research-article

Safety-critical medical device development using the UPP2SF model translation tool

Published: 01 April 2014

Abstract

Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent now determines patient safety. For example, implantable cardiac pacemakers contain over 80,000 lines of code responsible for keeping the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools that generate verified code from verified software models. To this end, we have developed the UPP2SF model-translation tool, which automatically converts verified models (in UPPAAL) into models that can be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion for a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and (c) automatically turned into modular code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF can be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of an integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.
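As an added illustration (not code from the paper or from the UPP2SF tool), the following Python script models the kind of timing property a UPPAAL pacemaker model is verified against and shows how an implementation detail, here the period of the firmware timer task, can break it on the generated code even though the abstract model satisfies it. The ventricular escape interval LRI, the 1 ms tick, the VVI-style single-chamber behaviour and the bounded explicit-state exploration are all assumptions of this example; the paper's dual-chamber model and its Stateflow translation are richer. In UPPAAL the same property would be the query `A[] t <= LRI` over a clock `t`; the explorer below stands in for the model checker and, by adding the scheduler phase to the state, for the timing analysis of the implementation.

```python
"""Bounded exploration of a simplified ventricular (VVI-style) pacing timed automaton.

Constructed example: the timing values and the model are assumptions made for this
illustration, not the pacemaker model or code described in the paper.
"""
from collections import deque

LRI = 1000  # ms, lower rate interval: pace when no ventricular event for this long (assumed)


def step(state, sense, task_period):
    """Advance the closed-loop heart/pacemaker model by one 1 ms tick.

    state = (t, phase): t is the pacemaker's ventricular clock in ms since the last
    ventricular event; phase is where the firmware timer task is in its period.
    sense is True when the heart produces an intrinsic beat in this tick (the heart
    is nondeterministic, so callers explore both choices).
    Returns (new_state, event, violation) with event in {'VS', 'VP', None} and
    violation naming the broken property or None.
    """
    t, phase = state
    t += 1
    phase = (phase + 1) % task_period
    event = None
    if sense:                       # intrinsic beat: inhibit pacing, restart the interval
        t, event = 0, 'VS'
    elif phase == 0 and t >= LRI:   # timer task runs and the escape interval has elapsed
        t, event = 0, 'VP'
    # Safety property (UPPAAL: A[] t <= LRI): a ventricular event must occur within LRI
    violation = 'interval exceeded LRI' if t > LRI else None
    return (t, phase), event, violation


def check(task_period, horizon=2 * LRI + 50):
    """Exhaustively explore all heart-beat interleavings for up to `horizon` ticks.

    Returns None if the property holds on every path, otherwise the shortest
    counterexample as a list of (time_ms, label) pairs ending with the violation.
    """
    start = (0, 0)
    parent = {start: None}          # state -> (predecessor, time reached, event)
    frontier = deque([(start, 0)])
    while frontier:
        state, time = frontier.popleft()
        if time >= horizon:
            continue
        for sense in (False, True):
            nxt, event, violation = step(state, sense, task_period)
            if violation is not None:
                trace = [(time + 1, violation)]
                s = state           # walk parent pointers back to the initial state
                while parent[s] is not None:
                    prev, at, ev = parent[s]
                    if ev is not None:
                        trace.append((at, ev))
                    s = prev
                trace.reverse()
                return trace
            if nxt not in parent:   # breadth-first, so the first visit is the earliest
                parent[nxt] = (state, time + 1, event)
                frontier.append((nxt, time + 1))
    return None


if __name__ == '__main__':
    # A task that polls the clock every tick implements the model faithfully...
    print('1 ms task:', check(1))
    # ...while a 10 ms task can miss the LRI deadline after an intrinsic beat
    # shifts the clock out of phase with the scheduler.
    print('10 ms task:', check(10))
```

With a 1 ms task the property holds on every path, which is the result the verified UPPAAL model promises. With a 10 ms task the explorer returns a two-event counterexample: a sensed beat at 1 ms shifts the escape interval out of phase with the scheduler, so at 1001 ms the pace is overdue. This is exactly the class of timing error that only appears once the model is turned into scheduled code, and why the paper pairs verification with hardware-level integration testing and early worst-case execution time estimates.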
