KR100448019B1 - the operation method and network alarm variable information electrical system - Google Patents

Abstract

The present invention relates to a system for transmitting alarm variable information through a communication network and a method of operating the same.

According to the present invention, when an abnormal state of the target facility device occurs, the comprehensive control room 10 determines and controls the alarm variable information. The alarm variable information is immediately transmitted to the subject, and the received subject is fed back to the integrated control room. When inputting transmission information such as management environment, IT environment, alarm variable, work information of own organization and device, this input result is treated as a new case in the task scheduler 20 and the case is delivered to the case-based reasoning processor 30. In addition, the case-based reasoning processor 30 selects a unique attribute among the attributes of the new case, assigns an index, and calculates the similarity by searching the database of past alarm information risk factor analysis cases for the cases most similar to the index attribute value. It is composed.

According to the present invention configured as described above, the relevant information is promptly transmitted to the person in charge as soon as an alarm variable information situation occurs, such as safety of a national important facility and equipment stoppage of an industrial facility and a failure, and the person in charge is responsible for transmitting information even while remote or on the move. In particular, the case analysis results are automatically transmitted using the most similar risk analysis cases of the relevant sector, so that the cause of equipment stoppage of the facility can be analyzed quickly and the solution can be provided. It is.

Description

System for transmitting alarm variable information through a communication network and its operation method {the operation method and network alarm variable information electrical system}

The present invention relates to a system for transmitting alarm variable information through a communication network and a method of operating the same, and more specifically, to a person in charge of alarm variable information situations such as safety of a national important facility, equipment stoppage of an industrial facility, and a failure. In order to respond promptly and to respond to it, the responsible person can transmit and check the information remotely or on the move. In particular, the case analysis results are automatically and quickly delivered by using the most similar risk analysis cases of the relevant sector. It is to analyze the cause of the equipment stop and to provide a solution.

As is well known, case-based reasoning (CBR) refers to solving new problems by applying the solutions used to solve past problems.

As shown in FIG. 1, through conventional CBR, a comprehensive control room → alarm information risk identification → alarm information risk data collection → alarm information risk assessment → risk and vulnerability assessment → generate analysis results. Traditional alarm variable delivery methods were implemented.

In other words, the method of delivering alarm variables such as the device abnormality firstly includes the device error warning, secondly, visual identification of the first worker's device error, thirdly, the cause analysis of the first worker's abnormality, fourthly, wired notification of the person in charge, and fifth, cause response. There are five stages.

However, in the conventional method as described above, a problem occurs that requires a lot of time for the judgment and troubleshooting of the first person in case of emergency, and the cause analysis can not be reused because the experience and knowledge of similar cases in the past cannot be recycled. There is a problem in that it takes time and technical time to find a solution.

Furthermore, in the related art, a problem arises that it takes a lot of time for the expert to be input, and this causes a big problem that only the expert can perform the problem.

The present invention has been made to solve all the problems of the prior art as described above, using alarm information risk factors analysis cases performed by experts in the past, alarm information, such as equipment safety of major national facilities, equipment stoppage, failure occurrence By analyzing the risk factors and automatically presenting the systematic analysis results, the first object is to make it possible for beginners who do not have the expertise of alarm information risk factor analysis to perform alarm information risk factor analysis task quickly and easily. The second objective is that it is difficult to calculate the alarm information risk factor analysis results suitable for the technical environment, such as the equipment shutdown of a critical facility inherent in the alarm information risk factor, which is pointed out as a problem of the existing structural risk analysis method. Cost-effective, fast and important The purpose of this study was to obtain the alarm information risk factor analysis reflecting the award situation, and the third purpose is to provide a system and method of transmitting alarm variable information through a communication network that can greatly improve the quality and reliability of the product. to provide.

In order to achieve the above object, the present invention is based on the decision history storage unit, the disaster prevention plan rule, the disaster prevention plan rule, the disaster prevention plan memory unit and the information input reception unit, and the history information of the decision made at the time of disaster. In the disaster decision support apparatus having a decision support information preparation unit which has prepared decision support information and a decision information execution unit which has executed the decision support information created by the decision support information preparation unit, This is judged and controlled in the integrated control room, which is immediately transmitted to the subject, and the subject receives feedback to the integrated control room, and the user inputs transmission information such as the management environment, IT environment, alarm variables, and work information of his or her organization and equipment. This input result is treated as a new case by the task scheduler 20, and the case is a case-based reasoning processor (3). 0), the case-based reasoning processor 30 selects a unique attribute among the attributes of the new case, assigns an index, and retrieves the cases most similar to the index attribute value from the historical alert information risk factor analysis case database. It provides a system for transmitting alarm variable information through a communication network case-based reasoning, characterized in that configured to calculate the similarity.

Hereinafter, described in detail with reference to the accompanying drawings a preferred embodiment of the present invention for achieving this purpose are as follows.

1 is a block diagram of a conventional alarm variable transmission method.

Figure 2 uses the present invention case-based reasoning and structural alert information risk factor analysis

Configuration of an embodiment of a method for transmitting alarm variable information through a communication network

Degree.

3 is an analysis of risk factors of alarm information based on case-based reasoning of the present invention and

Alarm transmission technology through trust Overall flow chart and alarm information Before risk factors

Configuration diagram of an embodiment of data stored in a song information database.

<Explanation of symbols for the main parts of the drawings>

10: Comprehensive Control Room 20: Task Scheduler

30: Case Based Reasoning Processor

A system for transmitting alarm variable information and a method of operating the same through a communication network applied to the present invention are configured as shown in FIGS. 2 and 3.

In the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

The following terms are terms set in consideration of functions in the present invention, which may vary depending on the intention or custom of the producer, and their definitions should be made based on the contents throughout the specification.

First, the target field of the system and the operating method of the alarm variable information transmission through the present invention network is "national facilities" "national safety and security, defense, information, disasters, firefighting and important facilities", "electric power industry" (Firepower, Nuclear Power, Hydropower, Cogeneration, Power Supply Stations, etc.): Companies, power plants, etc. .

The transmission medium includes a conventional mobile phone (011,016,017,018,019), a computer with a network function, a monitor with a mobile communication function, a Page Phone (Pager).

In addition, the transmission means uses wired, wireless, and satellite, and the transmission technology includes special tool development (CDR: algorithm) and text, voice, and video using CDR.

In addition, in case of transmission information (e.g. in the power industry) (building a database of related information), `` Alarm variable: device stoppage, device failure (functions including cause and emergency measures) '', `` Emergency information: safety accident, Emergency contact network function ”,` `Operation information: In case of power industry (output, frequency, voltage, during operation, stopping, important work matters, breakdown of equipment) '',` `Business information: instructions, report matters (video: breakdown equipment) And on-site situation) ”,“ Data retrieval: facilities, materials, personnel, performance, planning, and domestic and international related data ”, and the transmission information related data is configured so that users can select, input, modify, and supplement.

In addition, one or two or more persons (single or plural), business sites and headquarters (headquarters) are divided into individual databases, and the corresponding information is divided and classified according to job titles and duties. The data related to the transmission target is configured so that the user can select, input, modify, and supplement the data.

Others include reception check function, system manager database construction, communication security system construction and transmission data system and administrator.

In more detail, when the abnormal state of the target facility equipment occurs, the comprehensive control room 10 determines and controls this, and the alarm variable information is immediately transmitted to the subject and the subject receives the feedback to the comprehensive control room. If the user inputs transmission information such as management environment, IT environment, alarm variable, and work information of his or her organization and device, the input result is treated as a new case in the task scheduler 20, and the case is a case-based reasoning processor (30). In this case, the case-based reasoning processor 30 selects a unique attribute among the attributes of the new case and assigns an index, searches for the cases most similar to the index attribute value in the past alarm information risk factor analysis case database. Configured to calculate the similarity.

The present invention uses a case-based reasoning (CBR) technique applied to the risk analysis system of the transmission of alarm information variables, such as safety of national critical facilities such as power plants, equipment shutdown of industrial facilities, occurrence of failure, etc. A technology for alert information transmission, comprising: a first step of, when receiving attribute information of a specific sector from a user, regards the received attribute information as an input case that is an object of risk analysis of alert information; A second step of transmitting a feedback to the end user through a communication network after the first step to solve the problem and feedbacking; A third step of analyzing a risk analysis case having the most similarity to the input case among the past risk analysis cases stored after the second step; A fourth step of evaluating risk factors, threat factors, and vulnerabilities with respect to the input case using the evaluation result of the searched most similar risk analysis case after the third step; And a fifth step of comprehensively analyzing risk factors for a specific sector by combining the evaluation results after the fourth step and providing the user with the specific partial risk analysis result and solutions and references.

According to the present invention, when the attribute information of a specific sector is input from the user to the alarm information risk factor analysis system having a processor for constructing a delivery system using case-based reasoning, structural alarm information risk factor analysis, and wired / wireless satellite, etc. A first function of considering information as an input case subject to an alarm information risk analysis; A second function of retrieving a risk analysis case having the highest similarity with the input case among stored historical alarm information risk factor analysis cases; A third function of evaluating alarm information value, threat, and vulnerability for the input case by using an evaluation result of the retrieved most similar alarm information risk factor analysis case; And a fourth function of analyzing the alarm information risk factor for the specific sector by synthesizing the evaluation result and providing the alarm information risk factor analysis result to the user. A fifth function of searching for whether there is a past infringement and providing the user with the evaluation of the searched infringement reflected in the third function evaluation; And providing a solution for further realizing a sixth function of re-correcting the evaluation result provided by the fifth function and other alarm information risk factors due to device abnormality to the user using a transmission means such as wireless. Includes features

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

According to the present invention is a diagram illustrating an embodiment of an automatic alarm information analysis method combining case-based reasoning and structural alarm information risk factor analysis.

The system which combines case-based reasoning and alarm information risk factor analysis to which the present invention is applied is a task 2 alarm task risk identification and task to a task scheduler 20 that performs the existing structural alert information risk factor analysis method. Task 3 consists of the addition of a case-based reasoning processor 30 to provide expert knowledge to perform threat and vulnerability assessments. Threats refer to factors or situations that can cause damage to certain sectors such as devices, including external threats (e.g. hacking / viruses, damage from external invaders, earthquakes, etc.) and internal threats ( For example, mistakes made by employees, data miss entries, etc.). Vulnerability refers to a weakness in control that does not sufficiently protect a particular segment, such as a device, against a threat. Risk refers to the degree of loss of devices that can be generated through threats and vulnerabilities, which are determined by the value threats and vulnerabilities of specific sectors such as devices. At this time, Task 1 is the part that receives the user input to infer the risk analysis of the alarm information. From the user, the relevant field, alarm variable, emergency information, operation information, task, decision by position, report, processing, information technology environment, etc. Input the property information of. When Task 1 is completed, the Task Scheduler 20 goes through the case-based reasoning of Task 2 (Alarm Information Risk Assessment) and Task 3 (Threatment Assessment, Vulnerability Assessment). Produce the results of the analysis in order.

In other words, after performing alarm information risk value assessment, threat assessment, and vulnerability assessment, the result of each evaluation is synthesized to generate an alarm information risk factor analysis result. The alarm information risk assessment, threat assessment, or vulnerability assessment obtains the respective evaluation results by the case-based reasoning (CBR) processor 30.

Task 1, which receives the input, and Task 4, which shows the inference result, are related to simple input / output.

However, the overall operation of the case-based reasoning processor (CBR Processor) 30 that performs task-based alarm information risk factor valuation, task 3 threat and vulnerability assessment by case-based inference is as follows.

The case-based reasoning processor (SBR Processor) 30 which performs the case-based reasoning gives an index for finding a similar case with respect to the input case when a new alarm information risk factor analysis case is input from the user. In this case, the index is given according to an index rule stored in advance. At this time, the index rule scans items of a case input by the user, and is a device sector, a work process, a type of data and other input cases that are essential for alarm information risk factor value, evaluation, threat and vulnerability evaluation. The unique attribute among the items is selected to give a standardized normalized taxonomy index for each item.

After that, the similar case is searched in the alarm information risk factor analysis case database (DB) for the input case, and among the retrieved similar cases, the most similar case is searched by the similarity evaluation rule. Here, the alarm information risk analysis case database (DB) stores past alarm information risk analysis cases. In addition, the risk analysis result is modified according to a modification rule (Rule) to fit the alarm information risk factor analysis result derived from the searched most similar case to the newly entered case, and the evaluation result is corrected and the evaluation result is presented to the user. That is, it is modified by the causal model rule between case and attribute value and evaluation result value.

In addition, the evaluation results presented to the user are searched for the breach incident database (DB) to present the evaluation results more realistic to the user and receive feedback from the user. The user can then revise the evaluation results, which are then revised in accordance with the Supplementary Rules.

Meanwhile, the operation of the alarm information security risk factor analysis system is briefly described as follows.

First, when a user inputs transmission information such as the management environment, IT environment, alarm variables, and work information of his or her organization and device, the input result is treated as a new case in the task scheduler 20. It delivers to the CBR PROCESSER 30.

At this time, the case-based reasoning processor (CBR PROCESSER) 30 selects a unique attribute among the attributes of the new case and assigns an index, and analyzes the risk factors of past alarm information risk factors that are most similar to the index (INDEX) attribute value. Similarity is calculated by searching in the case database (DB).

In addition, the present invention is an embodiment structure diagram of the data stored in the alarm information risk factor analysis case (DB) database (DB) as shown in the figure. It is a data structure that stores risk analysis cases performed in the past and is stored in the risk analysis case database (DB).

At this time, the risk factor of the alarm information is automatically calculated as the weighted average value of the probability of loss and the vulnerability evaluation result, and the degree of loss appears as expected loss when illegal exposure, tampering, or destruction of the alarm information risk factor occurs. And it can be divided into a structure for each specific factor to be derived. Among them, an embodiment structure diagram of data stored in an alarm information security breach incident (Case) database (DB) according to the present invention can be drawn. In addition, the drawing is a data structure that stores past alarm information security breach incident cases, and is stored in the alarm information security violation case database (DB) of individual case databases (DB) derived from the drawing.

In addition, an embodiment of a similarity calculation method for searching for similar cases according to the present invention can also be drawn as an explanatory diagram.

In addition, the description of the similarity calculation method in the process of evaluating the value of the alarm information factor can be drawn.

The present invention selects important items such as industry, work process, alarm variable, operation information, and work information that can have a significant impact on the evaluation of the value of alarm information from existing input cases and newly input case items, and the similarity difference for each item is selected. Calculate

The similarity difference (SIM) calculation method is divided into abstraction layer difference, quantitative difference, and qualitative difference calculation method according to the property of an item.

That is, first, the abstraction layer difference calculation method is calculated based on the degree of similarity between the two items in the classification system. For example, if the power industry of the newly inputted item is the substation area, the existing input case 1 is the power supply station, and the case 2 is the power distribution control room. high.

Second, the quantitative difference calculation method calculates the similarity as the numerical difference between two case items. For example, the absolute value of the two cases of voltage difference is determined by the similarity.

Thirdly, qualitative difference calculation method calculates similarity by qualitative level difference classified according to 5-step scale. For example, how severe is the short circuit? In response to: 1. Very low, 2. Low, 3. Normal, 4. High, 5. Very high. Evaluate in five steps and calculate the similarity through this level difference.

When the similarity difference for each item is calculated, the similarity difference value is multiplied by a predetermined weight for each item according to each item attribute. The weighted average obtained by dividing the sum of the weighted similarity differences for each item calculated by the total weighted sum is calculated as the final similarity. That is, each attribute may be weighted differently according to importance, and thus, the similarity may be differently assigned according to the weight and importance of each item, and thus the similarity is the difference between the weight of each item and the case (attribute of the input case). The sum of the value multiplied by the information value and the difference between the attribute information values of the past risk analysis case is calculated as a weighted average value divided by the weighted sum.

For example, the similarity of the alarm information risk assessment value between the newly entered case and the previously entered case 1 is calculated as follows.

The weighted similarity difference of the item 'work' is calculated by calculating the abstraction difference between the work items, which is the compared item property (e.g. 3), and multiplying the weight assigned to the item 'work' (e.g. 5 points) (3 X 5 = 15 Calculate Similarly, the qualitative difference of the 'leakage degree' item is calculated (e.g., 2) and the weighted similarity difference of the item 'leakage degree' is multiplied by the weight (e.g., 10 points) assigned to the item 'competition degree' ( 2 x 10 = 20).

Finally, the sum of the weighted similarity differences of the items calculated in this way is calculated (5 + 10 points = 15 points, assuming that there are only two items above), and divided by (35 ÷ 15 = 2.3).

In addition, an example of a method of calculating similarity in an alarm information risk factor evaluation process may be given.

IT environment items such as network type, web server type, DBMS type, etc., which can have a significant impact on the threat, are selected in the same way as the method applied when evaluating the risk factors of the alarm information. do.

An example of the similarity calculation method in the vulnerability assessment process may be mentioned.

In other words, it is calculated in the same way as the method applied in the above-mentioned risk information evaluation of alarm information, but IT control and management environment items such as virus protection level and firewall control level that can have a significant impact on vulnerability assessment are selected as important items. do. Accordingly, the similar case search results according to the present invention can be illustrated. That is, the case-based reasoning (CBR) processor 30 may display a result of a similar case search for a case input by a user.

The case-based reasoning (CBR) processor 30 selects the case with the highest similarity and modifies the evaluation result of the selected case according to the newly input case situation.

In addition, the present invention may appear as a result of the implementation of the method for adapting the case presentation result.

The causal model is applied to the evaluation results (alarm information risk assessment, risk assessment, and vulnerability assessment) inferred from past cases similar to those input from the user. That is, the evaluation result of the selected case is modified by a causal model rule between the attribute value of the case and the evaluation result value.

Thereafter, if there is a past infringement case, it is searched for and if there is a past infringement case, the evaluation result of the past infringement case is finally reflected to present the evaluation result modified and adapted to the situation to the user. Here, past infringement cases refer to infringement cases known to the general public such as which device has an abnormality and the current device frequently occurs.

A causal model can also be drawn for modifying the case presentation results according to the present invention.

In this way, the causal model is applied to modify the alarm information risk factor evaluation results derived from the selected similar cases. In other words, the newly entered case and attribute values are applied to this causal model to modify the result of risk information evaluation of alarm information derived from similar cases.

Hereinafter, the causal model rule applied at the time of evaluating the risk information value of the alarm information will be described.

Asset value is defined as the loss that a device suffers in the event of device destruction, unavailability, or tampering.

According to the value of each item attribute of the newly entered case, the degree of impact on the loss, that is, the value of the risk information of the alarm information, will be changed. The high degree of impact means that alarm information risk factors are as important.

For example, if the number of strokes over the device of the newly entered case is small, the impact of a breakdown or non-availability accident is 1, but the modulation is 3, which is normal.

On the other hand, when a short circuit is normal, the effects are 2, 2, 3, and 5 in case of breakdown, unavailability, and modulation accident.

In the event of destruction, inability, or tampering caused by a causality model rule method, the value of each item in the newly entered case can be calculated.

If the average value of the influence of each item (attribute) calculated in this way is obtained, it is possible to comprehensively calculate the degree of the loss effect in case of breakdown, unavailability, and modulation in the newly input case.

Thus, the risk value of alarm information is calculated by integrating alarm information risk variables such as the degree of impact and loss of equipment when each accident occurs.

On the other hand, the causal model rule applied in the threat evaluation defines the probability of occurrence according to the newly entered item value to evaluate how high the probability of each threat factor (eg destruction), such as internal and external threat factors, is occurring. .

For example, the probability of device destruction threat is defined as high when there is a high device failure (such as a short circuit).

At the same time, the causal model rules applied in the vulnerability assessment define the relationship between each internal security control, the degree of management and the probability of a security incident such as destruction, non-availability, and tampering. The better internal security control management (e.g. encryption) is, the lower the probability of a security incident.

As described above, the present invention may be variously modified and may take various forms in applying the above components.

And it is to be understood that the invention is not limited to the specific forms referred to in the above description, but rather includes all modifications, equivalents and substitutions within the spirit and scope of the invention as defined by the appended claims. It should be understood that.

As described in detail above, the present invention analyzes risk factors such as safety of national major facilities, equipment stoppage of industrial facilities, and occurrence of failures by using alarm information risk factor analysis cases performed by experts in the past, and analyzes the systematic analysis results. By presenting it automatically, even beginners who do not have the expertise of alarm information risk factor analysis can quickly and easily perform alarm information risk factor analysis, and point out the alarm information risk factors pointed out as a problem of the existing structural risk analysis method. It is economical and quick, and special situation of important facility is well solved by solving the problem that it is difficult to calculate the alarm information risk factor analysis result that is suitable for the technical environment such as equipment stop of the critical facility inherent and it takes much time and cost to analyze the alarm information risk factor. Reflected alarm information risk factors analysis results can be obtained This is a very useful invention that can greatly improve the quality and reliability of the product.

Claims (3)

Decision support system based on the disaster prevention plan rule storage unit, information input reception unit, and the decision history memory unit that records the history information of the decision decision already made at the time of disaster, and the disaster prevention plan rule, disaster alert and history information. In the disaster decision support apparatus having an information creation unit and a decision information execution unit that executes the decision support information created by the decision support information creation unit, When an abnormality occurs in the device, it is determined and controlled in the integrated control room, and immediately transmitted to the target person, and the received target person is fed back to the integrated control room, and the user manages the organization environment, IT environment, alarm variables, When inputting transmission information such as work information, the input result is treated as a new case in the task scheduler 20, and the case is transferred to the case-based reasoning processor 30, and the case-based reasoning processor 30 has attributes of the new case. Selecting a unique property from among them, assigning an index, and searching the case most similar to the index property value in the past alarm information risk factor analysis case database to calculate the similarity. Information transmission system. Decision support system based on the disaster prevention plan rule storage unit, information input reception unit, and the decision history memory unit that records the history information of the decision decision already made at the time of disaster, and the disaster prevention plan rule, disaster alert and history information. In the disaster decision support apparatus having a decision information execution section that executes the decision support information created by the information creation section and the decision support information creation section, A first step of considering the input attribute information as an input case for analyzing an alarm information risk factor when receiving attribute information on a specific sector from a user; A second step of transmitting a feedback to the end user through a communication network after the first step to solve the problem and feedbacking; Among the risk analysis cases stored after the second step, the risk analysis case having the highest similarity to the input case includes the abstraction layer difference, the quantitative difference, and the qualitative difference. The method is calculated based on how similar items are in the classification system, and the quantitative difference calculation method includes: a third step of calculating similarity based on a numerical difference between two case items; A fourth step of evaluating risk factors, threat factors, and vulnerabilities with respect to the input case using the evaluation result of the searched most similar risk analysis case after the third step; After the fourth step, the qualitative difference calculation method is used to aggregate the evaluation results to comprehensively analyze the risk factors for a particular sector, and to provide the user with the specific partial risk analysis result and solutions and references. And a fifth step of providing a similarity value with qualitative level differences classified according to the case-based reasoning. delete