A Model Driven Development and Verification Approach for Medical Devices (Jakub Jedryszek)
A MODEL-DRIVEN DEVELOPMENT
AND
VERIFICATION APPROACH
FOR MEDICAL DEVICES
Major Professor: John Hatcliff
Committee members: John Hatcliff, Robby, Eugene Vasserman
Jakub Jedryszek, www.jj09.net
Computing and Information Sciences Department
Kansas State University
Motivation
Medical Devices Interoperability
ICE (Integrated Clinical Environment)
MDCF (Medical Device Coordination Framework)
PCA Pump
Software Verification
Model-Driven Development
Patient-Controlled Analgesia (PCA) Pump
Method of pain control that gives patients the power to control their pain
Operational modes:
Stopped
Basal Rate
Bolus
Clinician Bolus (Square bolus)
Keep Vein Open (KVO)
Integrated Clinical Environment
Medical Device Coordination Framework
Goals
Create PCA Pump Prototype:
ICE PCA Infusion Pump System Requirements
PCA Pump models
Analysis of implementation details
Propose AADL to SPARK Ada translation
Verify aspects of PCA pump with SPARK tools
Technologies
AADL (Architecture Analysis & Design Language)
BLESS (Behavior Language for Embedded Systems with Software)
SPARK Ada programming language
AADL (Architecture Analysis & Design Language)
"UML for hardware and software"
Used for:
real-time systems
safety critical systems
embedded systems
Graphical and textual representation
package Thermometer
public
  with Base_Types;

  system patient_thermometer
  end patient_thermometer;

  system implementation patient_thermometer.impl
    subcomponents
      thermometer : device thermometer_device.impl;
      opi : device operator_interface.impl;
    connections
      tdn : port thermometer.temp -> opi.display;
  end patient_thermometer.impl;

  device operator_interface
    features
      display : in data port Base_Types::Integer;
  end operator_interface;

  device implementation operator_interface.impl
  end operator_interface.impl;

  device thermometer_device
    features
      temp : out data port Base_Types::Integer;
  end thermometer_device;

  device implementation thermometer_device.impl
  end thermometer_device.impl;
end Thermometer;
BLESS (Behavior Language for Embedded Systems with Software)
AADL annex sublanguage defining behavior of components
BLESS's goal: auto-check correctness proofs of AADL models of embedded electronic systems with software
3 AADL Annex Sublanguages:
Assertion
subBLESS
BLESS
thread Some_Thread
  features
    Some_Port : out event port
      {BLESS::Assertion => "<<(Var1 < Var2 and COND2())>>";};
end Some_Thread;

thread implementation Some_Thread.impl
  annex BLESS {**
    invariant <<(Some_Var < Other_Var)>>
    assert
      <<COND2: :(Var1 > 0)>>
  **};
end Some_Thread.impl;
Ada
Programming language:
Object oriented
Statically typed
Designed for safety critical systems
Railway systems
Aircraft software (e.g. Boeing 777)
Medical devices
(*) Ada was named after Ada Lovelace (1815–1852), who is credited as the first computer programmer
with Ada.Text_IO; use Ada.Text_IO;

procedure Hello is
begin
   Put_Line ("Hello, world!");
end Hello;
SPARK Subset of Ada for Software Verification
Versions:
SPARK 83 (based on Ada 83)
SPARK 95 (based on Ada 95)
SPARK 2005 (based on Ada 2005)
SPARK 2014 (based on Ada 2012)
SPARK 2005 = subset of Ada + code contracts (annotations)
SPARK 2014 = subset of Ada (code contracts in Ada 2012)
SPARK 2005 (based on Ada 2005):

procedure Inc (X : in out Integer);
--# pre X < Integer'Last;
--# post X = X~ + 1;

SPARK 2014 (based on Ada 2012):

procedure Inc (X : in out Integer)
  with Pre  => X < Integer'Last,
       Post => X = X'Old + 1;
SPARK – Concurrency
Ravenscar profile – subset of Ada tasking features designed for safety-critical hard real-time computing
RavenSPARK – subset of the Ravenscar profile that allows concurrent programs to be verified with the SPARK verification tools
Used features:
tasks
protected types
Ada.Real_Time library
SPARK – Verification
SPARK 2005:
Examiner
Simplifier
ZombieScope
ViCToR
POGS
Bakar Kiasan
AUnit tests
SPARK 2014:
GNATprove
Bakar Kiasan v2
Verification Conditions (VC)
array index out of range
type range violation
division by zero
numerical overflow
Dead Path Conjectures (DPC)
Platform for PCA Pump Prototype
BeagleBoard-xM
Single-board computer produced by Texas Instruments
Specification:
1GHz ARM Processor
512 MB RAM
4 USB 2.0 ports
HDMI port
Ethernet
GPIO ports (PWM)
Linux OS (Angstrom)
http://beagleboard.org/Products/BeagleBoard-xM
SPARK Ada on BeagleBoard-xM?
No native GNAT compiler for ARM-based devices
No official GNAT cross compiler for ARM-based devices
Cross compiler – a compiler capable of creating executable code for a platform other than the one on which the compiler is running
Research plan
Compile SPARK Ada program for BeagleBoard-xM
SPARK 2005 (single and multithreaded)
SPARK 2014
Start PCA Pump Prototype implementation
Create AADL/BLESS to SPARK Ada translations
Based on Ocarina
Verification:
Implemented PCA Pump Prototype
Translated AADL models to SPARK Ada
Small separated module
SPARK Ada on BeagleBoard-xM
AdaCore cross compiler for ARM-based devices (tested on Android)
Cooperation with AdaCore to run the cross compiler
GNAT cross compiler for ARM-based devices
Supported platforms: Linux x86
AADL/BLESS to SPARK Ada
Translation schemas based on “Programming Language Annex Document”
Data types (scalars, enums, records, arrays)
Ports (event, data, in/out)
Threads to tasks
Subprograms
Feature groups
Packages
Property sets
BLESS to SPARK translations based on consultation with Brian Larson
Port-based communication
PCA Pump Prototype implementation
Implemented prototype in SPARK 2005
Data types
Operational module
PCA Pump actuator module (PCA Engine)
Simplified PCA Pump translated from AADL models
PCA Pump Verification
Implemented PCA Pump verification with SPARK toolset
Verification of module for maximum dose monitoring
SPARK 2005
SPARK Tools (Examiner, SPARKSimp, POGS)
Bakar Kiasan
SPARK 2014
GNATprove
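As an added illustration (not code from the thesis), here is a SPARK 2014 rendering of a maximum-dose monitoring module in the spirit of the one verified above: the Pre/Post contracts from the SPARK 2005 vs SPARK 2014 slide are what let GNATprove discharge the type-range and numerical-overflow verification conditions listed earlier, and the branch in Request_Bolus shows how the caller proves Deliver's precondition. The package name, the limit value and the units are assumptions; under GNAT's one-unit-per-file convention the spec goes in dose_monitor.ads and the body in dose_monitor.adb.

```ada
-- Added example, not part of the thesis. Limit and units are assumed.
package Dose_Monitor with SPARK_Mode is

   -- A constrained subtype gives GNATprove the range facts it needs for
   -- the "type range violation" and "numerical overflow" VCs.
   Max_Dose_Per_Hour : constant := 10_000;  -- assumed: micrograms per hour
   subtype Dose is Natural range 0 .. Max_Dose_Per_Hour;

   type Monitor is record
      Delivered : Dose := 0;  -- dose delivered so far in the current window
   end record;

   -- True iff Amount fits under the limit; no overflow because both
   -- operands lie in 0 .. Max_Dose_Per_Hour.
   function Can_Deliver (M : Monitor; Amount : Dose) return Boolean is
     (Amount <= Max_Dose_Per_Hour - M.Delivered);

   -- The precondition is the proof obligation on the caller; without it
   -- GNATprove reports that Delivered + Amount may leave subtype Dose.
   procedure Deliver (M : in out Monitor; Amount : Dose)
     with Pre  => Can_Deliver (M, Amount),
          Post => M.Delivered = M.Delivered'Old + Amount;

   -- Boundary check used by the pump controller: the request is honoured
   -- only in full, otherwise the monitor state is left untouched.
   procedure Request_Bolus
     (M : in out Monitor; Amount : Dose; Accepted : out Boolean)
     with Post => Accepted = Can_Deliver (M'Old, Amount)
                  and (if Accepted
                       then M.Delivered = M.Delivered'Old + Amount
                       else M = M'Old);

end Dose_Monitor;

package body Dose_Monitor with SPARK_Mode is

   procedure Deliver (M : in out Monitor; Amount : Dose) is
   begin
      -- Range check on the assignment is proved from the precondition.
      M.Delivered := M.Delivered + Amount;
   end Deliver;

   procedure Request_Bolus
     (M : in out Monitor; Amount : Dose; Accepted : out Boolean) is
   begin
      Accepted := Can_Deliver (M, Amount);
      if Accepted then
         Deliver (M, Amount);  -- Pre of Deliver follows from the branch
      end if;
   end Request_Bolus;

end Dose_Monitor;
```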
Contributions
Developed approach for running SPARK/Ada programs on
BeagleBoard-xM platform
Created PCA Prototype in SPARK 2005 (Ravenscar profile)
running on BeagleBoard-xM
Designed AADL/BLESS to SPARK Ada translation schemas
Translated simplified AADL models of PCA Pump to SPARK Ada
Demonstrated example verification of PCA pump:
SPARK 2005 tools
Bakar Kiasan
GNATprove
Problems
SPARK limitations
Lack of industry experience in SPARK Ada
No consultation with domain experts
Technologies and tools are under development:
SPARK 2014
BLESS
Small community and limited resources:
728 Ada related questions on StackOverflow
3 SPARK Ada related questions on StackOverflow
673,721 C# questions and 682,308 Java questions on StackOverflow
Future work
Consultation with an industry expert (in safety-critical systems development)
Automatic translator
Translation extension:
AADL properties
Try applying generics for data translation
Try child/nested packages for feature group mapping
Decomposition
Extend BLESS mapping (states and transitions)
Translations for SPARK 2014
Review port communication
Extend PCA Prototype functionalities