A MODEL-DRIVEN DEVELOPMENT

AND

VERIFICATION APPROACH

FOR MEDICAL DEVICES

Major Professor: John Hatcliff

Committee members: John Hatcliff, Robby, Eugene Vasserman

Jakub Jedryszekwww.jj09.net

Computing and Information Sciences Department

Kansas State University

Motivation Medical Devices Interoperability

ICE (Integrated Clinical Environment)

MDCF (Medical Device Coordination Framework)

PCA Pump

Software Verification

Model-Driven Development

Patient-Controlled Analgesia (PCA) Pump

Method of pain control that gives patients the

power to control their pain

Operational modes:

Stopped

Basal Rate

Bolus

Clinician Bolus (Square bolus)

Keep Vein Open (KVO)

Integrated Clinical Environment

Integrated Clinical Environment

Medical Device Coordination Framework

Goals

Create PCA Pump Prototype:

ICE PCA Infusion Pump System Requirements

PCA Pump models

Analysis of implementation details

Propose AADL to SPARK Ada translation

Verify aspects of PCA pump with SPARK tools

Technologies

AADL (Architecture Analysis & Design Language)

BLESS (Behavior Language for Embedded Systems with Software)

SPARK Ada programming language

AADL (Architecture Analysis & Design Language)

"UML for hardware and software”

Used for:

real-time sytems

safety critical systems

embedded systems

Graphical and textual representation

package Thermometerpublicwith Base_Types;

system patient_thermometerend patient_thermometer;

system implementation patient_thermometer.implsubcomponentsthermomether : device thermometer_device.impl;opi : device operator_interface.impl;

connectionstdn : port thermomether.temp -> opi.display;

end patient_thermometer.impl;

device operator_interfacefeaturesdisplay : in data port Base_Types::Integer;

end operator_interface;

device implementation operator_interface.implend operator_interface.impl;

device thermometer_devicefeaturestemp : out data port Base_Types::Integer;

end thermometer_device;

device implementation thermometer_device.implend thermometer_device.impl;end Thermometer;

BLESS (Behavior Language for Embedded Systems with Software)

AADL annex sublanguage defining behavior of components

BLESS’s goal: auto-check correctness proofs of AADL

models of embedded electronic systems with software

3 AADL Annex Sublanguages:

Assertion

subBLESS

BLESS

thread Some_Threadfeatures

Some_Port : out event port{BLESS::Assertion =>

”<<(Var1 < Var2 and COND2())>>”;};end Some_Thread;

thread implementation Some_Thread.implannex BLESS{**

invariant <<(Some_Var < Other_Var)>>assert

<<COND2 : :(Var1 > 0)>> **};end Some_Thread.impl;

Ada

Programming language:

Object oriented

Statically typed

Designed for safety critical systems

Railway systems

Airplanes software (e.g. Boeing 777)

Medical devices

(*) Ada was named after Ada Lovelace (1815–1852), who is

credited as being the first computer programmer (women)

with Ada.Text_IO; use Ada.Text_IO; procedure Hello is begin

Put_Line ("Hello, world!"); end Hello;

SPARK Subset of Ada for Software Verification

Versions:

SPARK 83 (based on Ada 83)

SPARK 95 (based on Ada 95)

SPARK 2005 (based on Ada 2005)

SPARK 2014 (based on Ada 2012)

SPARK 2005 = subset of Ada + code contracts (annotations)

SPARK 2014 = subset of Ada (code contracts in Ada 2012)

SPARK 2005 (based on Ada 2005) SPARK 2014 (based on Ada 2012)

procedure Inc (X : in out Integer); --# pre X < Integer’Last; --# post X = X~ + 1;

procedure Inc (X : in out Integer)with Pre => X < Integer’Last,

Post => X = X’Old + 1;

SPARK – Concurrency

Ravenscar profile – subset of Ada tasking features designed

for safety-critical hard real-time computing

RavenSPARK – subset of Ravenscar profile, which allows to

verify concurrent programs with SPARK verification tools

Used features:

tasks

protected types

Ada.Real_Time library

SPARK – Verification SPARK 2005

Examiner

Simplifier

ZombieScope

ViCToR

POGS

Bakar Kiasan

AUnit tests

SPARK 2014

GNATprove

Bakar Kiasan v2

Verification Conditions (VC)

array index out of range

type range violation

division by zero

numerical overflow

Dead Path Conjectures (DPC)

Platform for PCA Pump Prototype

BeagleBoard-xM

Single-board computer produced by Texas

Instrument

Specification:

1GHz ARM Processor

512 MB RAM

4 USB 2.0 ports

HDMI port

Ethernet

GPIO ports (PWM)

Linux OS (Angstrom)http://beagleboard.org/Products/BeagleBoard-xM

SPARK Ada on BeagleBoard-xM?

No native GNAT compiler for ARM-based devices

No official GNAT cross compiler for ARM-based

devices

Cross compiler – compiler capable of creating

executable code for a platform other thatn the

on on which the compiler is running

Research plan

Compile SPARK Ada program for BeagleBoard-xM

SPARK 2005 (single and multithreaded)

SPARK 2014

Start PCA Pump Prototype implementation

Create AADL/BLESS to SPARK Ada translations

Based on Ocarina

Verification:

Implemented PCA Pump Prototype

Translated AADL models to SPARK Ada

Small separated module

SPARK Ada on BeagleBoard-xM

AdaCore cross compiler for ARM-based device

(tested on Android)

Cooperation with AdaCore to run CrossCompiler

GNAT cross compiler for ARM-based devices

Supported platforms: Linux x86

AADL/BLESS to SPARK Ada

Translation schemas based on “Programming Language Annex Document”

Data types (scalars, enums, records, arrays)

Ports (event, data, in/out)

Threads to tasks

Subprograms

Feature groups

Packages

Property sets

BLESS to SPARK translations based on consultation with Brian Larson

Port-based communication

PCA Pump Prototype implementation

Implemented prototype in SPARK 2005

Data types

Operational module

PCA Pump actuator module (PCA Engine)

Simplified PCA Pump translated from AADL models

PCA Pump Verification

Implemented PCA Pump verification with SPARK toolset

Verification of module for maximum dose monitoring

SPARK 2005

SPARK Tools (Examiner, SPARKSimp, POGS)

Bakar Kiasan

SPARK 2014

GNATprove

Contributions

Developed approach for running SPARK/Ada programs on

BeagleBoard-xM platform

Created PCA Prototype in SPARK 2005 (Ravenscar profile)

running on BeagleBoard-xM

Designed AADL/BLESS to SPARK Ada translation schemas

Translated simplified AADL models of PCA Pump to SPARK Ada

Demonstrated example verification of PCA pump:

SPARK 2005 tools

Bakar Kiasan

GNATprove

Problems

SPARK limitations

Lack of industry experience in SPARK Ada

No consultation with domain experts

Technologies and tools are under development:

SPARK 2014

BLESS

Small community and limitation of resources:

728 Ada related questions on StackOverflow

3 SPARK Ada related questions on StackOverflow

673,721 C# questions and 682,308 Java questions on StackOverflow

Future work Consultation with industry expert (in safety critical systems development)

Automatic translator

Translation extension:

AADL properties

Try apply generics for data translation

Try child/nested packages for feature group mapping

Decomposition

Extend BLESS mapping (states and transitions)

Translations for SPARK 2014

Review port communication

Extend PCA Prototype functionalities