WO2014174656A1 - Control system inspection apparatus - Google Patents
Control system inspection apparatus
- Publication number
- WO2014174656A1 (PCT/JP2013/062320)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- control system
- information
- plant
- model
- inspection apparatus
- Prior art date
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B23/00—Testing or monitoring of control systems or parts thereof
- G05B23/02—Electric testing or monitoring
- G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
- G05B23/0218—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
- G05B23/0243—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model
- G05B23/0245—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model based on a qualitative model, e.g. rule based; if-then decisions
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B17/00—Systems involving the use of models or simulators of said systems
- G05B17/02—Systems involving the use of models or simulators of said systems electric
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/23—Pc programming
- G05B2219/23456—Model machine for simulation
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24034—Model checker, to verify and debug control software
Definitions
- the present invention relates to a technique for inspecting the safety of a control system.
- ECU software is executed on a microcontroller (microcomputer) on which an arithmetic unit (CPU) is mounted, and periodically acquires the value of a sensor connected to the ECU from an analog-digital conversion (ADC) module attached to the microcomputer.
- Software safety functions are installed as countermeasures against abnormal conditions such as sensor failure, noise, and sensor misdetection.
- As an example of such a safety function, the currently acquired sensor value (current value) is compared with the sensor value acquired in the previous control cycle (previous value); if the difference (variation amount) exceeds a certain level, an abnormality is assumed and the variation amount is clamped to a fixed value determined at design time. Further, when this abnormality continues for a certain period of time, fail-safe processing is performed to bring the system to a safe state, such as stopping the system.
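The rate-of-change check and the fail-safe escalation described above, written out as an added Python illustration. This is not code from the patent or from any ECU; the variation limit, the cycle count and the two sensor traces are constructed assumptions.

```python
"""Sensor plausibility check with fail-safe escalation.
Added example in Python; the limits and sample traces are constructed assumptions, not values from the patent."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SensorGuard:
    max_delta: float            # largest credible change between two control cycles (design-time value)
    max_abnormal_cycles: int    # consecutive abnormal cycles tolerated before fail-safe processing
    prev: Optional[float] = None
    abnormal_cycles: int = 0
    fail_safe: bool = False

    def step(self, raw: float) -> float:
        """One control cycle: return the sensor value the controller may use."""
        if self.fail_safe:
            return self.prev                       # latched: hold the last accepted value; caller must stop/degrade
        if self.prev is None:
            self.prev = raw                        # first cycle has no previous value to compare against
            return raw
        delta = raw - self.prev
        if abs(delta) > self.max_delta:
            # abnormal: clamp the variation to the design-time limit instead of trusting the raw reading
            self.abnormal_cycles += 1
            accepted = self.prev + (self.max_delta if delta > 0 else -self.max_delta)
            if self.abnormal_cycles >= self.max_abnormal_cycles:
                self.fail_safe = True              # persistent abnormality: escalate to fail-safe
        else:
            self.abnormal_cycles = 0               # a single credible reading clears a transient spike
            accepted = raw
        self.prev = accepted
        return accepted


def run_cycles(guard: SensorGuard, samples: List[float]) -> List[float]:
    """Feed a trace of raw ADC readings through the guard, one reading per control cycle."""
    return [guard.step(s) for s in samples]


if __name__ == "__main__":
    # Constructed traces: a sensor stuck high that never recovers, and a single noise spike.
    stuck = SensorGuard(max_delta=5.0, max_abnormal_cycles=3)
    print(run_cycles(stuck, [10, 11, 12, 50, 55, 60, 65]), "fail-safe:", stuck.fail_safe)
    spike = SensorGuard(max_delta=5.0, max_abnormal_cycles=3)
    print(run_cycles(spike, [10, 11, 40, 12, 13]), "fail-safe:", spike.fail_safe)
```

The clamp keeps the controller fed with a bounded value during a transient, while the counter turns a persistent discrepancy into a latched fail-safe state; the caller is expected to read fail_safe and bring the system to its safe state.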
- Hardware In the Loop Simulation (HILS) aims to improve development efficiency by testing the vehicle-dependent parts at an early development stage and reducing rework.
- In HILS, the physical characteristics of the vehicle are designed as a plant model, the behavior of the actual machine is reproduced by simulating that model on a computer, and the computer and the ECU run in parallel with real-time data communication, so that the vehicle-dependent part of the ECU software can be tested even when no vehicle is available.
- In Patent Document 1, a plant model is made to fail at a timing set by the verifier, enabling a test of the safety functions of software running on a microcomputer.
- In Patent Document 1, the verifier individually sets the conditions for causing a failure; when a condition is satisfied, an abnormality is generated and the safety of the control system is inspected.
- However, abnormalities occur at various unexpected timings. If the verifier sets the failure-generating conditions individually, test patterns are very likely to be missed, so this approach is not suitable for exhaustively checking the safety of a control system.
- an object of the present invention is to provide a control system inspection apparatus capable of comprehensively inspecting the safety of a control system in various assumed situations.
- The present invention is a control system inspection apparatus for inspecting the safety of a control system, comprising a simulator that simulates a plant simulating the inspection target based on predetermined conditions and outputs the simulation result to the outside, and a model checking tool that, based on the simulation result, uses a verification model to generate information related to the state the plant can take next and outputs that information to the simulator, wherein the predetermined conditions of the simulation are set based on the information.
- FIG. 1: Configuration diagram of a control system inspection apparatus
- FIG. 2: Structure of the control system inspection apparatus and data flow
- FIG. 3: Example of safety conditions
- FIG. 4: Example of an execution path
- FIG. 5: Example of an inspection result displayed on the display device
- FIG. 6: Another example of an inspection result displayed on the display device
- FIG. 7: Operation flow of the control system inspection apparatus
- FIG. 8: Example of a control system verification model
- FIG. 9: Example of a plant model for the control system
- FIG. 10: Example of states that the control system can take
- The control system inspection apparatus updates the plant state at each time step of the simulation based on the input plant model, and judges the safety of the plant state against the input safety condition. If the state is judged safe, the sensor values of the plant are converted into a format that the input verification model can read, and the model checking tool is executed to verify the verification model with the converted sensor values as its initial values. After the model checking tool finishes, the control command values and the failure occurrence output by the verification model are converted into a format the simulator can read, the simulation is restarted, and the inspection continues until the elapsed time in the simulator satisfies the inspection condition. If the state is judged unsafe, the log executed so far is reported; if the inspection condition is satisfied and the process terminates, the system is reported as safe.
- FIG. 1 is a configuration diagram of a control system inspection apparatus 1 according to the present embodiment.
- The control system inspection apparatus 1 includes a computer 2, an input device 9 through which the inspector gives instructions to the computer 2, and a display device 10 for displaying the inspection result.
- the computer 2 includes an arithmetic device 3 such as a CPU, an external storage medium 4, a memory 7, and an input / output circuit 8.
- the external storage medium 4 stores a simulator 5 and a model checking tool 6.
- the input / output circuit 8 acquires information related to a command input from the input device 9 and provides information output to the display device 10.
- FIG. 2 is a block diagram showing a configuration of the control system inspection apparatus 1 and a data flow.
- An inspection condition 502, a plant model 503, a safety condition 505, and a verification model 601 are input from the input device 9 to the control system inspection apparatus 1 by a verifier.
- the inspection condition 502 is a condition for ending the inspection of the control system inspection apparatus 1, and is designated by a virtual time (for example, 10 minutes) that elapses in the simulation.
- the inspection condition 502 is not limited to this, and may be, for example, the number of simulations or a combination of time and number.
- The plant model 503 is a model expressing the physical characteristics of the controlled object, which change according to the input; it is used in model-based development with a simulator such as MATLAB (registered trademark) Simulink (registered trademark), and is generally described by polynomials.
- the verification model 601 is a model that simulates software or user operation for controlling hardware to be controlled.
- the verification model 601 is a software program described in a state transition notation, and is executed by a model checking tool such as SPIN.
- the first embodiment targets a model in which the verification model is directly written by state transition, but is not limited thereto.
- A model checking tool such as ESBMC (Efficient SMT-Based Context-Bounded Model Checker), which automatically converts input source code into a state transition model before verification, may also be used.
- the control system inspection device 1 includes a simulator 5 and a model inspection tool 6.
- the simulator 5 simulates a plant that simulates an inspection target based on a predetermined condition, and outputs a simulation result to the outside.
- The simulator 5 comprises an iterative execution unit 501, a plant execution unit 504, a safety confirmation unit 506, a model checking tool execution unit 508, and a simulation resumption unit 509. For convenience of explanation this embodiment has such a structure, but it is not limited thereto.
- the iterative execution unit 501 compares the input inspection condition with the time in the simulator, and determines whether or not the end condition is satisfied.
- the plant execution unit 504 simulates the plant based on a predetermined condition.
- the safety confirmation unit 506 determines whether or not the plant state after the simulation is safe.
- the model checking tool execution unit 508 converts the plant output output from the plant execution unit 504 into a format that can be identified by the model checking tool 6 and operates the model checking tool 6.
- the simulation restarting unit 509 converts the verification model output by the model checking tool 6 into a format that can be identified by the plant, and restarts the simulation.
- The plant simulates the inspection target; in this embodiment it simulates a vehicle as hardware comprising an actuator and a sensor used to operate the actuator. Furthermore, the plant of this embodiment includes not only the vehicle but also the shape of the road (straight or curve) on which the vehicle travels. In the simulator 5, the plant simulation result is specifically the detection value of a plant sensor. In this embodiment a plant in which a hardware abnormality has occurred and a plant in which none has occurred are both provided, and they can be switched by the output of the verification model.
- the model checking tool 6 generates information related to a state that can be taken next by the plant based on the simulation result (specifically, the state of the plant after the simulation is performed) by using the verification model. Output.
- the “information related to the state that can be taken by the plant” described above may be referred to as “state related information”. Further, such information is output in the form of a signal, and can be specified as “a signal related to a state that the plant can take next” or “a state-related signal”.
- The verification model generates a plurality of pieces of state-related information (that is, state-related information for the case in which an abnormality has occurred in the plant and state-related information for the case in which none has occurred).
- the state related information generated by the verification model of the present embodiment includes an actuator control command value determined based on the sensor value input from the simulator 5.
- Since the model checking tool 6 outputs the state-related information generated by the verification model, it is necessary to select which piece of state-related information is to be simulated in the next time step.
- the function of selecting this state related information is provided in the simulation resuming unit 509. Further, the control system inspection apparatus 1 manages which of the plurality of state related information is selected (that is, has been simulated) and which is not selected. When the series of simulations is completed, the control system inspection apparatus 1 performs a simulation based on state-related information that has not yet been selected.
- the management of the state related information may be performed by the simulation resuming unit 509, may be performed by a management block provided separately in the simulator 5, or may be performed by a management unit provided outside the simulator 5. It may be performed.
- FIG. 3 is an example of the safety condition 505.
- the safety condition 505 describes a threshold value for determining whether the control system to be inspected is safe.
- In the example of FIG. 3 the condition is written on the variable value1 (that it does not become 0), but the condition is not limited thereto.
- the safety condition 505 may be changed according to the plant and the verification model.
- The variable name is not limited to a plant output signal. For example, if the state-related information output by the model checking tool includes information related to safety, that information may be used to decide whether the system is safe, or the verification result of the model checking tool (valid or invalid) may be the condition for deciding whether the system is safe.
- FIG. 4 shows an example of the execution path 507.
- In the execution path 507, information from which the flow of execution of the inspected control system during the inspection can be grasped is recorded.
- The inspection number, the actuator control command value output from the verification model 601 and selected for each failure occurrence timing to be inspected, and the value selected from the failure occurrence presence/absence information are stored in time series.
- this embodiment stores such information, but the present invention is not limited to this.
- the notation method is not limited to this.
- FIG. 5 is an example when the inspection result when the safety condition 505 is satisfied is displayed on the display device 10.
- the display method may be different from that in FIG.
- the verification result is not limited to that displayed on the display device 10, and may be output in a file format without being displayed on the display device 10.
- FIG. 6 is an example when the inspection result when the safety condition 505 is not satisfied is displayed on the display device 10.
- the display method may be different from that in FIG.
- the verification result is not limited to that displayed on the display device 10, and may be output in a file format without being displayed on the display device 10.
- The contents of the execution path 507 are displayed on the display device 10, but the present invention is not limited to this; the contents may instead be output in a file format without being displayed.
- The output of the simulation result by the simulator 5, the generation and output of state-related information by the model checking tool 6, and the setting of the predetermined simulation conditions based on that state-related information are performed at every predetermined time step set in the simulator 5.
- The predetermined time step is the unit of execution time in the simulation and can be set by the verifier, for example to 1 ms or more. That is, in the control system inspection apparatus 1, once the simulator 5 has simulated one predetermined time step, the model checking tool 6 determines the state-related information for the next plant state from the simulation result, and the simulator 5 updates the simulation conditions for the next time step based on that state-related information and restarts the simulation.
- The control system inspection apparatus 1 has a function of synchronizing the time of the plant in the simulator 5 with that of the verification model in the model checking tool 6. And since the control system test
- FIG. 7 shows a flow when the inspector uses the control system inspection apparatus 1. Hereinafter, each step of FIG. 7 will be described.
- step S01 the verifier inputs the plant model 503, the verification model 601, the safety condition 505, and the inspection condition 502 to the control system inspection apparatus 1.
- step S02 the verifier executes the simulator.
- In step S03, the iterative execution unit 501 of the control system inspection apparatus 1 compares the input inspection condition with the time in the simulator and determines whether the end condition is satisfied. If it is, the process proceeds to S10; otherwise it proceeds to S04. Note that the time in the simulator advances by one unit time step (the granularity at which failure occurrence is verified) each time the iterative execution unit runs.
- the first embodiment compares the time with the simulator, but the present invention is not limited to this. For example, a new program may be created outside the simulator, and the end condition may be compared with that.
- In step S04, the plant execution unit 504 of the control system inspection apparatus 1 switches between the plant model simulating a failed plant and the plant model simulating a non-failed plant based on the failure occurrence information output from the verification model, and updates the state of the plant based on the selected plant model.
- In step S05, the safety confirmation unit 506 of the control system inspection apparatus 1 compares the safety condition 505 with the plant output information corresponding to the safety condition 505, or with the output information of the verification model, and determines whether an unsafe state has been reached. If so, the process moves to S10; otherwise it moves to S06.
- When an unsafe state is reached, the information stored includes a time from which the storage timing can be identified, the output of the plant at that time, the output value of the selected verification model, the number of simulations, and the like.
- Such information is stored as a log. However, it is not limited to this, as long as the change in the control system can be understood in time series when it is found to be unsafe.
- step S06 the model checking tool execution unit 508 of the control system checking device 1 converts the sensor value of the plant model 503 into a format that can be identified by the verification model 601, and executes the model checking tool.
- the simulator pauses until the end of execution of the model checking tool.
- a condition (property) for verifying the verification model may or may not be added to the model checking tool.
- the first embodiment adopts such a method, but is not limited thereto.
- In step S07, the verification model execution unit 602 of the control system inspection apparatus 1 verifies the input verification model 601 using the model checking tool 6.
- the verification model 601 simulating the control software outputs an actuator control command value, which is an output of the control software, and information on whether or not a failure has occurred in a state search process during execution of the model checking tool.
- the verification model 601 is designed to be nondeterministic with respect to the actuator control command value and the value of whether or not a failure has occurred.
- Nondeterminism is a property that the next state is not uniquely determined.
- nondeterminism may include, but is not limited to, the presence or absence of user operation or strength of operation force, the presence or absence of sensor noise, or the presence or absence of interruption of other control software.
- the first embodiment adopts such a method, but is not limited thereto.
- In step S08, after the execution of the model checking tool 6 has ended, the simulation resumption unit 509 of the control system inspection apparatus 1 extracts the actuator control command value and the failure occurrence information output by the model checking tool 6.
- The verification model is designed in advance so that its output values are written to the command prompt screen, and the simulator parses that screen output and extracts the corresponding information.
- The actuator control command value is an input signal of the plant model, and the failure occurrence information is used in S04 to switch between the failed and non-failed plant models.
- The first embodiment uses such a method, but is not limited thereto.
- A plurality of patterns of the actuator control command value and the failure occurrence information are output. One actuator control command value and one piece of failure occurrence information are selected from the plurality of patterns; the selection method is arbitrary.
- step S09 the iterative execution unit 501 of the control system inspection apparatus 1 advances the time in the simulation.
- In step S10, when arriving from S03, the iterative execution unit 501 of the control system inspection apparatus 1 reports that the safety condition is satisfied, as shown in FIG. 5. For example, “valid”, indicating that the safety condition is satisfied, is displayed on the display device 10.
- When arriving from S05, the control system inspection apparatus 1 reports that the safety condition is not satisfied, as shown in FIG. 6. The contents of the execution path 507 are also reported. For example, “invalid”, indicating that the safety condition is not satisfied, and the contents of the execution path 507 are displayed on the display device 10.
- The first embodiment adopts such a method, but is not limited thereto.
- step S11 the inspector confirms the notified inspection result. For example, the inspection result displayed on the display device 10 is confirmed.
- FIG. 8 shows an example of the verification model 601.
- the verification model 601 includes a verification model element A, a verification model element B, and a verification model element C.
- the verification model element A is a verification model element indicating a steering state.
- the “normal” state may transition to “normal” or “failure”.
- the verification model element A has a function of outputting the steering state to the outside of the model checking tool 6 in each state.
- the verification model element B is a verification model element indicating a control software mode.
- the control software transitions to a “high speed” state and a “low speed” state according to the current plant speed.
- When the steering has failed, the control software transitions to the “fail safe (FS)” state.
- In the “high speed” state the steering assist amount is small, and in the “low speed” state it is large. In the “FS” state, processing such as lighting an alarm that notifies the user of the steering failure and setting the steering assist amount to zero can be considered, but the processing is not limited to this.
- the verification model element B has a function of outputting the steering assist amount outside the model checking tool.
- The verification model element C is a verification model element indicating the accelerator amount resulting from the user's operation. From the “current value” state there may be a transition to the “current value” state, the “−1” state, the “+1” state, or the “+2” state.
- The “current value” state indicates an accelerator amount equal to the input value.
- The “−1” state indicates a decrease in the accelerator amount.
- The “+1” and “+2” states indicate an increase in the accelerator amount.
- the verification model element C has a function of outputting the accelerator amount outside the model checking tool 6.
- The user's accelerator pedal operation and the accelerator amount calculated by the control software from that operation are represented by a single verification model element, but this is not limitative.
- these models are generated every time the model verification tool 6 is executed, and the initial state is determined based on the input values.
- this embodiment does this, but the present invention is not limited to this.
- the verification model is described in the state transition notation as described above, but the present invention is not limited to this.
- the state transition may be written in text.
- the contents of the verification model are not limited to this. There may be one verification model or a plurality of verification models.
- the state-related information generated by the verification model 601 will be described with reference to the example of FIG. 8.
- When the steering is in the normal state there are 12 combinations of the four accelerator amount states and the three control software states, for example “steering: normal, accelerator amount: current value, control software: high speed” and “steering: normal, accelerator amount: −1, control software: high speed”.
- When the steering is in the failure state, the control software is normally in FS, so the number of combinations (that is, of pieces of state-related information) is smaller than when the steering is normal.
- FIG. 9 shows an example of the plant model 503.
- the plant model 503 includes a model simulating a car body and a road.
- The normal steering model or the failed steering model is selected according to the steering state chosen by the simulation resumption unit 509, and the state of the vehicle body is updated by actuator control based on the steering assist amount and the accelerator amount.
- The position of the vehicle body on the road is updated according to the distance traveled by the vehicle body.
- FIG. 10 is an image of the states that the control system can take; it shows how the state transitions with time in the simulation. For example, when the vehicle in the plant model is at “high speed” and the road is “straight” at time N, then at time N + 1 the vehicle may be at “high speed” on a “straight” road, or at “low speed” on a “straight” road, and, although omitted from FIG. 10, the road may also be a “curve”. Using such a control system inspection apparatus 1, it can be seen that a dangerous state results if the steering enters the “failure” state at time N + 3.
- According to the control system inspection apparatus 1, the safety of the control system can be inspected by combining simulation with a model checking tool, so the safety of the system can be checked comprehensively. Test pattern omissions that may occur when the verifier sets the failure timings by hand are therefore avoided. Moreover, whether software that has a safety function can keep the target system in a safe state when a hardware failure occurs can be confirmed easily.
- the non-determinism of the verification model is applied to the user's operation related to the calculation of the actuator control command value and the presence / absence of hardware failure, but this is not restrictive.
- the present invention may be applied to sensor noise.
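The inspection loop of FIG. 7, the verification model of FIG. 8, the plant of FIG. 9 and the state search of FIG. 10, brought together as an added Python example. This is not the patent's implementation: the plant constants, road profile, assist amounts and safety threshold are constructed assumptions, and the nondeterministic choices of the verification model are enumerated directly in Python rather than produced by an external model checker such as SPIN. It also carries out the generalization the text only describes in words: every piece of state-related information not yet selected is kept and simulated before the result is declared valid.

```python
"""Miniature control system inspection: simulator + exhaustive verification-model search.
Added example; constants, road profile and thresholds are assumptions, not the patent's values."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

CURVE_DRIFT = 1.0      # assumed plant constant: lateral drift per step on a curve with no effective steering
SAFE_LATERAL = 2.0     # assumed safety condition (FIG. 3 style): lateral offset must stay below this value
HIGH_SPEED = 3         # assumed: control software is in "high speed" mode at or above this speed
ASSIST = {"low speed": 1.0, "high speed": 0.5, "FS": 0.0}   # steering assist per software mode (FIG. 8, element B)
ACCEL_CHOICES = (0, -1, 1, 2)                                # accelerator states: current value, -1, +1, +2 (element C)


@dataclass(frozen=True)
class Plant:
    """Vehicle body state; 'steering' is the plant variant selected from the verification model output."""
    time: int = 0
    speed: int = 2
    position: int = 0
    lateral: float = 0.0
    steering: str = "normal"     # "normal" or "failure" (FIG. 8, element A)


def road_at(road: str, pos: int) -> str:
    """Road shape at a position, 'S' straight or 'C' curve (FIG. 9); the last segment continues forever."""
    return road[min(pos, len(road) - 1)]


def sensors(p: Plant, road: str) -> Dict[str, Any]:
    """Model checking tool execution unit (S06): plant outputs in the form the verification model reads."""
    return {"speed": p.speed, "lateral": p.lateral, "road": road_at(road, p.position), "steering": p.steering}


def verification_model(sens: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Verification model (S07): one entry of state-related information per nondeterministic choice.
    Element A: normal steering may stay normal or fail; a failure is permanent.
    Element B: the software mode follows the observed speed, or FS once a failure has been observed.
    Element C: the user's accelerator operation is nondeterministic."""
    if sens["steering"] == "failure":
        mode = "FS"
    else:
        mode = "high speed" if sens["speed"] >= HIGH_SPEED else "low speed"
    steering_choices = ("normal", "failure") if sens["steering"] == "normal" else ("failure",)
    return [{"steering": s, "mode": mode, "assist": ASSIST[mode], "accel": a}
            for s in steering_choices for a in ACCEL_CHOICES]


def plant_step(p: Plant, info: Dict[str, Any], road: str) -> Plant:
    """Simulation resumption and plant execution (S08, S04): switch to the normal or failed steering
    model as selected, then update the vehicle body and its position on the road."""
    speed = max(0, p.speed + info["accel"])
    drift = CURVE_DRIFT if road_at(road, p.position) == "C" else 0.0
    effective_assist = info["assist"] if info["steering"] == "normal" else 0.0   # failed steering ignores the command
    lateral = max(0.0, p.lateral + drift - effective_assist)
    return Plant(p.time + 1, speed, p.position + speed, lateral, info["steering"])


def is_safe(p: Plant) -> bool:
    """Safety confirmation unit (S05)."""
    return p.lateral < SAFE_LATERAL


def inspect(initial: Plant, road: str, end_time: int) -> Tuple[str, List[Dict[str, Any]], int]:
    """Iterative execution (S03 to S09). Every piece of state-related information that has not yet been
    selected is kept in 'pending' and simulated later, so all branches are covered before the result is
    'valid'. Returns ('valid', [], explored) or ('invalid', execution_path, explored), where explored
    counts the simulated transitions."""
    explored = 0
    pending: List[Tuple[Plant, List[Dict[str, Any]]]] = [(initial, [])]
    while pending:
        plant, path = pending.pop()
        if plant.time >= end_time:                 # S03: inspection condition reached on this branch
            continue
        for info in verification_model(sensors(plant, road)):
            explored += 1
            nxt = plant_step(plant, info, road)
            entry = {"time": nxt.time, **info, "speed": nxt.speed, "lateral": nxt.lateral,
                     "road": road_at(road, nxt.position)}        # execution path record (FIG. 4)
            if not is_safe(nxt):                   # S05 -> S10: report the path that led here (FIG. 6)
                return "invalid", path + [entry], explored
            pending.append((nxt, path + [entry]))
    return "valid", [], explored                   # S10: inspection condition met on every branch (FIG. 5)


if __name__ == "__main__":
    # Constructed road: three straight segments, six curve segments, then straight.
    verdict, path, explored = inspect(Plant(), "SSSCCCCCCSSS", end_time=5)
    print(verdict, "after", explored, "transitions")
    for step in path:
        print(step)
```

With the curved road the search stops at the first execution path that violates the safety condition and returns that path, which is the FIG. 6 case; with an all-straight road every branch is simulated up to the inspection time and the verdict is valid, the FIG. 5 case. The software mode is derived from the observed sensor values, so a failure chosen in one step is only reacted to (FS) in the next, which is the detection lag that makes the failure timing matter.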
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Testing And Monitoring For Control Systems (AREA)
Claims (12)
- 1. A control system inspection apparatus for inspecting the safety of a control system, comprising:
a simulator that simulates a plant simulating an inspection target based on predetermined conditions and outputs a simulation result to the outside; and
a model checking tool that generates, by means of a verification model, information related to a state that the plant can take next based on the simulation result, and outputs the information to the simulator,
wherein the predetermined conditions of the simulation are set based on the information.
- 2. The control system inspection apparatus according to claim 1, wherein the output of the simulation result by the simulator, the generation and output of the information by the model checking tool, and the setting of the predetermined conditions of the simulation based on the output information are performed at every predetermined time step set in the simulator.
- 3. The control system inspection apparatus according to claim 1, comprising a safety confirmation unit that determines the safety of the control system based on at least one of the state of the plant and the output information.
- 4. The control system inspection apparatus according to claim 1, comprising a verification model that reads the output information of the plant as input values from an external file other than the file in which the verification model is described.
- 5. The control system inspection apparatus according to claim 1, wherein the verification model generates a plurality of pieces of information that differ in whether or not an abnormal state has occurred in the plant.
- 6. The control system inspection apparatus according to claim 1, wherein the plant is hardware comprising an actuator and a sensor used to operate the actuator, and
the simulator outputs the detection value of the sensor to the model checking tool as the simulation result.
- 7. The control system inspection apparatus according to claim 1, wherein the plant is hardware comprising an actuator and a sensor used to operate the actuator, and
the verification model generates a plurality of pieces of information that differ in whether or not a failure state of the hardware exists, and outputs them to the simulator.
- 8. The control system inspection apparatus according to claim 7, wherein the information output from the model checking tool includes an actuator control command value determined based on the sensor value input from the simulator.
- 9. The control system inspection apparatus according to claim 1, wherein the verification model is described in a notation indicating state transitions.
- 10. The control system inspection apparatus according to claim 1, comprising an information selection unit that, when a plurality of pieces of information related to different states the plant can take next are output from the model checking tool, selects the information to be used in the next simulation from the plurality of output pieces of information.
- 11. The control system inspection apparatus according to claim 1, comprising a model checking tool execution unit that converts the output of the plant into a format identifiable by the model checking tool and operates the model checking tool, and
a simulation resumption unit that converts the information output by the model checking tool into a format identifiable by the plant and resumes the simulation.
- 12. The control system inspection apparatus according to claim 11, wherein at least one of the pieces of data converted into the identifiable format is saved in an external file.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2013/062320 WO2014174656A1 (ja) | 2013-04-26 | 2013-04-26 | Control system inspection apparatus |
DE112013006981.4T DE112013006981T5 (de) | 2013-04-26 | 2013-04-26 | Control system test device |
EP13882710.0A EP2990899A4 (en) | 2013-04-26 | 2013-04-26 | CONTROL SYSTEM INSPECTION DEVICE |
JP2015513451A JP6139670B2 (ja) | 2013-04-26 | 2013-04-26 | Control system inspection apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2013/062320 WO2014174656A1 (ja) | 2013-04-26 | 2013-04-26 | Control system inspection apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014174656A1 true WO2014174656A1 (ja) | 2014-10-30 |
Family
ID=51791262
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2013/062320 WO2014174656A1 (ja) | Control system inspection apparatus | 2013-04-26 | 2013-04-26 |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP2990899A4 (ja) |
JP (1) | JP6139670B2 (ja) |
DE (1) | DE112013006981T5 (ja) |
WO (1) | WO2014174656A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016212834A (ja) * | 2015-03-20 | 2016-12-15 | The Boeing Company | Programmable actuator simulation card |
WO2020183609A1 (ja) * | 2019-03-12 | 2020-09-17 | Mitsubishi Electric Corporation | Mobile body control device and mobile body control method |
US11347918B2 (en) * | 2018-11-01 | 2022-05-31 | Mitsubishi Heavy Industries Engineering, Ltd. | Validation processing device, validation processing method, and program |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP7038554B2 (ja) | 2018-01-17 | 2022-03-18 | Mitsubishi Heavy Industries Engineering, Ltd. | Verification processing device, logic generation device and verification processing method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10214112A (ja) * | 1997-01-29 | 1998-08-11 | Hitachi Ltd | Thermal power plant simulator |
JP2009157669A (ja) * | 2007-12-27 | 2009-07-16 | Hitachi Ltd | Plant simulator and plant simulation method |
JP2011161947A (ja) | 2010-02-04 | 2011-08-25 | Suzuki Motor Corp | Automatic inspection system for electronic controller |
JP2012037788A (ja) * | 2010-08-10 | 2012-02-23 | Mitsubishi Chemical Engineering Corp | Hazard prediction training device and method |
2013
- 2013-04-26 DE DE112013006981.4T patent/DE112013006981T5/de not_active Withdrawn
- 2013-04-26 WO PCT/JP2013/062320 patent/WO2014174656A1/ja active Application Filing
- 2013-04-26 EP EP13882710.0A patent/EP2990899A4/en not_active Withdrawn
- 2013-04-26 JP JP2015513451A patent/JP6139670B2/ja active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10214112A (ja) * | 1997-01-29 | 1998-08-11 | Hitachi Ltd | Thermal power plant simulator |
JP2009157669A (ja) * | 2007-12-27 | 2009-07-16 | Hitachi Ltd | Plant simulator and plant simulation method |
JP2011161947A (ja) | 2010-02-04 | 2011-08-25 | Suzuki Motor Corp | Automatic inspection system for electronic controllers |
JP2012037788A (ja) * | 2010-08-10 | 2012-02-23 | Mitsubishi Chemical Engineering Corp | Hazard prediction training apparatus and method |
Non-Patent Citations (1)
Title |
---|
See also references of EP2990899A4 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016212834A (ja) * | 2015-03-20 | 2016-12-15 | The Boeing Company | Programmable actuator simulation card |
JP7007790B2 (ja) | 2015-03-20 | 2022-01-25 | The Boeing Company | Programmable actuator simulation card |
US11347918B2 (en) * | 2018-11-01 | 2022-05-31 | Mitsubishi Heavy Industries Engineering, Ltd. | Validation processing device, validation processing method, and program |
WO2020183609A1 (ja) * | 2019-03-12 | 2020-09-17 | Mitsubishi Electric Corporation | Mobile body control device and mobile body control method |
JPWO2020183609A1 (ja) * | 2019-03-12 | 2021-09-13 | Mitsubishi Electric Corporation | Mobile body control device and mobile body control method |
CN113519018A (zh) * | 2019-03-12 | 2021-10-19 | Mitsubishi Electric Corporation | Mobile body control device and mobile body control method |
JP7046262B2 (ja) | 2019-03-12 | 2022-04-01 | Mitsubishi Electric Corporation | Mobile body control device and mobile body control method |
CN113519018B (zh) * | 2019-03-12 | 2023-01-03 | Mitsubishi Electric Corporation | Mobile body control device and mobile body control method |
Also Published As
Publication number | Publication date |
---|---|
DE112013006981T5 (de) | 2016-04-07 |
EP2990899A1 (en) | 2016-03-02 |
JPWO2014174656A1 (ja) | 2017-02-23 |
JP6139670B2 (ja) | 2017-05-31 |
EP2990899A4 (en) | 2016-10-05 |
Similar Documents
Publication | Title |
---|---|
US9058419B2 (en) | System and method for verifying the integrity of a safety-critical vehicle control system |
JP6139670B2 (ja) | Control system inspection apparatus |
JP2014203314A (ja) | ECU simulation device |
Rana et al. | Increasing efficiency of ISO 26262 verification and validation by combining fault injection and mutation testing with model based development |
JP5937209B2 (ja) | Failure effect evaluation system and evaluation method |
Buehler et al. | Evolutionary functional testing of an automated parking system |
US20120101791A1 (en) | Controlling simulation systems |
EP2113087B1 (en) | System and computer program product for testing a logic circuit |
TW201911088A (zh) | Method for simulating the safety circuit of an electronic device |
Rana et al. | Improving fault injection in automotive model based development using fault bypass modeling |
JP2018081400A (ja) | Arithmetic device and virtual development environment device |
Teige | Universal pattern: Formalization, testing, coverage, verification, and test case generation for safety-critical requirements |
Wotawa et al. | Quality assurance methodologies for automated driving |
JP2009294846A (ja) | Test case generation device, test case generation program, and test case generation method |
Abdulkhaleq et al. | A software safety verification method based on system-theoretic process analysis |
JP2013077048A (ja) | Computer with self-diagnostic function, software creation method, and software creation device |
CN102902852B (zh) | Automatic generation system and method for an automotive ECU diagnostic software model |
CN109753415B (zh) | Processor verification system and processor verification method based on the processor verification system |
JP2016031622A (ja) | Software verification system and control device |
Fritzsch et al. | Experiences from Large-Scale Model Checking: Verifying a Vehicle Control System with NuSMV |
JP2015123748A (ja) | Inspection system |
Ishigooka et al. | Practical use of formal verification for safety critical cyber-physical systems: A case study |
CN111044826B (zh) | Detection method and detection system |
Popovici et al. | Formal model and code verification in Model-Based Design |
KR101856065B1 (ko) | OBD test apparatus and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13882710 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2015513451 Country of ref document: JP Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 1120130069814 Country of ref document: DE Ref document number: 112013006981 Country of ref document: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2013882710 Country of ref document: EP |