Formal Verification of Medical Device User Interfaces Using PVS

  • Paolo Masci
  • Yi Zhang
  • Paul Jones
  • Paul Curzon
  • Harold Thimbleby
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8411)


We present a formal verification approach for detecting design issues related to user interaction, with a focus on the user interfaces of medical devices. The approach makes novel use of the configuration diagrams proposed by Rushby to formally verify important human factors properties of a user interface implementation. In particular, it first translates the software implementation of the user interface into an equivalent formal specification, from which a behavioral model is constructed using theorem proving; human factors properties are then verified against the behavioral model; lastly, a comprehensive set of test inputs is produced by exploring the behavioral model, which can be used to challenge the real interface implementation and to ensure that the issues detected in the behavioral model do apply to the implementation.

We have prototyped the approach based on the PVS proof system, and applied it to analyze the user interface of a real medical device. The analysis detected several interaction design issues in the device, which may potentially lead to severe consequences.
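The pipeline described in the abstract (explore the behavioral model, check a human factors property against it, then derive test inputs that can be replayed against the real implementation) can be illustrated on a toy scale. The following is an added example and not code from the paper or its authors: it uses Python rather than PVS, and the number-entry interface, its reduced key set, the "display determinism" property and the deliberately modelled defect (a decimal-point flag that survives the clear key) are all constructed for this illustration. The model is explored exhaustively by breadth-first search, each violation of the property is turned into a concrete key sequence together with the display the model predicts, and `replay` stands in for driving the actual device.

```python
"""
Added example (not code from the paper): a constructed number-entry user
interface, explored exhaustively to build its behavioral model, checked
against one human factors property, with test inputs generated from the model.
"""
from collections import deque
from typing import Dict, List, Tuple

State = Tuple[str, bool]          # (display text, decimal point already entered)
KEYS = ["0", "1", "5", ".", "C"]  # reduced key set keeps the model small
MAX_DIGITS = 4


def transition(state: State, key: str, buggy: bool = False) -> State:
    """One key press on the constructed interface."""
    display, has_point = state
    if key == "C":
        # Constructed defect: the buggy variant keeps the decimal-point flag
        # across a clear, leaving state that the display no longer reflects.
        return ("0", has_point if buggy else False)
    if key == ".":
        return state if has_point else (display + ".", True)
    if len(display.replace(".", "")) >= MAX_DIGITS:
        return state                     # entry full: digit is ignored
    if display == "0":
        return (key, has_point)          # leading zero is replaced
    return (display + key, has_point)


def explore(buggy: bool):
    """Breadth-first exploration from the initial state. Returns the full
    transition relation and, for each reachable state, a shortest key
    sequence that reaches it (reused later as a test input)."""
    init: State = ("0", False)
    witness: Dict[State, List[str]] = {init: []}
    edges: Dict[Tuple[State, str], State] = {}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for k in KEYS:
            t = transition(s, k, buggy)
            edges[(s, k)] = t
            if t not in witness:
                witness[t] = witness[s] + [k]
                queue.append(t)
    return edges, witness


def display_determinism_violations(edges):
    """Human factors property: what the user sees plus the key pressed must
    determine what is displayed next (no hidden modes). Returns each violating
    (observation, first state, first outcome, second state, second outcome)."""
    first: Dict[Tuple[str, str], Tuple[State, str]] = {}
    violations = []
    for (s, k), t in edges.items():
        obs = (s[0], k)
        if obs not in first:
            first[obs] = (s, t[0])
        elif first[obs][1] != t[0]:
            violations.append((obs, first[obs][0], first[obs][1], s, t[0]))
    return violations


def generate_tests(buggy: bool) -> List[Tuple[List[str], str]]:
    """Turn each violation into concrete key sequences paired with the display
    the model predicts, to be replayed against the real implementation."""
    edges, witness = explore(buggy)
    tests = []
    for (display, key), s1, out1, s2, out2 in display_determinism_violations(edges):
        tests.append((witness[s1] + [key], out1))
        tests.append((witness[s2] + [key], out2))
    return tests


def replay(keys: List[str], buggy: bool) -> str:
    """Drive an implementation (here the model itself) with a key sequence
    and report the final display."""
    state: State = ("0", False)
    for k in keys:
        state = transition(state, k, buggy)
    return state[0]


if __name__ == "__main__":
    for variant in (False, True):
        tests = generate_tests(variant)
        print(f"buggy={variant}: {len(tests)} test inputs")
        for keys, expected in tests[:4]:
            print("  keys", keys, "-> model predicts display", expected)
```

In the correct variant the decimal-point flag is always visible as a "." on the display, so no two states share a display, and the property holds with no tests generated. In the buggy variant the sequence `.`, `C` leaves the display showing `0` while the flag is still set, so a further `.` is silently ignored; the generated pair of tests (`["."]` expecting `0.` and `[".", "C", "."]` expecting `0`) is exactly what one would replay on the physical device to confirm that the issue found in the model is present in the implementation.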


Keywords: Software verification, Medical devices, User interfaces


References

  1. AAMI Medical Device Software Committee: Medical device software risk management. AAMI Tech. Rep. TIR32:2004 (2004)
  2. Ball, T., Cook, B., Das, S., Rajamani, S.K.: Refining approximations in software predicate abstraction. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 388–403. Springer, Heidelberg (2004)
  3. Bolton, M.L., Bass, E.J.: Formally verifying human-automation interaction as part of a system model: Limitations and tradeoffs. Innovations in Systems and Software Engineering 6(3), 219–231 (2010)
  4. Campos, J.C., Harrison, M.D.: Modelling and analysing the interactive behaviour of an infusion pump. Electronic Communications of the EASST (2011)
  5. Cauchi, A., Gimblett, A., Thimbleby, H., Curzon, P., Masci, P.: Safer 5-key number entry user interfaces using differential formal analysis. In: BCS-HCI (2012)
  6. Center for Devices and Radiological Health, US Food and Drug Administration: White Paper: Infusion Pump Improvement Initiative (2010)
  7. Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000)
  8. Dwyer, M.B., Tkachuk, O., Visser, W., et al.: Analyzing interaction orderings with model checking. In: ASE 2004, pp. 154–163. IEEE Computer Society (2004)
  9. Gelman, G.E., Feigh, K.M., Rushby, J.: Example of a complementary use of model checking and agent-based simulation. In: SMC 2013. IEEE (2013)
  10. Ginsburg, G.: Human factors engineering: A tool for medical device evaluation in hospital procurement decision-making. Journal of Bio. Informatics 38(3) (2005)
  11. Harrison, M.D., Campos, J.C., Masci, P.: Reusing models and properties in the analysis of similar interactive devices. Innovations in Systems and Software Engineering, 1–17 (2013)
  12. Harrison, M.D., Masci, P., Campos, J.C., Curzon, P.: Automated theorem proving for the systematic analysis of interactive systems. In: FMIS 2013 (2013)
  13. Jetley, R., Purushothaman Iyer, S., Jones, P.L.: A formal methods approach to medical device review. Computer 39(4), 61–67 (2006)
  14. Masci, P., Curzon, P., Harrison, M.D., Ayoub, A., Lee, I., Thimbleby, H.: Verification of interactive software for medical devices: PCA infusion pumps and FDA regulation as an example. In: EICS 2013. ACM Digital Library (2013)
  15. Masci, P., Rukšėnas, R., Oladimeji, P., Cauchi, A., Gimblett, A., Li, Y., Curzon, P., Thimbleby, H.: On formalising interactive number entry on infusion pumps. Electronic Communications of the EASST 45 (2011)
  16. Masci, P., Rukšėnas, R., Oladimeji, P., Cauchi, A., Gimblett, A., Li, Y., Curzon, P., Thimbleby, H.: The benefits of formalising design guidelines: a case study on the predictability of drug infusion pumps. Innovations in Systems and Software Engineering, 1–21 (2013)
  17. Masci, P., Zhang, Y., Curzon, P., Harrison, M.D., Jones, P., Thimbleby, H.: Verification of software for medical devices in PVS. CHI+MED Tech. Rep. (2013)
  18. Munoz, C.: Rapid prototyping in PVS. National Institute of Aerospace, Hampton, VA, USA, Tech. Rep. NIA, 3 (2003)
  19. Oladimeji, P., Masci, P., Curzon, P., Thimbleby, H.: PVSio-web: A tool for rapid prototyping device user interfaces in PVS. In: FMIS 2013 (2013)
  20. Owre, S., Rajan, S., Rushby, J., Shankar, N., Srivas, M.: PVS: Combining specification, proof checking, and model checking. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 411–414. Springer, Heidelberg (1996)
  21. Rukšėnas, R., Curzon, P., Blandford, A.E., Back, J.: Combining human error verification and timing analysis: A case study on an infusion pump. Formal Aspects of Computing (2013) (in press)
  22. Rukšėnas, R., Masci, P., Harrison, M.D., Curzon, P.: Developing and verifying user interface requirements for infusion pumps: A refinement approach. In: FMIS 2013 (2013)
  23. Rushby, J.: Verification diagrams revisited: Disjunctive invariants for easy verification. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 508–520. Springer, Heidelberg (2000)
  24. Rushby, J.: Using model checking to help discover mode confusions and other automation surprises. Reliability Engineering & System Safety 75(2), 167–177 (2002)
  25. Shankar, N., Owre, S.: Principles and pragmatics of subtyping in PVS. In: Bert, D., Choppy, C., Mosses, P.D. (eds.) WADT 1999. LNCS, vol. 1827, pp. 37–52. Springer, Heidelberg (2000)
  26. Shankar, N., Owre, S., Rushby, J., Stringer-Calvert, D.: PVS prover guide. Computer Science Laboratory, vol. 1, pp. 11–12. SRI International, Menlo Park (2001)
  27. Story, M.F.: The FDA perspective on human factors in medical device software development. In: IQPC Software Design for Medical Devices Europe (2012)
  28. Thimbleby, H.: Press On: Principles of Interaction Programming. MIT Press (2007)
  29. Thimbleby, H., Cairns, P.: Reducing number entry errors: solving a widespread, serious problem. Journal of the Royal Society Interface 7(51), 1429–1439 (2010)

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Paolo Masci (1)
  • Yi Zhang (2)
  • Paul Jones (2)
  • Paul Curzon (1)
  • Harold Thimbleby (3)

  1. School of Electronic Engineering and Computer Science, Queen Mary University of London, United Kingdom
  2. Center for Devices and Radiological Health, U.S. Food and Drug Administration, Silver Spring, USA
  3. FIT Lab, Future Interaction Technology Laboratory, Swansea University, United Kingdom