CN109918235A - Verification method for a safety-critical system software upgrade - Google Patents


Info

Publication number: CN109918235A
Authority: CN (China)
Prior art keywords: computing unit; behavior; newly; existing; software
Legal status: Granted
Application number: CN201910404071.0A
Other languages: Chinese (zh)
Other versions: CN109918235B (en)
Inventor: 黄雷
Current assignee: Shanghai Electric Traffic Automation System Co Ltd; Thales SAIC Transport System Ltd
Original assignee: Shanghai Electric Traffic Automation System Co Ltd

Abstract

The invention discloses a verification method for a software upgrade of a safety-critical system, comprising: adding at least one new computing unit at the hardware level; loading the existing software on the existing computing units of the redundancy unit and loading the software to be upgraded on the new computing unit; having every existing computing unit and the new computing unit compute on identical input; determining the actual output from the operation results of the existing computing units; comparing the operation result of the new computing unit with the operation results of the existing computing units, or with the existing voting result generated from those operation results, and recording a comparison log; identifying offline the expected behaviour changes of the existing software; and judging, from the expected behaviour changes and the comparison log, whether the behaviour of the new computing unit meets expectations. This resolves the conflict between the limited field-commissioning time of an operational system and the field-commissioning time that a system software upgrade demands.

Description

Verification method for a safety-critical system software upgrade
Technical field
The present invention relates to the software field, and in particular to a verification method for software upgrades of safety-critical systems in rail transit.
Background technique
For safety-related, safety-critical systems, the requirement on system failures, and especially on safety-related failures, is zero tolerance. The most important mission of a safety-critical system is to eliminate system failures. System failures have two sources: random failures caused by random hardware faults, and systematic failures caused by errors in system design or system implementation.
For systematic failures, the mainstream approach today is control through systems engineering methods and mathematical models. Systematic failures are hard to eradicate for two main reasons:
1) The system model differs from the real world. Building a model is a simplification of the real world from a particular point of view.
2) While the system model is implemented as a final product, engineers introduce human error into the final product through their understanding, communication and realisation of it.
Point 2 can be controlled well by systems engineering together with techniques such as automatic code generation and mathematical verification, but point 1 has to be assured by testing against a large amount of real system behaviour. A system that is not yet in service can obtain the time needed to investigate failures through extensive field commissioning, but for a system already in service, field-commissioning time is a limited and very valuable resource. For example, a metro system is a city's lifeline: the metro usually closes in the early hours, while the first train leaves at about five o'clock. To commission new software, a reverse graft is needed: the new software is installed and commissioned, and then the system is reverted to the old system and a validation test is performed to ensure normal operation the next day. After deducting the safety management of the commissioning, test preparation and other steps, the remaining commissioning time is very limited. Yet the commissioning and testing of a safety-critical system must be sufficient.
Summary of the invention
The purpose of the present invention is to provide a verification method for safety-critical system software upgrades that resolves the conflict between the limited field-commissioning time of an operational system and the field-commissioning time that a system software upgrade demands.
The technical solution that achieves the above purpose is:
A verification method for a safety-critical system software upgrade, comprising:
in a redundancy unit of an X-by-M-out-of-N system, adding at least one new computing unit at the hardware level, where X is a positive integer and N and M are integers greater than or equal to 2;
loading the existing software on the N existing computing units of the redundancy unit, and loading the software to be upgraded on the new computing unit;
in each execution cycle, having every existing computing unit and the new computing unit compute on the identical input of that cycle;
determining the actual output from the operation results of the existing computing units, and informing the new computing unit of the operation results of the existing computing units or of the existing voting result generated from those operation results;
comparing the operation result of the new computing unit with the operation results of the existing computing units or with the existing voting result generated from them, and recording in a comparison log, according to the comparison result, either "behaviour consistent" or "behaviour inconsistent";
identifying offline the expected behaviour changes that the changes in the software to be upgraded produce relative to the existing software;
judging, from the expected behaviour changes and the comparison log, whether the behaviour of the new computing unit meets expectations.
Preferably, the expected behaviour change is one of: expected behaviour consistent, or expected behaviour inconsistent;
and judging whether the behaviour of the new computing unit meets expectations comprises:
if the comparison log records "behaviour consistent" and the expected behaviour is consistent, judging that the behaviour of the new computing unit meets expectations;
if the comparison log records "behaviour consistent" and the expected behaviour is inconsistent, judging that the behaviour of the new computing unit does not meet expectations;
if the comparison log records "behaviour inconsistent" and the expected behaviour is consistent, judging that the behaviour of the new computing unit does not meet expectations;
if the comparison log records "behaviour inconsistent" and the expected behaviour is inconsistent, checking whether the mode of the inconsistency recorded in the comparison log is identical to the mode of the expected inconsistency; if so, judging that the behaviour of the new computing unit meets expectations; otherwise, judging that it does not.
Preferably, the actual output determined by the existing computing units is isolated from the output of the new computing unit.
Preferably, the version of the software to be upgraded is one level higher than the version of the existing software.
Preferably, the comparison result between the new computing unit and the existing computing units does not take part in the actual output.
Preferably, X, N and M are all 2.
The beneficial effects of the present invention are: by applying the redundancy-check principle, the present invention tests the new safety-critical system software during service time, so that the new software can be continuously and effectively verified. This ensures the quality of the safety-critical system software upgrade process during normal service hours without affecting the normal operation of either system, and effectively relieves the conflict between the field-test requirement of a safety-critical system and the limited field-test time available once the system has entered service.
Detailed description of the invention
Fig. 1 is a schematic diagram of the check between the new computing unit's calculated result and the existing computing units' voting result in the present invention;
Fig. 2 is a schematic diagram of the check between the new computing unit's calculated result and the existing computing units' operation results in the present invention;
Fig. 3 is a schematic diagram of input synchronisation between the new computing unit and the existing computing units in the present invention;
Fig. 4 is a schematic diagram of a 2-by-2-out-of-2 system architecture in the prior art.
Specific embodiment
The present invention is further described below with reference to the accompanying drawings.
Redundancy provides system availability: systems A and B can both execute the same task and realise the same function. Under normal conditions system A works, while system B stands ready at all times to take over from system A but does not take part in task execution. Once system A fails, system B takes over the task immediately and the system continues to operate normally.
The purpose of checking is to mitigate the safety hazard brought by random failures. The same task is assigned to two units with identical function, unit A1 and unit A2, which perform it independently and simultaneously. When both have finished, the results computed separately by A1 and A2 are voted, the minority yielding to the majority. The measure of randomness is probability: from a probabilistic point of view, the probability that several units suffer a random failure at the same time and produce the identical result is extremely low, so the harm of random failures is mitigated. In the special case where the votes of the separate units are evenly split, with neither a majority nor a minority, a safe-side strategy is applied and a safe action is taken. For example, when judging whether a train should brake, only two separate units, A1 and A2, each compute the braking result. If unit A1 concludes that braking is required and unit A2 concludes that it is not, the system finally takes the safe action of braking. Fig. 4 shows a typical safety redundancy and checking architecture, the 2-by-2-out-of-2 system architecture, which is widely used in metro control systems. Here the "2-by" redundancy serves availability, and the "2-out-of-2" check serves safety.
The present invention innovatively applies the above redundancy-check principle to safety-critical system software upgrades. Two things must be achieved: 1) in principle, the existing software (version N) is regarded as one check unit and the new software to be upgraded (version N+1) as another check unit, and the calculated results of the old and new software are compared; 2) from the control point of view of the real system, the existing software (version N) and the new software to be upgraded (version N+1) are regarded as a redundant system and information is synchronised between them, but the new software never takes part in actual control, that is, it never takes over the system.
A software upgrade is an iterative concept. 1) For the functions of the existing software that need improvement, the behaviour of the new software should differ and should reach the improvement target. 2) The other functions of the new software should be consistent with the existing software; that is, apart from the functions targeted by the modification, system behaviour should not be affected by the modification and should remain consistent with the existing software.
Both of the above software-upgrade iteration test targets can be reached by the checking principle. If a check test can be carried out during system service time, most test targets can be triggered and covered during normal system operation; in other words, the operating scenarios of the existing software are themselves the test and commissioning scenarios for the new software. If the new system has passed several months of check testing alongside the existing system during service time, software quality can be assured, and confidence is greatly increased when the software is later upgraded. It is as if the operating situation after the upgrade were being played out in advance. One problem remains to be solved: the control that the existing software exercises over actual operation must not be affected. Therefore, what is needed is redundancy without takeover.
In an active-standby redundant system, the standby system has two features: 1) the ability to take over at any time, achieved by synchronising information with the active system; 2) it never controls the system before takeover, achieved by output isolation of the standby system.
In the present invention the new software can be regarded as residing in the standby system, but the above strategy needs adjustment: 1) the system on which the new software is installed has the ability to take over, but it does not take over actual operation during commissioning of the new software, ensuring that normal operation of the existing software is not affected; 2) while the system output is isolated, the output results of both systems must be known for the check test.
The present invention applies to X-by-M-out-of-N systems, where X is a positive integer and N and M are integers greater than or equal to 2, and to each redundancy unit (active or standby). Each redundancy unit uses the same method.
The verification method for a safety-critical system software upgrade of the present invention includes the following steps:
One: in a redundancy unit of the X-by-M-out-of-N system, at least one new computing unit is added at the hardware level. This embodiment takes a 2-by-2-out-of-2 system as the example. Resource considerations permitting, one unit can be added to check the new software logic. Any random hardware fault of the new computing unit can be monitored through the check against the existing computing units.
Two: the N existing computing units of the redundancy unit load the existing software, and the new computing unit loads the software to be upgraded (the new software).
Three: in order to check the behaviour of the new computing unit against the existing computing units, the input information must be synchronised. The information synchronisation of the expanded system follows the information synchronisation mechanism of an M-out-of-N redundancy-check system. In this embodiment, after the 2-out-of-2 system is expanded it adopts the information synchronisation mechanism of a 2-out-of-3 system, and in each execution cycle the existing computing units and the new computing unit all compute on the identical input of that cycle, as shown in Fig. 3.
Four: the calculated results of the existing computing units are collected and checked against the new computing unit, while ensuring that the new computing unit does not affect the actual output. Because the new system (made up of the new computing unit) is control-isolated from the real system (made up of the existing computing units) at the architectural level, it never actually takes over the system, and the real system keeps running under the control of the existing software. Specifically, the actual output is determined from the operation results of the existing computing units, and the operation results of the existing computing units, or the existing voting result generated from them, are passed to the new computing unit. The operation result of the new computing unit is compared with the operation results of the existing computing units or with the existing voting result generated from them; the comparison result does not take part in the actual output and serves only as the check-test result. According to the comparison result, the comparison log records "behaviour consistent" (the operation result of the new computing unit is identical to the operation results of the existing computing units or to the existing voting result generated from them) or "behaviour inconsistent" (the operation result of the new computing unit differs from the operation results of the existing computing units or from the existing voting result generated from them), as shown in Figs. 1 and 2. Specifically, the check decision principle is as follows:
The software loaded on the new computing unit is the upgraded version, which carries a modification increment relative to the existing software. The expected behaviour change produced by the change to the existing software is identified offline: expected behaviour inconsistent, or expected behaviour consistent.
The expected behaviour change is compared with the comparison log to determine whether the behaviour of the new computing unit meets expectations; wherever it does not, analysis is needed to judge whether the expectation was wrong or the software implementation was wrong. Referring to Table 1 below, there are four cases:
1) The comparison log records "behaviour consistent" and the expected behaviour is consistent: the behaviour of the new computing unit is judged to meet expectations.
2) The comparison log records "behaviour consistent" and the expected behaviour is inconsistent: the behaviour of the new computing unit is judged not to meet expectations, and further analysis determines whether the expectation or the software implementation was wrong.
3) The comparison log records "behaviour inconsistent" and the expected behaviour is consistent: the behaviour of the new computing unit is judged not to meet expectations, and further analysis determines whether the expectation or the software implementation was wrong.
4) The comparison log records "behaviour inconsistent" and the expected behaviour is inconsistent: check whether the two inconsistency modes are identical, that is, whether the cause mode of the inconsistency recorded in the comparison log is identical to the cause mode of the expected inconsistency. If so, the behaviour of the new computing unit is judged to meet expectations; if not, it is judged not to meet expectations, and further analysis determines whether the expectation or the software implementation was wrong.
Table 1

                                        | Expected behaviour consistent                               | Expected behaviour inconsistent
Comparison log: behaviour consistent    | Normal                                                      | Analyse: expectation error or software implementation error
Comparison log: behaviour inconsistent  | Analyse: expectation error or software implementation error | Check whether the inconsistency mode is as expected
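The decision table above, together with the 2-out-of-2 safe-side vote from the braking example, worked through as an added Python illustration (not code from the patent): two existing units running version N are voted to produce the actual output, a third, output-isolated unit runs version N+1 on the same input each cycle, and every comparison-log entry is judged against an offline expectation of where behaviour should change. The braking rules, the "expected change" model and the input cycles are constructed for illustration only.

```python
"""Redundancy check of a software upgrade in one 2-by-2-out-of-2 unit (added
example, not code from the patent). Two existing units run version N, a new unit
runs version N+1 on the same synchronised input each cycle. Only the 2oo2 vote of
the existing units becomes the actual output; the new unit is output-isolated,
its result is logged against the vote, and the log is judged against an offline
expectation of where behaviour should change (Table 1). The braking rules,
inputs and the "expected change" model below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional

BRAKE, RELEASE = "brake", "release"
SAFE_SIDE = BRAKE  # action taken when a 2oo2 vote is split (fail-safe side)


class Verdict(Enum):
    MEETS_EXPECTATION = "meets expectation"
    ANALYSE = "analyse: expectation error or software implementation error"


@dataclass(frozen=True)
class Cycle:
    speed: float             # km/h, the same value delivered to every unit
    distance_to_stop: float  # metres to the stopping point


def version_n(c: Cycle) -> str:
    """Existing software (constructed rule): brake when the remaining distance is short."""
    return BRAKE if c.distance_to_stop < c.speed * 2.0 else RELEASE


def version_n_plus_1(c: Cycle) -> str:
    """Software to be upgraded: the target modification adds a low-speed rule;
    every other function must behave exactly like version N."""
    if c.speed < 5.0 and c.distance_to_stop < 20.0:
        return BRAKE
    return version_n(c)


def vote_2oo2(results: List[str]) -> str:
    """2-out-of-2 check: agreement is the output, a split vote falls to the safe side."""
    return results[0] if results[0] == results[1] else SAFE_SIDE


def expected_change(c: Cycle) -> Optional[str]:
    """Offline expectation: the mode 'old->new' where N+1 should differ from N,
    or None where the expected behaviour is 'consistent'."""
    if c.speed < 5.0 and c.distance_to_stop < 20.0 and version_n(c) == RELEASE:
        return f"{RELEASE}->{BRAKE}"
    return None


def run_cycle(c: Cycle, new_software: Callable[[Cycle], str] = version_n_plus_1) -> dict:
    """One execution cycle: vote the existing units, log the new unit, control nothing with it."""
    existing = [version_n(c), version_n(c)]  # units A1 and A2, identical input
    actual = vote_2oo2(existing)              # the only value that reaches the train
    new = new_software(c)                     # isolated: compared, never output
    return {"cycle": c, "actual": actual, "new": new,
            "consistent": new == actual,
            "mode": None if new == actual else f"{actual}->{new}"}


def judge(entry: dict, expected_mode: Optional[str]) -> Verdict:
    """Table 1: comparison-log entry x expected behaviour change -> verdict."""
    consistent, mode = entry["consistent"], entry["mode"]
    if consistent and expected_mode is None:      # case 1: normal
        return Verdict.MEETS_EXPECTATION
    if consistent or expected_mode is None:       # cases 2 and 3: one side diverged alone
        return Verdict.ANALYSE
    # case 4: both inconsistent; only an identical inconsistency mode is acceptable
    return Verdict.MEETS_EXPECTATION if mode == expected_mode else Verdict.ANALYSE


def check_upgrade(cycles: List[Cycle],
                  new_software: Callable[[Cycle], str] = version_n_plus_1) -> List[Verdict]:
    """Run a service period and return one verdict per cycle."""
    return [judge(run_cycle(c, new_software), expected_change(c)) for c in cycles]


if __name__ == "__main__":
    # Constructed service period: cruising, crawling into a platform, stopping, braking.
    period = [Cycle(60.0, 200.0), Cycle(3.0, 10.0), Cycle(3.0, 4.0), Cycle(60.0, 50.0)]
    for c, v in zip(period, check_upgrade(period)):
        print(c, run_cycle(c)["mode"], v.value)
```

Passing a different callable as new_software (for instance version_n itself, or a deliberately wrong rule) reproduces cases 2 and 3 of the table, which is how an expectation error or implementation error would surface in the log.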
Therefore, during operation of the existing system, the new software is verified by checking and comparing the behaviour of the two systems; the new software is exercised and sufficiently and effectively verified during normal operation, which greatly reduces the software test pressure outside service hours.
The above embodiments serve only to illustrate the present invention and do not limit it. Those skilled in the related technical field may make various transformations or modifications without departing from the spirit and scope of the present invention; all equivalent technical solutions therefore also fall within the scope of the present invention, which is defined by the claims.

Claims (6)

1. A verification method for a safety-critical system software upgrade, characterised in that it comprises:
in a redundancy unit of an X-by-M-out-of-N system, adding at least one new computing unit at the hardware level, where X is a positive integer and N and M are integers greater than or equal to 2;
loading the existing software on the N existing computing units of the redundancy unit, and loading the software to be upgraded on the new computing unit;
in each execution cycle, having every existing computing unit and the new computing unit compute on the identical input of that cycle;
determining the actual output from the operation results of the existing computing units, and informing the new computing unit of the operation results of the existing computing units or of the existing voting result generated from those operation results;
comparing the operation result of the new computing unit with the operation results of the existing computing units or with the existing voting result generated from them, and recording in a comparison log, according to the comparison result, either "behaviour consistent" or "behaviour inconsistent";
identifying offline the expected behaviour changes that the changes in the software to be upgraded produce relative to the existing software;
judging, from the expected behaviour changes and the comparison log, whether the behaviour of the new computing unit meets expectations.
2. The verification method for a safety-critical system software upgrade according to claim 1, characterised in that the expected behaviour change is one of: expected behaviour consistent, or expected behaviour inconsistent;
and judging whether the behaviour of the new computing unit meets expectations comprises:
if the comparison log records "behaviour consistent" and the expected behaviour is consistent, judging that the behaviour of the new computing unit meets expectations;
if the comparison log records "behaviour consistent" and the expected behaviour is inconsistent, judging that the behaviour of the new computing unit does not meet expectations;
if the comparison log records "behaviour inconsistent" and the expected behaviour is consistent, judging that the behaviour of the new computing unit does not meet expectations;
if the comparison log records "behaviour inconsistent" and the expected behaviour is inconsistent, checking whether the mode of the inconsistency recorded in the comparison log is identical to the mode of the expected inconsistency; if so, judging that the behaviour of the new computing unit meets expectations; otherwise, judging that it does not meet expectations.
3. The verification method for a safety-critical system software upgrade according to claim 1, characterised in that the actual output determined by the existing computing units is isolated from the output of the new computing unit.
4. The verification method for a safety-critical system software upgrade according to claim 1, characterised in that the version of the software to be upgraded is one level higher than the version of the existing software.
5. The verification method for a safety-critical system software upgrade according to claim 1, characterised in that the comparison result between the new computing unit and the existing computing units does not take part in the actual output.
6. The verification method for a safety-critical system software upgrade according to claim 1, characterised in that X, N and M are all 2.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201910404071.0A (CN109918235B) | 2019-05-16 | 2019-05-16 | Verification method for a safety-critical system software upgrade | Active

Publications (2)

Publication Number | Publication Date
CN109918235A | 2019-06-21
CN109918235B | 2019-07-30

Family ID: 66979139

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103389919A * | 2013-07-30 | 2013-11-13 | 浙江中控技术股份有限公司 | Data processing method and device based on a redundant equipment system
CN109448880A * | 2018-09-25 | 2019-03-08 | 北京广利核系统工程有限公司 | Method and system for disturbance-free download at a nuclear safety-level hot-standby redundant control station


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant