Dr. Zhihao Jiang Real-Time & Embedded Systems Lab Dept. Electrical & Systems Engineering University of Pennsylvania zhihaoj@seas.upenn.edu 1
Implantable Pacemaker 2
1990-2000: 600,000 implantable pacemakers were recalled 200,000 of these recalls were due to software issue 2008-12: 15% of all the medical device recalls (Class I, II & III) due to software 3
• Messy Plant: – Partially understood physiology • Large Variability: – Every patient is different • Limited Observability: – Losing physiological context 4
Model-based Formal Design Methods Physiological Modeling High-confidence Software Development for Life-critical Cyber-Physical Systems 5
“Let our heart models catch bugs before your heart does.” 6
7
• Periodically generates electrical impulses to initialize heart beats SA node
• An impulse first triggers muscle contractions in the atria, pushing blood into the ventricles Atria
• Delay at AV node which allows the ventricles to fill fully AV node
• Strong muscle contractions pump blood out of the heart Ventricles
• Delay in generation and/or conduction of the electrical impulses results in low heart rate Generation Conduction
• Local electrical activations A V Pacemaker
• Generate sensed event when signal above threshold Threshold A V AS Pace Pacemaker
• Same for ventricular channel A V AS Pace Pacemaker VS
• Pace atrium when no AS within deadline A V AS AP Pace V-A Pacemaker VS
• Pace ventricle if no VS happen within deadline A V AS AP Pace A-V V-A Pacemaker VS VP
• Maximum interval between two ventricular events (max(V-A)+max(A-V)) A V AS AP Pace A-V V-A Pacemaker V-V VS VP
• Unnecessary details • Infeasible model identification Cellular Electrophysiology Whole heart Electrophysiology Deng et. al 2016 19 Tong et. al 2014
Refractory V out Time Rest ERP RRP Rest Rest ERP RRP Rest Refractory V out Electrical Conduction System 20 Time
Node Automata Path Automata 21
Represent variety of heart conditions using different topologies and timing parameters Normal Sinus Rhythm Atrial Flutter Ventricle Tachycardia AV Nodal Reentry 22
23
• Condition-specific heart models Simulator Stimuli Model of Atrial Flutter Expected Response 24
26
Commercial Pacemaker Heart On a Chip Analog Interface
28
• Explore the whole reachable state space of a model for property violations • Widely used in semi-conductor industries for verifying chip design 𝜒 Counter-example D M 29
Heart Conditions Normal Sinus Rhythm Bradycardia AV Block Bundle Branch Block Sinus Tachycardia Atrial Flutter AVNRT Atrial Fibrillation Premature Ventricle Contraction Ventricle Tachycardia Ventricle Fibrillation 30 Observable Behavior Space
• Properties satisfied by M are also satisfied by P1, P2 • Behaviors not exist in P1, P2 may also be physiologically-valid • Is this a valid counter-example? • Need a framework to provide context for counter-examples Counter-example 𝜒 D 𝜒′ M 31
• Multiple transitions are enabled • Relax guard conditions if 𝑢 ∈ [1,5] s=1 t==1 t==1 32
• Simplify the model to increase non- determinism for more behavior coverage REST IDLE REST ERP REST ANTE RETRO REST ERP ERP IDLE ERP Additional ERP REST Behavior IDLE IDLE REST ERP REST REST REST RETRO ANTE IDLE REST REST REST 33
• Combine models of different heart conditions for more behavior coverage Trest in [min a i , max b i ] Trest Trest in [a 2 , b 2 ] Trest in [a 1 , b 1 ] Trest in [a 3 , b 3 ] 34
Heart Conditions Normal Sinus Rhythm Bradycardia AV Block Bundle Branch Block Sinus Tachycardia Atrial Flutter AVNRT Atrial Fibrillation Premature Ventricle Contraction Ventricle Tachycardia Ventricle Fibrillation 35 Observable Behavior Space
Heart Conditions Normal R2 Sinus Rhythm R2 Bradycardia R2 AV Block Bundle R2 Branch Block R2 Sinus Tachycardia R2 Atrial R1 Flutter R2 R1 AVNRT R2 Atrial R1 Fibrillation Premature R2 Ventricle Contraction R1 R2 Ventricle Tachycardia R2 R1 Ventricle Fibrillation 36 Observable Behavior Space
Heart Conditions Normal R2 Sinus Rhythm R2 R4 Bradycardia R4 R6 R3 R2 R4 AV Block R4 Bundle R2 Branch R4 Block R2 Sinus Tachycardia R2 Atrial R1 R6 R3 R4 Flutter R5 R2 R4 R1 AVNRT R4 R2 Atrial R1 R4 Fibrillation Premature R2 Ventricle R4 Contraction R1 R2 Ventricle R4 R5 R6 R3 Tachycardia R2 R1 Ventricle Fibrillation R4 37 Observable Behavior Space
Heart Conditions Normal R2 Sinus Rhythm R2 R4 Bradycardia R4 R6 R3 R2 R4 AV Block R4 Bundle R2 Branch R4 Block R7 R2 Sinus Tachycardia 𝐼 𝑏𝑚𝑚 R2 Atrial R1 R6 R7 R3 R4 Flutter R5 R2 R4 R1 AVNRT R4 R2 Atrial R1 R4 R7 Fibrillation Premature R2 Ventricle R4 Contraction R1 R2 Ventricle R4 R5 R6 R3 Tachycardia R2 R1 Ventricle Fibrillation R4 38 Observable Behavior Space
Variability Heart Conditions Normal R2 Sinus Rhythm R2 R4 Bradycardia R4 R6 R3 R2 R4 AV Block R4 ⌐𝜒 Bundle R2 Branch R4 Block R7 R2 Sinus Tachycardia 𝐼 𝑏𝑚𝑚 R2 Atrial R1 R6 R7 R3 R4 Flutter R5 R2 R4 R1 AVNRT R4 R2 Atrial R1 R4 R7 Fibrillation Premature R2 Ventricle R4 Contraction R1 R2 Ventricle R4 R5 R6 R3 Tachycardia R2 R1 Ventricle Fibrillation R4 Physiological Context 39 Observable Behavior Space
• Basic Safety Properties – Heart rate never go too slow – Pacemaker never increase the heart rate too high • Pacemaker Mediated Tachycardia – Can pacemaker increase heart rate inappropriately? – Are there multiple cases of them? – Can the algorithm terminate the behavior in time? 40
41
Heart Pacemaker Non- UPPAAL Model Checking deterministic Model UPP2SF Refinement Model Translation Deterministic Stateflow Simulation VHM Chart Simulink Coder HDL Coder C Code Heart-on-Chip Platform Testing implementation 42
Research Impact Model-based Design Formal Methods RTAS’12 (Best Paper Award) TACAS’12 (Best Paper Nominee) TECS’14 STTT’14 FnEDA’16 MedCPS’16 IEEE Computer’16 HSCC’16 Cyber-Physical Systems Biomedical Engineering ICCPS’11 EMBC’10 ECRTS’11 EMBC’11 IEEE Proceedings’12 EMBC’16 43
Research Summary & Plan Clinical Development Heart Closed-loop Model Modeling Model Checking Translation Market in-silico Quantitative Security Data-driven Pre-clinical Validation Verification Modeling Trials Providing Regulatory-grade Safety Evidence With Computer Models
Safety Evidence for Medical Devices Animal Computer Bench Animal Human Human Computer Bench Today Future 45
Research Summary & Plan Clinical Development Heart Closed-loop Model Modeling Model Checking Translation Market in-silico Quantitative Security Data-driven Pre-clinical Validation Verification Modeling Trials Providing Regulatory-grade Safety Evidence With Computer Models
The clinical trial Animal testing The ultimate closed-loop validation 47
Implantable Cardiac Defibrillator Sense Therapy ICD Right Atrium Can (Shock) Lead Tip & Ring Electrode Left Atrium Left Ventricle Right Atrium Right Ventricle Shock Coils Right Ventricular Lead Tip & Ring AS AS AS VS VS VS Atrial Signal Ventricular Signal Shock Signal 48
RIGHT The Rhythm ID Going Head to Head Trial* Primary endpoint: occurrence of inappropriate therapy ~2,000 patients, 5 years Select Medtronic ICDs ( the control arm ) Vitality II ICD (Boston Sci.) Inappropriate ( the treatment arm ) Therapy Assumed 25% less risk of inappropriate therapy with Vitality II relative to Medtronic ICDs 49 *Berger et al., “The Rhythm ID Going Head to Head Trial”, Journal of Cardiovascular EP, Vol. 17, No. 7, July 2006
RIGHT Trial Results – Inappropriate Therapy Inappropriate Therapy VITALITY 2: 62.2% Medtronic: 45.9% Majority of the therapy episodes were inappropriate *Michael R. Gold, Primary results of the Rhythm ID Going Head to Head Trial, Heart 50 Rhythm, Vol 9, No 3, March 2012
Recommend
More recommend