WO2023282024A1 - System design support device, system design support method, and system design support system - Google Patents


Info

Publication number
WO2023282024A1
WO2023282024A1 (application PCT/JP2022/024268)
Authority
WO
WIPO (PCT)
Prior art keywords
probability
information
data flow
hardware
data
Application number
PCT/JP2022/024268
Other languages
French (fr)
Japanese (ja)
Inventor
剛 畠山
Original Assignee
三菱電機株式会社
Application filed by 三菱電機株式会社 (Mitsubishi Electric Corporation)
Priority to JP2023533504A / JP7483143B2
Publication of WO2023282024A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/20 Software design

Definitions

  • the present disclosure relates to a system design support device, a system design support method, and a system design support system.
  • the methods of coping with abnormalities caused by the above events can be categorized into two types, and either or both of them are used in system development.
  • One of the two coping methods is to raise the reliability of the S/W execution environment, that is, of the H/W side, as far as possible. This allows the S/W design to leave some anomalies that may occur on the H/W side out of consideration.
  • the other is a coping method that handles H/W anomalies in S/W logic, on the assumption that anomalous behavior may occur on the H/W side with a certain probability.
  • Patent Documents 1 to 5 propose, as anomaly detection methods for H/W (in particular semiconductor devices), techniques for detecting defects efficiently within a realistic verification cost and for evaluating the reliability of the H/W by calculating how many defects remain undetected.
  • the techniques of Patent Documents 1 to 5 correspond to the first of the two methods above, improving the reliability of the H/W.
  • Patent Document 6 proposes a technique that, based on a hierarchical structure whose components are S/W and H/W, supports the detection of vulnerabilities related to anomalies by simulating an anomaly occurring in one of the components of the system.
  • the technique of Patent Document 6 corresponds to the second of the two coping methods above, handling an H/W anomaly with S/W logic.
  • the above two coping methods share two issues. One is that no coping method can compensate for every anomaly (e.g., soft errors) with 100% accuracy. The other is that every coping method is specialized for anomalies that occur at specific locations, timings, and frequencies within the system.
  • suppose control instructions A and B are represented as the data 0x01 (bit string 0000 0001) and 0x03 (bit string 0000 0011), respectively. If 0x01 is accidentally turned into 0x03 by a single garbled bit, the result is still a valid control instruction as data, so the corruption cannot be detected from the data itself.
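As an added illustration (not part of the patent text), the following Python checks an instruction encoding for exactly this failure mode: it lists every single-bit flip that maps one valid code onto another valid code, and contrasts the page's 0x01/0x03 encoding with a constructed alternative that appends an even-parity bit. Both code tables, the parity scheme and the 8-bit width are assumptions for the example.

```python
# Added example (not from the patent): which single-bit flips turn one valid
# instruction code into another valid one, and therefore pass as "correct data".
from itertools import combinations
from typing import Dict, List, Tuple


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def min_distance(codes: Dict[str, int]) -> int:
    """Smallest Hamming distance between any two distinct codes of the encoding.
    A single garbled bit can be detected only if this is at least 2."""
    return min(hamming(x, y) for x, y in combinations(codes.values(), 2))


def undetectable_single_flips(codes: Dict[str, int], width: int = 8) -> List[Tuple[str, int, str]]:
    """Return (instruction, flipped bit, instruction it silently becomes) for every
    single-bit flip that lands on another valid code of the encoding."""
    by_value = {v: k for k, v in codes.items()}
    hits = []
    for name, value in codes.items():
        for bit in range(width):
            flipped = value ^ (1 << bit)
            if flipped != value and flipped in by_value:
                hits.append((name, bit, by_value[flipped]))
    return hits


def with_even_parity(codes: Dict[str, int]) -> Dict[str, int]:
    """Constructed alternative encoding: set bit 7 so every valid code has an even
    number of one bits; any single flip then breaks parity and is detectable."""
    return {k: (v | 0x80) if bin(v).count("1") % 2 else v for k, v in codes.items()}


# Constructed encoding matching the page's illustration: A = 0x01, B = 0x03.
DENSE_CODES = {"A": 0x01, "B": 0x03}
PARITY_CODES = with_even_parity(DENSE_CODES)   # A becomes 0x81, B stays 0x03

if __name__ == "__main__":
    print("dense :", min_distance(DENSE_CODES), undetectable_single_flips(DENSE_CODES))
    print("parity:", min_distance(PARITY_CODES), undetectable_single_flips(PARITY_CODES))
```

With the dense encoding the minimum distance is 1 and flipping bit 1 converts A into B (and back) unnoticed; with the parity bit the minimum distance is 2, so a single garbled bit is detected, while two garbled bits could still produce a valid code, which is the page's point that no single coping method is 100% effective.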
  • the present disclosure has been made in view of the problems described above, and aims to provide a technology that can quantitatively evaluate the reliability or robustness of a system.
  • a system design support device includes an acquisition unit that acquires system configuration information indicating the hierarchy of the hardware included in a system and of the software executed by the hardware, data flow information indicating the flow of data in at least part of the system, and probability information indicating the probability of occurrence of a data anomaly in the hardware; and a calculation unit that calculates, as a partial anomaly occurrence probability, the anomaly occurrence probability of data in each of the hardware and the software.
  • that is, the data anomaly occurrence probability in each of the hardware and software included in at least a part of the system is calculated as the partial anomaly occurrence probability.
  • Brief description of the drawings (figure numbers as used in the detailed description below): FIG. 1 is a block diagram showing the configuration of a system design support device according to Embodiment 1; FIG. 2 shows an example of coping method information; FIG. 3 shows an example of system configuration information; FIG. 4 shows an example of data flow information; FIG. 5 shows an example of H/W anomaly probability information; FIG. 6 is a flowchart showing the operation of the design input unit; FIG. 7 is a flowchart showing the operation of the hierarchy and component identification unit; FIG. 8 shows an example of hierarchy and component information; FIG. 9 shows an example of hierarchical dependency information; FIG. 10 is a flowchart showing the operation of the hierarchy and component decomposition unit; FIG. 11 shows an example of decomposed data flow information; FIG. 12 is a flowchart showing the operation of the contamination probability calculation unit; FIGS. 13 and 14 illustrate operation examples of the contamination probability calculation unit; FIG. 15 is a block diagram showing the configuration of a system design support device according to Embodiment 2; FIG. 16 is a flowchart showing the operation of the coping method learning unit; FIG. 17 shows system configuration information, FIG. 18 decomposed data flow information, and FIG. 19 coping method information according to Embodiment 2; FIG. 20 is a flowchart showing the operation of the coping method proposing unit; two further block diagrams (figure numbers lost in extraction) show hardware configurations of the system design support device according to modifications.
  • FIG. 1 is a block diagram showing the configuration of system design support apparatus 100 according to the first embodiment.
  • the system design support device 100 in FIG. 1 comprises the components within the dashed lines in FIG. 1. Specifically, the system design support device 100 includes a design input unit 101 as an acquisition unit, a calculation unit 121, and a contamination probability display unit 109 as an output unit.
  • the calculation unit 121 includes a hierarchy and parts identification unit 102 , a hierarchy and parts disassembly unit 105 , and a contamination probability calculation unit 107 .
  • the design input unit 101 acquires system configuration information 111, data flow information 112, and H/W anomaly probability information 113 (the probability information). Based on these three, the calculation unit 121 calculates the data anomaly occurrence probability in each of the hardware and software included in at least a part of the system under evaluation as the partial anomaly occurrence probability. In Embodiment 1, the design input unit 101 further acquires coping method information 110, and the calculation unit 121 corrects the partial anomaly occurrence probability of a specific portion based on the coping method information 110.
  • based on the partial anomaly occurrence probabilities, the calculation unit 121 calculates the data anomaly probability of the entire hardware and software included in that part of the system as the overall anomaly occurrence probability.
  • the system design support device 100 displays contamination probability information 108, which includes at least one of the partial anomaly occurrence probability and the overall anomaly occurrence probability, on the contamination probability display unit 109 as a quantitative evaluation of the reliability or robustness of the system under evaluation. That is, the contamination probability display unit 109 displays and outputs information based on the partial anomaly occurrence probability.
  • the system design support device 100 supports the system design of the user 114 by performing such display.
  • the contamination probability display unit 109 may be provided separately from the system design support device 100 .
  • the system design support device 100 will be described in detail. First, the coping method information 110, the system configuration information 111, the data flow information 112, and the H/W failure probability information 113 acquired by the design input unit 101 will be described.
  • FIG. 2 is a diagram showing an example of the coping method information 110.
  • the coping method information 110 includes the type of each coping method for anomalies and the success rate (hereinafter also called the compensation success probability) with which that coping method compensates for a data anomaly occurring in a specific part of the system under evaluation.
  • that specific part of the system, for example a computer, at least one of a LAN (Local Area Network) cable and a network switch, and another computer, is set as the application pattern of the coping method.
  • the application pattern is used for the pattern matching described later.
  • the upper limit of the compensation success probability is 1, which means that the closer the compensation success probability is to 1, the higher the possibility that the abnormality will be compensated.
  • coping method 1, coping method 2, . . . may be set in the order applied to the data flow when the system actually operates.
  • FIG. 3 is a diagram showing an example of the system configuration information 111.
  • the system configuration information 111 is information indicating the configuration of the system to be evaluated.
  • the system configuration information 111 indicates the hierarchy and linkage between the hardware included in the system to be evaluated and the software executed by the hardware.
  • Hierarchy means a dependency in which the operation of one component depends on the state of another.
  • Cooperation means a relationship in which data can be passed directly, and may include relationships other than dependency (for example, parallel relationships). Cooperation is also referred to as connection, and the hardware and software included in the system are also referred to as components.
  • one network switch E202 is physically connected to three devices (devices E211, E221, E231) via three LAN cables (LAN cables E241, E242, E243).
  • the device E211 includes a first computer E212 and, as its S/W hierarchical structure, an OS (Operating System) E213, M/W (middleware) E214, a first application E216, and a second application E215.
  • the devices E221 and E231 are configured similarly to the device E211. That is, the device E221 includes a second computer E222 and, as its S/W hierarchical structure, an OS E223, M/W E224, a third application E226, and a fourth application E225.
  • the device E231 includes a third computer E232 and, as its S/W hierarchical structure, an OS E233, M/W E234, a fifth application E236, and a sixth application E235.
  • the system configuration information 111 shows the hierarchy and cooperation of hardware and software by block diagrams, but is not limited to this.
  • the system configuration information 111 may indicate the hierarchy and linkage of hardware and software using a table, for example.
  • FIG. 4 is a diagram showing an example of the data flow information 112.
  • data flow information 112 indicates the flow of data through at least a portion of the system under evaluation.
  • data flow 1 in FIG. 4 indicates that data flows through the first application, the second application, the M/W, . . . , the M/W, and the fourth application, in this order.
  • data flow 2 in FIG. 4 shows data flowing through substantially all of the system of FIG. 3.
  • FIG. 5 is a diagram showing an example of the H/W abnormality probability information 113.
  • the H/W anomaly probability information 113 indicates an anomaly occurrence probability of data in hardware.
  • the probability of occurrence of data failure in hardware includes the probability of data corruption in hardware and the probability of data loss in hardware, but is not limited to these.
  • the probability of garbled bits may be defined in various ways, such as x cases per year or x cases per number of transactions; the type of definition is not particularly limited.
  • FIG. 6 is a flow chart showing the operation of the design input unit 101. As shown in FIG.
  • in step S1, the design input unit 101 accepts the input of coping method information 110, system configuration information 111, data flow information 112, and H/W anomaly probability information 113.
  • in step S2, the design input unit 101 classifies and distributes the various pieces of design information: the coping method information 110 and the H/W anomaly probability information 113 are supplied to the contamination probability calculation unit 107, the system configuration information 111 to the hierarchy and component identification unit 102, and the data flow information 112 to the hierarchy and component decomposition unit 105.
  • the input method, the transfer method, and the data format of the signals received by the design input unit 101 are not particularly limited.
  • FIG. 7 is a flow chart showing the operation of the hierarchy and component identification unit 102. As shown in FIG.
  • in step S11, the hierarchy and component identification unit 102 receives the system configuration information 111 from the design input unit 101.
  • in step S12, the hierarchy and component identification unit 102 extracts the linkages between the hierarchical structures and the component configurations from the system configuration information 111 and generates hierarchy and component information 103.
  • FIG. 8 is a diagram showing an example of the hierarchy and component information 103 regarding the cooperation of the device E211, derived from the system configuration information 111 (see FIG. 3). For example, since the first computer E212 in FIG. 3 has a direct connection relationship only with the OS E213 and the LAN cable E241, only those connections are marked (circled) for it in FIG. 8.
  • in the same way, the hierarchy and component identification unit 102 extracts the hierarchy and component information 103 for the other components in FIG. 3.
  • the first application E216 and the second application E215 can cooperate only via the M/W E214.
  • to indicate this, a gap is provided between these components in FIG. 3; alternatively, information indicating it may be included separately in the system configuration information 111, or a mechanism that indicates it separately may be provided.
  • in step S13 of FIG. 7, the hierarchy and component identification unit 102 extracts from the system configuration information 111 the dependencies of the hierarchical structure of the H/W and of the S/W operating on it, in units of component configuration, and generates them as hierarchical dependency information 104.
  • FIG. 9 is a diagram showing an example of hierarchical dependency information 104 generated from system configuration information 111 (see FIG. 3).
  • it shows that the operations of the OS E213, the M/W E214, the first application E216, and the second application E215 depend on the state of the first computer E212, whereas the operation of the first computer E212 does not depend on the state of the OS E213 and so on.
  • the first application E216 and the second application E215 are in a parallel relationship within the application layer, not in a dependency relationship.
  • FIG. 9 also shows that the system of FIG. 3 consists of four layers: computer, OS, M/W, and application. The specific data format of the hierarchy and component information 103 and of the hierarchical dependency information 104 does not matter as long as they include such dependency relationships and component configurations.
  • FIG. 10 is a flow chart showing the operation of the layer and component decomposition unit 105. As shown in FIG.
  • the hierarchy and component decomposition unit 105 receives the data flow information 112 from the design input unit 101 and the hierarchy and component information 103 from the hierarchy and component identification unit 102.
  • in step S22, the hierarchy and component decomposition unit 105 interprets how the data flow indicated by the data flow information 112 is realized by the linkage of the hierarchy and components indicated by the hierarchy and component information 103. Based on that interpretation, it assigns the identification information from the hierarchy and component information 103 to the components appearing in the data flow, and supplements the data flow with components of the hierarchy and component information 103 where appropriate. The result is generated as decomposed data flow information 106.
  • FIG. 11 is a diagram showing an example of the decomposed data flow information 106 generated from data flow 1 of the data flow information 112 (see FIG. 4) and the hierarchy and component information 103 (see FIG. 8).
  • for example, the hierarchy and component decomposition unit 105 converts the portion "first application -> second application" of data flow 1 in FIG. 4 into "E216: first application -> E215: second application" in FIG. 11. Likewise, it supplements the portion "first computer -> network switch" of data flow 1 with "E212: first computer -> E241: LAN cable -> E202: network switch" in FIG. 11.
  • the hierarchy and component decomposition unit 105 generates the decomposed data flow information 106 of FIG. 11 by applying the above conversion to all of data flow 1 and data flow 2 of the data flow information 112 in FIG. 4. Supplementing the data flow is not essential; for example, the data flow information 112 may be set in advance so that the hierarchy and component decomposition unit 105 does not perform supplementation.
  • FIG. 12 is a flowchart showing the operation of the contamination probability calculation unit 107. As shown in FIG.
  • in step S31, the contamination probability calculation unit 107 receives the hierarchical dependency information 104 from the hierarchy and component identification unit 102, the decomposed data flow information 106 from the hierarchy and component decomposition unit 105, and the H/W anomaly probability information 113 from the design input unit 101.
  • in step S32, the contamination probability calculation unit 107 calculates the data anomaly occurrence probability of each layer and each component as the partial anomaly occurrence probability, based on the hierarchical dependency information 104 and the H/W anomaly probability information 113.
  • FIG. 13 is a diagram for explaining an operation example of the contamination probability calculation unit 107.
  • the contamination probability calculation unit 107 reads the four layers computer, OS, M/W, and application, with the computer as the base, from the hierarchical dependency information 104 (see FIG. 9). It also reads 1% as the 1-bit garble probability of the first computer, which is H/W, from the H/W anomaly probability information 113 (see FIG. 5).
  • it is assumed that the data is garbled in one of the above four layers.
  • FIG. 13 shows, as an example, that the data used in each layer is the 4-bit data "1010".
  • the contamination probability calculation unit 107 therefore divides the 1% into four equal parts and obtains 0.25% as the garbled-bit probability of each layer. Further, assuming that the garbled-bit probabilities of the first application E216 and the second application E215, which are in a parallel relationship, are approximately equal, it divides that 0.25% into two equal parts and obtains 0.125% for each application. In the same manner, the contamination probability calculation unit 107 also calculates the partial anomaly occurrence probability of the data in each layer and each component for the other anomalies included in the H/W anomaly probability information 113, such as bit loss.
  • step S33 of FIG. 12 the contamination probability calculation unit 107 associates each layer and each part included in the disassembled data flow information 106 with the partial failure occurrence probability of each layer and each part calculated in step S32.
  • FIG. 14 is a diagram for explaining an operation example of the contamination probability calculation unit 107 in steps S33 to S36 of FIG.
  • Column C801 in FIG. 14 shows data flow 1 of the disassembled data flow information 106 in FIG. 11, and column C802 in FIG. 14 shows the partial failure occurrence probability in FIG.
  • Column C801 and column C802 are linked by linking in step S33.
  • in step S34, the contamination probability calculation unit 107 performs processing for accepting the coping method information 110 corresponding to the system, and determines whether coping method information 110 has been received from the design input unit 101. If it has been received, the process proceeds to step S35; if not, the process proceeds to step S36.
  • in step S35, the contamination probability calculation unit 107 reads each coping method of the coping method information 110 and searches, by pattern matching, for the part of the data flow in the decomposed data flow information 106 that corresponds to the coping method's application pattern. For example, searching the data flow in column C801 of FIG. 14 for the application pattern of coping method 1 in FIG. 2 retrieves the section from E212: first computer to E222: second computer.
  • in this way, the contamination probability calculation unit 107 searches by pattern matching for the part of the data flow in the decomposed data flow information 106 that corresponds to the application pattern of each coping method, and stores its position.
  • in columns C803 and C805 of FIG. 14, the parts corresponding to the application patterns of coping methods 1 and 2 of FIG. 2 are marked with the respective compensation success probabilities.
  • in step S36, the contamination probability calculation unit 107 calculates, based on the partial anomaly occurrence probabilities of the data flow of the system under evaluation, the data anomaly occurrence probability of the entire hardware and software included in the data flow as the overall anomaly occurrence probability.
  • the overall anomaly occurrence probability is the probability that one or more data anomalies occur in the entire hardware and software from the start point to the end point of the data flow.
  • first, the contamination probability calculation unit 107 calculates the overall anomaly occurrence probability without any coping method from the partial anomaly occurrence probabilities in column C802. As a specific example, it evaluates {1 - (1 - 0.125%) × (1 - 0.125%) × (1 - 0.250%) × ... × (1 - 0.125%)} × 100 over all entries of column C802 and obtains an overall anomaly occurrence probability of 21.301%.
  • next, the contamination probability calculation unit 107 corrects the partial anomaly occurrence probabilities of the application pattern of coping method 1 in column C802 using the compensation success probability in column C803.
  • specifically, it evaluates {1 - (1 - 0.250%) × (1 - 10.000%) × (1 - 1.000%) × (1 - 10.000%) × (1 - 0.250%)} × (1 - 90.000%) × 100, that is, the probability that an anomaly occurs somewhere within the application pattern multiplied by the probability that coping method 1 fails to compensate it, and obtains 2.021% as the corrected partial anomaly occurrence probability of the application pattern, as shown in column C804.
  • the partial anomaly occurrence probability corrected in this way is the probability that an anomaly remains even though coping method 1 is applied; here that residual probability is 2.021%.
  • for layers and components that do not belong to the application pattern of coping method 1, column C804 shows the same partial anomaly occurrence probabilities as column C802.
  • the contamination probability calculation unit 107 then calculates the overall anomaly occurrence probability with coping method 1 applied from the partial anomaly occurrence probabilities in column C804. Specifically, by performing the same calculation on column C804 as on column C802, it obtains an overall anomaly occurrence probability of 3.360%.
  • the contamination probability calculation unit 107 calculates column C806 from columns C802 and C805 in the same manner as column C804 was calculated from columns C802 and C803.
  • the contamination probability calculation unit 107 then calculates the overall anomaly occurrence probability with coping method 2 applied from the partial anomaly occurrence probabilities in column C806. Specifically, by performing the same calculation on column C806 as on column C802, it obtains an overall anomaly occurrence probability of 1.743%.
  • R801 in FIG. 14 shows the overall anomaly occurrence probability with no coping method applied, with coping method 1 applied, and with coping method 2 applied.
  • the operations of steps S31 to S36 in FIG. 12 described above are performed for all of the anomaly occurrence probabilities in the H/W anomaly probability information 113 (see FIG. 5) and for all data flows in the decomposed data flow information 106 (see FIG. 11).
  • the contamination probability calculation unit 107 generates contamination probability information 108 including at least one of a partial failure probability and a total failure probability for all failure occurrence probabilities and all data flows.
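The allocation of step S32 (1% per computer split over four layers and then over the two parallel applications) and the pattern matching, correction and overall-probability calculation of steps S33 to S36 can be reproduced in a few lines. The following Python is an added worked example, not code from the patent: the layer split follows FIG. 13, the decomposed data flow and the 90% compensation success probability of coping method 1 follow the description of FIG. 14, and the 10% for each LAN cable and 1% for the network switch are read off the column C802 formula quoted above (the mapping of those two values to cable and switch is an assumption). Anomalies in different components are treated as independent, which is what the product formula implies.

```python
# Added worked example (not the patent's code): partial/overall anomaly probability
# calculation of steps S32 to S36 for data flow 1, with the values of FIGS. 13 and 14.
from typing import Dict, List, Optional, Tuple

Component = Tuple[str, str, float]   # (identifier, name, partial anomaly probability)


def allocate_partial_probs(hw_prob: float, layers: List[str],
                           parallel: Dict[str, int]) -> Dict[Tuple[str, int], float]:
    """Step S32: split a device's anomaly probability equally over its layers, then
    equally over the parallel components of a layer (FIG. 13: 1% -> 0.25% -> 0.125%)."""
    per_layer = hw_prob / len(layers)
    return {(layer, i): per_layer / parallel.get(layer, 1)
            for layer in layers for i in range(parallel.get(layer, 1))}


def overall_prob(partials: List[float]) -> float:
    """Probability that one or more anomalies occur along a flow, treating the
    per-component anomalies as independent: 1 - prod(1 - p_i)."""
    p_clean = 1.0
    for p in partials:
        p_clean *= 1.0 - p
    return 1.0 - p_clean


def find_pattern(flow: List[Component], pattern: List[str]) -> Optional[Tuple[int, int]]:
    """Step S35: locate a coping method's application pattern as a contiguous run of
    component names in the decomposed data flow. Returns (start, end) or None."""
    names = [name for _, name, _ in flow]
    for start in range(len(names) - len(pattern) + 1):
        if names[start:start + len(pattern)] == pattern:
            return start, start + len(pattern)
    return None


def apply_coping(flow: List[Component], pattern: List[str],
                 success: float) -> Tuple[List[Component], Optional[float]]:
    """Correct the matched pattern by the compensation success probability: the
    residual P(an anomaly occurs inside the pattern) * (1 - success) replaces the
    pattern's components as a single term (column C804 of FIG. 14)."""
    span = find_pattern(flow, pattern)
    if span is None:
        return list(flow), None          # pattern absent: nothing to correct
    start, end = span
    residual = overall_prob([p for _, _, p in flow[start:end]]) * (1.0 - success)
    merged: Component = ("pattern", " -> ".join(pattern), residual)
    return flow[:start] + [merged] + flow[end:], residual


# Constructed inputs. Layer split from FIGS. 9 and 13; LAN cable 10% and network
# switch 1% are read off the column C802 formula in the description (assumed mapping).
LAYERS = ["computer", "OS", "M/W", "application"]
_parts = allocate_partial_probs(0.01, LAYERS, {"application": 2})
APP = _parts[("application", 0)]   # 0.125%
LAYER = _parts[("OS", 0)]          # 0.250%
LAN, SWITCH = 0.10, 0.01

DATA_FLOW_1: List[Component] = [
    ("E216", "first application", APP), ("E215", "second application", APP),
    ("E214", "M/W", LAYER), ("E213", "OS", LAYER), ("E212", "first computer", LAYER),
    ("E241", "LAN cable", LAN), ("E202", "network switch", SWITCH), ("E242", "LAN cable", LAN),
    ("E222", "second computer", LAYER), ("E223", "OS", LAYER), ("E224", "M/W", LAYER),
    ("E225", "fourth application", APP),
]
COPING_1_PATTERN = ["first computer", "LAN cable", "network switch", "LAN cable", "second computer"]
COPING_1_SUCCESS = 0.90   # compensation success probability of coping method 1 (column C803)


def evaluate(flow: List[Component] = DATA_FLOW_1) -> Dict[str, float]:
    """Overall anomaly occurrence probability (percent) without and with coping method 1,
    plus the residual probability assigned to the corrected application pattern."""
    corrected, residual = apply_coping(flow, COPING_1_PATTERN, COPING_1_SUCCESS)
    return {
        "no_coping": 100 * overall_prob([p for _, _, p in flow]),
        "pattern_residual": 100 * (residual if residual is not None else 0.0),
        "coping_1": 100 * overall_prob([p for _, _, p in corrected]),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value:.3f}%")
```

Run as a script it reproduces the three figures of the description for data flow 1: 21.301% with no coping method, 2.021% residual for the corrected pattern, and 3.360% with coping method 1 applied. Coping method 2 is not reproduced because its application pattern and success probability are not stated on the page. Note that the 21.301% result only comes out if the OS layer is traversed between M/W and computer in both devices, which is consistent with FIG. 8 (the first computer connects directly only to the OS and the LAN cable).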
  • the contamination probability display unit 109 displays the contamination probability information 108 to the user 114 in any display method. For example, when contamination probability information 108 such as R801 in FIG. 14 is displayed, the user 114 can confirm that the garbled-bit occurrence probability decreases in the order: no coping method applied, coping method 1 applied, coping method 2 applied.
  • the output unit has been described as the contamination probability display unit 109 that displays the contamination probability information 108, but the contamination probability information 108 may be output in other ways.
  • for example, the output unit may be a transmission unit that transmits the contamination probability information 108, or an output device that writes the contamination probability information 108 to a storage device, instead of the contamination probability display unit 109.
  • <Summary of Embodiment 1> Based on the system configuration information, the data flow information, and the probability information, the data anomaly occurrence probability in each of the hardware and software included in the data flow is calculated as the partial anomaly occurrence probability. Further, based on the partial anomaly occurrence probabilities of at least a part of the system, the data anomaly probability of the entire hardware and software included in that part is calculated as the overall anomaly occurrence probability. This makes it possible to quantitatively evaluate the reliability or robustness of the system with respect to, for example, garbled data and data loss.
  • FIG. 15 is a block diagram showing the configuration of system design support apparatus 100 according to the second embodiment.
  • constituent elements that are the same as or similar to the above-described constituent elements are denoted by the same or similar reference numerals, and different constituent elements will be mainly described.
  • the system design support device 100 in FIG. 15 comprises the components within the dashed lines in FIG. 15. Specifically, the system design support device 100 of FIG. 15 includes a coping method learning unit 132 and a coping method proposing unit 134 in addition to the configuration described in Embodiment 1.
  • the design input unit 101 acquires allowable contamination probability information 131 in addition to coping method information 110, system configuration information 111, data flow information 112, and H/W abnormality probability information 113.
  • the coping method learning unit 132 learns combinations of the decomposed data flow information 106 and the contamination probability information 108, using the coping methods of the coping method information 110 as labels. That is, it learns combinations of the decomposed data flow information 106, the contamination probability information 108 including the anomaly occurrence probability, and the coping method information 110 including the coping method implemented in the system. This learning produces a trained model 133. The trained model 133 is a model that can infer, from decomposed data flow information 106 and an anomaly occurrence probability (corresponding to the contamination probability information 108), a new coping method (corresponding to the coping method information 110) to be additionally implemented in the system.
  • the coping method proposing unit 134 generates and outputs estimated coping method information 135 (information corresponding to the coping method information 110).
  • the estimated coping method information 135 indicates new coping methods that should be additionally implemented so that the system satisfies the allowable contamination probability information 131.
  • FIG. 16 is a flow chart showing the operation of the coping method learning unit 132 .
  • in step S41, the coping method learning unit 132 acquires the decomposed data flow information 106, its contamination probability information 108, and its coping method information 110 for a given system.
  • FIG. 17 is a diagram showing system configuration information 111 according to Embodiment 2. As shown in FIG. 17, a first coefficient is set for at least one of the hardware and software indicated in the system configuration information 111. Specifically, as the first coefficient, a coefficient named "cost" is set for the first computer E212, the OS E213, the second computer E222, the OS E223, the third computer E232, and the OS E233.
  • FIG. 18 is a diagram showing decomposed data flow information 106 according to the second embodiment. As shown in FIG. 18 , the first coefficient (cost) in FIG. 17 is reflected in the decomposed data flow information 106 .
  • FIG. 19 is a diagram showing coping method information 110 according to the second embodiment. As shown in FIG. 19, at least one of hardware and software in coping method information 110 is set with a second coefficient. Specifically, as the second coefficient, a coefficient named “R” is set for the first computer, the LAN cable, and the second computer of coping method 3 . How to use the first coefficient (cost) and the second coefficient (R) will be described later.
  • In step S42, the coping method learning unit 132 trains a convolutional neural network model using the decomposed data flow information 106, the contamination probability information 108 and the coping method information 110.
  • That is, the coping method learning unit 132 performs supervised learning on the decomposed data flow information 106 and the contamination probability information 108, using the coping methods of the coping method information 110 as labels.
  • The various input data may be in various formats such as graphical representations, text and numerical values; how they are converted to improve learning efficiency is not particularly limited.
  • In step S43, the coping method learning unit 132 outputs the trained model as the learned model 133. While the user repeatedly uses the system described above, data sets of the decomposed data flow information 106, the contamination probability information 108 and the coping method information 110 are repeatedly input to the system design support device 100, and the series of steps S41 to S43 is repeated each time.
  • FIG. 20 is a flowchart showing the operation of the coping method proposal unit 134.
  • In step S51, the coping method proposal unit 134 acquires the decomposed data flow information 106, the allowable contamination probability information 131 and the learned model 133.
  • The allowable contamination probability information 131 includes, for each data flow included in the data flow information 112, the expected probability of contamination that is acceptable in the system. The allowable contamination probability information 131 may be specified as a value common to all data flows or specified individually for each data flow.
  • In step S52, the coping method proposal unit 134 expands the allowable contamination probability acquired in step S51 to an arbitrary range.
  • For example, suppose the allowable contamination probability of data flow 1 is set to "0.01%"
  • and the allowable contamination probability of data flow 2 is set to "0.1%".
  • The coping method proposal unit 134 selects the lowest of the allowable contamination probabilities of data flow 1 and data flow 2, that is, the allowable contamination probability of data flow 1.
  • The coping method proposal unit 134 then expands the range of "0.01%", the allowable contamination probability of data flow 1, by one digit in each direction: to "0.001%" (one digit smaller) and to "0.1%" (one digit larger). The expansion is not limited to this and may follow any rule.
  • The coping method proposal unit 134 creates new allowable contamination probability information 131, having substantially the same data structure as the original allowable contamination probability information 131, based on the result of expanding the allowable contamination probability.
  • For example, suppose the original allowable contamination probability information 131 is the combination of "0.01%" and "0.1%" as the allowable contamination probabilities of data flow 1 and data flow 2. In this case, the coping method proposal unit 134 first adopts the original allowable contamination probability information 131, as it is, as one piece of new allowable contamination probability information 131. The coping method proposal unit 134 then creates the combination of "0.001%" and "0.1%" and the combination of "0.1%" and "0.1%", as the allowable contamination probabilities of data flow 1 and data flow 2, as further new allowable contamination probability information 131. That is, the coping method proposal unit 134 creates three pieces of new allowable contamination probability information 131 as combination patterns derived from one piece of original allowable contamination probability information 131.
  • A set of combination patterns created from one piece of original allowable contamination probability information 131 is hereinafter referred to as allowable contamination probability variation data. The kind of variation data created is arbitrary and is not limited to this example.
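The expansion of step S52, as an added example rather than code from the patent: it takes the allowable contamination probability information 131 as a mapping from data flow name to allowable probability written as a percentage string (that representation and the function names are my assumptions), selects the lowest allowable probability, shifts it one digit in each direction, and returns the three combination patterns the text calls allowable contamination probability variation data. The one-digit rule is the one from the example above; the text says any rule may be used, and `expand_one_digit` is the one place to change it.

```python
"""Allowable contamination probability variation data (step S52 of FIG. 20).
Added example, not the patent's own code; the input format is assumed."""
from __future__ import annotations

from decimal import Decimal


def parse_percent(text: str) -> Decimal:
    """'0.01%' -> Decimal('0.01'). Decimal keeps one-digit shifts exact, unlike float."""
    value = Decimal(text.strip().rstrip("%"))
    if value <= 0:
        raise ValueError(f"allowable contamination probability must be positive: {text!r}")
    return value


def fmt_percent(value: Decimal) -> str:
    """Decimal('0.001') -> '0.001%', the format used in the text."""
    return f"{value}%"


def expand_one_digit(value: Decimal) -> tuple[Decimal, Decimal]:
    """The one-digit rule of the example: one digit smaller and one digit larger."""
    return value.scaleb(-1), value.scaleb(1)


def make_variation_data(allowable: dict[str, str]) -> list[dict[str, str]]:
    """Return the combination patterns derived from one piece of allowable
    contamination probability information 131: the original, then the original
    with its lowest probability replaced by each expanded value."""
    parsed = {flow: parse_percent(p) for flow, p in allowable.items()}
    lowest_flow = min(parsed, key=parsed.get)          # ties: first data flow wins
    smaller, larger = expand_one_digit(parsed[lowest_flow])
    patterns = [dict(parsed)]                          # original, adopted as it is
    for replacement in (smaller, larger):
        pattern = dict(parsed)
        pattern[lowest_flow] = replacement
        patterns.append(pattern)
    return [{flow: fmt_percent(v) for flow, v in p.items()} for p in patterns]


if __name__ == "__main__":
    for pattern in make_variation_data({"data flow 1": "0.01%", "data flow 2": "0.1%"}):
        print(pattern)
```

Each returned pattern has the same keys as the input, which is what "substantially the same data structure" asks for; the three patterns are the three inputs fed to the learned model 133 in step S53.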
  • In step S53, the coping method proposal unit 134 uses the learned model 133 to obtain the estimated coping method information 135 from the combination of the decomposed data flow information 106 and the allowable contamination probability variation data created in step S52.
  • The estimated coping method information 135 includes an estimated pattern of coping methods to be implemented.
  • The data structure of the estimated coping method information 135 is substantially the same as that of the coping method information 110 shown in FIG. 19 and elsewhere. In the example above, where the allowable contamination probability variation data includes three pieces of allowable contamination probability information 131, three pieces of estimated coping method information 135 are obtained in step S53.
  • In step S54, the coping method proposal unit 134 inputs the decomposed data flow information 106 acquired in step S51 and any one of the three pieces of estimated coping method information 135 obtained in step S53 into the contamination probability calculation unit 107.
  • The contamination probability calculation unit 107 generates contamination probability information 108 from the input decomposed data flow information 106 and estimated coping method information 135, as described in Embodiment 1. In the example above, where three pieces of estimated coping method information 135 are obtained, three pieces of contamination probability information 108 are generated in step S54.
  • In step S54, a calculation similar to the calculation of the contamination probability information 108 described in Embodiment 1 is performed. If the first coefficient and the second coefficient are set, the contamination probability calculation unit 107 additionally performs the following calculation.
  • FIG. 21 is a diagram for explaining an operation example of the contamination probability calculation unit 107.
  • A first coefficient C811, a second coefficient C812 and a coping application result coefficient C813 are added to the items of FIG. 14 described in Embodiment 1.
  • Information already explained in Embodiment 1 is uniformly indicated by "-" here, and its explanation is omitted.
  • "{ }" is uniformly used to indicate that no coefficient is set.
  • For example, for E213: OS, the first coefficient is {cost: 100,000} and the second coefficient is { }.
  • That is, the second coefficient is not set for coping method 3 applied to E213: OS, for which {cost: 100,000} is set. Therefore, even when coping method 3, in which the second coefficient is not set, is applied, the cost of E213: OS remains {cost: 100,000}, as indicated by the coping application result coefficient C813.
  • For E212: first computer, in which {cost: 1,000,000} is set as the first coefficient, {R: 2} is set as the second coefficient of coping method 3.
  • Therefore, when coping method 3 is applied, the cost of E212: first computer becomes {cost: 2,000,000}, double the original {cost: 1,000,000}, as shown in the coping application result coefficient C813.
  • In this way, the contamination probability calculation unit 107 obtains the coping application result coefficient C813, which is a feature amount of the coping method, from the first coefficient and the second coefficient.
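The FIG. 21 calculation of the coping application result coefficient C813 from the first coefficient (cost, C811) and the second coefficient (R, C812), as an added example and not the patent's code. The rule is the one the worked example above states: where R is set on the applied coping method the cost is multiplied by R, where it is not the cost is left unchanged. Treating a row that has no cost as having no result coefficient, the `FlowRow` representation, and the second computer's cost in the sample are my assumptions; the E213 and E212 values are the ones given in the text.

```python
"""Coping application result coefficient C813 (FIG. 21): cost * R where R is set,
cost unchanged where it is not.  Added example, not the patent's own code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowRow:
    """One row of the decomposed data flow 106 with the coefficients of FIG. 21."""
    component: str                          # e.g. "E212: first computer"
    coping_method: Optional[str] = None     # coping method applied to this row, if any
    cost: Optional[int] = None              # first coefficient {cost: ...} from FIG. 17
    r: Optional[int] = None                 # second coefficient {R: ...} from FIG. 19


def result_coefficient(row: FlowRow) -> Optional[int]:
    """Coping application result coefficient C813 for one row."""
    if row.cost is None:
        return None                 # no first coefficient: nothing to scale (assumption)
    if row.coping_method is None or row.r is None:
        return row.cost             # R not set: cost stays as it is (E213: OS in the text)
    return row.cost * row.r         # R set: cost scaled by R (E212: first computer in the text)


def fmt(coef: Optional[int], name: str) -> str:
    """Render a coefficient the way FIG. 21 writes it: {cost: 100,000}, or { } when unset."""
    return "{ }" if coef is None else f"{{{name}: {coef:,}}}"


def coefficient_table(rows: list[FlowRow]) -> list[dict[str, str]]:
    """The C811 / C812 / C813 columns of FIG. 21 for every row of the flow."""
    return [
        {"component": row.component,
         "C811": fmt(row.cost, "cost"),
         "C812": fmt(row.r, "R"),
         "C813": fmt(result_coefficient(row), "cost")}
        for row in rows
    ]


def total_cost(rows: list[FlowRow]) -> int:
    """Sum of the result coefficients that are set: one feature amount of the coping method."""
    return sum(c for c in map(result_coefficient, rows) if c is not None)


# Constructed rows: E213 and E212 carry the values the text gives; the LAN cable has R but
# no cost (FIG. 17 sets cost only on computers and OSs); the second computer's cost is made up.
SAMPLE_ROWS = [
    FlowRow("E213: OS", "coping method 3", cost=100_000),
    FlowRow("E212: first computer", "coping method 3", cost=1_000_000, r=2),
    FlowRow("E241: LAN cable", "coping method 3", r=2),
    FlowRow("E222: second computer", "coping method 3", cost=1_000_000, r=2),
]

if __name__ == "__main__":
    for line in coefficient_table(SAMPLE_ROWS):
        print(line)
    print("total cost:", f"{total_cost(SAMPLE_ROWS):,}")
```

`total_cost` is one way to turn the per-row result coefficients into a single number that can be compared across the three pieces of estimated coping method information 135; the page does not say how the feature amount is aggregated, so that choice is mine.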
  • The contamination probability display unit 109 displays the estimated coping method information 135 and the contamination probability information 108 in any format.
  • The contamination probability display unit 109 may display as many pairs of estimated coping method information 135 and contamination probability information 108 as there are variations of the allowable contamination probability information 131, and the display may be ordered based on
  • The design input unit 101 and the calculation unit 121 shown in FIG. 1 are hereinafter referred to as "the design input unit 101 and the like".
  • The design input unit 101 and the like are implemented by a processing circuit 81 shown in FIG. That is, the processing circuit 81 includes the design input unit 101, which acquires the system configuration information 111, the data flow information 112 and the H/W abnormality probability information 113, and the calculation unit 121, which calculates, based on the system configuration information 111, the data flow information 112 and the H/W abnormality probability information 113, the abnormality occurrence probability of data in each of the hardware and software included in the data flow as a partial abnormality occurrence probability.
  • Dedicated hardware may be applied to the processing circuit 81, or a processor that executes a program stored in a memory may be applied.
  • Processors include, for example, central processing units, processing units, arithmetic units, microprocessors, microcomputers, and DSPs (Digital Signal Processors).
  • The processing circuit 81 may be, for example, a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or a combination of these.
  • Each function of each unit such as the design input unit 101 may be realized by a circuit in which processing circuits are distributed, or the functions of each unit may be collectively realized by one processing circuit.
  • When the processing circuit 81 is a processor, the functions of the design input unit 101 and the like are realized in combination with software and the like.
  • "Software and the like" corresponds to, for example, software, firmware, or both software and firmware.
  • Software and the like is written as a program and stored in memory. As shown in FIG. 23, a processor 82 used as the processing circuit 81 reads out and executes the program stored in a memory 83, thereby realizing the function of each unit.
  • When this program is executed by the processing circuit 81, the system design support device 100 consequently executes a step of acquiring the system configuration information 111, the data flow information 112 and the H/W abnormality probability information 113, and a step of calculating, based on the system configuration information 111, the data flow information 112 and the H/W abnormality probability information 113, the abnormality occurrence probability of data in each of the hardware and software included in the data flow as a partial abnormality occurrence probability. The system design support device 100 includes the memory 83 for storing the program that is executed in this way. In other words, this program can be said to cause a computer to execute the procedures and methods of the design input unit 101 and the like.
  • The memory 83 is, for example, a non-volatile or volatile semiconductor memory, an HDD (Hard Disk Drive), a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, a DVD (Digital Versatile Disc), a drive device for any of these, or any storage medium that may come into use in the future.
  • A configuration in which each function of the design input unit 101 and the like is realized by either hardware or software has been described above.
  • The configuration is not limited to this; a configuration in which part of the design input unit 101 and the like is realized by dedicated hardware and another part is realized by software or the like may also be used.
  • For example, some functions can be realized by the processing circuit 81 as dedicated hardware, an interface, a receiver and the like, while the remaining functions can be realized by the processing circuit 81 as the processor 82 executing a program stored in the memory 83.
  • As described above, the processing circuit 81 can realize each of the functions described above by hardware, software or the like, or a combination thereof.
  • The system design support device described above can also be applied to a system design support system constructed by appropriately combining several devices.
  • In that case, each function or each component of the system design support device described above may be distributed among the devices that constitute the system, or may be concentrated in any one of those devices.
  • Reference signs: 100 system design support device, 101 design input unit, 108 contamination probability information, 109 contamination probability display unit, 110 coping method information, 111 system configuration information, 112 data flow information, 113 H/W abnormality probability information, 121 calculation unit.


Abstract

The objective of the present invention is to provide a technology capable of quantitatively evaluating the reliability or robustness of a system. This system design support device is a device that supports system design, and comprises an acquiring unit and a computing unit. The acquiring unit acquires system configuration information, data flow information, and probability information. The computing unit computes, as a partial abnormality generation probability, a data abnormality generation probability in each of hardware and software included in at least a portion of the system, on the basis of the system configuration information, the data flow information, and the probability information.

Description

System design support device, system design support method, and system design support system
The present disclosure relates to a system design support device, a system design support method, and a system design support system.
In society there are many systems in which unintended behaviour (hereinafter simply referred to as an abnormality) caused by some defect results in material and economic loss or affects human life. Examples of such systems include control and management systems for moving bodies such as railways, automobiles and aircraft, and social infrastructure systems such as the power management system of a power plant.
Normally, system development includes S/W (software) functional testing and H/W (hardware) failure countermeasures. In the development of a system that requires reliability or robustness as described above, the possibility that the system malfunctions due to an event with a very low probability of occurrence is also taken into account. One abnormality caused by such an event is a soft error (also called a random failure): even when an electronic circuit is normal as hardware, bit corruption and data loss occur inside the circuit due to collisions of electrons or the influence of electromagnetic fields.
In the development of a complex, large-scale system, examining every possibility brought about by a soft error, and the countermeasures against it, for each location where a soft error may occur requires an enormous amount of analysis work.
The methods of coping with abnormalities caused by such events can be categorized into two types, and either or both are used in system development. One is to make the reliability of the S/W execution environment, that is, of the H/W side, extremely high. This makes it possible to exclude some abnormalities that may occur on the H/W side from consideration in the S/W design. The other is to handle H/W abnormalities in the S/W logic, on the premise that abnormal behaviour can occur on the H/W side with a certain probability.
For example, Patent Documents 1, 2, 3, 4 and 5 propose, as abnormality detection methods for H/W (in particular semiconductor devices), methods for detecting defects efficiently within a realistic verification cost and techniques for evaluating the reliability of the H/W by calculating how many undetected defects remain. The techniques of Patent Documents 1 to 5 correspond to the first of the two coping methods above, raising the reliability of the H/W.
For example, Patent Document 6 proposes a technique that supports the detection of vulnerabilities related to abnormalities by simulating an abnormality occurring in any component of the system, based on a hierarchical structure whose components are S/W and H/W. The technique of Patent Document 6 corresponds to the second coping method above, handling H/W abnormalities in the S/W logic.
The two coping methods share two problems. One is that no abnormality (for example a soft error) can be compensated with 100% certainty. The other is that each coping method is specialized for abnormalities that occur at a specific location, timing and frequency within the system.
Furthermore, the techniques of Patent Documents 1 to 5, for example, cannot evaluate the ability to cope with abnormalities such as soft errors, which occur even when the H/W is normal. The technique of Patent Document 6, for example, evaluates the effect of a predetermined abnormality, so it cannot evaluate an unexpected abnormality in which a normal state unintentionally turns into another normal state. Specifically, suppose that in some system control commands A and B are represented as the data 0x01 (bit string 0000 0001) and 0x03 (bit string 0000 0011) respectively. If a 1-bit corruption happens to turn 0x01 into 0x03, the result is still a valid control command as data, so the technique of Patent Document 6 cannot detect such data corruption.
Patent Document 1: JP 2004-185550 A
Patent Document 2: JP 2009-192407 A
Patent Document 3: JP H05-209943 A
Patent Document 4: JP 2010-015420 A
Patent Document 5: JP 2016-218577 A
Patent Document 6: JP 2005-275749 A
For the above reasons, raising the robustness of the whole system requires using a combination of various coping methods. To do so, it is conceivable to quantitatively evaluate the reliability or robustness of the system with and without each of the various coping methods. The prior art, however, has the problem that the reliability or robustness of the system is not evaluated quantitatively.
The present disclosure has been made in view of the problems described above, and aims to provide a technology capable of quantitatively evaluating the reliability or robustness of a system.
A system design support device according to the present disclosure includes an acquisition unit that acquires system configuration information indicating the hierarchy of hardware included in a system and software executed on the hardware, data flow information indicating the flow of data in at least a part of the system, and probability information indicating the abnormality occurrence probability of data in the hardware; and a calculation unit that calculates, based on the system configuration information, the data flow information and the probability information, the abnormality occurrence probability of data in each of the hardware and the software included in the at least a part as a partial abnormality occurrence probability.
According to the present disclosure, the abnormality occurrence probability of data in each of the hardware and software included in at least a part of the system is calculated as a partial abnormality occurrence probability based on the system configuration information, the data flow information and the probability information. With such a configuration, the reliability or robustness of the system can be evaluated quantitatively.
FIG. 1 is a block diagram showing the configuration of a system design support device according to Embodiment 1.
FIG. 2 is a diagram showing an example of coping method information.
FIG. 3 is a diagram showing an example of system configuration information.
FIG. 4 is a diagram showing an example of data flow information.
FIG. 5 is a diagram showing an example of H/W abnormality probability information.
FIG. 6 is a flowchart showing the operation of a design input unit.
FIG. 7 is a flowchart showing the operation of a hierarchy and component identification unit.
FIG. 8 is a diagram showing an example of hierarchy and component information.
FIG. 9 is a diagram showing an example of hierarchy dependency information.
FIG. 10 is a flowchart showing the operation of a hierarchy and component decomposition unit.
FIG. 11 is a diagram showing an example of decomposed data flow information.
FIG. 12 is a flowchart showing the operation of a contamination probability calculation unit.
FIG. 13 is a diagram for explaining an operation example of the contamination probability calculation unit.
FIG. 14 is a diagram for explaining an operation example of the contamination probability calculation unit.
FIG. 15 is a block diagram showing the configuration of a system design support device according to Embodiment 2.
FIG. 16 is a flowchart showing the operation of a coping method learning unit.
FIG. 17 is a diagram showing an example of system configuration information.
FIG. 18 is a diagram showing an example of decomposed data flow information.
FIG. 19 is a diagram showing an example of coping method information.
FIG. 20 is a flowchart showing the operation of a coping method proposal unit.
FIG. 21 is a diagram for explaining an operation example of the contamination probability calculation unit.
FIG. 22 is a block diagram showing the hardware configuration of a system design support device according to another modification.
FIG. 23 is a block diagram showing the hardware configuration of a system design support device according to another modification.
<Embodiment 1>
FIG. 1 is a block diagram showing the configuration of a system design support device 100 according to Embodiment 1.
The system design support device 100 of FIG. 1 includes the components inside the dashed line in FIG. 1. Specifically, the system design support device 100 includes a design input unit 101 as an acquisition unit, a calculation unit 121, and a contamination probability display unit 109 as an output unit. The calculation unit 121 includes a hierarchy and component identification unit 102, a hierarchy and component decomposition unit 105, and a contamination probability calculation unit 107.
As described below, the design input unit 101 acquires system configuration information 111, data flow information 112, and H/W abnormality probability information 113, which is the probability information. Based on the system configuration information 111, the data flow information 112 and the H/W abnormality probability information 113, the calculation unit 121 calculates the abnormality occurrence probability of data in each of the hardware and software included in at least a part of the system under evaluation as a partial abnormality occurrence probability. In Embodiment 1, the design input unit 101 further acquires coping method information 110, and the calculation unit 121 corrects the partial abnormality occurrence probability of a specific part based on the coping method information 110.
Based on the partial abnormality occurrence probabilities of at least a part of the system under evaluation, the calculation unit 121 calculates the abnormality occurrence probability of data across all of the hardware and software included in that part as an overall abnormality occurrence probability. As a quantitative evaluation of the reliability or robustness of the system under evaluation, the system design support device 100 displays, on the contamination probability display unit 109, contamination probability information 108, which includes at least one of the partial abnormality occurrence probability and the overall abnormality occurrence probability. That is, the contamination probability display unit 109 displays and outputs information based on the partial abnormality occurrence probability. By providing such a display, the system design support device 100 supports the system design of a user 114. In a system design support system, the contamination probability display unit 109 may be provided separately from the system design support device 100.
Next, the system design support device 100 is described in detail. First, the coping method information 110, the system configuration information 111, the data flow information 112 and the H/W abnormality probability information 113 acquired by the design input unit 101 are described.
FIG. 2 is a diagram showing an example of the coping method information 110. The coping method information 110 indicates the type of each coping method for abnormalities and the success rate with which that coping method compensates for an abnormality occurring in data in a specific part of the system under evaluation (hereinafter also referred to as the compensation success probability). For example, in coping method 1 of FIG. 2, a specific part of the system consisting of a computer, at least one of a LAN (Local Area Network) cable and a network switch, and a computer is set as the application pattern. When an abnormality occurs in data flowing through this application pattern and coping method 1 is performed, the abnormality is compensated with a probability of 0.9 (= 90%).
The application pattern is used for the pattern matching described later. The upper limit of the compensation success probability is 1; the closer the compensation success probability is to 1, the more likely the abnormality is to be compensated. Coping method 1, coping method 2, ... may be set in the order in which they are applied to the data flow when the system actually operates.
FIG. 3 is a diagram showing an example of the system configuration information 111. The system configuration information 111 is information indicating the configuration of the system under evaluation.
The system configuration information 111 indicates the hierarchy and the linkage between the hardware included in the system under evaluation and the software executed on that hardware. Hierarchy means a dependency in which the state of one element governs the operation of the other. Linkage means a relationship in which data can be passed directly, and may include relationships other than dependencies (for example, parallel relationships). Linkage is also referred to as connection, and each piece of hardware and software included in the system is also referred to as a component.
In the system of FIG. 3, one network switch E202 is physically connected to three devices (devices E211, E221 and E231) via three LAN cables (LAN cables E241, E242 and E243). Device E211 contains, as an S/W hierarchy, a first computer E212, an OS (Operating System) E213, M/W (middleware) E214, a first application E216 and a second application E215. In FIG. 3 and elsewhere, "application" is abbreviated as "App".
Devices E221 and E231 are configured in the same way as device E211. That is, device E221 contains, as an S/W hierarchy, a second computer E222, an OS E223, M/W E224, a third application E226 and a fourth application E225. Device E231 contains, as an S/W hierarchy, a third computer E232, an OS E233, M/W E234, a fifth application E236 and a sixth application E235.
In FIG. 3 the system configuration information 111 shows the hierarchy and linkage of hardware and software as a block diagram, but it is not limited to this. For example, the system configuration information 111 may indicate the hierarchy and linkage of hardware and software by means of a table.
FIG. 4 is a diagram showing an example of the data flow information 112. The data flow information 112 indicates the flow of data in at least a part of the system under evaluation. For example, data flow 1 in FIG. 4 indicates that data flows through the first application, the second application, M/W, ..., M/W and the fourth application in this order. Data flow 2 in FIG. 4 indicates that data flows through substantially the whole of the system of FIG. 3.
FIG. 5 is a diagram showing an example of the H/W abnormality probability information 113. The H/W abnormality probability information 113 indicates the abnormality occurrence probability of data in hardware. In Embodiment 1, the abnormality occurrence probability of data in hardware includes the probability that data corruption occurs in the hardware and the probability that data loss occurs in the hardware, but it is not limited to these. The probability of bit corruption may be defined in various ways, such as x occurrences per year or x occurrences per number of transactions; the type of definition is not particularly limited.
<Design input section>
Next, the operation of the design input unit 101 will be described. FIG. 6 is a flowchart showing the operation of the design input unit 101.
First, in step S1, the design input unit 101 receives, from outside the system design support device 100, the coping method information 110, the system configuration information 111, the data flow information 112, and the H/W abnormality probability information 113 as the various items of design information of the system device to be evaluated.
In step S2, the design input unit 101 sorts and distributes the various items of design information. As a result, the coping method information 110 is output to the contamination probability calculation unit 107, the system configuration information 111 to the hierarchy and component identification unit 102, the data flow information 112 to the hierarchy and component decomposition unit 105, and the H/W abnormality probability information 113 to the contamination probability calculation unit 107. The input method and transfer method of the various items of information received by the design input unit 101, and the data format of the signals themselves, are not particularly limited.
<Hierarchy and component identification section>
Next, the operation of the hierarchy and component identification unit 102 will be described. FIG. 7 is a flowchart showing the operation of the hierarchy and component identification unit 102.
First, in step S11, the hierarchy and component identification unit 102 receives the system configuration information 111 from the design input unit 101.
In step S12, the hierarchy and component identification unit 102 extracts the linkages between hierarchical structures and between component configurations from the system configuration information 111 and generates them as the hierarchy and component information 103 of the system.
FIG. 8 is a diagram showing an example of the hierarchy and component information 103 for the linkages of the device E211, derived from the system configuration information 111 (see FIG. 3). For example, since the first computer E212 in FIG. 3 has a direct connection only with the OS E213 and the LAN cable E241, in FIG. 8 the entries E213 (indicating the OS E213) and E241 (indicating the LAN cable E241) are circled for the first computer E212.
In the system of FIG. 3 as a whole, there are multiple components and layers that logically refer to the same thing, such as LAN cables, OSs, and M/W. In view of this, in the hierarchy and component information 103 of FIG. 8, each component is given identification information, such as a unique name or number, that uniquely determines which LAN cable, OS, M/W or other component is meant. In Embodiment 1, the identification information is the numbering scheme "E2xx" used for the reference signs in FIG. 3, but it is not limited to this.
In Embodiment 1, the hierarchy and component identification unit 102 extracts the hierarchy and component information 103 of FIG. 8 on the criterion that layers and components that are visually adjacent in the block diagram of FIG. 3 can be linked directly. Depending on the actual system design method, there may also be a scheme in which, for example, the first application E216 and the second application E215 can be linked only via the M/W E213. For such a scheme, information indicating this may be separately included in the system configuration information 111 of FIG. 3, a gap may be provided between those components in FIG. 3, or a separate mechanism may be provided for extracting and separately editing the linkage information.
In step S13 of FIG. 7, the hierarchy and component identification unit 102 extracts, from the system configuration information 111, the dependency relationships of the hierarchical structure of the H/W and of the S/W running on it, together with the units of component configuration, and generates them as the hierarchy dependency information 104.
FIG. 9 is a diagram showing an example of the hierarchy dependency information 104 generated from the system configuration information 111 (see FIG. 3). FIG. 9 shows, for example, that the operations of the OS E213, the M/W E214, the first application E216, and the second application E215 depend on the state of the first computer E212, whereas the operation of the first computer E212 does not depend on the state of the OS E213 or the others. It also shows, for example, that the first application E216 and the second application E215 are in a parallel relationship within the application layer, not in a dependency relationship. FIG. 9 further shows, for example, that the system of FIG. 3 is composed of four layers: computer, OS, M/W, and application. The specific data format of the hierarchy and component information 103 is not particularly limited as long as it includes such dependency relationships and component configurations.
<Hierarchy and component decomposition section>
Next, the hierarchy and component decomposition unit 105 will be described. FIG. 10 is a flowchart showing the operation of the hierarchy and component decomposition unit 105.
First, in step S21, the hierarchy and component decomposition unit 105 receives the data flow information 112 from the design input unit 101 and the hierarchy and component information 103 from the hierarchy and component identification unit 102.
In step S22, the hierarchy and component decomposition unit 105 interprets by what linkage of the layers and components indicated in the hierarchy and component information 103 the data flow indicated in the data flow information 112 is realized. Based on that interpretation, the hierarchy and component decomposition unit 105 assigns the identification information of the hierarchy and component information 103 to the components appearing in the data flow of the data flow information 112, and supplements the flow with components of the hierarchy and component information 103 as appropriate. The hierarchy and component decomposition unit 105 generates the information obtained by the above processing as the decomposed data flow information 106.
FIG. 11 is a diagram showing an example of the decomposed data flow information 106 generated from data flow 1 of the data flow information 112 (see FIG. 4) and the hierarchy and component information 103 (see FIG. 8).
For example, based on the identification information of FIG. 8, the hierarchy and component decomposition unit 105 converts the portion "first application -> second application" of data flow 1 in FIG. 4 into "E216: first application -> E215: second application" in FIG. 11. Also, for example, based on the linkage between E212 and E241 in FIG. 8 and on an estimate of the shortest path between the first computer and the network switch, the hierarchy and component decomposition unit 105 supplements the portion "first computer -> network switch" of data flow 1 in FIG. 4 to "E212: first computer -> E241: LAN cable -> E202: network switch" in FIG. 11.
The hierarchy and component decomposition unit 105 generates the decomposed data flow information 106 of FIG. 11 by applying the above conversion to all of data flow 1 and data flow 2 of the data flow information 112 in FIG. 4. Supplementing the data flow is not essential; for example, the data flow information 112 may be set in advance so that the hierarchy and component decomposition unit 105 does not perform supplementation.
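The following is an added worked example of step S22 (identification and supplementation of a data flow); it is not code from the patent and the applicant has published no implementation. It assumes a linkage table built from the description of FIGS. 3 and 8 (visually adjacent layers and components are directly linked, and each device hangs off the network switch by one LAN cable), a constructed input in the shape of data flow 1 of FIG. 4 with the LAN cables left out, and resolves ambiguous names such as "OS" and "M/W" to the candidate that is closest to the previously resolved component, which is one way to realise the "shortest path estimate" the text mentions.

```python
from collections import deque

# Constructed linkage table in the spirit of FIG. 8 (hierarchy and component
# information 103): each component id maps to the ids it is directly linked to.
# Edges follow the "visually adjacent layers are directly linked" rule of
# Embodiment 1 and the FIG. 3 description; this is an assumption, not the
# patent's own data.
LINKS = {
    "E202": ["E241", "E242", "E243"],      # network switch
    "E241": ["E202", "E212"],              # LAN cable to device E211
    "E242": ["E202", "E222"],              # LAN cable to device E221
    "E243": ["E202", "E232"],              # LAN cable to device E231
    "E212": ["E241", "E213"],              # first computer
    "E213": ["E212", "E214"],              # OS
    "E214": ["E213", "E216", "E215"],      # M/W
    "E216": ["E214", "E215"],              # first application
    "E215": ["E214", "E216"],              # second application
    "E222": ["E242", "E223"], "E223": ["E222", "E224"],
    "E224": ["E223", "E226", "E225"],
    "E226": ["E224", "E225"], "E225": ["E224", "E226"],
    "E232": ["E243", "E233"], "E233": ["E232", "E234"],
    "E234": ["E233", "E236", "E235"],
    "E236": ["E234", "E235"], "E235": ["E234", "E236"],
}

# Component names as they appear in data flow information 112; several
# components share a name, which is why identification is needed.
NAMES = {
    "E202": "network switch", "E241": "LAN cable", "E242": "LAN cable", "E243": "LAN cable",
    "E212": "first computer", "E213": "OS", "E214": "M/W",
    "E216": "first application", "E215": "second application",
    "E222": "second computer", "E223": "OS", "E224": "M/W",
    "E226": "third application", "E225": "fourth application",
    "E232": "third computer", "E233": "OS", "E234": "M/W",
    "E236": "fifth application", "E235": "sixth application",
}


def shortest_path(start, goal):
    """Breadth-first search over LINKS; returns the id list from start to goal
    inclusive, or None when the two components are not connected."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in LINKS.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def decompose_flow(flow_names, supplement=True):
    """Step S22: assign ids to the named components of a data flow and, when
    supplement is True, splice in the components on the shortest path between
    consecutive named components.  Ambiguous names (OS, M/W, LAN cable) are
    resolved to the candidate closest to the previously resolved component."""
    resolved = []
    for name in flow_names:
        candidates = [cid for cid, n in NAMES.items() if n == name]
        if not candidates:
            raise ValueError(f"unknown component name: {name}")
        if not resolved:
            resolved.append(candidates[0])
            continue
        paths = [shortest_path(resolved[-1], c) for c in candidates]
        paths = [p for p in paths if p is not None]
        if not paths:
            raise ValueError(f"{name} is not reachable from {resolved[-1]}")
        best = min(paths, key=len)
        # best[0] is the previous component; interior nodes are the supplemented ones.
        resolved.extend(best[1:] if supplement else best[-1:])
    return resolved


def render(ids):
    """Format like FIG. 11, e.g. 'E212:first computer -> E241:LAN cable'."""
    return " -> ".join(f"{cid}:{NAMES[cid]}" for cid in ids)


# Constructed input in the shape of data flow 1 of FIG. 4 (LAN cables omitted,
# as the text says they are supplemented in FIG. 11).
DATA_FLOW_1 = ["first application", "second application", "M/W", "OS",
               "first computer", "network switch", "second computer",
               "OS", "M/W", "fourth application"]

if __name__ == "__main__":
    print(render(decompose_flow(DATA_FLOW_1)))
```

With `supplement=False` the function only assigns ids, which corresponds to the setting in which the decomposition unit is configured not to supplement the flow.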
<Contamination probability calculation section>
Next, the contamination probability calculation unit 107 will be described. FIG. 12 is a flowchart showing the operation of the contamination probability calculation unit 107.
First, in step S31, the contamination probability calculation unit 107 receives the hierarchy dependency information 104 from the hierarchy and component identification unit 102, the decomposed data flow information 106 from the hierarchy and component decomposition unit 105, and the H/W abnormality probability information 113 from the design input unit 101.
In step S32, the contamination probability calculation unit 107 calculates, based on the hierarchy dependency information 104 and the H/W abnormality probability information 113, the probability that a data abnormality occurs in each layer and each component, as the partial abnormality occurrence probability.
FIG. 13 is a diagram for explaining an operation example of the contamination probability calculation unit 107. For example, the contamination probability calculation unit 107 reads from the hierarchy dependency information 104 (see FIG. 9) the four layers computer, OS, M/W, and application, with the computer at the base. The contamination probability calculation unit 107 also reads from the H/W abnormality probability information 113 (see FIG. 5) a 1-bit corruption probability of 1% for the first computer, which is H/W. When bit corruption occurs, data is corrupted in one of the above four layers.
To simplify the explanation in Embodiment 1, it is assumed that the number of bits of data used in each of the four layers is the same. As one example, FIG. 13 shows that the data used in every layer is the 4-bit data "1010".
In this case, the bit corruption occurrence probabilities of the four layers are all roughly the same. Therefore, when 1% bit corruption occurs across the four layers as a whole, the contamination probability calculation unit 107 divides the 1% into four equal parts and calculates the bit corruption probability of each layer as 0.25%. Further, assuming that the bit corruption occurrence probabilities of the first application E216 and the second application E215, which are in a parallel relationship, are roughly equal, the contamination probability calculation unit 107 divides the above 0.25% into two equal parts and calculates the bit corruption probability of each as 0.125%. In the same way, for other abnormalities included in the H/W abnormality probability information 113, such as bit loss, the contamination probability calculation unit 107 calculates the abnormality occurrence probability of the data of each layer and each component as the partial abnormality occurrence probability.
In an actual system the data distribution is not as simple as above, so the partial abnormality occurrence probabilities of the layers are not equal. The contamination probability calculation unit 107 may therefore set a weight for correcting the partial abnormality occurrence probability based on at least one of the residence time, the arithmetic processing, and the size of the data in each layer of the data flow. For example, suppose that the residence time, arithmetic processing, or size in the M/W is larger than in the computer, the OS, and the application. In this case, the contamination probability calculation unit 107 may set the weights of the computer, OS, M/W, and application to, for example, 1, 1, 2, and 1, respectively, and calculate the bit corruption occurrence probability of the M/W as 0.4% (= 1% × 2/(1+1+2+1)). With such a configuration, the partial abnormality occurrence probability can be calculated with high accuracy.
In step S33 of FIG. 12, the contamination probability calculation unit 107 associates each layer and each component included in the decomposed data flow information 106 with the partial abnormality occurrence probability of that layer or component calculated in step S32.
FIG. 14 is a diagram for explaining an operation example of the contamination probability calculation unit 107 in steps S33 to S36 of FIG. 12. Column C801 of FIG. 14 shows data flow 1 of the decomposed data flow information 106 of FIG. 11, and column C802 of FIG. 14 shows the partial abnormality occurrence probabilities of FIG. 13. The association in step S33 links column C801 with column C802.
In step S34 of FIG. 12, the contamination probability calculation unit 107 performs processing to accept the coping method information 110 corresponding to the system. The contamination probability calculation unit 107 then determines whether the coping method information 110 from the design input unit 101 has been received. If it is determined that it has been received, the process proceeds to step S35; otherwise, the process proceeds to step S36.
In step S35, the contamination probability calculation unit 107 reads each coping method of the coping method information 110 and searches, by pattern matching, for the part of the data flow of the decomposed data flow information 106 to which the application pattern of that coping method corresponds. For example, when the application pattern of coping method 1 in FIG. 2 is searched for in the data flow of column C801 in FIG. 14, the part "E212: first computer -> E241: LAN cable -> E202: network switch -> E242: LAN cable -> E222: second computer" is found.
In this way, the contamination probability calculation unit 107 searches by pattern matching for the part of the data flow of the decomposed data flow information 106 to which the application pattern of each coping method corresponds, and stores its position. In columns C803 and C805 of FIG. 14, the parts corresponding to the application patterns of coping methods 1 and 2 of FIG. 2 are marked with the compensation success probability, and the parts not corresponding to an application pattern are dot-hatched.
In step S36, the contamination probability calculation unit 107 calculates, based on the partial abnormality occurrence probabilities of the data flow of the system to be evaluated, the probability that a data abnormality occurs in the hardware and software included in the data flow as a whole, as the overall abnormality occurrence probability. In Embodiment 1, as one example, the overall abnormality occurrence probability is the probability that one or more data abnormalities occur in the hardware and software as a whole from the start point to the end point of the data flow.
For example, based on the partial abnormality occurrence probabilities in column C802, the contamination probability calculation unit 107 calculates the overall abnormality occurrence probability when no coping method is applied. As a specific example, the contamination probability calculation unit 107 calculates {1 − (1 − 0.125%) × (1 − 0.125%) × (1 − 0.250%) × ... × (1 − 0.125%)} × 100 and obtains an overall abnormality occurrence probability of 21.301%.
For example, among the partial abnormality occurrence probabilities in column C802, the contamination probability calculation unit 107 corrects those of the application pattern of coping method 1 using the compensation success probability in column C803. As a specific example, the contamination probability calculation unit 107 calculates {1 − (1 − 0.250%) × (1 − 10.000%) × (1 − 1.000%) × (1 − 10.000%) × (1 − 0.250%)} × (1 − 90.000%) × 100 and thereby corrects the partial abnormality occurrence probability of the application pattern to 2.021%, as shown in column C804.
The partial abnormality occurrence probability corrected in this way is the probability that an abnormality remains even when coping method 1 is applied. That is, column C804 shows that, when data passes through all five layers and components corresponding to the application pattern of coping method 1, the probability that a data abnormality remains in one or more components even though coping method 1 is applied is 2.021%. For layers and components that do not correspond to the application pattern of coping method 1, column C804 shows the same partial abnormality occurrence probabilities as column C802.
Based on the partial abnormality occurrence probabilities in column C804, the contamination probability calculation unit 107 calculates the overall abnormality occurrence probability when coping method 1 is applied. Specifically, the contamination probability calculation unit 107 performs the same calculation on column C804 as on column C802 and obtains an overall abnormality occurrence probability of 3.360%.
The contamination probability calculation unit 107 calculates column C806 from columns C802 and C805 in the same way that it calculated column C804 from columns C802 and C803. Based on the partial abnormality occurrence probabilities in column C806, the contamination probability calculation unit 107 calculates the overall abnormality occurrence probability when coping method 2 is applied. Specifically, the contamination probability calculation unit 107 performs the same calculation on column C806 as on column C802 and obtains an overall abnormality occurrence probability of 1.743%.
Column R801 shows the overall abnormality occurrence probability when no coping method is applied, when coping method 1 is applied, and when coping method 2 is applied.
The operations of steps S31 to S36 of FIG. 12 described above are performed for all abnormality occurrence probabilities in the H/W abnormality probability information 113 (see FIG. 5) and for all data flows in the decomposed data flow information 112 (see FIG. 11). The contamination probability calculation unit 107 generates the contamination probability information 108, which includes at least one of the partial abnormality occurrence probability and the overall abnormality occurrence probability, for all abnormality occurrence probabilities and all data flows.
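The following is an added worked example of steps S32 to S36 (partial probabilities, pattern matching and the overall probability); it is not code from the patent. It assumes the per-component probabilities of column C802 as constructed here (the LAN cable and network switch values are those used in the worked calculation for coping method 1 above), a coping method in the shape of coping method 1 with the 90% compensation success probability from that calculation, and the independence of segments implied by the product formula. Coping method 2 is left out because its application pattern is not reproduced on this page.

```python
# ---- Step S32: partial abnormality occurrence probabilities -----------------

def partial_probabilities(hw_probability, layer_weights, parallel_counts=None):
    """Split a hardware-level probability (percent) over the layers that depend
    on that hardware in proportion to the layer weights.  Equal weights give the
    equal split of FIG. 13; weights 1,1,2,1 give the weighted variant.  A layer
    is further split evenly between components in parallel within it (e.g. the
    two applications of device E211)."""
    parallel_counts = parallel_counts or {}
    total = sum(layer_weights.values())
    return {layer: hw_probability * w / total / parallel_counts.get(layer, 1)
            for layer, w in layer_weights.items()}


# ---- Step S33: probabilities bound to the decomposed data flow -------------

# Constructed in the shape of columns C801/C802 of FIG. 14: data flow 1 with
# the per-component partial probabilities in percent.
FLOW_1 = [
    ("E216", "first application", 0.125),
    ("E215", "second application", 0.125),
    ("E214", "M/W", 0.250),
    ("E213", "OS", 0.250),
    ("E212", "first computer", 0.250),
    ("E241", "LAN cable", 10.000),
    ("E202", "network switch", 1.000),
    ("E242", "LAN cable", 10.000),
    ("E222", "second computer", 0.250),
    ("E223", "OS", 0.250),
    ("E224", "M/W", 0.250),
    ("E225", "fourth application", 0.125),
]

# Constructed coping method in the shape of coping method 1 of FIG. 2: an
# application pattern (component names in flow order) and a compensation
# success probability in percent (assumed value taken from the C804 example).
COPING_METHOD_1 = {
    "pattern": ["first computer", "LAN cable", "network switch",
                "LAN cable", "second computer"],
    "compensation_success": 90.0,
}


def overall_probability(segment_probs):
    """Probability (percent) that at least one abnormality occurs along a
    sequence of independent segments, each given in percent:
    1 - prod(1 - p_i)."""
    survive = 1.0
    for p in segment_probs:
        survive *= 1.0 - p / 100.0
    return (1.0 - survive) * 100.0


# ---- Step S35: pattern matching --------------------------------------------

def find_pattern(flow, pattern):
    """Return the (start, end) slice of the first occurrence of the
    component-name pattern in the flow, or None when it does not occur."""
    names = [name for _, name, _ in flow]
    for i in range(len(names) - len(pattern) + 1):
        if names[i:i + len(pattern)] == pattern:
            return i, i + len(pattern)
    return None


# ---- Step S36: overall probability with and without a coping method --------

def apply_coping_method(flow, method):
    """Collapse the matched application pattern into one residual probability:
    an abnormality occurs inside the pattern AND the coping method fails to
    compensate it (column C804).  Components outside the pattern keep their
    column C802 values.  An unmatched pattern leaves the flow unchanged."""
    probs = [p for _, _, p in flow]
    span = find_pattern(flow, method["pattern"])
    if span is None:
        return probs
    start, end = span
    residual = overall_probability(probs[start:end]) * (
        1.0 - method["compensation_success"] / 100.0)
    return probs[:start] + [residual] + probs[end:]


def evaluate(flow, methods):
    """Row R801: overall probability with no coping method and with each
    coping method applied on its own."""
    rows = {"none": overall_probability([p for _, _, p in flow])}
    for i, m in enumerate(methods, start=1):
        rows[f"method {i}"] = overall_probability(apply_coping_method(flow, m))
    return rows


if __name__ == "__main__":
    for label, value in evaluate(FLOW_1, [COPING_METHOD_1]).items():
        print(f"{label}: {value:.3f}%")
```

Running the block reproduces the figures on this page: 21.301% with no coping method, 2.021% residual for the matched pattern, and 3.360% overall with coping method 1 applied.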
The contamination probability display unit 109 displays the contamination probability information 108 to the user 114 in any display format. For example, when contamination probability information 108 such as column R801 of FIG. 14 is displayed, the user 114 can confirm that the bit corruption occurrence probability decreases in the order: no coping method applied, coping method 1 applied, coping method 2 applied.
In Embodiment 1, the output unit has been described as the contamination probability display unit 109 that displays the contamination probability information 108, but it suffices that the output unit outputs the contamination probability information 108. For example, instead of the contamination probability display unit 109 that displays the contamination probability information 108, the output unit may be a transmission unit that transmits the contamination probability information 108, or an output device that outputs the contamination probability information 108 to a storage device.
<Summary of Embodiment 1>
According to the system design support device 100 of Embodiment 1 described above, the probability that a data abnormality occurs in each of the hardware and software included in the data flow is calculated as the partial abnormality occurrence probability based on the system configuration information, the data flow information, and the probability information. Further, based on the partial abnormality occurrence probabilities of at least a part of the system, the probability that a data abnormality occurs in the hardware and software included in that part as a whole is calculated as the overall abnormality occurrence probability. With such a configuration, the reliability or robustness of the system can be evaluated quantitatively with respect to, for example, data corruption and data loss.
<Embodiment 2>
FIG. 15 is a block diagram showing the configuration of the system design support device 100 according to Embodiment 2. In the following, among the components of Embodiment 2, those that are the same as or similar to the components described above are given the same or similar reference signs, and the description focuses mainly on the components that differ.
The system design support device 100 of FIG. 15 comprises the components inside the dashed line in FIG. 15. Specifically, in addition to the configuration described in Embodiment 1, the system design support device 100 of FIG. 15 comprises a coping method learning unit 132 and a coping method proposal unit 134.
The design input unit 101 acquires allowable contamination probability information 131 in addition to the coping method information 110, the system configuration information 111, the data flow information 112, and the H/W abnormality probability information 113.
The coping method learning unit 132 learns combinations of the decomposed data flow information 106 and the contamination probability information 108, using the coping methods of the coping method information 110 as labels. That is, the coping method learning unit 132 learns the combination of the decomposed data flow information 106, the contamination probability information 108 including the abnormality occurrence probabilities, and the coping method information 110 including the coping methods to be implemented in the system. A trained model 133 is generated as the result of this learning. The trained model 133 is a model that can infer, from the decomposed data flow information 106 and the abnormality occurrence probabilities (corresponding to the contamination probability information 108), a new coping method (corresponding to the coping method information 110) that should additionally be implemented in the system.
The coping method proposal unit 134 outputs estimated coping method information 135 (corresponding to the coping method information 110) based on new decomposed data flow information 106, the allowable contamination probability information 131, which includes the abnormality occurrence probability that is acceptable in the system, and the trained model 133. The estimated coping method information 135 includes a new coping method that should additionally be implemented and that can satisfy the allowable contamination probability information 131 in the system.
 <対処方式学習部>
 対処方式学習部132について説明する。図16は、対処方式学習部132の動作を示すフローチャートである。
<Coping method learning part>
The coping method learning unit 132 will be described. FIG. 16 is a flow chart showing the operation of the coping method learning unit 132 .
 First, in step S41, the coping method learning unit 132 acquires, for a given system, the decomposed data flow information 106, its contamination probability information 108, and its coping method information 110.
 FIG. 17 shows system configuration information 111 according to the second embodiment. As shown in FIG. 17, a first coefficient is set on at least one of the hardware and software items listed in the system configuration information 111. Specifically, a coefficient named "cost" is set as the first coefficient on the first computer E212, OS E213, second computer E222, OS E223, third computer E232, and OS E233.
 FIG. 18 shows decomposed data flow information 106 according to the second embodiment. As shown in FIG. 18, the first coefficient (cost) of FIG. 17 is carried over into the decomposed data flow information 106.
 FIG. 19 shows coping method information 110 according to the second embodiment. As shown in FIG. 19, a second coefficient is set on at least one of the hardware and software items of the coping method information 110. Specifically, a coefficient named "R" is set as the second coefficient on the first computer, the LAN cable, and the second computer of coping method 3. How the first coefficient (cost) and the second coefficient (R) are used is described later.
 In step S42, the coping method learning unit 132 trains a convolutional neural network model using the decomposed data flow information 106, the contamination probability information 108, and the coping method information 110. In this second embodiment, the coping method learning unit 132 performs supervised learning on the decomposed data flow information 106 and the contamination probability information 108, using the coping methods of the coping method information 110 as labels. The various inputs may come in diverse forms such as diagrams, text, and numerical values; how they are converted so as to improve learning efficiency is not particularly limited.
 In step S43, the coping method learning unit 132 outputs the trained model as the trained model 133. As the user repeatedly uses the system described above, data sets of decomposed data flow information 106, contamination probability information 108, and coping method information 110 are repeatedly input to the system design support device 100, and the sequence of steps S41 to S43 is repeated each time.
 <Coping method proposal unit>
 Next, the coping method proposal unit 134 is described. FIG. 20 is a flowchart showing the operation of the coping method proposal unit 134.
 In step S51, the coping method proposal unit 134 acquires the decomposed data flow information 106, the allowable contamination probability information 131, and the trained model 133. Here, the allowable contamination probability information 131 contains the contamination occurrence probability that the system can tolerate and that is expected for each data flow contained in the data flow information 112. The allowable contamination probability information 131 may be specified either as a single value common to all data flows or individually for each data flow.
 In step S52, the coping method proposal unit 134 expands the allowable contamination probability acquired in step S51 to an arbitrary range. As an example, consider the case where the data flow information 112 sets the allowable contamination probability of data flow 1 to "0.01%" and that of data flow 2 to "0.1%". In this case, the coping method proposal unit 134 selects the lower of the two allowable contamination probabilities, namely that of data flow 1. It then expands the range of data flow 1's allowable contamination probability "0.01%" to "0.001%", with one more decimal place, and to "0.1%", with one fewer decimal place. The expansion here is not limited to this and may follow any rule.
 Based on the result of the expansion, the coping method proposal unit 134 creates new allowable contamination probability information 131 having substantially the same data structure as the original allowable contamination probability information 131. In the above example, the original allowable contamination probability information 131 combined "0.01%" and "0.1%" as the allowable contamination probabilities of data flow 1 and data flow 2. In this case, the coping method proposal unit 134 first creates the original allowable contamination probability information 131 unchanged as new allowable contamination probability information 131. It then creates, as further new allowable contamination probability information 131, the combination "0.001%" and "0.1%" and the combination "0.1%" and "0.1%" as the allowable contamination probabilities of data flow 1 and data flow 2. In other words, from one original allowable contamination probability information 131, the coping method proposal unit 134 creates three new allowable contamination probability information 131 as combination patterns. Hereinafter, the combination patterns created from one original allowable contamination probability information 131 are called allowable contamination probability variation data. Which variation data to create is arbitrary and is not limited to this example.
 In step S53, the coping method proposal unit 134 uses the trained model 133 to obtain estimated coping method information 135 from the combination of the decomposed data flow information 106 and the allowable contamination probability variations created in step S52. The estimated coping method information 135 contains estimated patterns of the coping methods to be implemented. Its structure is substantially the same as the data structure of the coping method information 110 shown in FIG. 19 and elsewhere. In the above example, where the variation data contains three allowable contamination probability information 131, three estimated coping method information 135 are obtained in step S53.
 In step S54, the coping method proposal unit 134 inputs the decomposed data flow information 106 acquired in step S51 and any one of the three estimated coping method information 135 obtained in step S53 to the contamination probability calculation unit 107. As described in the first embodiment, the contamination probability calculation unit 107 generates contamination probability information 108 based on the input decomposed data flow information 106 and the estimated coping method information 135. In the above example, where three estimated coping method information 135 are obtained, three contamination probability information 108 are generated in step S54.
 The use of the first coefficient (cost) described with FIG. 18 and the second coefficient (R) described with FIG. 19 is explained here. In this second embodiment, step S54 performs the same calculation as the calculation of the contamination probability information 108 described in the first embodiment. During this calculation, if the first and second coefficients are set, the contamination probability calculation unit 107 additionally performs the following calculation.
 FIG. 21 illustrates an example of the operation of the contamination probability calculation unit 107. In FIG. 21, a first coefficient C811, a second coefficient C812, and a coping application result coefficient C813 are added to the items of FIG. 14 described in the first embodiment. For simplicity, information already described in the first embodiment is uniformly written as "-" in FIG. 21 and its description is omitted. Also, in FIG. 21, "{}" uniformly indicates that no coefficient is set.
 For example, for E213:OS, the first coefficient is {cost:100,000} and the second coefficient is {}. For E212:first computer, the first coefficient is {cost:1,000,000} and the second coefficient is {R:2}. How the meaning of each coefficient is interpreted and used in the calculation is arbitrary; as one example, cost here means the expense of purchasing and implementing the element on which the coefficient is set, and R means multiplexing that element.
 No second coefficient is set for coping method 3 on E213:OS, which has {cost:100,000}. Therefore, even when coping method 3, which has no second coefficient, is applied, the cost of E213:OS remains {cost:100,000} unchanged, as shown in the coping application result coefficient C813.
 On the other hand, for coping method 3 on E212:first computer, which has {cost:1,000,000}, {R:2} is set as the second coefficient. When coping method 3 is applied in this case, the {cost:1,000,000} of E212:first computer is duplicated, and the cost becomes {cost:2,000,000}, twice the original, as shown in the coping application result coefficient C813. In this way, in the second embodiment, the contamination probability calculation unit 107 obtains the coping application result coefficient C813, which is a feature quantity of the coping method, based on the first coefficient and the second coefficient.
 The contamination probability display unit 109 displays the estimated coping method information 135 and the contamination probability information 108 in any format. For example, the contamination probability display unit 109 may display the estimated coping method information 135 and the contamination probability information 108 once for each variation of the allowable contamination probability information 131, and may order that display based on the coping application result coefficient C813.
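 The following Python is an added worked example, constructed for this page and not code from the patent: it carries out the step S52 variation data generation for the "0.01%" / "0.1%" case and the cost/R combination of step S54 for the FIG. 21 values, then orders candidate coping patterns by their C813 cost as the display unit may. The element names, the second "no multiplexing" candidate and the ascending-cost ordering are assumptions.

```python
"""Constructed example for the proposal unit (steps S52 and S54); not the patent's code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def expand_allowable_probabilities(allowable: Dict[str, float]) -> List[Dict[str, float]]:
    """Step S52: build the allowable contamination probability variation data.

    The lowest allowable probability among the data flows is selected and extended
    one decimal place downward and one upward; each extended value replaces the
    selected flow's probability in a copy of the original pattern, so one original
    pattern yields three patterns (original first). Values are percentages.
    """
    lowest_flow = min(allowable, key=allowable.get)
    base = allowable[lowest_flow]
    variations = [dict(allowable)]
    for extended in (base / 10, base * 10):
        pattern = dict(allowable)
        pattern[lowest_flow] = round(extended, 12)  # drop float noise (0.01/10 -> 0.001)
        variations.append(pattern)
    return variations


@dataclass
class Element:
    """One hardware or software element of a decomposed data flow."""
    name: str
    first_coeff: Dict[str, float]   # from the system configuration, e.g. {"cost": 100000}
    second_coeff: Dict[str, float]  # from the coping method, e.g. {"R": 2}; {} when unset


def coping_result_coefficient(elem: Element) -> Dict[str, float]:
    """Coefficient step of S54: derive C813 from the first and second coefficients.

    Interpretation assumed here, as in the page's own example: "cost" is the expense
    of the element and "R" multiplexes it R times, so cost is multiplied by R.
    An element whose coping method sets no R keeps its cost unchanged.
    """
    result = dict(elem.first_coeff)
    r = elem.second_coeff.get("R")
    if r is not None and "cost" in result:
        result["cost"] = result["cost"] * r
    return result


def total_cost(elements: List[Element]) -> float:
    """Sum of the C813 cost over every element of one candidate coping pattern."""
    return sum(coping_result_coefficient(e).get("cost", 0) for e in elements)


def order_candidates(candidates: Dict[str, List[Element]]) -> List[Tuple[str, float]]:
    """Ordering the display unit may apply: candidates sorted by ascending C813 cost
    (assumed ordering rule)."""
    return sorted(((name, total_cost(elems)) for name, elems in candidates.items()),
                  key=lambda pair: pair[1])


# Constructed sample mirroring FIG. 21: E213:OS has cost 100,000 and no R;
# E212:first computer has cost 1,000,000 and R=2 under coping method 3.
OS_E213 = Element("E213:OS", {"cost": 100_000}, {})
COMPUTER_E212 = Element("E212:first computer", {"cost": 1_000_000}, {"R": 2})
COPING_METHOD_3 = [OS_E213, COMPUTER_E212]
# Hypothetical second candidate that leaves the first computer un-multiplexed.
NO_MULTIPLEXING = [OS_E213, Element("E212:first computer", {"cost": 1_000_000}, {})]


if __name__ == "__main__":
    for pattern in expand_allowable_probabilities({"data flow 1": 0.01, "data flow 2": 0.1}):
        print({flow: f"{value}%" for flow, value in pattern.items()})
    print(coping_result_coefficient(OS_E213))        # {'cost': 100000}
    print(coping_result_coefficient(COMPUTER_E212))  # {'cost': 2000000}
    print(order_candidates({"coping method 3": COPING_METHOD_3,
                            "no multiplexing": NO_MULTIPLEXING}))
```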
 <Summary of Embodiment 2>
 According to the system design support device 100 of the second embodiment described above, combinations of the decomposed data flow information 106, the contamination probability information 108, and the coping method information 110 are learned. With such a configuration, appropriate new coping methods that should additionally be implemented can be proposed.
 <Other modifications>
 The design input unit 101 and the calculation unit 121 of FIG. 1 described above are hereinafter referred to as "the design input unit 101 etc.". The design input unit 101 etc. are implemented by the processing circuit 81 shown in FIG. 22. That is, the processing circuit 81 includes the design input unit 101, which acquires the system configuration information 111, the data flow information 112, and the H/W abnormality probability information 113, and the calculation unit 121, which calculates, based on the system configuration information 111, the data flow information 112, and the H/W abnormality probability information 113, the data abnormality occurrence probability in each of the hardware and software contained in the data flow as a partial abnormality occurrence probability. The processing circuit 81 may be dedicated hardware or a processor that executes a program stored in memory. Examples of the processor include a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a DSP (Digital Signal Processor).
 When the processing circuit 81 is dedicated hardware, it may be, for example, a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or a combination of these. The functions of the individual units such as the design input unit 101 may each be implemented by separate processing circuits, or the functions of all units may be implemented together by a single processing circuit.
 When the processing circuit 81 is a processor, the functions of the design input unit 101 etc. are implemented in combination with software etc. Software etc. means, for example, software, firmware, or both software and firmware. The software etc. is written as a program and stored in memory. As shown in FIG. 23, the processor 82 applied as the processing circuit 81 implements the function of each unit by reading out and executing the program stored in the memory 83. That is, the system design support device 100 includes the memory 83 for storing a program which, when executed by the processing circuit 81, results in the execution of a step of acquiring the system configuration information 111, the data flow information 112, and the H/W abnormality probability information 113, and a step of calculating, based on the system configuration information 111, the data flow information 112, and the H/W abnormality probability information 113, the data abnormality occurrence probability in each of the hardware and software contained in the data flow as a partial abnormality occurrence probability. In other words, this program can be said to cause a computer to execute the procedures and methods of the design input unit 101 etc. Here, the memory 83 may be, for example, a non-volatile or volatile semiconductor memory such as RAM (Random Access Memory), ROM (Read Only Memory), flash memory, EPROM (Erasable Programmable Read Only Memory), or EEPROM (Electrically Erasable Programmable Read Only Memory), an HDD (Hard Disk Drive), a magnetic disk, a flexible disk, an optical disc, a compact disc, a MiniDisc, a DVD (Digital Versatile Disc), a drive device for any of these, or any storage medium that may come into use in the future.
 The above describes configurations in which each function of the design input unit 101 etc. is implemented by either hardware or software etc. The configuration is not limited to this, however; part of the design input unit 101 etc. may be implemented by dedicated hardware and another part by software etc. For example, the function of the design input unit 101 may be implemented by the processing circuit 81 as dedicated hardware together with an interface and a receiver, while the remaining functions may be implemented by the processing circuit 81 as the processor 82 reading out and executing a program stored in the memory 83.
 As described above, the processing circuit 81 can implement each of the functions above by hardware, software etc., or a combination of these.
 The system design support device described above can also be applied to a system design support system built by suitably combining several devices into one system. In that case, the functions or components of the system design support device described above may be distributed across the devices making up the system, or concentrated in any one of them.
 The embodiments may be modified or omitted as appropriate.
 100 system design support device, 101 design input unit, 108 contamination probability information, 109 contamination probability display unit, 110 coping method information, 111 system configuration information, 112 data flow information, 113 H/W abnormality probability information, 121 calculation unit.

Claims (9)

  1.  A system design support device comprising:
      an acquisition unit that acquires system configuration information indicating the hierarchy of hardware included in a system and software executed on the hardware, data flow information indicating the flow of data in at least part of the system, and probability information indicating the abnormality occurrence probability of data in the hardware; and
      a calculation unit that calculates, based on the system configuration information, the data flow information, and the probability information, the abnormality occurrence probability of data in each of the hardware and the software included in the at least part as a partial abnormality occurrence probability.
  2.  The system design support device according to claim 1, wherein
      the calculation unit sets a weight for correcting the partial abnormality occurrence probability based on at least one of the residence time, the arithmetic processing, and the size of the data flowing through the at least part at each layer.
  3.  The system design support device according to claim 1 or 2, wherein
      the acquisition unit further acquires coping method information indicating a success rate with which the occurrence of a data abnormality is compensated in a specific part of the system, and
      the calculation unit corrects the partial abnormality occurrence probability of the specific part based on the coping method information.
  4.  The system design support device according to any one of claims 1 to 3, wherein
      the calculation unit calculates, based on the partial abnormality occurrence probabilities of the at least part, the abnormality occurrence probability of data across the whole of the hardware and the software included in the at least part as an overall abnormality occurrence probability.
  5.  The system design support device according to claim 4, further comprising an output unit that outputs information including at least one of the partial abnormality occurrence probability and the overall abnormality occurrence probability.
  6.  The system design support device according to any one of claims 1 to 5, further comprising:
      a coping method learning unit that learns combinations of decomposed data flow information obtained from the system configuration information and the data flow information, an abnormality occurrence probability obtained from the partial abnormality occurrence probability, and a coping method to be implemented in the system; and
      a coping method proposal unit that proposes a new coping method to be additionally implemented in the system based on new decomposed data flow information, an abnormality occurrence probability that the system can tolerate, and the learning result of the coping method learning unit.
  7.  The system design support device according to claim 6, wherein
      a first coefficient is set on at least one of the hardware and the software indicated in the system configuration information,
      a second coefficient is set on at least one of the hardware and the software representing the coping method, and
      the calculation unit obtains a feature quantity of the coping method based on the first coefficient and the second coefficient.
  8.  A system design support method comprising:
      acquiring system configuration information indicating the hierarchy of hardware included in a system and software executed on the hardware, data flow information indicating the flow of data in at least part of the system, and probability information indicating the abnormality occurrence probability of data in the hardware; and
      calculating, based on the system configuration information, the data flow information, and the probability information, the abnormality occurrence probability of data in each of the hardware and the software included in the at least part as a partial abnormality occurrence probability.
  9.  A system design support system comprising:
      an acquisition unit that acquires system configuration information indicating the hierarchy of hardware included in a system and software executed on the hardware, data flow information indicating the flow of data in at least part of the system, and probability information indicating the abnormality occurrence probability of data in the hardware;
      a calculation unit that calculates, based on the system configuration information, the data flow information, and the probability information, the abnormality occurrence probability of data in each of the hardware and the software included in the at least part as a partial abnormality occurrence probability; and
      an output unit that outputs information based on the partial abnormality occurrence probability.
PCT/JP2022/024268 2021-07-05 2022-06-17 System design support device, system design support method, and system design support system WO2023282024A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2023533504A JP7483143B2 (en) 2021-07-05 2022-06-17 System design support device, system design support method and system design support system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021111421 2021-07-05
JP2021-111421 2021-07-05

Publications (1)

Publication Number Publication Date
WO2023282024A1 true WO2023282024A1 (en) 2023-01-12

Family

ID=84801447

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/024268 WO2023282024A1 (en) 2021-07-05 2022-06-17 System design support device, system design support method, and system design support system

Country Status (2)

Country Link
JP (1) JP7483143B2 (en)
WO (1) WO2023282024A1 (en)

Also Published As

Publication number Publication date
JPWO2023282024A1 (en) 2023-01-12
JP7483143B2 (en) 2024-05-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22837442; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2023533504; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)