计算机科学

计算机科学 ›› 2025, Vol. 52 ›› Issue (12): 48-59.doi: 10.11896/jsjkx.250600027

• 计算机软件&体系架构 • 上一篇    下一篇

飞行模式转换的RSML-e到Lustre模型转换与验证方法

王智艺, 胡军, 徐恒   

  1. 南京航空航天大学计算机科学与技术学院 南京 211106
  • 收稿日期:2025-06-04 修回日期:2025-09-10 出版日期:2025-12-15 发布日期:2025-12-09
  • 通讯作者: 胡军(hujun.nju@139.com)
  • 作者简介:(371608761@qq.com)
  • 基金资助:
    :国家自然科学基金联合基金项目(U22412044)

Transition and Verification Method from RSML-e to Lustre Model for Flight Mode Transition

WANG Zhiyi, HU Jun, XU Heng   

  1. School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China
  • Received:2025-06-04 Revised:2025-09-10 Published:2025-12-15 Online:2025-12-09
  • About author:WANG Zhiyi,born in 2000,postgra-duate.His main research interests include software analysis,model checking and formal verification.
    HU Jun,born in 1973,Ph.D,associate professor,is a senior member of CCF.His main research interests include intelligent computing and analysis for advanced systems,model-based systems engineering,and system safety modeling and analysis.
  • Supported by:
    This work was supported by the Joint Founds of the National Natural Science Foundation of China(U22412044).

PDF (PC)

31

摘要: 自动飞行系统是现代大型飞机飞行控制的核心系统,飞行导引系统作为自动飞行系统的核心子系统,管理和控制自动飞行系统的模式转换。自动飞行系统的不同飞行阶段本质上是飞行模式的转换,决定了飞机的飞行安全。然而,飞行模式转换具有耦合兼容的多维度复杂静态结构,以及交互合作和过渡切换的多层次模式动态组合的本质特征,因此保证飞行模式转换的正确性至关重要。基于模型驱动的软件建模方法将飞行模式转换需求建模为半形式化模型或形式化模型,从而分析和验证模型满足的性质。现有方法面临两方面挑战:1)自然语言需求到半形式化需求模型的建模,大多为手工建模,且不同建模语言建立的需求模型之间存在差异;2)半形式化需求模型无法直接进行模型检验,需将其转换为模型检验工具的输入模型,且不同的验证工具的验证效率也存在差异。为此,基于自动飞行模式转换的RSML-e需求模型,提出一种将RSML-e模型转换为Lustre同步数据流语言的系统性方法。首先,从数据类型、变量、逻辑短语、AND-OR表、宏等多个维度构建映射规则,将RSML-e模型中元素逐一转换为Lustre同步数据流语言所支持的形式,并在描述安全性质时对变量的数量进行缩减;其次,模型转换后,将转换所得的 Lustre 模型及安全性质输入Jkind模型检验工具进行验证,基于Jkind模型检验工具内置的多种优化技术,较好地缓解了模型验证过程中状态空间爆炸的问题,实现了对大规模模型的高效验证;最终,通过该流程成功验证了自动飞行系统模式转换需求相关的安全性质,确保系统在各类工况下运行的可靠性。

关键词: 形式化验证, RSML-e, Lustre, 模型转换, 安全性, 自动飞行系统

Abstract: The automatic flight system is the core system of flight control for modern large aircraft.The flight guidance system,as the core subsystem of the automatic flight system,manages and controls the mode transition of the automatic flight system.The different flight stages of an automatic flight system are essentially flight mode transition,which determine the flight safety of the aircraft.However,flight mode transition has the essential characteristics of a multi-dimensional complex static structure that is coupled and compatible,as well as a multi-level dynamic combination of interactive cooperation and transitional switching.Therefore,ensuring the correctness of flight mode transition is of crucial importance.The model-driven software modeling method models the flight mode transition requirements as semi-formal or formal models,thereby analyzing and verifying the properties satisfied by the model.The existing methods face two challenges:1)The modeling from natural language requirements to semi-formal requirement models is mostly done manually,and there are differences among the requirement models established by different modeling languages;2)The semi-formal requirements model cannot be directly used for model checking.It needs to be transitioned into the input model of the model checking tool,and the verification efficiency of different verification tools also varies.Based on the RSML-e requirement model of automatic flight mode transition,this paper proposes a systematic method for transitioning the RSML-e model into the Lustre synchronous data flow language.Firstly,mapping rules are constructed from multiple dimensions such as data types,variables,logical phrases,AND-OR tables,and macros.It transitions the elements in the RSML-e model one by one into the forms supported by the Lustre synchronous data stream language,and reduces the number of variables when describing the safety properties.Secondly,after the model transition,the Lustre model and safety properties obtained from the transition are input into the Jkind model checking tool for verification.Based on the various optimization techniques built into the Jkind model checking tool,the problem of state space explosion during the model verification process is better alleviated,and efficient verification of large-scale models is achieved.Ultimately,the safety properties related to the mode transition requirements of the automatic flight system are successfully verified through this process,ensuring the operational reliability of the system under various working conditions.

Key words: Formal verification, RSML-e, Lustre, Model transition, Safety, Automatic flight system

中图分类号: 

  • TP311
[1]BOWEN J,STAVRIDOU V.Safety-critical systems,formalmethods and standards[J].IEE Software Engineering Journal,1993,8(4):189-209.
[2]PREDUT S N,IPATE F,GHEORGHE M,et al.Formal modelling of cruise control system using Event-B and Rodin platform[C]//2018 IEEE 20th International Conference on High Performance Computing and Communications;IEEE 16th International Conference on Smart City;IEEE 4th International Confe-rence on Data Science and Systems(HPCC/SmartCity/DSS).IEEE,2018:1541-1546.
[3]BONFANTI S,GARGANTINI A,MASHKOOR A.Design and validation of a C++ code generator from abstract state machines specifications[J].Journal of Software:Evolution and Process,2020,32(2):e2205.
[4]SYRIANI E,SOUSA V,LÚCIO L.Structure and behavior preserving statecharts refinements[J].Science of Computer Programming,2019,170:45-79.
[5]HOARE CAR.Communicating sequential processes[M]//Theories of Programming:The Life and Works of Tony Hoare.2021:157-186.
[6]GORRIERI R,VERSARI C.CCS:a calculus of communicating systems[M]//Introduction to Concurrency Theory:Transition Systems and CCS.2015:81-161.
[7]STEWART D,LIU J J,COFER D,et al.AADL-Based safetyanalysis using formal methods applied to aircraft digital systems[J].Reliability Engineering & System Safety,2021,213:107649.
[8]HEIMDAHL M P E,LEVESON N G,REESE J D.Experiences from specifying the TCAS II requirements using RSML[C]//17th DASC.AIAA/IEEE/SAE.Digital Avionics Systems Conference.Proceedings(Cat.No.98CH36267).IEEE,1998:C43/1-C43/8.
[9]MILLER S,TRIBBLE A,CARLSON T,et al.Flight guidance system requirements specification:NAS/CR-2003-212426[R].Washington DC:National Aeronautics and Space Adminis-tration,Langley Research Center,2003.
[10]BU L,WANG Q,REN X,et al.Scenario-based online reachability validation for CPS fault prediction[J].IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems,2019,39(10):2081-2094.
[11]LI Z,LIU B,LU M,et al.Modeling and verification of de-icing software safety requirement based on expanded Petri net[J].Journal of Beijing University of Aeronautics and Astronautics,2012,38(1):64-69.
[12]CHEN Z,GU Y,HUANG Z,et al.Model checking aircraft controller software:A case study[J].Software:Practice and Experience,2015,45(7):989-1017.
[13]HU J,ZHANG W J,LI W Q.A requirement oriented formalmodeling and verification method for safety critical systems[J].Computer Engineering & Science,2019,41(8):1426-1433.
[14]CHEN S,HU J,TANG H Y,et al.Transformation method for AltaRica3.0 model to NuSMV model[J].Computer Science,2020,47(12):73-86.
[15]LIU C,JIANG Y P,MA C Y,et al.Formal verification of AADL models by NuSMV[J].Acta Aeronautica et Astronautica Sinica,2022,43(1):451-466.
[16]ZHANG Y,HU J,WANG L S,et al.Formal verification method for SCR requirement model[J].Journal of Chinese Computer Systems,2022,43(1):193-202.
[17]LI J A,HU J,WANG L S,et al.Formal Modeling and Verification of Automatic Flight Mode Transition Logic[J].Journal of Nanjing University of Aeronautics & Astronautics/Nanjing Hangkong Hangtian Daxue Xuebao,2023,55(5):768-779.
[18]RAN D,CHEN Z,SUN Y,et al.SCADE Model Checking Based on Program Transformation[J].Computer Science,2021,48(12):125-130.
[19]TRIBBLE A C,LEMPIA D L,MILLER S P.Software safetyanalysis of a flight guidance system[C]//Proceedings.The 21st Digital Avionics Systems Conference.IEEE,2002:13C1-13C1.
[20]LUTZ R R.Analyzing software requirements errors in safety-critical,embedded systems[C]//Proceedings of the IEEE International Symposium on Requirements Engineering.IEEE,1993:126-133.
[21]GACEK A,BACKES J,WHALEN M,et al.TheJKind model checker[C]//Computer Aided Verification:30th International Conference.Springer,2018:20-27.
[22]HALBWACHS N,CASPI P,RAYMOND P,et al.The synchronous data flow programming language LUSTRE[C]//Procee-dings of the IEEE.1991:1305-1320.
[23]ANDREWS S,SOTOUDEH M,BARRETT C.Efficient sat-based bounded model checking of evolving systems[C]//2025 Design,Automation & Test in Europe Conference(DATE).IEEE,2025:1-7.
[24]CHATTERJEE P,ROY S,DIEP B P,et al.Distributed bounded model checking[J].Formal Methods in System Design,2024,64(1):50-72.
[25]HSU T H,SÁNCHEZ C,BONAKDARPOUR B.Bounded mo-del checking for hyperproperties[C]//International Conference on Tools and Algorithms for the Construction and Analysis of Systems.Cham:Springer,2021:94-112.
[26]KAHSAI T,GAROCHE P L,TINELLI C,et al.Incremental verification with mode variable invariants in state machines[C]//NASA Formal Methods:4th International Symposium.Berlin:Springer,2012:388-402.
[27]EÉN N,MISHCHENKO A,BRAYTON R.Efficient implementation of property directed reachability[C]//2011 Formal Me-thods in Computer-Aided Design(FMCAD).IEEE,2011:125-134.
[28]CIMATTI A,GRIGGIO A,MOVER S,et al.IC3 modulo theories via implicit predicate abstraction[C]//Tools and Algorithms for the Construction and Analysis of Systems:20th International Conference.Berlin:Springer,2014:46-61.
[29]DUREJA R,ROZIER K Y.Incremental design-space modelchecking via reusable reachable state approximations[J].Formal Methods in System Design,2021,58(3):375-398.
[30]GaimminLtd.Garmin G1000 pilot’s guide for CessnaNav III[M].USA:GaiminLtd,2005:429-477.
[31]KOLANO E P.Pilot’s operating handbook and FAA approved airplane flight manual[M].USA:FAA,2011
[32]WANG J,ZHAN N J,FENG X Y,et al.Overview of Formal Methods[J].Journal of Software,2019,30(1):33-61.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发