CN109522718A - FADEC software security analysis method and device - Google Patents
Publication number: CN109522718A (application CN201811204107.2A)
Authority: CN (China)
Prior art keywords: hazard event, event, rise, hazard, security requirement
Legal status: Pending
Classifications:
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562—Static detection
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F11/00—Error detection; Error correction; Monitoring > G06F11/36—Preventing errors by testing or debugging software > G06F11/3604—Software analysis for verifying properties of programs > G06F11/3608—Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation
Abstract
An embodiment of the present invention provides a FADEC software security analysis method and device. The method comprises: analyzing the FADEC software with the FHA method to obtain the top-level hazard events of the FADEC software and their security requirements; using the FTA method, according to the top-level hazard events and their security requirements, to obtain the intermediate-level hazard events, the bottom-level hazard events, and the security requirements of the intermediate-level and bottom-level hazard events of the FADEC software, and constructing a fault tree; analyzing the AND-gate events in the fault tree with the CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, analyzing each bottom-level hazard event with the FMEA method; and judging, according to the analysis result of each bottom-level hazard event, whether the FADEC software meets a preset security requirement. The embodiment analyzes FADEC software security more comprehensively, and the result is more accurate.
Description
Technical field
The embodiments of the present invention belong to the technical field of airborne software security, and more particularly relate to a FADEC software security analysis method and device.
Background technique
FADEC (Full Authority Digital Engine Control) software is responsible for the control of engine start, operation and shutdown, for monitoring, and for instruction and data extraction; it also records and stores the parameters and fault information of every APU (Accelerated Processing Unit) start. Therefore, performing a safety analysis of the FADEC software before it is used is of great significance.
At present, the logical security of FADEC software is analyzed with the NuSMV checking tool, and the fault-chain security of FADEC software is analyzed with the FHA (Function Hazard Analysis), FTA (Fault Tree Analysis), CMA (Common Mode Analysis) or FMEA (Failure Mode and Effect Analysis) method. A fault chain is the path along which a bottom-level event successively propagates upward and leads to higher-level events.
The NuSMV checking tool performs logical security checking of the main system, but cannot detect system failures caused by single-point faults; the FHA method can only trace the potential top-level hazards of the system and cannot decompose, locate or verify hazards; the FTA method requires the top event to be given in advance; the CMA method cannot determine its own analysis object; the FMEA method can be used to decompose and locate system hazards and to investigate bottom-level failure modes of the system, but it cannot identify AND-gate events in the hazard decomposition, and when the decomposition and localization involve many levels the analysis process becomes complicated and traceability is poor. Therefore, using the NuSMV checking tool, the FHA method, the FTA method, the CMA method or the FMEA method alone cannot give an accurate and comprehensive security analysis of FADEC software.
Summary of the invention
To overcome, or at least partially solve, the problem that the above existing methods cannot perform an accurate and comprehensive security analysis of FADEC software, the embodiments of the present invention provide a FADEC software security analysis method and device.
According to a first aspect of the embodiments of the present invention, a FADEC software security analysis method is provided, comprising:
analyzing the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software and the top-level hazard event security requirements;
based on the FTA method and according to the top-level hazard events and the top-level hazard event security requirements, obtaining the intermediate-level hazard events, the bottom-level hazard events, the intermediate-level hazard event security requirements and the bottom-level hazard event security requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event security requirements, intermediate-level hazard events, intermediate-level hazard event security requirements, bottom-level hazard events and bottom-level hazard event security requirements;
analyzing the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, analyzing each bottom-level hazard event based on the FMEA method;
judging, according to the analysis result of each bottom-level hazard event, whether the FADEC software meets a preset security requirement.
According to a second aspect of the embodiments of the present invention, a FADEC software security analysis device is provided, comprising:
an analysis module, configured to analyze the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software and the top-level hazard event security requirements;
a construction module, configured to obtain, based on the FTA method and according to the top-level hazard events and the top-level hazard event security requirements, the intermediate-level hazard events, bottom-level hazard events, intermediate-level hazard event security requirements and bottom-level hazard event security requirements of the FADEC software, and to construct the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event security requirements, intermediate-level hazard events, intermediate-level hazard event security requirements, bottom-level hazard events and bottom-level hazard event security requirements;
an optimization module, configured to analyze the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, to analyze each bottom-level hazard event based on the FMEA method;
a judgment module, configured to judge, according to the analysis result of each bottom-level hazard event, whether the FADEC software meets the preset security requirement.
According to a third aspect of the embodiments of the present invention, an electronic device is also provided, comprising:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to carry out the FADEC software security analysis method provided by any possible implementation among the various possible implementations of the first aspect.
According to a fourth aspect of the embodiments of the present invention, a non-transitory computer-readable storage medium is also provided; the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to carry out the FADEC software security analysis method provided by any possible implementation among the various possible implementations of the first aspect.
The embodiments of the present invention provide a FADEC software security analysis method and device. The method analyzes the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software; based on the FTA method and according to the top-level hazard events obtained by the FHA method, it obtains the intermediate-level and bottom-level hazard events of the FADEC software and constructs the FADEC software fault tree; it analyzes the AND-gate events in the fault tree based on the CMA method and, when all AND-gate events in the fault tree meet the preset independence requirement, analyzes each bottom-level hazard event based on the FMEA method; and it determines from the FMEA analysis result whether the FADEC software meets the preset security requirement. By combining FHA, FTA, CMA and FMEA, the embodiment performs a comprehensive analysis of the fault-chain hazards of FADEC software, so the security analysis is more comprehensive and the result more accurate.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic overall flowchart of the FADEC software security analysis method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the fault tree in the FADEC software security analysis method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the updated fault tree in the FADEC software security analysis method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the overall structure of the FADEC software security analysis device provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the overall structure of the electronic device provided by an embodiment of the present invention.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
One embodiment of the present invention provides a FADEC software security analysis method, and Fig. 1 is a schematic overall flowchart of this method. The method comprises: S101, analyzing the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software and the top-level hazard event security requirements;
The FHA method is a cause-and-effect analysis method: by analyzing the functions that the system may fail to realize, realize incorrectly, or realize at the wrong time, it identifies hazard events from the resulting security impact and assesses the possible risk when a function fails, degrades or is lost. According to the severity of the risk, a requirement on the probability of occurrence of the corresponding hazard event, i.e. a security index, is proposed. According to SAE ARP 4761, risk severity is divided into four levels: catastrophic, serious, hazardous and general. A corresponding security requirement is allocated to each risk severity. Analyzing the FADEC software with the FHA method yields the top-level hazard events of the FADEC software and their security requirements. A top-level hazard event is a topmost hazard event, and its security requirement is an abstract probability. A top-level hazard event is caused by several intermediate-level hazard events, and an intermediate-level hazard event is caused by several intermediate-level hazard events and/or several bottom-level hazard events. For example, in the anti-icing function of the FADEC software, failure of the anti-icing control function is a top-level hazard event.
S102, based on the FTA method and according to the top-level hazard events and the top-level hazard event security requirements, obtaining the intermediate-level hazard events, bottom-level hazard events, intermediate-level hazard event security requirements and bottom-level hazard event security requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event security requirements, intermediate-level hazard events, intermediate-level hazard event security requirements, bottom-level hazard events and bottom-level hazard event security requirements;
The FTA method is a top-down analysis method that helps identify potential causes of system failure and catastrophic risk factors so that the FADEC software can be improved. The FTA method decomposes the top-level hazard events until the bottom-level hazard events are located, and establishes the relationships between hazard events with logic symbols; thus the intermediate-level hazard events of the FADEC software are determined from the top-level hazard events, and the bottom-level hazard events of the FADEC software are determined from the intermediate-level hazard events.
S103, analyzing the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, analyzing each bottom-level hazard event based on the FMEA method;
The CMA method detects common-mode failures that affect the independence of multiple units, and is used to check the independence between system functions or components. The analysis objects of CMA are mainly the potential common-mode failures, cascading failures and multiple failures that may violate the independence principle and ultimately lead to a catastrophic failure state. This embodiment uses CMA to analyze the independence of the AND-gate events in the fault tree, ensuring that the AND gates in the fault tree are independent. CMA can serve as an auxiliary analysis method for hazard decomposition and localization, used to confirm the independence obtained by the system hazard decomposition.
The AND-gate events in the fault tree obtained by the FTA method are analyzed with the CMA method to judge whether each AND-gate event in the fault tree meets the preset independence requirement. For example, since failure of the manual anti-icing function together with failure of the automatic anti-icing function leads to failure of the FADEC anti-icing function, the preset independence requirement for the AND-gate event of the manual and automatic anti-icing functions is that manual anti-icing function failure and automatic anti-icing function failure are mutually independent. If any AND-gate event in the fault tree does not meet the preset independence requirement, the common-mode hazard that fails the requirement is improved until all AND-gate events in the fault tree meet their corresponding preset independence requirements. If all AND-gate events in the fault tree meet the preset independence requirement, each bottom-level hazard event is analyzed based on the FMEA method.
The FMEA method is used to examine the failure modes of a system, function or component and to analyze the failure rate of each failure mode and the failure effect it produces; the analysis result includes the failing component or function, the failure mode, the failure rate and the failure effect. Analyzing each bottom-level hazard event with the FMEA method determines the hazard attributes of the bottom-level hazard event, which are the analysis result of the FMEA method.
S104, judging, according to the analysis result of each bottom-level hazard event, whether the FADEC software meets the preset security requirement.
The probability of occurrence of each bottom-level hazard event is determined from the FMEA analysis result of that event, and whether the FADEC software meets the preset security requirement is judged according to the probabilities of occurrence of the bottom-level hazard events.
In this embodiment, the FADEC software is analyzed based on the FHA method to obtain its top-level hazard events and their security requirements; based on the FTA method and the FHA results, the intermediate-level hazard events, bottom-level hazard events, intermediate-level hazard event security requirements and bottom-level hazard event security requirements of the FADEC software are obtained and the FADEC software fault tree is constructed; the AND-gate events in the fault tree are analyzed based on the CMA method and, when all AND-gate events in the fault tree meet the preset independence requirement, each bottom-level hazard event is analyzed based on the FMEA method; and whether the FADEC software meets the security requirement is determined from the FMEA analysis result. By combining FHA, FTA, CMA and FMEA, this embodiment performs a comprehensive analysis of the fault-chain hazards of FADEC software, so the security analysis is more comprehensive and the result more accurate.
On the basis of the above embodiment, in this embodiment the step of analyzing the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software and the top-level hazard event security requirements specifically comprises: analyzing the requirements specification of the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software; analyzing the effects of the top-level hazard events based on the FHA method to obtain the effect level of each top-level hazard event; and analyzing the effect levels based on the FHA method to obtain the top-level hazard security requirements of the FADEC software.
The requirements specification of the FADEC software is the initial agreement on the FADEC software that gives the user and the software developer a common understanding and forms the basis of development; it covers hardware, function, performance, input and output, interface requirements, data and database, and documentation requirements. This embodiment analyzes the requirements specification of the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software. The detailed process is: analyze the functions of the FADEC software and determine the potential function-failure states; analyze the effects of each function failure and determine those effects; perform a severity analysis of the function-failure effects and determine the severity of each function failure; specify the further analysis method for the function failure, such as the FTA method; and generate the FHA table, determining the function hazards and the preset security requirement of each function hazard. For example, the FHA table obtained with the FHA method for the anti-icing function of the FADEC software is shown in Table 1. The preset security requirements are: the probability of failure of the anti-icing control function per flight should be less than 5E-7; the probability per flight that the anti-icing control cannot be switched off should be less than 5E-3; and the probability per flight that the anti-icing control is switched on by mistake should be less than 5E-3. The mean duration of each aircraft mission is 5 hours.
Table 1: FHA table of the anti-icing function of the FADEC software
On the basis of the above embodiment, in this embodiment the step of obtaining, based on the FTA method and according to the top-level hazard events and the top-level hazard event security requirements, the intermediate-level hazard events, bottom-level hazard events, intermediate-level hazard event security requirements and bottom-level hazard event security requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event security requirements, intermediate-level hazard events, intermediate-level hazard event security requirements, bottom-level hazard events and bottom-level hazard event security requirements, specifically comprises: according to the preliminary design specification of the FADEC software, obtaining based on the FTA method the intermediate-level hazard events, bottom-level hazard events, intermediate-level hazard event security requirements and bottom-level hazard event security requirements that lead to the top-level hazard events; and, based on the associations between the top-level hazard event and each intermediate-level hazard event, between the intermediate-level hazard events, and between each intermediate-level hazard event and each bottom-level hazard event, decomposing the top-level hazard event security requirement downward to the intermediate-level hazard events and the bottom-level hazard events, and constructing the fault tree of the FADEC software.
The preliminary design specification of the FADEC software concerns the design of the FADEC software's program system, including the basic processing flow of the program system, its organizational structure, module division, function allocation, interface design, run-time design, security design and data-structure design, and provides the basis for the detailed design of the program. This embodiment analyzes the preliminary design specification of the FADEC software based on the FTA method to obtain the intermediate-level and bottom-level hazard events of the FADEC software together with the intermediate-level and bottom-level hazard event security requirements, and constructs the FADEC software fault tree. According to the pre-stored associations between the top-level hazard event and each intermediate-level hazard event, between the intermediate-level hazard events, and between each intermediate-level hazard event and each bottom-level hazard event, the security requirement of the top-level hazard event is decomposed downward to the intermediate-level and bottom-level hazard events, and the FADEC software fault tree is constructed. Specifically, the top-level hazard and the top-level hazard security requirement obtained by the FHA method are taken as the analysis object: the top-level hazard event is decomposed to obtain the intermediate-level hazard events that cause it and their security requirements; each intermediate-level hazard event is decomposed to obtain the intermediate-level and/or bottom-level hazard events that cause it; and the intermediate-level hazard event security requirements are decomposed to obtain the intermediate-level and/or bottom-level hazard event security requirements, thereby constructing the FADEC software fault tree. The anti-icing function fault tree of the FADEC software is shown in Fig. 2. The number below each box is the security requirement of the hazard event in that box, a preset requirement per flight; for example, the number 5.00E-7 below "anti-icing control function failure" means that the probability of anti-icing control function failure per flight should be less than 5.00E-7. The hazard events in round frames are bottom-level hazard events. The top-level hazard event "the probability of anti-icing control function failure should be less than 5E-7 per flight" is taken as the analysis object and decomposed to obtain the intermediate-level and bottom-level hazard events, and the top-level hazard event security requirement is allocated downward to the intermediate-level and bottom-level hazard events. The bottom-level hazard events and their security requirements are then summarized; for example, the probability of an anti-icing control logic anomaly is 0, the probability of a solenoid-valve fault control logic anomaly is 0, and the probability of a solenoid-valve coordinated control logic anomaly is 0.
On the basis of the above embodiment, in this embodiment the preset independence requirement is that the occurrences of the inputs of an AND-gate event are mutually independent.
When the fault tree constructed by the FTA method is analyzed for the independence of its AND-gate events using the CMA method, the hazard events in the AND-gate events of the fault tree are first identified. For example, the hazard events in the AND-gate events of the anti-icing function fault tree of the FADEC software include manual anti-icing function failure and automatic anti-icing function failure, channel A output failure and channel B output failure, and coordinated-control anomaly and automatic-control anomaly. The preset independence requirement is determined according to the functional effect on the FADEC software when the hazard events in an AND-gate event occur in common mode. For example, manual anti-icing function failure together with automatic anti-icing function failure leads to failure of the FADEC anti-icing function, so the preset independence requirement is that manual anti-icing function failure and automatic anti-icing function failure are mutually independent; channel A output failure together with channel B output failure leads to failure of the FADEC anti-icing function, so the preset independence requirement is that channel A output failure and channel B output failure are mutually independent; coordinated-control anomaly together with fault-control anomaly leads to failure of the FADEC anti-icing function, so the preset independence requirement is that coordinated-control failure and fault-control failure are mutually independent. The hazard events in the AND-gate events are analyzed, and if the hazard events in an AND-gate event do not meet the preset independence requirement, the FADEC software is improved according to Table 2 so that the hazard events in the AND-gate event meet the preset independence requirement.
On the basis of the above embodiment, in this embodiment the step of analyzing each bottom-level hazard event based on the FMEA method specifically comprises: according to the detailed design specification of the FADEC software, obtaining the detailed design document of each bottom-level hazard event in the detailed design specification; according to the detailed design document of each bottom-level hazard event, obtaining the code segment of each bottom-level hazard event; inspecting the code segment of each bottom-level hazard event to obtain the code defects of each bottom-level hazard event; and determining the probability of occurrence of each bottom-level hazard event according to its code defects.
The detailed design specification of the FADEC software concerns the design of each module at each level of the FADEC software system and is the concrete implementation design of the FADEC preliminary design. This embodiment analyzes the detailed design specification of the FADEC software based on the FMEA method, obtains the intermediate-level and bottom-level hazard events of the FADEC software together with the intermediate-level and bottom-level hazard event security requirements, and constructs the FADEC software fault tree.
Table 2: anti-icing menu of the FADEC software
In the FMEA method, the bottom-level hazard events of the FADEC software are taken as the analysis object. According to the detailed design specification of the FADEC software, the detailed design document of each FADEC bottom-level hazard event is obtained, and from it the code segment of each bottom-level hazard event. The code segment of each bottom-level hazard event is analyzed line by line to obtain its code defects. If a bottom-level hazard event has a code defect, its probability of occurrence is set to 1. For example, in Fig. 2 the bottom-level hazard events of the anti-icing function of the FADEC software are: anti-icing control logic anomaly, coordinated-control anomaly, fault-control anomaly, FADEC data transmission error, FADEC data calculation strategy error, engine data transmission error, engine data calculation strategy error, flight-control data transmission error and flight-control data calculation strategy error; the code defects present in the code segment of each of these bottom-level hazard events are obtained. If a bottom-level hazard event has a code defect, it is assigned a code failure mode and its probability of occurrence is set to 1. The resulting FMEA table is shown in Table 3. The probability of occurrence of each hazard event in the fault tree, i.e. the actual probability of occurrence of each intermediate-level hazard event and of the top-level hazard, is determined from the probabilities of occurrence of the bottom-level hazard events, and whether the FADEC software meets the security requirement is judged from the actual probabilities of occurrence of the hazards.
Table 3: FMEA table of the anti-icing function of the FADEC software
On the basis of the above embodiment, in this embodiment the step of judging, according to the analysis result of each bottom-level hazard event, whether the FADEC software meets the preset security requirement specifically comprises: determining the probability of occurrence of each intermediate-level hazard event according to the probabilities of occurrence of the bottom-level hazard events; determining the probability of occurrence of the top-level hazard event according to the probabilities of occurrence of the intermediate-level hazard events; and judging whether the probability of occurrence of the top-level hazard event meets the preset security requirement.
Specifically, the probability of occurrence of each intermediate-level hazard event is determined from the probabilities of occurrence of the bottom-level hazard events, and the probability of occurrence of the top-level hazard event is determined from the probabilities of occurrence of the intermediate-level hazard events; the fault tree updated with the actual probability of occurrence of each hazard event is shown in Fig. 3. As shown in Fig. 3, the actual probability of loss of the anti-icing function per flight is 8.16E-7, which does not meet the preset security requirement on that probability given in Fig. 2.
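To make the CMA, FMEA and judgment steps above concrete, here is an added Python example (not code from the patent) that evaluates a constructed anti-icing fault tree using the event names from the text: it flags AND gates whose inputs share a common-mode cause, sets the probability of any bottom-level event whose code segment has a defect to 1, propagates probabilities up the gates and compares the top event against the 5E-7 per-flight requirement. The tree shape, gate types, common-mode tags and allocated budgets are assumptions; only the event names and the 5E-7 requirement come from the text, and treating a defect-free bottom event as sitting exactly at its allocated budget is our assumption, not the patent's.

```python
"""Fault-tree evaluation in the style of steps S103/S104 (added example)."""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional, Set, Tuple

# From the FHA table in the text: anti-icing control function failure < 5E-7 per flight.
PER_FLIGHT_REQUIREMENT = 5e-7


@dataclass
class Event:
    """A node of the fault tree. Bottom-level events have gate=None."""
    name: str
    gate: Optional[str] = None              # "AND", "OR" or None (bottom-level event)
    children: List["Event"] = field(default_factory=list)
    requirement: Optional[float] = None     # allocated probability budget per flight
    common_mode: Optional[str] = None       # shared-cause tag used by the CMA check (assumed)


def common_modes(event: Event) -> Set[str]:
    """All common-mode tags found anywhere in an event's subtree."""
    tags = {event.common_mode} if event.common_mode else set()
    for child in event.children:
        tags |= common_modes(child)
    return tags


def cma_violations(event: Event) -> List[Tuple[str, str]]:
    """CMA step: an AND gate only models independent inputs. Report (gate, tag)
    for every AND gate whose inputs share a common-mode tag."""
    found: List[Tuple[str, str]] = []
    if event.gate == "AND":
        seen: Dict[str, int] = {}
        for child in event.children:
            for tag in common_modes(child):
                seen[tag] = seen.get(tag, 0) + 1
        found += [(event.name, tag) for tag, n in seen.items() if n > 1]
    for child in event.children:
        found += cma_violations(child)
    return found


def fmea_probability(event: Event, defects: Set[str]) -> float:
    """FMEA step for a bottom-level event: a code defect in its code segment makes
    the failure certain (probability 1, as in the text). With no defect the event
    is assumed (our assumption) to sit at its allocated budget."""
    return 1.0 if event.name in defects else event.requirement


def probability(event: Event, defects: Set[str]) -> float:
    """Propagate probabilities bottom-up: AND multiplies, OR combines as 1 - prod(1 - p)."""
    if event.gate is None:
        return fmea_probability(event, defects)
    ps = [probability(c, defects) for c in event.children]
    if event.gate == "AND":
        return prod(ps)                       # valid only for independent inputs (CMA)
    if event.gate == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {event.gate!r}")


def analyse(tree: Event, defects: Set[str]) -> dict:
    """CMA first; only if every AND gate is independent run the FMEA-based
    propagation and compare the top event with its preset requirement."""
    violations = cma_violations(tree)
    if violations:
        return {"cma_violations": violations, "meets_requirement": False}
    p_top = probability(tree, defects)
    return {"cma_violations": [], "top_probability": p_top,
            "meets_requirement": p_top < tree.requirement}


def anti_icing_tree(channel_b_tag: Optional[str] = None) -> Event:
    """Constructed tree using event names from the text; shape, gates, tags and
    budgets are illustrative assumptions, not the patent's Fig. 2."""
    return Event("anti-icing control function failure", "OR",
                 requirement=PER_FLIGHT_REQUIREMENT, children=[
        Event("manual and automatic anti-icing both fail", "AND", requirement=2.5e-7, children=[
            Event("manual anti-icing control logic abnormal", requirement=5e-4),
            Event("automatic anti-icing control logic abnormal", requirement=5e-4),
        ]),
        Event("anti-icing command not output", "AND", requirement=1e-8, children=[
            Event("channel A output failure", requirement=1e-4, common_mode="shared_power_supply"),
            Event("channel B output failure", requirement=1e-4, common_mode=channel_b_tag),
        ]),
        Event("input data error", "OR", requirement=2e-7, children=[
            Event("FADEC data transmission error", requirement=1e-7),
            Event("engine data transmission error", requirement=1e-7),
        ]),
    ])


if __name__ == "__main__":
    # 1. Both output channels hang off one (constructed) shared supply: CMA stops the analysis.
    print(analyse(anti_icing_tree(channel_b_tag="shared_power_supply"), set()))
    # 2. Independent channels, no code defects: top event stays within 5E-7 per flight.
    print(analyse(anti_icing_tree(), set()))
    # 3. A defect found in the manual anti-icing logic drives the top event to about 5E-4.
    print(analyse(anti_icing_tree(), {"manual anti-icing control logic abnormal"}))
```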
On the basis of the above embodiments, this embodiment further comprises: performing a security analysis of the FADEC software based on NuSMV.
NuSMV is an open-architecture verification tool that can automatically verify the logical security of a system design. NuSMV is used to analyze the security problems caused by logic hazards in the FADEC software. The analysis proceeds in three steps: build the logical model of the FADEC software in the SMV language; express the security constraints on the FADEC software in temporal logic; and check whether the built model satisfies the security constraints. If the check result is "True", the FADEC software satisfies the security constraint and has no logic hazard; if the result is "False", the FADEC software does not satisfy the security constraint and has a logic hazard, and a path that violates the security constraint is also produced.
When building the model, the state machine of the FADEC software is defined with the MODULE keyword. The state machine of the FADEC software consists of a main module and submodules. The main module is the execution entry of the NuSMV model: an executable NuSMV model must contain a main module, which is the top level of the system model and normally contains the state machines of the subsystems. Submodule names are defined according to the specific situation of the FADEC software. The state variables of the FADEC software are defined with the VAR keyword. After each module of the FADEC software has been defined, the state set of each module is defined, and once the state sets have been defined, the transition relation is defined over them. The initial state and the transition relation are declared with the ASSIGN keyword: the initial state with the init keyword and the next state with the next keyword. If the next state differs under different conditions, it can be defined with the case keyword, and the esac keyword terminates the definition of the transition relation.
When determining the safety constraints of the FADEC software, the safety constraints are expressed as temporal logic formulas. First, by analyzing the FADEC software, the states or paths that the FADEC software must satisfy, or must never satisfy, under certain conditions are determined; these are the safety constraints. The safety constraints are then converted into temporal logic formulas. Temporal logic is divided into LTL (Linear Temporal Logic) and CTL (Computational Tree Logic). LTL describes system constraints that advance along a single path, where each moment has exactly one successor state; CTL describes system constraints that start from some state and may have different branches. State safety constraints of the FADEC software are expressed in CTL, and path safety constraints of the FADEC software are expressed in LTL.
When the safety constraints of the FADEC software are checked against its logical model, the SMV-language logical model of the FADEC software and the safety constraints obtained for it are stored in a file with a text editor, the file is renamed FADEC.smv, and model checking is performed on FADEC.smv with NuSMV. For example, for the anti-icing function of the FADEC software to be normal, the dual-channel anti-icing function must be normal, i.e. the channel A anti-icing function is normal and the channel B anti-icing function is normal; this is stated in the temporal logic CTL, producing the safety constraint. The built model is checked against the safety constraint with NuSMV; if the check result is "True", it is concluded that channel A and channel B of the anti-icing function of the FADEC software can operate normally and that no logic hazard exists.
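The check described above, as an added illustration that is not the patent's SMV model and uses no NuSMV file: a constructed dual-channel anti-icing state machine is explored explicitly in Python, the CTL invariant "anti-icing reported normal only while both channels are ok" is checked over every reachable state, and a shortest violating path is returned, playing the role of the path NuSMV reports on a "False" result. The channel names, the latched-status defect and the initial state are all constructed for the example; `transitions` stands in for the ASSIGN `next` rules and `INIT` for `init`.

```python
from collections import deque

# Constructed model, not the patent's: two anti-icing channels A and B, each "ok" or
# "fault"; a faulted channel stays faulted (no in-flight repair). The software publishes
# anti_icing_normal. Safety constraint, in NuSMV terms the CTL formula
#   AG (anti_icing_normal -> (chan_a = ok & chan_b = ok))
# i.e. the function is never reported normal while a channel is faulted.

ORDER = {"ok": 0, "fault": 1}  # deterministic exploration order

def channel_next(status):
    """A channel may fail at any step; once faulted it remains faulted."""
    return ("ok", "fault") if status == "ok" else ("fault",)

def correct_status(prev_a, prev_b, next_a, next_b, prev_normal):
    """Status recomputed from the channel health of the same cycle."""
    return next_a == "ok" and next_b == "ok"

def latched_status(prev_a, prev_b, next_a, next_b, prev_normal):
    """Constructed defect: status derived from the previous cycle's health,
    so a new fault is reported one cycle late (a logic hazard)."""
    return prev_a == "ok" and prev_b == "ok"

def transitions(state, status_logic):
    """Successor states of (chan_a, chan_b, anti_icing_normal); the analogue of
    the ASSIGN next(...) rules of an SMV module."""
    chan_a, chan_b, normal = state
    succ = {(na, nb, status_logic(chan_a, chan_b, na, nb, normal))
            for na in channel_next(chan_a) for nb in channel_next(chan_b)}
    return sorted(succ, key=lambda s: (ORDER[s[0]], ORDER[s[1]], s[2]))

def constraint(state):
    """The state predicate under AG: normal implies both channels ok."""
    chan_a, chan_b, normal = state
    return (not normal) or (chan_a == "ok" and chan_b == "ok")

INIT = ("ok", "ok", True)  # analogue of ASSIGN init(...): both healthy, status normal

def check_invariant(status_logic, init=INIT):
    """Breadth-first reachability check of the AG constraint.
    Returns (True, None) if every reachable state satisfies it, otherwise
    (False, path) with a shortest counterexample from the initial state."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not constraint(state):
            path = []
            while state is not None:
                path.append(state)
                state = parent[state]
            return False, path[::-1]
        for nxt in transitions(state, status_logic):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return True, None

def reachable_state_count(status_logic, init=INIT):
    """Size of the reachable state space, for comparing the two status logics."""
    seen = {init}
    queue = deque([init])
    while queue:
        for nxt in transitions(queue.popleft(), status_logic):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen)

if __name__ == "__main__":
    for name, logic in (("correct", correct_status), ("latched", latched_status)):
        ok, path = check_invariant(logic)
        print(name, "True" if ok else "False", "" if ok else path)
```

With the correct status logic the check returns True over four reachable states; with the latched logic it returns False and the path from the initial state to a state where channel B is faulted but the function is still reported normal, which is exactly the kind of one-cycle logic hazard a fault-chain analysis with FHA/FTA/FMEA would not surface.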
The present embodiment performs logic hazard analysis on the FADEC software with NuSMV, analyzes the fault-chain hazards of the FADEC software with FHA, FTA, CMA and FMEA, and combines the two kinds of analysis results, so that the safety analysis is more comprehensive and its results more accurate.
Another embodiment of the present invention provides a FADEC software safety analysis apparatus for implementing the methods of the foregoing embodiments; the descriptions and definitions given in the foregoing embodiments of the FADEC software safety analysis method therefore apply to the understanding of each execution module in this embodiment of the present invention. Fig. 4 is an overall structural diagram of the FADEC software safety analysis apparatus provided in an embodiment of the present invention. The apparatus includes an analysis module 401, a construction module 402, an optimization module 403 and a judgment module 404, wherein:
The analysis module 401 is configured to analyze the FADEC software based on the FHA method and obtain the top-level hazard events of the FADEC software and the top-level hazard event safety requirements;
The FHA method is a cause-and-effect analysis method: it identifies hazard events by analyzing the safety impact of functions the system may fail to perform, perform incorrectly, or perform at the wrong time, and assesses the risks that functional failure, degradation and loss may cause. According to the severity of the risk, a requirement on the occurrence probability of the corresponding hazard event, i.e. a safety index, is proposed. The analysis module 401 analyzes the FADEC software with the FHA method and obtains the top-level hazard events of the FADEC software and their safety requirements. A top-level hazard event is the topmost hazard event, and its safety requirement is an abstract probability; a top-level hazard event is caused by several middle-layer hazard events, and a middle-layer hazard event is caused by several middle-layer hazard events and/or several bottom-layer hazard events.
The construction module 402 is configured to obtain, based on the FTA method and according to the top-level hazard events and the top-level hazard event safety requirements, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and to construct the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event safety requirements, middle-layer hazard events, middle-layer hazard event safety requirements, bottom-layer hazard events and bottom-layer hazard event safety requirements;
The FTA method is a top-down analysis method that helps identify potential causes of system failure and catastrophic risk factors so that the FADEC software can be improved. The construction module 402 decomposes each top-level hazard event with the FTA method until the bottom-layer hazard events are located, and establishes the relationships between the hazard events with logic symbols; it thus determines the middle-layer hazard events of the FADEC software from the top-level hazard events and the bottom-layer hazard events from the middle-layer hazard events, while decomposing the safety requirement of the top-level hazard event downward onto the middle-layer and bottom-layer hazard events, thereby constructing the FADEC software fault tree.
The optimization module 403 is configured to analyze the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, to analyze each bottom-layer hazard event based on the FMEA method;
The CMA method detects common-mode failures that affect the independence of multiple units and is used to check the independence between system functions or components. The analysis objects of CMA are mainly the potential common-mode failures, cascading failures and multiple failures that may breach the independence principle and eventually lead to a catastrophic failure state. The optimization module 403 analyzes the AND-gate events of the fault tree obtained by the FTA method with the CMA method and judges whether each AND-gate event in the fault tree meets the preset independence requirement. If an AND-gate event does not meet the preset independence requirement, the common-mode hazard that violates it is corrected until all AND-gate events in the fault tree meet their corresponding preset independence requirements. If all AND-gate events in the fault tree meet the preset independence requirement, each bottom-layer hazard event is analyzed based on the FMEA method.
The judgment module 404 is configured to judge, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement.
The judgment module 404 determines the occurrence probability of each bottom-layer hazard event from the FMEA analysis result of that event, and judges from the occurrence probabilities of the bottom-layer hazard events whether the FADEC software meets the preset safety requirement.
The present embodiment obtains the top-level hazard events of the FADEC software by analyzing the FADEC software based on the FHA method, constructs the fault tree from those top-level hazard events based on the FTA method, analyzes the AND-gate events in the fault tree based on the CMA method, analyzes each bottom-layer hazard event based on the FMEA method once all AND-gate events in the fault tree meet the preset independence requirement, and learns from the FMEA analysis results whether the FADEC software meets the safety requirement. By combining FHA, FTA, CMA and FMEA, the present embodiment achieves a comprehensive analysis of the fault-chain hazards of the FADEC software, so that the safety analysis is more comprehensive and its results more accurate.
On the basis of the above embodiments, in the present embodiment the analysis module is specifically configured to: analyze the requirements specification of the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software; analyze the impact of the top-level hazard events based on the FHA method to obtain the impact level of each top-level hazard event; and analyze the impact level based on the FHA method to obtain the top-level hazard safety requirements of the FADEC software.
On the basis of the above embodiments, in the present embodiment the construction module is specifically configured to: obtain, according to the preliminary design specification of the FADEC software and based on the FTA method, the middle-layer hazard events and bottom-layer hazard events that lead to the top-level hazard events, together with the middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements; and, based on the association relationships between the top-level hazard events and the middle-layer hazard events, between the middle-layer hazard events themselves, and between the middle-layer hazard events and the bottom-layer hazard events, decompose the top-level hazard event safety requirements downward onto the middle-layer hazard events and the bottom-layer hazard events, thereby constructing the fault tree of the FADEC software.
On the basis of the above embodiments, in the present embodiment the preset independence requirement is that the events joined by an AND gate occur independently of one another.
On the basis of the foregoing embodiments, in the present embodiment the optimization module is specifically configured to: obtain, according to the detailed design specification of the FADEC software, the detailed design document of each bottom-layer hazard event in that specification; obtain, according to the detailed design document of each bottom-layer hazard event, the code segment of that bottom-layer hazard event; review the code segment of each bottom-layer hazard event to obtain the code defects of that bottom-layer hazard event; and determine the occurrence probability of each bottom-layer hazard event according to its code defects.
On the basis of the foregoing embodiments, in the present embodiment the judgment module is specifically configured to: determine the occurrence probability of each middle-layer hazard event according to the occurrence probability of each bottom-layer hazard event; determine the occurrence probability of the top-level hazard event according to the occurrence probability of each middle-layer hazard event; and judge whether the occurrence probability of the top-level hazard event meets the preset safety requirement.
On the basis of the foregoing embodiments, the present embodiment further includes an additional module configured to perform safety analysis on the FADEC software based on NuSMV.
The present embodiment provides an electronic device. Fig. 5 is an overall structural diagram of the electronic device provided in an embodiment of the present invention. The device includes: at least one processor 501, at least one memory 502 and a bus 503; wherein the processor 501 and the memory 502 communicate with each other through the bus 503;
the memory 502 stores program instructions executable by the processor 501, and the processor, by calling the program instructions, is able to execute the methods provided by the above method embodiments, for example: analyzing the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software and the top-level hazard event safety requirements; obtaining, based on the FTA method and according to the top-level hazard events and the top-level hazard event safety requirements, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event safety requirements, middle-layer hazard events, middle-layer hazard event safety requirements, bottom-layer hazard events and bottom-layer hazard event safety requirements; analyzing the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, analyzing each bottom-layer hazard event based on the FMEA method; and judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement.
The present embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to execute the methods provided by the above method embodiments, for example: analyzing the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software and the top-level hazard event safety requirements; obtaining, based on the FTA method and according to the top-level hazard events and the top-level hazard event safety requirements, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event safety requirements, middle-layer hazard events, middle-layer hazard event safety requirements, bottom-layer hazard events and bottom-layer hazard event safety requirements; analyzing the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet the preset independence requirement, analyzing each bottom-layer hazard event based on the FMEA method; and judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware under the direction of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical disks.
The apparatus embodiments described above are merely exemplary: the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software together with a necessary general hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or in other words the part of it that contributes to the prior art, can be embodied in the form of a software product; the computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A FADEC software safety analysis method, characterized in that it comprises:
analyzing FADEC software based on the FHA method to obtain top-level hazard events of the FADEC software and top-level hazard event safety requirements;
obtaining, based on the FTA method and according to the top-level hazard events and the top-level hazard event safety requirements, middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing a fault tree of the FADEC software according to the top-level hazard events, top-level hazard event safety requirements, middle-layer hazard events, middle-layer hazard event safety requirements, bottom-layer hazard events and bottom-layer hazard event safety requirements;
analyzing the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, analyzing each bottom-layer hazard event based on the FMEA method;
judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets a preset safety requirement.
2. The method according to claim 1, characterized in that the step of analyzing the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software and the top-level hazard event safety requirements specifically comprises:
analyzing the requirements specification of the FADEC software based on the FHA method to obtain the top-level hazard events of the FADEC software;
analyzing the impact of the top-level hazard events based on the FHA method to obtain the impact level of the top-level hazard events;
analyzing the impact level based on the FHA method to obtain the top-level hazard safety requirements of the FADEC software.
3. The method according to claim 1, characterized in that the step of obtaining, based on the FTA method and according to the top-level hazard events and the top-level hazard event safety requirements, the middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and constructing the fault tree of the FADEC software according to the top-level hazard events, top-level hazard event safety requirements, middle-layer hazard events, middle-layer hazard event safety requirements, bottom-layer hazard events and bottom-layer hazard event safety requirements specifically comprises:
obtaining, according to the preliminary design specification of the FADEC software and based on the FTA method, the middle-layer hazard events and bottom-layer hazard events that lead to the top-level hazard events, the middle-layer hazard event safety requirements and the bottom-layer hazard event safety requirements;
based on the association relationships between the top-level hazard events and the middle-layer hazard events, between the middle-layer hazard events themselves, and between the middle-layer hazard events and the bottom-layer hazard events, decomposing the top-level hazard event safety requirements downward onto the middle-layer hazard events and the bottom-layer hazard events, thereby constructing the fault tree of the FADEC software.
4. The method according to claim 1, characterized in that the preset independence requirement is that the events joined by an AND gate occur independently of one another.
5. The method according to claim 1, characterized in that the step of analyzing each bottom-layer hazard event based on the FMEA method specifically comprises:
obtaining, according to the detailed design specification of the FADEC software, the detailed design document of each bottom-layer hazard event in the detailed design specification;
obtaining, according to the detailed design document of each bottom-layer hazard event, the code segment of that bottom-layer hazard event;
reviewing the code segment of each bottom-layer hazard event to obtain the code defects of that bottom-layer hazard event;
determining the occurrence probability of each bottom-layer hazard event according to its code defects.
6. The method according to claim 5, characterized in that the step of judging, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets the preset safety requirement specifically comprises:
determining the occurrence probability of each middle-layer hazard event according to the occurrence probability of each bottom-layer hazard event;
determining the occurrence probability of the top-level hazard event according to the occurrence probability of each middle-layer hazard event, and judging whether the occurrence probability of the top-level hazard event meets the preset safety requirement.
7. The method according to any one of claims 1 to 6, characterized in that it further comprises:
performing safety analysis on the FADEC software based on NuSMV.
8. A FADEC software safety analysis apparatus, characterized in that it comprises:
an analysis module, configured to analyze FADEC software based on the FHA method to obtain top-level hazard events of the FADEC software and top-level hazard event safety requirements;
a construction module, configured to obtain, based on the FTA method and according to the top-level hazard events and the top-level hazard event safety requirements, middle-layer hazard events, bottom-layer hazard events, middle-layer hazard event safety requirements and bottom-layer hazard event safety requirements of the FADEC software, and to construct a fault tree of the FADEC software according to the top-level hazard events, top-level hazard event safety requirements, middle-layer hazard events, middle-layer hazard event safety requirements, bottom-layer hazard events and bottom-layer hazard event safety requirements;
an optimization module, configured to analyze the AND-gate events in the fault tree based on the CMA method and, if all AND-gate events in the fault tree meet a preset independence requirement, to analyze each bottom-layer hazard event based on the FMEA method;
a judgment module, configured to judge, according to the analysis result of each bottom-layer hazard event, whether the FADEC software meets a preset safety requirement.
9. An electronic device, characterized in that it comprises:
at least one processor, at least one memory and a bus; wherein
the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to execute the method according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to execute the method according to any one of claims 1 to 7.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811204107.2A (CN109522718A) | 2018-10-16 | 2018-10-16 | FADEC software security analysis method and device |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN109522718A | 2019-03-26 |
Family ID: 65770556

Family Applications (1)

| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN201811204107.2A (CN109522718A) | Pending | 2018-10-16 | 2018-10-16 | FADEC software security analysis method and device |
Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN109522718A |
Cited By (6)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110084500A | 2019-04-19 | 2019-08-02 | 深圳市德塔防爆电动汽车有限公司 | Motor vehicle security control method and electric vehicle based on safety tree probability and security-critical degree |
| CN110084919A | 2019-04-19 | 2019-08-02 | 深圳市德塔防爆电动汽车有限公司 | A kind of safe tree constructing method and electric vehicle of electric vehicle |
| CN110110401A | 2019-04-19 | 2019-08-09 | 深圳市德塔防爆电动汽车有限公司 | A kind of Motor vehicle security design optimization method based on security tree model |
| CN110084500B | 2019-04-19 | 2020-03-31 | 深圳市德塔防爆电动汽车有限公司 | Electric vehicle safety control method based on safety tree probability and safety importance degree and electric vehicle |
| CN110223416A | 2019-05-27 | 2019-09-10 | 深圳市德塔防爆电动汽车有限公司 | A kind of the primary data analysis method and electric vehicle of electric vehicle |
| CN110223416B | 2019-05-27 | 2021-05-14 | 深圳市德塔防爆电动汽车有限公司 | Raw data analysis method of electric vehicle and electric vehicle |
Patent Citations (3)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103559422A | 2013-11-25 | 2014-02-05 | 中国航空综合技术研究所 | Safety probability risk assessment method for multi-failure-mode correlation system |
| CN105574332A | 2015-12-12 | 2016-05-11 | 中国航空工业集团公司西安飞机设计研究所 | Importance analysis method of device in system and importance analysis system |
| CN107703914A | 2017-09-30 | 2018-02-16 | 中国民用航空飞行学院 | A kind of aero-engine FADEC security of system appraisal procedures |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20190326 |