
1 High Confidence Medical Device Software and Systems: A programming languages and tools perspective
Mark P Jones
Department of Computer Science & Electrical Engineering
OGI School of Science & Engineering
Oregon Health & Science University
Beaverton, OR 97006

2 What is “High Confidence”?
 Others take a more realistic (pessimistic?) view:
   From a presentation by Dan Schultz, MD, Director of CDRH, FDA
 Some doctors don’t know what we mean by “high confidence”
   They use products, and they expect them to work
   This is how it should be!
 Our goal:
   Move from “reasonable” to “high” assurance
   If we are successful, the first group of doctors won’t notice

3 Software Validation:
 Process-oriented software validation is a requirement of the Quality System Regulation (21 CFR 820)
 Of 3140 medical device recalls between 1992 and 1998 …
   242 were attributable to software failures
   192 of those were caused by defects introduced when changes were made to software after initial production & distribution
   (Source: FDA guidance on “General Principles of Software Validation”)
 “Lessons from 342 Medical Device Failures” (Wallace and Kuhn, HASE99) classifies recalls between 1983 and 1997:
   Logic: 43%; Calculation: 24%; Change impact: 6%; …
 Process-oriented techniques are extremely valuable
 Claim: artifact-oriented techniques will provide an essential supplement

4 Candidate Technologies:
Formal Methods:
 Intel is building & using theorem proving technology:
   e.g., software/microcode verification of floating point unit, memory hierarchies, etc.
 Microsoft is building & using model checking technology:
   e.g., the Static Driver Verifier (SDV), including SLAM, uncovers critical bugs in device drivers, and will ship with the next Windows DDK
Domain Specific Languages:
 Galois has developed Cryptol as a DSL for cryptography:
   significant productivity boost for developers of Type 1 crypto
 Project Timber developed a DSL for component configuration:
   smaller code (factor > 30), prevented 100s of errors in the non-DSL version

5 Technology Drivers:
 To date, the key drivers for the adoption of formal methods and domain specific language technologies have been:
   government
   security
   aviation safety
   military
   …
   economics
 Few organizations have the resources of Intel, Microsoft, or the Federal Government to invest in these technologies
 But legislative incentives are coming:
   FDA approval is no longer a “shield against litigation”
 We must prepare Industry
 We must protect Innovation

6 Change Management:
 Change is the norm:
   requirements, systems, and assurance needs all change
   change is a significant contributor to device recalls …
 Several commercial software packages have been developed in support of the Quality System Regulations
 Programmer’s perspective: “make” tools for quality systems
 “Programatica”
   Integrate broad and open spectrum of assurance techniques in a software development environment
   Fine-grained, automated dependency tracking to reduce cost of recertification
 Tools like these can:
   embrace current evaluation methodologies
   offer an evolution path for introducing and applying formal methods
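The “make tools for quality systems” idea on this slide, as an added Python sketch that is not the page’s or Programatica’s own code: each piece of assurance evidence (a certificate) records the content hash of the artifacts it vouches for and the names of the certificates it builds on, so after a change only the invalidated evidence is listed for recertification. The artifact contents and certificate names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Certificate:
    name: str
    artifact_hashes: dict  # artifact name -> sha256 of its content when issued
    sub_certs: list        # names of certificates this one builds on

def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def certify(name, artifacts, deps, sub_certs=()):
    """Issue a certificate pinned to the current contents of its dependencies."""
    return Certificate(name, {d: digest(artifacts[d]) for d in deps}, list(sub_certs))

def stale_certificates(certs, artifacts):
    """Certificates invalidated by the current artifacts, plus those that are stale
    only because a certificate they build on is (propagated to a fixed point)."""
    known = {c.name for c in certs}
    stale = {c.name for c in certs
             if any(a not in artifacts or digest(artifacts[a]) != h
                    for a, h in c.artifact_hashes.items())}
    changed = True
    while changed:  # like make re-deriving downstream targets
        changed = False
        for c in certs:
            if c.name not in stale and any(s in stale or s not in known
                                           for s in c.sub_certs):
                stale.add(c.name)
                changed = True
    return sorted(stale)

def demo():
    # Constructed artifacts and evidence for a hypothetical dosing device.
    artifacts = {
        "dose.c": "int dose(int weight_kg) { return 2 * weight_kg; }",
        "alarm.c": "void alarm(void) { /* sound buzzer */ }",
        "spec.txt": "dose is twice the patient weight",
    }
    certs = [
        certify("dose-review", artifacts, ["dose.c", "spec.txt"]),
        certify("dose-tests", artifacts, ["dose.c"]),
        certify("alarm-review", artifacts, ["alarm.c"]),
        certify("release-1.0", artifacts, ["spec.txt"],
                ["dose-review", "dose-tests", "alarm-review"]),
    ]
    # A post-release edit to dose.c, the kind of change the recall data singles out.
    artifacts["dose.c"] = "int dose(int weight_kg) { return 3 * weight_kg; }"
    return stale_certificates(certs, artifacts)  # alarm-review remains valid
```

Only the evidence touching the changed file and the release certificate built on it come back; the unrelated alarm review keeps its standing, which is the cost saving the slide is after.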

7 Open Experimental Platforms:
 The academic community needs relevant, open platforms:
   to serve as case studies
   to provide baselines for comparison and evaluation
   to drive development of new tools & prototypes
 Examples like this are currently hard to find:
   Trade secrets, proprietary IP, patents, …
   Nobody likes to advertise their failures …
   … or give away their corporate crown jewels
 Significant benefits in the long term for device manufacturers and for society
 How do we leverage community?
   “Open Source” Medical Devices?

8 Bio
Mark Jones is an Associate Professor at the School of Science and Engineering at Oregon Health & Science University (OGI). His area of expertise is in the design, implementation, and application of programming languages. He has worked as an Associate Research Scientist at Yale University, and as a Reader at the University of Nottingham, where he founded and led a research group on Languages and Programming. He was Principal Investigator on the DARPA-funded Project Timber, dealing with the development of new programming language technology to support the design of reliable, real-time embedded systems. Jones is now leading the Programatica project, which is using the construction of a micro kernel implementation with strong security properties to demonstrate and inform the design of tools for evidence management and validation of complex, high-confidence software. He has a Ph.D. from the University of Oxford.
