CN114356283A - Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements - Google Patents

Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements Download PDF

Info

Publication number
CN114356283A
CN114356283A CN202111590128.4A CN202111590128A CN114356283A CN 114356283 A CN114356283 A CN 114356283A CN 202111590128 A CN202111590128 A CN 202111590128A CN 114356283 A CN114356283 A CN 114356283A
Authority
CN
China
Prior art keywords
real
time
rtnl
statement
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111590128.4A
Other languages
Chinese (zh)
Inventor
陈小红
刘少彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
East China Normal University
Original Assignee
East China Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by East China Normal University filed Critical East China Normal University
Priority to CN202111590128.4A priority Critical patent/CN114356283A/en
Publication of CN114356283A publication Critical patent/CN114356283A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and a system for detecting and positioning real-time inconsistency of CPS requirements, which are characterized in that firstly, the requirements of a CPS system are accurately described through a real-time mode language RTNL capable of expressing time constraint, then, the situations of compound conditional statements and condition conflicts in the RTNL are detected and processed, then, the situations are converted into the constraint of a clock constraint specification language CCSL, further, the constraints are converted into a real-time clock graph expressing the time constraint between clocks, the rules of allowed nodes in the graph are summarized, the real-time inconsistency is detected in the real-time clock graph according to the rules, and the inconsistent part in the requirements expressed by the real-time mode language is positioned according to the detection result. The invention also provides a system for detecting and positioning the real-time inconsistency of the CPS requirements. The method provided by the invention realizes lightweight automatic detection and error positioning of real-time inconsistency, reduces the detection time of real-time inconsistency, improves the requirement verification efficiency, and helps requirement engineers and other users to quickly verify and modify requirements.

Description

Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements
Technical Field
The invention belongs to the field of real-time demand analysis and formalization methods, and relates to a method and a system for detecting and positioning real-time inconsistency of CPS demands.
Background
The CPS (Cyber-Physical System) is a multi-dimensional complex System integrating computing, network and Physical environments, emphasizes the fusion of information and physics, and realizes the real-time perception, dynamic Control and information service of a large-scale engineering System through the organic fusion and deep cooperation of 3C (computing, Communication and Control) technology. Smart grids, autonomous automotive systems, medical monitoring, industrial control systems, robotic systems, and autonomous avionics are all typical CPS systems. There are many real-time requirements in CPS system requirements, i.e. requirements to describe the behavior of the system that must react to input within a given time frame. For example, a rocket will launch at a specified time, or enter a particular orbit at a specified time; the car should be parked within a prescribed time, etc. The real-time requirement is closely related to security. If the rocket does not enter a specific orbit within a specified time, it is likely to deviate from the flight trajectory and explode like Aliena No. 5. Inconsistencies can easily be introduced when running real-time demands spread over multiple control units.
In order to provide accurate analytical verification of real-time requirements, many safety-critical field standards, such as the european railway application standards EN50128 and EN50129, recommend the use of formalization methods. The formalization method is written by using a set of symbols of well-defined mathematical concepts, has strict grammar specification and definite semantic definition, and can accurately express and verify the real-time security requirement. However, the formalization method has higher requirements on the mathematical basis, and natural language is easier to master for a demand engineer. Today, most companies still use natural language to express demand. Natural language is easy to grasp, but it is difficult to analyze it accurately due to its natural ambiguity. Most of the existing inconsistency verification methods rely on formal verification methods. However, these methods have the problems of explosion of states, low verification efficiency, and incapability of locating inconsistent demand sets. The invention provides a real-time mode language for describing the real-time requirements of a CPS system, the real-time mode language is converted into a real-time clock diagram, the real-time inconsistency is subjected to lightweight automatic verification through rules allowing node generation, and the requirements causing the real-time inconsistency are positioned.
Disclosure of Invention
The invention aims to provide a method and a system for detecting and positioning real-time inconsistency of CPS (cyber physical system) requirements.
The specific technical scheme for realizing the purpose of the invention is as follows:
a real-time inconsistency detection and positioning method for CPS requirements is characterized by comprising the following steps:
the method comprises the following steps: rewriting the original CPS system requirement description into a statement set which accords with a real-time security model language RTNL; the method specifically comprises the following steps:
the original CPS system requirement description contains time constraint; the RTNL is composed of three basic elements of event, state and time constraint and describes the time constraint between the event and the state; and rewriting the original CPS system requirement description into a statement set conforming to a real-time security model language RTNL.
Step two: rewriting a composite conditional statement in the RTNL statement set into a simple statement; the method specifically comprises the following steps:
the RTNL language contains sentences which are divided into two types of ' and connection ' and ' or connection ' and are used for connecting a plurality of states by using ' and ' or ' keywords to express composite conditions; for the "and connection" type, a single new state is introduced to replace the original state; for the type of 'or connection', splitting an original state into single states; the sentence with the compound condition is rewritten into a simple sentence without the compound condition.
Step three: detecting and processing condition conflicts in the RTNL statement sets, and grouping requirements to obtain one or more RTNL statement sets; the method specifically comprises the following steps:
the method comprises the steps that multiple RTNL sentences possibly contain condition conflicts, for one group of RTNL sentences, condition parts of each sentence are recorded, sentences which cannot be met by the condition parts at the same time are searched, each sentence in the sentences is recombined with the rest sentences which can be met at the same time, multiple groups of new sentence sets are obtained, searching and recombining are continued in each new sentence set until the sentence condition parts of each group can be met at the same time, and one or more groups of independent RTNL sentence sets are obtained.
Step four: converting each group of RTNL statements into a Clock Constraint Specification Language (CCSL) constraint set; the method specifically comprises the following steps:
CCSL is a specification language that describes clock constraints; converting a group of RTNL statement sets into CCSL constraints, firstly, directly converting each RTNL statement to obtain the constraint corresponding to each statement, and then collecting all the constraints to obtain the CCSL constraint set corresponding to the group of RTNL statement sets; this conversion is performed separately on multiple sets of RTNL statements, resulting in one or more independent sets of CCSL constraints.
Step five: converting each group of CCSL constraint sets into a real-time clock diagram; the method specifically comprises the following steps:
the real-time clock graph is a weighted directed graph, nodes represent clocks, and edges represent real-time constraint relations among the clocks; according to the definition of a real-time clock graph, a node set and an edge set of the graph are obtained from a CCSL constraint set and are converted into a corresponding real-time clock graph; this conversion is performed for each set of CCSL constraints, resulting in one or more independent real-time clock maps.
Step six: summarizing rules that allow nodes to occur in a real-time clock graph; the method specifically comprises the following steps:
obtaining a rule which allows the node to occur in the real-time clock graph according to the definition of the real-time inconsistency; all nodes in a graph are allowed to occur, so that the consistency is real-time, otherwise, the inconsistency is real-time; and calculating and judging according to the characteristics of the precursor nodes of each node to determine whether the node is allowed to occur or not.
Step seven: judging whether all nodes are allowed to occur in each group of required real-time clock graphs according to node occurrence rules, determining whether real-time inconsistency exists, and obtaining a node set which is not allowed to occur; the method specifically comprises the following steps:
judging whether all nodes in the graph are allowed to occur or not by using the rule for allowing the nodes to occur obtained in the step six for each real-time clock graph obtained in the step five, determining whether real-time inconsistency exists in the corresponding requirements of the graph, and obtaining a node set which is not allowed to occur; for a plurality of independent real-time clock graphs, as long as one graph has real-time consistency, the original requirement has real-time consistency, and if each graph does not have real-time consistency, the original requirement does not have real-time consistency.
Step eight: for nodes which are not allowed to occur, tracing and positioning to an RTNL statement causing real-time inconsistency; the method specifically comprises the following steps:
starting from the set of nodes which are not allowed to occur, positioning to a corresponding RTNL statement which causes real-time inconsistency; maintaining the corresponding RTNL statement information by utilizing each CCSL constraint of the RTNL statement, so that each node in the real-time clock graph contains the corresponding RTNL statement set; for each node in the node set which is not allowed to occur, obtaining a corresponding RTNL statement set, and combining all the RTNL statement sets of all the nodes to obtain the RTNL statement causing the inconsistency.
A system for implementing the above-described method for real-time inconsistency detection and localization of CPS requirements, the system comprising the following modules:
the requirement editing module comprises a graphical user interface and is used for compiling and modifying the RTNL statement; receiving user input to obtain a statement set which accords with RTNL grammar specification;
the requirement preprocessing module is used for converting the RTNL statement containing the composite condition into a simple statement without the composite condition and detecting and processing condition conflict in the requirement; inputting a group of RTNL statement sets and outputting one or more groups of processed RTNL statement sets;
a requirement translation module for translating the requirement expressed in RTNL into a CCSL constraint; inputting an RTNL statement set and outputting a CCSL constraint set;
the constraint visualization module is used for converting the CCSL constraint into a real-time clock diagram for visualization and subsequent processing; inputting a CCSL constraint set and outputting a real-time clock diagram;
the demand verification module is used for detecting real-time inconsistency between the demand and the real-time clock diagram and positioning the demand causing the real-time inconsistency; and inputting a real-time clock diagram, outputting whether real-time inconsistency exists, and if so, simultaneously outputting a requirement statement for triggering the real-time inconsistency.
The method and the system provided by the invention realize the lightweight automatic detection and error positioning of the real-time inconsistency, reduce the detection time of the real-time inconsistency, improve the requirement verification efficiency and help the requirement engineer and other users to quickly verify and modify the requirement.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a schematic diagram of the handling of conditional conflicts in RTNL conversion in the present invention;
FIG. 3 is a simplified diagram of a real-time clock diagram according to the present invention;
FIG. 4 is an exemplary diagram of nodes allowed to occur in the real time clock diagram of the present invention;
FIG. 5 is an exemplary diagram of a node in a real-time clock graph that is not allowed to occur in the present invention;
FIG. 6 is a real time clock diagram of an automotive lighting system in an embodiment of the present invention;
FIG. 7 is a real time clock diagram of an automotive lighting system in an embodiment of the present invention;
FIG. 8 is a schematic illustration of an embodiment of the system of the present invention in operation;
FIG. 9 is a block diagram of the system of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and examples.
Referring to fig. 1, the real-time inconsistency detecting and positioning method for CPS requirements of the present invention specifically executes the following processes:
firstly, rewriting the original CPS system requirement description into a statement set conforming to the RTNL specification of a real-time schema language. In order to describe the real-time requirement, the invention provides a new real-time model language RTNL which has a complete expression model and is close to the natural language expression, so that the original requirement can be quickly and accurately converted. The RTNL statement has three basic constituent elements, event, state and time constraints. It is assumed that the event occurs instantaneously and therefore has no duration, and that the establishment of a state has a certain duration, and thus the occurrence of each state can be represented by the start and end events of the state and their durations. Let s denote a certain state, e denote a certain event, t denote a time constraint, and the statement for RTNL is expressed as follows:
describing a certain state s for a period of time t → "s holds for t
Describing a certain state s1Duration t1Inducing another state s2Duration t2→“if s 1 holds for t 1 , s 2 holds for t 2
Describing a certain state s1Is initiated, after a period of time t another state s2Is true →'if s 1 ends, after t, s 2 holds
Describing a certain state s1For a period of time t1Initiated at a time t2Last another state s2Is true →'if s 1 holds for t 1 , after t 2 , s 2 holds
Describing a certain state s1Is initiated, after a period of time t another state s2Is true →'if s 1 holds, after t, s 2 holds
Describing a certain state s1Establishment of (c) causes another state s2Duration t → "if s 1 holds, s 2 holds for t
Describing the onset of the establishment of a certain state s, after a period of time t a certain event e occurs → "if s holds, after t, e occurs
Describing the ending initiation of a certain state s, after a certain event t a certain event e occurs → "if s ends, after t, e occurs
Describing a certain state s for a period of time t1Initiated at a time t2Post event e occurs → "if s holds for t 1 , after t 2 , e occurs
Describing the initiation of the occurrence of a certain event e, a certain state s holds after a period of time t → "When e occurs, after t, s holds
Describing the initiation of the occurrence of a certain event e, a certain state s does not stand after a period of time t → "When e occurs, after t, s not holds
Describing that the occurrence of a certain event triggers a certain state s duration t → "When e occurs, s holds for t
Describing a certain event e1Is triggered by another event e after a period of time t2Onset →'When e 1 occurs, after t, e 2 occurs
T time periodicity relation → describing a certain event e "e occurs periodically t
Conditional complex describing multiple states →'s 1 and s 2 "and"s 1 or s 2
Time constraints heretEither exact (exact) temporal relationships or relationships greater than (mortan), greater than or equal to (atleast), less than (lessthan), less than or equal to (atmost) may be expressed, for example, as "s holds for more than/at least/less than/at most t", only the former is retained here for the sake of brevity.
And secondly, rewriting the compound conditional statement in the RTNL statement set into a simple statement. The processing of compound conditional statements includes two cases:
for a composite state composed of multiple states connected by an and, only real-time constraint relationships between the composite state itself and other states or events are considered. For a sentence "if s 1 and s 2 holds, after t, e occurs", a state s is introduced to represent the composite state, and the real-time constraints in the statement are represented as"if s holds, after t, e occurs". The same complex states are represented by the same state symbols, and different complex states are distinguished by different state symbols.
For a composite state composed of a plurality of states connected by an or, each state and the rest of the sentence are taken to form a respective sentence, and a plurality of new sentences are obtained. For a sentence "if s 1 or s 2 holds, after t, e occurs", the sentence is split into"if s 1 holds, after t, e occurs"and"if s 2 holds, after t, e occurs”。
And thirdly, detecting and processing the condition conflict in the RTNL statement set, and grouping the requirements. A conditional conflict is one in which the conditional portions of multiple RTNL statements cannot be satisfied simultaneously, and satisfying these conditions at the same time results in a conflict. Assuming that m and n are two positive integers and that m > n, it is clear that a certain state s can not be satisfied simultaneously for more than m seconds and for less than m-n seconds. And splitting the RTNL statement causing the condition conflict into mutually independent RTNL statement sets, namely requirement groups, and carrying out subsequent analysis processing. For a group of RTNL sentences, firstly, recording condition parts in each sentence, related states and corresponding satisfied conditions, then searching all the conditions, searching for the conditions which cannot be simultaneously satisfied under the same state, splitting the conditions into independent sentence sets, splitting once when a condition conflict is found, merging the sentence sets, and continuing splitting in a new sentence set until no condition conflict exists in each independent sentence set, thereby obtaining the RTNL sentence sets in all the requirement groups.
Fourthly, for each RTNL statement, the conversion rule to CCSL is described as follows:
s holds for t”→“s.f-s.s=t; s.s<s.f”
if s 1 holds for t 1 , s 2 holds for t 2 ”→“s1.f-s1.s=t1;s2.f-s2.s=t2;s1.f<s2.s;s1.s<s1.f;s2.s<s2.f”
if s 1 ends, after t, s 2 holds”→“s.f-s.s=t;s.s<s.f”
if s 1 holds for t 1 , after t 2 , s 2 holds”→“s1.f-s1.s=t1;s2.s-s1.f=t2; s1.s<s1.f; s2.s<s2.f”
if s1 holds, after t, s2 holds”→“s2.s-s1.s=t;s2.s<s1.f;s1.s<s1.f;s2.s<s2.f”
if s 1 holds, s 2 holds for t”→“s1.s<s2.s;s2.s<s1.f;s2.f-s2.s=t;s1.s<s1.f;s2.s<s2.f”
if s holds, after t, e occurs”→“e-s.s=t;e<s.f;s.s<s.f”
if s ends, after t, e occurs”→“e-s.f=t; s.s<s.f”
if s holds for t 1 , after t 2 , e occurs”→“s.f-s.s=t1;e-s.f=t2;s.s<s.f”
When e occurs, after t, s holds”→“s.s-e=t;s.s<s.f”
When e occurs, after t, s not holds”→“s.s<e;s.f-e=t;s.s<s.f”
When e occurs, s holds for t”→“e<s.s;s.f-s.s=t;s.s<s.f”
When e 1 occurs, after t, e 2 occurs”→“e2-e1=t”
e occurs periodically t”→“e$1-e=t”
wherein s is1.s<s2.s,s1.f-s1.s=t1E $1 is a CCSL description, with the specific meaning of event s1S strictly precedes the event s2S, event s1F and event s1S occurs at a time interval t1The next occurrence of event e. According to the above rules, for any RTNL statement, a corresponding CCSL constraint set can be converted. For each RTNL statement set obtained above, each statement translates directly and aggregates all CCSL constraints.
And fifthly, converting each group of CCSL constraint sets into a real-time clock diagram. The real-time clock graph is a weighted directed graph defined as RCG: = (RC, RA), RC is a set of nodes representing clocks, RA ⊆ RC × T × RC is a set of weighted edges, T represents a set of real-time constraints between clocks. (c)1,t,c2) E.g. RA represents node c1To node c2There is a real-time constraint relationship t between, t is the time range on this edge, which is denoted as
Figure RE-694668DEST_PATH_IMAGE001
. The form of the CCSL constraint obtained in the previous step can be directly expressed in a real-time clock diagram, each constraint can correspond to two unique clock nodes, and the time constraint becomes the edge weight of the two nodes. All CCSL constraints are marked in the graph, and the node set and the edge set of the real-time clock graph can be easily obtained, so that the real-time clock graph is obtained.
And step six, summarizing rules of allowing the nodes to occur in the real-time clock diagram. Each node in the real-time clock graph corresponds to an event, and whether the node can occur depends on whether all constraints of the event can be met. According to the definition of real-time inconsistency, if each node in the real-time clock graph is allowed to occur, the corresponding requirement has real-time consistency, and if any node is not allowed to occur, the real-time inconsistency exists in the group of requirements. The rules that allow node occurrence are detailed below:
l Case 1: if node niWithout predecessor, node niCan occur.
l Case 2: if node niWith only one direct predecessor and the direct predecessor can occur, node niCan occur.
l Case 3: if node niThere are multiple predecessors, which can be divided into the following cases:
n Case 3.1: if node niThe predecessor closures of each direct predecessor do not have an intersection, and any direct predecessor is not in the predecessor closures of other direct predecessors, then node niCan occur.
n Case 3.2: node niThere are any two nodes in the direct predecessor of (1): node njAnd node nkIf node njAnd node n and union of its predecessor closureskAnd the union of the previous closure exists intersection, and for any node n in the intersectionlThere are two cases:
u Case 3.2.1: at the slave node nlTo node njIs greater than the node n for any value in the time range intersection of all pathslThrough node nkTo node niAny value in the time range intersection of all the paths, then the node niCan occur.
u Case 3.2.2: at the slave node nlTo node njIn the time range intersection of all paths, if any value is t, if t is smaller than node nlThrough node nkTo node niAnd a node n obtained on the basis of TlThrough node njTo node niThe intersection of the time ranges of all the paths and T exists, then the node niCan occur.
l Case 4: such asFruit node niIs the start event node of the state and in its predecessor closure there is a node n with a self-loopjFor njAny value t in the time range intersection of the self-loop relationship exists in the time range intersection of all paths from the state start event node to the state end event node, and the value is less than or equal to t, so that the node niCan occur.
And seventhly, judging whether all nodes are allowed to occur in each group of required real-time clock graphs according to the node occurrence rule, determining whether real-time inconsistency exists, and obtaining a node set which is not allowed to occur. And judging whether the node can occur or not for each node in a real-time clock graph according to the rule for allowing the node to occur. For each node, if there are multiple direct predecessors, look up the predecessor closure for each direct predecessor and verify by definition whether its occurrence condition is met. If the node is a starting event node of the state, detecting whether a self-loop node exists in a precursor of the node by using a depth-first algorithm, and verifying whether the existence condition of the starting event node of the state is met. When a plurality of nodes exist in the intersection of the previous closure of a node direct precursor, if a node close to the node exists, so that the node does not meet the condition of existence of the node, the other nodes in the intersection are not calculated. And (3) applying the rule to each node in the graph for verification, and finally obtaining a group of node sets which cannot occur, wherein if the set is empty, the real-time inconsistency is not detected, and if the set is not empty, the real-time inconsistency is detected. If a plurality of real-time clock graphs are obtained in the sixth step, as long as one graph has real-time consistency, the original requirement has real-time consistency; otherwise, all the graphs have real-time inconsistency, and the original requirements have real-time inconsistency.
Eighth, for nodes that are not allowed to occur, tracing and locating to the relevant RTNL statement that causes the real-time inconsistency. At this time, real-time inconsistency is required to exist, and a relevant RTNL statement causing the real-time inconsistency is positioned from the node set which is obtained in the seventh step and is not allowed to occur; in the conversion process of the step four, each CCSL constraint is maintained with its corresponding RTNL statement information, so that each node event in the real-time clock graph contains its corresponding RTNL statement set; for a set of node events that cannot occur, all of the corresponding RTNL statements are RTNL statements that cause inconsistency.
Referring to fig. 9, the system for detecting and locating the real-time inconsistency of CPS requirements according to the present invention includes the following modules:
and the requirement editing module comprises a graphical user interface and is used for writing and modifying the RTNL statement by a user, highlighting the key words in the grammar, executing the step one in the method of the invention and outputting a plurality of RTNL requirement statements.
And the requirement preprocessing module is used for converting the RTNL requirement statement possibly containing the composite condition into a simple statement not containing the composite condition, detecting and processing condition conflicts in the requirement, executing the second step and the third step in the method of the invention, and generating one or more sets of RTNL requirement sets.
And the requirement conversion module is used for converting the requirement expressed by the RTNL into the CCSL constraint, executing the step four in the method of the invention and generating the CCSL constraint set corresponding to the RTNL requirement.
And the constraint visualization module is used for converting the CCSL constraint into a real-time clock diagram for visualization and subsequent processing, executing the fifth step in the method, generating the real-time clock diagram corresponding to the CCSL constraint and visualizing the real-time clock diagram by using a graphic interface.
And the requirement verification module comprises rule logic allowing node generation and is used for detecting real-time inconsistency between the requirement and the real-time clock graph and positioning the requirement causing the real-time inconsistency, the sixth step, the seventh step and the eighth step in the method are executed, whether the real-time inconsistency exists in the original requirement or not is output, and if the real-time inconsistency exists, a requirement statement causing the real-time inconsistency is output at the same time.
Through data interaction, original requirements are in flow transmission among modules which are independent from each other in the forms of RTNL requirement texts, CCSL constraints and real-time clock diagrams, and execution of the method is completed together.
Examples
As shown in fig. 1, the present embodiment takes the requirements of a real-world lighting system of an automobile as an example to describe the method in detail.
The requirements of an automotive lighting system are described below:
If the switch is turned to AUTO, and the light intensityis at or below 70% then the low Beam should stay or turnimmediately ON.
If the switch is turned to AUTO, and the light intensityis above 70% and then the low Beam should stay or turn immediately OFF.
If the switch is in position AUTO, the low Beam areOFF, and the light intensity falls below 60%, then the lightsshould turn ON if this condition lasts for 2s.
If the switch is in position AUTO, the low Beam are ON, and the light intensity is above 70%, then the lights should turnOFF if this condition lasts for 3s.
If the switch is turned to MANU, the low Beams are OFF, and the low Beam Button is ON, then the low Beams should turn ON for 1s if this condition lasts for less than 3s.
If the switch is turned to MANU, the low Beams are OFF, and the low Beam Button is ON, then the low Beams should turn ON if this condition lasts for at least 3s.
The on and off states of the low Beams alternately holds at 1s.
in the first step, the original CPS system requirement description is rewritten into a statement set conforming to the RTNL mode. Key state, event and time constraint relationships are identified from natural language requirements and then expressed in RTNL language. Taking the requirement description of "If the switch is AUTO, and the light intensity is at or below 70%, the low Beam skin state or turn immediatately ON." as an example, "If" is followed by the condition part of the requirement, and "the" is followed by the result part. "switch" here is an object, followed by the "is" state of the object "AUTO", which may be denoted as "switch. "light intensity" is another object, followed by the object's state "at or below 70%", and appropriate abbreviations may be omitted if the object and state are too long, here denoted as "light. An "and" between two states indicates that this is a composite state, so the condition part of the requirement description can be expressed as "If switch. "low Beam" is the object in the results section, "immediatately" represents a time constraint here, and can be expressed as "after at most 1 ms" in a very small unit of time, "ON" represents the state of the object, and can be expressed as "lBeam. ON"; the result portion of the demand can therefore be expressed as "ibeam. For this demand description, when the state of "lowBeam" is "ON", the satisfaction of the condition does not cause a change in the state, and therefore an implicit state "ibeam. off" may be added in the condition section, which is thus modified to "If switch. The original requirements are all rewritten as RTNL statements as follows:
if switch.auto and lBeam.off and light.below70 holds, after 1s, lBeam.on holds
if switch.auto and lBeam.on and light.above70 holds, after 1s, lBeam.off holds
if switch.auto and light.below60 and lBeam.off holds for at least 2s, lBeam.on holds for at least 0s
if switch.auto and light.above70 and lBeam.on holds for at least3s, lBeam.off holds for at least 0s
if switch.manu and lBeam.off and lBut.on holds for less than 3s, lBeam.on holds for 1s
if switch.manu and lBeam.off and lBut.on holds for at least 3s, lBeam.on holds for at least 0s
if lBeam.off ends, after 1s, lBeam.on holds
and secondly, rewriting the compound conditional statement in the RTNL statement set into a simple statement. The statement "if switch. auto and lBeam. off and light. below7 e-holes, after 1s, lBeam. on-holes" containing the composite condition is rewritten as "if CS-1 holes, after 1s, lBeam. on-holes", where "CS-1" denotes the composite state "switch. auto and lBeam. off and light. below70". And processing the conditional compound statement in the RTNL statement obtained in the last step, wherein the result is as follows:
the number of the product is 1: ifCS-1 holds, after 1s, lBeam
No. 2 ifCS-2, after 1s, lBeam
The number 3 is ifCS-3 holes for at least 2s, lBeam
The number 4 is ifCS-2 holes for at least one of 3s, lBeam
The number 5 is ifCS-4 holes for less than 3s, lBeam
The numbers of the materials are 6: ifCS-4 holes for at least3s, lBeam
No. 7, iflBeam. off ends, after 1s, lBeam. on holes
And thirdly, detecting and processing the condition conflict in the RTNL statement set, and grouping the requirements. For example, "ifarmDown hole for less than 0.5s, lBlocking hole for 3 s" and "ifarmDown hole for at least less 0.5s, lBlocking hole for 2 s" are two different RTNL statements, the conditional parts of which are "ifarmDown hole for less than 0.5 s" and "ifarmDown hole for at least 0.5 s", respectively, which apparently cannot be satisfied simultaneously, so that the two requirement statements are split into two independent sets of requirement statements for subsequent analysis, as shown in FIG. 2. In the RTNL statement set obtained in the previous step, the statements numbered 5 and 6 have conditional conflicts, and after the processing conditions conflict, two sets of RTNL statements are obtained, which are respectively denoted by the numbers "1, 2,3,4,5, 7" and "1, 2,3,4,6, 7".
Fourth, for each RTNL statement set, each RTNL statement is directly translated and all CCSL constraints are assembled. Converting the two sets of demand sets obtained in the last step to obtain results of ' lBeam.on.f-lBeam.on.s =1 ', CS-2.f-CS-2.s >0 ', CS-4.f-CS-4.s <3 ', lBeam.off.f-lBeam.off.s >0 ', lBeam.on.s-CS-4.f >0 ', lBeam.on.s-lBeam.off.f =1 ', CS-3.f-CS-3.s > =2 ', lBeam.off.s-CS-2. off =1 ', lBeam.on.s-CS-3.f >0 ', CS-1.f-CS-1.s >0 ', lBeam.on.s-CS-1.s =1 ', and ' lBeam.on.f-lBeam.on.s =1 ', CS-2.f-CS-2. f = 1. CS-3.f =1 ', CS-2.f = 0 ', CS-3.f = 3.f, CS-3.f = 1. f-S = 1.f =1, CS-3.f = 1. f-S = 1. S-S =1, CS-3.f = 1.f, CS-3.f, CS-S = 1.f, CS-3.f, CS-S = 1.f, and's-S of the second-S of the first-S of the second set of the first set of the second set of the first set of the second set of 0, CS-1.f-CS-1.s >0, lBeam.on.s-CS-1.s =1 ".
And fifthly, converting each group of CCSL constraint sets into a real-time clock diagram. A simple real time clock diagram is shown in fig. 3, with the time range on the edge from node a to node B being (0, 5). Node ciTo node cjThe path of (c) refers to the set of a set of edges in the real-time clock graph (c)i,t1,ci+1,t2,ci+2,…,ci+m,m,cj). If node ciTo node cjIf there is a path, the time range on the path is the sum of the time ranges of all edges in the path. For example, there is a path from node a to node C (a,<5,B,>2, C), where there are two edges on the path, where the time range on the edge from node a to node B is (0,5) and the time range on the edge from node B to node C is (2, ∞), so the time range on the path is (0,5) and (2, ∞) plus, i.e., (2, ∞). Notably, the self-loop relationships of the nodes are ignored in computing the time horizon for the path. The two sets of CCSL constraint sets obtained in the previous step are converted into real-time clock diagrams as shown in fig. 6 and fig. 7, respectively.
And sixthly, summarizing rules of allowing nodes to occur corresponding to the real-time consistency in the real-time clock graph. The following specifically describes the rule by taking fig. 4 as an example. As shown in FIG. 4, node A and node E have no predecessors, and both nodes can occur, in line with Case 1. Node B only has one direct predecessor of node a as shown in fig. 4, and node a can occur, node B can occur, conforming to Case 2. As shown in fig. 4, there are two direct predecessors, node a and node E, the predecessor closures of these two nodes are both ∅, obviously, there is no intersection in these two predecessor closures, and neither node a nor node E is included in the predecessor closure, so node C can occur, and it conforms to Case 3.1. As shown in FIG. 4, two direct predecessors exist in node G, node A and node C, and the union { A } and { A, C, E } of two predecessor closures and their corresponding direct predecessors can be obtained, and an intersection { A } exists in the two sets. The time range on the path (A, >5, C) from node A to node C is (5, ∞), and since node A is the direct predecessor of node G, the time range on the path (A, ≦ 5, G) from node A to node G is (0, 5). Any value in (5, ∞) is greater than that in (0,5), so node G can occur, conforming to Case 3.2.1. As shown in FIG. 4, node F has two direct predecessors, node C and node E, and the union { A, C, E } and { E } of two predecessor closures and their corresponding direct predecessors can be obtained, and the two sets have an intersection { E }. There are two paths from node E to node C, the intersection of the time ranges of these two paths is (3,5), node E is the direct predecessor of node F, so the time range from node E to node F (E, ≦ 5, F) is (0, 5.) there is only one path from node C to node F (C, <2, F) and the time range of this path is (0, 2). for any value in (3,5) that is less than the maximum value in (0,5), taking 4 as an example, on the basis of this value, the time range on all paths from node E to node F through node C is (4,6), obviously (0,5] intersects (4,6), so node F can occur, Case conforms to E3.2.2. node D.s is the start event node of state D as shown in FIG. 4, there is node B in the predecessor packet of node D.s, which is a node in self-loop relationship with node B. the time range of 2 self-loop relationship with node B is 2 The time range intersection of all paths from the start event node D.s to the end time node D.f for state D is (0, 3.) obviously, there are values less than 2 in (0, 3), so node D.s can occur, conforming to Case 4.
The following describes nodes that do not meet the occurrence condition, using fig. 5 as an example. Node E has two direct predecessors, node C and node D, and can obtain a union { C } and { C, D } of the two predecessor closures and their corresponding direct predecessors, there being an intersection { C } in the two sets, there being two paths from node C to node D, the intersection of the time ranges of which is (3,5 ]. node C is the direct predecessor of node E, so the time range of the path from node C to node E (C, ≦ 5, E) is (0,5 ]. only one path (D, >2, E) exists from node D to node E and the time range of which is (2, ∞) when the value in (3,5] is 4, it is less than the maximum value of (0,5], on the basis of which the time range of all paths from node C through node D to node E is (6, ∞), apparently intersecting with (0,5] there is no intersection and the occurrence condition of node (Case 3.2.1) is not met, so node E cannot occur. Node B.s is the start event node of state B, node A, the node with self-loop relationship, exists in the front closure of node B.s, and the time range of node A self-loop relationship is 2. There is only one path (B.s, >2, B.f) from the start event node B.s to the end event node B.f of state B, and the time range of the path is (2, ∞). it is apparent that 2 is smaller than any one of (2, ∞) values, so the node B.s cannot occur according to the occurrence condition (Case 5) of the node. From the node occurrence condition (Case 2), node B.f has only one direct predecessor B.s but B.s cannot occur, and thus node B.f cannot occur.
And seventhly, judging whether all nodes are allowed to occur in each group of required real-time clock graphs according to the node occurrence rule, determining whether real-time inconsistency exists, and obtaining a node set which is not allowed to occur. Taking fig. 4 as an example, the node occurrence rule is applied to determine each node to obtain that the node set which cannot occur is an empty set, that is, all nodes can occur, so that no real-time inconsistency exists. Taking fig. 5 as an example, the set of nodes that cannot occur is obtained by applying the node occurrence rule as { E, B.s, B.f }. In the two real-time clock graphs (fig. 6 and 7) obtained in the fifth step, the real-time clock graph corresponding to fig. 6 is judged by applying the node occurrence rule, and the node set which cannot occur is obtained as an empty set, so that the group of requirements has real-time consistency, and thus the original requirements also have real-time consistency.
Eighth, the relevant RTNL statement is located by the node that cannot occur. And maintaining the corresponding relation from the RTNL statement to the CCSL constraint in the conversion process to further obtain the RTNL statement corresponding to the node in each graph, wherein the node set obtained in the fifth step can automatically obtain the statement causing the inconsistency.
The operation support of the embodiment by the system provided by the invention is shown in figure 8.

Claims (10)

1. A method for detecting and positioning real-time inconsistency of CPS requirements is characterized by comprising the following steps:
the method comprises the following steps: rewriting the original CPS system requirement description into a statement set which accords with a real-time security model language RTNL;
step two: rewriting a composite conditional statement in the RTNL statement set into a simple statement;
step three: detecting and processing condition conflicts in the RTNL statement sets, and grouping requirements to obtain one or more RTNL statement sets;
step four: converting each group of RTNL statements into a Clock Constraint Specification Language (CCSL) constraint set;
step five: converting each group of CCSL constraint sets into a real-time clock diagram;
step six: summarizing rules that allow nodes to occur in a real-time clock graph;
step seven: judging whether all nodes are allowed to occur in each group of required real-time clock graphs according to node occurrence rules, determining whether real-time inconsistency exists, and obtaining a node set which is not allowed to occur;
step eight: for nodes that are not allowed to occur, the source is traced and the RTNL statement that causes the real-time inconsistency is located.
2. The real-time inconsistency detection and localization method according to claim 1, wherein the first step is specifically: the original CPS system requirement description contains time constraint; the RTNL is composed of three basic elements of event, state and time constraint and describes the time constraint between the event and the state; and rewriting the original CPS system requirement description into a statement set conforming to a real-time security model language RTNL.
3. The real-time inconsistency detection and localization method according to claim 1, wherein the second step is specifically: the RTNL language contains sentences which are divided into two types of ' and connection ' and ' or connection ' and are used for connecting a plurality of states by using ' and ' or ' keywords to express composite conditions; for the "and connection" type, a single new state is introduced to replace the original state; for the type of 'or connection', splitting an original state into single states; the sentence with the compound condition is rewritten into a simple sentence without the compound condition.
4. The real-time inconsistency detecting and locating method according to claim 1, wherein the third step is specifically: the method comprises the steps that multiple RTNL sentences possibly contain condition conflicts, for one group of RTNL sentences, condition parts of each sentence are recorded, sentences which cannot be met by the condition parts at the same time are searched, each sentence in the sentences is recombined with the rest sentences which can be met at the same time, multiple groups of new sentence sets are obtained, searching and recombining are continued in each new sentence set until the sentence condition parts of each group can be met at the same time, and one or more groups of independent RTNL sentence sets are obtained.
5. The real-time inconsistency detection and localization method according to claim 1, wherein the fourth step is specifically: CCSL is a specification language that describes clock constraints; converting a group of RTNL statement sets into CCSL constraints, firstly, directly converting each RTNL statement to obtain the constraint corresponding to each statement, and then collecting all the constraints to obtain the CCSL constraint set corresponding to the group of RTNL statement sets; this conversion is performed separately on multiple sets of RTNL statements, resulting in one or more independent sets of CCSL constraints.
6. The real-time inconsistency detection and localization method according to claim 1, wherein the fifth step is specifically: the real-time clock graph is a weighted directed graph, nodes represent clocks, and edges represent real-time constraint relations among the clocks; according to the definition of a real-time clock graph, a node set and an edge set of the graph are obtained from a CCSL constraint set and are converted into a corresponding real-time clock graph; this conversion is performed for each set of CCSL constraints, resulting in one or more independent real-time clock maps.
7. The real-time inconsistency detection and localization method according to claim 1, wherein the sixth step is specifically: obtaining a rule which allows the node to occur in the real-time clock graph according to the definition of the real-time inconsistency; all nodes in a graph are allowed to occur, so that the consistency is real-time, otherwise, the inconsistency is real-time; and calculating and judging according to the characteristics of the precursor nodes of each node to determine whether the node is allowed to occur or not.
8. The real-time inconsistency detection and localization method according to claim 1, wherein the seventh step is specifically: judging whether all nodes in the graph are allowed to occur or not by using the rule for allowing the nodes to occur obtained in the step six for each real-time clock graph obtained in the step five, determining whether real-time inconsistency exists in the corresponding requirements of the graph, and obtaining a node set which is not allowed to occur; for a plurality of independent real-time clock graphs, as long as one graph has real-time consistency, the original requirement has real-time consistency, and if each graph does not have real-time consistency, the original requirement does not have real-time consistency.
9. The real-time inconsistency detection and localization method according to claim 1, wherein the eighth step is specifically: starting from the set of nodes which are not allowed to occur, positioning to a corresponding RTNL statement which causes real-time inconsistency; maintaining the corresponding RTNL statement information by utilizing each CCSL constraint of the RTNL statement, so that each node in the real-time clock graph contains the corresponding RTNL statement set; for each node in the node set which is not allowed to occur, obtaining a corresponding RTNL statement set, and combining all the RTNL statement sets of all the nodes to obtain the RTNL statement causing the inconsistency.
10. A system implementing the method for real-time inconsistency detection and localization of CPS requirements as claimed in claim 1, comprising the following modules:
a requirements editing module, supporting claim 2, comprising a graphical user interface for writing and modifying RTNL statements; receiving user input to obtain a statement set which accords with RTNL grammar specification;
a requirement preprocessing module, implementing claim 3 and claim 4, for converting an RTNL statement containing a compound condition into a simple statement without a compound condition and detecting and processing a condition conflict in the requirement; inputting a group of RTNL statement sets and outputting one or more groups of processed RTNL statement sets;
a requirements translation module, implementing claim 5, for translating requirements expressed in RTNL to CCSL constraints; inputting an RTNL statement set and outputting a CCSL constraint set;
a constraint visualization module implementing claim 6 for converting the CCSL constraints into a real-time clock map for visualization and subsequent processing; inputting a CCSL constraint set and outputting a real-time clock diagram;
a requirement verification module, implementing claim 7 and claim 8, for detecting real-time inconsistencies between the requirements and the real-time clock graph and locating requirements that cause the real-time inconsistencies; and inputting a real-time clock diagram, outputting whether real-time inconsistency exists, and if so, simultaneously outputting a requirement statement for triggering the real-time inconsistency.
CN202111590128.4A 2021-12-23 2021-12-23 Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements Pending CN114356283A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111590128.4A CN114356283A (en) 2021-12-23 2021-12-23 Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111590128.4A CN114356283A (en) 2021-12-23 2021-12-23 Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements

Publications (1)

Publication Number Publication Date
CN114356283A true CN114356283A (en) 2022-04-15

Family

ID=81101840

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111590128.4A Pending CN114356283A (en) 2021-12-23 2021-12-23 Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements

Country Status (1)

Country Link
CN (1) CN114356283A (en)

Similar Documents

Publication Publication Date Title
Felder et al. Proving properties of real-time systems through logical specifications and Petri net models
CN110348622B (en) Temperature prediction method and system based on machine learning and electronic equipment
Bock et al. Advantageous usage of textual domain-specific languages for scenario-driven development of automated driving functions
CN111880784B (en) SIMSCRIPT language-oriented discrete event simulation graphical modeling method
CN110502227A (en) The method and device of code completion, storage medium, electronic equipment
CN112560277B (en) Automobile automatic driving scene modeling method based on domain specific modeling language ADSML
EP3575990A2 (en) Observer for simulation test and verification
CN104267936A (en) Semantic tree based asynchronous dynamic push-down network reachability analysis method
CN109977514B (en) Method for generating model scheduling sequence of radar synchronous data flow graph
CN114168615A (en) Method and system for querying SCD (substation configuration description) file of intelligent substation by natural language
CN116088846A (en) Processing method, related device and equipment for continuous integrated code format
Feather et al. Automatic generation of test oracles—from pilot studies to application
Bernard et al. Design: a key stage of product lifecycle
CN114356283A (en) Method and system for detecting and positioning real-time inconsistency of CPS (control Performance Standard) requirements
CN115033212A (en) Avionics system primitive model integrated construction method and device and computer equipment
CN111639128A (en) E-commerce data integration system and method based on distribution
Insaurralde Model-merged development for analysis and design of dependable software systems
Ferreira et al. Formal verification of object-oriented graph grammars specifications
Gorton et al. Parallel software engineering with PARSE
RU2364930C2 (en) Generation method of knowledgebases for systems of verification of distributed computer complexes software and device for its implementation
EP3575956A1 (en) Graph configuration language transformation method and apparatus
Santa et al. Relations of UML and OETPN Models
CN113434116B (en) Modeling and verifying method of mode-based letter fusion system for period controller
CN115712420A (en) Architecture design and architecture conversion method based on complex real-time embedded system
Liang et al. The technical system establishment and application of decision support system generator based on component coordination

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination