Safety-critical medical device development using the UPP2SF model translation tool

Published: 01 April 2014

    Abstract

    Software-based control of life-critical embedded systems has become increasingly complex and, to a large extent, now determines the safety of the people who depend on them. For example, implantable cardiac pacemakers have over 80,000 lines of code, which are responsible for maintaining the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools that generate verified code from verified software models. To this end, we have developed the UPP2SF model-translation tool, which automatically converts verified models (in UPPAAL) into models that can be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion and that apply to a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and then (c) automatically turned into modular generated code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF may be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of an integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.

    Supplementary Material

    a127-pajic-apndx.pdf (pajic.zip)
    Supplemental movie, appendix, image and software files for "Safety-critical medical device development using the UPP2SF model translation tool"



    Published In

    ACM Transactions on Embedded Computing Systems, Volume 13, Issue 4s
    Special Issue on Real-Time and Embedded Technology and Applications, Domain-Specific Multicore Computing, Cross-Layer Dependable Embedded Systems, and Application of Concurrency to System Design (ACSD'13)
    July 2014
    571 pages
    ISSN: 1539-9087
    EISSN: 1558-3465
    DOI: 10.1145/2601432

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Publication History

    Published: 01 April 2014
    Accepted: 01 September 2013
    Revised: 01 April 2013
    Received: 01 July 2012
    Published in TECS Volume 13, Issue 4s


    Author Tags

    1. Model-based development
    2. medical devices validation and verification
    3. model translation
    4. real-time embedded systems

    Qualifiers

    • Research-article
    • Research
    • Refereed

    Cited By

    • (2023) A Timing-Based Framework for Designing Resilient Cyber-Physical Systems under Safety Constraint. ACM Transactions on Cyber-Physical Systems 7(3), 1-25. DOI 10.1145/3594638. Online publication date: 13-Jul-2023
    • (2022) Verifying Safety for Resilient Cyber-Physical Systems via Reactive Software Restart. 2022 ACM/IEEE 13th International Conference on Cyber-Physical Systems (ICCPS), 104-115. DOI 10.1109/ICCPS54341.2022.00016. Online publication date: May-2022
    • (2022) An Analytical Framework for Control Synthesis of Cyber-Physical Systems with Safety Guarantee. 2022 IEEE 61st Conference on Decision and Control (CDC), 1533-1540. DOI 10.1109/CDC51059.2022.9993062. Online publication date: 6-Dec-2022
    • (2020) UACFinder. ACM Transactions on Cyber-Physical Systems 4(3), 1-25. DOI 10.1145/3375405. Online publication date: 12-Mar-2020
    • (2020) Closing the Loop: Validation of Implantable Cardiac Devices With Computational Heart Models. IEEE Journal of Biomedical and Health Informatics 24(6), 1579-1588. DOI 10.1109/JBHI.2019.2947007. Online publication date: Jun-2020
    • (2020) A framework for supporting the development of verifiably safe medical best practice guideline systems. Journal of Systems Architecture: the EUROMICRO Journal 104(C). DOI 10.1016/j.sysarc.2019.101693. Online publication date: 1-Mar-2020
    • (2019) Using language workbenches and domain-specific languages for safety-critical software development. Software and Systems Modeling (SoSyM) 18(4), 2507-2530. DOI 10.1007/s10270-018-0679-0. Online publication date: 1-Aug-2019
    • (2019) Hybrid automata. International Journal on Software Tools for Technology Transfer (STTT) 21(1), 87-104. DOI 10.1007/s10009-017-0458-1. Online publication date: 1-Feb-2019
    • (2018) Dependable Model-driven Development of CPS. ACM Transactions on Cyber-Physical Systems 3(1), 1-31. DOI 10.1145/3078623. Online publication date: 29-Aug-2018
    • (2018) Safety and Security in Cyber-Physical Systems and Internet-of-Things Systems. Proceedings of the IEEE 106(1), 9-20. DOI 10.1109/JPROC.2017.2781198. Online publication date: Jan-2018
