STPA-based security critical system formalization development method, system and storage medium

Document No.: 69526  Published: 2021-10-01  Views: 3  Chinese

Reading note: This technology, "STPA-based security critical system formalization development method, system and storage medium" (基于STPA的安全攸关系统形式化开发方法、系统及存储介质), was designed and created by 梅萌 on 2021-06-30. Its main content is as follows: the invention relates to an STPA-based formal development method, system and storage medium for safety-critical systems, where the formal development method comprises: step 1: determining, based on the STPA safety analysis method, the constraint corresponding to each unsafe control operation (UCA); step 2: modelling the safety-critical system with a formal method and adding each constraint obtained in step 1 at the corresponding refinement level; step 3: completing the proof of the safety-critical model; step 4: generating executable code to complete development of the safety-critical system. Compared with the prior art, the invention has the advantages of high credibility and good reliability.

1. An STPA-based formal development method for safety-critical systems, characterized by comprising the following steps:

step 1: determining, based on the STPA safety analysis method, the constraint corresponding to each unsafe control operation UCA;

step 2: modelling the safety-critical system with a formal method, and adding each constraint obtained in step 1 at the corresponding level;

step 3: completing the proof of the safety-critical model;

step 4: generating executable code to complete development of the safety-critical system.

2. The STPA-based safety critical systems formalization development method according to claim 1, wherein the step 1 specifically comprises:

step 1-1: determining accidents and hazards in the safety critical system;

step 1-2: acquiring a control structure chart;

step 1-3: the system requirements are arranged, and a model refinement strategy is determined;

step 1-4: identifying an unsafe control operation UCA;

step 1-5: obtaining the constraint conditions of each UCA and describing the constraint by using a natural language.

3. The STPA-based safety critical systems formalization development method according to claim 2, characterized in that the step 1-1 is specifically:

the goals of the safety-critical system, the boundaries of the system, the accidents that are unacceptable for the system, and the hazard events associated with each accident are determined.

4. The STPA-based safety critical systems formalization development method according to claim 2, characterized in that the steps 1-2 are specifically:

the control relationships and information exchange among the components of the safety-critical system are determined, and a control structure diagram is then drawn to clearly show the control relationships and the control operations.

5. The STPA-based safety critical systems formalization development method according to claim 2, wherein the unsafe control operations UCA in steps 1-4 comprise:

no control operation is performed;

unsafe control operations that cause danger are performed;

control operations are performed but the operations are performed too early, too late, or in the wrong order;

the control operation is performed but the operation is stopped prematurely or lasts too long.

6. The STPA-based safety critical systems formalization development method of claim 1, wherein the formal method in step 2 is the Event-B method.

7. The STPA-based safety critical systems formalization development method according to claim 1, wherein step 3 further comprises: after the proof of the safety-critical model is finished, judging whether the code generation condition is met; if so, executing step 4, otherwise searching for deficiencies or errors in the system requirements and continuing to complete the proof of the safety-critical model.

8. The STPA-based security critical systems formalization development method according to claim 7, wherein the code generation condition is: the system model has completed all proofs and all requirements are not in conflict with each other.

9. A security critical systems formalization development system for the STPA-based security critical systems formalization development method according to claim 1, wherein the development system comprises:

the STPA safety analysis module is used for analysing the unsafe control operations UCA of the safety-critical system and generating the corresponding constraints;

the formal modeling module is used for performing formal modeling on the safety-critical system and adopting the unsafe control operation UCA constraint condition generated by the STPA safety analysis module;

the model certification module is used for realizing certification of the safety-critical system formalized model;

and the code generation module is used for generating executable code from the formal model whose proof has been completed.

10. A storage medium, wherein the STPA-based security critical system formalization development method according to any one of claims 1-8 is stored in the storage medium.

Technical Field

The invention relates to the technical field of development of security critical systems, in particular to a security critical system formalization development method and system based on STPA and a storage medium.

Background

In a safety-critical system, hazard identification and safety analysis are the main technical means for discovering the hazards inherent in the system, analysing the severity of the accidents those hazards can cause, and finally managing and controlling the risks in the system effectively. Traditional safety analysis techniques such as FTA and FMEA can analyse the component failures that endanger the system and link the system's failure probability to component failures, but as system complexity grows they become insufficient for analysing the interactions between the components of a complex system. STPA (System-Theoretic Process Analysis) is based on STAMP, an accident analysis model for large-scale systems; it treats safety problems as control problems and focuses on system hazards caused by improper control and unsafe interactions between components. Compared with traditional safety analysis techniques, it can identify the factors that cause system hazards more comprehensively and so increase the safety of the system.

In the prior art, when a safety-critical system is modelled the safety constraints are set manually, without any related safety analysis technique, so the constraints are chosen arbitrarily and the safety of the system is poor; in addition, verification by simulation consumes a great deal of time, manpower and material resources, problems in the system cannot be found in time, and the speed of system construction suffers.

Disclosure of Invention

The present invention is directed to overcoming the above-mentioned drawbacks of the prior art and providing an STPA-based formal development method, system and storage medium for safety-critical systems with high credibility and good reliability.

The purpose of the invention can be realized by the following technical scheme:

an STPA-based formal development method for safety-critical systems, the development method comprising:

step 1: determining, based on the STPA safety analysis method, the constraint corresponding to each unsafe control operation UCA;

step 2: modelling the safety-critical system with a formal method, and adding each constraint obtained in step 1 at the corresponding level;

step 3: completing the proof of the safety-critical model;

step 4: generating executable code to complete development of the safety-critical system.

Preferably, the step 1 specifically comprises:

step 1-1: determining accidents and hazards in the safety critical system;

step 1-2: acquiring a control structure chart;

step 1-3: the system requirements are arranged, and a model refinement strategy is determined;

step 1-4: identifying an unsafe control operation UCA;

step 1-5: obtaining the constraint conditions of each UCA and describing the constraint by using a natural language.

More preferably, the step 1-1 specifically comprises:

the goals of the safety-critical system, the boundaries of the system, the accidents that are unacceptable for the system, and the hazard events associated with each accident are determined.

More preferably, the step 1-2 is specifically:

the control relationships and information exchange among the components of the safety-critical system are determined, and a control structure diagram is then drawn to clearly show the control relationships and the control operations.

More preferably, the unsafe control operations UCA in steps 1-4 comprise:

no control operation is performed;

unsafe control operations that cause danger are performed;

control operations are performed but the operations are performed too early, too late, or in the wrong order;

the control operation is performed but the operation is stopped prematurely or lasts too long.

Preferably, the formal method in step 2 is the Event-B method.

Preferably, step 3 further comprises: after the proof of the safety-critical model is finished, judging whether the code generation condition is met; if so, executing step 4, otherwise searching for deficiencies or errors in the system requirements and continuing to complete the proof of the safety-critical model.

More preferably, the code generation condition is: the system model has completed all proofs and all requirements are not in conflict with each other.

A security critical systems formalization development system for use in the STPA-based security critical systems formalization development method as described above, the development system comprising:

the STPA safety analysis module is used for analysing the unsafe control operations UCA of the safety-critical system and generating the corresponding constraints;

the formal modeling module is used for performing formal modeling on the safety-critical system and adopting the unsafe control operation UCA constraint condition generated by the STPA safety analysis module;

the model certification module is used for realizing certification of the safety-critical system formalized model;

and the code generation module is used for generating executable code from the formal model whose proof has been completed.

A storage medium having stored therein the STPA-based security critical systems formalization development method according to any of the above.

Compared with the prior art, the invention has the following beneficial effects:

the formal development method for safety-critical systems combines the STPA safety analysis technique with the Event-B method, integrating the more comprehensive coverage of STPA in safety analysis with the rigorous property proofs of Event-B to form a formal development method based on safety analysis; safety constraints for the system are derived by systematically analysing the hazards present in the safety-critical system and all possible improper operations in the system; the safety requirements are embedded into the system during development, so that inaccuracies and inconsistencies in the system requirements can be discovered early; mathematical proof is used in the model to ensure that the safety requirements are consistently satisfied, thereby achieving the aim of constructing a safe system, and the safety-critical system so constructed has higher credibility and reliability.

Drawings

FIG. 1 is a schematic flow chart of a safety critical system formalization development method of the present invention;

FIG. 2 is a control block diagram of a railway interlock system in an embodiment of the present invention;

FIG. 3 is a diagram illustrating a request iteration update of the system according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, shall fall within the scope of protection of the present invention.

An STPA-based formal development method for safety-critical systems, whose flow is shown in FIG. 1, includes:

step 1: determining, based on the STPA safety analysis method, the constraint corresponding to each unsafe control operation UCA;

step 1-1: determining accidents and hazards in the safety critical system, specifically:

determining the purpose of the safety critical system, the boundaries of the system, the incidents that are unacceptable to the system, and the presence of hazardous events associated with each incident;

step 1-2: acquiring a control structure diagram, specifically:

determining the control relationships and the information exchange among all components of the safety-critical system, then drawing a control structure diagram that clearly shows the control relationships and the control operations;

step 1-3: the system requirements are arranged, and a model refinement strategy is determined;

step 1-4: identifying an unsafe control operation UCA, comprising:

no control operation is performed;

unsafe control operations that cause danger are performed;

control operations are performed but the operations are performed too early, too late, or in the wrong order;

control operations are performed, but the operations are stopped prematurely or are of too long duration;

step 1-5: acquiring constraint conditions of various UCAs, and describing constraints by using a natural language;

step 2: modeling a safety-critical system by using a formal method, and adding each constraint condition obtained in the step 1 in a corresponding level;

in the embodiment, an Event-B formalization method is adopted to model the safety critical system;

step 3: completing the proof of the safety-critical model and judging whether the code generation condition is met; if so, executing step 4, otherwise searching for deficiencies or errors in the system requirements and continuing to complete the proof of the safety-critical model;

the code generation condition is as follows: the system model has completed all proofs and no requirements conflict with each other;

step 4: generating executable code to complete development of the safety-critical system.

The following takes a railway interlock system as an example:

step 1: determining, based on the STPA safety analysis method, the constraint corresponding to each unsafe control operation UCA;

step 1-1: determining accidents and hazards in the safety critical system, specifically:

determining the purpose of the safety critical system, the boundaries of the system, the incidents that are unacceptable to the system, and the presence of hazardous events associated with each incident;

table 1 shows the incidents associated with the system and the hazard events associated with each incident.

TABLE 1 interlock system related incidents and hazard events associated with each incident

Step 1-2: acquiring a control structure diagram, as shown in FIG. 2;

step 1-3: the system requirements are arranged, and a model refinement strategy is determined;

interlock system requirements are shown in table 2.

TABLE 2 interlock System requirements

Step 1-4: identifying unsafe control operations UCA. There are four scenarios: (1) no control operation is performed; (2) an unsafe control operation that may cause danger is performed; (3) a control operation is performed, but too early, too late, or in the wrong order; (4) a control operation is performed but is stopped prematurely or lasts too long. For each control operation in the system, every potentially unsafe control operation that may cause harm must be identified; taking the interlock system as an example, the table of unsafe control operations UCA shown in Table 3 is obtained by analysing the control structure diagram of FIG. 2 against the four categories of unsafe control operations.

TABLE 3 UNSAFE CONTROL OPERATION UCA TABLE

Step 1-5: the constraints for each item of UCA are obtained and the constraints are described using natural language, as shown in table 4.

TABLE 4 safety constraints

Safety constraint
SC1: The switches on the route occupied by a train are all locked in the correct direction.
SC2: A switch cannot be unlocked while the section in which it lies has not been released.
SC3: The locking operation is performed only after the switch has finished moving.
SC4: The route may be passed only after locking is complete.
SC5: The signal lights comply with the fail-safe principle.
SC6: The signal is opened only when the route is established and no train has yet entered it.
SC7: Permission to pass on a conflicting route may be issued only after the train has left the switch by a certain distance.

Step 2: modeling a safety-critical system by using a formal method, and adding each constraint condition obtained in the step 1 in a corresponding level;

the model is built and perfected step by step by continuous refinement; during model construction the various requirements, including the safety constraints, are mapped in an appropriate way to the corresponding positions in the model. Model construction is accompanied by model proof, and the proof process refines and optimises the requirements table.

The method specifically comprises the following steps of:

Initial model: the section and route concepts, and the most basic route establishment and release events.

First refinement: add the physical track concept, the switch transition event, and SC1.

Second refinement: add the route-ready concept.

Third refinement: add the turnout (switch) concept.

Fourth refinement: add the locking concept and locking events, and SC2, SC3, SC4, SC5.

Fifth refinement: add the train concept and the destination request event.

Sixth refinement: add the driving permission concept.

Seventh refinement: add the signal light concept and SC6.

Eighth refinement: add the contact limit concept and SC7.

FIG. 3 is a schematic diagram of the iterative update of the system requirements, showing the process from their establishment to their update: in step 1-3 of the method (arranging the system requirements), the system requirements table is established for the first time; in step 1-5, the safety requirements within the system requirements are supplemented and perfected using the safety constraints; and in steps 2-4, the modelling process, cases in which the original system requirements are incomplete or conflict with each other are found while the model is built and refined, at which point the model and the system requirements table must be modified and rewritten into a conflict-free version.

Step 3: completing the proof of the safety-critical model and judging whether the code generation condition is met; if so, executing step 4, otherwise searching for deficiencies or errors in the system requirements and continuing to complete the proof of the safety-critical model;

the code generation condition is as follows: the system model has completed all proofs and no requirements conflict with each other;

step 4: generating executable code to complete development of the safety-critical system.

A formal method is a systematic way to determine whether a program has certain desirable properties. Traditional software development is centred on functional requirements, and the safety requirements are usually verified only after development is finished. The earlier an error is found in the software life cycle, the simpler and cheaper its correction. The earlier a formal method is applied in the software life cycle, the less likely an error is to occur. Compared with traditional development and verification, applying the formal method during development allows inconsistencies in the requirements to be found effectively and in time, so that the system can be modified as early as possible. The Event-B method is a formal method based on theorem proving; it constructs and perfects a model by continuous refinement, so that the model proceeds from the abstract to the concrete and from requirements to implementation. At each refinement level, the Event-B method uses rigorous mathematical proof to ensure consistency between levels, so that properties verified at a lower (more abstract) level are not violated by a higher (more concrete) level.
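As an added illustration of steps 2 and 3 above (mapping the Table 4 constraints to event guards and to a model invariant, then checking them after every event, which is what the Event-B proof obligations establish across refinement levels), the following Python model is not from the patent and stands in for the Event-B/Rodin tool chain; the topology (one switch W1 in section S1, one route R1 over S1 and S2), the event names and the exact guard formulas are assumptions. With the SC2 guard in place, the unsafe control operation "unlock a switch while its section is still occupied" is refused and the SC1 invariant holds; with the guard omitted, the same sequence drives the model into a state that violates SC1.

```python
# Added example (not from the patent): Event-B-style guarded events and an invariant for the
# interlock of Table 4, in Python. Topology, event names and guard formulas are assumptions.

class GuardFailed(Exception):
    """Raised when an event's guard (one safety constraint from Table 4) does not hold."""

class Interlock:
    # Constructed topology: route R1 runs over sections S1, S2 and needs switch W1 reverse.
    SECTION_OF = {"W1": "S1"}  # the section each switch lies in
    ROUTES = {"R1": {"sections": ("S1", "S2"), "switches": {"W1": "reverse"}}}

    def __init__(self, enforce_guards=True):
        self.enforce_guards = enforce_guards  # False simulates a model with a missing guard
        self.position = {"W1": "normal"}      # commanded position, valid once not moving
        self.moving = set()                   # switches whose transition has not finished
        self.locked = set()                   # locked switches
        self.occupied = set()                 # sections not yet released by a train
        self.established = set()              # routes currently set

    def guard(self, holds, constraint):
        if self.enforce_guards and not holds:
            raise GuardFailed(constraint)

    # Events: each guard is the model-level form of one natural-language constraint.
    def start_move(self, w, pos):
        self.guard(w not in self.locked, "a locked switch must not be moved")
        self.moving.add(w)
        self.position[w] = pos

    def finish_move(self, w):
        self.guard(w in self.moving, "no switch transition is in progress")
        self.moving.discard(w)

    def lock(self, w):
        self.guard(w not in self.moving, "SC3: lock only after the switch has finished moving")
        self.locked.add(w)

    def unlock(self, w):
        self.guard(self.SECTION_OF[w] not in self.occupied, "SC2: section not yet released")
        self.locked.discard(w)

    def set_route(self, r):
        need = self.ROUTES[r]["switches"].items()
        ready = all(w in self.locked and self.position[w] == p for w, p in need)
        self.guard(ready, "SC4: the route may be passed only after locking is complete")
        self.established.add(r)

    def train_enters(self, r):
        self.guard(r in self.established, "SC6: signal opens only for an established route")
        self.occupied.update(self.ROUTES[r]["sections"])

    # Invariant: SC1 in the form a proof obligation would state it, checked after each event.
    def invariants_hold(self):
        for r in self.established:
            for w, p in self.ROUTES[r]["switches"].items():
                if w not in self.locked or w in self.moving or self.position[w] != p:
                    return False  # a route switch is not locked in the correct direction
        return True

def run_scenario(enforce_guards):
    """Establish R1, admit a train, then attempt the UCA 'unlock W1 while S1 is occupied'."""
    m = Interlock(enforce_guards)
    m.start_move("W1", "reverse")
    m.finish_move("W1")
    m.lock("W1")
    m.set_route("R1")
    m.train_enters("R1")
    try:
        m.unlock("W1")                 # SC2 guard must refuse this: S1 is still occupied
        m.start_move("W1", "normal")   # without the guard the switch moves under the train
        m.finish_move("W1")
        refused = False
    except GuardFailed:
        refused = True
    return refused, m.invariants_hold()  # guarded: (True, True); guard omitted: (False, False)
```

Event-B would discharge the same check as a proof obligation for every event and every refinement level rather than by executing one scenario; the SC3 guard on `lock` can be exercised the same way by calling `lock` between `start_move` and `finish_move`.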

The System-Theoretic Process Analysis (STPA) method of the embodiment determines the hazard events, establishes the safety constraints and the control structure, then identifies the unsafe control operations from the hazard events and sets safety constraints for the system according to those unsafe control operations. The system requirements are fully analysed while the system is being understood in the early stage, and the safety constraints obtained from the safety analysis are then used as safety requirements to complement and perfect the system; this is the first supplementary modification of the system requirements. During the building and refinement of the model, each requirement is mapped to the corresponding level of the model while the generated proof obligations are discharged; aspects in which the earlier requirements analysis was incomplete can be found during modelling and proof, which is the second supplementary modification of the system requirements. After the model is built and fully proved, target code can be generated and development of the system is completed. Throughout the process, the unsafe problems that endanger the system are analysed comprehensively, the safety requirements are integrated into the construction of the system, and a formal method is applied early in the software development cycle to prove the safety properties of the system, giving a low-risk development method.

The STPA safety analysis technique is combined with the Event-B method, uniting the strengths of STPA in safety analysis with the rigorous property proofs of Event-B to form a formal development method based on safety analysis. With this method, more comprehensive hazard factors and safety constraints (safety requirements) are captured, the safety constraints are mapped to the corresponding levels of the model, and mathematical proof guarantees that the properties are not violated; after refinement is complete, executable code can be generated automatically, completing the safe development process of the system.

While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
