Abstract
We are developing a control program for a unique radiation therapy machine. The program is safety-critical, executes several concurrent tasks, and must meet real-time deadlines. Development employs both formal and traditional methods: we produce an informal specification in prose (supplemented by tables, diagrams and a few formulas) and a formal description in Z. The Z description includes an abstract level that expresses overall safety requirements and a concrete level that serves as a detailed design, where Z paragraphs correspond to data structures, functions and procedures in the code. We validate the Z texts against the prose specification by inspection. We derive most of the code from the Z texts by intuition and verify it by inspection, but a small amount of code is derived and verified more formally. We have produced about 250 pages of informal specification and design description, about 1200 lines of Z and about 6000 lines of code. Experiences developing a large Z specification and writing the program are reported, and some errors we discovered and corrected are described.
© 1997 Springer-Verlag Berlin Heidelberg
Cite this paper
Jacky, J., Unger, J., Patrick, M., Reid, D., Risler, R. (1997). Experience with Z developing a control program for a radiation therapy machine. In: Bowen, J.P., Hinchey, M.G., Till, D. (eds) ZUM '97: The Z Formal Specification Notation. ZUM 1997. Lecture Notes in Computer Science, vol 1212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0027295
DOI: https://doi.org/10.1007/BFb0027295
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-62717-3
Online ISBN: 978-3-540-68490-9