Safety Analysis of Software Components of a Dialysis Machine Using Model Checking

The paper describes the practical use of model checking to contribute to the risk analysis of a new paediatric dialysis machine. The formal analysis focuses on one component of the system, the table-driven software controller that drives the dialysis cycle and handles error management. The analysis provided evidence that the risk control measures allocated to the software component were satisfied. The paper describes the productive dialogue between the developers of the device, who had no experience or knowledge of formal methods, and an analyst experienced in using the formal analysis tools. There were two aspects to this dialogue. The first concerned translating the safety requirements into formal properties in a way that preserved the meaning of each requirement. The second involved understanding the relationship between the software component under analysis and the broader concern of the system as a whole. The paper focuses on the process, highlighting how the team came to recognise the advantages over a more traditional testing approach.
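The kind of check the abstract describes, shown as an added example rather than the paper's own model: a hypothetical table-driven controller is written as a lookup table from (mode, event) to the next mode and actuator settings, a plain-language risk control measure is translated into an invariant over controller states, and a small explicit-state model checker exhaustively explores every reachable state and returns a counterexample trace when the invariant fails. The modes, events, the "pump must not run while an alarm is raised" requirement and the two table variants are constructed for illustration and are not taken from the dialysis machine or from the paper's tooling.

```python
"""Explicit-state model checking of a table-driven controller.

Constructed example: the controller table, events and safety requirement
below are assumptions made for illustration, not the paper's model.
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

# Controller state is (mode, pump_on, alarm).
State = Tuple[str, bool, bool]
Row = Tuple[str, bool, bool]           # next (mode, pump_on, alarm)
Table = Dict[Tuple[str, str], Row]     # (mode, event) -> Row

EVENTS = ("start", "stop", "fault", "clear")
INITIAL: State = ("idle", False, False)

# Hypothetical table as a developer might first write it. The row for a
# fault during dialysis raises the alarm but forgets to stop the pump.
TABLE_FLAWED: Table = {
    ("idle", "start"): ("priming", False, False),
    ("priming", "start"): ("dialysis", True, False),
    ("priming", "fault"): ("error", False, True),
    ("dialysis", "stop"): ("idle", False, False),
    ("dialysis", "fault"): ("error", True, True),
    ("error", "clear"): ("idle", False, False),
}

# Corrected table: a fault during dialysis also switches the pump off.
TABLE_FIXED: Table = dict(TABLE_FLAWED)
TABLE_FIXED[("dialysis", "fault")] = ("error", False, True)


def step(table: Table, state: State, event: str) -> State:
    """Table-driven semantics: events with no row are ignored (state held)."""
    row = table.get((state[0], event))
    return state if row is None else row


# Safety requirement (informal): "the blood pump must never run while an
# alarm is active". Its translation into a state invariant is the first of
# the two translation concerns the abstract mentions.
def no_pumping_during_alarm(state: State) -> bool:
    mode, pump_on, alarm = state
    return not (pump_on and alarm)


def _trace(parent: Dict[State, Optional[Tuple[State, str]]],
           state: State) -> List[Tuple[str, State]]:
    """Rebuild the event sequence from the initial state to `state`."""
    path: List[Tuple[str, State]] = []
    while parent[state] is not None:
        prev, event = parent[state]
        path.append((event, state))
        state = prev
    path.reverse()
    return path


def check_invariant(table: Table,
                    invariant: Callable[[State], bool],
                    initial: State = INITIAL,
                    events: Tuple[str, ...] = EVENTS
                    ) -> Optional[List[Tuple[str, State]]]:
    """Breadth-first exploration of every reachable controller state.

    Returns None if the invariant holds everywhere, otherwise the shortest
    counterexample as a list of (event, resulting_state) steps.
    """
    parent: Dict[State, Optional[Tuple[State, str]]] = {initial: None}
    queue = deque([initial])
    while queue:
        current = queue.popleft()
        if not invariant(current):
            return _trace(parent, current)
        for event in events:
            nxt = step(table, current, event)
            if nxt not in parent:          # visited set makes the search finite
                parent[nxt] = (current, event)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for name, table in (("flawed", TABLE_FLAWED), ("fixed", TABLE_FIXED)):
        result = check_invariant(table, no_pumping_during_alarm)
        print(name, "->", "invariant holds" if result is None else result)
```

The counterexample for the flawed table is the three-event sequence start, start, fault, which is exactly the evidence a developer without formal methods background can read back against the requirement. Because the search is exhaustive over the reachable states rather than over a hand-picked set of test inputs, a passing result is a proof for the model, which is the advantage over testing that the abstract refers to; it says nothing, however, about whether the model faithfully reflects the deployed controller or the rest of the system, which is the second translation concern.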
