A Healthcare Case Study (Extended abstract)

Similar documents
Using Agent-Based Methodologies in Healthcare Information Systems

STUDY ON FIREWALL APPROACH FOR THE REGRESSION TESTING OF OBJECT-ORIENTED SOFTWARE

WHO WE ARE MISSION STATEMENT

Translational scientist competency profile

THE AXIOMATIC APPROACH IN THE UNIVERSAL DESIGN THEORY

REAL-TIME SYSTEMS SAFETY CONTROL CONSIDERING HUMAN MACHINE INTERFACE

19 and 20 November 2018 RC-4/DG.4 15 November 2018 Original: ENGLISH NOTE BY THE DIRECTOR-GENERAL

The Rodin Platform. Jean-Raymond Abrial. 2nd Rodin Industrial Day. September 10th 2007

Handling Failures In A Swarm

Model-Based Testing. CSCE Lecture 18-03/29/2018

STPA FOR LINAC4 AVAILABILITY REQUIREMENTS. A. Apollonio, R. Schmidt 4 th European STAMP Workshop, Zurich, 2016

Failure modes and effects analysis through knowledge modelling

PERFORMANCE MODELLING OF RECONFIGURABLE ASSEMBLY LINE

Co-evolution of agent-oriented conceptual models and CASO agent programs

Object-Oriented Design

Here we will briefly give you the following information (like very short and oversimplified overview and conclusions):

Adaptive Action Selection without Explicit Communication for Multi-robot Box-pushing

The secret behind mechatronics

DSM-Based Methods to Represent Specialization Relationships in a Concept Framework

MAS336 Computational Problem Solving. Problem 3: Eight Queens

Industry 4.0. Advanced and integrated SAFETY tools for tecnhical plants

Designing Semantic Virtual Reality Applications

CHAPTER 1: INTRODUCTION TO SOFTWARE ENGINEERING DESIGN

An Integrated Modeling and Simulation Methodology for Intelligent Systems Design and Testing

Towards Integrated System and Software Modeling for Embedded Systems

AN AUTONOMOUS SIMULATION BASED SYSTEM FOR ROBOTIC SERVICES IN PARTIALLY KNOWN ENVIRONMENTS

The AMADEOS SysML Profile for Cyber-physical Systems-of-Systems

Data Flow Modelling. Fault Tolerant Systems Research Group. Budapest University of Technology and Economics

Issues in Emerging Health Technologies Bulletin Process

Structural Analysis of Agent Oriented Methodologies

Validation Plan: Mitchell Hammock Road. Adaptive Traffic Signal Control System. Prepared by: City of Oviedo. Draft 1: June 2015

Ministry of Justice: Call for Evidence on EU Data Protection Proposals

Chapter 2 Mechatronics Disrupted

Verification & Validation

A MARINE FAULTS TOLERANT CONTROL SYSTEM BASED ON INTELLIGENT MULTI-AGENTS

Guidelines for Modelling Reactive Systems with Coloured Petri Nets

A State Equivalence and Confluence Checker for CHR

HELPING THE DESIGN OF MIXED SYSTEMS

INTELLIGENT SOFTWARE QUALITY MODEL: THE THEORETICAL FRAMEWORK

UNIT-III LIFE-CYCLE PHASES

An Ontology for Modelling Security: The Tropos Approach

Reduce cost sharing and fees Include other services. Services: which services are covered? Population: who is covered?

Easy To Use Electronic Pipettes Reduce Burden On Researchers

To Model or Not to Model? Formalizing the Conceptual Modeling Thought Process to Benefit Engineers and Scientists

A Unified Model for Physical and Social Environments

24 Challenges in Deductive Software Verification

A NEW SIMULATION FRAMEWORK OF OPERATIONAL EFFECTIVENESS ANALYSIS FOR UNMANNED GROUND VEHICLE

Cognitive dimensions and grounded theory in learning software modeling.

Engineering Autonomy

Advances and Perspectives in Health Information Standards

TOWARDS AN UNIFIED APPROACH FOR MODELING AND ANALYSIS OF REAL-TIME EMBEDDED SYSTEMS USING MARTE/UML

Robot Task-Level Programming Language and Simulation

AGENT PLATFORM FOR ROBOT CONTROL IN REAL-TIME DYNAMIC ENVIRONMENTS. Nuno Sousa Eugénio Oliveira

IMAGE ANALYSIS BASED CONTROL OF COPPER FLOTATION. Kaartinen Jani*, Hätönen Jari**, Larinkari Martti*, Hyötyniemi Heikki*, Jorma Miettunen***

Institute of Theoretical and Applied Mechanics AS CR, v.v.i, Prosecka 809/76, , Praha 9

Examining the CARA Specification. Elsa L Gunter, Yi Meng NJIT

SWEN 256 Software Process & Project Management

Modelling of robotic work cells using agent basedapproach

55. IWK Internationales Wissenschaftliches Kolloquium International Scientific Colloquium

SAFETY CASE PATTERNS REUSING SUCCESSFUL ARGUMENTS. Tim Kelly, John McDermid

Formalising Concurrent UML State Machines Using Coloured Petri Nets

Biometrics 2/23/17. the last category for authentication methods is. this is the realm of biometrics

Robots in the Loop: Supporting an Incremental Simulation-based Design Process

Guidance of a Mobile Robot using Computer Vision over a Distributed System

Unit 5: Unified Software Development Process. 3C05: Unified Software Development Process USDP. USDP for your project. Iteration Workflows.

Towards an MDA-based development methodology 1

Mobile UNITY: Reasoning and Specification in Mobile Computing

Introduction to Real-time software systems Draft Edition

Modeling Supervisory Control of Autonomous Mobile Robots using Graph Theory, Automata and Z Notation

QbD Application in Japan: PMDA Perspective

Failures: Their definition, modelling & analysis

Dr Daniela Cancila. Laboratoire des composants logiciels pour la Sécurité et la Sûreté des Systèmes (L3S)

An "asymmetric" approach to the assessment of safety-critical software during certification and licensing

Software Project Management 4th Edition. Chapter 3. Project evaluation & estimation

Prof. Steven S. Saliterman. Department of Biomedical Engineering, University of Minnesota

Safety of programmable machinery and the EC directive

CADTH HEALTH TECHNOLOGY MANAGEMENT PROGRAM Horizon Scanning Products and Services Processes

Virtual Reality Immersion: A Tool for Early Human Factors Intervention

About Software Engineering.

Analysing UML 2.0 activity diagrams in the software performance engineering process

Strategic Considerations when Introducing Model Based Systems Engineering

WEB-BASED QUALITY CONTROL OF PRECAST CONCRETE

Requirements Gathering using Object- Oriented Models

reusing design experience for petri nets through patterns Matthias Gries, Jorn W. Janneck, Martin Naedele Computer Engineering and Networks Laboratory

Model 9302 Amplifier-Discriminator Operating and Service Manual

The Behavior Evolving Model and Application of Virtual Robots

Safety Manual VEGATOR 121, 122. With SIL qualification. Document ID: 49221

DESIGN TYPOLOGY AND DESIGN ORGANISATION

Alessandro Cincotti School of Information Science, Japan Advanced Institute of Science and Technology, Japan

Use of Multi-Mode Methods in Census Data Collection

Logic Solver for Tank Overfill Protection

How to Keep a Reference Ontology Relevant to the Industry: a Case Study from the Smart Home

ON THE EVOLUTION OF TRUTH. 1. Introduction

Synergy Model of Artificial Intelligence and Augmented Reality in the Processes of Exploitation of Energy Systems

MATHEMATICAL MODELS Vol. I - Measurements in Mathematical Modeling and Data Processing - William Moran and Barbara La Scala

Definitions proposals for draft Framework for state aid for research and development and innovation Document Original text Proposal Notes

Available online at ScienceDirect. Procedia Computer Science 56 (2015 )

UML based risk analysis - Application to a medical robot

Deviational analyses for validating regulations on real systems

How to turn any breadboarded circuit into a valid troubleshooting assessment

Transcription:

A Healthcare Case Study (Extended abstract) The MATISSE-project 1 L. Petre, E. Troubitsyna and M. Waldén 2 Åbo Akademi University / TUCS Finland 1. Motivation for using formal methods Within our healthcare case study we develop a safety-critical drug discovery system. When developing safety-critical systems, it is necessary to satisfy not only functional requirements defining the set of tasks to be performed by the system, but also safety requirements describing which characteristics the system should possess in order to ensure proper safety. Safety and reliability are acute issues for these systems under construction [Storey96, Troub00]. Reliability means the correct functioning of the system under a given set of operating conditions. It should guarantee an extremely high precision and a constant level of quality of experiments to be performed. Enhancement of safety and reliability can be achieved by applying formal methods. In the past few years regulatory requirements for drug discovery systems have tightened. Due to this there is a need to introduce formal methods in the development lifecycle to prepare for future regulations. Hence, we introduce a UMLbased development process that incorporates safety analysis and interfaces with a formal development in B-action systems. A more detailed description of the development process can be found elsewhere [PTWBEJ01]. 2. The integrated development process proposed for the case study Within the healthcare case study we propose to depict the informal requirements with UML diagrams. UML (the Unified Modeling Language) is a graphical language for specifying, visualizing, developing and documenting software-intensive systems [UML1.4]. Due to its scalable approach UML is suitable for producing the initial specification of a control system. Already the initial specification should ensure safety and be proved to be consistent. This can be achieved by translating the UML specification into B-action systems [BW96,WS98]. The translation is supported by the tool U2B [SB00]. The B-action systems is a formalism for supporting the development of complex distributed systems. The B Method [Abrial96] and its associated tool Atelier B [Steria96] provide us with a good mechanised support for the consistency proof of the B-action systems. Using superposition refinement we stepwise add more functionality to the specification and turn it into a more concrete and deterministic system. In each step, safety properties of the system are preserved. Each step is proved using the provers of Atelier B. During the refinement procedure the system is also transformed into a modular form from the control system s point of view. A component in the final contol system will consist of a collection of sensors, actuators, plant, and controller entities. Safety and reliability considerations are incorporated into the entire process. We have UML statechart diagrams as a graphical documentation of the whole B-action systems development, since we keep the two specification models consistent with each other. Hence, UML provides us with consistent documentation means at every stage of the development process. Our contribution here is to establish an interface between a UML-based development process and safety analysis together with correctness proofs within B-action systems. 1 IST-1999-11435, http://www.matisse.qinetiq.com/ 2 Financing from the Academy of Finland. 1

3. Presentation of the healthcare case study PerkinElmer Life Sciences designs, manufactures and markets analytical systems for use in drug discovery, mass population screening, and other bioresearch and clinical diagnostics areas. The systems are used to provide researchers and clinicians with reliable determinations of difficult to measure substances found in blood or other biological sample materials. A team at Åbo Akademi University is conducting a parallel development of a new product of PerkinElmer s Fillwell, a microplate liquid handling workstation preparing samples [PE01]. The system belongs to the class of products for drug discovery and bioresearch. The Fillwell workstation offers advanced features in the line of the sample preparation systems, such as plate replication, dilution and transfer of liquid in the plates, as well as rapid plate filling to homogenous and cell based systems. The Fillwell base unit consists of a dispense head dispensing liquid into microplates on a processing table. A gantry moves the dispense head with high precision and speed from one plate to another. The system is modular and can function as a standalone workstation or be integrated into a robot. The FillWell system is a safety-critical system. Safety is the property of a system, which ensures that it will not harm humans, environment or equipment. The direct harm to the humans using the drug discovery systems is quite moderate according to the classification for normal safety-critical systems. However, the indirect harm caused by the results of incorrectly performed experiments might be catastrophic. Furthermore, the system can be used to handle extremely expensive substances (valued up to a billion EURO per kg) as well as serve as a part of an expensive production chain. Hence, failures of such a system might result in significant economical losses and the system can also be considered as money critical. 4. Safety aspects of the development The development process should ensure safety and reliability of the system under construction. Therefore, we need to incorporate safety analysis in the development process. Only if safety and reliability attributes are considered from the early stages of the system development, the required dependability of the system can be achieved. The safety requirements result from safety analysis, which includes hazard analysis, assignment of dependability attributes and assessment of system criticality [Storey96]. Hazard analysis allows the designers to identify the potential danger associated with a system. It includes hazard identification, classification and decision on methods required to handle the hazards. Hazard analysis supplies information regarding routine system behaviour, behaviour in presence of failures, and failure modes of system components. While designing software for safety-critical systems, it is necessary to ensure that the suggested design does not introduce additional hazards. Moreover, we should ensure that the controlling software reacts promptly on hazardous situations by trying to force the system back to a safe state. We conduct the software development hand-in-hand with the safety analysis. The safety analysis starts by identifying hazards that are potentially dangerous in the abstract specification. The analysis proceeds by producing detailed descriptions of the hazards and finding the means to cope with them while stepwise refining the system. To incorporate the results of the safety analysis in a systematic way in the refinement process the following methodological aspects should be modelled: - fault occurrence and detection, - system behaviour in the presence of faults, - synchronization in the presence of faults, - different operating modes and transitions between modes including the system failure. 2

5. UML-development incorporating safety aspects We have defined a method for using UML for designing a control system specification [PS00], where the informal requirements of the system are depicted with UML diagrams. The functional requirements are captured together with their relationships in a use case diagram. Each use case expresses a service that the system will provide to a user. For example, the functional requirements of the Fillwell is to aspirate from and dispense liquid into plates, as well as to move the operating head vertically and horisontally. The reliability and safety issues of the system are given in the specification of the use cases as structured English text. The logically related use cases are determined, and grouped together into control system components in component and class diagrams. The component diagram is deduced from the use case diagram. Each use case can be mapped to a component service. The dynamic behaviour of the component is then specified with statechart diagrams. The informal specification of the system is given as a primitive statechart diagram as shown in Fig. 1. The services in the diagram are derived from the services in the use case diagrams. We merely model state transitions and events causing these transitions at this level. We then gradually capture the details of the services in refined and more complex statechart diagrams. Fig. 1: A primitive statechart diagram for a component. 6. B-action systems in the development In order to prove the consistency of the initial specification, we need a formal analysis tool. A formal method that comes with such tools is the B Method [Abrial96]. We rely here on one of the tools supporting it, Atelier B [Steria96], when performing the development and the proving. In order to be able to reason about distributed systems within the B Method we use B-action systems [WS98] related to Event based B [ClearSy01]. The abstract specification. The first task in our formal development is to create an abstract B-action system from the statechart diagram in Fig. 1. The tool U2B [SB00] supports this translation. The B-action system is identified by a unique name, Component. The attributes/variables of the system are given in the VARIABLES-clause. In the basic statechart diagram the attributes cmd, corresponding to the services, and state form the variables of the system. The types and the invariant properties of the local variables are given in the INVARIANT-clause and their initial value in the INITIALISATION-clause. The operations/ services on the variables are given in the OPERATIONS-clause. Each transition of the statechart diagram corresponds to an operation in this clause. The operation Service1 models the proper execution of the command serv1, while Service1_ok refer to its succesful result. 3

MACHINE Component VARIABLES state, cmd INVARIANT state : {Idle,Service1,Service2,Service3,Suspension,Abort} /\ cmd : {serv1,serv2,serv3} INITIALISATION state := Idle cmd :: {serv1,serv2,serv3} OPERATIONS Service1 = SELECT cmd = serv1 /\ state = Idle THEN state := Service1 END; Service1_fail = SELECT cmd = serv1 /\ state = Idle THEN state := Suspension END; Service1_ok = SELECT state = Service1 THEN state := Idle END; Service1_notok = SELECT state = Service1 THEN state := Suspension END; Service_notready = SELECT state = Idle THEN state := Suspension END; Remedy = SELECT state = Suspension THEN state :: {Idle,Service1,Service2,Service3} END; Failure = SELECT state = Suspension THEN state := Abort END END Already in the initial specification we reserve a possibility of fault occurrence and system failure. The actions Service1_fail and Service1_notok in the machine Component above model failures of the execution of a command serv1. There is also a possibility of spontaneous fault occurrence even when a service is not requested, as modelled by the action Service_notready. In all these failure actions the system reacts on fault occurrence by entering state Suspension. From that state the system tries to execute a recovery procedure and continue functioning as specified by the action Remedy. When the fault tolerance limit has been reached and the system cannot carry out its functions anymore we have a failure of the system and enter state Abort. In Component we model this with the action Failure. This action represents the transition of the system into a fail-safe state. With this B-action system we model parallel and distributed systems, where operations are selected for execution in a non-deterministic manner. The operations are given in the form Oper = SELECT P THEN S END, where P is a predicate on the variables (also called a guard) and S is a substitution statement. When P holds the operation Oper is said to be enabled. Only enabled operations are considered for execution. When there are no enabled operations the system terminates. The operations are considered to be atomic, and hence, only their inputoutput behaviour is of interest. Refining the system. An important feature coming with the B-action systems formalism consists in the possibility of stepwise refining specifications. The refinement is a process transforming a specification A into a system C when A is abstract and non-deterministic and C is more concrete, more deterministic and preserves the functionality of A. A particular refinement method consists in adding new functionality to a specification, i.e., new variables and substitutions on these, in a way that preserves the old behavior. This type of refinement is referred to as superposition refinement. When dealing with complex control systems it is especially convenient to stepwise introduce details about the system to the specification and not to have to handle all the implementation issues at once. In the refinement process we identify the attributes suggested in the complex statechart diagram and the use case descriptions. These attributes/variables are then added gradually to the specification with their safety conditions and properties from the requirements specification. We add the computation concerning the new variable to the existing operations by strengthening their guards and adding new substitutions on the variables. New operations that only assign the new variables may also be introduced. In the Fillwell we introduce coarse grained vertical (ref_point) and 4

horisontal (plate_pos) positioning for the operating head in the first refinement step and in later steps add more information on these positions (offset, internal_pos). As the system development proceeds we obtain more elaborated information about faults and conditions of failure occurrence. The refinement step introduces a distinction between faults. The operation Service1_fail models fault resulted from an attempt to provide a service from an incorrect initial state. This situation might be caused by faults occurred previously or by a logical error in the calling command. For example, in the Fillwell the operating head might be too high up to dispense liquid in a safe manner. The operation Service1_notok models fault occurrence during the execution of the action, the postcondition of Service1 is false. These kinds of faults are caused by the physical failures of the system components involved in the execution. For example, the Fillwell operating head does not reach its destination. We also introduce a distinction between different repair procedures by adjusting the Remedy operation for each fault accordingly. The safety analysis proceeds by an identification of different failure modes of the system. It is conducted by considering the consequences of multiple faults. We proceed by specifying statuses of components (failed or functioning), specifying system failure modes and finally by introducing error messages. Using Atelier B we can formally prove that the refinement is sound. For this a number of proof obligations [BW96,WS98] are generated automatically by Atelier B with the help of the Evt2b translator [ClearSy01]. The proof obligations can be discharged using the autoprover and interprover in Atelier B. 7. Conclusion As reliability of software applications is now a central concern, we witness an increased need for a better balance between the theoretical and the practical sides of computer science. The goal of the software industry is to have a tool-assisted, well-defined software development process that includes safety and correctness evaluation of the deliverables and is usable in a timely fashion, i.e., it is predictable. Here we propose a process that covers as much as possible of the development life cycle by formal methods. Furthermore, the process integrate informal and formal languages and methods, most notably UML, safety analysis and B-action systems including tool support. We consider that this combination will facilitate the acceptance of formal methods in general for industrial use. 8. References [Abrial96] J.-R. Abrial. The B-Book: Assigning Programs to Meanings. Cambridge University Press, 1996. [BW96] M. Butler and M. Waldén. Distributed system development in B. Proceedings of the 1 st Conference on the B Method, Nantes, France, pp 155-168, November 1996. [ClearSy01] Event B Reference Manual (Draft) v1. ClearSy, 2001. [PE01] Fillwell 2002 Features Guide. Via http://lifesciences.perkinelmer.com/. [PS00] L. Petre and K. Sere. Developing Control Systems Components. In Proceedings of IFM'2000 - Second International Conference on Integrated Formal Methods, Germany, November 2000. LNCS 1945, pp. 156-175, Springer-Verlag. [PTWBEJ01] L. Petre, E. Troubitsyna, M. Waldén, P. Boström, N. Engblom and M. Jansson. Methodology of integration of formal methods within a healthcare case study. TUCS Technical Reports, No 436, Turku Centre for Computer Science, Finland. To appear. [SB00] C. Snook and M. Butler. U2B Downloads. http://www.ecs.soton.ac.uk/~cfs98r/u2bdownloads.htm [Steria96] Stéria Méditerranée. Atelier B. France, 1996. [Storey96] N. Storey. Safety-critical computer systems, Addison-Wesley, 1996 [Troub00] E. Troubitsyna. Stepwise Development of Dependable Systems. Turku Centre for Computer Science, TUCS, Ph.D. thesis, No 29, June 2000. [UML1.4] [WS98] Unified Modeling Language (UML) 1.4 specification. http://cgi.omg.org/cgi-bin/doc?formal/01-09-67 M. Waldén and K. Sere. Reasoning About Action Systems Using the B-Method. Formal Methods in Systems Design 13(5-35), 1998. Kluwer Academic Publishers. 5

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback