ABSTRACT
Complex systems are by necessity hierarchically organized. Decomposition into subsystems allows for intellectual control, as well as enabling different subsystems to be created by distinct teams. This decomposition affects both requirements and architecture. The architecture describes the structure, and this affects how requirements "flow down" to each subsystem. Moreover, discoveries in the design process may affect the requirements. Demonstrating that a complex system satisfies its requirements when the subsystems are composed is a challenging problem.
In this paper, we present a medical device case example where we apply an iterative approach to architecture and verification based on software architectural models. We represent the hierarchical composition of the system in the Architecture Analysis and Design Language (AADL), and use an extension to the AADL language to describe the requirements at different levels of abstraction for compositional verification. The component-level behavior for the model is described in Simulink/Stateflow. We assemble proofs of system level properties by using the Simulink Design Verifier to establish component-level properties and an open-source plug-in for the OSATE AADL environment to perform the compositional verification of the architecture. This combination of verification tools allows us to iteratively explore design and verification of detailed behavioral models, and to scale formal analysis to large software systems.
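The two-level proof structure the abstract describes (component behavior proved in isolation, then system-level properties assembled from the component contracts alone) can be shown on a small constructed example. The Python below is an added illustration, not code from the paper: the paper's component models are Simulink/Stateflow checked with Simulink Design Verifier and its architecture checks run in an OSATE plug-in, whereas here contracts are plain predicates and both checks are done by exhaustive enumeration over bounded value domains. The limiter/pump components, the `MAX_RATE` ceiling and the variable domains are all assumptions made for the example.

```python
"""Toy assume/guarantee compositional check (added example; not the paper's tooling).

Each component carries an assumption and a guarantee over the system's variables plus
an implementation (a stand-in for a Simulink/Stateflow block).  Component-level checking
exercises the implementation; architecture-level checking sees ONLY the contracts, which
is what lets the proof scale: the implementations never have to be composed.
"""
from itertools import product

MAX_RATE = 5                                          # assumed safe ceiling on pump rate
DOMAINS = {"req": range(0, 11), "cmd": range(0, 11),  # bounded domains (constructed)
           "alarm": (False, True), "flow": range(0, 11)}

# Contracts are predicates over a valuation v of ALL system variables.
LIMITER = {
    "name": "limiter", "inputs": ("req",), "outputs": ("cmd",),
    "assume":    lambda v: True,
    "guarantee": lambda v: v["cmd"] == min(v["req"], MAX_RATE),
    "impl":      lambda v: {"cmd": v["req"] if v["req"] <= MAX_RATE else MAX_RATE},
}
PUMP = {
    "name": "pump", "inputs": ("cmd", "alarm"), "outputs": ("flow",),
    "assume":    lambda v: v["cmd"] <= MAX_RATE,          # relies on the limiter upstream
    "guarantee": lambda v: v["flow"] == (0 if v["alarm"] else v["cmd"]),
    "impl":      lambda v: {"flow": 0 if v["alarm"] else v["cmd"]},
}
SYSTEM = {
    "assume":    lambda v: True,
    "guarantee": lambda v: v["flow"] <= MAX_RATE and (not v["alarm"] or v["flow"] == 0),
}


def valuations(names):
    """Enumerate every assignment of the named variables over their bounded domains."""
    for vals in product(*(DOMAINS[n] for n in names)):
        yield dict(zip(names, vals))


def check_component(comp):
    """Component level: run the implementation on every input satisfying the assumption
    and confirm the guarantee.  Returns a counterexample valuation, or None if it holds."""
    for v in valuations(comp["inputs"]):
        if not comp["assume"](v):
            continue
        v = {**v, **comp["impl"](v)}
        if not comp["guarantee"](v):
            return v
    return None


def check_composition(system, comps):
    """Architecture level, using only contracts (implementations stay opaque):
      (1) each component's assumption follows from the system assumption plus the
          other components' guarantees (sound when contracts are not mutually dependent);
      (2) the system guarantee follows from the system assumption plus all guarantees.
    Returns (failed obligation, counterexample) or None if every obligation holds."""
    for v in valuations(tuple(DOMAINS)):
        if not system["assume"](v):
            continue
        for c in comps:
            others_hold = all(o["guarantee"](v) for o in comps if o is not c)
            if others_hold and not c["assume"](v):
                return (f"assumption of {c['name']}", v)
        if all(c["guarantee"](v) for c in comps) and not system["guarantee"](v):
            return ("system guarantee", v)
    return None


def weakened_limiter():
    """The same limiter with a weaker guarantee (cmd <= req only): the implementation
    still passes its own check, but the composition can no longer discharge the pump's
    assumption, which is exactly the kind of flow-down gap the architecture check finds."""
    return {**LIMITER, "guarantee": lambda v: v["cmd"] <= v["req"]}


if __name__ == "__main__":
    print("limiter:", check_component(LIMITER))
    print("pump:", check_component(PUMP))
    print("composition:", check_composition(SYSTEM, [LIMITER, PUMP]))
    print("weakened composition:", check_composition(SYSTEM, [weakened_limiter(), PUMP]))
```

The weakened case is the practitioner's reason for running both levels: a component can be correct against a contract that is simply too weak for its neighbours, and only the architecture-level check, which never looks inside the Simulink models, exposes that.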
Index Terms
- Compositional verification of a medical device system
HILT '13