CN107169636A - Safety requirement generation method based on formal System-Theoretic Process Analysis - Google Patents
Safety requirement generation method based on formal System-Theoretic Process Analysis (STPA)
- Publication number
- CN107169636A (application CN201710283349.4A)
- Authority
- CN
- China
- Prior art keywords
- eicas
- aircraft
- systems
- safety
- requirement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
      - G06Q10/00—Administration; Management
        - G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
          - G06Q10/063—Operations research, analysis or management
            - G06Q10/0631—Resource planning, allocation, distributing or scheduling for enterprises or organisations
              - G06Q10/06315—Needs-based resource requirements planning or analysis
            - G06Q10/0635—Risk analysis of enterprise or organisation activities
        - G06Q10/10—Office automation; Time management
          - G06Q10/103—Workflow collaboration or project management
Landscapes
- Business, Economics & Management (AREA)
- Human Resources & Organizations (AREA)
- Engineering & Computer Science (AREA)
- Strategic Management (AREA)
- Entrepreneurship & Innovation (AREA)
- Economics (AREA)
- Tourism & Hospitality (AREA)
- Theoretical Computer Science (AREA)
- Operations Research (AREA)
- Quality & Reliability (AREA)
- Marketing (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Educational Administration (AREA)
- Development Economics (AREA)
- Game Theory and Decision Science (AREA)
- Data Mining & Analysis (AREA)
- Alarm Systems (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The invention discloses a safety requirement generation method based on formal System-Theoretic Process Analysis (STPA), comprising the following steps. Step 1: for the system-level hazards to be analysed, determine the corresponding system-level safety constraints and construct the control structure diagram of the system. Step 2: identify the unsafe control actions that lead to the system hazards, and formulate refined safety constraints from those unsafe control actions. Step 3: identify the control flaws that cause the unsafe control actions to occur, i.e. the root causes of the system hazards. Step 4: extract variables from the determined safety constraints and model them formally, then verify these requirements, rejecting or modifying any that are redundant or contradictory. The invention ensures the correctness and consistency of the safety requirements of an electronic checklist (ECL) system.
Description
Technical field
The invention relates to a safety requirement generation method, in particular to a safety requirement generation method based on formal System-Theoretic Process Analysis (STPA).
Background art
The checklist on an aircraft exists so that the cockpit crew can configure and operate the aircraft according to the checklist in every flight phase. The conventional approach is for the crew to perform the checks from a paper checklist, which is prone to various errors. Although aviation regulations attach great importance to standard operating procedures (SOPs) and checklists, deviations from SOPs and skipped checklists still occur in actual flight and have led to many painful accidents. The typical failures with checklists are: skipping the checklist procedure; omitting checklist items; or reading the checklist only nominally and then forgetting to carry out an item, or not carrying it out for some other reason. An electronic checklist (ECL) is a computerised checklist. It displays and prompts the various check items to the pilot on a multifunction display, the crew performs the checks according to the prompts and records the completion of each item by key press, and the ECL continuously responds to the crew's key operations and reports the completion status of each check item at any time. With the spread of electronic checklists, the domestically developed wide-body aircraft will also adopt this new ECL system, but research on ECL safety requirements is scarce. To obtain the safety requirements of the ECL system, and thereby a safety guarantee for the system, a method based on formal STPA is needed to extract the safety requirements of the ECL system.
Summary of the invention
The technical problem to be solved by the invention is to provide a safety requirement generation method based on formal STPA.
To solve the above technical problem, the technical solution adopted by the invention is:
A safety requirement generation method based on formal STPA, characterised in that it comprises the following steps:
Step 1: for the system-level hazards to be analysed, determine the corresponding system-level safety constraints and construct the control structure diagram of the system;
Step 2: identify the unsafe control actions that lead to the system hazards, and formulate refined safety constraints from those unsafe control actions;
Step 3: identify the control flaws that cause the unsafe control actions to occur, i.e. the root causes of the system hazards;
Step 4: extract variables from the determined safety constraints and model them formally, then verify these requirements, rejecting or modifying any that are redundant or contradictory.
Further, in step 1, the two system-level hazards of the electronic checklist are defined as follows:
H1. the content of the electronic checklist on the aircraft is incorrect;
H2. the pilot does not operate the aircraft according to the electronic checklist.
From the above system-level hazards, the corresponding system-level safety constraints are derived:
SC1. the correctness of the electronic checklist content on the aircraft is ensured;
SC2. the pilot must operate the aircraft according to the prompts of the electronic checklist.
Further, in step 2, the unsafe control actions of the system include:
1) the controller does not provide the required control action, or provides it but it is not properly executed;
2) the controller provides a wrong or unsafe control action;
3) a correct control action is provided at the wrong time;
4) a correct control action is stopped too soon or applied too long.
Further, the refined safety constraints formulated from the unsafe control actions include:
SC1: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt alarm information;
SC2: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt the correct alarm information;
SC3: when no abnormality occurs on the aircraft, the EICAS system must not prompt alarm information;
SC4: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt the alarm information within the specified time.
Further, in step 3, the causes of accidents comprise three classes: controller operation, actuator behaviour, and controlled-process behaviour.
Further, in step 3, the control flaws include:
CF1. failure of the EICAS system;
CF2. an inappropriate control algorithm in the EICAS system;
CF3. the alarm information sent by the EICAS system is lost in transmission;
CF4. the device that displays the EICAS alarm information fails and cannot display the information;
CF5. transmission or display of the alarm information is delayed;
CF6. an airborne equipment sensor fails, so EICAS cannot obtain the information of that equipment.
Further, in step 4, the formal modelling process is:
the monitored variable Aircraft_State indicates whether the aircraft has an abnormality, and the monitored variable EICAS_Sen indicates whether EICAS can perceive the abnormality of the aircraft;
the term EICAS_Operate indicates whether the operation of the EICAS system is correct;
the controlled variable Safety_EICAS is defined from the term and the monitored variables and represents the safety of the EICAS system;
the EICAS safety control system comprises the following sets:
monitored variable set: {Aircraft_State, EICAS_Sen}
controlled variable set: {Safety_EICAS}
term set: {EICAS_Operate}
The type definitions for the above sets are:
TY(Aircraft_State) = {normal, abnormal}
TY(EICAS_Sen) = {can, cannot}
TY(Safety_EICAS) = {true, false}
TY(EICAS_Operate) = {EICAS_AlarmInfo, EICAS_AlarmCorrect, EICAS_AlarmTime}.
Further, in step 4, the safety requirements take the form:
SC1: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmInfo = true;
SC2: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmCorrect = true;
SC3: (Aircraft_State = normal) → EICAS_Operate.EICAS_AlarmInfo = false;
SC4: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmTime = true.
Compared with the prior art, the invention has the following advantages and effects:
1) STPA hazard identification can pick out new causal factors that traditional techniques cannot handle; the guide words ensure the completeness of the analysis, and identifying the hazard causes supplies the information the design process needs, guiding the software engineer's design so that these situations are eliminated or controlled as far as possible.
2) The STPA method analyses the unsafe control actions of the system in a procedural way and derives the safety requirements of the ECL system, reducing the over-reliance of safety analysis on expert experience; designing safety into the system from the earliest concept stage is the most economical and effective way to build a safer system.
3) The four-variable model gives the natural-language requirements a lightweight, practical formal description and analysis, promotes the application of formal modelling in the aviation field, and ensures the correctness and consistency of the ECL system safety requirements.
Brief description of the drawings
Fig. 1 is the four-variable model diagram of the invention.
Fig. 2 is the control structure diagram of the ECL system of the invention.
Fig. 3 is the hazard cause diagram of the invention.
Fig. 4 is the condition table of the term of the invention.
Fig. 5 is the table of controllers in the ECL system of the invention.
Fig. 6 is the table of the number of UCAs and SCs for each controller of the invention.
Fig. 7 is the table of the main mathematical symbols used and their meanings.
Detailed description
The invention is described in further detail below with reference to the drawings and embodiments; the following embodiments explain the invention and the invention is not limited to them.
Fig. 7 shows the main mathematical symbols used in the description and their meanings.
As shown, the safety requirement generation method based on formal STPA of the invention comprises the following steps:
Step 1: for the system-level hazards to be analysed, determine the corresponding system-level safety constraints and construct the control structure diagram of the system.
In systems theory, emergent properties are controlled by imposing constraints on the behaviour of individual components and on the interactions between components. Safety is an emergent property of the system and is ensured by safety constraints, so the occurrence of a system-level hazard means that a system-level safety constraint has been violated. Therefore, besides clearly stating the system-level hazards to be analysed, the system-level safety constraints must be determined, so that the subsequent analysis can establish how those constraints are enforced. Constructing the control structure of the system exposes the interactions between the components inside the system and the relations between the processes, and lays the analytical foundation for identifying the causes of the system hazards. Note that the control structure of a system contains not only the information shown in the control block diagram but also a description of each control process, such as its process model and control algorithm.
Starting from civil aircraft accidents, the hazards attributable to the electronic checklist system that may lead to an accident are identified and the corresponding system-level safety constraints determined. Constructing the control structure diagram of the system exposes the interactions inside the system and the relations between the processes, laying the foundation for identifying the causes of the system hazards. During operation of the aircraft's ECL system, a safety hazard arises if the pilot does not operate the aircraft according to the checklist content or operates it incorrectly; and if the ECL content is wrong and the pilot operates according to the wrong checklist, an accident is very likely. From the analysis of the checklist's influence on flight safety, the two system-level hazards of the electronic checklist are defined as follows:
H1. the content of the electronic checklist on the aircraft is incorrect
H2. the pilot does not operate the aircraft according to the electronic checklist
From the above system-level hazards, the corresponding system-level safety constraints (SC) are derived:
SC1. the correctness of the electronic checklist content on the aircraft is ensured;
SC2. the pilot must operate the aircraft according to the prompts of the electronic checklist.
By analysing the working principle of the aircraft's ECL system and fully understanding its specific workflow, the controllers in the system are extracted, as shown in the table of Fig. 5.
From the controllers and control actions in the table of Fig. 5, the control structure diagram of the ECL system shown in Fig. 2 is constructed; in the figure, "(action)" marks a control action.
Step 2: identify the unsafe control actions that lead to the system hazards, and formulate refined safety constraints from those unsafe control actions.
Unsafe control actions fall into four classes: 1) the controller does not provide the required control action, or provides it but it is not properly executed; 2) the controller provides a wrong or unsafe control action; 3) a correct control action is provided at the wrong time (too early or too late); 4) a correct control action is stopped too soon or applied too long. These general classes are only a reference for identifying unsafe control actions; the concrete distinctions must be drawn for the specific system. Since the main purpose of hazard analysis is to find and prevent potential hazard causes before an accident occurs, the identified hazard causes, i.e. the unsafe control actions, must be turned into concrete safety constraints to ensure the safety of the system.
Identify the control actions that may lead to a hazardous state. Since the airline, the crew, the FMS, the ECL system and the EICAS system can all act as controllers, the unsafe control actions (UCA) that lead to hazardous system states are produced by these controllers. By analysing these control loops, the unsafe control actions in them, i.e. the hazard sources, are identified and the corresponding safety constraints derived.
Using the invention, 23 unsafe control actions were identified; the number for each controller is shown in the table of Fig. 6.
Taking the EICAS system as an example, its control actions are explained below. Most non-normal checklists correspond to an alert message (EICAS MESSAGE): a displayed EICAS MESSAGE indicates that a fault condition exists and prompts the pilot to select and complete the checklist. The unsafe control actions of the EICAS system fall into the following classes:
UCA1. when an abnormality occurs on the aircraft, the EICAS system does not provide alarm information;
UCA2. when an abnormality occurs on the aircraft, the EICAS system provides wrong alarm information;
UCA3. when no abnormality occurs on the aircraft, the EICAS system provides alarm information;
UCA4. when an abnormality occurs on the aircraft, the EICAS system provides the alarm information too late.
UCA1 arises from the first case described above, i.e. the control action is not provided; UCA2 and UCA3 belong to the second case, a wrong control action is provided; UCA4 belongs to the third case, the control action is provided at the wrong time. Because the EICAS alarm prompt is a discrete event, the fourth class (stopped too soon or applied too long) does not arise.
The refined safety constraints corresponding to the above unsafe control actions are expressed as follows:
SC1: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt alarm information (for example, when the aircraft's hydraulic system fails, the EICAS system should display alarm information on the display screen);
SC2: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt the correct alarm information (for example, when the aircraft's hydraulic system fails, the EICAS system should display the correct alarm information on the display screen for the crew to act on);
SC3: when no abnormality occurs on the aircraft, the EICAS system must not prompt alarm information (for example, if no engine fire exists but the EICAS system prompts an engine fire, the pilot must give that information priority, which disrupts normal operation of the aircraft and introduces a safety hazard);
SC4: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt the alarm information within the specified time (if the prompt is too late, for instance an engine fire that the EICAS system alerts too late, the accident may become more serious).
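The procedure applied by hand in Step 2 (every context combined with every guide word, the fourth guide word dropped for a discrete action, and each hazardous combination inverted into a refined safety constraint) can be mechanised. The Python below is an added example written for this page, not code from the patent: the context table, the REQUIRED/FORBIDDEN/DONT_CARE judgement function and all identifiers are assumptions, and the EICAS alert action is used only because the patent works it out. Because the generator splits the "no abnormality" context by EICAS_Sen, it produces five candidates where the patent lists four (UCA1 to UCA4).

```python
# Added example, not the patent's code: STPA guide words over a context table.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

# The four guide words of Step 2, in the patent's order (classes 1 to 4).
NOT_PROVIDED = "not provided"
PROVIDED_UNSAFE = "provided but wrong or unsafe"
WRONG_TIMING = "provided at the wrong time"
WRONG_DURATION = "stopped too soon or applied too long"
GUIDE_WORDS = (NOT_PROVIDED, PROVIDED_UNSAFE, WRONG_TIMING, WRONG_DURATION)

# Analyst's judgement of a context (assumed representation, not the patent's).
REQUIRED, FORBIDDEN, DONT_CARE = "required", "forbidden", "dont_care"

Context = Tuple[Tuple[str, str], ...]   # ((variable, value), ...)
Judgement = Callable[[Dict[str, str]], str]


@dataclass(frozen=True)
class ControlAction:
    controller: str
    action: str
    discrete: bool   # one-shot event: no duration, so guide word 4 is skipped


@dataclass(frozen=True)
class UCA:
    controller: str
    action: str
    guide_word: str
    context: Context


def context_states(context_vars: Dict[str, Tuple[str, ...]]) -> List[Context]:
    """Every assignment of the context variables (Cartesian product)."""
    names = list(context_vars)
    return [tuple(zip(names, values))
            for values in product(*(context_vars[n] for n in names))]


def generate_ucas(ca: ControlAction, context_vars: Dict[str, Tuple[str, ...]],
                  expected: Judgement) -> List[UCA]:
    """Combine every context with every applicable guide word; only the
    combinations that lead to a hazard in that context become UCAs."""
    ucas: List[UCA] = []
    for ctx in context_states(context_vars):
        need = expected(dict(ctx))
        if need == REQUIRED:
            words = [NOT_PROVIDED, PROVIDED_UNSAFE, WRONG_TIMING]
            if not ca.discrete:
                words.append(WRONG_DURATION)
        elif need == FORBIDDEN:
            words = [PROVIDED_UNSAFE]        # providing the action at all is the hazard
        else:
            words = []                       # unconstrained context
        ucas.extend(UCA(ca.controller, ca.action, w, ctx) for w in words)
    return ucas


def refined_constraint(u: UCA, expected: Judgement) -> str:
    """Invert one UCA into the refined natural-language safety constraint."""
    when = " and ".join(f"{k} = {v}" for k, v in u.context)
    if expected(dict(u.context)) == FORBIDDEN:
        must = "must not provide"
    else:
        must = {NOT_PROVIDED: "must provide",
                PROVIDED_UNSAFE: "must provide correct",
                WRONG_TIMING: "must provide, within the specified time,",
                WRONG_DURATION: "must provide for the correct duration"}[u.guide_word]
    return f"When {when}, {u.controller} {must} {u.action}"


# Worked case: the EICAS alert action with the patent's context values; the
# judgement below encodes SC1-SC4 (alert required when an abnormality is
# perceivable, forbidden when the aircraft is normal, otherwise unconstrained).
EICAS_ALERT = ControlAction("EICAS", "alarm information", discrete=True)
EICAS_CONTEXT = {"Aircraft_State": ("normal", "abnormal"),
                 "EICAS_Sen": ("can", "cannot")}


def eicas_expected(ctx: Dict[str, str]) -> str:
    if ctx["Aircraft_State"] == "normal":
        return FORBIDDEN
    if ctx["EICAS_Sen"] == "can":
        return REQUIRED
    return DONT_CARE


def eicas_ucas() -> List[UCA]:
    return generate_ucas(EICAS_ALERT, EICAS_CONTEXT, eicas_expected)


def eicas_constraints() -> List[str]:
    return [refined_constraint(u, eicas_expected) for u in eicas_ucas()]


if __name__ == "__main__":
    for u, sc in zip(eicas_ucas(), eicas_constraints()):
        cls = GUIDE_WORDS.index(u.guide_word) + 1
        print(f"UCA class {cls}: {dict(u.context)} / {u.guide_word}\n   -> {sc}")
```

The judgement function is where the analyst's knowledge enters; the generator only guarantees that no (context, guide word) pair is forgotten, which is the completeness argument the patent makes for guide words. Switching `discrete` to False for a continuous action such as thrust adds the fourth guide word in every REQUIRED context.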
Step 3: identify the control flaws that cause the unsafe control actions to occur, i.e. the root causes of the system hazards.
The purpose of STPA is not only to find the inappropriate control actions above but also to analyse further the causes of these unsafe control actions, i.e. the control flaws of the system itself, such as problems in the control algorithm or in the process model, which are the general classes of control flaw. These control flaws are regarded as the most basic causes of the system hazards, and designers can improve the system design according to them to raise the safety of the system.
Analyse the causes of the unsafe control actions. Accident causes can be divided into 3 classes: controller operation; the behaviour of actuators and controlled processes; and communication and coordination between controllers and decision makers. The control structure involves people, and the environment and behaviour-shaping mechanisms also play an important role in accident causation. The analysis here identifies 48 causes of system hazards. Taking UCA1 of the EICAS system as an example, the classes of accident causes are shown in Fig. 3.
Analysing the control loop yields the following 6 control flaws:
CF1. failure of the EICAS system;
CF2. an inappropriate control algorithm in the EICAS system;
CF3. the alarm information sent by the EICAS system is lost in transmission;
CF4. the device that displays the EICAS alarm information fails and cannot display the information;
CF5. transmission or display of the alarm information is delayed;
CF6. an airborne equipment sensor fails, so EICAS cannot obtain the information of that equipment.
Step 4: extract variables from the determined safety constraints and model them formally, then verify these requirements, rejecting or modifying any that are redundant or contradictory.
The four-variable model is used to check the safety requirements for errors of syntax and type, and for errors related to consistency and completeness. The structure of the four-variable model is shown in Fig. 1; it consists of four kinds of variable and the relations between them:
1) Monitored variables (MV): the variables of the environment that the system observes and responds to;
2) Controlled variables (CV): the variables of the environment through which the system acts in response;
3) Input variables (IV): the variables the software reads; they are obtained from the MV through the input devices;
4) Output variables (OV): the variables the software writes; through the output devices they become the CV;
5) NAT: the natural constraints in the system environment, e.g. the aircraft's MAX CLB;
6) REQ: the system requirements, stating how the CV must change when the MV change;
7) the mapping relation between MV and IV;
8) the mapping relation between OV and CV.
Safety requirement modelling of the ECL system. The natural-language safety constraints derived by the STPA method are not yet precise enough and must be analysed and verified with a formal method. Describing and analysing requirements rigorously with a formal method helps to raise the standardisation and engineering level of software development and ensures the quality of the software product.
The safety requirements of the ECL system are modelled; the modelling process is given below, taking as the example the safety requirements obtained from analysing the interaction between the ECL system and the EICAS safety control system.
The monitored variable Aircraft_State indicates whether the aircraft has an abnormality, and the monitored variable EICAS_Sen indicates whether EICAS can perceive the abnormality of the aircraft;
the term EICAS_Operate indicates whether the operation of the EICAS system is correct;
the controlled variable Safety_EICAS is defined from the term and the monitored variables and represents the safety of the EICAS system;
the EICAS safety control system comprises the following sets:
monitored variable set: {Aircraft_State, EICAS_Sen}
controlled variable set: {Safety_EICAS}
term set: {EICAS_Operate}
The type definitions for the above sets are:
TY(Aircraft_State) = {normal, abnormal}
TY(EICAS_Sen) = {can, cannot}
TY(Safety_EICAS) = {true, false}
TY(EICAS_Operate) = {EICAS_AlarmInfo, EICAS_AlarmCorrect, EICAS_AlarmTime}
The value of the term under each safety requirement is shown in Fig. 4.
The requirements are expressed in terms of the variables as follows:
SC1: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmInfo = true;
SC2: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmCorrect = true;
SC3: (Aircraft_State = normal) → EICAS_Operate.EICAS_AlarmInfo = false;
SC4: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmTime = true.
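The checks that Step 4 describes in prose (a type check of the REQ entries, rejection of contradictory and redundant requirements, and a look at what the four constraints leave unconstrained) can be carried out by exhaustive enumeration, since the monitored state space here has only four states. The Python below is an added example for this page, not the patent's own tool: the Requirement representation, the helper names and the two extra requirements SC5 and SC6 (added only to trigger the checks) are assumptions, while SC1 to SC4 and the type definitions are transcribed from the patent.

```python
# Added example, not the patent's code: enumeration-based checks on the
# four-variable-model requirements SC1-SC4 (contradiction, redundancy, gaps).
from dataclasses import dataclass
from itertools import combinations, product
from typing import Callable, Dict, List, Tuple

State = Dict[str, str]

# TY(...) of the monitored variables, transcribed from the patent.
MONITORED_TYPES: Dict[str, Tuple[str, ...]] = {
    "Aircraft_State": ("normal", "abnormal"),
    "EICAS_Sen": ("can", "cannot"),
}
# The boolean fields of the term EICAS_Operate that a requirement may fix.
TERM_FIELDS = ("EICAS_AlarmInfo", "EICAS_AlarmCorrect", "EICAS_AlarmTime")


@dataclass(frozen=True)
class Requirement:
    """One REQ entry: guard(monitored state) -> EICAS_Operate.field = value
    (assumed representation of the patent's 'condition -> assignment' form)."""
    name: str
    guard: Callable[[State], bool]
    field: str
    value: bool


def all_states() -> List[State]:
    """Every assignment of the monitored variables (four states here)."""
    names = list(MONITORED_TYPES)
    return [dict(zip(names, vals))
            for vals in product(*(MONITORED_TYPES[n] for n in names))]


def check_types(reqs: List[Requirement]) -> List[str]:
    """Requirements that fix a field outside TY(EICAS_Operate)."""
    return [r.name for r in reqs if r.field not in TERM_FIELDS]


def find_contradictions(reqs: List[Requirement]) -> List[Tuple[str, str]]:
    """Pairs whose guards hold in a common state while they fix the same
    field to different values."""
    bad = set()
    for s in all_states():
        active = [r for r in reqs if r.guard(s)]
        for a, b in combinations(active, 2):
            if a.field == b.field and a.value != b.value:
                bad.add((a.name, b.name))
    return sorted(bad)


def find_redundancies(reqs: List[Requirement]) -> List[str]:
    """A requirement is redundant when, in every state where its guard holds,
    the others already fix the same field to the same value.  Two identical
    requirements are therefore both reported; the reviewer keeps one."""
    states = all_states()
    redundant = []
    for r in reqs:
        peers = [o for o in reqs if o is not r and o.field == r.field and o.value == r.value]
        mine = [s for s in states if r.guard(s)]
        if mine and all(any(o.guard(s) for o in peers) for s in mine):
            redundant.append(r.name)
    return redundant


def find_gaps(reqs: List[Requirement]) -> List[Tuple[Tuple[str, ...], str]]:
    """(monitored values, field) slots that no requirement constrains."""
    return [(tuple(s.values()), f)
            for s in all_states() for f in TERM_FIELDS
            if not any(r.guard(s) and r.field == f for r in reqs)]


def safety_eicas(reqs: List[Requirement], s: State, operate: Dict[str, bool]) -> bool:
    """Controlled variable Safety_EICAS: true iff the term EICAS_Operate meets
    every requirement whose guard holds in monitored state s."""
    return all(operate[r.field] == r.value for r in reqs if r.guard(s))


def abnormal_and_perceived(s: State) -> bool:
    return s["Aircraft_State"] == "abnormal" and s["EICAS_Sen"] == "can"


# The patent's SC1-SC4 in this representation.
PATENT_REQS = [
    Requirement("SC1", abnormal_and_perceived, "EICAS_AlarmInfo", True),
    Requirement("SC2", abnormal_and_perceived, "EICAS_AlarmCorrect", True),
    Requirement("SC3", lambda s: s["Aircraft_State"] == "normal", "EICAS_AlarmInfo", False),
    Requirement("SC4", abnormal_and_perceived, "EICAS_AlarmTime", True),
]

# Constructed defects, not from the patent, to exercise the checks: SC5 restates
# SC1 with the conjuncts swapped; SC6 conflicts with SC3 when the aircraft is
# normal and EICAS cannot perceive anything.
EXTRA_REQS = PATENT_REQS + [
    Requirement("SC5", lambda s: s["EICAS_Sen"] == "can" and s["Aircraft_State"] == "abnormal",
                "EICAS_AlarmInfo", True),
    Requirement("SC6", lambda s: s["Aircraft_State"] == "normal" and s["EICAS_Sen"] == "cannot",
                "EICAS_AlarmInfo", True),
]


if __name__ == "__main__":
    for label, reqs in (("patent SC1-SC4", PATENT_REQS), ("with SC5/SC6", EXTRA_REQS)):
        print(f"{label}: type errors={check_types(reqs)} "
              f"contradictions={find_contradictions(reqs)} "
              f"redundant={find_redundancies(reqs)} uncovered slots={len(find_gaps(reqs))}")
```

On the patent's SC1 to SC4 the checker reports no type, contradiction or redundancy defects, but seven uncovered (state, field) slots; three of them belong to the state Aircraft_State = abnormal, EICAS_Sen = cannot, which none of the four constraints mentions. Whether that is a deliberate "don't care" or a missing requirement is exactly the question the consistency and completeness review should ask. With SC5 and SC6 added, it reports SC3 and SC6 as contradictory and SC1 and SC5 as mutually redundant, which is the rejection-or-modification decision of Step 4.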
The above description in this specification is only an illustration of the invention. Persons skilled in the technical field of the invention may make various modifications or additions to the described specific embodiments, or substitute them in a similar manner; as long as these do not depart from the content of the description or exceed the scope defined by the claims, they all fall within the protection scope of the invention.
Claims (8)
1. A safety requirement generation method based on formal System-Theoretic Process Analysis, characterised in that it comprises the following steps:
Step 1: for the system-level hazards to be analysed, determine the corresponding system-level safety constraints and construct the control structure diagram of the system;
Step 2: identify the unsafe control actions that lead to the system hazards, and formulate refined safety constraints from those unsafe control actions;
Step 3: identify the control flaws that cause the unsafe control actions to occur, i.e. the root causes of the system hazards;
Step 4: extract variables from the determined safety constraints and model them formally, then verify these requirements, rejecting or modifying any that are redundant or contradictory.
2. The safety requirement generation method based on formal System-Theoretic Process Analysis according to claim 1, characterised in that in step 1 the two system-level hazards of the electronic checklist are defined as follows:
H1. the content of the electronic checklist on the aircraft is incorrect;
H2. the pilot does not operate the aircraft according to the electronic checklist;
and from the above system-level hazards the corresponding system-level safety constraints are derived:
SC1. the correctness of the electronic checklist content on the aircraft is ensured;
SC2. the pilot must operate the aircraft according to the prompts of the electronic checklist.
3. The safety requirement generation method based on formal System-Theoretic Process Analysis according to claim 1, characterised in that in step 2 the unsafe control actions of the system include:
1) the controller does not provide the required control action, or provides it but it is not properly executed;
2) the controller provides a wrong or unsafe control action;
3) a correct control action is provided at the wrong time;
4) a correct control action is stopped too soon or applied too long.
4. The safety requirement generation method based on formal System-Theoretic Process Analysis according to claim 3, characterised in that the refined safety constraints formulated from the unsafe control actions include:
SC1: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt alarm information;
SC2: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt the correct alarm information;
SC3: when no abnormality occurs on the aircraft, the EICAS system must not prompt alarm information;
SC4: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt the alarm information within the specified time.
5. The safety requirement generation method based on formal System-Theoretic Process Analysis according to claim 1, characterised in that in step 3 the causes of accidents comprise three classes: controller operation, actuator behaviour, and controlled-process behaviour.
6. The safety requirement generation method based on formal System-Theoretic Process Analysis according to claim 1, characterised in that in step 3 the control flaws include:
CF1. failure of the EICAS system;
CF2. an inappropriate control algorithm in the EICAS system;
CF3. the alarm information sent by the EICAS system is lost in transmission;
CF4. the device that displays the EICAS alarm information fails and cannot display the information;
CF5. transmission or display of the alarm information is delayed;
CF6. an airborne equipment sensor fails, so EICAS cannot obtain the information of that equipment.
7. The safety requirement generation method based on formal System-Theoretic Process Analysis according to claim 1, characterised in that in step 4 the formal modelling process is:
the monitored variable Aircraft_State indicates whether the aircraft has an abnormality, and the monitored variable EICAS_Sen indicates whether EICAS can perceive the abnormality of the aircraft;
the term EICAS_Operate indicates whether the operation of the EICAS system is correct;
the controlled variable Safety_EICAS is defined from the term and the monitored variables and represents the safety of the EICAS system;
the EICAS safety control system comprises the following sets:
monitored variable set: {Aircraft_State, EICAS_Sen}
controlled variable set: {Safety_EICAS}
term set: {EICAS_Operate}
The type definitions for the above sets are:
TY(Aircraft_State) = {normal, abnormal}
TY(EICAS_Sen) = {can, cannot}
TY(Safety_EICAS) = {true, false}
TY(EICAS_Operate) = {EICAS_AlarmInfo, EICAS_AlarmCorrect, EICAS_AlarmTime}.
8. The safety requirement generation method based on formal System-Theoretic Process Analysis according to claim 1, characterised in that in step 4 the safety requirements take the form:
SC1: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmInfo = true;
SC2: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmCorrect = true;
SC3: (Aircraft_State = normal) → EICAS_Operate.EICAS_AlarmInfo = false;
SC4: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmTime = true.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710283349.4A CN107169636B (en) | 2017-04-26 | 2017-04-26 | Safety demand generation method based on formalized system theoretical process analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107169636A true CN107169636A (en) | 2017-09-15 |
CN107169636B CN107169636B (en) | 2020-12-29 |
Family
ID=59813647
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710283349.4A Active CN107169636B (en) | 2017-04-26 | 2017-04-26 | Safety demand generation method based on formalized system theoretical process analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107169636B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108398940A (en) * | 2018-03-16 | 2018-08-14 | Nanjing University of Aeronautics and Astronautics | Safety analysis method based on STPA formalized models |
CN109885870A (en) * | 2019-01-09 | 2019-06-14 | Tongji University | Verification method and system for the safety of the intended functionality of autonomous vehicles |
CN109800393A (en) * | 2019-01-18 | 2019-05-24 | Nanjing University of Aeronautics and Astronautics | Implementation method of a spreadsheet tool supporting UCA analysis with the STPA method |
CN110674473A (en) * | 2019-09-12 | 2020-01-10 | Civil Aviation University of China | Safety verification method for safety-critical software based on STPA |
CN110674473B (en) * | 2019-09-12 | 2023-01-17 | Civil Aviation University of China | Safety verification method for safety-critical software based on STPA |
CN111984229A (en) * | 2020-07-24 | 2020-11-24 | Nanjing University of Aeronautics and Astronautics | Method for generating a formal requirement model from domain natural-language requirements |
CN111984229B (en) * | 2020-07-24 | 2022-02-01 | Nanjing University of Aeronautics and Astronautics | Method for generating a formal requirement model from domain natural-language requirements |
CN112596475A (en) * | 2020-12-01 | 2021-04-02 | Beijing Institute of Electronic System Engineering | System safety analysis system based on process control |
CN112596475B (en) * | 2020-12-01 | 2021-11-23 | Beijing Institute of Electronic System Engineering | System safety analysis system based on process control |
CN112765013A (en) * | 2020-12-31 | 2021-05-07 | Huaqiao University | Safety analysis method and system for rail transit interlocking systems |
CN112987631A (en) * | 2021-01-28 | 2021-06-18 | China Institute of Water Resources and Hydropower Research | Method and system for safety analysis of a reclaimed water reuse system |
Also Published As
Publication number | Publication date |
---|---|
CN107169636B (en) | 2020-12-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||