PVSio-web: mathematically based tool support for the design of interactive and interoperable medical systems

Use errors, where medical devices work to specification but lead to clinicians making mistakes that result in patient harm, are a critical problem. Manufacturers need tools to help them find such design flaws at an early stage, and regulators need tools to help check that devices are safe to approve for market. We have developed a prototyping tool, PVSio-web, to help check the safety of medical device interface and interaction design. It supports a model-based design process: that is, it is based on precise mathematical descriptions of the device’s behaviour. This allows sophisticated proof and model checking technology to be used to verify that devices meet essential safety requirements. The architecture allows for the flexible addition of ‘plug-in’ modules to extend its functionality, giving different views of the design that allow different stakeholders to work together. Working with the US regulator, the Food and Drug Administration (FDA), our tool has helped identify problems in a series of commercial medical devices. Hospitals have used it as part of training programmes highlighting safety-related design issues. In ongoing work we are developing plug-ins that support the verification and validation of interoperable medical systems.

INTRODUCTION
Tools that help manufacturers and regulators rigorously check both prototypes and final designs of devices are vital if use of those devices involves safety issues. Interaction design is an important but under-researched area in this respect. Poor interaction design of medical devices can lead to hazards due to clinicians making mistakes when setting up or using the devices. This is being taken increasingly seriously by regulators, due to the large number of incidents and subsequent recalls of devices.
Regulators such as the Food and Drug Administration are promoting the use of model-based engineering techniques to explore design solutions and identify design defects in advance as a solution to these problems [14]. The process is based on the idea of creating mathematical models that describe the behaviour of the real system, and then analysing these models to gain confidence that the real system can operate safely. The advantage of this process is that developers can use it from the early stages of development (a full physical prototype of the device is not needed), and it enables rapid and precise exploration of different alternative solutions and different scenarios. We have focussed on extending such techniques to the interaction and interface design of medical devices, and have developed a tool, PVSio-web [10], that supports this process.

RAPIDLY GENERATING PROTOTYPES
PVS is an industry standard tool used for verifying systems that need high levels of assurance. It is used within a model-based design process: a mathematical description of the way a device behaves (a model) is checked against similar descriptions of what it should do, using powerful theorem proving and model checking technology. Such techniques require a great deal of mathematical expertise, however. An issue is how to make them more accessible and a more natural fit with design processes. PVSio-web is a sophisticated graphical front-end that extends PVS.
PVSio-web makes it easy to create and check realistic prototypes of a device, focussing on the interface that doctors, nurses or patients must interact with. The prototypes have the appearance and behaviour of the real system being analysed. We took a pragmatic approach to the rapid generation of prototypes. A picture of the real system, or, if early in the development, a design mock-up, is used to represent the prototype's appearance. The developer creates programmable areas over interactive parts, like the buttons and displays. The prototype's behaviour in these programmable areas is given by an underlying mathematical model. Its behaviour is demonstrated or explored by clicking on buttons in the picture, with the results of the interactions seen immediately on the display areas of the picture. PVSio-web, while making prototypes quick and easy to create, also supports model-based engineering of both stand-alone and interoperable medical systems.
The standard view provided by the tool of the realistic-looking and interactive prototype interface is designed for domain specialists and end users. It allows them to explore the behaviour of the prototype as they would in the final design. PVSio-web is particularly suitable for presenting mathematical properties, as well as the results of checking them, to engineers and domain specialists in a way that is easy to understand. Through this view, traces of behaviour determined to be problematic can be demonstrated and explored directly on the interface. It is also good for checking assumptions made in the models before analysis. It can also be used in a user-centred design process, allowing early evaluation of prototypes with the people who will have to use the device.

EXTENDING TOOL FUNCTIONALITY WITH PLUGINS
The architecture of PVSio-web is designed to be extensible and suitable for supporting stakeholders from wide-ranging backgrounds. It combines different views of the device designed for people with different roles and expertise. This allows a development team and their stakeholders to work together using a single underlying mathematical model, because only those who need to see the model do so. The extensible nature means that it is easy to combine PVSio-web with the tools already in use. For example, an early plug-in [13] allows the interface model to be co-simulated with control software developed separately using traditional tools, such as MathWorks Simulink. Additional plugins enable mathematical analysis with different verification tools, such as Overture [7] and IVY/NuSMV [1].

Model editor
The behaviour of the prototypes developed using PVSio-web is specified using mathematical descriptions (i.e., models). The models drive the execution of prototypes as well as being the target of checking by the verification tools. A model editor allows formal methods experts to create and edit the underlying models that describe the device's behaviour and to do basic sanity checks on them (correct use of types, and coverage and disjointness of the conditional statements used in function definitions).

Emucharts plugin and code generation
Developers on the whole do not currently possess the formal methods backgrounds to develop models directly. The models, however, can be created through a graphical editor. The designer works with a graphical notation they are used to and does not need to see the mathematical notation beneath. That notation can still be accessed by verification experts to check requirements mathematically and exhaustively. Developers normally create and edit designs using a graphical notation such as Statecharts. The tool therefore provides an editor for a notation based on Statecharts, called Emucharts. Using Emucharts, designers can declare variables, constants and states of an interactive system. They can also declare transitions between the states, as well as any conditions necessary for the transitions to occur, and how variables change when a transition occurs. Mathematical models are then created automatically from these design drawings in a variety of languages, including formal languages like PVS or Ada, and general purpose programming languages like JavaScript and C. This process of visually creating a state transition representation of an interactive system makes the model-based design paradigm accessible to a variety of developers. Even those with no training in formal methods or computer science can reap its benefits.
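As an added illustration (not PVSio-web's own code), the following JavaScript, one of the code-generation targets named above, shows what an Emucharts-style model looks like once generated: states, one variable, and guarded transitions grouped by event, together with the coverage and disjointness check on guards that the model editor section describes. The pump states, events, rate bound and the `remote_stop` command from a patient monitor are assumptions constructed for this example.

```javascript
// Added example (not PVSio-web code): an Emucharts-style model of an infusion
// pump interface and the coverage/disjointness check the text describes.
// All states, events and bounds below are constructed for illustration.
const MAX_RATE = 10; // hypothetical upper bound on the programmable rate

// Transitions are grouped by event; each has a source state, a guard over the
// variables, a target state and an action returning the updated variables.
const pumpModel = {
  states: ["off", "on", "infusing"],
  events: {
    click_on:    [{ from: "off", guard: () => true, to: "on", action: v => v }],
    click_up:    [{ from: "on", guard: v => v.rate < MAX_RATE, to: "on", action: v => ({ rate: v.rate + 1 }) },
                  { from: "on", guard: v => v.rate >= MAX_RATE, to: "on", action: v => v }],
    click_start: [{ from: "on", guard: v => v.rate > 0, to: "infusing", action: v => v },
                  { from: "on", guard: v => v.rate === 0, to: "on", action: v => v }],
    click_stop:  [{ from: "infusing", guard: () => true, to: "on", action: v => v }],
    // Assumed command from a patient monitor over a virtual port: it can only stop the infusion.
    remote_stop: [{ from: "infusing", guard: () => true, to: "on", action: v => v }],
  },
};

// Fire one event from a (state, variables) pair. An event with no enabled
// transition is ignored, as a button press in the wrong mode would be.
function step(model, event, state, vars) {
  const enabled = (model.events[event] || []).filter(t => t.from === state && t.guard(vars));
  if (enabled.length > 1) throw new Error(`guards overlap for ${event} in ${state}`);
  if (enabled.length === 0) return { state, vars };
  return { state: enabled[0].to, vars: enabled[0].action(vars) };
}

// Sanity check in the spirit of the model editor's: for every event and every
// source state that declares transitions for it, enumerate the variable domain
// and require exactly one true guard (>= 1 for coverage, <= 1 for disjointness).
function checkGuards(model, domain) {
  const problems = [];
  for (const [event, transitions] of Object.entries(model.events)) {
    for (const state of model.states) {
      const fromHere = transitions.filter(t => t.from === state);
      if (fromHere.length === 0) continue;
      for (const vars of domain) {
        const n = fromHere.filter(t => t.guard(vars)).length;
        if (n === 0) problems.push(`${event}@${state}: no guard covers rate=${vars.rate}`);
        if (n > 1) problems.push(`${event}@${state}: ${n} guards overlap at rate=${vars.rate}`);
      }
    }
  }
  return problems;
}

const rateDomain = Array.from({ length: MAX_RATE + 1 }, (_, rate) => ({ rate })); // finite domain of the only variable
```

Because the rate domain is finite, `checkGuards` is exhaustive here; for real models the editor's type checker does the same job symbolically.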

INTEROPERABLE MEDICAL SYSTEMS
Medical devices have communication capabilities that can be exploited for improving the safety and effectiveness of healthcare systems. For example, consider a clinical situation where an infusion pump is infusing opioids to a patient. A patient monitor analysing the patient's condition could alert the nurses if the patient enters respiratory depression, and at the same time immediately stop the infusion of the opioid, thus saving the patient's life.
The benefits of interoperable medical devices are clear. However, careful design decisions need to be taken to ensure safety of operation. For example, with reference to the previous scenario, what happens if the patient monitor is configured incorrectly, is operated incorrectly, or is malfunctioning? It is certainly desirable that the infusion pump operates as safely as in a situation when the pump is not connected to the patient monitor.
In [8], we have introduced a new mechanism in the tool that allows developers to install virtual communication ports on device prototypes developed using PVSio-web. Using these virtual ports, device prototypes can be connected to real communication networks, and thus use standard communication protocols to exchange data and commands with other devices connected to the same network. This mechanism therefore enables realistic prototypes of interoperable systems to be created that include both PVSio-web prototypes and real devices (e.g., physical prototypes, or final products). These prototypes are particularly suitable for exploring design requirements and regulatory issues of this new generation of medical systems.

APPLICATION AND IMPACT
We have successfully used PVSio-web in several different ways. In collaboration with the FDA, we developed Generic infusion pump prototypes [6] for exploring the definition of essential safety and usability requirements for infusion pumps.
We have also developed demonstrative prototypes for interoperable medical systems with infusion pumps and patient monitors [8]. Each interoperable device can be executed on a different physical machine, and exchange data and commands with the other prototypes using an open communication service for mobile devices. Future work on interoperable devices includes developing new demonstrative prototypes based on the Medical Application Platform [4] architecture. It was developed by the FDA in collaboration with other universities for the analysis of requirements for interoperable medical systems.
We have used PVSio-web to demonstrate previously undetected software defects in commercial medical devices that have safety implications [9,12]. We have validated mathematical versions of a set of safety/usability requirements for infusion pumps [2,3,11]. We have also created training material [5] to help manufacturers, regulators, clinicians, and procurement staff identify design issues before expensive design commitments are made and/or before the final product is placed on the market. These demonstrations have been used as part of hospital training programmes to raise awareness about device design issues.
International research groups are exploring applications of our tool in other application domains. For example, Honeywell and NASA Langley are using it to check new flight decks and next generation protocols for air traffic collision avoidance. Universities are using it to teach interactive and safety-critical systems, and to explain formal methods technologies to students.
PVSio-web was downloaded over 1,600 times in 2014 alone, and over 1,200 times in the first six months of 2015. It is available for download with the main PVS distribution from SRI International, and from http://www.pvsioweb.org.