Malte Schmitz

Three-valued asynchronous distributed runtime verification

This paper studies runtime verification of distributed asynchronous systems and presents a monitor generation procedure for this purpose, which allows three-valued monitoring. The properties used in the monitors are specified in a logic that was newly created for this purpose and is called Distributed Temporal Logic (DTL). DTL combines the three-valued Linear Temporal Logic (LTL3) with the past-time Distributed Temporal Logic (ptDTL), which allows to mark subformulas for remote evaluation. The monitor generation presented in this paper is based on an adopted version of the LTL3 monitor generation, which integrates the ptDTL monitor construction. The aim of this new procedure is to increase the amount of monitorable properties compared to the properties monitorable with ptDTL. Runtime verification using this new monitoring has been implemented on LEGO Mindstorms NXT robots communicating via Bluetooth.

Runtime Monitoring with Union-Find Structures

This paper is concerned with runtime verification of object-oriented software system. We propose a novel algorithm for monitoring the individual behaviour and interaction of an unbounded number of runtime objects. This allows for evaluating complex correctness properties that take runtime data in terms of object identities into account. In particular, the underlying formal model can express hierarchical interdependencies of individual objects. Currently, the most efficient monitoring approaches for such properties are based on lookup tables. In contrast, the proposed algorithm uses union-find data structures to manage individual instances and thereby accomplishes a significant performance improvement. The time complexity bounds of the very efficient operations on union-find structures transfer to our monitoring algorithm: the execution time of a single monitoring step is guaranteed logarithmic in the number of observed objects. The amortised time is bound by an inverse of Ackermanns function. We have implemented the algorithm in our monitoring tool Mufin. Benchmarks show that the targeted class of properties can be monitored extremely efficient and runtime overhead is reduced substantially compared to other tools.

Runtime Verification for Interconnected Medical Devices

In this tool paper we present a software development kit (SDK) for the Open Surgical Communication Protocol (OSCP) that supports the development of interconnected medical devices according to the recent IEEE 11073 standards for interoperable medical device communication. Building on service-oriented architecture (SOA), dynamically interconnected medical devices publish their connectivity interface, via which these systems provide data and can be controlled. To achieve the safety requirements necessary for medical devices, our tool, the OSCP Device Modeler, allows the specification of temporal assertions for the respective data streams of the systems and generates automatically corresponding monitors that may be used during testing, but also during the application in field to ensure adherence to the interface specification. A further tool, the OSCP Swiss Army Knife, allows subscribing to the services provided via the interfaces of the system under development and thereby supports its debugging. The whole OSCP SDK makes heavy use of runtime verification techniques and shows their advantages in this application area.

Rapidly Adjustable Non-Intrusive Online Monitoring for Multi-core Systems

This paper presents an approach for rapidly adjustable embedded trace online monitoring of multi-core systems, called RETOM. Today, most commercial multi-core SoCs provide accurate runtime information through an embedded trace unit without affecting program execution. Available debugging solutions can use it to reconstruct the run offline, but usually for up to a few seconds only. RETOM employs a novel online reconstruction technique that makes the program run available outside the SoC and allows for evaluating a specification formulated in the stream-based specification language TeSSLa in real time. The necessary computing performance is provided by an FPGA-based event processing system. In contrast to other hardware-based runtime verification techniques, changing the specification requires no circuit synthesis and thus seconds rather than minutes or hours. Therefore, iterated testing and property adjustment during development and debugging becomes feasible while preserving the option of arbitrarily extending observation time, which may be necessary to detect rarely occurring errors. Experiments show the feasibility of the approach.

TeSSLa: runtime verification of non-synchronized real-time streams

We present TeSSLa, a specification language based on stream run-time verification, designed for monitoring a specific class of real-time signals. Our monitors can observe concurrent systems with a shared clock, but where each component reports observations as signals that arrive to the monitor at different speeds and with different and varying latencies. The signals and streams that TeSSLa supports (including inputs and final verdicts) are not restricted to be Booleans but can be data from richer domains, including integers and reals with arithmetic operations and aggregations. Consequently, TeSSLa can be used both for checking logical properties, and for computing statistics and general numeric temporal metrics (and properties on these richer metrics). We present an online evaluation algorithm for TeSSLa specifications and show a formal proof of the correctness of concurrent implementations of the evaluation algorithm. Finally, we report an empirical evaluation of a highly concurrent Erlang implementation of the monitoring algorithm.

From SOMDA to application – integration strategies in the OR.NET demonstration sites

Abstract The effective development and dissemination of the open integration for the next generation of operating rooms require a comprehensive testing environment. In this paper, we present the various challenges to be addressed in demonstration applications, and we discuss the implementation approach, the foci of the demonstration sites and the evaluation efforts. Overall, the demonstrator setups have proven the feasibility of the service-oriented medical device architecture (SOMDA) and real-time approaches with a large variety of example applications. The applications demonstrate the potentials of open device interoperability. The demonstrator implementations were technically evaluated as well as discussed with many clinicians from various disciplines. However, the evaluation is still an ongoing research at the demonstration sites. Technical evaluation focused on the properties of a network of medical devices, latencies in data transmission and stability. A careful evaluation of the SOMDA design decisions and implementations are essential to a safe and reliable interoperability of integrated medical devices and information technology (IT) system in the especially critical working environment. The clinical evaluation addressed the demands of future users and stakeholders, especially surgeons, anesthesiologists, scrub nurses and hospital operators. The opinions were carefully collected to gain further insights into the potential benefits of the technology and pitfalls in future work.

Extended device profiles and testing procedures for the approval process of integrated medical devices using the IEEE 11073 communication standard

Abstract Nowadays, only closed and proprietary integrated operating room systems (IORS) from big manufacturers are available on the market. Hence, the interconnection of components from third-party vendors is only possible with increased time and costs. In the context of the German Federal Ministry of Education and Research (BMBF)-funded project OR.NET (2012–2016), the open integration of medical devices from different manufacturers was addressed. An integrated operating theater based on the open communication standard IEEE 11073 shall give clinical operators the opportunity to choose medical devices independently of the manufacturer. This approach would be advantageous especially for hospital operators and small- and medium-sized enterprises (SME) of medical devices. Actual standards and concepts regarding technical feasibility and the approval process do not cope with the requirements for a modular integration of medical devices in the operating room (OR), based on an open communication standard. Therefore, innovative approval strategies and corresponding certification and test procedures, which cover actual legal and normative standards, have to be developed in order to support the future risk management and the usability engineering process of open integrated medical devices in the OR. The use of standardized device and service profiles and a three-step testing procedure, including conformity, interoperability and integration tests are described in this paper and shall support the manufacturers to integrate their medical devices without disclosing the medical devices’ risk analysis and related confidential expertise or proprietary information.

Integration of Runtime Verification into Metamodeling for Simulation and Code Generation (Position Paper)

Runtime verification is an approach growing in popularity to verify the correctness of complex and distributed systems by monitoring their executions. Domain Specific Modeling Languages are a technique used for specifying such systems in an abstract way, but still close to the solution domain. This paper aims at integrating runtime verification and domain specific modeling into the development process of complex systems. Such integration is achieved by linking the elements of the system model with the atomic propositions of the temporal correctness properties used to specify monitors. We provide a unified approach used for both the code generation and the simulation of the system through instance model transformations. This unification allows to check correctness properties on different abstraction levels of the modeled system.

Dynamic remote control through service orchestration of point-of-care and surgical devices based on IEEE 11073 SDC

Nowadays, the staff of modern operation rooms (ORs) and intensive care units (ICUs) has to handle increasingly complex medical devices and their user interfaces. Inconsistent and often non-sterile user interfaces lead to error-prone and slow reconfiguring actions which in the end may even harm the patient. To overcome these issues interconnected medical devices are necessary. We introduce a new concept for flexible and easy-to-use remote controls which allow to control a range of different devices from different manufacturers. Current solutions are vendor-, and mostly even device-specific and tightly coupled. The effort for manufacturers is high and the maintainability is bad. Thus, controls that can be assigned dynamically to different medical devices are rare or mostly not available. Yet such dynamic controls are badly needed to improve clinical workflows especially in ORs and ICUs. We establish such a remote control setup using the service-oriented architecture defined in the IEEE 11073 SDC standards family. The presented concept is based on dynamic service orchestration to overcome existing problems: The control device and the controlled medical device are published as independent services in the network and an additional composed service interconnects them. We successfully implemented this concept for dynamically assignable controls in a real-world demonstrator with several medical devices from more than five different manufacturers. Performance evaluations show its practicability.