Publication


Featured research published by Mu Sun.


embedded software | 2009

Handling mixed-criticality in SoC-based real-time embedded systems

Rodolfo Pellizzoni; Patrick O'Neil Meredith; Min-Young Nam; Mu Sun; Marco Caccamo; Lui Sha

System-on-Chip (SoC) is a promising paradigm to implement safety-critical embedded systems, but it poses significant challenges from a design and verification point of view. In particular, in a mixed-criticality system, low criticality applications must be prevented from interfering with high criticality ones. In this paper, we introduce a new design methodology for SoC that provides strong isolation guarantees to applications with different criticalities. A set of certificates describing the assumed application behavior is extracted from a functional Architectural Analysis and Design Language (AADL) specification. Our tools then automatically generate hardware wrappers that enforce at run-time the behavior described by the certificates. In particular, we employ run-time monitoring to formally check all data communication in the system, and we enforce timing reservations for both computation and communication resources. Verification is greatly simplified because certificates are much simpler than the components used to implement low-criticality applications. The effectiveness of our methodology is proven on a case study consisting of a medical pacemaker.


international conference on cyber-physical systems | 2010

A framework for the safe interoperability of medical devices in the presence of network failures

Cheolgi Kim; Mu Sun; Sibin Mohan; Heechul Yun; Lui Sha; Tarek F. Abdelzaher

There is a growing need for automated interoperability among medical devices in modern healthcare systems. This requirement is not just a matter of convenience; it exists to prevent errors that arise from the complexity of the interactions between the devices and human operators. A system supporting such interoperability must provide the means to interconnect distributed medical devices in an open space, and so must be designed to account for network failures. In this paper, we introduce a generic framework, the Network-Aware Supervisory System (NASS), for integrating medical devices into such a clinical interoperability system over real networks. It provides a development environment in which medical-device supervisory logic can be developed under the assumption of an ideal, robust network. A case study shows that the NASS framework provides the same procedural effectiveness as the original logic based on the ideal network model, but with protection against real-world network failures.


real time technology and applications symposium | 2009

The System-Level Simplex Architecture for Improved Real-Time Embedded System Safety

Stanley Bak; Deepti K. Chivukula; Olugbemiga Adekunle; Mu Sun; Marco Caccamo; Lui Sha

Embedded systems in safety-critical environments demand safety guarantees while providing many useful services that are too complex to formally verify or fully test. Existing application-level fault-tolerance methods, even if formally verified, leave the system vulnerable to errors in the real-time operating system (RTOS), middleware, and microprocessor. We introduce the System-Level Simplex Architecture, which uses hardware/software co-design to provide fail-operational guarantees both for logical application-level faults and for faults in layers the application previously depended on, including the RTOS and microprocessor. We also provide an end-to-end design process for the System-Level Simplex Architecture in which the AADL architecture description is automatically constructed and checked and the VHDL hardware code is generated. To show the efficacy of System-Level Simplex design, we apply the approach to both a classic inverted pendulum and a cardiac pacemaker. We perform fault-injection tests on the inverted pendulum design which demonstrate robustness in spite of software controller and operating system faults. For the pacemaker, we contrast the provided safety guarantees with those of a previous-generation pacemaker.


workshop on rewriting logic and its applications | 2010

A formal pattern architecture for safe medical systems

Mu Sun; José Meseguer; Lui Sha

Design patterns have demonstrated major practical uses for cost savings and modular design in software engineering. For safety-critical systems, however, such patterns should also provide formal guarantees that critical safety properties are met. We leverage the power of rewriting logic and parameterization available in Real-Time Maude to add a formal basis for analysis of a novel safety pattern for medical devices. We demonstrate practicality and applicability of our pattern by instantiating it to a pacemaker specification, and we validate our pattern by verifying the safety invariant in the pacemaker instantiation.


arXiv: Logic in Computer Science | 2010

Distributed Real-Time Emulation of Formally-Defined Patterns for Safe Medical Device Control

Mu Sun; José Meseguer

Safety of medical devices and of their interoperation is an unresolved issue causing severe and sometimes deadly accidents for patients with shocking frequency. Formal methods, particularly in support of highly reusable and provably safe patterns which can be instantiated to many device instances can help in this regard. However, this still leaves open the issue of how to pass from their formal specifications in logical time to executable emulations that can interoperate in physical time with other devices and with simulations of patient and/or doctor behaviors. This work presents a specification-based methodology in which virtual emulation environments can be easily developed from formal specifications in Real-Time Maude, and can support interactions with other real devices and with simulation models. This general methodology is explained in detail and is illustrated with two concrete scenarios which are both instances of a common safe formal pattern: one scenario involves the interaction of a provably safe pacemaker with a simulated heart; the other involves the interaction of a safe controller for patient-induced analgesia with a real syringe pump.


sensor mesh and ad hoc communications and networks | 2012

How to reliably integrate medical devices over wireless

Cheolgi Kim; Mu Sun; Maryam Rahmaniheris; Lui Sha

This demonstration presents our NASS (Network-Aware Supervisory System) framework prototype for medical device integration systems. The NASS framework interconnects medical devices over wireless links for convenience, seamlessness and sanitation, and provides safety-guaranteed supervision. Our prototype was developed in the Sun Java Real-time Environment. Real-time Java makes it convenient to dynamically load and unload medical application logic and safety rules on the fly in a real-time environment. To tackle the complexity of using real-time Java in a safety-critical system, we also applied a HW/SW co-design method, since a real-time Java environment on a Linux operating system may not be robust enough for medical devices to rely on fully. In our prototype, the supervisor software in Java performs all logical decisions, including contingency plan generation derived from the safety rules. Once the logic is decided, the decisions and plans for the devices are delivered to hardware implemented in an FPGA at each device, which physically drives the medical equipment. Since the execution of decisions and plans is delegated to the hardware, a failure in the software does not compromise the integrated safety. Our demonstration shows how safety is managed under different kinds of failures, from wireless network failures to device software failures.


Archive | 2011

A Medical Device Safety Supervision over Wireless

Cheolgi Kim; Mu Sun; Heechul Yun; Lui Sha

Interoperability of medical devices is a growing need in modern healthcare systems, not just for convenience, but also to preclude potential human errors during medical procedures. Caregivers, as end users, strongly prefer wireless networks for such interconnections between clinical devices because of their seamless connectivity and ease of use and maintenance. In [KSM+10], we introduced a Network-Aware Safety Supervisor framework to integrate medical devices into clinical supervisory systems using finite state machines (FSMs). In this paper, we simplify the FSM into Boolean logic to minimize safety-logic overhead and introduce a generic method, the pre-verified safety control (PVSC) framework, to integrate medical devices into clinical management systems over wireless technologies with formally verified safety properties. Our method provides (i) a PVSC safety layer that automatically generates the safety engine to guarantee the given safety requirements and (ii) an abstracted application development environment, so that applications can be developed independently of the underlying complications of wireless communication. To mitigate the negative effects of packet losses, the PVSC framework employs a pipelined “pre-planning” of the device controls. The key motivation of this work is to preserve safety and the application development environment, as is, even after adding unreliable communication media such as wireless, along with a pre-planning mechanism.


workshop on rewriting logic and its applications | 2014

Formal specification of button-related fault-tolerance micropatterns

Mu Sun; José Meseguer

Fault tolerance has been a major concern in the design of computing platforms. However, currently, fault tolerance has been done mostly with just heuristics, high level probabilistic analysis and extensive testing. In this work, we explore how we can use formal patterns to achieve fault-tolerance designs and methods. In particular, we look at faults that occur in mechanical button interfaces such as button bounce, button stuck, and phantom button faults. Our primary goal is the safety of such interfaces for medical devices [7], but the methods are more widely applicable. We formally describe corresponding patterns to address these faults including button debouncing, button stuck detection, and phantom press filtering. We prove stuttering-bisimulation results for some patterns showing their fault-masking capabilities. Furthermore, for patterns where fault-masking is not possible, we prove fault-detection properties. We also instantiate these patterns to a simple instance of a button-press counter and perform execution and model checking as further validation.


Archive | 2009

PALS: Physically Asynchronous Logically Synchronous Systems

Lui Sha; Abdullah Al-Nayeem; Mu Sun; José Meseguer; Peter Csaba Ölveczky


2007 Joint Workshop on High Confidence Medical Devices, Software, and Systems and Medical Device Plug-and-Play Interoperability (HCMDSS-MDPnP 2007) | 2007

Building Reliable MD PnP Systems

Mu Sun; Qixin Wang; Lui Sha

Collaboration

Top Co-Authors

Stanley Bak, Air Force Research Laboratory

Qixin Wang, Hong Kong Polytechnic University