An architecturally-integrated, systems-based hazard analysis for medical applications

Medical devices are increasingly being developed not as standalone units but as network-aware machines that can be integrated via high-assurance middleware and coordinated with software into clinically useful applications for Medical Application Platforms (MAP apps). While this concept is still emerging, both regulators and vendors recognize that these apps can be as powerful as purpose-built medical devices, and they are struggling to understand the appropriate techniques to support risk assessment and safety claims. Before being approved for market, the reliability of medical devices is typically ascertained by performing one of a number of hardware-centric, reliability-focused analyses. However, these techniques are not a good fit for the combined hardware and software systems that are defined by MAP apps, nor is their emphasis on reliability appropriate when the end goal is safety. In this work, we tailor a modern, systems-based hazard analysis technique (STAMP / STPA) to the domain of MAP apps by leveraging our prior work in safety-critical systems engineering for medical software. We also build on our previously developed AADL-based language and tooling for the semi-formal modeling of MAP app architectures to provide a proof-of-concept tool that aids the transition between design and analysis. This tool takes as input an architectural model annotated with both new and re-purposed constructs from AADL (as well as its error modeling annex) and produces as output a report in our proposed format. We ground our approach by using a clinically-sourced scenario that serves as a motivating example: we provide an annotated architectural model and hazard analysis report that serve as exemplars of our technique and tooling.