Methods and Formal Models for Healthcare Systems Management

A healthcare system is an organization of people, institutions, and resources that deliver healthcare services to meet the health needs of target populations. The size of the systems, the huge number of agents involved and their different expectations make the management of healthcare systems a tough task which could be alleviated through the use of technology. In this thesis, new methods and formal models for healthcare system management are presented. Particularly, the thesis is divided in two main parts: the first one has to do with the modeling and analysis in hospitals by the use of clinical pathways while the second one deals with the planning and scheduling of patients in the operation rooms.Regarding the modeling and analysis of healthcare systems, depending on different visions and expectations, the system can be treated from different perspectives called facets. In chapter 2, the formal definition and characterization of two facets are given: (1) facet of resource management and (2) handshake between clinical pathways facet. They are obtained by applying to Stochastic Well-formed Nets (colored Petri Nets) modeling the healthcare system a set of relaxations, abstraction and modifications. In the first facet the subclass of S4PR is obtained which is a characteristic model of the resource allocation systems while in the second facet Deterministically Synchronized Sequential Process (DSSP) are considered. Both nets (S4PR and DSSP) are formal subclasses of Petri Nets where net level techniques can be applied.In chapters 3 and 4, we will focus on the liveness of the DSSP systems resulting from the facet of communication between clinical pathways. These kinds of nets are composed by agents (modeling clinical pathways) cooperating in a distributed way by the asynchronous messaging passing through the buffers (modeling the communication channels). In particular two approaches have been proposed.The idea behind the first approach is to advance the buffer consumption to the first conflict transition in the agents. Considering healthcare systems modeled by a DSSP, this means that before a patient starts a clinical pathway, all required information must be available. Unfortunately, this pre-assignment method only works in some particular DSSP structures which are characterized. A more general approach (than buffer pre-assignment) for liveness enforcing in non-live DSSP is given in Chapter. 4. The approach is formalized on two levels: execution and control. The execution level uses the original DSSP structure while for the control level we compute a new net system called the control PN. This net system is obtained from the original DSSP and has a predefined type of structure. The control PN will evolve synchronously with the non-live DSSP ensuring that the deadlock states will not be reached. The states (marking) of the control PN will enable or disable some transitions in the original DSSP, while some transitions in the control PN should fire synchronously with some transitions of the original DSSP.The second part of the thesis deals with surgery scheduling of patients in a hospital department. The Operating Rooms (ORs) are one of the most expensive material resources in hospitals, being the bottleneck of surgical services. Moreover, the aging population together with the improvement in surgical techniques are producing an increase in the demand for surgeries. So, the optimal use of the ORs time is crucial inhealthcare service management. We focus on the planning and scheduling of patients in Spanish hospital departments considering its organizational structure particularities as well as the concerns and specifications of their doctors.In chapter 5, the scheduling of elective patients under ORs block booking is considered. The first criterion is to optimize the use of the OR, the second criterion is to prevent that the total available time in a block will be exceeded and the third criterion is to respect the preference order of the patient in the waiting list. Three different mathematical programming models for the scheduling of elective patients are proposed. These are combinatorial problems with high computational complexity, so three different heuristic solution methods are proposed and compared. The results show that a Mixed Integer Linear Programming (MILP) problem solved by Receding Horizon Strategy (RHS)obtains better scheduling in lowest time.Doctors using the MILP problem must fix an appropriate occupation rate for optimizing the use of the ORs but without exceeding the available time. This has two main problems: i) inexperienced doctors could find difficult to fix an appropriate occupation rate, and ii) the uncertain in the surgery durations (large standard deviation) could results in scheduling with an over/under utilization. In order to overcome these problems, a New Mixed-Integer Quadratic Constrained Programming (N-MIQCP) model is proposed. Considering some probabilistic concepts, quadratic constraints are included in N-MIQCP model to prevent the scheduling of blocks with a high risk of exceeding the available time. Two heuristic methods for solving the N-MIQCP problem are proposed and compared with other chance-constrained approaches in bibliography. The results conclude that the best schedulings are achieved using our Specific Heuristic Algorithm (SHA) due to similar occupation rates than using other approaches are obtained but our SHA respects much more the order of the patients in the waiting list.In chapter 6, a three steps approach is proposed for the combined scheduling of elective and urgent patients. In the first step, the elective patients are scheduled for a target Elective Surgery Time (EST) in the ORs, trying to respect the order of the patients on the waiting list. In the second one, the urgent patients are scheduled in the remaining time ensuring that an urgent patient does not wait more than 48 hours. Finally, in the third step, the surgeries assigned to each OR (elective and urgent) are sequenced in such a way that the maximum time that an emergency patient should wait is minimized. Considering realistic data, different policies of time reserved in the ORs for elective and urgent patients are evaluated. The results show that all ORs must be used to perform elective and urgent surgeries instead of reserving some ORs exclusively for one type of patient.Finally, in chapter 7 a software solution for surgery service management is given. A Decision Support System for elective surgery scheduling and a software tool called CIPLAN are proposed. The DSS use as core the SHA for the scheduling of elective patients, but it has other features related to the management of a surgery department. A software tool called CIPLAN which is based on the DSS is explained. The software tool has a friendly interface which has been developed in collaboration with doctors in the “Lozano Blesa” Hospital in Zaragoza. A real case study comparing the scheduling using the manual method with the scheduling obtained by using CIPLAN is discussed. The results show that 128.000 euros per year could be saved using CIPLAN in the mentioned hospital. Moreover, the use of the tool allows doctors to reduce the time spent in scheduling to use it medical tasks.<br /

Petri net controllers for Generalized Mutual Exclusion Constraints with floor operators

In this paper a special type of nonlinear marking specifications called stair generalized mutual exclusion constraints (stair-GMECs) is defined. A stair-GMEC can be represented by an inequality whose left-hand is a linear combination of floor functions. Stair-GMECs have higher modeling power than classical GMECs and can model legal marking sets that cannot be defined by OR–AND GMECs. We propose two algorithms to enforce a stair-GMEC as a closed-loop net, in which the control structure is composed by a residue counter, remainder counters, and duplicate transitions. We also show that the proposed control structure is maximally permissive since it prevents all and only the illegal trajectories of a plant net. This approach can be applied to both bounded and unbounded nets. Several examples are proposed to illustrate the approach

A branch and bound approach for the design of decentralized supervisors in Petri net models

The paper addresses the design of compact and maximally permissive decentralized supervisors for Petri nets, based on generalized mutual exclusion constraints. Decentralization constraints are formulated with respect to the net transitions, instructing each local supervisor to detect and disable transitions of its own control site only. A solution is characterized in terms of the states it allows and its feasibility is assessed by means of two separate tests, one checking the required behavioral properties (e.g., liveness, reversibility and controllability) of the induced reachability subgraph and the other ensuring the existence of a decentralized supervisor enforcing exactly the considered set of allowed states. The second test employs an integer linear programming formulation. Maximal permissivity is ensured by efficiently exploring the solution space using a branch and bound method that operates on the reachable states. Particular emphasis is posed on the obtainment of the controllability property, both in the structural and the behavioral interpretation

Obstructions in Security-Aware Business Processes

This Open Access book explores the dilemma-like stalemate between security and regulatory compliance in business processes on the one hand and business continuity and governance on the other. The growing number of regulations, e.g., on information security, data protection, or privacy, implemented in increasingly digitized businesses can have an obstructive effect on the automated execution of business processes. Such security-related obstructions can particularly occur when an access control-based implementation of regulations blocks the execution of business processes. By handling obstructions, security in business processes is supposed to be improved. For this, the book presents a framework that allows the comprehensive analysis, detection, and handling of obstructions in a security-sensitive way. Thereby, methods based on common organizational security policies, process models, and logs are proposed. The Petri net-based modeling and related semantic and language-based research, as well as the analysis of event data and machine learning methods finally lead to the development of algorithms and experiments that can detect and resolve obstructions and are reproducible with the provided software

Contributions to the deadlock problem in multithreaded software applications observed as Resource Allocation Systems

Desde el punto de vista de la competencia por recursos compartidos sucesivamente reutilizables, se dice que un sistema concurrente compuesto por procesos secuenciales está en situación de bloqueo si existe en él un conjunto de procesos que están indefinidamente esperando la liberación de ciertos recursos retenidos por miembros del mismo conjunto de procesos. En sistemas razonablemente complejos o distribuidos, establecer una política de asignación de recursos que sea libre de bloqueos puede ser un problema muy difícil de resolver de forma eficiente. En este sentido, los modelos formales, y particularmente las redes de Petri, se han ido afianzando como herramientas fructíferas que permiten abstraer el problema de asignación de recursos en este tipo de sistemas, con el fin de abordarlo analíticamente y proveer métodos eficientes para la correcta construcción o corrección de estos sistemas. En particular, la teoría estructural de redes de Petri se postula como un potente aliado para lidiar con el problema de la explosión de estados inherente a aquéllos. En este fértil contexto han florecido una serie de trabajos que defienden una propuesta metodológica de diseño orientada al estudio estructural y la correspondiente corrección física del problema de asignación de recursos en familias de sistemas muy significativas en determinados contextos de aplicación, como el de los Sistemas de Fabricación Flexible. Las clases de modelos de redes de Petri resultantes asumen ciertas restricciones, con significado físico en el contexto de aplicación para el que están destinadas, que alivian en buena medida la complejidad del problema. En la presente tesis, se intenta acercar ese tipo de aproximación metodológica al diseño de aplicaciones software multihilo libres de bloqueos. A tal efecto, se pone de manifiesto cómo aquellas restricciones procedentes del mundo de los Sistemas de Fabricación Flexible se muestran demasiado severas para aprehender la versatilidad inherente a los sistemas software en lo que respecta a la interacción de los procesos con los recursos compartidos. En particular, se han de resaltar dos necesidades de modelado fundamentales que obstaculizan la mera adopción de antiguas aproximaciones surgidas bajo el prisma de otros dominios: (1) la necesidad de soportar el anidamiento de bucles no desplegables en el interior de los procesos, y (2) la posible compartición de recursos no disponibles en el arranque del sistema pero que son creados o declarados por un proceso en ejecución. A resultas, se identifica una serie de requerimientos básicos para la definición de un tipo de modelos orientado al estudio de sistemas software multihilo y se presenta una clase de redes de Petri, llamada PC2R, que cumple dicha lista de requerimientos, manteniéndose a su vez respetuosa con la filosofía de diseño de anteriores subclases enfocadas a otros contextos de aplicación. Junto con la revisión e integración de anteriores resultados en el nuevo marco conceptual, se aborda el estudio de propiedades inherentes a los sistemas resultantes y su relación profunda con otros tipos de modelos, la confección de resultados y algoritmos eficientes para el análisis estructural de vivacidad en la nueva clase, así como la revisión y propuesta de métodos de resolución de los problemas de bloqueo adaptadas a las particularidades físicas del dominio de aplicación. Asimismo, se estudia la complejidad computacional de ciertas vertientes relacionadas con el problema de asignación de recursos en el nuevo contexto, así como la traslación de los resultados anteriormente mencionados sobre el dominio de la ingeniería de software multihilo, donde la nueva clase de redes permite afrontar problemas inabordables considerando el marco teórico y las herramientas suministradas para subclases anteriormente explotadas

On the decidability of problems in liveness of controlled Discrete Event Systems modeled by Petri Nets

A Discrete Event System (DES) is a discrete-state system, where the state changes at discrete-time instants due to the occurrence of events. Informally, a liveness property stipulates that a 'good thing' happens during the evolution of a system. Some examples of liveness properties include starvation freedom -- where the 'good thing' is the process making progress; termination -- in which the good thing is for an evolution to not run forever; and guaranteed service -- such as in resource allocation systems, when every request for resource is satisfied eventually. In this thesis, we consider supervisory policies for DESs that, when they exist, enforce a liveness property by appropriately disabling a subset of preventable events at certain states in the evolution of DES. One of the main contributions of this thesis is the development of a system-theoretic framework for the analysis of Liveness Enforcing Supervisory Policies (LESPs) for DESs. We model uncertainties in the forward- and feedback-path, and present necessary and sufficient conditions for the existence of Liveness Enforcing Supervisory Policies (LESPs) for a general model of DESs in this framework. The existence of an LESP reduces to the membership of the initial state to an appropriately defined set. The membership problem is undecidable. For characterizing decidable instances of this membership problem, we consider a modeling paradigm of DESs known as Petri Nets, which have applications in modeling concurrent systems, software design, manufacturing systems, etc. Petri Net (PN) models are inherently monotonic in the sense that if a transition (which loosely represents an event of the DES) can fire from a marking (a non-negative integer-valued vector that represents the state of the DES being modeled), then it can also fire from any larger marking. The monotonicity creates a possibility of representing an infinite-state system using what can be called a "finite basis" that can lead to decidability. However, we prove that several problems of our interest are still undecidable for arbitrary PN models. That is, informally, a general PN model is still too powerful for the analysis that we are interested in. Much of the thesis is devoted to the characterization of decidable instances of the existence of LESPs for arbitrary PN models within the system-theoretic framework introduced in the thesis. The philosophical implication of the results in this thesis is the existence of what can be called a "finite basis" of an infinite state system under supervision, on which the membership tests can be performed in finite time; hence resulting in the decidability of problems and finite-time termination of algorithms. The thesis discusses various scenarios where such a finite basis exists and how to find them

Basis marking representation of Petri net reachability spaces and its application to the reachability problem

In this paper a compact representation of the reachability graph of a Petri net is proposed. The transition set of a Petri net is partitioned into the subsets of explicit and implicit transitions, in such a way that the subnet induced by implicit transitions does not contain directed cycles. The firing of implicit transitions can be abstracted so that the reachability set of the net can be completely characterized by a subset of reachable markings called basis makings. We show that to determine a max-cardinality-T_I basis partition is an NPhard problem, but a max-set-T_I basis partition can be determined in polynomial time. The generalized version of the marking reachability problem in a Petri net can be solved by a practically efficient algorithm based on the basis reachability graph. Finally this approach is further extended to unbounded nets

Modeling and formal verification of probabilistic reconfigurable systems

In this thesis, we propose a new approach for formal modeling and verification of adaptive probabilistic systems. Dynamic reconfigurable systems are the trend of all future technological systems, such as flight control systems, vehicle electronic systems, and manufacturing systems. In order to meet user and environmental requirements, such a dynamic reconfigurable system has to actively adjust its configuration at run-time by modifying its components and connections, while changes are detected in the internal/external execution environment. On the other hand, these changes may violate the memory usage, the required energy and the concerned real-time constraints since the behavior of the system is unpredictable. It might also make the system's functions unavailable for some time and make potential harm to human life or large financial investments. Thus, updating a system with any new configuration requires that the post reconfigurable system fully satisfies the related constraints. We introduce GR-TNCES formalism for the optimal functional and temporal specification of probabilistic reconfigurable systems under resource constraints. It enables the optimal specification of a probabilistic, energetic and memory constraints of such a system. To formally verify the correctness and the safety of such a probabilistic system specification, and the non-violation of its properties, an automatic transformation from GR-TNCES models into PRISM models is introduced. Moreover, a new approach XCTL is also proposed to formally verify reconfigurable systems. It enables the formal certification of uncompleted and reconfigurable systems. A new version of the software ZIZO is also proposed to model, simulate and verify such GR-TNCES model. To prove its relevance, the latter was applied to case studies; it was used to model and simulate the behavior of an IPV4 protocol to prevent the energy and memory resources violation. It was also used to optimize energy consumption of an automotive skid conveyor.In dieser Arbeit wird ein neuer Ansatz zur formalen Modellierung und Verifikation dynamisch rekonfigurierbarer Systeme vorgestellt. Dynamische rekonfigurierbare Systeme sind in vielen aktuellen und zukünftigen Anwendungen, wie beispielsweise Flugsteuerungssystemen, Fahrzeugelektronik und Fertigungssysteme zu finden. Diese Systeme weisen ein probabilistisches, adaptives Verhalten auf. Um die Benutzer- und Umgebungsbedingungen kontinuierlich zu erfüllen, muss ein solches System seine Konfiguration zur Laufzeit aktiv anpassen, indem es seine Komponenten, Verbindungen zwischen Komponenten und seine Daten modifiziert (adaptiv), sobald Änderungen in der internen oder externen Ausführungsumgebung erkannt werden (probabilistisch). Diese Anpassungen dürfen Beschränkungen bei der Speichernutzung, der erforderlichen Energie und bestehende Echtzeitbedingungen nicht verletzen. Eine nicht geprüfte Rekonfiguration könnte dazu führen, dass die Funktionen des Systems für einige Zeit nicht verfügbar wären und potenziell menschliches Leben gefährdet würde oder großer finanzieller Schaden entstünde. Somit erfordert das Aktualisieren eines Systems mit einer neuen Konfiguration, dass das rekonfigurierte System die zugehörigen Beschränkungen vollständig einhält. Um dies zu überprüfen, wird in dieser Arbeit der GR-TNCES-Formalismus, eine Erweiterung von Petrinetzen, für die optimale funktionale und zeitliche Spezifikation probabilistischer rekonfigurierbarer Systeme unter Ressourcenbeschränkungen vorgeschlagen. Die entstehenden Modelle sollen über probabilistische model checking verifiziert werden. Dazu eignet sich die etablierte Software PRISM. Um die Verifikation zu ermöglichen wird in dieser Arbeit ein Verfahren zur Transformation von GR-TNCES-Modellen in PRISM-Modelle beschrieben. Eine neu eingeführte Logik (XCTL) erlaubt zudem die einfache Beschreibung der zu prüfenden Eigenschaften. Die genannten Schritte wurden in einer Softwareumgebung für den automatisierten Entwurf, die Simulation und die formale Verifikation (durch eine automatische Transformation nach PRISM) umgesetzt. Eine Fallstudie zeigt die Anwendung des Verfahren

Model-driven development of data intensive applications over cloud resources

The proliferation of sensors over the last years has generated large amounts of raw data, forming data streams that need to be processed. In many cases, cloud resources are used for such processing, exploiting their flexibility, but these sensor streaming applications often need to support operational and control actions that have real-time and low-latency requirements that go beyond the cost effective and flexible solutions supported by existing cloud frameworks, such as Apache Kafka, Apache Spark Streaming, or Map-Reduce Streams. In this paper, we describe a model-driven and stepwise refinement methodological approach for streaming applications executed over clouds. The central role is assigned to a set of Petri Net models for specifying functional and non-functional requirements. They support model reuse, and a way to combine formal analysis, simulation, and approximate computation of minimal and maximal boundaries of non-functional requirements when the problem is either mathematically or computationally intractable. We show how our proposal can assist developers in their design and implementation decisions from a performance perspective. Our methodology allows to conduct performance analysis: The methodology is intended for all the engineering process stages, and we can (i) analyse how it can be mapped onto cloud resources, and (ii) obtain key performance indicators, including throughput or economic cost, so that developers are assisted in their development tasks and in their decision taking. In order to illustrate our approach, we make use of the pipelined wavefront array