CN103853871A - Safety requirement modeling method applicable for avionics system - Google Patents


Info

Publication number: CN103853871A
Authority: CN (China)
Prior art keywords: security, safety, use case, failure, case
Legal status: Granted
Application number: CN201310595322.0A
Other languages: Chinese (zh)
Other versions: CN103853871B (en)
Inventors: 吴际, 张辉辉, 李亚晖, 牛文生
Current assignee: Beihang University; Xian Aeronautics Computing Technique Research Institute of AVIC
Original assignee: Beihang University; Xian Aeronautics Computing Technique Research Institute of AVIC
Application filed by Beihang University and Xian Aeronautics Computing Technique Research Institute of AVIC
Priority to CN201310595322.0A
Publication of CN103853871A
Application granted; publication of CN103853871B
Current legal status: Active


Abstract

The invention discloses a safety requirement modeling method suitable for avionics systems. The method analyzes and extracts the safety-related concepts and constraints of aviation embedded systems, combines the extracted concepts and constraints with the basic concepts of RUCM, and thereby extends UCMeta to build a safety-related domain model. By analyzing the resulting domain model, a description template for the safety requirements of aviation embedded systems is determined, so that the template accurately describes the functional requirements while also capturing the safety-related non-functional constraints. The method of the invention is a semi-formal safety requirement description method: it adds a safety requirement description template and corresponding restriction rules on top of RUCM, is used to describe safety requirements completely and accurately, and supports a degree of automated verification.

Description

A safety requirement modeling method applicable to avionics systems
Technical field
The present invention relates to a requirements modeling method, and more particularly to a safety requirement modeling method applicable to avionics systems.
Background art
Software safety is the property that a system controlled by software never enters a state that endangers human life, property or the natural environment. For embedded real-time software that demands high safety, such as aerospace software, the consequences a software failure may cause become ever more serious as the proportion of software in the system grows. To guarantee the safety of the system, the safety of the system must be described and analyzed at the requirements analysis stage.
Requirements modeling is an important activity in software requirements engineering. By applying different modeling methods, the requirements engineer identifies, understands and elicits what the requirements provider expects of the system, and thereby builds the structural model, the behavioral model, or other models that show different properties of the software to be developed. The modeling method plays an important role in this activity: different modeling methods look at the software problem from different viewpoints, from how the expectations of the overall system are derived into expectations of the software system itself, to how the behavior of the software system plays its role in the software-intensive system. See "Software Requirements Engineering: Principles and Methods", Jin Zhi et al., first edition, July 2008, page 50.
The main description means and techniques used in current requirements modeling methods are natural language, graphical symbolic languages and formal languages. From the point of view of practice, they divide into structured requirements modeling methods and object-oriented requirements modeling methods.
The technical route of the object-oriented method comprises requirements engineering, software design and software implementation; requirements engineering in turn comprises requirements acquisition and requirements analysis. The object-oriented method first acquires the requirements from the sources of the requirements (mainly the users), organizes the requirements information and user information, and builds a use case model. Once a complete and accurate understanding of the user requirements has been obtained, the object-oriented method begins to consider the realization mechanism of the software and carries out software design. See "Requirements Engineering: Software Modeling and Analysis", 1st edition, April 2009, Luo Bin (chief editor), page 315.
The software of an integrated modular avionics system (Integrated Modular Architecture, IMA, hereafter "avionics system"), including the operating system, application programs, databases, networks and human-machine interfaces, should be developed following a unified set of standards and specifications; the reusability, standardization, intelligence, portability, quality and reliability of the software should all be among the characteristic parameters that characterize the software technology.
Summary of the invention
To give the avionics system software being built a higher safety requirement, the invention provides a safety requirement modeling method applicable to avionics systems. The modeling method of the invention applies the use case meta-model UCMeta of RUCM, carries out a safety extension of the participant (Actor) and the use case (Use Case), and thereby realizes the requirements modeling of the avionics system software being built; the DO-178B standard is cited and existing avionics system software is used to identify safety defects; the safety requirement model designed by the invention can provide a complete and unambiguous requirement description for the software design of the avionics system.
The safety requirement modeling method applicable to avionics systems according to the invention specifically has the following steps:
Step 1: establish the domain concept model of the safety requirements;
according to the RTCA/DO-178B standard, existing avionics system software is subjected to safety identification to establish and obtain the domain concept model;
Step 2: build the graphical extension of the avionics system based on the UCMeta meta-model; this graphical extension of the avionics system is obtained by extending the UCMeta meta-model according to the domain concept model of the safety requirements obtained in step 1;
Step 3: build the avionics system safety requirement template based on the RUCM description template; this avionics system safety requirement template is obtained by adding the related items to the RUCM description template.
In step 2, the invention converts the domain concept model into a UML Profile and carries out a safety extension in the RUCM meta-model UCMeta: the Actor is refined, and the Use Case is extended for safety to establish the Safety Use Case; the domain concept model is analyzed to determine the description template, the restriction rules and the keywords used for safety requirements; the RUCM description template is extended to describe safety requirements, adding 10 safety description rules and a number of keywords to ensure that the RUCM description is complete, accurate and unambiguous. The extended UCMeta creates use case diagrams that support the description of safety requirements, and the user gives, for each Use Case, a complete and accurate functional description together with a safety requirement description.
The advantages of the safety requirement modeling method of the invention are:
1. For aviation embedded systems of high safety, the invention studies the safety standard DO-178B in depth and creates a corresponding safety model, so that safety requirements can be modeled at the software requirements stage.
2. For the safety requirement modeling of aviation embedded systems, the invention extends the UCMeta of standard RUCM. UCMeta is the meta-model of the RUCM method and is defined using MOF (Meta Object Facility). Through domain analysis, the model elements Actor and Use Case of the standard UML use case diagram are refined and extended for safety, which supports graphical safety requirement modeling.
3. For the safety requirement modeling of aviation embedded systems, the invention extends the requirement description template of standard RUCM and its restriction rules. Extending the RUCM requirement description template supports describing safety-related fault handling at the software requirements modeling stage, and extending the restriction rules makes the description of safety requirements complete, accurate and unambiguous.
Brief description of the drawings
Fig. 1 is the technology roadmap of the conventional object-oriented method.
Fig. 2 is the domain concept model diagram within the scope of application of the invention.
Fig. 3 is the UCMeta package diagram of RUCM in the invention.
Fig. 4 is the UCSTemplate package diagram of the invention.
Fig. 5 is the Actor refinement model diagram of the invention.
Fig. 6 is the Use Case extension model diagram of the invention.
Fig. 7 is the data exchange diagram between a Use Case and an Actor or resource in the invention.
Fig. 8 is the failure model diagram of the invention.
Fig. 9 is the failure handling analysis model diagram of the invention.
Fig. 10 is the failure handling sentence model diagram of the invention.
Fig. 11 is a schematic diagram of the fields of the use case template requirements.
Embodiments
The invention is described in further detail below in conjunction with the drawings and embodiments.
As shown in Fig. 1, the "use case model" in Fig. 1 is exactly the safety requirement model to be obtained by modeling in the present application.
The safety requirement modeling method applicable to avionics systems according to the invention specifically includes the following steps:
Step 1: establish the domain concept model of the safety requirements
According to the RTCA/DO-178B standard, existing avionics system software is subjected to safety identification to establish and obtain the domain concept model.
The full name of the RTCA/DO-178B standard is Royal Technical Commission on Aviation DO-178B.
Safety requirements consist of two parts: safety level requirements and safety function requirements. Safety level requirements are mainly safety isolation measures; software of different safety levels must receive different degrees of attention. Safety function requirements mainly comprise identifying the failures that cause hazardous states in the system, reducing the probability of entering an unsafe state, and mitigating the harmful consequences.
A hazard (Hazard) is a potential unsafe state of the system caused by a function failure, an external event or the like. The DO-178B standard classifies hazards by their effect on the system into: catastrophic, hazardous/severe, major, minor and no effect. The safety level of safety-critical software is defined correspondingly, according to the severity of the hazard it may cause, and is likewise divided into 5 levels.
Table 1: software safety levels (the table is an image in the original and is not reproduced here)
Safety function requirements identify the hazards that may arise in the system and take measures to reduce their probability of occurrence or mitigate their effect. Safety functions are divided from the following angles:
1) Failure mode and failure effect analysis
The failure mode is the way in which a failure manifests itself. Based on a study of the GB7826 and GJBZ1391 standards, the invention divides failure modes into five classes: input data failure, output data failure, function failure (the function cannot complete what is expected), timeout failure, and failures caused by abnormal hardware, user or environment.
The failure effect represents the effect that a failure of a use case (Use Case) has on the system or subsystem in which the use case is located; when this effect may cause a hazard to the system (a safety impact), the use case is safety-critical.
Table 2: definition of a failure
FailureID: unique identifier of the failure
FailureDescription: description of the failure
Failure Mode: the failure mode
Failure Cause: the cause of the failure
Level: the safety level of the failure
Hazard: the hazard caused by the failure
For each hazard (Hazard), its severity and probability of occurrence are defined; both severity and probability are qualitative. If the probability of a hazard cannot be determined, or is hard to determine, at the system requirements analysis stage, it may first be represented as None and supplemented once the data are complete. The risk of a hazard is the combination of its probability of occurrence and its severity, and hazards can be classified according to this risk analysis. The severity of a failure is determined by the highest-risk hazard it may cause.
Table 3: definition of a hazard
Severity: the severity of the hazard
Probability: the probability of occurrence of the hazard
Failure: the failure that causes this hazard
Hazards are of two kinds, Single Failure Hazard and Combined Failure Hazard: a hazard caused by a single failure and a hazard caused by multiple failures. For example, an aircraft may have several sets of braking systems; the failure of a single braking system does not harm the aircraft, and only the failure of all braking systems prevents deceleration and harms the aircraft, which is a hazard caused by multiple failures. By contrast, for process-level health monitoring, its inability to handle a fault may directly harm the system, which is a hazard caused by a single failure.
2) Failure cause analysis
The cause of a failure is described by fault analysis; each fault has its own trigger condition, and the triggering of a fault is represented by Trigger. During the execution of one or more sentences, a guard condition is checked; if the condition is not satisfied, a fault is triggered, which in turn causes the use case to fail.
The description of the guard condition is represented by a safety constraint (Safety Constraint). Safety constraints are divided into three classes: real-time constraints, data constraints and state constraints. A real-time constraint is a constraint on the period or the execution time; a data constraint is mainly a constraint on data values; a state constraint is a constraint on the execution state of a use case sentence, where the state is one of three kinds: normal, abnormal termination and endless loop.
Table 4: definition of a safety constraint
ConstraintID: the identifier of the constraint
Sentence: the field that defines the scope within which the constraint applies
Constraint: the field that holds the content of the constraint
In the domain concept model shown in Fig. 2, the invention follows the 12 safety properties defined by the DO-178B/C standard; their specific meanings are as follows:
P1: Each safety component shall provide a corresponding safe interface to detect and handle faults arising inside the component and faults propagated from outside.
P2: A safety-related interface may only be activated by a safety component or by the fault registration component.
P3: Each safety component and its safe interface must have the same safety level.
P4: Each safety component provides an invariant for shared data access that guarantees that modifications of the data satisfy the corresponding constraint.
P5: Each platform component shall be able to provide sufficient resources for the components deployed on it.
P6: Each identified fault must be detected and handled by at least one component.
P7: Each identified fault must have a corresponding trigger and handling policy.
P8: Each fault that can propagate must be handled by another safety component.
P9: Faults may only be registered in the fault registration component through a safe channel.
P10: A registered fault may only be handled by the registration component according to the corresponding handling policy.
P11: Each safe channel shall provide an interface to protect the safety of interactions between safety components.
P12: The safety level of each safe channel may not be lower than the safety level of the components it connects.
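The twelve properties above are stated as invariants over components, interfaces, faults and channels, which makes them checkable once a model is written down. The following added example (not code from the patent or its authors) checks four of them, P2, P3, P6 and P12, over a small constructed component model; the data classes, the "safety"/"fault_registration"/"other" component kinds and the A-E level ordering used for "not lower than" are assumptions of the example.

```python
"""Checker for four of the twelve safety properties (P2, P3, P6, P12) over a
small component model. Added example: the data model below is an assumed
encoding of the page's concepts (safety component, safe interface, fault
registration component, safe channel), not the patent's own representation."""
from dataclasses import dataclass, field

# DO-178B style levels: A is the most critical, E the least.
LEVELS = ["A", "B", "C", "D", "E"]


def level_rank(level: str) -> int:
    """Lower rank means higher criticality, so 'not lower than' is rank <= other rank."""
    return LEVELS.index(level)


@dataclass
class Interface:
    name: str
    level: str
    safety_related: bool = True
    activators: list = field(default_factory=list)  # component names allowed to activate it


@dataclass
class Component:
    name: str
    level: str
    kind: str  # "safety", "fault_registration" or "other" (assumed classification)
    interfaces: list = field(default_factory=list)
    handles: set = field(default_factory=set)  # fault ids this component detects and handles


@dataclass
class Channel:
    name: str
    level: str
    endpoints: tuple  # names of the two components the channel connects


def check_properties(components, channels, faults):
    """Return a list of violation strings; an empty list means all four checks pass."""
    by_name = {c.name: c for c in components}
    violations = []
    for c in components:
        for i in c.interfaces:
            # P3: a safety component and its safe interface must have the same safety level.
            if i.level != c.level:
                violations.append(f"P3: {c.name}.{i.name} level {i.level} != {c.level}")
            # P2: a safety-related interface may only be activated by a safety
            # component or by the fault registration component.
            if i.safety_related:
                for a in i.activators:
                    if by_name[a].kind not in ("safety", "fault_registration"):
                        violations.append(f"P2: {a} may not activate {c.name}.{i.name}")
    # P6: every identified fault must be detected and handled by at least one component.
    for f in faults:
        if not any(f in c.handles for c in components):
            violations.append(f"P6: fault {f} has no handling component")
    # P12: a safe channel's level may not be lower than that of the components it connects.
    for ch in channels:
        for end in ch.endpoints:
            if level_rank(ch.level) > level_rank(by_name[end].level):
                violations.append(
                    f"P12: channel {ch.name} level {ch.level} below {end} level {by_name[end].level}")
    return violations


def example_model():
    """Constructed sample model containing one violation of each checked property."""
    components = [
        Component("FlightControl", "A", "safety",
                  [Interface("fault_if", "A", activators=["HealthMonitor"])], {"F1"}),
        Component("HealthMonitor", "A", "fault_registration",
                  [Interface("register", "B")], {"F2"}),              # P3: interface level differs
        Component("Logger", "D", "other",
                  [Interface("log", "D", safety_related=False)]),
        Component("Display", "C", "other",
                  [Interface("alert_if", "C", activators=["Logger"])]),  # P2: Logger is not a safety component
    ]
    channels = [
        Channel("bus1", "A", ("FlightControl", "HealthMonitor")),
        Channel("lan1", "C", ("HealthMonitor", "Display")),           # P12: level C below HealthMonitor's A
    ]
    faults = ["F1", "F2", "F3"]                                        # P6: nobody handles F3
    return components, channels, faults


if __name__ == "__main__":
    for violation in check_properties(*example_model()):
        print(violation)
```

The remaining properties (P1, P4, P5, P7 to P11) need richer information than this model carries, such as handling policies and resource budgets, and would be added as further loops over the same structures.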
Step 2: build the graphical extension of the avionics system based on the UCMeta meta-model
As shown in Fig. 2, the invention extends the UCMeta meta-model according to the domain concept model of the safety requirements obtained in step 1, and thereby obtains the graphical extension of the avionics system.
UCMeta is the meta-model of the RUCM method; it is defined using MOF (Meta Object Facility) and comprises the packages UCMeta, UML::UseCases, UCSTemplate, SentenceSemantics, SentencePatterns and SentenceStructure. The last three mainly realize the restriction of natural language. The structure of UCMeta is shown in Fig. 3.
The safety extension of UCMeta focuses on the UCSTemplate package; the metaclass UseCase can be extended by adding a relation to UseCaseSpecification. As shown in Fig. 4, a UseCaseSpecification comprises a BriefDescription, a Precondition, one or more FlowOfEvents, a primary actor and zero or more secondary actors. BriefDescription, Precondition, PostCondition and FlowOfEvents all consist of a series of Sentences. There are two kinds of flow of events: BasicFlow and AlternativeFlow. Each use case must contain one BasicFlow and may have zero or more AlternativeFlows. Each flow of events has a PostCondition, made up of a series of Sentences. There are three kinds of alternative flow: GlobalAlternative, SpecificAlternative and BoundedAlternative. Each AlternativeFlow has a condition and a corresponding reference flow.
Sentences in UCSTemplate are divided into three kinds: simple sentences (metaclass SimpleSentence), complex sentences (sub-package ComplexSentence) and special sentences (sub-package SpecialSentence). A simple sentence contains one independent clause and no subordinate clause: it has only one subject and one predicate. UCMeta has four kinds of complex sentence, corresponding to four keywords: condition (IF-THEN-ELSE-ELSEIF-THEN-ENDIF), loop (DO-UNTIL), concurrency (MEANWHILE) and validation (VALIDATES THAT). Four kinds of special sentence describe how a flow of events in a use case interacts with other flows of events, corresponding to four keywords: RESUME STEP, ABORT, INCLUDE USE CASE and EXTENDED BY.
The detailed extension of the invention is introduced below, for the actor (Actor) and the use case (Use Case) respectively:
(A) Refinement of the Actor
In UML, an actor describes a role outside the system that interacts with the system; it is usually a person using the system, but may also be an external device or a logical entity. The UML standard does not classify actors. In RUCM, for each use case, actors are divided into the Primary Actor and the Secondary Actors: the primary actor is the actor that initiates the use case, and all others are secondary actors.
In the invention, the UML actor concept is classified into four types, as shown in Fig. 5, with the following contents:
(1) Timer: an entity that periodically produces a particular event; it has a duration attribute of type NFP_Duration. NFP_Duration is a data type imported from UML/MARTE, comprising a real number and time-unit information.
(2) HumanActor: the actor is an actual person.
(3) ExternalInstrument: an external device; its direction attribute describes the data input/output direction of the device, and its signal attribute describes whether the signal type of the device is digital or analog. Sensor and Actuator are common concepts in the avionics field and appear here as subclasses of ExternalInstrument.
(4) ExternalSystem: used to describe an external system.
(B) Safety extension of the Use Case
A Use Case describes a set of actions performed by the system, and describes system behavior through its interaction with actors; it is an important concept. The RUCM method standardizes the specification of the Use Case. In the invention, the Use Case is extended to the Safety Use Case, defined as a use case that realizes a certain safety function; a safety function is a function that identifies and handles failures of the system or of its components, so each Safety Use Case must be associated with the identification and handling of one or more failures. The specific extension is introduced below:
(1) Refinement of the Use Case. In the invention, Safety Use Case inherits from Use Case; its model is shown in Fig. 5. A Safety Use Case is defined as a use case that realizes a certain safety function; each Safety Use Case has its own safety level and can identify and handle the corresponding failures, and each Safety Use Case must be associated with the identification and handling of one or more failures.
The DO-178B standard defines and divides the safety levels. The safety level of a Safety Use Case is determined by the severity of the failures that may occur in it. Safety levels are divided into five grades, level-A to level-E, corresponding respectively to catastrophic, hazardous/severe, major, minor and no effect. Safety Use Cases of different levels should receive different degrees of attention.
(2) Requirements modeling of the software safety level. The requirements and constraints related to the software safety level, namely the safety isolation measures, are defined. Safety isolation measures isolate safety-critical systems from non-safety-critical systems, and systems of a higher safety level from systems of a lower safety level, to guarantee that a non-safety-critical system, or a system of lower safety level, cannot affect the function of a safety-critical module in an unexpected way.
In the invention, the requirements and constraints related to the software safety level, namely the safety isolation measures, are defined, and concretely appear in two aspects:
A) When an Actor of the external system or external device type exchanges data with a Safety Use Case, the safety level of the external system or external device shall be not lower than the safety level of the Safety Use Case. For an external system, the safety of the external system should be guaranteed; for an external device, a more reliable external device should be selected.
B) When a Safety Use Case uses a certain resource of the system, the safety level of that resource shall be not lower than the safety level of the Safety Use Case.
In the invention, the data exchange between a use case and an actor, or between a use case and a resource, is represented by a Communication Sentence, as shown in Fig. 6; the Communication Media is the communication medium that supports the transmission of data. Several common communication media are listed in the model: system_call (system call), hw_port (hardware port), bus_protocol (bus), lan_protocol (local area network) and sys_service (services provided by the system, such as blackboards, semaphores and buffers).
Resource likewise defines a corresponding safety level attribute, and a use case can exchange data with a resource, an external device or an external system through a certain medium. Collecting data from, or sending data to, an external device, external system or other use case is represented by the keywords COLLECT INPUT FROM and DELIVER OUTPUT TO, and the transmission mode of the data is represented by the keyword VIA.
(3) Requirements modeling of the software safety function. Safety function requirements identify the hazards arising in the system and take measures to reduce their probability of occurrence or mitigate their effect. They are described in detail below in three aspects:
A) Failure mode and failure effect analysis; the model is shown in Fig. 7. In the invention, the failure effect represents the effect that a failure of a use case has on the system or subsystem in which the use case is located; when this effect may cause a hazard to the system (a safety impact), the use case is safety-critical. Thus, for a Safety Use Case, its failure necessarily causes one or more hazards (Hazard). For each Hazard, its severity and probability of occurrence are defined; both are qualitative. The risk of a hazard is the combination of its probability of occurrence and its severity, and hazards can be classified according to this risk analysis. The severity of a failure is determined by the highest-risk hazard it may cause, and the safety level of a Safety Use Case is determined by its highest-level failure.
B) Failure cause analysis; the model is shown in Fig. 8. The invention describes the cause of a failure by fault analysis, and several common fault types are listed in the model. The triggering of a fault is represented by Trigger: during the execution of one or more sentences, the guard condition is checked; if the condition is not satisfied, a fault is triggered, which in turn causes the use case to fail. The description of the guard condition is represented by a Safety Constraint. Safety constraints are divided into three classes: real-time constraints, data constraints and state constraints. A real-time constraint is a constraint on the period or the execution time; a data constraint is mainly a constraint on data values; a state constraint is a constraint on the execution state of a use case sentence, where the state is one of three kinds: normal, abnormal termination and endless loop. A condition check sentence is described by a Safety Condition Sentence. A condition check sentence is the check of one constraint, and is represented by the keyword CHECK CONSTRAINT. For example, if there is a constraint c1 whose scope is STEP1 and whose constraint is STATE=normal, the corresponding condition check sentence is: The system CHECK CONSTRAINT c1.
C) Failure handling; the way failures are controlled is modeled in Fig. 9. Failures are controlled by a mitigation strategy: Failure Mitigation is defined as a kind of alternative flow, in which a series of handling schemes can be defined to handle the failure. In addition, several common failure handling modes are modeled: Record records the failure; Retry retries the failed part of the function, its attribute retry_times defining the number of retries; Propagate means the failure is not handled in this use case but handed over to another use case or system for handling. At the same time, a series of handling schemes can be defined for each failure according to the type and cause of the failure. Several special sentences, shown in Fig. 10, represent these special handling modes: the Record Sentence is used in the form RECORD THE FAILURE; the Retry Sentence in the form RETRY FOR ... TIMES; the Propagate Sentence in the form PROPOGATE TO USE CASE ...
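The derivation chain in A) above (hazard risk determines failure severity, failure severity determines the failure's level, the highest-level failure determines the Safety Use Case level) and the isolation rules A) and B) of the safety level modeling are small enough to be executed as code. The following added example (not code from the patent or its authors) does so over a constructed Safety Use Case; the qualitative probability scale, the treatment of an unknown (None) probability as the most conservative value, and the lexicographic risk ordering (severity first, then probability) are assumptions of the example, since the page only states that risk combines the two.

```python
"""Deriving failure severity, Safety Use Case level and isolation violations from
hazards. Added example: the probability scale, the None handling and the risk
ordering below are assumptions, not definitions from the page."""
from dataclasses import dataclass
from typing import List, Optional

# Hazard severities as on the page, most severe first, with the level each maps to.
SEVERITIES = ["catastrophic", "hazardous", "major", "minor", "no_effect"]
LEVEL_OF_SEVERITY = dict(zip(SEVERITIES, "ABCDE"))
LEVELS = "ABCDE"  # level A is the most critical
# Constructed qualitative probability scale, most likely first (assumption).
PROBABILITIES = ["frequent", "probable", "remote", "extremely_remote", "extremely_improbable"]


@dataclass
class Hazard:
    hazard_id: str
    severity: str
    probability: Optional[str]  # None: not yet determinable at the requirements stage


@dataclass
class Failure:
    failure_id: str
    mode: str  # one of the five failure modes on the page
    hazards: List[Hazard]


@dataclass
class Communication:
    partner: str        # actor or resource the use case exchanges data with
    partner_kind: str   # "ExternalSystem", "ExternalInstrument" or "Resource"
    partner_level: str
    medium: str         # one of the communication media on the page


def risk_rank(h: Hazard) -> tuple:
    """Lower tuple = higher risk. An unknown probability is treated as the most
    likely one so that an undetermined hazard is never under-ranked (assumption)."""
    p = 0 if h.probability is None else PROBABILITIES.index(h.probability)
    return (SEVERITIES.index(h.severity), p)


def failure_severity(f: Failure) -> str:
    """Severity of a failure = severity of the highest-risk hazard it may cause."""
    return min(f.hazards, key=risk_rank).severity


def failure_level(f: Failure) -> str:
    return LEVEL_OF_SEVERITY[failure_severity(f)]


def use_case_level(failures: List[Failure]) -> str:
    """Safety Use Case level = level of its most critical failure (lowest letter)."""
    return min(failure_level(f) for f in failures)


def isolation_violations(uc_level: str, comms: List[Communication]) -> List[str]:
    """Rules A) and B): every external system, external device or resource exchanging
    data with the Safety Use Case must have a level not lower than the use case's."""
    return [c.partner for c in comms
            if LEVELS.index(c.partner_level) > LEVELS.index(uc_level)]


def example():
    """Constructed brake-pressure monitoring Safety Use Case."""
    f1 = Failure("F1", "input data failure",
                 [Hazard("H1", "major", "remote"), Hazard("H2", "minor", None)])
    f2 = Failure("F2", "timeout failure",
                 [Hazard("H3", "catastrophic", "extremely_improbable")])
    comms = [Communication("NavSystem", "ExternalSystem", "B", "bus_protocol"),
             Communication("SharedBuffer", "Resource", "A", "sys_service"),
             Communication("PressureSensor", "ExternalInstrument", "A", "hw_port")]
    level = use_case_level([f1, f2])
    return f1, f2, level, isolation_violations(level, comms)


if __name__ == "__main__":
    f1, f2, level, bad = example()
    print(failure_severity(f1), failure_level(f1), failure_level(f2), level, bad)
```

Note that H3 dominates F2 even though it is the least probable hazard, because the ordering puts severity before probability; a model that weighs probability more heavily would change which hazard is "highest risk", which is exactly why the combination rule should be fixed before the levels are assigned.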
Step 3: build the avionics system safety requirement template based on the RUCM description template
As shown in Fig. 11, the RUCM description template comprises: the use case name (Use Case Name), the use case summary (Brief Description), the precondition for executing the use case (Precondition), the primary actor of the use case (Primary Actor), the other actors of the use case (Secondary Actors), the dependencies between this use case and other use cases (Dependency), the generalization between this use case and other use cases (Generalization), the basic flow of events (Basic Flow) and the three other kinds of flow of events of this use case (Global Alternative Flow, Bounded Alternative Flow, Specific Alternative Flow). Each flow of events must have a Post Condition representing the result after the flow of events has finished executing; each use case has one and only one Basic Flow, while the number of Global Alternative Flows, Bounded Alternative Flows and Specific Alternative Flows depends on the actual situation. The RUCM description template also comes with corresponding rules and keywords for its use.
The invention not only extends the RUCM requirement description template for the description of safety requirements, but also adds corresponding new rules and keywords. The detailed extension is given below from these two aspects:
(1) Safety requirement description template
The standard RUCM description template defines only three kinds of flow of events: the basic flow, the global alternative flow and the local alternative flow; to describe safety requirements, the flows of events must be extended to describe faults and their corresponding handling modes. An alternative flow is the other disposition taken when a certain event or events occur in the basic flow or in an alternative flow.
The extended safety requirement description template of the invention is as follows:
Table 5: safety requirement description template (the template body is not reproduced on this page)
Table 6: system hazard table
Hazard | Severity | Probability | Failure
(one row per hazard; the template rows are empty)
The main part of the safety requirement template is basically consistent with the ordinary RUCM use case template; only a SafetyLevel row is added, describing the safety level of the use case.
On this basis the safety-related concept descriptions are added; the specific extensions are as follows:
A) Add the failure description
Table 7: failure description
B) Add the failure degradation handling description
Table 8: degradation handling of a failure
Failure Mitigation: the failure degradation measure, an alternative flow in which a series of handling schemes can be defined to handle the failure; predefined handling modes can also be added, and each Failure Mitigation has a Post Condition representing the result of the handling.
C) add constraint definition
Table 9: constraint definition
ConstraintID | Sentence | Constraint
The Constraint part defines the constraints in the use case: ConstraintID is the identifier of the constraint, the Sentence field defines the scope within which the constraint applies, and the Constraint field is the content of the constraint.
D) Add a hazard list for the whole system
Table 10: hazard list
Hazard | Severity | Probability | Failure
After the safety extensions above, a hazard list must also be maintained for the whole system. Through this list, every hazard present in the system, its severity, its probability of occurrence and the failures that cause it are recorded. Hazard denotes the concrete hazard, Severity the severity of the hazard, Probability the probability that the hazard occurs, and Failure the failure that causes the hazard.
Some English terms in the present invention are not given a Chinese meaning; their meaning is that of the English expression translated directly into Chinese.
(2) Add new restriction rules and keywords to the safety requirement template
To balance ease of expression against precision, RUCM defines 26 restriction rules in total: 16 rules restrict the use of natural language, and 10 rules define 10 action descriptions with control structures. These rules, however, cannot cover the description of software safety. The standard RUCM rules are therefore extended; the restriction rules and keywords for safety requirement description in the present invention are as follows:
R1: When the type of a use case's actor is ExternalSystem or ExternalInstrument, the safety level of the ExternalSystem or ExternalInstrument must not be lower than the safety level of the use case.
R2: When a use case accesses a resource, the safety level of that resource must not be lower than the safety level of the use case.
R3: The keywords COLLECT INPUT FROM and DELIEVR OUTPUT TO denote collecting data from, or sending data to, other use cases or external devices; the keyword VIA denotes the communication medium used for the data communication.
R4: The keyword AND denotes a hazard caused jointly by several failures.
R5: The keywords >, <, = and IN denote the range of a constraint value, and the keyword CHECK CONSTRAINT checks a constraint.
R6: The keyword RECORD THE FAILURE denotes recording a failure.
R7: The keyword RETRY FOR..TIMES denotes a retry operation; the number of retries can be defined.
R8: The keyword PROPOGATE TO USE CASE denotes the propagation of a failure.
R9: When a failure propagates to another use case for handling, the safety level of that use case must not be lower than the safety level of the current use case.
R10: The safety level of each failure is determined by the severity of the most serious hazard it causes, and the safety level of each use case is determined by the failure with the highest safety level.
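As an added worked example (not part of the patent text and not the inventors' tooling), the following Python checker shows how the template fields of Tables 7 to 10 and the level rules R1, R2, R9 and R10 can be checked automatically: failure levels are derived from hazard severity, use case levels from their failures, and actor, resource and propagation-target levels are compared against the use case level. The data classes, the severity-to-level mapping (the five DO-178B levels named in claim 4, catastrophic through no effect, mapped to level A through E) and the sample use cases are all constructed for illustration; the propagation target is read from the PROPOGATE TO USE CASE keyword of R8, spelled as in the patent.

```python
"""Added example: a small checker for safety-level rules R1, R2, R9 and R10.
All class names, the level mapping and the sample data are illustrative
assumptions, not the patent's own code or data."""
from dataclasses import dataclass, field
import re

# Level ordering from the text: A is the most critical, E the least.
LEVELS = ["A", "B", "C", "D", "E"]
# Assumed mapping of hazard severity words to levels (claim 4, step 402).
SEVERITY_TO_LEVEL = {"catastrophic": "A", "hazardous": "B", "severe": "B",
                     "major": "C", "minor": "D", "no effect": "E"}


def at_least(level, required):
    """True if `level` is at least as critical as `required` (A >= B >= ... >= E)."""
    return LEVELS.index(level) <= LEVELS.index(required)


def highest(levels):
    """Most critical level among `levels`; 'E' when there are none."""
    return min(levels, key=LEVELS.index, default="E")


@dataclass
class Failure:
    failure_id: str
    hazards: list  # (hazard name, severity word) pairs, as in the hazard list

    def level(self):
        # R10: a failure's level is set by the most severe hazard it causes.
        return highest(SEVERITY_TO_LEVEL[sev] for _, sev in self.hazards)


@dataclass
class Actor:
    name: str
    kind: str           # Timer, HumanActor, ExternalInstrument or ExternalSystem
    level: str = "E"    # only ExternalInstrument / ExternalSystem carry a level


@dataclass
class SafetyUseCase:
    name: str
    actors: list
    resources: dict     # resource name -> safety level of that resource
    failures: list
    mitigation_steps: list = field(default_factory=list)  # Failure Mitigation flow

    def level(self):
        # R10: a use case's level is set by its highest-level failure.
        return highest(f.level() for f in self.failures)


# Keyword of R8, spelled as the patent spells it.
PROPAGATE_RE = re.compile(r"PROPOGATE TO USE CASE (\S+)")


def propagation_targets(use_case):
    """Names of use cases that this use case propagates failures to (R8)."""
    return [m.group(1) for step in use_case.mitigation_steps
            for m in PROPAGATE_RE.finditer(step)]


def check(use_cases):
    """Return human-readable violations of R1, R2 and R9 for a set of use cases."""
    by_name = {uc.name: uc for uc in use_cases}
    violations = []
    for uc in use_cases:
        lvl = uc.level()
        for a in uc.actors:  # R1: external actors must reach the use case level
            if a.kind in ("ExternalSystem", "ExternalInstrument") and not at_least(a.level, lvl):
                violations.append(f"R1: actor {a.name} ({a.level}) below use case {uc.name} ({lvl})")
        for res, rl in uc.resources.items():  # R2: resources must reach the use case level
            if not at_least(rl, lvl):
                violations.append(f"R2: resource {res} ({rl}) below use case {uc.name} ({lvl})")
        for target in propagation_targets(uc):  # R9: propagation target must reach the level
            if target not in by_name:
                violations.append(f"R9: {uc.name} propagates to unknown use case {target}")
            elif not at_least(by_name[target].level(), lvl):
                violations.append(f"R9: target {target} ({by_name[target].level()}) below {uc.name} ({lvl})")
    return violations


# Constructed sample model (illustrative only): one level-A use case whose
# event log resource and propagation target are both rated too low.
SAMPLE = [
    SafetyUseCase(
        name="MonitorAltitude",
        actors=[Actor("RadarAltimeter", "ExternalInstrument", "A"), Actor("Pilot", "HumanActor")],
        resources={"AltitudeBuffer": "A", "EventLog": "C"},
        failures=[Failure("F1", [("LossOfAltitudeData", "catastrophic")])],
        mitigation_steps=["RETRY FOR 3 TIMES", "RECORD THE FAILURE",
                          "PROPOGATE TO USE CASE FlightWarning"],
    ),
    SafetyUseCase(
        name="FlightWarning",
        actors=[Actor("WarningPanel", "ExternalInstrument", "B")],
        resources={},
        failures=[Failure("F2", [("WarningNotShown", "hazardous")])],
    ),
]

if __name__ == "__main__":
    for v in check(SAMPLE):
        print(v)
```

Running the block on the constructed sample reports two violations: the EventLog resource (level C) and the FlightWarning propagation target (level B) are both below the level A that R10 assigns to MonitorAltitude. Because the levels are computed from the hazard list rather than typed by hand, raising a hazard's severity automatically re-checks every actor, resource and propagation edge that depends on it.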
Embodiment
In the example below, safety requirements are described using the safety requirement template and the keywords.
[Figure: example safety requirement description (image in the original patent)]

Claims (6)

1. A safety requirement modeling method applicable to avionics systems, characterized in that it comprises the following steps:
Step 1: establish a domain concept model of the safety requirements; the domain concept model is created by performing safety identification on existing avionics system software according to the RTCA/DO-178B standard;
Step 2: construct a graphical extension of the avionics system based on the UCMeta metamodel; this graphical extension is obtained by extending the UCMeta metamodel according to the domain concept model of the safety requirements obtained in Step 1;
Step 3: construct an avionics system safety requirement template based on the RUCM description template; this avionics system safety requirement template is obtained by adding the related items to the RUCM description template.
2. The safety requirement modeling method applicable to avionics systems according to claim 1, characterized in that: in Step 2, the domain concept model is converted into a UML Profile and the safety extension is made in UCMeta, the metamodel of RUCM; the Actor is refined, and the Use Case is extended for safety to establish the Safety Use Case; the domain concept model is analyzed to determine the safety requirement description template and the use of restriction rules and keywords; the RUCM description template is extended to describe safety requirements, and 10 safety description rules and several keywords are added to ensure that the RUCM description is complete, accurate and unambiguous; the extended UCMeta creates a Use Case Diagram that supports safety requirement description, and through each Use Case the user gives a complete and accurate functional description and safety requirement description.
3. The safety requirement modeling method applicable to avionics systems according to claim 2, characterized in that the steps of refining the Actor are:
Step 301: extend the Actor according to the characteristics of embedded real-time systems, dividing Actor into four types: Timer, Human Actor, External Instrument and External System;
Step 302: an embedded real-time system contains many periodic tasks, and a Timer is used to trigger a periodic action; its attribute duration denotes the length of the period, and the type of its value, NFD_Duration, comprises a time unit and a time value; Human Actor denotes the user who triggers the related use case;
Step 303: External Instrument denotes an external device that exchanges data with the use case, such as a sensor or a signal receiver; its attributes direction and signal denote the data transfer direction and the signal type respectively;
Step 304: External System denotes an external use case, subsystem or system that interacts with the use case;
Step 305: both External Instrument and External System define a safety level.
4. The safety requirement modeling method applicable to avionics systems according to claim 2, characterized in that the Use Case refinement steps are:
Step 401: Safety Use Case inherits from Use Case; a Safety Use Case is defined as a use case that implements a certain safety function, and a safety function is the function of identifying and handling failures of the system or of its components; therefore each Safety Use Case must be associated with the identification and handling of one or more failures;
Step 402: according to the definition and division of safety levels in the DO-178B standard, the safety level of a Safety Use Case is divided into five levels, level-A to level-E, corresponding respectively to catastrophic, hazardous/severe, major, minor and no effect.
5. The safety requirement modeling method applicable to avionics systems according to claim 2, characterized in that the safety description rules are:
R1: When the type of a use case's actor is ExternalSystem or ExternalInstrument, the safety level of the ExternalSystem or ExternalInstrument must not be lower than the safety level of the use case.
R2: When a use case accesses a resource, the safety level of that resource must not be lower than the safety level of the use case.
R3: The keywords COLLECT INPUT FROM and DELIEVR OUTPUT TO denote collecting data from, or sending data to, other use cases or external devices; the keyword VIA denotes the communication medium used for the data communication.
R4: The keyword AND denotes a hazard caused jointly by several failures.
R5: The keywords >, <, = and IN denote the range of a constraint value, and the keyword CHECKCONSTRAINT checks a constraint.
R6: The keyword RECORD THE FAILURE denotes recording a failure.
R7: The keyword RETRY FOR..TIMES denotes a retry operation; the number of retries can be defined.
R8: The keyword PROPOGATE TO USE CASE denotes the propagation of a failure.
R9: When a failure propagates to another use case for handling, the safety level of that use case must not be lower than the safety level of the current use case.
R10: The safety level of each failure is determined by the severity of the most serious hazard it causes, and the safety level of each use case is determined by the failure with the highest safety level.
6. The safety requirement modeling method applicable to avionics systems according to claim 1, characterized in that the complete structure of the avionics system safety requirement template is:
FailureID: the identification number of each failure;
FailureDescription: a brief description of the failure behaviour;
Failure Mode: the failure mode; its value is an enumerated type;
Failure Cause: the cause of the failure, namely the type of fault that triggered the failure; its value is an enumerated type;
Level: the safety level of the failure, determined by the severity of the hazard it causes;
Hazard: the hazard caused by the failure; this field is the name of the hazard;
FailureMitigate: the failure mitigation measures, a branch flow; a series of handling procedures can be defined to handle the failure, and predefined handling modes can also be added;
the Constraint part defines the constraints in the use case: ConstraintID is the identifier of the constraint, Sentence defines the scope within which the constraint applies, and Constraint is the content of the constraint.
Application CN201310595322.0A, priority date 2013-11-21, filing date 2013-11-21: Safety requirement modeling method applicable for avionics system. Status: Active; granted as CN103853871B (en).

Publications (2)
CN103853871A (application, published 2014-06-11)
CN103853871B (granted patent, published 2017-05-24)


Legal Events
Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant