modeling and certification of infusion pumps alan wassyng, mark lawford, tom maibaum, linna pang,...
TRANSCRIPT
Modeling and certification of infusion pumps
Alan Wassyng, Mark Lawford, Tom Maibaum,
Linna Pang, Grant Whinton, John Stribbell, Esteban Bucio, Hao Xu, Scott Watter
McMaster Centre for Software Certification
McSCert Public WorkshopNov 11, 2011
The Generic Insulin Pump
Specific infusion pump we are looking at is the generic insulin pump
Plan• Look at simplest pump we can imagine to start
• Still has essential functionality• Does not assume anything regarding hardware or
software – think of it as almost an artificial pancreas without the feedback mechanisms
• Use it to explore a particular development strategy
• Describe “top level” behaviour – perform hazards analysis – mitigate hazards by adding behaviour – perform hazards analysis ….
2
McSCert Public WorkshopNov 11, 2011
Generic?
One approach:• Examine products on the market and distil what is
“generic” Another approach:
• Start with something so simple that every product will need the included functionality
3
McSCert Public WorkshopNov 11, 2011
System Context
4
McSCert Public WorkshopNov 11, 2011
Monitored & Controlled Variables
5
McSCert Public WorkshopNov 11, 2011
M & C
Provide the necessary details right from the start Need units at the requirements level! Make two lists:
• For each C give a set of Ms it depends on• For each M give a set of Cs it will affect• Compare the lists
Finding/setting the system boundaries, requires modeling/examination of the environment (NAT in the 4 variable model)
6
McSCert Public WorkshopNov 11, 2011
Behaviour
7
McSCert Public WorkshopNov 11, 2011
System Ready
8
McSCert Public WorkshopNov 11, 2011
System Delivering Insulin
9
McSCert Public WorkshopNov 11, 2011
Infusion
10
McSCert Public WorkshopNov 11, 2011
Hazards Analysis
11
McSCert Public WorkshopNov 11, 2011
HA Under-Dosed Top
12
McSCert Public WorkshopNov 11, 2011
C_InfuFlowRate is Low
13
McSCert Public WorkshopNov 11, 2011
Complete Hazards Analysis
Rev 0
14
McSCert Public WorkshopNov 11, 2011
Mitigation
There are classes of hazards related to the user doing something “wrong”
Mitigation at this level almost always includes raining an alarm
So – we have to go back to our system description and add both Ms and Cs• Cs to display alarm messages etc• Ms to react to the alarms
Other mitigation is more traditional/expected Important: creates an iterative process
15
McSCert Public WorkshopNov 11, 2011
Next Steps
System Design• Introduce hardware/software components• Actual user interface
New hazards/hazards analysis
Software design• New hazards – and hazards analysis
Code• New hazards – and hazards analysis
16
McSCert Public WorkshopNov 11, 2011
Hazards Analysis
This talk was not supposed to be about hazards analysis – but …
It is, in many disguises, the basis of the assurance cases we are interested in!
17
McSCert Public WorkshopNov 11, 2011
Not so random thoughts
Complexity SCC vs ORF-RE Certification should be integral – but there is a
reality on the ground Research Questions
18