CN114741052A - Requirement table model-oriented formalized semantic analysis and inspection method - Google Patents


Info

Publication number: CN114741052A
Authority: CN (China)
Prior art keywords: excitation, judgment, value, configuration, variable
Legal status: Granted (active)
Application number: CN202210421720.XA
Other languages: Chinese (zh)
Other versions: CN114741052B (en)
Inventors: 康介祥, 王辉, 崔杰, 高忠杰, 尹伟
Current assignee: China Aeronautical Radio Electronics Research Institute
Original assignee: China Aeronautical Radio Electronics Research Institute
Events: application filed by China Aeronautical Radio Electronics Research Institute; priority to CN202210421720.XA; publication of CN114741052A; application granted; publication of CN114741052B

Classifications

    • G06F8/10 Requirements analysis; Specification techniques
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G06F40/211 Syntactic parsing, e.g. based on context-free grammar [CFG] or unification grammars
    • G06F40/253 Grammatical analysis; Style critique
    • G06F40/30 Semantic analysis
    • Y02P90/30 Computing systems specially adapted for manufacturing


Abstract

The invention discloses a formal semantic analysis and inspection method for a requirement table model (RTM). It maps the requirements of airborne safety-critical software into a mathematical model based on propositional logic and relational theory, strictly defines the semantics of that model, and then designs a series of automatic algorithms to verify the multilayer semantic constraints on the requirements.

Description

Requirement table model-oriented formalized semantic analysis and inspection method
Technical Field
The invention relates to the technical field of requirement modeling and verification of airborne safety-critical software, in particular to a method that maps the requirements of airborne safety-critical software into a mathematical model based on propositional logic and relational theory, strictly defines the semantics of that model, and then designs a series of automatic algorithms to verify the multilayer semantic constraints on the requirements.
Background
Modern airborne software implements most of the functions of modern aircraft and their systems, and its importance to aircraft systems keeps growing. The safety of airborne software with safety-critical features has therefore become an important element of modern aircraft safety. Airborne software, however, has its own particularities: it cannot be inspected and tested in the way that non-powered aircraft parts such as cables, skins and panels are, and exhaustive testing of software is not possible either, so its safety has to be guaranteed by a strict and standardized software development process. DO-178B/C, Software Considerations in Airborne Systems and Equipment Certification, issued by the Radio Technical Commission for Aeronautics (RTCA), sets out requirements specific to the airborne software industry: it takes the requirements of airborne software development as the core product and organizes development, testing, verification and certification work around those requirements. This standard has been accepted by the Federal Aviation Administration (FAA), the European Union Aviation Safety Agency (EASA) and the Civil Aviation Administration of China (CAAC) as an acceptable means of safety compliance for airborne software development.
Model-based systems engineering (MBSE) was proposed in recent years by the International Council on Systems Engineering (INCOSE). MBSE emphasizes the use of multi-level abstract models to describe the work products of each stage of system development in the field of complex critical systems, and in particular emphasizes that mathematical models based on discrete logic bring great benefits to the analysis and verification of important system properties. Accordingly, for safety-critical airborne software, the latest DO-178C standard also provides a compliance criterion for requirement verification methods based on a mathematical model: a suitable mathematical model is used to model the semantics of the airborne software at the requirement level, and the multilevel semantic constraints of the requirements are then verified. This approach is becoming an effective route to compliance certification. DO-178C does not, however, specify which mathematical model or which verification technique should be used; it only specifies the compliance objectives that a mathematical-model-based requirement verification method must meet, and different mathematical models and verification methods may be used to achieve those common objectives.
In the field of aeronautical systems with safety-critical features, verification of the requirements of airborne software generally has to meet the following objectives. Airborne software has many different operating configurations, which may coexist in several dimensions (for example, longitudinal control and lateral control in an automatic flight system correspond to two large classes of configurations in the software's operating space, and each is further divided into sub-configurations by objective), so the behaviour under each configuration must be verified. The same input data set must always produce a predictable, deterministic output. The judgment conditions and excitations at every level of the internal processing must remain mutually exclusive; no intersection between them is allowed.
Mathematical logic in computer science is a discrete mathematical system based on set theory; it expresses propositions with strictly defined logical symbols and comprises propositional logic, first-order predicate logic and other systems. Propositional logic can use basic elements such as AND, OR, NOT and atomic propositions to give a strict logical-formula definition of content described in natural language (for example, most functional requirements of airborne software are described by natural-language clauses). Although propositional logic supplies the most basic elements for defining the semantics of a logical formula, it is not sufficient for the configurations, judgment conditions, excitations and determinism requirements found in airborne software. Relational theory is the foundation of modern relational databases: intuitively, the relationship among several variables can be described by a two-dimensional data table, and the underlying semantic definition of such a table is relational calculus and relational algebra. In airborne software engineering, relationships between data are often described in tabular form, so a mathematical model suited to airborne software requirements can be built from the characteristics of that field by combining propositional logic with relational theory.
To verify the objectives that airborne software must meet, an automatic verification algorithm must also be designed. Existing software tools that are based on a mathematical model and capable of automatic checking include NuSMV, SPIN and SCADE. These tools, however, are designed for mathematical modelling and automatic analysis of a system as a whole and do not meet the need for compliance verification of the characteristics of airborne software requirements.
Disclosure of Invention
The invention aims to provide a formal semantic analysis and inspection method for a requirement table model, which maps the requirements of airborne safety-critical software into a mathematical model based on propositional logic and relational theory, strictly defines the semantics of that model, and then designs a series of automatic algorithms to verify the required multilayer semantic constraints.
The aim of the invention is achieved by the following technical scheme:
A formalized semantic analysis and inspection method for a requirement table model comprises the following steps:
Step one: import an RTM model converted from the item requirements. One RTM model comprises the following sets: data types, constants, input variables, configuration classes, internal variables, output variables and table functions; the table functions are divided into three kinds, namely judgment relation tables, excitation relation tables and configuration conversion tables, where:
a group of judgment-type requirements that produce the same kind of output is converted into a judgment relation table; the auxiliary information of the judgment relation table indicates the name of the variable jointly affected by those requirements, and each different output value produced by the requirements corresponds to one row of the table; the fields of the table are: configuration, judgment condition and output value;
a group of excitation-type requirements that produce the same kind of output is converted into an excitation relation table; the auxiliary information of the excitation relation table indicates the name of the variable jointly affected by those requirements, and each different output value produced by the requirements corresponds to one row of the excitation relation table; the fields of the table are: configuration, excitation and output value;
a configuration conversion table corresponds to each configuration class in the model and indicates which configuration the class switches from, and to which, when the values of variables in the software change.
Step two: perform the various analyses on the RTM model.
According to the above features, input layer constraint verification comprises the following steps:
2-1) obtain the set of table functions from the RTM model and traverse all table functions;
2-2) read the name of the dependent configuration class of each judgment relation table or excitation relation table; obtain the set of configuration classes from the RTM model, find the configuration class matching the dependent class name, and add its configurations one by one to a first configuration set;
2-3) traverse all rows of the judgment relation table or excitation relation table, read the configuration field of each row, and add it to a second configuration set one by one;
2-4) judge whether the first configuration set and the second configuration set are the same; if not, some configuration of the same class has not been considered by the judgment relation table or excitation relation table, and a prompt that the table violates the input layer constraint is added to the error information.
According to the above features, judgment mutual exclusion constraint verification of the internal layer comprises the following steps:
3-1) obtain the set of table functions from the RTM model and traverse all table functions;
3-2) if the table function is a judgment relation table, traverse all its rows, read the configuration of each row, and add each distinct configuration to a third configuration set one by one;
3-3) for each configuration in the third configuration set, perform all of the following operations:
traverse all rows of the judgment relation table whose configuration field equals the current configuration of the third configuration set, analyse their judgment conditions, and arrange the following data structures: the variable output value and judgment condition of each traversed row; each distinct continuous variable appearing in the table together with the set of values that appear on the right-hand side of its atomic judgment conditions; and each distinct discrete variable appearing in the table together with the set of all values in its value domain;
for the value set of each continuous variable, sort the values from small to large;
for each row's judgment condition, perform equivalent replacement of the atomic judgment conditions, thereby discretizing the variables;
enumerate the possible value combinations of all variables to form a disjunctive normal form;
expand the disjunctive normal form: for every variable not considered in a conjunctive clause, combine each possible value of that variable with the original clause to generate a new clause, and replace the original clause with these new clauses;
compare the expanded formulas of the rows' judgment conditions pairwise; if two rows share a conjunctive clause, then when the variables take the value combination of that clause the judgment conditions of both rows are clearly satisfied at the same time, and if the output values of the two rows differ, judgment mutual exclusion is violated and a prompt that the table violates judgment mutual exclusion is added to the error information.
Preferably, the equivalent replacement of an atomic judgment condition is performed as follows:
for an atomic judgment condition containing a discrete variable, number each value in the variable's value domain from 1 and replace the value on the right-hand side of the atomic judgment condition by its number;
for an atomic judgment condition containing a continuous variable, segment the variable's value domain using all values in the value set of that variable collected from the judgment conditions of every row, number each interval from 1, and then replace every atomic judgment condition by the range of interval numbers corresponding to it.
According to the above features, judgment completeness constraint verification of the internal layer comprises the following steps:
4-1) for a given judgment relation table, arrange, from the variables appearing in the judgment conditions of all its rows, a disjunctive normal form containing all possible value combinations of all those variables;
4-2) take the disjunctive normal form obtained after expanding the judgment conditions of all rows and compare it with the disjunctive normal form of the previous step; if they are not equal, some value combination has not been considered by the judgment relation table: when the variables take that missing combination, no row's judgment condition in the table is satisfied, which violates judgment completeness, and a prompt that the table violates judgment completeness is added to the error information.
According to the above features, excitation mutual exclusion constraint verification of the internal layer comprises the following steps:
5-1) traverse the excitation relation table and collect its distinct configurations to form a first excitation set;
5-2) traverse all rows whose configuration field equals the current configuration of the first excitation set, analyse their excitations, and arrange the following data structures: the variable output value and excitation of each traversed row; for every excitation in the row's AND excitation, its excitation operator, guard operator, excitation judgment condition and guard judgment condition; each distinct continuous variable appearing in the table together with the set of values that appear on the right-hand side of its atomic judgment conditions; and each distinct discrete variable appearing in the excitation relation table together with the set of all values in its value domain;
5-3) perform the deterministic treatment of ~C excitations;
5-4) for the value set of each continuous variable, sort the values from small to large;
5-5) replace the excitation judgment condition and guard judgment condition of every excitation in each row's AND excitation with a disjunctive normal form;
5-6) equate each excitation to a judgment condition P satisfied at the previous instant and a judgment condition P' satisfied at the next instant;
5-7) combine the P and P' of all processed excitations in each row's AND excitation to obtain the two judgment conditions under which the row's excitation can occur; when the variable value combination at one instant satisfies judgment condition 1 and the combination at the next instant satisfies judgment condition 2, the row's excitation is considered to occur;
5-8) compare the two disjunctive normal forms formed by each row's excitation pairwise with those of every other row; if the first forms of two rows share a conjunctive clause and their second forms also share a conjunctive clause, then when the variables at one instant take the value combination of the shared clause of the first forms and at the next instant take the value combination of the shared clause of the second forms, the excitations of both rows are clearly satisfied at the same time; if the output values of the two rows differ, the excitation mutual exclusion constraint of the internal layer is violated, and a prompt that the table violates the excitation mutual exclusion constraint of the internal layer is added to the error information.
Preferably, the deterministic treatment of ~C excitations is as follows:
for each row's excitation, if the number of excitations in the AND excitation whose excitation operator is ~C is n, the row is copied 2^n times, the copies are numbered by n-bit binary codes counting up from 0, and each code corresponds to one copy of the excitation.
Preferably, an excitation is equated to the judgment condition P satisfied at the previous instant and the judgment condition P' satisfied at the next instant as follows:
~T-PRE: P = P_Guard ∧ ¬P_Event, P' = P_Event
~T-POST: P = ¬P_Event, P' = P_Guard ∧ P_Event
~T-BOTH: P = P_Guard ∧ ¬P_Event, P' = P_Guard ∧ P_Event
~F-PRE: P = P_Guard ∧ P_Event, P' = ¬P_Event
~F-POST: P = P_Event, P' = P_Guard ∧ ¬P_Event
~F-BOTH: P = P_Guard ∧ P_Event, P' = P_Guard ∧ ¬P_Event
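As an added illustration (not code from the patent), the following Python maps each excitation operator to its (P, P') pair exactly as listed above, conjoins the pairs of an AND excitation as in step 5-7, and performs the 2^n row copying for ~C excitations. The tuple encoding of formulas, the sample row and the reading of ~C as "the event changes in either direction, fixed to ~T or ~F per copy" are my assumptions.

```python
import itertools

# Formulas are small tuples (assumed encoding): an atom name, ("not", f) or ("and", f, g).
# Each excitation operator maps to (P, P'), the conditions at the previous and next instant,
# exactly as listed in the text; guard and event are the guard and event judgment conditions.
def equate(op, guard, event):
    not_event = ("not", event)
    table = {
        "~T-PRE": (("and", guard, not_event), event),
        "~T-POST": (not_event, ("and", guard, event)),
        "~T-BOTH": (("and", guard, not_event), ("and", guard, event)),
        "~F-PRE": (("and", guard, event), not_event),
        "~F-POST": (event, ("and", guard, not_event)),
        "~F-BOTH": (("and", guard, event), ("and", guard, not_event)),
    }
    if op not in table:
        raise ValueError(f"unknown excitation operator {op}")
    return table[op]


def split_change_excitations(stimuli):
    """Deterministic treatment of ~C: a row with n such excitations becomes 2^n copies,
    numbered in binary from 0; assumption: bit 0 fixes the ~C to ~T, bit 1 to ~F."""
    change_idx = [i for i, (op, _, _) in enumerate(stimuli) if op.startswith("~C")]
    copies = []
    for code in itertools.product("01", repeat=len(change_idx)):
        row = list(stimuli)
        for bit, i in zip(code, change_idx):
            op, guard, event = row[i]
            row[i] = (op.replace("~C", "~T" if bit == "0" else "~F"), guard, event)
        copies.append(row)
    return copies


def conjoin(formulas):
    """The P (or P') of an AND excitation is the conjunction of its excitations' P (or P')."""
    result = formulas[0]
    for f in formulas[1:]:
        result = ("and", result, f)
    return result


def row_conditions(stimuli):
    """(P, P') pairs for one table row; several pairs when the row contains ~C excitations."""
    pairs = []
    for copy in split_change_excitations(stimuli):
        ps, next_ps = zip(*(equate(op, g, e) for op, g, e in copy))
        pairs.append((conjoin(ps), conjoin(next_ps)))
    return pairs


def render(f):
    """Print a formula tuple with the symbols used in the text."""
    if isinstance(f, str):
        return f
    if f[0] == "not":
        return "¬" + (f[1] if isinstance(f[1], str) else f"({render(f[1])})")
    return f"{render(f[1])} ∧ {render(f[2])}"


# Constructed row (stimulus names are assumptions): the aircraft becomes airborne while the
# flight director is on, AND the altitude-hold switch changes while the flight director is on.
EXAMPLE_ROW = [("~T-PRE", "fd_on", "airborne"), ("~C-BOTH", "fd_on", "alt_hold_sw")]

if __name__ == "__main__":
    for p, p_next in row_conditions(EXAMPLE_ROW):
        print(f"P: {render(p)}    P': {render(p_next)}")
```

Each (P, P') pair produced here would then be expanded to value combinations and compared pairwise with the other rows' pairs, as step 5-8 describes.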
According to the above features, output layer constraint verification comprises the following steps:
6-1) obtain the set of table functions from the RTM model and traverse all table functions;
6-2) read the value domain of the variable associated with the judgment relation table or excitation relation table;
6-3) read the judgment relation table or excitation relation table, traverse all rows, read the variable output value field of each row, and add the values to an output value set;
6-4) judge whether the output value set contains every possible value of the value domain: if the variable controlled by the judgment relation table or excitation relation table is discrete, judge whether each discrete value of the value domain appears in the output value set; if the variable is continuous, judge whether the union of all intervals in the output value set equals the value domain interval;
6-5) if the table does not meet the constraint, add a prompt that the table violates the output layer constraint to the error information.
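Added example (not the patent's own code) of the input layer check of steps 2-1 to 2-4 and the output layer check of steps 6-1 to 6-5, run over a small constructed RTM fragment. The dataclasses, variable and configuration names and sample tables are assumptions, and output values of a continuous variable are taken to be closed intervals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfigClass:
    name: str
    configurations: frozenset


@dataclass(frozen=True)
class Variable:
    name: str
    domain: object   # frozenset of discrete values, or a (low, high) tuple for a continuous range


@dataclass(frozen=True)
class RelationTable:
    variable: str       # auxiliary information: the variable the rows jointly determine
    config_class: str   # name of the dependent configuration class, "" when none
    rows: tuple         # (configuration, condition or excitation, output value) per row


def check_input_layer(table, config_classes):
    """Steps 2-1 to 2-4: the configurations used in the rows must equal those of the class."""
    if not table.config_class:
        return []
    declared = {c.name: c.configurations for c in config_classes}.get(table.config_class)
    if declared is None:
        return [f"{table.variable}: unknown configuration class {table.config_class}"]
    used = {cfg for cfg, _, _ in table.rows}
    if used != declared:
        return [f"{table.variable}: input layer constraint violated, "
                f"missing {sorted(declared - used)}, unknown {sorted(used - declared)}"]
    return []


def merge_intervals(intervals):
    """Union of closed intervals as a sorted list of disjoint (low, high) pairs."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1]:          # overlaps or touches the previous one
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def check_output_layer(table, variables):
    """Steps 6-1 to 6-5: the output values must cover the controlled variable's whole domain."""
    var = {v.name: v for v in variables}[table.variable]
    outputs = [out for _, _, out in table.rows]
    if isinstance(var.domain, tuple):               # continuous: outputs are intervals
        union = merge_intervals(outputs)
        if union != [tuple(var.domain)]:
            return [f"{var.name}: output layer constraint violated, union {union} != domain {var.domain}"]
    else:                                           # discrete: every value must be produced
        missing = sorted(var.domain - set(outputs))
        if missing:
            return [f"{var.name}: output layer constraint violated, never produced: {missing}"]
    return []


# Constructed RTM fragment. LATERAL has three configurations but the fd_cmd table handles
# only two (and never outputs TRACK_ROUTE); pitch_limit leaves (0, 5) uncovered; lamp never
# becomes AMBER.
CLASSES = [ConfigClass("LATERAL", frozenset({"ROLL", "HDG", "LNAV"}))]
VARS = [
    Variable("fd_cmd", frozenset({"WINGS_LEVEL", "TRACK_HDG", "TRACK_ROUTE"})),
    Variable("pitch_limit", (-15.0, 25.0)),
    Variable("lamp", frozenset({"OFF", "AMBER", "RED"})),
]
FD_TABLE = RelationTable("fd_cmd", "LATERAL", (
    ("ROLL", "roll_cmd = 0", "WINGS_LEVEL"),
    ("HDG", "roll_cmd <> 0", "TRACK_HDG"),
))
PITCH_TABLE = RelationTable("pitch_limit", "", (
    ("", "flaps_down = TRUE", (-15.0, 0.0)),
    ("", "flaps_down = FALSE", (5.0, 25.0)),
))
LAMP_TABLE = RelationTable("lamp", "", (
    ("", "fault = FALSE", "OFF"),
    ("", "fault = TRUE", "RED"),
))

if __name__ == "__main__":
    for table in (FD_TABLE, PITCH_TABLE, LAMP_TABLE):
        for prompt in check_input_layer(table, CLASSES) + check_output_layer(table, VARS):
            print(prompt)
```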
The invention has the following beneficial effects:
the formal analysis technique for the requirement table model analyses the consistency and completeness of the formal semantics of the requirement model, finds basic errors in the requirements, including grammatical, syntactic and semantic errors, as well as ambiguity and incompleteness of the requirements, improves the completeness of requirement verification and raises the quality of avionics software requirements.
Drawings
FIG. 1 is a condition table corresponding to a crew alerting system requirement for the EICAS engine indication.
FIG. 2 is a condition table in the RTM of the FGS flight guidance system.
FIG. 3 is a flow chart of the requirement input completeness analysis.
FIG. 4 is example condition table 1 in the FGS flight guidance system RTM.
FIG. 5 is example condition table 2 in the FGS flight guidance system RTM.
FIG. 6 is a flow chart of the requirement condition consistency and completeness analysis.
FIG. 7 is example condition table 3 in the FGS flight guidance system RTM.
FIG. 8 is a flow chart of the requirement output completeness analysis.
FIG. 9 is a flow chart of the RTM model analysis.
FIG. 10 is the structural framework of the RTM model analysis method.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein merely illustrate the invention and do not limit it.
Unless the context clearly dictates otherwise, the elements and components of the present invention may be present in single or multiple form and are not limited thereto. Although the steps of the invention are arranged with reference numbers, the order of the steps is not thereby limited; the relative order of the steps can be adjusted unless an order is explicitly stated or a step requires other steps to have been executed.
The invention addresses the requirement design and verification stage of safety-critical airborne software: it maps the item requirements of the airborne software into a mathematical model (RTM) based on propositional logic and relational theory, gives a strict mathematical definition of the semantics of the RTM, and then designs algorithms to verify whether the following multilayer semantic constraints in the requirement model are met:
1) Input layer constraint
The requirements should satisfy completeness of the input information. For a set of requirements that produce the same kind of output (that is, the variable affected by these requirements is the same), if one requirement describes an action the software should perform in a certain configuration, then the set must also contain requirements for the other configurations of the same class (these configurations are mutually exclusive, but the software is always in exactly one of them at any time). A violation means that in some configuration the software cannot determine the action to perform.
2) Judgment mutual exclusion constraint of the internal layer
The requirements should satisfy the judgment mutual exclusion inherent in the item semantics. If a requirement is premised on a certain judgment condition being satisfied, that is, it is a judgment-type requirement, then no other judgment-type requirement may exist whose output is mutually exclusive with it (the two requirements affect the same variable but set it to different values) while the judgment conditions of the two requirements can be satisfied at the same time. A violation means that in some situation the software is required to perform two mutually exclusive actions simultaneously.
3) Judgment completeness constraint of the internal layer
The requirements should satisfy the judgment completeness inherent in the item semantics. For a set of judgment-type requirements that produce the same kind of output, the judgment conditions of these requirements must cover every case the software can encounter; that is, however the variables involved in the judgment conditions take their values, one of the judgment conditions is satisfied. A violation means that in some situation the software cannot determine the action to take.
4) Excitation mutual exclusion constraint of the internal layer
The requirements should satisfy the excitation mutual exclusion inherent in the item semantics. A requirement is an excitation-type requirement if it is premised on an excitation occurring; an excitation here is typically a change in the value of some variable in the software. For any excitation-type requirement, no other excitation-type requirement may exist whose output is mutually exclusive with it while the excitations of the two requirements can occur at the same time. A violation means that in some case the software is required to perform two mutually exclusive actions simultaneously.
5) Output layer constraint
The requirements should satisfy completeness of the required output. For a set of requirements that produce the same kind of output, the output values produced by these requirements must cover every possible case of that kind of output (that is, all the output values together make up the value domain of the variable affected by these requirements). A violation means that some actions of the software can never be performed.
For the satisfiability problem of multilayer requirement semantic verification, referring to FIG. 9 and FIG. 10, the formal semantic analysis and inspection method for the requirement table model of this embodiment inspects the problems that may exist in the requirements by means of an automatic verification algorithm and comprises the following steps:
Step one: import an RTM model translated from the item requirements.
The RTM model is produced by the user by transformation according to the defined form and format requirements. One RTM model contains the following sets:
1) Data types (Type): all types defined by the user; every type is based on a basic type, that is, its parent or ancestor type is a basic type such as boolean, int or char.
2) Constants (Constant): the set of all user-defined constants.
3) Input variables (Input): variables whose values come from outside the software, converted from external quantities by input devices such as sensors.
4) Configuration classes (CFClass): each configuration class in this set represents a set of several different configurations that can be converted into one another during software operation; configurations belonging to different configuration classes are not converted into one another. This form is analogous to the equivalence classes of relations in discrete mathematics, hence the name configuration class.
Each configuration class can be regarded as a variable whose value domain is the configurations it contains. During software operation each configuration class is in exactly one configuration at a time. The configuration in force influences the values of the non-input variables, and the configuration class may change configuration when certain specific excitations occur.
For example, suppose an aircraft has a configuration class "flight height" with the configurations low (below 1000 m) and high (above 1000 m). When the aircraft climbs from a low altitude below 1000 m to a high altitude above 1000 m, the excitation of crossing the 1000 m contour occurs, the flight height configuration class switches from the low configuration to the high configuration, and some functions of the avionics software change accordingly.
5) Internal variables (Internal): variables used in the RTM that are neither input variables read from outside the software nor output variables returned by the software to the outside. Such variables represent the software's requirement-level state and also store intermediate data.
6) Output variables (Output): variables computed by the software's functions, whose values are returned to the user.
7) Table functions (Table): the table functions are divided into three categories, namely judgment relation tables, excitation relation tables and configuration conversion tables.
The judgment relation table and the excitation relation table are used for determining values of internal variables and output variables. The difference is that the judgment relationship is used to specify what value should be taken by the internal variable or the output variable when the software is in what state, that is, how each variable takes on value; the excitation relationship is used to specify what value the internal variable or the output variable should take when a state transition occurs in the software, that is, when the value of each variable changes. The judgment relation table and the incentive relation table correspond to a requirement respectively. Partial judgment conditions and excitation relations may have dependence on a certain configuration class. In this case, the difference in the configuration to which the configuration class belongs will affect the judgment condition or stimulus in the table. Wherein:
1) a group of judgment type requirements which generate similar output are converted into a judgment relation table, and the attached information of the judgment relation table indicates the variable names of the variables which are influenced by the requirements together. The different output values produced in these requirements each correspond to a row in the table. The fields of the table are: the configuration, the judgment condition and the output value. If there are requirements that do not relate to the associated configuration, this field is empty.
2) A group of excitation type requirements for generating the same kind of output are converted into an excitation relation table, and the attached information of the excitation relation table indicates the variable names of the variables which are influenced by the requirements together. The different output values produced in these requirements each correspond to a row in the table. The fields of the table are: configuration, excitation and output value. If there are requirements that do not relate to the associated configuration, the field is empty.
The configuration conversion table corresponds to each configuration class in the model. It indicates from which configuration to which configuration a switch should be made when a state transition occurs in the software, i.e. when the values of the variables change.
Based on the definition of the table function in RTM, a formal definition of the decision conditions and stimuli is given below:
1) Judgment conditions: the judgment conditions adopted in the method are in disjunctive normal form, i.e. atomic judgment conditions are joined by the 'and' symbol into conjunctions, and the conjunctions are joined by the 'or' symbol. An atomic judgment condition is of the form "variable + comparison operator + variable value", where the variable must belong to a variable set and the variable value must satisfy the value range specified for that variable in the set. The comparison operators include =, >, <, >=, <= and <>. This representation is feasible because essentially any complex judgment condition can be converted into this form.
2) Excitation: the definition of an excitation nests the definition of the judgment condition. An excitation may consist of multiple AND excitations, each of the form "excitation operator + excitation judgment condition + guard operator + guard judgment condition".
The excitation judgment condition and the guard judgment condition are each defined by an AND-OR table.
The excitation operator may be T, F or C, representing respectively an excitation whose excitation judgment condition changes from false to true, from true to false, or in either direction.
The guard operator may be PRE, POST or BOTH. In the definition of an AND excitation, the guard operator and guard judgment condition may be given or omitted together. When given, the excitation adds a state constraint beyond the change of the excitation judgment condition: if the guard operator is PRE, the guard judgment condition must be true before the excitation occurs and nothing is required after it; if POST, nothing is required before and the guard judgment condition must be true after; if BOTH, the guard judgment condition must be true both before and after the excitation.
Referring to FIG. 1, the following requirement from the Engine Indication and Crew Warning System (EICAS) requirement document is used as an embodiment of converting a requirement into an RTM model:
When iDMILayoutNormal is true, the aircraft integrated electronic display system shall display the engine symbols in the standard layout.
The data type engineLayout is added to the RTM; its parent type is the basic type enumerated and its value range is { normal, compressed }.
An input variable iDMILayoutNormal is added to the RTM; its data type is the basic type boolean and its value range is { false, true }.
An output variable opEngineHFEngineLayout is added to the RTM; its data type is engineLayout and its value range is inherited from that data type.
A judgment relation is added to the RTM; its associated variable is opEngineHFEngineLayout and its dependent configuration class is null.
And converting the requirements into an RTM model and then carrying out various analyses. The detailed examination procedure for each analysis step is given below.
Step two: input layer constraint verification is carried out, and the working principle is as follows:
1) If the judgment relation table or excitation relation table depends on a configuration class, read all configurations in the table's configuration field to form a second configuration set.
2) Since the configurations in the second configuration set are all homogeneous configurations, all configurations belonging to the category to which they belong are grouped into the first configuration set.
3) And judging whether the first configuration set and the second configuration set are the same. Obviously, if not identical, some of the same configurations are not considered by the table.
As shown in fig. 3, the algorithm, when implemented, comprises the following steps:
2-1) obtain a set of table functions from the RTM model, traverse all its elements, i.e. all table functions.
2-2) Read the dependent configuration class name of each judgment relation table or excitation relation table; if there is none, skip the check. Obtain the configuration class set from the RTM model, traverse all its elements, find the configuration class whose name matches the dependent configuration class name, and add its configurations one by one to the first configuration set.
2-3) Traverse all elements, i.e. all table rows, of the judgment relation table or excitation relation table, read the configuration field of each row, and add it to the second configuration set one by one.
2-4) Judge whether the first configuration set and the second configuration set are the same. Obviously, if they differ, some configurations of the class are not considered by the judgment relation table or excitation relation table, and a prompt that the table violates the input layer constraint is added to the error information.
FIG. 2 is a judgment relation table in the RTM model of the flight guidance system FGS, in which some errors have been introduced by hand, as an example of input layer constraint verification.
The configuration set of the configuration class cfConfig is { cOFF, cON }.
The data type of the internal variable tHDGSwitchPressed is the basic type boolean, and its value range is { false, true }.
The data type of the internal variable tHDGDeselect is boolean, and its value range is { false, true }.
First, the first configuration set { cOFF, cON } is obtained for the dependent configuration class cfConfig. Then the configuration field of the judgment relation table is traversed to construct the second configuration set { cON }. The latter obviously lacks the configuration cOFF.
In fact, before the manual modification, another row followed in the table, with configuration cOFF, an always-true judgment condition and output value true. The table then meets the input layer constraint.
Step three: and (3) carrying out judgment mutual exclusion constraint verification on the internal layer, wherein the working principle is as follows:
1) analyzing all the sub-judgment conditions of the judgment fields of a certain judgment condition relation table to obtain the following information: and judging the variable judged in the condition, and obtaining a variable value range corresponding to the variable from the input variable set, the internal variable set or the output variable set.
2) And corresponding the judgment condition of each line to a judgment set, wherein one element in the judgment set is a group of values of all the variables. If a certain judgment condition corresponds to a certain set, the set contains all value combinations which can meet the judgment condition.
3) And comparing the judgment sets corresponding to each row pairwise to judge whether the same value combination exists. Obviously, if the combination exists, the two judgment conditions are satisfied when the combination appears in the software, namely, the judgment mutual exclusion is violated.
In the judgment mutual exclusion analysis, the atomic judgment conditions are equivalently replaced. The specific method is as follows:
For an atomic judgment condition containing a discrete variable, each value in the variable's value range is numbered from 1, and the value on the right side of the atomic judgment condition is replaced by its number. For example, for an atomic judgment condition x = a where the value range of x is { a, b }, the two values correspond to the discrete values 1 and 2 respectively, so x = a is equivalently replaced by x = 1.
For an atomic judgment condition containing a continuous variable, the variable's value range is segmented by all the values with which the variable is compared in the judgment conditions of every row, and the segments are numbered from 1: a value smaller than the minimum of the set is 1, equal to the minimum is 2, greater than the minimum and smaller than the second smallest is 3, equal to the second smallest is 4, ..., equal to the maximum is 2n, and greater than the maximum is 2n+1, where n is the number of values in the set. All atomic judgment conditions are then replaced by the value ranges corresponding to these segments. For example, for the atomic judgment condition x > a, where the comparison values of x appearing in the table are a and b, the value range is segmented into x < a, x = a, a < x < b, x = b and x > b, corresponding to the discrete values 1, 2, 3, 4 and 5, so x > a is equivalently replaced by x = 3 || x = 4 || x = 5.
The implementation of the algorithm is described next:
3-1) obtain the table function set from the RTM model, and traverse all elements, i.e. all table functions.
3-2) If the table function is a judgment relation table, traverse its elements, i.e. all table rows, read the configuration of each row, and add each distinct configuration to the third configuration set one by one.
3-3) for each configuration in the third configuration set, performing all of the following operations:
Traverse all rows of the judgment relation table whose configuration field equals the current configuration in the third configuration set and parse their judgment conditions. The following data structures are collated: the variable output value and judgment condition of each traversed row; each distinct continuous variable appearing in the judgment relation table, with the set of values appearing on the right side of its atomic judgment conditions; and each distinct discrete variable appearing in the judgment relation table, with the set of all values of its value range. The type of each variable is obtained from the data type set; among the basic types only string, boolean and enumerated are regarded as discrete, i.e. their value range is defined by comma-separated discrete values, while the other value ranges are continuous, defined by upper and lower limits. A further property of a discrete variable is that, when it appears in an atomic judgment condition, the comparison operator can only be the equal sign. A custom type is treated as its parent type.
For the value set of each continuous variable, the values are sorted from small to large so that the continuous intervals can be conveniently mapped to discrete values.
For each row of judgment conditions, equivalent replacement is performed on the atomic judgment conditions in the judgment conditions.
After the above processing all variables are discretized, and the possible value combinations of all variables can be enumerated. However, the atomic judgment condition of an originally continuous variable may now have been replaced by a disjunctive expression (for example, suppose a judgment condition (p1 & x < b) || p2 exists, where the range of the continuous variable x is split by the values a and b into x < a, x = a, a < x < b, x = b and x > b; after discretization the judgment condition becomes (p1 & (x = 1 || x = 2 || x = 3)) || p2, which is obviously a three-layer disjunction-conjunction-disjunction structure), which destroys the disjunctive normal form of the judgment condition. Further processing is therefore needed to restore the disjunction-conjunction-disjunction structure to a disjunction-conjunction structure: each inner disjunction produced in the previous step is split, the part conjoined with it is combined with each new atomic judgment condition of that disjunction in turn, and the disjunction of the resulting conjunctions replaces the original three-layer structure.
The disjunctive normal form is then expanded: for each conjunction, the variables it does not mention are taken into account, every combination of their possible values is combined with the original conjunction to produce new conjunctions, and these replace the original conjunction.
The expanded expressions of each pair of rows are compared. If the two rows share an identical conjunction, then when the variables take the value combination of that conjunction the judgment conditions of both rows are clearly satisfied at once; if the output values of the two rows also differ, judgment mutual exclusion is violated, and a prompt that the table violates judgment mutual exclusion is added to the error information.
Fig. 4 is a diagram of a determination relationship in an RTM model corresponding to a flight guidance system FGS, in which some errors are artificially modified as an example of the determination mutual exclusion constraint verification of the internal layer.
The data type of the input variable ipSYNCSwitch is ySwitch, and its value range is inherited from that data type.
The parent type of the data type ySwitch is the basic type enumerated, and its value range is { off, on }.
The data type of the input variable ipSYNCSwitchPressedHighestPriority is the basic type boolean, and its value range is { false, true }.
The data type of the internal variable tHDGSwitchPressedHighestpriority is the basic type boolean, and its value range is { false, true }.
The discrete variables involved in the judgment conditions are read to form the set { ipSYNCSwitch, ipSYNCSwitchPressedHighestPriority }.
The judgment conditions do not involve a continuous variable.
The value range of each discrete variable is read to form the set { { off, on }, { false, true } }.
The judgment conditions are equivalently replaced. The two judgment conditions after replacement are (the two variables are abbreviated as ipV1 and ipV2 hereinafter): ipV2 = 2 and (ipV1 = 2) || (ipV2 = 1).
The expanded judgment conditions are (ipV1 = 1 & ipV2 = 2) || (ipV1 = 2 & ipV2 = 2) and (ipV1 = 2 & ipV2 = 1) || (ipV1 = 2 & ipV2 = 2) || (ipV1 = 1 & ipV2 = 1).
Obviously the two share the same conjunction ipV1 = 2 & ipV2 = 2, and the two rows output different values; that is, ipSYNCSwitch = on and ipSYNCSwitchPressedHighestPriority = true satisfies both rows of the table.
In fact, before the modification, the judgment condition of the first row of the table was ipSYNCSwitch = off & ipSYNCSwitchPressedHighestPriority = true. The table then meets the judgment mutual exclusion constraint of the internal layer.
Step four: and (3) carrying out constraint verification on judgment completeness of an internal layer, wherein the working principle is as follows:
1) analyzing all judgment conditions of the judgment condition field for a certain judgment relation table to obtain the following information: variables judged in the judgment condition, and the value ranges of these variables.
2) And corresponding the judgment condition of each line to a first judgment set, wherein one element in the first judgment set is a group of values of all the variables. If a certain judgment condition corresponds to a certain set, the set contains all value combinations which can meet the judgment condition.
3) Constructing a complete set containing all possible value combinations according to the value range of the variable mentioned in 1). Merging all the first judgment sets in the step 2) into a large second judgment set, and judging whether the second judgment set is the same as the full set. Obviously, if the values are different, it is indicated that no judgment condition is satisfied when the missing value combination appears in the software, and the judgment completeness is violated.
When the constraint check of a certain judgment relation table can accept judgment mutual exclusion, the algorithm process is as follows:
4-1) From the variables appearing in the judgment conditions of all rows of the judgment relation table, an always-true disjunctive normal form is constructed, i.e. one containing all possible value combinations of all the variables.
4-2) Form the disjunction of the expanded judgment conditions of all rows and compare the resulting disjunctive normal form with that of the previous step. If they differ, the table contains value combinations that are not considered: when the variables take such a missing combination, no row of the judgment relation table is satisfied, and judgment completeness is violated. A prompt that the table violates judgment completeness is added to the error information.
Fig. 5 shows a judgment relationship in an RTM model corresponding to a flight guidance system FGS, in which some errors are artificially modified as an example of judgment completeness constraint for judging an internal layer.
The configuration set of the configuration class cfHDG is { cUndefined, cSelected, cCleared }.
The data type of the internal variable tHDGSelect is basic type boolean, and the value range is { false, true }.
Wherein the data type of the internal variable tNonbasicLaterAlConfigIsActivated is a basic type boolean, and the value range is { false, true }.
① Under the configuration cUndefined.
And reading discrete variables related to the judgment condition to form a set { tHDGSelect }.
The judgment condition does not relate to a continuous variable. If continuous variables are involved, the continuous domain values are segmented, the segmented domain values correspond to one discrete variable, and then the discrete variables are combined into a set.
And reading the value range of each discrete variable to form a set { { false, true } }.
A disjunctive normal form containing all value cases is constructed (the variable is abbreviated as ipV1 hereinafter): (ipV1 = 1) || (ipV1 = 2).
The judgment conditions are equivalently replaced. The two judgment conditions after replacement are: ipV1 = 2 and ipV1 = 1.
The judgment conditions remain unchanged after expansion.
The disjunction of the two rows' judgment conditions gives (ipV1 = 2) || (ipV1 = 1), which is the same as the disjunctive normal form containing all values.
② under the configuration of cSelected.
The steps are completely the same as the first step.
③ Under the configuration cCleared.
And reading discrete variables related to the judgment condition to form a set { tHDGSelect }.
The judgment condition does not relate to a continuous variable.
And reading the value range of each discrete variable to form a set { { false, true } }.
A disjunctive normal form containing all value cases is constructed (the variable is abbreviated as ipV1 hereinafter): (ipV1 = 1) || (ipV1 = 2).
The judgment condition is equivalently replaced. The judgment condition after replacement is: ipV1 = 2.
The judgment condition remains unchanged after expansion.
Since there is only one row of judgment conditions, it is compared directly with the disjunctive normal form containing all value cases, and the case ipV1 = 1 is not found; that is, under the configuration cCleared, when tHDGSelect is false no row of the table is satisfied.
In fact, before the manual modification, another row followed in the table, belonging to the configuration cCleared, with judgment condition tHDGSelect = false and output value false. The table then does not violate judgment completeness.
Referring to FIG. 6, a general flow for simultaneously examining the above two constraints for a set of table rows in the same configuration is shown.
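The two internal-layer checks above (judgment mutual exclusion in step three and judgment completeness in step four), together with the FIG. 4 and FIG. 5 examples, can be implemented as follows. This is an added example written for this page, not code from the patent or its applicant. It represents a judgment relation table as rows of (configuration, judgment condition in disjunctive normal form, output value), performs the equivalent replacement of discrete and continuous variables described above, and compares the resulting judgment sets directly rather than through the expanded normal forms, which is equivalent. The variable names follow the FIG. 4 and FIG. 5 examples; the table contents and the continuous variable x are constructed.

```python
from itertools import product

# Comparison operators the page allows in an atomic judgment condition
# ("variable + comparison operator + value").
OPS = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def codes_for(name, spec, rows):
    """Discretise one variable as in the page's equivalent replacement.

    Returns (list of discrete codes, function mapping a code to a representative value).
    Discrete variables: the values of the value range are numbered from 1.
    Continuous variables (spec == "continuous"): the n comparison values that appear
    for this variable in the table split its range into 2n+1 numbered segments
    (below the smallest, equal to it, between it and the next, ..., above the largest).
    """
    if spec != "continuous":
        return list(range(1, len(spec) + 1)), lambda code: spec[code - 1]
    cuts = sorted({atom[2] for _, dnf, _ in rows for conj in dnf
                   for atom in conj if atom[0] == name})
    n = len(cuts)
    if n == 0:                       # variable never compared: one segment covers everything
        return [1], lambda code: 0

    def rep(code):
        if code % 2 == 0:            # even code 2k+2: exactly the k-th (0-based) cut value
            return cuts[code // 2 - 1]
        k = code // 2                # odd code 2k+1: strictly between cut k-1 and cut k
        if k == 0:
            return cuts[0] - 1
        if k == n:
            return cuts[-1] + 1
        return (cuts[k - 1] + cuts[k]) / 2
    return list(range(1, 2 * n + 2)), rep


def judgment_set(names, codes, reps, dnf):
    """The page's 'judgment set': every combination of discretised values that satisfies
    a judgment condition in disjunctive normal form (a list of conjunctions, each a list
    of (variable, operator, value) atoms)."""
    result = set()
    for combo in product(*[codes[n] for n in names]):
        env = {n: reps[n](c) for n, c in zip(names, combo)}
        if any(all(OPS[op](env[v], val) for v, op, val in conj) for conj in dnf):
            result.add(combo)
    return result


def check_table(variables, rows):
    """Judgment mutual exclusion (step three) and judgment completeness (step four)
    for one judgment relation table.

    variables: {name: [enum values]} for discrete variables or {name: "continuous"}.
    rows: list of (configuration, dnf, output value), one per table row.
    Returns (exclusion_violations, missing): the violating (configuration, row i, row j)
    triples, and per configuration the value combinations no row covers."""
    names = sorted(variables)
    codes, reps = {}, {}
    for n in names:
        codes[n], reps[n] = codes_for(n, variables[n], rows)
    full = set(product(*[codes[n] for n in names]))
    exclusion, missing = [], {}
    # Rows are compared only within the same configuration (the page's third configuration set).
    for cfg in sorted({cfg for cfg, _, _ in rows}):
        idx = [i for i, r in enumerate(rows) if r[0] == cfg]
        sets = {i: judgment_set(names, codes, reps, rows[i][1]) for i in idx}
        for a in idx:
            for b in idx:
                # a shared combination with different outputs means both rows fire at once
                if a < b and rows[a][2] != rows[b][2] and sets[a] & sets[b]:
                    exclusion.append((cfg, a, b))
        uncovered = full - set().union(*sets.values())
        if uncovered:
            missing[cfg] = sorted(tuple(reps[n](c) for n, c in zip(names, combo))
                                  for combo in uncovered)
    return exclusion, missing


if __name__ == "__main__":
    # Constructed data following the page's FIG. 4 example: row 1 was changed by hand
    # from "ipSYNCSwitch = off & ...Priority = true" to just "...Priority = true".
    V = {"ipSYNCSwitch": ["off", "on"],
         "ipSYNCSwitchPressedHighestPriority": ["false", "true"]}
    modified = [
        ("cON", [[("ipSYNCSwitchPressedHighestPriority", "=", "true")]], "true"),
        ("cON", [[("ipSYNCSwitch", "=", "on")],
                 [("ipSYNCSwitchPressedHighestPriority", "=", "false")]], "false"),
    ]
    print(check_table(V, modified))   # rows 0 and 1 both fire for (on, true)
```

For a continuous variable the returned missing combinations carry a representative value of the uncovered segment (for example one less than the smallest comparison value), which is enough to reproduce the gap in a test case; the codes themselves are the same 1 to 2n+1 numbering the page describes.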
Step five: and performing excitation mutual exclusion constraint verification of an internal layer (simultaneously used for checking a configuration conversion table), wherein the working principle is as follows:
1) analyzing all the incentives of the incentive field to a certain incentive relation table to obtain the following information: variables involved in the excitation, value ranges for these variables.
2) The excitation of each row corresponds to two sets, one element in a set being a set of values for all of the above variables. If a certain excitation corresponds to a certain two sets, the former set contains all possible value combinations before the excitation occurs, and the latter set contains all possible value combinations after the excitation occurs.
3) And comparing the two sets corresponding to each row pairwise, and judging whether the same value combination exists in the two sets. Obviously, if the combination exists, the two excitations are considered to occur and violate the excitation mutual exclusion constraint of the internal layer when the software is converted from the same value combination in the former set to the same value combination in the latter set.
In the analysis of the excitation mutual exclusion constraint of the internal layer, C excitations need special handling, because the excitation judgment condition of a C excitation may change either from true to false or from false to true, which is uncertain. The specific method is as follows:
For each row of excitation, if the number of AND excitations whose excitation operator is C is n, the row is copied 2^n times. For ease of processing, the copies may be coded with the 2^n n-bit binary numbers starting from 0; each code corresponds to one copied excitation. The i-th bit of the code corresponds to the i-th AND excitation that was originally C in that copy: if the bit is 0 the AND excitation is set to T, and if it is 1 it is set to F.
The detailed algorithm process of the excitation mutual exclusion constraint analysis of the internal layer is as follows:
5-1) Traverse the excitation relation table and collect its distinct configurations into a first excitation set, in the same way as for judgment mutual exclusion.
5-1) Traverse all rows of the excitation relation table whose configuration field equals the current configuration in the first excitation set and parse the excitations. The following data structures are collated: the variable output value and excitation of each traversed row; the AND excitations of each row, each with its excitation operator, guard operator, excitation judgment condition and guard judgment condition; each distinct continuous variable appearing in the table, with the set of values appearing on the right side of its atomic judgment conditions; and each distinct discrete variable appearing in the excitation relation table, with the set of all values of its value range.
5-2) Process the C excitations as described above.
5-3) for the value sets corresponding to the continuous variables, sorting the values of the value sets from small to large, and conveniently adding the continuous intervals and the like into discrete values.
5-4) executing the same method as the judgment mutual exclusion check flow for the excitation judgment condition AND the guard judgment condition of each AND excitation of each row, replacing the excitation judgment condition AND the guard judgment condition with a disjunctive normal form, AND discretizing all variables in the disjunctive normal form.
5-5) Since an excitation is equivalent to a judgment condition P satisfied at the previous instant and a judgment condition P' satisfied at the next instant, this step derives the two disjunctive normal forms corresponding to each AND excitation. PGuard and PEvent denote the guard judgment condition and the excitation judgment condition respectively. The processing is as follows:
· T-PRE: P = PGuard ∧ ¬PEvent, P' = PEvent
· T-POST: P = ¬PEvent, P' = PGuard ∧ PEvent
· T-BOTH: P = PGuard ∧ ¬PEvent, P' = PGuard ∧ PEvent
· F-PRE: P = PGuard ∧ PEvent, P' = ¬PEvent
· F-POST: P = PEvent, P' = PGuard ∧ ¬PEvent
· F-BOTH: P = PGuard ∧ PEvent, P' = PGuard ∧ ¬PEvent
5-6) Conjoin the P and P' of every processed AND excitation in a row to obtain the two judgment conditions under which that row's excitation occurs: the row's excitation is considered to occur when the variable value combination at one instant satisfies judgment condition 1 and the combination at the next instant satisfies judgment condition 2.
5-7) Compare the two disjunctive normal forms formed by each pair of rows of excitation. If the first expressions of the two rows share an identical conjunction and so do the second expressions, then when the variable values at one instant form a combination present in both first expressions and at the next instant a combination present in both second expressions, the excitations of both rows clearly occur at once; if the output values of the two rows also differ, the excitation mutual exclusion constraint of the internal layer is violated, and a prompt that the table violates the excitation mutual exclusion constraint of the internal layer is added to the error information.
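Steps 5-2 to 5-7, together with the earlier definition of AND excitations with the T/F/C excitation operators and the PRE/POST/BOTH guard operators, as an added example that is not code from the patent or its applicant. The excitation and guard judgment conditions are given as Python predicates over a state dictionary instead of disjunctive normal forms, and only discrete variables are used so that all states can be enumerated; the variables alt and mode, the configuration name and the table rows are constructed.

```python
from itertools import product


def expand_c_stimuli(and_stimuli):
    """Step 5-2: an excitation with n AND excitations whose operator is C is copied 2**n
    times; bit i of the copy's code sets the i-th C excitation to T (bit 0) or F (bit 1).
    Each AND excitation is (operator, event_pred, guard_operator, guard_pred)."""
    c_positions = [i for i, s in enumerate(and_stimuli) if s[0] == "C"]
    copies = []
    for bits in product("01", repeat=len(c_positions)):
        copy = list(and_stimuli)
        for bit, i in zip(bits, c_positions):
            copy[i] = ("T" if bit == "0" else "F",) + tuple(and_stimuli[i][1:])
        copies.append(copy)
    return copies


def before_after(stimulus):
    """Step 5-5: the pair (P, P') for one T or F AND excitation.
    P must hold in the state before the excitation and P' in the state after it;
    the guard condition is added to P for PRE, to P' for POST and to both for BOTH."""
    op, event, guard_op, guard = stimulus
    pre = guard if guard_op in ("PRE", "BOTH") else (lambda s: True)
    post = guard if guard_op in ("POST", "BOTH") else (lambda s: True)
    if op == "T":   # excitation judgment condition changes from false to true
        return (lambda s: pre(s) and not event(s)), (lambda s: post(s) and event(s))
    if op == "F":   # excitation judgment condition changes from true to false
        return (lambda s: pre(s) and event(s)), (lambda s: post(s) and not event(s))
    raise ValueError("C excitations must be expanded first")


def state_sets(variables, and_stimuli):
    """For every C-expanded copy of an excitation, the set of states satisfying P and
    the set satisfying P'. The P of the whole row is the conjunction of the P of its
    AND excitations (step 5-6), and likewise for P'."""
    names = sorted(variables)
    states = [dict(zip(names, vals)) for vals in product(*[variables[n] for n in names])]
    result = []
    for copy in expand_c_stimuli(and_stimuli):
        pairs = [before_after(s) for s in copy]
        before = {tuple(st[n] for n in names) for st in states if all(p(st) for p, _ in pairs)}
        after = {tuple(st[n] for n in names) for st in states if all(q(st) for _, q in pairs)}
        result.append((before, after))
    return result


def check_excitation_exclusion(variables, rows):
    """Step 5-7 for one excitation relation table. rows: (configuration, and_stimuli, output).
    Two rows of the same configuration with different outputs violate excitation mutual
    exclusion if some transition (s, s') satisfies the (P, P') of both rows."""
    sets = [state_sets(variables, stims) for _, stims, _ in rows]
    violations = []
    for i, (ci, _, oi) in enumerate(rows):
        for j, (cj, _, oj) in enumerate(rows):
            if i < j and ci == cj and oi != oj and any(
                    bi & bj and ai & aj for bi, ai in sets[i] for bj, aj in sets[j]):
                violations.append((ci, i, j))
    return violations


if __name__ == "__main__":
    # Constructed example: the two rows look different but both fire on the transition
    # alt low -> high while mode is on, so they violate excitation mutual exclusion.
    V = {"alt": ["low", "high"], "mode": ["off", "on"]}
    high = lambda s: s["alt"] == "high"
    low = lambda s: s["alt"] == "low"
    mode_on = lambda s: s["mode"] == "on"
    table = [("cON", [("T", high, "PRE", mode_on)], "climb"),
             ("cON", [("F", low, None, None)], "descend")]
    print(check_excitation_exclusion(V, table))
```

The sample table shows why the check compares state sets rather than the textual excitations: T on alt = high and F on alt = low describe the same transition, and only the guard distinguishes them. Keeping each C-expanded copy as its own (P, P') pair, rather than taking the union over copies, preserves the pairing of before and after states that step 5-7 relies on.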
Step six: and (4) carrying out constraint verification on an output layer, wherein the working principle is as follows:
1) and reading all output values under the output value fields in the judgment relation table and the excitation relation table to serve as an output value set.
2) And taking the value range of the variable influenced by the judgment relation table or the excitation relation table as a value range set.
3) And comparing whether the output value set and the value range set are the same. Obviously, if they are not the same, it means that some output value will never be generated.
Referring to fig. 8, the algorithm proceeds as follows:
6-1) obtaining a table function set from the RTM model, and traversing all elements, namely all table functions.
6-2) reading the value range of the associated variable of the judgment relation table or the excitation relation table.
6-3) reading the table of the table function, traversing all elements, namely all table rows, reading variable output value fields of each row, and adding the values of the output value fields into one output value set.
6-4) Determine whether the output value set completely contains all possible values of the value range. If the variable controlled by the judgment relation table or excitation relation table is discrete, check whether each discrete value of the value range appears in the output value set; if the variable is continuous, check whether the union of all intervals in the output value set equals the value range interval.
6-5) if the table does not meet the constraint, adding a prompt that the table violates the output layer constraint into the error information.
Fig. 7 shows a decision relationship in an RTM model corresponding to a flight guidance system FGS, in which some errors are artificially modified as an example of output layer constraint verification.
The configuration set of the configuration class cfHDG is { cUndefined, cSelected, cCleared }.
The data type of the output variable opHDGLamp is yLamp, and its value range is inherited from that data type.
The parent type of the data type yLamp is the basic type enumerated, and its value range is { off, on }.
First, the value range { off, on } of the output variable opHDGLamp is obtained. Then the output value field of the table is traversed to construct the output value set { off }. The latter obviously lacks the output value on.
In fact, before the manual modification, the output value of the first row of the table was on. The table then meets the output layer constraint.
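The input layer check (step two) and the output layer check (step six), applied to the FIG. 2 and FIG. 7 examples, as an added example that is not code from the patent or its applicant. The model and tables below are constructed from the page's description: the row conditions are placeholder strings because neither check reads them, and opTargetSpeed is a hypothetical continuous output variable added to show the interval-union case of step 6-4.

```python
def check_input_layer(model, table):
    """Step two: every configuration of the table's dependent configuration class must
    appear in the table's configuration field. Returns the configurations the table
    never considers, or None when the table depends on no configuration class
    (the check is skipped, as in step 2-2)."""
    cls = table.get("dependent_class")
    if cls is None:
        return None
    first = set(model["config_classes"][cls])            # first configuration set
    second = {row[0] for row in table["rows"]}           # second configuration set
    return first - second


def check_output_layer(model, table):
    """Step six: the output value field must cover the whole value range of the
    variable the table controls. Discrete variable: returns the values never output.
    Continuous variable (range given as (lo, hi), outputs as (lo, hi) intervals):
    returns the gaps left by the union of the output intervals."""
    domain = model["variables"][table["variable"]]
    produced = [row[2] for row in table["rows"]]
    if isinstance(domain, list):
        return set(domain) - set(produced)
    lo, hi = domain
    gaps, cursor = [], lo
    for a, b in sorted(produced):       # merge intervals left to right, noting uncovered spans
        if a > cursor:
            gaps.append((cursor, a))
        cursor = max(cursor, b)
    if cursor < hi:
        gaps.append((cursor, hi))
    return gaps


# Constructed model after the page's FIG. 2 and FIG. 7 examples (row conditions are
# placeholders; opTargetSpeed and its table are hypothetical).
MODEL = {
    "config_classes": {"cfConfig": ["cOFF", "cON"],
                       "cfHDG": ["cUndefined", "cSelected", "cCleared"]},
    "variables": {"tHDGDeselect": ["false", "true"],
                  "opHDGLamp": ["off", "on"],
                  "opTargetSpeed": (0, 350)},
}
FIG2_TABLE = {"variable": "tHDGDeselect", "dependent_class": "cfConfig",
              "rows": [("cON", "tHDGSwitchPressed = true", "true"),
                       ("cON", "tHDGSwitchPressed = false", "false")]}
FIG7_TABLE = {"variable": "opHDGLamp", "dependent_class": "cfHDG",
              "rows": [("cUndefined", "true", "off"),
                       ("cSelected", "true", "off"),
                       ("cCleared", "true", "off")]}
SPEED_TABLE = {"variable": "opTargetSpeed", "dependent_class": None,
               "rows": [("", "phase = climb", (0, 250)),
                        ("", "phase = cruise", (280, 350))]}

if __name__ == "__main__":
    print(check_input_layer(MODEL, FIG2_TABLE))     # configuration cOFF is never considered
    print(check_output_layer(MODEL, FIG7_TABLE))    # output value on is never produced
    print(check_output_layer(MODEL, SPEED_TABLE))   # speeds between 250 and 280 never output
```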
It should be understood that equivalents and modifications to the invention as described herein may occur to those skilled in the art, and all such modifications and alterations are intended to fall within the scope of the appended claims.

Claims (9)

1. A formalized semantic analysis and inspection method for a requirement-oriented table model is characterized by comprising the following steps:
Step one: import an RTM (requirement table model) model converted from the project requirements. An RTM model contains the following sets: data types, constants, input variables, configuration classes, internal variables, output variables and table functions; the table functions are divided into three types, namely the judgment relation table, the excitation relation table and the configuration conversion table; wherein:
converting a group of judgment type requirements which generate similar output into a judgment relation table, wherein the auxiliary information of the judgment relation table indicates the variable name of the variable which is influenced by the requirements together, and different output values generated in the requirements correspond to one line in the judgment relation table; the fields of the table are: the configuration, the judgment condition and the output value;
a group of excitation type requirements which generate similar output is converted into an excitation relation table, whose attached information indicates the variable name of the variable jointly affected by the requirements, and each different output value generated in the requirements corresponds to one row in the excitation relation table; the fields of the table are: the configuration, the excitation and the output value;
the configuration conversion table corresponds to each configuration class in the model and indicates from which configuration to which configuration a switch should be made when the values of the variables in the software change.
Step two: performing various analyses on the RTM model.
2. The method according to claim 1, wherein the input layer constraint verification comprises the following steps:
2-1) obtaining the table function set from the RTM model and traversing all table functions;
2-2) reading the name of the dependent configuration class of each judgment relation table or excitation relation table; obtaining the configuration class set from the RTM model, finding the configuration classes matching the dependent configuration class names, and adding them one by one into a first configuration set;
2-3) traversing all rows of the judgment relation table or excitation relation table, reading the configuration field of each row, and adding it one by one into a second configuration set;
2-4) judging whether the first configuration set and the second configuration set are the same; if not, some configurations of the class have not been considered by the judgment relation table or excitation relation table, and a prompt that the table violates the input layer constraint is added to the error information.
3. The formalized semantic analysis and inspection method for a requirement-oriented table model according to claim 1, wherein the judgment mutual exclusion constraint verification of the internal layer comprises the following steps:
3-1) obtaining the table function set from the RTM model and traversing all table functions;
3-2) if the table function is a judgment relation table, traversing all its rows, reading the configuration of each row, and adding each different configuration one by one into a third configuration set;
3-3) for each configuration in the third configuration set, performing all of the following operations:
traversing all rows of the judgment relation table whose configuration field equals the current configuration in the third configuration set, analyzing their judgment conditions, and organizing the following data structures: the variable output value and judgment condition of each traversed row; each distinct continuous variable appearing in the judgment relation table and, for each continuous variable, the set of values appearing on the right-hand side of its atomic judgment conditions; each distinct discrete variable appearing in the judgment relation table and, for each discrete variable, the set of all values of its value domain;
for the value set of each continuous variable, sorting its values from small to large;
for the judgment condition of each row, performing equivalent replacement of the atomic judgment conditions, which discretizes the variables;
enumerating all possible value combinations of all variables to form a disjunctive normal form structure;
expanding the disjunctive normal form: for the variables not constrained in each conjunctive clause, combining each possible value group of those variables with the original conjunctive clause to generate new conjunctive clauses, and replacing the original clause with them;
comparing the expanded formulas formed from the judgment conditions of every two rows pairwise; if two rows share the same conjunctive clause, then when the variable values take the value combination of that clause the judgment conditions of both rows are obviously satisfied at the same time; if the output values of the two rows still differ, judgment mutual exclusion is violated, and a prompt that the table violates judgment mutual exclusion is added to the error information.
4. The formalized semantic analysis and inspection method for a requirement-oriented table model according to claim 3, wherein the equivalent replacement of an atomic judgment condition is performed as follows:
for an atomic judgment condition containing a discrete variable, numbering each value of the variable's value domain from 1 and replacing the value on the right-hand side of the atomic judgment condition with its number;
for an atomic judgment condition containing a continuous variable, segmenting the variable's value domain using all values in the variable's value set collected from the judgment conditions of all rows, numbering each interval from 1, and then replacing every atomic judgment condition with the value range corresponding to its intervals.
5. The formalized semantic analysis and inspection method for a requirement-oriented table model according to claim 1, wherein the judgment completeness constraint verification of the internal layer comprises the following steps:
4-1) according to the variables appearing in the judgment conditions of all rows of a given judgment relation table, organizing a disjunctive normal form containing all possible value combinations of all variables;
4-2) expanding the judgment conditions of all rows into a disjunctive normal form and comparing it with the disjunctive normal form of the previous step; if they are not equal, the judgment relation table contains value combinations that have not been considered: when the variable values take a missing combination, no row's judgment condition in the judgment relation table is satisfied, which violates judgment completeness, and a prompt that the table violates judgment completeness is added to the error information.
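The judgment mutual exclusion check of claim 3, the interval discretization of claim 4 and the completeness check of claim 5, as an added Python example that is not the patent's own code; the sample judgment relation table, its variables and their value domains are constructed for illustration:

```python
from itertools import product
import operator

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

# Constructed sample judgment relation table (not from the patent): one configuration,
# a discrete variable `mode` and a continuous variable `alt` with value domain [0, 10000].
DISCRETE = {"mode": ["A", "B", "C"]}
CONTINUOUS = {"alt": (0, 10000)}
ROWS = [  # (configuration, conjunction of atomic conditions (var, op, value), output value)
    ("cfg1", [("mode", "==", "A"), ("alt", "<", 500)], "low"),
    ("cfg1", [("mode", "==", "A"), ("alt", ">=", 500)], "high"),
    ("cfg1", [("mode", "==", "B")], "idle"),
    ("cfg1", [("alt", ">", 9000)], "alarm"),   # overlaps rows 2 and 3; mode C is never covered
]

def probes_for(lo, hi, cuts):
    """Split the domain [lo, hi] at every right-hand-side value into segments (each cut
    point and each open interval between cuts); return one probe value per segment."""
    pts = sorted(set(cuts) | {lo, hi})
    probes = []
    for a, b in zip(pts, pts[1:]):
        probes += [a, (a + b) / 2]
    return probes + [hi]

def expand(conds, probes):
    """Expand a row's conjunctive condition into its set of segment-index combinations
    (the row's disjunctive normal form over all variables, unconstrained ones included)."""
    allowed = {v: set(range(len(p))) for v, p in probes.items()}
    for var, op, val in conds:
        allowed[var] &= {i for i, p in enumerate(probes[var]) if OPS[op](p, val)}
    return set(product(*(sorted(allowed[v]) for v in probes)))

def check_table(rows, discrete, continuous, config):
    """Return the mutual-exclusion and completeness violations for one configuration."""
    probes = {v: list(dom) for v, dom in discrete.items()}  # every discrete value is a segment
    for v, (lo, hi) in continuous.items():
        probes[v] = probes_for(lo, hi, [val for _, c, _ in rows for var, _, val in c if var == v])
    dnf = [(expand(c, probes), out) for cfg, c, out in rows if cfg == config]
    errors = []
    for i in range(len(dnf)):
        for j in range(i + 1, len(dnf)):
            if dnf[i][1] != dnf[j][1] and dnf[i][0] & dnf[j][0]:
                errors.append(f"mutual exclusion violated: rows {i + 1} and {j + 1}")
    full = set(product(*(range(len(p)) for p in probes.values())))
    covered = set().union(*(s for s, _ in dnf))
    if covered != full:
        errors.append(f"completeness violated: {len(full - covered)} uncovered combinations")
    return errors
```

Running `check_table(ROWS, DISCRETE, CONTINUOUS, "cfg1")` reports rows 2/4 and 3/4 as mutually non-exclusive and five uncovered value combinations (the `mode == C` segments outside `alt > 9000`).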
6. The formalized semantic analysis and inspection method for a requirement-oriented table model according to claim 1, wherein the excitation mutual exclusion constraint verification of the internal layer comprises the following steps:
5-1) traversing the excitation relation table to obtain the different configurations in it, forming a first excitation set;
5-1) traversing all rows of the excitation relation table whose configuration field value equals the current configuration in the first excitation set, analyzing the excitations, and organizing the following data structures: the variable output value and excitation of each traversed row; the excitation operator, guard operator, excitation judgment condition and guard judgment condition of each AND-excitation of each traversed row; each distinct continuous variable appearing in the table and, for each continuous variable, the set of values appearing on the right-hand side of its atomic judgment conditions; each distinct discrete variable appearing in the excitation relation table and, for each discrete variable, the set of all values of its value range;
5-2) processing the -C excitations;
5-3) for the value set of each continuous variable, sorting its values from small to large;
5-4) replacing the excitation judgment condition and the guard judgment condition of each AND-excitation of each row with a disjunctive normal form;
5-5) equating each excitation to a judgment condition P satisfied at the previous moment and a judgment condition P' satisfied at the next moment;
5-6) combining all P and all P' of each processed AND-excitation row to obtain the two judgment conditions under which the excitation row is satisfied: when the variable value combination at some moment satisfies judgment condition 1 and the variable value combination at the next moment satisfies judgment condition 2, the excitation of that row is judged to occur;
5-7) comparing the two disjunctive normal forms formed for each excitation row pairwise; if the two rows' first expressions share the same conjunctive clause and their second expressions share the same conjunctive clause, then when the variable values at some moment take the value combination present in both first expressions and the variable values at the next moment take the value combination present in both second expressions, the excitations of both rows are obviously satisfied at the same time; if the output values of the two rows still differ, the excitation mutual exclusion constraint of the inner layer is violated, and a prompt that the table violates the excitation mutual exclusion constraint of the inner layer is added to the error information.
7. The formalized semantic analysis and inspection method for a requirement-oriented table model according to claim 6, wherein the -C excitations are processed as follows:
for each excitation row, if the number of excitations with excitation operator -C in its AND-excitation is n, 2^n rows are copied and encoded with binary numbers from 0 to 2^n, each code corresponding to one copied excitation.
8. The method according to claim 6, wherein equating an excitation to the judgment condition P satisfied at the previous moment and the judgment condition P' satisfied at the next moment is performed as follows:
~T-PRE: P = P_Guard ∧ ¬P_Event, P' = P_Event
~T-POST: P = ¬P_Event, P' = P_Guard ∧ P_Event
~T-BOTH: P = P_Guard ∧ ¬P_Event, P' = P_Guard ∧ P_Event
~F-PRE: P = P_Guard ∧ P_Event, P' = ¬P_Event
~F-POST: P = P_Event, P' = P_Guard ∧ ¬P_Event
~F-BOTH: P = P_Guard ∧ P_Event, P' = P_Guard ∧ ¬P_Event
9. The formalized semantic analysis and inspection method for a requirement-oriented table model according to claim 1, wherein the output layer constraint verification comprises the following steps:
6-1) obtaining the table function set from the RTM model and traversing all table functions;
6-2) reading the value range of the variable associated with the judgment relation table or excitation relation table;
6-3) reading the judgment relation table or excitation relation table, traversing all rows, reading the variable output value field of each row, and adding the value of the output value field into an output value set;
6-4) judging whether the output value set completely covers all possible values of the value range: if the variable controlled by the judgment relation table or excitation relation table is discrete, judging whether each discrete value of the value range appears in the output value set; if the variable is continuous, judging whether the union of all intervals in the output value set equals the value range interval;
6-5) if the table does not satisfy the constraint, adding a prompt that the table violates the output layer constraint to the error information.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210421720.XA CN114741052B (en) 2022-04-21 2022-04-21 Formalized semantic analysis and inspection method for demand form model
Publications (2)

Publication Number Publication Date
CN114741052A true CN114741052A (en) 2022-07-12
CN114741052B CN114741052B (en) 2024-04-12

Family

ID=82283771
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant