Closed-loop verification of medical devices with model abstraction and refinement

The design and implementation of software for medical devices is challenging due to the closed-loop interaction with the patient, which is a stochastic physical environment. The safety-critical nature of these devices and the lack of existing industry standards for verification make this an ideal domain for exploring applications of formal modeling and closed-loop analysis. The biggest challenge is that the environment model(s) have to be both complex enough to express the physiological requirements and general enough to cover all possible inputs to the device. In this effort, we use a dual-chamber implantable pacemaker as a case study to demonstrate verification of software specifications of medical devices as timed-automata models in UPPAAL. The pacemaker model is based on the specifications and algorithm descriptions from Boston Scientific. The heart is modeled using timed automata based on the physiology of the heart. The heart model is gradually abstracted, with timed simulation used to show that properties are preserved. A manual Counter-Example-Guided Abstraction and Refinement (CEGAR) framework has been adapted to refine the heart model when spurious counter-examples are found. To demonstrate the closed-loop nature of the problem and heart model refinement, we investigated two clinical cases of Pacemaker Mediated Tachycardia and verified their corresponding correction algorithms in the pacemaker. Along with our tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.
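As an added illustration (not the paper's UPPAAL model or Boston Scientific's algorithm), the following Python simulation closes the loop between a simplified DDD pacemaker and a heart with retrograde VA conduction: without a correction the loop locks into Pacemaker Mediated Tachycardia at the upper rate, with a PVARP-extension rule it terminates after a fixed number of tracked cycles. Every timing value (LRI, URI, AVI, PVARP, VA conduction time, atrial refractory period) and the correction rule itself are assumptions chosen for the demonstration.

```python
"""Closed-loop simulation of a DDD pacemaker against a simplified heart with retrograde
VA conduction, the substrate of PMT. Constructed example: all values are assumptions."""
from dataclasses import dataclass

@dataclass
class Params:
    lri: int = 1000        # lower rate interval, ms (60 bpm)
    uri: int = 500         # upper rate interval, ms (120 bpm)
    avi: int = 150         # AV delay after an atrial event, ms
    pvarp: int = 200       # post-ventricular atrial refractory period, ms
    va_delay: int = 250    # heart: retrograde V->A conduction time, ms
    atrial_erp: int = 450  # heart: atrium cannot be re-excited sooner than this, ms
    pmt_cycles: int = 8    # correction: tracked cycles at URI before PVARP extension
    pvarp_ext: int = 400   # correction: one-cycle extended PVARP, ms
    correction: bool = True

def simulate(p: Params, horizon: int = 12000, pvc_at: int = 600) -> list:
    """1 ms ticks; returns (time, kind, interval, tracked) per ventricular event."""
    last_v, last_a = 0, -10**9        # last ventricular / atrial activation
    vp_due, tracked = None, False      # scheduled V pace and whether it tracks a P
    pvarp_end, retro_at, run_at_uri, log = p.pvarp, None, 0, []
    for t in range(1, horizon):
        v_event = "PVC" if t == pvc_at else None            # heart: a PVC starts the loop
        if t == retro_at and t - last_a >= p.atrial_erp:    # retrograde P wave occurs
            last_a = t
            # pacemaker atrial channel: sense unless inside PVARP or an AV delay runs
            if t >= pvarp_end and vp_due is None:
                vp_due, tracked = max(t + p.avi, last_v + p.uri), True
        # pacemaker ventricular channel: tracked VP, else AP + AVI at the lower rate
        if vp_due is not None and t == vp_due:
            v_event = "VP"
        elif vp_due is None and t == last_v + p.lri - p.avi:
            last_a, vp_due, tracked = t, t + p.avi, False   # atrial pace (AP)
        if v_event:
            interval = t - last_v
            log.append((t, v_event, interval, tracked))
            run_at_uri = run_at_uri + 1 if tracked and interval == p.uri else 0
            pv = p.pvarp
            if p.correction and run_at_uri >= p.pmt_cycles:  # PMT detected: break it
                pv, run_at_uri = p.pvarp_ext, 0
            last_v, pvarp_end, retro_at = t, t + pv, t + p.va_delay
            vp_due, tracked = None, False
    return log

def longest_pmt_run(log, uri: int) -> int:  # longest run of tracked V paces at the URI
    best = run = 0
    for _, kind, interval, tracked in log:
        run = run + 1 if kind == "VP" and tracked and interval == uri else 0
        best = max(best, run)
    return best
```

The property a model checker would be asked for here is the upper-rate bound on ventricular pacing; the correction keeps it while also ending the sustained loop.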
