A Formal Verification Methodology for DDD Mode Pacemaker Control Programs

Abstract EN

Pacemakers are safety-critical devices whose faulty behaviors can cause harm or even death.

Often these faulty behaviors are caused due to bugs in programs used for digital control of pacemakers.

We present a formal verification methodology that can be used to check the correctness of object code programs that implement the safety-critical control functions of DDD mode pacemakers.

Our methodology is based on the theory of Well-Founded Equivalence Bisimulation (WEB) refinement, where both formal specifications and implementation are treated as transition systems.

We develop a simple and general formal specification for DDD mode pacemakers.

We also develop correctness proof obligations that can be applied to validate object code programs used for pacemaker control.

Using our methodology, we were able to verify a control program with millions of transitions against the simple specification with only 10 transitions.

Our method also found several bugs during the verification process.