
Our process relies on seven formalisms, which we now document and explain. An instantiation of the architecture from Figure 2.3 corresponding to the PCA interlock app from Section 2.1.5 is shown in Table 5.1.

Definition 2: Component — As discussed in step one of the process, we define a component as a five-tuple, $(m, S, r, I, Sub)$, where:

• $m$ is a unique identifier

• $S$ is the set of concrete states that the component can be in

• $r \in \{\text{sensor}, \text{controller}, \text{controlledprocess}, \text{actuator}, \text{top}\}$ is the component's role

• $I$, a set of pairs $(name, dir)$, is the set of interaction points that the component uses to communicate with other components in its environment

– $dir \in \{in, out\}$ is a direction

• $Sub$ is the set of subcomponents that this component decomposes into

We write $I^{in}_m$ and $I^{out}_m$ to denote the set of $m$'s interaction points where $dir = in$ or $dir = out$, respectively. We denote the concrete states of $m$ as $S_m$, and we write the concrete environmental states of $m$ as $S^r_m$, which reflects our finding that a component's view of its environment is role-specific.

Definition 3: Concrete Undesirability — Given a component $m$, $n \in S_m$ (a concrete state of $m$), $x \in S^r_m$ (a concrete state of $m$'s environment), and $u$ (a notion of undesirability), we define the relation $(n, x) \VDash u$ (using a double-struck turnstile, $\VDash$, to denote undesirability), where:

• $(n, x) \VDash u$ signifies that the observable aspects of $n$ are undesirable with regards to $u$ when $m$ is in state $n$ and its environment is in state $x$

• $(n, x) \nVDash u$ signifies that the observable aspects of $n$ are not undesirable with regards to $u$ when $m$ is in state $n$ and its environment is in state $x$

When this relation holds, it means that m is observably undesirable according to u when it is in state n and its environment is in state x; thus, this definition represents a formalization of Definition 1.

Definition 4: Distinguishability — As discussed in step three of the process, we want to be able to say, when given two concrete states (which we term $n_1$ and $n_2$ if they are states of a component and $x_1$ and $x_2$ if they are states of a component's environment), whether the states are equivalent to one another according to $u$. That is, we define the equivalence relation $\sim_u$ where:

• $n_1, n_2 \in S_m : n_1 \sim_u n_2 \iff \forall x \in S^r_m,\ \big(((n_1, x) \VDash u) \land ((n_2, x) \VDash u)\big) \lor \big(((n_1, x) \nVDash u) \land ((n_2, x) \nVDash u)\big)$

• $x_1, x_2 \in S^r_m : x_1 \sim_u x_2 \iff \forall n \in S_m,\ \big(((n, x_1) \VDash u) \land ((n, x_2) \VDash u)\big) \lor \big(((n, x_1) \nVDash u) \land ((n, x_2) \nVDash u)\big)$

Intuitively, the first relation holds if two component states produce the same result under $\VDash$ for all environmental states of $m$ (that is, the states are indistinguishable to $u$). Similarly, the second relation holds if two environmental states produce the same result under $\VDash$ for all component states.

Definition 5: Abstraction — As discussed in step four of the process, given a component $m$ and a notion of undesirability $u$, we partition the concrete states of the component and its environment into a set of representative abstract states, which we denote with a hat (using the notation $S/\sim_u$ for a collection of equivalence classes from, e.g., Beachy and Blair [105]). That is, $\mathrm{Abs}(m, u) = (\hat{S}^m_u, \hat{S}^{rm}_u)$, where:

• $\hat{S}^m_u = S_m / \sim_u$

• $\hat{S}^{rm}_u = S^r_m / \sim_u$

For convenience, we often want to speak of individual (representative) abstract states, even though $\hat{S}^m_u$ and $\hat{S}^{rm}_u$ are sets of equivalence classes. When we write $n \in \hat{S}^m_u$, we mean that $n$ is a representative of the equivalence class $[n] \in \hat{S}^m_u$. For example, for the pulse oximeter, we write "1%" as the canonical representative of the equivalence class of concrete sensor readings that would be reported to the clinician through a pulse oximeter's display panel as 1%. On the other hand, the abstract states for the pump (relative to the notion of pumping when unsafe) are GiveDrug, which abstracts all the states where the pump is running, and NoDrug, which abstracts the states where it is not pumping. Examples of this notation (and this definition) are in Table 5.1.

Definition 6: Abstract Undesirability — Corresponding to process step four, given an abstract state $n$ of component $m$ and a notion of undesirability $u$, we define $\mathrm{Undes}(n) = (\hat{\mathbf{S}}^m_{u,n}, \hat{\mathbb{S}}^m_{u,n})$ (using the convention that a double-struck letter, e.g., $\mathbb{S}$, signifies desirability while a boldface letter, e.g., $\mathbf{S}$, signifies undesirability), where:

• $\hat{\mathbf{S}}^m_{u,n} = \{x \in \hat{S}^{rm}_u \mid (n, x) \VDash u\}$

• $\hat{\mathbb{S}}^m_{u,n} = \{x \in \hat{S}^{rm}_u \mid (n, x) \nVDash u\}$

This relation uses $\VDash$ to split (according to $u$) the abstract environmental states of component $m$ (when it is in state $n$) into two subsets: those that are undesirable ($\hat{\mathbf{S}}^m_{u,n}$) and those that are not ($\hat{\mathbb{S}}^m_{u,n}$). For example, given the abstract pulse oximeter state of 95%, and wanting to avoid overestimating the patient's respiratory health, any environmental state where the patient's true SpO2 is below 95% would be undesirable. Similarly, if the pump is running (GiveDrug), it is clearly undesirable for the patient to be in such a state that more analgesic will lead to an overdose (ShldntGiveDrug). Table 5.1 gives examples of $\hat{\mathbf{S}}^m_{u,n}$ and $\hat{\mathbb{S}}^m_{u,n}$ for some components of the PCA Interlock scenario.

Abstraction functions necessarily destroy information about their input in order to produce their (simplified) outputs. The end result of Definitions 5 and 6 is a collection of abstract states, in $\hat{\mathbf{S}}^m_{u,n}$ and $\hat{\mathbb{S}}^m_{u,n}$, that preserve the undesirability (or its absence) from the concrete states of $m$ relative to $u$. That is, these functions preserve only whether or not a particular component state is undesirable relative to some notion that the analyst wants to avoid. If an analyst were to compare a real-world system to the output of Definition 6, she would note that the only correspondence between the two would be the undesirability of the system's components' states relative to $u$.

Definition 7: Environmental Awareness — Given a subset of component $m$'s incoming interaction points $J \subseteq I^{in}_m$ and a subset of the concrete states of $m$'s environment $X \subseteq S^r_m$, we define the relation $J \Rrightarrow X$, where:

• $J \Rrightarrow X$ signifies that $m$ will know when it is in any state $x \in X$ if every $i \in J$ is connected when the system is instantiated.

• $J \not\Rrightarrow X$ signifies that $m$ will not know when it is in one or more $x \in X$ even if every $i \in J$ is connected when the system is instantiated.

Intuitively, this relation describes which interaction points carry information that can inform the component what state its environment is in. J is a set of input interaction points (e.g., “SpO2”) and X is a set of environmental states (e.g., “Patient’s blood-oxygen saturation is 98%”).

Definition 8: Avoidance — As discussed in the final step of the process, given a component $m$ and a notion of undesirability $u$, we define $\mathrm{Avoid}(m, u) = I^m_u$, where:

• $I^m_u = \{J \subseteq I^{in}_m \mid \forall n \in \hat{S}^m_u,\ J \Rrightarrow \hat{\mathbf{S}}^m_{u,n}\}$

This definition leverages the set of undesirable abstract states ($\hat{\mathbf{S}}^m_{u,n}$) from Definition 6 and the relation ($\Rrightarrow$) from Definition 7 to derive the set of input interaction points necessary to avoid a particular notion of undesirability. The final row of Table 5.1 has examples of its application to the components of the PCA interlock scenario. For example, in order for the pulse oximeter to avoid overestimating the patient's respiratory health, a system composition would need to provide the device with access to the patient's blood. Similarly, in order for the PCA pump to avoid running when it should not, it must have access to pump commands from a controller.