System expected function safety analysis method, device and computer equipment
By constructing the topology of an autonomous driving system using a multi-scale network model and generating a test scenario path library using event-driven chains and node criticality, the problem of overall expected functional safety analysis of autonomous driving systems is solved, and safety assessment of coupled software and hardware systems is realized, supporting the commercialization of autonomous vehicles.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA ELECTRONICS RELIABILITY AND ENVIRONMENTAL TESTING INSTITUTE ((THE FIFTH INSTITUTE OF ELECTRONICS MINISTRY OF INDUSTRY AND INFORMATION TECHNOLOGY) (CHINA SAIBAO LABORATORY)
- Filing Date
- 2022-01-18
- Publication Date
- 2026-07-03
AI Technical Summary
Existing technologies cannot effectively analyze the overall expected functional safety of autonomous driving systems, especially in hardware and software coupled systems. They cannot build a comprehensive and scalable expected functional safety test scenario library, making it difficult to assess safety risks.
A multi-scale network model approach is adopted, treating system components as nodes to construct a multi-layered system topology model. The starting node is determined by the event-driven chain and node criticality, generating a test scenario path library for system expected functional safety analysis.
This paper provides an effective analysis path that can accurately assess the expected functional safety of autonomous driving systems, solves the expected functional safety problem of software and hardware coupled systems, and provides technical support for the commercialization of autonomous vehicles.
Smart Images

Figure CN114579429B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of system reliability analysis technology, and in particular to a method, apparatus, computer equipment, storage medium and computer program product for analyzing the expected functional safety of a system. Background Technology
[0002] With the development and application of the "new four modernizations" technologies characterized by electrification, connectivity, intelligence, and sharing, autonomous vehicles have become a strategic direction for the global automotive industry, and their safety has become a major focus of public attention. The performance limitations and functional deficiencies of autonomous driving systems, such as perception and execution systems, the anticipated functional safety issues of autonomous driving systems (i.e., defects in perception, decision-making, and control algorithms), and the safety risks caused by adverse weather conditions, traffic congestion, and reasonably foreseeable human absence have become one of the biggest challenges in the research and development and industrialization of autonomous vehicles.
[0003] In autonomous vehicles, the coupling and interaction of software and hardware are increasingly integrating networks, computing, control, and physical perception into a single system, achieving a fusion of computational and physical processes. However, safety incidents caused by such software systems often have a more direct impact on the physical environment, sometimes even leading to catastrophic consequences. Current technologies primarily analyze the expected functional safety related to vehicle misoperation. Because these methods can only build models based on real-world hazardous scenarios and terrains where autonomous vehicles are prone to misoperation, they cannot analyze the overall expected functional safety of the autonomous driving system. Summary of the Invention
[0004] Therefore, it is necessary to provide a method, apparatus, computer device, computer-readable storage medium, and computer program product that can accurately analyze the expected functional safety of a system in response to the above-mentioned technical problems.
[0005] Firstly, this application provides a method for analyzing the expected functional safety of a system. The method includes:
[0006] The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node.
[0007] Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0008] Based on the test scenario path library, the expected functional safety of the system is analyzed.
[0009] In one embodiment, for any layer in the multi-layer structure that is not the highest layer, a node in any layer belongs to a node in the adjacent layer above it; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages and functions, the second layer includes network modules and design patterns, and the third layer includes functions and subsystems; the information interaction relationships include calling, aggregation and inheritance.
[0010] In one embodiment, determining the starting node in the lowest layer of the multi-scale network model includes:
[0011] Determine the starting node in the lowest layer based on the event-driven chain and / or node criticality.
[0012] In one embodiment, the process of obtaining the event-driven chain includes:
[0013] Based on the probability distribution function of harmful behavioral events caused by the expected function of the system, the event credibility corresponding to each event-driven chain is determined, and the event-driven chain with an event credibility greater than a preset threshold is taken as the obtained event-driven chain.
[0014] In one embodiment, the calculation process for node criticality includes:
[0015] For any given node, calculate its degree and betweenness number. The degree refers to the number of nodes that are connected to any given node, and the betweenness number is the ratio of the number of shortest paths through any given node to the total number of shortest paths in the network.
[0016] Calculate the criticality of any node based on its degree and betweenness.
[0017] In one embodiment, before calculating the criticality of any node based on its degree and betweenness, the method further includes:
[0018] According to the preset rules, obtain the first normalized result corresponding to the node degree of any node, the first normalized weight corresponding to the first normalized result, and the second normalized result corresponding to the node betweenness of any node and the second normalized weight corresponding to the second normalized result.
[0019] Accordingly, based on the degree and betweenness of any given node, the criticality of any given node is calculated, including:
[0020] Calculate the node criticality of any node based on the first normalization result, the first normalization weight, the second normalization result, and the second normalization weight.
[0021] Secondly, this application also provides a system expected functional safety analysis apparatus. The apparatus includes:
[0022] The first determining module is used to take the constituent elements of the system as nodes, determine the system topology structure composed of each node according to the information interaction relationship between each node, and take the system topology structure as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves the expected function. The multi-scale network model is a multi-layer structure from high to low, and each layer includes at least one node.
[0023] The second determination module is used to determine the starting node in the lowest layer of the multi-scale network model. Based on the starting node, the test scenario path is determined in the multi-scale network model. All test scenario paths constitute the system's test scenario path library.
[0024] The analysis module is used to analyze the expected functional safety of the system based on the test scenario path library.
[0025] Thirdly, this application also provides a computer device. The computer device includes a memory and a processor, the memory storing a computer program, and the processor executing the computer program to perform the following steps:
[0026] The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node.
[0027] Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0028] Based on the test scenario path library, the expected functional safety of the system is analyzed.
[0029] Fourthly, this application also provides a computer-readable storage medium. The computer-readable storage medium stores a computer program thereon, which, when executed by a processor, performs the following steps:
[0030] The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node.
[0031] Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0032] Based on the test scenario path library, the expected functional safety of the system is analyzed.
[0033] Fifthly, this application also provides a computer program product. The computer program product includes a computer program that, when executed by a processor, performs the following steps:
[0034] The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node.
[0035] Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0036] Based on the test scenario path library, the expected functional safety of the system is analyzed.
[0037] The aforementioned system's expected functional safety analysis method, apparatus, computer equipment, storage medium, and computer program product include the following steps: treating the system's constituent elements as nodes; determining the system topology based on the information interaction relationships between each node; using the system topology as a multi-scale network model, where each constituent element is the smallest unit of information interaction in achieving the expected function; the multi-scale network model is a multi-layered structure from high to low, with each layer containing at least one node; determining the starting node in the lowest layer of the multi-scale network model; determining test scenario paths within the multi-scale network model based on the starting node; and constructing a test scenario path library for the system based on all test scenario paths; and analyzing the system's expected functional safety based on the test scenario path library. This application models an autonomous driving hardware-software coupled system using a multi-scale network model method. By combining the statistical characteristics and influence domain characteristics of the multi-scale network model of the autonomous driving system, it determines a path library for basic test scenarios, providing an effective analysis path for solving the expected functional safety problem of hardware-software coupled systems and offering a solution for the later commercialization of autonomous vehicles. Attached Figure Description
[0038] Figure 1 This is a flowchart illustrating a system's expected functional safety analysis method in one embodiment;
[0039] Figure 2 This is a schematic diagram of the structure of an autonomous driving software system in one embodiment;
[0040] Figure 3 This is a schematic diagram of the class hierarchy in an autonomous driving software system in one embodiment;
[0041] Figure 4 This is a schematic diagram of an autonomous driving system structure based on multi-scale partitioning in one embodiment;
[0042] Figure 5 This is a schematic diagram of the test scenario path in one embodiment;
[0043] Figure 6 This is a flowchart illustrating the system's expected functional safety analysis method in yet another embodiment;
[0044] Figure 7 This is a structural block diagram of a system expected function safety analysis device in one embodiment;
[0045] Figure 8 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation
[0046] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0047] With the development and application of the "new four modernizations" technologies characterized by electrification, connectivity, intelligence, and sharing, autonomous vehicles have become a strategic direction for the global automotive industry, and their safety issues have gradually become a focus of public attention. The performance limitations and functional deficiencies of autonomous driving perception and execution systems, algorithmic defects in perception, decision-making, and control algorithms, safety risks arising from special weather and traffic conditions, and reasonably foreseeable human misuse—that is, the issue of Safety of the Intended Functionality (SOTIF) of autonomous driving systems—have become one of the biggest challenges in the research and development and industrialization of autonomous vehicles.
[0048] In autonomous vehicles, the coupling and interaction of software and hardware are increasingly integrating networks, computing, control, and physical perception into a single system, achieving a fusion of computational and physical processes. However, safety incidents caused by such software systems often have a more direct impact on the physical environment, even leading to catastrophic consequences. Current software security technologies and engineering methods focus on the software system itself, while the issues of inter-software collaboration and collaboration between software and hardware systems have not received sufficient attention. For example, the two Boeing 737 Max crashes in 2018 and 2019, and the recent multiple Tesla crashes, are typical examples of serious aviation and traffic accidents caused by defects in software-hardware interaction and collaboration. It can be seen that the software system (designed and developed according to requirements) did not malfunction, but significant defects existed in the software-hardware interaction and collaboration process, putting autonomous vehicles in danger and ultimately causing major safety incidents.
[0049] In related technologies, the analysis primarily focuses on the anticipated functional safety (ECT) related to vehicle misoperation. However, because the methods can only build models based on real-world hazardous scenarios and terrains where ECT misoperation is likely to occur in autonomous vehicles, they cannot analyze the overall ECT of the autonomous driving system. Furthermore, the data formats of ECT scenario libraries built in existing technologies are inconsistent, requiring continuous adaptation during testing, and the number of scenarios is limited, resulting in poor scalability. Therefore, this paper proposes constructing an ECT test scenario library for autonomous driving for analysis.
[0050] In this context, a scene is used to describe a specific life scenario involving a task, action, or interpersonal relationship that occurs within a certain time and space. The term "scene" also broadly refers to specific scenarios or situations in life. Therefore, a traffic scene refers to a specific situation in road traffic. Current research suggests that a traffic scene should include at least the following six types of information: First, road geometry information. Second, road infrastructure, including roadside traffic facilities, traffic lights, and road markings. Third, temporary changes on the road, such as road construction or other new developments. Fourth, and more importantly, the dynamic relationships between road traffic participants. Fifth, information related to the traffic environment, such as weather and lighting. Sixth, newly added digital information. The digital information of the road is described by these six layers. It can be understood that an autonomous driving scene refers to the various traffic scenarios encountered by autonomous vehicles during operation.
[0051] To address the aforementioned technical issues, such as Figure 1 As shown, a method for analyzing the expected functional safety of a system is provided. Taking the application of this method to a server as an example, the method includes the following steps:
[0052] Step 102: Take the constituent elements of the system as nodes, determine the system topology structure composed of each node according to the information interaction relationship between each node, and take the system topology structure as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves the expected function. The multi-scale network model is a multi-layer structure from high to low, and each layer includes at least one node.
[0053] The concept of "multi-scale" is inspired by the multi-scale method in computer vision. It expresses the idea of constructing a "multi-scale model" where the node scales of the basic units of the software network are different in different dimensions of the software system (such as classes, functions, subroutines, systems, etc.). This model describes the process of information transmission and interactive control between nodes at different scales in the software system, and builds an analytical framework for the expected functional safety of the software system.
[0054] Specifically, see Figure 2 and Figure 3 This approach constructs autonomous driving software systems as topological structures. Depending on the scale, the components of a software system can be data objects, operations, modules, classes, subsystems, etc. Autonomous driving software achieves its functions through information interaction and collaboration between these elements. Viewing the components as nodes and their complex interactions as edges allows us to abstract the software system structure into a software structural relationship network. The network model obtained through relational extraction is then called the software network. A class-level hierarchical software network structure diagram constructs the dependencies and topological structure of classes in the software source code, including their call relationships, inheritance, and associations, thereby enabling analysis of the software system's structure and performance.
[0055] Step 104: Determine the starting node in the lowest layer of the multi-scale network model. Based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0056] It should be noted that a single event-driven test path or key point test scope can be represented as a test scenario. A basic test scenario path based on event-driven or key point testing is established, an event-driven chain is obtained, multiple nodes associated with the event-driven chain in the lowest layer are identified, the criticality of each node in the multiple nodes is calculated, and the node with the highest criticality in the lowest layer is taken as the starting node.
[0057] Specifically, driven by an event, the corresponding node in the lowest level of the multi-scale network model is determined. This involves the perception layer, such as various sensors, sensing raw data and importing it into the first-layer nodes. Then, based on the criticality of the nodes, the node with the highest criticality among the nodes corresponding to the raw data is selected as the starting node, and the process is pushed upwards level by level until it reaches the application layer, where it is then fed back to the hardware for execution. This determines the test scenario path corresponding to an event.
[0058] Step 106: Analyze the expected functional safety of the system based on the test scenario path library.
[0059] In the method provided in the above embodiments, the constituent elements of the system are treated as nodes. Based on the information interaction relationship between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layered structure from high to low, with at least one node in each layer. The starting node in the lowest layer of the multi-scale network model is determined. Based on the starting node, test scenario paths are determined in the multi-scale network model. All test scenario paths constitute the system's test scenario path library. Based on the test scenario path library, the expected functional safety of the system is analyzed. This application models the autonomous driving software and hardware coupled system using a multi-scale network model method. Combining the statistical characteristics and influence domain characteristics of the multi-scale network model of the autonomous driving system, a path library for basic test scenarios is determined. This provides an effective analysis path for solving the expected functional safety problem of the software and hardware coupled system and offers a solution for the later commercialization of autonomous vehicles.
[0060] In one embodiment, for any layer in the multi-layer structure that is not the highest layer, a node in any layer belongs to a node in the adjacent layer above it; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages and functions, the second layer includes network modules and design patterns, and the third layer includes functions and subsystems; the information interaction relationships include calling, aggregation and inheritance.
[0061] See details Figure 4 First, the entire autonomous driving system software network is divided into three layers. Basic functional units such as classes, functions, and packages in the software source code are set as the first layer; motifs, methods, and design patterns are set as the second layer; and the third layer of the software network represents the functional and subsystem layer. I, II, and III represent small, medium, and large-scale nodes, respectively. From the perspective of system decomposition, the scale structure is subdivided from top to bottom, with large-scale nodes constructed from local scale nodes.
[0062] The Layer I scale nodes of the software network are modeled as static global structural features. Using traditional software network construction methods, in object-oriented software systems, the nodes constructed by the interaction relationships of basic structures and basic functional units such as classes, functions, and interfaces (hereinafter referred to as "class") can be called the microstructure of the software network. The Layer II scale nodes of the software network are formed by the combination of simple class structures. A small number of classes frequently appear and aggregate to form structural modules. A single module consists of 3-4 nodes. The Layer III scale nodes of the software network are composed of some large modules, components, or subsystems with relatively independent functions in the software system. Due to the need for software version iteration, these structures are more easily reused. The higher the possibility of uncertainty in the software-hardware interaction process, the greater the probability of software functional safety problems occurring.
[0063] In the method provided in the above embodiments, for any layer other than the highest layer in the multi-layer structure, nodes in any layer belong to nodes in the adjacent layer above; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages, and functions; the second layer includes network modules and design patterns; and the third layer includes functions and subsystems; information interaction relationships include calls, aggregations, and inheritance. Due to the influence of uncertainties in the physical environment and software-hardware interaction, it is difficult to conduct detailed analysis of software system behavior and integration test analysis during the security analysis and testing of software-hardware coupled systems, making it impossible to build an effective test environment and accurately locate software failure points. Considering the security issues caused by the uncertainty of the software-hardware interaction process due to software system integration, a multi-scale software network modeling hierarchical structure is adopted. When information cannot be obtained in the integration environment, scenario testing of the software can be performed.
[0064] In one embodiment, determining the starting node in the lowest layer of the multi-scale network model includes:
[0065] Determine the starting node in the lowest layer based on the event-driven chain and / or node criticality.
[0066] Due to the event-driven nature of object-oriented software, software operation begins with events. In coupled hardware and software systems, the multi-scale software network model specifically starts event-driven operation from the physical system perception layer, passing through the software node layer, module layer, and system layer, to manipulate the hardware to complete system function events. Because the physical system perception layer is affected by uncertainties in the external physical environment, software expected functional safety issues affect the entire function-driven event chain.
[0067] A software event chain is a thread execution path that starts from the triggering of a physical event, proceeds through interactions between objects involved in the software and hardware collaboration, and finally completes the functional implementation and outputs data from the hardware system. Figure 5 As shown.
[0068] During autonomous driving, just like human drivers, autonomous driving systems cannot completely prevent harmful incidents from occurring when faced with various complex scenarios. The categories of harmful incidents are shown in Table 1.
[0069] Table 1 Classification of Hazardous Events Related to Autonomous Driving Systems
[0070]
[0071] Among them, node criticality refers to the importance of a node in a network model. The statistical characteristics of the multi-scale software network model, namely node betweenness and degree, are used to rank the importance of software network nodes. The key node expansion method is determined according to the network clustering coefficient and importance order of different key nodes. Scenario test cases are constructed with a single key node as the center and multiple secondary nodes as the expansion, forming a basic test scenario library for the expected functional safety of software.
[0072] In the method provided in the above embodiments, the starting node in the lowest layer is determined based on the event-driven chain and / or node criticality. The test path uses the connections between different critical nodes as the test path. According to the order of critical nodes, starting from the most critical node, the software network is traversed by depth-first search. The sum of the weights of the critical nodes traversed by the path is used as the basis for test priority ranking. This constructs a test scenario path library for software-hardware coupled systems, providing an effective analysis path for solving expected functional safety issues in software-hardware coupled systems.
[0073] In one embodiment, the process of obtaining the event-driven chain includes:
[0074] Based on the probability distribution function of harmful behavioral events caused by the expected function of the system, the event credibility corresponding to each event-driven chain is determined, and the event-driven chain with an event credibility greater than a preset threshold is taken as the obtained event-driven chain.
[0075] It should be noted that in probability density functions, the Poisson distribution describes the number of random events occurring within a unit of time (or space). According to the ISO 21448 standard, the number of hazardous events caused by autonomous driving functions in complex scenarios is described by a Poisson distribution, and the probability function of the Poisson distribution is:
[0076] n = 0, 1, 2, ...
[0077] In the above formula, m is the average number of hazardous events occurring per unit distance (or unit time); n is the number of hazardous events occurring.
[0078] Through transformation, the average mileage or time interval (i.e., accident-free mileage or duration) of harmful events can be obtained as follows:
[0079] τ=-ln(1-α) / m
[0080] In the above formula, α represents the confidence level.
[0081] When the credibility of a hazardous behavior event of an autonomous driving system meets the requirements, it can be considered that the autonomous driving system does not pose a significant unreasonable risk, and its overall safety risk is acceptable.
[0082] In the method provided in the above embodiments, the event credibility corresponding to each event-driven chain is determined based on the probability distribution function of the harmful behavior events caused by the expected function of the system. Event-driven chains with event credibility greater than a preset threshold are taken as the obtained event-driven chains. The application uses a multi-scale network model method to model the coupled hardware and software system of autonomous driving. Combining the statistical characteristics and influence domain characteristics of the multi-scale network model of the autonomous driving system, a path library for basic test scenarios is determined. This provides an effective analytical path for solving the expected functional safety problems of the coupled hardware and software system, and offers a solution for the later commercialization of autonomous vehicles.
[0083] In one embodiment, see Figure 6 The calculation process for node criticality includes:
[0084] Step 602: For any node, calculate the node degree and node betweenness of any node; the node degree refers to the number of nodes that are connected to any node, and the node betweenness refers to the ratio between the number of all shortest paths in the network that pass through any node and the total number of shortest paths in the network.
[0085] Since a network model contains nodes with different dimensions, the statistical characteristics of nodes are analyzed from the same level. Let the degree of the i-th node in layer I (this paper discusses degree regardless of direction; dependency and invocation are both expressed in degree) be represented as... i = 1, ..., n; l = I, II, III; the average degree of the network is expressed as... This represents the average degree of nodes in this layer. The degree distribution is the probability that k nodes in the current layer have a degree equal to the average degree, denoted as:
[0086] P l (k)=n l / n
[0087] The number of node connections is represented by the degree of the current node. The degree distribution of nodes in the network represents the probability that the degree of a randomly selected node is exactly the average degree of the nodes. The node degree measures the connection relationship of a single node. For the entire network, the degree distribution statistically summarizes the distribution of network nodes.
[0088] Node betweenness: The ratio of the number of shortest paths passing through a given node to the total number of shortest paths in the network. Specifically, it can be defined as follows: Assume σ st σ represents the number of shortest paths from a node s to another node t in the network. st (v) represents the number of nodes v in the shortest path. The betweenness of node v can be expressed as:
[0089]
[0090] Node betweenness represents a node's influence within the entire network, and to a certain extent, reflects the node's importance within the network. For software networks in coupled hardware and software systems, identifying nodes with high betweenness in the network structure can pinpoint the central role of the corresponding software package within the software system, and determine whether the node is a heavy information-loaded node in the network.
[0091] Step 604: Calculate the criticality of any node based on its degree and betweenness.
[0092] By employing the statistical characteristics of node betweenness and degree in a multi-scale software network model, the importance of software network nodes is ranked. Based on the network clustering coefficients and importance order of different key nodes, the expansion method of key nodes is determined. Scenario test cases are constructed with a single key node as the center and multiple secondary nodes as the expansion, forming a basic test scenario library for the expected functional safety of software.
[0093] The network clustering coefficient refers to all nodes in the software network that are directly connected by edges and are considered neighbors. For a given node i, the coefficient is determined by the existence of k nodes. i Given k adjacent nodes, if all these nodes are connected to each other, there can be at most k such nodes. i (k i -1) / 2 edges. Using the k-value of node i... i The number of edges F between neighboring nodes i Divide by the maximum number of possible edges k i (k i -1) / 2 gives the clustering coefficient C of node i. i The calculation method is as follows:
[0094]
[0095]
[0096]
[0097] The clustering coefficient C of the multi-scale software network model can be obtained by averaging the clustering coefficients of all nodes at all levels in the network. If C = 1, there is a direct edge between any two nodes in the network, indicating that the network is a globally coupled network. If C = 0, all nodes in the current software network are isolated nodes.
[0098] The node importance ranking method is based on node betweenness and degree, centering on the main nodes of the software and using multiple secondary nodes as nodes. It analyzes the expected functional safety of the software and constructs test scenario paths. Node criticality is represented by a weighted average of the node's degree and betweenness. Since the node degree is significantly larger than the node betweenness, the degree and betweenness are normalized before a weighted formula is applied to determine the node criticality, thus identifying key nodes.
[0099] In the method provided in the above embodiments, for any node, the node degree and node betweenness number of any node are calculated. The node degree refers to the number of nodes connected to any given node, and the node betweenness number refers to the ratio between the number of all shortest paths passing through any given node in the network and the total number of shortest paths in the network. Based on the node degree and node betweenness number of any given node, the node criticality is calculated. By modeling the coupled hardware and software system of autonomous driving using a multi-scale network model method, and combining the statistical characteristics and influence domain characteristics of the multi-scale network model of the autonomous driving system, a path library for basic test scenarios is determined. This provides an effective analytical path for solving the expected functional safety problems of the coupled hardware and software system, and offers a solution for the later commercialization of autonomous vehicles.
[0100] In one embodiment, before calculating the criticality of any node based on its degree and betweenness, the method further includes:
[0101] According to the preset rules, obtain the first normalized result corresponding to the node degree of any node, the first normalized weight corresponding to the first normalized result, and the second normalized result corresponding to the node betweenness of any node and the second normalized weight corresponding to the second normalized result.
[0102] Accordingly, based on the degree and betweenness of any given node, the criticality of any given node is calculated, including:
[0103] Calculate the node criticality of any node based on the first normalization result, the first normalization weight, the second normalization result, and the second normalization weight.
[0104] The node importance ranking method is based on node betweenness and degree, centering on major software nodes and using multiple secondary nodes as nodes. It analyzes the expected functional safety of the software and constructs test scenario paths. The criticality of node i is calculated by weighting its degree and betweenness. Since the degree is significantly larger than the betweenness, both are normalized before a weighted formula is used to determine the node criticality, thus identifying key nodes.
[0105]
[0106] Where λ represents the first normalized weight corresponding to the node degree obtained after normalization, and β represents the second normalized weight corresponding to the node betweenness obtained after normalization; in a specific embodiment, the corresponding weight can be reflected by setting a function to calculate the node criticality.
[0107] In the generation of test cases for software-hardware coupled system scenarios, previous methods relied on path generation based on key nodes. However, this patent proposes a test case generation strategy for software expected functional safety scenarios. The test path uses the connections between different key nodes as the test path. Based on the ranking of key nodes, starting from the most critical node, the software network is traversed using a depth-first search method. The sum of the weights of the key nodes traversed along the path is used as the basis for test priority ranking to construct test scenarios for software-hardware coupled systems.
[0108] In the method provided in the above embodiments, according to preset rules, a first normalized result corresponding to the node degree of any node, a first normalized weight corresponding to the first normalized result, and a second normalized result corresponding to the node betweenness of any node and a second normalized weight corresponding to the second normalized result are obtained. Correspondingly, based on the node degree and node betweenness of any node, the node criticality of any node is calculated, including: calculating the node criticality of any node based on the first normalized result, the first normalized weight, the second normalized result, and the second normalized weight. By modeling the autonomous driving hardware-software coupled system using a multi-scale network model method, and combining the statistical characteristics and influence domain characteristics of the multi-scale network model of the autonomous driving system, a path library for basic test scenarios is determined. This provides an effective analytical path for solving the expected functional safety problems of the hardware-software coupled system and offers a solution for the later commercialization of autonomous vehicles.
[0109] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.
[0110] Based on the same inventive concept, this application also provides a system expected function safety (SEM) analysis apparatus for implementing the aforementioned system expected function safety analysis method. The solution provided by this apparatus is similar to the implementation scheme described in the above method; therefore, the specific limitations in one or more SEM embodiments provided below can be found in the limitations of the system expected function safety analysis method described above, and will not be repeated here.
[0111] In one embodiment, such as Figure 7 As shown, a system expected functional safety analysis device is provided, including: a first determination module 701, a second determination module 702 and an analysis module 703;
[0112] The first determining module 701 is used to take the constituent elements of the system as nodes, determine the system topology structure composed of each node according to the information interaction relationship between each node, and take the system topology structure as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves the expected function. The multi-scale network model is a multi-layer structure from high to low, and each layer includes at least one node.
[0113] The second determining module 702 is used to determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. All test scenario paths constitute the test scenario path library of the system.
[0114] Analysis module 703 is used to analyze the expected functional safety of the system based on the test scenario path library.
[0115] In one embodiment, the first determining module 701 is further configured to: for any layer other than the highest layer in the multi-layer structure, a node in any layer belongs to a node in the adjacent layer above; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages and functions, the second layer includes network modules and design patterns, and the third layer includes functions and subsystems; the information interaction relationships include calling, aggregation and inheritance.
[0116] In one embodiment, the second determining module 702 is further configured to determine the starting node in the lowest layer based on the event-driven chain and / or node criticality.
[0117] In one embodiment, the second determining module 702 is further configured to determine the event credibility corresponding to each event-driven chain based on the probability distribution function of the harmful behavior events caused by the expected function of the system, and to take the event-driven chain with an event credibility greater than a preset threshold as the obtained event-driven chain.
[0118] In one embodiment, the second determining module 702 is further configured to calculate the node degree and node betweenness of any node for any node; the node degree refers to the number of nodes that have a connection relationship with any node, and the node betweenness refers to the ratio between the number of all shortest paths in the network that pass through any node and the total number of shortest paths in the network.
[0119] Calculate the criticality of any node based on its degree and betweenness.
[0120] In one embodiment, the second determining module 702 is further configured to obtain, according to preset rules, a first normalized result corresponding to the node degree of any node, a first normalized weight corresponding to the first normalized result, a second normalized result corresponding to the node betweenness of any node, and a second normalized weight corresponding to the second normalized result.
[0121] Accordingly, based on the degree and betweenness of any given node, the criticality of any given node is calculated, including:
[0122] Calculate the node criticality of any node based on the first normalization result, the first normalization weight, the second normalization result, and the second normalization weight.
[0123] The modules in the aforementioned system's expected functional safety analysis device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the computer device's memory as software, so that the processor can invoke and execute the corresponding operations of each module.
[0124] In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as follows: Figure 8 As shown, the computer device includes a processor, memory, and a network interface connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores network model data and event chain data. The network interface communicates with external terminals via a network connection. When executed by the processor, the computer program implements a system's intended functional safety analysis method.
[0125] Those skilled in the art will understand that Figure 8 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0126] In one embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0127] The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node.
[0128] Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0129] Based on the test scenario path library, the expected functional safety of the system is analyzed.
[0130] In one embodiment, when the processor executes the computer program, it further implements the following steps: for any layer in the multi-layer structure that is not the highest layer, a node in any layer belongs to a node in the adjacent layer above; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages and functions, the second layer includes network modules and design patterns, and the third layer includes functions and subsystems; information interaction relationships include invocation, aggregation and inheritance.
[0131] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0132] Determine the starting node in the lowest layer based on the event-driven chain and / or node criticality.
[0133] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0134] Based on the probability distribution function of harmful behavioral events caused by the expected function of the system, the event credibility corresponding to each event-driven chain is determined, and the event-driven chain with an event credibility greater than a preset threshold is taken as the obtained event-driven chain.
[0135] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0136] For any given node, calculate its degree and betweenness number. The degree refers to the number of nodes that are connected to any given node, and the betweenness number is the ratio of the number of shortest paths through any given node to the total number of shortest paths in the network.
[0137] Calculate the criticality of any node based on its degree and betweenness.
[0138] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0139] According to the preset rules, obtain the first normalized result corresponding to the node degree of any node, the first normalized weight corresponding to the first normalized result, and the second normalized result corresponding to the node betweenness of any node and the second normalized weight corresponding to the second normalized result.
[0140] Accordingly, based on the degree and betweenness of any given node, the criticality of any given node is calculated, including:
[0141] Based on the first normalization result, the first normalization weight, the second normalization result, and the second normalization weight, the node criticality of any node is calculated. In one embodiment, when the processor executes the computer program, it further implements the following steps:
[0142] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:
[0143] The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node.
[0144] Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0145] Based on the test scenario path library, the expected functional safety of the system is analyzed.
[0146] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: for any layer in the multi-layer structure that is not the highest layer, a node in any layer belongs to a node in the adjacent layer above; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages and functions, the second layer includes network modules and design patterns, and the third layer includes functions and subsystems; information interaction relationships include invocation, aggregation and inheritance.
[0147] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0148] Determine the starting node in the lowest layer based on the event-driven chain and / or node criticality.
[0149] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0150] Based on the probability distribution function of harmful behavioral events caused by the expected function of the system, the event credibility corresponding to each event-driven chain is determined, and the event-driven chain with an event credibility greater than a preset threshold is taken as the obtained event-driven chain.
[0151] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0152] For any given node, calculate its degree and betweenness number. The degree refers to the number of nodes that are connected to any given node, and the betweenness number is the ratio of the number of shortest paths through any given node to the total number of shortest paths in the network.
[0153] Calculate the criticality of any node based on its degree and betweenness.
[0154] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0155] According to the preset rules, obtain the first normalized result corresponding to the node degree of any node, the first normalized weight corresponding to the first normalized result, and the second normalized result corresponding to the node betweenness of any node and the second normalized weight corresponding to the second normalized result.
[0156] Accordingly, based on the degree and betweenness of any given node, the criticality of any given node is calculated, including:
[0157] Based on the first normalization result, the first normalization weight, the second normalization result, and the second normalization weight, the node criticality of any node is calculated. In one embodiment, when the computer program is executed by the processor, the following steps are also performed:
[0158] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, performs the following steps:
[0159] The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves its expected functions. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node.
[0160] Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all test scenario paths.
[0161] Based on the test scenario path library, the expected functional safety of the system is analyzed.
[0162] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: for any layer in the multi-layer structure that is not the highest layer, a node in any layer belongs to a node in the adjacent layer above; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages and functions, the second layer includes network modules and design patterns, and the third layer includes functions and subsystems; information interaction relationships include invocation, aggregation and inheritance.
[0163] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0164] Determine the starting node in the lowest layer based on the event-driven chain and / or node criticality.
[0165] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0166] Based on the probability distribution function of harmful behavioral events caused by the expected function of the system, the event credibility corresponding to each event-driven chain is determined, and the event-driven chain with an event credibility greater than a preset threshold is taken as the obtained event-driven chain.
[0167] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0168] For any given node, calculate its degree and betweenness number. The degree refers to the number of nodes that are connected to any given node, and the betweenness number is the ratio of the number of shortest paths through any given node to the total number of shortest paths in the network.
[0169] Calculate the criticality of any node based on its degree and betweenness.
[0170] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0171] According to the preset rules, obtain the first normalized result corresponding to the node degree of any node, the first normalized weight corresponding to the first normalized result, and the second normalized result corresponding to the node betweenness of any node and the second normalized weight corresponding to the second normalized result.
[0172] Accordingly, based on the degree and betweenness of any given node, the criticality of any given node is calculated, including:
[0173] Calculate the node criticality of any node based on the first normalization result, the first normalization weight, the second normalization result, and the second normalization weight.
[0174] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium. When executed, the computer program can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.
[0175] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0176] The above embodiments are merely illustrative of several implementation methods of this application, and their descriptions are relatively specific and detailed. However, they should not be construed as limiting the scope of this application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A system intended functional safety analysis method, characterized by, The method includes: The system's constituent elements are treated as nodes. Based on the information interaction relationships between each node, the system topology structure composed of each node is determined. The system topology structure is used as a multi-scale network model. The constituent elements are the smallest units of information interaction in the system when it achieves the expected function. The multi-scale network model is a multi-layer structure from high to low, with each layer including at least one node. Determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model. The test scenario path library of the system is composed of all the test scenario paths. Based on the aforementioned test scenario path library, the expected functional safety of the system is analyzed; For any layer in the multi-layer structure that is not the highest layer, a node in that layer belongs to a node in the layer above it; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages, and functions; the second layer includes network modules and design patterns; and the third layer includes functions and subsystems; the information interaction relationships include calling, aggregation, and inheritance. Determining the starting node in the lowest layer of the multi-scale network model includes: The starting node in the lowest layer is determined based on the event-driven chain and / or node criticality. The process of obtaining the event-driven chain includes: Based on the probability distribution function of harmful behavioral events caused by the expected function of the system, the event credibility corresponding to each event-driven chain is determined, and the event-driven chain with an event credibility greater than a preset threshold is taken as the obtained event-driven chain.
2. The method of claim 1, wherein, The calculation process for the criticality of a node includes: For any node, calculate the node degree and node betweenness of that node; the node degree refers to the number of nodes that are connected to that node, and the node betweenness is the ratio between the number of all shortest paths in the network that pass through that node and the total number of shortest paths in the network. Calculate the criticality of any given node based on its degree and betweenness.
3. The method of claim 2, wherein, Before calculating the criticality of any node based on its degree and betweenness, the method further includes: According to preset rules, obtain the first normalized result corresponding to the node degree of any node, the first normalized weight corresponding to the first normalized result, the second normalized result corresponding to the node betweenness of any node, and the second normalized weight corresponding to the second normalized result. Accordingly, calculating the criticality of any node based on its degree and betweenness includes: Based on the first normalization result, the first normalization weight, the second normalization result, and the second normalization weight, calculate the node criticality of any node.
4. A system expected functional safety analysis device, characterized in that, The device includes: The first determining module is used to take the constituent elements of the system as nodes, determine the system topology structure composed of each node according to the information interaction relationship between each node, and take the system topology structure as a multi-scale network model. The constituent elements are the smallest units of information interaction when the system achieves the expected function. The multi-scale network model is a multi-layer structure from high to low, and each layer includes at least one node. The second determining module is used to determine the starting node in the lowest layer of the multi-scale network model, and based on the starting node, determine the test scenario path in the multi-scale network model, and the test scenario path library of the system is composed of all the test scenario paths. The analysis module is used to analyze the expected functional security of the system based on the test scenario path library; For any layer in the multi-layer structure that is not the highest layer, a node in that layer belongs to a node in the layer above it; correspondingly, the multi-layer structure has 3 layers; the first layer in the multi-layer structure includes classes, code packages, and functions; the second layer includes network modules and design patterns; and the third layer includes functions and subsystems; the information interaction relationships include calling, aggregation, and inheritance. The second determining module is also used to determine the starting node in the lowest layer based on the event-driven chain and / or node criticality; The second determining module is also used to determine the event credibility of each event-driven chain based on the probability distribution function of the harmful behavior events caused by the expected function of the system, and to take the event-driven chain with an event credibility greater than a preset threshold as the obtained event-driven chain.
5. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 3.
6. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 3.
7. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 3.