Model-based development offers many advantages over other techniques. This paper demonstrates how models are used to develop safe systems at a medical devices company. The approach described combines model-driven analysis, model-driven design, model-driven test and model-driven safety analysis. Different approaches have been developed and followed in the past; the approach presented here has evolved incrementally and combines approaches described in the literature. It has proven well suited to the medical device domain and is considered a best-practice approach. As such it is part of the development process that must be followed when developing new medical devices. The development process has to be defined in writing and is checked by TÜV and FDA auditors on a yearly basis. It is considered well above average and may therefore be adopted by other companies developing safety-relevant devices. During the audit process it is verified both that the documentation of the process is as expected and that actual development is performed according to the defined process. For companies adopting the approach, this assures that it is validated by daily practice and that its use requires only modest overhead.


Keywords: medical devices; design process; model-driven analysis; MDRE; model-driven design; model-driven test; model-driven safety analysis





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

Uwe Becker, Dräger Medical AG & Co KG, Lübeck, Germany
