Mats Heimdahl
Distinguished University Teaching Professor · Department of Computer Science and Engineering, University of Minnesota
Active 1991–2025
About
Mats Heimdahl is a Professor and Distinguished University Teaching Professor in the University of Minnesota's Department of Computer Science & Engineering. He joined the department in 1996 and served as department head from 2015 to 2025. Heimdahl's research focuses on software engineering, specifically on methods and tools for developing software with predictable behavior that is free from critical defects. His group, the Critical Systems Research Group (CriSys), investigates automated software engineering, with emphasis on software requirements engineering, model-based software development, software validation and verification, and software test automation. Heimdahl holds a Ph.D. in Computer Science from the University of California, Irvine (1994) and an M.S. in Computer Science and Engineering from KTH Royal Institute of Technology (1988). Before Minnesota he was an assistant professor at Michigan State University and vice president of Safeware Engineering Corporation. Since joining the University of Minnesota he has been recognized for both education and research, receiving among other honors the NSF CAREER Award and the McKnight Land-Grant Professorship. His research has been supported by numerous grants, and he has supervised multiple Ph.D. graduates in software engineering.
Research topics
- Computer Science
- Data Mining
- Programming language
- Artificial Intelligence
- Machine Learning
- Mathematics
- Systems engineering
- Theoretical computer science
- Engineering
- Reliability engineering
- Software engineering
Selected publications
Model-Based Systems Engineering and TCAS II: Thirty Years Later
IEEE Transactions on Software Engineering · 2025-01-31 · 1 citation
article · 1st author · Corresponding
Thirty years ago, when the TCAS II modeling effort was undertaken, model-based design and model-based systems engineering were new concepts. The TCAS II modeling effort demonstrated that creating a formal model of a complex system, and doing so in collaboration with a diverse group of application experts, was eminently feasible, and it laid the groundwork for future research. In this retrospective, we revisit the effort in the context of model-based systems engineering, summarize the most relevant lessons learned, and discuss the state of model-based techniques today and steps toward the future.
Counterexample-guided inductive repair of reactive contracts
2022 · 1 citation
Senior author · Corresponding
- Computer Science
- Programming language
Executable implementations are ultimately the only dependable representations of a software component's behavior. Incorporating such a component in a rigorous model-based development of reactive systems poses challenges since a formal contract over its behaviors will have to be crafted for system verification. Simply hypothesizing a contract based on informal descriptions of the component is problematic: if it is too weak, we may fail in verifying valid system-level contracts; if it is too strong or simply erroneous, the system may fail in operation. Thus, establishing a valid and strong enough contract is crucially important.
Lecture Notes in Computer Science · 2021-01-01 · 1 citation
book chapter
From Informal System Requirements to Formal Software Specifications - An Experience Report
2021 IEEE International Conference on Electronics, Computing and Communication Technologies (CONECCT) · 2021-07-09 · 1 citation
article · Senior author
Formal methods have been enormously useful in verifying complex system requirements, especially in the safety-critical domain. However, their success depends on precisely formalizing what needs to be verified and thoroughly understanding how it is verified. Unfortunately, there is a lack of awareness and guidance in using formal techniques effectively, which often makes their use difficult and leads the results of their application to overconfidence in the correctness of the fielded system in its intended environment. In this paper, we share some of the lessons learned while using formal methods to specify and verify a complex infusion pump system. While the effort was successful and has led to hierarchically verified software for the pump, it was not without challenges that we believe are not adequately presented in the research literature. We discuss the challenges we faced with (a) precisely "flowing down" system-level requirements to low-level components, (b) thoroughly understanding the technicalities of the formal tools to avoid faulty premises and misplaced confidence in the overall system, and (c) rigorously mitigating the risks of using diverse formal tools in hierarchical system analysis. We also discuss our approach to mitigating them. We believe the lessons we learned in this effort will be informative for practitioners involved in similar efforts.
Counterexample Guided Inductive Repair of Reactive Contracts
2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE) · 2021-11-01
article · Senior author
Using third-party executable components to build control systems poses challenges for verification. This is because the informal behavior descriptions that typically accompany the components often fall short of the needed rigor. Consequently, there is a need to formalize a component contract that is strong enough to help establish system properties and also weak enough to account for all potential component behaviors in the system's context. In this paper, we present a novel approach that allows an analyst to hypothesize a component contract, explore whether the component meets the contract, and, if not, have automated support to help repair the contract. Preliminary results show that, in more than 32% of the cases, the repaired contract is logically equivalent to a developer-written one; in a further 63% of cases, it is a distinct, valid, and non-trivial property of the component.
AADL-Based safety analysis using formal methods applied to aircraft digital systems
Reliability Engineering & System Safety · 2021 · 44 citations
- Computer Science
- Reliability engineering
Black-Box Testing of Deep Neural Networks
2021 · 9 citations
Senior author · Corresponding
- Computer Science
- Artificial Intelligence
Several test adequacy criteria have been developed for quantifying the coverage of deep neural networks (DNNs) achieved by a test suite. Being dependent on the structure of the DNN, these can be costly to measure and use, especially given the highly iterative nature of the model training workflow. Further, testing provides higher overall assurance when such implementation-dependent measures are used along with implementation-independent ones. In this paper, we rigorously define a new black-box coverage criterion that is independent of the DNN model under test. We further describe a few desirable properties and associated evaluation metrics for assessing test coverage criteria, and use those to empirically compare and contrast the black-box criterion with several DNN structural coverage criteria. Results indicate that the black-box criterion has comparable effectiveness and provides benefits that complement white-box criteria. The results also reveal a few weaknesses of coverage criteria for DNNs.
Requirements Capture and Evaluation in Nimbus: The Light-Control Case Study
University of Minnesota Digital Conservancy (University of Minnesota) · 2020-04-07 · 10 citations
article · Open access
Abstract: Evaluations of methods and tools applied to a reference problem are useful when comparing various techniques. In this paper, we present a solution to the challenge of capturing the requirements for the Light Control System case study, which was proposed before the Dagstuhl Seminar on Requirements Capture, Documentation, and Validation in June 1999. The paper focuses primarily on how the requirements were specified: what techniques were used, and what the results were. The language used to capture the requirements is RSML-e, a state-based specification language with a fully specified formal denotational semantics. In addition, the Nimbus environment, a toolset supporting RSML-e, is used to visualize and execute the high-level requirements.
IEEE Transactions on Software Engineering · 2019-01-09 · 4 citations
article · Open access · Senior author
Symbolic model checkers can construct proofs of properties over highly complex models. However, the results reported by the tool when a proof succeeds do not generally provide much insight to the user. It is often useful for users to have traceability information related to the proof: which portions of the model were necessary to construct it. This traceability information can be used to diagnose a variety of modeling problems such as overconstrained axioms and underconstrained properties, measure completeness of a set of requirements over a model, and assist with design optimization given a set of requirements for an existing or synthesized implementation. In this paper, we present a comprehensive treatment of a suite of algorithms to compute inductive validity cores (IVCs), minimal sets of model elements necessary to construct inductive proofs of safety properties for sequential systems. The algorithms are based on the UNSAT core support built into current SMT solvers and novel encodings of the inductive problem to generate approximate and guaranteed minimal inductive validity cores as well as all inductive validity cores. We demonstrate that our algorithms are correct, describe their implementation in the JKind model checker for Lustre models, and present several use cases for the algorithms. We then present a substantial experiment in which we benchmark the efficiency and efficacy of the algorithms.
Requirements Reference Models Revisited: Accommodating Hierarchy in System Design
2019-09-01 · 4 citations
article · Senior author
Reference models such as Parnas' four-variable model, Jackson and Zave's world-machine model, and Gunter et al.'s WRSPM model abstractly define and relate key artifacts in requirements engineering. Such reference models are intended to serve as a frame of reference for engineers to understand and reason about the artifacts involved in requirements engineering. However, when discussing the requirements of modern systems that are developed in a hierarchical and middle-out manner, these reference models do not provide a framework in which the relationship between requirements and architecture is explicitly discussed. Conceptual clarity about this relationship is crucial since the architecture and requirements for such systems become intrinsically intertwined: the architectural choices made during development influence the requirements and vice versa. Hence, to precisely determine the scope of specifying requirements, distinguish requirements from architecture details, reason about the requirements, and determine how the requirements are realized in the system, we argue that a requirements reference model intended as a reference for such systems must explicitly discuss the architecture-requirements relationship. To that end, we define a hierarchical reference model that formally, yet abstractly, captures the intertwined relationship between the architecture and requirements in a way that serves the same purpose as other models but is more suitable for modern systems where architecture and requirements co-evolve. To illustrate the concepts in this model, we use a generic patient-controlled analgesic infusion pump system as a case example.
Recent grants
A Catalytic Infrastructure for the Design, Development, and Deployment of Formal Modeling Tools
NSF · $300k · 2004–2008
SHF: Medium: Contract-Based Black-Box Assurance
NSF · $1.0M · 2016–2022
Frequent coauthors
- Michael W. Whalen · 63 shared
- Sanjai Rayadurgam (University of Minnesota System) · 45 shared
- Anitha Murugesan (Jawaharlal Institute of Post Graduate Medical Education and Research) · 19 shared
- Matt Staats (DNV (Netherlands)) · 19 shared
- Jeffrey M. Thompson (Mayo Clinic in Arizona) · 18 shared
- Steven P. Miller (SickKids Foundation) · 16 shared
- Ajitha Rajan (University of Edinburgh) · 14 shared
- George Devaraj · 12 shared
Labs
Critical Systems Research Group (CriSys) · PI
Awards & honors
- Award for Outstanding Contributions to Postbaccalaureate, Gr…
- McKnight Presidential Fellows Award Program (2001)
- McKnight Land-Grant Professorship (1999)
- National Science Foundation Faculty Early Career Development…