Applying STPA-based Hazard Analysis to support HBSE for Systems built using MAPs

Sam Procter, John Hatcliff, Kim Fowler SAnToS Lab

Kansas State University

ISPCE 2015 – Chicago, IL, USA

Support:

This work is supported in part by the US National Science Foundation (NSF) (#1239543), the NSF US Food and Drug Administration Scholar-in-Residence Program (#1355778) and the National Institutes of Health / NIBIB Quantum Program.

Anura Fernando Underwriters Laboratories

Sandy Weininger Food and Drug Admin.

Health Care Involves A Variety of System Components

Information Systems

Sensors

Actuators

Sensor Data Displays

Clinical Protocols Clinicians

Patient!

Motivation

n  What are the types of things we could do with device integration? n  Information forwarding n  Automation of clinical workflows n  Closed loop control between devices

n  Unlike personal computing, medical devices are not designed to work together

n  Integrating medical devices would bring myriad benefits

n  … how can we do so safely?

Outline

n  Background n  PCA Interlock Scenario n  Medical Application Platforms n  AADL

n  Vision n  Language n  Tool n  Hazard Analysis n  Future

Status Quo: MDDS

Devices Data Consumers

Display Gadgets

Medical Device Data Systems – Data only flows from producers to consumers; data must be faithfully re-presented

EMR Databases

PCA Interlock Scenario n  Patients are commonly given

patient-controlled analgesics after surgery

n  Crucial to care, but numerous issues related to safety

n  Data for disabling the pump exists now (just a system invariant) -- we just need to integrate it

Clinically Supported Motivating Clinical Problem: PCA Overdose

n  “A particularly attractive feature may be the ability to automatically terminate or reduce PCA (or PCEA) infusions when monitoring technology suggests the presence of opioid-induced respiratory depression. To facilitate such capabilities, we strongly endorse the efforts to develop international standards for device interoperability and device-device communication.

n  It is critical that any monitoring system be linked to a reliable process to summon a competent health care professional to the patient's bedside in a timely manner.  “  

PCA Pump Safety Interlock

Devices

Fully leverage device data streams and the ability to control devices

Enable Pump for safe time window

Device Task

controller

Enable bolus dose only when ticket present

Combined PCA Vitals Monitoring

PCA Bolus “Enable” Ticket

PCA Pump

Capnograph

Pulse Oximeter

Monitoring Data + Alarm Information

Monitoring Data + Alarm Information

Aggregated Monitoring Status

Status Display for PCA Monitoring

Application

Clinician / Monitoring

Medical Application Platforms

n  A Medical Application Platform is a safety- and security- critical real-time computing platform for… n  Integrating heterogeneous devices, medical IT systems, and

information displays via communications infrastructure, and n  Hosting applications (“apps”) that provide medical utility via the

ability to acquire information from and update/control integrated devices, IT systems, and displays

Bus EMR

Databases

Devices Displays Clinician Console

Computational Platform

Apps

Background PCA Pump Interlock Architecture

Patient

Pulse Oximeter, Capnograph, and Patient Controlled Analgesia Pump RR

Clin

icia

n (A

pp A

dmin

istr

ator

)

Medical Application Platform

App

SUI App Display

View Display

Configuration, Alarm Clear

View Display

Attach Sensors

ETCO2 PCA

Start / Stop Commands

PR

Sensor + Alarm Data

SPO2

Data for Display

Data should arrive once per second

Background Architecture Analysis and Description Language (AADL)

n  SAE Standard, used in e.g., Avionics n  Enables model-driven, component-based

development of n  Software n  Hardware n  And the bindings between the two

n  Previously applied to a single medical device, what about a system of multiple medical devices?

n  How well can it work on a managed platform? n  Can we do anything beyond describing an app’s

architecture with it?

Outline

n  Background n  Vision

n  Analyses n  Code generation

n  Language n  Tool n  STPA n  Hazard Analysis n  Future

Vision

FDA Evaluators

Assurance Case

3rd Party Certifiers

Risk Assessment

Hazard Analysis

Requirements

Clinical Use Case / Workflow Description

3rd Party ICE Conformance

& Safety Certification Submission Package

FDA 510K Submission Package

App Deployment

Medical Device Coordination Framework

Analyses and Regulatory Artifacts

App Developer

Vision Code Generation

A.  The app’s architecture is specified in AADL

1.  Components as AADL Devices / Processes

2.  Connections are specified

3.  RT/QoS Parameters are via AADL’s property-specification mechanism

B.  The app is programmatically translated to Java and XML

C.  The app is launched on a compatible MAP

Instantiates as…

C

Outline

n  Background n  Vision n  Language

n  Why MDD? n  Why (a subset of) AADL? n  Constructs

n  Tool n  Hazard Analysis n  Future

PCA Interlock

App

MAP Characteristics MAP constituted device instances are variable – the constituents that form the MAP constituted device may different on different invocations of the device.

Bus

MAPs-R-Us Platform

NellCore Pulse Ox

AnyPCA PCA Pump

Bus

ACME Platform

Masimo Pulse Ox

PCA+ PCA Pump

PCA Interlock

App

n  Same app, and thus same conceptual “system”

n  Just one architecture and development framework

n  But, different component instances.

PCA Interlock

App

MAP Characteristics MAP constituted device instances are variable – the constituents that form the MAP constituted device may different on different invocations of the device.

Bus

MAPs-R-Us Platform

NellCore Pulse Ox

AnyPCA PCA Pump

Bus

ACME Platform

Masimo Pulse Ox

PCA+ PCA Pump

PCA Interlock

App

n  Same app, and thus same conceptual “system”

n  Just one architecture and development framework

n  But, different component instances.

Language Why use AADL?

n  History of successful safety-critical projects n  Avionics / Boeing (SAVI): “integrate-then-build”

approach n  Previously found that MAPs lend themselves

to pub-sub n  Device as publisher, apps as subscriber n  Natural to model with AADL’s port connections

n  Annexes support a number of regulatory and verification artifacts n  Hazard Analysis (EMV2), Interface contracts

(BLESS), etc.

Language Why subset AADL?

n  AADL is targeted at co-design, ie: complete systems n  MAPs are managed platforms

n  Semantic mismatches n  Processes

n  Insufficiency of pre-declared properties n  Unrealizable communication patterns

n  No shared-memory access in pub/sub middleware

Language Model

Dev

ice1

D

evic

e2

AADL System

AADL Process: Logic AADL Process: Display

Thread1

Channel Delay: 50ms Period: 50ms

WCET: 5ms

Output rate: 1 sec .. 5 sec

Thread1

Thread2

Thread3

Thread2

Language System

Communication links between components

… and properties of those links!

Medical Devices

Software Components

Language System

Software Components

Communication links between Components

… and properties of those links!

Medical Devices

Language Device Interface Specification

Device API Only -- Presents the app’s view of

the required device capabilities, not the full device capabilities

Ports

Properties of those ports

Language Device Interface Specification

Ports

Device API Only -- Presents the app’s view of

the required device capabilities, not the full device capabilities

Properties on those ports

Language Process Specification

External ports

Tasks (Threads)

Connections between external ports and

threads

Language Process Specification

External ports

Tasks (Threads)

Connections between external ports and

threads

Language Thread Specification

External ports

Properties

Language Thread Specification

External ports

Properties

Any necessary architectural annotations can be created!

Component Development

n  Development of component architecture using AADL / OSATE2

n  Automatic generation of component architecture (skeletons)

n  Automatic generation of component layout and app topology (configuration)

n  Development of core behavioral code (business logic) using IDE of choice

n  Translator can be retargeted to other languages as desired

AADL Component Architecture

Behavioral code written by component developer

Component “skeleton” generation

Automatic code generation

Language Subset AADL Constructs Used

AADL Construct MAP Concept

Components

System Layout

Device Medical Device API for App

Process Software Component

Thread Task

Connections

System-level port connection Channel

Process implementation-level port connection

Task-Port Communication

Display.compsig.xml (QoS/RT) Logic.compsig.xml (QoS/RT)

Language Translation Target

Dev

2.ja

va

LogicSuperType.java

Logic.java

DisplaySuperType.java

Display.java

Task1

Task2

Task3 Task2

Task1

System.cfg.xml

Dev

1.ja

va

Outline

n  Background n  Vision n  Language n  Tool

n  OSATE2 n  Availability

n  Hazard Analysis n  Future

Tool OSATE2

n  Open-source, Eclipse-based tool n  Our work is available as a plugin

n  Uses the model-traversal built into OSATE2

Tool OSATE2

Tool OSATE2

Outline

n  Background n  Vision n  Language n  Tool n  Hazard Analysis

n  History n  Fundamentals n  Control Actions

n  Future

Hazard Analysis

FDA Evaluators

Assurance Case

3rd Party Certifiers

Risk Assessment

Hazard Analysis

Requirements

Clinical Use Case / Workflow Description

3rd Party ICE Conformance

& Safety Certification Submission Package

FDA 510K Submission Package

App Deployment

MDCF

Leveraging Semiformal Architectural Descriptions

App Developer

Hazard Analysis History: FTA

n  FTA: Bell Labs, 1962 n  Looks for contributory causes to undesired

events Too Large of Dose Allowed

G1

Bad Physiological

Data Received

Undetected Error

G2

Incorrect Physiological

Reading

Message Garbled by Network

Software Encoding or

Decoding Error

G3

Physiological Data within Max

Range

Internal Diagnostics Fail

Hazard Analysis History: FMEA

n  FMEA: US Military, 1949 n  Analyses impacts of individual components

Function Failure Mode

Fail Rate

Causal Factors

Effect System Effect

Detected by

Current Control

Hazard Risk Rec. Action

Provide SpO2

Fails to Provide

N/A Network or dev. Failure

No SpO2 data

Unknown patient state

App Potential OD

3D Default to KVO

Provides late

N/A Network slowness

No SpO2 data

Unknown patient state

App

Potential OD

3C Default to KVO

Provides wrong

N/A Device error

SpO2 wrong

Wrong patient state

None Potential OD

1E Dev. should report data quality

Analyst: Sam Procter Date: September 26, 2014 Page 3/14

System: PCA Interlock Scenario Subsystem: Pulse Oximeter Device Mode/Phase: Execution

Hazard Analysis History: STPA

n  STPA: Nancy Leveson / MIT, 2005(ish)

n  Applies systems theory, focuses on control… n  Loops n  Actions

Sensor Actuator

Controller

Controlled Process

Control Actions

STPA in AADL

Sensor: Pulse Oximeter Actuator: PCA Pump

Controller: App Logic

Controlled Process: Patient

Feedback Message: PulseOx –> App

Control Action: App –> PCA Pump

Sensor: Pulse Oximeter

Inadequate Operation: SpO2 value incorrect

Controller: App Logic

Process Model Incorrect: Wrongly believes patient to be healthy

Control Action: App –> PCA Pump

Inappropriate Control Action: Inadvertent “Pump Normally” command

Actuator: PCA Pump

Inadequate Operation: Pumps Normally

Controlled Process: Patient

Feedback: PulseOx –> App

Inadequate Feedback: Sends bad SpO2

The Annotated Control Loop

STPA: Fundamentals STPA: Background & Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System

Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Hazard Analysis STPA: Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Example

1.  A human is killed or seriously injured.

2.  A medical device’s services are unavailable

Tie into ISO 14971’s notions of criticality?

Hazard Analysis STPA: Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Example

1.  The patient is killed or seriously injured [DeathOrInjury]

2.  The PCA pump stops responding to commands [DenialOfService]

Hazard Analysis STPA: Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Example

Process Boundary Patient

App PCA Pump

Pulse Oxi-

meter

Capno-graphy Device

Display

App Boundary

Clinician

System Boundary

Hazard Analysis STPA: Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Example

1.  An inadvertent “Pump Normally” command is sent to the pump [PatientHarmed]

2.  Commands are sent to the pump too quickly [PCADoS]

Regulators: Supports strong traceability both in code and in

(hypertext) reports

Benefits:

Hazard Analysis STPA: Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Example

1.  The app must only instruct the pump to run at a normal rate when the patient can tolerate more analgesic [InadvertentPumpNormally]

2.  The app must wait for a designated length of time between sending pump commands [TooManyCommands]

STPA in AADL Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Example

•  App -> Pump: Pump Normally

Sensor Actuator

Controller

Process

Developers: Hazard Analysis artifacts are automatically in-sync

with system architecture

Benefits:

Hazard Analysis STPA: Fundamentals

n  Fundamentals n  Accident Levels n  Accidents n  System Boundaries n  Hazards n  Safety Constraints n  Control Actions n  Control Structure

Example

Display

Patient

PCA Pump

Pulse Oximeter

Capnography Device

Clinician

★ Physiological D

ata D

evice Ok

Device Error

Pump Normal Pump KVO

★ Physiological D

ata Pum

p Norm

al Pum

p KVO

Device O

k D

evice Error

★Physiological Status

★ P

rovi

de R

x Au

thor

ize

Ove

rrid

e

Verify Rx

Requ

est

Mor

e

Pump Status

App

★ View Patient Status View Device Status

Hazard Analysis STPA: Identifying Hazardous Control Actions

Control Action

Providing Not Providing

Applied too Long

Stopped too Soon

Early Late

App -> Pump: Pump Normally

PH Not Hazardous

PH Not Hazardous

PH Not Hazardous

App -> Disp: Patient Ok

BID BID BID BID BID BID

PulseOx->App: Provide SpO2

Not Hazardous

PH, BID Not Hazardous

PH, BID Not Hazardous

PH, BID

PulseOx->App: Provide Pulse Rate

Not Hazardous

PH, BID Not Hazardous

PH, BID Not Hazardous

PH, BID

n  Hazardous Control Action Table n  Cross-product of control actions and STPA

guidewords

PH = Patient Harmed BID = Bad Info Displayed

Hazard Analysis STPA: Hazardous Causes and Compensations

Control Action: App -> Pump: Pump Normally

n  Providing: n  Bad Data:

n  Cause: n  Incorrect values are gathered from one of the

physiological sensors

n  Compensation: n  Rely on multiple sensed physiological parameters to

provide redundancy

n  Not Providing: n  Not hazardous

Hazard Analysis STPA: Hazardous Causes and Compensations

Control Action: App -> Pump: Pump Normally

n  Wrong Timing or Order: n  Not applicable

n  Too Long n  Network Drop

n  Cause: n  Network drops out, leaving the pump running normally

regardless of the patient’s health

n  Compensation: n  Commands to pump normally have an associated

maximum time, after which the pump returns to KVO

STPA in AADL Where should we start?

Sensor: Pulse Oximeter Actuator: PCA Pump

Controller: App Logic

Controlled Process: Patient

Feedback Message: PulseOx –> App

Control Action: App –> PCA Pump A control action is provided

in an unsafe way How would the control action be unsafe?

What constraint would be violated?

What should the occurrence be named?

What would cause this to occur?

How can this occurrence be compensated for?

Hazard Analysis Annotating our Architectural Model

How would the control action be unsafe?

What constraint would be violated?

What should the occurrence be named?

What would cause this to occur?

How can this occurrence be compensated for?

We’ll come back to this one in a moment

Report Generation Development

n  Development of component architecture using AADL / OSATE2

n  Addition of Hazard Analysis Annotations

n  Automatic generation of STPA-Styled Hazard Analysis Report

AADL Component Architecture with Hazard Annotations

Automatic report

generation

Example “In Progress” Report Online at: http://santoslab.org/pub/mdcf-architect/HazardAnalysis.html

STPA’s Causality Guidewords Annotated Control Loop

Nancy Leveson. Figure 4.8, Page 93, Engineering A Safer World. MIT Press, 2011

Managers: Constrains developers so style and architectural

assumptions are consistent

Developers: Guides analysis so “starting from scratch” isn’t

necessary

Benefits:

AADL EM Fault Types

Error Library Type STPA Error Type App Error Type

Errors with Physiological Monitors

LateDelivery DelayedOperation SpO2ValueLate

IncorrectValue IncorrectInformation SpO2ValueLow

N/A NoInformation NoSpO2Data

Errors with App Logic

ServiceCommission InnapropriateCtrlAction InadvertentPumpNormally

ServiceOmission MissingCtrlAction InadvertentPumpMinimally

Type Hierarchy

AADL Standard Error Types STPA Guidewords App Specific Error Types

AADL EM Fault Types App Specific Error Library

Application independent: Sourced from STPA

Application specific: Defined by app risk

management process

Sensor: Pulse Oximeter Actuator: PCA Pump

Controller: App Logic

Controlled Process: Patient

Feedback Message: PulseOx –> App

Control Action: App –> PCA Pump

STPA in AADL Using our fault type

Inadvertent Pump Normally

Integrated Hazard Analysis Using our fault type

What specific fault will result?

What can we do with our model + specific fault information?

Sensor: Pulse Oximeter Actuator: PCA Pump

Controller: App Logic

Controlled Process: Patient

Feedback Message: PulseOx –> App

Control Action: App –> PCA Pump

STPA in AADL Where would the bad control action come from?

Controller: App Logic

Process Model Incorrect: Wrongly believes patient to be healthy

Propagates error out

Integrated Hazard Analysis Specification Step 1: Out Propagation

Outgoing Port Outgoing Fault

App Logic SpO2 PumpCmd

Sensor: Pulse Oximeter Actuator: PCA Pump

Controller: App Logic

Controlled Process: Patient

Feedback Message: PulseOx –> App

Control Action: App –> PCA Pump

STPA in AADL Where would the bad control action come from?

Controller: App Logic

Process Model Incorrect: Wrongly believes patient to be healthy

Bad information in

Integrated Hazard Analysis Specification Step 2: In Propagation

Incoming Port

Incoming Fault

App Logic SpO2 PumpCmd

Integrated Hazard Analysis Specification Step 3: Relation between incoming and outgoing

Name of flow

Type of flow

Specific Ports

Specific faults

App Logic PumpCmd SpO2

Sensor: Pulse Oximeter Actuator: PCA Pump

Controller: App Logic

Controlled Process: Patient

Feedback Message: PulseOx –> App

Control Action: App –> PCA Pump

STPA in AADL Where should we go now?

Controller: App Logic

Process Model Incorrect: Wrongly believes patient to be healthy

Option 1: Look for the source

Option 2: Look for the impact

Pulse Oximeter PCA Pump

App Logic

Patient

STPA in AADL Where should we go now?

Display

Clinician

Option 3: Look for other sources / impacts

Integrated Hazard Analysis OSATE Remembers A Neglected Connection

Pulse Oximeter

App Logic Display

Tool Supported Process

1. Here’s an empty cell (STPA Keyword + Control Action)… could anything go wrong?

2. Create occurrence and supporting EM annotations

Interaction between Report and Model

3. Where else could this fault go?

4. What else could cause this error?

Effect –> Cause Ca

use

–> E

ffect

Impacts

n  Automation n  Traditionally, analysts have to mine a system

and maintain it – without tool support

n  Architectural integration n  Faults can be “bound” to specific components

and ports

n  Future: n  Testing + Fault Injection

n  If a compensation is claimed, we can auto-generate a test

Outline

n  Background n  Vision n  Language n  Tool n  STPA n  Future

n  Next Steps n  Tool Extensions

Next Steps

FDA Evaluators

Assurance Case

3rd Party Certifiers

Risk Assessment

Hazard Analysis

Requirements

Clinical Use Case / Workflow Description

3rd Party ICE Conformance

& Safety Certification Submission Package

FDA 510K Submission Package

App Deployment

MDCF

Compositional Reasoning and Assurance Cases

App Developer

Future Tool extensions

n  Abstraction Depth n  Model methods / functions

n  Data Types n  CORBA IDL

n  MAP Device Drivers n  Logging Annotations

Further Reading

n  Source available online at https://github.com/santoslab/aadl-translator

n  Installable into OSATE2 via update site: http://santoslab.org/pub/mdcf-architect/updatesite

n  Full documentation online at http://santoslab.org/pub/mdcf-architect

n  Publications online at http://people.cis.ksu.edu/~samprocter

Applying STPA-based Hazard Analysis to support HBSE for Systems built using MAPs

Sam Procter, John Hatcliff, Kim Fowler SAnToS Lab

Kansas State University

ISPCE 2015 – Chicago, IL, USA

Support:

This work is supported in part by the US National Science Foundation (NSF) (#1239543), the NSF US Food and Drug Administration Scholar-in-Residence Program (#1355778) and the National Institutes of Health / NIBIB Quantum Program.

Anura Fernando Underwriters Laboratories

Sandy Weininger Food and Drug Admin.