Compositional verification of a medical device system

Complex systems are by necessity hierarchically organized. Decomposition into subsystems allows for intellectual control, as well as enabling different subsystems to be created by distinct teams. This decomposition affects both requirements and architecture. The architecture describes the structure and this affects how requirements ``flow down'' to each subsystem. Moreover, discoveries in the design process may affect the requirements. Demonstrating that a complex system satisfies its requirements when the subsystems are composed is a challenging problem. In this paper, we present a medical device case example where we apply an iterative approach to architecture and verification based on software architectural models. We represent the hierarchical composition of the system in the Architecture Analysis and Design Language (AADL), and use an extension to the AADL language to describe the requirements at different levels of abstraction for compositional verification. The component-level behavior for the model is described in Simulink/Stateflow. We assemble proofs of system level properties by using the Simulink Design Verifier to establish component-level properties and an open-source plug-in for the OSATE AADL environment to perform the compositional verification of the architecture. This combination of verification tools allows us to iteratively explore design and verification of detailed behavioral models, and to scale formal analysis to large software systems.

[1]  Thomas A. Henzinger,et al.  Interface automata , 2001, ESEC/FSE-9.

[2]  Amir Pnueli,et al.  In Transition From Global to Modular Temporal Reasoning about Programs , 1989, Logics and Models of Concurrent Systems.

[3]  Orna Grumberg,et al.  Model checking and modular verification , 1994, TOPL.

[4]  Lui Sha,et al.  Compositional Verification of Architectural Models , 2012, NASA Formal Methods.

[5]  Cesare Tinelli,et al.  DPLL( T): Fast Decision Procedures , 2004, CAV.

[6]  Edmund M. Clarke,et al.  Compositional model checking , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.

[7]  Pamela Zave,et al.  Deriving Specifications from Requirements: an Example , 1995, 1995 17th International Conference on Software Engineering.

[8]  L. McMillanmcmillan Circular Compositional Reasoning about Liveness , 1999 .

[9]  Johan Anthory Willem Kamp,et al.  Tense logic and the theory of linear order , 1968 .

[10]  Joseph Sifakis,et al.  Rigorous Component-Based System Design Using the BIP Framework , 2011, IEEE Software.

[11]  Mary Sheeran,et al.  Checking Safety Properties Using Induction and a SAT-Solver , 2000, FMCAD.

[12]  K. Mani Chandy,et al.  Proofs of Networks of Processes , 1981, IEEE Transactions on Software Engineering.

[13]  Sanjai Rayadurgam,et al.  Modes, features, and state-based modeling for clarity and flexibility , 2013, 2013 5th International Workshop on Modeling in Software Engineering (MiSE).

[14]  Nancy A. Lynch,et al.  Hierarchical correctness proofs for distributed algorithms , 1987, PODC '87.

[15]  Jean-Frédéric Étienne,et al.  Using Simulink Design Verifier for Proving Behavioral Properties on a Complex Safety Critical System in the Ground Transportation Domain , 2010, CSDM.

[16]  Cesare Tinelli,et al.  Scaling Up the Formal Verification of Lustre Programs with SMT-Based Techniques , 2008, 2008 Formal Methods in Computer-Aided Design.

[17]  Patrice Chalin,et al.  BLESS: Formal Specification and Verification of Behaviors for Embedded Systems with Software , 2013, NASA Formal Methods.

[18]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[19]  Bashar Nuseibeh,et al.  Weaving Together Requirements and Architectures , 2001, Computer.

[20]  David Harel,et al.  Model-checking behavioral programs , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[21]  Sanjai Rayadurgam,et al.  Your "What" Is My "How": Iteration and Hierarchy in System Design , 2013, IEEE Software.

[22]  David Harel,et al.  Statecharts: A Visual Formalism for Complex Systems , 1987, Sci. Comput. Program..

[23]  Anthony Hall,et al.  Seven myths of formal methods , 1990, IEEE Software.

[24]  George S. Avrunin,et al.  Breaking up is hard to do: an investigation of decomposition for assume-guarantee reasoning , 2006, ISSTA '06.

[25]  Kenneth L. McMillan,et al.  A methodology for hardware verification using compositional model checking , 2000, Sci. Comput. Program..

[26]  Michael W. Whalen,et al.  Proving the Shalls Early Validation of Requirements Through Formal Methods , 2004 .

[27]  Anthony Hall,et al.  Will it work? [Requirements engineering] , 2001, Proceedings Fifth IEEE International Symposium on Requirements Engineering.

[28]  Pascal Raymond,et al.  The synchronous data flow programming language LUSTRE , 1991, Proc. IEEE.