CN107169636A - Safety requirement generation method based on formalized System-Theoretic Process Analysis (STPA) - Google Patents

Info

Publication number: CN107169636A (application CN201710283349.4A); granted version CN107169636B
Authority: CN (China)
Prior art keywords: EICAS, aircraft, systems, safety, requirement
Legal status: granted, active
Original language: Chinese (zh)
Inventors: 王立松, 周颖, 胡军, 汪圆圆
Assignee (original and current): Nanjing University of Aeronautics and Astronautics
Priority and filing date: 2017-04-26; published as CN107169636A on 2017-09-15; granted as CN107169636B on 2020-12-29

Classifications

    • G06Q10/06 Resources, workflows, human or project management; enterprise or organisation planning or modelling
    • G06Q10/0631 Resource planning, allocation, distributing or scheduling for enterprises or organisations; G06Q10/06315 Needs-based resource requirements planning or analysis
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G06Q10/10 Office automation; time management; G06Q10/103 Workflow collaboration or project management


Abstract

The invention discloses a safety requirement generation method based on formalized System-Theoretic Process Analysis (STPA), characterized in that it comprises the following steps. Step 1: for the system-level hazard to be analyzed, determine the corresponding system-level safety constraint and construct the control structure diagram of the system. Step 2: identify the unsafe control actions that lead to the system hazard, and formulate refined safety constraints from those unsafe control actions. Step 3: identify the control flaws that cause the unsafe control actions, that is, the root causes of the system hazard. Step 4: extract variables from the determined safety constraints and model them formally, then verify these requirements, rejecting or modifying any that are redundant or contradictory. The invention ensures the correctness and consistency of the safety requirements of the electronic checklist system.

Description

Safety requirement generation method based on formalized System-Theoretic Process Analysis
Technical field
The present invention relates to a safety requirement generation method, and in particular to a safety requirement generation method based on formalized System-Theoretic Process Analysis (STPA).
Background technology
A checklist on an aircraft ensures that the cockpit crew can configure and operate the aircraft according to the checklist in any phase of flight. The conventional approach is for the crew to perform the checks from a paper checklist, which is prone to various errors. Although aviation regulations attach great importance to standard operating procedures (SOPs) and checklists, deviations from standard procedures and neglect of the checklist still happen from time to time in actual flight, and have caused many painful accidents. Typical checklist failures are: skipping the checklist procedure, omitting checklist items, or reading the checklist as a formality while forgetting to actually perform an item or failing to perform it for various reasons. An electronic checklist (ECL) is a computerized checklist: it displays and prompts the various check items to the pilot on a multifunction display, the crew performs the checks as prompted and records the completion of each item by key press, and the ECL continuously responds to the crew's key operations and reports the completion status of each item at any time. As electronic checklists spread, the domestically developed wide-body aircraft will also adopt this new ECL system, but research on ECL safety requirements is scarce. To obtain the safety requirements of the ECL system and thereby assure the safety of the system, a method based on formalized STPA is needed to extract the safety requirements of the ECL system.
The content of the invention
The technical problem to be solved by the invention is to provide a safety requirement generation method based on formalized STPA.
To solve the above technical problem, the technical solution adopted by the invention is:
A safety requirement generation method based on formalized System-Theoretic Process Analysis, characterized in that it comprises the following steps:
Step 1: for the system-level hazard to be analyzed, determine the corresponding system-level safety constraint and construct the control structure diagram of the system;
Step 2: identify the unsafe control actions that lead to the system hazard, and formulate refined safety constraints from those unsafe control actions;
Step 3: identify the control flaws that cause the unsafe control actions, that is, the root causes of the system hazard;
Step 4: extract variables from the determined safety constraints and model them formally, then verify these requirements, rejecting or modifying any that are redundant or contradictory.
Further, in step 1, the two system-level hazards of the electronic checklist are defined as follows:
H1. The electronic checklist content on the aircraft is incorrect;
H2. The pilot does not operate the aircraft according to the electronic checklist;
From the above system-level hazards, the corresponding system-level safety constraints can be derived:
SC1. The correctness of the electronic checklist content on the aircraft must be ensured;
SC2. The pilot must operate the aircraft according to the prompts of the electronic checklist.
Further, in step 2, the unsafe control actions of the system comprise:
1) the controller does not provide a required control action, or provides it but it is not properly executed;
2) the controller provides a wrong or unsafe control action;
3) a correct control action is provided at the wrong time;
4) a correct control action is stopped too soon or continued too long.
Further, the refined safety constraints formulated from the unsafe control actions comprise:
SC1: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt alarm information;
SC2: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt correct alarm information;
SC3: when no abnormality occurs on the aircraft, the EICAS system must not prompt alarm information;
SC4: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt alarm information within the specified time.
Further, in step 3, the causes of accidents comprise three classes: the operation of the controller, and the behaviour of the actuator and of the controlled process.
Further, in step 3, the control flaws comprise:
CF1. The EICAS system fails;
CF2. An inappropriate control algorithm in the EICAS system;
CF3. The alarm information sent by the EICAS system is lost in transmission;
CF4. The device that displays the EICAS system's alarm information fails and cannot display the information;
CF5. Transmission or display of the alarm information is delayed;
CF6. An airborne equipment sensor fails, so EICAS cannot obtain information about the airborne equipment.
Further, in step 4, the formal modeling process is:
The monitored variable Aircraft_State indicates whether the aircraft has an abnormality, and EICAS_Sen indicates whether EICAS can perceive the abnormality of the aircraft;
The item EICAS_Operate indicates whether the operation of the EICAS system is correct;
The controlled variable Safety_EICAS is defined from the item and the monitored variables and represents the safety of the EICAS system;
The EICAS safety control system comprises the following sets:
Monitored variable set: {Aircraft_State, EICAS_Sen}
Controlled variable set: {Safety_EICAS}
Item set: {EICAS_Operate}
The type definitions associated with the above sets:
TY(Aircraft_State) = {normal, abnormal}
TY(EICAS_Sen) = {can, cannot}
TY(Safety_EICAS) = {true, false}
TY(EICAS_Operate) = {EICAS_AlarmInfo, EICAS_AlarmCorrect, EICAS_AlarmTime}.
Further, in step 4, the safety requirements take the form:
SC1: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmInfo = true;
SC2: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmCorrect = true;
SC3: (Aircraft_State = normal) → EICAS_Operate.EICAS_AlarmInfo = false;
SC4: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmTime = true.
Compared with the prior art, the invention has the following advantages and effects:
1) The hazard-cause identification of STPA can pick out new causal factors that traditional techniques cannot handle; the guide words it provides ensure the completeness of the analysis, and identifying the hazard causes supplies the information the design process needs, giving software engineers guidance on eliminating or controlling these situations as far as possible.
2) The STPA method analyzes the unsafe control actions of the system and derives the safety requirements of the electronic checklist system, reducing the excessive dependence of safety analysis on expert experience; building safety into the system from the earliest concept phase is the most economical and effective way to build a safer system.
3) The four-variable model is used to give the natural-language requirements a lightweight, practical formal description and analysis, promoting the application of formal modeling techniques in the aviation field and ensuring the correctness and consistency of the safety requirements of the electronic checklist system.
Brief description of the drawings
Fig. 1 is the four-variable model diagram of the invention.
Fig. 2 is the control structure diagram of the electronic checklist system of the invention.
Fig. 3 is the hazard-cause diagram of the invention.
Fig. 4 is the schematic diagram of the item's value under each condition of the invention.
Fig. 5 is the table of controllers in the electronic checklist system of the invention.
Fig. 6 is the table of the number of UCAs and SCs for each controller of the invention.
Fig. 7 is the schematic diagram of the main mathematical symbols used in the invention and their meanings.
Embodiment
The invention is described in further detail below with reference to the drawings and by way of an embodiment; the following embodiment illustrates the invention, and the invention is not limited to it.
Fig. 7 shows the main mathematical symbols used in the specification and their meanings.
As illustrated, the safety requirement generation method based on formalized STPA of the invention comprises the following steps:
Step 1: for the system-level hazard to be analyzed, determine the corresponding system-level safety constraint and construct the control structure diagram of the system;
In systems theory, emergent properties are controlled by imposing constraints on the behaviour of individual components and on the interactions between components. Safety, as an emergent property of the system, is ensured by safety constraints, so the occurrence of a system-level hazard means that a system-level safety constraint has been violated. Therefore, besides clearly identifying the system-level hazard to be analyzed, the system-level safety constraint must also be determined, so that the subsequent analysis can determine how that safety constraint is to be achieved. Constructing the control structure of the system exposes the interactions among the components inside the system and the relations between the processes, laying the foundation for the further identification of the causes of the system hazard. Note that the control structure of the system contains not only the information shown in the control block diagram but also the description of each control process, such as the process model and the control algorithm.
Based on civil aircraft accidents, the hazards caused by the electronic checklist system that may lead to accidents are identified, and the corresponding system-level safety constraints are determined. The control structure diagram of the system is constructed to expose the interactions inside the system and the relations between the processes, laying the foundation for the further identification of the causes of the system hazard. During operation of the aircraft's electronic checklist system, if the pilot does not operate the aircraft according to the checklist content, or operates wrongly, a safety hazard results; and if the content of the electronic checklist is wrong and the pilot operates according to the wrong checklist, an accident is very likely to follow. From the analysis of the checklist's influence on flight safety, the two system-level hazards of the electronic checklist are defined as follows:
H1. The electronic checklist content on the aircraft is incorrect
H2. The pilot does not operate the aircraft according to the electronic checklist
From the above system-level hazards, the corresponding system-level safety constraints (SC) can be derived:
SC1. The correctness of the electronic checklist content on the aircraft must be ensured;
SC2. The pilot must operate the aircraft according to the prompts of the electronic checklist.
By analyzing the working principle of the aircraft's electronic checklist system and fully grasping its specific workflow, the controllers in the system are extracted, as shown in the table of Fig. 5.
From the controllers and control actions in the table of Fig. 5, the control structure diagram of the electronic checklist system shown in Fig. 2 is constructed; in the figure, "(action)" marks a control action.
Step 2: identify the unsafe control actions that lead to the system hazard, and formulate refined safety constraints from those unsafe control actions;
The unsafe control actions of a system fall into the following four classes: 1) the controller does not provide a required control action, or provides it but it is not properly executed; 2) the controller provides a wrong or unsafe control action; 3) a correct control action is provided at the wrong time (too early or too late); 4) a correct control action is stopped too soon or continued too long. These general classes serve only as a reference when identifying unsafe control actions; the specific distinctions must be made for the specific system. Furthermore, since the main purpose of hazard analysis is to find and prevent potential hazard causes before an accident occurs, specific safety constraints must be formed from the identified hazard causes, i.e. the unsafe control actions, to ensure the safety of the system.
Identify the unsafe control actions that may lead to a hazardous state. Because the airline, the flight crew, the FMS, the ECL system and the EICAS system can all act as controllers, the unsafe control actions (UCA) that lead to a hazardous system state are produced by these controllers. By analyzing these control loops, the unsafe control actions among them, i.e. the hazard sources, are identified and the corresponding safety constraints are derived.
Using the invention, 23 unsafe control actions were identified; the number for each controller is shown in the table of Fig. 6.
Taking the EICAS system as an example, its control actions are explained below. Most non-normal checklists correspond to an alert message (EICAS MESSAGE); a displayed EICAS MESSAGE indicates that a fault has occurred and prompts the pilot to select and complete the corresponding checklist. The unsafe control actions of the EICAS system can be divided into the following:
UCA1. When an abnormality occurs on the aircraft, the EICAS system does not provide alarm information;
UCA2. When an abnormality occurs on the aircraft, the EICAS system provides wrong alarm information;
UCA3. When no abnormality occurs on the aircraft, the EICAS system provides alarm information;
UCA4. When an abnormality occurs on the aircraft, the EICAS system provides alarm information too late;
UCA1 arises from the first case described in the paragraph above, i.e. the control action is not provided; UCA2 and UCA3 belong to the second case, a wrong control action is provided; UCA4 belongs to the third case, the control action is provided at the wrong time. Because the EICAS alarm prompt is a discrete event, the fourth class of unsafe control action, stopping too soon or continuing too long, does not arise.
The refined safety constraints corresponding to the above unsafe control actions are expressed as follows:
SC1: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt alarm information (for example, when the aircraft's hydraulic system fails, the EICAS system should display alarm information on the display screen);
SC2: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt correct alarm information (for example, when the aircraft's hydraulic system fails, the EICAS system should display the correct alarm information on the display screen for the crew to act on);
SC3: when no abnormality occurs on the aircraft, the EICAS system must not prompt alarm information (for example, if the engine is not on fire but the EICAS system prompts an engine fire, the pilot must give priority to handling that message, which disrupts normal aircraft operation and introduces a safety hazard);
SC4: when an abnormality perceivable by EICAS occurs on the aircraft, the EICAS system must prompt alarm information within the specified time (if the prompt comes too late, for example an EICAS alarm for an engine fire that arrives late, the accident may become more serious).
Step 3: identify the control flaws that cause the unsafe control actions, that is, the root causes of the system hazard;
The purpose of STPA is not only to find the inappropriate control actions above but also to analyze further the control flaws that cause these unsafe control actions, i.e. the causes within the system itself, such as problems in the control algorithm or in the process model, which are the general classes of control flaw. These control flaws are regarded as the most basic causes of the system hazard, and designers can improve the system design according to them to raise the safety of the system.
Analyze the causes of the unsafe control actions. The causes of accidents can be divided into three classes: controller operation; the behaviour of actuators and controlled processes; and communication and coordination between controllers and decision-makers. The control structure involves people, and the environment and behaviour-shaping mechanisms also play an important role in accident causation. The analysis here identified 48 causes of the system hazard; taking UCA1 of the EICAS system as an example, the classes of accident causes are shown in Fig. 3.
From analysis of the control loop, the following 6 control flaws can be derived:
CF1. The EICAS system fails;
CF2. An inappropriate control algorithm in the EICAS system;
CF3. The alarm information sent by the EICAS system is lost in transmission;
CF4. The device that displays the EICAS system's alarm information fails and cannot display the information;
CF5. Transmission or display of the alarm information is delayed;
CF6. An airborne equipment sensor fails, so EICAS cannot obtain information about the airborne equipment.
Step 4: extract variables from the determined safety constraints and model them formally, then verify these requirements, rejecting or modifying any that are redundant or contradictory.
The four-variable model is used to check the safety requirements for errors of grammar and type, and for errors of consistency and completeness. The structure of the four-variable model is shown in Fig. 1; it consists mainly of four variables and the relations between them:
1) Monitored variables (MV): the variables of the system's behaviour that the system observes and responds to;
2) Controlled variables (CV): the variables by which the system controls its response to the external environment;
3) Input variables (IV): the variables read in by the software, obtained from the MV by conversion through input devices;
4) Output variables (OV): the variables produced by the software, which are converted through output devices into the CV;
5) NAT: defines the natural constraints in the system environment, such as the aircraft MAX CLB;
6) REQ: defines the system requirements, indicating how the CV must change when the MV changes;
7) defines the mapping relation between MV and IV;
8) defines the mapping relation between OV and CV.
Safety requirement modeling for the ECL system. The natural-language safety constraints derived by the STPA method are not yet precise enough, so they must be analyzed and verified with a formal method. Describing and analyzing requirements rigorously with a formal method helps improve the standardization and engineering maturity of software development and assures the quality of the software product.
The safety requirements of the ECL system are modeled; the modeling process is given below, taking as an example the safety requirements derived from analyzing the interaction between the ECL system and the EICAS safety control system.
The monitored variable Aircraft_State indicates whether the aircraft has an abnormality, and EICAS_Sen indicates whether EICAS can perceive the abnormality of the aircraft;
The item EICAS_Operate indicates whether the operation of the EICAS system is correct;
The controlled variable Safety_EICAS is defined from the item and the monitored variables and represents the safety of the EICAS system;
The EICAS safety control system comprises the following sets:
Monitored variable set: {Aircraft_State, EICAS_Sen}
Controlled variable set: {Safety_EICAS}
Item set: {EICAS_Operate}
The type definitions associated with the above sets:
TY(Aircraft_State) = {normal, abnormal}
TY(EICAS_Sen) = {can, cannot}
TY(Safety_EICAS) = {true, false}
TY(EICAS_Operate) = {EICAS_AlarmInfo, EICAS_AlarmCorrect, EICAS_AlarmTime}
Under each safety requirement, the value of the item is as shown in Fig. 4.
The requirements are expressed in the form of the variables as follows:
SC1: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmInfo = true;
SC2: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmCorrect = true;
SC3: (Aircraft_State = normal) → EICAS_Operate.EICAS_AlarmInfo = false;
SC4: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmTime = true.
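As an added example (not code from the patent), the following Python encodes the type definitions and SC1 to SC4 above and carries out the checks that step 4 calls for: it enumerates every assignment of the monitored variables, reports requirements that contradict each other or are redundant, lists monitored states that no requirement covers, and computes the controlled variable Safety_EICAS for a constructed sample run. The encoding of the constraints as predicates and the helper names are this example's own assumptions.

```python
from itertools import product

# Type definitions from step 4 (monitored variables and the item EICAS_Operate).
TY_AIRCRAFT_STATE = ("normal", "abnormal")
TY_EICAS_SEN = ("can", "cannot")
TY_EICAS_OPERATE = ("EICAS_AlarmInfo", "EICAS_AlarmCorrect", "EICAS_AlarmTime")

# SC1..SC4 as (name, precondition over the monitored variables, constrained field,
# required value). The antecedents are those of the patent; encoding them as
# Python predicates is this example's own assumption.
REQUIREMENTS = (
    ("SC1", lambda st, sen: st == "abnormal" and sen == "can", "EICAS_AlarmInfo", True),
    ("SC2", lambda st, sen: st == "abnormal" and sen == "can", "EICAS_AlarmCorrect", True),
    ("SC3", lambda st, sen: st == "normal", "EICAS_AlarmInfo", False),
    ("SC4", lambda st, sen: st == "abnormal" and sen == "can", "EICAS_AlarmTime", True),
)


def monitored_states():
    """Every assignment of the monitored variables (four states for these two types)."""
    return list(product(TY_AIRCRAFT_STATE, TY_EICAS_SEN))


def obligations(state):
    """For one monitored state, the (requirement, required value) pairs on each field of EICAS_Operate."""
    st, sen = state
    obs = {field: [] for field in TY_EICAS_OPERATE}
    for name, pre, field, value in REQUIREMENTS:
        if pre(st, sen):
            obs[field].append((name, value))
    return obs


def find_contradictions():
    """States in which two requirements demand different values for the same field."""
    found = []
    for state in monitored_states():
        for field, obs in obligations(state).items():
            if len({value for _, value in obs}) > 1:
                found.append((state, field, sorted(name for name, _ in obs)))
    return found


def find_redundancies():
    """Requirement A is redundant if another requirement B fixes the same field to the
    same value on every state where A applies (B's precondition is at least as weak)."""
    redundant = []
    states = monitored_states()
    for a_name, a_pre, a_field, a_val in REQUIREMENTS:
        a_states = {s for s in states if a_pre(*s)}
        for b_name, b_pre, b_field, b_val in REQUIREMENTS:
            if a_name == b_name or (a_field, a_val) != (b_field, b_val):
                continue
            if a_states <= {s for s in states if b_pre(*s)}:
                redundant.append((a_name, b_name))
    return redundant


def find_uncovered_states():
    """Monitored states on which no requirement says anything about EICAS_Operate (completeness gap)."""
    return [s for s in monitored_states()
            if not any(obs for obs in obligations(s).values())]


def safety_eicas(state, operate):
    """The controlled variable Safety_EICAS: true iff every requirement applicable in
    `state` holds. `operate` maps each EICAS_Operate field to the value actually produced."""
    for field, obs in obligations(state).items():
        for _, required in obs:
            if operate[field] != required:
                return False
    return True


if __name__ == "__main__":
    print("contradictions:", find_contradictions())
    print("redundancies:  ", find_redundancies())
    print("uncovered:     ", find_uncovered_states())
    # Constructed sample run: an EICAS-perceivable abnormality, alarm shown correctly and on time.
    ok = {"EICAS_AlarmInfo": True, "EICAS_AlarmCorrect": True, "EICAS_AlarmTime": True}
    print("Safety_EICAS:", safety_eicas(("abnormal", "can"), ok))
```

Run stand-alone, the checks report no contradictions or redundancies among SC1 to SC4 and one uncovered monitored state, (abnormal, cannot), i.e. an abnormality that EICAS cannot perceive, which is the situation described under control flaw CF6.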
What is described above in this specification is only an illustration of the invention. Persons skilled in the technical field to which the invention belongs may make various modifications or additions to the described specific embodiment or substitute it in a similar manner; as long as they do not depart from the content of the description or exceed the scope defined by the claims, all such variants belong to the protection scope of the invention.

Claims (8)

1. a kind of demand for security generation method based on formalization Systems Theory process analysis procedure analysis, it is characterised in that include following step Suddenly:
Step one:For the system-level danger for needing to analyze, corresponding system-level security constraint, the control of constructing system are determined Structure chart processed;
Step 2:Picking out causes the incorrect control of system dangerous, and the safety refined is formulated according to incorrect controlling behavior Constraint;
Step 3:Identification causes the control defect that incorrect controlling behavior occurs, that is, the basic reason for causing system dangerous to occur;
Step 4:Pair security constraint determined carries out extraction and the Formal Modeling of variable, then these demands is verified, general Wherein the demand of redundancy or contradiction is rejected or changed.
2. according to the demand for security generation method based on formalization Systems Theory process analysis procedure analysis described in claim 1, its feature It is:In the step one, the two systems level for defining Electronic Check Lis is dangerous as follows:
H1. the Electronic Check Lis content on aircraft is incorrect;
H2. pilot operates not according to Electronic Check Lis to aircraft;
It is dangerous by said system level, it can be deduced that corresponding system-level security constraint:
SC1. the correctness of the Electronic Check Lis content on aircraft is ensured;
SC2. pilot must operate according to the prompting of Electronic Check Lis to aircraft.
3. according to the demand for security generation method based on formalization Systems Theory process analysis procedure analysis described in claim 1, its feature It is:In the step 2, the incorrect control of system is included:
1) controller does not provide required controlling behavior, or is not implemented well but there is provided controlling behavior;
2) controller provides mistake or unsafe controlling behavior;
3) correct controlling behavior appears in the time of mistake;
4) stop too early of correct controlling behavior or continue too long.
4. according to the demand for security generation method based on formalization Systems Theory process analysis procedure analysis described in claim 3, its feature It is:The security constraint that the dangerous controlling behavior formulates refinement is included
SC1:When aircraft occur EICAS it is appreciable abnormal when, EICAS systems must prompt alarm information;
SC2:When aircraft occur EICAS it is appreciable abnormal when, EICAS systems must point out correct warning information;
SC3:When aircraft does not occur abnormal, EICAS systems do not answer prompt alarm information;
SC4:When aircraft occur EICAS it is appreciable abnormal when, EICAS systems must defined time prompting alert believe Breath.
5. according to the demand for security generation method based on formalization Systems Theory process analysis procedure analysis described in claim 1, its feature It is:In the step 3, the reason of accident includes the class of behavior three of controller operation, actuator and controlled process.
6. according to the demand for security generation method based on formalization Systems Theory process analysis procedure analysis described in claim 1, its feature It is:In the step 3, control defect is included
CF1. EICAS system jams;
CF2. inappropriate control algolithm in EICAS systems;
CF3. the warning information that EICAS systems are sent is lost in the transmission;
CF4. the device display failure of the warning information of EICAS systems is shown, it is impossible to display information;
CF5. transmission or display alarm information have time delay;
CF6. airborne equipment sensor failure, EICAS can not obtain the information of airborne equipment.
7. The safety requirement generation method based on formalized System-Theoretic Process Analysis according to claim 1, characterized in that in step 4 the formal modelling process is:
The monitored variable Aircraft_State indicates whether the aircraft has an abnormality, and the monitored variable EICAS_Sen indicates whether EICAS can perceive the abnormality of the aircraft;
The term EICAS_Operate indicates whether the operation of the EICAS system is correct;
The controlled variable Safety_EICAS is defined from the term and the monitored variables and represents the safety of the EICAS system;
The EICAS safety control system comprises the following sets:
Monitored variable set: {Aircraft_State, EICAS_Sen}
Controlled variable set: {Safety_EICAS}
Term set: {EICAS_Operate}
Type definitions for the above sets:
TY(Aircraft_State) = {normal, abnormal}
TY(EICAS_Sen) = {can, cannot}
TY(Safety_EICAS) = {true, false}
TY(EICAS_Operate) = {EICAS_AlarmInfo, EICAS_AlarmCorrect, EICAS_AlarmTime}.
8. The safety requirement generation method based on formalized System-Theoretic Process Analysis according to claim 1, characterized in that in step 4 the safety requirements take the form:
SC1: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmInfo = true;
SC2: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmCorrect = true;
SC3: (Aircraft_State = normal) → EICAS_Operate.EICAS_AlarmInfo = false;
SC4: (Aircraft_State = abnormal AND EICAS_Sen = can) → EICAS_Operate.EICAS_AlarmTime = true.
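As an added, runnable illustration of the formal model in claims 7 and 8 (this code is not part of the patent and is not the inventors' tool), the types TY(...), the four safety requirements written as implications, and the controlled variable Safety_EICAS are encoded in Python, and the whole 2 x 2 x 2^3 = 32-state space is enumerated to find which values of the term EICAS_Operate each combination of monitored values permits. Three things are assumptions of this example rather than statements of the claims: Safety_EICAS is read as "all of SC1 to SC4 hold" (the claims define it from the term and the monitored variables but do not give the function), EICAS_Operate is treated as a record of three booleans because claim 8 writes EICAS_Operate.EICAS_AlarmInfo = true, and the mapping of control flaws CF2 to CF5 from claim 6 onto fields of the term (CONTROL_FLAW_EFFECT) is this example's own.

```python
"""Exhaustive check of the EICAS safety requirements SC1-SC4 over the
formal model's state space (monitored variables, term, controlled variable)."""
from itertools import product
from typing import Callable, Dict, List, Tuple

# Type definitions TY(...) taken from the model in claim 7.
TY_AIRCRAFT_STATE = ("normal", "abnormal")
TY_EICAS_SEN = ("can", "cannot")
# Assumption: the term EICAS_Operate is a record of three boolean fields,
# since claim 8 writes EICAS_Operate.EICAS_AlarmInfo = true and so on.
EICAS_OPERATE_FIELDS = ("EICAS_AlarmInfo", "EICAS_AlarmCorrect", "EICAS_AlarmTime")

State = Dict[str, object]  # keys: Aircraft_State, EICAS_Sen, EICAS_Operate


def _perceived_abnormal(s: State) -> bool:
    """Antecedent shared by SC1, SC2 and SC4."""
    return s["Aircraft_State"] == "abnormal" and s["EICAS_Sen"] == "can"


def _implies(p: bool, q: bool) -> bool:
    return (not p) or q


# Each requirement is an implication over a single state, as in claim 8.
SAFETY_CONSTRAINTS: Dict[str, Callable[[State], bool]] = {
    "SC1": lambda s: _implies(_perceived_abnormal(s), s["EICAS_Operate"]["EICAS_AlarmInfo"]),
    "SC2": lambda s: _implies(_perceived_abnormal(s), s["EICAS_Operate"]["EICAS_AlarmCorrect"]),
    "SC3": lambda s: _implies(s["Aircraft_State"] == "normal", not s["EICAS_Operate"]["EICAS_AlarmInfo"]),
    "SC4": lambda s: _implies(_perceived_abnormal(s), s["EICAS_Operate"]["EICAS_AlarmTime"]),
}


def violated(s: State) -> List[str]:
    """Names of the safety constraints that state s violates."""
    return [name for name, holds in SAFETY_CONSTRAINTS.items() if not holds(s)]


def safety_eicas(s: State) -> bool:
    """Controlled variable Safety_EICAS. Assumed reading: true iff every SC
    holds (the claims do not spell out the function)."""
    return not violated(s)


def all_states():
    """Enumerate the whole state space: 2 x 2 x 2^3 = 32 states."""
    for a, sen, bits in product(TY_AIRCRAFT_STATE, TY_EICAS_SEN,
                                product((False, True), repeat=3)):
        yield {"Aircraft_State": a, "EICAS_Sen": sen,
               "EICAS_Operate": dict(zip(EICAS_OPERATE_FIELDS, bits))}


def check_model() -> Tuple[int, int]:
    """Return (total states, states in which Safety_EICAS is true)."""
    states = list(all_states())
    return len(states), sum(safety_eicas(s) for s in states)


def safe_operations(aircraft_state: str, eicas_sen: str) -> List[Dict[str, bool]]:
    """EICAS_Operate values allowed by SC1-SC4 for the given monitored values:
    the requirement the EICAS controller must meet in that situation."""
    return [s["EICAS_Operate"] for s in all_states()
            if s["Aircraft_State"] == aircraft_state
            and s["EICAS_Sen"] == eicas_sen and safety_eicas(s)]


# Assumed mapping (this example's, not the claims') from some control flaws of
# claim 6 to their effect on the term during a perceivable abnormality.
CONTROL_FLAW_EFFECT: Dict[str, Dict[str, bool]] = {
    "CF2": {"EICAS_AlarmCorrect": False},  # inappropriate algorithm: wrong alert
    "CF3": {"EICAS_AlarmInfo": False},     # alert lost in transmission
    "CF4": {"EICAS_AlarmInfo": False},     # display failure: nothing shown
    "CF5": {"EICAS_AlarmTime": False},     # delayed transmission or display
}


def flaw_violations(flaw: str) -> List[str]:
    """Constraints broken by one control flaw when the aircraft has an
    abnormality EICAS can perceive and the controller is otherwise correct."""
    operate = {f: True for f in EICAS_OPERATE_FIELDS}
    operate.update(CONTROL_FLAW_EFFECT[flaw])
    return violated({"Aircraft_State": "abnormal", "EICAS_Sen": "can",
                     "EICAS_Operate": operate})


if __name__ == "__main__":
    total, safe = check_model()
    print(f"{safe}/{total} states satisfy every safety constraint")
    for a, sen in product(TY_AIRCRAFT_STATE, TY_EICAS_SEN):
        print(a, sen, "->", len(safe_operations(a, sen)), "allowed EICAS_Operate values")
    for flaw in CONTROL_FLAW_EFFECT:
        print(flaw, "violates", flaw_violations(flaw))
```

Enumerating the space shows that 17 of the 32 states satisfy all four constraints and that for Aircraft_State = abnormal with EICAS_Sen = cannot every EICAS_Operate value is permitted: SC1 to SC4 place no requirement on the controller in the sensor-failure situation of CF6, which is exactly the kind of gap an exhaustive check over a small formal model is meant to surface before the requirements are handed to implementers.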
Application CN201710283349.4A, priority date 2017-04-26, filing date 2017-04-26: Safety demand generation method based on formalized system theoretical process analysis (Active; granted as CN107169636B).


Publications (2)

Publication Number Publication Date
CN107169636A true CN107169636A (en) 2017-09-15
CN107169636B CN107169636B (en) 2020-12-29

Family ID: 59813647


Country Status (1): CN, CN107169636B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040205703A1 (en) * 2000-12-28 2004-10-14 Yeda Research And Development Co., Ltd. Playing in scenarios of system behavior
CN101833505A (en) * 2010-04-30 2010-09-15 天津大学 Method for detecting security bugs of software system
CN101980212A (en) * 2010-11-16 2011-02-23 中国航空无线电电子研究所 Aviation electronic checklist and implementation method thereof
CN104881606A (en) * 2015-04-30 2015-09-02 天津大学 Formalized modeling based software security requirement acquisition method


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
LEVESON N G: "A New Accident Model for Engineering Safer Systems", Safety Science, Elsevier *
李小勋 (Li Xiaoxun): "Formal safety analysis based on STAMP", 《计算机应用与软件》 (Computer Applications and Software) *
靳慧斌 (Jin Huibin): "Accident/incident-based analysis of the 'pilot operating procedures' of large passenger aircraft", 《科技和产业》 (Science Technology and Industry) *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108398940A (en) * 2018-03-16 2018-08-14 南京航空航天大学 A kind of safety analytical method based on STPA formalized models
CN109885870A (en) * 2019-01-09 2019-06-14 同济大学 A kind of verification method and system for autonomous driving vehicle expectation function safety
CN109800393A (en) * 2019-01-18 2019-05-24 南京航空航天大学 Support the implementation method of the electrical form tool of STPA method analysis UCA
CN110674473A (en) * 2019-09-12 2020-01-10 中国民航大学 Safety key software safety verification method based on STPA
CN110674473B (en) * 2019-09-12 2023-01-17 中国民航大学 Safety key software safety verification method based on STPA
CN111984229A (en) * 2020-07-24 2020-11-24 南京航空航天大学 Method for generating formal demand model for field natural language demand
CN111984229B (en) * 2020-07-24 2022-02-01 南京航空航天大学 Method for generating formal demand model for field natural language demand
CN112596475A (en) * 2020-12-01 2021-04-02 北京电子工程总体研究所 System safety analysis system based on process control
CN112596475B (en) * 2020-12-01 2021-11-23 北京电子工程总体研究所 System safety analysis system based on process control
CN112765013A (en) * 2020-12-31 2021-05-07 华侨大学 Safety analysis method and system for rail transit interlocking system
CN112987631A (en) * 2021-01-28 2021-06-18 中国水利水电科学研究院 Method and system for carrying out safety analysis on reclaimed water recycling system



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant