Raoul Jetley
Food and Drug Administration
Publication
Featured research published by Raoul Jetley.
embedded software | 2011
BaekGyu Kim; Anaheed Ayoub; Oleg Sokolsky; Insup Lee; Paul L. Jones; Yi Zhang; Raoul Jetley
This paper presents our effort of using model-driven engineering to establish a safety-assured implementation of Patient-Controlled Analgesic (PCA) infusion pump software based on the generic PCA reference model provided by the U.S. Food and Drug Administration (FDA). The reference model was first translated into a network of timed automata using the UPPAAL tool. Its safety properties were then assured according to the set of generic safety requirements also provided by the FDA. Once the safety of the reference model was established, we applied the TIMES tool to automatically generate platform-independent code as its preliminary implementation. The code was then equipped with auxiliary facilities to interface with pump hardware and deployed onto a real PCA pump. Experiments show that the code worked correctly and effectively with the real pump. To assure that the code does not introduce any violation of the safety requirements, we also developed a testbed to check the consistency between the reference model and the code through conformance testing. Challenges encountered and lessons learned during our work are also discussed in this paper.
international conference on software engineering | 2009
Andrew L. King; Sam Procter; Daniel Andresen; John Hatcliff; Steve Warren; William Spees; Raoul Jetley; Paul L. Jones; Sandy Weininger
Medical devices historically have been monolithic units — developed, validated, and approved by regulatory authorities as stand-alone entities. Modern medical devices increasingly incorporate connectivity mechanisms that offer the potential to stream device data into electronic health records, integrate information from multiple devices into single customizable displays, and coordinate the actions of groups of cooperating devices to realize “closed loop” scenarios and automate clinical workflows. However, it is not clear what middleware and integration architectures may be best suited for these possibly numerous scenarios. More troubling, current verification and validation techniques used in the device industry are not targeted to assuring groups of integrated devices. In this paper, we propose a publish-subscribe architecture for medical device integration based on the Java Messaging Service, and we report on our experience with this architecture in multiple scenarios that we believe represent the types of deployments that will benefit from rapid device integration. This implementation and the experiments presented in this paper are offered as an open test bed for exploring development, quality assurance, and regulatory issues related to medical device coordination.
Journal of diabetes science and technology | 2010
Yi Zhang; Paul L. Jones; Raoul Jetley
Background: Researchers at the Food and Drug Administration (FDA)/Center for Device and Radiological Health/Office of Science and Engineering Laboratories have been exploring the concept of model-based engineering as a means for improving the quality of medical device software. Insulin pumps were chosen as a research subject because their design provides the desired degree of research complexity and these types of devices present an ongoing regulatory challenge. Methods: Insulin pump hazards and their contributing factors are considered in the context of a highly abstract generic insulin infusion pump (GIIP) model. Hazards were identified by consulting with manufacturers, pump users, and clinicians; by reviewing national and international standards and adverse event reports collected by the FDA; and from workshops sponsored by Diabetes Technology Society. This information has been consolidated in tabular form to facilitate further community analysis and discussion. Results: A generic insulin infusion pump model architecture has been established. A fairly comprehensive hazard analysis document, corresponding to the GIIP model, is presented in this article. Conclusions: We believe that this work represents the genesis of an insulin pump safety reference standard upon which future insulin pump designs can be based to help ensure a basic level of safety. More interaction with the diabetes community is needed to assure the quality of this safety modeling process.
Proceedings of the 2008 workshop on Static analysis | 2008
Raoul Jetley; Paul L. Jones; Paul Anderson
Post-market investigators at the United States Food and Drug Administration may need to review medical device software to assess its integrity. They have to do this with little or no prior knowledge of the software. Historically, the only way to perform such a review has been to manually search the code for potential sources of error --- a process that is both tedious and error-prone. Static analysis tools can improve this process by providing a means for automated error detection. By using symbolic execution techniques to explore execution paths of the software, static analysis provides complete, or almost complete, coverage of the code, and helps detect potentially fatal errors that may not easily be detected through conventional testing methods. Using automated static analysis tools can help reduce the effort involved in analysis and provide a more accurate assessment of the software. In this paper, we discuss CodeSonar, a whole-program interprocedural static analysis tool for C/C++ programs, and illustrate how it was used to facilitate error detection during a post-market investigation.
Journal of diabetes science and technology | 2011
Yi Zhang; Raoul Jetley; Paul L. Jones; Arnab Ray
Background: The authors previously introduced a highly abstract generic insulin infusion pump (GIIP) model that identified common features and hazards shared by most insulin pumps on the market. The aim of this article is to extend our previous work on the GIIP model by articulating safety requirements that address the identified GIIP hazards. These safety requirements can be validated by manufacturers, and may ultimately serve as a safety reference for insulin pump software. Together, these two publications can serve as a basis for discussing insulin pump safety in the diabetes community. Method: In our previous work, we established a generic insulin pump architecture that abstracts functions common to many insulin pumps currently on the market and near-future pump designs. We then carried out a preliminary hazard analysis based on this architecture that included consultations with many domain experts. Further consultation with domain experts resulted in the safety requirements used in the modeling work presented in this article. Results: Generic safety requirements for the GIIP model are presented, as appropriate, in parameterized format to accommodate clinical practices or specific insulin pump criteria important to safe device performance. Conclusion: We believe that there is considerable value in having the diabetes, academic, and manufacturing communities consider and discuss these generic safety requirements. We hope that the communities will extend and revise them, make them more representative and comprehensive, experiment with them, and use them as a means for assessing the safety of insulin pump software designs. One potential use of these requirements is to integrate them into model-based engineering (MBE) software development methods. 
We believe, based on our experiences, that implementing safety requirements using MBE methods holds promise in reducing design/implementation flaws in insulin pump development and evolutionary processes, therefore improving overall safety of insulin pump software.
Biomedical Instrumentation & Technology | 2010
Arnab Ray; Raoul Jetley; Paul L. Jones; Yi Zhang
This paper demonstrates the benefits of adopting model-based design techniques for engineering medical device software. By using a patient-controlled analgesic (PCA) infusion pump as a candidate medical device, the authors show how using models to capture design information allows for i) fast and efficient construction of executable device prototypes, ii) creation of a standard, reusable baseline software architecture for a particular device family, iii) formal verification of the design against safety requirements, and iv) creation of a safety framework that reduces verification costs for future versions of the device software.
ieee international conference on software analysis evolution and reengineering | 2015
Sreeja Nair; Raoul Jetley; Anil R. Nair; Stefan Hauck-Stattelmann
Latent errors in control system software can be hard to detect through traditional testing techniques. Such errors, if left undetected, could manifest themselves as failures during run-time that could be potentially catastrophic and very expensive to fix. In this paper, we present a static code analysis approach to detect potential sources of such run-time errors during compile time itself, thus ensuring easy identification, safe execution and reducing the effort required during debugging. In order to detect run-time errors, the control system application is first parsed to generate a set of abstract syntax trees, which in turn are used to derive the control flow graph for the application. A hybrid algorithm, based on abstract interpretation and traditional data flow analysis techniques, is used to check the control flow graph for type constraints, reachability and liveness properties. Additionally, the abstract syntax trees are used to check for datatype mismatches and compliance violations. A proof of concept prototype is implemented to demonstrate how the algorithm/approach can be used to analyze control applications developed using domain specific languages such as those complying with the IEC 61131-3 standard.
Biomedical Instrumentation & Technology | 2010
Arnab Ray; Raoul Jetley
With an increasing number of medical device features being implemented in code, the amount of software that is present in a modern device as well as its complexity and criticality has grown sharply over the years. Existing quality-control regimes for software, dependent as they are on traditional inspection and ad-hoc testing techniques, have been unable to meet many of these challenges. The numbers tell the story. In 1998, close to 8% of device failures could be traced to software errors. Currently, the number of device recalls due to software problems is believed by some to be about 18%. Model-based development (MBD) is often suggested as a candidate solution, a novel way of doing software development and quality control. So what is model-based development and what does it mean for professionals working in the medical instrumentation field? Read on.
ACM Sigbed Review | 2009
Arnab Ray; Raoul Jetley; Paul L. Jones
The increasing complexity of medical device software has created new challenges in ensuring that a medical device operates correctly. This paper discusses how two technologies---model-based development and static analysis---may be used to facilitate the successful engineering of medical software and some possible regulatory side benefits.
international conference on industrial informatics | 2016
Sreeja Nair; Raoul Jetley
Prevention of data loss in each scan cycle is of utmost importance in control system programming. For each variable to reflect the latest value, compilers compute the order of execution of control logic objects according to data flow. But this technique for ensuring data integrity fails when a circular dependency or a “code loop” is found. In this paper, we propose an approach to help solve this issue in 2 steps — by providing an interactive visual representation and providing a list of possible solutions. A tool is implemented based on this approach which can take either the control logic code or the dump created by the compiler as input. The tool has been validated for effectiveness with industrial use cases from different domains.