47 research outputs found

    Automated Closed-Loop Model Checking of Implantable Pacemakers using Abstraction Trees

    Autonomous medical devices such as implantable cardiac pacemakers are capable of diagnosing the patient condition and delivering therapy without human intervention. Their ability to autonomously affect the physiological state of the patient makes them safety-critical. Sufficient evidence for the safety and efficacy of the device software, which makes these autonomous decisions, should be provided before these devices can be released on the market. Formal methods like model checking can provide safety evidence that the devices can safely operate under a large variety of physiological conditions. The challenge is to develop physiological models that are general enough to cover the large variability of human physiology, and also expressive enough to provide physiological contexts to counter-examples returned by the model checker. In this paper, the authors develop a set of physiological abstraction rules that introduce physiological constraints to heart models. By applying these abstraction rules to an initial set of heart models, an abstraction tree is created. The root model covers all possible inputs to a pacemaker and derived models cover inputs from different heart conditions. If a counter-example is returned by the model checker, the abstraction tree is traversed so that the most concrete counter-example(s) with physiological contexts can be returned to the domain experts for validity check. The abstraction tree framework replaces the manual abstraction and refinement framework, which reduced the amount of domain knowledge required to perform closed-loop model checking. It encourages the use of model checking during the development of autonomous medical devices, and identifies safety risks earlier in the design process

    High-Confidence Medical Device Software Development

    The design of bug-free and safe medical device software is challenging, especially in complex implantable devices. This is due to the device's closed-loop interaction with the patient's organs, which are stochastic physical environments. The life-critical nature and the lack of existing industry standards to enforce software validation make this an ideal domain for exploring design automation challenges for integrated functional and formal modeling with closed-loop analysis. The primary goal of high-confidence medical device software is to guarantee the device will never drive the patient into an unsafe condition even though we do not have complete understanding of the physiological plant. There are two major differences between modeling physiology and modeling man-made systems: first, physiology is much more complex and less well-understood than man-made systems like cars and airplanes, and spans several scales from the molecular to the entire human body. Secondly, the variability between humans is orders of magnitude larger than that between two cars coming off the assembly line. Using the implantable cardiac pacemaker as an example of closed-loop device, and the heart as the organ to be modeled, we present several of the challenges and early results in model-based device validation. We begin with a detailed timed automata model of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. For closed-loop evaluation, a real-time Virtual Heart Model (VHM) has been developed to model the electrophysiological operation of the functioning and malfunctioning (i.e., during arrhythmia) hearts. By extracting the timing properties of the heart and pacemaker device, we present a methodology to construct timed-automata models for formal model checking and functional testing of the closed-loop system. The VHM's capability of generating clinically-relevant response has been validated for a variety of common arrhythmias.
Based on a set of requirements, we describe a framework of Abstraction Trees that allows for interactive and physiologically relevant closed-loop model checking and testing for basic pacemaker device operations such as maintaining the heart rate, atrial-ventricle synchrony and complex conditions such as avoiding pacemaker-mediated tachycardia. Through automatic model translation of abstract models to simulation-based testing and code generation for platform-level testing, this model-based design approach ensures the closed-loop safety properties are retained through the design toolchain and facilitates the development of verified software from verified models. This system is a step toward a validation and testing approach for medical cyber-physical systems with the patient-in-the-loop

    High-Level Analysis of the Impact of Soft-Faults in Cyberphysical Systems

    As digital systems grow in complexity and are used in a broader variety of safety-critical applications, there is an ever-increasing demand for assessing the dependability and safety of such systems, especially when subjected to hazardous environments. As a result, it is important to identify and correct any functional abnormalities and component faults as early as possible in order to minimize performance degradation and to avoid potential perilous situations. Existing techniques often lack the capacity to perform a comprehensive and exhaustive analysis on complex redundant architectures, leading to less than optimal risk evaluation. Hence, an early analysis of dependability of such safety-critical applications enables designers to develop systems that meet high dependability requirements. Existing techniques in the field often lack the capacity to perform full system analyses due to state-explosion limitations (such as transistor and gate-level analyses), or due to the time and monetary costs attached to them (such as simulation, emulation, and physical testing). In this work we develop a system-level methodology to model and analyze the effects of Single Event Upsets (SEUs) in cyberphysical system designs. The proposed methodology investigates the impacts of SEUs in the entire system model (fault tree level), including SEU propagation paths, logical masking of errors, vulnerability to specific events, and critical nodes. The methodology also provides insights on a system's weaknesses, such as the impact of each component to the system's vulnerability, as well as hidden sources of failure, such as latent faults. Moreover, the proposed methodology is able to identify and categorize the system's components in order of criticality, and to evaluate different approaches to the mitigation of such criticality (in the form of different configurations of TMR) in order to obtain the most efficient mitigation solution available.
The proposed methodology is also able to model and analyze system components individually (system component level), in order to more accurately estimate the component's vulnerability to SEUs. In this case, a more refined analysis of the component is conducted, which enables us to identify the source of the component's criticality. Thereafter, a second mitigation mechanic (internal to the component) takes place, in order to evaluate the gains and costs of applying different configurations of TMR to the component internally. Finally, our approach will draw a comparison between the results obtained at both levels of analysis in order to evaluate the most efficient way of improving the targeted system design

    Closed-Loop Quantitative Verification of Rate-Adaptive Pacemakers

    Rate-adaptive pacemakers are cardiac devices able to automatically adjust the pacing rate in patients with chronotropic incompetence, i.e. whose heart is unable to provide an adequate rate at increasing levels of physical, mental or emotional activity. These devices work by processing data from physiological sensors in order to detect the patient’s activity and update the pacing rate accordingly. Rate-adaptation parameters depend on many patient-specific factors, and effective personalisation of such treatments can only be achieved through extensive exercise testing, which is normally intolerable for a cardiac patient. In this work, we introduce a data-driven and model-based approach for the automated verification of rate-adaptive pacemakers and formal analysis of personalised treatments. To this purpose, we develop a novel dual-sensor pacemaker model where the adaptive rate is computed by blending information from an accelerometer, and a metabolic sensor based on the QT interval. Our approach enables personalisation through the estimation of heart model parameters from patient data (electrocardiogram), and closed-loop analysis through the online generation of synthetic, model-based QT intervals and acceleration signals. In addition to personalisation, we also support the derivation of models able to account for the varied characteristics of a virtual patient population, thus enabling safety verification of the device. To capture the probabilistic and non-linear dynamics of the heart, we define a probabilistic extension of timed I/O automata with data and employ statistical model checking for quantitative verification of rate modulation. We evaluate our rate-adaptive pacemaker design on three subjects and a pool of virtual patients, demonstrating the potential of our approach to provide rigorous, quantitative insights into the closed-loop behaviour of the device under different exercise levels and heart conditions

    Regulating Artificial Intelligence and Machine Learning-Enabled Medical Devices in Europe and the United Kingdom

    Recent achievements in respect of Artificial Intelligence (AI) open up opportunities for new tools to assist medical diagnosis and care delivery. However, the typical process for the development of AI is through repeated cycles of learning and implementation, something that poses challenges to our existing system of regulating medical devices. Product developers face tensions between the benefits of continuous improvement/deployment of algorithms and keeping products unchanged. The latter more easily facilitates collecting evidence for safety assurance processes but sacrifices optimisation of performance and adaptation to user needs gained through learning-implementation cycles. The challenge is how to balance potential benefits with the need to assure their safety. Governance and assurance processes are needed that can accommodate real-time or near-real-time machine learning. Such an approach is of great importance in healthcare and other fields of application. AI has stimulated an intense process of learning as this new technology embeds in application contexts. The process is not only about the application of AI in the real world but also about the institutional arrangements for its safe and dependable deployment, including regulatory experimentation involving new market pathways, monitoring and surveillance, and sandbox schemes. We review the key themes, challenges and potential solutions raised at two stakeholder workshops and highlight recent attempts to adapt the laws for AI-enabled medical devices (AIeMD) with a special focus on the regulatory proposals in the UK and internationally. The UK regulatory trajectory shows signs of alignment with the US thinking, and yet the European Union model is still the most closely aligned framework

    The Emergence of Successful Export Activities in Uruguay: Four Specific Cases

    This paper presents an analysis of four specific cases of the emergence of four successful export activities in Uruguay: computer software, wood products, caviar and sturgeon meat, and animal vaccines. Each of these specific cases examines how firms, associations and various governments at various levels have handled market crises and facilitated the supply of the public goods needed for each activity. The analysis of these specific cases also presents a description of the characteristics of the main actors in each line of activity, as well as the positive externalities they provide to emulators, especially the diffusion of export knowledge. For each area, an opposite case of a less successful activity is also presented (electronics, wine, frog meat and biotechnology, respectively), along with a section on policy implications. Keywords: Agriculture, Exports, Manufacturing, Services, Uruguay

    Internet of Things From Hype to Reality

    The Internet of Things (IoT) has gained significant mindshare, let alone attention, in academia and the industry especially over the past few years. The reasons behind this interest are the potential capabilities that IoT promises to offer. On the personal level, it paints a picture of a future world where all the things in our ambient environment are connected to the Internet and seamlessly communicate with each other to operate intelligently. The ultimate goal is to enable objects around us to efficiently sense our surroundings, inexpensively communicate, and ultimately create a better environment for us: one where everyday objects act based on what we need and like without explicit instructions