CN103853871B - Safety requirement modeling method applicable for avionics system - Google Patents
Safety requirement modeling method applicable for avionics system Download PDFInfo
- Publication number
- CN103853871B CN103853871B CN201310595322.0A CN201310595322A CN103853871B CN 103853871 B CN103853871 B CN 103853871B CN 201310595322 A CN201310595322 A CN 201310595322A CN 103853871 B CN103853871 B CN 103853871B
- Authority
- CN
- China
- Prior art keywords
- security
- case
- failure
- level
- safety
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a safety requirement modeling method applicable for an avionics system. The method is characterized in that the expansion of UCMeta (Use Case Meta) is realized by analyzing and extracting concepts and restrictions related to the safety of an avionic embedded system, and by combining the extracted concepts and restrictions with basic concepts in RUCM (Restricted Use Case Modeling), so that a safety-related domain model is established; a description template for the safety requirements of the avionic embedded system is determined by analyzing the established domain model; when the description template with the determined safety requirements of the avionic embedded system is enabled to describe function requirements, safety-related nonfunctional restrictions are captured. According to the method provided by the invention, as a semi-formal safety requirement description method, the description template for the safety requirements and the corresponding limiting rules are added based on the RUCM, and used for describing the safety requirements completely and correctly; moreover, the certain-extent automatic verification is supported.
Description
Technical field
Refer to a kind of safety suitable for avionics system more particularly the present invention relates to a kind of method of Requirements Modeling
Requirements Modeling method.
Background technology
Software security(software safety)It is the system life in people is not jeopardized all the time controlled on software
A kind of property of the safe condition of life property and ecological environment.The embedded of high security is needed especially for Aero-Space etc.
For real-time software, with system, software proportion is incrementally increased, and consequence that software failure may cause is also increasingly
Seriously.To ensure the security of system, it is necessary to the security of system is described and is analyzed in demand analysis stage.
Requirements Modeling is an important activity in software requirement engineering, and requirement engineering teacher is by using different modelings
The expectation of method identification, understanding, excavation demand supplier to system, so that the structural model of software systems is built, behavior model,
Or other various models to showing the different qualities of software to be developed.Modeling method account for important work in this activity
With meaning to remove to treat software issue from different visual angles using different modeling methods, how from the expectation to total system
In derive expectation to software systems in itself, go how how displaying software systems behavior and rise in the reinforced system of software
To its effect.Referring to the first edition of in July, 2008《Software requirement engineering:Principle and method》Page 50, Jin Zhi etc. writes.
In current Requirements Modeling method, the description means and technology for mainly using are natural language, graphical symbol language
Make peace formal language etc..Divided from point of view of practicability:The Requirements Modeling method and the Requirements Modeling of object-oriented of structuring
Method.
The technology path of object-oriented method includes requirement engineering, Software for Design and software and realizes;Wherein, requirement engineering
There are Requirement Acquisition and demand analysis.Object-oriented method is first from the source of demand(Mainly user)The acquisition of the demand of carrying out,
User's description of tissue need's information, sets up use-case model.After the complete of user's request, accurate understanding is obtained, towards right
Begin to consider the realization mechanism of software as method, carry out Software for Design.April the 1st edition in 2009《Requirement engineering-software modeling
With analysis》Page 315, Luo Bin chief editors.
Comprehensively modularized avionics system(Integrated Modular Architecture, IMA, abbreviation avionics system
System)Software should be followed including operating system, application program, database, network, man-machine interface etc. unified series standard, rule
Model is developed, and the reusable of software, standardization, intellectuality, portability, quality, reliability etc. should all list characterization software in
Among the characteristic parameter of technology.
The content of the invention
In order that the avionics system software of required structure has security requirement higher, the present invention provides one kind and is applied to
The demand for security modeling method of avionics system.Use-case meta-model UCMeta in modeling method application RUCM of the invention is to participating in
Person Actor and use-case Use Case carry out security extension, the description of the Requirements Modeling of the avionics system software built needed for realizing;
Citation DO-178B standards carry out safety defect identification with existing avionics system software;By the demand for security mould of present invention design
Type can provide the complete requirement description without ambiguous for the Software for Design of avionics system.
A kind of demand for security modeling method suitable for avionics system of the invention, specifically there is the following steps:
Step one:Set up the domain-conceptual model of demand for security;
Safety identification establishment is carried out to existing avionics system software according to RTCA/DO-178B standards and obtains field concept mould
Type;
Step 2:Build the graphic extension of the avionics system based on UCMeta meta-models;The graphic extension of the avionics system
It is that the domain-conceptual model of the demand for security obtained according to step one is extended and obtains to UCMeta meta-models;
Step 3:Build the avionics system demand for security template based on RUCM description templates;The avionics system demand for security
Template is to be added continuous item on RUCM description templates to obtain.
In the present invention in step 2, domain-conceptual model is converted into UML Profile, to the meta-model of RUCM
Security extension is carried out in UCMeta;Refined in Actor, carrying out Security Extensions to Use Case sets up Safety Use
Case;Analysis field conceptual model, determines description template and restriction rule and the use of keyword of demand for security;Extension
RUCM description templates carry out demand for security description, add 10 safe description rules and some keywords to ensure the description of RUCM
Completely, accurately, unambiguity;UCMeta after extension creates the Use Case Diagram for supporting demand for security description, while
User is described by the function that each Use Case has carried out complete and accurate and demand for security is described.
The advantage of demand for security modeling method of the present invention is:
1. the present invention is studied in depth for the Aviation Embedded System of high security to safety standard DO-178B
And corresponding security model is created, such that it is able to be modeled to demand for security in the software requirement stage.
2. the present invention is modeled for the demand for security of Aviation Embedded System, extends the UCMeta of standard RUCM.
UCMeta is the meta-model of RUCM methods, and it is to use MOF(Meta Object Facility)Definition.By domain analysis
Model element Actor and Use Case in UML standard Use Case Diagram is refined and security extension is so that can
To support that the demand for security being patterned is modeled.
3. the present invention is modeled for the demand for security of Aviation Embedded System, extends the requirement description template of standard RUCM
And its restriction rule.Can be supported in the software requirement modeling stage to safety-related by the requirement description template for extending RUCM
Troubleshooting is described, and causes that the description of demand for security is complete, accurate, unambiguity by the extension of restriction rule.
Brief description of the drawings
Fig. 1 is the Technology Roadmap of conventional object-oriented method.
Fig. 2 is the domain-conceptual model figure in the scope of application of the present invention.
Fig. 3 is the UCMeta bag figures of RUCM of the present invention.
Fig. 4 schemes for UCSTemplate bags of the present invention.
Fig. 5 is Actor refined models figure of the present invention.
Fig. 6 is Use Case extended model figures of the present invention.
Fig. 7 is Use Case of the present invention and the data exchange figure between Actor or resource.
Fig. 8 is failure model figure of the present invention.
Fig. 9 is crash handling analysis model figure of the present invention.
Figure 10 is crash handling statement model figure of the present invention.
Figure 11 is each column information schematic diagram of Use case template demands.
Specific embodiment
Below in conjunction with drawings and Examples, the present invention is described in further detail.
Shown in Figure 1, " use-case model " in Fig. 1 is exactly to need to model the demand for security mould for obtaining in the present patent application
Type.
A kind of demand for security modeling method suitable for avionics system of the invention, has specifically included the following steps:
Step one:Set up the domain-conceptual model of demand for security
Safety identification establishment is carried out to existing avionics system software according to RTCA/DO-178B standards and obtains field concept mould
Type.
The full name of RTCA/DO-178B standards is Royal Technical Commision on Aviation DO-
178B。
Demand for security is made up of the requirement of level of security and two parts of requirement of security function.Level of security will
Seeking the software of predominantly security isolation measure, i.e. different safety class needs to give different degrees of concern;Security function will
Asking main includes being identified the failure for triggering harm state in system, reduces probability and weakening that it enters unsafe condition
Its hazard analysis and HACCP.
Harm(Hazard)The potential unsafe condition of system that finger is caused by disabler or external event etc., DO-
The rank for endangering is divided in 178B standards, is shown its influence to system, these classifications are respectively:Catastrophic,
Dangerous/serious, heavier, lighter, without influence;Its level of security is defined to security critical software accordingly, according to
The order of severity of its harm for triggering is divided, and is equally divided into 5 ranks.
Table 1:Software security grade
Security function demand be in system may trigger harm be identified, and take certain measure reduce its send out
Raw probability mitigates its requirement for influenceing.Security function is divided from following several angles:
1)Failure mode and failure effect are analyzed
Failure mode refers to the mode that failure occurs.By the study to GB7826 standards and GJBZ1391 standards, the present invention
It is middle that failure mode is divided into five classes:Input data failure, output data fail, cannot complete expected disabler, time-out mistake
The failure that effect and abnormal hardware, user or environment are caused.
Use-case is represented with failure effect(Use Case)Failure the system or subsystem where the use-case caused
Influence, and working as the influence can produce certain harm to system(Security is impacted)When, the use-case is safety-critical.
Table 2:The definition of failure
| English | Chinese meaning |
| FailureID | The unique mark of failure |
| FailureDescription | The description of failure |
| Failure Mode | Failure mode |
| Failure Cause | Failure cause |
| Level | The level of security of failure |
| Hazard | The harm that failure causes |
For each harm(Hazard), its order of severity and the probability for occurring are defined, the order of severity and probability of happening are equal
It is qualitative analysis.Possibly cannot determine in the system requirement analysis stage or be difficult to determine a probability of happening for harm, can be with
First represented with None, it is supplemented again when data are complete.The risk of harm is the combination of its probability of happening and the order of severity,
Harm can be classified according to risk analysis.The order of severity of failure is according to degree of risk highest danger caused by its possibility
What evil was determined.
Table 3:The definition of harm
| English | Chinese meaning |
| Severity | The order of severity of harm |
| Probability | The probability of happening of harm |
| Failure | Trigger the failure of the harm |
Harm can be divided into two kinds:Single Failure Hazard and Combine Failure Hazard, i.e., it is single
The harm that the harm and multiple failures that failure causes cause.For example, may have many set brake system in aircraft, then single brake is
The failure of system will not cause harm to aircraft, and all failure can just lead to not slow down only all of brake system, to aircraft
Cause harm, such case is the harm that multiple failures cause.And for process level health monitoring, such as it cannot be carried out to failure
Treatment may then directly contribute harm to the system, be the single harm failed and cause.
2)Failure cause analysis
The reason for failure is described by accident analysis, each failure has the trigger condition of oneself, with Tigger come table
Show the triggering of failure.One or more sentence implementation procedure into, the condition of guarding is checked, if condition is unsatisfactory for,
A failure is then triggered, and then causes use-case to fail.
Description to the condition of guarding is by security constraint(Safety Constraint)Represent.Security constraint is divided into
Three classes:Real-time constraint, data constraint and state constraint.Real-time is constrained to periodically or performs the constraint of time;Data
Constraint of the constraint predominantly to data value, and state constraint is then the constraint that state is performed to use-case sentence, state is divided into three
Class:Normally, abnormal end, endless loop.
Table 4:The definition of security constraint
| English | Chinese meaning |
| ConstraintID | The mark of constraint |
| Sentence | The effective range constrained defined in field |
| Constraint | Field is the content of constraint |
In domain-conceptual model is as shown in Figure 2, the present invention belongs to safely in defining 12 by following DO-178B/C standards
Property, their specific implication is as follows:
P1:Each safety member be offered to corresponding safe interface to detect and process component inside generation failure and
From the failure that outside passes over.
P2:The interface related to security can only be activated by safety member or failure registration component.
P3:Each safety member and its safe interface are it is necessary to have identical security level.
P4:Each safety member for providing shared data access ensures to meet phase to the modification of data using invariant
The constraint answered.
P5:Each platform member should be able to provide enough resources for corresponding deployment component.
P6:Each identified failure has at least be detected and processed by a component.
P7:Each identified failure is it is necessary to have corresponding excitation and treatment strategy.
P8:Each failure that can be propagated has to be processed by other safety members.
P9:Failure can only be registered in failure registration component by escape way.
P10:The failure of registration can only be registered component and be processed according to corresponding treatment strategy.
P11:Each escape way is offered to interface to protect the security interacted between safety member.
P12:The level of security of each escape way can not be than connecting with it those components level of security it is low.
Step 2:Build the graphic extension of the avionics system based on UCMeta meta-models
Shown in Figure 2, in the present invention, the domain-conceptual model of the demand for security obtained according to step one is to UCMeta
Meta-model is extended, so as to obtain the graphic extension of avionics system.
UCMeta is the meta-model of RUCM methods, and it is to use MOF(Meta Object Facility)Definition, including
There are UCMeta, UML::UseCases、UCSTemplate、SentenceSemantics、SentencePatterns、
SentenceStructure.Wherein latter three mainly completes and the specification of natural language is limited.The structure of UCMeta such as Fig. 3
It is shown.
Security extension to UCMeta pays close attention to UCSTemplate bags, and metaclass UseCase can be by being added to
The relation of UseCaseSpecification is extended.Shown in Figure 4, UseCaseSpecification includes one
BriefDescription, Preconditon, one or more FlowOfEvents, primary actor, 0 to multiple
secondary actors.BriefDescription, Preconditon, PostConditon and FlowOfEvents contain
There is a series of Sentences.There are two kinds of flows of event:BasicFlow and AlternativeFlow.Each use-case must contain
One BasicFlow, can there is 0 to multiple AlternativeFlow.Each flow of event has a PostCondition, by one
The Sentences compositions of series.There is the affluent-dividing of three kinds of different modes:GlobalAlternative,
SpecificAlternative, and BoundedAlternative.Each AlternativeFlow has one
Condition, one reference stream of correspondence.
Sentence in UCSTemplate is divided into three kinds:Simple statement(Metaclass SimpleSentence), complicated sentence(Son
Bag ComplexSentence), special sentence(Attached bag SpecialSentence).Simple statement is do not have containing an independent clause
There is subordinate clause:Only one of which subject and a predicate.UCMeta has four kinds of complicated sentences, for four kinds of keywords:Condition
(IF-THEN-ELSEELSEIF-THEN-ENDIF), circulation (DO-UNTIL), concurrent (MEANWHILE) and checking
(VALIDATES THAT).There are four kinds of particular statements to illustrate the flow of event in a use-case is how to be interacted with other flow of event
, these four correspond to four keywords respectively:RESUME STEP, ABORT, INCLUDE USE CASE and EXTENDED BY.
Separately below from activist(Actor), use-case(Use Case)Introduce detailed expansion of the invention:
(A)The refinement of activist Actor
Carry out the role that descriptive system outside interacts with system using activist in UML, generally can be to use system
Personnel, or external equipment or entity in logic.UML standards are not classified to activist.The pin in RUCM
To each use-case, activist is divided into main activities person(Primary Actor)With secondary activity person(Secondary
Actor).Main activities person is first activist for initializing the use-case, and remaining is then secondary activity person.
By the concept classification of UML activists it is four types in the present invention, as shown in figure 5, specific content is as follows:
(1)Timer, periodically produces the entity of particular event, and it is NFP_Duration types to possess a type
duration(Duration)Attribute.NFP_Duration is the data type imported from UML/MARTE, comprising a real number and
Individual chronomere's information.
(2)HumanActor, represents that the activist is actual person.
(3)ExternalInstrument, represents external devices, its direction attribute description data of the device
Input and output direction, the signal type of its signal attribute description device is data signal or analog signal.Sensor(Pass
Sensor)And Actuator(Actuator)It is the Common Concepts in avionics system field, in this as ExternalInstrument's
Subclass occurs.
(4)ExternalSystem, for describing external system.
(B)The security extension of Use Case
Use Case describe the set performed by system, and descriptive system behavior is interacted by with activist, are
Important concept.Specification in RUCM methods to Use Case has carried out specification.Uase Case are expanded in the present invention
Safety Use Case, are defined as realizing the use-case of certain security function, and security function is then represented to system or its composition portion
The function that the failure for dividing is identified and processes, therefore, each Safety Use Case must be associated with one or more failures
Identification and treatment.It is specific below to introduce related extension content:
(1)The refinement of Use Case.Safety Use Case are inherited from Use Case in the present invention, its model such as Fig. 5 institutes
Show.Safety Use Case are defined as realizing the use-case of certain security function, each Safety Use Case has certainly
It can recognize that corresponding failure of removal to oneself level of security, and each Safety Use Case must be associated with one or many
The identification and treatment of individual failure.
Level of security is defined and divided in DO-178B standards.The security level of Safety Use Case is root
Determine according to the order of severity of its failure that may occur.Level of security is divided into five grades, and respectively level-A is arrived
Level-E, corresponds to catastrophic, dangerous/serious, heavier, lighter, without influence respectively.For different stage
Safety Use Case should give different degrees of concern.
(2)The Requirements Modeling of software security grade.The related demand of software security grade and constraint, i.e. security isolation are arranged
Apply and be defined.Security isolation measure refers to is isolated Safety-Critical System and non-safety critical system, level of security compared with
The relatively low system of system and level of security high is isolated, with ensure non-safety critical system or level of security it is relatively low be
System has influence on the function of safety-critical module in the way of outside expection.
To the related demand of software security grade and constraint in the present invention, i.e. security isolation measure is defined, specifically
Performance can be divided into two aspects:
a)It is outside when Actor the and Safety Use Case of external system or external equipment type carry out data exchange
The level of security of system or external equipment should be not less than the level of security of Safety Use Case.If external system, then should be true
Protect the security of external system;If external equipment, then relatively reliable external equipment should be selected.
b)When Safety Use Case use a certain resource in system, the level of security of the resource should be not less than
The level of security of Safety Use Case.
Represented with Communication Sentence in the present invention use-case and executor or use-case and resource it
Between data exchange, as shown in fig. 6, Communication Media are then communication medias, for the transmission of data provides support.
Several frequently seen communication media is enumerated in model:system_call(System is called)、hw_port(Hardware port)、bus_
protocol(Bus)、lan_protocol(LAN)And sys_service(The service that system is provided, such as blackboard, semaphore
And buffering area etc.).
Same Resource also defines corresponding security level attributes, use-case can by certain medium and resource,
External equipment or external system carry out data exchange.With keyword COLLECT INPUT FROM and keyword DELIEVR
OUTPUT TO represent from external equipment, external system or other use-cases collect or send data, represent data with keyword VIA
Transmission means.
(3)The Requirements Modeling of software security function.Security function demand is that the harm that may trigger in system is known
Not, and take certain measure reduce its probability of happening or mitigate its influence requirement.Detailed Jie is carried out in terms of three below
Continue:
a)Failure mode and failure effect are analyzed, and model with failure effect in the present invention as shown in fig. 7, represent use-case
The influence that failure is caused to the system or subsystem where the use-case, and working as the influence can produce certain harm to system(It is right
Security is impacted)When, the use-case is safety-critical.So, for Safety Use Case, its failure is bound to lead
Cause one or more harm Hazard.For each Hazard, its order of severity and the probability for occurring, the order of severity and hair are defined
Raw probability is qualitative analysis.The risk of harm is the combination of its probability of happening and the order of severity, can be to danger according to risk analysis
Evil is classified.The order of severity of failure is determined according to degree of risk highest harm caused by its possibility, and Safety
The level of security of Use Case is determined by the failure of its level of security highest.
b)Failure cause analysis, model are as shown in figure 8, the reason for present invention describes failure by accident analysis, model
In list several frequently seen fault type.The triggering of failure is represented with Tigger, in the execution of one or more sentence
Cheng Cheng, checks the condition of guarding, if condition is unsatisfactory for, triggers a failure, and then cause use-case to fail.To guarding
The description of condition is by Safety Constraint(Security constraint)Represent.Security constraint is divided into three classes:Real-time is about
Beam, data constraint and state constraint.Real-time is constrained to periodically or performs the constraint of time;Data constraint is mainly logarithm
According to the constraint of value, and state constraint is then the constraint that state is performed to use-case sentence, and state is divided into three classes:Normally, it is abnormal whole
Only, endless loop.Condition is described with Safety Condition Sentence and checks sentence.One condition checks that sentence is right
One inspection of constraint.Condition inspection is represented with keyword CHECK CONSTRAINT.Such as Constrained sentence c1, its sphere of action
It is STEP1, is constrained to STATE=normal, then corresponding condition checks that sentence example is as follows:The system CHECK
CONSTRAINT c1。
c)Crash handling, is modeled in Fig. 9 to the control mode for failing.Failure is carried out using certain mitigation strategy
Control, Failure Mitigation are defined as one kind of affluent-dividing, a series of handling process of definable to failure at
Reason.In addition, being modeled to several conventional crash handling modes.Record is represented and failure is recorded;Retry represents weight
Examination disabling portion function, the number of times that its attribute retry_times definition is retried;Progogate is represented in this use-case not to losing
Effect is processed, but is handed over to other use-cases or system is processed.Simultaneously can according to failure type and reason,
A series of handling process is defined to each failure.With several special statement list non ageing specially treated modes, as scheme
Shown in 10.Wherein, the type of service of Record Sentence is RECORD THE FAILURE;Retry Sentence's makes
It is RETRY FOR ... TIMES with form;The type of service of Propogate Sentence is PROPOGATE TO USE
CASE…。
Step 3:Build the avionics system demand for security template based on RUCM description templates
Shown in Figure 11, the content of RUCM description templates includes:Use-case name(Use Case Nmae), use-case summary
(Brief Description), the precondition that use-case is performed(Precondition), the main activities person of use-case(Primary
Actor), other activists of use-case(Secondary Actors), the dependence of the use-case and other use-cases
(Dependency), the generalization between the use-case and other use-cases(Generalization), the elementary event of the use-case
Stream(Basic Flow)And other three flows of event(Global Alternative Flow, Bounded
Alternative Flow, Specific Alternative Flow).Wherein each flow of event has to after performing and terminating
Have a Post Condition represent the flow of event perform after result, in each of which use-case one and only one
Basic Flow, and Global Alternative Flow, Bounded Alternative Flow, Specific
Alternative Flow determine its number for existing according to specific practical situation.RUCM description templates are also equipped with when in use
Corresponding rule and keyword.
The related expanding of demand for security description is not only carried out in the present invention to RUCM requirement descriptions template, while also increasing
Corresponding new rule and keyword.Detailed extension is carried out in terms of the two separately below:
(1)Demand for security description template
The RUCM description templates of standard define only three kinds of flows of event, be respectively elementary event stream, global extension flow of event
With local expansion flow of event, just have to be extended flow of event for the description for carrying out demand for security with describe failure and its
Corresponding processing mode.Extension flow of event is aiming at certain or some activity thing in an elementary event stream or extension flow of event
Other dispositions when part occurs.
Demand for security description template after being extended in the present invention is as follows:
Table 5:Demand for security description template
Table 6:Harm to the system table
| Hazard | Severity | Probability | Failure |
The essential part of demand for security template and common RUCM use-case templates are consistent substantially, only addition a line
SafetyLevel, is described to its level of security.
Add the related conceptual description of security again on this basis, specific extension is as follows:
a)Add the description of failure
Table 7:Failure description
b)Add the degradation treatment description of failure
Table 8:The degradation treatment of failure
Failure Mitigation:Failure degradation measure, is affluent-dividing, and a series of handling process of definable is to failure
Processed, it is also possible to add predefined processing mode, each Failure Mitigation there will be a Post
Condition with represent this process result.
c)Addition constraint definition
Table 9:Constraint definition
| ConstraintID | Sentence | Constraint |
Constraint parts are that the constraint in use-case is defined, and ConstraintID is the mark of constraint,
The effective range constrained defined in Sentence fields, Constraint fields are the content of constraint.
d)For whole system adds a harm list
Table 10:Harm list
| Hazard | Severity | Probability | Failure |
Also need to safeguard whole system one harm list after above-mentioned security extension has been carried out, can be with by the list
To all kinds of harm present in system, the order of severity is endangered, the failure that harm probability of happening and initiation endanger is recorded.
Hazard represents specific harm, and Severity represents the order of severity of harm, and the generation that Probability represents the harm is general
Rate, Failure represents the failure for triggering the harm.
In the present invention, some English does not refer to Chinese meaning, can be that English is translated directly into expressed by Chinese
The meaning of one's words.
(2)For demand for security template adds new restriction rule and keyword,
In order to be easy to express and obtain balance between expressing preciseness, RUCM devises 26 constraint rules altogether, wherein
16 rules are used to constrain the use of natural language, and 10 rules are used to define 10 Activity Descriptions with control structure, but
These rules are not met by the associated description of software security.Therefore the RUCM rules of standard are extended, the present invention
In relevant demand for security description restriction rule and keyword it is as follows:
R1:When the type of the executor of use-case is ExternalSystem or ExternalInstrument,
The level of security of ExternalSystem and ExternalInstrument should be not less than the level of security of use-case.
R2:When use-case accesses a certain resource, the level of security of the resource should be not less than the level of security of use-case.
R3:Represented from other use-cases or outside with keyword COLLECT INPUT FROM and DELIEVR OUTPUT TO
Data, the communication media used when representing data communication with keyword VIA are collected or sent to equipment.
R4:Represent that multiple failures are common using keyword AND and trigger a harm.
R5:Use keyword>、<,=, IN represented the scope of binding occurrence, and with keyword CHECK CONSTRAINT couple
Constraint is checked.
R6:One failure of record is represented using keyword RECORD THE FAILURE.
R7:Represented using keyword RETRY FOR..TIMES and retry operation, the number of times that definable is retried.
R8:Propagated using keyword PROPOGATE TO USE CASE tables non ageing.
R9:When failure travels to another use-case to be processed, the level of security of the use-case should be not less than currently
The level of security of use-case.
R10:The level of security of each failure is determined by the order of severity of the harm of its most serious for triggering, and each use-case
Level of security by its level of security highest failure determine.
Embodiment
Demand for security is described using demand for security template and keyword in following example.
Claims (2)
1. a kind of demand for security modeling method suitable for avionics system, it includes the following steps:
Step one:Set up the domain-conceptual model of demand for security;
Safety identification establishment is carried out to existing avionics system software according to RTCA/DO-178B standards and obtains domain-conceptual model;
Step 2:Build the graphic extension of the avionics system based on UCMeta meta-models;The graphic extension of the avionics system be according to
The domain-conceptual model of the demand for security obtained according to step one is extended and obtains to UCMeta meta-models;
Step 3:Build the avionics system demand for security template based on RUCM description templates;The avionics system demand for security template
It is to be added continuous item on RUCM description templates to obtain;
In step 2, domain-conceptual model is converted into UML Profile, to carrying out safety in the meta-model UCMeta of RUCM
Extension;Refined in Actor, carrying out Security Extensions to Use Case sets up SafetyUse Case;Analysis field is general
Model is read, description template and restriction rule and the use of keyword of demand for security is determined;Extension RUCM description templates enter
Row demand for security is described, and the description of 10 safe description rules of addition and some keywords to ensure RUCM is complete, accurate, nothing two
Justice;UCMeta after extension creates the Use Case Diagram for supporting demand for security description, while user passes through each
Use Case have carried out the function description and demand for security description of complete and accurate;
It is characterized in that:
The step of being refined in Actor has:
Step 301:Actor is extended according to the characteristics of embedded real time system, Actor is divided into four types:
Timer, Human Actor, External Instrument and External System;
Step 302:Periodic task is included in embedded real time system, and Timer is then used for triggering a cycle
Action, its attribute duration represents the time span in the cycle;The type NFD_Duration of its value includes the unit of time
And time value;Human Actor are represented and are used the user for triggering its related example;
Step 303:External Instrument represent the external equipment that data exchange is carried out with use-case, i.e. sensor or letter
Number receiver;Its attribute direction and signal represent data transfer direction and signal type respectively;
Step 304:External System represent outside use-case, subsystem or the system interacted with use-case;
Step 305:External Instrument and External System define level of security;
Described Use Case refinement steps have:
Step 401:Safety Use Case are inherited from Use Case;Safety Use Case are defined as realizing security function
Use-case, and security function then represents the function that the failure of system or its part is identified and is processed, therefore, it is each
Individual Safety Use Case must be associated with the identification and treatment of one or more failures;
Step 402:Level of security is defined and divided in foundation DO-178B standards, the security of Safety Use Case
Rank is divided into five grade level-A to level-E, corresponds to respectively catastrophic, dangerous/serious, heavier, lighter
, without influence;
Described safe description rule is:
R1:When the type of the executor of use-case is ExternalSystem or ExternalInstrument,
The level of security of ExternalSystem and ExternalInstrument should be not less than the level of security of use-case;
R2:When use-case accesses a certain resource, the level of security of the resource should be not less than the level of security of use-case;
R3:Represented from other use-cases or external equipment with keyword COLLECT INPUT FROM and DELIEVR OUTPUT TO
Collect or send data, the communication media used when representing data communication with keyword VIA;
R4:Represent that multiple failures are common using keyword AND and trigger a harm;
R5:Use keyword>、<,=, IN represented the scope of binding occurrence, and with keyword CHECKCONSTRAINT to constraint
Checked;
R6:One failure of record is represented using keyword RECORD THE FAILURE;
R7:The number of retries for retrying operation is represented using keyword RETRY FOR TIMES;
R8:Propagated using keyword PROPOGATE TO USE CASE tables non ageing;
R9:When failure travels to another use-case to be processed, the level of security of the use-case should be not less than current use-case
Level of security;
R10:The level of security of each failure is determined by the order of severity of the harm of its most serious for triggering, and the peace of each use-case
Full rank is determined by the failure of its level of security highest.
2. the demand for security modeling method suitable for avionics system according to claim 1, it is characterised in that avionics system
The complete structure of demand for security template is:
FailureID:The identification number of each failure;
FailureDescription:Failure behaviour is briefly described;
Failure Mode:Failure mode, its value is enumeration type;
Failure Cause:Failure cause, to trigger the type of the failure of failure, its value is enumeration type;
Level:The level of security of failure, determines according to the order of severity endangered caused by it;
Hazard:Fail the harm title for triggering;
FailureMitigate:Failure Mitigation methods;
Constraint parts are that the constraint in use-case is defined, and ConstraintID is the mark of constraint, Sentence
Defined in constrain effective range, constraint be constraint content.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310595322.0A CN103853871B (en) | 2013-11-21 | 2013-11-21 | Safety requirement modeling method applicable for avionics system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310595322.0A CN103853871B (en) | 2013-11-21 | 2013-11-21 | Safety requirement modeling method applicable for avionics system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103853871A CN103853871A (en) | 2014-06-11 |
| CN103853871B true CN103853871B (en) | 2017-05-24 |
Family
ID=50861523
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310595322.0A Active CN103853871B (en) | 2013-11-21 | 2013-11-21 | Safety requirement modeling method applicable for avionics system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103853871B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104461882B (en) * | 2014-11-29 | 2017-05-17 | 中国航空工业集团公司第六三一研究所 | Method for model verification of software conforming to DO-178B/C A level |
| CN104965956B (en) * | 2015-07-16 | 2017-11-21 | 北京航空航天大学 | A kind of requirements verification method based on RUCM |
| CN105373650B (en) * | 2015-10-15 | 2018-09-28 | 北京航空航天大学 | IMA dynamic restructuring modeling methods based on AADL |
| CN105976080A (en) * | 2016-03-24 | 2016-09-28 | 中国人民解放军装甲兵工程学院 | Combat command control flow modeling method |
| CN106020826B (en) * | 2016-05-23 | 2019-04-02 | 北京航空航天大学 | A kind of safe case modeling method based on template |
| CN107590339B (en) * | 2017-09-14 | 2020-05-01 | 西北工业大学 | Comprehensive modular avionics system performance degradation modeling and simulation method |
| CN109783870B (en) * | 2018-12-18 | 2020-12-29 | 北京航空航天大学 | Human-computer interaction risk scene identification method based on formal verification |
| CN111984229B (en) * | 2020-07-24 | 2022-02-01 | 南京航空航天大学 | Method for generating formal demand model for field natural language demand |
| CN112306476B (en) * | 2020-11-03 | 2023-04-14 | 中国航空工业集团公司西安航空计算技术研究所 | Embedded system security modeling method |
| CN112612241B (en) * | 2020-12-15 | 2021-09-28 | 中国航空综合技术研究所 | Safety analysis method for software of field programmable logic device of aviation equipment |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101894192A (en) * | 2010-07-19 | 2010-11-24 | 北京航空航天大学 | Simulation and demonstration system for design and validation of AFDX (Avionics Full Duplex Switched Ethernet) network and simulation and demonstration method thereof |
| CN101908962A (en) * | 2009-12-24 | 2010-12-08 | 中国航空工业集团公司第六三一研究所 | Key management method for integrated avionic system |
| CN102566443A (en) * | 2011-12-29 | 2012-07-11 | 中国航空工业集团公司第六三一研究所 | Simulation verification system and method for integrated avionics system model based on artifact design description language (ADDL) |
-
2013
- 2013-11-21 CN CN201310595322.0A patent/CN103853871B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101908962A (en) * | 2009-12-24 | 2010-12-08 | 中国航空工业集团公司第六三一研究所 | Key management method for integrated avionic system |
| CN101894192A (en) * | 2010-07-19 | 2010-11-24 | 北京航空航天大学 | Simulation and demonstration system for design and validation of AFDX (Avionics Full Duplex Switched Ethernet) network and simulation and demonstration method thereof |
| CN102566443A (en) * | 2011-12-29 | 2012-07-11 | 中国航空工业集团公司第六三一研究所 | Simulation verification system and method for integrated avionics system model based on artifact design description language (ADDL) |
Non-Patent Citations (2)
| Title |
|---|
| Ensuring Safety of Avionics Software at the Architecture Design Level:An Industrial Case Study;Ji Wu,et al;《2013 13th International Conference on Quality Software》;20130730;摘要,正文第1,3部分 * |
| 面向可信的航空嵌入式软件开发方法框架;牛文生 等;《北京航空航天大学学报》;20121231;第38卷(第12期);摘要,第1,4部分) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103853871A (en) | 2014-06-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103853871B (en) | Safety requirement modeling method applicable for avionics system | |
| Biggs et al. | A profile and tool for modelling safety information with design information in SysML | |
| Abdulkhaleq et al. | A comprehensive safety engineering approach for software-intensive systems based on STPA | |
| Zoughbi et al. | Modeling safety and airworthiness (RTCA DO-178B) information: conceptual model and UML profile | |
| Boulanger | CENELEC 50128 and IEC 62279 standards | |
| Feiler et al. | Automated fault tree analysis from aadl models | |
| Backes et al. | Requirements analysis of a quad-redundant flight control system | |
| Al-Lail et al. | An Approach to Analyzing Temporal Properties in UML Class Models. | |
| Luo et al. | Applying sofl to a railway interlocking system in industry | |
| Medikonda et al. | A framework for software safety in safety-critical systems | |
| McGregor et al. | Analysis and design of safety-critical, cyber-physical systems | |
| US11586976B2 (en) | Method and apparatus for creating tests for execution in a storage environment | |
| Zalewski et al. | Safety of computer control systems: challenges and results in software development | |
| Gerhart et al. | Regulatory case studies | |
| Feiler et al. | Architecture fault modeling and analysis with the error model annex, version 2 | |
| Lahtinen | Hardware failure modelling methodology for model checking | |
| Ye | Justifying the use of COTS Components within safety critical applications | |
| Medikonda et al. | An approach to modeling software safety in safety-critical systems | |
| Delmas et al. | Smt-based synthesis of fault-tolerant architectures | |
| Krejčí et al. | Model-based testing of automotive distributed systems with automated prioritization | |
| Luckey et al. | QUAASY: Quality assurance of adaptive systems | |
| Höfig et al. | MetaFMEA-A framework for reusable FMEAs | |
| Feiler | Architecture-led safety analysis of the joint multi-role (JMR) joint common architecture (JCA) demonstration system | |
| Honda et al. | Range analyzer: An automatic tool for arithmetic overflow detection in model-based development | |
| Rife et al. | Applying sensor integrity concepts to detect intermittent bugs in aviation software |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |