From Verification to Implementation: A Model Translation Tool and a Pacemaker Case Study

Pajić, Miroslav; Jiang, Zhihao; Lee, Insup; Sokolsky, Oleg; Mangharam, Rahul

doi:10.1109/rtas.2012.25

Cited by 52 publications

(41 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…to build models with costs and probabilities for quantitative analysis of the efficacy of pacemaker algorithms; development of patient-specific algorithms). In particular, the verified pacemaker model can be automatically translated into Stateflow charts in Simulink for test generation and code generation [11].…”

Section: Introductionmentioning

confidence: 99%

Modeling and Verification of a Dual Chamber Implantable Pacemaker

Jiang

Pajić

Moarref

et al. 2012

Tools and Algorithms for the Construction and Analysis of Systems

Self Cite

112

View full text Add to dashboard Cite

Abstract. The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safetycritical nature and the lack of existing industry standards for verification, make this an ideal domain for exploring applications of formal modeling and analysis. In this study, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We begin with detailed models of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. We then define the state space of the closed-loop system based on its heart rate and developed a heart model which can nondeterministically cover the whole state space. For verification, we first specify unsafe regions within the state space and verify the closed-loop system against corresponding safety requirements. As stronger assertions are attempted, the closed-loop unsafe state may result from healthy openloop heart conditions. Such unsafe transitions are investigated with two clinical cases of Pacemaker Mediated Tachycardia and their corresponding correction algorithms in the pacemaker. Along with emerging tools for code generation from UPPAAL models, this effort enables modeldriven design and certification of software for medical devices.

show abstract

Section: Introductionmentioning

confidence: 99%

Modeling and Verification of a Dual Chamber Implantable Pacemaker

Jiang

Pajić

Moarref

et al. 2012

Tools and Algorithms for the Construction and Analysis of Systems

Self Cite

112

View full text Add to dashboard Cite

show abstract

“…In PAT [7] based verification technique, they covered most advanced features of Stateflow, while with limited support of event interrupt dispatch mechanism and time operation support. Besides, there is also some nice work translating Uppaal timed automata to Simulink Stateflow for simulation and code generation [20], [21]. Since the semantics of timed automata is simpler than that of Stateflow, the translation procedure is different from our setting, because we need to deal with the priority, event stack, transitional action etc of Stateflow during our reverse transformation.…”

Section: Related Workmentioning

confidence: 99%

From Stateflow Simulation to Verified Implementation: A Verification Approach and A Real-Time Train Controller Design

Jiang

Yang

Liu

et al. 2016

2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS)

View full text Add to dashboard Cite

Abstract-Simulink is widely used for model driven development (MDD) of industrial software systems. Typically, the Simulink based development is initiated from Stateflow modeling, followed by simulation, validation and code generation mapped to physical execution platforms. However, recent industrial trends have raised the demands of rigorous verification on safety-critical applications, which is unfortunately challenging for Simulink.In this paper, we present an approach to bridge the Stateflow based model driven development and a well-defined rigorous verification. First, we develop a self-contained toolkit to translate Stateflow model into timed automata, where major advanced modeling features in Stateflow are supported. Taking advantage of the strong verification capability of Uppaal, we can not only find bugs in Stateflow models which are missed by Simulink Design Verifier, but also check more important temporal properties. Next, we customize a runtime verifier for the generated nonintrusive VHDL and C code of Stateflow model for monitoring. The major strength of the customization is the flexibility to collect and analyze runtime properties with a pure software monitor, which opens more opportunities for engineers to achieve high reliability of the target system compared with the traditional act that only relies on Simulink Polyspace. We incorporate these two parts into original Stateflow based MDD seamlessly. In this way, safety-critical properties are both verified at the model level, and at the consistent system implementation level with physical execution environment in consideration. We apply our approach on a train controller design, and the verified implementation is tested and deployed on a real hardware platform.

show abstract

“…A number of techniques for discretization have been developed in the literature, such as [13,15]. Our UPPAAL model satisfies the conditions put forth in [22], which guarantee that whenever a transition is enabled during an execution, it can occur at an integer-valued time instance. Thus, the model can be faithfully simulated in discrete time.…”

Section: Related Workmentioning

confidence: 99%

Linking abstract analysis to concrete design: A hierarchical approach to verify medical CPS safety

Murugesan

Sokolsky

Rayadurgam

et al. 2014

2014 ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS)

Self Cite

View full text Add to dashboard Cite

Complex cyber-physical systems are typically hierarchically organized into multiple layers of abstraction in order to manage design complexity and provide verification tractability. Formal reasoning about such systems, therefore, necessarily involves the use of multiple modeling formalisms, verification paradigms, and concomitant tools, chosen as appropriate for the level of abstraction at which the analysis is performed. System properties verified using an abstract component specification in one paradigm must then be shown to logically follow from properties verified, possibly using a different paradigm, on a more concrete component description, if one is to claim that a particular component when deployed in the overall system context would still uphold the system properties. But, as component specifications at one layer get elaborated into more concrete component descriptions in the next, abstraction induced differences come to the fore, which have to be reconciled in some meaningful way. In this paper, we present our approach for providing a logical glue to tie distinct verification paradigms and reconcile the abstraction induced differences, to verify safety properties of a medical cyber-physical system. While the specifics are particular to the case example at hand -a high-level abstraction of a safety-interlock system to stop drug infusion along with a detailed design of a generic infusion pump -we believe the techniques are broadly applicable in similar situations for verifying complex cyberphysical system properties. ABSTRACTComplex cyber-physical systems are typically hierarchically organized into multiple layers of abstraction in order to manage design complexity and provide verification tractability. Formal reasoning about such systems, therefore, necessarily involves the use of multiple modeling formalisms, verification paradigms, and concomitant tools, chosen as appropriate for the level of abstraction at which the analysis is performed. System properties verified using an abstract component specification in one paradigm must then be shown to logically follow from properties verified, possibly using a different paradigm, on a more concrete component description, if one is to claim that a particular component when deployed in the overall system context would still uphold the system properties. But, as component specifications at one layer get elaborated into more concrete component descriptions in the next, abstraction induced differences come to the fore, which have to be reconciled in some meaningful way. In this paper, we present our approach for providing a logical glue to tie distinct verification paradigms and reconcile the abstraction induced differences, to verify safety properties of a medical cyberphysical system. While the specifics are particular to the case example at hand -a high-level abstraction of a safety-interlock system to stop drug infusion along with * This work has been partially supported by NSF grants CNS-0931931 and CNS-1035715.Permission to make digital or hard co...

show abstract

From Verification to Implementation: A Model Translation Tool and a Pacemaker Case Study

Cited by 52 publications

References 14 publications

Modeling and Verification of a Dual Chamber Implantable Pacemaker

Modeling and Verification of a Dual Chamber Implantable Pacemaker

From Stateflow Simulation to Verified Implementation: A Verification Approach and A Real-Time Train Controller Design

Linking abstract analysis to concrete design: A hierarchical approach to verify medical CPS safety

Contact Info

Product

Resources

About