This project is a collaboration under the NSF-FDA Scholar-In-Residence (SIR) program. The project focuses on computer-aided methods to facilitate the analysis of software properties of real-time cyber physical systems (CPS) by reverse architecting structures present in the source code. The new idea of this project is to extract and use elements from the source code in order to build architecture analysis and design language (AADL) models. These models are used to systematically evaluate emerging properties (e.g., safety, schedulability, end-to-end latency, and security) using AADL?s capability to analyze the software?s architecture. In practice, AADL models have to be built manually, which is tedious. In this project, a new bridge between AADL models and reverse-engineered architectural structures is sought so that AADL models can be built in an automated fashion. Using these models, implementations of real-time systems can be systematically analyzed for emergent properties using AADL.
The broader impact of this project is that software-based CPS that leverage the contributions of this project are expected to be safer to use in our daily lives. From an engineering standpoint, the work enables organizations to evaluate software properties such as safety and security of real-time systems in less time due to new automation support. In addition, the project is developing a catalog of software structures that facilitate or impede real-time CPS system's safety. The catalog can be used by engineers to build in formally verified software structures at design time, thereby advancing the manner in which new CPS are built and analyzed.
Our vision is to improve the understanding of safety and its relations to software constructs used in medical devices. Our goal is to develop foundations for systematically reasoning about software safety based on views of the implemented source code (software architecture), which directly impacts the safety of the device. We consider a system to be unsafe if it can fail abruptly, including the possibility of harming the user(s) of the system in the form of injuries or deaths. The background is that modern real-time embedded systems such as medical devices are controlled by large amounts of software. If such software fails, it has the potential to cause injury or death. To ensure that the device manufacturer has addressed all safety issues, these devices must be approved by the US Food and Drug Administration (FDA). However, there is a need for new methods because recent studies point to increasing failure rates of medical device software of which some can be linked to the death of patients. Embedded software in medical devices is increasing in content and complexity. For example, state-of-the-art cardiac pacemakers may contain up to 80,000 lines of code (LOC), while infusion pumps may have more than170,000 LOC. These devices must perform safely and effectively, and the FDA has the regulatory responsibility for making determinations about safety and effectiveness in the case for equipment sold in the United States. However, recent studies using the FDA database of medical device failures are pointing to increasing failure rates of medical devices due to software errors. In 1996, 10% of medical devices recalls were caused by software-related issues. In 2006, software errors in medical devices made up 21% of recalls. From 2005 to 2009, more than 10,000 complaints were received annually by the FDA about infusion pumps, including reports of 710 patient deaths linked to problems with these devices. A number of these deaths were attributed to malfunctioning device software. As software in medical devices has become ubiquitous, it is not surprising to see a rise in the number of software-related problems. One way to assess the quality of software is to reason about the software architecture of the implemented source code (in contrast to the intended software architecture as described in design documentation). For example, if the device has modular blocks, this suggests that a) individual blocks can be independently unit tested, and b) the device can be formally verified for safety properties by focusing testing and verification activities on each modular block. A system that is difficult to test and verify most likely has not been tested enough and therefore is less likely to perform as intended. Such software may be considered flawed, potentially unsafe, and must undergo more detailed analysis. In this project, research was performed at the Food and Drug Administration (FDA) to investigate the benefits of integrating architecture analysis into safety evaluations of medical-device software. This research discusses the use of a formal approach, which is based on mathematics, to analyze medical device software based on its reversed software architecture. The approach is general and applicable to any kind of software. In this project, we used as a testbed medical software that controls an infusion pump designed to provide automated assistance for transfusing blood. Due to the complexity in setting up testing environments for medical software, the FDA is unable to conduct large-scale safety testing; instead, it must rely on other techniques to build an argument for whether or not the software is safe. The architecture analysis approach is based on reconstructing abstract, yet precise, architectural views from source code to help build such arguments about safety. The research has developed the Architecture Discovery and Analysis Method (ADAM). ADAM supports the discovery of module and runtime views as well as the analysis of quality attributes, such as testability, performance, and maintainability, of software systems. The premise of ADAM is that the implementation constructs, architecture constructs, concerns, and quality attributes are all influenced by the external entities (e.g., libraries, frameworks, COTS software) used by the system under analysis. The analysis uses such external dependencies to identify, classify, and review a minimal set of key source-code files supported by a knowledge base of the external entities. Given the benefits of analyzing external dependencies as a way to discover architectures and potential risks, it is demonstrated that dependencies to external entities are useful not only for architecture discovery but also for analysis of quality attributes such as safety. ADAM has been evaluated on several critical systems. The results show that this method offers systematic guidelines for discovering the architecture and locating potential risks (e.g., safety, low testability and decreased performance)that are hidden deep inside the system implementation. Also, architectural analysis results can be used to help configure static analysis tools to improve their effectiveness for verifying safety properties.
