From Verified Models to Verified Code for Safe Medical Devices

Medical devices play an essential role in the care of patients around the world, and can have a life-saving effect. An emerging category of autonomous medical devices like implantable pacemakers and implantable cardioverter defibrillators (ICD) diagnose conditions of the patient and autonomously deliver therapies. Without trained professionals in the loop, the software component of autonomous medical devices is responsible for making critical therapeutic decisions, which pose a new set of challenges to guarantee patient safety. As regulation effort to guarantee patient safety, device manufacturers are required to submit evidence for the safety and efficacy of the medical devices before they can be released to the market. Due to the closed-loop interaction between the device and the patient, the safety and efficacy of autonomous medical devices must ultimately be evaluated within their physiological context. Currently the primary closed-loop validation of medical devices is in form of clinical trials, in which the devices are evaluated on real patients. Clinical trials are expensive and expose the patients to risks associated with untested devices. Clinical trials are also conducted after device development, therefore issues found during clinical trials are expensive to fix. There is urgent need for closed-loop validation of autonomous medical devices before the devices are used in clinical trials. In this thesis, I used implantable cardiac devices to demonstrate the applications of model-based approaches during and after device development to provide confidence towards the safety and efficacy of the devices. A heart model structure is developed to mimic the electrical behaviors of the heart in various heart conditions. The heart models created with the model structure are capable of interacting with implantable cardiac devices in closed-loop and can provide physiological interpretations for a large variety of heart conditions. With the heart models, I demonstrated that closed-loop model checking is capable of identifying known and unknown safety violations within the pacemaker design. More importantly, I developed a framework to choose the most appropriate heart models to cover physiological conditions that the pacemaker may encounter, and provide physiological context to counter-examples returned by the model checker. A model translation tool UPP2SF is then developed to translate the pacemaker design in UPPAAL to Stateflow, and automatically generated to C code. The automated and rigorous translation ensures that the properties verified during model checking still hold in the implementation, which justifies the model checking effort. Finally, the devices are evaluated with a virtual patient cohort consists of a large number of heart models before evaluated in clinical trials. These in-silico pre-clinical trials provide useful insights which can be used to increase the success rate of a clinical trial. The work in this dissertation demonstrated the importance and challenges to represent physiological behaviors during closed-loop validation of autonomous medical devices, and demonstrated the capability of model-based approaches to provide safety and efficacy evidence during and after device development

Fujaba days 2009 : proceedings of the 7th international Fujaba days, Eindhoven University of Technology, the Netherlands, November 16-17, 2009

Fujaba is an Open Source UML CASE tool project started at the software engineering group of Paderborn University in 1997. In 2002 Fujaba has been redesigned and became the Fujaba Tool Suite with a plug-in architecture allowing developers to add functionality easily while retaining full control over their contributions. Multiple Application Domains Fujaba followed the model-driven development philosophy right from its beginning in 1997. At the early days, Fujaba had a special focus on code generation from UML diagrams resulting in a visual programming language with a special emphasis on object structure manipulating rules. Today, at least six rather independent tool versions are under development in Paderborn, Kassel, and Darmstadt for supporting (1) reengineering, (2) embedded real-time systems, (3) education, (4) specification of distributed control systems, (5) integration with the ECLIPSE platform, and (6) MOF-based integration of system (re-) engineering tools. International Community According to our knowledge, quite a number of research groups have also chosen Fujaba as a platform for UML and MDA related research activities. In addition, quite a number of Fujaba users send requests for more functionality and extensions. Therefore, the 7th International Fujaba Days aimed at bringing together Fujaba developers and Fujaba users from all over the world to present their ideas and projects and to discuss them with each other and with the Fujaba core development team

Tackling Dierent Business Process Perspectives

Business Process Management (BPM) has emerged as a discipline to design, control, analyze, and optimize business operations. Conceptual models lie at the core of BPM. In particular, business process models have been taken up by organizations as a means to describe the main activities that are performed to achieve a specific business goal. Process models generally cover different perspectives that underlie separate yet interrelated representations for analyzing and presenting process information. Being primarily driven by process improvement objectives, traditional business process modeling languages focus on capturing the control flow perspective of business processes, that is, the temporal and logical coordination of activities. Such approaches are usually characterized as \u201cactivity-centric\u201d. Nowadays, activity-centric process modeling languages, such as the Business Process Model and Notation (BPMN) standard, are still the most used in practice and benefit from industrial tool support. Nevertheless, evidence shows that such process modeling languages still lack of support for modeling non-control-flow perspectives, such as the temporal, informational, and decision perspectives, among others. This thesis centres on the BPMN standard and addresses the modeling the temporal, informational, and decision perspectives of process models, with particular attention to processes enacted in healthcare domains. Despite being partially interrelated, the main contributions of this thesis may be partitioned according to the modeling perspective they concern. The temporal perspective deals with the specification, management, and formal verification of temporal constraints. In this thesis, we address the specification and run-time management of temporal constraints in BPMN, by taking advantage of process modularity and of event handling mechanisms included in the standard. Then, we propose three different mappings from BPMN to formal models, to validate the behavior of the proposed process models and to check whether they are dynamically controllable. The informational perspective represents the information entities consumed, produced or manipulated by a process. This thesis focuses on the conceptual connection between processes and data, borrowing concepts from the database domain to enable the representation of which part of a database schema is accessed by a certain process activity. This novel conceptual view is then employed to detect potential data inconsistencies arising when the same data are accessed erroneously by different process activities. The decision perspective encompasses the modeling of the decision-making related to a process, considering where decisions are made in the process and how decision outcomes affect process execution. In this thesis, we investigate the use of the Decision Model and Notation (DMN) standard in conjunction with BPMN starting from a pattern-based approach to ease the derivation of DMN decision models from the data represented in BPMN processes. Besides, we propose a methodology that focuses on the integrated use of BPMN and DMN for modeling decision-intensive care pathways in a real-world application domain