8,040 research outputs found
Towards Realizability Checking of Contracts using Theories
Virtual integration techniques focus on building architectural models of
systems that can be analyzed early in the design cycle to try to lower cost,
reduce risk, and improve quality of complex embedded systems. Given appropriate
architectural descriptions and compositional reasoning rules, these techniques
can be used to prove important safety properties about the architecture prior
to system construction. Such proofs build from "leaf-level" assume/guarantee
component contracts through architectural layers towards top-level safety
properties. The proofs are built upon the premise that each leaf-level
component contract is realizable; i.e., it is possible to construct a component
such that for any input allowed by the contract assumptions, there is some
output value that the component can produce that satisfies the contract
guarantees. Without engineering support it is all too easy to write leaf-level
components that can't be realized. Realizability checking for propositional
contracts has been well-studied for many years, both for component synthesis
and checking correctness of temporal logic requirements. However, checking
realizability for contracts involving infinite theories is still an open
problem. In this paper, we describe a new approach for checking realizability
of contracts involving theories and demonstrate its usefulness on several
examples.Comment: 15 pages, to appear in NASA Formal Methods (NFM) 201
Machine-Checked Proofs For Realizability Checking Algorithms
Virtual integration techniques focus on building architectural models of
systems that can be analyzed early in the design cycle to try to lower cost,
reduce risk, and improve quality of complex embedded systems. Given appropriate
architectural descriptions, assume/guarantee contracts, and compositional
reasoning rules, these techniques can be used to prove important safety
properties about the architecture prior to system construction. For these
proofs to be meaningful, each leaf-level component contract must be realizable;
i.e., it is possible to construct a component such that for any input allowed
by the contract assumptions, there is some output value that the component can
produce that satisfies the contract guarantees. We have recently proposed (in
[1]) a contract-based realizability checking algorithm for assume/guarantee
contracts over infinite theories supported by SMT solvers such as linear
integer/real arithmetic and uninterpreted functions. In that work, we used an
SMT solver and an algorithm similar to k-induction to establish the
realizability of a contract, and justified our approach via a hand proof. Given
the central importance of realizability to our virtual integration approach, we
wanted additional confidence that our approach was sound. This paper describes
a complete formalization of the approach in the Coq proof and specification
language. During formalization, we found several small mistakes and missing
assumptions in our reasoning. Although these did not compromise the correctness
of the algorithm used in the checking tools, they point to the value of
machine-checked formalization. In addition, we believe this is the first
machine-checked formalization for a realizability algorithm.Comment: 14 pages, 1 figur
An intracardiac electrogram model to bridge virtual hearts and implantable cardiac devices
Virtual heart models have been proposed to enhance the safety of implantable
cardiac devices through closed loop validation. To communicate with a virtual
heart, devices have been driven by cardiac signals at specific sites. As a
result, only the action potentials of these sites are sensed. However, the real
device implanted in the heart will sense a complex combination of near and
far-field extracellular potential signals. Therefore many device functions,
such as blanking periods and refractory periods, are designed to handle these
unexpected signals. To represent these signals, we develop an intracardiac
electrogram (IEGM) model as an interface between the virtual heart and the
device. The model can capture not only the local excitation but also far-field
signals and pacing afterpotentials. Moreover, the sensing controller can
specify unipolar or bipolar electrogram (EGM) sensing configurations and
introduce various oversensing and undersensing modes. The simulation results
show that the model is able to reproduce clinically observed sensing problems,
which significantly extends the capabilities of the virtual heart model in the
context of device validation
A Denotational Semantics for Communicating Unstructured Code
An important property of programming language semantics is that they should
be compositional. However, unstructured low-level code contains goto-like
commands making it hard to define a semantics that is compositional. In this
paper, we follow the ideas of Saabas and Uustalu to structure low-level code.
This gives us the possibility to define a compositional denotational semantics
based on least fixed points to allow for the use of inductive verification
methods. We capture the semantics of communication using finite traces similar
to the denotations of CSP. In addition, we examine properties of this semantics
and give an example that demonstrates reasoning about communication and jumps.
With this semantics, we lay the foundations for a proof calculus that captures
both, the semantics of unstructured low-level code and communication.Comment: In Proceedings FESCA 2015, arXiv:1503.0437
The JKind Model Checker
JKind is an open-source industrial model checker developed by Rockwell
Collins and the University of Minnesota. JKind uses multiple parallel engines
to prove or falsify safety properties of infinite state models. It is portable,
easy to install, performance competitive with other state-of-the-art model
checkers, and has features designed to improve the results presented to users:
inductive validity cores for proofs and counterexample smoothing for test-case
generation. It serves as the back-end for various industrial applications.Comment: CAV 201
From Requirements to Code: Model Based Development of a Medical Cyber Physical System
The advanced use of technology in medical devices has improved the way health care is delivered to patients. Unfortunately, the increased complexity of modern medical devices poses challenges for development, assurance, and regulatory approval. In an e ort to improve the safety of advanced medical devices, organizations such as FDA have supported exploration of techniques to aid in the development and regulatory approval of such systems. In an ongoing research project, our aim is to provide effective development techniques and exemplars of system development artifacts that demonstrate state of the art development techniques.
In this paper we present an end-to-end model-based approach to medical device software development along with the artifacts created in the process. While outlining the approach, we also describe our experiences, challenges, and lessons learned in the process of formulating and analyzing the requirements, modeling the system, formally verifying the models, generating code, and executing the generated code in the hardware for generic patient controlled analgesic infusion pump (GPCA). We believe that the development artifacts and techniques presented in this paper could serve as a generic reference to be used by researchers, practitioners, and authorities while developing and evaluating cyber physical medical devices
Linking Abstract Analysis to Concrete Design: A Hierarchical Approach to Verify Medical CPS Safety
Complex cyber-physical systems are typically hierarchically organized into multiple layers of abstraction in order to manage design complexity and provide verification tractability. Formal reasoning about such systems, therefore, necessarily involves the use of multiple modeling formalisms, verification paradigms, and concomitant tools, chosen as appropriate for the level of abstraction at which the analysis is performed. System properties verified using an abstract component specification in one paradigm must then be shown to logically follow from properties verified, possibly using a different paradigm, on a more concrete component description, if one is to claim that a particular component when deployed in the overall system context would still uphold the system properties. But, as component specifications at one layer get elaborated into more concrete component descriptions in the next, abstraction induced differences come to the fore, which have to be reconciled in some meaningful way. In this paper, we present our approach for providing a logical glue to tie distinct verification paradigms and reconcile the abstraction induced differences, to verify safety properties of a medical cyber-physical system. While the specifics are particular to the case example at hand - a high-level abstraction of a safety-interlock system to stop drug infusion along with a detailed design of a generic infusion pump - we believe the techniques are broadly applicable in similar situations for verifying complex cyber-physical system properties
- …