Top

Published in:

2016 | OriginalPaper | Chapter

Investigating Safety of a Radiotherapy Machine Using System Models with Pluggable Checkers

Authors : Stuart Pernsteiner, Calvin Loncaric, Emina Torlak, Zachary Tatlock, Xi Wang, Michael D. Ernst, Jonathan Jacky

Published in: Computer Aided Verification

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Formal techniques for guaranteeing software correctness have made tremendous progress in recent decades. However, applying these techniques to real-world safety-critical systems remains challenging in practice. Inspired by goals set out in prior work, we report on a large-scale case study that applies modern verification techniques to check safety properties of a radiotherapy system in current clinical use. Because of the diversity and complexity of the system’s components (software, hardware, and physical), no single tool was suitable for both checking critical component properties and ensuring that their composition implies critical system properties. This paper describes how we used state-of-the-art approaches to develop specialized tools for verifying safety properties of individual components, as well as an extensible tool for composing those properties to check the safety of the system as a whole. We describe the key design decisions that diverged from previous approaches and that enabled us to practically apply our approach to provide machine-checked guarantees. Our case study uncovered subtle safety-critical flaws in a pre-release of the latest version of the radiotherapy system’s control software.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Model Checking at Scale: Automated Air Traffic Control Design Space Exploration

next chapter End-to-End Verification of Processors with ISA-Formal

The manual override exists to enable treatment to continue if a sensor for a machine setting generates a false alarm.

Alloy: a language and tool for relational models (2014). http://alloy.mit.edu/alloy/

Java PathFinder (2015). http://babelfish.arc.nasa.gov/trac/jpf

Safety case for CNTS prescription safety, August 2015. http://neutrons.uwplse.org

Babic, D., Hu, A.J.: Calysto: scalable and precise extended static checking. In: ICSE (2008)

Barnett, M., Rustan, M., Leino, K., Schulte, W.: The Spec# programming system: an overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005)CrossRef

Beringer, L., Petcher, A., Ye, K.Q., Appel, A.W.: Verified correctness and security of openSSL HMAC. In: 24th USENIX Security Symposium (USENIX Security 2015), Washington, D.C., pp. 207–221 (2015). USENIX Association. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/beringer. ISBN:978-1-931971-232

Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings of the 8th Symposium on Operating Systems Designand Implementation (OSDI), San Diego, CA, pp. 209–224, December 2008

Clarke, E., Kroning, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004)CrossRef

Coq development team. Coq Reference Manual, Version 8.4pl5. INRIA, October 2014. http://coq.inria.fr/distrib/current/refman/

10.

Cruanes, S., Hamon, G., Owre, S., Shankar, N.: Tool integration with the evidential tool bus. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) VMCAI 2013. LNCS, vol. 7737, pp. 275–294. Springer, Heidelberg (2013)CrossRef

11.

de Moura, L., Bjørner, N.S.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRef

12.

Denney, E., Pai, G.: Evidence arguments for using formal methods in software certification. In: 2013 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pp. 375–380, November 2013. doi:10.1109/ISSREW.2013.6688924

13.

Denney, E., Pai, G., Pohl, J.: AdvoCATE: an assurance case automation toolset. In: Ortmeier, F., Daniel, P. (eds.) SAFECOMP Workshops 2012. LNCS, vol. 7613, pp. 8–21. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33675-1_2 CrossRef

14.

Dependability Research Group. Safety cases repository, February 2006. http://dependability.cs.virginia.edu/info/Safety_Cases:Repository

15.

Dolby, J., Vaziri, M., Tip, F.: Finding bugs efficiently with a SAT solver. In: FSE (2007)

16.

EPICS. CalcOut Release Notes. http://www.aps.anl.gov/bcda/synApps/calc/calcReleaseNotes.html

17.

EPICS. http://www.aps.anl.gov/epics/

18.

Ernst, M.D., Grossman, D., Jacky, J., Loncaric, C., Pernsteiner, S., Tatlock, Z., Torlak, E., Wang, X.: Toward a dependability case language and workflow for a radiation therapy system. In: Summit on Advances in Programming Languages (SNAPL) (2015)

19.

Gacek, A., Backes, J., Cofer, D.D., Slind, K., Whalen, M.: Resolute: an assurance case language for architecture models (2014). CoRR, abs/1409.4629. http://arxiv.org/abs/1409.4629

20.

Galeotti, J.P.: Software verification using alloy. Ph.D. thesis, University of Buenos Aires (2010)

21.

Greenwell, W.S., Knight, J.C., Holloway, C.M., Pease, J.J.: A taxonomy of fallacies in system safety arguments. In: International System Safety Conference (2006)

22.

Hawblitzel, C., Howell, J., Kapritsos, M., Lorch, J.R., Parno, B., Roberts, M.L., Setty, S., Zill, B.: Ironfleet: proving practical distributed systems correct. In: Proceedings of the 25th Symposium on Operating Systems Principles, SOSP 2015, pp. 1–17. ACM, New York (2015). doi:10.1145/2815400.2815428, ISBN:978-1-4503-3834-9

23.

Holzmann, G.J.: The power of 10: rules for developing safety-critical code. Computer 39(6), 95–97 (2006). doi:10.1109/MC.2006.212. ISSN:0018-9162CrossRef

24.

Holzmann, G.J.: Mars code. Commun. ACM 57(2), 64–73 (2014). doi:10.1145/2560217.2560218. ISSN:0001-0782CrossRef

25.

Jackson, D.: A direct path to dependable software. Commun. ACM 52(4), 78–88 (2009)CrossRef

26.

Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT Press, Cambridge (2012)

27.

Jackson, D., Kang, E.: Property-part diagrams: a dependence notation for software systems. Technical report, Massachusetts Institute of Technology (2009). http://hdl.handle.net/1721.1/61343

28.

Jackson, D., Thomas, M.: Software for Dependable Systems: Sufficient Evidence?. National Academy Press, Washington, D.C. (2007). ISBN:0309103940, 9780309103947

29.

Jacky, J.: The Clinical Neutron Therapy System. http://staff.washington.edu/jon/cnts/index.html

30.

Jacky, J.: Formal safety analysis of the control program for a radiation therapy machine. In: Schlegel, W., Bortfeld, T. (eds.) The Use of Computers in Radiation Therapy, pp. 68–70. Springer, Heidelberg (2000)CrossRef

31.

Jacky, J.: EPICS-based control system for a radiation therapy machine. In: International Conference on Accelerator and Large Experimental Physics Control Systems (ICALEPCS) (2013)

32.

Jacky, J., Risler, R.: Clinical neutron therapy system therapist’s guide. Technical report 99–07-01, University of Washington, Department of Radiation Oncology (2002)

33.

Jacky, J., Risler, R.: Clinical neutron therapy system reference manual. Technical report 99–10-01, University of Washington, Department of Radiation Oncology (2002)

34.

Jacky, J., Risler, R., Kalet, I., Wootton, P.: Clinical neutron therapy system control system specification part I. Technical report 90–12-01, University of Washington, Department of Radiation Oncology (1990)

35.

Jacky, J., Risler, R., Reid, D., Emery, R., Unger, J., Patrick, M.: A control system for a radiation therapy machine. Technical report 2001–05-01, University of Washington, Department of Radiation Oncology (2001)

36.

John, K.H., Tiegelkamp, M.: IEC 61131–3: Programming Industrial Automation Systems: Concepts and Programming Languages, Requirements for Programming Systems Decision-Making Aids, 2nd edn. Springer Publishing Company, Incorporated, New York (2010). ISBN:3642120148, 9783642120145MATH

37.

Kelly, T., Weaver, R.: The goal structuring notation - a safety argument notation. In: Proceedings of the Dependable Systems and Networks 2004 Workshop on Assurance Cases, July 2004

38.

Lyu, M.R. (ed.): Handbook of Software Reliability Engineering. McGraw-Hill Inc., Hightstown (1996)

39.

Near, J.P., Milicevic, A., Kang, E., Jackson, D.: A lightweight code analysis and its role in evaluation of a dependability case. In: Proceedings of the 33rd International Conference of Computer Safety, Reliability and Security, Waikiki, Honolulu, HI, pp. 31–40, May 2011

40.

Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL – A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002)MATH

41.

Owre, S., Rushby, J.M., Shankar, N.: PVS: a prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS(LNAI), vol. 607, pp. 748–752. Springer, Heidelberg (1992)

42.

Rushby, J.: Formalism in safety cases. In: Safety-Critical Systems Symposium (2010)

43.

Rushby, J.: Mechanized support for assurance case argumentation. In: Nakano, Y., Satoh, K., Bekki, D. (eds.) JSAI-isAI 2013. LNCS, vol. 8417, pp. 304–318. Springer, Heidelberg (2014). doi:10.1007/978-3-319-10061-6_20

44.

Torlak, E.: Constraint solver for software engineering: finding models and cores of large relational specifications. Ph.D. thesis, Massachusetts Institute of Technology, Cambridge (2009). AAI0821754

45.

Torlak, E., Bodik, R.: Growing solver-aided languages with Rosette. In: Proceedings of the 2013 ACM International Symposium on New Ideas. New Paradigms, and Reflections on Programming & Software, Onward! 2013, Indianapolis, IN, pp. 135–152 (2013)

46.

Torlak, E., Bodik, R.: A lightweight symbolic virtual machine for solver-aided host languages. In: Proceedings of the 2014 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), Edinburgh, UK, pp. 530–541, June 2014

47.

Torlak, E., Jackson, D.: Kodkod: a relational model finder. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 632–647. Springer, Heidelberg (2007)CrossRef

48.

Weinstock, C., Goodenough, J., Hudak, J.: Dependability cases. Technical report CMU/SEI-2004-TN-016, Software Engineering Institute, Carnegie Mellon University, Pittsburgh (2004)

49.

Xie, Y., Aiken, A.: Saturn: a scalable framework for error detection using Boolean satisfiability. ACM Trans. Program. Lang. Syst. (2007)

Title: Investigating Safety of a Radiotherapy Machine Using System Models with Pluggable Checkers
Authors: Stuart Pernsteiner
Calvin Loncaric
Emina Torlak
Zachary Tatlock
Xi Wang
Michael D. Ernst
Jonathan Jacky
Publisher: Springer International Publishing
Book: Computer Aided Verification
Print ISBN: 978-3-319-41539-0

Electronic ISBN: 978-3-319-41540-6

Copyright Year: 2016
DOI: https://doi.org/10.1007/978-3-319-41540-6_2

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner