault cause extraction unit 204 extracts the fault report R2 except the fault report R1 identified in S1005 among the fault reports R1 and R2 identified in S102 (FIG. 12: S1010, output A).

200 ... fault handling recommendation device, 210 ... fault cause analysis device, 290 ... input / output terminal, 280 ... network, 300 ... analysis target system,
201 ... fault information input unit, 202 ... similar fault collection unit, 203 ... fault report management table, 204 ... fault cause extraction unit, 205 ... result output unit,
211: Failure information input unit, 212: Failure multistage analysis management unit, 213: Failure detail information collection unit, 214: Failure detail information, 215: Failure cause analysis unit, 216: Failure cause analysis rule, 217: Analysis result management table, 218 ... common failure cause extraction unit, 219 ... failure analysis result output unit

Claims (8)

It is a failure countermeasure system which outputs the failure countermeasure based on the failure information of the analysis target system,
A fault handling and recommending device that outputs the fault cause based on the fault information from the fault information;
And a failure cause analysis device that outputs a failure cause based on failure information and failure cause analysis rules,
The failure countermeasure / recommendation device extracts the failure cause of the failure report corresponding to the failure phenomenon similar to the failure information of the analysis target system,
The failure cause analysis device extracts a failure cause from the failure information of the analysis target system based on the failure cause analysis rule,
The failure cause analysis device receives the failure cause of the failure report corresponding to the failure phenomenon similar to the failure information of the analysis target system from the failure countermeasure / recommendation device, and causes the failure cause from the failure cause of the received failure report. Extract and output failure cause similar to failure cause based on analysis rule
The fault countermeasure / recommendation device outputs information on a fault report corresponding to the fault cause extracted from the fault cause of the fault report by the fault cause analysis device as a fault cause similar to the fault cause based on the fault cause analysis rule. A fault countermeasure system characterized by   The similarity between the failure cause based on the failure cause analysis rule and the failure cause based on the failure cause analysis rule is characterized by judging by the closeness of the distance of the word analysis vector having the failure cause keyword as the vector element. The failure countermeasure system according to claim 1.   The failure countermeasure system according to claim 1, wherein the failure analysis rule of the failure cause analysis device is a rule of IFTHEN format in which a failure phenomenon is an IF part and a failure cause is a THEN part. It is a failure countermeasure method which outputs failure countermeasure on the basis of failure information of an analysis target system as input.
A fault information receiving step of receiving fault information including a first phenomenon content indicating a fault phenomenon of the analysis target system;
From a fault report for each fault including a second symptom content indicating a fault phenomenon, a fault cause and a fault coping method, a fault including the second phenomenon content similar to the first phenomenon content included in the fault information A first failure countermeasure recommendation step of extracting a report as first failure report information;
A first failure cause extraction step of extracting first failure cause information based on a failure event indicating occurrence of a failure and a predetermined failure cause analysis rule;
A failure characterized in having a second failure cause extraction step of extracting a failure cause similar to the failure cause included in the first failure report information among the first failure cause information as a second failure cause information. Countermeasure.   The determination of the cause of the fault similar to the fault cause included in the first fault report information among the first fault cause information is the fault included in the first fault cause information and the first fault report information. 5. The fault countermeasure method according to claim 4, wherein the judgment is made based on the closeness of the distance of each word analysis vector having a keyword included in the cause as an element.   The first fault report output step of outputting a fault report including fault causes similar to the fault cause included in the first fault report information among the first fault cause information as second fault report information The fault countermeasure method according to claim 4, characterized in that   The method according to claim 4, further comprising a third failure cause extraction step of extracting failure cause information not including the second failure cause information as the third failure cause information among the first failure cause information. How to deal with problems.   5. The fault according to claim 4, further comprising a second fault report output step of outputting fault report information excluding the second fault cause report information among fault reports as third fault report information. Countermeasure.

Images