The present application claims priority from Japanese application JP 2018-141888, filed on Jul. 27, 2018, the contents of which are hereby incorporated by reference into this application.
The present invention relates to a risk analysis support device, a risk analysis support method, and a risk analysis support program.
There is a risk analysis method that identifies a risk hidden in a system or product that could lead to an accident. As a representative risk analysis method, there are Failure Mode and Effect Analysis (FMEA) and Fault Tree Analysis (FTA). Many existing methods, including FMEA and FTA, identify a risk leading to an accident of a system based on a failure or a threat of a single component.
Knowledge of the previously identified failure or threat of a single component can reduce time required for risk analysis. JP-A-2009-140041 (Patent Literature 1) makes it possible to identify a risk in an information system based on system configuration information by using common threat countermeasure knowledge that defines threats and countermeasures that are commonly applicable to a plurality of systems. As a result, burden on an executor that performs the risk analysis is reduced since it is not necessary to identify the risk caused by a failure or threat of a single component from scratch for each individual system.
On the other hand, in recent years, as systems have become more complex, a risk leading to an accident can arise even when no such failure or threat of a single component occurs. As an example, even though individual components are operating normally, there are events in which the whole system falls into a non-secure state due to interactions within the system or the like. Such a risk cannot be identified by analysis methods that are based on the failure or the threat of a single component.
STAMP/STPA disclosed in Nancy G. Leveson, “Engineering a Safer World”, The MIT Press (Non-Patent Literature 1) analyzes a flow of control in a system, and is an analysis method that enables identification of a risk leading to an accident that is not caused by a failure of a single component by describing an event leading to an accident as a scenario. STAMP/STPA is a top-down analysis method and the analysis is performed in the following four steps. First, a flow of control in the system is illustrated. Next, an accident to be analyzed is determined. Next, non-secure control leading to an accident is identified using four guide words. Finally, a scenario leading to non-secure control is identified using 13 hint words.
Here, a case will be considered in which a scenario leading to an accident without a failure or a threat of a single component is identified using a guide word and a hint word. A method of describing the scenario identified by the guide word and the hint word is left to the executor that performs the risk analysis and is often described in natural languages. When described in natural languages, the analysis takes time since it is difficult to use a scenario identified in other systems in the past and the scenario has to be identified from scratch even for similar systems. In addition, there is a possibility that a scenario that could be analyzed in the past cannot be identified since the executor that performs the risk analysis cannot recall the scenario from the guide word.
The method of Patent Literature 1 can prevent neglect of a threat that could be analyzed in the past by using knowledge describing the threat common to a plurality of systems. However, since it is based on the common threat countermeasure knowledge, it is not possible to extract a risk leading to an accident by a flow of control without causing a failure or a threat of a single component.
The method of Non-Patent Literature 1 prompts an analyst's recall with 4 guide words and 13 hint words. However, it takes time to perform analysis since the recalled scenario is described in natural languages, a past analysis result is difficult to use, and the analysis is executed from scratch. In addition, it is possible for the executor that performs the risk analysis to neglect scenarios that could be identified in the past.
In order to solve the above problems, an object of the invention is to provide a risk analysis support device, a risk analysis support method, and a risk analysis support program capable of preventing neglect by an executor that performs a risk analysis and shortening analysis time.
As an example, the risk analysis support device of the invention includes an input unit which is connected with a database and receives an input of a risk analysis target represented in a form of a control structure diagram, the database accumulating: (i) the control structure diagram representing the risk analysis target by a block and a control showing a relationship between a block executing control and a passive block controlled by the executing block, and (ii) a hazard scenario which corresponds to the control structure diagram and is represented by a tree structure in which each node has a correspondence relationship with the block or the control of the control structure diagram; a search unit which searches in the database for a similar control structure diagram including a subset of controls that matches or is similar to a subset of controls extracted from the control structure diagram whose input is received by the input unit, and acquires from the database a hazard scenario including a node having a correspondence relationship with a subset of controls included in the similar control structure diagram; and an output unit which outputs the hazard scenario acquired by the search unit in a tree structure.
According to the invention, it is possible to prevent neglect by an executor that performs a risk analysis and shorten analysis time.
Embodiments of the invention will be described below with reference to the drawings. The same reference numerals are given to the same configurations and the same processing, and descriptions thereof will be omitted. In addition, some or all of the embodiments and the modifications can be combined within the scope of the technical idea of the invention.
An analysis result database 140 and a template database 150 are connected to the risk analysis support device 100. The analysis result database 140 accumulates, in a form of a tree structure, a control structure diagram input in the risk analysis executed in the past and a scenario leading to an accident that corresponds to the control structure diagram and is identified by the risk analysis. A scenario represented by a tree structure is hereinafter referred to as a scenario tree. The template database 150 stores the configuration of a tree structure that can be commonly used in a plurality of systems as a template. The template is in the form of a scenario tree in which each node has a guide word number as configuration information.
Note that, the analysis result database 140 and the template database 150 may be integrated into an integrated database.
Further, the risk analysis support device 100 includes a user interface unit 110, a scenario recommendation unit 120, and a scenario capture unit 130. The user interface unit 110 supports information input and information confirmation by the user. The user interface unit 110 is configured with a Graphical User Interface (GUI) displayed on a display screen of a display device such as a display, and an input device such as a keyboard.
The scenario recommendation unit 120 recommends a scenario based on the past risk analysis result and the template of the scenario according to the input of the user. The scenario capture unit 130 captures a scenario recommended by the scenario recommendation unit 120 into the user interface unit 110, and provides an environment in which the user can perform analysis based on the recommended result.
The user interface unit 110 includes a control structure diagram input unit 111, a recommendation interface unit 112, and a scenario input unit 113. The user inputs a control structure diagram configured with a control and a block in the control structure diagram input unit 111, confirms the recommendation result and captures the result in the recommendation interface unit 112, and inputs a scenario leading to an accident in the form of a tree structure based on the captured recommendation result in the scenario input unit 113.
The scenario recommendation unit 120 includes a control loop search unit 121, a recommendation tree generation unit 122, and a recommendation output unit 123. When there is a recommendation instruction from the control structure diagram input unit 111, the control loop search unit 121 extracts a control loop from the control structure diagram input to the control structure diagram input unit 111, and searches for a control structure diagram including a control loop similar to the extracted control loop from the analysis result database 140.
Here, the control loop is a subset of controls that influence each other in the control structure diagram. The control loop is merely a subset of controls; an actual loop need not exist. For example, the control loop is the application range (the subset of blocks and controls to be subjected to the risk analysis) of a hint word. Hereinafter, a control structure diagram including a similar control loop will be referred to as a similar control structure diagram.
The recommendation tree generation unit 122 generates a recommendation tree of a scenario based on a search result of the control loop search unit 121. The recommendation output unit 123 delivers the recommendation tree generated by the recommendation tree generation unit 122 to the recommendation interface unit 112.
The scenario capture unit 130 processes the recommendation tree that the user has instructed to capture, among the recommendation trees displayed by the recommendation interface unit 112, and displays it on the scenario input unit 113 as a scenario tree of the input control structure diagram. The user can freely rewrite the scenario tree displayed on the scenario input unit 113. The control structure diagram input by the user through the control structure diagram input unit 111 and the scenario tree input by the user through the scenario input unit 113 are accumulated in the analysis result database 140.
When the user inputs the control structure diagram 213 and presses a scenario recommendation button 220, the scenario recommendation unit 120 searches for the similar control structure diagram of the input control structure diagram 213 from the analysis result database 140, generates a recommendation tree based on the search result, and makes a recommendation to the user.
In the input control structure diagram display screen 310, a control structure diagram input by the user on the control structure diagram input screen 200 is displayed. In the similar control structure diagram display screen 330, zero or more similar control structure diagrams searched from the input control structure diagram are displayed.
Blocks and controls not included in the similar control structure diagram are displayed by dotted lines among blocks and controls in the control structure diagram displayed on the input control structure diagram display screen 310. The display by the dotted lines is merely an example as long as blocks and controls not included in the similar control structure diagram can be identified. When the user presses an additional search button 320, a control structure diagram that necessarily includes blocks and controls that are not included in the similar control structure diagram and a related scenario tree can be additionally searched for as a recommendation tree. The control structure diagram additionally obtained by the additional search and the related recommendation tree are displayed on the recommendation tree display screen 350 of the recommendation result screen 300.
Blocks and controls not included in the input control structure diagram are displayed by dotted lines among the blocks and controls in the similar control structure diagram displayed on the similar control structure diagram display screen 330. The display by the dotted lines is merely an example as long as blocks and controls not included in the input control structure diagram can be identified.
On the recommendation tree display screen 350, zero or more recommendation trees generated by the scenario recommendation unit 120 are displayed (zero display means that it is not displayed). The scenario tree and the recommendation tree are represented by a tree structure configured with a node 351 having a correspondence relationship with a control structure diagram and a guide word number as configuration information, and a gate 352.
In the present embodiment, it is assumed that there are two types of nodes, which are an Unsafe Control Action (UCA) node 354 and a Hazard Control Factor (HCF) node 351. A node serving as a vertex of the scenario tree is the UCA node 354 and the other nodes are HCF nodes 351. Further, in the present embodiment, the gate 352 is an OR gate or an AND gate.
On the recommendation tree display screen 350, an HCF node 353 corresponding to a block or control not existing in the control structure diagram displayed on the input control structure diagram display screen 310 is displayed with a warning among blocks or controls in the similar control structure diagram displayed on the similar control structure diagram display screen 330. The warning may be distinguishable from other nodes by, for example, changing the display line type, changing the color, or giving an annotation.
A hazard 355 caused by the scenario of the scenario tree currently displayed is also displayed on the recommendation tree display screen 350. The hazard is not limited to a direct phenomenon or a state of the system that leads to an accident, and may display an accident that is an analysis target.
When the user presses a capture button 340 on the recommendation tree display screen 350, the displayed recommendation tree can be captured in the analysis result database 140 as a scenario tree corresponding to the input control structure diagram. The scenario tree captured in the analysis result database 140 can be used for a risk analysis on other risk analysis targets from next time onwards.
The user can freely rewrite the scenario tree by rewriting contents of nodes, adding and deleting nodes, and adding and deleting gates with respect to the displayed scenario tree. A hazard 412 corresponding to the scenario can also be rewritten by the user according to the system or the analysis target. The scenario tree input by the scenario input screen 400 is stored in the analysis result database 140. Note that the scenario tree may also be stored in the analysis result database 140 immediately when the capture button 340 of the recommendation result display screen 300 is pressed, without being edited on the scenario input screen 400.
Each control structure diagram is stored in the analysis result database 140 in the data format of the control structure diagram configuration information 500 shown in
Each control loop is stored in the analysis result database 140 in the data format of the control loop configuration information 600 shown in
Each control is stored in the analysis result database 140 in the data format of the control configuration information 700 shown in
Each block is stored in the analysis result database 140 in the data format of the block configuration information 800 shown in
Each scenario tree is stored in the analysis result database 140 in the data format of the scenario tree configuration information 900 shown in
Each UCA node is stored in the analysis result database 140 in the data format of the UCA node configuration information 1000 shown in
A lower level gate list 1203 is a gate connected to the lower level of the HCF node identified by the HCF ID 1201. A hint word number 1204 is the number of guide words used to identify the HCF identified by the HCF ID 1201. A related block or a related control 1205 is a block ID 801 of a block or a control ID 701 of a control corresponding to the HCF identified by the HCF ID 1201. A related flag 1206 is a flag used in a recommendation processing by the scenario recommendation unit 120, which shows the presence or absence of relation with the control structure diagram input by the user.
The UCA node configuration information (template) 1000-1 and the HCF node configuration information (template) 1200-1 are stored in the template database 150, and are information constituting a template of a scenario tree in which each node has only the guide word number as the configuration information.
First, the control loop search unit 121 extracts a control loop from the input control structure diagram (S1301). Specifically, the control loop search unit 121 extracts a control loop ID from the control loop list 504 of the control structure diagram configuration information 500 (see
Next, the control loop search unit 121 and the recommendation tree generation unit 122 repeat the following processing (control structure confirmation loop: S1302 to S1316 (see
First, the scenario recommendation unit 120 substitutes NULL into the recommendation tree list, and substitutes NULL into the similar control structure diagram list (S1303). The recommendation tree list is an array variable that lists recommendation trees, and the similar control structure diagram list is an array variable that lists similar control structure diagrams. As will be described below, the recommendation tree list stores the scenario tree ID 901 of the recommendation tree generated by the recommendation tree generation unit 122, and the similar control structure diagram list stores the control structure diagram ID of the control structure diagram in step S1308.
Further, the control loop search unit 121 and the recommendation tree generation unit 122 repeat the following processing (control loop confirmation loop: S1304 to S1313) for the control loop list 504 of the control structure diagram.
First, the control loop search unit 121 confirms whether there is a control loop that perfectly matches the input control loop (S1305). A perfect match means that all controls 702 in the control list 602 of the control loop match, and that the block 703 and the passive block 704 of each control match as well.
In the case of a perfect match (S1305: YES), the control loop search unit 121 acquires the scenario tree list 603 of the control loop configuration information 600 corresponding to the input control loop from the analysis result database 140 (S1306). Next, the control loop search unit 121 copies the scenario tree list 603 acquired in S1306 to the recommendation tree list (S1307) and moves the processing to S1308.
When the input control loop does not perfectly match the control loop (S1305: NO), the control loop search unit 121 calculates the similarity between the control list 602 of the control loop and the control list 602 of the input control loop (S1309). If the similarity is equal to or greater than a predetermined threshold (S1310: YES), the control loop search unit 121 acquires the scenario tree list 603 corresponding to the control loop from the analysis result database 140, and inputs the scenario tree list to the recommendation tree generation unit 122 (S1311). Subsequently, the recommendation tree generation unit 122 creates a recommendation tree list based on the input of S1311 (S1312) and moves the processing to S1308.
On the other hand, when the similarity is less than the threshold (S1310: NO), the control loop search unit 121 moves the processing to S1313.
In S1308, the control loop search unit 121 substitutes the control structure diagram ID of the control structure diagram to be processed in the execution of the control structure confirmation loop this time into the similar control structure diagram list (S1308). Subsequently, the control loop search unit 121 and the recommendation tree generation unit 122 execute a control loop confirmation loop for the next control loop (S1313). When control loop confirmation loop: S1304 to S1313 for all input control loops ends, the control loop searching unit 121 moves the processing to S1314 in
Subsequently, when confirmation of all control loops is completed in S1313 and the similar control structure diagram list is NULL (S1314: YES), the control loop search unit 121 confirms the next control structure diagram (S1316). When the similar control structure diagram list is not NULL (S1314: NO), the recommendation output unit 123 displays the recommendation tree list on the recommendation interface unit 112 for the user (S1315).
Subsequently, when confirmation of all control structure diagrams is completed in S1316 and no recommendation tree is displayed in the recommendation interface unit 112 (S1317: YES), the control loop search unit 121 inputs NULL into the recommendation tree generation unit 122 (S1318). In response to this, since there is no recommendable scenario tree in the analysis result database 140, the recommendation tree generation unit 122 generates a recommendation tree list from the UCA node configuration information (template) 1000-1 and the HCF node configuration information (template) 1200-1 stored in the template database 150 (S1319). After that, the recommendation output unit 123 displays the recommendation tree list generated in S1319 on the recommendation interface unit 112 (S1320).
When confirmation of all control structure diagrams is completed in S1316 and a recommendation tree is displayed in the recommendation interface unit 112 (S1317: NO), or when S1320 ends, the processing of the scenario recommendation unit ends.
First, in S1401, when the input is NULL, that is, when a recommendable scenario tree does not exist in the analysis result database 140 (S1401: YES), the recommendation tree generation unit 122 acquires, from the template database 150, a template of a scenario tree which is configured with the UCA node configuration information (template) 1000-1 and the HCF node configuration information (template) 1200-1 and in which only the hint word number 1204 is filled (S1413). Subsequently, the recommendation tree generation unit 122 adds the scenario tree ID 901 to the scenario tree acquired in S1413 and adds the scenario tree to the recommendation tree list (S1414), and ends the recommendation tree generation processing.
On the other hand, when the input is not NULL (S1401: NO), the recommendation tree generation unit 122 repeats the following processing (recommendation tree generation loop: S1402 to S1412) for all the input scenario trees.
First, the recommendation tree generation unit 122 acquires the related control 1003 of the UCA node 1000 of the input scenario tree (S1403). In the present embodiment, it is assumed that the related control 1003 of the UCA node 902, which is the vertex of the recommendation tree, has to exist in the control structure diagram input by the user. When a control matching the related control 1003 acquired in S1403 exists in the control structure diagram input by the user (S1404: YES), the recommendation tree generation unit 122 adds the scenario tree to the recommendation tree list (S1406). When no control matching the related control 1003 acquired in S1403 exists in the control structure diagram input by the user (S1404: NO), the scenario tree is skipped; once the processing of S1402 to S1405 has been performed for all input scenario trees to be processed, the recommendation tree generation unit 122 ends the recommendation tree generation processing.
Subsequent to S1406, the recommendation tree generation unit 122 repeats the following processing (HCF node confirmation loop: S1407 to S1412) for all the HCF nodes in the scenario tree added to the recommendation tree list in S1406.
First, the recommendation tree generation unit 122 acquires the related block or the related control 1205 of the HCF node to be processed (S1408). When a matching control or block exists in the control structure diagram input by the user (S1409: YES), the recommendation tree generation unit 122 sets the related flag 1206 of the HCF node to True (S1410). Otherwise (S1409: NO), the recommendation tree generation unit 122 sets the related flag 1206 of the HCF node to False (S1411). When the processing of S1407 to S1412 has been performed for all HCF nodes to be processed, the recommendation tree generation unit 122 moves the processing to S1405.
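As an added example that is not part of the patent text, the following Python sketch models the control loop search (S1305 to S1312) and the recommendation tree generation (S1403 to S1411) described above, using the edit distance of the control list as the similarity criterion mentioned later in the description. The class and function names, the normalisation of the edit distance into a similarity in [0, 1], the threshold value and the sample braking loop are assumptions made here.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Control:
    """One control of a control structure diagram (cf. control list 602)."""
    name: str            # the control itself, e.g. a command
    block: str           # block that executes the control
    passive_block: str   # block that is controlled

@dataclass
class HCFNode:
    """Hazard Control Factor node (cf. HCF node configuration information 1200)."""
    hcf_id: str
    hint_word: int                       # hint word number
    related: str                         # related block or related control
    related_flag: Optional[bool] = None  # related flag, set during recommendation

@dataclass
class ScenarioTree:
    """Scenario tree: a UCA node at the vertex with HCF nodes below it."""
    tree_id: str
    uca_related_control: str             # related control of the UCA node
    hcf_nodes: List[HCFNode]

@dataclass
class ControlLoop:
    """Control loop as accumulated in the analysis result database."""
    controls: List[Control]              # control list
    scenario_trees: List[ScenarioTree]   # scenario tree list

def edit_distance(a: List[Control], b: List[Control]) -> int:
    """Levenshtein distance between control lists; two controls match only when
    name, executing block and passive block all agree (the S1305 criterion)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def similarity(a: List[Control], b: List[Control]) -> float:
    """Assumed normalisation of the edit distance to [0, 1]; 1.0 is a perfect match."""
    return 1.0 - edit_distance(a, b) / max(len(a), len(b), 1)

def search_loops(input_loop: List[Control], stored: List[ControlLoop],
                 threshold: float) -> List[ScenarioTree]:
    """S1305 to S1312: a perfect match returns its scenario trees directly
    (S1306, S1307); otherwise the trees of every loop whose similarity reaches
    the threshold are collected (S1311) for recommendation tree generation."""
    candidates: List[ScenarioTree] = []
    for loop in stored:
        if loop.controls == input_loop:                          # S1305: YES
            return list(loop.scenario_trees)
        if similarity(loop.controls, input_loop) >= threshold:   # S1310: YES
            candidates.extend(loop.scenario_trees)
    return candidates

def generate_recommendation(trees: List[ScenarioTree],
                            input_loop: List[Control]) -> List[ScenarioTree]:
    """S1403 to S1411: keep only trees whose UCA related control exists in the
    input (S1404) and set every HCF node's related flag according to whether
    its related block or control exists in the input as well."""
    names = {c.name for c in input_loop}
    blocks = {c.block for c in input_loop} | {c.passive_block for c in input_loop}
    recommended: List[ScenarioTree] = []
    for tree in trees:
        if tree.uca_related_control not in names:                # S1404: NO
            continue
        for hcf in tree.hcf_nodes:                               # S1407 to S1412
            hcf.related_flag = hcf.related in names or hcf.related in blocks
        recommended.append(tree)                                 # S1406
    return recommended

# Constructed sample: one stored braking loop, and an input loop whose third
# control names a different sensor block, so it is similar but not identical.
STORED = [ControlLoop(
    controls=[Control("brake command", "controller", "actuator"),
              Control("brake force", "actuator", "wheel"),
              Control("wheel speed", "sensor", "controller")],
    scenario_trees=[ScenarioTree("T1", "brake command",
                                 [HCFNode("H1", 3, "brake force"),
                                  HCFNode("H2", 7, "hydraulic pump")])])]
INPUT_LOOP = [Control("brake command", "controller", "actuator"),
              Control("brake force", "actuator", "wheel"),
              Control("wheel speed", "speed sensor", "controller")]

if __name__ == "__main__":
    found = search_loops(INPUT_LOOP, STORED, threshold=0.6)
    for tree in generate_recommendation(found, INPUT_LOOP):
        # H2 names a block absent from the input: flagged False, so it would be
        # displayed with a warning (cf. HCF node 353) and blanked on capture (S1610).
        print(tree.tree_id, [(h.hcf_id, h.related_flag) for h in tree.hcf_nodes])
```

With the threshold at 0.6 the stored loop is recommended although it is not a perfect match, and the HCF node that refers to a block missing from the input is the one that would receive the warning display.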
First, the recommendation output unit 123 repeats the following processing (recommendation tree display loop: S1501 to S1508) for all the recommendation trees in the recommendation tree list.
First, the recommendation output unit 123 adds a new tab (new tab of tabs illustrated by “scenario 1” “scenario 2” . . . in
Next, the recommendation output unit 123 repeats the following processing (HCF node warning display loop: S1504 to S1507) for all HCF nodes in the recommendation tree displayed on the new tab of the recommendation tree display screen 350 in S1503.
First, the recommendation output unit 123 confirms whether the related flag 1206 of the HCF node is True (S1505). In the case of False (S1505: NO), the recommendation output unit 123 displays a warning (see the HCF node 353 in
In S1509 to S1512, the recommendation output unit 123 displays a similar control structure diagram. When the similar control structure diagram is NULL (S1509: YES), the recommendation tree display processing ends. When it is not NULL (S1509: NO), the recommendation output unit 123 adds a new tab (new tab of tabs illustrated by “
Subsequently, the recommendation output unit 123 displays the similar control structure diagram stored in the similar control structure diagram list on the new tab of the similar control structure diagram display screen 330 added in S1510 (S1511).
Subsequently, the recommendation output unit 123 repeats the following processing (block display loop: S1512 to S1515) for all blocks in the similar control structure diagram. When a block does not exist in the control structure diagram input by the user (S1513: YES), the recommendation output unit 123 changes the block to a dotted line display (S1514). When the block exists in the control structure diagram input by the user (S1513: NO), the recommendation output unit 123 moves the processing to S1515.
When the processing of S1512 to S1515 has been performed for all blocks in the similar control structure diagram to be processed (S1515), the recommendation tree generation unit 122 ends the recommendation tree display processing.
The following processing (vertex confirmation loop: S1601 to S1603) is repeated for all tabs (all tabs illustrated by “scenario 1” . . . in
First, the scenario capture unit 130 confirms whether the UCA node at the vertex of the scenario tree displayed on the tab to be processed of the scenario input screen 400 is the same as the UCA node at the vertex of the recommendation tree (S1602). When the UCA nodes at these vertices are the same (S1602: YES), the scenario capture unit 130 adds the lower level gate 1004 of the UCA node of the recommendation tree to the lower level node list 1103 of the lower level gate 1004 of the UCA node at the vertex of the scenario tree displayed in the tab to be processed and displays it (S1607). By grouping scenario trees of the same UCA node into one recommendation tree by the processing of S1607, the risk analysis can be more efficient. After the display of S1607, the vertex confirmation loop (S1601) ends. When the vertices are not the same (S1602: NO), the vertex confirmation loop is continued (S1603).
When the scenario tree having the same vertex does not exist after the vertex confirmation loop of S1601 to S1603, the scenario capture unit 130 adds a new tab to the scenario input screen 400 (S1604). Subsequently, the scenario capture unit 130 displays a recommendation tree on the new tab added in S1604 (S1605).
After displaying the recommendation tree on the new tab of the scenario input screen 400, the scenario capture unit 130 repeats the following processing (HCF node display loop: S1606 to S1610) for all HCF nodes in the displayed recommendation tree.
First, the scenario capture unit 130 confirms whether the related flag 1206 of the HCF node to be processed is True (S1608). When it is not True (S1608: NO), the scenario capture unit 130 substitutes NULL into the “HCF 1202” and “related block or related control 1205” of the HCF node to be processed, and updates the display (S1610). When S1610 ends and the processing of S1606 to S1609 has been performed for all HCF nodes to be processed in S1609, the scenario capture unit 130 ends the scenario capture processing.
One of the determination criteria of the similarity is an edit distance 1702 of the control list 602 shown in
Further,
Note that, the mismatch of control list head control 1705 may be omitted. In this case, when the similarity is calculated (see S1309 in
In the first embodiment, a control structure diagram representing a risk analysis target such as a system by controls and blocks, together with a scenario represented as a tree structure in which each node has a correspondence relationship with the control structure diagram and a guide word, are accumulated in a database; a control structure diagram having a subset of controls similar to a subset of controls of the control structure diagram of the input system is searched for in the database; and the tree structure of a hazard scenario having a correspondence relationship with the control structure diagram obtained by the search is recommended. Therefore, according to the first embodiment, since the hazard scenario corresponding to the control structure diagram of the input system is displayed based on the accumulated past hazard scenarios, the analysis time of the risk analysis of a system represented by a plurality of blocks and controls can be shortened, and the burden on the executor can be reduced. Furthermore, since the risk inherent in the system is visually displayed on the GUI by using the past risk analysis results, it is possible to prevent the executor that performs the risk analysis from neglecting the risk.
In a second embodiment of the invention, when a user adds a new HCF node to a scenario tree on the scenario input screen 400, recommendation of a lower level node is executed. Hereinafter, in the present embodiment, the same reference numerals are given to the same components as those in the first embodiment, and descriptions thereof will be omitted. Further, in
First, the scenario recommendation unit 120 substitutes NULL into a recommendation tree list, and substitutes NULL into a similar control structure diagram list (S1303). Subsequently, the scenario recommendation unit 120 inputs NULL to the recommendation tree generation unit 122 (S1318). In response to S1318, the recommendation tree generation processing of
According to the above second embodiment, when the executor that performs the risk analysis considers that an appropriate failure cause corresponding to the hazard 412 of the scenario input screen 400 is not displayed in the lowest level HCF node of the recommendation tree during the risk analysis, the executor newly adds an empty HCF node having only the hint word as configuration information, whereupon an appropriate node or tree structure to be connected below the added HCF node is acquired from the template database 150 and added to the recommendation tree. By repeating such processing, an appropriate failure cause is displayed on the lowest level HCF node of the recommendation tree in the scenario input screen 400, and it is possible to efficiently support identification of the failure cause of the target hazard by the executor that performs the risk analysis.
Note that, the invention is not limited to the embodiments described above, and includes various modifications. For example, the above-described embodiments are described in detail to explain the invention in an easy-to-understand manner, and are not necessarily limited to those having all the configurations described. Further, a part of the configuration in one embodiment can be replaced with the configuration in another embodiment, and the configuration in another embodiment can be added to the configuration in one embodiment. In addition, with respect to a part of the configuration in each embodiment, it is possible to add, delete, and replace other configurations.
Number | Date | Country | Kind |
---|---|---|---|
2018-141888 | Jul 2018 | JP | national |