CN114741052B - Formalized semantic analysis and inspection method for demand form model - Google Patents

Formalized semantic analysis and inspection method for demand form model

Info

Publication number
CN114741052B
Authority
CN
China
Legal status
Active
Application number
CN202210421720.XA
Other languages
Chinese (zh)
Other versions
CN114741052A (en
Inventor
康介祥
王辉
崔杰
高忠杰
尹伟
Current Assignee
China Aeronautical Radio Electronics Research Institute
Original Assignee
China Aeronautical Radio Electronics Research Institute

Abstract

The invention discloses a formalized semantic analysis and inspection method for a requirement table model. It maps the requirements of airborne safety-critical software into a mathematical model based on propositional logic and relation theory, gives the semantics of the requirements a strict mathematical definition, and then designs a series of automatic algorithms to verify the multi-layer semantic constraints of the requirements.

Description

Formalized semantic analysis and inspection method for demand form model
Technical Field
The invention relates to the technical field of requirement modeling and verification for airborne safety-critical software, in particular to a method that maps the requirements of airborne safety-critical software into a mathematical model based on propositional logic and relation theory, defines the semantics of that model strictly and mathematically, and then designs a series of automatic algorithms to verify the multi-layer semantic constraints of the requirements.
Background
Modern airborne software implements most of the functions of modern aircraft and their systems, and its importance to aircraft systems keeps growing. The safety of airborne software with safety-critical features is therefore an important part of modern aircraft safety. Airborne software, however, has the particularity that it cannot be inspected and tested like physical components of an aircraft such as cables, skins and panels, nor can it be tested exhaustively; its safety must instead be assured by a strict and standardized software development process. DO-178B/C, Software Considerations in Airborne Systems and Equipment Certification, issued by the Radio Technical Commission for Aeronautics (RTCA), targets the specific industrial field of airborne software and explicitly requires that requirements be treated as a core product of airborne software development, with development, test, verification and certification work organized around them. This standard has been accepted by the Federal Aviation Administration (FAA), the European Aviation Safety Agency (EASA) and the Civil Aviation Administration of China (CAAC) as an acceptable means of safety compliance for developing airborne software.
Model-based systems engineering (MBSE) was proposed in recent years by the International Council on Systems Engineering (INCOSE). MBSE emphasizes the use of multi-level abstract models in the field of complex critical systems to describe the work product of each stage of system development, and in particular emphasizes discrete mathematical models based on logic, which bring great benefits to the analysis and verification of important system attributes. Accordingly, in the field of safety-critical airborne software, the latest DO-178C standard also provides a compliance criterion for requirement verification methods based on a mathematical model: the semantics of the requirements are modeled with a suitable mathematical model at the requirement level of the airborne software, and the multi-level semantic constraints of the requirements are then verified. This approach is becoming an effective means of demonstrating compliance. However, DO-178C does not specify which mathematical model should be used or which verification technique should be adopted; it only states the compliance objectives that a requirement verification method based on a mathematical model must meet, and allows different mathematical models and verification methods to be adopted to reach a common compliance objective.
In the field of aeronautical systems with safety-critical features, the verification of airborne software requirements generally has to meet several objectives. The airborne software has many different operating configurations, which may be in effect in parallel along several dimensions (for example, longitudinal control and lateral control in an automatic flight system correspond to two different configurations in the software's operating space, and each is further divided into sub-configurations according to its targets), so the behaviour under each of the different configurations must be verified; the software must produce predictable, deterministic output for the same input data set; and the hierarchical judgment conditions, stimuli and the like in its internal processing must remain mutually exclusive, with no overlaps allowed.
Mathematical logic in computer science is a discrete mathematical system based on set theory; it expresses propositions with strictly defined logical symbols and comprises propositional logic, first-order predicate logic and other systems. Propositional logic can use and, or, not, atomic propositions and other basic elements to give a strict semantic definition, as a logical formula, to content described in natural language (for example, most functional requirements of airborne software are described as itemized natural-language sentences). Although propositional logic provides the most basic elements for defining the semantics of logical formulas, it is not sufficient for the configurations, judgment conditions and stimuli, determinism requirements and the like of the airborne software domain. Relation theory is the foundation of the modern relational database: intuitively, the relationship among several variables can be described by a two-dimensional data table, and the underlying semantic definition of such a table is relational calculus and relational algebra. In airborne software engineering, a tabular form is often used to describe the relationships between data, so a mathematical model suited to airborne software requirements can be established on the basis of the characteristics of the airborne software domain, taking propositional logic and relation theory into account together.
To verify the objectives that the airborne software must meet, automated verification algorithms also have to be designed. Software tools that are based on some mathematical model and support automated checking currently include NuSMV, SPIN, SCADE and others. These tools, however, are designed for general mathematical modeling and automatic analysis, and cannot meet the requirements of compliance verification for the requirement features of airborne software.
Disclosure of Invention
The invention aims to provide a formalized semantic analysis and inspection method for a requirement table model, which maps the requirements of airborne safety-critical software into a mathematical model based on propositional logic and relation theory, defines the semantics of the requirements strictly and mathematically, and then designs a series of automatic algorithms to verify the multi-layer semantic constraints of the requirements.
The invention achieves this aim with the following technical scheme:
A formalized semantic analysis and inspection method for a requirement table model comprises the following steps:
Step one: import an RTM model converted from the itemized requirements. An RTM model contains the following sets: data types, constants, input variables, configuration classes, internal variables, output variables and table functions; the table functions are divided into three kinds, namely judgment relation tables, stimulus relation tables and configuration transition tables, where:
a group of judgment-type requirements that produce the same kind of output is converted into a judgment relation table, and the name of the variable jointly affected by these requirements is noted in the table's auxiliary information; each different output value produced by the requirements corresponds to one row of the judgment relation table, whose fields are configuration, judgment condition and output value;
a group of stimulus-type requirements that produce the same kind of output is converted into a stimulus relation table, and the name of the variable jointly affected by these requirements is noted in the table's auxiliary information; each different output value produced by the requirements corresponds to one row of the stimulus relation table, whose fields are configuration, stimulus and output value;
a configuration transition table corresponds to each configuration class in the model and states which configuration should transition to which other configuration when the values of variables in the software change.
Step two: perform the following analyses on the RTM model.
According to the above features, input-layer constraint verification comprises the following steps:
2-1) obtain the set of table functions from the RTM model and traverse all table functions;
2-2) read the name of the configuration class on which each judgment relation table or stimulus relation table depends; obtain the set of configuration classes from the RTM model, find the configuration class matching that name, and add its configurations one by one to a first configuration set;
2-3) traverse all rows of the judgment relation table or stimulus relation table, read the configuration field of each row, and add it to a second configuration set one by one;
2-4) judge whether the first and second configuration sets are the same; if not, some configuration of the same class has not been considered by the judgment relation table or stimulus relation table, and a prompt that the table violates the input-layer constraint is added to the error information.
According to the above features, inner-layer judgment mutual-exclusion constraint verification comprises the following steps:
3-1) obtain the set of table functions from the RTM model and traverse all table functions;
3-2) if the table is a judgment relation table, traverse all of its rows, read the configuration each row belongs to, and add each distinct configuration to a third configuration set one by one;
3-3) for each configuration in the third configuration set, perform all of the following operations:
traverse the judgment-condition field of every row of the judgment relation table whose configuration equals the current configuration from the third configuration set, parse the judgment condition, and fill in the following data structures: the variable output value and judgment condition of each row traversed; each distinct continuous variable appearing in the table, together with the set of values that appear on the right-hand side of the atomic judgment conditions on that variable; and each distinct discrete variable appearing in the table, together with the set of all values in its value range;
for the value set of each continuous variable, sort the values from small to large;
for the judgment condition of each row, perform equivalent replacement of the atomic judgment conditions, thereby discretizing the variables;
enumerate the possible value combinations of all variables to form a disjunctive normal form;
expand the disjunctive normal form: for every variable not mentioned in a conjunction, combine each possible value of that variable with the original conjunction to generate new conjunctions, and replace the original conjunction by these conjunctions;
compare the expanded formulas of the judgment conditions of every pair of rows; as soon as two rows share the same conjunction, their judgment conditions are evidently satisfied simultaneously when the variables take that value combination; if the output values of the two rows differ, judgment mutual exclusion is violated, and a prompt that the table violates judgment mutual exclusion is added to the error information.
Preferably, the atomic judgment conditions are equivalently replaced as follows:
for an atomic judgment condition containing a discrete variable, number each value in the variable's value domain starting from 1, and replace the value on the right-hand side of the atomic judgment condition by its number;
for atomic judgment conditions containing a continuous variable, split the variable's value range at all values in the value sets collected from the judgment conditions of every row, number each segment starting from 1, and replace each atomic judgment condition by the set of segment numbers that corresponds to its value range.
According to the above features, inner-layer judgment completeness constraint verification comprises the following steps:
4-1) for a given judgment relation table, construct from the variables appearing in the judgment conditions of all its rows the disjunctive normal form that contains all possible value combinations of all variables;
4-2) take the disjunctive normal form obtained by expanding the judgment conditions of all rows and compare it with the disjunctive normal form of the previous step; if they are not equal, a combination has not been accounted for in the judgment relation table, so when the variables take the missing combination no row's judgment condition is satisfied and judgment completeness is violated; a prompt that the table violates judgment completeness is added to the error information.
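As an added illustration (not code from the patent), the following Python sketch carries out the inner-layer judgment mutual-exclusion and completeness checks on a small constructed judgment relation table, using the discretization of continuous variables described above; the table contents, variable names and value ranges are all made up for the example.

```python
from itertools import product

# Constructed sample declarations, not taken from the patent's figures.
DISCRETE = {"mode": ["AUTO", "MANUAL"]}      # discrete variable -> value domain
CONTINUOUS = {"n1": (0.0, 120.0)}            # continuous variable -> value range

# A judgment relation table is a list of rows (configuration, condition, output).
# A condition is kept directly in disjunctive normal form: a list of
# conjunctions, each a list of atomic conditions (variable, operator, value).
# Configuration None means the row applies under every configuration
# (an assumption made here for rows whose configuration field is empty).
GOOD_TABLE = {"variable": "eng_warn", "rows": [
    ("NORMAL",  [[("n1", ">=", 100.0)]],                              "RED"),
    ("NORMAL",  [[("n1", ">=", 95.0), ("n1", "<", 100.0)]],           "AMBER"),
    ("NORMAL",  [[("n1", "<", 95.0)]],                                "NONE"),
    ("TAKEOFF", [[("n1", ">=", 105.0)], [("mode", "==", "MANUAL")]],  "RED"),
    ("TAKEOFF", [[("n1", "<", 105.0), ("mode", "==", "AUTO")]],       "NONE"),
]}

# Deliberately flawed table: AMBER and RED overlap for n1 >= 100, and no row
# covers 90 <= n1 < 95.
BAD_TABLE = {"variable": "eng_warn", "rows": [
    ("NORMAL", [[("n1", ">=", 100.0)]], "RED"),
    ("NORMAL", [[("n1", ">=", 95.0)]],  "AMBER"),
    ("NORMAL", [[("n1", "<", 90.0)]],   "NONE"),
]}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def holds(condition, valuation):
    """A DNF condition holds when some conjunction has all its atoms true."""
    return any(all(OPS[op](valuation[var], val) for var, op, val in conj)
               for conj in condition)

def representatives(var, rows):
    """Discretize a continuous variable as step 3 does: cut its value range at
    every constant the table compares the variable against (sorted from small
    to large) and keep one witness value per segment: each cut point itself
    and the midpoint of every gap between neighbouring cut points. Every atomic
    condition of the table is constant on each segment, so checking the
    witnesses is equivalent to checking the whole range."""
    lo, hi = CONTINUOUS[var]
    cuts = {val for _, cond, _ in rows for conj in cond
            for v, _, val in conj if v == var and lo <= val <= hi}
    bounds = sorted(cuts | {lo, hi})
    return bounds + [(a + b) / 2 for a, b in zip(bounds, bounds[1:])]

def check_judgment_table(table):
    """Inner-layer checks on one judgment relation table. Returns the error
    prompts; an empty list means the table satisfies both constraints."""
    errors, rows = [], table["rows"]
    for cfg in sorted({c for c, _, _ in rows if c is not None} or {None}, key=str):
        cfg_rows = [r for r in rows if r[0] in (cfg, None)]
        variables = sorted({v for _, cond, _ in cfg_rows
                            for conj in cond for v, _, _ in conj})
        domains = [DISCRETE[v] if v in DISCRETE else representatives(v, cfg_rows)
                   for v in variables]
        # Enumerating every combination of witness values is the expanded DNF
        # of steps 3-3 and 4-1; each combination is one conjunction.
        for values in product(*domains):
            valuation = dict(zip(variables, values))
            hits = [(i, out) for i, (_, cond, out) in enumerate(cfg_rows)
                    if holds(cond, valuation)]
            outputs = {out for _, out in hits}
            if not hits:      # step 4-2: a combination no row accounts for
                errors.append(f"{table['variable']}: violates judgment completeness "
                              f"(configuration {cfg}, no row matches {valuation})")
            elif len(outputs) > 1:   # step 3-3: same conjunction, different outputs
                errors.append(f"{table['variable']}: violates judgment mutual exclusion "
                              f"(configuration {cfg}, rows {[i for i, _ in hits]} "
                              f"all hold at {valuation} with outputs {sorted(outputs)})")
    return errors

if __name__ == "__main__":
    for name, table in (("GOOD_TABLE", GOOD_TABLE), ("BAD_TABLE", BAD_TABLE)):
        print(name, "->", check_judgment_table(table) or "no violations")
```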
According to the above features, inner-layer stimulus mutual-exclusion constraint verification comprises the following steps:
5-1) traverse the stimulus relation table to obtain a first stimulus set formed by the distinct configurations in the table;
5-2) for each configuration in the first stimulus set, traverse all rows of the stimulus relation table whose configuration field equals that configuration, parse the stimulus, and fill in the following data structures: the variable output value and the stimulus of each row traversed; the stimulus operator, guard operator, stimulus judgment condition and guard judgment condition of each AND-combined stimulus of each row; each distinct continuous variable appearing in the table, together with the set of values that appear on the right-hand side of the atomic judgment conditions; and each distinct discrete variable appearing in the stimulus relation table, together with the set of all values in its value range;
5-3) perform determinization on the C stimuli;
5-4) sort the values in the value set of each continuous variable from small to large;
5-5) replace the stimulus judgment condition and guard judgment condition of each AND-combined stimulus of each row by a disjunctive normal form;
5-6) convert each stimulus into an equivalent pair consisting of the judgment condition P that must hold at the previous instant and the judgment condition P' that must hold at the following instant;
5-7) combine all P and all P' of the processed AND-combined stimuli of each row, which yields two judgment conditions whose joint satisfaction triggers the row's stimulus: when the variable values at some instant satisfy judgment condition 1 and the variable values at the next instant satisfy judgment condition 2, the row's stimulus is considered to occur;
5-8) compare the two disjunctive normal forms formed from the stimuli of each pair of rows; if the first expressions share a conjunction and the second expressions also share a conjunction, then when the variable values at one instant form a combination present in both first expressions and the variable values at the next instant form a combination present in both second expressions, the stimuli of the two rows are evidently satisfied simultaneously; if the output values of the two rows differ, the inner-layer stimulus mutual-exclusion constraint is violated, and a prompt that the table violates the inner-layer stimulus mutual-exclusion constraint is added to the error information.
Preferably, C stimuli are determinized as follows:
for the stimulus of each row, if the number of stimuli with stimulus operator C among the AND-combined stimuli is n, the row is copied 2^n times, the copies are coded with binary numbers from 0 to 2^n, and each code corresponds to one copy of the stimulus.
Preferably, a stimulus is converted into the judgment condition P satisfied at the previous instant and the judgment condition P' satisfied at the following instant as follows (P_Guard is the guard judgment condition, P_Event the stimulus judgment condition, ¬ negation and ∧ conjunction):
~T-PRE: P = P_Guard ∧ ¬P_Event, P' = P_Event
~T-POST: P = ¬P_Event, P' = P_Guard ∧ P_Event
~T-BOTH: P = P_Guard ∧ ¬P_Event, P' = P_Guard ∧ P_Event
~F-PRE: P = P_Guard ∧ P_Event, P' = ¬P_Event
~F-POST: P = P_Event, P' = P_Guard ∧ ¬P_Event
~F-BOTH: P = P_Guard ∧ P_Event, P' = P_Guard ∧ ¬P_Event
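As an added illustration, not the patent's own code, the following Python sketch encodes the six P/P' rules above, determinizes C stimuli under the assumed reading that C means the event changes in either direction, and checks a small constructed stimulus relation table for inner-layer stimulus mutual exclusion; variable names, domains and rows are constructed for the example.

```python
from itertools import product

# Constructed sample domains (discrete only; a continuous variable would first
# be discretized into segment witnesses as in the judgment-table check).
DOMAINS = {"ap_engaged": [True, False], "gear": ["UP", "DOWN"],
           "alt_above_1000": [True, False]}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def holds(condition, valuation):
    """Condition in disjunctive normal form; [[]] is the always-true guard."""
    return any(all(OPS[op](valuation[var], val) for var, op, val in conj)
               for conj in condition)

# The page's six rules, as functions of the truth values g (guard) and
# e (event) at one instant: first element is P (previous instant),
# second is P' (following instant).
OPERATORS = {
    "~T-PRE":  (lambda g, e: g and not e, lambda g, e: e),
    "~T-POST": (lambda g, e: not e,       lambda g, e: g and e),
    "~T-BOTH": (lambda g, e: g and not e, lambda g, e: g and e),
    "~F-PRE":  (lambda g, e: g and e,     lambda g, e: not e),
    "~F-POST": (lambda g, e: e,           lambda g, e: g and not e),
    "~F-BOTH": (lambda g, e: g and e,     lambda g, e: g and not e),
}

# A stimulus is (change, timing, guard, event): change in "~T", "~F" or "C",
# timing in "PRE", "POST" or "BOTH"; guard and event are DNF conditions.
# A row is (configuration, list of AND-combined stimuli, output).

def determinize(stimuli):
    """Assumed reading of the C operator: the event changes in either
    direction, so each C stimulus is split into a ~T and a ~F alternative.
    n C-stimuli therefore give 2**n copies of the row, one per binary code."""
    options = [[("~T", t, g, e), ("~F", t, g, e)] if c == "C" else [(c, t, g, e)]
               for c, t, g, e in stimuli]
    return [list(copy) for copy in product(*options)]

def fires(stimuli, before, after):
    """A row fires when every AND-combined stimulus has P true at the previous
    instant and P' true at the following instant."""
    for change, timing, guard, event in stimuli:
        p, p_next = OPERATORS[f"{change}-{timing}"]
        if not (p(holds(guard, before), holds(event, before))
                and p_next(holds(guard, after), holds(event, after))):
            return False
    return True

def check_stimulus_table(table):
    """Inner-layer stimulus mutual exclusion: no pair of (before, after)
    valuations may fire two rows with different outputs."""
    errors, rows = [], table["rows"]
    variables = sorted({v for _, stim, _ in rows for s in stim
                        for cond in s[2:] for conj in cond for v, _, _ in conj})
    valuations = [dict(zip(variables, vals))
                  for vals in product(*(DOMAINS[v] for v in variables))]
    for cfg in sorted({c for c, _, _ in rows}, key=str):
        # Every determinized copy keeps its original row index and output.
        copies = [(i, alt, out) for i, (c, stim, out) in enumerate(rows)
                  if c in (cfg, None) for alt in determinize(stim)]
        for before, after in product(valuations, repeat=2):
            hits = {i: out for i, alt, out in copies if fires(alt, before, after)}
            if len(set(hits.values())) > 1:
                errors.append(
                    f"{table['variable']}: violates inner-layer stimulus mutual "
                    f"exclusion (rows {sorted(hits)} fire together for "
                    f"{before} -> {after}, outputs {sorted(set(hits.values()))})")
    return errors

UP = [[("gear", "==", "UP")]]
AP_ON = [[("ap_engaged", "==", True)]]

GOOD_STIMULI = {"variable": "fd_mode", "rows": [
    (None, [("~T", "PRE", UP, AP_ON)], "ENGAGED"),      # AP engages with gear up
    (None, [("~F", "BOTH", UP, AP_ON)], "DISENGAGED"),  # AP drops while gear up
]}
BAD_STIMULI = {"variable": "fd_mode", "rows": GOOD_STIMULI["rows"] + [
    # Fires on the same engagement as row 0 whenever alt_above_1000 is true.
    (None, [("C", "PRE", [[("alt_above_1000", "==", True)]], AP_ON)], "HOLD"),
]}

if __name__ == "__main__":
    print(check_stimulus_table(GOOD_STIMULI) or "no violations")
    print(check_stimulus_table(BAD_STIMULI)[0])
```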
According to the above features, output-layer constraint verification comprises the following steps:
6-1) obtain the set of table functions from the RTM model and traverse all table functions;
6-2) read the value range of the variable associated with the judgment relation table or stimulus relation table;
6-3) read the judgment relation table or stimulus relation table, traverse all rows, read the variable output value field of each row, and add the values to an output value set;
6-4) judge whether the output value set contains every possible value of the value range: if the variable controlled by the judgment relation table or stimulus relation table is discrete, judge whether each discrete value of the value domain appears in the output value set; if the variable is continuous, judge whether the union of all intervals in the output value set equals the value range interval;
6-5) if the constraint is not satisfied, add a prompt that the table violates the output-layer constraint to the error information.
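As an added illustration rather than the patent's code, the following Python sketch performs the input-layer check of steps 2-1 to 2-4 and the output-layer check of steps 6-1 to 6-5 on a constructed RTM fragment; the configuration class, variables and tables are invented for the example, and continuous output values are assumed to be closed intervals.

```python
# Constructed RTM fragment, not taken from the patent's figures. Only the
# parts these two checks read are modelled: the configuration class a table
# depends on, the associated variable's value range, and each row's
# configuration and output value. Row conditions are omitted (None).
CONFIG_CLASSES = {"FLIGHT_PHASE": ["TAKEOFF", "CRUISE", "LANDING"]}
VARIABLES = {                       # name -> (kind, domain or (lo, hi))
    "gear_cmd": ("discrete", ["UP", "DOWN"]),
    "pitch_limit": ("continuous", (-15.0, 30.0)),
}
GEAR_TABLE = {"variable": "gear_cmd", "config_class": "FLIGHT_PHASE", "rows": [
    ("TAKEOFF", None, "UP"),
    ("LANDING", None, "DOWN"),      # CRUISE never considered
]}
PITCH_TABLE = {"variable": "pitch_limit", "config_class": "FLIGHT_PHASE", "rows": [
    ("TAKEOFF", None, (-15.0, 10.0)),   # continuous outputs are closed intervals
    ("CRUISE",  None, (10.0, 20.0)),
    ("LANDING", None, (-15.0, 5.0)),    # together they stop at 20, not 30
]}

def check_input_layer(table, config_classes):
    """Steps 2-2 to 2-4: the configurations declared in the class the table
    depends on (first set) must equal the configurations used by its rows
    (second set); rows with an empty configuration field are ignored."""
    declared = set(config_classes[table["config_class"]])
    used = {cfg for cfg, _, _ in table["rows"] if cfg is not None}
    if declared == used:
        return []
    return [f"{table['variable']}: violates input-layer constraint "
            f"(not considered: {sorted(declared - used)}, "
            f"unknown: {sorted(used - declared)})"]

def merged(intervals):
    """Union of closed intervals as a sorted list of disjoint intervals."""
    result = []
    for lo, hi in sorted(intervals):
        if result and lo <= result[-1][1]:
            result[-1] = (result[-1][0], max(result[-1][1], hi))
        else:
            result.append((lo, hi))
    return result

def check_output_layer(table, variables):
    """Steps 6-2 to 6-5: every value of the variable's range must be produced
    by some row (discrete), or the union of the rows' output intervals must
    equal the range interval (continuous)."""
    kind, domain = variables[table["variable"]]
    outputs = [out for _, _, out in table["rows"]]
    if kind == "discrete":
        missing = set(domain) - set(outputs)
        return [f"{table['variable']}: violates output-layer constraint "
                f"(values never produced: {sorted(missing)})"] if missing else []
    union = merged(outputs)
    if union == [tuple(domain)]:
        return []
    return [f"{table['variable']}: violates output-layer constraint "
            f"(union of outputs {union} != range {tuple(domain)})"]

if __name__ == "__main__":
    for table in (GEAR_TABLE, PITCH_TABLE):
        errors = (check_input_layer(table, CONFIG_CLASSES)
                  + check_output_layer(table, VARIABLES))
        print(table["variable"], "->", errors or "no violations")
```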
The beneficial effects of the invention are as follows:
The invention provides a formalized analysis technique oriented to the requirement table model; it performs consistency and completeness analysis on the formalized semantics of the requirement table model, discovers basic errors in requirements, including grammatical, syntactic and semantic errors, as well as ambiguity and incompleteness problems, improves the completeness of requirement verification, and improves the quality of avionics software requirements.
Drawings
Fig. 1 is a table of conditions for an EICAS engine indication corresponding to a requirement of a crew alerting system.
Fig. 2 is a table of conditions in the RTM of an FGS flight guidance system.
Fig. 3 is a flow chart of requirement input completeness analysis.
Fig. 4 is a table of conditions in FGS flight guidance system RTM example 1.
Fig. 5 is a table of conditions in FGS flight guidance system RTM example 2.
Fig. 6 is a flow chart of requirement condition consistency and completeness analysis.
Fig. 7 is a table of conditions in FGS flight guidance system RTM example 3.
Fig. 8 is a flow chart of requirement output completeness analysis.
Fig. 9 is a flow chart of RTM model analysis.
Fig. 10 is the structural framework of the RTM model analysis method.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Unless the context clearly indicates otherwise, the elements or components of the invention may be present in either singular or plural form, and no limitation is intended. Although the steps of the invention are labelled with reference numerals, their order is not thereby limited, and the relative order of the steps may be adjusted unless an order is explicitly stated or the execution of a step requires other steps as its basis.
The invention addresses the following problem in the requirement design and verification stage of safety-critical airborne software: the itemized requirements of the airborne software are mapped into a mathematical model (RTM) based on propositional logic and relation theory, the semantics of the itemized requirements are strictly defined mathematically, and an algorithm is then designed to judge whether the multi-layer semantic constraints in the requirement model are satisfied:
1) Input-layer constraint
The requirements must satisfy completeness of the input information. For a group of requirements that produce the same kind of output (which may be understood as requirements that affect the same variable), if one requirement refers to the action the software should take under a certain configuration, then the group must also describe the actions to be taken under the other configurations of the same class (the configurations are mutually exclusive, but the software is always in exactly one of them; the current configuration may be understood as a particular variable whose value range is all configurations of the class, and that variable must take exactly one of those values). When such a problem is present, the software may be unable to determine what action to take in certain configurations.
2) Inner-layer judgment mutual-exclusion constraint
The requirements must satisfy the judgment mutual exclusion inherent in the meaning of the itemized requirements. If a requirement is premised on a certain judgment condition being met, i.e. it is a judgment-type requirement, then no other judgment-type requirement may exist whose output is mutually exclusive with this requirement's output (the two requirements affect the same variable but set it to different values) while the judgment conditions of the two requirements can be satisfied at the same time. When such a problem is present, the software may in certain situations be required to perform two mutually exclusive actions simultaneously.
3) Inner-layer judgment completeness constraint
The requirements must satisfy the judgment completeness inherent in the meaning of the itemized requirements. For a group of judgment-type requirements that produce the same kind of output, the judgment conditions of these requirements must cover all cases the software can encounter; that is, however the variables involved in the judgment conditions of the group take their values, one of the judgment conditions is always satisfied. When such a problem is present, the software may in certain situations be unable to determine what action to take.
4) Inner-layer stimulus mutual-exclusion constraint
The requirements must satisfy the stimulus mutual exclusion inherent in the meaning of the itemized requirements. If a requirement is premised on a stimulus occurring, it is a stimulus-type requirement; the stimulus referred to here is typically a change in the value of some variable in the software. For any stimulus-type requirement, no other stimulus-type requirement may exist whose output is mutually exclusive with this requirement's output while the stimuli of the two requirements can occur simultaneously. When such a problem is present, the software may in certain situations be required to perform two mutually exclusive actions simultaneously.
5) Output-layer constraint
The requirements must satisfy completeness of the requirement output. For a group of requirements that produce the same kind of output, the output values produced by those requirements must constitute all possible cases of that kind of output (it may be understood that all the output values together make up the value range of the variable these requirements affect). When such a problem is present, certain actions of the software may never be performed.
For the satisfaction problem of the multi-layer requirement semantic verification, referring to fig. 9 and 10, a formalized semantic analysis and inspection method for a requirement table model in the embodiment inspects the possible problem in the requirement through an automatic verification algorithm, which includes the following steps:
step one: an RTM model translated from the item requirements is imported.
The RTM model is a conversion performed by a user according to defined form and format requirements, and one RTM model includes the following set:
1) Data Type (Type): all user-defined types are included, and all types are based on basic types, i.e. the parent type or ancestor type is a type such as a bootan, int, char, etc.
2) Constant (Constant): all user-defined constants are aggregated.
3) Input variable (Input): from the measurement of a certain value outside the software, the variable is converted from the value by an input device such as a sensor.
4) Configuration class (cfslass): each configuration class in the set of configuration classes represents a set of several different configurations that can be mutually converted during software operation. While configurations between different configuration classes do not switch between each other. This form is similar to the equivalent class of relational parts in discrete mathematics and is therefore called the configurational class.
Each configuration class can be considered a variable, and the configuration it contains is the range of values for that variable. Each configuration class is in only one configuration at a time when the software is running. Under different configurations, the value of the non-input variable will be affected. The configuration to which the class of configurations belongs may change upon the occurrence of certain specific stimuli.
For example, assuming that a flight has a configuration class flying height set below 1000 meters and above 1000 meters is specified to be low, when the flight flies from a low altitude below 1000 meters to a high altitude above 1000 meters while flying, excitation of the altitude 1000 meters contour line can occur, at which time the aircraft flying height configuration class is converted from a low configuration to a high configuration, and some functions in avionics software correspondingly change.
5) Internal variable (Internal): a type of variable that may be used in the RTM but is neither an input variable read from outside the software nor an output variable that the software returns to the outside. Such variables are used to represent the hierarchy of software requirements and to store intermediate data.
6) Output variable (Output): a variable computed by a software function whose value is returned to the user.
7) Table function (Table): table functions are of three types, namely the judgment relation table, the excitation relation table and the configuration conversion table.
The judgment relation table and the excitation relation table both determine the values of internal variables and output variables. They differ in what they describe: a judgment relation defines which state the software is in, that is, which value an internal or output variable should take for each combination of variable values; an excitation relation defines which state transition occurs in the software, that is, which value an internal or output variable should take when the values of the variables change in a given way. Each judgment relation table or excitation relation table corresponds to one requirement. Some judgment conditions and excitation relations may depend on a configuration class; in that case the configuration the class is currently in affects the judgment condition or stimulus in the table. Specifically:
1) A group of judgment type requirements that produce similar outputs is converted into one judgment relation table, and the name of the variable jointly influenced by these requirements is noted in the auxiliary information of the judgment relation table. Each different output value produced by these requirements corresponds to one row of the table. The fields of the table are: the configuration, the judgment condition and the output value. For requirements that do not depend on a configuration, the configuration field is left empty.
2) A group of stimulus requirements that produce similar outputs is converted into one excitation relation table, and the name of the variable jointly influenced by these requirements is noted in the auxiliary information of the excitation relation table. Each different output value produced by these requirements corresponds to one row of the table. The fields of the table are: the configuration, the stimulus and the output value. For requirements that do not depend on a configuration, the configuration field is left empty.
The configuration conversion table corresponds to one configuration class of the model. It indicates from which configuration to which configuration the configuration class switches when the values of variables in the software change.
Based on the definition of table functions in the RTM, the formal definitions of judgment conditions and stimuli are given below:
1) Judgment conditions: the judgment conditions agreed on in the method take the form of a disjunctive normal form: atomic judgment conditions are joined by AND into conjuncts, and the conjuncts are joined by OR into the judgment condition. An atomic judgment condition is defined as variable + comparison operator + variable value, where the variable must belong to the variable set and the variable value must lie within the value range specified for that variable. The comparison operators include =, >, <, >= and <=. It can be shown that any complex judgment condition can in principle be converted into this form, so the representation is feasible.
2) Stimulus: the definition of a stimulus nests the definition of the judgment condition. One stimulus may consist of several AND stimuli. Each AND stimulus takes the form "stimulus operator + stimulus judgment condition + guard operator + guard judgment condition".
Both the stimulus judgment condition and the guard judgment condition are defined by an AND-OR table.
The stimulus operator may be ~T, ~F or ~C, representing respectively a stimulus in which the stimulus judgment condition changes from false to true, from true to false, or changes its truth value in either direction.
The guard operator may be PRE, POST or BOTH. In the definition of an AND stimulus, the guard operator and the guard judgment condition are either both defined or both undefined. When they are defined, the stimulus imposes a state constraint in addition to the change of the stimulus judgment condition. If the guard operator is PRE, the guard judgment condition must be true before the stimulus occurs and nothing is required after it; if POST, the guard judgment condition must be true after the stimulus occurs and nothing is required before it; if BOTH, the guard judgment condition must be true both before and after the stimulus occurs.
Referring to FIG. 1, one embodiment of converting a requirement from the requirements document of an engine indication and crew alerting system (EICAS) into the RTM model is as follows:
When ipDMILayoutNormal = true, the aircraft integrated electronic display system shall display the engine symbols in the standard layout.
The data type EngineLayout is added to the RTM; its parent type is the basic type enumerated, and its value range is { normal, compressed }.
The input variable ipDMILayoutNormal is added to the RTM; its data type is the basic type boolean, and its value range is { false, true }.
The output variable opEngineHFEngineLayout is added to the RTM; its data type is EngineLayout, and its value range is inherited from the data type.
A judgment relation is added to the RTM; the associated variable is opEngineHFEngineLayout, and the dependent configuration class is null.
After the requirements have been converted into the RTM model, the model is subjected to the various analyses. The detailed inspection procedure of each analysis step is given below.
Step two: input layer constraint verification, whose working principle is as follows:
1) If a judgment relation table or excitation relation table depends on a configuration class, all configurations appearing in the configuration field of the table are read as the second configuration set.
2) Since the configurations of the second configuration set all belong to the same configuration class, all configurations of that class are collected into the first configuration set.
3) Whether the first configuration set and the second configuration set are identical is judged. Obviously, if they are not identical, some configurations of the class have not been considered by the table.
As shown in FIG. 3, the implementation of the algorithm comprises the following steps:
2-1) Obtain the table function set from the RTM model and traverse all its elements, i.e. all table functions.
2-2) Read the dependent configuration class name of each judgment relation table or excitation relation table; if there is none, skip the check. Obtain the configuration class set from the RTM model, traverse all its elements, find the configuration class matching the dependent configuration class name, and add its configurations one by one to the first configuration set.
2-3) Traverse all elements of the judgment relation table or excitation relation table, i.e. all table rows, read the configuration field of each row, and add it to the second configuration set one by one.
2-4) Judge whether the first configuration set and the second configuration set are the same. If they are not, add to the error information a prompt that the table violates the input layer constraint, indicating that some configurations of the class have not been considered by the judgment relation table or excitation relation table.
FIG. 2 is a judgment relation table of the RTM model corresponding to the FGS, in which some errors have been introduced artificially to serve as an example of input layer constraint verification.
The configuration set of the configuration class cfConfig is { cOFF, cON }.
The data type of the internal variable tHDGSwitchPrepressed is the basic type boolean, and its value range is { false, true }.
The data type of the internal variable tHDGDeselect is boolean, and its value range is { false, true }.
First, the first configuration set { cOFF, cON } of the dependent configuration class cfConfig is obtained. Then the configuration field of the judgment relation table is traversed and the second configuration set { cON } is constructed. The latter lacks the configuration cOFF.
In fact, before the artificial modification, the table had one more row at the end, whose configuration is cOFF, whose judgment condition is always true and whose output value is true. With that row the table satisfies the input layer constraint.
Step three: judgment mutual exclusion constraint verification of the inner layer, whose working principle is as follows:
1) For a given judgment relation table, all atomic judgment conditions of the judgment condition field are analyzed to obtain the following information: the variables tested in the judgment conditions, and the value range of each such variable, obtained from the input variable set, the internal variable set or the output variable set.
2) The judgment condition of each row is mapped to a judgment set, whose elements are assignments of values to all the above variables. The set corresponding to a judgment condition contains every value combination that satisfies that judgment condition.
3) The judgment sets of the rows are compared pairwise to find whether they share a value combination. Obviously, if they do, both judgment conditions are satisfied when that value combination occurs in the software, i.e. judgment mutual exclusion is violated.
During the judgment mutual exclusion analysis, the atomic judgment conditions undergo an equivalent replacement, as follows:
For atomic judgment conditions on discrete variables, the values of the variable's value range are numbered from 1, and the value on the right side of the atomic judgment condition is replaced by its number. For example, consider the atomic judgment condition x=a, where the value range of x is { a, b }. The two values correspond to the discrete values 1 and 2 respectively, so x=a is equivalently replaced by x=1.
For atomic judgment conditions on continuous variables, the value range of the variable is segmented by all values of that variable appearing in the judgment conditions of the rows, and the segments are numbered from 1: less than the minimum value is 1, equal to the minimum value is 2, between the minimum and the second smallest value is 3, equal to the second smallest value is 4, … …, equal to the maximum value is 2n, and greater than the maximum value is 2n+1, where n is the number of distinct comparison values. Every atomic judgment condition is then replaced by the discrete values of the intervals it covers. For example, consider the atomic judgment condition x > a, where the comparison values of x appearing in the table are a and b. The value range is segmented into x < a, x=a, a < x < b, x=b and x > b, corresponding to the discrete values 1, 2, 3, 4 and 5, so x > a is equivalently replaced by x=3||x=4||x=5.
The implementation of the algorithm is described below:
3-1) Obtain the table function set from the RTM model and traverse all its elements, i.e. all table functions.
3-2) If the table is a judgment relation table, traverse its elements, i.e. all table rows. Read the configuration of each row and add each different configuration to the third configuration set one by one.
3-3) For each configuration in the third configuration set, perform all of the following operations:
Traverse all rows of the judgment relation table whose configuration equals the current configuration of the third configuration set, and analyze their judgment conditions. The following data structures are built: the variable output value and the judgment condition of each traversed row; each distinct continuous variable appearing in the judgment relation table, together with the set of values appearing on the right side of its atomic judgment conditions; and each distinct discrete variable appearing in the judgment relation table, together with the set of all values of its value range. The type of each variable is obtained from the data type set; only the basic types string, boolean and enumerated are regarded as discrete, i.e. their value range is defined by comma-separated discrete values, while all other value ranges are continuous and defined by upper and lower limits. A further property of discrete variables is that the only comparison operator that may appear in their atomic judgment conditions is equality. A custom type is treated in the same way as its parent type.
For the value set of each continuous variable, the values are sorted from small to large so that the continuous intervals can conveniently be numbered as discrete values.
For the judgment condition of each row, perform the equivalent replacement of its atomic judgment conditions.
After the above process all variables have been discretized, and all possible value combinations of all variables can be enumerated. However, an atomic judgment condition on an originally continuous variable may now have been replaced by a disjunction. For example, suppose the judgment condition is (p1 & x<b) || p2, where the interval of the continuous variable x is decomposed by the values a and b into x<a, x=a, a<x<b, x=b and x>b; after discretization the judgment condition becomes (p1 & (x=1 || x=2 || x=3)) || p2. Obviously the result has a three-layer disjunct-conjunct-disjunct structure, so the disjunctive normal form of the judgment condition has been destroyed. Further processing is therefore needed to restore the disjunct-conjunct-disjunct structure to a disjunct-conjunct structure: each inner disjunction produced in the previous step is split up, the remaining part of its conjunct is conjoined with each new atomic judgment condition of the disjunction separately, and the resulting conjuncts are disjoined together to replace the original three-layer structure.
The disjunctive normal form is then expanded: for each conjunct, the variables it does not mention are taken into account by combining each possible value combination of these variables with the original conjunct to form a new conjunct, and the original conjunct is replaced by these new conjuncts.
The expanded expressions of the judgment conditions of the rows are compared pairwise. If two rows share a conjunct, then when the variables take that value combination the judgment conditions of both rows are satisfied at the same time; if the output values of the two rows differ, judgment mutual exclusion is violated, and a prompt that the table violates judgment mutual exclusion is added to the error information.
FIG. 4 is a judgment relation table of the RTM model corresponding to the FGS, in which some errors have been introduced artificially to serve as an example of inner layer judgment mutual exclusion constraint verification.
The data type of the input variable ipSYNCSwitch is ySwitch, and its value range is inherited from the data type.
The parent type of the data type ySwitch is the basic type enumerated, and its value range is { off, on }.
The data type of the input variable ipSYNCSwitchPressedHighestPriority is the basic type boolean, and its value range is { false, true }.
The data type of the internal variable tHDGSwitchPressedHightPriority is the basic type boolean, and its value range is { false, true }.
The discrete variables involved in the judgment conditions are read, forming the set { ipSYNCSwitch, ipSYNCSwitchPressedHighestPriority }.
The judgment conditions do not involve continuous variables.
The value ranges of the discrete variables are read, forming the sets { off, on } and { false, true }.
Equivalent replacement of the judgment conditions. The two judgment conditions after replacement are as follows (the two variables are abbreviated as ipV1 and ipV2 hereinafter): ipV2=2, and (ipV1=2)||(ipV2=1).
After expansion the judgment conditions are (ipV1=1&ipV2=2)||(ipV1=2&ipV2=2), and (ipV1=2&ipV2=1)||(ipV1=2&ipV2=2)||(ipV1=1&ipV2=1).
Obviously the two share the conjunct ipV1=2&ipV2=2, and the output values of the two rows differ. That is, when ipSYNCSwitch=on and ipSYNCSwitchPressedHighestPriority=true, two rows of the table are satisfied at the same time.
In fact, before the artificial modification, the judgment condition of the first row of the table was ipSYNCSwitch=off & ipSYNCSwitchPressedHighestPriority=true. With that condition the table satisfies the inner layer judgment mutual exclusion constraint.
Step four: judgment completeness constraint verification of the inner layer, whose working principle is as follows:
1) For a given judgment relation table, all judgment conditions of the judgment condition field are analyzed to obtain the following information: the variables tested in the judgment conditions, and the value ranges of these variables.
2) The judgment condition of each row is mapped to a first judgment set, whose elements are assignments of values to all the above variables. The set corresponding to a judgment condition contains every value combination that satisfies that judgment condition.
3) A complete set containing all possible value combinations is constructed from the value ranges of the variables mentioned in 1). All first judgment sets of 2) are merged into one large second judgment set, and whether the second judgment set equals the complete set is judged. Obviously, if they differ, some value combination is missing: when it occurs in the software, no judgment condition is satisfied, so judgment completeness is violated.
Once a judgment relation table has passed the judgment mutual exclusion check, the algorithm proceeds as follows:
4-1) From the variables appearing in the judgment conditions of all rows of the judgment relation table, a tautological disjunctive normal form can be arranged, i.e. a disjunctive normal form comprising all possible value combinations of all the variables.
4-2) Expand the judgment conditions of all rows into disjunctive normal form and compare the resulting disjunctive normal form with that of the previous step. If they differ, the table has value combinations that are not considered: when the variables take such a missing combination, no row of the judgment relation table is satisfied, violating judgment completeness. A prompt that the table violates judgment completeness is added to the error information.
FIG. 5 is a judgment relation table of the RTM model corresponding to the FGS, in which some errors have been introduced artificially to serve as an example of inner layer judgment completeness constraint verification.
The configuration set of the configuration class cfHDG is { cUndefined, cSelected, cCleared }.
The data type of the internal variable tHDGSelect is the basic type boolean, and its value range is { false, true }.
The data type of the internal variable tNonBasicLateralConfigIsActivated is the basic type boolean, and its value range is { false, true }.
(1) In the configuration cUndefined.
The discrete variables involved in the judgment conditions are read, forming the set { tHDGSelect }.
The judgment conditions do not involve continuous variables. If continuous variables were involved, their value ranges would be segmented by the comparison values, each segment corresponding to one discrete value, and the discrete values would be assembled into a set.
The value ranges of the discrete variables are read, forming the set { { false, true } }.
A disjunctive normal form containing all value combinations is constructed (the variable is abbreviated as ipV1 hereinafter): (ipV1=1)||(ipV1=2).
Equivalent replacement of the judgment conditions. The two judgment conditions after replacement are ipV1=2 and ipV1=1 respectively.
The judgment conditions are unchanged after expansion.
Disjoining the judgment conditions of the two rows gives (ipV1=2)||(ipV1=1), which is identical to the disjunctive normal form containing all value combinations.
(2) Configuration cSelected.
The procedure is exactly the same as in (1).
(3) Configuration cCleared.
The discrete variables involved in the judgment conditions are read, forming the set { tHDGSelect }.
The judgment conditions do not involve continuous variables.
The value ranges of the discrete variables are read, forming the set { { false, true } }.
A disjunctive normal form containing all value combinations is constructed (the variable is abbreviated as ipV1 hereinafter): (ipV1=1)||(ipV1=2).
Equivalent replacement of the judgment conditions. The judgment condition after replacement is ipV1=2.
The judgment conditions are unchanged after expansion.
Since there is only one row of judgment conditions, it is compared directly with the disjunctive normal form containing all value combinations, and the condition ipV1=1 is missing. That is, when tHDGSelect=false in the configuration cCleared, no row of the table is satisfied.
In fact, before the artificial modification, the table had one more row at the end, whose configuration is cCleared, whose judgment condition is tHDGSelect=false and whose output value is false. With that row the table has no judgment completeness problem.
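The following Python code is an added illustration of steps 3-1 to 3-3 (judgment mutual exclusion) and 4-1 to 4-2 (judgment completeness) above; it is not part of the patent and not the applicant's implementation. Its data model (variables with discrete or continuous value ranges, judgment conditions as lists of conjuncts of atomic conditions), its function names, and the output values of the two FIG. 4 rows are assumptions; the altitude table is constructed to show the segmentation of a continuous variable by its comparison values. The expansion of step 3-3 is carried out as a set of value combinations per conjunct rather than as a rewritten normal form, which yields the same judgment sets as the text describes.

```python
from itertools import product

# Added example (not code from the patent): judgment mutual exclusion (step three) and
# judgment completeness (step four) checks. Assumed data model: a variable is
# ("discrete", [values]) or ("continuous", (low, high)); an atomic judgment condition is
# (variable, operator, value); a judgment condition is a disjunctive normal form given as
# a list of conjuncts, each a list of atoms; a table row is
# (configuration, judgment_condition, output_value).

OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}


def build_codes(variables, rows):
    """Equivalent replacement of every variable by the discrete codes 1..k.

    The i-th value of a discrete variable gets code i. For a continuous variable the n
    comparison values found on the right side of the table's atoms split its range into
    2n+1 intervals coded 1 (below the minimum) .. 2n+1 (above the maximum), even codes
    being the comparison values themselves. Every code is paired with a representative
    point so that any atom can be evaluated code by code."""
    cuts = {}
    for _, cond, _ in rows:
        for conj in cond:
            for var, _, val in conj:
                if variables[var][0] == "continuous":
                    cuts.setdefault(var, set()).add(val)
    codes = {}
    for var, (kind, dom) in variables.items():
        if kind == "discrete":
            points = list(dom)
        else:
            vals = sorted(cuts.get(var, ()))
            points = [vals[0] - 1] if vals else [dom[0]]       # interval below the minimum
            for k, v in enumerate(vals):
                points.append(v)                                 # x = v_k (even code)
                points.append((v + vals[k + 1]) / 2 if k + 1 < len(vals) else v + 1)
        codes[var] = [(i + 1, p) for i, p in enumerate(points)]
    return codes


def condition_value_set(variables, codes, cond):
    """Expand a judgment condition into the set of all code combinations satisfying it.

    Variables a conjunct does not mention take every code (the expansion step), and the
    inner disjunction produced by an atom on a continuous variable is resolved per
    variable, which is equivalent to restoring the disjunct-conjunct structure."""
    order = list(variables)
    satisfying = set()
    for conj in cond:
        per_var = {v: {c for c, _ in codes[v]} for v in order}
        for var, op, val in conj:
            per_var[var] &= {c for c, rep in codes[var] if OPS[op](rep, val)}
        satisfying |= set(product(*(sorted(per_var[v]) for v in order)))
    return satisfying


def check_judgment_table(variables, rows):
    """Error prompts for judgment mutual exclusion (step three) and judgment completeness
    (step four), checked per configuration; an empty list means the table passes both."""
    errors = []
    for cfg in sorted({r[0] for r in rows}):
        cfg_rows = [r for r in rows if r[0] == cfg]
        codes = build_codes(variables, cfg_rows)
        sets = [(condition_value_set(variables, codes, c), out) for _, c, out in cfg_rows]
        for i in range(len(sets)):
            for j in range(i + 1, len(sets)):
                if sets[i][0] & sets[j][0] and sets[i][1] != sets[j][1]:
                    errors.append(f"{cfg}: rows {i + 1} and {j + 1} violate judgment mutual exclusion")
        universe = set(product(*([c for c, _ in codes[v]] for v in variables)))
        covered = set().union(*(s for s, _ in sets))
        if covered != universe:
            errors.append(f"{cfg}: judgment completeness violated, "
                          f"{len(universe - covered)} value combination(s) uncovered")
    return errors


# FIG. 4 as the text describes it; the output values are assumed (constructed).
FIG4_VARS = {"ipSYNCSwitch": ("discrete", ["off", "on"]),
             "ipSYNCSwitchPressedHighestPriority": ("discrete", [False, True])}
FIG4_ROWS = [
    ("", [[("ipSYNCSwitchPressedHighestPriority", "=", True)]], True),   # artificially modified row 1
    ("", [[("ipSYNCSwitch", "=", "on")],
          [("ipSYNCSwitchPressedHighestPriority", "=", False)]], False),
]
FIG4_FIXED = [("", [[("ipSYNCSwitch", "=", "off"),
                     ("ipSYNCSwitchPressedHighestPriority", "=", True)]], True)] + FIG4_ROWS[1:]

# Constructed table with a continuous variable (not from the patent): 1000 is the only
# comparison value, so altitude is coded 1 (<1000), 2 (=1000), 3 (>1000).
ALT_VARS = {"altitude": ("continuous", (0, 20000))}
ALT_OK = [("", [[("altitude", "<", 1000)]], "low"), ("", [[("altitude", ">=", 1000)]], "high")]
ALT_BAD = [("", [[("altitude", "<=", 1000)]], "low"), ("", [[("altitude", ">=", 1000)]], "high")]

if __name__ == "__main__":
    for name, v, r in [("FIG. 4", FIG4_VARS, FIG4_ROWS), ("FIG. 4 fixed", FIG4_VARS, FIG4_FIXED),
                       ("altitude", ALT_VARS, ALT_OK), ("altitude overlapping", ALT_VARS, ALT_BAD)]:
        print(name, check_judgment_table(v, r) or "passes")
```

Running the script reports the shared conjunct of the modified FIG. 4 table as a mutual exclusion violation, reports nothing for the table with its original first row, and for the constructed altitude table flags the overlap at the code for altitude = 1000 when both rows use a non-strict comparison.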
Referring to FIG. 6, the general flow for checking both constraints over the set of rows of a table that belong to the same configuration is shown.
Step five: excitation mutual exclusion constraint verification of the inner layer (also used to check the configuration conversion table), whose working principle is as follows:
1) For a given excitation relation table, all stimuli of the stimulus field are analyzed to obtain the following information: the variables involved in the stimuli, and the value ranges of these variables.
2) The stimulus of each row is mapped to two sets whose elements are assignments of values to all the above variables. For a given stimulus, the first set contains all value combinations possible before the stimulus occurs, and the second set contains all value combinations possible after it occurs.
3) The set pairs of the rows are compared pairwise to find whether both sets share a value combination. Obviously, if they do, when the software transitions from the shared combination of the first sets to the shared combination of the second sets, both stimuli are considered to occur, and the inner layer excitation mutual exclusion constraint is violated.
In the analysis of the inner layer excitation mutual exclusion constraint there is an uncertainty: a ~C stimulus occurs whether its stimulus judgment condition changes from true to false or from false to true, so ~C stimuli need special processing, as follows:
For the stimulus of each row, if the number of AND stimuli whose stimulus operator is ~C is n, the row is copied into 2^n rows. For ease of handling, the copies are encoded by the binary numbers from 0 to 2^n-1. Each code corresponds to one copied stimulus: the i-th bit of the code corresponds to the i-th AND stimulus that was originally ~C in the copy, and a bit value of 0 or 1 makes that AND stimulus ~T or ~F respectively.
The detailed algorithm of the inner layer excitation mutual exclusion constraint analysis is as follows:
5-1) As in the judgment mutual exclusion check, the excitation relation table is first traversed to obtain a first excitation set formed by the different configurations appearing in the excitation relation table.
5-1) Traverse all rows of the excitation relation table whose configuration equals the current configuration of the first excitation set, and analyze the stimuli. The following data structures are built: the variable output value and the stimulus of each traversed row; the stimulus operator, guard operator, stimulus judgment condition and guard judgment condition of each AND stimulus; each distinct continuous variable appearing in the table, together with the set of values appearing on the right side of its atomic judgment conditions; and each distinct discrete variable appearing in the excitation relation table, together with the set of all values of its value range.
5-2) Process the ~C stimuli as described above.
5-3) For the value set of each continuous variable, sort the values from small to large so that the continuous intervals can conveniently be numbered as discrete values.
5-4) For the stimulus judgment condition and the guard judgment condition of every AND stimulus of every row, perform the same replacement as in the judgment mutual exclusion check flow: replace them by disjunctive normal forms and discretize all variables in them.
5-5) Since a stimulus is equivalent to a judgment condition P satisfied at the previous instant and a judgment condition P' satisfied at the following instant, this step derives two disjunctive normal forms for each AND stimulus. Let P_Guard and P_Event denote the guard judgment condition and the stimulus judgment condition respectively. The processing is as follows:
· ~T-PRE: P = P_Guard ∧ ¬P_Event, P' = P_Event
· ~T-POST: P = ¬P_Event, P' = P_Guard ∧ P_Event
· ~T-BOTH: P = P_Guard ∧ ¬P_Event, P' = P_Guard ∧ P_Event
· ~F-PRE: P = P_Guard ∧ P_Event, P' = ¬P_Event
· ~F-POST: P = P_Event, P' = P_Guard ∧ ¬P_Event
· ~F-BOTH: P = P_Guard ∧ P_Event, P' = P_Guard ∧ ¬P_Event
5-6) For each row, combine the P and P' of all its processed AND stimuli to obtain the two judgment conditions under which the stimulus of the row occurs: the stimulus is considered to occur when the variable values at one instant satisfy judgment condition 1 and the variable values at the next instant satisfy judgment condition 2.
5-7) The pairs of disjunctive normal forms formed for the stimuli of the rows are compared pairwise. If two rows share a conjunct in the first expression and also share a conjunct in the second expression, then when the variable values at one instant are a combination present in both first expressions and the variable values at the next instant are a combination present in both second expressions, the stimuli of both rows are obviously satisfied at the same time; if the output values of the two rows differ, the inner layer excitation mutual exclusion constraint is violated, and a prompt that the table violates the inner layer excitation mutual exclusion constraint is added to the error information.
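The following Python code is an added illustration of steps 5-2 and 5-5 to 5-7 above; it is not part of the patent and not the applicant's implementation. Instead of the disjunctive normal form expansion of the text, it enumerates the value combinations of purely discrete variables by brute force, which gives the same before/after sets on a finite state space. The data model (stimulus judgment conditions and guard judgment conditions as Python predicates over a state, AND stimuli as tuples), the function names, and the heading-switch table are assumptions constructed for the example.

```python
from itertools import product

# Added example (not code from the patent): inner layer excitation mutual exclusion check
# of step five. Assumed data model: a variable maps to its list of values; an AND stimulus
# is (operator, event, guard_operator, guard) with operator "~T", "~F" or "~C",
# guard_operator "PRE", "POST", "BOTH" or None, and event/guard predicates over a state
# dict; a table row is (configuration, [and_stimuli], output_value).

ALWAYS = lambda state: True


def expand_c(and_stimuli):
    """~C processing: with n ~C AND stimuli the stimulus is copied 2^n times; the i-th bit
    of the copy's code turns the i-th ~C AND stimulus into ~T (bit 0) or ~F (bit 1)."""
    c_positions = [i for i, st in enumerate(and_stimuli) if st[0] == "~C"]
    copies = []
    for code in range(2 ** len(c_positions)):
        copy = list(and_stimuli)
        for bit, pos in enumerate(c_positions):
            op = "~F" if (code >> bit) & 1 else "~T"
            copy[pos] = (op,) + tuple(and_stimuli[pos][1:])
        copies.append(copy)
    return copies


def pre_post(op, event, guard_op, guard):
    """Step 5-5: the judgment conditions P (previous instant) and P' (following instant)
    of one ~T or ~F AND stimulus; an undefined guard is treated as always true."""
    g_pre = guard if guard_op in ("PRE", "BOTH") else ALWAYS
    g_post = guard if guard_op in ("POST", "BOTH") else ALWAYS
    if op == "~T":   # stimulus judgment condition changes from false to true
        return (lambda s: g_pre(s) and not event(s), lambda s: g_post(s) and event(s))
    if op == "~F":   # stimulus judgment condition changes from true to false
        return (lambda s: g_pre(s) and event(s), lambda s: g_post(s) and not event(s))
    raise ValueError(f"unexpected stimulus operator {op}")


def row_transition_sets(variables, and_stimuli):
    """Step 5-6: for every ~C copy of the row, the set of value combinations satisfying the
    conjunction of all P and the set satisfying the conjunction of all P'."""
    names = list(variables)
    states = [dict(zip(names, vals)) for vals in product(*(variables[n] for n in names))]
    pairs = []
    for copy in expand_c(and_stimuli):
        preds = [pre_post(*st) for st in copy]
        before = frozenset(i for i, s in enumerate(states) if all(p(s) for p, _ in preds))
        after = frozenset(i for i, s in enumerate(states) if all(q(s) for _, q in preds))
        pairs.append((before, after))
    return pairs


def check_stimulus_table(variables, rows):
    """Step 5-7: two rows with different output values violate excitation mutual exclusion
    when their before-sets share a combination and their after-sets share a combination."""
    errors = []
    for cfg in sorted({r[0] for r in rows}):
        cfg_rows = [r for r in rows if r[0] == cfg]
        sets = [(row_transition_sets(variables, st), out) for _, st, out in cfg_rows]
        for i in range(len(sets)):
            for j in range(i + 1, len(sets)):
                if sets[i][1] == sets[j][1]:
                    continue
                if any(b1 & b2 and a1 & a2 for b1, a1 in sets[i][0] for b2, a2 in sets[j][0]):
                    errors.append(f"{cfg}: rows {i + 1} and {j + 1} violate excitation mutual exclusion")
    return errors


# Constructed excitation relation table (not from the patent): a heading switch and a mode.
EX_VARS = {"switch": ["off", "on"], "mode": ["undefined", "selected"]}
EV_SWITCH_ON = lambda s: s["switch"] == "on"
EV_MODE_UNDEFINED = lambda s: s["mode"] == "undefined"
EX_BAD = [
    ("", [("~T", EV_SWITCH_ON, "PRE", EV_MODE_UNDEFINED)], "selected"),
    ("", [("~C", EV_SWITCH_ON, None, None)], "cleared"),   # its ~T copy overlaps row 1
]
EX_GOOD = [EX_BAD[0], ("", [("~F", EV_SWITCH_ON, None, None)], "cleared")]

if __name__ == "__main__":
    print(check_stimulus_table(EX_VARS, EX_BAD) or "passes")
    print(check_stimulus_table(EX_VARS, EX_GOOD) or "passes")
```

The constructed table shows why ~C stimuli are expanded first: row 2's ~C stimulus contains a ~T copy whose before-set (switch off) and after-set (switch on) both overlap row 1, so the two rows fire on the same transition from (off, undefined) to (on, any mode); with ~F instead, the before-sets are disjoint and the table passes.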
Step six: output layer constraint verification, whose working principle is as follows:
1) All output values of the output value field of the judgment relation table or excitation relation table are read as the output value set.
2) The value range of the variable influenced by the judgment relation table or excitation relation table is taken as the value range set.
3) Whether the output value set and the value range set are identical is compared. Obviously, if they are not identical, some output values are never generated.
Referring to FIG. 8, the algorithm process is as follows:
6-1) Obtain the table function set from the RTM model and traverse all its elements, i.e. all table functions.
6-2) Read the value range of the variable associated with the judgment relation table or excitation relation table.
6-3) Read the rows of the table function, traverse all elements, i.e. all table rows, read the variable output value field of each row, and add its value to the output value set.
6-4) Judge whether the output value set covers all possible values of the value range. If the variable controlled by the judgment relation table or excitation relation table is discrete, judge whether every discrete value of the value range appears in the output value set; if it is continuous, judge whether the union of all intervals in the output value set equals the value range interval.
6-5) If the constraint is not satisfied, add a prompt that the table violates the output layer constraint to the error information.
FIG. 7 is a judgment relation table of the RTM model corresponding to the FGS, in which some errors have been introduced artificially to serve as an example of output layer constraint verification.
The configuration set of the configuration class cfHDG is { cUndefined, cSelected, cCleared }.
The data type of the output variable opHDGLamp is yLamp, and its value range is inherited from the data type.
The parent type of the data type yLamp is the basic type enumerated, and its value range is { off, on }.
First, the value range { off, on } of the output variable opHDGLamp is obtained. Then the output value field of the table is traversed and the output value set { off } is constructed. The latter lacks the output value on.
In fact, before the manual modification, the output value of the first row of the table was on. With that value the table satisfies the output layer constraint.
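The following Python code is an added illustration of the input layer check of step two (steps 2-1 to 2-4) and the output layer check of step six (steps 6-1 to 6-5); it is not part of the patent and not the applicant's implementation. The in-memory model layout, the function names, the row contents of the FIG. 2 and FIG. 7 tables beyond what the text states, and the continuous-valued speed table are assumptions constructed for the example.

```python
# Added example (not code from the patent): input layer check (step two) and output layer
# check (step six) over an assumed in-memory RTM model. Model layout (an assumption, the
# patent fixes no data structure):
#   model["configuration_classes"]: {class_name: [configurations]}
#   model["variables"]: {name: ("discrete", [values]) or ("continuous", (low, high))}
#   model["tables"]: list of {"name", "variable", "dependent_class" (None if independent),
#                             "rows": [(configuration, condition_or_stimulus, output_value)]}


def check_input_layer(model, table):
    """Step two: compare the first configuration set (all configurations of the dependent
    configuration class) with the second configuration set (configurations appearing in
    the table). Returns the configurations the table fails to consider."""
    cls = table.get("dependent_class")
    if cls is None:                       # step 2-2: no dependent class, the check is skipped
        return []
    first = set(model["configuration_classes"][cls])
    second = {row[0] for row in table["rows"]}
    return sorted(first - second)


def check_output_layer(model, table):
    """Step six: compare the output value set with the value range of the controlled
    variable. For a discrete variable returns the values never output; for a continuous
    variable, whose outputs are (low, high) intervals, returns the (start, end) gaps left
    by the union of the output intervals."""
    kind, value_range = model["variables"][table["variable"]]
    outputs = [row[2] for row in table["rows"]]
    if kind == "discrete":
        return [v for v in value_range if v not in outputs]
    lo, hi = value_range
    gaps, cursor = [], lo
    for a, b in sorted(outputs):          # closed intervals merged in order of lower bound
        if a > cursor:
            gaps.append((cursor, a))
        cursor = max(cursor, b)
    if cursor < hi:
        gaps.append((cursor, hi))
    return gaps


def check_model(model):
    """Run both checks over every table function and collect the error prompts."""
    errors = []
    for t in model["tables"]:
        missing = check_input_layer(model, t)
        if missing:
            errors.append(f"{t['name']} violates the input layer constraint: "
                          f"configurations {missing} not considered")
        gaps = check_output_layer(model, t)
        if gaps:
            errors.append(f"{t['name']} violates the output layer constraint: {gaps} never output")
    return errors


# FIG. 2 and FIG. 7 as the text describes them (judgment conditions abbreviated to the
# string "cond", since neither check inspects them; the row contents beyond what the text
# states are constructed), plus a constructed continuous-valued table.
MODEL = {
    "configuration_classes": {"cfConfig": ["cOFF", "cON"],
                              "cfHDG": ["cUndefined", "cSelected", "cCleared"]},
    "variables": {"tHDGDeselect": ("discrete", [False, True]),
                  "opHDGLamp": ("discrete", ["off", "on"]),
                  "opTargetSpeed": ("continuous", (0, 300))},    # constructed variable
    "tables": [
        {"name": "FIG. 2 (modified)", "variable": "tHDGDeselect", "dependent_class": "cfConfig",
         "rows": [("cON", "cond", True), ("cON", "cond", False)]},
        {"name": "FIG. 7 (modified)", "variable": "opHDGLamp", "dependent_class": "cfHDG",
         "rows": [("cUndefined", "cond", "off"), ("cSelected", "cond", "off"), ("cCleared", "cond", "off")]},
        {"name": "speed (constructed)", "variable": "opTargetSpeed", "dependent_class": None,
         "rows": [("", "cond", (0, 100)), ("", "cond", (150, 300))]},
    ],
}

if __name__ == "__main__":
    for e in check_model(MODEL):
        print(e)
```

Running the script yields three prompts: the modified FIG. 2 table never considers cOFF, the modified FIG. 7 table never outputs on, and the constructed speed table leaves the sub-interval (100, 150) of its value range uncovered while its input layer check is skipped because it depends on no configuration class.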
It will be understood that equivalents and modifications will occur to those skilled in the art in light of the present invention and their spirit, and all such modifications and substitutions are intended to be included within the scope of the present invention as defined in the following claims.

Claims (4)

1. The formalized semantic analysis and inspection method for the demand form model is characterized by comprising the following steps of:
Step one, importing an RTM model converted from the project requirements; the RTM model contains the following sets: data types, constants, input variables, configuration classes, internal variables, output variables and table functions, the table functions being of three types, namely the judgment relation table, the excitation relation table and the configuration conversion table; wherein:
converting a group of judgment type requirements for generating similar output into a judgment relation table, and marking variable names of variables commonly influenced by the requirements in auxiliary information of the judgment relation table, wherein different output values generated in the requirements correspond to one row in the judgment relation table; the fields of the table are: the configuration, the judging condition and the output value;
a group of excitation requirements for generating similar output are converted into an excitation relation table, the variable names of variables influenced by the requirements together are noted in the auxiliary information of the excitation relation table, and different output values generated in the requirements correspond to one row in the excitation relation table; the fields of the table are: the configuration, excitation and output values;
the configuration conversion table corresponds to each configuration class in the model, and indicates which configuration should be converted to which configuration when the values of variables in the software change;
Step two, when performing input layer constraint verification, the method comprises the following steps:
2-1) obtaining the table function set from the RTM model and traversing all table functions;
2-2) reading the names of the dependent configuration classes of each judgment relation table or excitation relation table; obtaining the configuration class set from the RTM model, finding the configuration classes matching the dependent configuration class names, and adding them one by one to a first configuration set;
2-3) traversing all table rows of the judgment relation table or excitation relation table, reading the configuration field of each row, and adding it one by one to a second configuration set;
2-4) judging whether the first configuration set and the second configuration set are the same; if not, some configurations of the same class are not considered by the judgment relation table or excitation relation table, and a prompt that the table violates the input layer constraint is added to the error information;
Step three, when performing the judgment mutual exclusion constraint verification of the inner layer, the method comprises the following steps:
3-1) obtaining the table function set from the RTM model and traversing all table functions;
3-2) if the table is a judgment relation table, traversing all table rows, reading the configuration each row belongs to, and adding each different configuration one by one to a third configuration set;
3-3) for each configuration in the third configuration set, performing all of the following operations:
traversing the judgment condition field of all rows of the judgment relation table whose configuration equals the current configuration of the third configuration set, parsing the judgment conditions, and sorting out the following data structures: the variable output value and judgment condition of each traversed row; each different continuous variable appearing in the judgment relation table, together with the set of values that appear on the right side of the atomic judgment conditions of that variable; and each different discrete variable appearing in the judgment relation table, together with the set of all values of its value range;
for the value set corresponding to a continuous variable, sorting the values of the set from small to large;
for the judgment condition of each row, performing the equivalent replacement of its atomic judgment conditions, so that the variables are discretized;
enumerating the possible value combinations of all variables to form a disjunctive normal form structure;
expanding the disjunctive normal form: for the variables not considered in each conjunctive form, combining each possible value of those variables with the original conjunctive form to generate new conjunctive forms, and replacing the original conjunctive form with these conjunctive forms;
if two rows share a conjunctive form and their output values are not the same, judgment mutual exclusion is violated, and a prompt that the table violates judgment mutual exclusion is added to the error information;
Step four, when performing the judgment completeness constraint verification of the inner layer, the method comprises the following steps:
4-1) for a given judgment relation table, sorting out, according to the variables appearing in the judgment conditions of all rows of the table, the disjunctive normal form that contains all possible value combinations of all variables;
4-2) extracting the disjunctive normal form obtained after expanding the judgment conditions of all rows and comparing it with the disjunctive normal form of the previous step; if they are not equal, a combination exists that the judgment relation table does not take into account: when the variable values form that missing combination, no row's judgment condition in the judgment relation table is satisfied, judgment completeness is violated, and a prompt that the table violates judgment completeness is added to the error information;
Step five, when performing the excitation mutual exclusion constraint verification of the inner layer, the method comprises the following steps:
5-1) traversing the excitation relation table to obtain a first excitation set formed by the different configurations in the excitation relation table;
5-1) traversing all rows of the excitation relation table whose configuration field equals the current configuration of the first excitation set, parsing the excitations, and sorting out the following data structures: the variable output value and excitation of each traversed row; the excitation operator, guard operator, excitation judgment condition and guard judgment condition of each AND excitation of each traversed row; each different continuous variable appearing in the table, together with the set of values that appear on the right side of the atomic judgment conditions of that variable; and each different discrete variable appearing in the excitation relation table, together with the set of all values of its value range;
5-2) performing determination processing on the C excitations;
5-3) sorting the values of the value set corresponding to each continuous variable from small to large;
5-4) replacing the excitation judgment condition and guard judgment condition of each AND excitation of each row with a disjunctive normal form;
5-5) equating each excitation to a judgment condition P satisfied at the previous instant and a judgment condition P' satisfied at the next instant;
5-6) combining all P and all P' of the processed AND excitations of each row to obtain the two judgment conditions under which the row excitation is satisfied: when the variable value combination at some instant satisfies judgment condition 1 and the variable value combination at the next instant satisfies judgment condition 2, the row excitation is considered to occur;
5-7) comparing, pairwise, the two disjunctive normal forms formed for the excitation of each row; if the two rows' first expressions share the same conjunctive form and their second expressions also share the same conjunctive form, then when the variable values at one instant form a value combination present in both first expressions and the variable values at the next instant form a value combination present in both second expressions, the excitations of the two rows are evidently satisfied simultaneously; if the output values of the two rows are not the same, the excitation mutual exclusion constraint of the inner layer is violated, and a prompt that the table violates the excitation mutual exclusion constraint of the inner layer is added to the error information;
Step six, when performing output layer constraint verification, the method comprises the following steps:
6-1) obtaining the table function set from the RTM model and traversing all table functions;
6-2) reading the value range of the associated variable of the judgment relation table or excitation relation table;
6-3) reading the judgment relation table or excitation relation table, traversing all table rows, reading the variable output value field of each row, and adding the value of the output value field to an output value set;
6-4) judging whether the output value set completely contains all possible values of the value range: if the variable controlled by the judgment relation table or excitation relation table is discrete, judging whether each discrete value of the value range appears in the output value set; if the variable is continuous, judging whether the union of all intervals in the output value set equals the value range interval;
6-5) if the constraint is not satisfied, adding a prompt that the table violates the output layer constraint to the error information.
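The input layer check of step two and the output layer check of step six, including the opHDGLamp example from the description, as an added worked example in Python (this is not code from the patent; the configuration class "Mode", the variable "opSpeed" and the table contents are constructed here for illustration):

```python
"""Input-layer and output-layer constraint checks on RTM relation tables."""
from dataclasses import dataclass


@dataclass
class TableRow:
    config: str      # configuration the row belongs to (configuration field)
    condition: str   # judgment condition or excitation text; not evaluated here
    output: object   # output value: a discrete literal, or (lo, hi) for a continuous variable


@dataclass
class RelationTable:
    name: str
    depends_on: list   # names of the configuration classes the table depends on
    variable: str      # the associated (output) variable the table controls
    rows: list


# Constructed sample model (hypothetical names, not taken from the patent).
CONFIG_CLASSES = {"Mode": ["off", "standby", "active"]}
VARIABLE_RANGES = {"opHDGLamp": ["off", "on"], "opSpeed": (0, 100)}


def check_input_layer(table, config_classes):
    """Step two: the configurations of the dependent classes (first set) must equal the
    configurations found in the rows (second set)."""
    first = set()
    for cls in table.depends_on:
        first.update(config_classes[cls])
    second = {row.config for row in table.rows}
    if first == second:
        return []
    return [f"{table.name} violates the input layer constraint: "
            f"configuration sets differ in {sorted(first ^ second)}"]


def interval_union_covers(intervals, value_range):
    """True when the union of the closed intervals equals the closed value range interval."""
    lo, hi = value_range
    reached = lo
    for a, b in sorted(intervals):
        if a < lo or b > hi:       # an output interval outside the value range
            return False
        if a > reached:            # a gap between what is covered so far and this interval
            return False
        reached = max(reached, b)
    return reached >= hi


def check_output_layer(table, variable_ranges):
    """Step six: the rows' output values must cover the whole value range of the variable."""
    value_range = variable_ranges[table.variable]
    outputs = [row.output for row in table.rows]
    if isinstance(value_range, tuple):     # continuous variable: compare interval unions
        if interval_union_covers(outputs, value_range):
            return []
        detail = "the union of the output intervals is not equal to the value range"
    else:                                   # discrete variable: every value must appear
        missing = [v for v in value_range if v not in outputs]
        if not missing:
            return []
        detail = f"output values {missing} are missing"
    return [f"{table.name} violates the output layer constraint: {detail}"]


def check_model(tables, config_classes=CONFIG_CLASSES, variable_ranges=VARIABLE_RANGES):
    """Run both constraint checks over every table and collect the error information."""
    errors = []
    for table in tables:
        errors += check_input_layer(table, config_classes)
        errors += check_output_layer(table, variable_ranges)
    return errors


# Constructed tables. LAMP_TABLE mirrors the description's example: after the first row's
# output was changed from "on" to "off", the value "on" no longer appears anywhere.
LAMP_TABLE = RelationTable("opHDGLamp_table", ["Mode"], "opHDGLamp", [
    TableRow("off", "...", "off"),
    TableRow("standby", "...", "off"),
    TableRow("active", "...", "off"),
])
# SPEED_TABLE omits the "standby" configuration and leaves (60, 100] uncovered.
SPEED_TABLE = RelationTable("opSpeed_table", ["Mode"], "opSpeed", [
    TableRow("off", "...", (0, 0)),
    TableRow("active", "...", (0, 60)),
])

if __name__ == "__main__":
    for error in check_model([LAMP_TABLE, SPEED_TABLE]):
        print(error)
```

Running the module reports one output layer violation for the lamp table and both an input layer and an output layer violation for the speed table; the interval check treats closed intervals, so two output intervals that merely touch at a point are accepted as covering the range.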
2. The formalized semantic analysis and inspection method for a demand form model according to claim 1, characterized in that the method for the equivalent replacement of atomic judgment conditions is as follows:
for an atomic judgment condition containing a discrete variable, numbering each value of the variable's value range from 1, and replacing the value on the right side of the atomic judgment condition with its number;
for an atomic judgment condition containing a continuous variable, segmenting the variable's value range using all values of the value set collected for that variable from the judgment conditions of every row, numbering each segment from 1, and replacing every atomic judgment condition with the value range corresponding to its segments.
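The inner layer checks of steps three and four (judgment mutual exclusion and judgment completeness) together with the discretization of claim 2, as an added worked example in Python (not code from the patent; the variables "mode" and "altitude" and the table rows are constructed for illustration). Instead of numbering the segments, one representative value per segment is used, which is equivalent because every atomic judgment condition compares only against the collected threshold values:

```python
"""Judgment mutual exclusion and judgment completeness checks for one judgment relation
table, using the atomic-condition replacement of claim 2 to discretize the variables."""
from itertools import product
import operator

# An atomic judgment condition is (variable, op, value); a row's judgment condition is a
# disjunctive normal form: a list of conjunctions, each a list of atoms.
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def segment_representatives(value_range, thresholds):
    """Claim 2 for a continuous variable: the sorted thresholds split the value range into
    numbered segments (a single threshold point, or the open stretch between neighbours).
    Because every atom compares against a threshold, one representative value per segment
    behaves exactly like every other value in that segment."""
    lo, hi = value_range
    reps, prev = [], lo
    for v in sorted(set(thresholds)):
        if v > prev:
            reps.append((prev + v) / 2)   # segment strictly between the previous point and v
        reps.append(v)                    # the threshold point itself
        prev = v
    if hi > prev:
        reps.append((prev + hi) / 2)
    return reps


def row_holds(dnf, assignment):
    """A row's judgment condition holds if any of its conjunctions holds."""
    return any(all(OPS[op](assignment[var], value) for var, op, value in conj) for conj in dnf)


def check_judgment_table(rows, discrete, continuous):
    """rows: list of (output_value, dnf). discrete: {variable: value range list}.
    continuous: {variable: (lo, hi)}. Returns (kind, value_combination) violations."""
    thresholds, used = {}, []
    for _, dnf in rows:
        for conj in dnf:
            for var, _, value in conj:
                if var not in used:
                    used.append(var)
                if var in continuous:
                    thresholds.setdefault(var, []).append(value)
    # Step 3-3 / 4-1: the value set of every variable appearing in the table, discretized.
    domains = {var: (segment_representatives(continuous[var], thresholds[var])
                     if var in continuous else list(discrete[var])) for var in used}
    errors = []
    # Enumerating every value combination is the fully expanded disjunctive normal form.
    for combo in product(*(domains[v] for v in used)):
        assignment = dict(zip(used, combo))
        hits = [i for i, (_, dnf) in enumerate(rows) if row_holds(dnf, assignment)]
        if not hits:                                    # step 4-2: no row is satisfied
            errors.append(("completeness", assignment))
        elif len({rows[i][0] for i in hits}) > 1:       # step 3-3: overlapping rows differ
            errors.append(("mutual_exclusion", assignment))
    return errors


# Constructed sample table (hypothetical variable names; not from the patent).
DISCRETE = {"mode": ["manual", "auto"]}
CONTINUOUS = {"altitude": (0, 50000)}
ROWS = [
    ("warn",  [[("mode", "==", "auto"), ("altitude", "<", 1000)]]),
    ("ok",    [[("mode", "==", "auto"), ("altitude", ">=", 1000)]]),
    ("ok",    [[("mode", "==", "manual"), ("altitude", ">=", 500)]]),
    ("alarm", [[("mode", "==", "auto"), ("altitude", "<=", 1000)]]),
]

if __name__ == "__main__":
    for kind, assignment in check_judgment_table(ROWS, DISCRETE, CONTINUOUS):
        print(kind, assignment)
```

On the sample table the check finds one completeness gap (manual mode below 500) and four overlapping value combinations where the "warn" or "ok" row and the "alarm" row are satisfied together; two rows that overlap but produce the same output value are not reported, matching the claim.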
3. The formalized semantic analysis and inspection method for a demand form model according to claim 1, characterized in that the method for the determination processing of C excitations is as follows:
for the excitation of each row, if the number of excitations with excitation operator C in the AND excitation is n, the row is copied 2^n times, and the copies are coded with binary numbers from 0 to 2^n, each code corresponding to one copied excitation.
4. The formalized semantic analysis and inspection method for a demand form model according to claim 1, characterized in that an excitation is equated to the judgment condition P satisfied at the previous instant and the judgment condition P' satisfied at the next instant in the following manner:
~T-PRE: P = P_Guard ∧ ¬P_Event, P' = P_Event
~T-POST: P = ¬P_Event, P' = P_Guard ∧ P_Event
~T-BOTH: P = P_Guard ∧ ¬P_Event, P' = P_Guard ∧ P_Event
~F-PRE: P = P_Guard ∧ P_Event, P' = ¬P_Event
~F-POST: P = P_Event, P' = P_Guard ∧ ¬P_Event
~F-BOTH: P = P_Guard ∧ P_Event, P' = P_Guard ∧ ¬P_Event
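The excitation mutual exclusion check of step five, with the C-excitation copying of claim 3 and the P / P' semantics of claim 4, as an added worked example in Python (not code from the patent). It restricts itself to discrete variables so that the expanded disjunctive normal form is simply the set of all value combinations; the variables "gear_lever", "on_ground" and "mode" and the table rows are constructed, and the reading of a C operator as "either T or F with the PRE/POST/BOTH part unchanged" is an assumption, since the claims do not spell out what each binary code maps to:

```python
"""Excitation mutual exclusion check (step five) for an excitation relation table over
discrete variables, with the C-excitation determinization of claim 3 and the P / P'
event semantics of claim 4."""
from itertools import product

# Constructed discrete variables (hypothetical names, not from the patent).
DOMAINS = {"gear_lever": ["up", "down"], "on_ground": [False, True], "mode": ["ground", "air"]}


def states(domains):
    """Every value combination of the variables, i.e. the expanded disjunctive normal form."""
    names = list(domains)
    for combo in product(*(domains[n] for n in names)):
        yield dict(zip(names, combo))


# Claim 4: for excitation operator op, (P, P') as functions of (P_Guard, P_Event).
EVENT_SEMANTICS = {
    "~T-PRE":  (lambda g, e: g and not e, lambda g, e: e),
    "~T-POST": (lambda g, e: not e,       lambda g, e: g and e),
    "~T-BOTH": (lambda g, e: g and not e, lambda g, e: g and e),
    "~F-PRE":  (lambda g, e: g and e,     lambda g, e: not e),
    "~F-POST": (lambda g, e: e,           lambda g, e: g and not e),
    "~F-BOTH": (lambda g, e: g and e,     lambda g, e: g and not e),
}


def determinize_c(stimuli):
    """Claim 3: with n excitations whose operator is C, the row is copied 2**n times and the
    copies are coded in binary. Assumption: bit value 0 fixes the C operator to T and 1
    fixes it to F, while the PRE/POST/BOTH part is kept."""
    c_positions = [i for i, s in enumerate(stimuli) if s["op"].startswith("~C-")]
    copies = []
    for code in range(2 ** len(c_positions)):
        copy = [dict(s) for s in stimuli]
        for bit, i in enumerate(c_positions):
            polarity = "F" if (code >> bit) & 1 else "T"
            copy[i]["op"] = "~" + polarity + copy[i]["op"][2:]
        copies.append(copy)
    return copies


def row_transition(stimuli, domains):
    """Steps 5-5 and 5-6: the states satisfying P (previous instant) and P' (next instant)
    for the AND of all excitations of one row."""
    pre, post = set(), set()
    for s in states(domains):
        key = tuple(sorted(s.items()))
        if all(EVENT_SEMANTICS[st["op"]][0](st["guard"](s), st["event"](s)) for st in stimuli):
            pre.add(key)
        if all(EVENT_SEMANTICS[st["op"]][1](st["guard"](s), st["event"](s)) for st in stimuli):
            post.add(key)
    return pre, post


def check_excitation_mutual_exclusion(rows, domains):
    """Step 5-7: two rows with different outputs violate the constraint if some state satisfies
    both rows' P and some state satisfies both rows' P' (shared conjunctive forms)."""
    expanded = [(output, row_transition(copy, domains))
                for output, stimuli in rows for copy in determinize_c(stimuli)]
    errors = []
    for i in range(len(expanded)):
        for j in range(i + 1, len(expanded)):
            (o1, (pre1, post1)), (o2, (pre2, post2)) = expanded[i], expanded[j]
            if o1 != o2 and pre1 & pre2 and post1 & post2:
                errors.append((o1, o2))
    return errors


# Constructed excitation relation table: (output value, list of AND-ed excitations).
ROWS = [
    ("retract_cmd", [{"op": "~T-PRE", "event": lambda s: s["gear_lever"] == "up",
                      "guard": lambda s: not s["on_ground"]}]),
    ("inhibit",     [{"op": "~C-PRE", "event": lambda s: s["gear_lever"] == "up",
                      "guard": lambda s: s["mode"] == "air"}]),
    ("retract_cmd", [{"op": "~T-POST", "event": lambda s: s["gear_lever"] == "up",
                      "guard": lambda s: not s["on_ground"]}]),
]

if __name__ == "__main__":
    for o1, o2 in check_excitation_mutual_exclusion(ROWS, DOMAINS):
        print(f"rows with outputs {o1!r} and {o2!r} can fire on the same transition")
```

The two copies produced for the C row share its output value, so comparing them with each other never raises an error; only the T copy overlaps with the two "retract_cmd" rows, which gives the two reported violations. Dropping the C row leaves the two same-output rows, which overlap but are accepted.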
CN202210421720.XA 2022-04-21 2022-04-21 Formalized semantic analysis and inspection method for demand form model Active CN114741052B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210421720.XA CN114741052B (en) 2022-04-21 2022-04-21 Formalized semantic analysis and inspection method for demand form model

Publications (2)

Publication Number Publication Date
CN114741052A CN114741052A (en) 2022-07-12
CN114741052B true CN114741052B (en) 2024-04-12

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5481717A (en) * 1993-04-12 1996-01-02 Kabushiki Kaisha Toshiba Logic program comparison method for verifying a computer program in relation to a system specification
CN111176614A (en) * 2019-12-26 2020-05-19 南京航空航天大学 Method for generating and analyzing VRM formalized demand model
CN112416337A (en) * 2020-11-11 2021-02-26 北京京航计算通讯研究所 Software architecture development system for aerospace embedded system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A new analysis and inspection requirements model; 徐煜, 毋国庆, 刘翔, 陈莘萌; Journal of Wuhan University (Natural Science Edition); 19980630 (No. 03); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant