Closed-loop verification of medical devices with model abstraction and refinement

Abstract

The design and implementation of software for medical devices is challenging due to the closed-loop interaction with the patient, which is a stochastic physical environment. The safety-critical nature and the lack of existing industry standards for verification make this an ideal domain for exploring applications of formal modeling and closed-loop analysis. The biggest challenge is that the environment model(s) have to be both complex enough to express the physiological requirements and general enough to cover all possible inputs to the device. In this effort, we use a dual chamber implantable pacemaker as a case study to demonstrate verification of software specifications of medical devices as timed-automata models in UPPAAL. The pacemaker model is based on the specifications and algorithm descriptions from Boston Scientific. The heart is modeled using timed automata based on the physiology of heart. The model is gradually abstracted with timed simulation to preserve properties. A manual Counter-Example-Guided Abstraction and Refinement (CEGAR) framework has been adapted to refine the heart model when spurious counter-examples are found. To demonstrate the closed-loop nature of the problem and heart model refinement, we investigated two clinical cases of Pacemaker Mediated Tachycardia and verified their corresponding correction algorithms in the pacemaker. Along with our tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.

Appendix

Proof for \(N_2^1\Vert P_2\Vert N_2^2\preceq _t N_3^1\Vert P_3\Vert N_3^2\) In this section we manually prove the timed simulation relation \(N_2^1\Vert P_2\Vert N_2^2\preceq _t N_3^1\Vert P_3\Vert N_3^2\). The other relations can be proved accordingly.

1.1 Timed simulation relation sim

For two timed automata \(T^1\) and \(T^2\), we write timed simulation relation sim is defined on \(\varOmega _1\times \varOmega _2\) where \((s,v)\in \varOmega _1\) and \(v\) is the valuation of all clocks \(t_1\in X_1\). \(((s,v),(s',v'))\) is in sim if and only if \(v'=v(\lambda +\delta )\), for \(\delta \in D\), such that sim \((s,v)=(s',v(\lambda +D))\).

Let \(T^1=N_2^1\Vert P_2\Vert N_2^2\) and \(T^2=N_3^1\Vert P_3\Vert N_3^2\). \(X_1=\{tn_2^1,tp_2,tn_2^2\}\) and \(X_2=\{tn_3^1,tp_3,tn_3^2\}\), the state mapping for the timed simulation relation is shown below:

sim \((RE\Vert ID\Vert RE,v)=(RE\Vert ID\Vert RE,v(tn_3^1+D_1,tn_3^2+D_2))\) where \(D_1=[N_2^1.Terp\_min,N_2^1.Terp\_max]\),

$$\begin{aligned} D_2=[N_2^2.Terp\_min,N_2^2.Terp\_max] \end{aligned}$$

A special condition for this mapping is the initial state: sim \((RE\Vert ID\Vert RE,v(tn_3^1:=0,tp_3:=0,tn_3^2:=0))= (RE\Vert ID\Vert RE,v(tn_3^1+D_1,tn_3^2+D_2))\)

$$\begin{aligned} \mathsf{sim} (ER\Vert AN\Vert RE,v)&= (RE\Vert AN\Vert RE,v) \\ \mathsf{sim} (RE\Vert RT\Vert ER,v)&= (RE\Vert RT\Vert RE,v) \\ \mathsf{sim} (ER\Vert ID\Vert ER,v)&= (RE\Vert ID\Vert RE,v) \\ \mathsf{sim} (ER\Vert ID\Vert RE,v)&= (RE\Vert ID\Vert RE,v(tn_3^2+D)) \end{aligned}$$

where \(D=[N_2^2.Terp\_min,N_2^2.Terp\_max]\)

$$\begin{aligned} \mathsf{sim}(RE\Vert ID\Vert ER,v)=(RE\Vert ID\Vert RE,v(tn_3^1+D)) \end{aligned}$$

where \(D=[N_2^1.Terp\_min,N_2^1.Terp\_max]\)

The location mapping is shown in Fig. 5.

1.2 Timed transitions

Here we want to ensure every timed transition for \(T^1\) has a corresponding timed transition in \(T^2\). We denote \(S=(s,v)\) and \(S_\delta =(s,v+\delta )\). For each location in \(T^1\) we have \(S\xrightarrow {\delta }S_\delta \) for \(\forall \delta \in \mathbb{R }\) under condition \(v+\delta \models inv(s)\). In \(T^2\) we use \(S'=(s',v')\) and \(S_\delta '=(s',v'+\delta )\). For \((S,S')\in \) sim we show that there exists \(S_\delta '\) such that \(s'\xrightarrow {\delta }s_\delta '\) and \((s_\delta ,s_\delta ')\in \) sim. For every location we list all the corresponding components and provide proof.

For location \(RE\Vert ID\Vert RE\) in \(T^1\) we have:

$$ \begin{aligned} S&= (RE\Vert ID\Vert RE,v)\\ S_\delta&= (RE\Vert ID\Vert RE,v+\delta )\\ inv(s)&= tn_2^1+\delta \le N_2^1.Trest\_max\, \& \& \\&tn_2^2+\delta \le N_2^2.Trest\_max)\\ D_1&= [N_2^1.Terp\_min,N_2^1.Terp\_max],\\ D_2&= [N_2^2.Terp\_min,N_2^2.Terp\_max].\\ S'&= (RE\Vert ID\Vert RE,v(tn_3^1+D_1,tn_3^2+D_2))\\ S_\delta '&= (RE\Vert ID\Vert RE,v(tn_3^1+D_1,tn_3^2+D_2)+\delta )\\ inv(s')&= tn_3^1+D_1+\delta \le N_3^1.Trest\_max\hbox { and }tn_3^2 \\&+D_2+\delta \le N_3^2.Trest\_max \end{aligned}$$

Since

$$\begin{aligned} N_3.Trest\_max = N_2.Trest\_max+N_2.Terp\_max \end{aligned}$$

we have \(inv(s)\equiv inv(s')\) so the correspondence holds.

For location \(ER\Vert AN\Vert RE\) in \(T^1\) we have:

$$\begin{aligned} S&= (ER\Vert AN\Vert RE,v)\\ S_\delta&= (ER\Vert AN\Vert RE,v+\delta )\\ inv(s)&= tp_2+\delta \le P_2.Tcond\_max\\ S'&= (RE\Vert AN\Vert RE,v)\\ S_\delta '&= (RE\Vert AN\Vert RE,v+\delta )\\ inv(s')&= tp_3+\delta \le P_3.Tcond\_max \end{aligned}$$

Since \(P_2.Tcond\_max==P_3.Tcond\_max\), we have \(inv(s)\equiv inv(s')\) so the correspondence holds.

For location \(RE\Vert RT\Vert ER\) in \(T^1\) we have:

$$\begin{aligned} S&= (RE\Vert RT\Vert ER,v)\\ S_\delta&= (RE\Vert RT\Vert ER,v+\delta )\\ inv(s)&= tp_2+\delta \le P_2.Tcond\_max\\ S'&= (RE\Vert RT\Vert RE,v)\\ S_\delta '&= (RE\Vert RT\Vert RE,v+\delta )\\ inv(s')&= tp_3+\delta \le P_3.Tcond\_max \end{aligned}$$

Since \(P_2.Tcond\_max==P_3.Tcond\_max\), we have \(inv(s)\equiv inv(s')\) so the correspondence holds.

For location \(ER\Vert ID\Vert ER\) in \(T^1\) we have:

$$ \begin{aligned} S&= (ER\Vert ID\Vert ER,v)\\ S_\delta&= (ER\Vert ID\Vert ER,v+\delta )\\ inv(s)&= tn_2^1+\delta \le N_2^1.Terp\_max \& \& \\&tn_2^2+\delta \le N_2^2.Terp\_max\\ S'&= (RE\Vert ID\Vert RE,v)\\ S_\delta '&= (RE\Vert ID\Vert RE,v+\delta )\\ inv(s')&= tn_3^1+\delta \le N_3^1.Trest\_max \& \& \\&tn_3^2+\delta \le N_3^2.Trest\_max \end{aligned}$$

Since

$$\begin{aligned} N_3.Trest\_max = N_2.Trest\_max+N_2.Terp\_max \end{aligned}$$

We have \(inv(s)\subseteq inv(s')\) so the correspondence holds.

For location \(ER\Vert ID\Vert RE\) in \(T^1\) we have:

$$ \begin{aligned} S&= (ER\Vert ID\Vert RE,v)\\ S_\delta&= (ER\Vert ID\Vert RE,v+\delta )\\ inv(s)&= tn_2^1+\delta \le N_2^1.Terp\_max \& \& \\&tn_2^2+\delta \le N_2^2.Trest\_max\\ D&= [N_2^2.Terp\_min,N_2^2.Terp\_max]\\ S'&= (RE\Vert ID\Vert RE,v(tn_3^2+D)\\ S_\delta '&= (RE\Vert ID\Vert RE,v(tn_3^2+D)+\delta )\\ inv(s')&= tn_3^1+\delta \le N_3^1.Trest\_max \& \& \\&tn_3^2+D+\delta \le N_3^2.Trest\_max \end{aligned}$$

Since

$$\begin{aligned} N_3.Trest\_max = N_2.Trest\_max+N_2.Terp\_max \end{aligned}$$

We have \(inv(s)\subseteq inv(s')\) so the correspondence holds.

For location \(RE\Vert ID\Vert ER\) in \(T^1\) we have:

$$ \begin{aligned} S&= (RE\Vert ID\Vert ER,v)\\ S_\delta&= (RE\Vert ID\Vert ER,v+\delta )\\ inv(s)&= tn_2^1+\delta \le N_2^1.Trest\_max \& \& \\&tn_2^2+\delta \le N_2^2.Terp\_max\\ D&= [N_2^1.Terp\_min,N_2^1.Terp\_max]\\ S'&= (RE\Vert ID\Vert RE,v(tn_3^1+D)\\ S_\delta '&= (RE\Vert ID\Vert RE,v(tn_3^1+D)+\delta )\\ inv(s')&= tn_3^1+D+\delta \le N_3^1.Trest\_max \& \& \\&tn_3^2+\delta \le N_3^2.Trest\_max \end{aligned}$$

Since

$$\begin{aligned} N_3.Trest\_max = N_2.Trest\_max+N_2.Terp\_max \end{aligned}$$

We have \(inv(s)\subseteq inv(s')\) so the correspondence holds.

1.3 Discrete transitions

During a discrete transition, a state \(S=(s,v)\) proceed to \(S_\lambda =(s',v(\lambda :=0))\). Here we prove that for every discrete transition \(S\xrightarrow {\sigma }S_\lambda \) in \(T^1\), there exists \(S_1=(s_1,v)\) such that \((S,S_1)\in \) sim, \(S_1\xrightarrow {\sigma }S_{\lambda ,1}\) for \(S_{\lambda ,1}=(s_1',v(\lambda ':=0))\) and \((S_\lambda ,S_{\lambda ,1})\in \) sim.

Self-activation for \(N_2^1\) triggers antegrade conduction, we have \(N_3.Trest=N_2.Terp+N_2.Trest\)

$$\begin{aligned}&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_1!]{tn_2^1>N_2^1.Trest\_min \Vert Act\_node\_1?} \\&(ER\Vert AN\Vert RE,v(tn_2^1:=0,tp_2:=0))\\&\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_1!]{tn_3^1>N_3^1.Trest\_min\Vert Act\_node\_1?} \\&(RE\Vert AN\Vert RE,v(tn_3^1:=0,tp_3:=0)) \end{aligned}$$

Self-activation for \(N_2^2\) triggers retrograde conduction, we have \(N_3.Trest=N_2.Terp+N_2.Trest\).

$$\begin{aligned}&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_2!]{tn_2^2>N_2^2.Trest\_min\Vert Act\_node\_2?} \\&(RE\Vert RT\Vert ER,v(tp_2:=0,tn_2^2:=0))\\&\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_2!]{tn_3^2>N_3^2.Trest\_min)\Vert Act\_node\_2?} \\&(RE\Vert RT\Vert RE,v(tp_3:=0,tn_3^2:=0)) \end{aligned}$$

\(N_2^2\) activated after antegrade conduction

$$\begin{aligned}&(ER\Vert AN\Vert RE,v) \xrightarrow [Act\_node\_2!]{tp_2>Tcond\_min} \\&(ER\Vert ID\Vert ER,v(tn_2^2:=0))\\&\Downarrow \\&(RE\Vert AN\Vert RE,v) \xrightarrow [Act\_node\_2!]{tp_3>Tcond\_min} \\&(RE\Vert ID\Vert RE,v(tn_3^2:=0)) \end{aligned}$$

\(N_2^1\) activated after retrograde conduction

$$\begin{aligned}&(RE\Vert RT\Vert ER,v) \xrightarrow [Act\_node\_1!]{tp_2>Tcond\_min)} \\&(ER\Vert ID\Vert ER,v(tn_2^1:=0))\\&\Downarrow \\&(RE\Vert RT\Vert RE,v) \xrightarrow [Act\_node\_1!]{tp_3>Tcond\_min)} \\&(RE\Vert ID\Vert RE,v(tn_3^1:=0)) \end{aligned}$$

ERP of \(N_2^1\) finishes first

$$\begin{aligned}&(ER\Vert ID\Vert ER,v) \xrightarrow {tn_2^1>N_2^1.Terp\_min} \\&(RE\Vert ID\Vert ER,v(tn_2^1:=0))\\&\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow {tn_3^1>N_3^1.Terp\_min} \\&(RE\Vert ID\Vert RE,v) \end{aligned}$$

ERP of \(N_2^2\) finishes first

$$\begin{aligned}&(ER\Vert ID\Vert ER,v) \xrightarrow {tn_2^2>N_2^2.Terp\_min} \\&(ER\Vert ID\Vert RE,v(tn_2^2:=0))\\&\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow {tn_3^2>N_3^2.Terp\_min} \\&(RE\Vert ID\Vert RE,v) \end{aligned}$$

ERP of \(N_2^2\) finishes after \(N_2^1\)

$$\begin{aligned}&(RE\Vert ID\Vert ER,v) \xrightarrow {tn_2^2>N_2^2.Terp\_min} \\&(RE\Vert ID\Vert RE,v(tn_2^2:=0))\\&\Downarrow \\&D=[N_2^1.Terp\_min,N_2^1.Terp\_max]\\&(RE\Vert ID\Vert RE,v(tn_3^1+D)) \xrightarrow {tn_3^2>N_3^2.Terp\_min} \\&(RE\Vert ID\Vert RE,v(tn_3^1+D)) \end{aligned}$$

ERP of \(N_2^1\) finishes after \(N_2^2\)

$$\begin{aligned}&(ER\Vert ID\Vert RE,v) \xrightarrow {tn_2^1>N_2^1.Terp\_min} \\&(RE\Vert ID\Vert RE,v(tn_2^1:=0))\\&\Downarrow \\&D=[N_3^1.Terp\_min,N_3^1.Terp\_max]\\&(RE\Vert ID\Vert RE,v(tn_3^2+D)) \xrightarrow {tn_3^1>N_3^1.Terp\_min} \\&(RE\Vert ID\Vert RE,v(tn_3^2+D)) \end{aligned}$$

\(N_2^2\) is activated when \(N_2^1\) is in ERP

$$\begin{aligned}&(ER\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_2!]{Act\_node\_2?} \\&(ER\Vert ID\Vert ER,v(tn_2^2:=0))\\&(\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_2!]{Act\_node\_2?} \\&(RE\Vert ID\Vert RE,v(tn_3^2:=0)) \end{aligned}$$

\(N_2^2\) is activated when \(N_2^1\) is in ERP

$$\begin{aligned}&(RE\Vert ID\Vert ER,v) \xrightarrow [Act\_path\_1!]{Act\_node\_1?} \\&(ER\Vert ID\Vert ER,v(tn_2^1:=0))\\&\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_1!]{Act\_node\_1?} \\&(RE\Vert ID\Vert RE,v(tn_3^1:=0)) \end{aligned}$$

Blocking during ERP is simulated by a non-deterministic transition in the path

$$\begin{aligned}&(ER\Vert ID\Vert ER,v) \xrightarrow {Act\_node\_1?} (ER\Vert ID\Vert ER,v)\\&\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_1!]{Act\_node\_1?} \xrightarrow {Act\_path\_1?} \\&(RE\Vert ID\Vert RE,v)\\&(ER\Vert ID\Vert ER,v) \xrightarrow {Act\_node\_2?} (ER\Vert ID\Vert ER,v)\\&\Downarrow \\&(RE\Vert ID\Vert RE,v) \xrightarrow [Act\_path\_2!]{Act\_node\_2?} \xrightarrow {Act\_path\_2?} \\&(RE\Vert ID\Vert RE,v)\\&(ER\Vert ID\Vert RE,v) \xrightarrow {Act\_node\_1?} (ER\Vert ID\Vert RE,v)\\&\Downarrow \\&D=[N_2^2.Terp\_min,N_2^2.Terp\_max]\\&(RE\Vert ID\Vert RE,v(tn_3^2+D)) \xrightarrow [Act\_path\_1!]{Act\_node\_1?} \xrightarrow {Act\_path\_1?} \\&(RE\Vert ID\Vert RE,v(tn_3^2+D))\\&(RE\Vert ID\Vert ER,v) \xrightarrow {Act\_node\_2?} (RE\Vert ID\Vert ER,v)\\&\Downarrow \\&D=[N_2^1.Terp\_min,N_2^1.Terp\_max]\\&(RE\Vert ID\Vert RE,v(tn_3^1+D)) \xrightarrow [Act\_path\_2!]{Act\_node\_2?} \xrightarrow {Act\_path\_2?} \\&(RE\Vert ID\Vert RE,v(tn_3^1+D)). \end{aligned}$$