Summary: This dissertation introduced how the timing aspects of safety-critical systems can be modeled, verified, and implemented, demonstrating the approach through the PCA pump case study. By separating the concerns of the platform-independent and the platform-dependent timing aspects, the timed behavior of a system can be modeled, verified and implemented independently of platform-specific timing aspects. Such a development framework enables software not only to be reused across a range of platforms, but also to be developed in the absence of platform-specific timing information. In addition, such a decoupled development process allows a system to be modeled at different levels of abstraction, using modeling languages that can appropriately express each abstraction layer. In our work, we used a state-transition formalism (e.g., timed automata in UPPAAL) to abstract the input/output timed behavior of the platform-independent aspect, while architectural modeling (e.g., AADL) is used to abstract the platform-dependent aspects, such as the thread components and the interactions with sensors and actuators.
However, because the software is developed independently of any particular platform, integrating it with a given platform does not by itself guarantee that the final implementation preserves the timing constraints verified in the platform-independent model: how the timing overhead introduced by the chosen platform affects the timed behavior of the platform-independent model is not accounted for. Therefore, our integration stage provides two different approaches to check whether such an integration can be performed while conforming to the timing constraints. The first approach is to systematically extend the platform-independent model into a platform-specific model that explicitly models the timing overhead of the platform. The platform-specific model then has timed behavior similar to that of the final implementation, so it can be formally verified to check whether the timing constraints are satisfied at the implementation level. The second approach is to optimize the platform-independent code by adjusting the timing parameters of the platform-independent model so that the platform-specific timing overhead is appropriately compensated and the timing constraints hold in the final implementation. Hence, as long as the code is integrated with the platform whose overhead was used to adjust the timing parameters, the implementation guarantees the timing constraints that have been verified in the platform-independent model.
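The two integration approaches above can be illustrated with interval arithmetic on delay bounds. The following is an added example, not code from the dissertation or the PCA pump case study: it assumes that a timing parameter of the platform-independent model is a delay interval (as a timed-automaton guard/invariant pair would give), that the platform's overhead between an input event and its observable output is known as a best-case/worst-case interval, and that a timing constraint is an admissible interval for the end-to-end response. All numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi] of delays, in milliseconds (unit assumed)."""
    lo: float
    hi: float

    def shift(self, other: "Interval") -> "Interval":
        # Sum of two independent delay intervals: the earliest combination is
        # lo+lo, the latest is hi+hi, and everything between is reachable.
        return Interval(self.lo + other.lo, self.hi + other.hi)

    def within(self, bound: "Interval") -> bool:
        return bound.lo <= self.lo and self.hi <= bound.hi


def platform_specific_delay(model: Interval, overhead: Interval) -> Interval:
    """Approach 1 (first half): extend the platform-independent delay with the
    platform overhead, giving the delay range the implementation will exhibit."""
    return model.shift(overhead)


def verify_on_platform(model: Interval, overhead: Interval, constraint: Interval) -> bool:
    """Approach 1 (second half): check the constraint at the implementation level,
    i.e., against the extended (platform-specific) delay."""
    return platform_specific_delay(model, overhead).within(constraint)


def compensate(model: Interval, overhead: Interval, constraint: Interval) -> Optional[Interval]:
    """Approach 2: tighten the model's timing parameter so that, once the platform
    overhead is added, the implementation still meets the constraint.

    The admissible range for the model parameter is
        [constraint.lo - overhead.lo, constraint.hi - overhead.hi];
    we keep the intersection with the original parameter so that behaviour the
    model already allowed is only narrowed, never widened. Returns None when the
    intersection is empty, meaning this platform's overhead cannot be absorbed by
    tightening alone and the parameter (or platform) has to be re-chosen.
    """
    lo = max(model.lo, constraint.lo - overhead.lo)
    hi = min(model.hi, constraint.hi - overhead.hi)
    if lo > hi:
        return None
    return Interval(lo, hi)


if __name__ == "__main__":
    # Constructed figures: the model reacts to an input after 50..200 ms; the
    # platform adds 10..40 ms of sensing, scheduling and actuation overhead;
    # the requirement is an end-to-end response within 220 ms.
    model = Interval(50, 200)
    overhead = Interval(10, 40)
    constraint = Interval(0, 220)

    print("platform-specific delay:", platform_specific_delay(model, overhead))
    print("constraint met as-is?  ", verify_on_platform(model, overhead, constraint))
    adjusted = compensate(model, overhead, constraint)
    print("adjusted parameter:    ", adjusted)
    if adjusted is not None:
        print("constraint met after adjustment?",
              verify_on_platform(adjusted, overhead, constraint))
```

Running the block shows the point made in the text: the platform-independent parameter [50, 200] is fine in isolation but the extended delay [60, 240] violates the 220 ms bound, so the first approach rejects the integration, while the second approach tightens the parameter to [50, 180], after which the implementation-level delay [60, 220] satisfies the constraint.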
Perspective: This dissertation focused in particular on the safety assurance associated with the timing aspects. Apart from the timing aspects, we believe that it is also worthwhile to discuss the advantages of model-based development in building safety-critical systems from a more general perspective.
The complexity of safety-critical systems is growing fast. Hence, it becomes more challenging to reason about system-wide safety properties, because the many internal interactions occurring across different system layers affect those properties in complicated patterns. Unless this complexity is managed so that the system can be developed traceably, it is hard to expect the final implementation to meet high safety standards.
We believe that model-based development (one example of such an application was demonstrated in this dissertation) is promising in the sense that a system can be formally modeled so that rigorous safety analysis is performed in the early development stage; consequently, implementations are systematically constructed from the verified model. The resulting implementation has a higher safety assurance in comparison to those developed in an ad hoc fashion.
Applying this technique throughout the complete development cycle of building complex systems is challenging. One reason is that modeling languages differ in semantics, expressiveness and verification capability, so some fit certain aspects of a system better than others. The associated modeling, verification and code generation techniques need to be used in concert to reason about the safety of the whole system in order to gain the benefit of model-based development to the fullest extent. We believe that more research has to be conducted, especially regarding such interoperability, for the seamless connection among different modeling languages.
Development cost is an important issue from the industrial perspective. The development cost includes not only the money spent on the system development, but also the time until the system is released to the market and the reviewing effort of the government authorities that approve the system for sale. Even though we have not quantified such a cost in this PCA pump case study, we believe that the overall development cost can be reduced, or is at least worth spending to improve system safety, in comparison to other development processes (i.e., non-model-based development processes) for the following reasons:
Development Cost: Modeling and verification will add cost to the early development stage, since modeling the system to be developed is an additional step. However, those additional modeling costs can be well compensated by the rest of the development: automatic code generation will reduce the implementation cost in comparison to manual coding, and automatic test case generation will reduce the cost in comparison to manual test case generation from informal requirements and specifications.
Maintenance Cost: Model-based development can adapt to users’ requirements, which may change over time, in a cost-effective way. Accommodating even a minor requirement change can be costly in the safety-critical domain, since one needs to argue how the change affects the safety claims that have been established for the existing implementation. In particular, if a system is complex, it is non-trivial to determine how such minor changes will impact the whole system behavior without any means to trace them from the specification level down to the implementation level. In model-based development, by modifying the existing models, one can trace how such changes impact the system behavior through the model verification process. In addition, the modified aspects of the models can be systematically reflected in the implementation and testing process, which will reduce the maintenance cost.