A Development Environment for Medical Application Platform Apps

A DEVELOPMENT AND ASSURANCE PROCESS FOR MEDICAL APPLICATION PLATFORM APPS

by

SAM PROCTER

B.S., University of Nebraska – Lincoln, 2009
M.S., Kansas State University, 2011

AN ABSTRACT OF A DISSERTATION

submitted in partial fulfillment of the requirements for the degree

DOCTOR OF PHILOSOPHY

Department of Computing and Information Sciences
College of Engineering

KANSAS STATE UNIVERSITY
Manhattan, Kansas
2016

Abstract

Medical devices have traditionally been designed, built, and certified for use as monolithic units. A new vision of "Medical Application Platforms" (MAPs) is emerging that would enable compositional medical systems to be instantiated at the point of care from a collection of trusted components. This work details efforts to create a development environment for applications that run on these MAPs.

The first contribution of this effort is a language and code generator that can be used to model and implement MAP applications. The language is a subset of the Architecture, Analysis and Design Language (AADL) that has been tailored to the platform-based environment of MAPs. Accompanying the language is software tooling that provides automated code generation targeting an existing MAP implementation.

The second contribution is a new hazard analysis process called the Systematic Analysis of Faults and Errors (SAFE). SAFE is a modified version of the previously-existing System Theoretic Process Analysis (STPA), that has been made more rigorous, partially compositional, and easier. SAFE is not a replacement for STPA, however, rather it more effectively analyzes the hardware- and software-based elements of a full safety-critical system. SAFE has both manual and tool-assisted formats; the latter consists of AADL annotations that are designed to be used with the language subset from the first contribution. An automated report generator has also been implemented to accelerate the hazard analysis process.
Third, this work examines how, independent of its place in the system hierarchy or the precise configuration of its environment, a component may contribute to the safety (or lack thereof) of an entire system. Based on this, we propose a reference model which generalizes notions of harm and the role of components in their environment so that they can be applied to components either in isolation or as part of a complete system. Connections between these formalisms and existing approaches for system composition and fault propagation are also established. This dissertation presents these contributions along with a review of relevant literature, evaluation of the SAFE process, and concludes with discussion of potential future work.

A DEVELOPMENT AND ASSURANCE PROCESS FOR MEDICAL APPLICATION PLATFORM APPS

by

Sam Procter

B.S., University of Nebraska – Lincoln, 2009
M.S., Kansas State University, 2011

A DISSERTATION

submitted in partial fulfillment of the requirements for the degree

DOCTOR OF PHILOSOPHY

Department of Computing and Information Sciences
College of Engineering

KANSAS STATE UNIVERSITY
Manhattan, Kansas
2016

Approved by:
Major Professor
John Hatcliff

Copyright
Sam Procter
2016

Table of Contents

List of Figures  xiii
List of Tables  xvii
Acknowledgements  xviii
1 Introduction  1
2 Literature Review  5
  2.1 Integrating Medical Devices  5
    2.1.1 Medical Application Platforms  5
    2.1.2 The Integrated Clinical Environment  8
    2.1.3 The Medical Device Coordination Framework  9
    2.1.4 Connecting Medical Devices  13
    2.1.5 A PCA Interlock App  15
  2.2 System Safety  17
    2.2.1 A Note on Terminology  17
    2.2.2 Hazard Analyses  19
    2.2.3 The Fault Propagation and Transformation Calculus  25
    2.2.4 Documenting Safety: Assurance Cases  26
    2.2.5 Standardization Efforts  29
  2.3 Architecture Modeling  38
    2.3.1 Why Model System Architecture?  38
    2.3.2 Architecture Modeling Techniques  41
    2.3.3 Technological Approaches to Architecture Modeling  44
3 An AADL Subset for MAP Apps  54
  3.1 Introduction  54
    3.1.1 App Development Environment Vision  56
    3.1.2 Mechanization and Regulatory Authorities  57
  3.2 Why AADL for MAPs?  58
    3.2.1 Medical Application Platforms  58
    3.2.2 Architecture Analysis & Design Language  60
    3.2.3 Why subset AADL?  61
  3.3 Language Walkthrough  63
    3.3.1 Preliminary tasks: Types and Default Properties  65
    3.3.2 The AADL System  67
    3.3.3 The AADL Process and Device  69
    3.3.4 The AADL Thread  72
  3.4 Code Generation and Instantiation  73
    3.4.1 Executable Code Skeletons  73
    3.4.2 App Configuration  77
    3.4.3 Launching the App  79
  3.5 Tailoring AADL to a Domain  81
4 The SAFE Process  83
  4.1 Core Concepts  85
    4.1.1 Successor Dangers  87
    4.1.2 Manifestations  89
    4.1.3 Fault Classification  92
    4.1.4 Formality in Causation and Decomposition  94
    4.1.5 Terminology  99
    4.1.6 Parallel and Compositional Aspects of SAFE  101
  4.2 Activity 0: Fundamentals  103
    4.2.1 System-Level Fundamentals  104
    4.2.2 Specifying a Control Structure  113
  4.3 Activity 1: Externally Caused Dangers  117
    4.3.1 Successor Dangers and Process Models  117
    4.3.2 Deriving an Element's Dangers  123
    4.3.3 Documenting External Interactions  126
  4.4 Activity 2: Internally Caused Faults  131
    4.4.1 Eliminating Classes of Faults  132
    4.4.2 Documenting Internal Faults  134
  4.5 Assessment  138
    4.5.1 Objective Attributes  138
    4.5.2 Subjective Attributes of Previous Hazard Analyses  142
    4.5.3 Subjective Evaluation of SAFE  147
    4.5.4 Threats to Validity  153
5 Theoretical Foundations  154
  5.1 Introduction  154
    5.1.1 Hierarchical Depth, Component Role, and Undesirability  155
  5.2 Process  157
  5.3 Formalisms  163
  5.4 Compositionality  167
    5.4.1 A Baseline System  169
    5.4.2 Compositional Approach: App  175
    5.4.3 Compositional Approach: Pump  178
    5.4.4 Analyzing the Composed System  181
    5.4.5 Refining a Component  185
  5.5 Fault Propagation and Transformation  190
    5.5.1 Example System  191
    5.5.2 Differences Found  193
    5.5.3 Methodological Discussion and Vocabulary  195
  5.6 Gaps in the Analysis  198
6 Evaluation  201
  6.1 Analysis of the PCA Interlock System  201
    6.1.1 Previously Discovered Issues  201
    6.1.2 Newly Discovered Issues  204
    6.1.3 Threats to Validity  207
  6.2 Proposed User Study  207
    6.2.1 Methodology  207
    6.2.2 Hypothesis  209
    6.2.3 Threats to Validity  210
    6.2.4 Further Studies  210
7 Future Work and Conclusions  212
  7.1 Future Work  212
    7.1.1 MDCF Architect  212
    7.1.2 The SAFE Process  214
    7.1.3 Theoretical Work  216
  7.2 Concluding Remarks  217
Bibliography  218
A SAFE Process  233
B SAFE Worksheets  254
C Full PCA Example  257

List of Figures

2.1 The ICE Architecture, figure adapted from [1,2]  8
2.2 The MDCF Architecture, figure adapted from [1]  10
2.3 The App Developer's view of the PCA Interlock Application  16
2.4 The MDCF view of the PCA Interlock Application ...

Details

File type: pdf
Content language: English
File pages: 294
