Applying STPA-based Hazard Analysis to support HBSE for Systems built using MAPs
Sam Procter, John Hatcliff, Kim Fowler SAnToS Lab
Kansas State University
ISPCE 2015 – Chicago, IL, USA
Support:
This work is supported in part by the US National Science Foundation (NSF) (#1239543), the NSF US Food and Drug Administration Scholar-in-Residence Program (#1355778) and the National Institutes of Health / NIBIB Quantum Program.
Anura Fernando Underwriters Laboratories
Sandy Weininger Food and Drug Admin.
Health Care Involves A Variety of System Components
Information Systems
Sensors
Actuators
Sensor Data Displays
Clinical Protocols Clinicians
Patient!
Motivation
n What are the types of things we could do with device integration? n Information forwarding n Automation of clinical workflows n Closed loop control between devices
n Unlike personal computing, medical devices are not designed to work together
n Integrating medical devices would bring myriad benefits
n … how can we do so safely?
Outline
n Background n PCA Interlock Scenario n Medical Application Platforms n AADL
n Vision n Language n Tool n Hazard Analysis n Future
Status Quo: MDDS
Devices Data Consumers
Display Gadgets
Medical Device Data Systems – Data only flows from producers to consumers; data must be faithfully re-presented
EMR Databases
PCA Interlock Scenario n Patients are commonly given
patient-controlled analgesics after surgery
n Crucial to care, but numerous issues related to safety
n Data for disabling the pump exists now (just a system invariant) -- we just need to integrate it
Clinically Supported Motivating Clinical Problem: PCA Overdose
n “A particularly attractive feature may be the ability to automatically terminate or reduce PCA (or PCEA) infusions when monitoring technology suggests the presence of opioid-induced respiratory depression. To facilitate such capabilities, we strongly endorse the efforts to develop international standards for device interoperability and device-device communication.
n It is critical that any monitoring system be linked to a reliable process to summon a competent health care professional to the patient's bedside in a timely manner. “
PCA Pump Safety Interlock
Devices
Fully leverage device data streams and the ability to control devices
Enable Pump for safe time window
Device Task
controller
Enable bolus dose only when ticket present
Combined PCA Vitals Monitoring
PCA Bolus “Enable” Ticket
PCA Pump
Capnograph
Pulse Oximeter
Monitoring Data + Alarm Information
Monitoring Data + Alarm Information
Aggregated Monitoring Status
Status Display for PCA Monitoring
Application
Clinician / Monitoring
Medical Application Platforms
n A Medical Application Platform is a safety- and security- critical real-time computing platform for… n Integrating heterogeneous devices, medical IT systems, and
information displays via communications infrastructure, and n Hosting applications (“apps”) that provide medical utility via the
ability to acquire information from and update/control integrated devices, IT systems, and displays
Bus EMR
Databases
Devices Displays Clinician Console
Computational Platform
Apps
Background PCA Pump Interlock Architecture
Patient
Pulse Oximeter, Capnograph, and Patient Controlled Analgesia Pump RR
Clin
icia
n (A
pp A
dmin
istr
ator
)
Medical Application Platform
App
SUI App Display
View Display
Configuration, Alarm Clear
View Display
Attach Sensors
ETCO2 PCA
Start / Stop Commands
PR
Sensor + Alarm Data
SPO2
Data for Display
Data should arrive once per second
Background Architecture Analysis and Description Language (AADL)
n SAE Standard, used in e.g., Avionics n Enables model-driven, component-based
development of n Software n Hardware n And the bindings between the two
n Previously applied to a single medical device, what about a system of multiple medical devices?
n How well can it work on a managed platform? n Can we do anything beyond describing an app’s
architecture with it?
Outline
n Background n Vision
n Analyses n Code generation
n Language n Tool n STPA n Hazard Analysis n Future
Vision
FDA Evaluators
Assurance Case
3rd Party Certifiers
Risk Assessment
Hazard Analysis
Requirements
Clinical Use Case / Workflow Description
3rd Party ICE Conformance
& Safety Certification Submission Package
FDA 510K Submission Package
App Deployment
Medical Device Coordination Framework
Analyses and Regulatory Artifacts
App Developer
Vision Code Generation
A. The app’s architecture is specified in AADL
1. Components as AADL Devices / Processes
2. Connections are specified
3. RT/QoS Parameters are via AADL’s property-specification mechanism
B. The app is programmatically translated to Java and XML
C. The app is launched on a compatible MAP
Instantiates as…
C
Outline
n Background n Vision n Language
n Why MDD? n Why (a subset of) AADL? n Constructs
n Tool n Hazard Analysis n Future
PCA Interlock
App
MAP Characteristics MAP constituted device instances are variable – the constituents that form the MAP constituted device may different on different invocations of the device.
Bus
MAPs-R-Us Platform
NellCore Pulse Ox
AnyPCA PCA Pump
Bus
ACME Platform
Masimo Pulse Ox
PCA+ PCA Pump
PCA Interlock
App
n Same app, and thus same conceptual “system”
n Just one architecture and development framework
n But, different component instances.
PCA Interlock
App
MAP Characteristics MAP constituted device instances are variable – the constituents that form the MAP constituted device may different on different invocations of the device.
Bus
MAPs-R-Us Platform
NellCore Pulse Ox
AnyPCA PCA Pump
Bus
ACME Platform
Masimo Pulse Ox
PCA+ PCA Pump
PCA Interlock
App
n Same app, and thus same conceptual “system”
n Just one architecture and development framework
n But, different component instances.
Language Why use AADL?
n History of successful safety-critical projects n Avionics / Boeing (SAVI): “integrate-then-build”
approach n Previously found that MAPs lend themselves
to pub-sub n Device as publisher, apps as subscriber n Natural to model with AADL’s port connections
n Annexes support a number of regulatory and verification artifacts n Hazard Analysis (EMV2), Interface contracts
(BLESS), etc.
Language Why subset AADL?
n AADL is targeted at co-design, ie: complete systems n MAPs are managed platforms
n Semantic mismatches n Processes
n Insufficiency of pre-declared properties n Unrealizable communication patterns
n No shared-memory access in pub/sub middleware
Language Model
Dev
ice1
D
evic
e2
AADL System
AADL Process: Logic AADL Process: Display
Thread1
Channel Delay: 50ms Period: 50ms
WCET: 5ms
Output rate: 1 sec .. 5 sec
Thread1
Thread2
Thread3
Thread2
Language System
Communication links between components
… and properties of those links!
Medical Devices
Software Components
Language System
Software Components
Communication links between Components
… and properties of those links!
Medical Devices
Language Device Interface Specification
Device API Only -- Presents the app’s view of
the required device capabilities, not the full device capabilities
Ports
Properties of those ports
Language Device Interface Specification
Ports
Device API Only -- Presents the app’s view of
the required device capabilities, not the full device capabilities
Properties on those ports
Language Process Specification
External ports
Tasks (Threads)
Connections between external ports and
threads
Language Process Specification
External ports
Tasks (Threads)
Connections between external ports and
threads
Language Thread Specification
External ports
Properties
Language Thread Specification
External ports
Properties
Any necessary architectural annotations can be created!
Component Development
n Development of component architecture using AADL / OSATE2
n Automatic generation of component architecture (skeletons)
n Automatic generation of component layout and app topology (configuration)
n Development of core behavioral code (business logic) using IDE of choice
n Translator can be retargeted to other languages as desired
AADL Component Architecture
Behavioral code written by component developer
Component “skeleton” generation
Automatic code generation
Language Subset AADL Constructs Used
AADL Construct MAP Concept
Components
System Layout
Device Medical Device API for App
Process Software Component
Thread Task
Connections
System-level port connection Channel
Process implementation-level port connection
Task-Port Communication
Display.compsig.xml (QoS/RT) Logic.compsig.xml (QoS/RT)
Language Translation Target
Dev
2.ja
va
LogicSuperType.java
Logic.java
DisplaySuperType.java
Display.java
Task1
Task2
Task3 Task2
Task1
System.cfg.xml
Dev
1.ja
va
Outline
n Background n Vision n Language n Tool
n OSATE2 n Availability
n Hazard Analysis n Future
Tool OSATE2
n Open-source, Eclipse-based tool n Our work is available as a plugin
n Uses the model-traversal built into OSATE2
Tool OSATE2
Tool OSATE2
Outline
n Background n Vision n Language n Tool n Hazard Analysis
n History n Fundamentals n Control Actions
n Future
Hazard Analysis
FDA Evaluators
Assurance Case
3rd Party Certifiers
Risk Assessment
Hazard Analysis
Requirements
Clinical Use Case / Workflow Description
3rd Party ICE Conformance
& Safety Certification Submission Package
FDA 510K Submission Package
App Deployment
MDCF
Leveraging Semiformal Architectural Descriptions
App Developer
Hazard Analysis History: FTA
n FTA: Bell Labs, 1962 n Looks for contributory causes to undesired
events Too Large of Dose Allowed
G1
Bad Physiological
Data Received
Undetected Error
G2
Incorrect Physiological
Reading
Message Garbled by Network
Software Encoding or
Decoding Error
G3
Physiological Data within Max
Range
Internal Diagnostics Fail
Hazard Analysis History: FMEA
n FMEA: US Military, 1949 n Analyses impacts of individual components
Function Failure Mode
Fail Rate
Causal Factors
Effect System Effect
Detected by
Current Control
Hazard Risk Rec. Action
Provide SpO2
Fails to Provide
N/A Network or dev. Failure
No SpO2 data
Unknown patient state
App Potential OD
3D Default to KVO
Provides late
N/A Network slowness
No SpO2 data
Unknown patient state
App
Potential OD
3C Default to KVO
Provides wrong
N/A Device error
SpO2 wrong
Wrong patient state
None Potential OD
1E Dev. should report data quality
Analyst: Sam Procter Date: September 26, 2014 Page 3/14
System: PCA Interlock Scenario Subsystem: Pulse Oximeter Device Mode/Phase: Execution
Hazard Analysis History: STPA
n STPA: Nancy Leveson / MIT, 2005(ish)
n Applies systems theory, focuses on control… n Loops n Actions
Sensor Actuator
Controller
Controlled Process
Control Actions
STPA in AADL
Sensor: Pulse Oximeter Actuator: PCA Pump
Controller: App Logic
Controlled Process: Patient
Feedback Message: PulseOx –> App
Control Action: App –> PCA Pump
Sensor: Pulse Oximeter
Inadequate Operation: SpO2 value incorrect
Controller: App Logic
Process Model Incorrect: Wrongly believes patient to be healthy
Control Action: App –> PCA Pump
Inappropriate Control Action: Inadvertent “Pump Normally” command
Actuator: PCA Pump
Inadequate Operation: Pumps Normally
Controlled Process: Patient
Feedback: PulseOx –> App
Inadequate Feedback: Sends bad SpO2
The Annotated Control Loop
STPA: Fundamentals STPA: Background & Fundamentals
n Fundamentals n Accident Levels n Accidents n System
Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Hazard Analysis STPA: Fundamentals
n Fundamentals n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Example
1. A human is killed or seriously injured.
2. A medical device’s services are unavailable
Tie into ISO 14971’s notions of criticality?
Hazard Analysis STPA: Fundamentals
n Fundamentals n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Example
1. The patient is killed or seriously injured [DeathOrInjury]
2. The PCA pump stops responding to commands [DenialOfService]
Hazard Analysis STPA: Fundamentals
n Fundamentals n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Example
Process Boundary Patient
App PCA Pump
Pulse Oxi-
meter
Capno-graphy Device
Display
App Boundary
Clinician
System Boundary
Hazard Analysis STPA: Fundamentals
n Fundamentals n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Example
1. An inadvertent “Pump Normally” command is sent to the pump [PatientHarmed]
2. Commands are sent to the pump too quickly [PCADoS]
Regulators: Supports strong traceability both in code and in
(hypertext) reports
Benefits:
Hazard Analysis STPA: Fundamentals
n Fundamentals n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Example
1. The app must only instruct the pump to run at a normal rate when the patient can tolerate more analgesic [InadvertentPumpNormally]
2. The app must wait for a designated length of time between sending pump commands [TooManyCommands]
STPA in AADL Fundamentals
n Fundamentals n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Example
• App -> Pump: Pump Normally
Sensor Actuator
Controller
Process
Developers: Hazard Analysis artifacts are automatically in-sync
with system architecture
Benefits:
Hazard Analysis STPA: Fundamentals
n Fundamentals n Accident Levels n Accidents n System Boundaries n Hazards n Safety Constraints n Control Actions n Control Structure
Example
Display
Patient
PCA Pump
Pulse Oximeter
Capnography Device
Clinician
★ Physiological D
ata D
evice Ok
Device Error
Pump Normal Pump KVO
★ Physiological D
ata Pum
p Norm
al Pum
p KVO
Device O
k D
evice Error
★Physiological Status
★ P
rovi
de R
x Au
thor
ize
Ove
rrid
e
Verify Rx
Requ
est
Mor
e
Pump Status
App
★ View Patient Status View Device Status
Hazard Analysis STPA: Identifying Hazardous Control Actions
Control Action
Providing Not Providing
Applied too Long
Stopped too Soon
Early Late
App -> Pump: Pump Normally
PH Not Hazardous
PH Not Hazardous
PH Not Hazardous
App -> Disp: Patient Ok
BID BID BID BID BID BID
PulseOx->App: Provide SpO2
Not Hazardous
PH, BID Not Hazardous
PH, BID Not Hazardous
PH, BID
PulseOx->App: Provide Pulse Rate
Not Hazardous
PH, BID Not Hazardous
PH, BID Not Hazardous
PH, BID
n Hazardous Control Action Table n Cross-product of control actions and STPA
guidewords
PH = Patient Harmed BID = Bad Info Displayed
Hazard Analysis STPA: Hazardous Causes and Compensations
Control Action: App -> Pump: Pump Normally
n Providing: n Bad Data:
n Cause: n Incorrect values are gathered from one of the
physiological sensors
n Compensation: n Rely on multiple sensed physiological parameters to
provide redundancy
n Not Providing: n Not hazardous
Hazard Analysis STPA: Hazardous Causes and Compensations
Control Action: App -> Pump: Pump Normally
n Wrong Timing or Order: n Not applicable
n Too Long n Network Drop
n Cause: n Network drops out, leaving the pump running normally
regardless of the patient’s health
n Compensation: n Commands to pump normally have an associated
maximum time, after which the pump returns to KVO
STPA in AADL Where should we start?
Sensor: Pulse Oximeter Actuator: PCA Pump
Controller: App Logic
Controlled Process: Patient
Feedback Message: PulseOx –> App
Control Action: App –> PCA Pump A control action is provided
in an unsafe way How would the control action be unsafe?
What constraint would be violated?
What should the occurrence be named?
What would cause this to occur?
How can this occurrence be compensated for?
Hazard Analysis Annotating our Architectural Model
How would the control action be unsafe?
What constraint would be violated?
What should the occurrence be named?
What would cause this to occur?
How can this occurrence be compensated for?
We’ll come back to this one in a moment
Report Generation Development
n Development of component architecture using AADL / OSATE2
n Addition of Hazard Analysis Annotations
n Automatic generation of STPA-Styled Hazard Analysis Report
AADL Component Architecture with Hazard Annotations
Automatic report
generation
Example “In Progress” Report Online at: http://santoslab.org/pub/mdcf-architect/HazardAnalysis.html
STPA’s Causality Guidewords Annotated Control Loop
Nancy Leveson. Figure 4.8, Page 93, Engineering A Safer World. MIT Press, 2011
Managers: Constrains developers so style and architectural
assumptions are consistent
Developers: Guides analysis so “starting from scratch” isn’t
necessary
Benefits:
AADL EM Fault Types
Error Library Type STPA Error Type App Error Type
Errors with Physiological Monitors
LateDelivery DelayedOperation SpO2ValueLate
IncorrectValue IncorrectInformation SpO2ValueLow
N/A NoInformation NoSpO2Data
Errors with App Logic
ServiceCommission InnapropriateCtrlAction InadvertentPumpNormally
ServiceOmission MissingCtrlAction InadvertentPumpMinimally
Type Hierarchy
AADL Standard Error Types STPA Guidewords App Specific Error Types
AADL EM Fault Types App Specific Error Library
Application independent: Sourced from STPA
Application specific: Defined by app risk
management process
Sensor: Pulse Oximeter Actuator: PCA Pump
Controller: App Logic
Controlled Process: Patient
Feedback Message: PulseOx –> App
Control Action: App –> PCA Pump
STPA in AADL Using our fault type
Inadvertent Pump Normally
Integrated Hazard Analysis Using our fault type
What specific fault will result?
What can we do with our model + specific fault information?
Sensor: Pulse Oximeter Actuator: PCA Pump
Controller: App Logic
Controlled Process: Patient
Feedback Message: PulseOx –> App
Control Action: App –> PCA Pump
STPA in AADL Where would the bad control action come from?
Controller: App Logic
Process Model Incorrect: Wrongly believes patient to be healthy
Propagates error out
Integrated Hazard Analysis Specification Step 1: Out Propagation
Outgoing Port Outgoing Fault
App Logic SpO2 PumpCmd
Sensor: Pulse Oximeter Actuator: PCA Pump
Controller: App Logic
Controlled Process: Patient
Feedback Message: PulseOx –> App
Control Action: App –> PCA Pump
STPA in AADL Where would the bad control action come from?
Controller: App Logic
Process Model Incorrect: Wrongly believes patient to be healthy
Bad information in
Integrated Hazard Analysis Specification Step 2: In Propagation
Incoming Port
Incoming Fault
App Logic SpO2 PumpCmd
Integrated Hazard Analysis Specification Step 3: Relation between incoming and outgoing
Name of flow
Type of flow
Specific Ports
Specific faults
App Logic PumpCmd SpO2
Sensor: Pulse Oximeter Actuator: PCA Pump
Controller: App Logic
Controlled Process: Patient
Feedback Message: PulseOx –> App
Control Action: App –> PCA Pump
STPA in AADL Where should we go now?
Controller: App Logic
Process Model Incorrect: Wrongly believes patient to be healthy
Option 1: Look for the source
Option 2: Look for the impact
Pulse Oximeter PCA Pump
App Logic
Patient
STPA in AADL Where should we go now?
Display
Clinician
Option 3: Look for other sources / impacts
Integrated Hazard Analysis OSATE Remembers A Neglected Connection
Pulse Oximeter
App Logic Display
Tool Supported Process
1. Here’s an empty cell (STPA Keyword + Control Action)… could anything go wrong?
2. Create occurrence and supporting EM annotations
Interaction between Report and Model
3. Where else could this fault go?
4. What else could cause this error?
Effect –> Cause Ca
use
–> E
ffect
Impacts
n Automation n Traditionally, analysts have to mine a system
and maintain it – without tool support
n Architectural integration n Faults can be “bound” to specific components
and ports
n Future: n Testing + Fault Injection
n If a compensation is claimed, we can auto-generate a test
Outline
n Background n Vision n Language n Tool n STPA n Future
n Next Steps n Tool Extensions
Next Steps
FDA Evaluators
Assurance Case
3rd Party Certifiers
Risk Assessment
Hazard Analysis
Requirements
Clinical Use Case / Workflow Description
3rd Party ICE Conformance
& Safety Certification Submission Package
FDA 510K Submission Package
App Deployment
MDCF
Compositional Reasoning and Assurance Cases
App Developer
Future Tool extensions
n Abstraction Depth n Model methods / functions
n Data Types n CORBA IDL
n MAP Device Drivers n Logging Annotations
Further Reading
n Source available online at https://github.com/santoslab/aadl-translator
n Installable into OSATE2 via update site: http://santoslab.org/pub/mdcf-architect/updatesite
n Full documentation online at http://santoslab.org/pub/mdcf-architect
n Publications online at http://people.cis.ksu.edu/~samprocter
Applying STPA-based Hazard Analysis to support HBSE for Systems built using MAPs
Sam Procter, John Hatcliff, Kim Fowler SAnToS Lab
Kansas State University
ISPCE 2015 – Chicago, IL, USA
Support:
This work is supported in part by the US National Science Foundation (NSF) (#1239543), the NSF US Food and Drug Administration Scholar-in-Residence Program (#1355778) and the National Institutes of Health / NIBIB Quantum Program.
Anura Fernando Underwriters Laboratories
Sandy Weininger Food and Drug Admin.