Download Slides

Automata for Real-time Systems
B. Srivathsan
Chennai Mathematical Institute
1/26
In this lecture
An academic case-study that investigates methods to build
more reliable pacemakers
2/26
Lecture 10:
Towards reliable pacemakers
3/26
References
Modeling and verification of a dual chamber implantable pacemaker
Jiang, Pajic, Moarref, Alur, Mangharam. TACAS’12
Heart-on-a-chip: A closed-loop testing platform for implantable
pacemakers
Jiang, Radhakrishnan, Sampath, Sarode, Mangharam. 2013
mlab.seas.upenn.edu
4/26
Heart and pacemaker basics
Presentation of Zhihao Jiang (U Penn)
5/26
Pacemaker software
In-built algorithms to detect and terminate various
abnormal heart conditions
6/26
Pacemaker software
In-built algorithms to detect and terminate various
abnormal heart conditions
At least 6 implanted medical devices were recalled in 2010 due
to likely software defects
Killed by Code: Software Transparency in Implantable Medical Devices
Karen Sandler, Lysandra Ohrstrom, Laura Moy, Robert McVay
6/26
Two possible solutions for more reliable devices:
I
Model-based system/software design
I
Closed-loop testing
7/26
Model-based system/software design
UPPAAL
Heart
Pacemaker
automaton
automaton
Verification
UPP2SF tool
Simulink
Simulink
Simulink
model
model
Simulation
Code generation
Testbench
Heart on
chip
Pacemaker
(Simulink is a commercial tool developed by Mathworks Inc.)
Conformance
testing
8/26
rdinates the conlation within our
n and conduction
n abnormal heart
Rhythm managecemaker, are degnose the current
apies to maintain
etween the pacem a perfect examhe device opera-
ated. This end-to-end tool chain guarantees the verified properties
are preserved during model translation and code generation which
can save significant debugging time.
Closed-loop testing
Boston Scientific
Pacemaker
Heart on FPGA
iac devices were
th consequences
ice software, rehave been rising.
A) require device
the NSF CPS-
Analog Interface
Figure 1: The heart-on-a-chip testing platform consists of a heart im-
plementation on an programmable chip (FPGA) and an analog interface for signal isolation and attenuation to interface with a pacemaker.
Heart on
Conformance
In this figure, the platform is testing aPacemaker
Boston Scientific pacemaker.
Testbench
chip
testing
9/26
Coming next: Modeling and verification of heart and
pacemaker
10/26
Heart as a timed automaton
11/26
mulus, and
od of time
s possible,
as follows.
el built as
automata
the modnd can be
of events
t model in
models of
pacemaker
cking, with
model for Abstract electrical conduction system of heart into nodes and paths
Figure 1: Electrical conduction system of the heart.
AL against
develop a
ify it with
conducting
(AV)
node,
allowing verification
the bloodof cardiac
Picture
credits: A atrioventricular
Simulink hybrid heart
model
for quantitative
omata are
to empty out the atria and fill the ventricles. The fast conpacemakers
5] and hyducting Purkinje system spreads the electricity through the
Chen et. al. HSCC’13
h analysed
ventricles, causing all tissues in both ventricles to contract
d analyse a
simultaneously and to force blood out of the heart. This
12/26
Time
Zhihao Jiang et al.: Pacemaker
Verification
Time
7
ERP
RRP
Rest
ERP
RRP
Rest
ERP
RRP
Rest
ERP
RRP
Rest
Rest
Rest
Rest
Refractory Rest
Cond
Cond
Vout
Original
Originaltissue
tissueModel
Model
a
Rest
t<=Trest_maxRest
t<=Trest_max
bb
t>Trrp_min
t>Trrp_min
t=0
t=0
Time
RRP
RRP
ERP t<=Trrp_max
RRP
Rest
ERPt<=Trrp_max
RRP
Rest
Rest
Rest
t>Trest_min
t>Trest_min
t=0
t=0
Act_node?
Act_node?
t=0
Act_node? t=0
Act_node?
t=0
t=0
t>Terp_min
t>Terp_min
t=0
t=0
b
t>Trest_min
t=0
Abstraction
Abstraction11 t>Trest_min
Rest
t<=Trest_max
t>Trrp_min
Rest
t=0
Rest
t<=Trest_max RRP
t<=Trest_max
t<=Trrp_max
cond
cond
t<=Tcond_max
t<=Tcond_max
t>Tcond_min
t>Tcond_min
t=0
t=0
Act_next!
Act_next!
ERP
ERP
t<=Terp_max
t<=Terp_max
N0
N0
Cond
Original tissue Model
N0
N0
Act_node?
t=0
Act_node?
t>Trest_min
t=0
t=0
t=0
Act_node?
t>Terp_min
Act_node?
t=0
t=0
t=0
Act_node?
N0
Act_node?
t=0
t=0
N0
Act_path_1? Idle
Act_path_2?
Act_path_1? Idle Act_path_2?
t1=0
t2=0
t1=0
t2=0
cond
t<=Tcond_max
t>Tcond_min
t=0temp
Act_next!
temp
ERP
t<=Terp_max
N1
N1
t>1
t>1t<=1
Conflict
Conflict t2>Tcond_min
t<=1
Retro
t1>Tcond_min
t1>Tcond_min
t2>Tcond_min Retro
t>Trrp_min
Act_node_2!
Act_node_1!
Act_path!
t>Trrp_min
t=0
Act_node_2!
Act_node_1!
Act_path!
t2<=Tcond_max
t=0
t1<=Tcond_max
Act_path_1? Idle Act_path_2?
P1
Abstraction 1
t2<=Tcond_max
t1<=Tcond_max
N1
t>Trest_min
t1=0ERP
t2=0
t1+t2>Tcond_min
t=0 RRP
t1+t2>Tcond_min
Rest
RRP temp t>Terp_min
ERP
t>Terp_min
t>1
t<=Trest_max t<=Trrp_max
Act_node?
Act_node_2?
Act_node_1?
t<=Terp_max
Conflict
t<=1
t=0Ante
Act_node_2?
Act_node_1?
t=0
t<=Trrp_max
t<=Terp_max
t1>Tcond_min
t2>Tcond_min Retro
t=0
Double
t1+t2<=Tcond_max
Act_node?
t>Trrp_min
Double
t1+t2<=Tcond_max
Act_node_2!
Act_node_1!
t=0
Act_path!
cc
c
t=0
RRP
t>Terp_min
ERP
Abstraction
22
Abstraction
Rest
N1
t<=Trrp_max
t=0
N1
Node
N1
t<=Terp_max
Ante
Ante
t1<=Tcond_max
t1+t2>Tcond_min
Act_node_2?
Double
t2<=Tcond_max
Act_node_1?
t1+t2<=Tcond_max
Act_path_1?
P1
Path
P1
Act_path_2?
Act_path_1?
Act_path_2?
t>Trest_min
RestTrrp_min,
P1 acc. to node
Parameters
Trest_max,
t>Trest_minetc. chosen
t=0placement and patient
t=0 history
t<=Trest_max
Ante
t=0
t=0Retro
Idle
t=0
Ante Act_path_2?
Retro
Idle
Abstraction 2 t<=Trest_max
t=0
Act_path_1?
13/26
Heart automaton H: N1 || P1 || N2 || P2 || . . . || Nk
Ni Node automaton
Pi Path automaton
k Number of nodes to which heart is abstracted
|| Parallel composition (asynchronous product construction)
14/26
Pacemaker as a timed automaton
15/26
Heart-pacemaker interaction
Aget !
1
AP !
Pacemaker
Heart
Vget !
VP !
Fig. 6. (a) The heart model generates heart events (Aget,Vget) and resp
of DDD pacemaker which maintain minimal heart rate, minimal A-V dela
N 1 . Act_Path! → Aget!
N 2 . Act_Path! → Vget
to mimic the behavior of di↵erent heart conditions. For
example, the non-deterministic ERP range [Tmin , Tmax ]
N 1 node
atrial function:
lead
is interpolated
as aatlinear
N 2 node at ventricular lead
Tmin + (1 (1 t/T rrp)3 ) · (Tmax
Tmin )
(1)
RE
in
ER
in
16/26
Pacemaker timing cycles
Zhihao Jiang et al.: Pacemaker Verification
1
2
3
heart events (Aget,Vget) and responds to pacemaker events (AP,VP). (b) Basic 5 timing cycles
imal heart rate, minimal A-V delay and filter noises
17/26
Zhihao Jiang et al.: Pacemaker Verification
AS?
AS?
VS?
VP?
LRI
AP!
VS?
VP?
(a) LRI component
Aget?
VS?
VP?
VS?
VP!
AVI
11
(c) URI component
(b) AVI component
PVARP
AS!
Vget?
AR!
VP?
(d) PVARP component
URI
VP?
VRP
VS!
(e) VRP component
Fig. 7. (a)LRI component delivers AP! event if the V-A delay exceeds TLRI-TAVI; (b)AVI component delivers VP! if the A-V
delay exceeds TAVI while the V-V delay is longer than TURI; (c)URI component keeps track of the V-V delay; (d)PVARP
component filters certain Aget! from the heart and generates AS!; (e)VRP component filters certain Vget! from the heart and
generates VS!
Pacemaker automaton P: LRI || AVI || URI || PVARP || VRP
and for ventricular lead
4.1.1 Lower Rate Interval (LRI)
18/26
Heart-pacemaker automaton: H || P
19/26
An algorithm for Endless Loop
Tachycardia
20/26
Endless Loop Tachycardia (ELT)
Slides of Zhihao Jiang
21/26
ELT-detection: If VP-AS pattern within 500ms for at least 8 times
PELT_det
Pv_v
I ELT-termination: Increase PVARP to 500ms once
g. 10. (a) Any pattern other than VP-AS will result in error state (b) If the ventricular rate is slower than the Upper Rate
I
mit will go to error state
3
1
2
g. 11. (1) The component PVAS sends VP AS! event when a VP-AS pattern with delay between [150,200] is detected; (2)
omponent ELTct. After 8 VP-AS pattern, the1 algorithm
to 500ms. (3) Modified PVARP’ component.
VPAS increase
2 ELTctTPVARP
3 PVARP’
PVARP can only be set to 500 for one timing cycle.
nd
EkIDkRE
Pacemaker P1 : LRI || AVI || URI || PVARP 0 || VRP || ELTct || VPAS
AV I.t T AV I^U RI.t T U RI
V P !!Act node 2!
P.t P.T cond min
!
6.3 ELT termination algorithm
The ELT will persists without intervention and the pa-22/26
Is the modified pacemaker safe?
12
Question 1: Are 2 ventricular events within time?
Zhihao Jiang et al.: Pacemaker Verification
wait_1st
Vget?
t=0
VP?
t=0
wait_2nd
Vget?
wait_v
secV
VP?
t=0
(a) Monitor PLRI test
Vget?
t=0
VP?
t=0
wait_vp
VP
Vget? t=0
(b) Monitor PURI t
Fig. 8. (a) Monitor for LRL: Interval between two ventricular events should be less than TLRI, (
a ventricular event and a VP should be longer than TURI
Check in UPPAAL if in H || P1 || PLRItest, all paths satisfy
PLRItest.t ≤ TLRI
tween an atrial event and a ventricular event. If no ventricular event has been sensed (VS) within TAVI after
an atrial event (AS, AP), the component will deliver ventricular pacing (VP). In order to prevent the pacemaker
the safety of the pacem
check all possible para
are only a finite numbe
ter combinations [13], i
23/26
Is the modified pacemaker safe?
get?
t=0
P?
=0
Question 2: Are 2 ventricular events very fast?
Zhihao Jiang et al.: Pacemaker Verification
wait_2nd
Vget?
wait_v
secV
VP?
t=0
) Monitor PLRI test
Vget?
t=0
VP?
t=0
wait_vp
VP?
secV
t=0
Vget? t=0
(b) Monitor PURI test
tween two ventricular events should be less than TLRI, (b) Monitor for URL: Interval between
onger than TURI
Check in UPPAAL if in H || P1 || PURItest, all paths satisfy
ular event. If no ven) within TAVI after
nent will deliver venevent the pacemaker
PURItest.t ≥ TURI
the safety of the pacemaker software, it is important to
check all possible parameter combinations. Since there
are only a finite number (i.e. 8000) of di↵erent parameter combinations [13], in this paper we enumerate all of
24/26
Each time new algorithm is added, model it and check if basic safety
properties are satisfied
25/26
Take-home
I
Model-based system/software design
I
Closed-loop testing
26/26