CN109522718A - FADEC software security analysis method and device - Google Patents


Info

Publication number: CN109522718A
Authority: CN (China)
Prior art keywords: hazard event, event, rise, hazard, security requirement
Legal status: Pending
Application number: CN201811204107.2A
Other languages: Chinese (zh)
Inventors: 钟德明, 丁玉新, 孙睿
Current assignee: Beihang University
Original assignee: Beihang University
Application filed by Beihang University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3604 Software analysis for verifying properties of programs
    • G06F 11/3608 Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation

Abstract

An embodiment of the present invention provides a FADEC software security analysis method and device. The method comprises: analyzing the FADEC software with the FHA method to obtain the high-level hazard events of the FADEC software and their security requirements; using the FTA method, according to the high-level hazard events and their security requirements, obtaining the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event security requirements and bottom-layer hazard event security requirements of the FADEC software, and constructing a fault tree; analyzing the AND-gate events in the fault tree with the CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, analyzing each bottom-layer hazard event with the FMEA method; and judging, from the analysis result of each bottom-layer hazard event, whether the FADEC software meets a preset security requirement. The embodiment analyzes the security of FADEC software more comprehensively and yields a more accurate result.

Description

FADEC software security analysis method and device
Technical field
The embodiment of the present invention belongs to the technical field of airborne software security, and more particularly relates to a FADEC software security analysis method and device.
Background art
FADEC (Full Authority Digital Engine Control) software is responsible for engine starting, operation and shutdown control, for monitoring, and for instruction and data extraction; it also records and stores the parameters of each APU (Accelerated Processing Unit) start and the fault information. Performing a security analysis of FADEC software before it is put into use is therefore of great significance.
At present, the logical security of FADEC software is analyzed with the NuSMV checking tool, and the fault-chain security of FADEC software is analyzed with the FHA (Function Hazard Analysis), FTA (Fault Tree Analysis), CMA (Common Mode Analysis) or FMEA (Failure Mode and Effect Analysis) method. A fault chain is the path along which a bottom-layer event propagates upward, level by level, to cause a higher-layer event.
The NuSMV checking tool performs logical security detection of major systems but cannot detect system failures caused by a single-point failure; the FHA method can only trace the potential high-level hazards of a system and cannot decompose, locate and verify hazards; the FTA method requires the top event to be given in advance; the CMA method cannot determine its own analysis object; the FMEA method can be used to decompose and locate system hazards and to investigate bottom-layer failure modes of the system, but it cannot identify the AND-gate events in hazard decomposition and location, and when the decomposition and location involve many levels the analysis becomes complicated and traceability is poor. Therefore, using the NuSMV checking tool, the FHA method, the FTA method, the CMA method or the FMEA method alone cannot provide an accurate and comprehensive security analysis of FADEC software.
Summary of the invention
To overcome the problem that the existing methods above cannot perform an accurate and comprehensive security analysis of FADEC software, or at least to partially solve it, the embodiment of the present invention provides a FADEC software security analysis method and device.
According to a first aspect of the embodiments of the present invention, a FADEC software security analysis method is provided, comprising:
analyzing the FADEC software with the FHA method to obtain the high-level hazard events of the FADEC software and the high-level hazard event security requirements;
using the FTA method, according to the high-level hazard events and the high-level hazard event security requirements, obtaining the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event security requirements and bottom-layer hazard event security requirements of the FADEC software, and constructing the fault tree of the FADEC software from the high-level hazard events, high-level hazard event security requirements, middle-layer hazard events, middle-layer hazard event security requirements, bottom-layer hazard events and bottom-layer hazard event security requirements;
analyzing the AND-gate events in the fault tree with the CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, analyzing each bottom-layer hazard event with the FMEA method;
judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets a preset security requirement.
According to a second aspect of the embodiments of the present invention, a FADEC software security analysis device is provided, comprising:
an analysis module, for analyzing the FADEC software with the FHA method to obtain the high-level hazard events of the FADEC software and the high-level hazard event security requirements;
a construction module, for using the FTA method, according to the high-level hazard events and the high-level hazard event security requirements, to obtain the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event security requirements and bottom-layer hazard event security requirements of the FADEC software, and for constructing the fault tree of the FADEC software from the high-level hazard events, high-level hazard event security requirements, middle-layer hazard events, middle-layer hazard event security requirements, bottom-layer hazard events and bottom-layer hazard event security requirements;
an optimization module, for analyzing the AND-gate events in the fault tree with the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, analyzing each bottom-layer hazard event with the FMEA method;
a judgment module, for judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset security requirement.
According to a third aspect of the embodiments of the present invention, an electronic device is also provided, comprising:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to perform the FADEC software security analysis method provided by any of the possible implementations of the first aspect.
According to a fourth aspect of the embodiments of the present invention, a non-transitory computer-readable storage medium is also provided. The non-transitory computer-readable storage medium stores computer instructions that cause a computer to execute the FADEC software security analysis method provided by any of the possible implementations of the first aspect.
The embodiment of the present invention provides a FADEC software security analysis method and device. The method analyzes the FADEC software with the FHA method to obtain its high-level hazard events; with the FTA method, from the high-level hazard events obtained by the FHA method, it obtains the middle-layer and bottom-layer hazard events of the FADEC software and constructs the FADEC software fault tree; it analyzes the AND-gate events in the fault tree with the CMA method and, when all AND-gate events in the fault tree meet the preset independence requirement, analyzes each bottom-layer hazard event with the FMEA method; and from the FMEA analysis result it determines whether the FADEC software meets the preset security requirement. By combining FHA, FTA, CMA and FMEA, the embodiment performs a comprehensive analysis of the fault-chain hazards of the FADEC software; the security analysis is more comprehensive and its result more accurate.
Detailed description of the invention
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is an overall flow diagram of the FADEC software security analysis method provided in an embodiment of the present invention;
Fig. 2 is a diagram of the fault tree in the FADEC software security analysis method provided in an embodiment of the present invention;
Fig. 3 is a diagram of the updated fault tree in the FADEC software security analysis method provided in an embodiment of the present invention;
Fig. 4 is an overall structural diagram of the FADEC software security analysis device provided in an embodiment of the present invention;
Fig. 5 is an overall structural diagram of the electronic device provided in an embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
A FADEC software security analysis method is provided in one embodiment of the present invention. Fig. 1 is the overall flow diagram of the FADEC software security analysis method provided in this embodiment. The method comprises: S101, analyzing the FADEC software with the FHA method to obtain the high-level hazard events of the FADEC software and the high-level hazard event security requirements;
The FHA method is an analysis method that reasons from cause to effect: by analyzing the functions the system may fail to realize, realize incorrectly, or realize at the wrong time, it identifies hazard events from the security effects they cause and assesses the risk that may result from functional failure, degradation or loss. According to the severity of the risk, a requirement on the occurrence probability of the corresponding hazard event, i.e. a security index, is proposed. According to SAE ARP 4761, risk severity is divided into four grades: catastrophic, serious, dangerous and general. A corresponding security requirement is assigned to each severity grade. Analyzing the FADEC software with the FHA method yields the high-level hazard events of the FADEC software and their security requirements. A high-level hazard event is a top-level hazard event, and its security requirement is an abstract probability; a high-level hazard event is caused by several middle-layer hazard events, and a middle-layer hazard event is caused by several middle-layer hazard events and/or several bottom-layer hazard events. For example, in the anti-icing function of the FADEC software, failure of the anti-icing control function is a high-level hazard event.
S102, using the FTA method, according to the high-level hazard events and the high-level hazard event security requirements, obtaining the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event security requirements and bottom-layer hazard event security requirements of the FADEC software, and constructing the fault tree of the FADEC software from the high-level hazard events, high-level hazard event security requirements, middle-layer hazard events, middle-layer hazard event security requirements, bottom-layer hazard events and bottom-layer hazard event security requirements;
The FTA method is a top-down analysis method that helps identify potential causes of system failure and catastrophic risk factors, so that the FADEC software can be improved. The high-level hazard event is decomposed with the FTA method until the bottom-layer hazard events are located, and the relationships between the hazard events are established with logic symbols; in this way the middle-layer hazard events of the FADEC software are determined from the high-level hazard event, and the bottom-layer hazard events of the FADEC software are determined from its middle-layer hazard events.
S103, analyzing the AND-gate events in the fault tree with the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, analyzing each bottom-layer hazard event with the FMEA method;
The CMA method detects common-mode failures that affect the independence of multiple units and is used to check the independence between system functions or components. The analysis objects of CMA are mainly the potential common-mode failures, cascading failures and multiple failures that may violate the independence principle and eventually lead to a catastrophic failure state. In this embodiment the CMA method is used to perform an independence analysis of the AND-gate events in the fault tree, which ensures the independence of the AND gates in the fault tree. CMA can serve as an auxiliary analysis method for hazard decomposition and location, used to confirm the independence obtained when system hazards are decomposed.
The AND-gate events in the fault tree obtained by the FTA method are analyzed with the CMA method to judge whether each AND-gate event in the fault tree meets the preset independence requirement. For example, since failure of the manual anti-icing function together with failure of the automatic anti-icing function leads to failure of the FADEC anti-icing function, the preset independence requirement corresponding to the AND-gate event of the manual and automatic anti-icing functions is that manual anti-icing function failure and automatic anti-icing function failure are mutually independent. If an AND-gate event in the fault tree does not meet the preset independence requirement, the common-mode hazard that violates the requirement is improved until every AND-gate event in the fault tree meets its corresponding preset independence requirement. If all AND-gate events in the fault tree meet the preset independence requirement, each bottom-layer hazard event is analyzed with the FMEA method.
The FMEA method is used to examine the failure modes of a system, function or component, and to analyze the failure rate of each failure mode and the failure effect it produces; the analysis result includes the failed component or function, the failure mode, the failure rate and the failure effect. Analyzing each bottom-layer hazard event with the FMEA method determines the hazard attributes of the bottom-layer hazard event, which constitute the analysis result of the FMEA method.
S104, judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset security requirement.
The FMEA analysis result for each bottom-layer hazard event determines the occurrence probability of that bottom-layer hazard event. Whether the FADEC software meets the preset security requirement is then judged from the occurrence probabilities of the bottom-layer hazard events.
This embodiment analyzes the FADEC software with the FHA method to obtain its high-level hazard events and their security requirements; with the FTA method, from the FHA result, it obtains the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event security requirements and bottom-layer hazard event security requirements of the FADEC software and constructs the FADEC software fault tree; it analyzes the AND-gate events in the fault tree with the CMA method and, when all AND-gate events in the fault tree meet the preset independence requirement, analyzes each bottom-layer hazard event with the FMEA method; and from the FMEA analysis result it determines whether the FADEC software meets the security requirement. By combining FHA, FTA, CMA and FMEA, this embodiment performs a comprehensive analysis of the fault-chain hazards of the FADEC software; the security analysis is more comprehensive and its result more accurate.
On the basis of the above embodiment, in this embodiment the step of analyzing the FADEC software with the FHA method to obtain the high-level hazard events of the FADEC software and the high-level hazard event security requirements specifically includes: analyzing the requirements specification of the FADEC software with the FHA method to obtain the high-level hazard events of the FADEC software; analyzing the effect of each high-level hazard event with the FHA method to obtain the effect grade of the high-level hazard event; and analyzing the effect grade with the FHA method to obtain the high-level hazard security requirement of the FADEC software.
The requirements specification of the FADEC software is the initial agreement between the user and the software developer on the FADEC software and the basis for its development; it covers hardware, function, performance, input and output, interface requirements, data and database, and documentation requirements. This embodiment analyzes the requirements description of the FADEC software with the FHA method to obtain the high-level hazard events of the FADEC software. The detailed process is: analyze the functions of the FADEC software and determine the potential functional failure states; analyze the effects of each functional failure and determine them; analyze the severity of each functional failure effect and determine the severity of the functional failure; specify the method for further analysis of the functional failure, such as the FTA method; and generate the FHA table, which determines the functional hazards and their preset security requirements. For example, the FHA table obtained with the FHA method for the anti-icing function of the FADEC software is shown in Table 1. The preset security requirements are: the probability of anti-icing control function failure in each flight should be less than 5E-7; the probability that the anti-icing control cannot be closed in each flight should be less than 5E-3; and the probability that the anti-icing control is accidentally opened in each flight should be less than 5E-3. The average duration of each aircraft mission is 5 hours.
Table 1 FHA table of the FADEC software anti-icing function
On the basis of the above embodiment, in this embodiment the step of using the FTA method, according to the high-level hazard events and the high-level hazard event security requirements, to obtain the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event security requirements and bottom-layer hazard event security requirements of the FADEC software, and of constructing the fault tree of the FADEC software from the high-level hazard events, high-level hazard event security requirements, middle-layer hazard events, middle-layer hazard event security requirements, bottom-layer hazard events and bottom-layer hazard event security requirements, specifically includes: according to the outline design specification of the FADEC software, obtaining with the FTA method the middle-layer hazard events and bottom-layer hazard events that lead to the high-level hazard event, together with the middle-layer hazard event security requirements and bottom-layer hazard event security requirements; and, based on the association relationships between the high-level hazard event and each middle-layer hazard event, between the middle-layer hazard events, and between each middle-layer hazard event and each bottom-layer hazard event, decomposing the high-level hazard event security requirement downward onto the middle-layer hazard events and the bottom-layer hazard events, thereby constructing the fault tree of the FADEC software.
The outline design specification of the FADEC software concerns the program system design of the FADEC software, including the basic processing flow of the program system, the organizational structure of the program system, module division, function allocation, interface design, operating environment, security design and data structure design, and provides the basis for the detailed design of the program. This embodiment analyzes the outline design description of the FADEC software with the FTA method to obtain the middle-layer and bottom-layer hazard events of the FADEC software and their security requirements, and constructs the FADEC software fault tree. According to the pre-stored association relationships between the high-level hazard event and each middle-layer hazard event, between the middle-layer hazard events, and between each middle-layer hazard event and each bottom-layer hazard event, the security requirement of the high-level hazard event is decomposed downward onto the middle-layer and bottom-layer hazard events, and the FADEC software fault tree is constructed. Specifically, the high-level hazard and the high-level hazard security requirement obtained by the FHA method are taken as the analysis object: the high-level hazard event is decomposed to obtain the middle-layer hazard events that cause it and their security requirements; each middle-layer hazard event is decomposed to obtain the middle-layer hazard events and/or bottom-layer hazard events that cause it; and each middle-layer hazard event security requirement is decomposed to obtain middle-layer hazard event security requirements and/or bottom-layer hazard event security requirements, so that the FADEC software fault tree is constructed. The anti-icing function fault tree of the FADEC software is shown in Fig. 2, where the number below each box is the security requirement of that hazard event, a requirement preset per flight. For example, the number 5.00E-7 below "anti-icing control function failure" indicates that the probability of anti-icing control function failure in each flight should be less than 5.00E-7; the hazard events in round boxes are bottom-layer hazard events. The high-level hazard event, "the probability of anti-icing control function failure should be less than 5E-7 per flight", is taken as the analysis object and decomposed to obtain the middle-layer and bottom-layer hazard events, and the security requirement of the high-level hazard event is allocated downward to the middle-layer and bottom-layer hazard events. The bottom-layer hazard events and their security requirements are then summarized; for example, the probability of anti-icing control logic exception is 0, the probability of solenoid valve fault control logic exception is 0, and the probability of solenoid valve cooperative control logic exception is 0.
On the basis of the above embodiment, in this embodiment the preset independence requirement is that the occurrences of the inputs of an AND-gate event are mutually independent.
When the fault tree constructed by the FTA method is subjected to independence analysis of its AND-gate events with the CMA method, the hazard events in the AND-gate events of the fault tree are identified first. For example, the hazard events in the AND-gate events of the FADEC software anti-icing function fault tree include manual anti-icing function failure and automatic anti-icing function failure, channel A output failure and channel B output failure, and cooperative control exception and automatic control exception. The preset independence requirement is determined from the functional effect on the FADEC software when the hazard events in an AND-gate event occur in common mode. For example, manual anti-icing function failure together with automatic anti-icing function failure leads to failure of the FADEC anti-icing function, so the preset independence requirement is that manual anti-icing function failure and automatic anti-icing function failure are mutually independent; channel A output failure together with channel B output failure leads to failure of the FADEC anti-icing function, so the preset independence requirement is that channel A output failure and channel B output failure are mutually independent; cooperative control exception together with fault control exception leads to failure of the FADEC anti-icing function, so the preset independence requirement is that cooperative control failure and fault control failure are mutually independent. The hazard events in each AND-gate event are analyzed, and if the hazard events in an AND-gate event do not meet the preset independence requirement, the FADEC software is improved according to Table 2 so that the hazard events in the AND-gate event meet the preset independence requirement.
On the basis of the above embodiment, in this embodiment the step of analyzing each bottom-layer hazard event with the FMEA method specifically includes: according to the detailed design specification of the FADEC software, obtaining the detailed design document of each bottom-layer hazard event from the detailed design specification; according to the detailed design document of each bottom-layer hazard event, obtaining the code segment of each bottom-layer hazard event; examining the code segment of each bottom-layer hazard event to obtain its code defects; and determining the occurrence probability of each bottom-layer hazard event from its code defects.
The detailed design specification of the FADEC software concerns the design of each module at each level of the FADEC software system and designs the specific implementation of the FADEC preliminary design. This embodiment analyzes the detailed design specification of the FADEC software with the FMEA method to obtain the middle-layer and bottom-layer hazard events of the FADEC software and their security requirements, and constructs the FADEC software fault tree.
Table 2 FADEC software anti-icing checklist
In the FMEA method, the bottom-layer hazard events of the FADEC software are taken as the analysis object. From the detailed design description of the FADEC software, the detailed design document of each FADEC bottom-layer hazard event is obtained, and from it the code segment of each bottom-layer hazard event. The code segment of each bottom-layer hazard event is analyzed line by line to obtain its code defects. If a bottom-layer hazard event has a code defect, its occurrence probability is set to 1. For example, in Fig. 2 the bottom-layer hazard events of the FADEC software anti-icing function are anti-icing control logic exception, cooperative control exception, fault control exception, FADEC data transmission error, FADEC data calculation strategy error, engine data transmission error, engine data calculation strategy error, flight control data transmission error and flight control data calculation strategy error; the code defects present in the code segment of each of these bottom-layer hazard events are obtained. If a bottom-layer hazard event has a code defect, it is assigned the code failure mode and its occurrence probability is set to 1. The resulting FMEA table is shown in Table 3. From the occurrence probability of each bottom-layer hazard event, the occurrence probability of each hazard event in the fault tree is determined, i.e. the actual occurrence probability of each middle-layer hazard event and of the high-level hazard in the fault tree is obtained, and whether the FADEC software meets the security requirement is judged from the actual occurrence probabilities of the hazards.
Table 3 FMEA table of the FADEC software anti-icing function
On the basis of the above embodiment, in this embodiment the step of judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset security requirement specifically includes: determining the occurrence probability of each middle-layer hazard event from the occurrence probabilities of the bottom-layer hazard events; determining the occurrence probability of the high-level hazard event from the occurrence probabilities of the middle-layer hazard events; and judging whether the occurrence probability of the high-level hazard event meets the preset security requirement.
Specifically, the occurrence probability of each middle-layer hazard event is determined from the occurrence probabilities of the bottom-layer hazard events, and the occurrence probability of the high-level hazard event is determined from the occurrence probabilities of the middle-layer hazard events; the fault tree updated with the actual occurrence probability of each hazard event is shown in Fig. 3. As Fig. 3 shows, the actual occurrence probability of loss of the anti-icing function in each flight is 8.16E-7, which does not meet the preset security requirement on the occurrence probability of loss of the anti-icing function in each flight given in Fig. 2.
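The FTA allocation, CMA independence check, FMEA probability assignment and final judgment described above, run end to end over a small fault tree. This is an added example, not code from the patent; only the 5E-7 per-flight requirement on anti-icing control function failure and the rule that a bottom event with a code defect gets probability 1 come from the text, while the tree shape, event names, resource names, bottom-event probabilities and the equal-apportionment rule for allocating requirements are assumptions made for the example.

```python
"""Added example, not the patent's code: the FTA -> CMA -> FMEA -> judgment chain
over a constructed anti-icing fault tree. Only the 5E-7 per-flight requirement and
the rule 'bottom event with a code defect gets probability 1' come from the text."""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Event:
    """Fault-tree node: an AND/OR gate, or (gate is None) a bottom hazard event."""
    name: str
    gate: Optional[str] = None                 # "AND" / "OR" for inner nodes
    children: List["Event"] = field(default_factory=list)
    requirement: Optional[float] = None        # allocated per-flight probability bound
    probability: float = 0.0                   # bottom events: FMEA-derived probability
    depends_on: Set[str] = field(default_factory=set)  # bottom events: resources used (CMA)
    code_defect: bool = False                  # bottom events: code review found a defect

def allocate_requirements(event: Event, requirement: float) -> None:
    """FTA step: push the requirement down. Equal apportionment is assumed:
    OR children get 1/n of the budget, AND children get the n-th root."""
    event.requirement = requirement
    n = len(event.children)
    if n == 0:
        return
    share = requirement / n if event.gate == "OR" else requirement ** (1.0 / n)
    for child in event.children:
        allocate_requirements(child, share)

def resources(event: Event) -> Set[str]:
    """Every resource the subtree under `event` depends on."""
    if not event.children:
        return set(event.depends_on)
    return set().union(*(resources(c) for c in event.children))

def cma_violations(event: Event) -> List[str]:
    """CMA step: inputs of every AND gate must be mutually independent. Here a
    resource shared by two inputs is treated as a common-mode failure source."""
    found = []
    if event.gate == "AND":
        for i, a in enumerate(event.children):
            for b in event.children[i + 1:]:
                shared = resources(a) & resources(b)
                if shared:
                    found.append(f"{event.name}: {a.name} / {b.name} share {sorted(shared)}")
    for child in event.children:
        found.extend(cma_violations(child))
    return found

def apply_fmea(event: Event) -> None:
    """FMEA step: a bottom event whose code segment has a defect becomes a code
    failure mode with occurrence probability 1."""
    if not event.children:
        if event.code_defect:
            event.probability = 1.0
        return
    for child in event.children:
        apply_fmea(child)

def probability(event: Event) -> float:
    """Propagate upward: AND = product (valid only after the CMA check passes),
    OR = 1 - prod(1 - p_i)."""
    if not event.children:
        return event.probability
    ps = [probability(c) for c in event.children]
    if event.gate == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)

def build_tree() -> Event:
    """Constructed tree for 'anti-icing control function failure' (shape, names
    and bottom-event probabilities are made up for the example)."""
    manual = Event("manual anti-icing function failure", probability=1e-4,
                   depends_on={"manual_switch"})
    auto = Event("automatic anti-icing function failure", probability=2e-4,
                 depends_on={"auto_controller"})
    logic = Event("anti-icing control logic exception", depends_on={"control_sw"})
    both = Event("manual and automatic anti-icing both fail", gate="AND",
                 children=[manual, auto])
    top = Event("anti-icing control function failure", gate="OR", children=[both, logic])
    allocate_requirements(top, 5e-7)  # per-flight requirement from the FHA table
    return top

def analyse(top: Event) -> dict:
    """CMA first; if independence holds, FMEA, then judge top event vs requirement."""
    violations = cma_violations(top)
    if violations:  # the text improves the common-mode hazard before continuing
        return {"independent": False, "violations": violations, "meets": None}
    apply_fmea(top)
    p = probability(top)
    return {"independent": True, "top_probability": p,
            "requirement": top.requirement, "meets": p < top.requirement}

if __name__ == "__main__":
    print("clean tree:", analyse(build_tree()))
    defective = build_tree()
    defective.children[1].code_defect = True  # review found a defect in the logic code
    print("with code defect:", analyse(defective))
```

With the constructed values the clean tree passes at 2E-8 per flight, while a single code defect in the logic bottom event drives the top-event probability to 1 and the judgment to "not met", mirroring the Fig. 2 to Fig. 3 update.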
On the basis of the above embodiments, the present embodiment further includes: performing safety analysis of the FADEC software based on NuSMV.
NuSMV is an open-architecture verification tool that can automatically verify the logical safety of a system design. NuSMV is used to analyze the safety problems caused by logic hazards in the FADEC software. The analysis proceeds in three steps: a logical model of the FADEC software is built in the SMV language; safety constraints on the FADEC software are expressed in temporal logic; and the built model is checked for whether it satisfies the safety constraints. If the check result is "True", the FADEC software satisfies the safety constraint and has no logic hazard; if the check result is "False", the FADEC software does not satisfy the safety constraint and a logic hazard exists, and NuSMV also provides the path along which the safety constraint is violated.
When building the model, the state machines of the FADEC software are defined with the MODULE keyword. The state machine of the FADEC software consists of a main module and submodules. The main module is the execution entry of the NuSMV model: an executable NuSMV model must contain a main module, which is normally the top of the system model and contains the state machines of the subsystems. Submodules are named according to the specific situation of the FADEC software. The state variables of the FADEC software are defined with the VAR keyword. After each module of the FADEC software has been defined, the state set of each module is defined; after the state set of the FADEC software has been defined, the transition relation over the state set is defined. The initial state and the transition relation are declared with the ASSIGN keyword: the initial state with the init keyword and the next state with the next keyword. If the next state differs depending on the current state, it can be defined with the case keyword, and the esac keyword ends the definition of the transition relation.
When determining the safety constraints of the FADEC software, the safety constraints are expressed as temporal logic formulas. First, by analyzing the FADEC software, the states or paths of the FADEC software that must (or must not) be satisfied under certain conditions, i.e. the safety constraints, are determined. The safety constraints are then converted into temporal logic formulas. Temporal logic is divided into LTL (Linear Temporal Logic) and CTL (Computation Tree Logic). LTL is used to describe system constraints that advance along a single path, with one unique successor state at each moment; CTL is used to describe system constraints that start from some state and may branch. State safety constraints of the FADEC software are expressed in CTL, and path safety constraints of the FADEC software in LTL.
When checking the logical model of the FADEC software against its safety constraints, the logical model of the FADEC software described in the SMV language and the safety constraints obtained for the FADEC software are saved to a file by text editing, the file is named FADEC.smv, and model checking is performed on FADEC.smv with NuSMV. For example, for the anti-icing function of the FADEC software to be normal, the dual-channel anti-icing function must be guaranteed normal, i.e. the anti-icing function of channel A is normal and the anti-icing function of channel B is normal; this is stated in the temporal logic CTL, i.e. a safety constraint is generated. The built model is checked against the safety constraint with NuSMV; if the check result is "True", it is concluded that channel A and channel B of the anti-icing function of the FADEC software can work normally and no logic hazard exists.
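The following SMV model is an added example, not the patent's own FADEC model: it puts the MODULE/VAR/ASSIGN/init/next/case structure and the dual-channel anti-icing constraint described above into a complete NuSMV input file. The module, variable and state names, and the simple fault-control logic, are assumptions made for illustration.

```smv
-- Added example, not the patent's model: a constructed NuSMV model of the
-- dual-channel anti-icing control logic. Module, variable and state names
-- are assumptions made for illustration.

-- One control channel: it starts normal, may fail at any step, and once
-- failed stays failed for the rest of the flight (no in-flight repair).
MODULE channel
  VAR
    mode : {normal, failed};
  ASSIGN
    init(mode) := normal;
    next(mode) :=
      case
        mode = normal : {normal, failed};   -- non-deterministic failure
        TRUE          : failed;             -- failed is absorbing
      esac;

-- Execution entry of the model: two channels plus the fault-control logic
-- that selects which channel drives the anti-icing function.
MODULE main
  VAR
    chan_a : channel;
    chan_b : channel;
    active : {a, b};   -- channel currently in control of the anti-icing function
  DEFINE
    -- the anti-icing function is normal when the controlling channel is normal
    anti_icing_ok := (active = a & chan_a.mode = normal)
                   | (active = b & chan_b.mode = normal);
  ASSIGN
    init(active) := a;
    -- fault control: hand over to the other channel when the active one has failed
    next(active) :=
      case
        active = a & chan_a.mode = failed : b;
        active = b & chan_b.mode = failed : a;
        TRUE                              : active;
      esac;

  -- State safety constraint (CTL), the constraint stated above: in every
  -- reachable state, if channel A and channel B are both normal, the
  -- anti-icing function is normal.
  CTLSPEC AG ((chan_a.mode = normal & chan_b.mode = normal) -> anti_icing_ok)

  -- Path safety constraint (LTL): along every path, whenever channel A has
  -- failed while channel B is still normal, channel B is in control at the
  -- next step.
  LTLSPEC G ((chan_a.mode = failed & chan_b.mode = normal) -> X (active = b))

  -- A stronger constraint this design cannot meet: the function is normal in
  -- every state. Both channels may fail, so this constraint is violated and
  -- NuSMV reports the violating path (the "False" case described above).
  CTLSPEC AG anti_icing_ok
```

Save the text as FADEC.smv and run `NuSMV FADEC.smv`; the first two constraints hold in this model, while the third is reported false together with a counterexample trace, which is the path information the text describes.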
The present embodiment performs logic hazard analysis on the FADEC software with NuSMV and analyzes the fault-chain hazards of the FADEC software with FHA, FTA, CMA and FMEA; combining the two analysis results makes the safety analysis more comprehensive and its results more accurate.
Another embodiment of the present invention provides a FADEC software security analysis device for implementing the method of the foregoing embodiments. The descriptions and definitions in the embodiments of the FADEC software security analysis method described above can therefore be used to understand the execution modules of this embodiment. Fig. 4 is a schematic diagram of the overall structure of the FADEC software security analysis device provided by the embodiment of the present invention; the device includes an analysis module 401, a construction module 402, an optimization module 403 and a judgment module 404, wherein:
the analysis module 401 is used to analyze the FADEC software based on the FHA method and obtain the top-level hazard event of the FADEC software and the top-level hazard event safety requirement;
The FHA method is a cause-to-effect analysis method: by analyzing the functions that the system may fail to realize, realize incorrectly or realize at the wrong time, it identifies hazard events from the resulting safety effects and assesses the risks that may arise when a function fails, degrades or is lost. According to the severity of the risk, a requirement on the probability of occurrence of the corresponding hazard event, i.e. a safety index, is proposed. The analysis module 401 analyzes the FADEC software with the FHA method and obtains the top-level hazard event of the FADEC software and its safety requirement. The top-level hazard event is the topmost hazard event, and its safety requirement is an abstract probability; the top-level hazard event is caused by several middle-layer hazard events, and a middle-layer hazard event is caused by several middle-layer hazard events and/or several bottom-layer hazard events.
the construction module 402 is used to obtain, based on the FTA method and according to the top-level hazard event and the top-level hazard event safety requirement, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and to construct the fault tree of the FADEC software according to the top-level hazard event, the top-level hazard event safety requirement, the middle-layer hazard events, the middle-layer hazard event safety requirements, the bottom-layer hazard events and the bottom-layer hazard event safety requirements;
The FTA method is a top-down analysis method that helps to identify potential causes of system failure and catastrophic risk factors so that the FADEC software can be improved. The construction module 402 decomposes the top-level hazard event with the FTA method until the bottom-layer hazard events are located, and establishes the relationships between the hazard events with logic symbols; thus the middle-layer hazard events of the FADEC software are determined from the top-level hazard event, the bottom-layer hazard events of the FADEC software are determined from the middle-layer hazard events, and at the same time the safety requirement of the top-level hazard event is decomposed downwards onto the middle-layer and bottom-layer hazard events, so as to construct the fault tree of the FADEC software.
the optimization module 403 is used to analyze the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, to analyze each bottom-layer hazard event based on the FMEA method;
The CMA method detects common-mode failures that affect the independence of multiple units and is used to check the independence between system functions or components. The objects of CMA analysis are mainly the potential common-mode failures, cascading failures and multiple failures that may violate the independence principle and eventually lead to a catastrophic failure state. The optimization module 403 uses the CMA method to analyze the AND-gate events in the fault tree obtained by the FTA method and judges whether each AND-gate event in the fault tree meets the preset independence requirement. If an AND-gate event in the fault tree does not meet the preset independence requirement, the common-mode hazard that fails the preset independence requirement is improved until all AND-gate events in the fault tree meet their corresponding preset independence requirements. If all AND-gate events in the fault tree meet the preset independence requirement, each bottom-layer hazard event is analyzed based on the FMEA method.
the judgment module 404 is used to judge, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement.
The judgment module 404 determines the probability of occurrence of each bottom-layer hazard event from the FMEA analysis result of that event, and judges from the probabilities of occurrence of the bottom-layer hazard events whether the FADEC software meets the preset safety requirement.
In the present embodiment, the top-level hazard event of the FADEC software is obtained by analyzing the FADEC software with the FHA method; the fault tree is constructed with the FTA method from the top-level hazard event obtained by FHA; the AND-gate events in the fault tree are analyzed with the CMA method; when all AND-gate events in the fault tree meet the preset independence requirement, each bottom-layer hazard event is analyzed with the FMEA method; and whether the FADEC software meets the safety requirement is known from the FMEA analysis result. By combining FHA, FTA, CMA and FMEA, the present embodiment achieves a comprehensive analysis of the fault-chain hazards of the FADEC software, making the safety analysis more comprehensive and its results more accurate.
On the basis of the above embodiment, in the present embodiment the analysis module is specifically used to: analyze the specification of the FADEC software based on the FHA method to obtain the top-level hazard event of the FADEC software; analyze the effect of the top-level hazard event based on the FHA method to obtain the effect class of the top-level hazard event; and analyze the effect class based on the FHA method to obtain the top-level hazard safety requirement of the FADEC software.
On the basis of the above embodiment, in the present embodiment the construction module is specifically used to: obtain, based on the FTA method and according to the outline design specification of the FADEC software, the middle-layer hazard events and bottom-layer hazard events leading to the top-level hazard event, and the middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements; and, based on the association relations between the top-level hazard event and each middle-layer hazard event, between the middle-layer hazard events, and between each middle-layer hazard event and each bottom-layer hazard event, decompose the top-level hazard event safety requirement downwards onto the middle-layer hazard events and the bottom-layer hazard events to construct the fault tree of the FADEC software.
On the basis of the above embodiment, in the present embodiment the preset independence requirement is that the AND-gate events occur independently of each other.
On the basis of the above embodiments, in the present embodiment the optimization module is specifically used to: obtain, according to the detailed design specification of the FADEC software, the detailed design document of each bottom-layer hazard event in the detailed design specification;
obtain the code segment of each bottom-layer hazard event according to its detailed design document; check the code segment of each bottom-layer hazard event to obtain the code defects of each bottom-layer hazard event; and determine the probability of occurrence of each bottom-layer hazard event according to its code defects.
On the basis of the above embodiments, in the present embodiment the judgment module is specifically used to: determine the probability of occurrence of each middle-layer hazard event according to the probabilities of occurrence of the bottom-layer hazard events; determine the probability of occurrence of the top-level hazard event according to the probabilities of occurrence of the middle-layer hazard events; and judge whether the probability of occurrence of the top-level hazard event meets the preset safety requirement.
On the basis of the above embodiments, the present embodiment further includes an additional module for performing safety analysis of the FADEC software based on NuSMV.
The present embodiment provides an electronic device. Fig. 5 is a schematic diagram of the overall structure of the electronic device provided by the embodiment of the present invention; the device includes at least one processor 501, at least one memory 502 and a bus 503, wherein:
the processor 501 and the memory 502 communicate with each other through the bus 503;
the memory 502 stores program instructions executable by the processor 501, and the processor calls the program instructions to execute the method provided by each of the method embodiments above, for example: analyzing the FADEC software based on the FHA method to obtain the top-level hazard event of the FADEC software and the top-level hazard event safety requirement; obtaining, based on the FTA method and according to the top-level hazard event and the top-level hazard event safety requirement, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard event, the top-level hazard event safety requirement, the middle-layer hazard events, the middle-layer hazard event safety requirements, the bottom-layer hazard events and the bottom-layer hazard event safety requirements; analyzing the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, analyzing each bottom-layer hazard event based on the FMEA method; and judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement.
The present embodiment provides a non-transitory computer-readable storage medium that stores computer instructions, and the computer instructions cause a computer to execute the method provided by each of the method embodiments above, for example: analyzing the FADEC software based on the FHA method to obtain the top-level hazard event of the FADEC software and the top-level hazard event safety requirement; obtaining, based on the FTA method and according to the top-level hazard event and the top-level hazard event safety requirement, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard event, the top-level hazard event safety requirement, the middle-layer hazard events, the middle-layer hazard event safety requirements, the bottom-layer hazard events and the bottom-layer hazard event safety requirements; analyzing the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, analyzing each bottom-layer hazard event based on the FMEA method; and judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by hardware controlled by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes ROM, RAM, magnetic disks, optical disks and other media that can store program code.
The device embodiments described above are merely exemplary. The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus the necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the prior art, can essentially be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and which includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A FADEC software security analysis method, characterized by comprising:
analyzing the FADEC software based on an FHA method to obtain the top-level hazard event of the FADEC software and the top-level hazard event safety requirement;
obtaining, based on an FTA method and according to the top-level hazard event and the top-level hazard event safety requirement, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard event, the top-level hazard event safety requirement, the middle-layer hazard events, the middle-layer hazard event safety requirements, the bottom-layer hazard events and the bottom-layer hazard event safety requirements;
analyzing the AND-gate events in the fault tree based on a CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, analyzing each bottom-layer hazard event based on an FMEA method;
judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets a preset safety requirement.
2. The method according to claim 1, characterized in that the step of analyzing the FADEC software based on the FHA method to obtain the top-level hazard event of the FADEC software and the top-level hazard event safety requirement specifically includes:
analyzing the specification of the FADEC software based on the FHA method to obtain the top-level hazard event of the FADEC software;
analyzing the effect of the top-level hazard event based on the FHA method to obtain the effect class of the top-level hazard event;
analyzing the effect class based on the FHA method to obtain the top-level hazard safety requirement of the FADEC software.
3. The method according to claim 1, characterized in that the step of obtaining, based on the FTA method and according to the top-level hazard event and the top-level hazard event safety requirement, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard event, the top-level hazard event safety requirement, the middle-layer hazard events, the middle-layer hazard event safety requirements, the bottom-layer hazard events and the bottom-layer hazard event safety requirements, specifically includes:
obtaining, based on the FTA method and according to the outline design specification of the FADEC software, the middle-layer hazard events and bottom-layer hazard events leading to the top-level hazard event, and the middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements;
decomposing the top-level hazard event safety requirement downwards onto the middle-layer hazard events and the bottom-layer hazard events, based on the association relations between the top-level hazard event and each middle-layer hazard event, between the middle-layer hazard events, and between each middle-layer hazard event and each bottom-layer hazard event, to construct the fault tree of the FADEC software.
4. The method according to claim 1, characterized in that the preset independence requirement is that the AND-gate events occur independently of each other.
5. The method according to claim 1, characterized in that the step of analyzing each bottom-layer hazard event based on the FMEA method specifically includes:
obtaining, according to the detailed design specification of the FADEC software, the detailed design document of each bottom-layer hazard event in the detailed design specification;
obtaining the code segment of each bottom-layer hazard event according to its detailed design document;
checking the code segment of each bottom-layer hazard event to obtain the code defects of each bottom-layer hazard event;
determining the probability of occurrence of each bottom-layer hazard event according to its code defects.
6. The method according to claim 5, characterized in that the step of judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement specifically includes:
determining the probability of occurrence of each middle-layer hazard event according to the probabilities of occurrence of the bottom-layer hazard events;
determining the probability of occurrence of the top-level hazard event according to the probabilities of occurrence of the middle-layer hazard events, and judging whether the probability of occurrence of the top-level hazard event meets the preset safety requirement.
7. The method according to any one of claims 1 to 6, characterized by further comprising:
performing safety analysis of the FADEC software based on NuSMV.
8. A FADEC software security analysis device, characterized by comprising:
an analysis module for analyzing the FADEC software based on an FHA method to obtain the top-level hazard event of the FADEC software and the top-level hazard event safety requirement;
a construction module for obtaining, based on an FTA method and according to the top-level hazard event and the top-level hazard event safety requirement, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard event, the top-level hazard event safety requirement, the middle-layer hazard events, the middle-layer hazard event safety requirements, the bottom-layer hazard events and the bottom-layer hazard event safety requirements;
an optimization module for analyzing the AND-gate events in the fault tree based on a CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, analyzing each bottom-layer hazard event based on an FMEA method;
a judgment module for judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets a preset safety requirement.
9. An electronic device, characterized by comprising:
at least one processor, at least one memory and a bus; wherein
the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the method according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to execute the method according to any one of claims 1 to 7.
CN201811204107.2A 2018-10-16 2018-10-16 FADEC software security analysis method and device Pending CN109522718A (en)

Publications (1)

Publication Number Publication Date
CN109522718A true CN109522718A (en) 2019-03-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190326
