Brian R. Larson
Kansas State University
Publications
Featured research published by Brian R. Larson.
nasa formal methods symposium | 2013
Brian R. Larson; Patrice Chalin; John Hatcliff
Recent experience in the avionics sector has demonstrated the benefits of using rigorous system architectural models, such as those supported by the standard Architecture Analysis & Design Language (AADL), to ensure that multi-organization composition and integration tasks are successful. Despite its ability to capture interface signatures and system properties, such as scheduling periods and communication latencies, as model attributes, AADL lacks a formal interface specification language, a formal semantics for component behavioral descriptions, and tools for reasoning about the compliance of behaviors to interface contracts. In this paper, we introduce the Behavioral Language for Embedded Systems with Software (BLESS), a behavioral interface specification language and proof environment for AADL. BLESS enables engineers to specify contracts on AADL components that capture both functional and timing properties. BLESS provides a formal semantics for AADL behavioral descriptions and automatic generation of verification conditions that, when proven by the BLESS proof tool, establish that behavioral descriptions conform to AADL contracts. We report on the application of BLESS to a collection of embedded system examples, including definition of multiple modes of a pacemaker.
software engineering in health care | 2012
Brian R. Larson; John Hatcliff; Sam Procter; Patrice Chalin
Existing regulatory agency guidance documents and process standards for medical devices (e.g., IEC 62304) generally consider medical devices to be stand-alone monolithic systems. The format and content of a system requirements document largely follows that of conventional embedded safety-critical systems. However, a vision is emerging of a new paradigm of medical system based on the notion of a medical application platform (MAP). A MAP is a safety- and security-critical real-time computing platform for (a) integrating heterogeneous devices, medical IT systems, and information displays via a communication infrastructure and (b) hosting application programs (apps) that provide medical utility through the ability to both acquire information from and update/control integrated devices, IT systems, and displays. To ensure a regulatory pathway for MAPs, it is necessary to adapt traditional development processes and artifacts to the specific characteristics of MAP architectures and their constituent components. In this paper, we provide an initial proposal for developing and formatting requirements for MAP apps. For illustration, we consider an app that implements two "smart alarms" for pulse oximetry monitoring in a clinical context.
software engineering in health care | 2013
Brian R. Larson; John Hatcliff; Patrice Chalin
The dynamic nature of the medical domain is driving a need for continuous innovation and improvement in techniques for developing and assuring medical devices. Unfortunately, research in academia and communication between academics, industrial engineers, and regulatory authorities is hampered by the lack of realistic non-proprietary development artifacts for medical devices. In this paper, we give an overview of a detailed requirements document for a Patient-Controlled Analgesic (PCA) pump developed under the US NSF's Food and Drug Administration (FDA) Scholar-in-Residence (SIR) program. This 60+ page document follows the methodology outlined in the US Federal Aviation Administration's (FAA) Requirements Engineering Management Handbook (REMH) and includes a domain overview, use cases, statements of safety and security requirements, and a formal top-level system architectural description. Based on previous experience with the release of a requirements document for a cardiac pacemaker that spawned a number of research and pedagogical activities, we believe that the described PCA requirements document can be an important research enabler within the formal methods and software engineering communities.
Science in China Series F: Information Sciences | 2015
Ehsan Ahmad; Yunwei Dong; Brian R. Larson; Jidong Lü; Tao Tang; Naijun Zhan
Train control systems, like most digital controllers, are by definition hybrid systems, since they interact with or try to control some aspects of the physical world. Detailed behavior modeling with constraint specification and formal verification, required for reliability prediction, is a great challenge for hybrid system designers. Train control systems further intensify this challenge through extensive interaction between computing units and their physical environment and their mutual dependence on each other. In this paper, we investigate behavior modeling and formal verification of Chinese Train Control System Level 3 (CTCS-3) using the Architecture Analysis & Design Language (AADL) to cope with this challenge. AADL is an architecture description language for embedded systems based on the model-based engineering paradigm. Along with structural modeling of embedded systems using the core language constructs, AADL also provides support for language extension through annex sublanguages. In the system requirements specification document, the behavior of CTCS-3 is specified as a set of basic operation scenarios that cooperate with each other to achieve safe and secure operation of trains. The Movement Authority (MA) scenario, explored in this paper, is considered the most basic and crucial scenario for preventing trains from colliding with each other. The detailed discrete behavior of the control system is modeled and verified using the Behavior Language for Embedded Systems with Software (BLESS) annex sublanguage of AADL, and the continuous behavior of the train with the cyber-physical interaction (communication between train and control system) is modeled using the Hybrid annex sublanguage. The behavior of the MA scenario at the system level is verified using the Hybrid Hoare Logic theorem prover. Behavior constraints are specified as assertions using first-order logic formulas augmented with a simple temporal operator.
Chinese abstract (translated): Train control systems, like most digital control systems, must interact with or control physical components and are therefore hybrid systems. Modeling and verifying the behavior of hybrid systems so that it is reliable and predictable is a challenge for hybrid system designers. In a train control system the computing units and the physical environment depend on and influence each other, making it a complex hybrid system and increasing the difficulty of modeling and verification. This paper considers how to model and verify the Chinese high-speed railway Level 3 control system (CTCS-3) using AADL. AADL is a model-based architecture description language for embedded systems; it provides structured modeling mechanisms and supports extension of the language itself through annex sublanguages. In the system-level specification document of CTCS-3, the system comprises 14 basic scenarios; at any moment the train's function and safety are controlled jointly by the interaction of some of these basic scenarios. The Movement Authority scenario considered in this paper is the most important of them, as it guarantees that trains do not collide. We use the BLESS annex of AADL to describe and verify the discrete behavior of the Movement Authority scenario, the Hybrid annex to describe and verify its continuous behavior, and Hybrid Hoare Logic with its theorem prover to verify the overall properties of the scenario.
IEEE Design & Test of Computers | 2015
Brian R. Larson; Yi Zhang; Stephen C. Barrett; John Hatcliff; Paul L. Jones
The safe compositionality and integration of heterogeneous components represents a major challenge in medical cyber-physical systems. The paradigm of medical application platforms allows the virtual integration of heterogeneous devices with various communication infrastructures, but does not fully address the safety properties of the overall system. This paper presents a medical device virtual integration framework for composing medical devices and control applications into an interoperable system without violating the safety properties.
ACM Sigada Ada Letters | 2014
Ehsan Ahmad; Brian R. Larson; Stephen C. Barrett; Naijun Zhan; Yunwei Dong
Correct design and system-level dependability prediction of highly integrated systems demand the collocation of requirements and architectural artifacts within an integrated development environment. Hybrid systems, having dependencies and extensive interactions between their control portion and their environment, further intensify this need. AADL is a model-based engineering language for the architectural design and analysis of embedded control systems. Core AADL has been extended with a mechanism for discrete behavioral modeling and analysis of control systems, but not for the continuous behavior of the physical environment. In this paper, we introduce a lightweight language extension to AADL called the Hybrid Annex for continuous-time modeling, fulfilling the need for integrated modeling of the computing system along with its physical environment in their respective domains. The Isolette system described in the FAA Requirements Engineering Management Handbook is used to illustrate continuous behavior modeling with the proposed Hybrid Annex.
international conference on computer safety, reliability, and security | 2018
Yi Zhang; Brian R. Larson; John Hatcliff
Modern medical systems are increasingly developed by composing a variety of interoperable elements such as medical devices, services, and platform infrastructures. In many scenarios, multi-vendor consortia are organized to support the development and deployment of interoperable medical systems, in which safety-critical element implementations, risk management results, and safety assurance are reused across organizational boundaries. This reality calls for an assurance case approach that supports interfacing, refinement, and composition of distributed, component-level claims and evidence to construct system-level assurance argumentation. We present a collection of objectives and top-level safety claims towards the development of such an approach for interoperable systems built using medical application platforms.
Biomedical Instrumentation & Technology | 2017
Brian R. Larson; Paul L. Jones; Yi Zhang; John Hatcliff
The complexity of medical devices and the processes by which they are developed pose considerable challenges to producing safe designs and regulatory submissions that are amenable to effective reviews. Designing an appropriate and clearly documented architecture can be an important step in addressing this complexity. Best practices in medical device design embrace the notion of a safety architecture organized around distinct operation and safety requirements. By explicitly separating many safety-related monitoring and mitigation functions from operational functionality, the aspects of a device most critical to safety can be localized into a smaller and simpler safety subsystem, thereby enabling easier verification and more effective reviews of claims that causes of hazardous situations are detected and handled properly. This article defines medical device safety architecture, describes its purpose and philosophy, and provides an example. Although many of the presented concepts may be familiar to those with experience in realization of safety-critical systems, this article aims to distill the essence of the approach and provide practical guidance that can potentially improve the quality of device designs and regulatory submissions.
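The separation the article describes, an operational subsystem that does the work and a smaller, independent safety subsystem that only observes, detects hazardous situations and forces mitigation, can be sketched in code. The following is an added illustration written for this page, not code from the article or from any of the authors' projects; the device (a patient-controlled analgesic pump), the hazard limits, the controller defect and the sample event stream are all hypothetical and chosen only to show the pattern.

```python
"""Added example (not from the article): a safety-architecture sketch for a
hypothetical PCA pump. The operational controller and the safety monitor are
separate components; the monitor never reads the controller's internals, only
its output (the commanded rate) and the sensed patient state."""
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Deque, List, Optional, Set, Tuple


class Mitigation(Enum):
    NONE = "none"
    STOP_PUMP = "stop pump and alarm"


@dataclass(frozen=True)
class SafetyLimits:          # hypothetical limits, not clinical guidance
    max_rate_ml_per_h: float     # hard ceiling on instantaneous infusion rate
    max_dose_ml_per_hour: float  # ceiling on volume delivered in any 60 min window
    min_spo2_pct: int            # SpO2 floor; below it, stop and alarm


@dataclass(frozen=True)
class Sample:
    t_min: int           # minutes since start
    spo2_pct: int        # sensed pulse oximetry value
    bolus_request: bool  # patient pressed the demand button this minute


class OperationalController:
    """Operational subsystem. Intentionally naive (hypothetical defect): it honors
    every bolus request with no lockout interval, so repeated presses stack. The
    safety subsystem must catch the resulting overdose regardless of its cause."""

    def __init__(self, basal_ml_per_h: float, bolus_ml: float):
        self.basal = basal_ml_per_h
        self.bolus_ml = bolus_ml

    def commanded_rate(self, s: Sample) -> float:
        # A bolus is modelled as its whole volume delivered within one minute.
        extra = self.bolus_ml * 60.0 if s.bolus_request else 0.0
        return self.basal + extra


class SafetyMonitor:
    """Safety subsystem: checks each hazard independently and latches STOP_PUMP
    until an (unmodelled) clinician reset. Its logic is small enough to review."""

    def __init__(self, limits: SafetyLimits):
        self.limits = limits
        self.window: Deque[Tuple[int, float]] = deque()  # (minute, ml delivered)
        self.latched = False
        self.reason: Optional[str] = None

    def _stop(self, reason: str) -> Mitigation:
        self.latched, self.reason = True, reason
        return Mitigation.STOP_PUMP

    def check(self, s: Sample, commanded_rate_ml_per_h: float) -> Mitigation:
        if self.latched:
            return Mitigation.STOP_PUMP
        if s.spo2_pct < self.limits.min_spo2_pct:
            return self._stop("spo2_floor")
        if commanded_rate_ml_per_h > self.limits.max_rate_ml_per_h:
            return self._stop("rate_ceiling")
        # Drop deliveries older than the rolling 60-minute window.
        while self.window and self.window[0][0] <= s.t_min - 60:
            self.window.popleft()
        would_deliver = commanded_rate_ml_per_h / 60.0
        if sum(ml for _, ml in self.window) + would_deliver > self.limits.max_dose_ml_per_hour:
            return self._stop("hourly_dose")
        self.window.append((s.t_min, would_deliver))
        return Mitigation.NONE


def run_device(samples: List[Sample], controller: OperationalController,
               monitor: SafetyMonitor) -> List[Tuple[int, float, Mitigation]]:
    """Composition: the controller proposes, the monitor may veto. The actuator
    only ever sees the post-veto rate."""
    log = []
    for s in samples:
        proposed = controller.commanded_rate(s)
        m = monitor.check(s, proposed)
        actual = 0.0 if m is Mitigation.STOP_PUMP else proposed
        log.append((s.t_min, actual, m))
    return log


def first_stop_minute(log: List[Tuple[int, float, Mitigation]]) -> Optional[int]:
    return next((t for t, _, m in log if m is Mitigation.STOP_PUMP), None)


def constructed_samples(bolus_minutes: Set[int], low_spo2_from: Optional[int] = None) -> List[Sample]:
    """Constructed one-hour event stream: SpO2 97%, dropping to 85% from a given minute."""
    return [Sample(t, 85 if low_spo2_from is not None and t >= low_spo2_from else 97,
                   t in bolus_minutes) for t in range(60)]


if __name__ == "__main__":
    limits = SafetyLimits(max_rate_ml_per_h=120.0, max_dose_ml_per_hour=6.5, min_spo2_pct=90)
    ctrl = OperationalController(basal_ml_per_h=2.0, bolus_ml=1.0)
    log = run_device(constructed_samples({5, 10, 15, 20, 25, 30}), ctrl, SafetyMonitor(limits))
    print("stacked boluses stopped at minute", first_stop_minute(log))
```

The point of the pattern is visible in the shape of the code: the monitor's hazard checks depend only on the commanded output and the sensed state, so a defect in the controller (here, the missing bolus lockout) is caught without the monitor knowing anything about how the controller works, and the review of "is every hazardous situation detected and handled" is confined to the few lines of `SafetyMonitor.check`.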
Archive | 2018
John Hatcliff; Brian R. Larson; Jason Belt; Robby; Yi Zhang
Developing and assuring safety- and security-critical real-time embedded systems is a challenging endeavor that requires many activities applied at multiple levels of abstraction. For these activities to be effective and trustworthy, they must be grounded in a common understanding of the system architecture and behavior.
ACM Sigada Ada Letters | 2014
Robert Bocchino; Nicholas Matsakis; S. Tucker Taft; Brian R. Larson; Ed Seidewitz
This panel brings together designers of traditional programming languages and designers of behavioral specification languages for modeling systems, in each case with a concern for the challenges of multicore programming. Furthermore, several of these efforts have attempted to provide data-race-free programming models, so that multicore programmers need not face the added burden of trying to debug race conditions on top of the existing challenges of building reliable systems.