An An Arch Archit itect ctura rally-I lly-Integra rated, Syst - - PowerPoint PPT Presentation

an an arch archit itect ctura rally i lly integra rated
SMART_READER_LITE
LIVE PREVIEW

An An Arch Archit itect ctura rally-I lly-Integra rated, Syst - - PowerPoint PPT Presentation

Oct 18, 2023 247 likes •484 views

An An Arch Archit itect ctura rally-I lly-Integra rated, Syst Systems-Ba ms-Base sed Haza zard rd An Analysis lysis for r Me Medica ical l Ap Applica licatio ions s http://cis.ksu.edu/~samprocter Sam Procter and John

slide-1
SLIDE 1

An An Arch Archit itect ctura rally-I lly-Integra rated, Syst Systems-Ba ms-Base sed Haza zard rd An Analysis lysis for r Me Medica ical l Ap Applica licatio ions s

Sam Procter and John Hatcliff SAnToS Lab Kansas State University

http://cis.ksu.edu/~samprocter

Support: This work is supported in part by the US National Science Foundation (NSF) (#1239543), the NSF US Food and Drug Administration Scholar- in-Residence Program (#1355778) and the National Institutes of Health / NIBIB Quantum Program.

slide-2
SLIDE 2

Healt lth Care re Invo volve lves s A A Va Varie riety y of Syst System m Comp mponents s

Information Systems Sensors Actuators Sensor Data Displays Clinical Protocols Clinicians Patient !

slide-3
SLIDE 3

Outlin line

n Motivation n Report

n Annotations n Generation

n Language n Impacts

slide-4
SLIDE 4

PC PCA A Interlo rlock ck Sce Scenario rio

n Patients are commonly given

patient-controlled analgesics after surgery

n Crucial to care, but numerous

issues related to safety

n Data for disabling the pump

exists now (just a system invariant) -- we just need to integrate it

slide-5
SLIDE 5

PC PCA A Pu Pump mp Sa Safety y Interlo rlock ck

Devices

Fully leverage device data streams and the ability to control devices

Enable Pump for safe time window

Device Task controller

Enable bolus dose only when ticket present

Combined PCA Vitals Monitoring

PCA Bolus “Enable” Ticket PCA Pump Capnograph Pulse Oximeter Monitoring Data + Alarm Information Monitoring Data + Alarm Information Aggregated Monitoring Status Status Display for PCA Monitoring Application Clinician / Monitoring

slide-6
SLIDE 6

Visio Vision

FDA Evaluators

Assurance Case

3rd Party Certifiers

Risk Assessment Hazard Analysis Requirements Clinical Use Case / Workflow Description 3rd Party ICE Conformance & Safety Certification Submission Package FDA 510K Submission Package App Deployment

Medical Application Platform

Analyses and Regulatory Artifacts

App Developer

slide-7
SLIDE 7

Language Language

Model

Device1 Device2 AADL System AADL Process: Logic AADL Process: Display Thread1 Channel Delay: 50ms Period: 50ms WCET: 5ms Output rate: 1 sec .. 5 sec Thread1 Thread2 Thread3 Thread2

slide-8
SLIDE 8

ST STPA PA

Fundamentals

n Fundamentals

n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure

Example

  • 1. An inadvertent “Pump Normally”

command is sent to the pump [PatientHarmed]

  • 2. Commands are sent to the pump too

quickly [PCADamage]

slide-9
SLIDE 9

ST STPA PA

Fundamentals

n Fundamentals

n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure

Example

  • 1. App -> Pump: Pump Normally
  • 2. PulseOx -> App1: SpO2 = 95
  • 3. App -> Display: Patient = Ok

1: Also referred to as “Feedback”

slide-10
SLIDE 10

ST STPA PA

Step 1: Identifying Potentially Hazardous Control Actions

Control Action Providing Not Providing Applied too Long Stopped too Soon Early Late

App -> Pump: Pump Normally PH Not Hazardous PH Not Hazardous PH Not Hazardous App -> Disp: Patient Ok BID BID BID BID BID BID PulseOx->App: Provide SpO2 Not Hazardous PH, BID Not Hazardous PH, BID Not Hazardous PH, BID PulseOx->App: Provide Pulse Rate Not Hazardous PH, BID Not Hazardous PH, BID Not Hazardous PH, BID

n Hazardous Control Actions

n Cross-product of control actions and STPA

guidewords

slide-11
SLIDE 11

ST STPA PA

Step 2: Determining How Unsafe Control Actions Could Occur

Control Action: App -> Pump: Pump Normally

n Providing:

n Bad Data:

n Cause:

n Incorrect values are gathered from one of the

physiological sensors

n Compensation:

n Rely on multiple sensed physiological parameters to

provide redundancy

n Not Providing:

n Not hazardous

slide-12
SLIDE 12

Haza zard rd An Analysis lysis

Annotating our Architectural Model

Feedback or control action is provided in an unsafe way How would the message be unsafe? What hazard would be caused? What constraint would be violated? What should the occurrence be named? What would cause this to occur? How can this occurrence be compensated for?

slide-13
SLIDE 13

Haza zard rd An Analysis lysis

Annotating our Architectural Model

How would the message be unsafe? What hazard would be caused? What constraint would be violated? What should the occurrence be named? What would cause this to occur? How can this occurrence be compensated for? We’ll come back to these two in a moment.

slide-14
SLIDE 14

Report rt Genera ratio ion Deve velo lopme ment

n Development of

component architecture using AADL / OSATE2

n Addition of Hazard

Analysis Annotations

n Automatic generation of

STPA-Styled Hazard Analysis Report

AADL Component Architecture with Hazard Annotations Automatic report generation

Example “In Progress” Report Online at: http://santoslab.org/pub/mdcf-architect/HazardAnalysis.html

slide-15
SLIDE 15

An Annotatin ing our r Arch Archit itect ctura ral l Mo Model l

Inside the AADL System Component

What specific fault will result? What channel will be affected? What can we do with our model + specific fault information?

slide-16
SLIDE 16

Haza zard rd An Analysis lysis

Annotating the Architectural Model

The fault is traced to its source component / port

slide-17
SLIDE 17

Haza zard rd An Analysis lysis

Specification Step 1: Propagation

Port the fault will propagate on Direction of the propagation Specific Fault

slide-18
SLIDE 18

Anything missing?

Haza zard rd An Analysis lysis

Annotating the Architectural Model

There are two missed error propagations!

slide-19
SLIDE 19

Haza zard rd An Analysis lysis

OSATE Remembers A Neglected Connection

slide-20
SLIDE 20

Haza zard rd An Analysis lysis

  • 1. Report indicates analysis

incomplete

  • 2. Developer creates
  • ccurrence property and

supporting EMV2 annotations

Interaction between Report and Model

  • 3. Tool highlights unconsidered

propagation paths

  • 4. Developer creates supporting
  • ccurrence property, considers

alternative impacts of hazard

Top Down Bottom Up

slide-21
SLIDE 21

Imp mpact cts s

n Automation

n Traditionally, analysts have to mine a system

and maintain it – without tool support

n Architectural integration

n Faults can be “bound” to specific components

and ports

n Future:

n Testing + Fault Injection

n If a compensation is claimed, we can auto-

generate a test

slide-22
SLIDE 22

An An Arch Archit itect ctura rally-I lly-Integra rated, Syst Systems-Ba ms-Base sed Haza zard rd An Analysis lysis for r Me Medica ical l Ap Applica licatio ions s

Sam Procter and John Hatcliff SAnToS Lab Kansas State University

http://cis.ksu.edu/~samprocter

Support: This work is supported in part by the US National Science Foundation (NSF) (#1239543), the NSF US Food and Drug Administration Scholar- in-Residence Program (#1355778) and the National Institutes of Health / NIBIB Quantum Program.