Cyber-Physical Modeling of Implantable Cardiac Medical Devices

The design of bug-free and safe medical device software is challenging, especially in complex implantable devices that control and actuate organs in unanticipated contexts. Safety recalls of pacemakers and implantable cardioverter defibrillators between 1990 and 2000 affected over 600,000 devices. Of these, 200,000 or 41%, were due to firmware issues and their effect continues to increase in frequency. There is currently no formal methodology or open experimental platform to test and verify the correct operation of medical device software within the closed-loop context of the patient. To this effect, a real-time Virtual Heart Model (VHM) has been developed to model the electrophysiological operation of the functioning and malfunctioning (i.e., during arrhythmia) heart. By extracting the timing properties of the heart and pacemaker device, we present a methodology to construct a timed-automata model for functional and formal testing and verification of the closed-loop system. The VHM\u27s capability of generating clinically-relevant response has been validated for a variety of common arrhythmias. Based on a set of requirements, we describe a closed-loop testing environment that allows for interactive and physiologically relevant model-based test generation for basic pacemaker device operations such as maintaining the heart rate, atrial-ventricle synchrony and complex conditions such as pacemaker-mediated tachycardia. This system is a step toward a testing and verification approach for medical cyber-physical systems with the patient-in-the-loop

High-Confidence Medical Device Software Development

The design of bug-free and safe medical device software is challenging, especially in complex implantable devices. This is due to the device\u27s closed-loop interaction with the patient\u27s organs, which are stochastic physical environments. The life-critical nature and the lack of existing industry standards to enforce software validation make this an ideal domain for exploring design automation challenges for integrated functional and formal modeling with closed-loop analysis. The primary goal of high-confidence medical device software is to guarantee the device will never drive the patient into an unsafe condition even though we do not have complete understanding of the physiological plant. There are two major differences between modeling physiology and modeling man-made systems: first, physiology is much more complex and less well-understood than man-made systems like cars and airplanes, and spans several scales from the molecular to the entire human body. Secondly, the variability between humans is orders of magnitude larger than that between two cars coming off the assembly line. Using the implantable cardiac pacemaker as an example of closed-loop device, and the heart as the organ to be modeled, we present several of the challenges and early results in model-based device validation. We begin with detailed timed automata model of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. For closed-loop evaluation, a real-time Virtual Heart Model (VHM) has been developed to model the electrophysiological operation of the functioning and malfunctioning (i.e., during arrhythmia) hearts. By extracting the timing properties of the heart and pacemaker device, we present a methodology to construct timed-automata models for formal model checking and functional testing of the closed-loop system. The VHM\u27s capability of generating clinically-relevant response has been validated for a variety of common arrhythmias. Based on a set of requirements, we describe a framework of Abstraction Trees that allows for interactive and physiologically relevant closed-loop model checking and testing for basic pacemaker device operations such as maintaining the heart rate, atrial-ventricle synchrony and complex conditions such as avoiding pacemaker-mediated tachycardia. Through automatic model translation of abstract models to simulation-based testing and code generation for platform-level testing, this model-based design approach ensures the closed-loop safety properties are retained through the design toolchain and facilitates the development of verified software from verified models. This system is a step toward a validation and testing approach for medical cyber-physical systems with the patient-in-the-loop

Automated Closed-Loop Model Checking of Implantable Pacemakers using Abstraction Trees

Autonomous medical devices such as implantable cardiac pacemakers are capable of diagnosing the patient condition and delivering therapy without human intervention. Their ability to autonomously affect the physiological state of the patient makes them safety-critical. Sufficient evidence for the safety and efficacy of the device software, which makes these autonomous decisions, should be provided before these devices can be released on the market. Formal methods like model checking can provide safety evidence that the devices can safely operate under a large variety of physiological conditions. The challenge is to develop physiological models that are general enough to cover the large variability of human physiology, and also expressive enough to provide physiological contexts to counter-examples returned by the model checker. In this paper, the authors develop a set of physiological abstraction rules that introduce physiological constraints to heart models. By applying these abstraction rules to a initial set of heart models, an abstraction tree is created. The root model covers all possible inputs to a pacemaker and derived models cover inputs from different heart conditions. If a counter-example is returned by the model checker, the abstraction tree is traversed so that the most concrete counter-example(s) with physiological contexts can be returned to the domain experts for validity check. The abstraction tree framework replaces the manual abstraction and refinement framework, which reduced the amount of domain knowledge required to perform closed-loop model checking. It encourages the use of model checking during the development of autonomous medical devices, and identifies safety risks earlier in the design process

From Verified Models to Verified Code for Safe Medical Devices

Medical devices play an essential role in the care of patients around the world, and can have a life-saving effect. An emerging category of autonomous medical devices like implantable pacemakers and implantable cardioverter defibrillators (ICD) diagnose conditions of the patient and autonomously deliver therapies. Without trained professionals in the loop, the software component of autonomous medical devices is responsible for making critical therapeutic decisions, which pose a new set of challenges to guarantee patient safety. As regulation effort to guarantee patient safety, device manufacturers are required to submit evidence for the safety and efficacy of the medical devices before they can be released to the market. Due to the closed-loop interaction between the device and the patient, the safety and efficacy of autonomous medical devices must ultimately be evaluated within their physiological context. Currently the primary closed-loop validation of medical devices is in form of clinical trials, in which the devices are evaluated on real patients. Clinical trials are expensive and expose the patients to risks associated with untested devices. Clinical trials are also conducted after device development, therefore issues found during clinical trials are expensive to fix. There is urgent need for closed-loop validation of autonomous medical devices before the devices are used in clinical trials. In this thesis, I used implantable cardiac devices to demonstrate the applications of model-based approaches during and after device development to provide confidence towards the safety and efficacy of the devices. A heart model structure is developed to mimic the electrical behaviors of the heart in various heart conditions. The heart models created with the model structure are capable of interacting with implantable cardiac devices in closed-loop and can provide physiological interpretations for a large variety of heart conditions. With the heart models, I demonstrated that closed-loop model checking is capable of identifying known and unknown safety violations within the pacemaker design. More importantly, I developed a framework to choose the most appropriate heart models to cover physiological conditions that the pacemaker may encounter, and provide physiological context to counter-examples returned by the model checker. A model translation tool UPP2SF is then developed to translate the pacemaker design in UPPAAL to Stateflow, and automatically generated to C code. The automated and rigorous translation ensures that the properties verified during model checking still hold in the implementation, which justifies the model checking effort. Finally, the devices are evaluated with a virtual patient cohort consists of a large number of heart models before evaluated in clinical trials. These in-silico pre-clinical trials provide useful insights which can be used to increase the success rate of a clinical trial. The work in this dissertation demonstrated the importance and challenges to represent physiological behaviors during closed-loop validation of autonomous medical devices, and demonstrated the capability of model-based approaches to provide safety and efficacy evidence during and after device development

The Tongue as an Excitable Medium

Geographic tongue (GT) is a benign condition affecting approximately 2% of the population, whereby the papillae covering the upper part of the tongue are lost due to a slowly expanding inflammation. The resultant dynamical appearance of the tongue has striking similarities with well known phenomena observed in excitable media, such as forest fires, cardiac dynamics and chemically-driven reaction-diffusion systems. Here we explore the dynamics associated with GT from a dynamical systems perspective, utilizing cellular automata simulations. We emphasize similarities with other excitable systems as well as unique features observed in GT. Our results shed light on the evolution of the inflammation and contribute to the classification of the severity of the condition, based on the characteristic patterns observed in GT patients

A Framework for Validation of Implantable Medical Devices

Designing bug-free medical device software is difficult, especially in complex implantable devices used for rhythm management of the cardiac or the neurological system. There is currently no formal methodology or open experimental platform to validate the correct operation of implantable medical device software. We describe our recent work on heart modeling for the validation and verification of artificial cardiac pacemakers. As we extend this platform to more complex devices such as cardioverter-defibrillators, there are several significant challenges in the modeling of biological systems and their patient-specific response to external stimulus. Our goal over the longer term is to explore the methodologies for experimental evaluation, modeling for validation and verification of implantable devices within the context of the underlying biological system. We present our early and promising results for simplified models and propose steps toward an integrated platform for validation of medical device systems

Technical Report on Formalisation of the Heart using Analysis of Conduction Time and Velocity of the Electrocardiography and Cellular-Automata

Formal methods based tools and techniques have been recognised to be a promising approach to support the process of verification and validation of a critical system in early stage of the development. Specially, medical devices are very prone to show an unexpected behavior of the system in operating due to stochastic nature of the system and when a system uses traditional methods for system testing. Device-related problems are responsible for a large number of serious injuries. FDA officials has found that many deaths and injuries related to the devices are caused by product design and engineering flaws. Cardiac pacemaker and implantable cardioverter-defibrillators (ICDs) are main critical medical devices, which require close-loop modeling (integration of system and environment modeling) for verification purpose to obtain a certificate from certification bodies. No any technique is available to provide an environment modeling to verify the developed system model. This report presents a methodology to model a biological system, like heart, for modeling a biological environment. The heart model is mainly based on electrocardiography analysis, which models the heart system at cellular level. Main objective of this methodology is to model the heart system and integrate with medical device model like cardiac pacemaker to specify a close-loop model. Close-loop model of an environment and a device is an open problem in real world. Industries are striving for such kind of approach from long time to validate a system model under a virtual biological environment. Our approach involves the pragmatic combination of formal specification of a system and a biological environment to model a close-loop system to verify the correctness of a system and helps in quality improvement of the system