
    MDevSPICE - A comprehensive solution for manufacturers and assessors of safety-critical medical device software

    Software development is frequently challenged with quality concerns. One of the primary reasons for such issues is the very nature of the software development process. First, it can be difficult to accurately and completely identify the requirements for a software development product. Also, the implementation on various platforms and the need to integrate with sometimes unforeseeable additional systems adds complexity. For safety critical domains, such as the medical device and healthcare sectors, these hurdles are amplified. Whereas a failure in a desktop application may be resolved through a restart with no harm incurred, a failure in a medical device can have life threatening consequences. Our work in the Regulated Software Research Centre (RSRC) aims to support medical device producers in the production of safer medical device software. In this paper, we describe the MDevSPICE framework and how it addresses the safety concerns faced by medical device producers

    Reduce Cost of ISO 26262 Compliance while Driving Productivity Gains

    In response to the increased use of electronic systems within the automotive industry, and particularly in recognition of their application to safety-critical functions, the ISO 26262 standard was created to address the needs specific to electrical/electronic/programmable electronic (E/E/PE) systems within road vehicles. It is an adaptation of the IEC 61508 standard, which was designed as the foundation for other industry-specific standards. Previous examples of such adaptations include the CENELEC EN 50128 standard in the rail industry and the IEC 61511 standard in the process industry. It also has much in common with the DO-178B standard used in aerospace applications, particularly with respect to the requirement for MC/DC (Modified Condition/Decision Coverage) and the structural coverage analysis process. The standard provides detailed industry-specific guidelines for the production of all software for automotive systems and equipment, whether safety-critical or not. It provides a risk-management approach including the determination of risk classes (Automotive Safety Integrity Levels, ASILs).
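    MC/DC, which the abstract names as a requirement shared by ISO 26262 and DO-178B, is easiest to see on a small decision. The following Python is an added example, not code from the paper or from any ISO 26262 tool; the decision `A && (B || C)` and the condition names are constructed for illustration. It checks whether a test set satisfies unique-cause MC/DC (each condition shown to flip the outcome on its own while the others are held fixed) and brute-forces the smallest such set.

```python
from itertools import combinations, product

CONDITIONS = ("A", "B", "C")

def decision(A, B, C):
    """Constructed example decision with three conditions: A && (B || C)."""
    return A and (B or C)

def independence_pairs(decision, conditions, tests):
    """Unique-cause MC/DC: for every condition, look for two tests that differ
    only in that condition and produce different decision outcomes.
    Returns {condition: (test1, test2) or None}."""
    pairs = {}
    for cond in conditions:
        pairs[cond] = None
        others = [c for c in conditions if c != cond]
        for t1, t2 in combinations(tests, 2):
            if (t1[cond] != t2[cond]
                    and all(t1[c] == t2[c] for c in others)
                    and decision(**t1) != decision(**t2)):
                pairs[cond] = (t1, t2)
                break
    return pairs

def is_mcdc_complete(decision, conditions, tests):
    """True when every condition has been shown to independently affect the outcome."""
    return all(p is not None for p in independence_pairs(decision, conditions, tests).values())

def minimal_mcdc_set(decision, conditions):
    """Brute-force the smallest MC/DC-complete test set over all 2**n input vectors.
    Fine for a handful of conditions; real coverage tools derive this structurally."""
    vectors = [dict(zip(conditions, bits))
               for bits in product((False, True), repeat=len(conditions))]
    # Unique-cause MC/DC needs at least n+1 tests for n conditions, so start there.
    for size in range(len(conditions) + 1, len(vectors) + 1):
        for subset in combinations(vectors, size):
            if is_mcdc_complete(decision, conditions, list(subset)):
                return list(subset)
    return vectors

if __name__ == "__main__":
    # Branch coverage alone (one true and one false outcome) is not MC/DC.
    branch_only = [dict(A=True, B=True, C=True), dict(A=False, B=False, C=False)]
    print("branch-only set is MC/DC complete:", is_mcdc_complete(decision, CONDITIONS, branch_only))
    best = minimal_mcdc_set(decision, CONDITIONS)
    print("minimal MC/DC set (%d tests):" % len(best))
    for cond, pair in independence_pairs(decision, CONDITIONS, best).items():
        print(" ", cond, "shown by", pair)
```

    For three conditions the search returns four tests instead of the eight of exhaustive testing, which is the point of MC/DC: linear rather than exponential growth in the number of tests while still exercising each condition's independent effect. The check implemented here is the strict unique-cause form; the masking form accepted in avionics guidance admits additional pairs and would need a slightly different comparison.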

    Software development in the post-PC era : towards software development as a service

    PhD Thesis. Engineering software systems is a complex task which involves various stakeholders and requires planning and management to succeed. As the role of software in our daily life increases, so does the complexity of software systems. Throughout the short history of software engineering as a discipline, development practices and methods have rapidly evolved to seize opportunities enabled by new technologies (e.g., the Internet) and to overcome economic challenges (e.g., the need for cheaper and faster development). Today, we are witnessing the Post-PC era: an era characterised by mobility and services, an era which removes organisational and geographical boundaries, an era which changes the functionality of software systems and requires alternative methods for conceiving them. In this thesis, we envision executing software development processes in the cloud. Software processes have a software production aspect and a management aspect. To the best of our knowledge, there are no academic or industrial solutions supporting the entire software development process life-cycle (from both the production and management aspects) and its tool-chain execution in the cloud. Our vision is to use the cloud's economies of scale and leverage Model-Driven Engineering (MDE) to integrate production and management aspects into the development process. Since software processes are seen as workflows, we investigate using existing Workflow Management Systems to execute software processes and find that these systems are not suitable. Therefore, we propose a reference architecture for Software Development as a Service (SDaaS). The SDaaS reference architecture is the first proposal which fully supports development of complex software systems in the cloud. In addition to the reference architecture, we investigate three specific related challenges and propose novel solutions addressing them. These challenges are:

    Modelling and enacting cloud-based executable software processes. Executing software processes in the cloud can bring several benefits to software development. In this thesis, we discuss the benefits and considerations of cloud-based software processes and introduce a modelling language for modelling such processes. We refer to this language as EXE-SPEM. It extends the Software and Systems Process Engineering (SPEM 2.0) OMG standard to support creating cloud-based executable software process models. Since EXE-SPEM is a visual modelling language, we introduce an XML notation to represent EXE-SPEM models in a machine-readable format and provide mapping rules from EXE-SPEM to this notation. We demonstrate this approach by modelling an example software process using EXE-SPEM and mapping it to the XML notation. Software process models expressed in this XML format can then be enacted in the proposed SDaaS architecture.

    Cost-efficient scheduling of software process execution in the cloud. Software process models are enacted in the SDaaS architecture as workflows; we sometimes refer to them as Software Workflows. Once we have executable software process models, we need to schedule them for execution. In a setting where multiple software workflows (and their activities) compete for shared computational resources (workflow engines), scheduling workflow execution becomes important. Workflow scheduling is an NP-hard problem which refers to the allocation of sufficient resources (human or computational) to workflow activities. The schedule impacts the workflow makespan (execution time) and cost as well as the utilisation of computational resources. The target of the scheduling is to reduce the process execution cost in the cloud without significantly affecting the process makespan while satisfying the special requirements of each process activity (e.g., executing on a private cloud). We adapt three workflow scheduling algorithms to fit SDaaS and propose a fourth one, the Proportional Adaptive Task Schedule. The algorithms are then evaluated through simulation. The simulation results show that our proposed algorithm saves between 19.74% and 45.78% of the execution cost, provides the best resource (VM) utilisation and provides the second-best makespan compared to the other presented algorithms.

    Evaluating the SDaaS architecture using a case study from the safety-critical systems domain. To evaluate the proposed SDaaS reference architecture, we instantiate a proof-of-concept implementation of the architecture. This implementation is then used to enact safety-critical processes as a case study. Engineering safety-critical systems is a complex task which involves multiple stakeholders. It requires shared and scalable computation to systematically involve geographically distributed teams. In this case study, we use EXE-SPEM to model a portion of a process (namely the Preliminary System Safety Assessment, PSSA) adapted from the ARP4761 [2] aerospace standard. Then, we enact this process model in the proof-of-concept SDaaS implementation. By using the SDaaS architecture, we demonstrate the feasibility of our approach and its applicability to different domains and to customised processes. We also demonstrate the capability of EXE-SPEM to model cloud-based executable processes. Furthermore, we demonstrate the added value of the process models and the process execution provenance data recorded by the SDaaS architecture: this data is used to automate the generation of safety case argument fragments, reducing development cost and time. Finally, the case study shows that we can integrate some existing tools and create new ones as activities used in process models.

    The proposed SDaaS reference architecture (combined with its modelling, scheduling and enactment capabilities) brings the benefits of the cloud to software development. It can potentially save software production cost and provide an accessible platform that supports collaborating teams (potentially across different locations). The executable process models support unified interpretation and execution of processes across team members. In addition, the use of models provides managers with global awareness and can be utilised for quality assurance and for process metrics analysis and improvement. We see the contributions provided in this thesis as a first step towards an alternative development method that uses the benefits of cloud and Model-Driven Engineering to overcome existing challenges and open new opportunities. However, there are several challenges outside the scope of this study which need to be addressed to allow full support of the SDaaS vision (e.g., supporting interactive workflows). The solutions provided in this thesis address only part of a bigger vision. There is also a need for empirical and usability studies of the impact of the SDaaS architecture on both the produced products (in terms of quality, cost, time, etc.) and the participating stakeholders.

    Comparison of umbilical artery Doppler and non-stress test in assessment of fetal well-being in gestational diabetes mellitus: A prospective cohort study

    There currently exist in production an immense number of applications that are considered safety-critical, meaning that their execution is directly related to the well-being of people. A domain where such applications are particularly present is the aeronautics industry. A piece of critical software embedded in an aircraft's onboard computer cannot, under any circumstance, fail while the aircraft is in flight, and this restriction becomes more severe as the criticality of the application rises. This situation also poses a difficulty when testing software: since an application can only be tested in its real environment (flight test) once there are guarantees that it will not fail, other methods such as unit tests and simulations have to be used. But none of these methods is sound: if some particular case is unintentionally left out of the executions, then the behaviour of the program in that scenario is not covered by the analysis, and for safety-critical applications such small cases can make a very big difference. This is why more and more companies that produce this kind of software are starting to include sound techniques in their verification process to validate the absence of run-time errors in their programs. In particular Airbus, one of the main aircraft manufacturers in the world, uses AstréeA, a static analyzer based on abstract interpretation, to prove that the programs embedded in its onboard computers cannot fail. The following report presents an investigation in which AstréeA was used at Airbus to prove the absence of run-time errors in the ATSU. The introductory chapter presents a description of the software analyzed, the objectives set for the project and its scope. Chapter 2 presents the necessary theoretical concepts: sections 2.1 to 2.3 give an overview of the basics of abstract interpretation, while section 2.4 presents the analyzer used. Chapters 3 and 4 describe in depth the solution adopted and how the investigation was carried out. Finally, chapters 5 and 6 present and analyse the results obtained in the period of study and the current state of the solution.
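    Abstract interpretation, the technique behind Astrée, can be shown on a toy: an interval domain analysing an array-indexing loop. The following Python is an added example, not Astrée's implementation and not code from the report; the loop shape, the array length and the range assumed for `n` are constructed. It computes a loop invariant for the index with the standard interval widening, raises an alarm whenever the index interval can leave the array bounds, and shows why widening matters (the fixpoint is reached in two iterations instead of seventeen).

```python
import math

INF = math.inf

class Interval:
    """Abstract value: a closed interval [lo, hi] (infinite ends allowed) or bottom (empty)."""
    __slots__ = ("lo", "hi")

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi

    @classmethod
    def bottom(cls):
        return cls(INF, -INF)

    def is_bottom(self):
        return self.lo > self.hi

    def __eq__(self, other):
        if self.is_bottom() and other.is_bottom():
            return True
        return (self.lo, self.hi) == (other.lo, other.hi)

    def __repr__(self):
        return "bottom" if self.is_bottom() else f"[{self.lo}, {self.hi}]"

    def join(self, other):      # least upper bound: convex hull of the two intervals
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet(self, other):      # intersection: used to refine a value by a branch/loop guard
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))

    def widen(self, other):     # standard interval widening: an unstable bound jumps to infinity
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        lo = self.lo if other.lo >= self.lo else -INF
        hi = self.hi if other.hi <= self.hi else INF
        return Interval(lo, hi)

    def add(self, other):
        if self.is_bottom() or other.is_bottom():
            return Interval.bottom()
        return Interval(self.lo + other.lo, self.hi + other.hi)

def analyse_index_loop(n_range, buf_len, strict_guard=True, use_widening=True, max_iter=1000):
    """Abstract execution of the constructed program
        i = 0
        while i < n:          # or i <= n when strict_guard is False
            x = buf[i]        # buf has buf_len elements: check 0 <= i < buf_len
            i = i + 1
    where n is only known to lie in n_range. Returns the alarm flag, the
    loop-head invariant for i and the number of fixpoint iterations needed."""
    n = Interval(*n_range)
    guard_hi = n.hi - 1 if strict_guard else n.hi   # largest i for which the guard can hold
    head = Interval(0, 0)                           # i = 0 on loop entry
    alarm = False
    iterations = 0
    while iterations < max_iter:
        iterations += 1
        body_i = head.meet(Interval(-INF, guard_hi))   # values of i that enter the body
        if body_i.is_bottom():
            break                                      # body unreachable: nothing to check
        if body_i.lo < 0 or body_i.hi >= buf_len:
            alarm = True                               # buf[i] may be out of bounds
        after_body = body_i.add(Interval(1, 1))        # i = i + 1
        new_head = Interval(0, 0).join(after_body)     # entry edge joined with the back edge
        if use_widening:
            new_head = head.widen(new_head)
        if new_head == head:
            break                                      # post-fixpoint reached
        head = new_head
    return {"alarm": alarm, "loop_invariant": head, "iterations": iterations}

if __name__ == "__main__":
    print("i < n,  n in [0,16], 16 elements:", analyse_index_loop((0, 16), 16))
    print("i <= n, n in [0,16], 16 elements:", analyse_index_loop((0, 16), 16, strict_guard=False))
    print("no widening:", analyse_index_loop((0, 16), 16, use_widening=False))
```

    The `i <= n` variant is the classic off-by-one, and the analysis reports it because the guard refines `i` to [0, 16] inside the body while the last valid index is 15. Without widening the invariant grows by one element per iteration, which is harmless here but does not terminate when `n` is unbounded; with widening the head invariant jumps to [0, +inf) and the guard does the rest. Astrée keeps precision on top of this with narrowing, relational domains and domain-specific refinements, none of which this toy has.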

    Modeling Guidelines for Code Generation in the Railway Signaling Context

    Modeling guidelines constitute one of the fundamental cornerstones of Model-Based Development. Their relevance is essential when dealing with code generation in the safety-critical domain. This article presents the experience of a railway signaling systems manufacturer on this issue. The introduction of Model-Based Development (MBD) and code generation in the industrial safety-critical sector created a crucial paradigm shift in the development process of dependable systems. While traditional software development focuses on the code, with MBD practices the focus shifts to model abstractions. The change has fundamental implications for safety-critical systems, which still need to guarantee a high degree of confidence at code level. Usage of the Simulink/Stateflow platform for modeling, a de facto standard in control software development, does not by itself ensure the production of high-quality dependable code. Companies have addressed this issue by defining modeling rules that restrict the usage of design tool components, in order to enable the production of qualified code. The MAAB Control Algorithm Modeling Guidelines (MathWorks Automotive Advisory Board) [3] are a well-established set of publicly available rules for modeling with Simulink/Stateflow. This set of recommendations was developed by a group of OEMs and suppliers of the automotive sector with the objective of enforcing and easing the usage of the MathWorks tools within the automotive industry. The guidelines were published in 2001 and afterwards revised in 2007 to integrate additional rules developed by the Japanese division of MAAB [5]. The scope of the current edition of the guidelines ranges from model maintainability and readability to code generation issues. The rules are conceived as a reference baseline and therefore need to be tailored to the characteristics of each industrial context. Customization of these recommendations has been performed for the automotive control systems domain to support code generation [7]. The MAAB guidelines have also been found profitable in the aerospace/avionics sector [1] and have been adopted by the MathWorks Aerospace Leadership Council (MALC). General Electric Transportation Systems (GETS) is a well-known railway signaling systems manufacturer and a leader in Automatic Train Protection (ATP) technology. As part of an effort to adopt formal methods within its own development process, GETS decided to introduce system modeling by means of the MathWorks tools [2], and in 2008 chose to move to code generation. This article reports the experience of GETS in developing its own modeling standard by customizing the MAAB rules for the railway signaling domain, and shows the result of this experience with a successful product development story.

    Reliability demonstration for safety-critical systems

    This paper suggests a new model for reliability demonstration of safety-critical systems, based on the TRW Software Reliability Theory. The paper describes the model, the test equipment required and test strategies based on the various constraints occurring during software development. The paper also compares a new testing method, Single Risk Sequential Testing (SRST), with the standard Probability Ratio Sequential Testing method (PRST), and concludes that:
    • SRST provides higher chances of success than PRST
    • SRST takes less time to complete than PRST
    • SRST satisfies the consumer risk criterion, whereas PRST provides a much smaller consumer risk than the requirement
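    PRST, the baseline the paper compares against, is Wald's sequential probability ratio test applied to MTBF demonstration. The following Python is an added example of that standard test under an exponential failure model, together with a Monte Carlo check of the realised producer and consumer risks; it is not the paper's model and does not implement SRST, and the MTBF hypotheses `theta0`/`theta1`, the risk levels and the failure data are constructed.

```python
import math
import random

def sprt_thresholds(alpha, beta):
    """Wald's log-likelihood-ratio boundaries for producer risk alpha and consumer risk beta."""
    accept_below = math.log(beta / (1 - alpha))   # accept H0 (system is acceptable)
    reject_above = math.log((1 - beta) / alpha)   # reject H0 (system is unacceptable)
    return accept_below, reject_above

def sprt_decide(observations, theta0, theta1, alpha, beta):
    """Sequential MTBF demonstration with exponentially distributed times to failure.

    H0: MTBF = theta0 (acceptable)     H1: MTBF = theta1 < theta0 (unacceptable)
    observations: (test_hours, failed) increments in the order they occurred.
    Returns (decision, total_hours, failures); decision is "accept", "reject" or "continue".
    """
    assert 0 < theta1 < theta0
    accept_below, reject_above = sprt_thresholds(alpha, beta)
    log_ratio = math.log(theta0 / theta1)        # each failure adds this to the LLR
    rate_diff = 1.0 / theta1 - 1.0 / theta0      # each failure-free hour subtracts this
    hours, failures = 0.0, 0
    for dt, failed in observations:
        hours += dt
        failures += int(failed)
        llr = failures * log_ratio - hours * rate_diff
        if llr <= accept_below:
            return "accept", hours, failures
        if llr >= reject_above:
            return "reject", hours, failures
    return "continue", hours, failures

def estimate_risk(true_mtbf, system_is_acceptable, theta0, theta1, alpha, beta,
                  trials=1000, seed=1, max_hours=20000.0):
    """Monte Carlo estimate of the probability of the wrong decision for a system
    whose true MTBF is true_mtbf (constructed simulation). Runs still undecided
    at max_hours are truncated and counted as 'accept', the pessimistic choice
    when estimating consumer risk."""
    rng = random.Random(seed)
    wrong_decision = "reject" if system_is_acceptable else "accept"
    wrong = 0
    for _ in range(trials):
        obs, elapsed = [], 0.0
        while True:
            gap = rng.expovariate(1.0 / true_mtbf)
            if elapsed + gap > max_hours:
                obs.append((max_hours - elapsed, False))   # remaining time without failure
                break
            obs.append((gap, True))
            elapsed += gap
        decision, _, _ = sprt_decide(obs, theta0, theta1, alpha, beta)
        if decision == "continue":
            decision = "accept"
        if decision == wrong_decision:
            wrong += 1
    return wrong / trials

if __name__ == "__main__":
    THETA0, THETA1, ALPHA, BETA = 1000.0, 500.0, 0.1, 0.1     # discrimination ratio 2
    print("2500 failure-free hours:", sprt_decide([(500.0, False)] * 5, THETA0, THETA1, ALPHA, BETA))
    print("a failure every 100 hours:", sprt_decide([(100.0, True)] * 10, THETA0, THETA1, ALPHA, BETA))
    print("realised consumer risk:", estimate_risk(THETA1, False, THETA0, THETA1, ALPHA, BETA))
    print("realised producer risk:", estimate_risk(THETA0, True, THETA0, THETA1, ALPHA, BETA))
```

    The consumer risk is the probability of accepting a system whose MTBF is really `theta1`, and the producer risk the probability of rejecting one whose MTBF is `theta0`. Wald's boundaries are derived by ignoring how far the statistic overshoots them at the moment of decision, so the realised risks typically come out below the nominal values; the abstract's remark that PRST gives a much smaller consumer risk than required is an instance of that conservatism, and the estimate printed above lets you measure it for a given plan.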

    Environmental Audit improvements in industrial systems through FRAM

    Environmental risk management requires specific methodologies to focus audit activities on the most critical elements of production systems. Limited resources require a clear motivation for putting attention on specific technological, human and organizational components, and often the interactions among these elements must be monitored as well. Recent research in environmental risk looks at methods for dealing with complexity as promising tools to reduce real impacts on pollution and consumption. In this paper, we provide evidence of the advantage of using the Functional Resonance Analysis Method (FRAM), not only to identify the criticalities of a complex production system but also as a methodology to continuously improve the audit activities in parallel with the introduction of techniques to reduce environmental risk. The case study presents the evolution of environmental audit in a sinter plant, showing the need for a review of the criticality list and the successful application of FRAM to refocus the control activities.

    Assurance Benefits of ISO 26262 compliant Microcontrollers for safety-critical Avionics

    The use of complex Microcontroller Units (MCUs) in avionic systems constitutes a challenge in assuring their safety: they are not developed according to the development requirements accepted by the aerospace industry. These Commercial off-the-shelf (COTS) hardware components usually target other domains, such as telecommunications. In recent years, MCUs developed in compliance with ISO 26262 have been released on the market for safety-related automotive applications. The avionic assurance process could profit from these safety MCUs. In this paper we present evaluation results, based on current assurance practice, that demonstrate how the expected assurance activities benefit from ISO 26262-compliant MCUs.
    Comment: Submitted to SafeComp 2018: http://www.es.mdh.se/safecomp2018