JP5660503B2 - Consistency inspection device, consistency inspection method, and program - Google Patents

Description

  The present invention relates to a consistency inspection apparatus for inspecting consistency of a case that is a consistency inspection target.

  It is important that systems such as plants, airplanes, railways, and large-scale information processing systems are designed and constructed so that they can operate without problems. However, in such a complicated system, the number of cases may be very large, and items such as each operation may be complicatedly entangled. Therefore, in such a complex system, it may be difficult to confirm whether or not the expected operation is covered. As a result, it has been a difficult task to design and build the system without problems. On the other hand, there is also a problem that, by overlooking an abnormality related to only one of a huge number of items, the influence may affect the entire system, and may greatly affect human lives and organizations.

  In recent years, as a document for sharing a possible problem and a countermeasure for the problem with such a system, it has been made to create a document of a type called an “assurance case”. . The Assurance case is a document that shows the results of studies on the reliability and safety of the system. Therefore, the above-mentioned problems related to the system result in accuracy problems related to the assurance case. Note that a method called GSN (Goal Structure Notation) is used as a method of describing the Assurance case strictly and clearly by specifying the structure. In the GSN, the Assurance case is a structure of a directed acyclic graph that connects nodes that are Goals, Strategies, Evidence, Contexts, and Undeveloped Goals. (For example, see Non-Patent Document 1).

Tim Kelly, Rob Weaver, “The Goal Structure Notation-A Safe Argment Notation”, In DSN-2004: Processed of the Dependable Systems 200

However, the Assurance case is usually a huge document with tens of thousands of pages, and the integrity of the document may be broken here and there. Further, it is very difficult to manually check the consistency. Furthermore, as mentioned above, since the Assurance case targets various things such as plants and airplanes, even if special software for inspecting one Assurance case is developed, You may not be able to inspect the Assurance case. In such a case, it is necessary to develop inspection software for each subject of the Assurance case, which increases the cost. In addition, when the notation method of the Assurance case is changed, there is a problem that the software for the inspection must be changed accordingly.
Generally speaking, it has been required to accurately and accurately inspect the consistency of a case that is a consistency inspection target such as an Assurance case by a highly versatile method.

  The present invention has been made to solve the above-described problems, and an object thereof is to provide a consistency inspection apparatus and the like that can automatically inspect the consistency of a case that is a consistency inspection target. .

In order to achieve the above object, the consistency check apparatus according to the present invention decomposes a goal node corresponding to an object, an evidence node corresponding to a basis for proving the object, and one goal node into one or more goal nodes. Cases that have a directed acyclic graph structure including a strategy node that is to be checked for consistency are described using a term corresponding to each node and an operator corresponding to the parent-child relationship of each node. By a test object storage unit that stores test target information, which is information described in an artificial language that is a target of certification test, a test unit that performs proof test on the test target information, and a test unit An inspection result output unit for outputting a result of the certification inspection.
With such a configuration, it is possible to automatically inspect by the certification inspection by describing the case to be inspected for consistency in an artificial language. Therefore, even if the inspection target is a huge amount, the inspection can be easily performed. In addition, since the inspection is performed by proof inspection, that is, inspection by a proof checker using a theorem proof support system, it is not necessary to independently develop inspection software, and the inspection can be performed by a highly versatile method.

  Further, in the consistency check device according to the present invention, the check target information includes model information including definitions of each item included in the check target information, and discussion structure information indicating a structure of a directed acyclic graph corresponding to the check target information. You may have.

Further, in the consistency check device according to the present invention, it is information indicating each node of the directed acyclic graph corresponding to the check target information and the parent-child relationship between the nodes, and information on a case that is a check target of the consistency. Depending on the graph storage unit that stores the graph information and the parent-child relationship pattern of each node of the graph information, each node of the graph information is converted into a term, and the parent-child relationship of each node is converted into an operator and converted And a translation unit that accumulates later inspection target information in the inspection target storage unit.
With such a configuration, a case described using a graph can be converted into inspection object information and a proof inspection can be performed. Therefore, for example, even a person who is unfamiliar with an artificial language can obtain a result of a proof test corresponding to the case by describing the case that is the subject of the consistency check using a graph that is easier to handle than the artificial language. Will be able to.

In the consistency check apparatus according to the present invention, the directed acyclic graph further includes a context node corresponding to context information relating to a case that is a consistency check target, and a directed acyclic graph corresponding to the check target information. Information indicating each node of the graph and the parent-child relationship between the nodes, a graph storage unit for storing graph information that is information of a case that is a consistency check target, a check target information, a term and an operator A translation unit that converts each item of the inspection object information into a node, converts each operator into a parent-child relationship of each node, and accumulates the converted graph information in the graph storage unit You may prepare.
With such a configuration, the inspection object information can be converted into graph information. Therefore, the case described in the artificial language can be seen with the graph information that is easy to understand visually.

In the consistency checking device according to the present invention, the artificial language may be an artificial language based on a constructive type theory.
With such a configuration, the case itself described in the artificial language can be executed as a program.

  The consistency inspection apparatus according to the present invention may further include an execution unit that executes inspection target information that has been inspected for errors by proof inspection by the inspection unit.

In the consistency inspection apparatus according to the present invention, the execution unit executes the inspection target information, so that the item corresponding to each node of the case that is the consistency inspection target and the parent and child of each node are obtained from the inspection target information. Inspection target information in a format that explicitly describes an operator according to the relationship may be generated.
With such a configuration, it is possible to convert the inspection target information into graph information by converting the inspection target information into a format in which terms and operators are explicitly described before or during translation. become.

In the consistency inspection apparatus according to the present invention, the inspection object storage unit also stores a conversion program according to the process of converting the inspection object information into the graph information, and the translation unit executes the conversion program to thereby inspect the inspection object. Information may be converted into graph information.
With such a configuration, conversion of information by the translation unit is realized by the conversion program.

Further, in the consistency checking device according to the present invention, the inspection target information and the conversion program may be described in the same artificial language based on the structural type theory.
With such a configuration, the conversion program itself can be the subject of certification inspection, and conversion processing can be performed by the inspected conversion program.

In the consistency checking device according to the present invention, the term of the inspection target information includes a meta variable, and the artificial language may be an artificial language of an interactive proof support system.
With such a configuration, even for inspection object information including meta variables (for example, inspection object information being created), a certification inspection can be performed at that stage. As a result, at that stage, it can be confirmed whether or not the inspection object information is appropriately configured.

  According to the consistency inspection apparatus and the like according to the present invention, the consistency of a case to be inspected for consistency, such as an assurance case, can be inspected by a certification inspection. Therefore, it is possible to automatically inspect with high accuracy by a highly versatile method.

The block diagram which shows the structure of the consistency inspection apparatus by Embodiment 1 of this invention. The flowchart which shows operation | movement of the consistency inspection apparatus by the embodiment The flowchart which shows operation | movement of the consistency inspection apparatus by the embodiment The flowchart which shows operation | movement of the consistency inspection apparatus by the embodiment The flowchart which shows operation | movement of the consistency inspection apparatus by the embodiment The flowchart which shows operation | movement of the consistency inspection apparatus by the embodiment The flowchart which shows operation | movement of the consistency inspection apparatus by the embodiment The flowchart which shows operation | movement of the consistency inspection apparatus by the embodiment The figure for demonstrating the structure of the case and argument in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the graph information in the embodiment The figure which shows an example of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the information taken in into inspection object information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the information taken in into inspection object information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the error in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the error in the embodiment The figure which shows an example of the display of the graph information in the embodiment The figure which shows an example of the test object information in the embodiment The figure which shows an example of the display of the error in the embodiment Schematic diagram showing an example of the appearance of the computer system in the embodiment The figure which shows an example of a structure of the computer system in the embodiment

  Hereinafter, a consistency inspection apparatus according to the present invention will be described using embodiments. In the following embodiments, components and steps denoted by the same reference numerals are the same or equivalent, and repetitive description may be omitted.

(Embodiment 1)
A consistency inspection apparatus according to Embodiment 1 of the present invention will be described with reference to the drawings. The consistency checking device according to the present embodiment checks the consistency of a case described in an artificial language by performing a proof check on the case to be checked for consistency.

  FIG. 1 is a block diagram showing a configuration of a consistency inspection apparatus 1 according to this embodiment. The consistency inspection apparatus 1 according to the present embodiment includes an inspection object storage unit 11, an inspection unit 12, an inspection result output unit 13, an execution unit 14, a graph storage unit 15, a translation unit 16, and a display unit 17. And a reception unit 18.

  The inspection object storage unit 11 stores inspection object information. The inspection target information is information in which a case that is a consistency inspection target is described in an artificial language that is an object of certification inspection. The case to be inspected for consistency may be, for example, the aforementioned assurance case or safety case, or other cases. The case has a structure of a directed acyclic graph including a plurality of nodes. The types of nodes that can appear in the structure are at least a goal node corresponding to the purpose, an evidence node corresponding to the basis for verifying the purpose, and one goal node broken down into one or more goal nodes Strategy nodes are included. The plurality of nodes may further include a context node corresponding to context information regarding a case to be checked for consistency. The plurality of nodes may further include unachieved goals that have not yet been proved. In the present embodiment, a case where a case that is a consistency check target has a goal node, a strategy node, an evidence node, and a context node will be mainly described. Since each node included in the structure of the directed acyclic graph is connected to have the structure of the directed acyclic graph, each node has one or a plurality of parent nodes. However, since it is acyclic, when a node is traced in the parent direction or the child direction, it does not return to the original node. In the directed acyclic graph structure, the root node may be singular or plural. In the following description of the present embodiment, it is assumed that there is a single root node in the directed acyclic graph. Note that a directed acyclic graph with a single root node can be considered by dividing it into a plurality of directed acyclic graphs with a single root node. A directed acyclic graph having a plurality of root nodes can be considered as a combination of two or more directed acyclic graphs having a single root node. Also, the directed acyclic graph having a single root node may be, for example, a tree structure or not. In the case of a tree structure, each node has a single parent node. In the present embodiment, the case where the directed acyclic graph has a tree structure will be mainly described. In the directed acyclic graph, a goal node that is a root node (this goal node may be referred to as a “top goal node”) is used as one or more other goal nodes (this goal node is referred to as a “subgoal node”). It may be called) to reach the evidence node that is a leaf node. As known in the GSN, the top goal node is usually decomposed into a plurality of subgoal nodes, which are repeated, and finally the leaf-side subgoal node is proved by the evidence node. Therefore, each subgoal node is proved, and as a result, the top goal node is proved. Normally, when a single goal node is decomposed into a plurality of goal nodes, it is decomposed by the strategy node. In addition, a goal node whose leaf-side structure leading to the evidence node is not determined is an unachieved goal node. Further, context information of the entire case to be checked for consistency or partial context information of the case is indicated by the context node.

  The inspection target information is information in which a case having a directed acyclic graph structure including a plurality of nodes is described using a term corresponding to each node and an operator corresponding to the parent-child relationship of each node. is there. Further, the inspection object information is information described in an artificial language that is the object of the certification inspection as described above. The artificial language is an artificial language that can perform a proof test. The artificial language may or may not be an artificial language based on constructive type theory. In the present embodiment, the case where the artificial language is an artificial language based on constructive type theory will be mainly described. As such an artificial language, for example, Agda, Coq, NuPRL and the like are known. In the present embodiment, the case where the artificial language based on the constructive type theory is Agda will be mainly described. Further, the inspection target information may be information including model information including definitions of each item included in the inspection target information and discussion structure information indicating a structure of a directed acyclic graph corresponding to the inspection target information. . In this embodiment, the case will be mainly described. The discussion structure information is information in which the parent-child relationship of each node in the case of the consistency check target is described in an artificial language. The model information may be, for example, information in which all of the model information is not included in the discussion structure information, all of the model information may be included in the discussion structure information, or a part of the model information. May be included in the discussion structure information. Hereinafter, of the model information, information included in the discussion structure information may be referred to as local model information, and information not included in the discussion structure information may be referred to as global model information. Therefore, all of the model information may be global model information, all of which may be local model information, or may include global model information and local model information. Further, the discussion structure information included in the examination target information may be information including a generation function (generation program) of argument structure information corresponding to the structure of a specific directed acyclic graph and an argument value. . In that case, the specific parent-child relationship of the node is not shown depending on the argument structure information itself, but the argument value included in the argument structure information is applied to the generation function included in the argument structure information, By executing the generation function, discussion structure information corresponding to the structure of the specific directed acyclic graph is generated, so the discussion structure information that actually indicates the specific parent-child relationship of the nodes Can be considered to be the same as given. The discussion structure information corresponding to the structure of the specific directed acyclic graph is obtained by explicitly including a term corresponding to each node of the case to be checked for consistency and an operator corresponding to the parent-child relationship of each node. Is the discussion structure information in the format described in. Note that the execution function 14 executes the generation function. Further, the inspection target information may include an execution program related to information used in the certification inspection. In that case, when the proof check is performed, the execution program is executed, and the proof check is performed using the execution result. The execution result may be, for example, information obtained at that time or other information. Specifically, by executing the execution program, values at the time (for example, temperature, pressure, sensor values, etc.) may be acquired, and proof inspection may be performed using them. . Note that the execution program 14 is executed by the execution unit 14.

  Here, the structure of the case described by the inspection object information will be briefly described. As shown in FIG. 9A, one case has a goal node that is a root node and an argument that is a sub-tree structure that is a child of the goal node, or the goal node is a root node. And a context node whose parent is the goal node. As shown in FIG. 9B, the argument has a strategy node that is a root node and one or more cases that are children of the strategy node, is an evidence node itself, or is a strategy. It has a partial argument whose node is the root node and a context node whose parent is the strategy node. A strategy node that does not have a case that is a child node is the same as an evidence node. However, in the present embodiment, such a strategy node is treated as an evidence node. Since the case to be checked for consistency has the structure shown in FIG. 9, it can be described by the parent-child relationship of the goal node, strategy node, evidence node, and context node as described above. it can. In addition, although the case where the case has a tree structure has been described in FIG. 9, as described above, the case may be a directed acyclic graph. Therefore, in that case, for example, the evidence node may have two or more parent nodes.

  Next, with respect to the information to be examined when the case shown in FIG. 9 is described in Agda, which is an artificial language based on the constructive type theory, the extended Backus-Nau Form (EBNF; ISO / IEC 14977: 1996). The categories of cases, arguments, goals, strategies, evidences, and contexts of Agda are represented as Case, Argent, Goal, Strategy, Evidence, and Context. Then, Case is described as follows, corresponding to FIG.

Case :: = Goal∋Argent
｜ CONTEXT [Context / Case]

  Note that “:: =” is an EBNF notation that indicates that the category on the left side is configured as the right side, and “|” is a notation indicating “or”. In the case of the above formula, one Case is configured as “g「 a ”from one Goal“ g ”and one Argon“ a ”, or one Context“ s ”and one Case“ d ”. To “CONTEXT [s / d]”. Also, corresponding to FIG. 9B, the Argent is described as follows.

Argent :: = Strategy { · Case }
｜ Evidence
｜ CONTEXT [Context / Argent]

Here, { } is an EBNF notation indicating repetition of 0 or more. “∋”, “•”, or CONTEXT [/] is an operator. Further, Goal, Strategy, Evidence, and Context are terms. Therefore, since the case indicated by the parent-child relationship of each node and the inspection object information describing the case in the artificial language are associated as described above, an arbitrary case can be associated with the artificial language (in this case, Agda). Can be described using.

The definition of each operator described above will be briefly described. First, the definition of “∋” in Agda is as shown in the following two lines.
_∋_: (A: Set) → (a: A) → A
A∋a = a

  Therefore, the Agda notation “A∋a” indicates the same value as “a” and clearly indicates that the type of a is A. The definition of the operator “∋” is explained in words. “Only when the first argument A is a type and the second argument a is an A type, the type check is performed. Can be said to be an operator that returns as Therefore, when an operator similar to “∋” is defined in an artificial language based on a constructive type theory other than Agda, an operator having such properties may be defined.

Next, the definition of “·” in Agda is as follows.
__: {A: Set} → {B: A → Set} → (f: (a: A) → Ba) → (a: A) → Ba
f · a = fa

  Therefore, the Agda notation “f · a” indicates the same value as “fa” (result of applying the argument “a” to the function “f”) while clearly indicating the distinction between the function part and the argument part. The definition of the operator “•” is described in words. “When the first argument f is a function, the type of the function is (x: A) → Bx, and the second argument a is the A type. In this case, it can be said that the operator returns a fa (value of Ba type) as a value. Therefore, when an operator similar to “·” is defined in an artificial language based on a constructive type theory other than Agda, an operator having such properties may be defined.

  Next, CONTEXT [s / x] is an operator that adds context information (character string) s to case x and argument x. Therefore, CONTEXT [s / x] is x. Therefore, when an operator similar to CONTEXT [/] is defined in an artificial language based on a constructive type theory other than Agda, an operator having such properties may be defined.

  The process in which inspection object information is memorize | stored in the inspection object memory | storage part 11 does not ask | require. For example, the inspection target information may be stored in the inspection target storage unit 11 via a recording medium, and the inspection target information transmitted via a communication line or the like is stored in the inspection target storage unit 11. The inspection object information input via the input device may be stored in the inspection object storage unit 11, or the inspection object information obtained by converting the graph information by the translation unit 16 may be inspected. It may be stored in the target storage unit 11. The storage in the inspection object storage unit 11 may be temporary storage in a RAM or the like, or may be long-term storage. The inspection object storage unit 11 can be realized by a predetermined recording medium (for example, a semiconductor memory, a magnetic disk, an optical disk, or the like).

  The inspection unit 12 performs a certification inspection on the inspection target information. This certification test is prepared in advance in an artificial language for performing a certification test. The inspection unit 12 is realized by a function called a proof checker in such an artificial language. The inspection unit 12 can acquire the presence or absence of an error by proof inspection. Further, when there is an error, the inspection unit 12 may also acquire information indicating the location of the error. The information indicating the location of the error may be, for example, a line number in the inspection target information or a column number added thereto, and the number of characters from the reference position or the data capacity (for example, the number of bytes) Etc.) or a combination thereof. The function of the inspection unit 12 is known as a proof checker as described above, and a detailed description thereof is omitted.

  The inspection result output unit 13 outputs the result of the certification inspection performed by the inspection unit 12. The result of the certification check may include, for example, information indicating the presence / absence of an error, and may include information indicating the location of the error when an error exists, or the result of another certification check. May be included. When an error location is indicated by the result of the certification inspection, for example, a row number or a column number may be displayed so that the error location may be identified, and a highlight display (for example, underline or The location of the error may be indicated by highlighting in bold, etc., or the color of other portions may be changed), and moving the cursor to the beginning of the error location The location of the error may be indicated by other methods. Here, the output may be, for example, display on a display device (for example, a CRT or a liquid crystal display), transmission via a communication line to a predetermined device, printing by a printer, or audio output by a speaker. Alternatively, it may be stored in a recording medium or delivered to another component. Note that the inspection result output unit 13 may or may not include a device (for example, a display device or a printer) that performs output. Moreover, the test result output unit 13 may be realized by hardware, or may be realized by software such as a driver that drives these devices.

  The execution unit 14 executes the inspection target information that has been inspected for errors by the proof inspection by the inspection unit 12. The execution of the inspection object information is performed, for example, when converting the inspection object information described later into graph information. When the inspection target information is executed at the time of conversion from the inspection target information to the graph information, the execution unit 14 uses the argument structure information in the argument structure information including the generation function and the argument value as described above. By applying the value to the generation function and executing it, the discussion structure information indicating the specific parent-child relationship of the nodes, that is, the term corresponding to each node of the case whose consistency is to be checked, and the parent-child of each node The discussion structure information may be generated in a format that explicitly describes an operator corresponding to the relationship. The generation function is executed at the time of conversion from inspection object information to graph information. The execution of the generation function may be performed collectively, for example, at the time of conversion from the inspection target information to the graph information, or may be performed sequentially as the conversion process proceeds. . In any case, the execution unit 14 may perform at least the execution for generating the discussion structure information indicating the specific parent-child relationship of the nodes, and may not perform any further execution.

  The execution unit 14 may execute the inspection target information at the time of the certification inspection by the inspection unit 12. As described above, in the case where the inspection target information includes an execution program related to information used in the certification inspection, the execution unit 14 executes the execution program when the certification inspection of the inspection target information is performed. Then, the execution result may be passed to the inspection unit 12. Then, the inspection unit 12 performs a proof inspection using the execution result.

  The graph storage unit 15 stores graph information. The graph information is information indicating each node of the directed acyclic graph corresponding to the inspection target information and the parent-child relationship between them. Further, the graph information is information on a case that is an object of consistency check. The information to be inspected is written in an artificial language, so it may be difficult for an unfamiliar person to understand. However, this graph information is information that can visually understand the parent-child relationship of nodes. Therefore, it is easy to understand even if you are not an expert. This graph information indicates information indicating the nature of each node (for example, information indicating whether each node is a goal node, a strategy node, or an evidence node) and the parent-child relationship of each node. Any information including information may be used. Therefore, the graph information may be, for example, information having information on each node and link information indicating the parent-child relationship of the node, or information on each node including information indicating the parent node. Information of each node including information indicating child nodes may be used. Thus, the structure of the graph information does not matter. The graph information may be described in a markup language such as XML, or may be information in other data formats.

  The process in which the graph information is stored in the graph storage unit 15 does not matter. For example, the graph information may be stored in the graph storage unit 15 via the recording medium, or the graph information transmitted via the communication line or the like may be stored in the graph storage unit 15. The graph information input via the input device may be stored in the graph storage unit 15, or the graph information obtained by converting the inspection target information by the translation unit 16 is stored in the graph storage unit 15. It may come to be. The storage in the graph storage unit 15 may be temporary storage in a RAM or the like, or may be long-term storage. The graph storage unit 15 can be realized by a predetermined recording medium (for example, a semiconductor memory, a magnetic disk, an optical disk, etc.).

  The translation unit 16 performs conversion between the inspection target information and the graph information. For example, the translation unit 16 may convert the inspection object information into graph information, accumulate the converted graph information in the graph storage unit 15, convert the graph information into inspection object information, and convert the inspection object information after conversion. May be stored in the inspection object storage unit 11, or both of the processes may be performed. In the present embodiment, a case where the translation unit 16 performs both processes will be mainly described. When converting the inspection target information into the graph information, the translation unit 16 converts each item of the inspection target information into a node according to the pattern of the term and the operator, and converts each operator into a node. Convert to the parent-child relationship of each node. In addition, when converting the graph information into the inspection target information, the translation unit 16 converts each node of the graph information into a term according to the parent-child relationship pattern of each node of the graph information, and the parent-child relationship of each node. Is converted to an operator. Details of the conversion process by the translation unit 16 will be described later using a flowchart.

  The display unit 17 displays the inspection target information stored in the inspection target storage unit 11 and the graph information stored in the graph storage unit 15. When displaying the inspection object information, the display unit 17 may display the inspection object information as it is. On the other hand, when displaying the graph information, the display unit 17 may generate an image of a directed acyclic graph in which the parent-child relationship of each node is known, and display the image. The graph information may be displayed as it is. Note that a method for generating an image of a directed acyclic graph from a node and information indicating the parent-child relationship of the node is already known, and detailed description thereof is omitted. The display unit 17 may display other information. For example, the execution result by the execution unit 14 may be displayed. The display unit 17 may or may not include a display device (for example, a CRT or a liquid crystal display) that performs such display. The display target may be displayed on another device. In that case, the display unit 17 may transmit information to be displayed to the outside of the apparatus. The display unit 17 may be realized by hardware, or may be realized by software such as a driver that drives a display device.

  The receiving unit 18 receives instructions and information. For example, the accepting unit 18 may accept the inspection target information and change the inspection target information stored in the inspection target storage unit 11 accordingly. For example, the reception unit 18 may perform reception regarding graph information and change the graph information stored in the graph storage unit 15 accordingly. Further, for example, the receiving unit 18 may receive an instruction for inspection and an instruction for translation, and in response, may instruct the inspection unit 12 and the translation unit 16 to inspect and translate.

As a system in which the graph information stored in the graph storage unit 15 is changed according to the information received by the receiving unit 18 and the display unit 17 displays the nodes and links according to the changed graph information. D-Case Editor is known. Therefore, detailed description regarding the change of the graph information and the display of the graph information is omitted. For details of the D-Case Editor, refer to the following URL, for example. Note that “D” in D-Case indicates Dependability.
URL: http: // www. il. is. s. u-tokyo. ac. jp / deos / dcase / D-Case_Editor. html

  For example, the reception unit 18 may receive information input from an input device (for example, a keyboard, a mouse, a touch panel, etc.), may receive information transmitted via a wired or wireless communication line, Information read from a predetermined recording medium (for example, an optical disk, a magnetic disk, a semiconductor memory, etc.) may be received. The reception unit 18 may or may not include a device (for example, a modem or a network card) for reception. The receiving unit 18 may be realized by hardware, or may be realized by software such as a driver that drives a predetermined device.

  The inspection object storage unit 11 and the graph storage unit 15 may be realized by the same recording medium, or may be realized by separate recording media. In the former case, the area storing the inspection object information is the inspection object storage unit 11, and the area storing the graph information is the graph storage unit 15.

Next, the operation of the consistency inspection apparatus 1 will be described using the flowchart of FIG.
(Step S101) The inspection unit 12 determines whether to perform a certification inspection. And when performing a certification | authentication inspection, it progresses to step S102, and when that is not right, it progresses to step S104. For example, the inspection unit 12 may determine that the inspection is performed when an instruction for inspection is received by the reception unit 18, or may determine that the inspection is performed at other timing.

  (Step S <b> 102) The inspection unit 12 performs a certification inspection on the inspection object information stored in the inspection object storage unit 11. And the inspection result is acquired.

  (Step S103) The inspection result output unit 13 outputs the inspection result by the inspection unit 12. Then, the process returns to step S101.

  (Step S <b> 104) The receiving unit 18 determines whether information related to the inspection target information has been received. If information related to the inspection target information is received, the process proceeds to step S105, and if not, the process proceeds to step S107.

  (Step S <b> 105) The receiving unit 18 changes the inspection target information stored in the inspection target storage unit 11 according to the received information regarding the inspection target information. The change may be, for example, accumulation of inspection object information, deletion of inspection object information, or partial change of inspection object information.

  (Step S106) The display unit 17 displays the inspection object information after the change. Then, the process returns to step S101.

  (Step S107) The reception unit 18 determines whether information related to graph information has been received. If information related to the graph information is received, the process proceeds to step S108, and if not, the process proceeds to step S110.

  (Step S108) The accepting unit 18 changes the graph information stored in the inspection target storage unit 11 in accordance with the information related to the accepted graph information. The change may be, for example, accumulation of graph information, deletion of graph information, or partial change of graph information.

  (Step S109) The display unit 17 displays the changed graph information. Then, the process returns to step S101.

  (Step S110) The translation unit 16 determines whether to convert the inspection object information into graph information. And when performing the conversion, it progresses to step S111, and when that is not right, it progresses to step S113. For example, the translation unit 16 may determine that the conversion is performed when the reception unit 18 receives an instruction to convert the inspection target information into the graph information, or the conversion may be performed at other timing. You may decide to do.

  (Step S111) The translation unit 16 converts the inspection object information into graph information. Detailed processing of the conversion will be described later using the flowchart of FIG.

  (Step S112) The display unit 17 displays the converted graph information. Then, the process returns to step S101.

  (Step S113) The translation unit 16 determines whether to convert the graph information into the inspection target information. And when performing the conversion, it progresses to step S114, and when that is not right, it returns to step S101. For example, the translation unit 16 may determine that the conversion is performed when the reception unit 18 receives an instruction for conversion from the graph information to the inspection object information, or the conversion is performed at other timing. You may decide to do.

  (Step S114) The translation unit 16 converts the graph information into inspection object information. Detailed processing of the conversion will be described later with reference to the flowchart of FIG.

  (Step S115) The display unit 17 displays the inspection target information after conversion. Then, the process returns to step S101.

  In the flowchart of FIG. 2, the process is terminated by powering off or a process termination interrupt. Further, in the flowchart of FIG. 2, when converting the inspection object information into the graph information, it should be confirmed that there is no problem by the proof inspection by the inspection unit 12. Therefore, when proceeding from step S110 to step S111, a proof check is performed, and only when it is confirmed that there is no problem, the process proceeds to step S111, and when there is a problem, the process may return to step S101.

FIG. 3 is a flowchart showing details of the process of translation from the inspection target to the graph (step S111) in the flowchart of FIG.
(Step S <b> 201) The translation unit 16 specifies a place where a description corresponding to a case is made in the inspection target information stored in the inspection target storage unit 11. Usually, the location is a range corresponding to the directed acyclic graph in the discussion structure information. The location of the description may be, for example, storing the location of the description on a recording medium (not shown), or setting a flag or the like at the specified location. May be stored in a recording medium (not shown) or other specific information.

  (Step S202) The execution unit 14 determines whether to execute inspection target information. And when performing, it progresses to step S203, and when that is not right, it progresses to step S204. Note that the execution unit 14 determines that the inspection target information is to be executed when the case is described using some generation function in the inspection target information, and the term or operator is not explicitly described. In some cases, it may be determined not to execute.

  (Step S203) The execution unit 14 executes the inspection target information. In other words, by executing a generation function included in the inspection target information, the inspection target information in a form that explicitly describes terms and operators is generated. The inspection target information after the execution may be accumulated in the inspection target storage unit 11.

  (Step S204) The translation unit 16 performs a description process according to the case specified in Step S201, that is, a process for converting the description according to the case into graph information. Details of this processing will be described later with reference to the flowchart of FIG.

  (Step S205) The translation unit 16 determines whether or not to perform processing for adding a node or the like to the graph information stored in the graph storage unit 15. If the process of adding a node or the like is performed, the process proceeds to step S206. If not, the process returns to the flowchart of FIG. For example, the translation unit 16 may determine that the process of adding a node or the like is performed when the model information is included in the inspection target information, and the discussion structure information includes information indicating other than the parent-child relationship of the nodes. In such a case, it may be determined that processing for adding a node or the like is performed, or in other cases, processing for adding a node or the like may be performed.

  (Step S206) The translation unit 16 adds information such as a node to the graph information stored in the graph storage unit 15. And it returns to the flowchart of FIG. Specifically, the translation unit 16 may add a context node corresponding to model information, a case name, or the like to the graph information, may add information corresponding to the model information to the graph information, or Other information may be added to the graph information. In addition, when information other than a node is added, when the graph information is displayed, the added information may not be displayed. That is, the graph information may include at least a part of the inspection target information as invisible information.

  In the flowchart of FIG. 3, the case where the execution unit 14 executes the generation function in step S203 to convert the inspection target information into a form in which terms and operators are explicitly described has been described. May be. For example, as described above, the conversion may be performed sequentially in the translation process. In the flowchart of FIG. 3, the translation unit 16 sequentially accumulates information obtained by converting the inspection target information into graph information in the graph storage unit 15, but this need not be the case. The translation unit 16 may sequentially accumulate a part of the graph information on a recording medium (not shown), and after the graph information is completed, it may be accumulated in the graph storage unit 15 in a lump.

FIG. 4 is a flowchart showing details of the description processing (step S204) according to the case in the flowchart of FIG.
(Step S301) The translation unit 16 specifies a pattern of a case to be processed. As shown in FIG. 9A, this is usually a goal and argument pattern or a case and context pattern. This pattern can be specified by reading a pattern stored in advance on a recording medium (not shown) and performing pattern matching. The pattern is, for example, a pattern of “g∋t1” or “CONTEXT [s / t2]”. g is an arbitrary goal term, t1 is an arbitrary argument, t2 is an arbitrary case, and s is an arbitrary context term.

  (Step S302) The translation unit 16 generates a node corresponding to the identified pattern. For example, when the pattern “g∋t” is specified, the translation unit 16 generates a goal node corresponding to “g” accordingly. For example, when the pattern “CONTEXT [s / t]” is specified, the translation unit 16 generates a context node corresponding to “s” accordingly.

  (Step S303) The translation unit 16 determines whether or not the remaining part other than that generated in step S302 is a case. For example, when the pattern “g∋t” is specified, the translation unit 16 determines that the remaining part other than the goal node corresponding to “g” is an argument “t” that is not a case. On the other hand, for example, when the pattern “CONTEXT [s / t]” is specified, the translation unit 16 determines that the remaining part other than the context node corresponding to “s” is the case “t”. And when the remaining part is a case, it progresses to step S304, and when that is not right, it progresses to step S305.

  (Step S304) The translation unit 16 executes description processing corresponding to the case for the remaining part. This process is shown in the flowchart of FIG. That is, the translation unit 16 recursively executes the description process according to the case.

  (Step S305) The translation unit 16 executes a description process according to the arguments for the remaining part. Details of the processing will be described later with reference to the flowchart of FIG.

  (Step S306) The translation unit 16 generates a link between the node generated in step S302 and the remaining portion. The direction of the link is in accordance with the pattern specified in step S301. Then, the process returns to the upper flowchart. For example, when the pattern “g∋t” is specified, the translation unit 16 generates a link whose parent node is the goal node corresponding to “g” and whose child is the root node of the argument corresponding to “t”. . For example, when the pattern “CONTEXT [s / t]” is specified, the translation unit 16 uses the context node corresponding to “s” as a child, and the root node (goal node) of the remaining case “t”. Creates a parent link.

FIG. 5 is a flowchart showing details of the description processing (step S305) according to the arguments in the flowchart of FIG.
(Step S401) The translation unit 16 specifies an argument pattern to be processed. As shown in FIG. 9 (b), this is typically a strategy and case pattern, an evidence pattern, or an argument and context pattern. This pattern can be specified by reading a pattern stored in advance on a recording medium (not shown) and performing pattern matching. The pattern is, for example, a pattern of “f · t ₁ · t ₂ ... · T _n ” or “CONTEXT [s / t]”. In the former pattern, when n is 1 or more, f is a term of an arbitrary strategy, t _{1 and the} like are terms according to an arbitrary case, and when n is 0, f is , Any evidence term. In the latter pattern, t is an arbitrary argument term, and s is an arbitrary context term.

(Step S402) The translation unit 16 generates a node corresponding to the specified pattern. For example, when the pattern “f · t ₁ · t ₂ ... T _n ” with n ≧ 1 is specified, the translation unit 16 generates a strategy node corresponding to “f” accordingly. For example, when the pattern “f · t ₁ · t ₂ ... · T _n ” of n = 0 is specified, the translation unit 16 generates an evidence node corresponding to “f” accordingly. For example, when the pattern “CONTEXT [s / t]” is specified, the translation unit 16 generates a context node corresponding to “s” accordingly.

  (Step S403) The translation unit 16 determines whether the generated node is a leaf node, that is, an evidence node. If it is a leaf node, the process returns to the upper flowchart, and if not, the process proceeds to step S404.

(Step S404) The translation unit 16 determines whether or not the remaining part other than that generated in step S403 is a case. For example, when the pattern “f · t ₁ · t ₂ ... T _n ” with n ≧ 1 is specified, the translation unit 16 determines that the remaining part other than the strategy node corresponding to “f” is the case “t”. ₁ ”,“ t ₂ ”,...,“ T _n ”. For example, when the pattern “CONTEXT [s / t]” is specified, the translation unit 16 determines that the remaining part other than the context node corresponding to “s” is the argument “t”. And when the remaining part is a case, it progresses to step S405, and when that is not right, it progresses to step S408.

  (Step S405) The translation unit 16 executes description processing corresponding to the case for the remaining part. This process is shown in the flowchart of FIG.

(Step S406) The translation unit 16 generates a link between the node generated in step S402 and the remaining portion. The direction of the link is in accordance with the pattern specified in step S401. Then, the process returns to the upper flowchart. For example, when the pattern “f · t ₁ · t ₂ ... T _n ” with n ≧ 1 is specified, the translation unit 16 becomes the parent of the strategy node corresponding to “f”, and the process is performed in step S405. A link in which the root node (goal node) of the performed case is a child is generated.

(Step S407) The translation unit 16 determines whether there is a case that has not yet been processed. If it exists, the process returns to step S405 to execute a description process corresponding to the case. If not, the process returns to the upper flowchart. If a pattern “f · t ₁ · t ₂ ... T _n ” with n ≧ 1 is specified in step S401, the processes in steps S405 and S406 are repeated n times.

  (Step S <b> 408) The translation unit 16 executes a description process corresponding to the argument for the remaining part. This process is shown in the flowchart of FIG. That is, the translation unit 16 recursively executes a description process according to the argument.

  (Step S409) The translation unit 16 generates a link between the node generated in step S402 and the remaining portion. The direction of the link is in accordance with the pattern specified in step S401. Then, the process returns to the upper flowchart. For example, when the pattern “CONTEXT [s / t]” is specified, the translation unit 16 has a context node corresponding to “s” as a child, and the root node (strategy node or strategy node) of the remaining argument “t”. Evidence node) creates a parent link.

FIG. 6 is a flowchart showing details of the process of translation from the graph to the inspection object (step S114) in the flowchart of FIG.
(Step S501) The translation unit 16 identifies a root node in the graph information stored in the graph storage unit 15. In the present embodiment, since a directed acyclic graph with one root node is handled, this root node is specified as one. The root node is a node that does not have a parent node. Therefore, it is determined whether or not a parent node exists in each node using information indicating nodes and links included in the graph information, and a node determined to have no parent node becomes a root node. The identification of the root node may be, for example, storing information identifying the root node in a recording medium (not shown), or setting a flag or the like in association with the root node. Or other specific may be sufficient.

  (Step S502) The translation unit 16 performs processing related to the case where the node identified in Step S501 is the root node. Details of this processing will be described later with reference to the flowchart of FIG.

  (Step S503) The translation unit 16 determines whether there is information to be added to the inspection target information. If it exists, the process proceeds to step S504, and if not, the process returns to the flowchart of FIG.

  (Step S504) The translation unit 16 adds information included in the graph information to the inspection target information. For example, when invisible information is included in the graph information, model information corresponding to the invisible information may be added to the inspection target information. For example, when the graph information includes a context node corresponding to model information, a case name, or the like, the model information, case name, or the like included in the context node may be added to the inspection target information. And it returns to the flowchart of FIG.

  In the flowchart of FIG. 6, the translation unit 16 sequentially accumulates the information obtained by converting the graph information into the inspection target information in the inspection target storage unit 11, but this need not be the case. The translation unit 16 may sequentially accumulate a part of the inspection target information on a recording medium (not shown), and after the inspection target information is completed, the translation unit 16 may store the information in the inspection target storage unit 11 collectively. Further, when the graph information is translated into the inspection object information, the graph information may not include information corresponding to the model information. In such a case, the graph information may be translated into a portion corresponding to the discussion structure information of the inspection target information, and thereafter, information corresponding to the model information may be appropriately added to the inspection target information.

FIG. 7 is a flowchart showing details of the case processing (step S502) in the flowchart of FIG.
(Step S601) The translation unit 16 sets the counter i to 1.

  (Step S602) The translation unit 16 identifies a parent-child relationship pattern for the i-th link whose parent is the root node of the case being processed. As shown in FIG. 9A, this is usually a pattern of a parent goal node and a child argument, or a pattern of a parent goal node and a child context node. When the child is an argument, specifically, the child root node is a strategy node or an evidence node. This pattern can be specified by reading a pattern stored in advance on a recording medium (not shown) and performing pattern matching. The pattern is, for example, a pattern in which (parent node, child node) is (goal node, strategy node), pattern (goal node, evidence node), or pattern (goal node, context node). It is.

  (Step S603) The translation unit 16 determines whether the link destination of the i-th link is an argument. For example, when a pattern (goal node, strategy node) or (goal node, evidence node) is specified in step S602, the translation unit 16 determines that the link destination is an argument, and in step S602, the pattern (goal node). When the node or context node is specified, the translation unit 16 determines that the link destination is the context node, that is, it is not an argument. If the link destination is an argument, the process proceeds to step S604, and if not, the process proceeds to step S605.

  (Step S604) The translation unit 16 performs processing related to an argument in which the link destination node of the i-th link is the root node. Details of this processing will be described later with reference to the flowchart of FIG.

  (Step S605) The translation unit 16 generates a term corresponding to the context node that is the link destination of the i-th link. The term is a term corresponding to “s” of the operator CONTEXT [s /].

  (Step S606) The translation unit 16 generates an operator according to the pattern specified for the i-th link. For example, when a pattern (goal node, strategy node) or (goal node, evidence node) is specified, the translation unit 16 (term of goal node) ∋ (argument term with strategy node as root node) And the operator “∋” that becomes (goal node term) ∋ (argument term with the evidence node as a root node). For example, when a pattern (goal node, context node) is specified, the translation unit 16 uses an operator that becomes CONTEXT [(context node term) / (case node with the goal node as the root node)]. CONTEXT [/] is generated.

  (Step S607) The translation unit 16 increments the counter i by 1.

  (Step S608) The translation unit 16 determines whether there is an i-th link whose parent is the root node of the case to be processed. And when it exists, it returns to step S602, and when it does not exist, it progresses to step S609.

  (Step S609) The translation part 16 produces | generates the term of the goal node which is a root node of the case used as a process target.

  (Step S610) The translation unit 16 determines whether there is only one of the i-1 links having an argument at the link destination, and all others have other nodes such as contexts at the link destination. If so, the process proceeds to step S611. If not, the process proceeds to step S612.

(Step S611) The translation unit 16 is subject to processing using the argument term, the linked term, the operator, and the goal node term that is the root node generated in Steps S604 to S606 and S609. Generates the term For example, when all non-argument children are context nodes, the translation unit 16 uses the goal node as a root node as a term of a case.
CONTEXT [(context node item 1) /
CONTEXT [(context node item 2) /
...
CONTEXT [(context node term {i-2}) /
(Goal node term) ∋ (argument term)
] ...]]
Is generated. Here, when i ≧ 2 and i = 2, the operator CONTEXT [/] is not used. Even when there are non-argument children other than the context node, a case term is similarly generated by using the operator generated in step S606 instead of the above CONTEXT [/]. Then, the process returns to the upper flowchart.

  (Step S612) The translation unit 16 generates an “error case term” indicating that a graph that does not match the case structure has been processed. As the “error case term”, select the one that always results in an error as a result of the certification inspection. The “error case term” may include information specifying the root node of the case in which an error has occurred, or may include a term that is a translation result of each child. Then, the process returns to the upper flowchart.

  In step S612, the translation unit 16 may output a warning that a graph that does not match the case structure has been processed, or may abnormally terminate step S114 including the processing of the upper flowchart. Good.

FIG. 8 is a flowchart showing details of the argument processing (step S604) in the flowchart of FIG.
(Step S701) The translation unit 16 determines whether a link destination node exists in the root node of the argument to be processed. If a link destination node exists, the process proceeds to step S702; otherwise, the process proceeds to step S710.

  (Step S702) The translation unit 16 sets the counter j to 1.

  (Step S703) The translation unit 16 specifies a parent-child relationship pattern for the j-th link whose parent is the root node of the argument to be processed. As shown in FIG. 9 (b), this is usually the pattern of the parent strategy node and child case, or the pattern of the parent strategy node and child context node is the parent evidence node and child. This is the pattern of the context node. When the child is a case, specifically, the child root node is a goal node. This pattern can be specified by reading a pattern stored in advance on a recording medium (not shown) and performing pattern matching. The pattern is, for example, a pattern in which (parent node, child node) is (strategy node, goal node), pattern (strategy node, context node), or pattern (evidence node, context node) It is.

  (Step S704) The translation unit 16 determines whether the link destination of the j-th link is a case. For example, when the pattern (strategy node, goal node) is specified in step S703, the translation unit 16 determines that the link destination is a case, and the pattern (strategy node, context node) is specified in step S703. The translation unit 16 determines that the link destination is a context node, that is, not a case. If the link destination is a case, the process proceeds to step S705; otherwise, the process proceeds to step S706.

  (Step S705) The translation unit 16 performs processing related to a case where the goal node that is the link destination of the j-th link is the root node. This process is shown in the flowchart of FIG.

  (Step S706) When the link destination of the j-th link is a context node, for example, the translation unit 16 generates a term corresponding to the context node. The term is a term corresponding to “s” of the operator CONTEXT [s /].

  (Step S707) The translation unit 16 generates an operator according to the pattern specified for the j-th link. For example, when a pattern (strategy node, goal node) is specified, the translation unit 16 generates an operator “·” that becomes (a strategy node term) · (a case node having a goal node as a root node). To do. Also, for example, when a pattern (strategy node, context node) is specified, the translation unit 16 uses an operator that becomes CONTEXT [(term node of context node) / (argument term having a strategy node as a root node)]. CONTEXT [/] is generated.

  (Step S708) The translation unit 16 increments the counter j by 1.

  (Step S709) The translation unit 16 determines whether there is a j-th link whose parent is the root node of the argument to be processed. And when it exists, it returns to step S703, and when it does not exist, it progresses to step S710.

  (Step S710) The translation unit 16 generates a term corresponding to the root node of the argument that is the processing target. For example, if the argument to be processed is an evidence node, an evidence term is generated. If the root node of the argument to be processed is a strategy node, the term of the strategy node is set. Generate.

(Step S711) The translation unit 16 generates an argument term to be processed using the case term, the link destination term, the operator, and the root node term generated in steps S705 to S707 and S710. To do. That is, when there is no link in the root node of the argument to be processed, that is, when the process proceeds from step S701 to step S710, the translation unit 16 determines that the term itself generated in step S710 is the argument term. To do. On the other hand, when there is a link at the root node of the argument to be processed, for example, the translation unit 16 further generates the case generated in step S705 when all the non-case children are context nodes. Are the case term 1, the case term 2,..., The case term k, and the context node terms generated in step S706 are the context node term 1, the context node term 2,. k, m ≧ 0, j−1 = k + m), and as an argument term to be processed,
CONTEXT [(context node term 1) /
CONTEXT [(context node term 2) /
...
CONTEXT [(context node term m) /
(Strategy or evidence term generated in step S710)
・ (Case item 1)
・ (Case item 2)
...
・ (Case item k)
] ...]]
Is generated. If there are non-context children other than the context node, an argument term is similarly generated using the operator generated in step S707 instead of the above CONTEXT [/]. Then, the process returns to the upper flowchart.

  If the root node of the argument is an evidence node and k> 0, an “error argument term” indicating that a graph that does not match the structure of the argument has been processed is generated as in step S612. Alternatively, step S114 may be abnormally terminated including the processing of the upper flowchart.

  Further, the translation processing described using the flowcharts of FIGS. 3 to 8 is an example, and the inspection target information may be translated into graph information by other processing, or the graph information may be converted into inspection target information. You may translate. The translation process in the flowcharts of FIGS. 3 to 8 is a process when the case has a tree structure. Processing in the case where the case has a directed acyclic graph structure will be described later.

  Next, the operation of the consistency inspection apparatus 1 according to the present embodiment will be described using a specific example. In this specific example, a case will be described in which the artificial language based on the constructive type theory is Agda and the consistency check target is a de-case. DeeCase is a specific example in which the concept of the aforementioned case is partially expanded. Further, in this specific example, a case will be described in which a de-case that is a consistency inspection target has a tree structure. The original notation of the “D-Case” concept is “D-Case”. However, in order to avoid confusion with the D-Case defined below as a specific example of the above-mentioned “Case”, it is described here with kana. .

Further, the description in this specific example will be described in more detail. D-Case (case described above), Argent, Goal, Strategie, and Evidence are as follows.
D-Case :: = Goal∋Argent
｜ CONTEXT [Context / D-Case]
Argent :: = Strategy { · D-Case }
｜ Evidence
｜ CONTEXT [Context / Argent]
Goal :: = FormalGoal
| << FormalGoal / Description >>
Strategie :: = FormalStategy
| <Formal Strategie / Description>
Evidence :: = FormalEvidence
｜ <FormalEvidence / Description>

  Note that Context is a description. Further, Formal Strategy and FormalEvidence are Agda terms (expressions in the Agda language). Further, “FormalGoal” is a Set-type Agda term, and “Description” is a String-type Agda term. Thus, when the description can be described, it is possible to display the description character string in association with the node when the inspection target information is translated into the de-case graph information.

The inspection target information in this specific example can include a definition for naming the D-Case. In addition, this definition can include parameters. The utility of being able to refer to the defined D-Case by its name will be described later.
In this specific example, D-Case is defined by declaration of a function definition in the Agda language. The general description of the latter is as follows.
FunctionDefinition :: = [ TypeSignature ]
Function Clause
{ FunctionClasse }
{ Pragma }
TypeSignature :: = FunctionName: AgdaType
Function Clause
:: = LeftHandSide = RightHandSide
LeftHandSide :: = FunctionName { Pattern }
Pattern :: = PatternVariable
｜ ConstructorName { Pattern }

Here, [ ] is EBNF notation indicating an option. Also, AgdaType is a Set-type Agda term, PatternVariable is an Agda identifier, ConstructorName is an Agda constructor identifier, and RightHandSide is an expression of Agda. The FunctionDefinition is composed of TypeSignature, one or more FunctionClasses, and zero or more Pragmas. TypeSignature defines a function name and its type. If the type can be inferred from the FunctionClassuse, the TypeSignature may be omitted. FunctionClasse connects the left side (LeftHandSide) and the right side (RightHandSide) with an equal sign. The left side is a function name to which 0 or more of Pattern is applied. Pattern is a PatternVariable (variable) or a constructor identifier applied to zero or more sub-Patterns. The right side is an Agda term used by PatternVariable that appears on the left side. Pragma is a command for the Agda language processing system that processes the function definition declaration, and attaches specific information to the function to be defined.

In this example, the concept of consistency check is also extended to include a deecase definition. The concept itself is information before being described as examination target information in an artificial language (Agda), but the components of information to be included are expressed in EBNF notation for convenience as follows.
D-Case Declaration :: = SingleCluseDecl
SingleClauseDecl
:: = SingleClauseSignature DeeCase SingleClauseSignature
:: = DCaseName { Pattern }
{ PatternVariableDecl }
PatternVariableDecl
:: = PatternVariable Agda Type
The SingleClauseSignature is a D-Case name D-CaseName as defined, a Pattern of zero or more arguments that it can take, zero or more PatternVariableDecls with information about each PatternVariable and its type in the Pattern. Consists of The SingleClauseDecl is composed of a SingleClauseSignature and a de-case including each PatternVariable as a parameter. This is a function definition in the above description, and corresponds to FunctionDefinition having only one FunctionClasse. (Note that the PatternVariable type may not be AgdaType but can be converted to it. In this specific example, AgdaType is used for simplicity.)

Also, in this specific example, when the deaase declaration is expressed as a directed acyclic graph corresponding to the discussion structure information, the DCaseName included in the SingleClaseSignature is used as a child node of the root node of the deaase graph in the deacase declaration. Assume that a context node having information of { Pattern } { PatternVariableDecl } is generated. In the context node, DCaseName { Pattern } is included in the context as a Clause, and { PatternVariableDecl } indicating each parameter and its type is included in the context as Parameters.

  Next, in the inspection object information described in Agda, specific description processing (step S201) according to the case will be briefly described. First, in this specific example, Pragma “{− # DCASE FunctionName root # −}” is added to the function definition of the function FunctionName, which adds information that includes a description according to the case. The translation unit 16 finds a FunctionDefinition having such a Pragma in the inspection object information. Here, the case where such FunctionDefinition has only one FunctionClass will be described. The Agda term that is the RightHandSide of this FunctionClass is specified as D-Case. Since this is a description corresponding to the case in step S201, the processing from step S202 onward in the flowchart of FIG. 3 is executed. As a result, a deaase graph (graph information) corresponding to the D-Case is obtained.

Further, in this specific example, the translation unit 16 is extended to convert one such FunctionDefinition as a whole into a graph of one DeeCase declaration (SingleClauseDecl). Specifically, the translation unit 16, a FunctionName of LeftHandSide the DCaseName of SingleClauseSignature, the {Pattern} of LeftHandSide and {Pattern} of SingleClauseSignature, from LeftHandSide and TypeSignature, using the function of Agda proof checker, the SingleClauseSignature {PatternVariableDecl } Is generated by constructing a Single ClauseSignature. The translation unit 16 makes this a context node as described above, and adds it as a child to the root node of the graph corresponding to the Agda term that is RightHandSide.

  Next, details will be described based on one specific D-Case in this specific example. The user operates the keyboard to input the inspection target information 200 shown in FIG. 10. The inspection target information 200 is received by the receiving unit 18, stored in the inspection target storage unit 11, and displayed by the display unit 17. Suppose that it was done (steps S104-S106). In FIG. 10, the inspection target information 200 includes model information 201 and discussion structure information 202. In the model information 201, it is declared that TopGoal, SubGoal-A, and SubGoal-B have a Set type, that is, each is a type. Since the Agda language treats propositions as types, this declaration declares each as a goal. Moreover, it is declared that topState has a function type that obtains SubGoal-A type data, obtains SubGoal-B type data, and returns TopGoal type data. Further, it is declared that Evidence-A has a SubGoal-A type, and Evidence-B has a SubGoal-B type. Further, in the discussion structure information 202, the dea graph information of the tree structure shown in FIG. 11 is described in Agda. It should be noted that the inspection object information 200 shown in FIG. 10 has no error. Therefore, even if the user inputs an instruction to perform a proof check on the inspection target information and the check unit 12 performs a proof check accordingly (Steps S101 and S102), no error is detected (Step S101). S103). For example, in the discussion structure information 202, it is assumed that Evidence-A is mistakenly written as Evidence-B. When a certification inspection is performed on such inspection target information 200 (steps S101 and S102), it is detected that “Evidence-B” in “SubGoal-A∋Evidence-B” of the discussion structure information 202 is an error. Then, the location of Evidence-B is highlighted (step S103). The highlight display may be, for example, displaying the portion in red. Note that characters that are not highlighted are displayed in non-red characters. The user can easily grasp the existence of an error by viewing the highlighted “Evidence-B”, and the error can be rewritten by rewriting the evidence-B to evidence-A. It can be eliminated (steps S104 to S106).

Next, a process for translating the inspection object information 200 into graph information will be described. The data format of the graph information used in this specific example conforms to the XML format used by the D-Case Editor referred to in the above description. Assume that the user inputs an instruction to the inspection apparatus 1 to translate the inspection object information into graph information in the state where the inspection object information 200 shown in FIG. 10 is stored in the inspection object storage unit 11. Then, the instruction is received by the receiving unit 18 and passed to the translation unit 16. And the translation part 16 judges that it is a timing which translates test object information into graph information (step S110), and performs the process which translates test object information into graph information (step S111). Specifically, the translation unit 16 specifies Pragma {-# DCASE my-D-Case root #-} in the inspection target information 200 and acquires a function name (FunctionName) “my-D-Case”. Moreover, the translation part 16 specifies "my-D-Case" which is LeftHandSide using the function name, and specifies D-Case which is RightHandSide linked | related with the equal sign (step S201). . That is, the specified D-Case is
TopGoal∋
topStrategy
・ (SubGoal-A∋Evidence-A)
・ (SubGoal-B∋Evidence-B)
It is.

  Thereafter, the translation unit 16 instructs the execution unit 14 to determine whether to execute the inspection target information 200 via a route (not shown). Then, the execution unit 14 refers to the inspection target information 200 stored in the inspection target storage unit 11 and determines that it is not necessary to execute the discussion structure information 202 because there is no portion described in the program. (Step S202), and the result is passed to the translation unit 16 via a route (not shown).

  Upon receiving the determination result, the translation unit 16 performs a description process (step S204) according to the case for the D-Case. Specifically, the translation unit 16 specifies a pattern “g∋t” by pattern matching (step S301), and generates a goal node corresponding to g of the pattern (step S302). That is, the translation unit 16 generates node information 301 corresponding to TopGoal in the graph information 300 illustrated in FIG. 12A. In the node information 301, type = “Goal” indicates that the node is a goal node. In the case of a strategy node, type = “Strategy”, in the case of an evidence node, type = “Evidence”, and in the case of a context node, type = “Context1” (instead of “Context”) The reason why it is “Context 1” will be described later). id = “001” is an identifier of a node, and is given so that each node can be identified when the node is generated. In this specific example, it is assumed that id is incremented by 1 each time information of each node is generated. “name =“ G1 ”” is the name of the node displayed when displaying the graph information. The name of this node is also appropriately generated when the node is generated. In this specific example, the first character of the type and a number are combined and generated so as not to overlap. value = “TopGoal” is the value of the term in the inspection object information 200. Note that although no information is included between the tag <dcase: description> and the tag </ dcase: description>, the goal term was described as << FormalGoal / Description >> In that case, the Description will be included between both tags. Also when generating information of another node, the translation unit 16 generates type, id, and name, and generates information of the node by reading the description and the value of the term from the inspection target information 200. To do.

Next, the translation unit 16 determines whether or not the rest is a case. In this case, since the pattern “g∋t” has been specified in step S301, the rest is an argument, so the translation unit 16 determines that the rest is not a case, and processes the description according to the argument. (Steps S303 and S305). Specifically, the translation unit 16 uses the remaining part, topStrategy.
・ (SubGoal-A∋Evidence-A)
・ (SubGoal-B∋Evidence-B)
For pattern, a pattern of “f · t ₁ · t ₂ ” is specified by pattern matching (step S401), and since n = 2, a strategy node corresponding to f of the pattern is generated (step S402). That is, the translation unit 16 generates node information 302 corresponding to topStrategy in the graph information 300 illustrated in FIG. 12A. The generation method of the node information 302 is the same as the generation method of the node information 301 described above. After that, because the pattern “f · t ₁ · t ₂ ” is specified in step S401, the translation unit 16 determines that the generated node is not a leaf and the rest is a case (steps S403 and S404). ₁ is SubGoal-A−Evidence-A
The description process according to the case is performed (step S405).

Specifically, the translation unit 16 specifies a pattern “g∋t” by pattern matching (step S301), and generates a goal node corresponding to g of the pattern (step S302). That is, the translation unit 16 generates node information 303 corresponding to SubGoal-A in the graph information 300. Then, the translation unit 16 determines that the remainder is an argument, and performs a description process according to the argument (steps S303 and S304). Specifically, the translation unit 16 uses the remaining part of the evidence-A.
Is identified by pattern matching (step S401), and since n = 0, an evidence node corresponding to f of the pattern is generated (step S402). That is, the translation unit 16 generates node information 304 corresponding to the evidence-A in the graph information 300. Thereafter, the translation unit 16 has generated the evidence node, and thus determines that the leaf is a leaf (step S403), and generates a link from the goal node (SubGoal-A) to the evidence node (Evidence-A) (step S306). . That is, the translation unit 16 generates link information 311 from SubGoal-A to Evidence-A in the graph information 300 illustrated in FIG. 12B. In the link information 311, source = “003” is an identifier of a link source node, that is, a node of SubGoal-A. Further, target = “004” is an identifier of a link destination node, that is, a node of Evidence-A. id = “Link-003-004” is a link identifier, and is generated using a link source node identifier and a link destination node identifier at the time of link generation so that each link can be identified. . “name =“ Link-003-004 ”” is the name of the link, and in this specific example, is the same as the identifier of the link. Also when generating information of other links, the translation unit 16 generates source, target, id, and the like using the link source identifier and the link destination identifier.

Then, since the processing of the description in accordance with the case corresponding to _{t 1} is terminated, the translation unit 16 generates a link between its case, a strategy node corresponding to TopStragegy (step S406). That is, the translation unit 16, from topStragegy in the graph information 300 shown in FIG. 12B, to generate a link information 312 corresponding to the links to the subgoal-A is the root of _{t 1.}

Then, the translation unit 16, since there is a case _{t 2} of the untreated (step S407), SubGoal-B∋Evidence-B its _{t 2}
For, as in the case of _{t 1,} it performs a process described in accordance with the case (step S405).

Specifically, the translation unit 16 identifies the pattern “g∋t” (step S301), and generates node information 305 corresponding to the goal node corresponding to g of the pattern (step S302). Then, the translation unit 16 determines that the remainder is an argument, and performs a description process according to the argument (steps S303 and S304). Specifically, the translation unit 16 uses the remaining part of the evidence-B.
Is identified (step S401), and node information 306 corresponding to the evidence node corresponding to f of the pattern is generated (step S402). After that, the translation unit 16 has generated the evidence node, and thus determines that it is a leaf (step S403), and link information 313 corresponding to the link from the goal node (SubGoal-B) to the evidence node (Evidence-B). Is generated (step S306). Then, since the processing of the description in accordance with the case corresponding to _{t 2} is completed, the translation unit 16, from TopStragegy, generates information 314 of the link corresponding to the link up subgoal-B is the root of _{t 2} (step S406).

  With these processes, the process of generating each node and each link below the topStorage is completed, so the translation unit 16 determines the link corresponding to the link from the goal node (TopGoal) to the strategy node (topStorage) that is the root of the argument. Information 315 is generated (step S306).

  After that, the translation unit 16 determines that a tag corresponding to the model information 201 or a context node corresponding to the name of the D-Case is added because the model information or the name of the D-Case exists in the inspection target information 200. (Step S205), according to the link from the goal node of TopGoal, which is the root of D-Case, to the context node, and the node information 307 corresponding to the context node including “my-D-Case” corresponding to LeftHandSide Link information 316 is generated. In the context node information 307, type = “text2” is set in order to distinguish it from the context node generated from the operator CONTEXT [/]. In the context node generated from the context node generated from the operator CONTEXT [/], type = “context1” is assumed. Also, in the context node, the LeftHandSide information (in this case, the name of D-Case) is not included in the value but is included in the description. Further, the translation unit 16 generates property information 321 corresponding to the model information 201 in the graph information 300 (step S206). In this way, the graph information 300 is generated. In the property information 321, “&#xD; &#xA;” is a character code of a line feed, and “&#8594;” is a character code of a right arrow “→”. In addition, tags related to the D-Case at the beginning and the rear end of the graph information 300, tags described before and after the node and link information, and the like may be generated at the beginning of generating the graph information 300. Alternatively, it may be generated after tags such as nodes, links, and properties are generated. Thereafter, the display unit 17 reads the graph information 300 stored in the graph storage unit 15, acquires the parent-child relationship of each node, and displays the image of FIG. 11 showing the parent-child relationship of each node (step S112). . In FIG. 11, nodes 211, 214, and 216 with type = “Goal” are displayed as rectangles, nodes 213 with type = “Strategie” are displayed as parallelograms, and nodes with type = “Evidence”. Nodes 215 and 217 are displayed as ellipses, and a node 212 where type = “ContextN” (N is an integer equal to or greater than 1) is displayed as a rounded rectangle. These graphics are stored in a recording medium (not shown), and the display unit 17 may display the graphics corresponding to each node by appropriately reading the graphics. The display unit 17 generates and displays a character string corresponding to the node type (type), the node name (name), the node value (value), and the node description (Description) in the figure. To do. The display unit 17 also generates and displays link graphics (arrow graphics) 221 to 226 connecting the nodes in accordance with the information of each link included in the graph information 300. In this way, the user can know the graph information 300 corresponding to the inspection target information 200. In this specific example, the model information is all invisible information in the graph information, and thus is not displayed in the graph.

  The graph information 300 described in XML shown in FIGS. 12A and 12B is different from the XML notation used in the actual D-Case Editor in details, but is substantially the same. is there. In the graph information, there is no limitation on the method for indicating the parent-child relationship of each node included in the case. Therefore, it goes without saying that the graph information may be indicated by a data structure other than that shown in FIGS. 12A and 12B. When the graph information 300 described in XML is displayed graphically as shown in FIG. 11, the display of the character string specified by the description tag and the display of the value shown in FIG. It may be possible to switch, or alternatively, both may be displayed together. Even in the former case, for the context node, the character string specified by the description tag may be continuously displayed.

  Next, a process for translating graph information into inspection object information will be described. Here, it is assumed that the graph storage unit 15 stores the graph information 300 shown in FIGS. 12A and 12B. Note that the graph information 300 may be input by the user using a D-Case Editor or the like (steps S107 to S109), for example. Then, it is assumed that the user inputs an instruction for translating the graph information into the inspection target information to the consistency inspection apparatus 1. Then, the instruction is received by the receiving unit 18 and passed to the translation unit 16. And the translation part 16 judges that it is a timing which translates graph information into test object information (step S113), and performs the process which translates graph information into test object information (step S114). Specifically, the translation unit 16 refers to the link information 311 to 316 of the graph information 300, and identifies a node that exists in the source but does not exist in the target, that is, a root node (step S501). In this case, the node with id = “001” becomes the root node. Since the root node is also the root node of the de-case graph, the translation unit 16 performs the case processing (step S502). Specifically, the first link information 315 whose id = “001” is the specified root node is specified, and the source node and the target node are specified. In this case, the source node is a goal node, and the target node is a strategy node. Therefore, the translation unit 16 specifies a pattern of (parent node, child node) = (goal node, strategy node) (steps S601 and S602). In this case, since the link destination is an argument, the translation unit 16 performs an argument process (steps S603 and S604). Specifically, since link information 312 and 314 with the root node of the argument (the strategy node with id = “002”) as the link source exists, the translation unit 16 determines that the link destination node is the root node of the argument. It is determined that it exists (step S701), and the information 312 of the first link among the links is specified (steps S702 and S703). Moreover, the translation part 16 judges whether the link destination of the specified link is a case (step S704). That is, the translation unit 16 obtains the link target id = “003” from the specified link information 312 and specifies the node information 303 of the id = “003”. Since the node type (type) included in the specified node information 303 is a goal, the translation unit 16 determines that the link destination is a case. Then, the linked case is processed (step S705).

Specifically, the translation unit 16 specifies the information 311 of the first link whose source is the root node (node of id = “003”) of the case to be processed, the source node, and the target The node and the relationship, that is, the pattern of (parent node, child node) = (goal node, evidence node) is specified (steps S601 and S602). In this case, since the link destination is an argument, the translation unit 16 performs an argument process (steps S603 and S604). Specifically, since there is no link information whose link source is the root node of the argument (evidence node with id = “004”), the translation unit 16 determines that there is no link destination node in the root node of the argument. Judgment (step S701), a term corresponding to the root node, that is,
Evidence-A
Is generated (step S710). This term is generated using the value of node information 304 of the root node. In this case, the term becomes an argument term as it is (step S711). Thereafter, the translation unit 16 generates an operator “∋” corresponding to the pattern (goal node, evidence node) of the link information 311 with the node (evidence node with id = “004”) as a link destination (step). S606). Further, since there is no more link destination in the goal node with id = “003” (steps S607 and S608), the translation unit 16 has node information 303 corresponding to the goal node with id = “003”. Is used to generate a term “SubGoal-A” corresponding to the node (step S609). Since the link destination argument is one and there is no term other than the link destination argument (step S610), the translation unit 16 uses the link destination argument term and the goal node term as the operator " A term of a case connected by “∋” is generated (step S611). The case term is
SubGoal-A∋Evidence-A
It becomes. Thereafter, the translation unit 16 generates an operator “·” corresponding to the pattern (strategy node, goal node) of the link information 312 with the goal node of id = “003” as the link destination, and temporarily generates this Are stored in a recording medium (not shown) (step S707). Also, the translation unit 16 specifies the information 314 of the second link whose link source is the strategy node with id = “002” (steps S708, S709, and S703). Further, the translation unit 16 determines that the link destination is a case because the link destination of the identified link is a goal node with id = “005” (step S704). Then, the linked case is processed (step S705). Similar to the above-described processing, by the processing in this case, the translation unit 16 uses the operator “∋” corresponding to the term corresponding to the evidence node with id = “006” and the link pattern having the evidence node as the link destination. ”, A term corresponding to the goal node of id =“ 005 ”which is the link source of the link, and an operator“ · ”corresponding to the link pattern having the goal node as the link destination, The data is temporarily stored in a recording medium (not shown) (step S707). Thereafter, the translation unit 16 generates a term corresponding to the strategy node with id = “002” (step S710). Since there are only two case terms at the link destination, the translation unit 16 generates an argument term that connects the two case terms at the link destination and the strategy node term with the operator “·”, respectively. (Step S711). The argument term is
topStorage
・ (SubGoal-A∋Evidence-A)
・ (SubGoal-B∋Evidence-B)
It becomes. Since the argument processing with the strategy node with id = “002” as the root node is completed, the translation unit 16 generates the operator “∋” corresponding to the link information 315 to which the strategy node is the link destination. (Step S606) Further, a term “TopGoal” corresponding to the goal node of id = “001”, which is the root node of the entire case, is generated (Steps S607 to S609). Since the link destination argument is one and there is no term other than the link destination argument (step S610), the translation unit 16 uses the link destination argument term and the goal node term as the operator " A term of a case connected by “∋” is generated (step S611). The case term is
TopGoal∋
topStorage
・ (SubGoal-A∋Evidence-A)
・ (SubGoal-B∋Evidence-B)
It becomes. Note that the graph information 300 includes node information 307 corresponding to the context node and link information 316 corresponding to the node, but since the context type is “Context 2”, the translation unit No. 16 does not perform processing for generating the normal operator CONTENT “/”. Since the node information 307 of type = “Context 2” and the property information 321 exist, the translation unit 16 determines that there is information to be added to the inspection target information (step S503), and type = ” The description “my-D-Case” of the node information 307 of Context2 ”is the left side, and the left side and the above-described description of the above-mentioned D-Case are connected with an equal sign. Also, the model information is read from the property information 321 and added to the inspection object information (step S504). As a result, the final inspection target information is as follows. In this way, the translation from the graph information to the inspection object information is performed.

poster
TopGoal SubGoal-A SubGoal-B: Set
topStrategy: SubGoal-A->SubGoal-B-> TopGoal
Evidence-A: SubGoal-A
Evidence-B: SubGoal-B
my-D-Case =
TopGoal∋
topStorage
・ (SubGoal-A∋Evidence-A)
・ (SubGoal-B∋Evidence-B)

  This inspection target information is displayed by the display unit 17 (step S115), and the user can add or change the inspection target information as appropriate. In addition, by performing an inspection, an inappropriate location can be detected (steps S101 to S103).

  Here, the translation part 16 can translate inspection object information into graph information, and can also translate graph information into inspection object information. Therefore, the translation part 16 can also translate inspection object information into graph information, and can also translate the graph information into inspection object information after that. In that case, the inspection object information before translation and the inspection object information translated from the graph information may be the same or different. For example, as will be described later, when the execution unit 14 executes the translation of the inspection target information into the graph information, the two pieces of inspection target information are usually different.

[Execution of inspection target information]
In the specific example described above, the case where execution by the execution unit 14 is unnecessary when the inspection target information is translated into the graph information has been described. However, as described above, the execution is performed after the execution by the execution unit 14 is performed. You may go. In this case, for example, it is assumed that the inspection object information shown in FIG. 13 is stored in the inspection object storage unit 11. In this case, the description according to D-Case is
instruction-on-NG step base 3
However, this is due to the generation function (program) “instruction-on-N” defined in the upper part of the description and the four arguments “G”, “step”, “base”, “3”. It is described. Therefore, when the inspection object information in FIG. 13 is translated into graph information, the translation unit 16 specifies the above description according to the case (step S201), and the execution unit 14 determines that the execution is necessary. (Step S202), the generation function (program) is executed (Step S203).

Specifically, since the specific values of the arguments are “G”, “step”, “base”, “3”, the generation function (program) “instruction-on-N” is repeatedly applied. It becomes as follows.
instruction-on-NG step base 3
= G 3∋step 2
・ Induction-on-NG step base 2
= G 3∋step 2
・ (G 2∋step 1
・ Induction-on-NG step base 1)
= G 3∋step 2
・ (G 2∋step 1
・ (G 1∋step 0
・ Induction-on-NG step base 0))
= G 3∋step 2
・ (G 2∋step 1
・ (G 1∋step 0
・ (G 0∋base)))

  Therefore, finally, similar to the inspection object information 200 of FIG. 10, inspection object information (discussion structure information) in a form in which terms and operators are explicitly described can be obtained, and the translation unit 16 can obtain the inspection object information. The target information can be translated into graph information displayed as shown in FIG. In this example, the discussion structure information in a form that explicitly describes all terms and operators before translation is generated and then translated. However, as described above, the translation process is performed. However, it goes without saying that the execution may be performed sequentially. For example, when “induction-on-NG step base 2” is translated, it is executed to obtain “G2 step 1 • induction-on-NG step base 1”, and “induction-on-on” When translating “−NG step base 1”, it may be executed to obtain “G 1 ∋step 0 • induction-on-NG step base 0”. As described above, the argument value is simply changed by generating the argument structure information in a form in which the terms and operators are explicitly described by the execution unit 14 or by performing translation while generating the argument structure information. Thus, there is a merit that it is possible to generate graph information corresponding to the latest case or a case to be displayed graphically. For example, in the case of the above-described example, “G step base 3” in the inspection target information is appropriately changed to “G step base 2”, “G step base 5”, etc., and then the translation process is started. The user can view the directed acyclic graph according to the changed case.

  In addition, as described above, a discussion structure in a format that explicitly describes a term and an operator using a generation function that generates a discussion structure information in a format that explicitly describes the term and an operator and a specific value of an argument. Even in the case of generating information, the proof check may be performed on the description using the generation function and the specific value of the argument. If there is no error in the proof check, it is guaranteed that appropriate graph information corresponding to the result of executing the generation function can be obtained.

Here, the inspection object information (discussion structure information) having the generation function and the specific value of the argument is generally described as follows. In terms of correspondence with the above example, “induction-on-N” corresponds to “generator”, and “G”, “step”, “base”, “3” are “v ₁ ”,. Corresponds to “v _n ”. The type of “generator” is
(X ₁ : ParameterType ₁ ) →
_{(X 2:} ParameterType 2) →
...
(X _n : ParameterType _n ) →
G x ₁ x ₂ ... x _n
That is, the value of parameter _v 1, ..., Calculating the "generator v ₁ ... v _n" when the _{v n,} v 1, ..., _v in case the goal "G _v 1 ... _{v n"} corresponding to the _n Corresponding discussion structure information (which explicitly describes terms and operators) is generated.
myLatestDCase: G v ₁ ... v _n
myLatestDCase = generator v ₁ ... v _n
{-# DCASE myLatestDCase root #-}

[Extended execution 1]
Next, in addition to executing the calculation of the discussion structure information in which terms and operators are explicitly described, the execution unit 14 may be capable of executing a normal calculation at the same time, and its merit. explain. In Agda, from type D and predicate G that takes D type arguments (that is, “G: D → Set”), “D type value d and proof of G d (argument structure corresponding to D-Case) The type Σ D G whose value is a set of “) pairs of p)” can be constructed. Here, it is assumed that the function “output-and-DCase: (x: ParameterType) → ΣDG” is defined (for simplicity, the argument is one). This function calculates a D-type value from the value of x and at the same time returns a proof that the calculated value satisfies G. Therefore, by setting the discussion structure information as follows, a certain result “myLatestOutput” corresponding to the parameter value v is calculated, and at the same time, the discussion structure is “myLatestDCase” indicating that the result satisfies the predicate G. Information (which is an explicit description of terms and operators) will be generated. Further, the discussion structure information can be translated into graph information by the translation unit 16, and in this case, the discussion structure information can be displayed graphically.
myLatest: ΣD G
myLatest = output-and-Dcase v

myLatestOutput: D
myLatestOutput = first-component myLatest

myLatestDCase: G myLatestOutput
myLatestDCase = second-component myLatest
{-# DCASE myLatestDCase root #-}

  In this case, the execution unit 14 executes the discussion structure information, thereby generating a certain calculation result value (myLatestOutput) and a discussion structure (myLestestDCase) indicating that the value is correct. Therefore, as described above, compared to the case of generating discussion structure information in which terms and operators are explicitly described, the value is calculated, and the generated terms and operators are explicitly It is added that the argument structure information described is a proof of the calculated value. In this case, since the program for calculating the value and the proof (the program for generating an explicit description of the discussion structure information) are integrated, “This D-Case really calculates this value. The advantage is that you don't have to worry about whether it is based on the program you used.

[Execution extension 2]
The above can be further expanded to generate a D-Case indicating that the calculated value is correct in relation to the specific value of the parameter. In this case, the calculation result type D and predicate G depend on the parameter values,
D: ParameterType → Set
(Indicates that the result type can change depending on the parameter value)
G: (x: ParameterType) → D x → Set
(A predicate that takes two parameters, the value of the result and the value of the result type, that is, the relationship between the input value and the output value of the calculation, ie (where D-Case indicates that it is true) Indicates the calculation specifications)
It becomes.

And
output-and-DCase: (x: Parameter Type) → Σ (D x) (G x)
If the result type D and the predicate G depend on the parameter x, it can be extended by describing the argument structure information as follows.
myLatest: Σ (D v) (G v)
myLatest = output-and-Dcase v

myLatestOutput: D v
myLatestOutput = first-component myLatest

myLatestDCase: G v myLatestOutput
myLatestDCase = second-component myLatest
{-# DCASE myLatestDCase root #-}

  In this case, the execution unit 14 executes the discussion structure information, so that a certain value (myLatestOutput) having a type corresponding to the specific value v of the parameter, the value indicating that the value is correct, v, Thus, a discussion structure (myLestestDase) having a top goal (GvmyLatestOutput) corresponding to is generated. Therefore, the latest argument structure indicating that myLatestOutput is correct in relation to the latest parameter v is obtained.

  Here, the discussion structure information to be executed described in “Execution object information execution”, “Execution extension 1”, and “Execution extension 2” is referred to as information A. In the above, the information A including the specific value v of the parameter may be stored in the inspection target storage unit 11 in any process. The timing for translating the inspection object information including the information A into the graph information that triggers the execution of the information A depends on the determination in step S110 of the translation unit 16 as described above.

[Execution extension 3]
The generation of the information A including the specific value v of the parameter and the translation into the graph information (including the execution of the information A) may be mechanically controlled in the consistency checking apparatus 1. This control description (program) is called information B. The information B may include a part of the information A other than the specific value of the parameter as it is. The information B is stored in the inspection object storage unit 11, and when executed by the execution unit 14, an external input is acquired (for example, a sensor reading value at that time), and a specific value v of the parameter based on the input Is generated on the inspection object storage unit 11, and the calculation related to the information A is executed as in the previous stage, and the discussion structure information in which terms and operators are explicitly described is the calculation result. It is a program that performs a process of translating into graph information. In addition, the execution of the information B may output other calculation results of the generated information A to the outside (for example, controlling the actuator with the myLatestOutput), and perform processing from input acquisition to translation / output It may be repeated. As described above, when the translation is performed by executing the information B, the inspection target storage unit 11 also stores a conversion program corresponding to the process of converting the inspection target information into the graph information. 16 may be considered to convert the inspection object information into graph information by executing the conversion program. Further, the inspection object storage unit 11 also stores a program for execution by the execution unit 14, and the execution unit 14 may execute the inspection object information by executing the program. Alternatively, in addition to the translation unit 16 being able to use the function of the execution unit 14, it is recursive that the execution unit 14 calls the function of the translation unit 16 or the execution unit 14 calls its own function. It may be considered that the configuration is possible. In addition, in the case of the extension 3 of this execution, the part other than the information A in the information B may or may not be described in the same artificial language based on the same constructive type theory as the information A. . That is, the inspection object information and the conversion program may or may not be described in the same artificial language based on the structural type theory. Further, the inspection target information and the program for the execution unit 14 to execute may or may not be described in the same artificial language based on the structural type theory.

[Execution extension 4]
Further, as described above, the execution unit 14 executes a program included in the inspection target information or an external program specified by the inspection target information in the certification inspection, and the execution result is used for the certification inspection. Good. In that case, for example, when performing proof inspection of information to be inspected according to the assurance case related to the furnace, the actual temperature of the furnace is obtained by executing an external program, and the obtained furnace temperature It is also possible to perform proof inspection using. In addition, for example, when performing verification inspection of information to be inspected according to an Assurance case related to a system, a query for a database containing design information and operation result data of the system is executed as an external program. A proof check can also be performed based on this. Also, for example, the description “automatic certification program P” is allowed as evidence E for a goal G, and the external program P is executed for G at the time of certification examination. As a result, the original discussion structure information G∋E It is also possible to determine the inspection result. Further, when such execution is performed, the inspection target information may include a program to be executed, or an external program may be called. In Agda, it is possible to perform certification inspection using a function (plug-in mechanism) for calling such an external program. For that, please refer to the following document.

  Literature: Yoshifumi Yuasa, Yoshinori Tanabe, Toshifusa Sekizawa, Koichi Takahashi, "Verification of the Deutsch-Schorr-Waite Marking Algorithm with Modal Logic", Second International Conference, Verified Software: Theories, Tools, Experiments (VSTTE 2008), LNCS 5295, p. 115-129, 2008

Next, a specific example in the case where parameter information (Parameters) is included in the context will be briefly described. Assume that the inspection object information is as shown in FIG. In this case, DCaseName { Pattern } { PatternVariableDecl } becomes “example-with-params X e1 e2” which is the left side of the equal sign. The parameters are X, e1, and e2. The translation unit 16 indicates that the type of each parameter is “X: System”, “e1: X is-designed-dependent”, and “e2: X is-developed-collective”. Judgment is made from the example-with-params type shown in (3 lines above the number). This is done by performing type inference, a common technique in the implementation of constructive type theory such as Agda. Therefore, in the process of step S206,
Clause
example-with-params X e1 e2
Parameters
(X: System)
(E1: X is-designed-dependent)
(E2: X is-developed-correctly)
A context node containing is generated. As described above, in the graph information, the type of the information of the node corresponding to this context node is “Context2”. Further, the display of the graph information obtained by translating the inspection target information shown in FIG. 15 is as shown in FIG. In FIG. 16, the above-described Clause and Parameters are included in the context node that is a child node of the root node.

  Further, in the specific example described above, the case where the model information 201 is included in the property information 321 in the graph information 300 has been described, but this need not be the case. A context node corresponding to the model information 201 may be generated. The context node is also preferably generated as a child node of the root node in the discussion structure information. In addition, the context node including the model information can be distinguished from other context nodes so that the description included in the context node is converted into model information when the graph information is translated into the inspection target information. It is preferable that Specifically, in the information of the node corresponding to the context node, the distinction may be made by setting the type to “Context3”.

Further, let syntax may be used in the inspection object information. By using the let syntax, a local declaration in the discussion structure information can be made. For example, the above-described D-Case and Argent may be expanded as follows.
D-Case :: =
｜ let
FormalContext
[ ContextDescription ]
in
D-Case
Argent :: = ...
｜ let
FormalContext
[ ContextDescription ]
in
Argent

In addition, ... shows the description of the above-mentioned D-Case and Argent. Specifically, for example, the discussion structure information 202 can be described using the let syntax as follows.
my-D-Case = let
T1 = TopGoal
T2 = topStrategy
S1 = SubGoal-A
S2 = SubGoal-B
E1 = Evidence-A
E2 = Evidence-B
in
T1∋T2 ・ (S1∋E1) ・ (S2∋E2)

  In the above example, TopGoal, topStorage, etc. are declared in T1 and T2 between let and in, and terms are described in T1 and T2 in the D-Case below in. Note that local model information may be described using the let syntax. That is, local model information may be included between let and in. When translating the inspection object information into graph information, the description between the let and in may be included in a context node that is a child node of the root node in D-Case or Argon below in. . At that time, the context node including the description of the let syntax is different from the other context nodes so that the description included in the context node is converted into the let syntax when the graph information is translated into the inspection target information. It is preferable that they can be distinguished. Specifically, in the information of the node corresponding to the context node, the type may be distinguished by setting “type” to “Context4”.

  An example in which the inspection target information has a module structure will be briefly described. 17A and 17B, “open C-DefSys” or “open C-SystemSafe” is between the let syntax in and the in of the let syntax in the test target information (strictly, the discussion structure information of the test target information). "It is included. This means a declaration that information described in the modules “C-DefSys” and “C-SystemSafe” is referred to in a term following “in” below in. In addition, although the module in this example is about model information, it cannot be overemphasized that the information described in a module is not limited to it. That is, the module may be used for model information and may be used for discussion structure information. Thus, the range in which the module is used in the inspection object information does not matter. By using the module structure for the description of the inspection object information, the advantage of the module structure in the software description can be introduced into the description of the inspection object information. For example, maintainability is improved by collecting related information in one place, versatility is improved by defining a module with parameters, and by constructing each module after defining the interface between modules It is possible to divide the work reliably and to synthesize the work result mechanically.

The arguments may also have patterns other than those described above. For example, the argument may be configured using an operator such as ∀Intro or → Intro as follows.
Argent :: = ...
｜ ∀Intro {Domain} (Lambda-D-Case)
| → Intro {Domain} (Lambda-D-Case)
Lambda-D-Case :: = λ (Agda variable name) → D-Case
Domain :: = Set type Agda term In addition, ... indicates the description of the above-mentioned Argent. When “e (x)” is an Agda term including the variable “x”, the λ notation “λ x → e (x)” receives “e (v)” ( This is an Agda term representing a function that returns a value of e (x) when v is substituted for x.

  The operator “∀Intro” is “∀ (x: D) → P (x)”, that is, “P (x) holds for all D-type values x” (P takes a D-type value as an argument). Used to construct a description of an argument indicating a goal in the form of a predicate). In constructive type theory, giving a proof of this form of proposition means giving a function that takes an arbitrary value x of type D and returns a proof of P (x). The operator ∀Intro takes one type D as the first argument and one such function λ notation “λ x → (P (x) ∋Argent (x))” as the second argument, and the goal “ An Agda notation “∀Intro {D} (λx → (P (x) ∋Argent (x))” indicating an argument indicating ∀ (x: D) → P (x) ”is formed as an Agda term. The meaning is the same as the function itself as the second argument.As an argument, “x is introduced as a variable representing a value of an arbitrary D type, and the goal P (x) is indicated by the argument Argument (x)”. It is an argument.

Similarly, the operator “→ Intro” is used to construct an argument description indicating a goal in the form of “G ₁ → G ₂ ”, that is, “G ₂ if G ₁ ” (G ₁ and G ₂ are goals). Use. In constructive type theory, giving a proof of this form of proposition means giving a function that takes an arbitrary proof h of G ₁ and returns a proof of G ₂ . The operator → Intro takes one goal G ₁ as the first argument and λ notation “λ h → (G ₂ ∋Argent (h))” of one such function as the second argument. An Agda notation “→ Intro {G ₁ } (λ h → (G ₂ ∋Argent (h)))” of an argument indicating “G ₁ → G ₂ ” is constructed. The argument is the same as the function itself, and the argument is “assuming that the evidence of G ₁ is given, this is represented as h, and G _{2 is represented} by the argument Argent (h).” The argument Argent (h) in medium, so that it is possible to use h as evidence of G _1.

An example of simple inspection object information using both of them, Intro and → Intro, is shown in FIG. Strictly speaking, FIG. 18 shows only the discussion structure information. In short, the discussion structure information in FIG. 18 proves Pn → Pn for any natural number n in order to prove Pn → Pn for all natural numbers n. Then, in order to prove Pn → Pn for the arbitrary natural number n, a proof p of Pn is assumed, and the formation of Pn is proved by using the proof p. When translating the discussion structure information shown in FIG. 18, in step S401 of the flowchart of FIG. 5, the translation unit 16 performs “∀Intro {D} (λ x → t)” or “→ Intro {G ₁ }. (Λh → t) ”is specified as a kind of strategy and remaining case patterns. In both cases, the remaining case is the “t” part, and the information of the other part is translated into information of the strategy node and context nodes that are children of the strategy node. Specifically, when the pattern “∀Intro {D} (λ x → t)” is specified in step S401, the translation unit 16 has the value attribute “Introduction an assumption” in step S402. Information of a strategy node, information of a context node whose description attribute is “Assumption x: D”, and information of a link whose strategy node is “source” and whose context node is “target” are generated. Then, the translation unit 16 determines that the node generated in step S402 is not a leaf and the remaining “t” is a case, and performs a description process for t according to the case (steps S403 to S405).
If the pattern “→ Intro {G ₁ } (λ h → t)” is specified in step S401, the translation unit 16 uses the strategy whose value attribute is “Assume the antecedent” in step S402. The node information, the information of the context node whose description attribute is “Assumption h: G ₁ ”, and the information of the link whose strategy node is “source” and whose context node is “target” are generated. Then, the translation unit 16 determines that the node generated in step S402 is not a leaf and the remaining “t” is a case, and performs a description process for t according to the case (steps S403 to S405). Thus, the result of translating the inspection object information of FIG. 18 into the graph information is as shown in FIG. The value in the strategy node may be other than those. However, it is preferable that the pattern of ∀Intro {D} is different from the pattern of → Intro {G ₁ }. This is to enable appropriate translation from the graph information to the inspection object information. In addition, it is preferable that the context node generated in this way is distinguishable from other context nodes. Specifically, in the information of the node corresponding to the context node, the distinction may be made by setting the type to “Context 5”. Note that the argument processing (FIG. 8) when the graph information of the argument having the strategy node generated according to ∀Intro or → Intro as the root node is translated into the inspection target information is as follows.コ ン テ キ ス ト A context node (for example, a node whose type attribute is “Context5”) generated in response to the processing of Intro or → Intro is referred to as a “context node indicating an Assumption” in distinction from a normal context node. To do. In step S703, if the link pattern is (strategy node, goal node) or (strategy node, normal context node), the process proceeds as described above. When the link pattern is (strategy node, context node indicating Assumption), the description attribute of the context node has the form of “Assumption x: D”. In step S706, the variable name “x” of Agda and the Set type will be used. Agda term “D” is generated, and no operator is generated in step S707. In step S710, if the value attribute of the root node of the argument is “Introduction an assumption”, “∀Intro {D}” is generated as a strategy term, and if “Assume the antecedent”, “→ Intro {D} "is generated. Here, “D” is the term generated in step S706 for the pattern of the link to the context node indicating the Assumption. In step S711, as an argument term,
CONTEXT [(context node term 1) /
CONTEXT [(context node term 2) /
...
CONTEXT [(context node term m) /
(Term of strategy generated in step S710) (λ x → (case term))
] ...]]
Is generated. Here, (context node term i) is a term generated in step S706 for a link pattern to a normal context node, and (case term) is generated in step S705 for a link pattern to a goal node. The term “x” is the variable name generated in step S706 for the pattern of the link to the context node indicating the Assumption. The D-Case is generated by the process in the case of step S705. In this way, translation can be performed for other operators and terms other than those described in the specific example. Similarly, terms and operators other than those described in the present embodiment are used as appropriate in the inspection object information in the same manner, and the translation from the inspection object information to the graph information, or from the graph information to the inspection object. Needless to say, translation into information may be performed. As described here, terms and nodes correspond, and operators and links do not always correspond. That is, at the time of translation, the correspondence between the inspection object information and the graph information may be performed using the correspondence relationship other than those.

Further, in the specific example described above, it has been described that an error is detected by a certification check when Evidence-A is mistakenly written to Evidence-B. It can be said that the error is related to an error in how to apply the inference rule. Here, as another example, it will be described that an error whose classification is not appropriate is detected in the certification examination. First, it is assumed that the MachineHazard shown in FIG. 20 is stored in the inspection object storage unit 11 as part of the model information. In FIG. 20, 10 hazard types from Mechanical to Combination are defined below “data HazardType: Set where”. Below that, a general strategy “Argue _- over _- HazardType” is defined to indicate a goal of the form “P (t) for all hazard types t” (P is a predicate that takes hazard types as arguments). ing. This strategy indicates a goal by indicating subgoals for 10 cases such as “when t is a mechanical hazard”, “when t is an electrical hazard”,. 21A and 21B are information indicating a part of the inspection target information stored in the inspection target storage unit 11. In the fifth line of FIG. 21A, “open import MachineHazard” is described, and the MachineHazard of FIG. 20 is read in this inspection target information. In addition, “t hazards _- are _- examined” is defined as a specific predicate corresponding to the parameter P (t) of the general strategy “Argue _- over _- HazardType” described above, and the t is defined as a specific hazard type “Mechanical”, “ Descriptions of 10 sub-cases for 10 sub-goals when “Electrical”,..., “Combination” are given, “level2-Mechanical”, “level2-Electric”,..., “Level2-Combination”. Further, in FIG. 21B, the discussion structure information for the case division into 10 cases according to the strategy “Argue _- over _- HazardType” is specifically described. The graph information corresponding to the discussion structure is shown in FIG. 22, and there are 10 goal nodes corresponding to 10 hazard types as child nodes of the strategy node “Argu _- over _- HazardType”. Yes. Assume that the inspection unit 12 performs a verification inspection on the inspection target information shown in FIGS. 21A and 21B and is confirmed at a time when there is no error. Thereafter, according to the change of the situation, in the definition of MachineHazard in FIG. 20, as shown by the position of the arrow in FIG. 23, Terrorism is further added to the HazardType, and the definition of the strategy “Argue _- over _- HazardType” is also 11 However, suppose that the discussion structure information in FIGS. 21A and 21B is forgotten to be updated and inconsistency is introduced into the inspection target information. After that, when the inspection unit 12 performs proof inspection again, in this case, HazardType in the model information includes Error, but since the discussion structure information does not include Error, an error is detected. It will be. As a result, for example, by adding a description corresponding to Terrorism in the discussion structure information, the user can correct the inspection target information (discussion structure information) so that no error occurs. As described above, it is possible to check whether the case classification in the case of the consistency inspection target is performed as prescribed in advance by the certification inspection.

Next, as an example of an error other than the above description, it will be described that an error with a different numerical unit is detected in a certification test. First, it is assumed that the inspection target information shown in FIG. 24 is stored in the inspection target storage unit 11 as part of the model information. In this inspection object, different types are defined for the metric weight unit kg (kilogram) and the yard / pound weight unit lb (pound). Therefore, the case myWeight isLightThan 100 lb∋myEvidence
In the case of “100 lb” included in the goal, the types do not match. For this reason, when the certification inspection is performed on the inspection object information shown in FIG. 24, an error is detected as shown in FIG. FIG. 25 shows the result of the certification inspection displayed by the inspection result output unit 13. In the upper part of FIG. 25, the error part is underlined and the cursor is positioned at the head of the error part, thereby clearly indicating the error part. Also, by looking at the first line (the fifth line from the bottom of FIG. 25) of the inspection results shown from the fifth line from the bottom to the third line from the bottom of FIG. 25, the location of the error (file name: Knows the line number, column number), and by looking at the third line (the third line from the bottom of FIG. 25), "100 lb" has the expected type "MetricWeight" By checking the second line (the fourth line from the bottom of FIG. 25), the ImperialWeight of the type “100 lb” is converted to MetricWeight. You can know the details of the error to the effect. As described above, in the inspection object information, by appropriately defining and describing what is desired to be the object of the proof inspection, the desired object can be the object of the proof inspection.

  In addition, when describing accurately in the Agda language, the operator and the argument must all be separated by white space, and white space is required before and after the colon and equal signs. In the example, there is a part where the blank is omitted for convenience of explanation.

  As described above, according to the consistency inspection apparatus 1 according to the present embodiment, the consistency of a case to be inspected for consistency such as an assurance case is automatically inspected by a proof inspection (proof check). can do. Therefore, if the application of inference rules is inappropriate, the case is different from the case specified in advance, or the unit used is different, the error should be detected. Can do. As a result, the error can be corrected and a consistent case can be constructed. In addition, by performing the automatic inspection using the theorem proof support system, it is not necessary to develop original software for performing the inspection. Further, by converting the inspection object information described in the artificial language into the graph information by the translation unit 16, even a person unfamiliar with the description in the artificial language can easily grasp the structure of the case. It becomes like this. In addition, since graph information can be translated into information to be inspected, a user who is not familiar with the artificial language edits the case in the graph information and inspects the graph information according to the edited case. It is also possible to generate inspection object information described in an artificial language by translating into object information. It is also possible to check whether there is an error in the case generated in the graph information by performing a proof test on the inspection target information translated in this way.

  In addition, a case that is a subject of consistency check such as an assurance case is finally proved by evidence that is a leaf. Therefore, when the evidence is changed, etc., it is possible to easily verify whether the consistency of the case subject to the consistency inspection is guaranteed by performing a proof inspection on the inspection target information using the evidence after the change. Can be confirmed. In such a case, it can be considered that consistency is inspected using evidence as input data.

  In the present embodiment, the case where the case has a tree structure has been described particularly in the processes related to translation shown in the flowcharts of FIGS. 3 to 8. However, as described above, the case is a directed acyclic graph. It may have a structure. Therefore, here, the inspection object information corresponding to the case having the structure of the directed acyclic graph will be described, and the processing in the case of translating such inspection object information into the graph information, and such graph information A process for translating into inspection object information will be described. In the case of having a directed acyclic graph structure, a certain node has two or more parent nodes. In that case, as shown in FIG. 26, in the inspection target information, it is declared that the root node of the subgraph shared using the let syntax, that is, the node having two or more parent nodes is shared. Note that sharing that node means sharing a subgraph whose root node is that node. As a specific description, as shown in FIG. 26, when Evidence-A is shared, Evidence-A is defined as “myShareEvidence”. Pragma {-# DCASE mySharedEvidence shared #-} in the next line of the definition indicates a declaration that the subgraph is shared. The presence of this Pragma can be distinguished from a let syntax including local model information and the like. In the discussion structure after “in”, myShareEvidence appears twice, and is defined as “Evidence-A” as defined between let and in. In the specific example in which the Agda language is used as an artificial language for describing the inspection target information, it is assumed that the goal node, strategy node, and evidence node have two or more parent nodes, but there are two or more context nodes. Is not assumed to have any parent node. When a context node has two or more parent nodes, an ancestor node common to all of the parent nodes is set as the parent node of the context node so that the context node does not have two or more parent nodes. It is because it can be made. In addition, as a child node of the goal node, a plurality of nodes other than the context node do not exist.

  When the inspection target information corresponding to the case having the structure of the directed acyclic graph is translated into the graph information, when the let syntax exists in the inspection target information, the let syntax is shared by the nodes. Judge whether it is something or something else. The determination can be made using the aforementioned Pragma. Then, in the case of the let syntax for node sharing, the translation unit 16 temporarily defines the definition described between let and in (“myShareEvidence = Evidence-A” in the example of FIG. 26). Remember me. In the process of generating a node corresponding to the myShareEvidence item (steps S302 and S402), the translation unit 16 determines whether or not the node already exists. Is generated. On the other hand, if it already exists, the node may not be generated and the process may return to the upper flowchart. By doing so, when a term corresponding to a shared node appears for the first time, a node corresponding to that term is generated as usual, but for the second and subsequent occurrences of that term. Thus, the node itself is not generated, and only the link to the node generated at the first appearance is generated. The graph information obtained by translating the inspection target information shown in FIG. 26 is as shown in FIG. In FIG. 27, it can be seen that the node of Evidence-A is shared.

Next, a process when the graph information corresponding to FIG. 27 is translated into the inspection object information will be described. In this case, the translation unit 16 refers to the graph information and determines whether there is a shared node, that is, a node having two or more parent nodes (for example, an Evidence-A node). Specifically, the translation unit 16 may determine that there is a shared node when there is information on two or more links having a certain node as a target node. In this case, a node that is a target node based on information of two or more links is a shared node. Then, the translation unit 16 defines a definition (for example, “sharedEvidence = Evidence-A”, etc.) for giving a new name (for example, “sharedEvidence”, etc.) to the term corresponding to the subgraph below the shared node. Generate. The name may be, for example, a combination of “shared” and information indicating the type of node (for example, “Goal”, “Strategie”, “Evidence”, etc.). In addition, when the names overlap (for example, when there are two or more shared evidence nodes), information such as “1” or “2” may be appropriately added to the end of the name. Good. Next, the translation unit 16 specifies a position (node) at which the definition is inserted. The node to be identified is
(Condition 1) There is one route from the root node (Condition 2) A node that satisfies the two conditions that there are two or more ancestors of the shared node among the child nodes of the node . As a method for specifying the node to be specified, for example, the following processing may be performed. First, a determination target node is set as a root node. Further, it is determined whether there is one node that is an ancestor of the shared node or two or more child nodes of the node to be determined. If there are two or more, the node to be determined becomes the node to be specified. On the other hand, if there is one, that one node (this node is a child node of the root node) is determined as a determination target node. Further, similarly to the above-described processing, it is determined whether there is one node that is an ancestor of the shared node among the child nodes of the determination target node, or whether there are two or more nodes. If there are two or more, the node to be determined becomes the node to be specified. On the other hand, if there is one, that one node is set as a determination target node. This process may be repeated until the node to be determined becomes the node to be specified. Then, after the node to be specified can be specified, processing for generating inspection target information from the graph information is performed in the same manner as described above. In this case, a term with a defined name is generated for the shared node. In addition, after the process of translation into the inspection target illustrated in FIG. 6 is finished, the term “t” corresponding to the subgraph below the specific target node is defined as the term “t” corresponding to the previously generated shared subgraph “ Replace with a term of let syntax including “sharedEvidence = (term of shared subgraph)”. Specifically, the term t is replaced with the term let.
sharedEvidence = (shared subgraph term)
{-# DCASE sharedEvidence shared #-}
in
t
Replace with. In this way, the translation from the graph information having the structure of the directed acyclic graph to the inspection object information can be performed. Note that generation of the let syntax in the inspection target information may be performed when a term or an operator is sequentially added to the inspection target information. That is, when a term corresponding to a specific target node is generated, a let syntax including a term definition corresponding to a shared subgraph is generated, and further generation processing of subsequent terms and operators is continued. You may do it. Here, in the case of the example of FIGS. 26 and 27, the node to be specified is a strategy node corresponding to topStorage.

Further, in the present embodiment, by using a meta variable, proof inspection may be performed on incomplete inspection target information and incomplete graph information corresponding to a case that is a consistency inspection target. For this purpose, it is preferable to use an artificial language of an interactive proof support system as an artificial language that describes information to be examined. This is because, in the case of an interactive proof-supporting artificial language, the inspection unit 12 can perform proof inspection (proof check) even on inspection target information having a term including a meta variable. The above-mentioned Agda language is an example of an interactive proof support system artificial language. Here, the meta variable is a placeholder that indicates the part that is finally officially described in the incomplete (under construction) term, that is, “This part is currently in an undecided opening state. However, in the future, it is a placeholder that indicates a portion that will be filled with a specific partial term. Note that the inspection object information including the meta variable may or may not be translated from the graph information. As the latter case, for example, when the user inputs inspection object information as a description in an artificial language, a meta variable may be used. In this way, by performing proof inspection on inspection object information described using meta variables, there is an error in the inspection object information in the process of creation (or graph information in the process of creating the translation source of the inspection object information). If there is an error, the inspection object information (or the graph information of the translation source of the inspection object information) can be appropriately corrected so as to eliminate the error. Therefore, it is preferable that the proof inspection of the inspection target information including the meta variable is performed every time the inspection target information is changed. In addition, when graph information has been created, every time changes are made to the graph information that is being created, translation and proof inspection of the information to be inspected, including the meta-variable terms after translation, must be performed. Is preferred. Please refer to the following information for proof inspection of inspection object information including meta variables.
Information: Ulf Norell. Type checking in the presence of meta-variables. In TYPES 2007, Cividal del Friuli, Italy, May 2007 (conference url: http://users.dimi.uniud.it/types07/)
Information: Catarina Coquad and Thierry Coquad. Structured type theory. In Workshop on Logical Frameworks and Meta-languages, Paris, France, September 1999 (workshop url: http://www.site.uttawa.ca/~Laffle)

  Here, an example of inspection object information including meta variables and graph information will be briefly described. FIG. 28 is an example of inspection object information including meta variables. In FIG. 28, the meta variable {! ! } Is used. Therefore, in this case, the term of the goal node “TopGoal” or less is undecided. Note that the inspection object information in FIG. 28 may be considered to be obtained by translating the graph information according to FIG. In FIG. 29, since the child node side of the goal node is undetermined, an evidence node having value = “?” Is set. The translation unit 16 converts the evidence node having value = “?” Into the meta variable {! ! } Shall be converted into a term. Even if the inspection unit 12 performs a proof inspection on the inspection target information in FIG. 28, no error is detected. The proof check is a proof check by a proof checker of an interactive proof support system.

  Next, it is assumed that the user newly sets a strategy node term or the like for the goal node term “TopGoal” and the inspection target information is as shown in FIG. Also in this case, the user changes the graph information using D-Case Editor or the like, and as a result, the graph information corresponding to FIG. 31 is generated, and the translation result of the graph information is shown in FIG. You may think that it is inspection object information. In the inspection target information in FIG. 30, the subgoal node terms “SubGoal-A” and “SubGoal-B” are undecided, and a meta variable {! ! } Is set. Also in this case, no error is detected even if the certification inspection is performed on the inspection object information in FIG.

  Furthermore, it is assumed that the user newly sets the evidence node term “Evidence-A” for the subgoal node term “SubGoal-A” and the inspection target information is as shown in FIG. Also in this case, the user changes the graph information using D-Case Editor or the like, and as a result, the graph information corresponding to FIG. 33 is generated, and the translation result of the graph information is shown in FIG. You may think that it is inspection object information. Also in this case, no error is detected even if the certification inspection is performed on the inspection object information in FIG.

  On the other hand, in the inspection object information shown in FIG. 30, the user tries to input “Evidence-B” as the evidence node term corresponding to the subgoal node term “SubGoal-A” as shown in FIG. Suppose that In this case, since the types of SubGoal-A and Evidence-B are different, the checking unit 12 returns an error as a result of the certification check and refuses to accept the input. Then, the user looks at the inspection result shown in the lower three lines of FIG. 35 displayed by the inspection result output unit 13 to determine the location of the error (“file name: line number, column number” described in the first line). ) And the content of the error (described in the third line "(input item) Evidence-B has an error when confirming that it has type SubGoal-A (expected)) “Okay”, “(input term type) SubGoal-B cannot be converted to SubGoal-A (when both are viewed as Set type elements)”) Will be able to. As a result, the user can change the inspection object information as shown in FIG. 32 in order to eliminate the error. Note that the term to be included in the meta variable may or may not include the meta variable. FIG. 34 shows a case where the evidence node term “Evidence-B” including the meta variable is set.

  When a user tries to input an untyped term in a meta variable in the description in an artificial language, the input operation itself is rejected as described above, but incorrect graphical editing in D-Case Editor etc. Is not rejected in itself, but the error is revealed when it is verified through translation. Even in this case, an error can be found at an early stage by checking the consistency of an incomplete case. Suppose that the user sets “Evidence-B” as an evidence node corresponding to the subgoal node “SubGoal-A” in the graph information corresponding to FIG. 31 as shown in FIG. The user can translate the graph information into the inspection object information shown in FIG. 37 by the translation unit 16 while the case is incomplete. Also in this case, since the type of SubGoal-A and Evidence-B is different, the inspection unit 12 returns an error as a result of the certification inspection. Then, the user can know the location of the error and the content of the error by looking at the inspection result shown in FIG. 38 displayed by the inspection result output unit 13. As a result, the user can change the inspection object information as shown in FIG. 32 in order to eliminate the error.

  As described above, in the inspection target information, it is allowed to describe the term including the meta variable, and the inspection target information including the meta variable is also verified, so that the inspection target information being created or It is possible to check whether there is an error in the graph information. If there is an error, it can be corrected to appropriate inspection object information or graph information. On the other hand, if there is no error, it is possible to know that there is a possibility that inspection object information and graph information without error can be constructed by appropriately constructing inspection object information and graph information thereafter. In the above description, the handling of the model information at the time of translation from the graph information to the inspection object information was not particularly mentioned, but the model information exists as invisible information in the graph information as described above, for example, The model information that is invisible information may be included in the inspection target information, and in the graph information, the model information is set according to the content of the context node, and the model information is included in the inspection target information. Alternatively, the model information may not be generated when the graph information is translated into the inspection target information, and the model information may be separately input as a description in an artificial language after the translation. In the above description, the graph information including the evidence variable having only the meta variable has been described as the graph information including the meta variable, but this need not be the case. For example, the goal node or strategy node terms may be metavariables, or the terms themselves may appear as part of those terms rather than metavariables. Alternatively, in the notation of graph information that accepts not only nodes and links but also “subgraphs” as components of graph information, by associating meta-variables with uncertain subgraphs, “undefined arguments” and “undefined cases” May handle. In addition, in each series of inspection object information referred to in the above description, the module name is different for each inspection object information or a different comment is described for each inspection object information. It is for convenience to record various aspects, and it may be considered that the same module name is used and no comment exists.

  In the consistency inspection apparatus 1 according to this embodiment, the execution unit 14 is provided and the inspection target information is executed. However, this need not be the case. In the case where it is not necessary to perform the execution regarding the inspection target information, the consistency inspection apparatus 1 may not include the execution unit 14. Further, in the case where the execution relating to the inspection target information is not performed, the inspection target information may be described in an artificial language based on a type theory that is not a structural type theory.

  Moreover, although this embodiment demonstrated the case where both the translation from inspection object information to graph information and the translation from graph information to inspection object information were performed, it may not be so. The translation unit 16 may perform any one of the translations. In addition, when the translation does not need to be performed, the consistency checking device 1 may not include the translation unit 16 and the graph storage unit 15.

  In the present embodiment, the configuration in which the consistency inspection apparatus 1 includes the display unit 17 and the reception unit 18 has been described, but this need not be the case. When the consistency inspection apparatus 1 does not have the display unit 17, the consistency inspection apparatus 1 inspects whether there is an error in the inspection object information stored in the inspection object storage unit 11, for example. Only a device may be used. Further, when the consistency inspection apparatus 1 does not have the receiving unit 18, the consistency inspection apparatus 1 determines whether there is an error in the inspection target information provided by, for example, an externally removable recording medium. It may be a device for inspecting.

  In addition, the types of nodes, the types of operators and terms described in the present embodiment are examples, and it is needless to say that other types of nodes, types of operators and terms may exist. In addition, among the information possessed by a case to be checked for consistency, such as an Assurance case, the more the range described in an artificial language such as Agda, that is, the range described in the information to be checked, the more consistent The scope of inspection will also be expanded. Therefore, it is preferable to describe a larger range in the inspection object information.

  In the present embodiment, the case where the model information has only the declaration of poster has been mainly described. Needless to say, the model information may include other declarations. The model information may include, for example, a data type definition, a record type definition, a function definition, or an import declaration of another module, which is a declaration of a type other than poster.

  In the above-described embodiment, the case where the consistency checking apparatus 1 is a stand-alone has been described. However, the consistency checking apparatus 1 may be a stand-alone apparatus or a server apparatus in a server / client system. Good. In the latter case, the output unit, the display unit, and the reception unit may output information, display information, or receive input via a communication line.

  In the above embodiment, each process or each function may be realized by centralized processing by a single device or a single system, or may be distributedly processed by a plurality of devices or a plurality of systems. It may be realized by doing.

  In the above embodiment, the information exchange between the components is performed by one component when, for example, the two components that exchange the information are physically different from each other. It may be performed by outputting information and receiving information by the other component, or when two components that exchange information are physically the same, one component May be performed by moving from the phase of the process corresponding to to the phase of the process corresponding to the other component.

  In the above embodiment, information related to processing executed by each component, for example, information received, acquired, selected, generated, transmitted, or received by each component In addition, information such as threshold values, mathematical formulas, addresses, etc. used by each component in processing is retained temporarily or over a long period of time on a recording medium (not shown) even when not explicitly stated in the above description. It may be. Further, the storage of information in the recording medium (not shown) may be performed by each component or a storage unit (not shown). Further, reading of information from the recording medium (not shown) may be performed by each component or a reading unit (not shown).

  In the above embodiment, when information used by each component, for example, information such as a threshold value, an address, and various setting values used by each component may be changed by the user Even if it is not specified in the above description, the user may be able to change the information as appropriate, or it may not be. If the information can be changed by the user, the change is realized by, for example, a not-shown receiving unit that receives a change instruction from the user and a changing unit (not shown) that changes the information in accordance with the change instruction. May be. The change instruction received by the receiving unit (not shown) may be received from an input device, information received via a communication line, or information read from a predetermined recording medium, for example. .

  In the above embodiment, when two or more components included in the consistency inspection apparatus 1 include a communication device or an input device, the two or more components have a physically single device. Or may have separate devices.

  In the above embodiment, each component may be configured by dedicated hardware, or a component that can be realized by software may be realized by executing a program. For example, each component can be realized by a program execution unit such as a CPU reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory. In addition, the software which implement | achieves the consistency inspection apparatus 1 in the said embodiment is the following programs. In other words, this program is a directed acyclic including a goal node corresponding to an objective, an evidence node corresponding to a basis for proving the objective, and a strategy node that decomposes one goal node into one or more goal nodes. The case of the consistency check target having a graph structure is information described using a term corresponding to each node and an operator corresponding to the parent-child relationship of each node. A computer that can access an inspection object storage unit that stores information to be inspected, which is information described in an artificial language, an inspection unit that performs proof inspection on the inspection object information, and outputs a result of proof inspection by the inspection unit It is a program for functioning as an inspection result output unit.

  In the program, the functions realized by the program do not include functions that can be realized only by hardware. For example, a function that can be realized only by hardware such as a modem or an interface card in an output unit that outputs information is not included in at least the function realized by the program.

  Further, this program may be executed by being downloaded from a server or the like, and a program recorded on a predetermined recording medium (for example, an optical disk such as a CD-ROM, a magnetic disk, a semiconductor memory, or the like) is read out. May be executed by Further, this program may be used as a program constituting a program product.

  Further, the computer that executes this program may be singular or plural. That is, centralized processing may be performed, or distributed processing may be performed.

  FIG. 39 is a schematic diagram showing an example of the appearance of a computer that executes the program and realizes the consistency checking apparatus 1 according to the embodiment. The above-described embodiment can be realized by computer hardware and a computer program executed on the computer hardware.

  39, a computer system 900 includes a computer 901 including a CD-ROM (Compact Disk Read Only Memory) drive 905 and an FD (Floppy (registered trademark) Disk) drive 906, a keyboard 902, a mouse 903, a monitor 904, and the like. Is provided.

  FIG. 40 is a diagram showing an internal configuration of the computer system 900. 40, in addition to the CD-ROM drive 905 and the FD drive 906, a computer 901 is connected to an MPU (Micro Processing Unit) 911, a ROM 912 for storing a program such as a bootup program, and the MPU 911. A RAM (Random Access Memory) 913 that temporarily stores program instructions and provides a temporary storage space, a hard disk 914 that stores application programs, system programs, and data, and an MPU 911 and a ROM 912 are interconnected. And a bus 915. The computer 901 may include a network card (not shown) that provides connection to a LAN, WAN, or the like.

  A program for causing the computer system 900 to execute the function of the consistency checking device 1 according to the above-described embodiment is stored in the CD-ROM 921 or the FD 922, inserted into the CD-ROM drive 905 or the FD drive 906, and the hard disk 914. May be forwarded to. Instead, the program may be transmitted to the computer 901 via a network (not shown) and stored in the hard disk 914. The program is loaded into the RAM 913 when executed. The program may be loaded directly from the CD-ROM 921, the FD 922, or the network.

  The program does not necessarily include an operating system (OS), a third-party program, or the like that causes the computer 901 to execute the functions of the consistency check apparatus 1 according to the above-described embodiment. The program may include only a part of an instruction that calls an appropriate function (module) in a controlled manner and obtains a desired result. How the computer system 900 operates is well known and will not be described in detail.

  Further, the present invention is not limited to the above-described embodiment, and various modifications are possible, and it goes without saying that these are also included in the scope of the present invention.

  As described above, according to the consistency inspection apparatus or the like according to the present invention, the effect that the consistency of the case that is the object of the consistency inspection can be automatically inspected is obtained, and it is useful as an apparatus for performing such an inspection. .

DESCRIPTION OF SYMBOLS 1 Consistency inspection apparatus 11 Inspection object memory | storage part 12 Inspection part 13 Inspection result output part 14 Execution part 15 Graph memory | storage part 16 Translation part 17 Display part 18 Reception part

Claims (12)

Having a directed acyclic graph structure including a goal node corresponding to an objective, an evidence node corresponding to a basis for proving the objective, and a strategy node that decomposes one goal node into one or more goal nodes; Cases that are subject to consistency checking are information described using terms corresponding to each node and operators corresponding to the parent-child relationship of each node, and are described in an artificial language that is subject to proof checking. An inspection object storage unit for storing inspection object information, which is information,
An inspection unit that performs proof inspection on the inspection object information;
A consistency inspection apparatus comprising: an inspection result output unit that outputs a result of a certification inspection by the inspection unit. The inspection object information includes model information including definitions of each term included in the inspection object information, and discussion structure information indicating a structure of a directed acyclic graph corresponding to the inspection object information. Consistency checker. A graph storage unit that stores information about each node of the directed acyclic graph corresponding to the inspection target information and a parent-child relationship between the nodes, and stores graph information that is information on a case to be inspected for consistency When,
According to the parent-child relationship pattern of each node of the graph information, each node of the graph information is converted into a term, the parent-child relationship of each node is converted into an operator, and the inspection object information after conversion is stored in the inspection object memory The consistency inspection apparatus according to claim 1, further comprising a translation unit that accumulates in the unit. The directed acyclic graph further includes a context node corresponding to context information regarding the case whose consistency is to be checked,
A graph storage unit that stores information about each node of the directed acyclic graph corresponding to the inspection target information and a parent-child relationship between the nodes, and stores graph information that is information on a case to be inspected for consistency When,
The inspection object information is converted into each node of the inspection object information according to a pattern of a term and an operator, each operator is converted into a parent-child relationship of each node, and the converted graph information is converted into the above-described graph information. The consistency inspection apparatus according to claim 1, further comprising a translation unit that accumulates in the graph storage unit. The consistency check device according to any one of claims 1 to 4, wherein the artificial language is an artificial language based on a constructive type theory. The consistency inspection apparatus according to claim 5, further comprising an execution unit that executes the inspection object information that has been inspected for errors by a proof inspection by the inspection unit. The execution unit executes the inspection target information to obtain, from the inspection target information, a term corresponding to each node of the case that is a consistency inspection target and an operator corresponding to the parent-child relationship of each node. The consistency inspection apparatus according to claim 6, wherein the inspection target information is explicitly written. In the inspection object storage unit, a conversion program corresponding to the process of converting the inspection object information into the graph information is also stored,
The consistency inspection apparatus according to claim 4, wherein the translation unit converts the inspection target information into the graph information by executing the conversion program. 9. The consistency checking apparatus according to claim 8, wherein the inspection object information and the conversion program are described in the same artificial language based on a constructive type theory. The item of the inspection object information includes a meta variable,
The consistency check apparatus according to claim 1, wherein the artificial language is an artificial language of an interactive proof support system. Having a directed acyclic graph structure including a goal node corresponding to an objective, an evidence node corresponding to a basis for proving the objective, and a strategy node that decomposes one goal node into one or more goal nodes; Cases that are subject to consistency checking are information described using terms corresponding to each node and operators corresponding to the parent-child relationship of each node, and are described in an artificial language that is subject to proof checking. A consistency inspection method that is processed by using an inspection object storage unit in which inspection object information is stored, an inspection unit, and an inspection result output unit,
An inspection step in which the inspection unit performs a proof inspection on the inspection object information;
A consistency inspection method, comprising: an inspection result output step in which the inspection result output unit outputs a result of a certification inspection in the inspection step. Having a directed acyclic graph structure including a goal node corresponding to an objective, an evidence node corresponding to a basis for proving the objective, and a strategy node that decomposes one goal node into one or more goal nodes; Cases that are subject to consistency checking are information described using terms corresponding to each node and operators corresponding to the parent-child relationship of each node, and are described in an artificial language that is subject to proof checking. A computer accessible to the inspection object storage unit in which the inspection object information is stored,
An inspection unit that performs proof inspection on the inspection object information,
A program for causing an inspection result output unit to output a result of a certification inspection by the inspection unit.