Testing safety-critical software

Testing safety-critical software differs from conventional testing in that the test design approach must consider the defined and implied safety of the software at a level as high as the functionality to be tested, and the test software has to be developed and validated using the same quality assurance processes as the software itself.

Test technology is crucial for successful product development. Inappropriate or late tests, underestimated testing effort, or wrong test technology choices have often led projects to crisis and frustration. This software crisis results from neglecting the imbalance between constructive software engineering and analytic quality assurance. In this article we explain the testing concepts, the testing techniques, and the test technology approach applied to the patient monitors of the HP OmniCare family.

Patient monitors are electronic medical devices for observing critically ill patients by monitoring their physiological parameters (ECG, heart rate, blood pressure, respiratory gases, oxygen saturation, and so on) in real time. A monitor can alert medical personnel when a physiological value exceeds preset limits and can report the patient's status on a variety of external devices such as recorders, printers, and computers, or simply send the data to a network. The monitor maintains a database of the physiological values to show the trends of the patient's status and enable a variety of calculations of drug dosage or ventilation and hemodynamic parameters.

Patient monitors are used in hospitals in operating rooms, emergency rooms, and intensive care units and can be configured for every patient category (adult, pediatric, or neonate). Very often the patient attached to a monitor is unconscious and is sustained by other medical devices such as ventilators, anesthesia machines, fluid and drug pumps, and so on. These life-sustaining devices are interfaced with the patient monitor but not controlled from it.

Safety and reliability requirements for medical devices are set very high by industry and regulatory authorities. There is a variety of international and national standards setting the rules for the development, marketing, and use of medical devices. The legal requirements for electronic medical devices are, as far as these concern safety, comparable to those for nuclear plants and aircraft.

In the past, the safety requirements covered mainly the hardware aspects of a device, such as electromagnetic compatibility, radio interference, electronic parts failure, and so on. The concern for software safety, accentuated by some widely known software failures leading to patient injury or death, is increasing in the industry and the regulatory bodies. This concern is addressed in many new standards or directives such as the Medical Device Directive of the European Union or the U.S. Food and Drug Administration. These legal requirements go beyond a simple validation of the product; they require the manufacturer to provide all evidence of good engineering practices during development and validation, as well the proof that all possible hazards from the use of the medical instrument were addressed, resolved, and validated during the development phases.

The development of the HP OmniCare family of patient monitors started in the mid-1980s. Concern for the testing of the complex safety-critical software to validate the patient monitors led to the definition of an appropriate testing process based on the ANSI/IEEE software engineering standards published in the same time frame. The testing process is an integral part of our quality system and is continuously improved.

The Testing Process

During the specifications phase of a product, extended discussions are held by the crossfunctional team (especially the R&D and software quality engineering teams) to assess the testing needs. These discussions lead to a first estimation of the test technology needed in all phases of the development (test technology is understood as the set of all test environments and test tools). In the case of HP patient monitors the discussion started as early as 1988 and continues with every new revision of the patient monitor family, refining and in some cases redefining the test technology. Thus, the test environment with all its components and the tools for the functional, integration, system, and localization testing evolved over a period of seven years. Fig. 1 illustrates the testing process and the use of the tools..


sorce: findarticles.com