Closed-loop verification of medical devices with model abstraction and refinement

  • Zhihao Jiang
  • Miroslav Pajic
  • Rajeev Alur
  • Rahul Mangharam
TACAS 2012


The design and implementation of software for medical devices is challenging because of the closed-loop interaction with the patient, who is a stochastic physical environment. The safety-critical nature of the domain and the lack of existing industry standards for verification make it an ideal setting for exploring applications of formal modeling and closed-loop analysis. The biggest challenge is that the environment model(s) have to be both complex enough to express the physiological requirements and general enough to cover all possible inputs to the device. In this effort, we use a dual chamber implantable pacemaker as a case study to demonstrate verification of software specifications of medical devices as timed-automata models in UPPAAL. The pacemaker model is based on the specifications and algorithm descriptions from Boston Scientific. The heart is modeled using timed automata based on the physiology of the heart. The model is gradually abstracted, with timed simulation used to preserve properties. A manual Counter-Example-Guided Abstraction and Refinement (CEGAR) framework has been adapted to refine the heart model when spurious counter-examples are found. To demonstrate the closed-loop nature of the problem and the refinement of the heart model, we investigated two clinical cases of Pacemaker Mediated Tachycardia and verified their corresponding correction algorithms in the pacemaker. Along with our tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.
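As an added illustration of why the closed loop matters (this is example code written here, not the paper's UPPAAL model, and every timing value in milliseconds is an assumption rather than a figure from the paper): a discrete-time simulation of a simplified DDD pacemaker against a heart model with retrograde (VA) conduction makes a Pacemaker Mediated Tachycardia loop appear, and shows how the assumed PVARP correction suppresses it while a heart model without retrograde conduction never exhibits it at all.

```python
"""Closed-loop check of a simplified DDD pacemaker against a heart model with
retrograde (VA) conduction.  Illustrative example added here, not the paper's
UPPAAL model; all timing values (ms) are assumed, not taken from the paper."""


def simulate(pvarp, va_delay=250, lri=1000, avi=150, duration=10_000):
    """1 ms discrete-time closed loop.  Heart: no intrinsic rhythm; every
    ventricular pace conducts back to the atrium after va_delay (None = no
    retrograde conduction).  Pacemaker: AP when the VA interval (LRI - AVI)
    expires, VP when the AV interval expires, atrial senses inside PVARP ignored.
    Returns (ventricular pace times, number of atrial events blanked by PVARP)."""
    last_v = -lri        # last ventricular event; LRI has just expired at t=0
    av_due = None        # absolute time the running AV interval expires
    retro_due = None     # absolute time a retrograde atrial event arrives
    vp_times, blanked = [], 0
    for now in range(duration):
        if retro_due == now:                 # heart: retrograde atrial event
            retro_due = None
            if now - last_v >= pvarp:        # outside PVARP: sensed, start AVI
                av_due = now + avi
            else:                            # inside PVARP: pacemaker ignores it
                blanked += 1
        if av_due is None and now - last_v >= lri - avi:
            av_due = now + avi               # pacemaker: atrial pace
        if av_due is not None and now >= av_due:
            av_due = None                    # pacemaker: ventricular pace
            vp_times.append(now)
            last_v = now
            retro_due = None if va_delay is None else now + va_delay
    return vp_times, blanked


def min_vv_interval(vp_times):
    """Shortest interval between consecutive ventricular paces."""
    return min(b - a for a, b in zip(vp_times, vp_times[1:]))


def upper_rate_respected(vp_times, uri=500):
    """Safety property: the pacemaker never paces the ventricle faster than
    the (assumed) upper rate interval, i.e. every V-V interval >= uri."""
    return min_vv_interval(vp_times) >= uri


if __name__ == "__main__":
    for pvarp, va in ((0, None), (0, 250), (300, 250)):
        vp, blanked = simulate(pvarp=pvarp, va_delay=va)
        print(f"PVARP={pvarp:3d} VA={va}: min V-V={min_vv_interval(vp)} ms, "
              f"blanked={blanked}, upper rate ok={upper_rate_respected(vp)}")
```

With retrograde conduction and no PVARP the loop settles at VA delay plus AV interval (400 ms here, a PMT); with a PVARP longer than the VA delay the retrograde atrial events are blanked and pacing returns to the lower rate.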


Keywords: Medical devices, Implantable pacemaker, Software verification, Cyber-physical systems, Model abstraction and refinement, CEGAR



The authors would like to thank Ashutosh Trivedi, from the University of Pennsylvania and the Indian Institute of Technology, Mumbai, for fruitful discussions during the preparation of this paper.



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Zhihao Jiang, Miroslav Pajic, Rajeev Alur, Rahul Mangharam: University of Pennsylvania, Philadelphia, USA
