emulink: a graphical modelling environment for pvs
DESCRIPTION
Emulink is graphical tool that allows software engineers to create PVS specifications starting from a StateCharts based diagram.TRANSCRIPT
Emulink: a modelling graphical environment for PVS
Candidate: Enrico D'Urso
Supervisors: Prof. Cinzia Bernardeschi; Prof. Andrea Domenici
In collaboration with Queen Mary University Of London
Outline● Motivation ● Development of Emulink
– The graphical modelling language (Emucharts)
– Model visualisation and animation
● Case study– Demonstration of a software design error in a
commercial medical device
Motivation (1)
Software: first failure cause of computing systems
– 10-200 faults / KLOC created during development
0.01-10 faults / KLOC residual
✔ Proof✔ Model-checking✔ Testing
Motivation (2)
Safety cannot rely only on testing.Testing shows the presence, not the absence of bugs. ( Edsger Wybe Dijkstra )
International safety standards such as IEC 61508 highly recommend the use of formal methods in the development of safety critical or safety related components
Verification based on formal methods tools can significantly reduce the number of design errors
Motivation (3)
Formal methods tools have a steep learning curve– Specialized mathematically based modelling languages
– Complex analysis techniques– Not yet mature for widespread use in industry
Several manufacturers do not use formal verification tools routinely despite of the potential advantages– As a consequence, design errors are usually identified too late in
the design process, or even after system deployment
The focus of this thesis
● Develop a graphical tool to simplify the use of PVS, a state-of-the-art formal verification tool
● PVS (Prototype Verification System)– Part of the NASA Langley Verification Tools
– Extensive libraries of mathematical theories
PVS languagePurely declarative logical language(system: set of functions)
HA : THEORYBEGIN x,y : VAR bool HA(x,y) : [bool, bool] = ((x AND y) , % carry (x XOR y)) % sum % convert Boolean to natural b2n(x) : nat = IF x THEN 1 ELSE 0 ENDIF HA_corr : THEOREM % correctness LET (carry, sum) = HA(x, y) IN b2n(sum) + 2*b2n(carry) = b2n(x) + b2n(y)END HA
The intuition
Software engineers are familiar with graphical modelling languages such as Statecharts.
PVS specifications would be more accessible if they were presented using a graphical language similar to Statecharts
Statecharts: an example
Emulink: a graphical modelling environment for PVS
Graphical modelling tool for emulating statecharts in PVS:– Emucharts (essential subset of Statechart constructs)
– Automatic generation of PVS models
– Animation of PVS models during simulations (useful when debugging PVS models)
– Visualisation of existing annotated PVS models
Emucharts editor
Constructs currently supported
● StatesStates● Transition● Self transition● Default transition● Transition Condition● Transition Action
Constructs currently supported
● States● TransitionTransition● Self transition● Default transition● Transition Condition● Transition Action
Constructs currently supported
● States● Transition● Self transitionSelf transition● Default transition● Transition Condition● Transition Action
Constructs currently supported
● States● Transition● Self transition● Default transitionDefault transition● Transition Condition● Transition Action
Constructs currently supported
● States● Transition● Self transition● Default transition● Transition ConditionTransition Condition● Transition Action
Constructs currently supported
● States● Transition● Self transition● Default transition● Transition Condition● Transition ActionTransition Action
Interface simulation
PVSio is an extension that enables PVS specifications to be executed
Emulink: Emucharts animation During the simulation the diagram is animated, highlighting states and transitions
Case study
Infusion pumps are devices in use in hospitals to deliver medications or nutrients to patients at controlled rates and precise volumes
Safety requirement: No over- or under-treatment
Modelling and simulation of the device
Device Source Code
Emulink ModelPVS specification
Device interface animation
PVSio
A critical interface failure
User types 102.3 units
Pump inoculates 1023 units without any warning
For doses above 100 units:
Emulink helps pinpoint the design fault
Conclusions
A graphical tool has been developed to semplify the adoption of formal methods in software development.
The utility of the tool has been demonstrated using a case study based on a real medical device.
Emulink is part of PVSio-web, a graphical frontend for the PVS formal verification tool.
Future work:Extension of the statecharts subset notation supported; Use of the tool in different domains.