CN106874200B - Embedded software reliability modeling and evaluating method based on AADL - Google Patents

Embedded software reliability modeling and evaluating method based on AADL

Publication number
CN106874200B
Authority
CN (China)
Prior art keywords
model, fault, state, reliability, aadl
Legal status
Active
Application number
CN201710077564.9A
Other languages
Chinese (zh)
Other versions
CN106874200A (en)
Inventors
庄毅, 刘维维, 顾晶晶, 李蜜, 胡镡文, 张倩雯, 叶彤
Current assignee
Nanjing University of Aeronautics and Astronautics
Original assignee
Nanjing University of Aeronautics and Astronautics
Events
Application filed by Nanjing University of Aeronautics and Astronautics; priority to CN201710077564.9A; publication of CN106874200A; application granted; publication of CN106874200B; legal status: Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)

Abstract

The invention discloses an AADL (Architecture Analysis and Design Language) based embedded software reliability modeling and evaluation method, which comprises the following steps: 1) establishing an AADL reliability model of the embedded software; 2) extracting the reliability elements of the AADL reliability model and establishing, in the Z language, a reliability model ZAL comprising a fault model, a structural model and a behavior model; 3) depicting the ZAL model as a discrete-time Markov chain (DTMC), giving a PCTL formula that describes the reliability of the embedded software, and computing that formula with the proposed reliability evaluation algorithm ZARE to obtain the instantaneous availability and complete the reliability evaluation. The invention not only expresses the embedded software hierarchically, concisely and clearly, in a form that is easy to understand, but also, since ZAL is a formal model, allows the reliability to be strictly analyzed and evaluated with methods such as model checking.

Description

Embedded software reliability modeling and evaluating method based on AADL
Technical Field
The invention belongs to the field of trusted computing, software engineering, formal modeling and verification, and particularly provides an AADL-based embedded software reliability modeling and evaluation method.
Background
In the field of software reliability research, the research of software reliability models always occupies an important position and is also the field with the most abundant achievements. How to establish a software reliability model as early as possible, reduce the modeling complexity, and enable the model to accurately depict the propagation relationship of faults among components is an important content in software reliability research work.
Software modeling methods are mainly divided into semi-formal and formal methods. Software engineering generally uses semi-formal specifications to describe software structure and behavior, which has the advantage of being easy to understand and use. AADL (Architecture Analysis and Design Language) was proposed by SAE (Society of Automotive Engineers) on the basis of MetaH and UML. AADL adopts the approach of a single model supporting many kinds of analysis, and brings the key links of system design, analysis, verification and automatic code generation together under a unified framework. Northwestern Polytechnical University established a safety model based on the AADL error model annex and hazard model annex and converted it into a GSPN model to analyze software safety. Muñoz M. of NASA's Jet Propulsion Laboratory established an AADL information flow model and performed latency analysis to demonstrate the potential of AADL for space systems.
However, as a semi-formal language, AADL is not conducive to strict analysis and verification of reliability. Therefore, extensive research has been carried out on the formal semantics of AADL, and some researchers have summarized two methods of describing them. The formal semantics of AADL are mainly given by a conversion method (translation semantics), which can be roughly divided into two types: the first defines the AADL semantics in a formal language with precise semantics and then converts according to those semantics; the second converts the AADL model directly into another formal model. The former is called explicit description: imprecise AADL semantics can be formalized, and the semantics can be described more completely. The latter is called implicit description, and its purpose is to use the existing formal analysis tools of the target semantic model directly. Existing AADL reliability modeling and verification generally adopts implicit description. Sun H. et al. at Iowa State University proposed combining fault trees with AADL models for reliability and safety analysis. Boudali H. et al. at the University of Twente (Netherlands) proposed an extensible reliability assessment framework that supports multiple modeling languages including AADL and UML, automatically converts the input model into an IO-IMC (input/output interactive Markov chain) model, then performs reliability analysis with the CADP tool, and can perform compositional reliability analysis to support the reliability requirements of complex systems.
However, the existing implicit description has the following defects. In general, the existing methods all assume that the converted semantics are consistent, but the semantic descriptions cannot be guaranteed to be consistent and are not accurate enough; the existing model conversion techniques are based on the existing semantics of AADL, and some AADL semantics are explained by natural language and examples, so the given semantics are not precise enough and the semantic conversion may be neither accurate nor complete. On the other hand, the existing model conversion methods each have their own disadvantages: while Petri nets can describe the dynamic behavior of most asynchronous, concurrent systems well, their models tend to become very large; fault trees can describe the causal relationships of faults comprehensively and visually, but quantitative analysis of fault events to which occurrence probabilities have been added is very difficult. Therefore, in order to keep the model concise while describing the probability factors in it, the invention adopts the Z language, which can strictly describe data constraints, to formally define the reliability elements of AADL, and models reliability at three levels, the fault model, the structural model and the behavior model, so that the model becomes concise, clear and easy to understand.
Verification of software properties on the basis of the Z language mainly adopts model checking. The Z language is extended with dynamic semantics and combined with software behavior modeling methods to establish a software model that couples the static and dynamic views of the software, and automatic verification of Z can be realized directly by correspondingly improving existing model checking methods. Hoenicke et al. at the University of Oldenburg, Germany, studied model checking of the CSP-OZ-DC model, proposed timed automata as an intermediate language to describe the event and data constraints of the model, and used the constraint-based model checker ARMC to verify the communication, data and real-time constraints of the model. Mota et al. at the Federal University of Pernambuco, Brazil, convert Z into CSP_M models and perform deadlock analysis with the FDR model checker. Cao Zining of Nanjing University of Aeronautics and Astronautics provided a temporal logic on the finite-domain ZIA model together with its model checking algorithm, which can verify software states and the data constraints in operation protocols. On the basis of the ZAL model, and taking into account the probability distribution attributes of the elements in the ZAL model, the invention provides an embedded software reliability evaluation algorithm ZARE (Reliability evaluation on AADL) based on probabilistic model checking, so that the reliability of the embedded software can be strictly analyzed and evaluated.
Because the generation and propagation of faults in the ZAL model are probabilistic, a model checking method for the ZAL model must take probability into account, and the existing model checking methods for the Z language have no results related to probabilistic model checking.
Disclosure of Invention
The invention aims to provide an AADL-based embedded software reliability modeling and evaluating method, so that the reliability of embedded software can be described in a predicate constraint mode, formal verification is facilitated, and good expandability is realized.
The technical solution for realizing the purpose of the invention is as follows: an AADL-based embedded software reliability modeling and evaluation method comprises the following steps:
step1, establishing a semi-formalized model, specifically establishing an AADL reliability model, which comprises a structure model and a fault model; the structure model comprises a component name, a component attribute, a connection and a flow, and the fault model comprises a fault type, a fault behavior and fault propagation;
step2, extracting reliability modeling elements in the AADL reliability model, wherein the reliability modeling elements comprise component names, connections, flows, fault behaviors and fault propagation;
step3, establishing an embedded software reliability model ZAL, specifically converting the semi-formalized model into a formalized model, expanding the model, and supplementing an operation protocol and reliability constraint thereof, including the following steps:
step 3-1, mapping the component states, fault behavior events and fault propagation points defined by the AADL reliability model to the ErrorState, Ebe and Epp set elements of the ZAL fault model ZA_error, where the attributes of an ErrorState element comprise all possible states of a component and the probability distribution type corresponding to each state, the attributes of an Ebe element comprise the event type and the probability distribution type of the event's occurrence, and the attributes of an Epp element comprise the type of fault propagation and the probability distribution type of successful fault propagation;
step 3-2, mapping the component names, connections and flows defined by the AADL reliability model to the Component, Connection and Flow set elements of the ZAL structural model ZA_structure, where the attributes of a Component element comprise the state of the component, its current fault behavior event and its current fault propagation point, the attributes of a Connection element comprise the connection relation between components, and the attributes of a Flow element comprise the fault propagation points through which a fault propagates;
step 3-3, mapping the fault propagation and state transitions defined by the AADL reliability model to the OutPropagation, InPropagation and Transition set elements of the ZAL propagation model ZA_behavior, where the attributes of an OutPropagation element include the component name and the fault propagation point that generates the fault, the attributes of an InPropagation element include the component name, the connection between components and the fault propagation point that transmits the fault, the attributes of a Transition element include the component name, the fault behavior event and the fault propagation point that generate the state transition, and the occurrence conditions of these three elements and their probability distributions are described as predicate constraints;
step 4, evaluating the reliability on the basis of the ZAL model to obtain the reliability evaluation result.
Compared with the prior art, the invention has the following remarkable advantages: 1) the method defines a corresponding fault model and a corresponding structure model for each component in the embedded software, defines a behavior model for fault propagation among the components, hierarchically represents the system, is easy to understand, is simple and clear, and has no overstaffed model; 2) the method inherits the strong data constraint capability and good expandability of the Z language, can describe the probability, and can conveniently add the reliability elements.
The present invention is described in further detail below with reference to the attached drawing figures.
Drawings
Fig. 1 is a flowchart of an AADL-based embedded software reliability modeling and evaluation method.
FIG. 2 is an AADL architecture diagram of the flight management system.
FIG. 3 is an AADL reliability model for thread APC.
FIG. 4 is a state transition diagram of the thread APC.
Detailed Description
The invention relates to an AADL-based embedded software reliability modeling and evaluating method, which specifically comprises the following steps:
step1, establishing a semi-formalized model, specifically establishing an AADL reliability model, which comprises a structure model and a fault model; the structure model comprises a component name, a component attribute, a connection and a flow, and the fault model comprises a fault type, a fault behavior and fault propagation;
the component name refers to the names of specific equipment, processes, threads and ports in the embedded software;
the component attribute refers to the attribute of specific equipment, process, thread and port in the embedded software;
the connection refers to the connection between the components and indicates that control flow or data flow exists between the components;
the flow refers to a path along which an information flow is transmitted between components;
the fault type refers to the type of the fault occurring in the component, including service-related fault, value-related fault and time-related fault, and can also define the fault type by itself;
the fault behavior defines fault behavior events, component states and state transitions, wherein the component states comprise a normal state and a fault state;
the fault propagation refers to the occurrence and propagation of the fault to other components, and defines a fault propagation point to indicate the direction of the fault propagation occurrence, wherein the fault propagation point comprises two types of outgoing and incoming.
Step2, extracting reliability modeling elements in the AADL reliability model, wherein the reliability modeling elements comprise component names, connections, flows, fault behaviors and fault propagation;
step3, establishing an embedded software reliability model ZAL, specifically converting the semi-formalized model into a formalized model, expanding the model, and supplementing an operation protocol and reliability constraint thereof, including the following steps:
step 3-1, mapping the component states, fault behavior events and fault propagation points defined by the AADL reliability model to the ErrorState, Ebe and Epp set elements of the ZAL fault model ZA_error, where the attributes of an ErrorState element comprise all possible states of a component and the probability distribution type corresponding to each state, the attributes of an Ebe element comprise the event type and the probability distribution type of the event's occurrence, and the attributes of an Epp element comprise the type of fault propagation and the probability distribution type of successful fault propagation;
step 3-2, mapping the component names, connections and flows defined by the AADL reliability model to the Component, Connection and Flow set elements of the ZAL structural model ZA_structure, where the attributes of a Component element comprise the state of the component, its current fault behavior event and its current fault propagation point, the attributes of a Connection element comprise the connection relation between components, and the attributes of a Flow element comprise the fault propagation points through which a fault propagates;
step 3-3, mapping the fault propagation and state transitions defined by the AADL reliability model to the OutPropagation, InPropagation and Transition set elements of the ZAL propagation model ZA_behavior, where the attributes of an OutPropagation element include the component name and the fault propagation point that generates the fault, the attributes of an InPropagation element include the component name, the connection between components and the fault propagation point that transmits the fault, the attributes of a Transition element include the component name, the fault behavior event and the fault propagation point that generate the state transition, and the occurrence conditions of these three elements and their probability distributions are described as predicate constraints;
The embedded software reliability model ZAL is divided into a fault model, a structural model and a propagation model, which describe the structure, behavior and reliability constraints of the embedded software, wherein:
(a) the ZAL fault model ZA_error comprises the fault state, fault behavior event and fault propagation point modeling elements, whose probability distribution types comprise the fixed value Fixed, the Poisson distribution Poisson and the Gaussian distribution Gauss;
(b) the ZAL structural model ZA_structure comprises the component, connection and flow modeling elements;
(c) the ZAL propagation model ZA_behavior comprises the outgoing fault, incoming fault and state transition modeling elements, together with the binary relations between these and the elements of ZA_error and ZA_structure.
step 4, evaluating the reliability on the basis of the ZAL model to obtain the reliability evaluation result. Specifically, the instantaneous availability of the ZAL model on a bounded domain is calculated by the following steps:
step 4-1, depicting the ZAL model as a quadruple
Figure GDA0002478084020000052
wherein:
(1) ST represents the set of relevant states of the system, namely the component states in the ZAL fault model;
(2)
Figure GDA0002478084020000053
represents the initial state of the system, namely the normal state among the component states in the AADL fault model;
(3) the probability function prob: ST × ST → [0,1] represents the probability constraint imposed on state transitions, i.e. the probability distribution of the conditions under which a state transition occurs in the ZAL behavior model; the probability value is a real number, and for any state s the formula
Figure GDA0002478084020000051
holds, where s' is a successor state of s, indicating that the sum of the transition probabilities from state s to all its successor states s' is 1;
(4) TRT represents the set of state transitions of the system, namely those in the ZAL behavior model;
step 4-2, converting the quadruple T into a discrete-time Markov chain DTMC, which is a six-tuple M = (S_M, S_in, Ap, L, pb, T_M), wherein:
(1) S_M is a finite set of states;
(2) S_in ∈ S_M is the initial state;
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) pb: S_M × S_M → [0,1] is the state transition probability function, and for any state s:
Figure GDA0002478084020000061
holds, where s' is a successor state of s;
(6)
Figure GDA0002478084020000069
is the set of state transition relations;
The conversion rules from the AADL model to the DTMC are as follows:
Figure GDA0002478084020000062
is the quadruple obtained from the AADL model, which is converted into the DTMC M = (S_M, S_in, Ap, L, prob, T_M), wherein:
(1) S_M = {s_i : s_Ti ∈ ST, i ∈ N}, where s_i ∈ S_M is a state of the DTMC and s_Ti ∈ ST denotes the corresponding state in the ZAL model T;
(2) S_in ∈ S_M is the initial state, corresponding to that of the AADL model T, namely
Figure GDA00024780840200000612
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) probability function prob → pb, i.e. prob: ST × ST → [0,1] = pb: S_M × S_M → [0,1], meaning that the probability value assigned by the probability function of the DTMC equals the probability distribution in the ZAL model;
(6)
Figure GDA00024780840200000610
is the set of state transition relations, where s_i ∈ S_M and s_j ∈ S_M correspond to the states t_i ∈ ST and t_j ∈ ST of the AADL model T, respectively the start and end of a state transition; each state transition (s_i → s_j) represents a state transition (t_i → t_j) in the AADL model T;
step 4-3, describing the availability with probabilistic computation tree logic PCTL, wherein:
PCTL is obtained by extending CTL temporal logic with a probability operator P_~p;
The PCTL path is defined as follows: let M be a discrete-time Markov chain; a path π in M is an infinite sequence of states s0, s1, … such that
Figure GDA0002478084020000063
and the notation Paths(s) denotes the set of paths starting from s;
The PCTL state formulas over the atomic proposition set Ap are defined as follows:
Figure GDA0002478084020000064
wherein true denotes the formula that always holds; a is an atomic proposition; the formula φ ∧ φ denotes the conjunction of two sub-formulas;
Figure GDA00024780840200000611
denotes the negation of a formula; p ∈ [0,1], ~ ∈ {<, >, ≤, ≥},
Figure GDA0002478084020000065
is a path formula, and
Figure GDA0002478084020000066
denotes that the probability with which
Figure GDA0002478084020000067
holds stands in the relation ~ to p;
The PCTL path formulas are defined as follows:
Figure GDA0002478084020000068
wherein φ, φ1, φ2 are state formulas; Xφ indicates that φ is satisfied at the next state of the path; Fφ indicates that φ is satisfied in some future state of the path; Gφ indicates that all states on the path satisfy φ; φ1 U φ2 indicates that on the path all states before the state satisfying φ2 satisfy φ1; φ1 ◦ φ2 (the second until-type operator, whose symbol did not survive extraction) indicates that φ2 is satisfied as long as φ1 is not satisfied.
The bounded semantics of PCTL is defined as follows: let a ∈ Ap be an atomic proposition, M = (S_M, S_in, Ap, L, pb, T_M) a discrete-time Markov chain, s ∈ S_M, and φ1, φ2 PCTL state formulas based on P_≥p;
Figure GDA0002478084020000071
is a PCTL path formula based on P_≥p, and k is a natural number called the bound;
The satisfaction relation |=_k for state formulas is defined as:
(1) s |=_k a if and only if a ∈ L(s);
(2) s |=_k φ1 ∧ φ2 if and only if s |=_k φ1 and s |=_k φ2;
(3) s |=_k φ1 ∨ φ2 if and only if s |=_k φ1 or s |=_k φ2;
(4)
Figure GDA0002478084020000072
If and only if
Figure GDA0002478084020000073
The satisfaction relation |=_k for path formulas is defined as:
(1) π |=_k Xφ1 if and only if k ≥ 1 and π(1) |=_k φ1;
(2) π |=_k Fφ1 if and only if there is a natural number i ≤ k such that π(i) |=_k φ1;
(3) π |=_k Gφ1 if and only if for every natural number i ≤ k, π(i) |=_k φ1, and there is a natural number 0 ≤ j ≤ k such that P(π(k), π(j)) > 0 and π = π(0)···ω, where ω denotes that the loop may be repeated infinitely;
(4) π |=_k φ1 U φ2 if and only if there is a natural number i ≤ k such that π(i) |=_k φ2 and for every natural number j < i, π(j) |=_k φ1;
(5) π |=_k φ1 ◦ φ2 if and only if: a) for every natural number i ≤ k, π(i) |=_k φ2, and there is a natural number 0 ≤ j ≤ k such that P(π(k), π(j)) > 0 and π = π(0)···ω; or b) there is a natural number m ≤ k such that π(m) |=_k φ1 and for every natural number n < m, π(n) |=_k φ2.
The instantaneous availability is one of the reliability metrics and is defined as follows:
Let the software system have a normal state and a fault state, represented by X(t), t ≥ 0, where
Figure GDA0002478084020000074
the instantaneous availability of the system at time t is the probability that the system is in the normal state at time t, i.e. A(t) = P(X(t) = 1);
In model checking, an atomic proposition a_s is used to indicate the current state s, i.e. a_s is true when the current state is s; in the DTMC, the initial state S_in corresponds to the normal state of the component in the ZAL model, so that
Figure GDA0002478084020000081
holds if and only if X(t) = 1, and the probability that at the current time
Figure GDA0002478084020000082
holds equals the instantaneous availability; using the PCTL formula
Figure GDA0002478084020000083
the probability that the software system is in the normal state in the future is not lower than r, and the time t corresponds to the bound t in PCTL; let r = Pr(s |=_t φ); t is increased continuously, the results obtained at successive times t are subtracted, and if the difference is smaller than a preset termination criterion the calculation stops and the result is output, otherwise the calculation continues;
step 4-4, using the reliability evaluation algorithm ZARE, calculate the value of r for which
Figure GDA0002478084020000084
holds, namely the corresponding instantaneous availability, to obtain the reliability evaluation result;
The reliability evaluation algorithm ZARE is as follows:
Let x(s, φ, t) = Pr(s |=_t φ)
Input:
1) discrete-time Markov chain M = (S_M, S_in, Ap, L, pb, T_M), s ∈ S_M;
2) PCTL path formula φ;
3) a bound t;
4) m, ξ (m is the increment of the bound at each step, ξ is the termination criterion);
Output: r (r = Pr(s |=_t φ))
Step 1. Calculate
Figure GDA0002478084020000085
Step 2. Let t = t + m and calculate
Figure GDA0002478084020000086
Step 3. If x(s, φ, t) − x(s, φ, t − m) ≥ ξ, return to Step 2; otherwise execute the next step;
Step 4. r = x(s, φ, t); output r.
A more detailed description follows.
The AADL-based embedded software reliability modeling and evaluation method provided by the invention establishes the ZAL model, which is divided mainly into a fault model, a structural model and a behavior model. The ZAL model is defined by Z-language schemas, and a formal description method is given for each kind of constraint in embedded software so that it can be strictly analyzed and verified. The predicates of the Z language are used to constrain the attributes of the modeling elements, so that the established model is consistent and the accuracy and efficiency of software modeling are improved.
1. ZAL fault model
The modeling elements of the ZAL fault model include component states, fault behavior events and fault propagation points. The basic data types of the ZAL fault model are the fault behavior event type EventType, the probability distribution type DistributionType, the fault type ErrorType and the fault propagation type ErrorPropagationType. EventType comprises the fault event ErrorEvent, the recovery event RecoverEvent and the repair event RepairEvent; DistributionType comprises the fixed value Fixed, the Poisson distribution Poisson and the Gaussian distribution Gauss; ErrorType comprises the service-related fault ServiceRelatedError, the value-related fault ValueRelatedError, the time-related fault TimingRelatedError, the replication-related fault ReplicationRelatedError and the concurrency fault ConcurrentRelatedError, and further fault types can be customized as needed; ErrorPropagationType comprises the incoming fault incoming and the outgoing fault outgoing.
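As an added illustration (not code from the patent), the following Python renders steps 4-1 and 4-2 and the ZARE algorithm of step 4-4 on a constructed three-state component (normal, faulted, under repair): it checks the row-sum constraint on prob, builds the DTMC six-tuple, computes the instantaneous availability A(t) = P(X(t) = 1) from the transient distribution, evaluates the bounded path formula F^{≤k} a, and runs the ZARE iteration. The transition probabilities, the labels, the function names and the use of the absolute successive difference as the termination test are assumptions made here; the patent's own PCTL formula is an image and is not reproduced.

```python
from typing import Dict, List, Set

Prob = Dict[str, Dict[str, float]]

# Constructed ZAL quadruple T = (ST, s0, prob, TRT) for one component that is
# normal, faulted or under repair (illustrative numbers, not the patent's
# flight-management example); TRT is derived below from the nonzero entries.
ST: Set[str] = {"normal", "fault", "repair"}
S0 = "normal"
PROB: Prob = {                                   # prob: ST x ST -> [0, 1]
    "normal": {"normal": 0.95, "fault": 0.05},
    "fault":  {"fault": 0.6, "repair": 0.4},
    "repair": {"normal": 0.8, "repair": 0.2},
}
# Labeling function L: S_M -> 2^Ap; a_normal marks the normal state.
LABELS: Dict[str, Set[str]] = {
    "normal": {"a_normal"}, "fault": {"a_fault"}, "repair": {"a_repair"},
}


def prob_violations(prob: Prob, states: Set[str], tol: float = 1e-9) -> List[str]:
    """Step 4-1 constraint: for each state s, the probabilities to its
    successors s' lie in [0, 1] and sum to 1. Returns the violations found."""
    out = []
    for s in sorted(states):
        row = prob.get(s, {})
        if any(t not in states for t in row):
            out.append(f"{s}: transition to a state outside ST")
        if any(not 0.0 <= p <= 1.0 for p in row.values()):
            out.append(f"{s}: probability outside [0, 1]")
        if abs(sum(row.values()) - 1.0) > tol:
            out.append(f"{s}: successor probabilities sum to {sum(row.values()):.4f}")
    return out


def to_dtmc(states, s0, prob, labels):
    """Step 4-2: the six-tuple M = (S_M, S_in, Ap, L, pb, T_M); T_M holds the
    pairs (s_i, s_j) with pb(s_i, s_j) > 0."""
    bad = prob_violations(prob, states)
    if bad:
        raise ValueError("; ".join(bad))
    ap = set().union(*labels.values())
    tm = {(s, t) for s in states for t, p in prob[s].items() if p > 0.0}
    return (set(states), s0, ap, dict(labels), prob, tm)


def distribution_at(pb: Prob, start: str, t: int) -> Dict[str, float]:
    """Probability mass on each state after exactly t transitions from start."""
    dist = {start: 1.0}
    for _ in range(t):
        nxt: Dict[str, float] = {}
        for s, p in dist.items():
            for s2, q in pb[s].items():
                nxt[s2] = nxt.get(s2, 0.0) + p * q
        dist = nxt
    return dist


def instantaneous_availability(dtmc, t: int, normal_ap: str = "a_normal") -> float:
    """A(t) = P(X(t) = 1): mass on states labeled normal_ap at time t,
    starting from the initial state S_in."""
    _, s_in, _, labels, pb, _ = dtmc
    return sum(p for s, p in distribution_at(pb, s_in, t).items()
               if normal_ap in labels[s])


def bounded_reach_prob(dtmc, start: str, target_ap: str, k: int) -> float:
    """Pr(start |= F^{<=k} a): probability that some pi(i), i <= k, satisfies
    the atomic proposition a. Target states are made absorbing so that every
    path is counted once, at its first hit."""
    _, _, _, labels, pb, _ = dtmc
    dist, reached = {start: 1.0}, 0.0
    for _ in range(k + 1):
        nxt: Dict[str, float] = {}
        for s, p in dist.items():
            if target_ap in labels[s]:
                reached += p
                continue
            for s2, q in pb[s].items():
                nxt[s2] = nxt.get(s2, 0.0) + p * q
        dist = nxt
    return reached


def zare(dtmc, m: int = 1, xi: float = 1e-4, t: int = 0, max_t: int = 10_000):
    """Reliability evaluation algorithm ZARE with x(s, phi, t) = A(t): raise
    the bound by m until two successive values differ by less than xi and
    return (r, t). The absolute difference is my reading of Step 3, and
    max_t is an added guard against a chain that never settles."""
    x_prev = instantaneous_availability(dtmc, t)
    while t < max_t:
        t += m
        x = instantaneous_availability(dtmc, t)
        if abs(x - x_prev) < xi:
            return x, t
        x_prev = x
    raise RuntimeError("termination criterion not met before max_t")


if __name__ == "__main__":
    M = to_dtmc(ST, S0, PROB, LABELS)
    r, t_stop = zare(M)
    print(f"ZARE: instantaneous availability r = {r:.4f} after t = {t_stop} steps")
    print(f"Pr(normal |= F<=2 a_fault) = {bounded_reach_prob(M, 'normal', 'a_fault', 2):.4f}")
```

For this chain the ZARE loop settles near the stationary probability of the normal state (16/19 ≈ 0.842). Note that Step 3 compares only two successive values, so on a slowly mixing chain the loop can stop before A(t) has actually converged; the choice of ξ and m, and the max_t guard, are what keep the result honest.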
The formalization of the AADL fault model is defined as follows:
Definition 1. The triple ZA_error = (ComState, ErrorBehaviorEvent, ErrorPropagationPoint) is called the AADL fault model, where ComState (component state) represents the set of component states, ErrorBehaviorEvent represents the set of fault behavior events, and ErrorPropagationPoint represents the set of fault propagation points.
The specific definitions of the three elements of ZA_error are given below:
(1) Component state ComState
The component state is the state of a component in the embedded software and is divided into the initial state (normal state) and fault states. Whether a component is in the normal state is an important basis for evaluating its reliability, and isInitial indicates whether the component is in the initial state. For a fault state, the corresponding fault type ErrorType needs to be described. In order to describe the probability distribution parameters generated by the fault propagation point, the probability distribution needs to be defined; it has two parameters, a probability distribution parameter (occurrence) and a probability distribution type (distribution). pbcs represents the true probability, i.e. the probability calculated from the probability distribution. ComState is defined as follows:
Figure GDA0002478084020000091
In the above schema, the elements in < > are alternatives, CS is the fixed part of the schema name, N denotes the natural numbers, R denotes the real numbers, and 0..1 denotes that pb ranges from 0 to 1.
(2) Fault behavior event ErrorBehaviorEvent
A fault behavior event is one of a group of events that cause a state transition of a component; it has an occurrence probability, so a probability distribution needs to be defined for it. The probability distribution is a key parameter of quantitative reliability evaluation, and variation in it can greatly influence the evaluation result. It is defined as follows:
Figure GDA0002478084020000101
(3) Fault propagation point ErrorPropagationPoint
A fault propagation point is the location where a fault propagates between components. In the AADL specification, fault propagation is by fault type, such as NoValue and BadValue. In order to describe the elements of AADL consistently, the fault type (errortype) is also given here; however, in the quantitative reliability evaluation only the fact that a fault propagates matters, and its type has no influence. The fault propagation point type (propagation) is either an incoming fault point or an outgoing fault point. Since the propagation of a fault may itself fail, an outgoing fault point needs a probability distribution pb1 (the probability value calculated from the distribution) for the propagation. Furthermore, an outgoing fault can be regarded as fault generation, which also has a probability distribution pb2, and the combination of the two is the true probability of the fault from generation to the end of propagation. pb1 is denoted pbepp, and the combination of pb1 with pb2 is denoted pbreal. After the propagation ends, if it succeeded, an incoming fault point is generated. Although the incoming fault point has no probability of its own, in order to describe with what probability the incoming fault affects the target component, a probability distribution is also defined for the incoming fault; its value is the same as that of the corresponding outgoing fault and is also denoted pbreal. It is defined as follows:
Figure GDA0002478084020000102
2. ZAL structural model
The modeling elements of the ZAL structural model are components, connections, and flows. The basic type of the ZAL structural model is the predicate constraint Predicate.
The formalization of the AADL structural model is defined as follows:
Definition 2. The triple ZA_structure = (Component, Connection, Flow) is called a ZAL structural model, where Component is the set of components, Connection is the set of component connections, and Flow is the set of component flows.
The specific definitions of the three elements of ZA_structure are given below:
(1) component
In the AADL reliability model, the fault model is bound one-to-one to the components, so the ZAL structural model defines the component element in order to bind it to the reliability elements of the ZAL fault model. The declaration of a component includes the state of the component, the fault behavior event that has occurred, and the fault propagation points. A component can have several fault propagation points at the same time, which is represented by a finite subset of ErrorPropagationPoint. Its associated constraints are described in the predicate section. The definition method is as follows:
Figure GDA0002478084020000111
In the above schema, seq is the sequence type of the Z language, and F denotes the finite-subset (finite power set) type.
(2) Component Connection
In AADL, component connections include port connections, data access connections, bus access connections, and the like. A component connection means that there is an interaction between components, such as data transmission or communication access, and it is also the precondition for fault propagation between components. There are many types of component connections, so there may be multiple connections between two components; here they are simplified to a single connection, which does not affect the reliability evaluation. The direction of a connection does matter, however: connections between two components in different directions (component A connecting to component B, and component B connecting to component A) are considered different. The declaration section of the component Connection contains the source component sCom and the target component tCom, and the predicate section describes their associated constraints. The definition method is as follows:
Figure GDA0002478084020000112
(3) component Flow
In AADL, flows are used to describe and analyze logical paths through the architecture, including data flows, control flows, and fault event flows. The component Flow represents a path of fault propagation between components, and the fault path is represented by the fault propagation points it passes through. A component flow may involve several components <componentName_i>Com; the declaration section describes the source and end points of the component flow, and the predicate section describes its associated constraints. The definition method is as follows:
Figure GDA0002478084020000113
In the above schema, Ξ (Xi) denotes a state space that is declared but left unchanged, i.e. the <flowName>Flow schema includes all variables of <componentName_i>Com without modifying them; elements with subscript i may be repeated.
3. ZAL behavior model
The basic type of the AADL behavior model is the predicate constraint Predicate. The outgoing fault OutPropagation and the state transition Transition are modeling elements of the AADL behavior model. The association between the AADL behavior model and the fault model is embodied by the inheritance relationship between OutPropagation and Transition and the fault elements in the fault model.
The formalization of the AADL behavioral model is defined as follows:
Definition 3. The triple ZA_behavior = (OutPropagation, InPropagation, Transition) is called a ZAL behavior model, where OutPropagation is the set of outgoing faults, InPropagation is the set of incoming faults, and Transition is the set of state transitions.
The specific definitions of the elements of ZA_behavior are given below:
(1) outgoing fault OutPropagation
In the component failure behavior of AADL, when a component is in some failure state, or encounters some incoming fault, the component fails and an outgoing fault point is created. The definition method is as follows:
Figure GDA0002478084020000121
In the above schema, Δ declares both the before-state and the after-state of the state space, i.e. each variable in the state space has a before-state variable and an after-state variable (the after-state variable is written with a prime ' after the name), and the change of the variables across the operation is described by the relation between the before-state and after-state values in the predicate constraint.
The definition of the probability change of the outgoing fault point in an outgoing fault is given below. Let the fault state probability be pbcs, let there be n incoming fault points in total with probabilities pbepp_i (1 ≤ i ≤ n), and let the original probability of the outgoing fault point be pbepp (i.e. the success rate of the fault propagation behavior).
Definition 4. When a fault state causes the outgoing fault behavior, the outgoing fault point probability becomes pbcs × pbepp.
Definition 5. When an incoming fault point causes the outgoing fault behavior, the outgoing fault point probability becomes
Figure GDA0002478084020000122
(2) Incoming fault InPropagation
After an outgoing fault point is generated, the fault can propagate outwards. If a connection exists between the source component and the target component, the target component may generate an incoming fault point, and the probability distribution of the corresponding outgoing fault point is assigned to the resulting incoming fault point, as given in the predicate constraints. The definition method is as follows:
Figure GDA0002478084020000123
The definition of the probability change of the incoming fault point in an incoming fault is given below.
Definition 6. Let the probability of the outgoing fault point be pbepp; then the probability of the incoming fault point is equal to pbepp.
(3) State Transition
In the component failure behavior of AADL, state transitions are due to the occurrence of failure behavior events or incoming failures. The definition method is as follows:
Figure GDA0002478084020000131
The definition of the probability change of a component state in a state transition is given below. Let the probability of a fault behavior event be pbebe, and let there be n incoming fault points in total with probabilities pbepp_i (1 ≤ i ≤ n).
Definition 7. When a fault behavior event causes a state transition, the component state probability becomes pbebe.
Definition 8. When an incoming fault point causes a state transition, the component state probability becomes
Figure GDA0002478084020000132
The reliability evaluation method based on the ZAL model is specifically described below:
Based on the embedded software behavior model described by the ZAL model and the probability constraints in it, a probabilistic model checking technique is adopted to evaluate the reliability. The basic idea of model checking is to express the behavior of the system as a state transition system P and to use a modal/temporal logic formula
Figure GDA0002478084020000133
to describe the property of the system, converting the verification question "does the system have the expected property" into the mathematical question "does the state transition system P satisfy the formula
Figure GDA0002478084020000134
", denoted
Figure GDA0002478084020000135
Further, it is necessary to verify whether each state in P satisfies the formula
Figure GDA0002478084020000137
denoted
Figure GDA0002478084020000136
Based on the ZAL model defined above, we use probabilistic computation tree logic (PCTL) to describe a reliability measure, namely instantaneous availability, and design a reliability evaluation algorithm ZARE (reliability evaluation on AADL).
1. Probabilistic Computational Tree Logic (PCTL)
Probabilistic model checking generally takes a finite Markov chain as the model of the system, because changes in a typical probabilistic system are affected only by the current state, satisfying the Markov property. The state space of AADL is discrete, so this section describes the AADL model with a discrete-time Markov chain (DTMC). Since the DTMC we study is time-homogeneous, the state transition probabilities can be considered independent of time, so it suffices to describe the DTMC by its state transition probabilities.
Definition 9. A discrete-time Markov chain M = (S_M, S_in, Ap, L, pb, T_M) is a six-tuple in which:
(1) S_M is a finite set of states;
(2) S_in ∈ S_M is the initial state;
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) pb: S_M × S_M → [0,1] is the state transition probability function, and for any state s:
Figure GDA0002478084020000141
holds, where s' is a successor state of s;
(6)
Figure GDA0002478084020000143
is the set of state transition relations.
To complete the conversion of the ZAL model to a DTMC, we characterize the ZAL model as a quadruple
Figure GDA0002478084020000144
where:
(1) S_T is the set of relevant states of the system, namely the component states in the ZAL fault model;
(2)
Figure GDA0002478084020000146
is the initial state of the system, namely the state marked initial in the AADL fault model;
(3) the probability function prob: S_T × S_T → [0,1] represents the probability constraint imposed on a state transition. The probability is a real value, and for any state s
Figure GDA0002478084020000142
holds, where s' is a successor state of s;
(4) TR_T is the set of state transitions of the system, i.e. the state transitions in the ZAL behavior model.
The propagation of faults is explained here. In the ZAL fault model, the final probability of fault propagation, pbreal, is described in the fault propagation point element. In the ZAL behavior model, the outgoing fault and incoming fault elements describe the propagation probability of faults. Since the impact of an incoming fault on the state is also defined in the state transition element, the impact of fault propagation can be regarded as already attributed to the state transition. The quadruple T described above can therefore fully describe the probabilistic state space of the component.
The rules for converting the AADL model T to a DTMC are given below:
Suppose that
Figure GDA0002478084020000147
is the probabilistic system derived from the AADL model; it is converted to the DTMC M = (S_M, S_in, Ap, L, prob, T_M), where:
(1) S_M = {s_i : s_Ti ∈ S_T, i ∈ N}; s_i ∈ S_M is a state of the DTMC, and s_Ti ∈ S_T is the corresponding state present in the AADL model T;
(2) S_in ∈ S_M is the initial state, corresponding to
Figure GDA0002478084020000148
in the AADL model T;
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) the probability function prob → pb, i.e. prob: S_T × S_T → [0,1] = pb: S_M × S_M → [0,1], meaning that the probability value assigned by the probability function in the DTMC equals the probability distribution in the AADL model;
(6)
Figure GDA0002478084020000145
is the set of state transition relations, where s_i ∈ S_M and s_j ∈ S_M correspond to the states t_i ∈ S_T and t_j ∈ S_T of the AADL model T, indicating the start and end states respectively. Each state transition (s_i → s_j) represents the state transition (t_i → t_j) in the AADL model T.
Intuitively, when the state of the system changes, a state transition in the DTMC is exactly a state transition the AADL model undergoes at run time; the transition is random, governed by its probability value, and the same transition process is determined by the mapping rules, so the mapping preserves consistency between the two models.
Definition 10 (Path). Let M be a discrete-time Markov chain. A path π in M is an infinite sequence of states s_0, s_1, ... such that
Figure GDA0002478084020000151
The notation Paths(s) is introduced to denote the set of paths starting from s.
Definition 11 (PCTL). The syntax of PCTL state formulas over the atomic proposition set Ap is as follows:
Figure GDA0002478084020000153
where a is an atomic proposition, p ∈ [0,1], ~ ∈ {<, >, ≤, ≥}, and
Figure GDA0002478084020000154
is a path formula.
Definition 12 (PCTL path formula). A PCTL path formula
Figure GDA0002478084020000155
is defined as follows:
Figure GDA0002478084020000156
where φ, φ_1, φ_2 are state formulas.
To address the state space explosion problem of probabilistic model checking, a bounded model checking technique is adopted. The main idea of bounded model checking is to look for a witness or a counterexample of the property within a finite part of the system's state space. For the computation tree logic part of PCTL, the techniques of CTL bounded model checking can be used to define its bounded semantics.
Definition 13 (bounded semantics of PCTL). Let a ∈ Ap be an atomic proposition, M = (S_M, S_in, Ap, L, pb, T_M) a discrete-time Markov chain, s ∈ S_M, φ_1, φ_2 PCTL state formulas based on P_≥p,
Figure GDA0002478084020000157
a path formula based on P_≥p, and k a natural number (called the bound).
The satisfaction relation |=_k for state formulas is defined as:
(1) s |=_k a if and only if a ∈ L(s);
(2) s |=_k φ_1 ∧ φ_2 if and only if s |=_k φ_1 and s |=_k φ_2;
(3) s |=_k φ_1 ∨ φ_2 if and only if s |=_k φ_1 or s |=_k φ_2;
(4)
Figure GDA0002478084020000158
if and only if
Figure GDA0002478084020000159
Here,
Figure GDA00024780840200001510
The satisfaction relation |=_k for path formulas is defined as:
(1) π |=_k Xφ_1 if and only if k ≥ 1 and π(1) |=_k φ_1;
(2) π |=_k Fφ_1 if and only if there is a natural number i ≤ k such that π(i) |=_k φ_1;
(3) π |=_k Gφ_1 if and only if π(i) |=_k φ_1 for every natural number i ≤ k, and there is a natural number 0 ≤ j ≤ k such that P(π(k), π(j)) > 0, i.e. π = π(0)…π(k)(π(j)…π(k))^ω;
(4) π |=_k φ_1 U φ_2 if and only if there is a natural number i ≤ k such that π(i) |=_k φ_2 and π(j) |=_k φ_1 for every natural number j < i;
(5) π |=_k φ_1 R φ_2 if and only if: a) π(i) |=_k φ_2 for every natural number i ≤ k, and there is a natural number 0 ≤ j ≤ k such that P(π(k), π(j)) > 0, i.e. π = π(0)…π(k)(π(j)…π(k))^ω; or b) there is a natural number m ≤ k such that π(m) |=_k φ_1 and π(n) |=_k φ_2 for every natural number n < m.
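To make the bounded satisfaction relation of Definition 13 concrete, the following Python is an added example; it is not code from the patent or from its authors' tool. It implements the propositional state cases (1) to (3) and the path cases (1) to (4) of |=_k over a finite path prefix π(0)…π(k), including the back-loop condition P(π(k), π(j)) > 0 that case (3) demands before a bounded G may be accepted; the probabilistic state case (4) and the release case (5) are left out. The two-state chain used as data is constructed from the APC example later on the page (s0 = ErrorFree, s1 = Failed, pb(s0, s1) = 0.0054); the labels "ok" and "failed", the tuple encoding of formulas and the function names are my own assumptions.

```python
from typing import Dict, FrozenSet, List, Tuple

State = str
Formula = tuple  # tuple-encoded syntax tree, e.g. ("G", ("atom", "ok"))

# Constructed DTMC: the APC chain from the page's worked example, with
# s0 = ErrorFree and s1 = Failed. The labels "ok"/"failed" are assumptions.
PB: Dict[Tuple[State, State], float] = {
    ("s0", "s0"): 0.9946,
    ("s0", "s1"): 0.0054,
    ("s1", "s0"): 1.0,
}
LAB: Dict[State, FrozenSet[str]] = {
    "s0": frozenset({"ok"}),
    "s1": frozenset({"failed"}),
}


def sat_state(s: State, phi: Formula, k: int) -> bool:
    """s |=_k phi for the propositional state formulas of Definition 13:
    ("atom", a), ("and", p, q), ("or", p, q). The bound k is carried along
    to mirror |=_k; the propositional cases do not depend on it."""
    op = phi[0]
    if op == "atom":
        return phi[1] in LAB[s]  # case (1): a is in L(s)
    if op == "and":
        return sat_state(s, phi[1], k) and sat_state(s, phi[2], k)
    if op == "or":
        return sat_state(s, phi[1], k) or sat_state(s, phi[2], k)
    raise ValueError(f"unsupported state operator {op!r}")


def has_back_loop(pi: List[State], k: int) -> bool:
    """Loop condition of path case (3): some j <= k with pb(pi(k), pi(j)) > 0,
    so the finite prefix unrolls to the infinite path pi(0)..pi(k)(pi(j)..pi(k))^omega."""
    return any(PB.get((pi[k], pi[j]), 0.0) > 0.0 for j in range(k + 1))


def sat_path(pi: List[State], phi: Formula, k: int) -> bool:
    """pi |=_k phi for the path formulas ("X", p), ("F", p), ("G", p), ("U", p, q).
    pi must contain at least the k+1 states pi(0)..pi(k)."""
    if len(pi) < k + 1:
        raise ValueError("path prefix is shorter than the bound")
    op = phi[0]
    if op == "X":  # next: needs at least one step inside the bound
        return k >= 1 and sat_state(pi[1], phi[1], k)
    if op == "F":  # eventually, within the bound
        return any(sat_state(pi[i], phi[1], k) for i in range(k + 1))
    if op == "G":  # always: every prefix state, plus a loop back into the prefix
        return (all(sat_state(pi[i], phi[1], k) for i in range(k + 1))
                and has_back_loop(pi, k))
    if op == "U":  # until: phi2 at some i <= k, phi1 at every j < i
        p, q = phi[1], phi[2]
        return any(
            sat_state(pi[i], q, k) and all(sat_state(pi[j], p, k) for j in range(i))
            for i in range(k + 1)
        )
    raise ValueError(f"unsupported path operator {op!r}")
```

The loop check is what separates bounded from unbounded G: the prefix ["s1"] with k = 0 satisfies "failed" at every position, yet G failed is rejected because pb(s1, s1) = 0 gives no way to close the prefix into an infinite path, whereas a prefix of s0 states is accepted through the self-loop pb(s0, s0) > 0.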
2. Software reliability evaluation algorithm based on AADL
Definition 14 (instantaneous availability). Let a system X(t) have two possible states, normal and faulty, i.e. for t ≥ 0:
Figure GDA0002478084020000152
The instantaneous availability of the system at time t is the probability that the system is in the normal state at time t, i.e. A(t) = P(X(t) = 1).
In model checking, the atomic proposition a_s can be used to indicate the current state s, i.e. a_s true means that the current state is s. In the DTMC, the initial state S_in corresponds to the normal component state of the ZAL model. If
Figure GDA0002478084020000163
is true, then X(t) = 1, and obtaining the probability that
Figure GDA0002478084020000164
is true at the current time is equivalent to finding the instantaneous availability. The PCTL formula
Figure GDA0002478084020000165
expresses that the probability that the software system will be in the normal state in the future is not lower than r; with the bound t in PCTL standing for the time t, this is the required instantaneous availability.
On the basis of the study of the bounded model checking algorithm for PCTL, a reliability evaluation method ZARE based on the ZAL model is proposed. The basic idea of the ZARE algorithm is: give the bound an initial value and compute the corresponding probability, namely the instantaneous availability at time t; since a sequence of instantaneous availabilities is produced as t increases, a termination criterion is set; subtract the results obtained for the current and the next t, stop and take the result if the difference is smaller than the preset termination criterion, and otherwise continue the computation.
Let x(s, φ, t) = Pr(s |=_t φ).
The ZARE calculation procedure is as follows:
Input:
1) a discrete-time Markov chain M = (S_M, S_in, Ap, L, pb, T_M), where s ∈ S_M;
2) a PCTL path formula φ;
3) a bound t;
4) m, ξ (m is the increment of the bound at each step, ξ is the termination criterion);
Output: r (r = Pr(s |=_t φ)).
Step 1. Compute
Figure GDA0002478084020000161
let t = t + m and compute
Figure GDA0002478084020000162
Step 2. while x(s, φ, t) − x(s, φ, t−m) ≥ ξ do {return to Step 2};
Step 3. r = x(s, φ, t); output r.
In order to make those skilled in the art better understand the technical problems, technical solutions and technical effects in the present application, the following describes in detail an AADL-based embedded software reliability modeling and evaluation method according to the present invention with reference to the accompanying drawings and the detailed description.
Fig. 2 shows an AADL architecture model of a Flight Management System (FMS), describing the data transmission among its 6 threads. The FMS input data first undergoes basic processing in the NSP thread component and is transmitted to the INav thread component, which generates integrated navigation data and transmits it to the GP, APC and PIO thread components; the guidance and performance optimization data processed by the GP and APC thread components are transmitted to the FPP thread component to obtain flight plan data. Finally, all data destined for other subsystems is passed to them via the PIO thread component. The AADL-based embedded software reliability modeling and evaluation method of the invention is illustrated below, taking the thread APC as an example.
Step 1. Establish the AADL reliability model; Fig. 3 shows the AADL reliability model of APC.
Step 2. Extract the reliability elements from the established AADL reliability model, namely fault types, fault behaviors and fault propagation; taking APC as an example:
From the AADL reliability model of Fig. 3, it can be seen that APC contains the following reliability elements: two failure behavior events (failure event Fail, repair event Restart), two component states (initial state ErrorFree, failed state Failed), two fault propagation points (incoming fault point send1, outgoing fault point send2), and three state transitions (FailTransition, RestartTransition, BadValueTransition).
Step 3. Establish the ZAL model of APC, i.e. the fault model, the structural model and the behavior model, mainly through the following 3 steps:
Step 3-1: The ZAL fault model is specifically defined as follows:
(1) fault state
ErrorFreeCS is the initial state, with no fault type, and isInitial set to 1; FailedCS is the failed state, with fault type BadValue, and isInitial set to 0.
Figure GDA0002478084020000171
(2) Failure behavior event
The FailEbe event is of type ErrorEvent with occurrence probability distribution 0.0003, Fixed; the RestartEbe event is of type RepairEvent with occurrence probability distribution 1, Fixed.
Figure GDA0002478084020000172
(3) Points of fault propagation
The send1Epp is an incoming fault point, the fault type is BadValue, the probability distribution of the fault is related to the corresponding outgoing fault point, and the probability is assumed to be 0.0024; send2Epp is the outgoing failure point and the failure type is BadValue, with probability distribution 0.8 and Fixed.
Figure GDA0002478084020000181
Step 3-2: The ZAL structural model is specifically defined as follows:
(1) component
APC is in the initial state; its component state corresponds to ErrorFreeCS and it has no fault propagation point.
Figure GDA0002478084020000182
Connections and flows refer to the structure between components, so a component element InavCom corresponding to the thread INav is defined; it has a connection relation with the thread APC and a fault propagation point sendEpp corresponding to send1Epp in APC. Examples of the definitions of the connection and the flow are then given.
(2) connection
Figure GDA0002478084020000183
(3) flow
Figure GDA0002478084020000184
Step 3-3: The ZAL behavior model is specifically defined as follows:
(1) outgoing fault
When the APC is in the failed state FailedCS, a failure is generated, a failure propagation point is activated, and outgoing failure behavior is triggered.
Figure GDA0002478084020000191
In the above schema catchfailOp, Epp' = Epp ∪ {send2Epp} indicates that an element is added to the set of fault propagation points of the component after the outgoing fault point is generated, and the prime in pbreal' indicates the after-state of the variable.
(2) Incoming fault
The APC has an incoming fault point and can receive a fault; the component element corresponding to the thread INav, which transmits the fault to APC, is InavCom, and the corresponding fault propagation point is sendEpp.
Figure GDA0002478084020000192
(3) State Transition
The APC has 3 state transitions, FailTransition, RestartTransition and BadValueTransition, which correspond to failT, restartT and badvalue respectively. The occurrence condition of failT is that the failure behavior event FailEbe occurs; its effect is that the component state is transferred to FailedCS, and the probability distribution of the failed state is equal to that of the failure behavior event. The remaining state transitions are similar.
Figure GDA0002478084020000193
Figure GDA0002478084020000201
Step 4. Evaluate the reliability based on the ZAL model. Taking APC as an example, its state transition diagram is shown in Fig. 4 and includes 2 states, ErrorFree and Failed (denoted s_0 and s_1 respectively). The steps are as follows:
Step 4-1: The quadruple corresponding to the ZAL model of the APC thread is
Figure GDA0002478084020000202
where:
(1) S_T = {s_0, s_1}, in which the initial state is s_0;
(2)
Figure GDA0002478084020000203
(4) prob = {prob(s_0, s_1) = 0.0054, prob(s_0, s_0) = 0.9946, prob(s_1, s_0) = 1};
(5) TR_T = {(s_0, s_0), (s_0, s_1), (s_1, s_0)}.
Step 4-2: Based on the conversion rules described above, the DTMC model M_APC = (S_M, S_in, Ap, L, pb, T_M) is obtained, where:
(1) S_M = {s_0, s_1};
(2) S_in = {s_0};
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) pb = {pb(s_0, s_1) = 0.0054, pb(s_0, s_0) = 0.9946, pb(s_1, s_0) = 1};
(6) T_M = {(s_0, s_0), (s_0, s_1), (s_1, s_0)}.
Step 4-3: The property to be verified in this example is
Figure GDA0002478084020000204
i.e. the probability that the APC is in the normal state.
Step 4-4: The ZARE algorithm computes r as follows:
Input: M_APC = (S_M, S_in, Ap, L, pb, T_M), with t initially 3, increment m = 1 and termination criterion ξ = 0.00001, substituted into the ZARE algorithm.
Taking the bound equal to 3 as an example, the calculation process is as follows,
Figure GDA0002478084020000211
denoted by Fa_in.
Figure GDA0002478084020000213
We find x(s_in, Fa_in, 3) = 0.994629,
Figure GDA0002478084020000214
The value satisfying the termination criterion, calculated with a tool designed for the method, is 0.994629, so the reliability of the thread APC is 0.994629.
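The following Python is an added example, not code from the patent or from its authors' tool, that carries the ZARE procedure (Step 1 to Step 3 in the algorithm above) through on the DTMC M_APC of Step 4-2. It assumes my reading of x(s, φ, t) as the probability that the chain started in s occupies a φ-state after exactly t steps (the transient distribution, which reproduces the page's value 0.994629 for t = 3), takes the absolute difference in the termination test so that an oscillating sequence also terminates, and first checks the Definition 9 constraint that every state's outgoing probabilities sum to 1. The state names s0/s1, the property predicate and the function names are mine.

```python
from typing import Callable, Dict, Sequence, Tuple

State = str
TransitionProbs = Dict[Tuple[State, State], float]

# Constructed from the page's Step 4-2: M_APC with s0 = ErrorFree, s1 = Failed.
APC_STATES: Tuple[State, ...] = ("s0", "s1")
APC_INIT: State = "s0"
APC_PB: TransitionProbs = {
    ("s0", "s1"): 0.0054,
    ("s0", "s0"): 0.9946,
    ("s1", "s0"): 1.0,
}


def validate_dtmc(states: Sequence[State], pb: TransitionProbs, tol: float = 1e-9) -> None:
    """Definition 9 constraint: for every state s, the sum over s' of pb(s, s') is 1."""
    for s in states:
        total = sum(pb.get((s, t), 0.0) for t in states)
        if abs(total - 1.0) > tol:
            raise ValueError(f"outgoing probabilities of {s} sum to {total}, not 1")


def step_distribution(dist: Dict[State, float], states: Sequence[State],
                      pb: TransitionProbs) -> Dict[State, float]:
    """One transition of the chain: dist'(t) = sum over s of dist(s) * pb(s, t)."""
    nxt = {t: 0.0 for t in states}
    for s, p in dist.items():
        if p == 0.0:
            continue
        for t in states:
            nxt[t] += p * pb.get((s, t), 0.0)
    return nxt


def x(s: State, phi: Callable[[State], bool], t: int,
      states: Sequence[State], pb: TransitionProbs) -> float:
    """x(s, phi, t): probability that the chain started in s is in a state
    satisfying phi after exactly t steps (assumed reading of Pr(s |=_t phi))."""
    dist = {q: (1.0 if q == s else 0.0) for q in states}
    for _ in range(t):
        dist = step_distribution(dist, states, pb)
    return sum(p for q, p in dist.items() if phi(q))


def zare(s: State, phi: Callable[[State], bool], t: int, m: int, xi: float,
         states: Sequence[State], pb: TransitionProbs) -> Tuple[float, int]:
    """ZARE: returns (r, t_final) with r = x(s, phi, t_final)."""
    validate_dtmc(states, pb)
    prev = x(s, phi, t, states, pb)   # Step 1: value at the initial bound ...
    t += m
    cur = x(s, phi, t, states, pb)    # ... and at t + m
    while abs(cur - prev) >= xi:      # Step 2: keep going while the change is >= xi
        t += m
        prev, cur = cur, x(s, phi, t, states, pb)
    return cur, t                     # Step 3: r = x(s, phi, t)


def apc_availability() -> Tuple[float, int]:
    """The page's inputs: t = 3, m = 1, xi = 0.00001, property 'APC is in the normal state'."""
    def in_normal_state(q: State) -> bool:
        return q == APC_INIT
    return zare(APC_INIT, in_normal_state, 3, 1, 0.00001, APC_STATES, APC_PB)


if __name__ == "__main__":
    r, t_final = apc_availability()
    print(f"instantaneous availability r = {r:.6f} (bound reached {t_final})")
```

For this two-state chain the recursion collapses to x(t+1) = 1 − 0.0054·x(t), whose fixed point 1/1.0054 ≈ 0.994629 is the steady-state availability; the sequence is already within 10^-5 of it at t = 3, which is why ZARE stops after the first comparison and returns 0.994629 for t = 4.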
In summary, the AADL-based embedded software reliability modeling method provided by the invention combines semi-formal and formal modeling processes and is more intuitive than comparable formal methods; the ZAL model built tightly couples the embedded software component model, the fault model and their reliability constraints, and is readily verifiable; and a probabilistic model checking method can be applied to rigorously evaluate the reliability of embedded software on the basis of the ZAL model. The method of the invention can therefore effectively improve the reliability of the embedded software model, thereby reducing the cost of defect repair in the later stages of software development.

Claims (4)

1. An AADL-based embedded software reliability modeling and evaluation method is characterized by comprising the following steps:
step1, establishing a semi-formalized model, specifically establishing an AADL reliability model, which comprises a structure model and a fault model; the structure model comprises a component name, a component attribute, a connection and a flow, and the fault model comprises a fault type, a fault behavior and fault propagation;
step2, extracting reliability modeling elements in the AADL reliability model, wherein the reliability modeling elements comprise component names, connections, flows, fault behaviors and fault propagation;
step3, establishing an embedded software reliability model ZAL, specifically converting the semi-formalized model into a formalized model, expanding the model, and supplementing an operation protocol and reliability constraint thereof, including the following steps:
step 3-1, mapping the component states, fault behavior events and fault propagation points defined by the AADL reliability model to the ZAL fault model ZA_error, where the attributes of an ErrorState set element comprise the states a component can be in and the probability distribution type corresponding to the state, the attributes of an Ebe set element comprise the event type and the probability distribution type of the event occurrence, and the attributes of an Epp set element comprise the type of fault propagation and the probability distribution type of successful fault propagation;
step 3-2, mapping the component names, connections and flows defined by the AADL reliability model to the ZAL structure model ZA_structure, where the attributes of a Component set element comprise the state of the component, the current fault behavior event of the component and the current fault propagation point, the attributes of a Connection set element comprise the connection relation between components, and the attributes of a Flow set element comprise the fault propagation points through which the fault propagates;
step 3-3, mapping the fault propagation and state transitions defined by the AADL reliability model to the ZAL propagation model ZA_behavior, where the attributes of an OutPropagation set element comprise the names of the components generating faults and the fault propagation points, the attributes of an InPropagation set element comprise the names of the components transmitting faults, the connections between the components and the fault propagation points, the attributes of a Transition set element comprise the names of the components undergoing state transition, the fault behavior events and the fault propagation points, and the occurrence conditions and conditional occurrence probability distributions of these 3 set elements are described in the predicate constraints;
and 4, evaluating the reliability on the basis of the embedded software reliability model ZAL to obtain a reliability evaluation result.
2. The AADL-based embedded software reliability modeling and evaluation method according to claim 1, wherein in step 1:
the component name refers to the name of a specific device, process, thread and port in the embedded software;
the component attribute refers to the attribute of specific equipment, process, thread and port in the embedded software;
the connection refers to the connection between the components and indicates that control flow or data flow exists between the components;
the stream refers to a path for information stream transmission between the components;
the fault type refers to the type of the fault occurring in the component, including service-related fault, value-related fault and time-related fault, and also includes self-defined fault type;
the fault behavior defines fault behavior events, component states and state transitions, wherein the component states comprise a normal state and a fault state;
the fault propagation refers to the occurrence and propagation of the fault to other components, and defines a fault propagation point to indicate the direction of the fault propagation occurrence, wherein the fault propagation point comprises two types of outgoing and incoming.
3. The AADL-based embedded software reliability modeling and evaluation method according to claim 1, wherein the embedded software reliability model ZAL in step 3 is divided into three parts, namely a fault model, a structure model and a propagation model, for describing the structure, behavior and reliability constraints of the embedded software, wherein:
(a) the ZAL fault model ZA_error comprises the modeling elements fault state, fault behavior event and fault propagation point, where the probability distribution types of the elements comprise the fixed value Fixed, the Poisson distribution Poisson and the Gaussian distribution Gauss;
(b) the ZAL structural model ZA_structure comprises the modeling elements component, connection and flow;
(c) the ZAL propagation model ZA_behavior comprises the modeling elements outgoing fault, incoming fault and state transition, and the binary relations between them and the elements of ZA_error and ZA_structure.
4. The AADL-based embedded software reliability modeling and evaluation method according to claim 1, wherein the step4 of evaluating reliability based on ZAL model, in particular calculating instantaneous availability in ZAL model on bounded domain, comprises the steps of:
step 4-1, depicting the ZAL model as a quadruple
Figure FDA0002499073910000022
where:
(1) S_T is the set of relevant states of the system, namely the component states in the ZAL fault model;
(2)
Figure FDA0002499073910000023
is the initial state of the system, namely the normal state among the component states in the AADL fault model;
(3) the probability function prob: S_T × S_T → [0,1] represents the probability constraint attached to a state transition, i.e. the probability distribution of the occurrence condition of the state transition in the ZAL propagation model; the probability is a real value, and for any state s
Figure FDA0002499073910000021
holds, where s' is a successor state of s, meaning that the sum of the transition probabilities from state s to all its successor states s' is 1;
(4) TR_T is the set of state transitions of the system, i.e. the state transitions in the ZAL propagation model;
step 4-2, converting the quadruple T into a discrete-time Markov chain (DTMC), where the DTMC is a six-tuple M = (S_M, S_in, Ap, L, pb, T_M) in which:
(1) S_M is a finite set of states;
(2) S_in ∈ S_M is the initial state;
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) pb: S_M × S_M → [0,1] is the state transition probability function, and for any state s:
Figure FDA0002499073910000031
holds, where s' is a successor state of s;
(6)
Figure FDA0002499073910000032
is the set of state transition relations;
the conversion rules from the AADL model to the DTMC are:
Figure FDA0002499073910000033
is the quadruple obtained from the AADL model, which is converted to the DTMC M = (S_M, S_in, Ap, L, prob, T_M), where:
(1) S_M = {s_i : s_Ti ∈ S_T, i ∈ N}; s_i ∈ S_M is a state of the DTMC, and s_Ti ∈ S_T is the corresponding state present in the ZAL model T;
(2) S_in ∈ S_M is the initial state, corresponding to
Figure FDA0002499073910000037
in the AADL model T;
(3) Ap is a finite set of atomic propositions;
(4) L: S_M → 2^Ap is a labeling function;
(5) the probability function prob → pb, i.e. prob: S_T × S_T → [0,1] = pb: S_M × S_M → [0,1], meaning that the probability value assigned by the probability function in the DTMC equals the probability distribution in the ZAL model;
(6)
Figure FDA0002499073910000038
is the set of state transition relations, where s_i ∈ S_M and s_j ∈ S_M correspond to the states t_i ∈ S_T and t_j ∈ S_T of the AADL model T, the start and end states of the set of state transitions respectively; each state transition (s_i → s_j) represents the state transition (t_i → t_j) in the AADL model T;
step 4-3, describing the availability with probabilistic computation tree logic (PCTL), wherein:
PCTL is obtained by extending CTL temporal logic with a probability operator $P_{\sim p}$;
a PCTL path is defined as follows: let M be a discrete-time Markov chain; a path π in M is an infinite sequence of states $s_0, s_1, \ldots$ such that $P(s_i, s_{i+1}) > 0$ for all $i \ge 0$; the notation Paths(s) denotes the set of paths starting from s;
the PCTL state formulas over the atomic proposition set Ap are defined as follows:
$\Phi ::= \mathit{true} \mid a \mid \Phi \wedge \Phi \mid \neg\Phi \mid P_{\sim p}(\varphi)$,
where true is the formula that always holds; a is an atomic proposition; $\Phi \wedge \Phi$ is the conjunction of two sub-formulas; $\neg\Phi$ is the negation of a formula; $p \in [0,1]$, $\sim \in \{<, >, \le, \ge\}$, φ is a path formula, and $P_{\sim p}(\varphi)$ expresses that the probability with which φ holds satisfies the relation ~ with p;
the PCTL path formulas are defined as follows (Figure FDA0002499073910000042):
$\varphi ::= \mathrm{X}\Phi \mid \mathrm{F}\Phi \mid \mathrm{G}\Phi \mid \Phi_1\,\mathrm{U}\,\Phi_2 \mid \Phi_1 \circ \Phi_2$,
where Φ, Φ1, Φ2 are state formulas; XΦ indicates that Φ is satisfied in the next state of the path; FΦ indicates that Φ is satisfied in some future state of the path; GΦ indicates that all states on the path satisfy Φ; Φ1 U Φ2 indicates that all states on the path before the state satisfying Φ2 satisfy Φ1; Φ1 ∘ Φ2 (the operator symbol is not preserved in this text, ∘ stands in for it) indicates that Φ2 is satisfied while Φ1 is not satisfied;
the bounded semantics of PCTL are defined as follows: let $a \in Ap$ be an atomic proposition, $M = (S_M, S_{in}, Ap, L, pb, T_M)$ a discrete-time Markov chain, $s \in S_M$, Φ1 and Φ2 PCTL state formulas based on $P_{\ge p}$, φ (Figure FDA0002499073910000043) a PCTL path formula based on $P_{\ge p}$, and k a natural number called the bound;
the satisfaction relation $\models_k$ for state formulas is defined as:
(1) $s \models_k a$ if and only if $a \in L(s)$;
(2) $s \models_k \Phi_1 \wedge \Phi_2$ if and only if $s \models_k \Phi_1$ and $s \models_k \Phi_2$;
(3) $s \models_k \Phi_1 \vee \Phi_2$ if and only if $s \models_k \Phi_1$ or $s \models_k \Phi_2$;
(4) (Figure FDA0002499073910000044) if and only if (Figure FDA0002499073910000045);
the satisfaction relation $\models_k$ for path formulas is defined as:
(1) $\pi \models_k \mathrm{X}\Phi_1$ if and only if $k \ge 1$ and $\pi(1) \models_k \Phi_1$;
(2) $\pi \models_k \mathrm{F}\Phi_1$ if and only if there is a natural number $i \le k$ such that $\pi(i) \models_k \Phi_1$;
(3) $\pi \models_k \mathrm{G}\Phi_1$ if and only if $\pi(i) \models_k \Phi_1$ for every natural number $i \le k$, and there is a natural number $0 < j < k$ such that $P(\pi(k), \pi(j)) > 0$ and $\pi = \pi(0)\ldots\pi(j-1)(\pi(j)\ldots\pi(k))^\omega$, where ω denotes that the loop may repeat infinitely;
(4) $\pi \models_k \Phi_1\,\mathrm{U}\,\Phi_2$ if and only if there is a natural number $i \le k$ such that $\pi(i) \models_k \Phi_2$ and, for every natural number $j < i$, $\pi(j) \models_k \Phi_1$;
(5) $\pi \models_k \Phi_1 \circ \Phi_2$ if and only if: a) $\pi(i) \models_k \Phi_2$ for every natural number $i \le k$, and there is a natural number $0 \le j \le k$ such that $P(\pi(k), \pi(j)) > 0$ and $\pi = \pi(0)\ldots\pi(j-1)(\pi(j)\ldots\pi(k))^\omega$; or b) there is a natural number $m \le k$ such that $\pi(m) \models_k \Phi_1$ and, for every natural number $n < m$, $\pi(n) \models_k \Phi_2$;
the instantaneous availability is one of the reliability metric parameters and is defined as follows:
let the software system have a normal state and a fault state, represented by X(t), t ≥ 0, with X(t) = 1 when the system is in the normal state at time t (Figure FDA0002499073910000041);
the instantaneous availability of the system at time t is the probability that the system is in the normal state at time t, i.e. $A(t) = P(X(t) = 1)$;
in model checking, the atomic proposition $a_s$ denotes the current state s, i.e. $a_s$ being true indicates that the current state is s; in the DTMC, the initial state $S_{in}$ corresponds to the normal state of the component in the AADL model, so the proposition of Figure FDA0002499073910000053 being true corresponds to X(t) = 1, and the probability that the proposition of Figure FDA0002499073910000056 is true at the current time equals the instantaneous availability; the PCTL formula of Figure FDA0002499073910000054 expresses that the probability of the software system being in the normal state in the future is not lower than r, the time t corresponding to the bound t of PCTL; let $r = Pr(s \models_t \varphi)$ and increase t continuously; the results obtained for two successive values of t are subtracted and, if the difference is smaller than a preset termination criterion, the calculation stops and the result is obtained, otherwise the calculation continues;
step 4-4, using the reliability evaluation algorithm ZARE to calculate the value r for which the formula of Figure FDA0002499073910000055 is true, namely the corresponding instantaneous availability, thereby obtaining the reliability evaluation result;
the reliability evaluation algorithm ZARE is as follows:
let $x(s, \varphi, t) = Pr(s \models_t \varphi)$;
input:
1) the discrete-time Markov chain $M = (S_M, S_{in}, Ap, L, pb, T_M)$ and a state $s \in S_M$;
2) a PCTL path formula φ;
3) a bound t;
4) m and ξ (m is the increment of the bound at each step, ξ is the termination criterion);
output: r ($r = Pr(s \models_t \varphi)$);
Step 1. calculate $x(s, \varphi, t)$ (Figure FDA0002499073910000051);
Step 2. let t = t + m and calculate $x(s, \varphi, t)$ (Figure FDA0002499073910000052);
Step 3. if $x(s, \varphi, t) - x(s, \varphi, t - m) \ge \xi$, return to Step 2, otherwise execute the next step;
Step 4. let $r = x(s, \varphi, t)$ and output r.
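Steps 4-1 to 4-4 carried out on a small constructed model, as an added example that is not the patent's own code: a three-state DTMC (normal, degraded, failed, with hypothetical transition probabilities) is checked against the sum-to-one rule, the instantaneous availability A(t) is computed as the probability of the normal state at bound t, and the ZARE loop raises t by m until two successive results differ by less than ξ. The absolute difference is used in Step 3 so that the loop also terminates when A(t) decreases towards its limit.

```python
# Added example, not the patent's own code: a constructed three-state DTMC
# (normal / degraded / failed, hypothetical probabilities) and the ZARE-style
# iteration that raises the bound t until successive results differ by less
# than the termination criterion xi.
STATES = ["normal", "degraded", "failed"]
# Constructed transition probabilities pb(s, s'), one row per state s.
PB = {
    "normal":   {"normal": 0.97, "degraded": 0.02, "failed": 0.01},
    "degraded": {"normal": 0.50, "degraded": 0.45, "failed": 0.05},
    "failed":   {"normal": 0.20, "degraded": 0.00, "failed": 0.80},
}

def malformed_states(pb, tol=1e-9):
    """Rule (5): every state's outgoing probabilities must sum to 1.
    Returns the states that violate it (empty list means the DTMC is valid)."""
    return [s for s, row in pb.items()
            if abs(sum(row.get(s2, 0.0) for s2 in STATES) - 1.0) > tol]

def distribution_after(pb, start, t):
    """Probability of being in each state after exactly t transitions from start."""
    dist = {s: 1.0 if s == start else 0.0 for s in STATES}
    for _ in range(t):
        nxt = {s: 0.0 for s in STATES}
        for s, p in dist.items():
            for s2, q in pb[s].items():
                nxt[s2] += p * q
        dist = nxt
    return dist

def instantaneous_availability(pb, start, t):
    """A(t) = P(X(t) = 1): probability that the system is in the normal
    state after t steps, i.e. the proposition a_normal holds at bound t."""
    return distribution_after(pb, start, t)["normal"]

def zare(pb, start, t0, m, xi, max_rounds=10000):
    """Steps 1-4 of ZARE; returns (r, t) where r is the converged availability.
    Uses |difference| so the loop also stops when A(t) decreases to its limit."""
    t = t0
    prev = instantaneous_availability(pb, start, t)          # Step 1
    for _ in range(max_rounds):
        t += m                                                # Step 2
        cur = instantaneous_availability(pb, start, t)
        if abs(cur - prev) < xi:                              # Step 3
            return cur, t                                     # Step 4
        prev = cur
    raise RuntimeError("ZARE did not converge within max_rounds")

if __name__ == "__main__":
    assert not malformed_states(PB)
    r, t = zare(PB, "normal", 0, 1, 1e-6)
    print(f"instantaneous availability converged to {r:.5f} at bound t={t}")
```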
CN201710077564.9A 2017-02-14 2017-02-14 Embedded software reliability modeling and evaluating method based on AADL Active CN106874200B (en)

Publications (2)

Publication Number Publication Date
CN106874200A CN106874200A (en) 2017-06-20
CN106874200B true CN106874200B (en) 2020-07-07
