Abstract
Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent it now determines the safety of the humans who depend on those systems. For example, implantable cardiac pacemakers contain over 80,000 lines of code that are responsible for keeping the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools that generate verified code from verified software models. To this end, we have developed the UPP2SF model-translation tool, which automatically converts verified models (in UPPAAL) into models that can be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion and that apply to a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and then (c) automatically turned into modular generated code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF can be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of an integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.
Supplemental Material
Supplemental movie, appendix, image and software files for "Safety-critical medical device development using the UPP2SF model translation tool".