CN103853871B - Safety requirement modeling method applicable for avionics system - Google Patents

Safety requirement modeling method applicable for avionics system Download PDF

Info

Publication number
CN103853871B
CN103853871B CN201310595322.0A CN201310595322A CN103853871B CN 103853871 B CN103853871 B CN 103853871B CN 201310595322 A CN201310595322 A CN 201310595322A CN 103853871 B CN103853871 B CN 103853871B
Authority
CN
China
Prior art keywords
security
case
failure
level
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310595322.0A
Other languages
Chinese (zh)
Other versions
CN103853871A (en
Inventor
吴际
张辉辉
李亚晖
牛文生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Xian Aeronautics Computing Technique Research Institute of AVIC
Original Assignee
Beihang University
Xian Aeronautics Computing Technique Research Institute of AVIC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University, Xian Aeronautics Computing Technique Research Institute of AVIC filed Critical Beihang University
Priority to CN201310595322.0A priority Critical patent/CN103853871B/en
Publication of CN103853871A publication Critical patent/CN103853871A/en
Application granted granted Critical
Publication of CN103853871B publication Critical patent/CN103853871B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a safety requirement modeling method applicable for an avionics system. The method is characterized in that the expansion of UCMeta (Use Case Meta) is realized by analyzing and extracting concepts and restrictions related to the safety of an avionic embedded system, and by combining the extracted concepts and restrictions with basic concepts in RUCM (Restricted Use Case Modeling), so that a safety-related domain model is established; a description template for the safety requirements of the avionic embedded system is determined by analyzing the established domain model; when the description template with the determined safety requirements of the avionic embedded system is enabled to describe function requirements, safety-related nonfunctional restrictions are captured. According to the method provided by the invention, as a semi-formal safety requirement description method, the description template for the safety requirements and the corresponding limiting rules are added based on the RUCM, and used for describing the safety requirements completely and correctly; moreover, the certain-extent automatic verification is supported.

Description

A kind of demand for security modeling method suitable for avionics system
Technical field
Refer to a kind of safety suitable for avionics system more particularly the present invention relates to a kind of method of Requirements Modeling Requirements Modeling method.
Background technology
Software security(software safety)It is the system life in people is not jeopardized all the time controlled on software A kind of property of the safe condition of life property and ecological environment.The embedded of high security is needed especially for Aero-Space etc. For real-time software, with system, software proportion is incrementally increased, and consequence that software failure may cause is also increasingly Seriously.To ensure the security of system, it is necessary to the security of system is described and is analyzed in demand analysis stage.
Requirements Modeling is an important activity in software requirement engineering, and requirement engineering teacher is by using different modelings The expectation of method identification, understanding, excavation demand supplier to system, so that the structural model of software systems is built, behavior model, Or other various models to showing the different qualities of software to be developed.Modeling method account for important work in this activity With meaning to remove to treat software issue from different visual angles using different modeling methods, how from the expectation to total system In derive expectation to software systems in itself, go how how displaying software systems behavior and rise in the reinforced system of software To its effect.Referring to the first edition of in July, 2008《Software requirement engineering:Principle and method》Page 50, Jin Zhi etc. writes.
In current Requirements Modeling method, the description means and technology for mainly using are natural language, graphical symbol language Make peace formal language etc..Divided from point of view of practicability:The Requirements Modeling method and the Requirements Modeling of object-oriented of structuring Method.
The technology path of object-oriented method includes requirement engineering, Software for Design and software and realizes;Wherein, requirement engineering There are Requirement Acquisition and demand analysis.Object-oriented method is first from the source of demand(Mainly user)The acquisition of the demand of carrying out, User's description of tissue need's information, sets up use-case model.After the complete of user's request, accurate understanding is obtained, towards right Begin to consider the realization mechanism of software as method, carry out Software for Design.April the 1st edition in 2009《Requirement engineering-software modeling With analysis》Page 315, Luo Bin chief editors.
Comprehensively modularized avionics system(Integrated Modular Architecture, IMA, abbreviation avionics system System)Software should be followed including operating system, application program, database, network, man-machine interface etc. unified series standard, rule Model is developed, and the reusable of software, standardization, intellectuality, portability, quality, reliability etc. should all list characterization software in Among the characteristic parameter of technology.
The content of the invention
In order that the avionics system software of required structure has security requirement higher, the present invention provides one kind and is applied to The demand for security modeling method of avionics system.Use-case meta-model UCMeta in modeling method application RUCM of the invention is to participating in Person Actor and use-case Use Case carry out security extension, the description of the Requirements Modeling of the avionics system software built needed for realizing; Citation DO-178B standards carry out safety defect identification with existing avionics system software;By the demand for security mould of present invention design Type can provide the complete requirement description without ambiguous for the Software for Design of avionics system.
A kind of demand for security modeling method suitable for avionics system of the invention, specifically there is the following steps:
Step one:Set up the domain-conceptual model of demand for security;
Safety identification establishment is carried out to existing avionics system software according to RTCA/DO-178B standards and obtains field concept mould Type;
Step 2:Build the graphic extension of the avionics system based on UCMeta meta-models;The graphic extension of the avionics system It is that the domain-conceptual model of the demand for security obtained according to step one is extended and obtains to UCMeta meta-models;
Step 3:Build the avionics system demand for security template based on RUCM description templates;The avionics system demand for security Template is to be added continuous item on RUCM description templates to obtain.
In the present invention in step 2, domain-conceptual model is converted into UML Profile, to the meta-model of RUCM Security extension is carried out in UCMeta;Refined in Actor, carrying out Security Extensions to Use Case sets up Safety Use Case;Analysis field conceptual model, determines description template and restriction rule and the use of keyword of demand for security;Extension RUCM description templates carry out demand for security description, add 10 safe description rules and some keywords to ensure the description of RUCM Completely, accurately, unambiguity;UCMeta after extension creates the Use Case Diagram for supporting demand for security description, while User is described by the function that each Use Case has carried out complete and accurate and demand for security is described.
The advantage of demand for security modeling method of the present invention is:
1. the present invention is studied in depth for the Aviation Embedded System of high security to safety standard DO-178B And corresponding security model is created, such that it is able to be modeled to demand for security in the software requirement stage.
2. the present invention is modeled for the demand for security of Aviation Embedded System, extends the UCMeta of standard RUCM. UCMeta is the meta-model of RUCM methods, and it is to use MOF(Meta Object Facility)Definition.By domain analysis Model element Actor and Use Case in UML standard Use Case Diagram is refined and security extension is so that can To support that the demand for security being patterned is modeled.
3. the present invention is modeled for the demand for security of Aviation Embedded System, extends the requirement description template of standard RUCM And its restriction rule.Can be supported in the software requirement modeling stage to safety-related by the requirement description template for extending RUCM Troubleshooting is described, and causes that the description of demand for security is complete, accurate, unambiguity by the extension of restriction rule.
Brief description of the drawings
Fig. 1 is the Technology Roadmap of conventional object-oriented method.
Fig. 2 is the domain-conceptual model figure in the scope of application of the present invention.
Fig. 3 is the UCMeta bag figures of RUCM of the present invention.
Fig. 4 schemes for UCSTemplate bags of the present invention.
Fig. 5 is Actor refined models figure of the present invention.
Fig. 6 is Use Case extended model figures of the present invention.
Fig. 7 is Use Case of the present invention and the data exchange figure between Actor or resource.
Fig. 8 is failure model figure of the present invention.
Fig. 9 is crash handling analysis model figure of the present invention.
Figure 10 is crash handling statement model figure of the present invention.
Figure 11 is each column information schematic diagram of Use case template demands.
Specific embodiment
Below in conjunction with drawings and Examples, the present invention is described in further detail.
Shown in Figure 1, " use-case model " in Fig. 1 is exactly to need to model the demand for security mould for obtaining in the present patent application Type.
A kind of demand for security modeling method suitable for avionics system of the invention, has specifically included the following steps:
Step one:Set up the domain-conceptual model of demand for security
Safety identification establishment is carried out to existing avionics system software according to RTCA/DO-178B standards and obtains field concept mould Type.
The full name of RTCA/DO-178B standards is Royal Technical Commision on Aviation DO- 178B。
Demand for security is made up of the requirement of level of security and two parts of requirement of security function.Level of security will Seeking the software of predominantly security isolation measure, i.e. different safety class needs to give different degrees of concern;Security function will Asking main includes being identified the failure for triggering harm state in system, reduces probability and weakening that it enters unsafe condition Its hazard analysis and HACCP.
Harm(Hazard)The potential unsafe condition of system that finger is caused by disabler or external event etc., DO- The rank for endangering is divided in 178B standards, is shown its influence to system, these classifications are respectively:Catastrophic, Dangerous/serious, heavier, lighter, without influence;Its level of security is defined to security critical software accordingly, according to The order of severity of its harm for triggering is divided, and is equally divided into 5 ranks.
Table 1:Software security grade
Security function demand be in system may trigger harm be identified, and take certain measure reduce its send out Raw probability mitigates its requirement for influenceing.Security function is divided from following several angles:
1)Failure mode and failure effect are analyzed
Failure mode refers to the mode that failure occurs.By the study to GB7826 standards and GJBZ1391 standards, the present invention It is middle that failure mode is divided into five classes:Input data failure, output data fail, cannot complete expected disabler, time-out mistake The failure that effect and abnormal hardware, user or environment are caused.
Use-case is represented with failure effect(Use Case)Failure the system or subsystem where the use-case caused Influence, and working as the influence can produce certain harm to system(Security is impacted)When, the use-case is safety-critical.
Table 2:The definition of failure
English Chinese meaning
FailureID The unique mark of failure
FailureDescription The description of failure
Failure Mode Failure mode
Failure Cause Failure cause
Level The level of security of failure
Hazard The harm that failure causes
For each harm(Hazard), its order of severity and the probability for occurring are defined, the order of severity and probability of happening are equal It is qualitative analysis.Possibly cannot determine in the system requirement analysis stage or be difficult to determine a probability of happening for harm, can be with First represented with None, it is supplemented again when data are complete.The risk of harm is the combination of its probability of happening and the order of severity, Harm can be classified according to risk analysis.The order of severity of failure is according to degree of risk highest danger caused by its possibility What evil was determined.
Table 3:The definition of harm
English Chinese meaning
Severity The order of severity of harm
Probability The probability of happening of harm
Failure Trigger the failure of the harm
Harm can be divided into two kinds:Single Failure Hazard and Combine Failure Hazard, i.e., it is single The harm that the harm and multiple failures that failure causes cause.For example, may have many set brake system in aircraft, then single brake is The failure of system will not cause harm to aircraft, and all failure can just lead to not slow down only all of brake system, to aircraft Cause harm, such case is the harm that multiple failures cause.And for process level health monitoring, such as it cannot be carried out to failure Treatment may then directly contribute harm to the system, be the single harm failed and cause.
2)Failure cause analysis
The reason for failure is described by accident analysis, each failure has the trigger condition of oneself, with Tigger come table Show the triggering of failure.One or more sentence implementation procedure into, the condition of guarding is checked, if condition is unsatisfactory for, A failure is then triggered, and then causes use-case to fail.
Description to the condition of guarding is by security constraint(Safety Constraint)Represent.Security constraint is divided into Three classes:Real-time constraint, data constraint and state constraint.Real-time is constrained to periodically or performs the constraint of time;Data Constraint of the constraint predominantly to data value, and state constraint is then the constraint that state is performed to use-case sentence, state is divided into three Class:Normally, abnormal end, endless loop.
Table 4:The definition of security constraint
English Chinese meaning
ConstraintID The mark of constraint
Sentence The effective range constrained defined in field
Constraint Field is the content of constraint
In domain-conceptual model is as shown in Figure 2, the present invention belongs to safely in defining 12 by following DO-178B/C standards Property, their specific implication is as follows:
P1:Each safety member be offered to corresponding safe interface to detect and process component inside generation failure and From the failure that outside passes over.
P2:The interface related to security can only be activated by safety member or failure registration component.
P3:Each safety member and its safe interface are it is necessary to have identical security level.
P4:Each safety member for providing shared data access ensures to meet phase to the modification of data using invariant The constraint answered.
P5:Each platform member should be able to provide enough resources for corresponding deployment component.
P6:Each identified failure has at least be detected and processed by a component.
P7:Each identified failure is it is necessary to have corresponding excitation and treatment strategy.
P8:Each failure that can be propagated has to be processed by other safety members.
P9:Failure can only be registered in failure registration component by escape way.
P10:The failure of registration can only be registered component and be processed according to corresponding treatment strategy.
P11:Each escape way is offered to interface to protect the security interacted between safety member.
P12:The level of security of each escape way can not be than connecting with it those components level of security it is low.
Step 2:Build the graphic extension of the avionics system based on UCMeta meta-models
Shown in Figure 2, in the present invention, the domain-conceptual model of the demand for security obtained according to step one is to UCMeta Meta-model is extended, so as to obtain the graphic extension of avionics system.
UCMeta is the meta-model of RUCM methods, and it is to use MOF(Meta Object Facility)Definition, including There are UCMeta, UML::UseCases、UCSTemplate、SentenceSemantics、SentencePatterns、 SentenceStructure.Wherein latter three mainly completes and the specification of natural language is limited.The structure of UCMeta such as Fig. 3 It is shown.
Security extension to UCMeta pays close attention to UCSTemplate bags, and metaclass UseCase can be by being added to The relation of UseCaseSpecification is extended.Shown in Figure 4, UseCaseSpecification includes one BriefDescription, Preconditon, one or more FlowOfEvents, primary actor, 0 to multiple secondary actors.BriefDescription, Preconditon, PostConditon and FlowOfEvents contain There is a series of Sentences.There are two kinds of flows of event:BasicFlow and AlternativeFlow.Each use-case must contain One BasicFlow, can there is 0 to multiple AlternativeFlow.Each flow of event has a PostCondition, by one The Sentences compositions of series.There is the affluent-dividing of three kinds of different modes:GlobalAlternative, SpecificAlternative, and BoundedAlternative.Each AlternativeFlow has one Condition, one reference stream of correspondence.
Sentence in UCSTemplate is divided into three kinds:Simple statement(Metaclass SimpleSentence), complicated sentence(Son Bag ComplexSentence), special sentence(Attached bag SpecialSentence).Simple statement is do not have containing an independent clause There is subordinate clause:Only one of which subject and a predicate.UCMeta has four kinds of complicated sentences, for four kinds of keywords:Condition (IF-THEN-ELSEELSEIF-THEN-ENDIF), circulation (DO-UNTIL), concurrent (MEANWHILE) and checking (VALIDATES THAT).There are four kinds of particular statements to illustrate the flow of event in a use-case is how to be interacted with other flow of event , these four correspond to four keywords respectively:RESUME STEP, ABORT, INCLUDE USE CASE and EXTENDED BY.
Separately below from activist(Actor), use-case(Use Case)Introduce detailed expansion of the invention:
(A)The refinement of activist Actor
Carry out the role that descriptive system outside interacts with system using activist in UML, generally can be to use system Personnel, or external equipment or entity in logic.UML standards are not classified to activist.The pin in RUCM To each use-case, activist is divided into main activities person(Primary Actor)With secondary activity person(Secondary Actor).Main activities person is first activist for initializing the use-case, and remaining is then secondary activity person.
By the concept classification of UML activists it is four types in the present invention, as shown in figure 5, specific content is as follows:
(1)Timer, periodically produces the entity of particular event, and it is NFP_Duration types to possess a type duration(Duration)Attribute.NFP_Duration is the data type imported from UML/MARTE, comprising a real number and Individual chronomere's information.
(2)HumanActor, represents that the activist is actual person.
(3)ExternalInstrument, represents external devices, its direction attribute description data of the device Input and output direction, the signal type of its signal attribute description device is data signal or analog signal.Sensor(Pass Sensor)And Actuator(Actuator)It is the Common Concepts in avionics system field, in this as ExternalInstrument's Subclass occurs.
(4)ExternalSystem, for describing external system.
(B)The security extension of Use Case
Use Case describe the set performed by system, and descriptive system behavior is interacted by with activist, are Important concept.Specification in RUCM methods to Use Case has carried out specification.Uase Case are expanded in the present invention Safety Use Case, are defined as realizing the use-case of certain security function, and security function is then represented to system or its composition portion The function that the failure for dividing is identified and processes, therefore, each Safety Use Case must be associated with one or more failures Identification and treatment.It is specific below to introduce related extension content:
(1)The refinement of Use Case.Safety Use Case are inherited from Use Case in the present invention, its model such as Fig. 5 institutes Show.Safety Use Case are defined as realizing the use-case of certain security function, each Safety Use Case has certainly It can recognize that corresponding failure of removal to oneself level of security, and each Safety Use Case must be associated with one or many The identification and treatment of individual failure.
Level of security is defined and divided in DO-178B standards.The security level of Safety Use Case is root Determine according to the order of severity of its failure that may occur.Level of security is divided into five grades, and respectively level-A is arrived Level-E, corresponds to catastrophic, dangerous/serious, heavier, lighter, without influence respectively.For different stage Safety Use Case should give different degrees of concern.
(2)The Requirements Modeling of software security grade.The related demand of software security grade and constraint, i.e. security isolation are arranged Apply and be defined.Security isolation measure refers to is isolated Safety-Critical System and non-safety critical system, level of security compared with The relatively low system of system and level of security high is isolated, with ensure non-safety critical system or level of security it is relatively low be System has influence on the function of safety-critical module in the way of outside expection.
To the related demand of software security grade and constraint in the present invention, i.e. security isolation measure is defined, specifically Performance can be divided into two aspects:
a)It is outside when Actor the and Safety Use Case of external system or external equipment type carry out data exchange The level of security of system or external equipment should be not less than the level of security of Safety Use Case.If external system, then should be true Protect the security of external system;If external equipment, then relatively reliable external equipment should be selected.
b)When Safety Use Case use a certain resource in system, the level of security of the resource should be not less than The level of security of Safety Use Case.
Represented with Communication Sentence in the present invention use-case and executor or use-case and resource it Between data exchange, as shown in fig. 6, Communication Media are then communication medias, for the transmission of data provides support. Several frequently seen communication media is enumerated in model:system_call(System is called)、hw_port(Hardware port)、bus_ protocol(Bus)、lan_protocol(LAN)And sys_service(The service that system is provided, such as blackboard, semaphore And buffering area etc.).
Same Resource also defines corresponding security level attributes, use-case can by certain medium and resource, External equipment or external system carry out data exchange.With keyword COLLECT INPUT FROM and keyword DELIEVR OUTPUT TO represent from external equipment, external system or other use-cases collect or send data, represent data with keyword VIA Transmission means.
(3)The Requirements Modeling of software security function.Security function demand is that the harm that may trigger in system is known Not, and take certain measure reduce its probability of happening or mitigate its influence requirement.Detailed Jie is carried out in terms of three below Continue:
a)Failure mode and failure effect are analyzed, and model with failure effect in the present invention as shown in fig. 7, represent use-case The influence that failure is caused to the system or subsystem where the use-case, and working as the influence can produce certain harm to system(It is right Security is impacted)When, the use-case is safety-critical.So, for Safety Use Case, its failure is bound to lead Cause one or more harm Hazard.For each Hazard, its order of severity and the probability for occurring, the order of severity and hair are defined Raw probability is qualitative analysis.The risk of harm is the combination of its probability of happening and the order of severity, can be to danger according to risk analysis Evil is classified.The order of severity of failure is determined according to degree of risk highest harm caused by its possibility, and Safety The level of security of Use Case is determined by the failure of its level of security highest.
b)Failure cause analysis, model are as shown in figure 8, the reason for present invention describes failure by accident analysis, model In list several frequently seen fault type.The triggering of failure is represented with Tigger, in the execution of one or more sentence Cheng Cheng, checks the condition of guarding, if condition is unsatisfactory for, triggers a failure, and then cause use-case to fail.To guarding The description of condition is by Safety Constraint(Security constraint)Represent.Security constraint is divided into three classes:Real-time is about Beam, data constraint and state constraint.Real-time is constrained to periodically or performs the constraint of time;Data constraint is mainly logarithm According to the constraint of value, and state constraint is then the constraint that state is performed to use-case sentence, and state is divided into three classes:Normally, it is abnormal whole Only, endless loop.Condition is described with Safety Condition Sentence and checks sentence.One condition checks that sentence is right One inspection of constraint.Condition inspection is represented with keyword CHECK CONSTRAINT.Such as Constrained sentence c1, its sphere of action It is STEP1, is constrained to STATE=normal, then corresponding condition checks that sentence example is as follows:The system CHECK CONSTRAINT c1。
c)Crash handling, is modeled in Fig. 9 to the control mode for failing.Failure is carried out using certain mitigation strategy Control, Failure Mitigation are defined as one kind of affluent-dividing, a series of handling process of definable to failure at Reason.In addition, being modeled to several conventional crash handling modes.Record is represented and failure is recorded;Retry represents weight Examination disabling portion function, the number of times that its attribute retry_times definition is retried;Progogate is represented in this use-case not to losing Effect is processed, but is handed over to other use-cases or system is processed.Simultaneously can according to failure type and reason, A series of handling process is defined to each failure.With several special statement list non ageing specially treated modes, as scheme Shown in 10.Wherein, the type of service of Record Sentence is RECORD THE FAILURE;Retry Sentence's makes It is RETRY FOR ... TIMES with form;The type of service of Propogate Sentence is PROPOGATE TO USE CASE…。
Step 3:Build the avionics system demand for security template based on RUCM description templates
Shown in Figure 11, the content of RUCM description templates includes:Use-case name(Use Case Nmae), use-case summary (Brief Description), the precondition that use-case is performed(Precondition), the main activities person of use-case(Primary Actor), other activists of use-case(Secondary Actors), the dependence of the use-case and other use-cases (Dependency), the generalization between the use-case and other use-cases(Generalization), the elementary event of the use-case Stream(Basic Flow)And other three flows of event(Global Alternative Flow, Bounded Alternative Flow, Specific Alternative Flow).Wherein each flow of event has to after performing and terminating Have a Post Condition represent the flow of event perform after result, in each of which use-case one and only one Basic Flow, and Global Alternative Flow, Bounded Alternative Flow, Specific Alternative Flow determine its number for existing according to specific practical situation.RUCM description templates are also equipped with when in use Corresponding rule and keyword.
The related expanding of demand for security description is not only carried out in the present invention to RUCM requirement descriptions template, while also increasing Corresponding new rule and keyword.Detailed extension is carried out in terms of the two separately below:
(1)Demand for security description template
The RUCM description templates of standard define only three kinds of flows of event, be respectively elementary event stream, global extension flow of event With local expansion flow of event, just have to be extended flow of event for the description for carrying out demand for security with describe failure and its Corresponding processing mode.Extension flow of event is aiming at certain or some activity thing in an elementary event stream or extension flow of event Other dispositions when part occurs.
Demand for security description template after being extended in the present invention is as follows:
Table 5:Demand for security description template
Table 6:Harm to the system table
Hazard Severity Probability Failure
The essential part of demand for security template and common RUCM use-case templates are consistent substantially, only addition a line SafetyLevel, is described to its level of security.
Add the related conceptual description of security again on this basis, specific extension is as follows:
a)Add the description of failure
Table 7:Failure description
b)Add the degradation treatment description of failure
Table 8:The degradation treatment of failure
Failure Mitigation:Failure degradation measure, is affluent-dividing, and a series of handling process of definable is to failure Processed, it is also possible to add predefined processing mode, each Failure Mitigation there will be a Post Condition with represent this process result.
c)Addition constraint definition
Table 9:Constraint definition
ConstraintID Sentence Constraint
Constraint parts are that the constraint in use-case is defined, and ConstraintID is the mark of constraint, The effective range constrained defined in Sentence fields, Constraint fields are the content of constraint.
d)For whole system adds a harm list
Table 10:Harm list
Hazard Severity Probability Failure
Also need to safeguard whole system one harm list after above-mentioned security extension has been carried out, can be with by the list To all kinds of harm present in system, the order of severity is endangered, the failure that harm probability of happening and initiation endanger is recorded. Hazard represents specific harm, and Severity represents the order of severity of harm, and the generation that Probability represents the harm is general Rate, Failure represents the failure for triggering the harm.
In the present invention, some English does not refer to Chinese meaning, can be that English is translated directly into expressed by Chinese The meaning of one's words.
(2)For demand for security template adds new restriction rule and keyword,
In order to be easy to express and obtain balance between expressing preciseness, RUCM devises 26 constraint rules altogether, wherein 16 rules are used to constrain the use of natural language, and 10 rules are used to define 10 Activity Descriptions with control structure, but These rules are not met by the associated description of software security.Therefore the RUCM rules of standard are extended, the present invention In relevant demand for security description restriction rule and keyword it is as follows:
R1:When the type of the executor of use-case is ExternalSystem or ExternalInstrument, The level of security of ExternalSystem and ExternalInstrument should be not less than the level of security of use-case.
R2:When use-case accesses a certain resource, the level of security of the resource should be not less than the level of security of use-case.
R3:Represented from other use-cases or outside with keyword COLLECT INPUT FROM and DELIEVR OUTPUT TO Data, the communication media used when representing data communication with keyword VIA are collected or sent to equipment.
R4:Represent that multiple failures are common using keyword AND and trigger a harm.
R5:Use keyword>、<,=, IN represented the scope of binding occurrence, and with keyword CHECK CONSTRAINT couple Constraint is checked.
R6:One failure of record is represented using keyword RECORD THE FAILURE.
R7:Represented using keyword RETRY FOR..TIMES and retry operation, the number of times that definable is retried.
R8:Propagated using keyword PROPOGATE TO USE CASE tables non ageing.
R9:When failure travels to another use-case to be processed, the level of security of the use-case should be not less than currently The level of security of use-case.
R10:The level of security of each failure is determined by the order of severity of the harm of its most serious for triggering, and each use-case Level of security by its level of security highest failure determine.
Embodiment
Demand for security is described using demand for security template and keyword in following example.

Claims (2)

1. a kind of demand for security modeling method suitable for avionics system, it includes the following steps:
Step one:Set up the domain-conceptual model of demand for security;
Safety identification establishment is carried out to existing avionics system software according to RTCA/DO-178B standards and obtains domain-conceptual model;
Step 2:Build the graphic extension of the avionics system based on UCMeta meta-models;The graphic extension of the avionics system be according to The domain-conceptual model of the demand for security obtained according to step one is extended and obtains to UCMeta meta-models;
Step 3:Build the avionics system demand for security template based on RUCM description templates;The avionics system demand for security template It is to be added continuous item on RUCM description templates to obtain;
In step 2, domain-conceptual model is converted into UML Profile, to carrying out safety in the meta-model UCMeta of RUCM Extension;Refined in Actor, carrying out Security Extensions to Use Case sets up SafetyUse Case;Analysis field is general Model is read, description template and restriction rule and the use of keyword of demand for security is determined;Extension RUCM description templates enter Row demand for security is described, and the description of 10 safe description rules of addition and some keywords to ensure RUCM is complete, accurate, nothing two Justice;UCMeta after extension creates the Use Case Diagram for supporting demand for security description, while user passes through each Use Case have carried out the function description and demand for security description of complete and accurate;
It is characterized in that:
The step of being refined in Actor has:
Step 301:Actor is extended according to the characteristics of embedded real time system, Actor is divided into four types: Timer, Human Actor, External Instrument and External System;
Step 302:Periodic task is included in embedded real time system, and Timer is then used for triggering a cycle Action, its attribute duration represents the time span in the cycle;The type NFD_Duration of its value includes the unit of time And time value;Human Actor are represented and are used the user for triggering its related example;
Step 303:External Instrument represent the external equipment that data exchange is carried out with use-case, i.e. sensor or letter Number receiver;Its attribute direction and signal represent data transfer direction and signal type respectively;
Step 304:External System represent outside use-case, subsystem or the system interacted with use-case;
Step 305:External Instrument and External System define level of security;
Described Use Case refinement steps have:
Step 401:Safety Use Case are inherited from Use Case;Safety Use Case are defined as realizing security function Use-case, and security function then represents the function that the failure of system or its part is identified and is processed, therefore, it is each Individual Safety Use Case must be associated with the identification and treatment of one or more failures;
Step 402:Level of security is defined and divided in foundation DO-178B standards, the security of Safety Use Case Rank is divided into five grade level-A to level-E, corresponds to respectively catastrophic, dangerous/serious, heavier, lighter , without influence;
Described safe description rule is:
R1:When the type of the executor of use-case is ExternalSystem or ExternalInstrument, The level of security of ExternalSystem and ExternalInstrument should be not less than the level of security of use-case;
R2:When use-case accesses a certain resource, the level of security of the resource should be not less than the level of security of use-case;
R3:Represented from other use-cases or external equipment with keyword COLLECT INPUT FROM and DELIEVR OUTPUT TO Collect or send data, the communication media used when representing data communication with keyword VIA;
R4:Represent that multiple failures are common using keyword AND and trigger a harm;
R5:Use keyword>、<,=, IN represented the scope of binding occurrence, and with keyword CHECKCONSTRAINT to constraint Checked;
R6:One failure of record is represented using keyword RECORD THE FAILURE;
R7:The number of retries for retrying operation is represented using keyword RETRY FOR TIMES;
R8:Propagated using keyword PROPOGATE TO USE CASE tables non ageing;
R9:When failure travels to another use-case to be processed, the level of security of the use-case should be not less than current use-case Level of security;
R10:The level of security of each failure is determined by the order of severity of the harm of its most serious for triggering, and the peace of each use-case Full rank is determined by the failure of its level of security highest.
2. the demand for security modeling method suitable for avionics system according to claim 1, it is characterised in that avionics system The complete structure of demand for security template is:
FailureID:The identification number of each failure;
FailureDescription:Failure behaviour is briefly described;
Failure Mode:Failure mode, its value is enumeration type;
Failure Cause:Failure cause, to trigger the type of the failure of failure, its value is enumeration type;
Level:The level of security of failure, determines according to the order of severity endangered caused by it;
Hazard:Fail the harm title for triggering;
FailureMitigate:Failure Mitigation methods;
Constraint parts are that the constraint in use-case is defined, and ConstraintID is the mark of constraint, Sentence Defined in constrain effective range, constraint be constraint content.
CN201310595322.0A 2013-11-21 2013-11-21 Safety requirement modeling method applicable for avionics system Active CN103853871B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310595322.0A CN103853871B (en) 2013-11-21 2013-11-21 Safety requirement modeling method applicable for avionics system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310595322.0A CN103853871B (en) 2013-11-21 2013-11-21 Safety requirement modeling method applicable for avionics system

Publications (2)

Publication Number Publication Date
CN103853871A CN103853871A (en) 2014-06-11
CN103853871B true CN103853871B (en) 2017-05-24

Family

ID=50861523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310595322.0A Active CN103853871B (en) 2013-11-21 2013-11-21 Safety requirement modeling method applicable for avionics system

Country Status (1)

Country Link
CN (1) CN103853871B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104461882B (en) * 2014-11-29 2017-05-17 中国航空工业集团公司第六三一研究所 Method for model verification of software conforming to DO-178B/C A level
CN104965956B (en) * 2015-07-16 2017-11-21 北京航空航天大学 A kind of requirements verification method based on RUCM
CN105373650B (en) * 2015-10-15 2018-09-28 北京航空航天大学 IMA dynamic restructuring modeling methods based on AADL
CN105976080A (en) * 2016-03-24 2016-09-28 中国人民解放军装甲兵工程学院 Combat command control flow modeling method
CN106020826B (en) * 2016-05-23 2019-04-02 北京航空航天大学 A kind of safe case modeling method based on template
CN107590339B (en) * 2017-09-14 2020-05-01 西北工业大学 Comprehensive modular avionics system performance degradation modeling and simulation method
CN109783870B (en) * 2018-12-18 2020-12-29 北京航空航天大学 Human-computer interaction risk scene identification method based on formal verification
CN111984229B (en) * 2020-07-24 2022-02-01 南京航空航天大学 Method for generating formal demand model for field natural language demand
CN112306476B (en) * 2020-11-03 2023-04-14 中国航空工业集团公司西安航空计算技术研究所 Embedded system security modeling method
CN112612241B (en) * 2020-12-15 2021-09-28 中国航空综合技术研究所 Safety analysis method for software of field programmable logic device of aviation equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101894192A (en) * 2010-07-19 2010-11-24 北京航空航天大学 Simulation and demonstration system for design and validation of AFDX (Avionics Full Duplex Switched Ethernet) network and simulation and demonstration method thereof
CN101908962A (en) * 2009-12-24 2010-12-08 中国航空工业集团公司第六三一研究所 Key management method for integrated avionic system
CN102566443A (en) * 2011-12-29 2012-07-11 中国航空工业集团公司第六三一研究所 Simulation verification system and method for integrated avionics system model based on artifact design description language (ADDL)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101908962A (en) * 2009-12-24 2010-12-08 中国航空工业集团公司第六三一研究所 Key management method for integrated avionic system
CN101894192A (en) * 2010-07-19 2010-11-24 北京航空航天大学 Simulation and demonstration system for design and validation of AFDX (Avionics Full Duplex Switched Ethernet) network and simulation and demonstration method thereof
CN102566443A (en) * 2011-12-29 2012-07-11 中国航空工业集团公司第六三一研究所 Simulation verification system and method for integrated avionics system model based on artifact design description language (ADDL)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Ensuring Safety of Avionics Software at the Architecture Design Level:An Industrial Case Study;Ji Wu,et al;《2013 13th International Conference on Quality Software》;20130730;摘要,正文第1,3部分 *
面向可信的航空嵌入式软件开发方法框架;牛文生 等;《北京航空航天大学学报》;20121231;第38卷(第12期);摘要,第1,4部分) *

Also Published As

Publication number Publication date
CN103853871A (en) 2014-06-11

Similar Documents

Publication Publication Date Title
CN103853871B (en) Safety requirement modeling method applicable for avionics system
Biggs et al. A profile and tool for modelling safety information with design information in SysML
Abdulkhaleq et al. A comprehensive safety engineering approach for software-intensive systems based on STPA
Zoughbi et al. Modeling safety and airworthiness (RTCA DO-178B) information: conceptual model and UML profile
Boulanger CENELEC 50128 and IEC 62279 standards
Carvalho et al. NAT2TESTSCR: Test case generation from natural language requirements based on SCR specifications
Feiler et al. Automated fault tree analysis from aadl models
Backes et al. Requirements analysis of a quad-redundant flight control system
US11586976B2 (en) Method and apparatus for creating tests for execution in a storage environment
Al-Lail et al. An Approach to Analyzing Temporal Properties in UML Class Models.
Uludağ et al. Integration of systems design and risk management through model‐based systems development
Luo et al. Applying sofl to a railway interlocking system in industry
Medikonda et al. A framework for software safety in safety-critical systems
McGregor et al. Analysis and design of safety-critical, cyber-physical systems
Zalewski et al. Safety of computer control systems: challenges and results in software development
Ye Justifying the use of COTS Components within safety critical applications
Feiler et al. Architecture fault modeling and analysis with the error model annex, version 2
Gerhart et al. Regulatory case studies
Lahtinen Hardware failure modelling methodology for model checking
Verhulst et al. Antifragility: systems engineering at its best
Medikonda et al. An approach to modeling software safety in safety-critical systems
Delmas et al. Smt-based synthesis of fault-tolerant architectures
Luckey et al. QUAASY: Quality assurance of adaptive systems
Höfig et al. MetaFMEA-A framework for reusable FMEAs
Kumar et al. Safety analysis of safety‐critical systems for their applicability on NPP systems: A state‐of‐the‐art review

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant