Abstract
Complex systems are by necessity hierarchically organized. Decomposition into subsystems allows for intellectual control, as well as enabling different subsystems to be created by distinct teams. This decomposition affects both requirements and architecture. The architecture describes the structure and this affects how requirements "flow down" to each subsystem. Moreover, discoveries in the design process may affect the requirements. Demonstrating that a complex system satisfies its requirements when the subsystems are composed is a challenging problem.
In this paper, we present a medical device case example where we apply an iterative approach to architecture and verification based on software architectural models. We represent the hierarchical composition of the system in the Architecture Analysis and Design Language (AADL), and use an extension to the AADL language to describe the requirements at different levels of abstraction for compositional verification. The component-level behavior for the model is described in Simulink/Stateflow. We assemble proofs of system level properties by using the Simulink Design Verifier to establish component-level properties and an open-source plug-in for the OSATE AADL environment to perform the compositional verification of the architecture. This combination of verification tools allows us to iteratively explore design and verification of detailed behavioral models, and to scale formal analysis to large software systems.
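As an added illustration of the compositional step the abstract describes (this is example code, not code from the paper, from the OSATE plug-in, or from the Simulink tooling), the following Python models a hypothetical infusion-pump decomposition with assume/guarantee contracts and discharges the architecture-level obligations by exhaustive enumeration over small finite domains; the variable names, domains and contracts are constructed for this example, and the component guarantees are taken as already proven at component level.

```python
from itertools import product

# Constructed toy decomposition of an infusion pump (not the paper's model).
# rate: requested flow 0..3, limit: prescribed maximum 0..3,
# alarm: monitor output, infusing: controller output.
DOMAINS = {"rate": range(4), "limit": range(4),
           "alarm": (False, True), "infusing": (False, True)}

def over_rate(v):
    return v["rate"] > v["limit"]

# Components in dataflow order: (name, assumption, guarantee), each a predicate
# over one valuation of all variables. The guarantees are taken as already proven
# at component level (the step Simulink Design Verifier performs in the paper).
COMPONENTS = [
    ("monitor", lambda v: True,                            # no assumption on its inputs
                lambda v: v["alarm"] == over_rate(v)),     # alarm exactly when over rate
    ("controller", lambda v: v["alarm"] == over_rate(v),   # relies on a correct alarm
                   lambda v: not (v["alarm"] and v["infusing"])),  # never infuse while alarmed
]
SYSTEM_ASSUME = lambda v: True
SYSTEM_GUARANTEE = lambda v: not (over_rate(v) and v["infusing"])

def valuations():
    keys = list(DOMAINS)
    for vals in product(*(DOMAINS[k] for k in keys)):
        yield dict(zip(keys, vals))

def check_composition(components, sys_assume=SYSTEM_ASSUME, sys_guarantee=SYSTEM_GUARANTEE):
    """Architecture-level obligations, checked by exhaustive enumeration.
    For component i: sys_assume and the guarantees of components 0..i-1 must imply
    assume_i (the dataflow is acyclic, so only upstream guarantees are used, which
    keeps the reasoning sound). Finally: sys_assume and all guarantees must imply
    sys_guarantee. Returns (obligation, counterexample) pairs; empty means the proof closes."""
    failures = []
    for v in valuations():
        if not sys_assume(v):
            continue
        for i, (name, assume, _) in enumerate(components):
            upstream_ok = all(g(v) for _, _, g in components[:i])
            if upstream_ok and not assume(v):
                failures.append((f"assumption of {name}", v))
        if all(g(v) for _, _, g in components) and not sys_guarantee(v):
            failures.append(("system guarantee", v))
    return failures

# Weakened monitor that only promises "alarm implies over rate": the controller's
# assumption no longer flows down, and the proof fails with a concrete counterexample.
WEAK_MONITOR = ("monitor", lambda v: True, lambda v: (not v["alarm"]) or over_rate(v))

if __name__ == "__main__":
    print("sound design:", check_composition(COMPONENTS))
    print("weak monitor:", check_composition([WEAK_MONITOR, COMPONENTS[1]])[:2])
```

The enumeration stands in for the SMT-based reasoning a real compositional checker performs; the obligations themselves are the ones an architecture-level tool must discharge once each component's contract has been verified separately.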
Compositional verification of a medical device system
Published in HILT '13: Proceedings of the 2013 ACM SIGAda annual conference on High integrity language technology.