CN108829955A - Aero-engine airworthiness safety verification method - Google Patents

Aero-engine airworthiness safety verification method

Info

Publication number
CN108829955A
Authority
CN
China
Prior art keywords
aero
engine
prism
dtmc
model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810557848.2A
Other languages
Chinese (zh)
Inventor
黄志球
宛伟健
谢健
葛晓瑜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics
Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F30/00 Computer-aided design [CAD] > G06F30/20 Design optimisation, verification or simulation > G06F30/23 Design optimisation, verification or simulation using finite element methods [FEM] or finite difference methods [FDM]
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F30/00 Computer-aided design [CAD] > G06F30/10 Geometric CAD > G06F30/15 Vehicle, aircraft or watercraft design


Abstract

The invention discloses an aero-engine airworthiness safety verification method belonging to the field of system safety verification. The dynamic behaviour of the aero-engine system is described with the dynamic logic gates that a dynamic fault tree introduces to express temporal logic relations, so that the sequential relations between failures of critical engine components are modelled. The generated dynamic fault tree is then given a formal specification and converted into a discrete-time Markov chain (DTMC) model; the DTMC model is described and expressed by the method of probabilistic model checking, and the airworthiness safety requirement properties are formally verified. The invention takes into account the sequential relations between occurrences of aero-engine system failures and so resolves the problem that traditional analysis always assumes failure occurrences to be independent.

Description

Aero-engine airworthiness safety verification method
Technical field
The present invention relates to an aero-engine airworthiness safety verification method, in particular one that combines fault trees with probabilistic model checking, and belongs to the field of system safety verification.
Background technique
An aero-engine is structurally complex and usually operates in a harsh high-speed, high-temperature environment; once it fails, the consequences may be catastrophic. Safety design, analysis, assessment and compliance verification must therefore be carried out during engine development to ensure that the engine finally developed satisfies the relevant safety requirements.
CCAR33-R2, the Aero-engine Airworthiness Regulation, is the minimum safety standard that an aero-engine must satisfy. Its clause 75, CCAR33-R2.75, explicitly stipulates the safety requirements of the engine. The verification requirements of clause CCAR33-R2.75 are as follows:
1) the expected probability of occurrence of a hazardous engine effect must not exceed the defined extremely remote probability (1E-7 to 1E-9 per engine flight hour);
2) the expected probability of occurrence of a major engine effect must not exceed the defined remote probability (1E-5 to 1E-7 per engine flight hour).
Fault tree analysis, as a traditional means of safety analysis, is widely used in safety-critical fields such as avionics, nuclear energy and the chemical industry, but a conventional fault tree cannot model the faults of a dynamic system: it describes only the static logic relations of the system and cannot describe its temporal logic relations.
The dynamic fault tree (DFT) extends the conventional fault tree by introducing dynamic logic gates that describe temporal logic relations, so that reliability and safety analysis can be carried out on dynamic systems, and it is widely used for fault modelling of such systems. A dynamic fault tree is, however, a semi-formal model on which safety analysis and verification cannot be performed directly; it must first be given a formal specification before safety analysis and verification can follow.
On the safety of aero-engines, domestic and foreign scholars have carried out a series of studies. Professor S. Gupata et al. of the University of Pennsylvania proposed a data-driven early-stage fault detection method for aircraft turbine engines, modelling and analysing the transient data of the take-off phase with a Markov model, and finally demonstrated the feasibility and correctness of the method with the NASA CMAPSS transient test-case generator.
S. Arthasartsri et al. of the Royal Melbourne Institute of Technology analysed the main modules and functions of an aircraft engine with FMEA; the article describes the analysis steps of FMEA carried out with the RCMcost simulation software to find all potential failure modes, analyse their possible consequences and make improvements during the design process, improving the safety and reliability of the engine.
A thesis from Dalian University of Technology combined reliability analysis and simulation technology with fault tree analysis (FTA) to draw, analyse and simulate the fault tree of the Full Authority Digital Engine Control (FADEC) system of an aero-engine.
Huang Qingxiong et al. of the Shenyang Engine Design and Research Institute used fault tree analysis to carry out a comprehensive rotor containment fault tree safety analysis of a certain type of aero-engine.
Li Yanjun et al. of Nanjing University of Aeronautics and Astronautics proposed an aero-engine airworthiness safety verification method based on FMECA and FTA: the hazardous and major engine effects in CCAR33-R2.75 are first selected as top events, then the combined FMECA and FTA analysis method is used to carry out safety analysis and verification of the aero-engine, with Isograph reliability software used to draw the fault trees and compute the probability of occurrence of the top events.
The above studies show that traditional safety analysis and verification methods are mostly based on manual work and have the disadvantages of a complicated calculation process and inaccurate results. Moreover, because of the complexity of the aero-engine itself, component failures often occur with strong coupling, yet existing analysis methods do not consider this dynamic characteristic and assume that failures occur independently. On this basis, the CCAR33-R2.75 airworthiness clause for aero-engines calls for an aero-engine airworthiness safety verification method that combines dynamic fault trees with probabilistic model checking, so as to achieve fault modelling of the system's dynamic behaviour and verification of its safety.
Summary of the invention
The main object of the present invention is to provide an aero-engine airworthiness safety verification method that overcomes the disadvantages of traditional safety analysis and verification methods, which are based on manual work, have a complicated calculation process and give inaccurate results, and at the same time solves the problem that existing analysis methods do not consider aero-engine dynamics and assume that failures occur independently.
The purpose of the present invention is achieved by the following technical solution:
An aero-engine airworthiness safety verification method describes the dynamic behaviour of the aero-engine system with the dynamic logic gates introduced in a dynamic fault tree to express temporal logic relations, models the sequential relations between failures of critical engine components, gives the generated dynamic fault tree a formal specification and converts it into a DTMC model, then describes and expresses the DTMC model by the method of probabilistic model checking and formally verifies the airworthiness safety requirement properties.
Further, the method specifically comprises the following steps:
Step 1: model the aero-engine failures and give them a formal specification
The dynamic behaviour of the aero-engine is modelled so as to describe the sequential relations between occurrences of aero-engine failures; the dynamic fault tree is then converted into a DTMC model, which describes the semantics of the dynamic fault tree precisely and serves as the basis for safety verification;
Step 2: carry out probabilistic model checking
The generated DTMC model is described and expressed in the probabilistic model checking language PRISM and converted into PRISM code; at the same time, properties are extracted from the airworthiness safety requirements to generate PCTL formulas, and the generated PRISM code and PCTL formulas are put into the PRISM tool for automated property verification.
Further, step 1 specifically comprises the following steps:
Step 1.1: model the dynamic behaviour of the aero-engine with a dynamic fault tree, so as to describe the sequential relations between aero-engine failures;
Step 1.2: give the dynamic fault tree a formal specification and convert it into a DTMC model. Fault tree events, as the inputs of the logic gates, are converted into variables of the DTMC model's states, and the failure probabilities of fault tree events are described by the transition probabilities of the DTMC model; the DFT formal specification process is thus mainly the process of converting logic gates into DTMC models.
Further, step 1.1 is realized by the following method:
The sequential relations between aero-engine failures are described in detail with the dynamic logic gates of the dynamic fault tree, and the sequential relations between failures are modelled;
the dynamic logic gates include PAND, SPARE and FDEP;
when component failures occurring in a certain order cause other failures to occur, the situation can be modelled with PAND; when there is a dependency between component failures, the situation can be modelled with FDEP; and when one component is shared by several components, SPARE can be used to describe the relation.
Further, PAND is used to describe the situation where failures must occur in a certain order before another failure can be caused;
SPARE is used to describe the situation where several components fail and there is a priority relation between the components: when a secondary component fails while the primary component has not failed, no further failure is caused;
FDEP is used to describe a dependency between failures: when one component fails, the components that depend on it fail with it.
Further, in step 1.2 the DFT formal specification process is mainly the process of converting logic gates into DTMC models: the AND gate, OR gate, PAND gate and FDEP gate are each converted into a DTMC model, that is, each logic gate is converted into a finite-state transition system
where: $S$ is a finite set of states;
the initial state is an element of the state set $S$;
$P: S \times S \to [0,1]$ is the probability transition matrix, and for every state $s \in S$ we have $\sum_{s' \in S} P(s, s') = 1$;
$L: S \to 2^{AP}$ is a labelling function that maps each state in $S$ to a set of atomic propositions drawn from $AP$.
Further, step 2 specifically comprises the following steps:
Step 2.1: describe the DTMC model generated in step 1.2 with the probabilistic model checking language PRISM and convert it into PRISM code; the code blocks corresponding to the DTMC modules of the logic gates of the whole fault tree are combined in a modular way to generate the PRISM code corresponding to the whole fault tree;
Step 2.2: extract properties from the safety requirements to be verified, generate PCTL formulas, and put the PRISM code generated in step 2.1 together with the PCTL formulas into the PRISM tool to carry out property verification.
Further, step 2.1 is implemented as follows:
The DTMC model is described in the PRISM language; each DTMC model is converted into a code block inside PRISM, that is, one module;
each module describes a finite-state system, and the format of each module is as follows:
module XXX
... (the DTMC model expressed in PRISM commands)
endmodule
where the format of a PRISM command is as follows:
a command is the tuple cmd = (act, guard, rate, action),
written in the form: [<act>] <guard> → <rate> : <action>,
where act is an action label;
guard is the predicate of the action;
rate is a number giving the probability with which the action occurs;
action is the transition in the model, expressing the update of a group of n variables.
Further, step 2.2 is implemented as follows:
The PRISM code generated in step 2.1, that is, the module code block corresponding to each DTMC, is put into the Model module of the PRISM tool; the safety requirements are analysed, properties are extracted from them according to the calculation logic of the probability tree and converted into PCTL formulas, which are put into the Properties module of the PRISM tool, and the safety properties are then verified automatically inside the PRISM tool.
Advantageous effects of the invention: compared with traditional safety analysis and verification methods, the aero-engine airworthiness safety verification method provided by the invention carries out safety verification automatically with the PRISM tool, which overcomes the complicated calculation process and inaccurate results of manual methods. At the same time, because of the complexity of the aero-engine itself, component failures often occur with strong coupling, yet existing analysis methods do not consider this dynamic characteristic and assume that failures occur independently; the present invention takes into account the sequential relations between occurrences of aero-engine system failures and thus solves the problem that traditional analysis often assumes failures to occur independently.
Detailed description of the drawings
Fig. 1 is the schematic of the aero-engine airworthiness safety verification framework of a preferred embodiment of the aero-engine airworthiness safety verification method of the invention;
Fig. 2 shows the fault tree logic gates of the preferred embodiment;
Fig. 3 is the DTMC model of the AND gate of the preferred embodiment;
Fig. 4 is the PRISM code of the AND gate of the preferred embodiment;
Fig. 5 is the DTMC model of the OR gate of the preferred embodiment;
Fig. 6 is the PRISM code of the OR gate of the preferred embodiment;
Fig. 7 is the DTMC model of the PAND gate of the preferred embodiment;
Fig. 8 is the PRISM code of the PAND gate of the preferred embodiment;
Fig. 9 is the DTMC model of the FDEP gate of the preferred embodiment;
Fig. 10 is the PRISM code of the FDEP gate of the preferred embodiment;
Fig. 11 is the DTMC model of the 2-Gate example of the preferred embodiment;
Fig. 12 is the PRISM code of the 2-Gate example of the preferred embodiment;
Fig. 13 is the fault tree of the engine uncontrolled fire failure of the preferred embodiment;
Fig. 14 shows the property verification results of the preferred embodiment.
Specific embodiment
To make the technical solution of the present invention clearer to those skilled in the art, the present invention is described in further detail below with reference to an embodiment and the drawings; embodiments of the present invention are not limited thereto.
As shown in Fig. 1, the aero-engine airworthiness safety verification method provided in this embodiment describes the dynamic behaviour of the aero-engine system with the dynamic logic gates introduced in a dynamic fault tree to express temporal logic relations, models the sequential relations between failures of aero-engine components, gives the generated dynamic fault tree a formal specification and converts it into a DTMC model, then describes and expresses the DTMC model by the method of probabilistic model checking and formally verifies the airworthiness safety requirement properties. It specifically comprises the following steps:
Step 1: model the aero-engine failures and give them a formal specification
The dynamic behaviour of the aero-engine is modelled so as to describe the sequential relations between occurrences of aero-engine failures; the dynamic fault tree is then converted into a DTMC model, which describes the semantics of the dynamic fault tree precisely and serves as the basis for safety verification;
Step 1.1: model the dynamic behaviour of the aero-engine with a dynamic fault tree, so as to describe the sequential relations between aero-engine failures;
The sequential relations between aero-engine failures are described in detail with the dynamic logic gates of the dynamic fault tree, and the sequential relations between failures are modelled;
the dynamic logic gates include PAND, SPARE and FDEP;
when component failures occurring in a certain order cause other failures to occur, the situation can be modelled with PAND; when there is a dependency between component failures, the situation can be modelled with FDEP; and when one component is shared by several components, SPARE can be used to describe the relation;
Further, PAND is used to describe the situation where failures must occur in a certain order before another failure can be caused;
SPARE is used to describe the situation where several components fail and there is a priority relation between the components: when a secondary component fails while the primary component has not failed, no further failure is caused;
FDEP is used to describe a dependency between failures: when one component fails, the components that depend on it fail with it.
Step 1.2: give the dynamic fault tree a formal specification and convert it into a DTMC model. Fault tree events, as the inputs of the logic gates, are converted into variables of the DTMC model's states, and the failure probabilities of fault tree events are described by the transition probabilities of the DTMC model; the DFT formal specification process is thus mainly the process of converting logic gates into DTMC models;
The DFT formal specification process is mainly the process of converting logic gates into DTMC models: the AND gate, OR gate, PAND gate and FDEP gate are each converted into a DTMC model, that is, each logic gate is converted into a finite-state transition system
where: $S$ is a finite set of states;
the initial state is an element of the state set $S$;
$P: S \times S \to [0,1]$ is the probability transition matrix, and for every state $s \in S$ we have $\sum_{s' \in S} P(s, s') = 1$;
$L: S \to 2^{AP}$ is a labelling function that maps each state in $S$ to a set of atomic propositions drawn from $AP$;
Step 2: carry out probabilistic model checking
The generated DTMC model is described and expressed in the probabilistic model checking language PRISM and converted into PRISM code; at the same time, properties are extracted from the airworthiness safety requirements to generate PCTL formulas, and the generated PRISM code and PCTL formulas are put into the PRISM tool for automated property verification. Step 2 specifically comprises the following steps:
Step 2.1: describe the DTMC model generated in step 1.2 with the probabilistic model checking language PRISM and convert it into PRISM code; the code blocks corresponding to the DTMC modules of the logic gates of the whole fault tree are combined in a modular way to generate the PRISM code corresponding to the whole fault tree. This is implemented as follows:
The DTMC model is described in the PRISM language; each DTMC model is converted into a code block inside PRISM, that is, one module;
each module describes a finite-state system, and the format of each module is as follows:
module XXX
... (the DTMC model expressed in PRISM commands)
endmodule
where the format of a PRISM command is as follows:
a command is the tuple cmd = (act, guard, rate, action),
written in the form: [<act>] <guard> → <rate> : <action>,
where act is an action label;
guard is the predicate of the action;
rate is a number giving the probability with which the action occurs;
action is the transition in the model, expressing the update of a group of n variables;
Step 2.2: extract properties from the safety requirements to be verified, generate PCTL formulas, and put the PRISM code generated in step 2.1 together with the PCTL formulas into the PRISM tool to carry out property verification. This is implemented as follows:
The PRISM code generated in step 2.1, that is, the module code block corresponding to each DTMC, is put into the Model module of the PRISM tool; the safety requirements are analysed, properties are extracted from them according to the calculation logic of the probability tree and converted into PCTL formulas, which are put into the Properties module of the PRISM tool, and the safety properties are then verified automatically inside the PRISM tool.
In this embodiment, taking the aero-engine airworthiness standard as the basis and combining it with the engineering background of the airworthiness compliance of a certain type of aero-engine, the airworthiness compliance verification framework for clause CCAR33-R2.75 of the aero-engine is established. The method combining fault trees with probabilistic model checking is used to verify the compliance of the uncontrolled fire failure of a certain type of turbine engine with clause CCAR33-R2.75. Practice has shown the feasibility and correctness of the method, which can support the airworthiness compliance work for clause CCAR33-R2.75 of aero-engines. The specific steps are as follows; the detailed process is shown in Fig. 1.
Step 1: model the aero-engine failures and give them a formal specification. The dynamic behaviour of the aero-engine is modelled to describe the sequential relations between occurrences of aero-engine failures; the constructed dynamic fault tree is then given a formal specification and converted into a DTMC model, which describes the semantics of the dynamic fault tree precisely and serves as the basis for safety verification.
Step 1.1: take the uncontrolled fire failure of a certain type of turbine aero-engine as an example; its dynamic fault tree is shown in Fig. 7. This example explains in detail how a dynamic fault tree is used to model the uncontrolled fire failure. Combining domain knowledge with the engineering background, the uncontrolled fire failure of this type of turbine aero-engine is deduced top-down, subdividing the failure layer by layer. The top event is the "engine uncontrolled fire" event: when engine ignition and failure of the fire-extinguishing function occur together, the engine fire becomes uncontrollable. Engine ignition and fire-extinguishing function failure are therefore connected to the uncontrolled fire failure through a priority AND gate. Engine ignition comprises two classes, ignition caused by fuel leakage and ignition caused by flame escape, so these two are connected to engine ignition through an OR gate. Ignition caused by fuel leakage arises mainly when fuel leakage and an excessively high fuel line temperature occur at the same time, so fuel leakage and fuel line over-temperature are connected to ignition caused by fuel leakage through an AND gate. Fuel leakage is mainly due to fuel pipe rupture or fuel inlet fitting failure, and fuel pipe rupture and fuel inlet fitting failure are connected to fuel leakage through an AND gate. Excessively high fuel line temperature is due to failure of the cooling function of the lubricating oil system or to an electronic component short circuit, so these two are connected to fuel line over-temperature through an OR gate. Failure of the cooling function of the lubricating oil system is mainly due to failure of the booster pump or the scavenge pump, or else to failure of the check valve, so booster pump failure, scavenge pump failure and check valve failure are connected to the oil cooling function failure. Ignition caused by flame escape is mainly due to rupture of the fuel chamber or rupture of the turbine lock, so fuel chamber rupture and turbine lock rupture are connected to ignition caused by flame escape through an OR gate. Failure of the engine fire-extinguishing function is mainly due to fire detector failure and extinguisher bottle failure, so fire detector failure and extinguisher bottle failure are connected to fire-extinguishing function failure; fire detector failure can be further subdivided into hot-zone detector failure and cold-zone detector failure, so hot-zone detector failure and cold-zone detector failure are connected to fire detector failure through an OR gate. Subdividing the uncontrolled fire failure from top to bottom by deduction in this way yields the dynamic fault tree of the uncontrolled fire failure of this type of turbine engine, shown in Fig. 13.
Step 1.2: give the dynamic fault tree a formal specification and convert it into a DTMC model. During the formal specification of the DFT, fault tree events, as the inputs of logic gates, are converted into variables of the DTMC model's states, and the failure probabilities of fault tree events are described by the transition probabilities of the DTMC model. The DFT formal specification process is therefore mainly the process of converting logic gates into DTMC models; the conversion of each logic gate to a DTMC model is discussed in detail below with reference to the drawings.
Fig. 3 is the DTMC model of the AND gate shown in Fig. 2(a). The DTMC model of the AND gate can be formally defined as a finite-state transition system in which $S$ is the state set $S = (S_0, S_1, S_2, S_3, S_4, S_5)$, the initial state is $S_0$, and $P$ is the probability transition matrix, where $p_1$ and $p_2$ denote the probabilities of occurrence of the inputs A and B respectively. The probability transition matrix $P$ is as follows:
Here $L: S \to 2^{AP}$ is the labelling function, which establishes the mapping between states and the properties of interest; in this case $L(S_5) = \text{propagate}$. The DTMC model of the AND gate is denoted AND-DTMC, as shown in Fig. 3.
Fig. 5 and Fig. 6 show the DTMC model of the OR gate in Fig. 2(b). The DTMC model of the OR gate is similar to that of the AND gate and can be formally defined as a finite-state transition system in which $S$ is the state set $S = (S_0, S_1, S_2, S_3, S_4)$, the initial state is $S_0$, and $P$ is the probability transition matrix, where $p_4$ and $p_5$ denote the probabilities of occurrence of the inputs X and Y respectively. The probability transition matrix $P$ is as follows:
Here $L: S \to 2^{AP}$ is the labelling function, which establishes the mapping between states and the properties of interest; in this case $L(S_5) = \text{propagate}$. The DTMC model of the OR gate is denoted OR-DTMC, as shown in Fig. 5 and Fig. 6.
Fig. 7 and Fig. 8 show the DTMC model of the PAND gate in Fig. 2(c). The DTMC model of the PAND gate is likewise a finite-state transition system in which $S$ is the state set $S = (S_0, S_1, S_2, S_3, S_4)$, the initial state is $S_0$, and $P$ is the probability transition matrix, where $p_6$ and $p_7$ denote the probabilities of occurrence of the inputs O and P respectively. The probability transition matrix $P$ is as follows:
Here $L: S \to 2^{AP}$ is the labelling function, which establishes the mapping between states and the properties of interest; in this case $L(S_5) = \text{propagate}$. The DTMC model of the PAND gate is denoted PAND-DTMC, as shown in Fig. 7 and Fig. 8.
Fig. 9 and Fig. 10 show the DTMC model of the FDEP gate in Fig. 2(d). The DTMC model of the FDEP gate is likewise a finite-state transition system in which $S$ is the state set $S = (S_0, S_1, S_2, S_3, S_4)$, the initial state is $S_0$, and $P$ is the probability transition matrix, where $p_8$, $p_9$ and $p_{10}$ denote the probabilities of occurrence of the trigger input Q and the dependent inputs M and N respectively. The probability transition matrix $P$ is as follows:
Here $L: S \to 2^{AP}$ is the labelling function, which establishes the mapping between states and the properties of interest; in this case $L(S_5) = \text{happened}$. The DTMC model of the FDEP gate is denoted FDEP-DTMC, as shown in Fig. 9 and Fig. 10.
Fig. 7 is the DTMC model of 2-Gate example shown in attached drawing 2 (e), and 2-Gate example shown in attached drawing 2 (e) is by multiple Logic gate composition, the present invention is referred to as combinational logics, how to allow to carry out Formal specification language to combinational logics be in the present invention Pith.By carrying out Formal specification language to single logic gate, then by modular method, to single logic gate DTMC model be combined, pass through one logic gate of addition and specify logic gate order of occurrence in fault tree, generate combinational logic The DTMC model of door, the example are preferentially constituted with door and one with door by one, and there are three incoming event O, and P and E and one defeated Outgoing event F.As shown in Fig. 2 (e), D is an intermediate event, and F is top event.Fault tree inputs O and P since PAND, Become intermediate event D when exporting S and entering AND gate, and after output S is propagated, input E just has an opportunity to be triggered.
Step 2: Using the probabilistic model checking method, the generated DTMC models are described and expressed in the probabilistic model checking language PRISM and converted into PRISM code. At the same time, attributes are extracted from the airworthiness safety requirements to generate PCTL formulas. The generated code and the PCTL formulas are put into the PRISM tool, which performs the attribute verification automatically.
Step 2.1: This step converts the DTMC model generated for each logic gate into PRISM code; the steps are described in detail below.
Referring to the state transition process of the AND-gate DTMC model shown in Figure 3, AND-DTMC is converted into PRISM code. The finite-state system of the AND gate starts from the initial state S0 (A=0, B=0); the next state may be S1 (A=1, B=0) or S2 (A=0, B=1), with transition probabilities p1 and p2 respectively. It may also make no state transition and remain in state S0 (A=0, B=0), with probability 1-p1-p2. After the system reaches state S1 or S2, it may move with probability p2 or p1 respectively to S3 (A=1, B=1, C=0) and then to state S5 (A=0, B=0, C=1), which indicates fault propagation; or, because of fault masking, it may move with probability p3 to state S4 (A=0, B=0, M=1), which indicates that the fault is masked. The system may also remain in state S1 or S2 without transitioning. The PRISM code obtained from the AND-gate DTMC model is shown in Figure 4. Here variable M denotes fault masking; the variable and indicates that the module is idle when and=0, is waiting for one input when and=1, and is waiting for the second input when and=2.
Referring to the transition process of the OR DTMC model shown in Figures 5 and 6, OR-DTMC is converted into PRISM code. The OR finite-state system starts from the initial state S0 (X=0, Y=0) and may move with probabilities p4 and p5 respectively to states S1 (X=1, Y=0) and S2 (X=0, Y=1), or remain in the initial state. To keep the state space as small as possible, the states in which one input fails and causes fault propagation, (X=1, Y=0, Z=1) and (X=0, Y=1, Z=1), and the state in which both inputs fail and cause fault propagation, (X=1, Y=1, Z=1), are all treated as a single state S3 (X=0, Y=0, Z=1). After the system has moved to state S1 or S2, it may move from state S1 or state S2 with probability p3 to state S4 (X=0, Y=0, M=1), which indicates fault masking, or move from state S1 or S2 to state S3 (X=0, Y=0, Z=1) with probability 1-p3, which indicates fault propagation. The PRISM code obtained from the OR DTMC model is shown in Figures 5 and 6. Here variable M denotes fault masking; the variable or indicates that the module is idle when or=0, is waiting for one input when or=1, and is waiting for the second input when or=2.
According to the transition process of the PAND DTMC model shown in Figures 7 and 8, PAND-DTMC is converted into PRISM code. The PAND finite-state system starts from the initial state S0 (O=0, P=0) and may move with probabilities p6 and p7 respectively to state S1 (O=1, P=0) and state S2 (O=0, P=1), or remain in state S0 without transitioning. When the transition reaches state S2, because of the temporal characteristic of the priority-AND gate, the only possible move from state S2 is to state S4 (O=0, P=0, M=1), which indicates that the fault does not propagate. Here, to simplify the composition of the system and reduce the number of state transitions, all the non-propagating fault states reached because of the PAND ordering relation and the fault-masking state are treated as one state. After the system has moved to state S1, it may move with probabilities p3 and p7 respectively to state S4 (O=0, P=0, M=1) and state S3 (O=1, P=1, S=0), where state S4 indicates fault masking. State S3 may move to state S5 (O=0, P=0, S=1), which indicates fault propagation. The PRISM code obtained from the PAND DTMC model is shown in Figures 7 and 8, where variable M denotes fault masking; the variable pand indicates that the module is idle when pand=0, is waiting for one input when pand=1, and is waiting for the second input when pand=2.
Referring to the transition process of the FDEP DTMC model shown in Figures 9 and 10, FDEP-DTMC is converted into PRISM code. The FDEP finite-state system starts from the initial state S0 (O=0, P=0) and may move with probabilities p8, p9 and p10 respectively to the next states S1 (R=1, T=0, M=0), S2 (N=1, T=0, M=0) and S3 (Q=1, T=1, M=0). It may also remain in state S0 without making a state transition. After the system has moved to state S1 or S2, it may move with probability p10 or p9 respectively to state S3 (R=1, N=1, Q=1, T=1, M=0). It may also make no state transition, or move with probability p3 to state S4 (R=0, N=0, Q=0, T=0, M=1). The PRISM code obtained from the FDEP DTMC model of Figures 9 and 10 is shown in Figures 9 and 10, where variable M denotes fault masking; the variable fdep indicates that the module is idle when fdep=0, is waiting for one input when fdep=1, and is waiting for the second input when fdep=2.
According to the transition process of the 2-Gate example DTMC model shown in Figure 7, the 2-Gate DTMC model is converted into PRISM code. Starting from state S0, the system is initialised and moves to state S1; it may then move with probabilities p1 and p2 respectively to state S2 and state S3, or remain in state S1 without transitioning. When the system moves to state S3, because event P occurs before event O, it follows from the characteristic of the priority-AND gate that state S3 can only move to state S9, whereas state S2 can move to state S4 and state S9 with transition probabilities p2 and p3 respectively. State S4 then moves to state S5, which indicates that the fault of the priority-AND gate propagates; the PAND output event S then serves as an input event of the AND gate, and the system moves from state S5 to S6. After state S6 the AND gate is entered: event E has probability p4 of being triggered, and the system moves from state S6 to state S7 and then to state S8, which indicates fault propagation, i.e. the top event F occurs. Otherwise the system moves directly from state S6 to state S9, which indicates that the fault is masked. In the DTMC model, the transition from state S5 to state S6 requires the PAND fault to propagate to the AND gate, and this propagation process is controlled in the Controller module; the probability p5 in the AND-gate module is 0, i.e. the input event D of the AND gate must be propagated from the PAND output S. The PRISM code of the 2-Gate example model is shown in Figure 7.
Step 2.2: The safety requirement to be verified is extracted and attribute extraction is performed on it to generate a PCTL formula; the PRISM code generated in step 2.1 and the PCTL formula are put into the PRISM tool together, and attribute verification is carried out.
The engine airworthiness safety requirement of regulation CCAR33-R2.7 is converted into the following PCTL attribute formula:
P<0.0000001 [ F<=1000 (x1=1) ]
Then, using the method proposed in steps 1.2 and 2.1, the DTMC model of the dynamic fault tree shown in Figure 13 is generated and converted into PRISM code; the PRISM code and the PCTL formula are then put into the Module section and the Property section of the PRISM tool respectively, and the final verification result is obtained as shown in Figure 14.
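As an added worked example (not code from the patent or its figures), the AND-gate DTMC of step 2.1 and the bounded-reachability check of step 2.2 written out in Python: it builds the transition matrix from p1, p2, p3, checks that it is a valid DTMC, renders the equivalent PRISM module in the [<act>] <guard> -> <rate>:<action> command format, and evaluates a property of the form P<bound [ F<=k propagate ] by value iteration. The state encoding follows Figure 3 as described above; the sample probabilities and the assumption that the "stay" probability in S1/S2 is whatever remains after the named transitions are ours.

```python
"""AND-gate DTMC: transition matrix, PRISM module and bounded reachability.

Constructed example. Gate parameters p1, p2, p3 come from the description;
the numeric values used below are made-up sample values, not engine data.
"""

# State encoding of Figure 3:
#   S0 (A=0,B=0)   S1 (A=1,B=0)   S2 (A=0,B=1)
#   S3 (A=1,B=1,C=0)   S4 masked (M=1)   S5 propagate (C=1)
STATES = ["S0", "S1", "S2", "S3", "S4", "S5"]
S0, S1, S2, S3, S4, S5 = range(6)
LABELS = {S4: "masked", S5: "propagate"}   # L(S5) = propagate


def and_dtmc(p1, p2, p3):
    """Transition matrix P of AND-DTMC as a list of rows.

    Assumption (our reading of the description): the probability of staying
    in S1 or S2 is the remainder after the named transitions, so every row
    sums to 1.
    """
    P = [[0.0] * 6 for _ in range(6)]
    P[S0][S1], P[S0][S2], P[S0][S0] = p1, p2, 1 - p1 - p2   # one input fails
    P[S1][S3], P[S1][S4], P[S1][S1] = p2, p3, 1 - p2 - p3   # 2nd fails / masked
    P[S2][S3], P[S2][S4], P[S2][S2] = p1, p3, 1 - p1 - p3
    P[S3][S5] = 1.0      # both inputs failed: the fault propagates
    P[S4][S4] = 1.0      # masked and propagated are absorbing states
    P[S5][S5] = 1.0
    return P


def is_stochastic(P, tol=1e-9):
    """A DTMC transition matrix needs entries in [0,1] and rows summing to 1."""
    return all(abs(sum(row) - 1.0) < tol for row in P) and \
        all(0.0 <= x <= 1.0 for row in P for x in row)


def to_prism(p1, p2, p3, name="AND_gate"):
    """Render the DTMC as a PRISM module: one command per state, each being
    a guard on s followed by a probabilistic choice of updates."""
    P = and_dtmc(p1, p2, p3)
    lines = ["dtmc", "", f"module {name}", "  s : [0..5] init 0;"]
    for i, row in enumerate(P):
        updates = [f"{p:.6g}:(s'={j})" for j, p in enumerate(row) if p > 0]
        lines.append(f"  [] s={i} -> " + " + ".join(updates) + ";")
    lines.append("endmodule")
    for state, label in LABELS.items():
        lines.append(f'label "{label}" = s={state};')
    return "\n".join(lines)


def bounded_reach(P, init, target, k):
    """Probability of reaching `target` within k steps from `init`, i.e. the
    value of the PCTL query P=? [ F<=k target ]. The target is made absorbing
    and x_{n+1} = P x_n is iterated k times from the indicator of target."""
    n = len(P)
    Q = [row[:] for row in P]
    Q[target] = [1.0 if j == target else 0.0 for j in range(n)]
    x = [1.0 if i == target else 0.0 for i in range(n)]
    for _ in range(k):
        x = [sum(Q[i][j] * x[j] for j in range(n)) for i in range(n)]
    return x[init]


def satisfies_bound(P, init, target, k, bound):
    """Check a property of the shape P<bound [ F<=k target ] (as in step 2.2)."""
    return bounded_reach(P, init, target, k) < bound


if __name__ == "__main__":
    P = and_dtmc(0.1, 0.1, 0.05)     # sample values only
    assert is_stochastic(P)
    print(to_prism(0.1, 0.1, 0.05))
    for k in (2, 3, 4, 1000):
        print(k, bounded_reach(P, S0, S5, k))
```

With the sample values the fault cannot propagate in fewer than three steps, and the long-run propagation probability converges to p2/(p2+p3) = 2/3, which is what the 1000-step bound shows.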
In summary, compared with traditional safety analysis and verification methods, the aero-engine airworthiness safety verification method provided by this embodiment performs safety verification automatically in the PRISM tool, which removes the complicated calculation process and inaccurate results that come with manual methods. At the same time, because of the complexity of the aero-engine itself, there is often strong coupling between the occurrences of its failures, whereas existing analysis methods do not consider this dynamic characteristic and assume that failures occur independently. The present invention takes into account the temporal relations between occurrences of aero-engine system failures, which solves the problem that traditional analysis methods always assume independence between failure occurrences.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any equivalent substitution or change made within the scope of the present disclosure by a person familiar with the art according to the technical solution of the present invention and its inventive concept falls within the scope of protection of the present invention.

Claims (9)

1. An aero-engine airworthiness safety verification method, characterized in that dynamic logic gates describing temporal and logical relations are introduced into a dynamic fault tree to describe the dynamic behaviour of the aero-engine system; the temporal relations between failures of key aero-engine components are modelled; the generated dynamic fault tree is formalized and converted into a DTMC model; the DTMC model is then described and expressed by the method of probabilistic model checking; and formal verification of the airworthiness safety requirement attributes is carried out.
2. The aero-engine airworthiness safety verification method according to claim 1, characterized in that it specifically comprises the following steps:
Step 1: Modelling and formalization of aero-engine failures
The dynamic behaviour of the aero-engine is modelled, the temporal relations between occurrences of aero-engine failures are described, and the dynamic fault tree is converted into a DTMC model, which accurately describes the semantics of the dynamic fault tree and serves as the basis for safety verification;
Step 2: Probabilistic model checking
The generated DTMC model is described and expressed in the probabilistic model checking language PRISM and converted into PRISM code; at the same time, attributes are extracted from the airworthiness safety requirements to generate PCTL formulas; the generated PRISM code and PCTL formulas are put into the PRISM tool, which performs the attribute verification automatically.
3. The aero-engine airworthiness safety verification method according to claim 2, characterized in that step 1 specifically comprises the following steps:
Step 1.1: The dynamic behaviour of the aero-engine is modelled with a dynamic fault tree to describe the temporal relations between aero-engine failures;
Step 1.2: The dynamic fault tree is formalized and converted into a DTMC model: fault tree events, as inputs of the logic gates, are converted into variables of the DTMC model states, and the failure probabilities of fault tree events are described by the transition probabilities of the DTMC model; the DFT formalization process is mainly the process of converting logic gates into DTMC models.
4. The aero-engine airworthiness safety verification method according to claim 3, characterized in that step 1.1 is realised by the following method:
The temporal relations between aero-engine failures are described in detail by the dynamic logic gates of the dynamic fault tree, and the temporal relations between failures are modelled;
the dynamic logic gates include PAND, SPARE and FDEP;
when component failures occurring in a certain order cause other failures to occur, the situation is modelled with PAND; when there is a dependence between component failures, the situation is modelled with FDEP; and when one component is shared by several components, SPARE is used to describe this relation.
5. The aero-engine airworthiness safety verification method according to claim 4, characterized in that PAND is used to describe the situation in which other failures are caused only when a certain ordering relation exists between failure occurrences;
SPARE is used to describe the situation in which several components fail and there is a priority relation between the components: a failure of a secondary component, while the main component has not failed, cannot cause other failures to occur;
FDEP is used to describe the dependence between failures: when one component fails, the components that have a dependence on it fail with it.
6. The aero-engine airworthiness safety verification method according to claim 3, characterized in that in step 1.2 the DFT formalization process is mainly the process of converting logic gates into DTMC models, in which the AND gate, OR gate, PAND and FDEP are each converted into a DTMC model, i.e. each logic gate is converted into a finite-state transition system consisting of a state set S, an initial state, a probability transition matrix P and a labelling function L,
where: S denotes a finite set of states;
the initial state is an element of the state set S;
P: S × S → [0,1] is the probability transition matrix, and for every state s ∈ S, Σ_{s′∈S} P(s, s′) = 1;
L: S → 2^AP is a labelling function that maps each state in the state set S to a set of atomic propositions drawn from the set AP.
7. The aero-engine airworthiness safety verification method according to claim 3, characterized in that step 2 specifically comprises the following steps:
Step 2.1: The DTMC model generated in step 1.2 is described in the probabilistic model checking language PRISM and converted into PRISM code; the code blocks corresponding to the DTMC modules of the logic gates of the whole fault tree are combined by a modular method to generate the PRISM code corresponding to the whole fault tree;
Step 2.2: The safety requirement to be verified is extracted and attribute extraction is performed on it to generate a PCTL formula; the PRISM code generated in step 2.1 and the PCTL formula are put into the PRISM tool together, and attribute verification is carried out.
8. The aero-engine airworthiness safety verification method according to claim 7, characterized in that step 2.1 is implemented as follows:
The DTMC model is described in the PRISM language; each DTMC model is converted into a code block inside PRISM, i.e. a module;
each module describes a finite-state system, and the format of each module is as follows:
module XXX
... (PRISM commands expressing the DTMC model)
endmodule
where a PRISM command has the following format:
it consists of the tuple cmd = (act, guard, rate, action),
and is written as: [<act>] <guard> → <rate>:<action>,
where act is an action label;
guard is the predicate of an action;
rate is a number that denotes the probability with which an action occurs;
action is the transition action in the model, denoting the update of a group of n variables.
9. The aero-engine airworthiness safety verification method according to claim 8, characterized in that step 2.2 is implemented as follows:
The PRISM code generated in step 2.1, i.e. the module code block corresponding to each DTMC, is put into the Module section of the PRISM tool; the safety requirement is analysed and, according to the probability tree calculation logic, attribute extraction is performed on the safety requirement and it is converted into a PCTL formula, which is put into the Property section of the PRISM tool; the safety attribute verification is then performed automatically inside the PRISM tool.
CN201810557848.2A 2018-06-01 2018-06-01 A kind of aero-engine seaworthiness security verification method Pending CN108829955A (en)

Publications (1)

Publication Number Publication Date
CN108829955A true CN108829955A (en) 2018-11-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181116