JP5376133B2 - Fault tree analysis generation method, fault tree analysis generation system, and program - Google Patents

Description

  The present invention relates to a fault tree analysis generation method and a fault tree analysis generation system.

  An example of a conventional software fault tree analysis (FTA) method and system is described in Patent Document 1 and Non-Patent Document 1.

  As shown in FIG. 10, the software fault tree generation apparatus described in Patent Document 1 includes a software block diagram creation unit, a hardware block diagram creation unit, a software behavior description creation unit, an extended activity diagram creation unit, , A deviation analysis unit, a software fault tree generation unit, and the like.

  The software fault tree generation apparatus having such a configuration operates as follows.

  First, create a software block based on the software product specifications, generate a software behavior description and an extended activity from this, extract abnormal operating factors from the extended activity by the deviation analysis unit, and extract this. Use it to generate software fault trees.

  However, the software fault tree generation device described in Patent Document 1 does not consider complex fault events that occur due to some normal states. In other words, this fault tree generation device is not suitable for analyzing complex fault events in many software systems modeled as a state transition system.

  As a technique for solving such a complex failure event, the technique of Non-Patent Document 1 using formal specification description and verification has been proposed. However, the technique of Non-Patent Document 1 is limited to formal specification description and formal verification.

  On the other hand, model checking of state machine diagrams has been well studied in recent years. However, this model check focuses on verifying whether the model derived from the design meets the formal specification, rather than analyzing the failure on a particular system. That is, given a fault in the system, model checking can lead to whether the system is secure under some initial configuration. However, it is not possible to derive what causes the failure. And it is suitable for fault tree analysis.

JP 2001-184232 A (page 6-7, FIG. 1)

Mukoken Fumi, Ogata Kazuhiro, Kou Wei, Futaki Atsuyoshi, “From fault tree analysis to OTS / CafeOBJ system specification description and verification” Computer Software, Vol.23, No.3 (July 2006)

  Fault tree analysis (FTA) is generally not suitable for analysis of state transition systems, and there have been few attempts to integrate state transition diagrams with fault tree analysis (FTA).

  At the system design stage, fault tree analysis diagrams are typically created from detailed and accurate design specifications or diagrams to ensure the correctness and completeness of the analysis. It is recognized in the industry that system operation diagrams play an important role in creating a hardware failure tree analysis.

  However, in the case of software state transition systems, state machine diagrams can be considered as one promising candidate for generating fault trees, but this problem has not been addressed before.

  Therefore, the present invention has been invented in view of the above problems, and an object thereof is to provide a fault tree analysis generation method and system for generating a fault tree analysis from a state transition model.

  The present invention for solving the above problems is a fault tree analysis generation method for generating a fault tree analysis diagram from a state transition model represented by an event and a transition, wherein the state transition model is defined as at least one logical expression. A fault tree analysis generation method that generates a fault tree analysis by interpreting and using a given event as a top event based on the logical expression.

  The present invention for solving the above problems is a fault tree analysis generation system that generates a fault tree analysis from a state transition model represented by events and transitions, and interprets the state transition model as at least one logical expression. And a fault tree analysis generation system that generates a fault tree analysis generation unit that generates a fault tree analysis with a given event as a top event based on the logical expression.

  The present invention for solving the above problems is a program for generating a fault tree analysis from a state transition model represented by events and transitions, and interprets the state transition model as at least one logical expression. And a failure tree analysis generation process for generating a failure tree analysis with a given event as a top event based on the logical expression.

  According to the present invention, a fault tree analysis can be generated from a state transition model.

FIG. 1 is a block diagram of a fault tree analysis generation system according to an embodiment. FIG. 2 is a flowchart of the embodiment. FIG. 3 is a diagram for explaining a logical expression of the present embodiment. FIG. 4 is a diagram for explaining a logical expression of the present embodiment. FIG. 5 is a diagram for explaining a logical expression of the present embodiment. FIG. 6 is a state machine diagram of the embodiment. FIG. 7 is a diagram for explaining logical expressions of three related transitions. FIG. 8 is a diagram showing a logical expression obtained by interpreting the state machine diagram of FIG. FIG. 9 is a failure tree analysis diagram of the embodiment. FIG. 10 is a diagram for explaining a related technique.

  Embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a block diagram of a fault tree analysis generation system according to the present embodiment.

  As shown in FIG. 1, the fault tree analysis generation system includes a state machine diagram input unit 110, a classification unit 120, a state transition interpretation unit 130, a storage unit 140, a user interface unit 150, and a fault tree analysis generation. Unit 160 and output unit 170.

  Each of these units generally operates as follows.

  The state machine diagram input unit 110 inputs a state machine diagram (state transition model) of the target system.

  The classification unit 120 classifies events and transitions in the state machine diagram. Specifically, events are classified into internal events and external events. Transitions are classified into independent transitions and related transitions.

  The state transition interpreter 130 interprets the state machine diagram as a set of logical expressions.

  The storage unit 140 stores a logical expression of the state machine diagram generated by the state transition interpretation unit 130.

  By the user interface unit, the user inputs a classification of a related transition in the state machine diagram (synchronous transition or asynchronous transition). The user interface unit also inputs an event that is a top event to be analyzed by the failure tree analysis generated by the failure tree analysis generation unit 160. In addition, information for classifying external events into basic failure events or basic normal events is also input.

  The failure tree analysis generation unit 160, based on the logical expression stored in the storage unit 140 and the information input by the user interface unit, uses the event input by the user interface unit as a top event. Generate tree analysis.

  The output unit 170 outputs a tree analysis of the generated fault.

  Next, the overall operation of the present embodiment will be described in detail with reference to the flowcharts of FIGS.

  First, the state machine diagram of the system is read by the state machine diagram input unit 110 (step A1).

  Next, the classification unit 120 classifies each event of the state machine diagram into an internal event and an external event (step A2). Further, the classification unit 120 classifies each transition of the state machine diagram into an independent transition and a related transition (step A2).

  Here, an internal event is an event that occurs in an action corresponding to a transition. On the other hand, an external event refers to an event for which no event has occurred in the state machine diagram. However, an external event not only triggers some transitions externally, but also includes transition guard conditions that are not defined in the state machine diagram.

  An independent transition refers to a transition without a trigger or a transition that is triggered by a trigger but does not transmit a message that triggers another transition by the transition.

  The related transition refers to a transition in which a message is transmitted and received between two or more transitions. For example, the transition is activated by a message from a certain transition. However, if a transition is triggered by a message from several different transitions and the transition sends another message to another transition, both the transition that sends the message and the transition that receives the message are also relevant transitions.

  Messages are sent and received either synchronously or asynchronously. Therefore, the related transition is classified as a synchronous transition or an asynchronous transition. This classification is defined by the user via the user interface unit 150 (step A3).

  The interpreter 130 interprets the state machine diagram as a set of logical expressions based on the event and transition classification (step A4).

  There are two types of logical expressions: an equation corresponding to the composite state of the state transition diagram and a transition rule (one-step logic interpretation) corresponding to the transition. Each state and each event in the state machine diagram is interpreted in a logical expression as a state predicate and an event predicate.

  Here, the composite state is defined as a logical sum of sub-states constituting the composite state. A state that is not such a composite state is a state that is in a sibling relationship (another state that belongs to the same object and is in a relationship that is located at the same level). FIG. 3 shows an interpretation pattern of the composite state.

  In general, the left side of a transition rule consists of a combination of two parts. One part is a state configuration that represents the original state and a guard condition that refers to the state of another target. The other parts are a trigger event and a guard condition that refers to an external event of the corresponding transition.

  Similarly, the right side of the transition rule consists of two parts. One part is a state configuration representing a transition destination state. The other part is a message event generated by the transition destination action.

  However, the above-described transition rule is slightly different depending on the difference in transition.

  In order to illustrate the difference, FIG. 3 shows an example of transition rules of independent transition, asynchronous transition, and synchronous transition in a system including the target A and the target B.

  When the composite state includes two or more transition regions, a transition to a closed state indicates a transition to an internal state in each region. A transition to a final state within an area indicates completion within that area.

  For example, assume that the object state machine diagram includes three states, S0, S1, and S2, and that S1 is a composite state that includes two regions. Each region of S1 has two substates. The subregions of the first region are S11 and S12, and the subregions of the second region are S13 and S14. S11 and S13 are in an initial state, and S12 and S14 are in a final state.

  Here, the first transition triggered by e1 is S0 to S1. Then, this transition can be expressed as S0∧e1 → S11∧S13. The transition from S1 to S2 can be expressed as S12∧S14 → S2. Note that the second transition is a completion transition without a trigger event.

  The logical expression obtained by interpreting the state machine diagram is stored in the storage unit 140.

  Subsequently, user information necessary for generating a failure tree analysis diagram is input via the user interface unit 150 (step A6). In this step, three types of user information are input. That is, it is information related to the classification of the top event for failure tree analysis and the basic failure event and the basic normal event related to the external event of the state machine diagram.

  All external events in the state machine diagram are treated as basic events of failure tree analysis (corresponding to leaves in the failure tree analysis diagram) that cannot be further decomposed. The basic normal event is treated as a conditional event and is connected to the Inhibit-gate of the fault tree analysis diagram.

  Each basic failure event is defined by a circle in the failure tree analysis diagram, and each condition event is defined by an ellipse in the failure tree analysis diagram.

  The decomposed top event is first checked to see if it contains a basic event. When a basic event is included, it is simplified by AND-gate or INHIBIT-gate according to the classification of the basic event (step A7).

  The three basic events include a basic failure event and a basic normal event defined by the user, and an initial setting of a state machine diagram which is one of the basic normal events. A simplified pattern for these basic events is shown in FIG.

  The reason for simplification is that it corresponds to an event (leaf) that is not considered in pattern matching by a logical expression and cannot be further decomposed in a fault tree analysis diagram.

  As for the simplified intermediate event, it is checked whether or not the intermediate event or a part thereof matches the right part of the logical expression (transition rule). If there is a match (YES), the left part of the matched logical expression is used to decompose the OR-gate of one or more branches (Step A8).

  Pattern matching and decomposition can be classified into three types according to a simplified structure of intermediate events.

  First, if the event is a compound state predicate, find the equation whose right side of the equation (logical expression) matches the compound state predicate. Then, using the left part of the equation (combination of several substates), it is decomposed into several substates and connected by OR-gate. This is an effective technique for making it easier to see the fault tree analysis.

  Second, if the event does not contain any asynchronous messages, find all transition rules (logical expressions) that match the event. Then, using the left part of the matched transition rule, break the event into several sub-events. If multiple transition rules are found, connect them with an OR-gate. Connect with a line.

  Third, if the event includes an asynchronous message, then find a transition rule (logical expression) that matches at least a part of the state configuration. Then, using the left part of the matched transition rule, break the event into several sub-events. If multiple transition rules are found, connect them with an OR-gate. Connect with a line.

  Three matching patterns of failure events to be decomposed are shown in FIG.

  If there is no logical expression that matches the intermediate failure event, this failure event cannot be analyzed in the given state machine diagram, and the path for this failure event is removed from the logic gate (step A9).

  Steps A7-A9 are performed by the fault tree generator 160.

  Finally, after pattern matching and decomposition, it is checked whether all the leaves of the fault tree analysis diagram are represented by basic events.

  If all the leaves of the fault tree analysis diagram are represented by basic events, the generation of the fault tree analysis is terminated, and the fault tree analysis diagram is presented by the output unit 170 (step A10). Otherwise, repeat steps A7 to A9.

  Examples of the present invention will be described.

  In this embodiment, a crossing control system that controls a crossing where a train and a road intersect will be described as an example.

  The railroad crossing control system in the present embodiment first transmits a cutoff request signal to the railroad crossing control device in order to ensure the safety of the railroad crossing before the train enters the railroad crossing. When the level crossing control device receives the cutoff request signal, the level crossing signal is switched and the cutoff machine is closed. When the breaker closes, the railroad crossing is secured for a certain period of time. And the signal of the passage permission which shows permission of passage of a train is transmitted to a train. After the train passes the railroad crossing, a passing completion signal indicating that the train has passed the railroad crossing is transmitted to the railroad crossing control device. Then, the crossing control device that has received the passage completion signal opens the breaker and transitions to the initial state.

  However, when the passage completion signal cannot be received, a car or the like cannot pass unless the breaker is opened forever. Therefore, the breaker waits for several minutes to open.

  In such a system, several unexpected failure events can occur. For example, a train driver may stop the train either illegally or due to a malfunction, ignoring the train stop signal, or causing a railroad crossing control device or railroad rail failure due to an unknown hardware failure. Such as when you can't.

A state machine diagram of such a train, railroad crossing control device, and breaker is shown in FIG. For simplicity of explanation, it is assumed that all message actions in the transition of FIG. 6 are synchronized (synchronous transition).
Further, the general interpretation of the logical expressions of the three synchronous transitions of state A, state B, and state C is as shown in FIG. 7 for the two synchronous transitions shown in FIG.

  The state machine diagram can be interpreted as a set of logical expressions based on the above-described rules for generating logical expressions as shown in FIG.

  As an example, an explanation will be given of interpretation into a logical expression between transitions (e1 / B.i1 transition) between the state A1 and the state A2 shown in FIG.

  First, since the occurrence of the event e1 is not defined in the state machine diagram, the event e1 is an external event. In the state machine diagram, since event i1 is an event that occurs in the action corresponding to the transition, event i1 is an internal event.

  In this embodiment, since all message actions of transition in the state machine diagram are assumed to be synchronized, the transition between the state A1 and the state A2 is a synchronous transition.

  The system then looks for a transition to receive message i1 and finds a transition of i1 / C.a1 between state B1 and state B2. This transition between the state B1 and the state B2 is also a synchronous transition, and this transition sends the message a1 to the composite state C (for the same reason as the transition between the state A1 and the state A2 described above). .

  The system then looks for a transition that receives message a1 and finds a transition due to a1 between state c1 and state c2. If the transition does not send any message, the correlation transition search ends.

そして、これらの遷移を、図７の同期遷移に関する解釈パターンに適用することにより、下記式に示されるように、図８の（１）、（２）、（３）式が得られる。

このようにして、図６に示される状態機械図を図８に示す論理式のセットと解釈する。 After the search, the three correlation transitions are shown below.

Then, by applying these transitions to the interpretation pattern relating to the synchronous transition of FIG. 7, the expressions (1), (2), and (3) of FIG. 8 are obtained as shown in the following expression.

In this way, the state machine diagram shown in FIG. 6 is interpreted as a set of logical expressions shown in FIG.

  Next, suppose that the most dangerous top event is A30C0 in this level crossing control system. That is, the train is on the railroad crossing (A3), the circuit breaker is opened (C0), and the train collides with the car or the person.

  This dangerous situation cannot be solved by conventional FTAs. This is because both A3 and Co are independent failure events, and if they do not occur at the same time, they are the normal state of the train and the normal state of the circuit breaker.

  In such an example, the user may have external events as events e2 (train brake failure), e3 (ignore driver's stop signal), e5 (timeout), e6 (crossing control device failure) and e7 ( Assume that a breaker failure is defined as a basic failure event, and events e1 (a train approaches a railroad crossing and sends a cut-off request signal) and e4 (passing a train crossing) are defined as basic normal events.

  The initial setting of the state machine diagram is A1∧B1∧C1.

  When the user inputs the failure top event (A3∧C0) and the above user information, a failure tree analysis diagram as shown in FIG. 9 can be generated based on the logical expression interpreted from the state machine diagram. it can.

  As described above, the state machine diagram can be interpreted as a logical expression, and a fault tree analysis can be generated from the logical expression.

  In the above description of the embodiment and examples, the information processing apparatus is configured by hardware. However, even with a normal computer, the CPU performs the same operation as the operation described in the above embodiment. It can also be implemented by a program to be performed.

  Although the present invention has been described with reference to the preferred embodiments and examples, the present invention is not necessarily limited to the above-described embodiments and aspects, and various modifications can be made within the scope of the technical idea. I can do it.

110 State machine diagram input unit 120 Classification unit 130 State transition interpretation unit 140 Storage unit 150 User interface unit 160 Fault tree analysis generation unit 170 Output unit

Claims (13)

A fault tree analysis generation method in a fault tree analysis system including a composite state composed of a plurality of states and generating a fault tree analysis diagram from a state transition model represented by events and transitions,
The fault tree analysis system classifies the events of the state transition model into internal events or external events, classifies the transitions of the state transition model into independent transitions or related transitions, and classifies the internal events, external events, independent Interpreting the state transition model as at least one logical expression based on a transition or related transition ;
The failure tree analysis generation method generates a failure tree analysis in which a given event is a top event based on the logical expression. The fault tree analysis system interprets the logical expression of the related transition based on information on whether the transition is a synchronous transition or an asynchronous transition.
The fault tree analysis generation method according to claim 1 . The fault tree analysis system has input means for inputting information on whether the transition is a synchronous transition or an asynchronous transition,
The fault tree analysis system specifies whether the transition is a synchronous transition or an asynchronous transition based on the information input from the input unit.
The fault tree analysis generation method according to claim 2 . The failure tree analysis generation method according to claim 1 , wherein the failure tree analysis system generates a failure tree analysis based on information on whether the external event is a failure event. The failure tree analysis system has input means for inputting information as to whether the external event is a failure event,
The failure tree analysis system identifies whether the external event is a failure event based on the information input from the input unit.
The fault tree analysis generation method according to claim 4 . A fault tree analysis generation system for generating a fault tree analysis from a state transition model including a composite state composed of a plurality of states and represented by an event and a transition,
The state transition model event is classified as an internal event or an external event, the state transition model transition is classified as an independent transition or a related transition, and the state is determined from each classified internal event, external event, independent transition or related transition. State transition interpretation means for interpreting the transition model as at least one logical expression;
A fault tree analysis generation system comprising fault tree analysis generation means for generating a fault tree analysis with a given event as a top event based on the logical expression. The fault tree analysis generation system according to claim 6 , wherein the state transition interpretation unit interprets a logical expression of the related transition based on information on whether the transition is a synchronous transition or an asynchronous transition. The fault tree analysis generation system according to claim 7 , further comprising an input unit configured to input information on whether the transition is a synchronous transition or an asynchronous transition. The fault tree analysis generation system according to claim 7 , wherein the fault tree analysis generation unit generates a fault tree analysis based on information about whether the external event is a fault event. The fault tree analysis generation system according to claim 9 , further comprising an input unit configured to input information indicating whether the external event is a fault event. A program that generates a tree analysis of a fault from a state transition model represented by events and transitions , including a composite state composed of a plurality of states
Classifying the events of the state transition model into internal events or external events, classifying the transitions of the state transition model into independent transitions or related transitions, and based on each classified internal event, external event, independent transition or related transition, and state transitions interpretation process to interpret the state transition model as at least one or more logical expressions,
A program for causing an information processing apparatus to execute a failure tree analysis generation process for generating a failure tree analysis with a given event as a top event based on the logical expression. The state transition interpretation process interprets a logical expression of the related transition based on information on whether the transition is a synchronous transition or an asynchronous transition.
The program according to claim 11. The failure tree analysis generation process generates a failure tree analysis based on information about whether the external event is a failure event.
The program according to claim 11.

Images