Research on the SOTIF Analysis and Validation Process and Methods for Airborne Software
Cite this article: Jiang Mengcen, Wen Xiaoling, Li Haifeng. Research on the SOTIF Analysis and Validation Process and Methods for Airborne Software [J]. 测控技术 (Measurement & Control Technology), 2024, 43(3): 61-69.
Authors: Jiang Mengcen, Wen Xiaoling, Li Haifeng
Affiliations: AVIC Shenyang Aircraft Design and Research Institute; Beihang University
Funding: Aeronautical Science Foundation of China (2022Z063001001)
Abstract: Safety of the Intended Functionality (SOTIF) addresses the hazards that arise from insufficiencies in a system's own functional design when it interacts with the external environment, interconnected equipment, mission scenarios and operators, which makes it well suited to the development of systems and software with complex functional logic. To date, however, SOTIF has not been studied or applied in the safety analysis and validation of airborne software, so the existing airborne-software safety analysis and validation process is poorly suited to identifying and analyzing complex failures. Drawing on the successful application of SOTIF in the automotive domain, this paper therefore studies a SOTIF analysis and validation process and its methods for airborne software. First, with reference to the ISO 21448 standard, a SOTIF analysis and validation framework for airborne software is proposed. Second, the SOTIF analysis and validation techniques involved in the process are studied using functional hazard analysis, fault tree models and scenario-driven theory: hazards of the airborne system are identified, abnormal software control behaviours and their causes are analyzed, and SOTIF test scenarios and test cases are constructed, forming a complete closed loop of SOTIF-based safety analysis and validation for airborne software. Finally, a typical engineering application of the SOTIF techniques to wheel steering control software confirms the effectiveness and feasibility of the results. The resulting SOTIF analysis and validation process and capability for airborne software can help developers fully identify complex failure modes that occur during airborne software operation, such as hardware/software coupling conflicts, human-machine interaction anomalies and scenario-switching anomalies, ensuring that airborne software meets high-safety, high-reliability development requirements.

Keywords: Safety of the Intended Functionality; airborne software; safety analysis; safety validation

The Analysis and Validation Process and Approach of the Intended Function Safety for the Airborne Software
Abstract: Safety of the intended functionality (SOTIF) focuses on the safety problems caused by insufficient function design when the system interacts with its environment, equipment, task scenarios and operators. SOTIF is thus suitable for the development process of systems and software with complex function logic. However, there is currently no research on or application of SOTIF in the safety analysis and validation of airborne software, so the existing safety analysis and validation of airborne software is difficult to apply to the analysis and identification of complex failures. Therefore, based on the successful application experience of SOTIF in the automotive field, research on the analysis and validation process and methods of intended functionality for airborne software is carried out. Firstly, the analysis and validation framework of airborne software is proposed based on the ISO 21448 standard. Then, with the help of functional hazard analysis, fault tree models, scenario-driven theory and other theories, the SOTIF analysis and validation technology involved in the process is researched to identify the hazards of the airborne system, analyze the abnormal control behaviours of the software and their causes, construct the SOTIF test scenarios and test cases, and form a complete closed loop of the safety analysis and validation of airborne software based on SOTIF. Finally, the effectiveness and feasibility of the research results are verified through the typical engineering application of SOTIF technology in the wheel turning control software, and the SOTIF analysis and verification process and capability for airborne software are formed, which can support developers in fully identifying complex failures such as soft-hard-coupling conflicts, human-computer interaction anomalies and scenario switching anomalies during the operation of airborne software, so as to ensure that airborne software meets the requirements of high-safety and high-reliability development.
Keywords: SOTIF; airborne software; safety analysis; safety validation