Abstract
The paper is concerned with the practical use of formal techniques to contribute to the risk analysis of a new neonatal dialysis machine. The described formal analysis focuses on the controller component of the software implementation. The controller drives the dialysis cycle and deals with error management. The logic was analysed using model checking techniques and the source code was analysed formally, checking type correctness conditions, use of pointers and shared memory. The analysis provided evidence of the verification of risk control measures relating to the software component. The productive dialogue between the developers of the device, who had no experience or knowledge of formal methods, and the analyst using the formal analysis tools, provided a basis for the development of rationale for the effectiveness of the evidence.

Abstract
The paper describes templates for model-based analysis of usability and safety aspects of user interface software design. The templates crystallize general usability principles commonly addressed in user-centred safety requirements, such as the ability to undo user actions, the visibility of operational modes, and the predictability of user interface behavior. These requirements have standard forms across different application domains, and can be instantiated as properties of specific devices. The modeling and analysis process is carried out using the Prototype Verification System (PVS), and is further facilitated by structuring the specification of the device using a format that is designed to be generic across interactive systems. A concrete case study based on a commercial infusion pump is used to illustrate the approach. A detailed presentation of the automated verification process using PVS shows how failed proof attempts provide precise information about problematic user interface software features.

Abstract
The IVY workbench is a model-based tool that supports the formal verification of interactive computing systems. It adopts a plugin-based architecture to support a flexible development model. Over the years the chosen architectural solution revealed a number of limitations, resulting both from technological deprecation of some of the adopted solutions and a better understanding of the verification process to support. This paper presents the redesign and implementation of the original plugin infrastructure, originating a new version of the tool: IVY 2. It describes the limitations of the original solutions and the new architecture, which resorts to the Java module system in order to solve them.

Abstract
Formal verification has the potential to provide a level of evidence based assurance not possible by more traditional development approaches. For this potential to be fulfilled, its integration into existing practices must be achieved. Starting from this premise, the position paper discusses the opportunities created and the challenges faced by the use of formal verification in the analysis of critical interactive computing systems. Three main challenges are discussed: the accessibility of the modelling stage; support for expressing relevant properties; the need to provide analysis results that are comprehensible to a broad range of expertise including software, safety and human factors. Copyright © 2019 for this paper by its authors.

Abstract
Cyber-Physical Systems, as distributed systems of computational elements interacting with the physical world, are highly complex systems. They can, in many instances, be considered safety critical interactive systems, as errors in interaction can have disastrous consequences (consider the case of autonomous vehicles or integrated clinical environments). High assurance is, then, an underlying requirement, also at their user interface. In this position paper we identify five challenges to be solved both in the short and in the long term, regarding the modelling of (1) distributed and (2) heterogeneous interactive systems, (3) the analysis and relation between the different abstraction layers of Cyber-Physical Systems, (4) the modelling of real time/hybrid systems, and (5) the modelling of the dynamic nature of such systems. Solutions for these challenges are not presented, but possible directions are discussed. Copyright © 2019 for this paper by its authors.

Abstract
The IVY Workbench is a tool that supports the modeling and formal verification of interactive systems. The tool features a set of plugins that support the modeling and analysis process, including a models editor, a properties checker, and a models animator. The latter, allows visualizing and interacting with a model, but does not support associating it with a prototype of the system. Interaction with the model facilitates its validation by modelling experts. It does not, however, facilitate communication with domain experts and users, to whom a prototype would be a more effective means of communication. This article presents the work done to remedy this gap in IVY. The article details the preliminary research carried out, architectural decisions and the obtained end result.