CN113111494B - Specific risk modeling and analyzing method of man-machine object fusion system - Google Patents


Info

Publication number: CN113111494B
Authority: CN (China)
Prior art keywords: model, defining, interaction, physical environment, error
Legal status: Active
Application number: CN202110292296.9A
Other languages: Chinese (zh)
Other versions: CN113111494A (en)
Inventors: 董云卫, 肖明睿, 曹阳
Current Assignee: Northwestern Polytechnical University
Original Assignee: Northwestern Polytechnical University
Priority: CN202110292296.9A
Publication of CN113111494A
Application granted
Publication of CN113111494B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 30/00 Computer-aided design [CAD]
    • G06F 30/20 Design optimisation, verification or simulation

Abstract

The invention discloses a specific risk modeling and analyzing method for a man-machine-object fusion system, which comprises the steps of first summarizing and classifying the specific risks in an HCPS (human-computer-physical system) and defining a complete specific risk model framework; secondly, defining the specific risk model semantics, including a human factor model and a physical environment model, by means of AADL; then extending the annex of the specific risk model based on the AADL annex technology and generating a specific risk annex analyzer with the Xtext framework; then completing the system error model by means of the specific risk model and integrating the system error model, the architecture model and the specific risk model into one specific risk analysis model; and finally, automatically computing the DSPN model obtained by model conversion with a Petri net tool to obtain the failure probability of the system components, while extracting safety information from the architecture model to complete the final specific risk analysis report. The invention establishes a more complete operation framework for the human-computer-object fusion system and can guide the establishment of a more comprehensive safety evaluation model.

Description

Specific risk modeling and analyzing method of man-machine object fusion system
Technical Field
The invention belongs to the technical field of man-machine object fusion, and particularly relates to a specific risk modeling and analyzing method.
Background
The document "unknown modeling and running verification for automated learning driving control, a machine learning-based approach, 167 (2020)" discloses a parameterized modeling language for the dynamic behavior of human-computer-physical systems (HCPS), called Parametric Stochastic Hybrid Statechart (stowhart (p)), aimed at modeling the dynamic behavior of an HCPS with stochastic and hybrid properties. The language first defines an abstract syntax and concrete modeling expressions that define the states in the HCPS, the transitions between states, and the commands distinguishing different types of transitions, by extending 5 types of variables and 5 types of expressions. Continuous variables in a physical process are described by ordinary differential equations, a state diagram describes the discrete changes in the computation process, and when uncertainty in the environment, such as the uncertainty of human behavior, is modeled, the probability of occurrence of events is reflected by probability parameters and events; this modeling language can better solve the formal modeling problem of a human-computer fusion system in an uncertain environment. In security-critical embedded systems, however, security design and analysis primarily considers unsafe behavior and abnormal break variables in the system. The randomness in the HCPS cannot simply be reflected by probability parameters, and interactive behaviors and physical characteristics with random properties in the system are not depicted in the model, such as human behaviors, which are determined by the assigned role authorities, the operating environment, the error-inducing factors of the interaction mode and the like.
In addition, human factor and physical environment modeling in the HCPS should be considered from different perspectives, but this literature does not define model semantics for the human factors and the physical environment factors separately; it adopts a unified meta-model and formal definition, which is not targeted. As a good modeling design language, AADL opens a language extension interface to support modeling and analysis work in the early stages of system development.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a specific risk modeling and analyzing method for a man-machine-object fusion system, which comprises the steps of first summarizing and classifying the specific risks in an HCPS (human-computer-physical system) and defining a complete specific risk model framework; secondly, defining the specific risk model semantics, including a human factor model and a physical environment model, by means of AADL; then extending the annex of the specific risk model based on the AADL annex technology and generating a specific risk annex analyzer with the Xtext framework; then completing the system error model by means of the specific risk model and integrating the system error model, the architecture model and the specific risk model into one specific risk analysis model; and finally, automatically computing the DSPN model obtained by model conversion with a Petri net tool to obtain the failure probability of the system components, while extracting safety information from the architecture model to complete the final specific risk analysis report. The invention establishes a more complete operation framework for the human-computer-object fusion system and can guide the establishment of a more comprehensive safety evaluation model.
The technical scheme adopted by the invention for solving the technical problem comprises the following steps:
step 1: establishing an AADL computing system architecture model for the HCPS system according to the system specification;
step 2: according to the specific risk in the HCPS, a human factor model and a physical environment model are respectively established according to behavior and feature classification;
step 2-1: defining the human factor model as a seven-tuple $HM = (A, IM, IP, OI, RP, II, ISQ)$, where $A$ represents the executor set, $IM$ the interaction mode set, $IP$ the interactive interface set, $OI$ the operation interface, $RP$ the role authority set, $II$ the interaction intention, and $ISQ$ the interaction sequence set, specifically:
step 2-1-1: defining a single individual directly interacting with the system as an executor, and establishing the executor set $A = \{a_1, a_2, \ldots, a_i, \ldots, a_n\}$ present at system runtime, where $a_i$ represents the $i$-th executor; for each executor $a_i$, defining a role type and granting it different operation authorities in the security-critical embedded system;
step 2-1-2: defining the access operations by which an executor interacts with the system during operation as the interaction mode set $IM = \{im_1, im_2, \ldots, im_i, \ldots, im_n\}$, where $im_i$ represents the $i$-th interaction mode; interaction modes are divided into read operations and write operations; an executor completes a task by executing the interaction mode $im_i$ with the system, and execution is defined such that only one executor executes at any one time;
defining an attribute set for each interaction mode, comprising an interaction type, an interaction name, a nominal human error probability NHEP, the error-inducing factors EPC and the actual influence value APOA of each error-inducing factor;
step 2-1-3: defining the interfaces that the system provides to the outside during operation as the interactive interface set $IP = \{ip_1, ip_2, \ldots, ip_i, \ldots, ip_n\}$, where $ip_i$ represents the $i$-th interactive interface; an executor interacts with the system through an interactive interface;
step 2-1-4: defining the relationship between the interactive interfaces and the interaction modes as the operation interface $OI = R_r \cup R_w$, where $R_r$ is the relationship of the write operation to the interactive interface,
Figure BDA0002982749160000021
$R_w$ is the relationship of the read operation to the interactive interface,
Figure BDA0002982749160000022
Figure BDA0002982749160000023
step 2-1-5: establishing a role authority set $RP = \{rp_1, rp_2, \ldots, rp_n\}$ for the role types according to the operation regulations of the HCPS system, where the role authority $rp_i$ defines the operation interfaces that the role type is permitted to execute;
step 2-1-6: defining the interaction subject set $IS = \{is_1, is_2, \ldots, is_n\}$, where each interaction subject $is_i = \{a_1, a_2, \ldots, a_m\}$ is composed of a finite set of executors; defining the relationship between an interaction subject and an operation interface as an interaction intention existing in the system
Figure BDA0002982749160000024
$II = \{ii_1, ii_2, \ldots, ii_i, \ldots, ii_n\}$, where $ii_i$ represents the $i$-th interaction intention; an interaction intention represents an intention that an interaction subject can accomplish by executing the operation interface while the system is running; defining a logical operator $*$ whose two sides are alternative return values, so that the $i$-th interaction intention is $ii_i = (\{a_1, a_2, \ldots, a_m\}, oi_i) = (a_1, oi_i) * (a_2, oi_i) * \cdots * (a_m, oi_i)$;
step 2-1-7: defining the interaction sequence set $ISQ = \{isq_1, isq_2, \ldots, isq_i, \ldots, isq_n\}$, where the interaction sequence $isq_i$ is defined as a sequence of interaction intentions in time order
Figure BDA0002982749160000031
describing the order in which a plurality of interaction intentions $ii_i$ are executed during the operation of the system;
step 2-2: defining the physical environment model as a seven-tuple $PM = (BS, BS_0, PV, CV, CB, CD, T)$, where $BS$ represents the discrete set of behavior states, $BS_0$ the initial state set, $PV$ the variable set, $CV$ the clock variable set, $CB$ the continuous behavior set, $CD$ the transition mechanism set, and $T$ the state transition set, specifically:
step 2-2-1: defining the finite set of discrete behavior states in the physical environment model as $BS = \{bs_1, bs_2, \ldots, bs_n\}$, representing the different behavior states existing in the physical environment model;
step 2-2-2: defining the initial state set in the physical environment model
Figure BDA0002982749160000032
representing the initial state of the physical component at start-up;
step 2-2-3: defining the variable set $PV = \{pv_1, pv_2, \ldots, pv_n\}$ of the physical environment model; a variable is a discrete variable or a continuous variable defined on the set of real numbers, and the running state of the physical component is described through these variables;
step 2-2-4: defining the clock variable set $CV = \{cv_1, cv_2, \ldots, cv_n\}$ in the physical environment model; a clock variable is a clock in the physical environment model;
step 2-2-5: defining the continuous behavior on the behavior states as $CB = \{cb_1, cb_2, \ldots, cb_n\}$, used to describe how the external physical variables change while the physical environment model is in state $bs_i$;
step 2-2-6: defining the set of transition mechanisms present in the physical environment model, $CD = \{cd_1, cd_2, \ldots, cd_n\}$, describing the dynamic change process of the behavior state of the physical component, which is divided into the following three steps:
1) defining the set of trigger actions $TB = \{tb_1, tb_2, \ldots, tb_n\}$ included in the physical environment model, describing the constraint conditions on the physical variables in the external environment; when a constraint condition is not met, the behavior state of the physical component changes;
2) defining the set of clock constraints $CS = \{cs_1, cs_2, \ldots, cs_n\}$ included in the physical environment model; a corresponding clock constraint $cs_i$ is defined in terms of a clock variable, i.e. a comparison between the clock and a time constant; when the physical environment model receives the trigger action $t_i$ and the clock constraint expression $cs_i$ is true at that moment, the behavior state changes, otherwise the behavior state cannot change;
3) defining the set of clock resets $CR = \{cr_1, cr_2, \ldots, cr_n\}$ included in the physical environment model; when the state of the physical component changes, some of the clocks need to be reset;
step 2-2-7: describing the state transition set $T = \{t_1, t_2, \ldots, t_n\}$ included in the physical environment model according to the behavior states and the transition mechanisms, representing the current dynamic behavior information of the physical component;
step 3: defining the semantics of the specific risk model by adopting AADL, and extending two semantics: human factor components and physical environment components;
step 3-1: defining the type and the implementation of the human factor component; defining in the type the features, i.e. the in ports and out ports through which an executor interacts with the computing system, and then declaring these interfaces as error propagation points with the error model according to the attribute information of the interfaces defined by the extended human factor model annex;
step 3-2: defining the type and the implementation of the physical environment component; defining in the type the features that describe the interactive interface between the physical environment and the computing system; in the implementation, the extended physical environment model is used to define the hybrid properties of the physical environment, while the error model is used to describe the risk events present in the physical environment model.
step 4: extending AADL annexes for the human factor model and the physical environment model on top of the AADL core syntax:
step 4-1: defining the grammar rules of the human factor model annex, which comprises an annex library and annex clauses; reusable information is defined in the annex library, comprising the executors (actors), the role types and the interaction modes; the reference to an annex library is declared in an annex clause, and then the operation interfaces, role authorities, interaction intentions and interaction sequences are defined;
step 4-2: defining the grammar rules of the physical environment model annex, which comprises an annex library and annex clauses; reusable information is defined in the annex library, comprising the behavior states, physical variables and clock variables; the reference to an annex library is first declared in an annex clause, and then the continuous behavior (continuous behavior) in each behavior state, the trigger conditions (trigger condition) in the physical environment and the transition relations (transitions) between behavior states are defined;
step 5: establishing an error model for the system according to the safety requirements of the system, specifically:
step 5-1: establishing the error model of the human factor model according to the execution regulations followed by the executors, where the probability of an error event is determined by the attribute set of the interaction mode and the occurrence probability of the error event is calculated by the following formula;
Figure BDA0002982749160000041
Figure BDA0002982749160000042
wherein
Figure BDA0002982749160000043
is the weight value assigned to each EPC; $APOA_i$ is the actual influence value of each EPC, the degree of influence of each EPC being determined by expert scoring; NHEP is the nominal human error probability of this type of error event in the field; HEP is the calculated human error probability;
step 5-2: establishing a corresponding error model for the physical environment model according to the usage limits defined in the HCPS system operation standard, where the occurrence probability of an error event is defined by the severity level in the physical model, and the correspondence between severity level and occurrence probability is formulated;
step 5-3: describing risk propagation among the components by defining error propagation points in the error model, so that the computing system architecture model, the human factor model and the physical environment model are combined into a complete specific risk analysis model;
step 6: after the modeling for the specific risk analysis is completed, the specific risk analysis is carried out by model inspection and model conversion, specifically:
step 6-1: model inspection extracts the specific risks, failure states and operation requirements from the specific risk analysis model, and the risk propagation paths are determined through the error propagation mechanism defined in the error model;
step 6-2: according to the mapping rules from AADL to DSPN, converting the AADL specific risk analysis model into a DSPN model, with the error state machines in the error model converted into the corresponding places, tokens and transitions of the DSPN model; then automatically computing the converted error automaton by calling the Petri net tool TimeNet to obtain the occurrence probability of the system components being in a failure state, and finally completing the specific risk analysis of the man-machine-object fusion system.
The invention has the following beneficial effects:
1. the human factors and the physical environment factors are considered in the framework design stage, a more complete human-computer integration system operation framework is established, and a more comprehensive safety evaluation model can be guided to be established.
2. By formulating a specific risk model, formal semantics depict the uncertain factors of human factors and physical environment, so that the modeling process meets the random property of the HCPS system.
3. The modeling capability of the AADL language is expanded, subjective interaction behaviors of people and system operation physical environment characteristics can be described, and the design and modeling of a human-computer object fusion system can be supported.
4. Because the DSPN model after model conversion contains information such as executors and interaction modes in the human factor model, and information such as transitions between a trigger mechanism and behavior states defined in the physical environment model, the converted calculation model is more consistent with an actual system.
Drawings
FIG. 1 is a flow chart of the AADL-based specific risk modeling method of the present invention.
Fig. 2 is a schematic diagram of the syntactic rules of the human factor model appendix of the present invention, fig. 2(a) is a human factor model appendix library syntactic rule, and fig. 2(b) is a human factor model appendix clause syntactic rule.
Fig. 3 is a diagram showing the syntax rules in the appendix of the physical model of the present invention, fig. 3(a) is the syntax rules in the appendix library of the physical model, and fig. 3(b) is the syntax rules in the appendix clause of the physical model.
Fig. 4 is a schematic diagram of an architecture model of a safety and stability control system according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of the semantic extension of abstract components in AADL according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating the set of executors in the human factor model component according to an embodiment of the invention.
FIG. 7 is a diagram illustrating interaction patterns and attribute sets in the human factor model component according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating a set of attributes of an interaction interface in a human factor model component according to an embodiment of the present invention.
FIG. 9 is a diagram of an annex clause template of the human factor model according to an embodiment of the invention.
FIG. 10 is a schematic diagram of the physical model annex library template of an embodiment of the invention.
FIG. 11 is a diagram illustrating a physical model annex clause template according to an embodiment of the invention.
Fig. 12 is a schematic diagram of a PRA model of a safety and stability control system according to an embodiment of the present invention.
FIG. 13 is a schematic diagram of an error model of a human factor component in accordance with an embodiment of the invention.
FIG. 14 is a schematic diagram of an error model of a physical component in accordance with an embodiment of the invention.
Fig. 15 shows the converted DSPN model of the safety and stability control system in accordance with an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the drawings.
As shown in fig. 1, the specific risk modeling and analyzing method of a man-machine-object fusion system includes the following steps:
step 1: establishing an AADL computing system architecture model for the HCPS system according to the system specification;
step 2: according to the specific risk in the HCPS, a human factor model and a physical environment model are respectively established according to behavior and feature classification;
step 2-1: defining the human factor model as a seven-tuple $HM = (A, IM, IP, OI, RP, II, ISQ)$, where $A$ represents the executor set, $IM$ the interaction mode set, $IP$ the interactive interface set, $OI$ the operation interface, $RP$ the role authority set, $II$ the interaction intention, and $ISQ$ the interaction sequence set, specifically:
step 2-1-1: defining a single individual directly interacting with the system as an executor, and establishing the executor set $A = \{a_1, a_2, \ldots, a_i, \ldots, a_n\}$ present at system runtime, where $a_i$ represents the $i$-th executor; each executor $a_i$ takes on a corresponding role to complete the corresponding operations during system operation, and for each executor $a_i$ a role type is defined and different operation authorities are granted in the security-critical embedded system;
step 2-1-2: defining the access operations by which an executor interacts with the system during operation as the interaction mode set $IM = \{im_1, im_2, \ldots, im_i, \ldots, im_n\}$, where $im_i$ represents the $i$-th interaction mode; interaction modes are divided into read operations and write operations; an executor completes a task by executing the interaction mode $im_i$ with the system, and execution is defined such that only one executor executes at any one time;
defining an attribute set for each interaction mode, comprising an interaction type, an interaction name, a nominal human error probability NHEP, the error-inducing factors EPC and the actual influence value APOA of each error-inducing factor; the NHEP comes from the relevant statistics in the field, the EPCs are customized independently for each scenario with reference to the 38 types defined in the HEART method, and the APOA is obtained from domain experts scoring according to experience;
step 2-1-3: defining the interfaces that the system provides to the outside during operation as the interactive interface set $IP = \{ip_1, ip_2, \ldots, ip_i, \ldots, ip_n\}$, where $ip_i$ represents the $i$-th interactive interface; an executor interacts with the system through an interactive interface;
step 2-1-4: defining the relationship between the interactive interfaces and the interaction modes as the operation interface $OI = R_r \cup R_w$; there are two types of relationship according to the interaction mode: $R_r$ is the relationship of the write operation to the interactive interface,
Figure BDA0002982749160000071
$R_w$ is the relationship of the read operation to the interactive interface,
Figure BDA0002982749160000072
step 2-1-5: according to the operation regulations of the HCPS system, each role type is granted different operation authorities, and a role authority set $RP = \{rp_1, rp_2, \ldots, rp_n\}$ is established for the role types, where the role authority $rp_i$ defines the operation interfaces that the role type is permitted to execute;
step 2-1-6: defining the interaction subject set $IS = \{is_1, is_2, \ldots, is_n\}$, where each interaction subject $is_i = \{a_1, a_2, \ldots, a_m\}$ is composed of a finite set of executors; defining the relationship between an interaction subject and an operation interface as an interaction intention existing in the system
Figure BDA0002982749160000073
$II = \{ii_1, ii_2, \ldots, ii_i, \ldots, ii_n\}$, where $ii_i$ represents the $i$-th interaction intention; an interaction intention represents an intention that an interaction subject can accomplish by executing the operation interface while the system is running; defining a logical operator $*$ whose two sides are alternative return values, so that the $i$-th interaction intention is $ii_i = (\{a_1, a_2, \ldots, a_m\}, oi_i) = (a_1, oi_i) * (a_2, oi_i) * \cdots * (a_m, oi_i)$;
step 2-1-7: defining the interaction sequence set $ISQ = \{isq_1, isq_2, \ldots, isq_i, \ldots, isq_n\}$, where the interaction sequence $isq_i$ is defined as a sequence of interaction intentions in time order
Figure BDA0002982749160000074
describing the order in which a plurality of interaction intentions $ii_i$ are executed during the operation of the system;
step 2-2: defining the physical environment model as a seven-tuple $PM = (BS, BS_0, PV, CV, CB, CD, T)$, where $BS$ represents the discrete set of behavior states, $BS_0$ the initial state set, $PV$ the variable set, $CV$ the clock variable set, $CB$ the continuous behavior set, $CD$ the transition mechanism set, and $T$ the state transition set, specifically:
step 2-2-1: defining the finite set of discrete behavior states in the physical environment model as $BS = \{bs_1, bs_2, \ldots, bs_n\}$, representing the different behavior states existing in the physical environment model;
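The human factor model HM of steps 2-1-1 to 2-1-7 (here and in the Disclosure section above) can be checked mechanically: given the executors, interaction modes, interactive interfaces, operation interface OI and role authority RP, each interaction intention in a sequence either has an executor whose role permits that operation interface or it does not. The following Python block is an added example written for this page, not code from the patent or its authors; the control-room scenario, the class and function names (`HumanFactorModel`, `check_sequence`, `build_sample_hm`) and the sample sequence `SAMPLE_ISQ` are constructed assumptions.

```python
# Added worked example (not the patent's own code): the human factor model
# HM = (A, IM, IP, OI, RP, II, ISQ) of steps 2-1-1 to 2-1-7, with a role-authority
# check over an interaction sequence. Names and the sample scenario are
# constructed assumptions made here for illustration only.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Operation = Tuple[str, str]  # an element of OI: (interaction mode, interactive interface)


@dataclass(frozen=True)
class InteractionMode:
    """An element im_i of IM; every mode is either a read or a write operation."""
    name: str
    kind: str  # "read" or "write"


@dataclass(frozen=True)
class Executor:
    """An element a_i of A; each executor is assigned exactly one role type."""
    name: str
    role: str


@dataclass
class HumanFactorModel:
    executors: Dict[str, Executor] = field(default_factory=dict)       # A
    modes: Dict[str, InteractionMode] = field(default_factory=dict)    # IM
    interfaces: Set[str] = field(default_factory=set)                  # IP
    oi: Set[Operation] = field(default_factory=set)                    # OI = R_r ∪ R_w
    rp: Dict[str, Set[Operation]] = field(default_factory=dict)        # RP: role -> permitted OI pairs

    def add_operation(self, mode: str, interface: str) -> None:
        """Step 2-1-4: add the pair (mode, interface) to the operation interface OI."""
        if mode not in self.modes or interface not in self.interfaces:
            raise ValueError(f"unknown mode or interface: ({mode}, {interface})")
        self.oi.add((mode, interface))

    def relation(self, kind: str) -> Set[Operation]:
        """The OI pairs whose mode is of the given kind (the read or the write relation)."""
        return {op for op in self.oi if self.modes[op[0]].kind == kind}

    def permitted(self, executor: str, op: Operation) -> bool:
        """Step 2-1-5: role authority rp_i lists the OI pairs the executor's role may run."""
        return op in self.rp.get(self.executors[executor].role, set())

    def intention_options(self, subject: FrozenSet[str], op: Operation) -> List[str]:
        """Step 2-1-6: ii_i = ({a_1..a_m}, oi_i) = (a_1,oi_i) * ... * (a_m,oi_i); the '*'
        marks alternatives, so the executors of the subject actually able to perform
        op under their role authority are returned (sorted for determinism)."""
        return sorted(a for a in subject if self.permitted(a, op))

    def check_sequence(self, isq: List[Tuple[FrozenSet[str], Operation]]) -> List[Tuple]:
        """Step 2-1-7: an interaction sequence is a time-ordered list of intentions.
        Returns the intentions that are not in OI or that no executor of the subject
        is authorised to perform; an empty list means the sequence is valid."""
        violations = []
        for subject, op in isq:
            if op not in self.oi:
                violations.append((subject, op, "not in OI"))
            elif not self.intention_options(subject, op):
                violations.append((subject, op, "no authorised executor"))
        return violations


def build_sample_hm() -> HumanFactorModel:
    """Constructed scenario: a control room with one operator and one supervisor."""
    hm = HumanFactorModel()
    for e in (Executor("op1", "operator"), Executor("sup1", "supervisor")):
        hm.executors[e.name] = e
    for m in (InteractionMode("view_status", "read"),
              InteractionMode("ack_alarm", "write"),
              InteractionMode("set_limit", "write")):
        hm.modes[m.name] = m
    hm.interfaces = {"hmi_panel", "config_console"}
    hm.add_operation("view_status", "hmi_panel")
    hm.add_operation("ack_alarm", "hmi_panel")
    hm.add_operation("set_limit", "config_console")
    # Role authority (step 2-1-5): only the supervisor may change limits.
    hm.rp = {
        "operator": {("view_status", "hmi_panel"), ("ack_alarm", "hmi_panel")},
        "supervisor": {("view_status", "hmi_panel"), ("ack_alarm", "hmi_panel"),
                       ("set_limit", "config_console")},
    }
    return hm


# Constructed interaction sequence isq: (interaction subject, operation interface).
SAMPLE_ISQ = [
    (frozenset({"op1"}), ("view_status", "hmi_panel")),
    (frozenset({"op1"}), ("set_limit", "config_console")),          # operator alone: not allowed
    (frozenset({"op1", "sup1"}), ("set_limit", "config_console")),  # supervisor is an alternative
]

if __name__ == "__main__":
    model = build_sample_hm()
    for v in model.check_sequence(SAMPLE_ISQ):
        print("violation:", v)
```

The check is the least-privilege question the role authority set exists to answer: an intention whose subject contains no executor with the required authority is flagged before any error model is built, and the `*` alternatives of step 2-1-6 are resolved to the concrete executors that could carry it out.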
step 2-2-2: defining initial state sets in a physical environment model
Figure BDA0002982749160000081
representing the initial state of the physical component at start-up;
step 2-2-3: defining the variable set $PV = \{pv_1, pv_2, \ldots, pv_n\}$ present in the physical environment model; a variable is a discrete variable or a continuous variable defined on the set of real numbers, and the running state of the physical component is described through these variables;
step 2-2-4: defining the clock variable set $CV = \{cv_1, cv_2, \ldots, cv_n\}$ in the physical environment model; a clock variable is a clock in the physical environment model; when physical behaviors affect the physical components, corresponding clock constraints exist at the same time;
step 2-2-5: defining the continuous behavior on the behavior states as $CB = \{cb_1, cb_2, \ldots, cb_n\}$, used to describe how the external physical variables change while the physical environment model is in state $bs_i$;
step 2-2-6: defining the transition mechanism present in the physical environment model, which describes the dynamic change process of the behavior state of the physical component and comprises the following three steps:
1) defining the set of trigger actions $TB = \{tb_1, tb_2, \ldots, tb_n\}$ included in the physical environment model, describing the constraint conditions on the physical variables in the external environment; when a constraint condition is not met, the behavior state of the physical component changes;
2) defining the set of clock constraints $CS = \{cs_1, cs_2, \ldots, cs_n\}$ included in the physical environment model; a corresponding clock constraint $cs_i$ is defined in terms of a clock variable, i.e. a comparison between the clock and a time constant; when the physical environment model receives the trigger action $t_i$ and the clock constraint expression $cs_i$ is true at that moment, the behavior state changes, otherwise the behavior state cannot change;
3) defining the set of clock resets $CR = \{cr_1, cr_2, \ldots, cr_n\}$ included in the physical environment model; when the state of the physical component changes, some of the clocks need to be reset;
step 2-2-7: describing the state transition set included in the physical environment model according to the behavior states and the transition mechanism, where the state transition set represents the current dynamic behavior information of the physical component;
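The physical environment model PM of steps 2-2-1 to 2-2-7 (here and in the Disclosure section above) behaves like a timed automaton: the continuous behavior cb updates the physical variables while the component remains in a state, and a transition fires when a trigger constraint tb is violated while the clock constraint cs holds, after which the clocks listed in cr are reset. The Python block below is an added example, not the patent's code; the temperature scenario, the class names (`PhysicalEnvironmentModel`, `Transition`) and `build_sample_pm` are assumptions, and BS_0 is simplified to a single initial state.

```python
# Added worked example (not the patent's own code): the physical environment model
# PM = (BS, BS_0, PV, CV, CB, CD, T) of steps 2-2-1 to 2-2-7, stepped in discrete
# time. The temperature scenario and all names are constructed assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Transition:
    """One element of T, built from the transition mechanism CD (step 2-2-6)."""
    source: str
    target: str
    trigger: Callable[[Dict[str, float]], bool]           # tb_i: constraint on PV; violated => may fire
    clock_constraint: Callable[[Dict[str, float]], bool]  # cs_i: clock compared with a time constant
    resets: List[str]                                     # cr_i: clocks reset when the transition fires


@dataclass
class PhysicalEnvironmentModel:
    states: List[str]                                        # BS
    initial: str                                             # BS_0 (one initial state here)
    variables: Dict[str, float]                              # PV
    clocks: Dict[str, float]                                 # CV
    continuous: Dict[str, Callable[[Dict[str, float], float], None]]  # CB: per-state update of PV
    transitions: List[Transition]                            # T
    state: str = field(init=False)
    trace: List[Tuple[str, str, Dict[str, float]]] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        if self.initial not in self.states:
            raise ValueError("BS_0 must be a subset of BS")
        self.state = self.initial

    def step(self, dt: float) -> str:
        """Advance by dt: apply cb of the current state, advance clocks, then fire
        at most one transition whose trigger is violated and clock constraint holds."""
        self.continuous[self.state](self.variables, dt)
        for c in self.clocks:
            self.clocks[c] += dt
        for t in self.transitions:
            if t.source != self.state:
                continue
            if not t.trigger(self.variables) and t.clock_constraint(self.clocks):
                self.trace.append((self.state, t.target, dict(self.variables)))
                self.state = t.target
                for c in t.resets:          # cr_i
                    self.clocks[c] = 0.0
                break
        return self.state

    def run(self, dt: float, steps: int) -> List[Tuple[str, str, Dict[str, float]]]:
        """Run the model and return the list of fired transitions (the dynamic behavior)."""
        for _ in range(steps):
            self.step(dt)
        return self.trace


def build_sample_pm() -> PhysicalEnvironmentModel:
    """Constructed scenario: a component heats at 2 degrees/s while 'running' and
    cools at 4 degrees/s while in 'cooldown'; the trigger constraints keep the
    temperature within [65, 80], and a transition may only fire once clock c
    has run for at least 1 s since the last reset."""
    def heat(pv: Dict[str, float], dt: float) -> None:
        pv["temp"] += 2.0 * dt

    def cool(pv: Dict[str, float], dt: float) -> None:
        pv["temp"] -= 4.0 * dt

    return PhysicalEnvironmentModel(
        states=["running", "cooldown"],
        initial="running",
        variables={"temp": 60.0},
        clocks={"c": 0.0},
        continuous={"running": heat, "cooldown": cool},
        transitions=[
            Transition("running", "cooldown",
                       trigger=lambda pv: pv["temp"] <= 80.0,      # tb: temperature must stay <= 80
                       clock_constraint=lambda cv: cv["c"] >= 1.0,  # cs: debounce of 1 s
                       resets=["c"]),
            Transition("cooldown", "running",
                       trigger=lambda pv: pv["temp"] >= 65.0,      # tb: must not drop below 65
                       clock_constraint=lambda cv: cv["c"] >= 1.0,
                       resets=["c"]),
        ],
    )


if __name__ == "__main__":
    pm = build_sample_pm()
    for src, dst, pv in pm.run(dt=0.5, steps=40):
        print(f"{src} -> {dst} at temp={pv['temp']}")
```

With a 0.5 s step the model leaves `running` after the 21st step (temperature 81), returns after a further 9 steps (temperature 63) and ends in `running` at 73 degrees; the trace returned by `run` is the "current dynamic behavior information" of step 2-2-7, and it is this state/clock structure that the error model of step 5-2 later annotates with severity levels.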
Step 3: AADL is used to define the semantics of the specific risk model. AADL annexes must be attached to component types or component implementations, but the AADL core language does not support adding new component categories and implementations; AADL therefore provides the abstract component, through which the basic view of a new kind of component can be described and later refined. Two kinds of semantics are thus constructed as extensions: human factor components and physical environment components.
Step 3-1: A component type and a component implementation are defined for the human factor component. The type defines the features, namely the in ports and out ports through which the executor interacts with the computing system; these ports are then declared as error propagation points with the error model, according to the interface attribute information defined by the extended human factor model annex. The implementation defines subcomponents declaring which executors take part in the scenario, defines the concrete behavioral activities with the human factor model, and characterizes the risk events present in the human factor model with the error model.
Step 3-2: A component type and a component implementation are defined for the physical environment component. The type defines the features and describes the interactive interface between the physical environment and the computing system; the implementation uses the extended physical environment model to define the hybrid (continuous and discrete) characteristics of the physical environment, and the error model to describe the risk events present in the physical environment model.
Step 4: The AADL core grammar is extended with AADL annexes for the human factor model and the physical environment model:
Step 4-1: As shown in Fig. 2, the grammar rules of the human factor model annex are defined. The annex consists of an annex library and annex subclauses. Reusable information is defined in the annex library: the executors (operators), role types and interaction modes. An annex subclause first declares the reference to an annex library and then defines the operation interfaces, role permissions, interaction intentions and interaction sequences.
Step 4-2: As shown in Fig. 3, the grammar rules of the physical environment model annex are defined. The annex consists of an annex library and annex subclauses. Reusable information is defined in the annex library: the behavior states, physical variables and clock variables. An annex subclause first declares the reference to an annex library and then defines the continuous behaviors in each behavior state, the trigger conditions of the physical environment and the transitions between behavior states.
Step 5: The extension of the specific risk model is complete after the steps above; an error model is then established for the system according to its safety requirements, specifically:
Step 5-1: An error model of the human factor model is established according to the execution rules followed by the executor. The probability of an error event is determined by the attribute set of the interaction mode and is calculated by the following formulas (formula images BDA0002982749160000091 and BDA0002982749160000092), wherein the symbol of image BDA0002982749160000093 is the weight value assigned to each EPC, $APOA_i$ is the degree of influence of each EPC, an actual influence value determined by expert scoring, NHEP is the nominal human error probability of this type of error event in this field, and HEP is the calculated human factor error probability.
Step 5-2: A corresponding error model is established for the physical environment model according to the usage limits defined in the HCPS system operating standard. The occurrence probability of an error event is defined by the severity level in the physical model, and the correspondence between severity level and occurrence probability is formulated.
Step 5-3: Risk propagation between components is described by defining error propagation points in the error model, so that the computing system architecture model, the human factor model and the physical environment model are combined into a complete specific risk analysis model.
Step 6: After the specific risk analysis modeling is complete, the specific risk analysis is performed by model checking and model conversion, specifically:
Step 6-1: The purpose of model checking is to analyze the impact of external events that may cause serious or catastrophic damage to the system. Model checking extracts the specific risks, failure states and operational requirements from the specific risk analysis model, and the risk propagation paths are determined through the error propagation mechanism defined in the error model.
Step 6-2: According to the AADL-to-DSPN mapping rules, the AADL specific risk analysis model is converted into a DSPN model: the error state machines of the error model are converted into the corresponding places, tokens and transitions of the DSPN model. The converted error automaton is then computed automatically by calling the Petri net tool TimeNet to obtain the probability that each system component is in a failure state, which completes the specific risk analysis of the man-machine-object fusion system.
The specific embodiment is as follows:
Referring to Fig. 1, the invention provides a specific risk modeling and analysis method for a man-machine-object (human-cyber-physical, HCPS) fusion system. Aiming at the randomness and hybrid characteristics of human factors and of the physical environment in an HCPS system, a new specific risk model is formulated by means of the architecture design language AADL, and the influence of specific risks on system safety is analyzed. First, the specific risk model framework and its formal semantics are defined according to the behaviors and characteristics of specific risks. Second, the semantics of the abstract component originally provided by AADL is extended into human factor components and physical components. Then the annex technique is used to extend a human factor model annex for modeling the human factor component, and the interaction modes, operation interfaces, role permissions, interaction intentions and interaction sequences are established from the behaviors of the executors. Next, the physical component is modeled with the physical model annex extended in the same way, and the behavior states, physical variables, clock variables, continuous behaviors, trigger mechanisms and state transitions are established from the behavior of the physical environment. Based on the safety requirements of the system, modeling is then carried out with the original AADL error model, and the architecture model, human factor component model and physical component model are connected through error propagation to form a complete specific risk model. Finally, mapping rules are formulated to convert the AADL model into a DSPN model, and the failure probability of the error automaton in the steady state is computed with a Petri net tool. The method comprises the following six steps:
1. Referring to Fig. 4, an AADL architecture model is built for this embodiment according to the system specification. The flight control system of a certain aircraft is selected as the case. The system architecture mainly comprises a processor unit (CPU), a memory unit (Memory), a bus (Bus), a voltage sensor (TS), a voltage variation detection component (TVD), a decision-making component (DMC), a display and control component (DC) and an actuator (AC). In this case the abstract component semantics is extended into a Human Component (HC) and a Lightning Physical Component (LPC). When a lightning risk event occurs, the physical environment component enters the abnormal state from the normal state, and the voltage sensor of the flight control system fails instantly under the strong current and enters a fault state. After the voltage variation detection component receives the abnormal sensor data, the decision-making component processes it and sends an erroneous instruction to the DC component, which displays it to the human component HC. The executors of the human component are a pilot (Navigator), a captain (Captain) and a co-pilot (Co-pilot): the pilot receives the system information fed back by the display and control component and reports it to the captain; the captain, suddenly facing an emergency, becomes tense and makes a wrong judgement; and the co-pilot issues a wrong instruction to the decision-making component. Finally, the actuator is commanded to operate erroneously. The red dashed lines between components indicate that the risk event (RE) propagates through the ports (IP) between components. Eventually the external grid system fails or even collapses because of the faulty command.
2. Referring to Fig. 5, the architecture of the analyzed system extends the abstract component semantics into two classes of components: the human factor component HumanComponent and the lightning physical component LightningComponent.
2.1 Referring to Fig. 6, the persons involved in the operation of the analyzed system are defined as executors $a$. In this case three executors $a_1, a_2, a_3$ are involved: the role type of executor $a_1$ is Navigator, responsible for monitoring whether the aircraft navigation data are normal; the role type of executor $a_2$ is Captain, responsible for organizing, commanding and coordinating the flight control system; and the role type of executor $a_3$ is Co-pilot, responsible for the complex and important operation tasks of the flight control system.
2.2 Referring to Fig. 7, the interaction modes the executors may perform during system operation are analyzed. In this case three interaction modes $im_1, im_2, im_3$ are involved: $im_1$ monitors the system data from the display and control component DC, $im_2$ receives the data from the pilot and makes a decision, and $im_3$ outputs the scheduling instruction from the display and control component. Detailed attribute information is also defined for each interaction mode. $im_1$ has interaction type read (r), interaction name "monitoring data", NHEP 0.0001, and the EPCs with their influence degrees APOA "EPC14, no clear or timely confirmation of an intended action (ambiguous or ill-matched system feedback): 4, APOA 0.3" and "EPC16, poor quality of information conveyed by procedures and person/person interaction: 3, APOA 0.16". $im_2$ has interaction type read (r), interaction name "dispatch determination", NHEP 0.0001, and the EPCs "EPC15, operator inexperience: 3, APOA 0.2" and "EPC24, a need for absolute judgements beyond the capabilities or experience of the operator: 1.6, APOA 0.8". $im_3$ has interaction type write (w), interaction name "execution operation", NHEP 0.0001, and the EPCs "EPC29, high-level emotional stress: 1.8, APOA 0.53" and "EPC35, disruption of normal work-sleep cycles: 1.1, APOA 0.26" (the EPC numbering and multipliers follow the HEART error-producing condition table).
2.3 Referring to Fig. 8, the interfaces the running system provides to the outside mainly comprise three, $ip_1, ip_2, ip_3$: $ip_1$ is used by the pilot to read data from the display and control component, $ip_2$ by the captain to receive data and issue commands, and $ip_3$ by the co-pilot to output instruction operations. Attribute information such as the interface specification and preventive measures is defined for each interface.
2.4 Referring to Fig. 9, the operation interfaces are defined from the interaction modes and interactive interfaces of steps 2.2 and 2.3. Three operation interfaces $oi_1, oi_2, oi_3$ are defined, representing respectively executing interaction mode $im_1$ from $ip_1$, $im_2$ from $ip_2$ and $im_3$ from $ip_3$.
2.5 Referring to Fig. 9, the corresponding operation permissions are defined for each role type: the pilot has permission for $oi_1$, the captain for $oi_1, oi_2, oi_3$, and the co-pilot for $oi_1, oi_3$.
2.6 Referring to Fig. 9, the interaction intentions in the system are defined from the executors and operation interfaces. Three interaction intentions $ii_1, ii_2, ii_3$ are involved: $ii_1$ indicates that operation interface $oi_1$ may be completed by any one of $a_1, a_2, a_3$; $ii_2$ indicates that $oi_2$ may be completed only by the captain $a_2$; and $ii_3$ indicates that $oi_3$ may be completed by one of $a_2, a_3$.
2.7 Referring to Fig. 9, the corresponding interaction sequence set is defined from the interaction intentions of step 2.6. In this case one interaction sequence needs to be defined (formula image BDA0002982749160000121): it executes interaction intention $ii_1$ when the clock is 1, $ii_2$ when the clock is 2 and $ii_3$ when the clock is 3. This interaction sequence runs from executor $a_1$ detecting the abnormal data, to executor $a_2$ performing the erroneous scheduling, to the wrong instruction being output by executor $a_3$.
3. Using the grammar extended through the annex technique of the AADL core language, an AADL-based physical component model is built for the HCPS system. In this case a physical environment model is established for the weather factor: a physical environment model annex library and annex subclauses are built, the finite set of discrete behavior states, the physical variables and the clock variables are defined in the annex library, and the continuous behaviors, trigger mechanisms and state transitions are defined in the annex subclauses:
3.1 Referring to Fig. 10, an annex library is built for the weather factor component and the finite set of discrete behavior states of the physical component model is defined: an initial state, in which the physical component is normal, and an abnormal state, in which a specific risk event may occur. For the weather factor component the initial and abnormal states are cloudy and lightning.
3.2 Referring to Fig. 10, the set of variables that may exist in the physical environment component is defined. A lightning event may occur in the weather factor, so the lightning current lightningCurrent is defined as a physical variable of the weather factor, in amperes (A).
3.3 Referring to Fig. 10, the set of clock variables of the physical component model is defined: a local clock variable weather_cv is defined for the weather component, and an initial value must be fixed for it.
3.4 Referring to Fig. 11, the continuous behavior describes how the physical variables change while the component is in a given behavior state: the lightning current of the weather physical component follows lightningCurrent = fun1(weather_cv), a function of the clock variable.
3.5 From the above elements, the transition mechanism of the physical component model is defined to describe the dynamic change of the behavior state of the physical component, in the following three steps:
1) Referring to Fig. 11, the trigger behavior is defined by referring to the physical variables of the annex library: according to the lightning intensity grading criteria, the weather physical component formulates the trigger expression "current_tb: lightningCurrent >= 2000" on the lightning current lightningCurrent.
2) Referring to Fig. 11, the clock constraint is defined by referring to the clock variables of the annex library: the local clock variable of the weather physical component describes the time constraint on the lightning current, "weather_cs: weather_cv >= 1".
3) Referring to Fig. 11, the clock reset is defined by referring to the clock variables of the annex library: when the lightning disappears in the weather physical component, the local clock variable is reset to 0.
3.6 Referring to Fig. 11, the state transition sets of the weather physical component and of the grid physical component are described from the behavior states and the transition mechanism defined above: a discrete behavior state transitions when the trigger expression is true and the clock constraint is satisfied, and the clock variable is then reset. When the trigger expression current_tb of the weather physical component is true and the clock constraint weather_cs is satisfied, the state of the component transitions from cloudy to lightning.
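To make the transition mechanism of steps 3.1 to 3.6 concrete, the following added example (not the patent's own code) simulates the weather physical component as a timed automaton: the behavior states cloudy and lightning, the physical variable lightningCurrent, the local clock weather_cv, the trigger expression lightningCurrent >= 2000, the clock constraint weather_cv >= 1 and the clock reset. The continuous behavior fun1 is not given on the page, so a linear build-up of the current in the cloudy state and a discharge in the lightning state are assumed; make_weather, trace and steps_until are names chosen here. Running the same physics with a stricter clock constraint shows that the trigger expression alone does not fire the transition, which is the point of the clock constraint in step 3.5.

```python
"""Added example, not the patent's own code: the weather physical component of the
case as an executable timed automaton following the seven-tuple
PM = (BS, BS0, PV, CV, CB, CD, T) of the physical environment model.

Assumptions (mine, not from the page): the continuous behaviour fun1(weather_cv)
is not given, so a linear ramp is used in 'cloudy' and a discharge to zero in
'lightning'; the thresholds follow the case (lightningCurrent >= 2000 A,
weather_cv >= 1). Clocks count simulation ticks.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Vars = Dict[str, float]


@dataclass
class Transition:
    src: str
    dst: str
    trigger: Callable[[Vars], bool]     # tb: constraint on physical variables
    clock_ok: Callable[[Vars], bool]    # cs: clock constraint
    resets: Tuple[str, ...] = ()        # cr: clocks reset when the transition fires


@dataclass
class PhysicalComponent:
    state: str                                  # current behaviour state bs in BS
    pv: Vars                                    # physical variables PV
    cv: Vars                                    # clock variables CV
    cb: Dict[str, Callable[[Vars], Vars]]       # continuous behaviour per state (CB)
    transitions: List[Transition]               # state transitions T built from CD

    def step(self, dt: float = 1.0) -> str:
        """Advance every clock by dt, apply the continuous behaviour of the current
        state, then fire at most one transition whose trigger AND clock constraint hold."""
        for k in self.cv:
            self.cv[k] += dt
        self.pv.update(self.cb[self.state](self.cv))
        for t in self.transitions:
            if t.src == self.state and t.trigger(self.pv) and t.clock_ok(self.cv):
                self.state = t.dst
                for c in t.resets:
                    self.cv[c] = 0.0
                break
        return self.state


def make_weather(clock_min: float = 1.0, ramp: float = 800.0) -> PhysicalComponent:
    """Weather component: BS = {cloudy, lightning}, BS0 = {cloudy}, PV = {lightningCurrent},
    CV = {weather_cv}. fun1 is hypothetical: current builds up linearly with the local
    clock while cloudy and discharges from 3000 A to 0 within one tick while lightning."""
    return PhysicalComponent(
        state="cloudy",
        pv={"lightningCurrent": 0.0},
        cv={"weather_cv": 0.0},
        cb={
            "cloudy": lambda cv: {"lightningCurrent": ramp * cv["weather_cv"]},
            "lightning": lambda cv: {"lightningCurrent": 3000.0 * max(0.0, 1.0 - cv["weather_cv"])},
        },
        transitions=[
            # current_tb: lightningCurrent >= 2000 ; weather_cs: weather_cv >= clock_min
            Transition("cloudy", "lightning",
                       trigger=lambda pv: pv["lightningCurrent"] >= 2000.0,
                       clock_ok=lambda cv: cv["weather_cv"] >= clock_min,
                       resets=("weather_cv",)),
            # lightning has disappeared (current back to zero): clock reset to 0
            Transition("lightning", "cloudy",
                       trigger=lambda pv: pv["lightningCurrent"] <= 0.0,
                       clock_ok=lambda cv: True,
                       resets=("weather_cv",)),
        ],
    )


def trace(pc: PhysicalComponent, steps: int, dt: float = 1.0) -> List[str]:
    """Behaviour state after each of `steps` simulation steps."""
    return [pc.step(dt) for _ in range(steps)]


def steps_until(pc: PhysicalComponent, target: str, dt: float = 1.0, limit: int = 100) -> int:
    """Number of steps until the component first enters `target` (0 if not within limit)."""
    for i in range(1, limit + 1):
        if pc.step(dt) == target:
            return i
    return 0


if __name__ == "__main__":
    print(trace(make_weather(), 5))
    # same physics, stricter clock constraint: the trigger alone does not fire the transition
    print(steps_until(make_weather(clock_min=1.0), "lightning", dt=0.5),
          steps_until(make_weather(clock_min=3.0), "lightning", dt=0.5))
```

With dt = 0.5 the current reaches 2000 A at the fifth step; under weather_cs: weather_cv >= 1 the transition fires there, while with a constraint of weather_cv >= 3 the trigger is already true but the state stays cloudy until the sixth step, which is exactly the gating the clock constraint of step 3.5 provides.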
4. An error model is established for the system according to the system safety requirements, in the following substeps:
4.1 Referring to Fig. 12, an error model is established for the system architecture model according to the system safety requirements: an independent error model is established for each subcomponent of the system, comprising error states, error events and state transitions.
4.2 Referring to Fig. 13, an error model of the human factor component is established from the information of the human factor model according to the execution rules followed by the executors. The error states are determined by the potential risks in the interaction modes, interaction sequences and interaction intentions of the human factor model: the error states of $a_1$ are defined as misjudge and wrongCmd, those of $a_2$ as nervous and errorSchedule, and those of $a_3$ as tired and wrongAction. The probability of an error event is determined by the attribute information of the interaction mode in the human factor component model, namely the nominal human error probability (NHEP), the error-inducing factors (EPC) and the actual influence value (APOA) of each EPC, and is calculated with formulas (1) and (2) of step 5-1: the occurrence probability of the error event ambiguous of executor $a_1$ is calculated as 1.5048-10, that of the error event of executor $a_2$ as 8.288-366, and that of the error event misoperation of executor $a_3$ as 4.383072 × 10^-6.
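The human factor model and the error probability of step 4.2 can be exercised as follows. This is an added example, not code from the patent or its authors: it encodes the executors, role permissions and interaction intentions of the case as data and checks every interaction intention against the role permission set (an executor named in an intention must hold the permission for that operation interface), and it computes a HEP for each interaction mode from the NHEP, EPC weight and APOA attributes given in step 2.2. Because formulas (1) and (2) are available only as images on the page, the block uses the standard HEART assessed-effect formula, HEP = NHEP × Π_i((EPC_i - 1) × APOA_i + 1), which relies on the same terms; this is an assumption, and the numbers it produces are not the values printed in step 4.2. Identifiers such as Epc, IM1, hep and intent_violations are mine.

```python
"""Added example (not the patent's own code): executable version of the human factor
model HM = (A, IM, IP, OI, RP, II, ISQ) for the flight-control case, plus a HEART-style
human error probability (HEP) per interaction mode.

Assumptions (also stated in the lead-in): the patent's formulas (1) and (2) are only
images on the page, so the standard HEART assessed-effect formula
    HEP = NHEP * prod_i ((EPC_i - 1) * APOA_i + 1)
is used; it relies on the same terms (NHEP, EPC weight, APOA) the text defines, but its
results are not the values printed in step 4.2. All class and function names are mine.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Epc:
    number: int       # HEART error-producing condition number
    weight: float     # multiplier, the "weight value assigned to each EPC" (>= 1)
    apoa: float       # assessed proportion of affect from expert scoring, 0..1


@dataclass(frozen=True)
class InteractionMode:
    name: str
    kind: str                 # "r" read or "w" write
    nhep: float               # nominal human error probability
    epcs: Tuple[Epc, ...]


def hep(im: InteractionMode) -> float:
    """Standard HEART assessed-effect product applied to one interaction mode."""
    if im.kind not in ("r", "w"):
        raise ValueError(f"unknown interaction type {im.kind!r}")
    factor = 1.0
    for e in im.epcs:
        if not (0.0 <= e.apoa <= 1.0) or e.weight < 1.0:
            raise ValueError(f"EPC{e.number}: APOA must be in [0,1] and weight >= 1")
        factor *= (e.weight - 1.0) * e.apoa + 1.0
    return im.nhep * factor


# Executor set A with role types (step 2.1)
ACTORS: Dict[str, str] = {"a1": "Navigator", "a2": "Captain", "a3": "Co-pilot"}

# Role permission set RP: operation interfaces each role may execute (step 2.5)
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Navigator": frozenset({"oi1"}),
    "Captain": frozenset({"oi1", "oi2", "oi3"}),
    "Co-pilot": frozenset({"oi1", "oi3"}),
}

# Interaction intentions II: (interaction subject, operation interface) (step 2.6);
# any one executor of the subject may complete the interface ("*" operator of the claims)
INTENTS: Dict[str, Tuple[FrozenSet[str], str]] = {
    "ii1": (frozenset({"a1", "a2", "a3"}), "oi1"),
    "ii2": (frozenset({"a2"}), "oi2"),
    "ii3": (frozenset({"a2", "a3"}), "oi3"),
}


def intent_violations(intents: Dict[str, Tuple[FrozenSet[str], str]] = INTENTS,
                      actors: Dict[str, str] = ACTORS,
                      rp: Dict[str, FrozenSet[str]] = ROLE_PERMISSIONS) -> List[str]:
    """Least-privilege check of II against RP: every executor named in an intention must
    hold the role permission for that operation interface. Returns "intent:actor" pairs
    that would let an executor exercise an interface its role does not grant."""
    bad: List[str] = []
    for ii, (subject, oi) in intents.items():
        for a in sorted(subject):
            if oi not in rp[actors[a]]:
                bad.append(f"{ii}:{a}")
    return bad


# Interaction modes with the attributes of step 2.2
IM1 = InteractionMode("monitoring data", "r", 1e-4, (Epc(14, 4.0, 0.30), Epc(16, 3.0, 0.16)))
IM2 = InteractionMode("dispatch determination", "r", 1e-4, (Epc(15, 3.0, 0.20), Epc(24, 1.6, 0.80)))
IM3 = InteractionMode("execution operation", "w", 1e-4, (Epc(29, 1.8, 0.53), Epc(35, 1.1, 0.26)))


if __name__ == "__main__":
    for im in (IM1, IM2, IM3):
        print(f"{im.name:24s} HEP = {hep(im):.6e}")
    print("intent violations:", intent_violations() or "none")
```

The permission check is the model-level counterpart of a least-privilege review: an interaction intention that names an executor without the matching role permission is a modeling defect (or an authorization gap in the real system) and is reported before any probability is computed.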
4.3 Referring to Fig. 14, according to the HCPS system operating regulations, a corresponding error model is established for the physical component model from the information defined in the physical environment model. The error state is determined by the behavior state of the physical environment model; the error state of the lightning component is defined as group fault. The error event is determined by the trigger mechanism of the physical environment model, and its occurrence probability by the severity level defined in the continuous behavior; the occurrence probability of the error event lightning strike is defined as 5.0 × 10^-6.
4.4 Referring to Fig. 15, separate error model state machines are built for each component model as above, and these state machines must be tied together through error propagation. A physical connection is first established through a port defined in the architecture model, and the port is then declared as an error propagation point in the error model. When an error event triggers an error state inside a component, the error propagates out through the defined error propagation point, and likewise propagates into a component through its error propagation point.
5. An instance model of the system is built, that is, a component instance of the top-level system. The model built in the steps above is a declarative model, which must be instantiated before it can be analyzed. Instantiation mainly adds connection instances on the basis of the component features (ports), adding the connection relations between components; by analyzing the dependency relations in the declarative model, the separate architecture model, human factor model, physical environment model and error model are assembled into one instance model, the final AADL-based man-machine-object fusion system model. The derived system instance represents the runtime architecture of the cyber-physical fusion system, and the system instance file serves as the input for the analysis and evaluation of the next stage.
6. The obtained system instance file is analyzed and evaluated by model checking analysis and model conversion:
6.1 Referring to Fig. 14, the system specific risk analysis model is analyzed: the specific risk events defined in the model are extracted, namely the lightning event and the misoperation event of the co-pilot, and the propagation paths of the risk events are analyzed; the lightning event directly affects the lightning sensor, and the misoperation directly affects the display and control component.
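The propagation-path analysis of step 6.1, with the error propagation points of step 4.4 as the connections, can be carried out on the component graph of Fig. 4 as in this added example, which is not part of the patent. It enumerates the cycle-free propagation paths from each risk event to the actuator AC, and also lists the components whose isolation (for example input validation or an interlock at the propagation point) would cut every path, which is the mitigation question a safety or security reviewer asks of such a model. The edge directions follow the narrative of step 1; the edge HC -> DMC (the co-pilot's instruction to the decision-making component) and the function names are assumptions made here, and the DSPN/TimeNet probability computation of step 6.2 is not reproduced.

```python
"""Added example, not the patent's own code: risk propagation path analysis for step 6.1
over the component graph of the flight-control case, using the error propagation points
of step 4.4 as directed edges.

Assumptions (mine): edge directions follow the narrative of step 1
(LPC -> TS -> TVD -> DMC -> DC -> HC, HC -> DMC, DMC -> AC); the DSPN/TimeNet
probability computation of step 6.2 is not reproduced.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Error propagation points between components (src -> dst)
CONNECTIONS: List[Tuple[str, str]] = [
    ("LPC", "TS"), ("TS", "TVD"), ("TVD", "DMC"), ("DMC", "DC"),
    ("DC", "HC"), ("HC", "DMC"), ("DMC", "AC"),
]

# Specific risk events and the component in which each originates
RISK_EVENTS: Dict[str, str] = {"lightning": "LPC", "misoperation": "HC"}


def build_graph(connections: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    g: Dict[str, List[str]] = {}
    for s, d in connections:
        g.setdefault(s, []).append(d)
        g.setdefault(d, [])
    return g


def propagation_paths(src: str, sink: str,
                      connections: List[Tuple[str, str]] = CONNECTIONS) -> List[List[str]]:
    """All simple (cycle-free) risk propagation paths from src to sink."""
    g = build_graph(connections)
    out: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node == sink:
            out.append(path)
            return
        for nxt in g.get(node, []):
            if nxt not in path:            # never revisit: the DMC -> DC -> HC -> DMC loop is cut
                dfs(nxt, path + [nxt])

    dfs(src, [src])
    return out


def reachable(src: str, connections: List[Tuple[str, str]] = CONNECTIONS) -> Set[str]:
    """Components into which a risk event originating in src can propagate."""
    g = build_graph(connections)
    seen: Set[str] = set()
    stack = [src]
    while stack:
        n = stack.pop()
        for nxt in g.get(n, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def blocking_components(src: str, sink: str,
                        connections: List[Tuple[str, str]] = CONNECTIONS) -> List[str]:
    """Components whose propagation points, if isolated (input validation, interlock),
    cut every path from src to sink: the single-point mitigation candidates."""
    candidates = reachable(src, connections) - {src, sink}
    blockers: List[str] = []
    for c in sorted(candidates):
        pruned = [(s, d) for s, d in connections if c not in (s, d)]
        if sink not in reachable(src, pruned):
            blockers.append(c)
    return blockers


def analyze(events: Dict[str, str] = RISK_EVENTS, sink: str = "AC") -> Dict[str, Dict[str, object]]:
    """Per risk event: propagation paths to the sink and the components that block them all."""
    return {
        ev: {"paths": propagation_paths(origin, sink),
             "blockers": blocking_components(origin, sink)}
        for ev, origin in events.items()
    }


if __name__ == "__main__":
    for ev, result in analyze().items():
        print(ev, result)
```

For the lightning event the only simple path is LPC, TS, TVD, DMC, AC, and TS, TVD and DMC are each sufficient to block it; for the co-pilot's misoperation only DMC separates the human component from the actuator, which is the place where a plausibility check on human commands would have to sit in this model.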
6.2 Referring to Fig. 14, according to the formulated mapping rules, the AADL specific risk analysis model is converted into a DSPN model, and the Petri net tool TimeNet is called for simulation with the confidence level set to 99% and the maximum relative error set to 5%, obtaining the probability that each component is in a failure state when the system is in the steady state. This completes the specific risk modeling and analysis of the man-machine-object fusion system.

Claims (1)

1. A specific risk modeling and analyzing method of a man-machine object fusion system is characterized by comprising the following steps:
step 1: according to the system specification, establishing an AADL computing system architecture model for the HCPS system;
step 2: according to specific risks in the HCPS, a human factor model and a physical environment model are respectively established according to behavior and feature classification;
step 2-1: defining the human factor model as the seven-tuple $HM = (A, IM, IP, OI, RP, II, ISQ)$, wherein A is the executor set, IM the interaction mode set, IP the interactive interface set, OI the operation interface, RP the role permission set, II the interaction intention set and ISQ the interaction sequence set, specifically:
step 2-1-1: defining each single individual that directly interacts with the system as an executor, and establishing the executor set $A = \{a_1, a_2, \dots, a_i, \dots, a_n\}$ at system runtime, where $a_i$ is the i-th executor; for each executor $a_i$, defining a role type and granting different operation permissions in the safety-critical embedded system;
step 2-1-2: defining the access operations by which an executor interacts with the system during operation as the interaction mode set $IM = \{im_1, im_2, \dots, im_i, \dots, im_n\}$, where $im_i$ is the i-th interaction mode; an interaction mode is either a read operation or a write operation; an executor completes a task by executing interaction modes with the system, and an interaction mode $im_i$ is defined to be executed by only one executor at any time;
defining an attribute set for each interaction mode, comprising the interaction type, the interaction name, the nominal human error probability, the error-inducing factors EPC and the actual influence value APOA of each EPC;
step 2-1-3: defining the interfaces the system provides to the outside during operation as the interactive interface set $IP = \{ip_1, ip_2, \dots, ip_i, \dots, ip_n\}$, where $ip_i$ is the i-th interactive interface; an executor interacts with the system through the interactive interfaces;
step 2-1-4: defining the relationship between interactive interfaces and interaction modes as the operation interface $OI = R_r \cup R_w$, where $R_r$ is the relation between read operations and interactive interfaces and $R_w$ the relation between write operations and interactive interfaces (formula images FDA0002982749150000011, FDA0002982749150000012 and FDA0002982749150000013);
step 2-1-5: establishing the role permission set $RP = \{rp_1, rp_2, \dots, rp_n\}$ for the role types according to the HCPS system operating regulations; a role permission $rp_i$ defines the operation interfaces that the role type may execute;
step 2-1-6: defining the interaction subject set $IS = \{is_1, is_2, \dots, is_n\}$, each interaction subject $is_i = \{a_1, a_2, \dots, a_m\}$ being a finite set of executors, and defining the relationship between interaction subjects and operation interfaces as the interaction intentions present in the system (formula image FDA0002982749150000014), $II = \{ii_1, ii_2, \dots, ii_i, \dots, ii_n\}$, where $ii_i$ is the i-th interaction intention; an interaction intention is the intention that an interaction subject can accomplish by executing an operation interface while the system runs; a logical operator $*$ is defined whose two operands are alternatives (either side may be the value taken), so that the i-th interaction intention is $ii_i = (\{a_1, a_2, \dots, a_m\}, oi_i) = (a_1, oi_i) * (a_2, oi_i) * \dots * (a_m, oi_i)$;
step 2-1-7: defining the interaction sequence set $ISQ = \{isq_1, isq_2, \dots, isq_i, \dots, isq_n\}$; an interaction sequence $isq_i$ is a sequence of interaction intentions in time order (formula image FDA0002982749150000021), describing the execution order of multiple interaction intentions $ii_i$ during system operation;
step 2-2: defining the physical environment model as the seven-tuple $PM = (BS, BS_0, PV, CV, CB, CD, T)$, where BS is the discrete behavior state set, $BS_0$ the initial state set, PV the variable set, CV the clock variable set, CB the continuous behavior set, CD the transition mechanism set and T the state transition set, specifically:
step 2-2-1: defining the finite set of discrete behavior states of the physical environment model as $BS = \{bs_1, bs_2, \dots, bs_n\}$, representing the different behavior states present in the physical environment model;
step 2-2-2: defining the initial state set $BS_0$ of the physical environment model (formula image FDA0002982749150000022), indicating the state of the physical component at the beginning;
step 2-2-3: defining the set of variables present in the physical environment model as $PV = \{pv_1, pv_2, \dots, pv_n\}$; a variable is a discrete variable or a continuous variable defined over the real numbers, and the running state of the physical component is described through the variables;
step 2-2-4: defining the clock variable set $CV = \{cv_1, cv_2, \dots, cv_n\}$ of the physical environment model; a clock variable is a clock in the physical environment model;
step 2-2-5: defining the continuous behaviors on the behavior states as $CB = \{cb_1, cb_2, \dots, cb_n\}$, describing how the external physical variables change while the physical environment model is in state $bs_i$;
step 2-2-6: defining the set of transition mechanisms present in the physical environment model as $CD = \{cd_1, cd_2, \dots, cd_n\}$, describing the dynamic change of the behavior state of the physical component, in the following three steps:
1) defining the set of trigger behaviors $TB = \{tb_1, tb_2, \dots, tb_n\}$ of the physical environment model, each describing a constraint condition on a physical variable of the external environment; when the trigger condition holds (the normal-range constraint is no longer satisfied), the behavior state of the physical component changes;
2) defining the set of clock constraints $CS = \{cs_1, cs_2, \dots, cs_n\}$ of the physical environment model; a clock constraint $cs_i$ is defined on a clock variable as a comparison between the clock and a time constant; when the physical environment model receives the trigger behavior $tb_i$ and the clock constraint expression $cs_i$ is true at that moment, the behavior state changes, otherwise it cannot change;
3) defining the set of clock resets $CR = \{cr_1, cr_2, \dots, cr_n\}$ of the physical environment model; when the state of the physical component changes, some clocks must be reset;
step 2-2-7: describing the state transition set $T = \{t_1, t_2, \dots, t_n\}$ of the physical environment model from the behavior states and the transition mechanism, representing the current dynamic behavior information of the physical component;
step 3: defining the semantics of the specific risk model with AADL, and extending two kinds of semantics: human factor components and physical environment components;
step 3-1: defining a component type and a component implementation for the human factor component; in the type, defining the features, namely the in ports and out ports through which the executor interacts with the computing system, and then, according to the interface attribute information defined by the extended human factor model annex, declaring these ports as error propagation points with the error model;
step 3-2: defining a component type and a component implementation for the physical environment component; in the type, defining the features and describing the interactive interface between the physical environment and the computing system; in the implementation, defining the hybrid characteristics of the physical environment with the extended physical environment model, and describing the risk events present in the physical environment model with the error model;
step 4: extending the AADL core grammar with AADL annexes for the human factor model and the physical environment model:
step 4-1: defining the grammar rules of the human factor model annex, which comprises an annex library and annex subclauses; reusable information is defined in the annex library, comprising the executors (operators), role types and interaction modes; an annex subclause first declares the reference to an annex library and then defines the operation interfaces, role permissions, interaction intentions and interaction sequences;
step 4-2: defining the grammar rules of the physical environment model annex, which comprises an annex library and annex subclauses; reusable information is defined in the annex library, comprising the behavior states, physical variables and clock variables; an annex subclause first declares the reference to an annex library and then defines the continuous behaviors in the behavior states, the trigger conditions of the physical environment and the transitions between behavior states;
step 5: establishing an error model for the system according to its safety requirements, specifically:
step 5-1: establishing the error model of the human factor model according to the execution rules followed by the executor, wherein the probability of an error event is determined by the attribute set of the interaction mode and is calculated by the following formulas (formula images FDA0002982749150000033 and FDA0002982749150000031), wherein the symbol of image FDA0002982749150000032 is the weight value assigned to each EPC, $APOA_i$ is the degree of influence of each EPC, an actual influence value determined by expert scoring, NHEP is the nominal human error probability of this type of error event in this field, and HEP is the calculated human factor error probability;
step 5-2: establishing a corresponding error model for the physical environment model according to the usage limits defined in the HCPS system operating standard, wherein the occurrence probability of an error event is defined by the severity level in the physical model, and the correspondence between severity level and occurrence probability is formulated;
step 5-3: describing the risk propagation between components by defining error propagation points in the error model, so that the computing system architecture model, the human factor model and the physical environment model are combined into a complete specific risk analysis model;
step 6: after the specific risk analysis modeling is complete, performing the specific risk analysis by model checking and model conversion, specifically:
step 6-1: model checking extracts the specific risks, failure states and operational requirements from the specific risk analysis model, and the risk propagation paths are determined through the error propagation mechanism defined in the error model;
step 6-2: according to the AADL-to-DSPN mapping rules, converting the AADL specific risk analysis model into a DSPN model, the error state machines of the error model being converted into the corresponding places, tokens and transitions of the DSPN model; then computing the converted error automaton automatically by calling the Petri net tool TimeNet to obtain the probability that each system component is in a failure state, finally completing the specific risk analysis of the man-machine object fusion system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110292296.9A CN113111494B (en) 2021-03-18 2021-03-18 Specific risk modeling and analyzing method of man-machine object fusion system

Publications (2)

Publication Number Publication Date
CN113111494A CN113111494A (en) 2021-07-13
CN113111494B true CN113111494B (en) 2022-09-20

Family

ID=76711769

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110292296.9A Active CN113111494B (en) 2021-03-18 2021-03-18 Specific risk modeling and analyzing method of man-machine object fusion system

Country Status (1)

Country Link
CN (1) CN113111494B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116848542A (en) * 2022-01-28 2023-10-03 华为技术有限公司 Risk handling method and related device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104680014A (en) * 2015-03-02 2015-06-03 西北工业大学 Quantitative risk analysis method based on embedded system architecture model
CN108376221A (en) * 2018-02-27 2018-08-07 哈尔滨工业大学 A kind of software system security verification and appraisal procedure based on AADL model extensions
CN110866341A (en) * 2019-11-19 2020-03-06 南京航空航天大学 Method for modeling information physical fusion system based on AADL-Modelica

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
AADL-based failure probability allocation and safety assessment method; Wei Xiaomin et al.; Journal of Software (软件学报); 2020-06-08 (No. 06); full text *

Similar Documents

Publication Publication Date Title
Mhenni et al. Automatic fault tree generation from SysML system models
Woodman et al. Building safer robots: Safety driven control
Miyagi et al. Modeling and analysis of fault-tolerant systems for machining operations based on Petri nets
CN104504248A (en) Failure diagnosis modeling method based on designing data analysis
Van Lamsweerde Engineering requirements for system reliability and security
CN113111494B (en) Specific risk modeling and analyzing method of man-machine object fusion system
Gaaloul et al. Mining assumptions for software components using machine learning
Bernard et al. Experiments in model based safety analysis: Flight controls
Lipaczewski et al. Comparison of modeling formalisms for safety analyses: SAML and AltaRica
US11816024B2 (en) Method of testing a system model
Riascos et al. Detection and treatment of faults in manufacturing systems based on Petri Nets
Li et al. Safety analysis of software requirements: model and process
Liu et al. Defect prediction of radar system software based on bug repositories and behavior models
Gomes et al. Constructive model-based analysis for safety assessment
Püschel et al. Testing self-adaptive software: requirement analysis and solution scheme
Xiao et al. Architecture-level particular risk modeling and analysis for a cyber-physical system with AADL
Bashatah et al. Analyzing Standard Operating Procedures Using Model‐Based Systems Engineering Diagrams
Noyes et al. Aircraft warning systems: application of model-based reasoning techniques
Huang et al. Model-based systems engineering for prognostic and health management design
Prosvirnova et al. Strategies for Modelling Failure Propagation in Dynamic Systems with AltaRica
Salomon et al. Automatic safety computation for IMA systems
Trucco et al. Human error prediction in ATM via cognitive simulation: Preliminary study
Heitmeyer et al. High assurance human-centric decision systems
Saeed et al. Robust Requirements Specifications for Safety—Critical Systems
Liu et al. UML and B method based analysis and refinement for flight control software of unmanned aerial vehicle

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant