Safety-Critical Medical Device Development Using the UPP2SF Model

Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent has come to determine the safety of the human being. For example, implantable cardiac pacemakers have over 80,000 lines of code which are responsible for maintaining the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools to generate verified code from verified software models. To this effect we have developed the UPP2SF model-translation tool, which facilitates automatic conversion of verified models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion, applicable to a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and then (c) automatically generated into modular code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF may be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems

From Verified Models to Verified Code for Safe Medical Devices

Medical devices play an essential role in the care of patients around the world, and can have a life-saving effect. An emerging category of autonomous medical devices like implantable pacemakers and implantable cardioverter defibrillators (ICD) diagnose conditions of the patient and autonomously deliver therapies. Without trained professionals in the loop, the software component of autonomous medical devices is responsible for making critical therapeutic decisions, which pose a new set of challenges to guarantee patient safety. As regulation effort to guarantee patient safety, device manufacturers are required to submit evidence for the safety and efficacy of the medical devices before they can be released to the market. Due to the closed-loop interaction between the device and the patient, the safety and efficacy of autonomous medical devices must ultimately be evaluated within their physiological context. Currently the primary closed-loop validation of medical devices is in form of clinical trials, in which the devices are evaluated on real patients. Clinical trials are expensive and expose the patients to risks associated with untested devices. Clinical trials are also conducted after device development, therefore issues found during clinical trials are expensive to fix. There is urgent need for closed-loop validation of autonomous medical devices before the devices are used in clinical trials. In this thesis, I used implantable cardiac devices to demonstrate the applications of model-based approaches during and after device development to provide confidence towards the safety and efficacy of the devices. A heart model structure is developed to mimic the electrical behaviors of the heart in various heart conditions. The heart models created with the model structure are capable of interacting with implantable cardiac devices in closed-loop and can provide physiological interpretations for a large variety of heart conditions. With the heart models, I demonstrated that closed-loop model checking is capable of identifying known and unknown safety violations within the pacemaker design. More importantly, I developed a framework to choose the most appropriate heart models to cover physiological conditions that the pacemaker may encounter, and provide physiological context to counter-examples returned by the model checker. A model translation tool UPP2SF is then developed to translate the pacemaker design in UPPAAL to Stateflow, and automatically generated to C code. The automated and rigorous translation ensures that the properties verified during model checking still hold in the implementation, which justifies the model checking effort. Finally, the devices are evaluated with a virtual patient cohort consists of a large number of heart models before evaluated in clinical trials. These in-silico pre-clinical trials provide useful insights which can be used to increase the success rate of a clinical trial. The work in this dissertation demonstrated the importance and challenges to represent physiological behaviors during closed-loop validation of autonomous medical devices, and demonstrated the capability of model-based approaches to provide safety and efficacy evidence during and after device development

From Verification to Implementation: A Model Translation Tool and a Pacemaker Case Study

Model-Driven Design (MDD) of cyber-physical systems advocates for design procedures that start with formal modeling of the real-time system, followed by the model’s verification at an early stage. The verified model must then be translated to a more detailed model for simulation-based testing and finally translated into executable code in a physical implementation. As later stages build on the same core model, it is essential that models used earlier in the pipeline are valid approximations of the more detailed models developed downstream. The focus of this effort is on the design and development of a model translation tool, UPP2SF, and how it integrates system modeling, verification, model-based WCET analysis, simulation, code generation and testing into an MDD based framework. UPP2SF facilitates automatic conversion of verified timed automata-based models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the design rules to ensure the conversion is correct, efficient and applicable to a large class of models. We show how the tool enables MDD of an implantable cardiac pacemaker. We demonstrate that UPP2SF preserves behaviors of the pacemaker model from UPPAAL to Stateflow. The resultant Stateflow chart is automatically converted into C and tested on a hardware platform for a set of requirements

High-Confidence Medical Device Software Development

The design of bug-free and safe medical device software is challenging, especially in complex implantable devices. This is due to the device\u27s closed-loop interaction with the patient\u27s organs, which are stochastic physical environments. The life-critical nature and the lack of existing industry standards to enforce software validation make this an ideal domain for exploring design automation challenges for integrated functional and formal modeling with closed-loop analysis. The primary goal of high-confidence medical device software is to guarantee the device will never drive the patient into an unsafe condition even though we do not have complete understanding of the physiological plant. There are two major differences between modeling physiology and modeling man-made systems: first, physiology is much more complex and less well-understood than man-made systems like cars and airplanes, and spans several scales from the molecular to the entire human body. Secondly, the variability between humans is orders of magnitude larger than that between two cars coming off the assembly line. Using the implantable cardiac pacemaker as an example of closed-loop device, and the heart as the organ to be modeled, we present several of the challenges and early results in model-based device validation. We begin with detailed timed automata model of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. For closed-loop evaluation, a real-time Virtual Heart Model (VHM) has been developed to model the electrophysiological operation of the functioning and malfunctioning (i.e., during arrhythmia) hearts. By extracting the timing properties of the heart and pacemaker device, we present a methodology to construct timed-automata models for formal model checking and functional testing of the closed-loop system. The VHM\u27s capability of generating clinically-relevant response has been validated for a variety of common arrhythmias. Based on a set of requirements, we describe a framework of Abstraction Trees that allows for interactive and physiologically relevant closed-loop model checking and testing for basic pacemaker device operations such as maintaining the heart rate, atrial-ventricle synchrony and complex conditions such as avoiding pacemaker-mediated tachycardia. Through automatic model translation of abstract models to simulation-based testing and code generation for platform-level testing, this model-based design approach ensures the closed-loop safety properties are retained through the design toolchain and facilitates the development of verified software from verified models. This system is a step toward a validation and testing approach for medical cyber-physical systems with the patient-in-the-loop

Extending a user interface prototyping tool with automatic MISRA~C code generation

We are concerned with systems, particularly safety-critical systems, that involve interaction between users and devices, such as the user interface of medical devices. We therefore developed a MISRA~C code generator for formal models expressed in the PVSio-web prototyping toolkit. PVSio-web allows developers to rapidly generate realistic interactive prototypes for verifying usability and safety requirements in human-machine interfaces. The visual appearance of the prototypes is based on a picture of a physical device, and the behaviour of the prototype is defined by an executable formal model. Our approach transforms the PVSio-web prototyping tool into a model-based engineering toolkit that, starting from a formally verified user interface design model, will produce MISRA~C code that can be compiled and executed for a final product. An initial validation of our tool is presented for the data entry system of an actual medical device

Heart-on-a-Chip: A Closed-loop Testing Platform for Implantable Pacemakers

Implantable cardiac pacemakers restore normal heart rhythm by delivering external electrical pacing to the heart. The pacemaker software is life-critical as the timing of the pulses determine its ability to control the heart rate. Recalls due to software issues have been on the rise with the increasing complexity of pacing algorithms. Open-loop testing remains the primary approach to evaluate the safety of pacemaker software. While this tests how the pacemaker responds to stimulus, it cannot reveal pacemaker malfunctions which drive the heart into an unsafe state over multiple cycles. To evaluate the safety and efficacy of pacemaker software we have developed a heart model to generate different heart conditions and interact with real pacemakers. In this paper, we introduce the closed-loop testing platform which consists of a programmable hardware implementation of the heart that can interact with a commercial pacemaker in closed-loop. The heart-on-a-chip implementation is automatically generated from the Virtual Heart Model in Simulink which models different heart conditions. We describe a case study of Endless Loop Tachycardia to demonstrate potential closed-loop pacemaker malfunctions which inappropriately increase the heart rate. The test platform is part of our model-based design framework for verification and testing of medical devices with the patient--in-the-loop

From stateflow simulation to verified implementation: A verification approach and a real-time train controller design

Simulink is widely used for model driven development (MDD) of industrial software systems. Typically, the Simulink based development is initiated from Stateflow modeling, followed by simulation, validation and code generation mapped to physical execution platforms. However, recent industrial trends have raised the demands of rigorous verification on safety-critical applications, which is unfortunately challenging for Simulink. In this paper, we present an approach to bridge the Stateflow based model driven development and a well- defined rigorous verification. First, we develop a self- contained toolkit to translate Stateflow model into timed automata, where major advanced modeling features in Stateflow are supported. Taking advantage of the strong verification capability of Uppaal, we can not only find bugs in Stateflow models which are missed by Simulink Design Verifier, but also check more important temporal properties. Next, we customize a runtime verifier for the generated nonintrusive VHDL and C code of Stateflow model for monitoring. The major strength of the customization is the flexibility to collect and analyze runtime properties with a pure software monitor, which opens more opportunities for engineers to achieve high reliability of the target system compared with the traditional act that only relies on Simulink Polyspace. We incorporate these two parts into original Stateflow based MDD seamlessly. In this way, safety-critical properties are both verified at the model level, and at the consistent system implementation level with physical execution environment in consideration. We apply our approach on a train controller design, and the verified implementation is tested and deployed on a real hardware platform

Verifying Timed LTL Properties Using Simulink Design Verifier

RÉSUMÉ Les logiciels jouent un rôle de plus en plus important dans les systèmes embarqués notamment dans les domaines de la santé, de l’automobile et de l’avionique. Un objectif important du génie logiciel est d’offrir, aux développeurs, un support ainsi que les outils d’aide à la conception de systèmes fiables nonobstant leur complexité. Dans le but d’atteindre cet objectif, des environnements de développement comme Simulink et SCADE proposent un processus de développement, basé sur des modèles, qui intègre, d’une manière réfléchie, différentes approches et outils de vérification (test, simulation, vérification formelle, évaluation, génération de code, etc). Ils permettent ainsi de concevoir, tester, simuler, vérifier, corriger des modèles puis de générer automatiquement du code à partir de ces modèles. Cette thèse s’intéresse aux méthodes formelles et à l’intégration de celles-ci dans l’environnement de développement Simulink. Les méthodes formelles s’appuient sur des outils mathématiques pour spécifier, par des modèles, le comportement et les propriétés d’un système et prouver qu’il satisfait ses requis. Simulink-Design-Verifier (SLDV) est un outil de vérification formelle, intégré à l’environnement de développement Simulink, qui permet de vérifier des propriétés de sûreté (assertions) sur des modèles Simulink. Cette thèse vise à étendre cette classe de propriétés à des propriétés linéaires LTL (Linear Temporal Logic), LTL temporisé et LTL à base d’événements. Les contributions de cette thèse sont présentées sous forme de trois articles. Le premier article présente une étude de cas qui a permis d’expérimenter l’environnement de développement Simulink, d’identifier ses caractéristiques et ses limitations. Il s’agit de modéliser et vérifier un dispositif médical appelé sonde d’intubation. Une sonde d’intubation est une tubulure mise en place sur un sujet inconscient qui permet notamment d’assurer en permanence le passage de l’air vers les poumons. Ce système est composé de deux ballonnets, deux robinets d’accès pour gonflage manuel, deux capteurs de pression, un distributeur de puissance, une pompe et un réservoir d’air. Tous ces composants sont concurrents et contrôlés par contrôleur programmable décrit par un grafcet. Cet article montre comment utiliser l’environnement Simulink pour, d’une part, modéliser ces différents composants ainsi que leurs interactions, et d’autre part, vérifier formellement des propriétés, afin de s’assurer du bon fonctionnement du système. Cependant, la spécification de certaines propriétés temporelles n’est pas évidente car elles doivent être exprimées sous forme d’assertions. Les articles suivants proposent des blocks canevas pour des propriétés temporelles linéaires. Le deuxième article est une version améliorée et étendue du premier article. Il s’est intéressé à réduire la complexité de vérification en modifiant significative le modèle et en proposant des blocks de spécification de propriétés linéaires basées sur les événements émis par le contrôleur. Le troisième article est dédié à la spécification de propriétés LTL en utilisant SLDV. Il propose des blocs Simulink configurables qui spécifient ces propriétés. Le but de ces blocs est de transformer les propriétés en assertions qui sont vérifiables par SLDV. La solution proposée dans le seconde et troisième article, est donc une extension de la bibliothèque de blocs de Simulink qui permet aux utilisateurs moins experts de spécifier et vérifier certaines propriétés LTL. Ce travail est donc limité aux propriétés LTL à temps discret, et restreint à certaines propriétés LTL. Nos travaux futurs consisteraient à l’extension de la bibliothèque de blocs de Simulink pour supporter des propriétés LTL plus complexes et à plus grande échelle.----------ABSTRACT Software plays increasingly a significant role in embedded systems particularly used in healthcare, automotive and avionics. An important goal of software engineering is to offer developers support tools to design reliable systems despite the system complexity. In order to achieve this, development environments like Simulink and SCADE propose a model-based development process, which integrates in a thoughtful way, different approaches and verification tools (test, simulation, formal verification, evaluation, code generation, etc.). They allow to design, test, simulate, verify, correct the models and then automatically generate code from these models. This thesis is interested in formal methods and integrating them in the Simulink development environment. Formal methods are based on mathematical tools to specify the behavior and properties of a system by models, and prove, if it meets its requirements. Simulink Design Verifier (SLDV) is a formal verification tool, integrated in Simulink development environment, to verify safety properties (assertions) on Simulink models. This thesis aims to extend this class of properties to linear properties LTL (Linear Temporal Logic), timed LTL and event based LTL. The contributions of this thesis are presented in three articles. The first article presents a case study that experiment the Simulink development environment, to identify its characteristics and limitations. It consists of modeling and verifying a medical device called intubation tube. An intubation tube is a tube that assures permanent air flow to the lungs of unconscious person. This system consists of two balloons, two access valves for manual inflation, two pressure sensors, a power distributor, a pump and an air reservoir. All these components work in parallel and are controlled by a programmable controller described by grafcet. This article shows how to use the Simulink environment, to model these components and also how to verify formally the properties to ensure the system is well functioning. However, the specification of certain temporal properties is not obvious because they must be expressed as assertions. The following articles propose canvas blocks for linear temporal properties. The second article is an improved and extended version of the first article. It is interested in reducing verification complexity by changing significantly the model, and proposing specification blocks of linear properties, based on events issued by the controller. The third article is dedicated to the specification of LTL properties using SLDV. It proposes configurable Simulink blocks that specify these properties. The purpose of these blocks is to transform the properties into assertions that are verifiable by SLDV. The solution proposed in the second and third articles, is to extend the block library of Similink, which allows less-expert users to specify and verify some Linear Temporal Logic (LTL) properties. This work is limited to discrete time LTL properties, and restricted to specify some LTL properties. Our future work is devoted to extend the block library of Simulink to have support for a large scale and more complex LTL properties