Modeling and Verification of a Dual Chamber Implantable Pacemaker

  • Zhihao Jiang
  • Miroslav Pajic
  • Salar Moarref
  • Rajeev Alur
  • Rahul Mangharam
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7214)


The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safety-critical nature of these devices and the lack of existing industry standards for verification make this an ideal domain for exploring applications of formal modeling and analysis. In this study, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We begin with detailed models of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. We then define the state space of the closed-loop system based on its heart rate and develop a heart model which can non-deterministically cover the whole state space. For verification, we first specify unsafe regions within the state space and verify the closed-loop system against the corresponding safety requirements. As stronger assertions are attempted, an unsafe closed-loop state may result from healthy open-loop heart conditions. Such unsafe transitions are investigated with two clinical cases of Pacemaker Mediated Tachycardia and their corresponding correction algorithms in the pacemaker. Along with emerging tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.


Keywords: Medical Devices, Implantable Pacemaker, Software Verification, Cyber-Physical Systems



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Zhihao Jiang (1)
  • Miroslav Pajic (1)
  • Salar Moarref (1)
  • Rajeev Alur (1)
  • Rahul Mangharam (1)

  1. University of Pennsylvania, Philadelphia, USA