Abstract

Summary form only given. Today's medical devices are based on embedded architectures, with software used to control the underlying hardware. They are highly critical, since errors in the software can endanger end users such as patients and medics. Medical devices should be designed and manufactured in such a way that, when used, they perform as intended and ensure a high level of safety. Current industrial practices are based on testing processes to check whether the software meets its specifications and fulfills its purpose. However, testing has several disadvantages that limit the reliability of this verification and validation process. Testing cannot guarantee that a device will function properly under all conditions, and bugs can never be completely identified within a program. Several attempts have already been made to provide standards for the formal verification of safety properties of medical devices, initiated by the Generic Infusion Pump project [2]. Our work is a collaboration between Objet Direct R&D and Fresenius [1]. Fresenius is a leading international health care group which produces and markets pharmaceuticals and medical devices. We aim to investigate innovative methods for software development, validation and verification. We study existing results provided amongst others by [3, 4], which we intend to extend by analyzing the Fresenius Infusion Pump (FIP) software. FIP automates the delivery of fluid medical solutions into a patient's body. Its design is based on three layers. The highest level is the user interface and consists of three components: the administration protocol, the application system and the power management. The middle level consists of the pumping control components, and the lowest level contains driver components such as Door, Watchdog, Optical Disk and Motor. FIP is modeled in UML (a total of 100 state machines) and the requirements are written in natural language.
The model is implemented in C++ with automatic code generation. For the V&V process, software testing checks whether the implementation meets the requirements using fault scenarios written in UML. The main objective of this project is to use model-based design to migrate from software testing to a formal-methods based solution for verifying the Fresenius Infusion Pump. The goal is to use model checking technologies to verify requirements and eliminate bugs during the design process. Several faulty design patterns have already been identified, caused by deadlocks, lost signal events, stack overflows, violations of real-time properties and incoherent behavior of UML state machines. We present and analyze the case study of the FIP's Motor component, a driver component of the lowest level. Its interest lies in the fact that while the Motor Control is stopped, the Motor Driver is still running. This faulty behavior was detected during the test checks, and the bug was partially corrected in code review.
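The abstract names the failure it studies (the Motor Driver keeps running after the Motor Control has stopped) and one of its root causes (a lost signal event), but not how model checking surfaces it. The following is an added example, not code from the paper or from the FIP model: a hypothetical two-component toy (names, states and transition tables are all constructed here) checked by explicit-state reachability. Under UML run-to-completion semantics an event with no enabled transition in the current state is simply discarded, which is exactly how a STOP signal can be lost; the check finds the shortest trace to the unsafe state for the buggy driver and proves the state unreachable once STOP is handled in every active state.

```python
"""Explicit-state reachability check for a constructed two-component motor model.

Hypothetical toy written for this page; it is NOT the FIP's actual UML state
machines. It illustrates how a model checker exposes a lost signal event that
leaves the driver running after the controller has stopped.
"""
from collections import deque

# Global state = (control_state, driver_state, driver_inbox); the inbox is a
# FIFO tuple of signal names still waiting to be delivered to the driver.
INIT = ("idle", "off", ())

# Constructed Motor Control machine: (state, env_event) -> (next_state, signal_sent).
CONTROL = {
    ("idle", "cmd_start"): ("active", "START"),
    ("active", "cmd_stop"): ("stopped", "STOP"),
}

# Constructed Motor Driver, buggy variant: no STOP handler while "starting",
# so a STOP arriving in that window is discarded (a lost signal event).
DRIVER_BUGGY = {
    ("off", "START"): "starting",
    ("starting", "tick"): "running",
    ("running", "STOP"): "off",
}

# Fixed variant: STOP is handled in every state the motor can be energised in.
DRIVER_FIXED = dict(DRIVER_BUGGY)
DRIVER_FIXED[("starting", "STOP")] = "off"


def successors(state, driver):
    """Enumerate every (label, next_state) reachable in one step."""
    c, d, inbox = state
    out = []
    # Environment commands reaching the controller; unhandled ones are no-ops.
    for event in ("cmd_start", "cmd_stop"):
        if (c, event) in CONTROL:
            c2, signal = CONTROL[(c, event)]
            out.append((event, (c2, d, inbox + (signal,))))
    # Timer tick advancing the driver's start-up sequence.
    if (d, "tick") in driver:
        out.append(("tick", (c, driver[(d, "tick")], inbox)))
    # Deliver the oldest pending signal; UML discards it if nothing handles it.
    if inbox:
        signal, rest = inbox[0], inbox[1:]
        if (d, signal) in driver:
            out.append((f"deliver {signal}", (c, driver[(d, signal)], rest)))
        else:
            out.append((f"LOST {signal}", (c, d, rest)))
    return out


def find_violation(driver, is_bad):
    """BFS over the product state space; return the shortest counterexample
    as a list of (label, state) pairs, or None if no bad state is reachable."""
    parent = {INIT: None}
    queue = deque([INIT])
    while queue:
        s = queue.popleft()
        if is_bad(s):
            trace = []
            while parent[s] is not None:
                label, prev = parent[s]
                trace.append((label, s))
                s = prev
            return list(reversed(trace))
        for label, nxt in successors(s, driver):
            if nxt not in parent:
                parent[nxt] = (label, s)
                queue.append(nxt)
    return None


def motor_runs_unsupervised(state):
    """Safety property: controller stopped, driver running, and no STOP in flight."""
    c, d, inbox = state
    return c == "stopped" and d == "running" and not inbox


if __name__ == "__main__":
    for name, driver in (("buggy", DRIVER_BUGGY), ("fixed", DRIVER_FIXED)):
        trace = find_violation(driver, motor_runs_unsupervised)
        print(f"{name}: {'VIOLATION' if trace else 'property holds'}")
        for label, s in trace or []:
            print(f"  {label:14s} -> {s}")
```

The property deliberately excludes states with a STOP still queued, since a transient "stopped but running" window while the signal is in flight is not the defect; the defect is the stable state in which nothing will ever stop the motor. Running the script prints a five-step trace for the buggy driver containing a `LOST STOP` step, and reports that the property holds for the fixed driver, which is the kind of exhaustive guarantee the abstract contrasts with testing.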
