Model-Driven Development of High-Assurance Active Medical Devices
Advanced medical devices exploit the advantages of embedded software whose development is subject to compliance with stringent requirements of standardization and certification regimes due to the critical nature of such systems. This paper presents initial results and lessons learned from an ongoing project focusing on the development of a formal model of a subsystem of a software-controlled safety-critical Active Medical Device (AMD) responsible for renal replacement therapy. The use of formal approaches for the development of AMDs is highly recommended by standards and regulations, and motivates the recent advancement of the state of the art of related methods and tools including Event-B and Rodin applied in this paper. It is expected that the presented model development approach and the specification of a high-confidence medical system will contribute to the still sparse experience base available at the disposal of the scientific and practitioner community of formal methods and software engineering.
💡 Research Summary
The paper presents an initial experience with a formal, model‑driven development approach for a safety‑critical active medical device (AMD), specifically a software‑controlled subsystem of a hemodialysis machine. Recognizing that modern medical devices are increasingly software‑centric and subject to stringent regulatory frameworks (EU directives 93/42/EEC and 2007/47/EC, FDA QSR, ISO 13485, IEC 60601‑1, IEC 62304, and especially IEC 61508‑3), the authors argue that formal methods are “highly recommended” for achieving the high safety integrity levels required for such systems.
The authors adopt a refinement‑based Model‑Driven Development (MDD) methodology built around the Event‑B formalism and its supporting toolset, Rodin. Their development workflow consists of three tightly coupled phases: (1) formal requirements specification, (2) formal verification, and (3) formal validation. In the first phase, informal clinical and system requirements are translated into Event‑B machines and contexts. Variables capture domain concepts such as blood‑flow rate, dialysate composition, pump state, and alarm status; invariants encode physical constraints (e.g., flow must stay within safe limits) and safety rules (e.g., stop pump on high‑blood‑pressure alarm).
The refinement phase incrementally enriches the abstract model. New variables and invariants are introduced, existing events are refined to incorporate additional state, events are split into finer‑grained actions, and completely new events are added to model error‑recovery and user‑interaction logic. Each refinement step generates proof obligations (POs) that Rodin attempts to discharge automatically; the authors report a high automatic discharge rate, with the remaining POs handled manually.
Verification is performed through theorem proving (to ensure invariant preservation, guard strengthening, and deadlock freedom) and model checking (to explore reachable states and confirm liveness properties such as eventual completion of a dialysis cycle). The authors stress that verification alone does not guarantee that the model reflects stakeholder intent, so they add a validation step based on model animation. Using Rodin’s animation facilities, they execute the specification in a graphical, interactive environment, allowing clinicians and domain experts to observe system behavior without any code generation. This feedback loop enables early detection of requirement mismatches and supports iterative refinement.
The case study focuses on the control logic of a hemodialysis machine. The authors model core functions—blood pump operation, dialysate preparation, filtration, alarm handling, and fault recovery—across several refinement levels. The final model demonstrates that (i) blood flow remains within prescribed bounds, (ii) dialysate concentrations are adjusted correctly, (iii) alarms trigger appropriate safety actions, and (iv) the system can recover from sensor failures. The formal model serves as a single source of truth for subsequent certification documentation and potential code generation.
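An added sketch, not the paper's own model, of what an Event-B development of the kind summarized above looks like: an abstract machine whose invariants encode the flow bound (property i) and the rule that an active alarm forces the pump off (property iii), followed by one refinement that introduces a pressure sensor and strengthens the abstract alarm event's guard. All names (HD_C0, HD_M0, HD_M1, MAX_FLOW, MAX_PRESSURE, the event names) are assumptions chosen for illustration.

```eventb
CONTEXT HD_C0
SETS PUMP_STATE
CONSTANTS ON OFF MAX_FLOW MAX_PRESSURE
AXIOMS
  axm1: partition(PUMP_STATE, {ON}, {OFF})
  axm2: MAX_FLOW ∈ ℕ1
  axm3: MAX_PRESSURE ∈ ℕ1
END

MACHINE HD_M0
SEES HD_C0
VARIABLES flow pump alarm
INVARIANTS
  inv1: flow ∈ 0 ‥ MAX_FLOW          // physical bound: property (i)
  inv2: pump ∈ PUMP_STATE
  inv3: alarm ∈ BOOL
  inv4: alarm = TRUE ⇒ pump = OFF    // safety rule: property (iii)
  inv5: pump = OFF ⇒ flow = 0
EVENTS
  INITIALISATION
    THEN act1: flow ≔ 0  act2: pump ≔ OFF  act3: alarm ≔ FALSE END
  StartPump
    WHEN grd1: alarm = FALSE  grd2: pump = OFF
    THEN act1: pump ≔ ON END
  SetFlow
    ANY f WHERE grd1: f ∈ 1 ‥ MAX_FLOW  grd2: pump = ON
    THEN act1: flow ≔ f END
  RaiseAlarm   // abstract: no guard, an alarm may be raised at any time
    THEN act1: alarm ≔ TRUE  act2: pump ≔ OFF  act3: flow ≔ 0 END
  ClearAlarm
    WHEN grd1: alarm = TRUE
    THEN act1: alarm ≔ FALSE END     // pump stays OFF, so inv4 still holds
END

MACHINE HD_M1
REFINES HD_M0
SEES HD_C0
VARIABLES flow pump alarm pressure
INVARIANTS
  inv6: pressure ∈ ℕ
EVENTS
  // INITIALISATION (extended with act4: pressure ≔ 0), StartPump, SetFlow and
  // ClearAlarm are kept as extended events and omitted here for brevity
  SensePressure                      // new event: a sensor reading arrives
    ANY p WHERE grd1: p ∈ ℕ
    THEN act1: pressure ≔ p END
  RaiseAlarm REFINES RaiseAlarm      // guard strengthened: alarm only on over-pressure
    WHEN grd1: pressure > MAX_PRESSURE
    THEN act1: alarm ≔ TRUE  act2: pump ≔ OFF  act3: flow ≔ 0 END
END
```

Rodin generates invariant-preservation obligations for every event (for example, that StartPump and ClearAlarm preserve inv4) and a guard-strengthening obligation for the refined RaiseAlarm, which is trivially discharged because the abstract event has no guard.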
Beyond technical contributions, the paper discusses the impact on Small and Medium‑Sized Enterprises (SMEs). While the upfront investment in formal methods can be non‑trivial, the authors cite empirical data (e.g., three‑fold reduction in development time, five‑fold reduction in cost, and 92% of projects reporting quality improvements) to argue that the approach yields significant economic benefits, especially for SMEs that dominate the medical‑device supply chain.
In conclusion, the authors affirm that refinement‑based, model‑driven development using Event‑B and Rodin provides a rigorous, traceable, and stakeholder‑inclusive pathway for building high‑assurance medical software. They propose future work on integrating real‑time clinical data, automating code generation from verified models, and extending the approach to broader classes of active medical devices.