Model-Based Development of the Generic PCA Infusion Pump User Interface Prototype in PVS

  • Paolo Masci
  • Anaheed Ayoub
  • Paul Curzon
  • Insup Lee
  • Oleg Sokolsky
  • Harold Thimbleby
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8153)


A realistic user interface is rigorously developed for the US Food and Drug Administration (FDA) Generic Patient Controlled Analgesia (GPCA) pump prototype. The GPCA pump prototype is intended as a realistic workbench for trialling development methods and techniques for improving the safety of such devices. A model-based approach based on formal methods is illustrated and implemented within the Prototype Verification System (PVS). The user interface behaviour is formally specified as an executable PVS model. The specification is verified with the PVS theorem prover against relevant safety requirements provided by the FDA for the GPCA pump. The same specification is automatically translated into executable code through the PVS code generator; hence a high-fidelity prototype is developed that incorporates the generated executable code.


Keywords: Formal methods; Model-based development; Medical devices; User interface prototyping





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Paolo Masci (1)
  • Anaheed Ayoub (2)
  • Paul Curzon (1)
  • Insup Lee (2)
  • Oleg Sokolsky (2)
  • Harold Thimbleby (3)

  1. Queen Mary University of London, UK
  2. University of Pennsylvania, USA
  3. Swansea University, UK
