Open PCA Pump Artifacts

Open PCA Pump Concept of Operations

The purpose of a Concept of Operations (ConOps) is to identify users (more generally stakeholders), the environment in which system will operate, the needs to the users to be addressed by system functionality, and use cases of how users expect to interact with the pump. The ConOps documents the detailed use and exception cases following the methodology presented in the FAA's Requirements Engineering Management Handbook (DOT/FAA-0832) (which is based on Cockburn's Writing Effective Use Cases. Use cases describe normal operation. Exception cases describe response to hazards or other deviations from expected operation.

Researchers can experiment with different use case formalizations, and techniques to derive requirements and tests from use cases.

  • Open PCA Pump Concept of Operations (see Part 1 of .pdf)

Open PCA Pump Requirements

This document presents engineering requirements for the Open PCA Pump based on the methodology presented in the
FAA Requirements Engineering Management Handbook (DOT/FAA/AR-08/32). While the requirements do address aspects of the architecture and hardware, the focus is on functional, safety, and security requirements for the system and the software.

Open PCA Pump requirements derive from use and exception cases of the ConOps. The requirements address the infusion functionality of the primary infusion modes, correctness of information input/output over the operator interface (including standards compliant alarm notifications), validation of operator-entered infusion settings using drug libraries, functionality of risk controls that system faults and exceptional circumstances, and security features of the pump. The requirements also address functionality of an interoperability interface for accessing pump functionality over the network via a medical application platform. Each requirement has a unique textual identifier to support traceability.

The requirements document also includes a section on system design. This section provides a high-level overview of the Open PCA Pump architecture, and listings that allocate each requirement to one or more components of the design. This enables traceability between the architecture and the requirements (using the requirements identifiers mentioned above).

Researchers can use the requirements as case studies for analyzing requirements consistency and completeness, expressing requirements in various formal specification languages, decomposing requirements to interface specifications, or building requirements compliant implementations.

  • Open PCA Pump Requirements (.pdf)

Open PCA Pump Architecture Specification

An AADL system architecture defines the structure of the PCA pump as components with precisely-defined interactions. AADL is used because it was was created specifically for describing the architecture of embedded electronics systems using software.

The Open PCA Pump architecture specification is an important artifact because it serves as a single source of truth about system components and communication from which source code for interfaces and communication is automatically generated. The architecture provides structural abstraction of the system for framing several different types of analyses including schedulability, control/data flow, and error propagation. It is also used for defining interaction points and interfaces to which one may add contracts that capture behavioral interface specifications. Having the architecture serve as a touch point for all of these aspects helps ensure consistency and traceability.

Researchers can use the architecture description to compare and contrast other architecture description languages, evaluate different forms of architecture level analyses, and evaluate architecture-driven code generation approaches.

Open PCA Pump Interface Behavioral Specifications

The Open PCA Pump artifacts provide an excellent opportunity to illustrate and evaluate formal behavioral specification languages as well techniques for demonstrating the implementations comply to formal specification languages. The Open PCA Pump artifacts include specifications and behaviors written in the Behavior Language for Embedded Systems with Software (BLESS) and the SAnToS Lab's forth-coming Sireum verification framework. A full release of these artifacts is expected at a later date.

Open PCA Pump Risk Management Artifacts

International standards such as ISO 14971 mandate risk management processes for medical device develop that including identify how a device might harm the patient, performing hazard analysis to identify the faults and other root causes that can lead to harms, designing risk controls to reduce the severity or likelihood of such scenarios, and verifying the risk controls are appropriately implemented. AADL's Error Modeling annex (EMv2) provides annotations that can be attached to the architecture specifications to document possible sources of faults, component failure modes, propagations of the effects of faults and errors, and points at which a system can cause harms by interacting with its environment. Various reports can be automatically derived from this information including Fault Tree Analyses (FTA) diagrams and Failure Modes and Effects Analysis (FMEA) tables.

The following paper (submitted for publication) provides an overview of how AADL EMv2 has been extended to support ISO 14971 aligned risk analysis for the Open PCA Pump.

  • "Model-based Risk Analysis for an Open-Source PCA Pump using the AADL Error Modeling Annex", Hariharan Thiagarajan, Brian Larson, John Hatcliff, and Yi Zhang. May 2020. (.pdf)

The Sireum Awas AADL dependence analysis tool is one of the primary tools being used to support Open PCA Pump risk analysis. This linkhere goes directly to a summary of Awas applied to support risk management for the Open PCA Pump.

Also see the following paper for an illustration of EMv2 applied to a simpler infant incubator medical device.

"Illustrating the AADL Error Modeling Annex (v. 2) Using a Simple Safety-Critical Medical Device", Brian Larson, John Hatcliff, Kim Fowler, Julien Delange. Proceedings of the 2013 ACM Conference on High Integrity Language Technology (HILT 2013), Philadelphia, PA. November, 2013.

Open PCA Pump Assurance Case

This document presents a draft of a safety case for the Open PCA Pump driven, in large part, by hazards identified in the US FDA Guidance on Infusion Pumps. The safety case is built using the NOR-STA assurance case tool.

The assurance case document can also be viewed directly (read only mode) in the web-based NOR-STA tool.

  • Open PCA Assurance Case Report (.pdf)

A full release of the assurance case is expected at a later date.

Open PCA Pump Implementation

The Open PCA Pump Project provides two ways to experiment with pump implementations. The KSU Sireum framework is used to automatically generate source-level interfaces and communication infrastructure, and developers can use Sireum to (a) implement the internal behaviors of components (or these can be autogenerated from BLESS) and (b) simulate the behavior of the entire pump. The simulation prototype provides an operator interface graphical user interface and demonstration interfaces for seeding various types of faults and safety-related events.

The ISOSCELES project is providing a platform on which the Open PCA Pump can be deployed. ISOSCELES is a reference implementation for mixed-criticality medical and Internet of Things (IoT) systems. Based on a strong separation architecture, the reference implementation enables manufacturers to focus on the clinical side of their product, reducing the time and effort recreating the underlying safe and secure platform and associated regulatory evidence. ISOSCELES has been instantiated on the Xen hypervisor, and the seL4 and NOVA separation microkernels. The Xen version is suitable for low criticality devices, and easily supports rapid prototyping. The seL4 version is highly hardened and fits in a small memory footprint. ISOSCELES targets low-power x86 and ARM embedded processors. The current seL4 prototype runs on Intel-Atom and AMD G-series. The Xen prototype runs on ARM Cortex-A7 and AMD G-series. To realize the hardware aspects of the Open PCA Pump, these embedded prototypes drive the electromechanical components of a decommissioned PCA pump.

For an overview of the ISOSCELES project, see the following paper.

  • "A Reference Separation Architecture for Mixed-Criticality Medical and IoT Devices", Carpenter, Hatcliff, and Vasserman. Proceedings of ACM Workshop on the Internet of Safe Things. Nov. 2017. (.pdf)