
    Synthesis of Specifications and Refinement Maps for Real-Time Object Code Verification

    Formal verification methods have been shown to be very effective in finding corner-case bugs and ensuring the safety of embedded software systems. The use of formal verification requires a specification, which is typically a high-level mathematical model that defines the correct behavior of the system to be verified. However, embedded software requirements are typically described in natural language, and transforming these requirements into formal specifications is currently a big gap. While there is some work in this area, we proposed solutions to address this gap in the context of refinement-based verification, a class of formal methods that has been shown to be effective for embedded object code verification. The proposed approach also addresses both functional and timing requirements and has been demonstrated in the context of safety requirements for software control of infusion pumps. The next step in the verification process is to develop the refinement map, a mapping function that relates an implementation state (in this context, the state of the object code program to be verified) to the specification state. Constructing refinement maps requires deep understanding of and intuition about the specification and implementation, and it has proven very difficult to construct them manually. To overcome this obstacle, the construction of refinement maps should be automated. As a first step toward automation, we manually developed refinement maps for various safety properties concerning the software control operation of infusion pumps. In addition, we identified possible generic templates for the construction of refinement maps. Recently, procedures for synthesizing refinement maps for functional and timing specifications have been proposed. The proposed work develops a process that significantly increases the automation in the generation of these refinement maps. The refinement maps can then be used for refinement-based verification. This automation procedure has been successfully applied to the transformed safety requirements from the first part of our work. The approach is based on the identified generic refinement map templates, which can be extended in the future as applications require.

    Model-Based Analysis of User Behaviors in Medical Cyber-Physical Systems

    Human operators play a critical role in various Cyber-Physical System (CPS) domains, for example, transportation, smart living, robotics, and medicine. The rapid advancement of automation technology is driving a trend towards deep human-automation cooperation in many safety-critical applications, making it important to explicitly consider user behaviors throughout the system development cycle. While past research has generated extensive knowledge and techniques for analyzing human-automation interaction, in many emerging applications it remains an open challenge to develop quantitative models of user behaviors that can be directly incorporated into the system-level analysis. This dissertation describes methods for modeling different types of user behaviors in medical CPS and integrating the behavioral models into system analysis. We make three main contributions. First, we design a model-based analysis framework to evaluate, improve, and formally verify the robustness of generic (i.e., non-personalized) user behaviors that are typically driven by rule-based clinical protocols. We conceptualize a data-driven technique to predict safety-critical events at run-time in the presence of possible time-varying process disturbances. Second, we develop a methodology to systematically identify behavior variables and functional relationships in healthcare applications. We build personalized behavior models and analyze population-level behavioral patterns. Third, we propose a sequential decision filtering technique by leveraging a generic parameter-invariant test to validate behavior information that may be measured through unreliable channels, which is a practical challenge in many human-in-the-loop applications. A unique strength of this validation technique is that it achieves high inter-subject consistency despite uncertain parametric variances in the physiological processes, without needing any individual-level tuning. We validate the proposed approaches by applying them to several case studies.

    Evidence-based Development of Trustworthy Mobile Medical Apps

    Widespread adoption of smartphone-based Mobile Medical Apps (MMAs) is opening new avenues for innovation, bringing MMAs to the forefront of low-cost healthcare delivery. These apps often control human physiology and work on sensitive data. Thus it is necessary to have evidence of their trustworthiness, i.e. maintaining the privacy of health data, long-term operation of wearable sensors, and ensuring no harm to the user, before actual marketing. Traditionally, clinical studies are used to validate the trustworthiness of medical systems. However, they can take a long time and could potentially harm the user. Such evidence can instead be generated using simulations and mathematical analysis. These methods involve estimating the MMA's interactions with human physiology. However, the nonlinear nature of human physiology makes the estimation challenging. This research analyzes and develops MMA software while considering its interactions with human physiology to assure trustworthiness. A novel app development methodology is used to objectively evaluate the trustworthiness of an MMA by generating evidence using automatic techniques. It involves developing the Health-Dev β tool to generate a) evidence of trustworthiness of MMAs and b) requirements-assured generated code for vulnerable components of the MMA, without hindering the app development process. In this method, all requests from MMAs pass through a trustworthy entity, the Trustworthy Data Manager, which checks whether the app request satisfies the MMA requirements. This method is intended to expedite the design-to-marketing process of MMAs. The objective of this research is to develop models, tools and theory for evidence generation, and it can be divided into the following themes:
    • Sustainable design configuration estimation of MMAs: Developing an optimization framework which can generate a sustainable and safe sensor configuration while considering interactions of the MMA with the environment.
    • Evidence generation using simulation and formal methods: Developing models and tools to verify safety properties of the MMA design to ensure no harm to human physiology.
    • Automatic code generation for MMAs: Investigating methods for automatically generating trustworthy software, and evidence, for vulnerable components of an MMA.
    • Performance analysis of the Trustworthy Data Manager: Evaluating the response-time performance of the Trustworthy Data Manager under interactions from non-MMA smartphone apps.
    Dissertation/Thesis: Doctoral Dissertation, Computer Science, 201

    A Data-Driven Behavior Modeling and Analysis Framework for Diabetic Patients on Insulin Pumps

    About 30%-40% of Type 1 Diabetes (T1D) patients in the United States use insulin pumps. Current insulin infusion systems require users to manually input meal carb count and approve or modify the system-suggested meal insulin dose. Users can give correction insulin boluses at any time. Since meal carbohydrates and insulin are the two main driving forces of the glucose physiology, the user-specific eating and pump-using behavior has a great impact on the quality of glycemic control. In this paper, we propose an “Eat, Trust, and Correct” (ETC) framework to model the T1D insulin pump users’ behavior. We use machine learning techniques to analyze the user behavior from a clinical dataset that we collected on 55 T1D patients who use insulin pumps. We demonstrate the usefulness of the ETC behavior modeling framework by performing in silico experiments. To this end, we integrate the user behavior model with an individually parameterized glucose physiological model, and perform probabilistic model checking on the user-in-the-loop system. The experimental results show that switching behavior types can significantly improve a patient’s glycemic control outcomes. These analysis results can boost the effectiveness of T1D patient education and peer support

    Linking Abstract Analysis to Concrete Design: A Hierarchical Approach to Verify Medical CPS Safety

    Complex cyber-physical systems are typically hierarchically organized into multiple layers of abstraction in order to manage design complexity and provide verification tractability. Formal reasoning about such systems, therefore, necessarily involves the use of multiple modeling formalisms, verification paradigms, and concomitant tools, chosen as appropriate for the level of abstraction at which the analysis is performed. System properties verified using an abstract component specification in one paradigm must then be shown to logically follow from properties verified, possibly using a different paradigm, on a more concrete component description, if one is to claim that a particular component, when deployed in the overall system context, would still uphold the system properties. But, as component specifications at one layer get elaborated into more concrete component descriptions in the next, abstraction-induced differences come to the fore, which have to be reconciled in some meaningful way. In this paper, we present our approach for providing a logical glue to tie distinct verification paradigms together and reconcile the abstraction-induced differences, in order to verify safety properties of a medical cyber-physical system. While the specifics are particular to the case example at hand (a high-level abstraction of a safety-interlock system to stop drug infusion, along with a detailed design of a generic infusion pump), we believe the techniques are broadly applicable in similar situations for verifying complex cyber-physical system properties.

    The Safety Challenges of Deep Learning in Real-World Type 1 Diabetes Management

    Blood glucose simulation allows the effectiveness of type 1 diabetes (T1D) management strategies to be evaluated without patient harm. Deep learning algorithms provide a promising avenue for extending simulator capabilities; however, these algorithms are limited in that they do not necessarily learn physiologically correct glucose dynamics and can learn incorrect and potentially dangerous relationships from confounders in training data. This is likely to be more important in real-world scenarios, as data is not collected under a strict research protocol. This work explores the implications of using deep learning algorithms trained on real-world data to model glucose dynamics. Free-living data was processed from the OpenAPS Data Commons and supplemented with patient-reported tags of challenging diabetes events, constituting one of the most detailed real-world T1D datasets. This dataset was used to train and evaluate state-of-the-art glucose simulators, comparing their prediction error across safety-critical scenarios and assessing the physiological appropriateness of the learned dynamics using Shapley Additive Explanations (SHAP). While deep learning prediction accuracy surpassed the widely used mathematical simulator approach, the model deteriorated in safety-critical scenarios and struggled to leverage self-reported meal and exercise information. SHAP value analysis also indicated the model had fundamentally confused the roles of insulin and carbohydrates, which is one of the most basic T1D management principles. This work highlights the importance of considering physiological appropriateness when using deep learning to model real-world systems in T1D and healthcare more broadly, and provides recommendations for building models that are robust to real-world data constraints.
    Comment: 15 pages, 3 figures

    Improving Glycemic Control in the Acute Care Setting Through Nurse Education

    Patients with a primary or secondary diagnosis of diabetes present unique challenges during an inpatient hospital stay to treat an acute or chronic illness. Upon review of current hospital practice, an interprofessional team embarked on a performance improvement project to improve outcomes for the complex medical-surgical diabetic patient. The methods detailed herein—a comprehensive education plan, preceptorship and peer accountability, active engagement and support by the unit nursing leadership team, and interprofessional collaboration—offer strategies any organization can implement to positively impact diabetes care

    Safety Verification of SEITR Epidemic Model on Recombination HIV and Hepatitis B Virus using Taylor Model

    Human Immunodeficiency Virus (HIV) is the virus that causes AIDS (Acquired Immunodeficiency Syndrome); it attacks the immune system and there is no cure. When the immune system is weakened, the patient is prone to diseases such as Hepatitis B. To reduce the error in the computed number of individuals in each subpopulation, we use an interval approximation. One simulation method in which the variables are initially intervals is the Taylor model. The Taylor model can be used to verify that the number of people infected with HIV and Hepatitis B will not exceed the bound given by the specified unsafe set. It computes the set of states that are reached by the system over a certain period of time, given the initial conditions and parameters. The initial condition is divided into three scenarios; once the reachable set of states is computed, safety verification can be carried out. The safety verification of the three scenarios finds no reachable state in the unsafe set, so the results of all three scenarios are safe.

    Proof support for hybridised logics

    Master's dissertation in Informatics Engineering
    Formal methods are mathematical techniques used to certify safe systems. Such methods abound and have been successfully used in classical engineering domains, yet informatics is the exception. There, they are still immature and costly; furthermore, software engineers frequently view them with "fear". Thus, the use of formal methods is typically restricted to cases where they are essential. In other words, they are mostly used in the class of systems where safety is imperative, as the lack of it can lead to significant losses (material or human). We call such systems critical. The present is leading us to a future where critical systems are ubiquitous. Recent research in the Mondrian project emphasises the need for expressive logics to formally specify reconfigurable systems, i.e., systems capable of evolving in order to adapt to the different contexts induced by the dynamics of their surroundings. In the same project, theoretical foundations for the formal specification of reconfigurable systems were developed in a sound, generic, and systematic way, resorting for this to hybrid logics – their intrinsic properties make them natural candidates for such a job. From those foundations a methodology for specifying reconfigurable systems was built and proposed: instead of choosing a logic for the specification, build an ad-hoc hybrid one, taking into account the particular characteristics of each reconfigurable system to be specified. The purpose of this dissertation is to bring the proposed methodology into practice, by creating suitable tools for it, and by illustrating its application to relevant case studies.
    Formal methods are mathematical techniques used to certify reliable systems. Such methods are common and are used successfully in the classical engineering disciplines. However, informatics is the exception. In this field, formal methods are premature and relatively costly; furthermore, software engineers view these techniques with some apprehension. Thus, the use of formal methods is typically restricted to cases where they are absolutely essential. In other words, they are mostly used in the class of systems whose failures have the potential for tragedy, whether material or human; such systems are called critical. The present is leading us to a future in which critical systems are ubiquitous. Recent research in the Mondrian project emphasises the need for expressive logics to formally specify reconfigurable systems, i.e., systems that evolve in order to adapt to the different contexts induced by the dynamics of their surroundings. In the same project, theoretical foundations for the formal specification of reconfigurable systems were established in a sound, generic and systematic way, resorting for this to hybrid logics – their intrinsic properties make them natural candidates for the specification of reconfigurable systems. From these theories a methodology for specifying reconfigurable systems was derived and proposed: instead of choosing a logic for the specification, build another, ad-hoc hybrid one, taking into account the particular characteristics of each reconfigurable system to be specified. The purpose of this dissertation is to bring the proposed methodology into practice, by creating tools that support it and by illustrating its application to relevant case studies.