Infusion Pump Software Safety Research at FDA
- Software Safety
- Model-Based Design of Infusion Pumps
- Generic Infusion Pump Project
- Static Analysis
- Recent Publications About Model-Based Software Development
Many infusion pumps are controlled by software that governs key aspects of the user interface, controls the pumping mechanism to maintain the prescribed infusion rate, and performs key safety functions. The purpose of software is to make the device safer and easier to use. Users often do not realize the extent to which software determines many of the key functional and performance characteristics of the system until something goes wrong.
Unfortunately, in some cases, the software does “go wrong” and compromises patient safety. Because software is inevitably complex, abstract, and intangible, design errors can be difficult to detect. However the means to develop trusted software are well-known and readily available. Users and patients should expect infusion pump software to be free from errors. The occurrence of a software error should be a highly unusual event.
Historically, software safety has been focused on the software development process and system-level testing. Not coincidentally, the FDA has focused its regulatory oversight on these two elements as well. Having skilled engineers and a rigorous software development process, as required by FDA’s Quality System Regulation, is important to help minimize errors. However, assessing the software development process provides only indirect insight into the "goodness" of the resulting software. System-level testing that would comprehensively test software is currently beyond the state of the art for all but the simplest of systems. Moreover, it is very difficult to actually test the software under real-world conditions until it has been married with the hardware in a finished prototype, and that typically doesn't happen until late in the product development cycle. Thus, in recent years, the focus of the software engineering community has shifted from the traditional "design-test-fix" approach to a model-based approach.
Model-Based Design of Infusion Pumps
The FDA has recognized that if product developers had tools that enable them to examine and evaluate software earlier in the development cycle, then there would be a greater likelihood that the resulting software would be more robust. Just as architects now have 3D modeling tools that allow them to take their clients on virtual tours of a new building before ground has been broken, the software engineering community has been developing tools for modeling software and its interactions with the system it controls. The safety properties of the model can be systematically examined, and once the model has been verified, the software derived from it can be proven to conform to the model. The result is software designs that are far more robust than those developed using traditional methods.
Over a period of years, the Laboratory of Software Engineering at FDA (within the Center for Devices and Radiological Health) has been working with academic collaborators under the NSF/FDA Scholar-in-Residence program to develop and refine model-based engineering methods and associated verification techniques. Characteristically, these methods have been applied first in the aerospace and automotive industries, where the cost of failure is enormous in both social and economic terms and the incentive to make the necessary investment is correspondingly high. Years of research have finally been commercialized, yielding static analysis tools that are now readily available and being increasingly employed by medical device manufacturers.
Generic Infusion Pump Project
One of our ongoing research projects related to model-based software development is the Generic Infusion Pump Project. The goal of this project is to develop a set of infusion pump safety models and reference specifications that can be used / adapted by manufacturers to verify safety properties of their own infusion pumps. Our collaborators include researchers at the University of Pennsylvania in Philadelphia and the Fraunhofer Center for Experimental Software Engineering in College Park, MD.
The Generic Infusion Pump project team has a website that provides a sample hazard analysis and reference safety specifications for a generic patient-controlled analgesic infusion pump. This kind of device, often known as a "pain pump," is used to infuse medication to relieve chronic pain. Interested parties, including researchers and medical device software developers, are invited to participate with FDA in this research by refining and extending the models and specifications that have been developed. For details, please see the project website.
Software code is the name given by software engineers to the actual instructions — written in a programming language — that constitute a computer program. In modern infusion pumps, the software may contain more than 100,000 lines of code. Traditionally, three verification methods are used to determine whether the code is “correct”:
- manual code reviews, where one team of engineers systematically reviews the software developed by a different team.
- exhaustive testing of the system in which the software is used.
- simulating the execution of the software on a computer.
A fourth and relative new technique for verifying the “correctness” of the software is “static code analysis” — or “static analysis”. Static analysis is the name for a family of analytical techniques for finding bugs in software code and/or proving properties of the code related to its safety or correctness. Unlike traditional methods which run the software in a real or simulated environment to see how it performs, static analysis uses a computer to examine the source code looking for patterns that are indicative of potential design errors. Conceptually, this is exactly what human reviewers do when performing a code review, but static analysis examines the code exhaustively for certain kinds of insidious errors that are hard for human reviewers to detect.
For example, when a software program runs, it stores instructions and data values in the computer’s memory. Other parts of the software can then access this information and process it accordingly. When storing such information, the software must first request permission to access a specific amount of storage space from the operating system. Once the operating system specifies which part of memory to use, the software can place the information in the designated memory space.
Sometimes, due to a programming error, the software may inadvertently write beyond the allocated space it has been granted. In such a case, a portion of the instructions or data that were supposed to be stored is lost. Moreover, in some cases, the flawed software may overwrite data in an adjacent block of memory that was intended to be accessed by another part of the software. This problem, usually referred to as a “buffer overflow,” can result in device malfunction.
Buffer overflow is but one of many problems that can lurk in a body of software code. Static analysis is very effective in detecting a variety of different kinds of insidious software errors like buffer overflow. Since static analysis tools have to methodically trace all possible execution paths through the software, the analysis is very laborious. Until recently, these techniques were exclusively the province of the world's fastest supercomputers, but today's desktop machines have surpassed the performance of the supercomputers of a few years ago. As a result, static analysis tools have been made available commercially from a number of vendors, and as with model-based development techniques, are being increasingly embraced by medical device manufacturers.
Publications About Model-Based Software Development from the CDRH Laboratory of Software Engineering
Arney D, Jetley R, Jones P, Lee I, Sokolsky O. Formal methods based development of a PCA infusion pump reference model: Generic infusion pump (GIP) project. In: Proceedings of the High Confidence Medical Device Software and Systems (HCMDSS), Boston, Pages 23-33, June 2007.
Jetley R, Jones P. Safety requirements based analysis of infusion pump software. In: Proceedings of the Workshop on Software and Systems for Medical Devices and Services, held in conjunction with IEEE Real Time Systems Symposium, Tucson, AZ, Pages 21-24, December 2007.
Jetley R, Anderson P. Using static analysis to evaluate software in medical devices. Embedded Systems Design. Apr 2008; 21(4):40-44.
Jetley R, Jones P, Anderson P. Static analysis of medical device software using CodeSonar. In: Fong E, editor. Proceedings of the 2008 ACM SIGPLAN Workshop on Static Analysis; June 2008; Tuscon, Arizona. New York, New York: Association for Computing Machinery; 2008. p. 22-29. Available from: http://portal.acm.org/citation.cfm?id=1394507
Jetley R, Chelf B. Diagnosing medical device software defects using static analysis. Medical Device & Diagnostic Industry. May 2009; 31(5):72-83. Available from: http://www.mddionline.com/article/diagnosing-medical- device-software-defects-using-static-analysis
Ray A, Jetley R, Jones P. Engineering high confidence medical device software. In: Sololsky, O, editor. Second Joint Workshop on High Confidence Medical Devices, Software, and Systems (HCMDSS) and Medical Device Plug-and-Play; Apr 2009; San Francisco, California. New York SIGBED Review: 2009. Available from: http://sigbed.seas.upenn.edu/archives/ 2009-07/JetleySIGBED.pdf
Jones P, Jetley R, Abraham J. A formal methods-based verification approach to medical device software analysis. Embedded.com, February 2010.
Ray A, Jetley R. Model based development: An emerging approach for engineering medical device software. AAMI Biomedical Instrumentation & Technology (BI&T). Feb. 2010; 44(1): 51-3. Available from: http://www.aami-bit.org/doi/pdf/10.2345/0899-8205-44.1.51
Ray A, Jetley R, Jones P, and Zhang Y. Model based engineering for medical device software. Biomedical Instrumentation and Technology. May 2010; 44(6):507-18.
Zhang Y, Jones P and Jetley R. A hazard analysis for a generic insulin infusion pump. Journal of Diabetes Science and Technology. Mar 2010; 4(2): Pages 263-83.
Zhang Y, Jones PL, Klonoff DC. Second insulin pump safety meeting: Summary report. Journal of Diabetes Science and Technology. Mar 2010; 4(2):488-93. Available from: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2864186/
Kim B, Ayoub A, Sokolsky O, Lee I, Jones P, Zhang Y, Jetley R. Safety-assured development of the GPCA infusion pump software. In: 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT 2011); October 9-14; Taipei, Taiwan. New York, New York: Institute of Electrical and Electronics Engineers; 2011. pp. 155-64.
Zhang Y, Jetley R, Jones P, Ray A. Generic safety requirements for developing safe insulin pump software. Journal of Diabetes Science and Technology. 2011; 5(6):1403-19.
Masci P, Zhang Y, Jones P, Curzon P, Thimbleby H. Formal verification of medical device user interfaces using PVS. In: Gnesi S, Rensink A, editors. Fundamental Approaches to Engineering, 17th International Conference on Fundamental Approaches to Software Engineering (FASE’14), Held as Part of the European Joint Conferences on Theory and Practice in Software, ETAPS, April 5-13, 2014; Grenoble, France. New, York, New York: Springer; 2014. pp. 200-214.
Masci P, Zhang Y, Jones P, Thimbleby H, Curzon P. A generic user interface architecture for analyzing use hazards in infusion pump software. In: Turau V, Kwiatkowska M, Mangharam R, Weyer C, editors. Proceedings of the 5th Workshop on Medical Cyber-Physical Systems (MCPS’14) April 14, 2014; Berlin, Germany. Dagstuhl, Germany: Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik; 2014. pp.1-14. Available from: http://drops.dagstuhl.de/portals/oasics/index.php?semnr=14002