End to End Verification and Validation with SPIN

Over the last several years the tools used for model checking have become more efficient and usable. This has enabled users to apply model checking to industrial-scale problems, however the task of validating the implementation of the model is usually much harder. In this paper we present an approach to do end to end verification and validation of a real time system using the SPIN model checker. Taking the example of the cardiac pacemaker system proposed in the SQRL Pacemaker Formal Methods Challenge we demonstrate our framework by building a formal model for the cardiac pacemaker in SPIN, checking for desirable temporal properties of the model (expressed as LTL formulas), generating C code from the model (by refinement of PROMELA) and validating the generated implementation (using SPIN). We argue that a state of the art model checking tool like SPIN can be used to do formal specification as well as validation of the implementation. To evaluate our approach we show that our pacemaker model is expressive enough to derive consistent operating modes and that the refinement rules preserve LTL properties. KeywordsModel Checking, Verification, Validation, Pacemaker