Professional Documents
Culture Documents
Abstract
Embedded software in medical devices is increasing in content and complexity. Traditional software
verification and testing methods may not provide the optimum solution. This paper discusses the
application of sound verification techniques in the development of high integrity medical device software.
Specifically, this paper will explore the application of formal methods based Abstract Interpretation
techniques to mathematically prove the absence of a defined set of run-time errors. The verification
solution is then compared and contrasted to other software analysis and testing methods, such as code
review, static analysis and dynamic testing.
Introduction
Software is becoming ubiquitous in medical
The sophistication and complexity of embedded
devices and contributing to their complexity [5].
software contained within medical devices is
As a result, various worldwide regulatory
increasing. State of the art pacemakers may
organizations include language in their directives
contain up to 80,000 lines of code, while
to explicitly address device software [2]. Recent
infusion pumps may have over 170,000 lines of
studies are pointing to increasing failure rates of
code. These devices must operate with utmost
medical devices due to software coding errors. A
concern for safety and reliability [1].
study conducted by Bliznakov et al finds that
over the period of 1999-2005 11.3% of FDA
Historically, the typical options available for
initiated recalls were attributable to software
verifying medical device software have been
coding errors [6].
code reviews, static analysis, and dynamic
testing. Code reviews rely solely on the expertise
The FDA increased its involvement in reviewing
of the reviewer and may not be efficient for large
the development of medical device software in
code bases. Traditional static analysis techniques
the mid 1980s when software coding errors in a
rely mainly on a pattern-matching approach to
radiation therapy device contributed to the lethal
detect unsafe code patterns, but cannot prove the
overdose of a number of patients [2]. FDA has
absence of run-time errors. Lastly, with the
published several guidance documents and
increasing complexity of device software, it is
recognized several standards addressing good
virtually impossible to dynamically test for all
software development processes. More recently,
types of operating conditions.
the FDA has established a software laboratory
within the Center for Devices and Radiological
Medical Device Software Health (CDRH) Office of Science and
Medical devices address a continuum of Engineering Laboratories (OSEL) to identify
diagnosis and treatment applications varying in software coding errors in devices under recall
complexity from digital thermometers, insulin investigation [1]. As part of its investigation the
pumps, pacemakers, cardiac monitors, to software laboratory examines the source code to
anesthesia machines, large ultrasound imaging understand and identify the root cause of a
systems, chemistry analyzers and proton beam device failure.
therapy systems. As science and technology
advances, so does the complexity and capability Examination of the software verification
of next generation devices. The easily processes in other industries may be instructive
identifiable signature of these devices is that they in the development of high integrity embedded
are intended to directly or indirectly affect the software. For example, significant rigor is
public health. applied to the verification of software for
aerospace and automotive applications [3]. These
y + +
+ ++ +
+++ + + +
++ +
+ ++++ +
++ +
++ +++++ +
+ +
+ + ++ +
+ + ++ +
Fig 1: Lattice representation of variables + + ++ + + +
+
x=y + + ++
Over approximation is applied to all possible +
execution paths in a program. Techniques such
O x
as widening and narrowing [22] and iteration
with a solver are used to solve the equations and Fig 2: Plot of data for X and Y
constraints to prove the existence of or the
absence of run-time errors in source code. Dynamic testing would utilize enumeration over
various combinations of X and Y to determine if
Using Abstract Interpretation for Code there will be a failure. However, given the large
Verification number of tests that would have to be run, this
The identification and proving the absence of type of testing may not detect or prove the
dynamic errors such as run-time errors that can absence of the divide by zero run-time error.
occur during code execution can be
accomplished by defining a strongest global
y + +
invariant SGI(k). Where SGI(k) is the set of all + +
+ +
possible states that are reachable at point k in a +++ + + +
program P. A run-time error is triggered when ++ +
+ ++++ +
++ +
++ +++++ +
SGI(k) intersects a forbidden zone. SGI(k) is the + +
+ + ++ +
+ + ++ +
result of formal proof methods and can be + + ++ + + +
+
expressed as least fixed-points of a monotonic x=y + + ++
operator on the lattice of a set of states [19]. +
O x
To see the application of Abstract Interpretation
to code verification, consider the following Fig 3: Type analysis
operation in code:
Another methodology would be to apply type
X = X/(X-Y) analysis to examine the range of X and Y in
context of the run-time error condition (i.e. X=Y).
Several issues could cause a potential run-time In Fig 3, note the bounding box created by type
error. These run-time errors include: analysis. If the bounding box intersects X=Y,
y + +
+ +
+ +
+++ + +
++ +
+ ++++ ++
++ +
++ +++++ +
+ + + +++ +
+ + ++ +
+ + ++ + + +
+
x=y + + ++
+
Figure 5: PolySpace color scheme
O x Demonstrating the effective of application of
Fig 4: Abstract interpretation Abstract Interpretation using PolySpace is
explained with the following exercise. Consider
As described earlier, Abstract Interpretation is a the function:
sound verification technique. With Abstract
Interpretation, assertions regarding the specified 1 int where_are_errors(int input)
run-time aspects of the software are proven to be 2 {
3 int x, y, k;
correct. 4
5 k = input / 100;
A Code Verifier based on Abstract 6 x = 2;
Interpretation 7 y = k + 5;
8 while (x < 10)
The Abstract Interpretation concept can be 9 {
generalized as a tool set that can be used to 10 x++;
11 y = y + 3;
detect a wide range of run-time errors in 12 }
software. In this paper, we use PolySpace® as an 13
example to explain how such a tool can help 14 if ((3*k + 100) > 43)
detect and prove the absence of run-time errors 15 {
16 y++;
such as overflows, divide by zero, out of bound 17 x = x / (x - y);
array access, etc. PolySpace is a code 18 }
verification product from The MathWorks® that 19
20 return x;
utilizes Abstract Interpretation. The input to 21 }
PolySpace is C, C++, or Ada source code. The
output is source code painted in four colors. As The goal is to identify run time errors in the
described in Table 1 and as shown in Fig 5 function where_are_errors(). The function
PolySpace informs the user of the quality of the performs various mathematical computations,
code using this four color coded scheme. includes a while loop, and an if statement. Note
that all variables are initialized and used. On line
Green Indicates code is reliable 17 a potential divide by zero could occur if x=y.
Red Run-time error due to faulty code
As shown in Fig 6, PolySpace has proven there Example: Out of Bounds Pointer
are no run-time errors in this code. This is Dereferencing
because line 17 is executed only when the 1 void out_of_bounds_pointer(void)
condition (3*k + 100 > 43) evaluates to true. 2 {
Moreover, since the value of y is dependent on 3
4 int ar[100];
that of k, PolySpace determines that at line 17, 5 int *p = ar;
while x is equal to 10, y will always have a value 6 int i;
greater than 10. As a result, there cannot be a 7
divide-by-zero error at this line. 8 for (i = 0; i < 100; i++)
9 {
10 *p = 0;
This result is determined efficiently without the 11 p++;
need to execute code, write test-cases, add 12 }
instrumentation in source code, or debug the 13
14 *p = 5;
code. PolySpace also identifies all aspects of 15
code that could potentially have a run-time error. 16 }
These are underlined (see Fig 6). For this
example, since there are no run-time errors, the In the example code shown, note that the array
underlined code is painted in green. For example, ar has been allocated for 100 elements. Thru
on line 17 the underlined green on the division pointer aliasing, the pointer p points to the first
‘/’ operator proves safety for overflow as well as element of array ar. The for loop with counter i
division by zero. will increment from 0 to 99. The pointer p is also
incremented. On exit of the for loop the index
Code Verification and Medical will point to element 100 of the array ar.
Device Software Attempting to store data at this location will
cause a run-time error.
The use of Abstract Interpretation based code
verification to ensure high quality and reliability By using Abstract Interpretation, a lattice
of critical software is not new. Brat and Klemm containing the variable for pointer p is created.
document the use of PolySpace for mission Then by iteration and solving, it can be proven if
critical code used on the Mars Exploration it is possible to exceed the allocated range for p
Rover’s flight software [14]. Best practices
By using code verification tools early in the 6. Bliznakov, Mitalas, Pallikarakis, “Analysis
development phase, software teams may realize and Classification of Medical Device
substantial time and cost savings by finding and Recalls”, World Congress on Medical
eliminating run-time errors when they are easiest Physics and Biomedical Engineering, 2006
and cheapest to fix. Since Abstract Interpretation
operates at the source code level, it does not 7. Wallace, Kuhn, “Failure Modes in Medical
require execution of the software to determine
Device Software”, International Journal of
specified coding errors. Finally, Abstract
Interpretation streamlines the debugging process Reliability, Quality and Safety Engineering,
by identifying the source of run-time errors 2001
directly in source code, not just the symptom.
The solution eliminates time wasted tracing 8. Butler, Finelli “The Infeasibility of
system crashes and data corruption errors back to Quantifying the Reliability of Life-Critical
source, as well as time spent attempting to Real Time Software”, IEEE Transactions on
reproduce sporadic bugs. Software Engineering, 1993