3,173 research outputs found

    Synthesis of Specifications and Refinement Maps for Real-Time Object Code Verification

    Formal verification methods have been shown to be very effective in finding corner-case bugs and ensuring the safety of embedded software systems. The use of formal verification requires a specification, which is typically a high-level mathematical model that defines the correct behavior of the system to be verified. However, embedded software requirements are typically described in natural language. Transforming these requirements into formal specifications is currently a big gap. While there is some work in this area, we proposed solutions to address this gap in the context of refinement-based verification, a class of formal methods that have been shown to be effective for embedded object code verification. The proposed approach also addresses both functional and timing requirements and has been demonstrated in the context of safety requirements for software control of infusion pumps. The next step in the verification process is to develop the refinement map, which is a mapping function that can relate an implementation state (in this context, the state of the object code program to be verified) with the specification state. Constructing refinement maps often requires deep understanding and intuitions about the specification and implementation, and it has been shown to be very difficult to construct refinement maps manually. To overcome this obstacle, the construction of refinement maps should be automated. As a first step toward the automation process, we manually developed refinement maps for various safety properties concerning the software control operation of infusion pumps. In addition, we identified possible generic templates for the construction of refinement maps. Recently, procedures for synthesizing refinement maps for functional and timing specifications have been proposed. The proposed work develops a process that significantly increases the automation in the generation of these refinement maps. 
The refinement maps can then be used for refinement-based verification. This automation procedure has been successfully applied to the transformed safety requirements in the first part of our work. This approach is based on the identified generic refinement map templates which can be increased in the future as the application required

    The Effect of Reservoir Dimensions on the Flow Rate of Insulin Infusion Pumps

    An insulin infusion pump is a semi-automatic medical device used to control the blood glucose level of diabetic patients. The device works by infusing insulin from the insulin reservoir into the patient's body continuously. The insulin reservoir is a container where insulin is stored before being injected into the patient's body. The main components of insulin infusion pumps consist of a pump, a motor, a reservoir, tubes and a microprocessor. The device injects the insulin according to a regulated flow rate. The dimensions of the insulin reservoir affect the flow rate of the device. The dimensions of the reservoir need to be considered so that the flow rate of the insulin is delivered accurately. The simulation of fluid velocity in the insulin reservoir was carried out using computational fluid dynamics software. The entered fluid velocities were used to calculate fluid flow rates. The results of this study indicate that the simulation of changes in the diameter of the insulin reservoir will affect the flow rate. 
A smaller reservoir dimension makes the flow rate that comes out of the nozzle approach the flow rate that has been set in the insulin infusion pump program

    Challenges and Research Directions in Medical Cyber-Physical Systems

    Medical cyber-physical systems (MCPS) are life-critical, context-aware, networked systems of medical devices. These systems are increasingly used in hospitals to provide high-quality continuous care for patients. The need to design complex MCPS that are both safe and effective has presented numerous challenges, including achieving high assurance in system software, interoperability, context-aware intelligence, autonomy, security and privacy, and device certifiability. In this paper, we discuss these challenges in developing MCPS, some of our work in addressing them, and several open research issue

    A method for rigorous design of reconfigurable systems

    Reconfigurability, understood as the ability of a system to behave differently in different modes of operation and commute between them along its lifetime, is a cross-cutting concern in modern Software Engineering. This paper introduces a specification method for reconfigurable software based on a global transition structure to capture the system's reconfiguration space, and a local specification of each operation mode in whatever logic (equational, first-order, partial, fuzzy, probabilistic, etc.) is found expressive enough for handling its requirements. In the method these two levels are not only made explicit and juxtaposed, but formally interrelated. The key to achieve such a goal is a systematic process of hybridisation of logics through which the relationship between the local and global levels of a specification becomes internalised in the logic itself. This work is financed by the ERDF – European Regional Development Fund through the Operational Programme for Competitiveness and Internationalisation – COMPETE 2020 Programme and by National Funds through the Portuguese funding agency, FCT – Fundação para a Ciência e a Tecnologia within projects POCI-01-0145-FEDER-016692 and UID/MAT/04106/2013. The first author is further supported by the BPD FCT Grant SFRH/BPD/103004/2014, and R. Neves is sponsored by FCT Grant SFRH/BD/52234/2013. M.A. Martins is also funded by the EU FP7 Marie Curie PIRSESGA-2012-318986 project GeTFun: Generalizing Truth-Functionality

    Model-Based Analysis of User Behaviors in Medical Cyber-Physical Systems

    Human operators play a critical role in various Cyber-Physical System (CPS) domains, for example, transportation, smart living, robotics, and medicine. The rapid advancement of automation technology is driving a trend towards deep human-automation cooperation in many safety-critical applications, making it important to explicitly consider user behaviors throughout the system development cycle. While past research has generated extensive knowledge and techniques for analyzing human-automation interaction, in many emerging applications, it remains an open challenge to develop quantitative models of user behaviors that can be directly incorporated into the system-level analysis. This dissertation describes methods for modeling different types of user behaviors in medical CPS and integrating the behavioral models into system analysis. We make three main contributions. First, we design a model-based analysis framework to evaluate, improve, and formally verify the robustness of generic (i.e., non-personalized) user behaviors that are typically driven by rule-based clinical protocols. We conceptualize a data-driven technique to predict safety-critical events at run-time in the presence of possible time-varying process disturbances. Second, we develop a methodology to systematically identify behavior variables and functional relationships in healthcare applications. We build personalized behavior models and analyze population-level behavioral patterns. Third, we propose a sequential decision filtering technique by leveraging a generic parameter-invariant test to validate behavior information that may be measured through unreliable channels, which is a practical challenge in many human-in-the-loop applications. A unique strength of this validation technique is that it achieves high inter-subject consistency despite uncertain parametric variances in the physiological processes, without needing any individual-level tuning. 
We validate the proposed approaches by applying them to several case studies

    A Generic User Interface Architecture for Analyzing Use Hazards in Infusion Pump Software

    This paper presents a generic infusion pump user interface (GIP-UI) architecture that intends to capture the common characteristics and functionalities of interactive software incorporated in broad classes of infusion pumps. It is designed to facilitate the identification of use hazards and their causes in infusion pump designs. This architecture constitutes our first effort at establishing a model-based risk analysis methodology that helps manufacturers identify and mitigate use hazards in their products at early stages of the development life-cycle. The applicability of the GIP-UI architecture has been confirmed in a hazard analysis focusing on the number entry software of existing infusion pumps, in which the GIP-UI architecture is used to identify a substantial set of user interface design errors that may contribute to use hazards found in infusion pump incidents

    Evidence-based Development of Trustworthy Mobile Medical Apps

    Widespread adoption of smartphone based Mobile Medical Apps (MMAs) is opening new avenues for innovation, bringing MMAs to the forefront of low cost healthcare delivery. These apps often control human physiology and work on sensitive data. Thus it is necessary to have evidences of their trustworthiness, i.e. maintaining privacy of health data, long term operation of wearable sensors and ensuring no harm to the user before actual marketing. Traditionally, clinical studies are used to validate the trustworthiness of medical systems. However, they can take a long time and could potentially harm the user. Such evidences can be generated using simulations and mathematical analysis. These methods involve estimating the MMA interactions with human physiology. However, the nonlinear nature of human physiology makes the estimation challenging. This research analyzes and develops MMA software while considering its interactions with human physiology to assure trustworthiness. A novel app development methodology is used to objectively evaluate trustworthiness of a MMA by generating evidences using automatic techniques. It involves developing the Health-Dev β tool to generate a) evidences of trustworthiness of MMAs and b) requirements assured code generation for vulnerable components of the MMA without hindering the app development process. In this method, all requests from MMAs pass through a trustworthy entity, Trustworthy Data Manager, which checks if the app request satisfies the MMA requirements. This method is intended to expedite the design to marketing process of MMAs. The objectives of this research are to develop models, tools and theory for evidence generation and can be divided into the following themes:
    • Sustainable design configuration estimation of MMAs: Developing an optimization framework which can generate sustainable and safe sensor configuration while considering interactions of the MMA with the environment.
    • Evidence generation using simulation and formal methods: Developing models and tools to verify safety properties of the MMA design to ensure no harm to the human physiology.
    • Automatic code generation for MMAs: Investigating methods for automatically generating trustworthy software for vulnerable components of a MMA and evidences.
    • Performance analysis of trustworthy data manager: Evaluating response time performance of trustworthy data manager under interactions from non-MMA smartphone apps.
    Dissertation/Thesis. Doctoral Dissertation, Computer Science 201

    Managing diabetes in preschool children

    This article is a new chapter in the ISPAD Clinical Practice Consensus Guidelines Compendium. The complete set of guidelines can be found for free download at www.ispad.org. The evidence grading system used in the ISPAD Guidelines is the same as that used by the American Diabetes Association

    A cluster randomised trial, cost-effectiveness analysis and psychosocial evaluation of insulin pump therapy compared with multiple injections during flexible intensive insulin therapy for type 1 diabetes: the REPOSE Trial.

    BACKGROUND: Insulin is generally administered to people with type 1 diabetes mellitus (T1DM) using multiple daily injections (MDIs), but can also be delivered using infusion pumps. In the UK, pumps are recommended for patients with the greatest need and adult use is less than in comparable countries. Previous trials have been small, of short duration and have failed to control for training in insulin adjustment. OBJECTIVE: To assess the clinical effectiveness and cost-effectiveness of pump therapy compared with MDI for adults with T1DM, with both groups receiving equivalent structured training in flexible insulin therapy. DESIGN: Pragmatic, multicentre, open-label, parallel-group cluster randomised controlled trial, including economic and psychosocial evaluations. After participants were assigned a group training course, courses were randomly allocated in pairs to either pump or MDI. SETTING: Eight secondary care diabetes centres in the UK. PARTICIPANTS: Adults with T1DM for > 12 months, willing to undertake intensive insulin therapy, with no preference for pump or MDI, or a clinical indication for pumps. INTERVENTIONS: Pump or MDI structured training in flexible insulin therapy, followed up for 2 years. MDI participants used insulin analogues. Pump participants used a Medtronic Paradigm® Veo™ (Medtronic, Watford, UK) with insulin aspart (NovoRapid, Novo Nordisk, Gatwick, UK). MAIN OUTCOME MEASURES: Primary outcome - change in glycated haemoglobin (HbA1c) at 2 years in participants whose baseline HbA1c was ≥ 7.5% (58 mmol/mol). Key secondary outcome - proportion of participants with HbA1c ≤ 7.5% at 2 years. 
Other outcomes at 6, 12 and 24 months - moderate and severe hypoglycaemia; insulin dose; body weight; proteinuria; diabetic ketoacidosis; quality of life (QoL); fear of hypoglycaemia; treatment satisfaction; emotional well-being; qualitative interviews with participants and staff (2 weeks), and participants (6 months); and ICERs in trial and modelled estimates of cost-effectiveness. RESULTS: We randomised 46 courses comprising 317 participants: 267 attended a Dose Adjustment For Normal Eating course (132 pump; 135 MDI); 260 were included in the intention-to-treat analysis, of which 235 (119 pump; 116 MDI) had baseline HbA1c of ≥ 7.5%. HbA1c and severe hypoglycaemia improved in both groups. The drop in HbA1c% at 2 years was 0.85 on pump and 0.42 on MDI. The mean difference (MD) in HbA1c change at 2 years, at which the baseline HbA1c was ≥ 7.5%, was -0.24% [95% confidence interval (CI) -0.53% to 0.05%] in favour of the pump (p = 0.098). The per-protocol analysis showed a MD in change of -0.36% (95% CI -0.64% to -0.07%) favouring pumps (p = 0.015). Pumps were not cost-effective in the base case and all of the sensitivity analyses. The pump group had greater improvement in diabetes-specific QoL diet restrictions, daily hassle plus treatment satisfaction, statistically significant at 12 and 24 months and supported by qualitative interviews. LIMITATION: Blinding of pump therapy was not possible, although an objective primary outcome was used. CONCLUSION: Adding pump therapy to structured training in flexible insulin therapy did not significantly enhance glycaemic control or psychosocial outcomes in adults with T1DM. RESEARCH PRIORITY: To understand why few patients achieve a HbA1c of < 7.5%, particularly as glycaemic control is worse in the UK than in other European countries. TRIAL REGISTRATION: Current Controlled Trials ISRCTN61215213. 
FUNDING: This project was funded by the National Institute for Health Research (NIHR) Health Technology Assessment programme and will be published in full in Health Technology Assessment; Vol. 21, No. 20. See the NIHR Journals Library website for further project information

    The Safety Challenges of Deep Learning in Real-World Type 1 Diabetes Management

    Blood glucose simulation allows the effectiveness of type 1 diabetes (T1D) management strategies to be evaluated without patient harm. Deep learning algorithms provide a promising avenue for extending simulator capabilities; however, these algorithms are limited in that they do not necessarily learn physiologically correct glucose dynamics and can learn incorrect and potentially dangerous relationships from confounders in training data. This is likely to be more important in real-world scenarios, as data is not collected under strict research protocol. This work explores the implications of using deep learning algorithms trained on real-world data to model glucose dynamics. Free-living data was processed from the OpenAPS Data Commons and supplemented with patient-reported tags of challenging diabetes events, constituting one of the most detailed real-world T1D datasets. This dataset was used to train and evaluate state-of-the-art glucose simulators, comparing their prediction error across safety critical scenarios and assessing the physiological appropriateness of the learned dynamics using Shapley Additive Explanations (SHAP). While deep learning prediction accuracy surpassed the widely-used mathematical simulator approach, the model deteriorated in safety critical scenarios and struggled to leverage self-reported meal and exercise information. SHAP value analysis also indicated the model had fundamentally confused the roles of insulin and carbohydrates, which is one of the most basic T1D management principles. This work highlights the importance of considering physiological appropriateness when using deep learning to model real-world systems in T1D and healthcare more broadly, and provides recommendations for building models that are robust to real-world data constraints. Comment: 15 pages, 3 figure