CN106874200B - Embedded software reliability modeling and evaluating method based on AADL - Google Patents
- Publication number: CN106874200B (application CN201710077564.9A)
- Authority: CN (China)
- Prior art keywords: model, fault, state, reliability, aadl
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3684—Test management for test design, e.g. generating new test cases
Abstract
The invention discloses an AADL (Architecture Analysis and Design Language) based embedded software reliability modeling and evaluation method, which comprises the following steps: 1) establishing an AADL reliability model of the embedded software; 2) extracting the reliability elements in the AADL reliability model and establishing, in the Z language, a reliability model ZAL comprising a fault model, a structural model and a behavior model; 3) describing the ZAL model by a discrete-time Markov chain (DTMC), giving a PCTL formula that describes the reliability of the embedded software, and calculating the PCTL formula with the proposed reliability evaluation algorithm ZARE to obtain the instantaneous availability and complete the reliability evaluation. The invention not only expresses the embedded software hierarchically, concisely, clearly and understandably, but, because ZAL is a formal model, also allows the reliability to be strictly analyzed and evaluated by methods such as model checking.
Description
Technical Field
The invention belongs to the fields of trusted computing, software engineering, and formal modeling and verification, and specifically provides an AADL-based embedded software reliability modeling and evaluation method.
Background
In the field of software reliability research, the study of software reliability models has always occupied an important position and is also the area with the most abundant results. How to establish a software reliability model as early as possible, reduce the modeling complexity, and enable the model to accurately depict the propagation of faults among components is an important part of software reliability research.
Software modeling methods are mainly divided into semi-formal and formal methods. Software engineering generally uses semi-formal specifications to describe software structure and behavior, which have the advantages of being easy to understand and use. AADL (Architecture Analysis and Design Language) was proposed by the SAE (Society of Automotive Engineers) on the basis of MetaH and UML. AADL adopts a mode in which a single model supports multiple analyses, and fuses the key links of system design, analysis, verification and automatic code generation under a unified framework. Northwestern Polytechnical University established a safety model based on the AADL error model annex and hazard model annex, and converted it into a GSPN model to analyze software safety. Munoz M of the NASA Jet Propulsion Laboratory established an AADL information flow model and carried out latency analysis, demonstrating the potential of AADL for space systems.
However, as a semi-formal language, AADL is not conducive to strict analysis and verification of reliability. Therefore, extensive research has been carried out on the formal semantics of AADL. Some researchers have summarized two methods for describing AADL formal semantics. The formal semantic description of AADL mainly adopts a conversion method (translation semantics), which can be roughly divided into two types: the first defines the AADL semantics in a formal language with precise semantics and then converts according to those semantics; the second converts the AADL model directly into another formal model. The former is called explicit description (explicit): imprecise AADL semantics can be formalized and the semantics described more completely; the latter is called implicit description (implicit) and aims to directly use the existing formal analysis tools of the target semantic model. Existing AADL reliability modeling and verification generally adopts implicit description. Sun H et al. at Iowa State University proposed combining fault trees with AADL models for reliability and safety analysis. Boudali H et al. at the University of Twente proposed an extensible reliability assessment framework that supports multiple modeling languages including AADL and UML, automatically converts the input model to an IO-IMC (input/output interactive Markov models) model, then performs reliability analysis based on the CADP tool, and supports compositional reliability analysis for the reliability requirements of complex systems.
However, the existing implicit descriptions have the following defects. In general, existing methods all assume that the converted semantics are consistent, but the semantic descriptions cannot be guaranteed to be consistent and are not precise enough: existing model conversion techniques are based on the existing semantics of AADL, and some AADL semantics are explained by natural language and examples, so the given semantics are not precise enough and the semantic conversion may be neither accurate nor complete. On the other hand, the existing model conversion methods each have their own disadvantages: Petri nets can describe the dynamic behavior of most asynchronous, concurrent systems well, but their models tend to become very large; fault trees can comprehensively and visually describe the causal relationships of faults, but quantitative analysis of fault events with added occurrence probabilities is very difficult. Therefore, in order to keep the model concise and describe the probability factors in it, the invention adopts the Z language, which can strictly describe data constraints, to formally define the reliability elements in AADL, and models reliability at three levels, the fault model, the structural model and the behavior model, so that the model becomes concise, clear and easy to understand.
Properties of software are verified on the basis of the Z language mainly by model checking. The Z language is extended with dynamic semantics and combined with a software behavior modeling method to establish a software model that couples the static and dynamic views of the software, and automatic verification of the Z language can be realized directly by correspondingly improving existing model checking methods. Hoenicke et al. at the University of Oldenburg, Germany, studied model checking of the CSP-OZ-DC model, proposed timed automata as an intermediate language to describe the event and data constraints of the model, and adopted the constraint-based model checker ARMC to verify the communication, data constraints and real-time constraints of the model. Mota et al. at the Federal University of Pernambuco, Brazil, convert the Z language to a CSP_M model and perform deadlock analysis with the FDR model checker. Cao Zining of Nanjing University of Aeronautics and Astronautics provides a temporal logic and its model checking algorithm on the finite-domain ZIA model, which can verify software states and data constraints in an operation protocol. On the basis of the ZAL model, and considering the probability distribution attributes of the multiple elements in the ZAL model, the invention provides an embedded software reliability evaluation algorithm ZARE (Reliability Evaluation on AADL) based on probabilistic model checking, with which the reliability of embedded software can be strictly analyzed and evaluated.
Because the generation and propagation of faults in the ZAL model occur probabilistically, a model checking method based on the ZAL model should take probability factors into account, and existing model checking methods for the Z language have no results related to probabilistic model checking.
Disclosure of Invention
The invention aims to provide an AADL-based embedded software reliability modeling and evaluation method, so that the reliability of embedded software can be described in the form of predicate constraints, formal verification is facilitated, and good extensibility is achieved.
The technical solution for realizing the purpose of the invention is as follows. An AADL-based embedded software reliability modeling and evaluation method comprises the following steps:
Step 1, establishing a semi-formal model, specifically an AADL reliability model comprising a structure model and a fault model; the structure model comprises component names, component attributes, connections and flows, and the fault model comprises fault types, fault behaviors and fault propagation;
Step 2, extracting the reliability modeling elements in the AADL reliability model, where the reliability modeling elements comprise component names, connections, flows, fault behaviors and fault propagation;
Step 3, establishing the embedded software reliability model ZAL, specifically converting the semi-formal model into a formal model, extending the model, and supplementing its operation protocol and reliability constraints, comprising the following steps:
Step 3-1, mapping the component states, fault behavior events and fault propagation points defined by the AADL reliability model to the ErrorState, Ebe and Epp set elements in the ZAL fault model ZA_error, where the attributes of an ErrorState set element comprise all possible states of a component and the probability distribution type corresponding to each state, the attributes of an Ebe set element comprise the event type and the probability distribution type of the event occurrence, and the attributes of an Epp set element comprise the type of the fault propagation and the probability distribution type of successful fault propagation;
Step 3-2, mapping the component names, connections and flows defined by the AADL reliability model to the Component, Connection and Flow set elements in the ZAL structure model ZA_structure, where the attributes of a Component set element comprise the state of the component, its current fault behavior event and its current fault propagation point, the attributes of a Connection set element comprise the connection relation between components, and the attributes of a Flow set element comprise the fault propagation points through which a fault propagates;
Step 3-3, mapping the fault propagation and state transitions defined by the AADL reliability model to the OutPropagation, InPropagation and Transition set elements in the ZAL propagation model ZA_behavior, where the attributes of an OutPropagation set element comprise a component name and the fault propagation point generating the fault, the attributes of an InPropagation set element comprise a component name, a connection between components and the fault propagation point transmitting the fault, the attributes of a Transition set element comprise a component name, a fault behavior event and the fault propagation point generating the state transition, and the occurrence conditions of these three elements and their probability distributions are described in predicate constraints;
Step 4, evaluating the reliability on the basis of the ZAL model to obtain the reliability evaluation result.
Compared with the prior art, the invention has the following remarkable advantages: 1) the method defines a corresponding fault model and structure model for each component of the embedded software and a behavior model for fault propagation among components, represents the system hierarchically, and is easy to understand, simple and clear, without a bloated model; 2) the method inherits the strong data constraint capability and good extensibility of the Z language, can describe probabilities, and allows reliability elements to be added conveniently.
The present invention is described in further detail below with reference to the attached drawing figures.
Drawings
Fig. 1 is a flowchart of an AADL-based embedded software reliability modeling and evaluation method.
FIG. 2 is an AADL architecture diagram of the flight management system.
FIG. 3 is an AADL reliability model for thread APC.
FIG. 4 is a state transition diagram of the thread APC.
Detailed Description
The invention relates to an AADL-based embedded software reliability modeling and evaluation method, which specifically comprises the following steps:
Step 1, establishing a semi-formal model, specifically an AADL reliability model comprising a structure model and a fault model; the structure model comprises component names, component attributes, connections and flows, and the fault model comprises fault types, fault behaviors and fault propagation;
the component names refer to the names of the specific devices, processes, threads and ports in the embedded software;
the component attributes refer to the attributes of the specific devices, processes, threads and ports in the embedded software;
a connection refers to a connection between components and indicates that a control flow or data flow exists between them;
a flow refers to a path for information flow transmission between components;
a fault type refers to the type of fault occurring in a component, including service-related, value-related and time-related faults; fault types can also be user-defined;
the fault behavior defines fault behavior events, component states and state transitions, where the component states comprise a normal state and fault states;
fault propagation refers to the occurrence of a fault and its propagation to other components, and defines fault propagation points to indicate the direction of propagation, the fault propagation points being of two types, outgoing and incoming.
Step 2, extracting the reliability modeling elements in the AADL reliability model, where the reliability modeling elements comprise component names, connections, flows, fault behaviors and fault propagation;
Step 3, establishing the embedded software reliability model ZAL, specifically converting the semi-formal model into a formal model, extending the model, and supplementing its operation protocol and reliability constraints, comprising the following steps:
Step 3-1, mapping the component states, fault behavior events and fault propagation points defined by the AADL reliability model to the ErrorState, Ebe and Epp set elements in the ZAL fault model ZA_error, where the attributes of an ErrorState set element comprise all possible states of a component and the probability distribution type corresponding to each state, the attributes of an Ebe set element comprise the event type and the probability distribution type of the event occurrence, and the attributes of an Epp set element comprise the type of the fault propagation and the probability distribution type of successful fault propagation;
Step 3-2, mapping the component names, connections and flows defined by the AADL reliability model to the Component, Connection and Flow set elements in the ZAL structure model ZA_structure, where the attributes of a Component set element comprise the state of the component, its current fault behavior event and its current fault propagation point, the attributes of a Connection set element comprise the connection relation between components, and the attributes of a Flow set element comprise the fault propagation points through which a fault propagates;
Step 3-3, mapping the fault propagation and state transitions defined by the AADL reliability model to the OutPropagation, InPropagation and Transition set elements in the ZAL propagation model ZA_behavior, where the attributes of an OutPropagation set element comprise a component name and the fault propagation point generating the fault, the attributes of an InPropagation set element comprise a component name, a connection between components and the fault propagation point transmitting the fault, the attributes of a Transition set element comprise a component name, a fault behavior event and the fault propagation point generating the state transition, and the occurrence conditions of these three elements and their probability distributions are described in predicate constraints;
the embedded software reliability model ZAL is divided into a fault model, a structure model and a propagation model, and is used for describing the structure, behavior and reliability constraint of the embedded software, wherein:
(a) ZAL Fault model ZAerrorThe method comprises the elements of fault state, fault behavior event and fault propagation point modeling, wherein the probability distribution type of the elements comprises Fixed value Fixed, Poisson distribution Poisson and highGaussian distribution Gauss;
(b) ZAL structural model ZAstructureComprises components, connections and flow modeling elements;
(c) ZAL propagation model ZAbehaviorIncluding outgoing faults, incoming faults, state transition modeling elements, and their respective ZAerrorAnd ZAstructureThe binary relation between various elements.
Step 4, evaluating the reliability on the basis of the ZAL model to obtain the reliability evaluation result. Specifically, the instantaneous availability in the ZAL model on a bounded domain is calculated as follows:
(1) S_T represents the set of relevant states in the system, namely the component states in the ZAL fault model;
(2) the initial state of the system is the normal state contained in the component states of the AADL fault model;
(3) the probability function prob: S_T × S_T → [0,1] represents the probability constraint imposed on state transitions, i.e. the probability distribution of the conditions under which a state transition occurs in the ZAL behavior model; the probability is a real number, and for any state s the formula ∑_{s'} prob(s, s') = 1 holds, where s' ranges over the successor states of s, indicating that the sum of the transition probabilities from s to all its successor states s' is 1;
(4) TR_T represents the set of state transitions in the system, namely the state transitions in the ZAL behavior model;
Step 4-2, converting the quadruple T into a discrete-time Markov chain (DTMC), which is a six-tuple M = (S_M, S_in, Ap, L, pb, T_M), where:
(1) S_M is a finite set of states;
(2) S_in ∈ S_M is the initial state;
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) pb: S_M × S_M → [0,1] is the state transition probability function, and for any state s, ∑_{s'} pb(s, s') = 1 holds, where s' ranges over the successor states of s;
The conversion rules from the AADL model to the DTMC are as follows:
T is the quadruple obtained from the AADL model, which is converted to the DTMC M = (S_M, S_in, Ap, L, prob, T_M), where:
(1) S_M = {s_i : s_Ti ∈ S_T, i ∈ N}; s_i ∈ S_M is a state of the DTMC, and s_Ti ∈ S_T is a state in the ZAL model T;
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) probability function prob → pb, i.e. prob: S_T × S_T → [0,1] = pb: S_M × S_M → [0,1], meaning that the probability value assigned by the probability function in the DTMC equals the probability distribution in the ZAL model;
(6) T_M is the set of state transition relations, where s_i ∈ S_M and s_j ∈ S_M correspond to the states t_i ∈ S_T and t_j ∈ S_T in the AADL model T, respectively the start and the end of a state transition, and each state transition (s_i → s_j) represents the state transition (t_i → t_j) in the AADL model T;
Step 4-3, describing the availability with probabilistic computation tree logic (PCTL), where:
PCTL is obtained by extending CTL temporal logic with a probability operator P_{~p};
A PCTL path is defined as follows: let M be a discrete-time Markov chain; a path π in M is an infinite sequence of states s_0, s_1, …, and the notation Paths(s) denotes the set of paths starting from s;
PCTL state formulas over the atomic proposition set Ap are defined as follows:
where true denotes a tautology; a is an atomic proposition; the formula φ ∧ φ is the conjunction of two sub-formulas; the negation formula expresses that a proposition does not hold; p ∈ [0,1] and ~ ∈ {<, >, ≤, ≥}; the remaining formula is a path formula, and P_{~p} applied to a path formula denotes that the probability with which the path formula holds satisfies the relation ~ with p;
PCTL path formulas are defined as follows:
where φ, φ1, φ2 are state formulas; Xφ means that φ holds in the next state of the path; Fφ means that φ holds in some future state of the path; Gφ means that all states on the path satisfy φ; φ1 U φ2 means that φ2 holds at some state of the path and all states before it satisfy φ1; φ1 R φ2 means that φ2 holds while φ1 is not satisfied;
The bounded semantics of PCTL is defined as follows: let a ∈ Ap be an atomic proposition, M = (S_M, S_in, Ap, L, pb, T_M) a discrete-time Markov chain, s ∈ S_M, φ1 and φ2 PCTL state formulas based on P_{≥p}, the path formula based on P_{≥p}, and k a natural number called the bound;
The satisfaction relation |=_k for state formulas is defined as:
(1) s |=_k a if and only if a ∈ L(s);
(2) s |=_k φ1 ∧ φ2 if and only if s |=_k φ1 and s |=_k φ2;
(3) s |=_k φ1 ∨ φ2 if and only if s |=_k φ1 or s |=_k φ2;
The satisfaction relation |=_k for path formulas is defined as:
(1) π |=_k Xφ1 if and only if k ≥ 1 and π(1) |=_k φ1;
(2) π |=_k Fφ1 if and only if there is a natural number i ≤ k such that π(i) |=_k φ1;
(3) π |=_k Gφ1 if and only if π(i) |=_k φ1 for every natural number i ≤ k, and there is a natural number 0 ≤ j ≤ k such that P(π(k), π(j)) > 0, so that the path π = π(0)… can continue as an infinite loop (denoted by ω);
(4) π |=_k φ1 U φ2 if and only if there is a natural number i ≤ k such that π(i) |=_k φ2 and π(j) |=_k φ1 for every natural number j < i;
(5) π |=_k φ1 R φ2 if and only if: a) π(i) |=_k φ2 for every natural number i ≤ k, and there is a natural number 0 ≤ j ≤ k such that P(π(k), π(j)) > 0 (the infinite-loop case, ω); or b) there is a natural number m ≤ k such that π(m) |=_k φ1 and π(n) |=_k φ2 for every natural number n < m;
The instantaneous availability is one of the reliability metrics and is defined as follows:
the software system has a normal state and a fault state, expressed by X(t) with t ≥ 0;
the instantaneous availability of the system at time t is the probability that the system is in the normal state at time t, i.e. A(t) = P(X(t) = 1);
In model checking, an atomic proposition a_s denotes the current state s, i.e. a_s true indicates that the current state is s; in the DTMC the initial state S_in corresponds to the normal state of the components in the ZAL model, so when the atomic proposition of S_in is true, X(t) = 1, and the probability that it is true at the current time equals the instantaneous availability. The PCTL formula expresses that the probability of the software system being in the normal state in the future is not lower than r, with time t corresponding to the bound t in PCTL; let r = Pr(s |=_t φ); t is increased continuously, the results obtained at the previous and the current t are subtracted, and if the difference is smaller than a preset termination criterion the calculation stops and the result is obtained, otherwise the calculation continues;
Step 4-4, adopting the reliability evaluation algorithm ZARE to calculate the value r for which the formula is true, namely the corresponding instantaneous availability, thereby obtaining the reliability evaluation result;
The reliability evaluation algorithm ZARE is as follows:
let x(s, φ, t) = Pr(s |=_t φ)
Input:
1) discrete-time Markov chain M = (S_M, S_in, Ap, L, pb, T_M), s ∈ S_M;
2) PCTL path formula φ;
3) bound t;
4) m, ξ (m is the increment of the bound in each round, ξ is the termination criterion);
Output: r (r = Pr(s |=_t φ))
Step 3, if x(s, φ, t) − x(s, φ, t−m) ≥ ξ, return to Step 2, otherwise execute the next step;
Step 4. r = x(s, φ, t), output r.
The method is described in more detail below.
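As an added example (not code from the patent), the following Python script builds a small constructed two-component ZAL-style fault model, converts it to a DTMC following the step 4-2 rules, checks the row-sum constraint of step 4-1, and runs the ZARE iteration of step 4-4. It assumes x(s, φ, t) is read as the probability P(X(t) = 1) of being in the normal state after t steps; all component names and probabilities are invented for the example.

```python
"""Added example, not code from the patent: a constructed two-component ZAL-style
fault model converted to a DTMC (step 4-2), the row-sum check of step 4-1, and the
ZARE bounded iteration of step 4-4 for instantaneous availability."""
from itertools import product
from typing import Dict, List, Tuple

State = Tuple[str, ...]    # one ZAL component state per component, e.g. ("normal", "failed")
Dist = Dict[State, float]  # probability distribution over DTMC states
NORMAL, FAILED = "normal", "failed"

# --- constructed ZAL model (all names and probabilities are invented for the example) ---
# Structure model: component names and one connection (a flow) from A to B.
COMPONENTS = ("A", "B")
# Fault model, Ebe elements with Fixed distribution type: per-step probability of the
# ErrorEvent (normal -> failed) and RepairEvent (failed -> normal) of each component.
ERROR_EVENT = {"A": 0.05, "B": 0.02}
REPAIR_EVENT = {"A": 0.50, "B": 0.40}
# Fault model, Epp element: probability that a fault of the source component propagates
# successfully over the connection to the target component's incoming point.
PROPAGATION = {("A", "B"): 0.60}
NORMAL_STATE: State = tuple(NORMAL for _ in COMPONENTS)  # S_in: every component normal


def step_fail_probability(comp: str, current: State) -> float:
    """Per-step probability that a normal component enters its fault state: its own
    ErrorEvent or an incoming propagation from a failed source; the causes are taken as
    independent, so P(fail) = 1 - prod(1 - p_cause)."""
    stay_normal = 1.0 - ERROR_EVENT[comp]
    for (src, dst), p_prop in PROPAGATION.items():
        if dst == comp and current[COMPONENTS.index(src)] == FAILED:
            stay_normal *= 1.0 - p_prop
    return 1.0 - stay_normal


def build_dtmc() -> Tuple[List[State], Dict[State, Dist]]:
    """Conversion rule of step 4-2: S_M is the product of the component states and
    pb(s, s') is the product of the per-component transition probabilities."""
    states = [tuple(s) for s in product((NORMAL, FAILED), repeat=len(COMPONENTS))]
    pb: Dict[State, Dist] = {}
    for s in states:
        row: Dist = {}
        for s_next in states:
            p = 1.0
            for i, comp in enumerate(COMPONENTS):
                if s[i] == NORMAL:
                    q = step_fail_probability(comp, s)
                    p *= q if s_next[i] == FAILED else 1.0 - q
                else:
                    q = REPAIR_EVENT[comp]
                    p *= q if s_next[i] == NORMAL else 1.0 - q
            row[s_next] = p
        pb[s] = row
    return states, pb


def rows_sum_to_one(pb: Dict[State, Dist], tol: float = 1e-12) -> bool:
    """Constraint of step 4-1: for every state s, the sum over s' of prob(s, s') is 1."""
    return all(abs(sum(row.values()) - 1.0) < tol for row in pb.values())


def advance(dist: Dist, pb: Dict[State, Dist], steps: int) -> Dist:
    """Push a state distribution forward by the given number of DTMC steps."""
    for _ in range(steps):
        nxt: Dist = {}
        for s, p in dist.items():
            for s_next, q in pb[s].items():
                nxt[s_next] = nxt.get(s_next, 0.0) + p * q
        dist = nxt
    return dist


def transient_normal_probability(pb: Dict[State, Dist], s: State, t: int) -> float:
    """x(s, φ, t) with φ read as 'the system is in the normal state at the bound t':
    A(t) = P(X(t) = 1) for a run that starts in s (interpretation assumed here)."""
    return advance({s: 1.0}, pb, t).get(NORMAL_STATE, 0.0)


def zare(pb: Dict[State, Dist], s: State, m: int = 1, xi: float = 1e-6,
         max_t: int = 100_000) -> Tuple[float, int]:
    """ZARE: raise the bound t by m per round and stop as soon as consecutive values
    of x(s, φ, t) differ by less than ξ; returns (r, t) with r = x(s, φ, t)."""
    dist: Dist = {s: 1.0}
    prev, t = dist.get(NORMAL_STATE, 0.0), 0
    while t < max_t:
        dist, t = advance(dist, pb, m), t + m
        cur = dist.get(NORMAL_STATE, 0.0)
        if abs(cur - prev) < xi:  # termination criterion ξ reached
            return cur, t
        prev = cur
    raise RuntimeError("ZARE did not converge within max_t steps")


if __name__ == "__main__":
    _, pb = build_dtmc()
    assert rows_sum_to_one(pb)
    r, t = zare(pb, NORMAL_STATE, m=1, xi=1e-6)
    print(f"instantaneous availability A(t) settled at r={r:.6f} after t={t} steps")
```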
The AADL-based embedded software reliability modeling and evaluation method provided by the invention establishes ZAL models, which are mainly divided into a fault model, a structural model and a behavior model. The ZAL model is defined by Z language schemas, and a formal description of each kind of constraint in the embedded software is given for strict analysis and verification. The predicates of the Z language constrain the attributes of the modeling elements, so that the established model is consistent and the accuracy and efficiency of software modeling are improved.
1. ZAL failure model
The modeling elements of the ZAL fault model include component states, fault behavior events and fault propagation points. The basic data types of the ZAL fault model are the fault behavior event type EventType, the probability distribution type DistributionType, the fault type ErrorType and the fault propagation type ErrorPropagationType. EventType comprises the fault event ErrorEvent, the recovery event RecoverEvent and the repair event RepairEvent; DistributionType comprises the fixed value Fixed, the Poisson distribution Poisson and the Gaussian distribution Gauss; ErrorType comprises the service-related fault ServiceRelatedError, the value-related fault ValueRelatedError, the time-related fault TimingRelatedError, the replication-related fault ReplicationRelatedError and the concurrency-related fault ConcurrentRelatedError, and fault types can be customized as needed; ErrorPropagationType comprises the incoming fault incoming and the outgoing fault outgoing.
The formalization of the AADL fault model is defined as follows:
The specific definitions of the triple in ZA_error are given below:
(1) component State ComState
The component state is the state of a component in the embedded software and is divided into the initial state (normal state) and fault states. Whether a component is in the normal state is an important basis for evaluating its reliability, and isInitial indicates whether the component is in the initial state. For a fault state, the corresponding fault type ErrorType needs to be described. In order to describe the probability distribution parameters generated at a fault propagation point, a probability distribution must be defined, which includes two parameters, the probability distribution parameter (occurrence) and the probability distribution type (distribution). pbcs represents the true probability, i.e. the probability calculated from the probability distribution. ComState is defined as follows:
In the above schema, the elements in < > are alternatives, CS is the immutable part of the schema name, N denotes the natural numbers, R denotes the real numbers, and 0..1 denotes that pb ranges from 0 to 1.
(2) Fault behavior event ErrorBehaviorEvent
A fault behavior event is one of a group of events that cause a state transition of a component; a fault behavior event has an occurrence probability, so its probability distribution must be defined. The probability distribution is a key parameter for quantitative reliability evaluation, and changes in it can greatly affect the evaluation result. It is defined as follows:
(3) Fault propagation point ErrorPropagationPoint
A fault propagation point is the location at which a fault propagates between components. In the AADL specification, fault propagation is organized by fault type, such as Novalue and Badvalue. In order to describe the AADL elements consistently, the fault type (errortype) is also given here, although in the quantitative reliability evaluation only the fact of propagation matters and the fault type has no influence. The fault propagation point type (propagation) comprises incoming fault points and outgoing fault points. Since fault propagation itself may fail, an outgoing fault point must give a probability distribution pb1 (the probability value calculated from the distribution) for the propagation. Furthermore, an outgoing fault can be regarded as fault generation, which also has a probability distribution pb2, and the combination of the two is the true probability of the fault from generation to the end of propagation. pb1 is denoted pbepp and the combination of pb1 and pb2 is denoted pbreal. If the propagation succeeds once it finishes, an incoming fault point is generated. Although an incoming fault point has no probability of its own, in order to describe with which probability distribution the incoming fault affects the target component, a probability distribution is also defined for it, with the same value as the corresponding outgoing fault, likewise denoted pbreal. It is defined as follows:
2. ZAL structural model
The modeling elements of the ZAL structural model are components, connections and flows. The basic type of the ZAL structural model is the predicate constraint Predicate.
The formalization of the AADL structural model is defined as follows:
Definition 2. The triple $ZA_{structure}$ = (Component, Connection, Flow) is called the ZAL structural model, where Component is the set of components, Connection is the set of component connections, and Flow is the set of component flows.
The specific definitions of the three elements of $ZA_{structure}$ are given below:
(1) Component
In the AADL reliability model the fault model is bound one-to-one to the components, so the ZAL structural model defines the component element in order to bind it to the reliability elements of the ZAL fault model. The declaration part of the component includes the state of the component, the fault behavior events that have occurred, and the fault propagation points. A component may have several fault propagation points at the same time, which is represented by a finite subset of ErrorPropagationPoint. The associated constraints are described in the predicate part. The definition method is as follows:
In the above schema, seq is the sequence type of the Z language and F denotes the finite power set (the set of finite subsets).
(2) Component Connection
In AADL, component connections include port connections, data access connections, bus access connections, and so on. A component connection means that there is an interaction between the components, such as data transmission or communication access, and it is also the precondition for fault propagation between the components. Because there are many kinds of component connection, there may be several connections between two components; these are simplified here to a single connection, which does not affect the reliability evaluation. The direction of a connection does matter, however: connections between two components in different directions (component A connecting to component B, and component B connecting to component A) are regarded as different connections. The declaration part of the component Connection contains the source component sCom and the target component tCom, and the predicate part describes their associated constraints. The definition method is as follows:
(3) Component Flow
In AADL, flows are used to describe and analyze logical paths through the architecture, including data flows, control flows and fault event flows. The component Flow represents a path of fault propagation between components, and the fault path is represented by the fault propagation points it passes through. A component flow may involve several components <componentName_i>Com; the declaration part describes the source and end points of the component flow, and the predicate part describes its associated constraints. The definition method is as follows:
In the above schema, Ξ is used to denote a state space that is declared unchanged, i.e. all variables of <componentName_i>Com are included in the <flowName>Flow schema without change; elements with the subscript i may be repeated.
3. ZAL behavior model
The basic type of the AADL behavior model is the predicate constraint Predicate. The outgoing fault OutPropagation and the state Transition are modeling elements of the AADL behavior model. The association between the AADL behavior model and the fault model is embodied by the inheritance relationship between OutPropagation and Transition and the fault elements of the fault model.
The formalization of the AADL behavioral model is defined as follows:
Definition 3. The triple $ZA_{behavior}$ = (OutPropagation, InPropagation, Transition) is called the ZAL behavior model, where OutPropagation is the set of outgoing faults, InPropagation is the set of incoming faults, and Transition is the set of state transitions.
The specific definitions of the elements of $ZA_{behavior}$ are given below:
(1) Outgoing fault OutPropagation
In the component fault behavior of AADL, when a component is in some fault state, or encounters some incoming fault, the component fails and a fault outgoing point is generated. The definition method is as follows:
In the above schema, Δ is used to declare both the pre-state and the post-state of a state space, i.e. every variable of the state space is declared in a pre-state and a post-state version (a prime ' is appended to the variable to denote its post-state), and the change of the variables caused by the operation is described in the predicate constraint by the relation between the pre-state and post-state values.
The definition of the probability change of the fault outgoing point in an outgoing fault is given below. Let the fault state probability be pbcs, let there be n fault propagation points in total with probabilities $pbepp_i$ ($1 \leq i \leq n$), and let the original probability of the outgoing fault point be pbepp (i.e. the success rate of the fault propagation behavior).
Definition 4. When the fault state results in outgoing fault behavior, the outgoing fault point probability becomes pbcs × pbepp.
Definition 5. When a fault incoming point results in outgoing fault behavior, the outgoing fault point probability becomes
(2) Incoming fault InPropagation
Once a fault outgoing point has been generated, the fault can propagate outwards. If a connection exists between the target component and the source component, the target component may generate a fault incoming point, and the probability distribution of the corresponding outgoing fault point is assigned to the generated fault incoming point; this is stated in the predicate constraint. The definition method is as follows:
The definition of the probability change of the fault incoming point in an incoming fault is given below.
Definition 6. Let the probability of the fault outgoing point be pbepp; then the probability of the fault incoming point equals pbepp.
(3) State Transition
In the component fault behavior of AADL, state transitions are caused by the occurrence of fault behavior events or by incoming faults. The definition method is as follows:
The definition of the probability change of the component state in a state transition is given below. Let the probability of a fault behavior event be pbebe, and let there be n fault propagation points in total with probabilities $pbepp_i$ ($1 \leq i \leq n$).
Definition 7. When a fault behavior event results in a state transition, the component state probability becomes pbebe.
Definition 8. When a fault incoming point results in a state transition, the component state probability becomes
The reliability evaluation method based on the ZAL model is described in detail below.
On the basis of the embedded software behavior model described by the ZAL model and the probability constraints it contains, probabilistic model checking is used to evaluate the reliability. The basic idea of model checking is to express the behavior of the system as a state transition system P, to describe the property of the system by a modal/temporal logic formula, and to turn the verification question "does the system have the expected property?" into the mathematical question "does the state transition system P satisfy the formula?"; further, it is necessary to verify that each state of P satisfies the formula. Based on the ZAL model defined above, we use Probabilistic Computation Tree Logic (PCTL) to describe a reliability metric, the instantaneous availability, and design a reliability evaluation algorithm ZARE (reliability evaluation on AADL).
1. Probabilistic Computation Tree Logic (PCTL)
Probabilistic model checking generally takes a finite Markov chain as the model of the system, because state changes in a typical probabilistic system depend only on the current state, i.e. they satisfy the Markov property. The state space of the AADL model is discrete, so this section describes the AADL model with a Discrete-Time Markov Chain (DTMC). Since the DTMC studied here is homogeneous, the state transition probabilities can be regarded as independent of time, and it is sufficient to describe the DTMC by its state transition probabilities.
Definition 9. A discrete-time Markov chain $M = (S_M, S_{in}, Ap, L, pb, T_M)$ is a six-tuple in which:
(1) $S_M$ is a finite set of states;
(2) $S_{in} \in S_M$ is the initial state;
(3) Ap is a finite set of atomic propositions;
(4) $L: S_M \to 2^{Ap}$ is the labeling function;
(5) $pb: S_M \times S_M \to [0,1]$ is the state transition probability function, and for any state s
$\sum_{s'} pb(s, s') = 1$ holds, where s' ranges over the successor states of s;
To complete the conversion of the ZAL model to a DTMC, we characterize the ZAL model as a quadruple T, where:
(1) $S_T$ is the set of relevant states of the system, i.e. the component states in the ZAL fault model;
(2) the initial state of the system is the state marked initial in the AADL fault model;
(3) the probability function $prob: S_T \times S_T \to [0,1]$ represents the probability constraint imposed on a state transition; the probability is a real value, and for any state s the formula
$\sum_{s'} prob(s, s') = 1$ holds, where s' is a successor state of s;
(4) $TR_T$ is the set of state transitions of the system, i.e. the state transitions in the ZAL behavior model.
Fault propagation is handled as follows. In the ZAL fault model, the final probability of fault propagation, pbreal, is described in the fault propagation point element. In the ZAL behavior model, the outgoing fault and incoming fault elements describe the propagation probability of faults, while the effect of an incoming fault on the state is defined in the state transition element; the effect of fault propagation can therefore be regarded as attributed to the state transitions. The quadruple T described above thus fully describes the probability state space of the component.
The rules for converting the AADL model T to a DTMC are given below:
Suppose T is the probabilistic system derived from the AADL model; it is converted to the DTMC $M = (S_M, S_{in}, Ap, L, prob, T_M)$, where:
(1) $S_M = \{s_i : s_{Ti} \in S_T, i \in N\}$, where $s_i \in S_M$ is a state of the DTMC and $s_{Ti} \in S_T$ is the corresponding state present in the AADL model T;
(3) Ap is a finite set of atomic propositions;
(4) $L: S_M \to 2^{Ap}$ is the labeling function;
(5) the probability function prob → pb, i.e. $prob: S_T \times S_T \to [0,1] = pb: S_M \times S_M \to [0,1]$, meaning that the probability value assigned by the probability function of the DTMC equals the probability distribution in the AADL model;
(6) $T_M$ is the set of state transition relations, where $s_i \in S_M$ and $s_j \in S_M$ correspond to the states $t_i \in S_T$ and $t_j \in S_T$ of the AADL model T and denote the start and end of the transition respectively. Each state transition $(s_i \to s_j)$ represents a state transition $(t_i \to t_j)$ in the AADL model T.
Intuitively, a state transition in the DTMC is the state transition that the AADL model undergoes at run time when the system state changes; each transition carries a probability value and is a random transition, and the same transition is determined by the mapping rule, so the mapping preserves consistency between the two models.
Definition 10 (Path). Let M be a discrete-time Markov chain. A path π in M is an infinite sequence of states $s_0, s_1, \ldots$ such that $P(s_i, s_{i+1}) > 0$; the notation Paths(s) denotes the set of paths starting from s.
Definition 11 (PCTL). The syntax of PCTL state formulas over the atomic proposition set Ap is as follows:
where $\varphi, \varphi_1, \varphi_2$ are state formulas.
To alleviate the state space explosion problem of probabilistic model checking, bounded model checking is adopted. The main idea of bounded model checking is to look for a witness or a counterexample of the property within a finite local part of the system's state space. For the computation tree logic part of PCTL, the techniques of CTL bounded model checking can be used to define its bounded semantics.
Definition 13 (bounded semantics of PCTL). Let a ∈ Ap be an atomic proposition, let $M = (S_M, S_{in}, Ap, L, pb, T_M)$ be a discrete-time Markov chain, let $s \in S_M$, let $\varphi_1, \varphi_2$ be PCTL state formulas based on $P_{\geq p}$, let the path formulas likewise be based on $P_{\geq p}$, and let k be a natural number (called the bound).
The satisfaction relation $\models_k$ for state formulas is defined as:
(1) $s \models_k a$ if and only if $a \in L(s)$;
(2) $s \models_k \varphi_1 \wedge \varphi_2$ if and only if $s \models_k \varphi_1$ and $s \models_k \varphi_2$;
(3) $s \models_k \varphi_1 \vee \varphi_2$ if and only if $s \models_k \varphi_1$ or $s \models_k \varphi_2$;
The satisfaction relation $\models_k$ for path formulas is defined as:
(1) $\pi \models_k X\varphi_1$ if and only if $k \geq 1$ and $\pi(1) \models_k \varphi_1$;
(2) $\pi \models_k F\varphi_1$ if and only if there is a natural number $i \leq k$ such that $\pi(i) \models_k \varphi_1$;
(3) $\pi \models_k G\varphi_1$ if and only if for every natural number $i \leq k$, $\pi(i) \models_k \varphi_1$, and there is a natural number $0 \leq j \leq k$ such that $P(\pi(k), \pi(j)) > 0$ and $\pi = \pi(0) \ldots \pi(j-1)(\pi(j) \ldots \pi(k))^\omega$;
(4) $\pi \models_k \varphi_1 U \varphi_2$ if and only if there is a natural number $i \leq k$ such that $\pi(i) \models_k \varphi_2$ and for every natural number $j < i$, $\pi(j) \models_k \varphi_1$;
(5) $\pi \models_k \varphi_1 R \varphi_2$ if and only if either a) for every natural number $i \leq k$, $\pi(i) \models_k \varphi_2$, and there is a natural number $0 \leq j \leq k$ such that $P(\pi(k), \pi(j)) > 0$ and $\pi = \pi(0) \ldots \pi(j-1)(\pi(j) \ldots \pi(k))^\omega$; or b) there is a natural number $m \leq k$ such that $\pi(m) \models_k \varphi_1$ and for every natural number $n < m$, $\pi(n) \models_k \varphi_2$.
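The five path-formula rules of the bounded semantics, as an added example written by the editor (it is not code from the patent): each rule is evaluated over a finite prefix π(0)..π(k), and the loop condition P(π(k), π(j)) > 0 that G and R require is looked up in the DTMC. The transition probabilities are those of the APC thread given later on the page (s0 = ErrorFree, s1 = Failed); the state labels `normal`/`failed` and the sample prefixes are constructed for this example.

```python
# Added example (editor's code, not part of the patent): the bounded path-formula
# semantics of Definition 13, checked on a finite path prefix pi(0)..pi(k) of a DTMC.
# The DTMC used for the loop condition is the APC chain from the page (s0 = ErrorFree,
# s1 = Failed); the labels and the sample prefixes are constructed for this example.
from typing import Callable, Dict, List, Tuple

State = str
Trans = Dict[Tuple[State, State], float]     # pb(s, s') of the DTMC
StateFormula = Callable[[State], bool]        # a state formula decided per state

APC_PB: Trans = {("s0", "s0"): 0.9946, ("s0", "s1"): 0.0054, ("s1", "s0"): 1.0}
normal: StateFormula = lambda s: s == "s0"    # a_in: the component is in ErrorFree
failed: StateFormula = lambda s: s == "s1"    # the component is in Failed

def _prefix(path: List[State], k: int) -> List[State]:
    """The bounded semantics only look at pi(0)..pi(k); the prefix must be that long."""
    if len(path) < k + 1:
        raise ValueError(f"path prefix has {len(path)} states, bound k={k} needs {k + 1}")
    return path[: k + 1]

def closes_loop(path: List[State], k: int, pb: Trans) -> bool:
    """Loop condition shared by G and R: some 0 <= j <= k with pb(pi(k), pi(j)) > 0,
    so the prefix extends to the infinite path pi(0)..pi(j-1)(pi(j)..pi(k))^omega."""
    return any(pb.get((path[k], path[j]), 0.0) > 0.0 for j in range(k + 1))

def sat_next(path, k, phi1, pb=APC_PB) -> bool:
    """pi |=k X phi1  iff  k >= 1 and pi(1) |= phi1."""
    p = _prefix(path, k)
    return k >= 1 and phi1(p[1])

def sat_eventually(path, k, phi1, pb=APC_PB) -> bool:
    """pi |=k F phi1  iff  some i <= k has pi(i) |= phi1."""
    return any(phi1(s) for s in _prefix(path, k))

def sat_globally(path, k, phi1, pb=APC_PB) -> bool:
    """pi |=k G phi1  iff  every i <= k has pi(i) |= phi1 and the prefix closes a loop."""
    p = _prefix(path, k)
    return all(phi1(s) for s in p) and closes_loop(p, k, pb)

def sat_until(path, k, phi1, phi2, pb=APC_PB) -> bool:
    """pi |=k phi1 U phi2  iff  some i <= k has pi(i) |= phi2 and all j < i have pi(j) |= phi1."""
    for s in _prefix(path, k):
        if phi2(s):
            return True
        if not phi1(s):       # phi1 broken before phi2 was reached
            return False
    return False              # phi2 never reached within the bound

def sat_release(path, k, phi1, phi2, pb=APC_PB) -> bool:
    """pi |=k phi1 R phi2  iff  (a) every i <= k has pi(i) |= phi2 and the prefix closes a
    loop, or (b) some m <= k has pi(m) |= phi1 and all n < m have pi(n) |= phi2
    (case (b) as worded in Definition 13, with n strictly below m)."""
    p = _prefix(path, k)
    if all(phi2(s) for s in p) and closes_loop(p, k, pb):
        return True
    return any(phi1(p[m]) and all(phi2(p[n]) for n in range(m)) for m in range(k + 1))

if __name__ == "__main__":
    # Constructed prefixes over the APC chain: stays healthy / fails once and restarts.
    healthy = ["s0", "s0", "s0", "s0"]
    fail_once = ["s0", "s1", "s0", "s0"]
    print(sat_globally(healthy, 3, normal))         # always normal, s0->s0 closes the loop
    print(sat_until(fail_once, 3, normal, failed))  # normal until the first Failed state
```

The prefix-length guard matters in practice: a bounded check silently passes or fails for the wrong reason if the prefix is shorter than k + 1, so the functions refuse such input instead of indexing past the end.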
2. Software reliability evaluation algorithm based on AADL
Definition 14 (instantaneous availability). Let the system X(t) have two possible states, normal and fault, i.e. for t ≥ 0:
The instantaneous availability of the system at time t is the probability that the system is in the normal state at time t, i.e. $A(t) = P(X(t) = 1)$.
In model checking, an atomic proposition $a_s$ can be used to denote the current state s, i.e. $a_s$ being true means that the current state is s. In the DTMC the initial state $S_{in}$ corresponds to the normal component state of the ZAL model, so when $a_{in}$ is true, X(t) = 1, and the probability that $a_{in}$ is true at the current time is equivalent to the instantaneous availability. A PCTL formula is used to state that the probability of the software system being in the normal state in the future is not lower than r, where the time t of the required instantaneous availability corresponds to the bound t in PCTL.
On the basis of the bounded model checking algorithm for PCTL, a reliability evaluation method ZARE based on the ZAL model is given. The basic idea of the ZARE algorithm is: give the bound an initial value and calculate the corresponding probability, i.e. the instantaneous availability at time t; since many instantaneous availability values arise as t increases, a termination criterion is set; the results obtained for two consecutive values of t are subtracted, and if the difference is smaller than the preset termination criterion the calculation stops and the result is output, otherwise the calculation continues.
Let $x(s, \varphi, t) = Pr(s \models_t \varphi)$.
The ZARE calculation procedure is as follows:
Input:
1) a discrete-time Markov chain $M = (S_M, S_{in}, Ap, L, pb, T_M)$, where $s \in S_M$;
2) a PCTL path formula φ;
3) a bound t;
4) m, ξ (m is the increment of the bound at each step, ξ is the termination criterion).
Output: r ($r = Pr(s \models_t \varphi)$).
Step 2. while $x(s, \varphi, t) - x(s, \varphi, t - m) \geq \xi$ do { return to Step 2 };
Step 3. r := $x(s, \varphi, t)$; output r.
In order to make those skilled in the art better understand the technical problems, technical solutions and technical effects in the present application, the following describes in detail an AADL-based embedded software reliability modeling and evaluation method according to the present invention with reference to the accompanying drawings and the detailed description.
Fig. 2 shows the AADL architecture model of a Flight Management System (FMS), describing the data transmission between its 6 threads. The FMS input data is first processed by the NSP thread component and passed to the INav thread component, which generates integrated navigation data and passes it to the GP, APC and PIO thread components; the guidance and performance optimization data processed by the GP and APC thread components are passed to the FPP thread component to obtain the flight plan data. Finally, all data destined for other subsystems is passed to them via the PIO thread component. The AADL-based embedded software reliability modeling and evaluation method of the invention is illustrated below, taking the thread APC as an example.
Step 1. Establish the AADL reliability model; FIG. 3 shows the AADL reliability model of APC.
Step 2. Extract the reliability elements from the established AADL reliability model; the reliability elements comprise fault types, fault behaviors and fault propagation. Taking APC as an example:
From the AADL reliability model of FIG. 3, APC contains the following reliability elements: two fault behavior events (the failure event Fail and the repair event Restart), two component states (the initial state ErrorFree and the Failed state), two fault propagation points (the incoming fault point send1 and the outgoing fault point send2), and three state transitions (FailTransition, RestartTransition and BadValueTransition).
Step 3. Establish the ZAL model of APC, building the fault model, the structural model and the behavior model in the following 3 steps:
Step 3-1: the ZAL fault model is defined as follows:
(1) Fault state
ErrorFreeCS is the initial state, has no fault type, and isInitial is set to 1; FailedCS is the fault state, its fault type is BadValue, and isInitial is set to 0.
(2) Fault behavior event
The FailEbe event is of type ErrorEvent with occurrence probability distribution 0.0003, Fixed; the RestartEbe event is of type RepairEvent with occurrence probability distribution 1, Fixed.
(3) Fault propagation points
send1Epp is the incoming fault point, its fault type is BadValue, its probability distribution is that of the corresponding outgoing fault point, and the probability is assumed to be 0.0024; send2Epp is the outgoing fault point, its fault type is BadValue, and its probability distribution is 0.8, Fixed.
Step 3-2: the ZAL structural model is defined as follows:
(1) Component
APC is in the initial state, the component state corresponds to ErrorFreeCS, and there is no fault propagation point.
Connections and flows refer to the structure between components, so a component element InavCom corresponding to the thread INav is defined; it has a connection relation with the thread APC and a fault propagation point sendEpp corresponding to send1Epp of the APC. Example definitions of the connection and flow follow.
(2) Connection
(3) Flow
Step 3-3: the ZAL behavior model is defined as follows:
(1) Outgoing fault
When APC is in the fault state FailedCS, a fault is generated, a fault propagation point is activated, and the outgoing fault behavior is triggered.
In the above schema catchfailOp, Epp' = Epp ∪ {send2Epp} indicates that an element is added to the set of fault propagation points of the component after the fault outgoing point is generated, and pbreal' is the post-state of the variable pbreal (the prime marks the post-state).
(2) Incoming fault
APC has a fault incoming point and can receive a fault; the component element corresponding to the thread INav that transmits the fault to APC is InavCom, and the corresponding fault propagation point is sendEpp.
(3) State Transition
APC has 3 state transitions, FailTransition, RestartTransition and BadValueTransition, which correspond to failT, restartT and badvalue respectively. The occurrence condition of failT is that the fault behavior event FailEbe occurs; its effect is that the component state transitions to FailedCS, and the probability distribution of the fault state equals that of the fault behavior event. The remaining state transitions are similar.
Step 4. Evaluate the reliability on the basis of the ZAL model, taking APC as an example. Its state transition diagram is shown in FIG. 4 and comprises the 2 states ErrorFree and Failed (denoted $s_0$ and $s_1$ respectively). The evaluation comprises the following steps:
Step 4-1: the ZAL model of APC is characterized as the quadruple T, where:
(1) $S_T = \{s_0, s_1\}$, with initial state $s_0$;
(4) $prob = \{prob(s_0, s_1) = 0.0054, prob(s_0, s_0) = 0.9946, prob(s_1, s_0) = 1\}$;
(5) $TR_T = \{(s_0, s_0), (s_0, s_1), (s_1, s_0)\}$.
Step 4-2: by the conversion rules above, the DTMC model $M_{APC} = (S_M, S_{in}, Ap, L, pb, T_M)$ is obtained, where:
(1) $S_M = \{s_0, s_1\}$;
(2) $S_{in} = \{s_0\}$;
(3) Ap is a finite set of atomic propositions;
(4) $L: S_M \to 2^{Ap}$ is the labeling function;
(5) $pb = \{pb(s_0, s_1) = 0.0054, pb(s_0, s_0) = 0.9946, pb(s_1, s_0) = 1\}$;
(6) $T_M = \{(s_0, s_0), (s_0, s_1), (s_1, s_0)\}$.
Step 4-3: the property to be verified in this example is the probability that APC is in the normal state.
Step 4-4: the ZARE algorithm computes r as follows:
Input: $M_{APC} = (S_M, S_{in}, Ap, L, pb, T_M)$; the initial bound t is 3, the increment m is 1, and the termination criterion ξ is 0.00001; these are substituted into the ZARE algorithm.
Taking the bound equal to 3 as an example, the calculation process is described in detail below, as shown in the following formula, in which the path formula is denoted $F a_{in}$:
We find $x(s_{in}, F a_{in}, 3) = 0.994629$. Calculated with a tool designed for the method, the value satisfying the termination criterion is 0.994629, so the reliability of the thread APC is 0.994629.
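The ZARE procedure (Steps 2 and 3 above) run on the DTMC of Step 4-2, as an added example written by the editor (not the patent's own tool or code): the transition probabilities, initial bound t = 3, increment m = 1 and termination criterion ξ = 0.00001 are the values given on the page; reading x(s_in, F a_in, t) as the probability that the chain started in s0 is in s0 after exactly t transitions is the editor's interpretation, chosen because it reproduces the 0.994629 reported above. The row-sum check implements condition (5) of Definition 9.

```python
# Added example (editor's code, not part of the patent): the DTMC of the APC thread from
# Step 4-2 (s0 = ErrorFree, s1 = Failed), a check of the row-sum condition of Definition 9,
# the transient probability of being in the normal state after t steps, and the ZARE
# stopping rule of Steps 2-3.  Reading x(s_in, F a_in, t) as that transient probability
# is the editor's interpretation; it reproduces the 0.994629 reported on the page.
from typing import Dict, List, Tuple

State = str
Trans = Dict[Tuple[State, State], float]

APC_STATES: List[State] = ["s0", "s1"]
APC_INITIAL: State = "s0"
APC_NORMAL: State = "s0"          # the state labelled a_in
APC_PB: Trans = {("s0", "s1"): 0.0054, ("s0", "s0"): 0.9946, ("s1", "s0"): 1.0}

def check_stochastic(states: List[State], pb: Trans, tol: float = 1e-9) -> None:
    """Definition 9 (5): for every state s, the probabilities pb(s, s') sum to 1."""
    for s in states:
        total = sum(pb.get((s, t), 0.0) for t in states)
        if abs(total - 1.0) > tol:
            raise ValueError(f"transition probabilities of {s} sum to {total}, not 1")

def step(dist: Dict[State, float], states: List[State], pb: Trans) -> Dict[State, float]:
    """One transition of the chain: dist'(s') = sum over s of dist(s) * pb(s, s')."""
    return {t: sum(dist[s] * pb.get((s, t), 0.0) for s in states) for t in states}

def availability(states, initial, pb, t: int, normal: State) -> float:
    """x(s_in, F a_in, t): probability that the chain started in `initial` is in `normal`
    after exactly t transitions (the instantaneous availability A(t) of Definition 14)."""
    dist = {s: (1.0 if s == initial else 0.0) for s in states}
    for _ in range(t):
        dist = step(dist, states, pb)
    return dist[normal]

def zare(states, initial, pb, normal, t: int = 3, m: int = 1, xi: float = 1e-5,
         max_t: int = 100_000) -> Tuple[float, int]:
    """ZARE: grow the bound t by m until two consecutive values differ by less than xi,
    then return r = x(s_in, F a_in, t) rounded to 6 places and the final bound.
    The absolute difference is used (a defensive choice; the page writes x(t) - x(t-m))."""
    check_stochastic(states, pb)
    previous = availability(states, initial, pb, t - m, normal)
    current = availability(states, initial, pb, t, normal)
    while abs(current - previous) >= xi:        # Step 2
        t += m
        if t > max_t:
            raise RuntimeError("ZARE did not converge within max_t bounds")
        previous, current = current, availability(states, initial, pb, t, normal)
    return round(current, 6), t                  # Step 3

if __name__ == "__main__":
    r, t_final = zare(APC_STATES, APC_INITIAL, APC_PB, APC_NORMAL)
    print(f"instantaneous availability of APC: {r} (bound t = {t_final})")
```

For the APC chain the values at t = 2 and t = 3 already differ by far less than ξ, so the loop stops at the initial bound and returns 0.994629, matching the page. The `max_t` guard is there because ZARE as stated has no upper limit on t; a chain whose transient probabilities oscillate could otherwise loop forever.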
In summary, the AADL-based embedded software reliability modeling method of the invention combines semi-formal and formal modeling and is more intuitive than comparable formal methods; the ZAL model it builds tightly couples the embedded software component model, the fault model and their reliability constraints, and is readily verifiable; and a probabilistic model checking method can be applied to rigorously evaluate the reliability of the embedded software on the basis of the ZAL model. The method of the invention can therefore effectively improve the reliability of the embedded software model and thereby reduce the cost of defect repair late in software development.
Claims (4)
1. An AADL-based embedded software reliability modeling and evaluation method, characterized by comprising the following steps:
step 1, establishing a semi-formal model, specifically an AADL reliability model comprising a structure model and a fault model; the structure model comprises component names, component attributes, connections and flows, and the fault model comprises fault types, fault behaviors and fault propagation;
step 2, extracting the reliability modeling elements of the AADL reliability model, the reliability modeling elements comprising component names, connections, flows, fault behaviors and fault propagation;
step 3, establishing the embedded software reliability model ZAL, specifically converting the semi-formal model into a formal model, expanding the model, and supplementing its operation protocol and reliability constraints, comprising the following steps:
step 3-1, mapping the component states, fault behavior events and fault propagation points defined by the AADL reliability model to the ZAL fault model $ZA_{error}$, wherein the attributes of an ErrorState set element comprise the states the component can be in and the probability distribution type corresponding to each state, the attributes of an Ebe set element comprise the event type and the probability distribution type of the event's occurrence, and the attributes of an Epp set element comprise the type of fault propagation and the probability distribution type of successful fault propagation;
step 3-2, mapping the component names, connections and flows defined by the AADL reliability model to the ZAL structure model $ZA_{structure}$, wherein the attributes of a Component set element comprise the state of the component, its current fault behavior event and its current fault propagation point, the attributes of a Connection set element comprise the connection relation between components, and the attributes of a Flow set element comprise the fault propagation points through which a fault propagates;
step 3-3, mapping the fault propagation and state transitions defined by the AADL reliability model to the ZAL propagation model $ZA_{behavior}$, wherein the attributes of an OutPropagation set element comprise the name of the component generating the fault and the fault propagation point, the attributes of an InPropagation set element comprise the name of the component transmitting the fault, the connection between the components and the fault propagation point, the attributes of a Transition set element comprise the name of the component undergoing the state transition, the fault behavior event and the fault propagation point, and the occurrence conditions and conditional occurrence probability distributions of these 3 set elements are described in the predicate constraints;
step 4, evaluating the reliability on the basis of the embedded software reliability model ZAL to obtain the reliability evaluation result.
2. The AADL-based embedded software reliability modeling and evaluation method according to claim 1, wherein in step 1:
the component name refers to the name of a specific device, process, thread and port in the embedded software;
the component attribute refers to the attribute of specific equipment, process, thread and port in the embedded software;
the connection refers to the connection between the components and indicates that control flow or data flow exists between the components;
the flow refers to a path of information flow transmission between the components;
the fault type refers to the type of fault occurring in a component, including service-related, value-related and time-related faults, as well as user-defined fault types;
the fault behavior defines fault behavior events, component states and state transitions, wherein the component states comprise a normal state and a fault state;
the fault propagation refers to the occurrence and propagation of the fault to other components, and defines a fault propagation point to indicate the direction of the fault propagation occurrence, wherein the fault propagation point comprises two types of outgoing and incoming.
3. The AADL-based embedded software reliability modeling and evaluation method according to claim 1, wherein the embedded software reliability model ZAL of step 3 is divided into three parts, a fault model, a structure model and a propagation model, which describe the structure, behavior and reliability constraints of the embedded software, wherein:
(a) the ZAL fault model $ZA_{error}$ comprises the modeling elements fault state, fault behavior event and fault propagation point, and the probability distribution types of these elements comprise the fixed value Fixed, the Poisson distribution Poisson and the Gaussian distribution Gauss;
(b) the ZAL structural model $ZA_{structure}$ comprises the modeling elements component, connection and flow;
(c) the ZAL propagation model $ZA_{behavior}$ comprises the modeling elements outgoing fault, incoming fault and state transition, and the binary relations between these and the elements of $ZA_{error}$ and $ZA_{structure}$.
4. The AADL-based embedded software reliability modeling and evaluation method according to claim 1, wherein step 4, evaluating the reliability based on the ZAL model, in particular calculating the instantaneous availability of the ZAL model on a bounded domain, comprises the steps of:
step 4-1, characterizing the ZAL model as a quadruple T, wherein:
(1) $S_T$ is the set of relevant states of the system, i.e. the component states in the ZAL fault model;
(2) the initial state of the system is the normal state among the component states of the AADL fault model;
(3) the probability function $prob: S_T \times S_T \to [0,1]$ represents the probability constraint loaded at the time of the state transition, i.e. the probability distribution of the occurrence condition of the state transition in the ZAL propagation model; the probability is a real value, and for any state s the formula
$\sum_{s'} prob(s, s') = 1$ holds, where s' is a successor state of s, meaning that the sum of the transition probabilities from state s to all its successor states s' is 1;
(4) $TR_T$ is the set of state transitions of the system, i.e. of the ZAL propagation model;
step 4-2, converting the quadruple T into a discrete-time Markov chain (DTMC), the DTMC being a six-tuple $M = (S_M, S_{in}, Ap, L, pb, T_M)$ wherein:
(1) $S_M$ is a finite set of states;
(2) $S_{in} \in S_M$ is the initial state;
(3) Ap is a finite set of atomic propositions;
(4) $L: S_M \to 2^{Ap}$ is the labeling function;
(5) $pb: S_M \times S_M \to [0,1]$ is the state transition probability function, and for any state s
$\sum_{s'} pb(s, s') = 1$ holds, where s' is a successor state of s;
the conversion rules from the AADL model to the DTMC are:
T is the quadruple obtained from the AADL model, and it is converted to the DTMC $M = (S_M, S_{in}, Ap, L, prob, T_M)$ wherein:
(1) $S_M = \{s_i : s_{Ti} \in S_T, i \in N\}$, where $s_i \in S_M$ is a state of the DTMC and $s_{Ti} \in S_T$ is the corresponding state present in the ZAL model T;
(3) Ap is a finite set of atomic propositions;
(4) $L: S_M \to 2^{Ap}$ is the labeling function;
(5) the probability function prob → pb, i.e. $prob: S_T \times S_T \to [0,1] = pb: S_M \times S_M \to [0,1]$, meaning that the probability value assigned by the probability function of the DTMC equals the probability distribution in the ZAL model;
(6) $T_M$ is the set of state transition relations, where $s_i \in S_M$ and $s_j \in S_M$ correspond to the states $t_i \in S_T$ and $t_j \in S_T$ of the AADL model T and denote the start and end of a state transition respectively; each state transition $(s_i \to s_j)$ represents a state transition $(t_i \to t_j)$ in the AADL model T;
step 4-3, describing the availability with probabilistic computation tree logic PCTL, wherein:
PCTL is obtained by extending CTL temporal logic with a probability operator $P_{\sim p}$;
a PCTL path is defined as follows: let M be a discrete-time Markov chain; a path π in M is an infinite sequence of states $s_0, s_1, \ldots$ such that $P(s_i, s_{i+1}) > 0$, and the notation Paths(s) denotes the set of paths starting from s;
the PCTL state formulas over the atomic proposition set Ap are defined as follows:
wherein true denotes the tautology; a is an atomic proposition; $\varphi \wedge \varphi$ denotes the conjunction of two sub-formulas; $\neg\varphi$ denotes the negation of a formula; $p \in [0,1]$ and $\sim \in \{<, >, \leq, \geq\}$; $P_{\sim p}$ applied to a path formula states that the probability of the path formula holding stands in the relation ~ to p;
the PCTL path formulas are defined as follows:
wherein $\varphi, \varphi_1, \varphi_2$ are state formulas; Xφ means that φ holds in the next state of the path; Fφ means that φ holds in some future state of the path; Gφ means that all states of the path satisfy φ; $\varphi_1 U \varphi_2$ means that all states of the path before the state satisfying $\varphi_2$ satisfy $\varphi_1$; $\varphi_1 R \varphi_2$ means that $\varphi_2$ holds as long as $\varphi_1$ has not been satisfied;
the bounded semantics of PCTL are defined as follows: let a ∈ Ap be an atomic proposition, let $M = (S_M, S_{in}, Ap, L, pb, T_M)$ be a discrete-time Markov chain, let $s \in S_M$, let $\varphi_1, \varphi_2$ be PCTL state formulas based on $P_{\geq p}$, let the path formulas likewise be based on $P_{\geq p}$, and let k be a natural number, called the bound;
the satisfaction relation $\models_k$ for state formulas is defined as:
(1) $s \models_k a$ if and only if $a \in L(s)$;
(2) $s \models_k \varphi_1 \wedge \varphi_2$ if and only if $s \models_k \varphi_1$ and $s \models_k \varphi_2$;
(3) $s \models_k \varphi_1 \vee \varphi_2$ if and only if $s \models_k \varphi_1$ or $s \models_k \varphi_2$;
the satisfaction relation $\models_k$ for path formulas is defined as:
(1) $\pi \models_k X\varphi_1$ if and only if $k \geq 1$ and $\pi(1) \models_k \varphi_1$;
(2) $\pi \models_k F\varphi_1$ if and only if there is a natural number $i \leq k$ such that $\pi(i) \models_k \varphi_1$;
(3) $\pi \models_k G\varphi_1$ if and only if for every natural number $i \leq k$, $\pi(i) \models_k \varphi_1$, and there is a natural number $0 \leq j \leq k$ such that $P(\pi(k), \pi(j)) > 0$ and $\pi = \pi(0) \ldots \pi(j-1)(\pi(j) \ldots \pi(k))^\omega$, where ω denotes that the loop may repeat infinitely;
(4) $\pi \models_k \varphi_1 U \varphi_2$ if and only if there is a natural number $i \leq k$ such that $\pi(i) \models_k \varphi_2$ and for every natural number $j < i$, $\pi(j) \models_k \varphi_1$;
(5) $\pi \models_k \varphi_1 R \varphi_2$ if and only if either a) for every natural number $i \leq k$, $\pi(i) \models_k \varphi_2$, and there is a natural number $0 \leq j \leq k$ such that $P(\pi(k), \pi(j)) > 0$ and $\pi = \pi(0) \ldots \pi(j-1)(\pi(j) \ldots \pi(k))^\omega$; or b) there is a natural number $m \leq k$ such that $\pi(m) \models_k \varphi_1$ and for every natural number $n < m$, $\pi(n) \models_k \varphi_2$;
Instantaneous availability is one of the reliability metric parameters and is defined as follows:
the software system is taken to have a normal state and a fault state, described by $X(t)$, $t \ge 0$, where $X(t) = 1$ when the system is in the normal state, and
the instantaneous availability of the system at time t is the probability that the system is in the normal state at time t, i.e. $A(t) = P(X(t) = 1)$;
in model checking, the atomic proposition $a_s$ denotes the current state s, i.e. $a_s = \mathrm{true}$ indicates that the current state is s; in the DTMC the initial state $S_{in}$ corresponds to the normal state of the component in the ZAL model, so $a_{S_{in}} = \mathrm{true}$ corresponds to $X(t) = 1$, and the probability that $a_{S_{in}}$ is true at the current time equals the instantaneous availability; using the PCTL formula, the probability that the future software system is in the normal state is not lower than r, where the time t corresponds to the bound t of PCTL; let $r = Pr(s \models_t \phi)$, increase t continuously and subtract the results obtained at two successive values of t; if the difference is smaller than a preset termination criterion the calculation stops and the result is obtained, otherwise the calculation continues;
4-4, using the reliability evaluation algorithm ZARE, calculating the value r for which the formula holds, namely the corresponding instantaneous availability, so as to obtain the reliability evaluation result;
the reliability evaluation algorithm ZARE is as follows:
let $x(s, \phi, t) = Pr(s \models_t \phi)$
Input:
1) discrete-time Markov chain $M = (S_M, S_{in}, Ap, L, pb, T_M)$, $s \in S_M$;
2) PCTL path formula $\phi$;
3) a bound t;
4) m, $\xi$ (m is the amount by which the bound is increased at each step, $\xi$ is the termination criterion);
Output: r ($r = Pr(s \models_t \phi)$)
Step 3. when $x(s, \phi, t) - x(s, \phi, t-m) \ge \xi$, return to Step 2; otherwise execute the next step;
Step 4. $r = x(s, \phi, t)$, and output r.
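The bounded path operators, the availability mapping and the bound-increasing ZARE loop described above, as an added Python example that is not part of the patent. It assumes a constructed two-state DTMC (normal/fault, with sample transition probabilities I chose), evaluates X, F, G and U by the usual k-step unrolling (the extra loop condition in clause (3) of the bounded semantics is not modelled), computes the instantaneous availability $A(t) = P(X(t) = 1)$ as the transient probability of the normal state, and grows the bound by m until two successive results differ by less than $\xi$. All function and state names are my own, and the loop uses the absolute difference as the stopping test, which is my assumption.

```python
"""Bounded PCTL probabilities and a ZARE-style bound-increasing loop on a
small discrete-time Markov chain (DTMC). Added example, not the patent's code."""

# Constructed sample DTMC (assumed values, not from the patent): a component
# that is either 'normal' (up) or 'fault' (down). Row s maps successor -> P(s, s').
DTMC = {
    "normal": {"normal": 0.9, "fault": 0.1},
    "fault": {"normal": 0.5, "fault": 0.5},
}
# Labelling L(s): the atomic propositions that hold in each state.
LABELS = {"normal": {"up"}, "fault": {"down"}}
INITIAL = "normal"  # S_in, mapped to the component's normal state


def sat(prop):
    """State formula 'a' evaluated as the set of states whose label contains a."""
    return {s for s, labels in LABELS.items() if prop in labels}


def bounded_until(dtmc, phi1, phi2, k):
    """Pr(s |=_k phi1 U phi2) for every state s: phi2 is reached within k steps
    and every earlier state on the path satisfies phi1 (phi1, phi2 are state sets).
    Computed by unrolling k backward steps, the usual bounded-until recursion."""
    x = {s: (1.0 if s in phi2 else 0.0) for s in dtmc}
    for _ in range(k):
        x = {
            s: 1.0 if s in phi2
            else (sum(p * x[s2] for s2, p in dtmc[s].items()) if s in phi1 else 0.0)
            for s in dtmc
        }
    return x


def bounded_finally(dtmc, phi, k):
    """Pr(s |=_k F phi) = Pr(s |=_k true U phi)."""
    return bounded_until(dtmc, set(dtmc), phi, k)


def bounded_globally(dtmc, phi, k):
    """Pr(s |=_k G phi): phi holds at every state up to step k, i.e. the
    complement of reaching a state violating phi within k steps."""
    not_phi = set(dtmc) - phi
    return {s: 1.0 - v for s, v in bounded_finally(dtmc, not_phi, k).items()}


def bounded_next(dtmc, phi):
    """Pr(s |= X phi): probability that the next state satisfies phi (needs k >= 1)."""
    return {s: sum(p for s2, p in dtmc[s].items() if s2 in phi) for s in dtmc}


def transient(dtmc, s0, t):
    """Probability distribution over states after t steps starting from s0."""
    dist = {s: (1.0 if s == s0 else 0.0) for s in dtmc}
    for _ in range(t):
        nxt = dict.fromkeys(dtmc, 0.0)
        for s, p in dist.items():
            for s2, q in dtmc[s].items():
                nxt[s2] += p * q
        dist = nxt
    return dist


def instantaneous_availability(dtmc, s0, up, t):
    """A(t) = P(X(t) = 1): probability of being in an 'up' state at time t."""
    return sum(p for s, p in transient(dtmc, s0, t).items() if s in up)


def zare(x, t, m, xi, max_rounds=10_000):
    """Bound-increasing loop modelled on the page's ZARE steps 3-4: evaluate x at
    the bound t, increase the bound by m, and stop once two successive results
    differ by less than xi. The absolute difference is used (assumption) so the
    loop also terminates when x decreases as t grows. Returns (bound, r)."""
    prev = x(t)
    for _ in range(max_rounds):
        t += m
        cur = x(t)
        if abs(cur - prev) < xi:
            return t, cur
        prev = cur
    raise RuntimeError("termination criterion not met within max_rounds")


if __name__ == "__main__":
    up = sat("up")
    print("Pr(fault |=_2 F up)  =", round(bounded_finally(DTMC, up, 2)["fault"], 4))
    print("Pr(normal |=_2 G up) =", round(bounded_globally(DTMC, up, 2)["normal"], 4))
    bound, r = zare(lambda t: instantaneous_availability(DTMC, INITIAL, up, t), 0, 1, 1e-3)
    print(f"A(t) settled at t={bound}: r={r:.4f}")
```

With the sample chain, the availability sequence starts at 1.0, 0.9, 0.86, 0.844 and approaches the steady-state value 5/6; with m = 1 and $\xi = 10^{-3}$ the loop stops at t = 7, which is the point at which the page's procedure would output r. The bounded G probability from the normal state is simply $0.9^k$ here, a quick sanity check for the unrolling.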
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710077564.9A CN106874200B (en) | 2017-02-14 | 2017-02-14 | Embedded software reliability modeling and evaluating method based on AADL |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106874200A CN106874200A (en) | 2017-06-20 |
CN106874200B true CN106874200B (en) | 2020-07-07 |
Family ID: 59167477
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106874200B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |