Master Thesis Defense: A Model Driven Development and Verification Approach for Medical Devices Video from defense: https://www.youtube.com/watch?v=YNypDQ8st04 Master Thesis: http://krex.k-state.edu/dspace/bitstream/handle/2097/18222/JakubJedryszek2014.pdf

1. A MODEL-DRIVEN DEVELOPMENT
AND
VERIFICATION APPROACH
FOR MEDICAL DEVICES
Major Professor: John Hatcliff
Committee members: John Hatcliff, Robby, Eugene Vasserman
Jakub Jedryszek
www.jj09.net
Computing and Information Sciences Department
Kansas State University

2. Motivation
 Medical Devices Interoperability
 ICE (Integrated Clinical Environment)
 MDCF (Medical Device Coordination Framework)
 PCA Pump
 Software Verification
 Model-Driven Development

3. Patient-Controlled Analgesia (PCA) Pump
 Method of pain control that gives patients the
power to control their pain
 Operational modes:
 Stopped
 Basal Rate
 Bolus
 Clinician Bolus (Square bolus)
 Keep Vein Open (KVO)

4. Integrated Clinical Environment

5. Integrated Clinical Environment

6. Medical Device Coordination Framework

7. Goals
 Create PCA Pump Prototype:
 ICE PCA Infusion Pump System Requirements
 PCA Pump models
 Analysis of implementation details
 Propose AADL to SPARK Ada translation
 Verify aspects of PCA pump with SPARK tools

8. Technologies
 AADL (Architecture Analysis & Design Language)
 BLESS (Behavior Language for Embedded Systems with Software)
 SPARK Ada programming language

9. AADL (Architecture Analysis & Design Language)
 "UML for hardware and software”
 Used for:
 real-time sytems
 safety critical systems
 embedded systems
 Graphical and textual representation
package Thermometer
public
with Base_Types;
system patient_thermometer
end patient_thermometer;
system implementation patient_thermometer.impl
subcomponents
thermomether : device thermometer_device.impl;
opi : device operator_interface.impl;
connections
tdn : port thermomether.temp -> opi.display;
end patient_thermometer.impl;
device operator_interface
features
display : in data port Base_Types::Integer;
end operator_interface;
device implementation operator_interface.impl
end operator_interface.impl;
device thermometer_device
features
temp : out data port Base_Types::Integer;
end thermometer_device;
device implementation thermometer_device.impl
end thermometer_device.impl;
end Thermometer;

10. BLESS(Behavior Language for Embedded Systems with Software)
 AADL annex sublanguage defining behavior of components
 BLESS’s goal: auto-check correctness proofs of AADL
models of embedded electronic systems with software
 3 AADL Annex Sublanguages:
 Assertion
 subBLESS
 BLESS
thread Some_Thread
features
Some_Port : out event port
{BLESS::Assertion =>
”<<(Var1 < Var2 and COND2())>>”;};
end Some_Thread;
thread implementation Some_Thread.impl
annex BLESS
{**
invariant <<(Some_Var < Other_Var)>>
assert
<<COND2 : :(Var1 > 0)>>
**};
end Some_Thread.impl;

11. Ada
 Programming language:
 Object oriented
 Statically typed
 Designed for safety critical systems
 Railway systems
 Airplanes software (e.g. Boeing 777)
 Medical devices
 (*) Ada was named after Ada Lovelace (1815–1852), who is
credited as being the first computer programmer (women)
with Ada.Text_IO;
use Ada.Text_IO;
procedure Hello is
begin
Put_Line ("Hello, world!");
end Hello;

12. SPARK
 Subset of Ada for Software Verification
 Versions:
 SPARK 83 (based on Ada 83)
 SPARK 95 (based on Ada 95)
 SPARK 2005 (based on Ada 2005)
 SPARK 2014 (based on Ada 2012)
 SPARK 2005 = subset of Ada + code contracts (annotations)
 SPARK 2014 = subset of Ada (code contracts in Ada 2012)
SPARK 2005 (based on Ada 2005) SPARK 2014 (based on Ada 2012)
procedure Inc (X : in out Integer);
--# pre X < Integer’Last;
--# post X = X~ + 1;
procedure Inc (X : in out Integer)
with Pre => X < Integer’Last,
Post => X = X’Old + 1;

13. SPARK – Concurrency
 Ravenscar profile – subset of Ada tasking features designed
for safety-critical hard real-time computing
 RavenSPARK – subset of Ravenscar profile, which allows to
verify concurrent programs with SPARK verification tools
 Used features:
 tasks
 protected types
 Ada.Real_Time library

14. SPARK – Verification
 SPARK 2005
 Examiner
 Simplifier
 ZombieScope
 ViCToR
 POGS
 Bakar Kiasan
 AUnit tests
 SPARK 2014
 GNATprove
 Bakar Kiasan v2
 Verification Conditions (VC)
 array index out of range
 type range violation
 division by zero
 numerical overflow
 Dead Path Conjectures (DPC)

15. Platform for PCA Pump Prototype
 BeagleBoard-xM
 Single-board computer produced by Texas
Instrument
 Specification:
 1GHz ARM Processor
 512 MB RAM
 4 USB 2.0 ports
 HDMI port
 Ethernet
 GPIO ports (PWM)
 Linux OS (Angstrom)
http://beagleboard.org/Products/BeagleBoard-xM

16. SPARK Ada on BeagleBoard-xM?
 No native GNAT compiler for ARM-based devices
 No official GNAT cross compiler for ARM-based
devices
 Cross compiler – compiler capable of creating
executable code for a platform other thatn the
on on which the compiler is running

17. Research plan
 Compile SPARK Ada program for BeagleBoard-xM
 SPARK 2005 (single and multithreaded)
 SPARK 2014
 Start PCA Pump Prototype implementation
 Create AADL/BLESS to SPARK Ada translations
 Based on Ocarina
 Verification:
 Implemented PCA Pump Prototype
 Translated AADL models to SPARK Ada
 Small separated module

18. SPARK Ada on BeagleBoard-xM
 AdaCore cross compiler for ARM-based device
(tested on Android)
 Cooperation with AdaCore to run CrossCompiler
 GNAT cross compiler for ARM-based devices
 Supported platforms: Linux x86

19. AADL/BLESS to SPARK Ada
 Translation schemas based on “Programming Language Annex Document”
 Data types (scalars, enums, records, arrays)
 Ports (event, data, in/out)
 Threads to tasks
 Subprograms
 Feature groups
 Packages
 Property sets
 BLESS to SPARK translations based on consultation with Brian Larson
 Port-based communication

20. PCA Pump Prototype implementation
 Implemented prototype in SPARK 2005
 Data types
 Operational module
 PCA Pump actuator module (PCA Engine)
 Simplified PCA Pump translated from AADL models

21. PCA Pump Verification
 Implemented PCA Pump verification with SPARK toolset
 Verification of module for maximum dose monitoring
 SPARK 2005
 SPARK Tools (Examiner, SPARKSimp, POGS)
 Bakar Kiasan
 SPARK 2014
 GNATprove

22. Contributions
 Developed approach for running SPARK/Ada programs on
BeagleBoard-xM platform
 Created PCA Prototype in SPARK 2005 (Ravenscar profile)
running on BeagleBoard-xM
 Designed AADL/BLESS to SPARK Ada translation schemas
 Translated simplified AADL models of PCA Pump to SPARK Ada
 Demonstrated example verification of PCA pump:
 SPARK 2005 tools
 Bakar Kiasan
 GNATprove

23. Problems
 SPARK limitations
 Lack of industry experience in SPARK Ada
 No consultation with domain experts
 Technologies and tools are under development:
 SPARK 2014
 BLESS
 Small community and limitation of resources:
 728 Ada related questions on StackOverflow
 3 SPARK Ada related questions on StackOverflow
 673,721 C# questions and 682,308 Java questions on StackOverflow

24. Future work
 Consultation with industry expert (in safety critical systems development)
 Automatic translator
 Translation extension:
 AADL properties
 Try apply generics for data translation
 Try child/nested packages for feature group mapping
 Decomposition
 Extend BLESS mapping (states and transitions)
 Translations for SPARK 2014
 Review port communication
 Extend PCA Prototype functionalities