A Unified Approach for Modeling, Developing, and Assuring Critical Systems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11244)


Developing and assuring safety- and security-critical real-time embedded systems is a challenging endeavor that requires many activities applied at multiple levels of abstraction. For these activities to be effective and trustworthy, they must be grounded in a common understanding of the system architecture and behavior.

We believe that these activities are best addressed in a unified framework of modeling and programming that enables developers, analysts, and auditors to freely move up and down layers of abstraction, shifting their viewpoints to suit the activities at hand, while maintaining strong traceability across the different layers and views. In this approach, the distinction between “models”, “specifications”, and “programs” is often blurred.

In this paper, we summarize an architecture-centric approach to critical system development and assurance that emphasizes the use of formally specified architectures as the “scaffolding” through which many different activities are organized and synchronized. We provide examples of: (a) analyses, behavioral constraints, and implementations, (b) important abstraction transitions, and (c) key traceability relationships within the framework. We discuss how these features are being used to develop systems on time- and space-partitioned execution and communication platforms for systems in the medical domain. We use an open-source medical device that we are developing, a Patient-Controlled Analgesic (PCA) infusion pump, as a concrete example.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Kansas State University, Manhattan, USA
  2. US Food and Drug Administration, Silver Spring, USA
