Importance of The Logic Design Tool (LDT) in Medical Device Software Development
The Logic Design Tool (LDT) is a graphical method that helps prevent logical errors in medical device software development, reducing costs and hazardous failures. A study by NIST revealed that logic errors account for a significant percentage of faults in recalled medical devices over a 15-year period. By utilizing LDT to model all conditions and actions, developers can effectively eliminate logical errors at the requirements design level and automate source code implementation at lower levels, improving overall software quality and reliability.
Presentation Transcript
The Logic Design Tool (LDT)
A Graphical Method for Specifying Combinatorial and Sequential Logic
(slide notes can be seen via view>notes page)
MEDICAL APPLICATION NEED
In a study of recalled medical devices over a 15 year period, the NIST found:
"Among the fault types, logic [errors] appear very high at 43%. This class includes possible errors such as incorrect logic in the requirement specification, unexpected behavior of two or more conditions occurring simultaneously, and improper limits."
- FAILURE MODES IN MEDICAL DEVICE SOFTWARE: AN ANALYSIS OF 15 YEARS OF RECALL DATA, Dolores R. Wallace and D. Richard Kuhn, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899 USA
DIGITAL SYSTEM DEVELOPMENT V MODEL
Each design level on the left of the V is paired with the test level on the right that finds its errors, and with the cost of fixing an error found at that level:
  Errors found after delivery: litigation/reputation/schedule/opportunity costs unknown
  Requirements Design / Acceptance Test Design -> Acceptance Testing: $10,000/fix
  System Design / System Test Design -> System Testing: $1,000/fix
  Architecture Design / Integration Test Design -> Integration Testing: $100/fix
  Module Design / Unit Test Design -> Unit Testing: $10/fix
  Coding
Problem: High level design errors result in large development costs, hazardous failures.
Claim: LDT models all conditions and virtually eliminates logical errors at the inexpensive requirements design level. LDT also automates source code implementation at all lower levels.
Solution: Create a CAD/CAM for logic which graphically displays all conditions and actions a digital system can take.
V MODEL - COMPARISON
EXAMPLE - TACAN acquisition display developed with and without LDT. The phases and the cost to fix an error found at each are those of the V model above (Requirements Design / Acceptance Testing $10,000/fix, cost after delivery unknown; System Design / System Testing $1,000/fix; Architecture Design / Integration Testing $100/fix; Module Design / Unit Testing $10/fix; Coding).

REQUIREMENTS / SYSTEM PHASE
  WITHOUT LDT: English text-based rqmt created for TACAN tuning lock acquisition. Functional rqmt derived, but TACAN re-acquisition case is overlooked.
    Result: UNCONSIDERED CASE OVERLOOKED
  WITH LDT: Blackbox showing inputs, outputs, all combinations and states displayed in LDT; lost case seen, considered, action entered. Customer and System engineer analyze spec, agree spec correct, generate code, test drivers, documentation via LDT autogen.
    Result: ALL CASES CONSIDERED, SPECIFIED

ARCHITECTURE / MODULE PHASE
  WITHOUT LDT: SW rqmts derived from functional rqmt, but includes overlooked case. TACAN control module design lacks TACAN display reset upon TACAN tuning lock re-acquisition.
    Result: OVERLOOKED CASE NOT IN DESIGN
  WITH LDT: SW rqmts auto generated. Code and exhaustive unit test driver auto generated, run on target, all code exercised, passed. SW metrics minimized.
    Result: LOGICAL CODE AND TEST DRIVERS AUTO GENERATED AT SPEC TIME

CODING PHASE
  WITHOUT LDT: TACAN control procedure written.
    Result: CODE HAND WRITTEN SEVERAL TIMES
  WITH LDT:
    Result: CODE AUTO GENERATED AT SPEC TIME

UNIT / INTEGRATION TEST PHASE
  WITHOUT LDT: Code complicated, challenging, reworked twice before RBT test passes. Regression tests also hand coded. Test driver hand coded twice. Labor intensive integration testing tests only positive result of system requirement. Test scripts hand coded three times.
    Result: UNIT TEST DRIVERS HAND WRITTEN SEVERAL TIMES
  WITH LDT: SW passes integration test for all cases.
    Result: UNIT TEST DRIVERS AUTO GENERATED AT SPEC TIME

SYSTEM / ACCEPTANCE PHASE
  WITHOUT LDT: Flight and ground test run over two weeks, but re-acquisition not checked. Aircraft flown overseas, TACAN tuning lost, XXX displayed, remains upon return to CONUS.
    Result: ERROR DURING CUSTOMER TEST ($10,000/FIX)
  WITH LDT: XXX displayed outside CONUS, TACAN freq displayed inside CONUS. Documentation, test drivers, results signed first time by customer.
    Result: ALL TESTS PASS, CUSTOMER ACCEPTS, DOCS AUTO GENERATED AT SPEC TIME ($10/FIX)
LDT APPLICATIONS
High Assurance:
  Safety Critical - Aircraft Flight Controls
  Data Secure * - Encryption Devices
  Subject to Litigation - Medical Equipment
  Large Lot Quantities - Consumer Electronics
  Agencies named: FAA, NRC, NSA, NASA, FDA
Hardware Development: Easy, fast design; larger set of variables, states; asynchronous execution speed increase
System Reliability: Line Replaceable Units needed for system success; total system probability of failure
Legacy Code Analysis
System Specification / Logic Tutorial
CONCLUSION
Because LDT finds most, if not all, logic errors, and because logic errors account for a large percentage of medical system errors, LDT can save a large portion of development cost and risk. LDT can also save a large portion (>60%) of test and integration costs because it auto-generates exhaustive test drivers. Test itself accounts for at least 40% of complex system development.
MISSING TACAN XXXXX DISPLAY CASE MADE APPARENT
[Figure: TACAN STATE TRANSITION DIAGRAM with states TACAN and NOT TACAN and outputs DISPLAY_FQ and DISPLAY_XS, beside the Karnaugh map (FIELD_0 / FIELD_1) on which the Missed Condition is marked.]
VARIABLE DEFINITION
  STATE_BIT_0 = A
  TACAN = B
  A := not A and TACAN
  DISPLAY_XS := A
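The overlooked re-acquisition case from the V model comparison, found by the kind of exhaustive unit test driver LDT auto-generates. This is an added Python example, not the page's LDT-generated Ada: the two transition functions and the requirement "DISPLAY_XS is on exactly when TACAN lock is lost" are constructed for illustration from the slide's TACAN story, not taken from its Karnaugh-map equation.

```python
from itertools import product

# Constructed model: one state bit A (the slide's STATE_BIT_0), one input
# TACAN (lock acquired) and one output DISPLAY_XS (show "XXX" instead of
# the frequency). Neither function is the page's generated Ada code.

def overlooked_transition(a: bool, tacan: bool) -> tuple:
    """Hand-written design that misses the re-acquisition case:
    once lock is lost, the XS display is latched and never reset."""
    next_a = a or not tacan       # latch the "lost" state; no path back
    return next_a, next_a         # (next state, DISPLAY_XS)

def exhaustive_transition(a: bool, tacan: bool) -> tuple:
    """Design derived from the full (state x input) table: the XS
    display follows lock status, so re-acquisition resets it."""
    next_a = not tacan
    return next_a, next_a

def exhaustive_unit_test(transition, num_state_bits=1, num_inputs=1):
    """Drive the transition through every state/input combination, as an
    exhaustive unit test driver does, and return the cases that violate
    the requirement: DISPLAY_XS must be on exactly when lock is lost
    (the input TACAN is assumed to be the first input bit)."""
    failures = []
    for bits in product([False, True], repeat=num_state_bits + num_inputs):
        state, inputs = bits[:num_state_bits], bits[num_state_bits:]
        _, display_xs = transition(*state, *inputs)
        tacan = inputs[0]
        if display_xs != (not tacan):
            failures.append({"state": state, "inputs": inputs,
                             "display_xs": display_xs})
    return failures

if __name__ == "__main__":
    # Four combinations in total; the latched design fails exactly the
    # "XS displayed, lock re-acquired" case that escaped to flight test.
    print("overlooked design:", exhaustive_unit_test(overlooked_transition))
    print("exhaustive design:", exhaustive_unit_test(exhaustive_transition))
```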
AUTOMATICALLY GENERATED SOURCE CODE FOR TACAN EXAMPLE (ADA)
-- SECURITY CLASSIFICATION
-- ************************************************************
-- CSCI_TITLE
-- PACKAGE BODY
-- CSC Transition
-- DESCRIPTION:
--   This package body implements state machine
--   tacan. tacan is composed of
--   1 inputs, 2 states and 1 outputs.
--   Included in this package body is the Transition procedure.
--   Transition will output a new state value based upon the inputs
--   and the present state. The Transition state machine is implemented with
--   boolean logic equations.
--
-- ABSTRACT:
--   none
-- REFERENCES:
--   none
-- EXCEPTION HANDLING AND ERROR PROCESSING:
--   none
-- LIMITATIONS:
--   none
-- WAIVERS:
--   none
-- MODIFICATIONS:
--   NUMBER  DATE         RSE  DESCRIPTION
--   1.0     163/53320/0
-- CODE CLASSIFICATION:
--   Not yet given a classification.
-- ************************************************************
package body tacan is
   State_field_upper_cnt  : constant := (Number_state_bits - 1);
   Input_field_upper_cnt  : constant := (Number_inputs - 1);
   Output_field_upper_cnt : constant := (Number_outputs - 1);
   type State_bit_array_type is array(0..State_field_upper_cnt) of Boolean;
   type Input_array_type     is array(0..Input_field_upper_cnt) of Boolean;
   type Output_array_type    is array(0..Output_field_upper_cnt) of Boolean;

   procedure Transition(Input   : in     Input_type;
                        State   : in out State_type;
                        Outputs :    out Output_type) is
      SB             : State_bit_array_type := (others => False);
      State_bit_next : State_bit_array_type := (others => False);
      IB             : Input_array_type     := (others => False);
      Output_boolean : Output_array_type    := (others => False);
      Index_cnt      : integer := 0;
   begin -- Transition
AUTOMATICALLY GENERATED TEST DRIVER FOR TACAN EXAMPLE (ADA)
-- SECURITY CLASSIFICATION
-- *********************************************************
-- CSCI_TITLE
-- PROCEDURE
-- CSC Transition_driver
-- DESCRIPTION:
--   This procedure is an example driver for procedure
--   Transition found in state machine package tacan.
--   The procedure asks the operator for 1 input values.
--   The procedure then displays the next state to which the
--   state machine has transitioned and the 1
--   output values for that state.
--   The value of Present_state is initialized and maintained by
--   this driver.
-- INPUTS:
--   Input number 0 named TACAN
-- OUTPUTS:
--   Output number 0 named DSPYXS
-- STATES:
--   State number 0 named State0
--   State number 1 named State1
-- REFERENCES:
--   none
-- EXCEPTION HANDLING AND ERROR PROCESSING:
--   CONSTRAINT_ERROR
--   NUMERIC_ERROR
--   STORAGE_ERROR
--   others
-- LIMITATIONS:
--   none
-- WAIVERS:
--   none
-- MODIFICATIONS:
--   NUMBER  DATE     RSE  DESCRIPTION
--   1.0     18/80/0
-- CODE CLASSIFICATION:
--   Not yet given a classification.
-- *********************************************************
with tacan;
with Text_IO;
procedure Transition_driver is
   package Int_IO is new Text_IO.integer_IO(integer);
   State0 : constant := 0;
   State1 : constant := 1;
   Input               : tacan.Input_type;
   Outputs             : tacan.Output_type;
   Input_cnt           : Integer;
   State_machine_valid : Boolean;
AUTOMATICALLY DOCUMENTED ARTIFACTS FOR TACAN EXAMPLE
1.0 Specification Description
2.0 Input To Output, State Bit Transform
3.0 Finite State Machine Karnaugh Maps
  3.1 State
  3.2 Intermediate
  3.3 Transition
4.0 Source code Files
  4.1 Ada
    4.1.1 Specification
    4.1.2 Body
    4.1.3 Interactive Driver
    4.1.4 Exhaustive Unit Test Driver
  4.2 VHDL
  4.3 C
  4.4 Exhaustive Unit Test Driver
  4.5 Body
5.0 Espresso Formatted Truth Table
6.0 State and Output Bit Model
7.0 State Analysis