Medicine-by-wire: Practical considerations on formal techniques for dependable medical systems
Science of Computer Programming (IF 1.3), Pub Date: 2020-09-28, DOI: 10.1016/j.scico.2020.102545
Leo Freitas, William E. Scott, Patrick Degenaar

We see the future of medicine as highly automated. Improvement in care provision will be achieved both by increased clinician efficiency and by new computing-assisted treatments and diagnoses. In other safety-critical industries, such as avionics and automotive, certification is dependability-driven. In contrast, medical certification is clinical-trial driven, which we argue will become increasingly problematic as medical device and software complexity increases. By dependability, we mean the dictionary notion: reliable and trustworthy. Thus, failures are either avoided by design, or are accountable to a measured extent. This touches upon the verification (intent) versus validation (outcome) problem. Even though correctness does not imply safety, we do believe from our experiences that the process of striving for correctness (verification), done right, does shed light on safety, i.e. on whether the requirements/assumptions were addressed as intended (validation).

Medical device trials can lead to adequate assurances of safety, as defined by the local regulatory burden. Nevertheless, the nature of such complex systems means that certain errors may not be detected by trials, and so additional efforts to reduce errors are needed. Our intent is, at least for software, to explore the contrast between approaches: correctness-by-construction versus correct-by-trial. Additionally, these levels of safety and effectiveness of systems vary across regulatory domains in different countries. A key challenge is how to achieve a successful interaction between verification tasks using formal methods and system development tasks within engineering teams that have no prior knowledge of formal techniques.

This paper describes a pragmatic process for the application of formal techniques, which is illustrated for three medical devices during pre-clinical development prior to certification. That means the techniques are not only applied to realistic systems, but are also taken up by the development teams themselves (i.e. the process cannot be entirely formal-expert driven). We demonstrate differences in applying formalisms at the start, midpoint and final development stages. In particular, we describe the underlying socio-technical challenges and how we developed mitigation methods for each exemplar case. This paper is not about a general technique for medical automation, as we do not believe this is practical/possible given the varied/dynamic nature of medical problems.


Updated: 2020-09-28