Model-Based Analysis of User Behaviors in Medical Cyber-Physical Systems

Human operators play a critical role in various Cyber-Physical System (CPS) domains, for example, transportation, smart living, robotics, and medicine. The rapid advancement of automation technology is driving a trend towards deep human-automation cooperation in many safety-critical applications, making it important to explicitly consider user behaviors throughout the system development cycle. While past research has generated extensive knowledge and techniques for analyzing human-automation interaction, in many emerging applications, it remains an open challenge to develop quantitative models of user behaviors that can be directly incorporated into the system-level analysis. This dissertation describes methods for modeling different types of user behaviors in medical CPS and integrating the behavioral models into system analysis. We make three main contributions. First, we design a model-based analysis framework to evaluate, improve, and formally verify the robustness of generic (i.e., non-personalized) user behaviors that are typically driven by rule-based clinical protocols. We conceptualize a data-driven technique to predict safety-critical events at run-time in the presence of possible time-varying process disturbances. Second, we develop a methodology to systematically identify behavior variables and functional relationships in healthcare applications. We build personalized behavior models and analyze population-level behavioral patterns. Third, we propose a sequential decision filtering technique by leveraging a generic parameter-invariant test to validate behavior information that may be measured through unreliable channels, which is a practical challenge in many human-in-the-loop applications. A unique strength of this validation technique is that it achieves high inter-subject consistency despite uncertain parametric variances in the physiological processes, without needing any individual-level tuning. We validate the proposed approaches by applying them to several case studies

The MIDdleware Assurance Substrate: Enabling Strong Real-Time Guarantees in Open Systems With OpenFlow

Middleware designed for use in Distributed Real-Time and Embedded (DRE) systems enable cost and development time reductions by providing simple communications abstractions and hiding operating system-level networking API details from developers. While current middleware technologies can hide many low-level details, designers must provide a static configuration for the system’s underlying network in order to achieve required performance characteristics. This has not been a problem for many types of DRE systems where the configuration of the system is relatively fixed from the factory (e.g., aircraft or naval vessels). However for truly open systems (i.e., systems where end users can add or subtract components at runtime) the standard static network configuration approach cannot guarantee that required performance will be met because network resource demands are not fully known a priori. Open systems with stringent performance requirements need middleware that can dynamically manage the underlying network configuration automatically in response to changing demands. Fortunately, recent trends in networking have resulted in a wide variety of networking equipment that expose a standardized low-level interface to their configuration via the OpenFlow protocol. In this paper we discuss how OpenFlow can be leveraged by DRE middleware to automatically provide performance guarantees. In order to make the discussion concrete, we describe the architecture of our prototype middleware MIDAS as well as the details of one example network resource management strategy. We demonstrate the feasibility of our approach via performance assesment of a simple DRE application using our MIDAS and commerically available OpenFlow hardware

Data-driven Adaptive Safety Monitoring using Virtual Subjects in Medical Cyber-Physical Systems: A Glucose Control Case Study

Medical cyber-physical systems (MCPS) integrate sensors, actuators, and software to improve patient safety and quality of healthcare. These systems introduce major challenges to safety analysis because the patient’s physiology is complex, nonlinear, unobservable, and uncertain. To cope with the challenge that unidentified physiological parameters may exhibit short-term variances in certain clinical scenarios, we propose a novel run-time predictive safety monitoring technique that leverages a maximal model coupled with online training of a computational virtual subject (CVS) set. The proposed monitor predicts safety-critical events at run-time using only clinically available measurements. We apply the technique to a surgical glucose control case study. Evaluation on retrospective real clinical data shows that the algorithm achieves 96% sensitivity with a low average false alarm rate of 0.5 false alarm per surgery

Parameter-Invariant Design of Medical Alarms

The recent explosion of low-power low-cost communication, sensing, and actuation technologies has ignited the automation of medical diagnostics and care in the form of medical cyber physical systems (MCPS). MCPS are poised to revolutionize patient care by providing smarter alarm systems, clinical decision support, advanced diagnostics, minimally invasive surgical care, improved patient drug delivery, and safety and performance guarantees. With the MCPS revolution emerges a new era in medical alarm systems, where measurements gathered via multiple devices are fused to provide early detection of critical conditions. The alarms generated by these next generation monitors can be exploited by MCPS to further improve performance, reliability, and safety. Currently, there exist several approaches to designing medical monitors ranging from simple sensor thresholding techniques to more complex machine learning approaches. While all the current design approaches have different strengths and weaknesses, their performance degrades when underlying models contain unknown parameters and training data is scarce. Under this scenario, an alternative approach that performs well is the parameter-invariant detector, which utilizes sufficient statistics that are invariant to unknown parameters to achieve a constant false alarm rate across different systems. Parameter-invariant detectors have been successfully applied in other cyber physical systems (CPS) applications with structured dynamics and unknown parameters such as networked systems, smart buildings, and smart grids; most recently, the parameter-invariant approach has been recently extended to medical alarms in the form of a critical shunt detector for infants undergoing a lung lobectomy. The clinical success of this case study application of the parameter-invariant approach is paving the way for a range of other medical monitors. In this tutorial, we present a design methodology for medical parameter-invariant monitors. We begin by providing a motivational review of currently employed medical alarm techniques, followed by the introduction of the parameter-invariant design approach. Finally, we present a case study example to demonstrate the design of a parameter-invariant alarm for critical shunt detection in infants during surgical procedures

Data Freshness Over-Engineering: Formulation and Results

In many application scenarios, data consumed by real-time tasks are required to meet a maximum age, or freshness, guarantee. In this paper, we consider the end-to-end freshness constraint of data that is passed along a chain of tasks in a uniprocessor setting. We do so with few assumptions regarding the scheduling algorithm used. We present a method for selecting the periods of tasks in chains of length two and three such that the end-to-end freshness requirement is satisfied, and then extend our method to arbitrary chains. We perform evaluations of both methods using parameters from an embedded benchmark suite (E3S) and several schedulers to support our result

Evaluation and Enhancement of an Intraoperative Insulin Infusion Protocol via In-Silico Simulation

Intraoperative glycemic control, particularly in cardiac surgical patients, remains challenging. Patients with impaired insulin sensitivity and/or secretion (i.e., type 1 diabetes mellitus) often manifest extremely labile blood glucose measurements during periods of stress and inflammation. Most current insulin infusion protocols are developed based on clinical experiences and consensus among a local group of physicians. Recent advances in human glucose metabolism modeling have established a computer model that invokes algorithms representing many of the pathways involved in glucose dysregulation for patients with diabetes. In this study, we used an FDA approved glucose metabolism model to evaluate an existing institutional intraoperative insulin infusion protocol via closedloop simulation on the virtual diabetic population that comes with the computer model. A comparison of simulated responses to actual retrospective clinical data from 57 type 1 diabetic patients undergoing cardiac surgery managed by the institutional protocol was performed. We then designed a proportional-derivative controller that overcomes the weaknesses exhibited by our old protocol while preserving its strengths. In-silico evaluation results show that our proportional-derivative controller more effectively manages intraoperative hyperglycemia while simultaneously reducing hypoglycemia and glycemic variability. By performing insilico simulation on intraoperative glucose and insulin responses, robust and seemingly efficacious algorithms can be generated that warrant prospective evaluation in human subjects

Removing Abstraction Overhead in the Composition of Hierarchical Real-Time System

The hierarchical real-time scheduling framework is a widely accepted model to facilitate the design and analysis of the increasingly complex real-time systems. Interface abstraction and composition are the key issues in the hierarchical scheduling framework analysis. Schedulability is essential to guarantee that the timing requirements of all components are satisfied. In order for the design to be resource efficient, the composition must be bandwidth optimal. Associativity is desirable for open systems in which components may be added or deleted at run time. Previous techniques on compositional scheduling are either not resource efficient in some aspects, or cannot achieve optimality and associativity at the same time. In this paper, several important properties regarding the periodic resource model are identified. Based on those properties, we propose a novel interface abstraction and composition framework which achieves schedulability, optimality, and associativity. Our approach eliminates abstraction overhead in the composition

Dual Periodic Resource Model

The paper considers compositional scheduling for hierarchical real-time systems using periodic resource models, which has been extensively studied in the past. We identify an unrealistic assumption in the existing literature that can make the computed component interfaces unimplementable. Namely, resource bandwidth can be expressed using arbitrary rational numbers. We show that resource bandwidth, computed by an algorithm that removes this assumption becomes overly pessimistic, and offer a new notion of a dual-periodic resource model (DPRM) interface that improves resource bandwidth of the interface. We study composition using DPRM interfaces and show properties of the new approach in terms of required resource bandwidth and preemption overhead

An Intraoperative Glucose Control Benchmark for Formal Verification

Diabetes associated complications are affecting an increasingly large population of hospitalized patients. Since glucose physiology is significantly impacted by patient-specific parameters, it is critical to verify that a clinical glucose control protocol is safe across a wide patient population. A safe protocol should not drive the glucose level into dangerous low (hypoglycemia) or high (hyperglycemia) ranges. Verification of glucose controllers is challenging due to the high-dimensional, non-linear glucose physiological models which contain both unobservable states and unmeasurable patient-specific parameters. This paper presents a hybrid system model of a closed-loop physiological system that includes an existing FDA-accepted high-fidelity physiological model tailored to intraoperative settings and a validated improvement to a clinical glucose control protocol for diabetic cardiac surgery patients. We propose the closed-loop model as a physiological system benchmark for verification and present our initial results on verifying the system using the SMT-based hybrid system verification tool dReach