Masci P, Rukšėnas R, Oladimeji P, Cauchi A, Gimblett A, Li Y, Curzon P, Thimbleby H.  2015.  The benefits of formalising design guidelines: a case study on the predictability of drug infusion pumps. Innovations in Systems and Software Engineering. 11:73-93. Abstractmasci-predictability-isse2015.pdf

A demonstration is presented of how automated reasoning tools can be used to check the predictability of a user interface. Predictability concerns the ability of a user to determine the outcomes of their actions reliably. It is especially important in situations such as a hospital ward where medical devices are assumed to be reliable devices by their expert users (clinicians) who are frequently interrupted and need to quickly and accurately continue a task. There are several forms of predictability. A definition is considered where information is only inferred from the current perceptible output of the system. In this definition, the user is not required to remember the history of actions that led to the current state. Higher-order logic is used to specify predictability, and the Symbolic Analysis Laboratory (SAL) is used to automatically verify predictability on real interactive number entry systems of two commercial drug infusion pumps -- devices used in the healthcare domain to deliver fluids (e.g., medications, nutrients) into a patient’s body in controlled amounts. Areas of unpredictability are precisely identified with the analysis. Verified solutions that make an unpredictable system predictable are presented through design modifications and verified user strategies that mitigate against the identified issues.

Furniss D, Masci P, Curzon P, Mayer A, Blandford A.  2014.  7 Themes for guiding situated ergonomic assessments of medical devices: A case study of an inpatient glucometer. Applied Ergonomics. 45(6):1668-1677. Abstract

There is relatively little guidance on the situated ergonomic assessment of medical devices, and few case studies that detail this type of evaluation. This paper reports results of a detailed case study that focuses on the design and use of a modern blood glucose meter on an oncology ward. We spent approximately 150 h in-situ, over 11 days and 4 nights, performing observations and interviews with users. This was complemented by interviews with two staff with oversight and management responsibility related to the device. We identified 19 issues with the design and use of this device. These issues were grouped into 7 themes which can help guide the situated study of medical devices: usability, knowledge gaps and mental models, workarounds, wider tasks and equipment, the patient, connection between services, and policy.

Di Giandomenico F, Itria ML, Masci P, Nostro N.  2014.  Automated synthesis of dependable mediators for heterogeneous interoperable systems. Reliability Engineering & System Safety. 132:220-232. Abstractress.pdf

Approaches to dependability and performance are challenged when systems are made up of networks of heterogeneous applications/devices, especially when operating in unpredictable open-world settings. The research community is tackling this problem and exploring means for enabling interoperability at the application level. The EU project CONNECT has developed a generic interoperability mechanism which relies on the on-the-fly synthesis of CONNECTors, that is software bridges that enable and adapt communication among heterogeneous devices. Dependability and Performance are relevant aspects of the system. In our previous work, we have identified generic dependability mechanisms for enhancing the dependability of CONNECTors. In this work, we introduce a set of generic strategies for automating the selection and application of an appropriate dependability mechanism. A case study based on a global monitoring system for environment and security (GMES) is used as a means for demonstrating the approach.

Harrison M, Campos JC, Masci P.  2013.  Reusing models and properties in the analysis of similar interactive devices. Innovations in Systems and Software Engineering. 2(11):95-111. Abstractharrisoncm15-authorsversion.pdf

The paper is concerned with the comparative analysis of interactive devices. It compares two devices by checking a battery of template properties that are designed to explore important interface characteristics. The two devices are designed to support similar tasks in a clinical setting but differ in a number of respects as a result of judgements based on a range of considerations including software. Variations between designs are often relatively subtle and do not always become evident through even relatively thorough user testing. Notwithstanding their subtlety these differences may be important to the safety or usability of the device. The illustrated approach uses formal techniques to provide the analysis. This means that similar analysis can be applied systematically.

Avvenuti M, Bernardeschi C, Francesco ND, Masci P.  2012.  JCSI: A tool for checking secure information flow in Java Card applications. Journal of Systems and Software. 85:2479-2493. Abstract

This paper describes a tool for checking secure information flow in Java Card applications. The tool performs a static analysis of Java Card CAP files and includes a CAP viewer. The analysis is based on the theory of abstract interpretation and on a multi-level security policy assignment. Actual values of variables are abstracted into security levels, and bytecode instructions are executed over an abstract domain. The tool can be used for discovering security issues due to explicit or implicit information flows and for checking security properties of Java Card applications downloaded from untrusted sources.

Bernardeschi C, Cassano L, Domenici A, Masci P.  2011.  Simulation and Test-Case Generation for PVS Specifications of Control Logics. International Journal on Advances in Software. 4 Abstract

We describe a framework for the simulation of control logics specified in the higher-order logic of the Prototype Verification System. The framework offers a library of predefined modules, a method for the composition of more complex modules, and an event-driven simulation engine. A developer defines a system architecture by composing its model out of library modules, possibly introducing new module definitions, and simulates the behaviour of the system model by providing its input waveforms, which are given as functions from time to logic levels. The generation of simulation scenarios (test cases) can be automated by using parametric waveforms that can be instantiated through universal and existential quantifiers. We demonstrate the simulation capabilities of our framework on two simple case studies from a nuclear power plant application. The main feature of this approach is that our formal specifications are executable. Moreover, once the simulation experiments give developers sufficient confidence in the correctness of the specification, the logic models can serve as the basis for its formal verification.

Bernardeschi C, Francesco ND, Lettieri G, Martini L, Masci P.  2008.  Decomposing bytecode verification by abstract interpretation. ACM Transactions on Programming Languages and Systems. 31(1):1-63. Abstract

Bytecode verification is a key point in the security chain of the Java platform. This feature is only optional in many embedded devices since the memory requirements of the verification process are too high. In this article we propose an approach that significantly reduces the use of memory by a serial/parallel decomposition of the verification into multiple specialized passes. The algorithm reduces the type encoding space by operating on different abstractions of the domain of types. The results of our evaluation show that this bytecode verification can be performed directly on small memory systems. The method is formalized in the framework of abstract interpretation.

Avvenuti M, Corsini P, Masci P, Vecchio A.  2007.  An application adaptation layer for wireless sensor networks. Pervasive and Mobile Computing. 3:413–438. Abstract

In wireless sensor networks, poor performance or unexpected behavior may be experienced for several reasons, such as trivial deterioration of sensing hardware, unsatisfactory implementation of application logic, or mutated network conditions. This leads to the necessity of changing the application behavior after the network has been deployed. Such flexibility is still an open issue as it can be achieved either at the expense of significant energy consumption or through software complexity. This paper describes an approach to adapt the behavior of running applications by intercepting the calls made to the operating system services and changing their effects at run-time. Customization is obtained through small fragments of interpreted bytecode, called adaptlets, injected into the network by the base station. Differently from other approaches, where the entire application is interpreted, adaptlets are tied only to specific services, while the bulk of the application is still written in native code. This makes our system able to preserve the compactness and efficiency of native code and to have little impact on the overall application performance. Also, applications must not be rewritten because the operating system interfaces are unaffected. The adaptation layer has been implemented in the context of TinyOS using an instruction set inspired to the Java bytecode. Examples that illustrate the programming of the adaptation layer are presented together with their experimental validation.

Avvenuti M, Corsini P, Masci P, Vecchio A.  2007.  Energy-efficient reception of large preambles in MAC protocols for wireless sensor networks. Electronics Letters. 43:300–301. Abstract

A technique able to significantly reduce the energy consumption of contention-based MAC protocols for wireless sensor networks is presented. Address and timing information is embedded into the packet preamble, allowing receivers to power off their radio during part of the transmission. Analytical and experimental evaluations show a significant extension of the network lifetime.

Bernardeschi C, Lettieri G, Martini L, Masci P.  2006.  Using postdomination to reduce space requirements of data flow analysis. Information Processing Letters. 98:11–18.
Bernardeschi C, Lettieri G, Martini L, Masci P.  2006.  Using Control Dependencies for Space-Aware Bytecode Verification. Computer Journal. 49:234–248. Abstract

Java applets run on a Virtual Machine that checks code integrity and correctness before execution using a module called the Bytecode Verifier. Java Card technology allows Java applets to run on smart cards. The large memory requirements of the verification process do not allow the implementation of an embedded Bytecode Verifier in the Java Card Virtual Machine. To address this problem, we propose a verification algorithm that optimizes the use of system memory by imposing an ordering on the verification of the instructions. This algorithm is based on control flow dependencies and immediate postdominators in control flow graphs.

Bernardeschi C, Lettieri G, Martini L, Masci P.  2005.  A Space-Aware Bytecode Verifier for Java Cards. Electronic Notes in Theoretical Computer Science. 141:237–254. Abstract

The bytecode verification is a key point of the security chain of the Java Platform. This feature is optional in many embedded devices since the memory requirements of the verification process are too high. In this paper we propose a verification algorithm that remarkably reduces the use of the memory by performing the verification during multiple specialized passes. The algorithm reduces the type encoding space by operating on different abstractions of the domain of types. The results of the experiments show that this bytecode verification can be performed directly on small memory systems.

Zhang Y, Jones P, Masci P.  2015.  Model Based Design and Safety Analysis of Medical Device User Interfaces. Abstract

Plain Language Synopsis: This research applies model based engineering techniques to develop novel verification and hazard analysis methods, which help manufacturers establish the quality and safety in medical device user interface designs. Artifacts produced by these methods provide evidence for regulators to quickly and objectively assess the safety of devices' interaction with users.

Abstract: Designs of medical device Human Computer Interfaces (HCI) need to be robust and appropriately reactive to user actions. There is evidence that the HCI design of some devices on the market can cause use errors and erroneously process user input, which may subsequently lead to serious patient harm. Model based engineering (MBE) technology can be used to model HCI design decisions with mathematical precision. This technology can facilitate the development of HCI models that clearly define the device's interaction behavior with users; offering a formal (mathematical) basis to reason about and verify the safety of the design. Automatic tool support is available to facilitate such reasoning and verification activities. Tool artifacts provide manufacturers and regulators an objective and scientific basis for assessing the safety of medical device user interfaces. The authors have successfully applied MBE techniques to the analysis of medical device user interfaces in two studies. In the first study, automatic model extraction was applied to the user interface software of a marketed infusion pump to produce a model that resembles the pump's use interaction behavior. Automated formal proving on the model uncovered several design flaws in the pump's user interface that could lead to severe consequences including the pump ignoring key presses that might cause patient overdose. In the second study, the authors captured the user interface software design common in medical devices with a generic user interface model. Based on this generic model, a hazard analysis technique was proposed that integrates human cognition process models and general interaction design principles to guide more comprehensive and systematic identification of design flaws in user interfaces. Preliminary experiments showed that this hazard analysis technique can identify 3 times more software-related hazards in user interface designs, compared to standard hazard analysis techniques.

Masci P.  2014.  A preliminary hazard analysis for the GIP number entry software. Abstracttechrep-pha.pdf

The results of a preliminary hazard analysis are presented that identify common design errors in infusion pump software that may potentially cause use hazards. Many identified problems apply to other types of interactive medical devices, including ventilators and radiotherapy machines. The identified issues may be used as a basis to define safety requirements that, if satisfied by user interface software, can substantially improve the quality and safety of broad classes of medical devices

Bernardeschi C, Cassano L, Domenici A, Masci P.  2010.  Analysis of FPGAs Using the SAN Formalism. Technical Report, University of Pisa - Department of Information Engineering. Abstract

We describe a model of FPGA based systems realised with the Stochastic Activity Networks (SAN) formalism. The model can be used (i) to debug the FPGA circuit design synthesised from the high level description of the system, and (ii) to calculate the signal probabilities and transition densities of the FPGA circuit design, that can be used for reliability analysis, power consumption estimation and pseudo random testing of digital circuit design. We validate the model by reproducing results presented in other studies for some representative combinatorial circuits, and we explore the applicability of the model in the analysis of real-world devices by studying a circuit for the generation of CRC codes.