Demonstrating that Medical Devices Satisfy User Related Safety Requirements

One way of contributing to a demonstration that a medical device is acceptably safe is to show that the device satisfies a set of requirements known to mitigate hazards. This paper describes experience using formal techniques to model an IV infusion device and to prove that the modelled device captures a set of requirements. The requirements chosen for the study are based on a draft proposal developed by the US Food and Drug Administration (FDA). A major contributor to device related errors are (user) interaction errors. For this reason the chosen models and requirements focus on user interface related issues.FEDER - Federación Española de Enfermedades Raras(000062)This work has been funded by the EPSRC research grant EP/G059063/1: CHI+MED (Computer–Human Interaction for Medical Devices). J. C. Campos was funded by project NORTE-07-0124-FEDER-00006

Verification templates for the analysis of user interface software design

The paper describes templates for model-based analysis of usability and safety aspects of user interface software design. The templates crystallize general usability principles commonly addressed in user-centred safety requirements, such as the ability to undo user actions, the visibility of operational modes, and the predictability of user interface behavior. These requirements have standard forms across different application domains, and can be instantiated as properties of specific devices. The modeling and analysis process is carried out using the Prototype Verification System (PVS), and is further facilitated by structuring the specification of the device using a format that is designed to be generic across interactive systems. A concrete case study based on a commercial infusion pump is used to illustrate the approach. A detailed presentation of the automated verification process using PVS shows how failed proof attempts provide precise information about problematic user interface software features.This work has been funded by the EPSRC research grant EP/G059063/1: CHI+ MED (Computer-Human Interaction for Medical Devices). We are grateful to Harold Thimbleby's team at Swansea University, part of the CHI+ MED project, and especially Patrick Oladimeji who developed the infusion pump simulation that helped us develop the models. We also thank the anonymous reviewers for valuable feedback. Jose C. Campos and Paolo Masci were funded by project NORTE-01-0145-FEDER-000016, financed by the North Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF)

Verification of User Interface Software: The Example of Use-Related Safety Requirements and Programmable Medical Devices

One part of demonstrating that a device is acceptably safe, often required by regulatory standards, is to show that it satisfies a set of requirements known to mitigate hazards. This paper is concerned with how to demonstrate that a user interface software design is compliant with use-related safety requirements. A methodology is presented based on the use of formal methods technologies to provide guidance to developers about addressing three key verification challenges: 1) how to validate a model, and show that it is a faithful representation of the device; 2) how to formalize requirements given in natural language, and demonstrate the benefits of the formalization process; and 3) how to prove requirements of a model using readily available formal verification tools. A model of a commercial device is used throughout the paper to demonstrate the methodology. A representative set of requirements are considered. They are based on US Food and Drug Administration (FDA) draft documentation for programmable medical devices, and on best practice in user interface design illustrated in relevant international standards. The methodology aims to demonstrate how to achieve the FDA's agenda of using formal methods to support the approval process for medical devices.This work was supported by the EPSRC research Grant EP/G059063/1: CHI+MED (Computer-Human Interaction for Medical Devices). The work of P. Masci and J.C. Campos was supported under Project NORTE-01-0145-FEDER-000016, financed by the North Portugal Regional Operational Programme (NORTE 2020), through the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF)

A method for rigorous design of reconfigurable systems

Reconfigurability, understood as the ability of a system to behave differently in different modes of operation and commute between them along its lifetime, is a cross-cutting concern in modern Software Engineering. This paper introduces a specification method for reconfigurable software based on a global transition structure to capture the system's reconfiguration space, and a local specification of each operation mode in whatever logic (equational, first-order, partial, fuzzy, probabilistic, etc.) is found expressive enough for handling its requirements. In the method these two levels are not only made explicit and juxtaposed, but formally interrelated. The key to achieve such a goal is a systematic process of hybridisation of logics through which the relationship between the local and global levels of a specification becomes internalised in the logic itself.This work is financed by the ERDF – European Regional Development Fund through the Operational Programme for Competitiveness and Internationalisation – COMPETE 2020 Programme and by National Funds through the Portuguese funding agency, FCT – Fundação para a Ciência e a Tecnologia within projects POCI-01-0145-FEDER-016692 and UID/MAT/04106/2013. The first author is further supported by the BPD FCT Grant SFRH/BPD/103004/2014, and R. Neves is sponsored by FCT Grant SFRH/BD/52234/2013. M.A. Martins is also funded by the EU FP7 Marie Curie PIRSESGA-2012-318986 project GeTFun: Generalizing Truth-Functionality

Model-Based Analysis of User Behaviors in Medical Cyber-Physical Systems

Human operators play a critical role in various Cyber-Physical System (CPS) domains, for example, transportation, smart living, robotics, and medicine. The rapid advancement of automation technology is driving a trend towards deep human-automation cooperation in many safety-critical applications, making it important to explicitly consider user behaviors throughout the system development cycle. While past research has generated extensive knowledge and techniques for analyzing human-automation interaction, in many emerging applications, it remains an open challenge to develop quantitative models of user behaviors that can be directly incorporated into the system-level analysis. This dissertation describes methods for modeling different types of user behaviors in medical CPS and integrating the behavioral models into system analysis. We make three main contributions. First, we design a model-based analysis framework to evaluate, improve, and formally verify the robustness of generic (i.e., non-personalized) user behaviors that are typically driven by rule-based clinical protocols. We conceptualize a data-driven technique to predict safety-critical events at run-time in the presence of possible time-varying process disturbances. Second, we develop a methodology to systematically identify behavior variables and functional relationships in healthcare applications. We build personalized behavior models and analyze population-level behavioral patterns. Third, we propose a sequential decision filtering technique by leveraging a generic parameter-invariant test to validate behavior information that may be measured through unreliable channels, which is a practical challenge in many human-in-the-loop applications. A unique strength of this validation technique is that it achieves high inter-subject consistency despite uncertain parametric variances in the physiological processes, without needing any individual-level tuning. We validate the proposed approaches by applying them to several case studies

Design-time formal verification for smart environments: an exploratory perspective

Smart environments (SmE) are richly integrated with multiple heterogeneous devices; they perform the operations in intelligent manner by considering the context and actions/behaviors of the users. Their major objective is to enable the environment to provide ease and comfort to the users. The reliance on these systems demands consistent behavior. The versatility of devices, user behavior and intricacy of communication complicate the modeling and verification of SmE's reliable behavior. Of the many available modeling and verification techniques, formal methods appear to be the most promising. Due to a large variety of implementation scenarios and support for conditional behavior/processing, the concept of SmE is applicable to diverse areas which calls for focused research. As a result, a number of modeling and verification techniques have been made available for designers. This paper explores and puts into perspective the modeling and verification techniques based on an extended literature survey. These techniques mainly focus on some specific aspects, with a few overlapping scenarios (such as user interaction, devices interaction and control, context awareness, etc.), which were of the interest to the researchers based on their specialized competencies. The techniques are categorized on the basis of various factors and formalisms considered for the modeling and verification and later analyzed. The results show that no surveyed technique maintains a holistic perspective; each technique is used for the modeling and verification of specific SmE aspects. The results further help the designers select appropriate modeling and verification techniques under given requirements and stress for more R&D effort into SmE modeling and verification researc

MODELFY: A Model-driven Solution for Decision Making based on Fuzzy Information

There exist areas, such as the disease prevention or inclement weather protocols, in which the analysis of the information based on strict protocols require a high level of rigor and security. In this situation, it would be desirable to apply formal methodologies that provide these features. In this scope, recently, it has been proposed a formalism, fuzzy automaton, that captures two relevant aspects for fuzzy information analysis: imprecision and uncertainty. However, the models should be designed by domain experts, who have the required knowledge for the design of the processes, but do not have the necessary technical knowledge. To address this limitation, this paper proposes MODELFY, a novel model-driven solution for designing a decision-making process based on fuzzy automata that allows users to abstract from technical complexities. With this goal in mind, we have developed a framework for fuzzy automaton model design based on a Domain- Specific Modeling Language (DSML) and a graphical editor. To improve the interoperability and functionality of this framework, it also includes a model-to-text transformation that translates the models designed by using the graphical editor into a format that can be used by a tool for data analysis. The practical value of this proposal is also evaluated through a non-trivial medical protocol for detecting potential heart problems. The results confirm that MODELFY is useful for defining such a protocol in a user-friendly and rigorous manner, bringing fuzzy automata closer to domain expert

Proceedings of the First NASA Formal Methods Symposium

Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis Of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000