Article (PDF available)

Abstract and Figures

Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent now determines the safety of the patient. For example, implantable cardiac pacemakers contain over 80,000 lines of code responsible for keeping the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools that generate verified code from verified software models. To this end, we have developed the UPP2SF model-translation tool, which automatically converts verified models (in UPPAAL) into models that can be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion for a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and then (c) automatically turned into modular code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF may be used for worst-case execution time (WCET) estimation early in the design stage. Using UPP2SF, we demonstrate the value of an integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.
... Safety verification [12], [13] and safety controller synthesis [14]–[17] for CPS operated in a benign environment have been extensively studied. ...
Preprint
Full-text available
Cyber-physical systems (CPS) are required to operate safely under fault and malicious attacks. The simplex architecture and the recently proposed cyber resilient architectures, e.g., Byzantine fault tolerant++ (BFT++), provide safety for CPS under faults and malicious cyber attacks, respectively. However, these existing architectures make use of different timing parameters and implementations to provide safety, and are seemingly unrelated. In this paper, we propose an analytical framework to represent the simplex, BFT++ and other practical cyber resilient architectures (CRAs). We construct a hybrid system that models CPS adopting any of these architectures. We derive sufficient conditions via our proposed framework under which a control policy is guaranteed to be safe. We present an algorithm to synthesize the control policy. We validate the proposed framework using a case study on lateral control of a Boeing 747, and demonstrate that our proposed approach ensures safety of the system.
... This raises another challenge, i.e., establishing the correctness of automated model translation (Fig. 11, ②) and code generation (Fig. 11, ⑤). For example, Jiang et al. developed the UPP2SF compiler to automatically convert verified UPPAAL models to simulation models [46]. Afterward, they used Simulink code generation for code synthesis. ... The circled numbers in Fig. 11 indicate various verification and validation activities: ① verifying that the abstract models fulfill (a subset of) the system requirements using formal analysis, such as model checking. ...
Article
Full-text available
Objective: Cardiovascular Implantable Electronic Devices (CIEDs) are used extensively for treating life-threatening conditions such as bradycardia, atrioventricular block and heart failure. The complicated heterogeneous physical dynamics of patients provide distinct challenges to device development and validation. We address this problem by proposing a device testing framework within the in-silico closed-loop context of patient physiology. Methods: We develop an automated framework to validate CIEDs in closed loop with a high-level physiologically based computational heart model. The framework includes test generation, execution and evaluation, which automatically guides an integrated stochastic optimization algorithm for exploration of physiological conditions. Conclusion: The results show that using a closed-loop device-heart model framework can achieve high system test coverage, while the heart model provides clinically relevant responses. The simulated findings of pacemaker-mediated tachycardia risk evaluation agree well with the clinical observations. Furthermore, we illustrate how device programming parameter selection affects the treatment efficacy for specific physiological conditions. Significance: This work demonstrates that incorporating model-based closed-loop testing of CIEDs into their design provides important indications of safety and efficacy under constrained physiological conditions.
... To bridge the gap between state-oriented models and formal verification, efforts have also been made by the research community to transform state-oriented modeling specifications/languages, such as UML (unified modeling language) statecharts [22,33], hierarchical timed automata (HTA) [6], discrete event system specification for real-time (RT-DEVS) [9], parallel object-oriented specification language (POOSL) [32], and Stateflow models [17,18], to UPPAAL timed automata. On the other hand, Pajic et al. developed a tool to transform UPPAAL timed automata to Stateflow models for implementation purposes [24,25]. ...
Preprint
Improving the effectiveness and safety of patient care is the ultimate objective for medical cyber-physical systems. Many medical best practice guidelines exist, but most of the existing guidelines in handbooks are difficult for medical staff to remember and apply clinically. Furthermore, although the guidelines have gone through clinical validation, validation by medical professionals alone does not guarantee the safety of medical cyber-physical systems. Hence, formal verification is also needed. The paper presents the formal semantics for a framework that we developed to support the development of verifiably safe medical guidelines. The framework allows computer scientists to work together with medical professionals to transform medical best practice guidelines into executable statechart models, Yakindu in particular, so that medical functionalities and properties can be quickly prototyped and validated. Existing formal verification technologies, UPPAAL timed automata in particular, are integrated into the framework to provide formal verification capabilities for verifying safety properties. However, some components used/built into the framework, such as the open-source Yakindu statecharts as well as the transformation rules from statecharts to timed automata, do not have built-in semantics. The ambiguity becomes unavoidable unless formal semantics is defined for the framework, which is what this paper presents.
... In the PAT-based (Chen et al. 2012) verification technique, they covered most of the advanced features of Stateflow, with limited support for the event interrupt dispatch mechanism and time operations. There is also some nice work translating UPPAAL timed automata to Simulink Stateflow for simulation and code generation (Pajic et al. 2012, 2014). Since the semantics of timed automata is simpler than that of Stateflow, the translation procedure is different from our setting, because we need to deal with the priority, event stack, transition actions, and so on, of Stateflow during our reverse transformation. ...
Article
Simulink is widely used for model-driven development (MDD) of cyber-physical systems. Typically, Simulink-based development starts with Stateflow modeling, followed by simulation, validation, and code generation mapped to physical execution platforms. However, recent trends have raised the demand for rigorous verification of safety-critical applications to prevent intrinsic development faults and improve system dependability, which is unfortunately challenging. Even though the constructed Stateflow model and the generated code pass the validation of Simulink Design Verifier and Simulink Polyspace, respectively, the system may still fail due to implicit defects contained in the design model (design defects) and the generated code (implementation defects).
... Tools proven in use: Not surprisingly, the largest body of related work in the context of generating safety-critical software from models relies on tools that are proven in use. For example, Pajic et al. [53] use UPPAAL for modeling and verification of models, then translate the models to Simulink/Stateflow, and finally use its proven-in-use code generator to generate the C implementation. Note that the transformation from UPPAAL to Simulink is not proven in use; it has been "verified" through reviews. ...
Article
Full-text available
Language workbenches support the efficient creation, integration, and use of domain-specific languages. Typically, they execute models by code generation to programming language code. This can lead to increased productivity and higher quality. However, in safety-/mission-critical environments, generated code may not be considered trustworthy, because of the lack of trust in the generation mechanisms. This makes it harder to justify the use of language workbenches in such an environment. In this paper, we demonstrate an approach to use such tools in critical environments. We argue that models created with domain-specific languages are easier to validate and that the additional risk resulting from the transformation to code can be mitigated by a suitably designed transformation and verification architecture. We validate the approach with an industrial case study from the healthcare domain. We also discuss the degree to which the approach is appropriate for critical software in space, automotive, and robotics systems.
... The aforementioned controllers were designed and tested using the testbed shown in Fig. 12. Specifically, (a) C freq was implemented directly on a Cortex-M3 microcontroller, (b) the exploration of temporal patterns for C patt, based on a search similar to the one from [3], was done in LabView using HIL real-time simulation support and directly employing the feedback from QoC monitors on the platform, and (c) for C adapt, modeling and simulation were done using the HIL real-time support, while the transition from the model to the C adapt implementation on top of the nanoRK RTOS was done manually (although code generation tools for such models exist, e.g., [25]). Each of the controllers was tested on a Parkinsonian BGM with n = 10 neurons per BG region. ...
Conference Paper
Full-text available
Deep Brain Stimulation (DBS) is effective at alleviating symptoms of neurological disorders such as Parkinson's disease. Yet, despite its safety-critical nature, there does not exist a platform for integrated design and testing of new algorithms or devices. Consequently, we introduce a model-based design framework for DBS controllers based on a physiologically relevant basal-ganglia model (BGM) that we capture as a network of nonlinear hybrid automata, synchronized via neural activation events. The BGM is parametrized by the number of neurons used to model each of the BG regions, which supports tradeoffs between fidelity and complexity of the model. Our hybrid-automata representation is exploited for design of software (Simulink) and hardware (FPGA) BGM platforms, with the latter enabling real-time model simulation and device testing. We demonstrate that the BGM platform is capable of generating physiologically relevant responses to DBS, and validate the BGM using a set of requirements obtained from existing work. We present the use of our framework for design and test of DBS controllers with varying levels of adaptation/feedback. Our evaluations are based on Quality-of-Control metrics that we introduce for runtime monitoring of DBS effectiveness.
Article
During the system development process, domain experts and developers often make assumptions about specifications and implementations. However, most of the assumptions being taken for granted by domain experts and developers are too tedious to be documented by them. When these unspecified assumptions are violated in an environment in which the system operates, failures can occur. According to the U.S. Food and Drug Administration (FDA) medical device recall database, medical device recalls caused by software failures are at an all-time high. One major cause of these recalls is violations of unspecified assumptions made in medical systems. Therefore, it is crucial to have tools to automatically identify such unspecified assumptions at an early stage of the system development process to avoid fatal failures. In this article, we present a tool called Unspecified Assumption Carrier Finder (UACFinder) that uses data mining techniques to automatically identify potential syntactic carriers of unspecified assumptions in system design models. The main idea of this tool is based on the observation we obtained from our earlier analysis of software failures in medical device recalls caused by unspecified assumptions. We observed that unspecified assumptions often exist in medical systems through syntactic carriers, such as constant variables, frequently read/updated variables, and frequently executed action sequences. Therefore, we developed the UACFinder to automatically find these potential unspecified assumption syntactic carriers rather than unspecified assumptions themselves. Once the UACFinder identifies the potential unspecified assumption syntactic carriers, domain experts and developers can validate whether these syntactic carriers indeed carry unspecified assumptions. We use a simplified cardiac arrest treatment scenario as a case study to evaluate the UACFinder in mining potential syntactic carriers of unspecified assumptions. In addition, we invited a medical doctor to validate unspecified assumptions carried by the mined syntactic carriers. The case study demonstrates that the UACFinder is effective in helping to identify potential unspecified assumptions from system design models.
Article
Improving safety of patient care is an ultimate objective for medical systems. Though many medical best practice guidelines exist and are in hospital handbooks, they are often lengthy and difficult for medical professionals to remember and apply clinically. Hence, developing safe medical best practice guideline systems is an urgent need. The paper presents a framework to support the development of verifiably safe medical best practice guideline systems. The framework facilitates medical professionals’ participation in computer modeling, clinical validation, formal verification and root cause identification of safety failures at both model and code levels. To implement the framework, our strategies are to maximally utilize existing models/tools designed for validation and verification respectively, but build bridges among different selected models/tools. In particular, we use statechart tool to build statechart models for medical best practice guidelines and use statechart models to interact with medical professionals for clinical validations. The statechart models are then automatically transformed to verifiable models by the framework so that the safety properties can be formally verified. The computer models that are both validated by medical professionals and verified by formal verification tools are then used to generate computer executable code. To improve code level safety, the framework further transforms safety properties specified at the model level to runtime code monitors to ensure that these safety properties are complied at runtime. We use a simplified version of cardiac arrest treatment scenario provided to our team by Carle Foundation Hospital as a case study to evaluate the framework in developing a verifiably safe medical system.
Chapter
We illustrate the ingredients of the state-of-the-art of model-based approach for the formal design and verification of cyber-physical systems. To capture the interaction between a discrete controller and its continuously evolving environment, we use the formal models of timed and hybrid automata. We explain the steps of modeling and verification in the tools Uppaal and SpaceEx using a case study based on a dual-chamber implantable pacemaker monitoring a human heart. We show how to design a model as a composition of components, how to construct models at varying levels of detail, how to establish that one model is an abstraction of another, how to specify correctness requirements using temporal logic, and how to verify that a model satisfies a logical requirement.
Article
Full-text available
The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safety-critical nature and the lack of existing industry standards for verification, make this an ideal domain for exploring applications of formal modeling and analysis. In this paper, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We present detailed models of different components of the pacemaker based on the algorithm descriptions from Boston Scientific. We formalize basic safety requirements based on specifications from Boston Scientific as well as additional physiological knowledge. The most critical potential safety violation for a pacemaker is that it may lead the closed-loop system into an undesirable pattern (for example, Tachycardia). Modern pacemakers are implemented with termination algorithms to prevent such conditions. We show how to identify these conditions and check correctness of corresponding termination algorithms by augmenting the basic models with monitors for detecting undesirable patterns. Along with emerging tools for code generation from UPPAAL models, this effort enables model driven design and certification of software for medical devices.
Article
Full-text available
This paper presents our effort of using model-driven engineering to establish a safety-assured implementation of Patient-Controlled Analgesic (PCA) infusion pump software based on the generic PCA reference model provided by the U.S. Food and Drug Administration (FDA). The reference model was first translated into a network of timed automata using the UPPAAL tool. Its safety properties were then assured according to the set of generic safety requirements also provided by the FDA. Once the safety of the reference model was established, we applied the TIMES tool to automatically generate platform-independent code as its preliminary implementation. The code was then equipped with auxiliary facilities to interface with pump hardware and deployed onto a real PCA pump. Experiments show that the code worked correctly and effectively with the real pump. To assure that the code does not introduce any violation of the safety requirements, we also developed a testbed to check the consistency between the reference model and the code through conformance testing. Challenges encountered and lessons learned during our work are also discussed in this paper.
Conference Paper
Full-text available
The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safety-critical nature and the lack of existing industry standards for verification make this an ideal domain for exploring applications of formal modeling and analysis. In this study, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We begin with detailed models of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. We then define the state space of the closed-loop system based on its heart rate and develop a heart model which can non-deterministically cover the whole state space. For verification, we first specify unsafe regions within the state space and verify the closed-loop system against the corresponding safety requirements. As stronger assertions are attempted, the closed-loop unsafe state may result from healthy open-loop heart conditions. Such unsafe transitions are investigated with two clinical cases of Pacemaker Mediated Tachycardia and their corresponding correction algorithms in the pacemaker. Along with emerging tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.
Article
Full-text available
In modern hospitals, patients are treated using a wide array of medical devices that are increasingly interacting with each other over the network, thus offering a perfect example of a cyber-physical system. We study the safety of a medical device system for the physiologic closed-loop control of drug infusion. The main contribution of the paper is the verification approach for the safety properties of closed-loop medical device systems. We demonstrate, using a case study, that the approach can be applied to a system of clinical importance. Our method combines simulation-based analysis of a detailed model of the system that contains continuous patient dynamics with model checking of a more abstract timed automata model. We show that the relationship between the two models preserves the crucial aspect of the timing behavior that ensures the conservativeness of the safety analysis. We also describe system design that can provide open-loop safety under network failure.
Article
Full-text available
Model-Driven Design (MDD) of cyber-physical systems advocates for design procedures that start with formal modeling of the real-time system, followed by the model's verification at an early stage. The verified model must then be translated to a more detailed model for simulation-based testing and finally translated into executable code in a physical implementation. As later stages build on the same core model, it is essential that models used earlier in the pipeline are valid approximations of the more detailed models developed downstream. The focus of this effort is on the design and development of a model translation tool, UPP2SF, and how it integrates system modeling, verification, model-based WCET analysis, simulation, code generation and testing into an MDD-based framework. UPP2SF facilitates automatic conversion of verified timed automata-based models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the design rules that ensure the conversion is correct, efficient and applicable to a large class of models. We show how the tool enables MDD of an implantable cardiac pacemaker. We demonstrate that UPP2SF preserves behaviors of the pacemaker model from UPPAAL to Stateflow. The resulting Stateflow chart is automatically converted into C and tested on a hardware platform against a set of requirements.
Article
Full-text available
The design of bug-free and safe medical device software is challenging, especially in complex implantable devices that control and actuate organs in unanticipated contexts. Safety recalls of pacemakers and implantable cardioverter defibrillators between 1990 and 2000 affected over 600,000 devices. Of these, 200,000 or 41% were due to firmware issues, and their effect continues to increase in frequency. There is currently no formal methodology or open experimental platform to test and verify the correct operation of medical device software within the closed-loop context of the patient. To this effect, a real-time virtual heart model (VHM) has been developed to model the electrophysiological operation of the functioning and malfunctioning (i.e., during arrhythmia) heart. By extracting the timing properties of the heart and pacemaker device, we present a methodology to construct a timed-automata model for functional and formal testing and verification of the closed-loop system. The VHM's capability of generating clinically relevant responses has been validated for a variety of common arrhythmias. Based on a set of requirements, we describe a closed-loop testing environment that allows for interactive and physiologically relevant model-based test generation for basic pacemaker device operations such as maintaining the heart rate and atrial-ventricular synchrony, and complex conditions such as pacemaker-mediated tachycardia. This system is a step toward a testing and verification approach for medical cyber-physical systems with the patient in the loop.
Conference Paper
Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus unsuitable for analysis of real-time systems whose correctness depends on the relative magnitudes of different delays. Consequently, timed automata [7] were introduced as a formal notation to model the behavior of real-time systems. Their definition provides a simple way to annotate state-transition graphs with timing constraints using finitely many real-valued clock variables. Automated analysis of timed automata relies on the construction of a finite quotient of the infinite space of clock valuations. Over the years, the formalism has been extensively studied, leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theory of timed automata and their role in the specification and verification of real-time systems.
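The abstracts above describe the pipeline in words: a pacemaker is modeled as a network of timed automata (locations, clock variables, guards, resets and invariants), composed with a non-deterministic heart model and a monitor automaton, and model-checked for timing requirements before translation and code generation. The following is an added example, not code from the UPP2SF paper or from any of the cited projects. It implements a small discrete-time timed-automata interpreter in Python and uses it to check a single-chamber VVI pacemaker model, a heart model that may beat at any time after a minimum interval, and a monitor that measures the gap between ventricular events. The models, the channel names (VS, VP), the broadcast synchronisation semantics and the parameter values (LRI = 50, VRP = 15, URI = 25, MIN_RR = 10 ticks, with 1 tick assumed to be 20 ms) are all constructed for illustration and are not the values or models of the papers. Because every guard and invariant is non-strict, integer-step exploration is sound for reachability, and clocks are capped one above the largest constant they are compared with so that the state space stays finite.

```python
"""Added example, not the paper's UPP2SF code: a discrete-time timed-automata
interpreter that composes a VVI pacemaker, a non-deterministic heart and a
monitor, then explores every reachable state to check two timing requirements.
Models and parameters are constructed for illustration (1 tick assumed = 20 ms)."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    guard: Callable = lambda c: True
    resets: Tuple[str, ...] = ()
    sync: Optional[str] = None  # "VS!" emits on channel VS, "VS?" receives, None = internal


@dataclass
class Automaton:
    name: str
    init: str
    caps: Dict[str, int]           # clock -> (largest constant it is compared with) + 1
    invariant: Dict[str, Callable]  # location -> invariant; absent means True
    edges: Tuple[Edge, ...]


def _inv_ok(aut, loc, clocks):
    return aut.invariant.get(loc, lambda c: True)(clocks)


def _fire(edge, clocks):
    return edge.dst, {c: (0 if c in edge.resets else v) for c, v in clocks.items()}


def _pack(confs):
    return tuple((loc, tuple(clocks.values())) for loc, clocks in confs)


def successors(system, state):
    """Yield (label, next_state) for a one-tick delay and every discrete step.
    Channels are broadcast: each receiver whose '?' edge is enabled joins the
    sender; a receiver with no enabled '?' edge simply ignores the event."""
    confs = [(loc, dict(zip(aut.caps, vals))) for aut, (loc, vals) in zip(system, state)]
    delayed = []
    for aut, (loc, clocks) in zip(system, confs):
        nxt = {c: min(v + 1, aut.caps[c]) for c, v in clocks.items()}  # clock abstraction
        if not _inv_ok(aut, loc, nxt):
            break                                  # an invariant forbids letting time pass
        delayed.append((loc, nxt))
    else:
        yield "tick", _pack(delayed)
    for i, (aut, (loc, clocks)) in enumerate(zip(system, confs)):
        for e in aut.edges:
            if e.src != loc or not e.guard(clocks) or (e.sync or "").endswith("?"):
                continue
            new = list(confs)
            new[i] = _fire(e, clocks)
            for j, (raut, (rloc, rclocks)) in enumerate(zip(system, confs)):
                if e.sync and j != i:
                    for r in raut.edges:  # first enabled receiver edge (receiver guards below are disjoint)
                        if r.src == rloc and r.sync == e.sync[:-1] + "?" and r.guard(rclocks):
                            new[j] = _fire(r, rclocks)
                            break
            if all(_inv_ok(a, l, c) for a, (l, c) in zip(system, new)):
                yield e.sync or f"{aut.name}:{e.src}->{e.dst}", _pack(new)


def explore(system, bad):
    """Breadth-first search of reachable global states; returns the shortest
    transition sequence that reaches a state satisfying bad(), or None."""
    init = tuple((aut.init, tuple(0 for _ in aut.caps)) for aut in system)
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if bad(s):
            labels = []
            while parent[s] is not None:
                label, s = parent[s]
                labels.append(label)
            return labels[::-1]
        for label, n in successors(system, s):
            if n not in parent:
                parent[n] = (label, s)
                queue.append(n)
    return None


def vvi_system(lri, vrp, uri, min_rr):
    """VVI pacemaker: pace (VP) if no sense (VS) arrives within LRI; senses in the
    refractory period VRP are ignored.  The heart may beat whenever MIN_RR has
    elapsed since its last beat.  The monitor's clock g measures the time since
    the last ventricular event and flags a pace that lands closer than URI."""
    pacemaker = Automaton("PM", "Wait", {"t": lri + 1},
        {"Wait": lambda c: c["t"] <= lri, "Refr": lambda c: c["t"] <= vrp},
        (Edge("Wait", "Refr", sync="VS?", resets=("t",)),
         Edge("Wait", "Refr", guard=lambda c: c["t"] >= lri, sync="VP!", resets=("t",)),
         Edge("Refr", "Wait", guard=lambda c: c["t"] >= vrp)))  # no VS? edge: senses ignored
    heart = Automaton("Heart", "Idle", {"h": min_rr + 1}, {},
        (Edge("Idle", "Idle", guard=lambda c: c["h"] >= min_rr, sync="VS!", resets=("h",)),
         Edge("Idle", "Idle", sync="VP?", resets=("h",))))
    monitor = Automaton("Mon", "Ok", {"g": lri + 2}, {},
        (Edge("Ok", "Ok", sync="VS?", resets=("g",)),
         Edge("Ok", "Ok", guard=lambda c: c["g"] >= uri, sync="VP?", resets=("g",)),
         Edge("Ok", "Bad", guard=lambda c: c["g"] < uri, sync="VP?")))
    return (pacemaker, heart, monitor)


def check_vvi(lri=50, vrp=15, uri=25, min_rr=10):
    """None if (1) no gap between ventricular events exceeds LRI and (2) no pace
    lands within URI of the previous ventricular event; else a counterexample."""
    def bad(state):
        mon_loc, (g,) = state[2]
        return mon_loc == "Bad" or g > lri
    return explore(vvi_system(lri, vrp, uri, min_rr), bad)
```

With the nominal parameters `check_vvi()` returns `None`: the invariant on the Wait location forces a pace exactly at LRI, so no ventricular gap can exceed it, and the longest a sense can be hidden in the refractory period is VRP, so a pace never lands closer than LRI − VRP to the previous beat. Reprogramming the refractory period to 40 ticks (`check_vvi(vrp=40)`) makes LRI − VRP smaller than URI, and the search returns a trace in which an intrinsic beat is ignored late in the refractory period and the pacemaker then paces on top of it; the trace ends with `VP!` and the monitor in `Bad`. This is the kind of timing defect the abstracts above target by verifying the timed-automata model before translation, and the monitor automaton is the same device that the Boston Scientific pacemaker study describes for catching undesirable closed-loop patterns.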