The emerging network-enabled medical devices impose new challenges for the safety assurance of medical cyber-physical systems (MCPS). In this paper, we present a case study of building a high-level safety argument for a patient-controlled analgesia (PCA) closed-loop system, with the purpose of exploring potential methodologies for assuring the safety of MCPS.
BACKGROUND: PCA CLOSED-LOOP SYSTEM
Figure 1 shows the architecture and essential data flow of a PCA closed-loop system. A pulse oximeter receives physiological signals from a clip on the patient’s finger and calculates the SpO2 values (i.e., the measure of blood oxygenation). The computer controller makes control decisions based on SpO2 readings received from the pulse oximeter, and periodically issues a “ticket” to the infusion pump. Each ticket limits the bolus and basal time period that the pump can infuse before the patient could possibly be pushed into respiratory distress.
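The following Python model is an added illustration of the ticket mechanism just described, not code from the paper or its authors: the controller derives a time-limited ticket from each SpO2 reading, and the pump infuses only while it holds an unexpired ticket with remaining bolus or basal allowance, so a low reading, a missing reading, or a ticket lost on the network stops infusion. The SpO2 threshold, ticket period and allowances are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

SPO2_LOW = 90.0       # constructed SpO2 threshold; not a value from the paper
TICKET_PERIOD = 30.0  # constructed ticket period and lifetime, in seconds

@dataclass(frozen=True)
class Ticket:
    issued_at: float  # controller clock time at issue (s)
    bolus_s: float    # bolus infusion time permitted under this ticket (s)
    basal_s: float    # basal infusion time permitted under this ticket (s)

def issue_ticket(now: float, spo2: Optional[float]) -> Ticket:
    """Controller side: a low or missing SpO2 reading yields a zero-allowance ticket."""
    if spo2 is None or spo2 < SPO2_LOW:
        return Ticket(now, 0.0, 0.0)
    return Ticket(now, bolus_s=10.0, basal_s=TICKET_PERIOD)

class Pump:
    """Pump side: infuses only under an unexpired ticket with remaining allowance."""
    def __init__(self):
        self.ticket, self.used = None, {"bolus": 0.0, "basal": 0.0}

    def receive(self, ticket: Ticket):
        self.ticket, self.used = ticket, {"bolus": 0.0, "basal": 0.0}

    def remaining(self, now: float, mode: str) -> float:
        """Seconds of infusion still permitted in `mode` at time `now`."""
        t = self.ticket
        if t is None or not (0 <= now - t.issued_at < TICKET_PERIOD):
            return 0.0  # no ticket, or an expired one: the safe default is to stop
        limit = t.bolus_s if mode == "bolus" else t.basal_s
        return max(0.0, limit - self.used[mode])

    def infuse(self, now: float, mode: str, seconds: float) -> float:
        """Run for up to `seconds`, clipped to the ticket allowance; returns seconds run."""
        run = min(seconds, self.remaining(now, mode))
        self.used[mode] += run
        return run

def simulate(events):
    """events: (time, spo2 or None, ticket_delivered). Returns basal permission per step."""
    pump, allowed = Pump(), []
    for now, spo2, delivered in events:
        if delivered:  # False models a ticket lost or delayed on the network
            pump.receive(issue_ticket(now, spo2))
        allowed.append(pump.remaining(now, "basal") > 0)
    return allowed
```

In the constructed scenario `simulate([(0, 97, True), (30, 97, True), (60, 85, True), (90, 97, False), (120, 97, True)])` the pump is permitted at 0 and 30 s, blocked at 60 s by the low reading and at 90 s by the lost ticket, and permitted again at 120 s.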
In this section, we develop a high-level safety argument for the PCA closed-loop system. Figure 2 shows our argument using the Goal Structuring Notation (GSN), a popular graphical notation for organizing and presenting safety arguments (we refer readers who are unfamiliar with GSN.
The top-level goal (G1) is to show that “The PCA closed-loop system is at least as safe as the stand-alone infusion pump, with respect to the overdose hazard”. Here, we assume that the closed-loop system is built on top of a stand-alone infusion pump whose safety has already been assessed in a separate safety argument, and that the pulse oximeter’s behavior is not affected by placing it in the PCA closed loop. This context is documented as C1.1 in Figure 2.
To address G1, our strategy is to argue by risk-benefit analysis (S1), which is defined in the context C1.2. If the benefit brought by the closed-loop system outweighs its introduced risk, then we can assert that the goal G1 is true. More specifically, the benefit refers to how much residual risk of the stand-alone pump can be mitigated by the closed-loop system.
Following strategy S1, we decompose G1 into three sub-goals:
- G2.1: The introduced risk due to hazards of the closed-loop system is acceptable.
- G2.2: Some residual risk of the stand-alone infusion pump is adequately mitigated by the closed-loop system.
- G2.3: The benefit of the closed-loop system outweighs its introduced risk.
We have presented a high-level safety argument for a patient-controlled analgesia (PCA) closed-loop system, in which an infusion pump, a pulse oximeter, and a computer controller are interconnected over a network. The goal of the argument is to show that “The PCA closed-loop system is at least as safe as the stand-alone infusion pump, with respect to the overdose hazard”, and the strategy is to argue by risk-benefit analysis. This case study has the potential to be generalized to other network-enabled medical devices. We hope to further explore this direction in the future. Ultimately, we would like to develop a safety argument pattern for closed-loop systems.
Source: University of Pennsylvania
Authors: Lu Feng | Andrew L. King | Sanjian Chen | Anaheed Ayoub | Junkil Park | Nicola Bezzo | Oleg Sokolsky | Insup Lee