How to Assure Correctness and Safety of Medical Software: The Hemodialysis Machine Case Study

  • Paolo Arcaini
  • Silvia Bonfanti
  • Angelo Gargantini
  • Elvinia Riccobene
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9675)


Medical devices are increasingly software-dependent, and software malfunction can lead to injury or death for patients. Several standards have been proposed for the development and validation of medical devices, but they only establish general guidelines on the use of common software engineering activities, without indicating which methods and techniques should be used to assure safety and reliability.

This paper takes advantage of the Hemodialysis machine case study to present a formal development process supporting most of the engineering activities required by the standards, and provides rigorous approaches for system validation and verification. The process is based on the Abstract State Machine formal method and its model refinement principle.


Keywords: Ground Model, Linear Temporal Logic, Computation Tree Logic, Error Handling, Medical Software



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Paolo Arcaini (1)
  • Silvia Bonfanti (2)
  • Angelo Gargantini (2)
  • Elvinia Riccobene (3)

  1. Faculty of Mathematics and Physics, Charles University in Prague, Prague, Czech Republic
  2. Department of Economics and Technology Management, Information Technology and Production, Università degli Studi di Bergamo, Bergamo, Italy
  3. Dipartimento di Informatica, Università degli Studi di Milano, Milano, Italy
