Kahina Gani, Marinette Bouet, Michel Schneider, and Farouk Toumani. 1 2

Transcription

1 Modeling Home Care Plans Kahina Gani, Marinette Bouet, Michel Schneider, and Farouk Toumani. 1 2 Research Report LIMOS/RR mai {gani,michel.schneider,ftoumani}@isima.fr 2. marinette.bouet@univ-bpclermont.fr

2 Abstract A (home) care plan defines the health cares or supportive cares delivered by health care professionals in patients homes. Such a care plan is usually constructed through a complex process involving a comprehensive assessment of patient s needs as well as its social and physical environment. Managing home care plans is challenging because care plans are inherently non-structured processes which require complex interdisciplinary cooperation. In this paper, we describe how home care plans, formalized as timed automata, can be generated from a set of high level and user-oriented abstractions. We propose a three-step approach which consists in (i) the identification of the elementary patterns that are useful to specify home care plans, (ii) the use of these elementary patterns to specify atomic activities, and then (iii) automatic construction of a global care plan by composition of the basic activities. The resulting care plan encompasses all the possible allowed schedules of activities for a given patient. We discuss then how verification and monitoring of the resulting care plan can be handled using existing techniques and tools. Keywords: Timed automata, Home care plan, Time Petri Nets, UPPAAL 1

3 1 Introduction A care plan is a set of medical-social activities that are carried out day after day at the patient s home for a determined period or not. It allows to control or pilot the execution of the various activities at the patient s home, and this, in a precise time interval. In fact the time constraints are major factors for the success of care at the patient s home. Care plan must respect specifications, ie ensures that the execution is in complies with expectations, and also satisfies the constraints on the execution time. It is therefore necessary to verify such a care plan formally trying to capture the various events that should not occur and ensure a good managing. Different formalisms There exist in the literature several formalisms that describe real-time systems [5, 9, 3, 1, 6, 4]. Among the well-known formalisms, we have the time extension for Petri Nets(PNs) [14] and Timed automata(ta) [4, 17]. There are several extensions of Petri Nets that take into account time constraints : Time Petri Nets(TPNs) [20] where a time interval is assigned to each transition, Timed Petri Nets(TdPNs) [22] whose transitions have exact duration. Other representations of time may involve tokens or arcs [18], among all these time variants, it has been proven in [10] that Time Petri Nets are more suitable for the expression of a large majority of temporal constraints. In addition to Petri Nets, another well-known model has been extended to represent the time constraint : Timed automata were introduced in [4, 2] as an extension of finite state automata that enables explicit modeling of time. Informally, a timed automata is a finite states automata enriched with clock variables. Moreover, transitions of timed automata are annotated with guards, expressed as time constraints, and clock resets. Several contributions aiming to compare the expressiveness of Time Petri Nets and Timed Automata have been made [12] [11]. The work done in [16] was very interesting in the sense that they have shown that TA and bounded TPNs are equally expressive in term of timed language acceptance. Another work [13] proves that timed Petri Nets are not more expressive than timed automata with respect to read-arc model of timed Petri Nets language which is equivalent to timed automata [21]. In our approach, we are interested in formalizing using Timed automata. The advantage of TA formalism is that the problem of reachability is decidable in polynomial space [4], while it is undecidable for TPNs [19]. On the other hand, timed automata benefit from a very active theoretical research, which among other things allowed to develop very efficient tools 2

4 such as Uppaal [8] or Kronos [15], which will enables us to efficiently use these tools in our verification phase. 2 Approach and objective As we said previously, we adopt as referring formal model for the specification of care plans, the model of timed automata. Several variants of timed automata have been proposed in the literature, we consider in our work timed automata with ɛ-transitions (i.e., silent transitions) and also guards on the states, also called invariants. When considering the care plan, activities that compose it are not instantaneous but have a duration, this is why we need to capture the notion of duration of activity in our timed automata, and this, through the identification of waiting states and execution states. We give in the following the main lines of our approach : The identification of the temporal specification patterns. A care plan is composed of a collection of repetitive activities each having a duration which varies from a few minutes to hours. Specification of irregular activities requires the use of suitable temporal specification patterns, these latter will principally plan the accomplishments (in term of : Times ranges, Day, Period, Duration) of activity for a given patient. The proposal of a model to represent the care plan. Figure 1 shows the approach to follow in order to build the "care plan timed automata" corresponding to a given patient. In fact, the care plan consists of a set of activities which are at their turn defined by a set of elementary temporal specifications that specify their scheduling. Thereby building the care plan timed automata also involves the construction of two types of automata : "Activity timed automata" and "Elementary temporal specification timed automata". The transition between each type of automata requires a set of operations. The use of this model for the verification of the behavior of the care plan. This phase consists in identifying the different treatments and reasoning which may be associated with our model. We long to verify the general properties, such as Reachability as well as the requirements imposed by the home care activities such as Monitoring, Grouping Activity, Regularity research,... etc. The rest of the report is organized as follows : in the next section, we describe the syntax and semantic of timed automata, we mention the work concerning representation activities with durations. Section 4 presents the different temporal specification patterns and shows the various operations required for the construction of activities timed automata and care plan 3

5 Figure 1 Approach to construct care plan timed automata timed automata. In section 5, we show the possible verifications that can be performed within the model. 3 Timed automata We give in this section the intuition and the formal definition of the timed automata model, and then we mention the model that takes into account the activity duration. 3.1 Basic notion of timed automata As mentioned previously, the timed automata is an extension of finite state automata enriched with a clock variables. Indeed, a timed automata is defined by a set of nodes (states), switches, actions and clocks. The nodes represent the states of the system, the transitions are labeled by event symbols, and clocks are variables with zero or positive real values. While state transitions are instantaneous, in every state, the time may elapse ; in fact, the clocks are used to define constraints on the transitions and/or states. Constraints on states are called invariants, they allow to specify that the system can remain in the state while the constraint is satisfied. As for the constraints associated to transitions, called guards, they allow to specify that the system can move from one state to another, triggering the transition only if the associated constraint is satisfied. Clocks valuations We define below the constraints allowed to express invariants and guards. The set of clocks is denoted by X. A clock constraint 4

6 φ is defined by the grammar : φ := x c x c x c x c φ1 φ2. Where x is a clock in X and c is an integer positive value. The set of clock constraints using clocks of X will denoted φ(x). Definition 1 A timed automata is a tuple A = (S, s 0, Σ, X, Inv, T, F ) where : S is a finite set of locations or states of the automata and F S is set of final states ; s 0 S is a set of initial locations ; Σ {ɛ} is a finite set of transition labels, where ɛ defines the silent transition ; X is a finite set of clocks ; Inv : S φ(x) associates an invariant to each state of the automata ; T S Σ {ɛ} φ(x) 2 X S is a set of transitions. A transition (s, a, φ, λ, s ) represents an edge from location s to location s on symbol a. φ is a clock constraint, and the set λ X gives the clocks to be reset after firing such a transition. As an example, Figure 2 depicts timed automata that is made of two states s 0 and s 1 and the clock variable x. This automata includes a transition labeled Toilet from state s 0 to s 1 which is guarded by the condition x >= 8h as well as ɛ-transition from state s 1 to state s 0 which is guarded by condition x == 24h. Figure 2 Example of a timed automata Semantic of timed automata To formally define the semantics of timed automata, we introduce the notion of variable valuation. We consider as a time domain the set of non-negative reals R 0. Let X be a set of variables with values in R 0. A (variable) valuation v : X R 0 is a mappings that assigns to each variable x X a time value v(x). Each state of the automata is represented by a pair (s, v) where s is a state of S and v is an evaluation over X s.t. v satisfies the invariant Inv(S). The semantics of a timed automata A is then expressed in terms of two types of transitions [4] : Action transition : this type of transition can be triggered instantaneously if the current value of the guard is checked. Formally : 5

7 For a state (s, v) and a real-valued time increment d 0, (s, v) d (s, v+d) if for all 0 d d, v+ d satisfies the invariant Inv(s). Time transition : this type of transition consists of staying in the same state and increases the values of clocks respecting the invariant. Formally : For a state (s, v) and a transition (s, a, φ, λ, s ) such that v satisfies φ, (s, v) a (s, v[λ :=0]). Resuming the timed automata shown in Figure 1, a possible implementation of the automata is : (s 0, 0) (s 0, 10.3) T oilet (s 1, 10.3) 10 (s 1, 20.3) 3.7 (s 1, 24) ɛ (s 0, 0). 3.2 Works on timed automata Several variants of timed automata have been proposed in the literature, among them the work proposed by [7] as an extension of timed automata in order to take into account the actions with durations Timed automata with non-instantaneous actions A natural way to represent the duration in a timed automata is to match each activity with two transitions, the first labelled with "start activity" and the second with "end activity". But this approach may alter the original alphabet and lose the information that the activity is unique. [7] proposes an interesting class of timed automata, which enables rightly keeping the same original alphabet and the concept of the unique activity. In this model, each transition is equipped with two constraints : (initiation constraint), (completion constraint), and a set of of clocks : (initiation reset), (completion reset). A transition can be taken if it (initiation constraints) is satisfied and at the same time the set of clocks (initiation reset) are reset to zero, and it can be completed if the (completions constraints) is satisfied and the set of clocks (completions reset) are then reset to zero. Definition 2 (Timed automaton with non-instantaneous actions)a timed automata with non-instantaneous actions (noted : TAD), is a tuple (Q, Σ, ξ, B, R, X), where : Q is a finite set of locations or states of the automaton ; B Q is a set of initial locations ; Σ is a finite set of transition labels ; X is a finite set of clocks ; R Q is the set of repeated states ; ξ is a tuple in Q Ψ x Γ x Σ Ψ x Γ x Q. 6

8 If e = (q, Ψ i, γ i, σ, Ψ j, γ j, q ) is a transition in ξ, q is the source, q is the target, Ψ j is the initiation constraint and Ψ j is the completion constraint, σ is the label, γ i is the initiation reset and γ j is the completion reset. Through its Model,[7] provides a way to match each timed automata with non-instantaneous action transition with timed automata with ɛ- transitions, as well as for the parallel product result of different TADs. This, in order to use the various tools of timed automata. When we look more closely at this model, we note the following information : taking the example of two timed automata with non-instantaneous action transitions T AD 1 and T AD 2, the parallel product result is T AD 1 T AD 2 = T AD 3. According to the model we match a timed automata with ɛ- transitions T A ɛ to the parallel product result in order to do any kind of verification. Now, if we want to match each T AD 1 and T AD 2 with two timed automata with ɛ-transitions T A ɛ1 and T A ɛ2, and calculate the parallel product T A ɛ1 T A ɛ2 = T A ɛ3. We should normally have equivalence between T A ɛ and T A ɛ3, which is far from being the case. Add to this, the fundamental results of this model which consists in, the Timed automata with non-instantaneous action transitions is more expressive than the timed automata and less expressive than timed automata with ɛ-transitions. This results and observations strengthens our choice to use the timed automata with ɛ-transition model. Therefore each activity will be captured by two transitions, the first labelled with the activity name and the second with ɛ, these two transitions will be joined by an execution state, which will allow to the automata to stay there throughout the duration of the activity execution. In this way the original alphabet will be preserved as well as the unicity of the activity and then we can efficiently use the verifications tools directly without having to transform our results. 4 Modeling home care plan using timed automata In this part we will present different patterns of temporal specification, followed by the reasoning used to build activities timed automata, and finally the construction of the overall care plan timed automata. 7

9 4.1 Elementary temporal specifications timed automata Each activity of the care plan is associated with a set of elementary temporal specifications. These specifications provide the information about the time when the activity is performed, expressed as a quadruplet (Days, Time ranges, Period, duration) and allow us to provide a language that can express regular or irregular repetitions of an activity in some period under a condensed form, similar to that used by doctors (e.g. Every day morning and evening). Table 1 shows a simple example of this language. Each line of the table corresponds to an elementary temporal specification associated with the activity "Toilet" and expressed in term of Days, Time ranges, Period and Duration. Both Days and Time ranges fields can take different forms to reflect the various possibilities encountered in the medical world. Bellow the specifications of a basic activity. Activity : contains the activity name ; Days : which can take the values : "Every day" ; Relative days as a list of days (eg. "Sunday, Monday") ; Absolute dates as a list of dates (eg. "07/03/13,09/03/13") ; "Holidays". Time ranges : which can take the values : "Morning" ; "Noon" ; "Afternoon" ; "Evening" ; "Night" ; Specific time (e.g., "9h15") ; Time slots (e.g., 10h-12, 15h30h-17h). Period : contains : start period date, end period date ; Duration : each activity has a theoretical duration, its value is expressed in terms of minutes. Activity Days Time ranges Period Duration Toilet Monday Wednesday morning evening 01/01/13-30 Friday 03/31/13 Sunday morning 01/01/13-03/31/13 Table 1 Elementary temporal specifications for activity "Toilet". Irregular activities are inherent to care plans. For example, a same activity, "Toilet" may be associated with complex temporal specification, (e.g., every day morning evening, Sunday evening). In the following example, there is an ambiguity because we don t know if on Sunday "Toilet" must 8

10 take place in the morning and evening or only in the morning. In order to resolve this ambiguity, we introduce the notion of exception via the keyword "except" then a specification can be expressed as (E 1 ) except (Days1 Days2...) where (E 1 ) is a specification that can be expressed by the quadruplet (days, time range, period, duration) and Days 1,2,3... are the days to exclude from the expression(e 1 ), we call them "exception Days". Thus, the above example is correctly specified as shown in Table 2. In this specification, we have an exception on Sunday, using a keyword "except" we understand that for Sunday it is only in the morning. Activity Days Time ranges Period Duration Toilet Everyday Morning Evening 01/01/13-30 except(sunday) 03/31/13 Sunday Morning 01/01/13-03/31/13 Table 2 Example of complex temporal specifications using "except" These specifications can be used as input for the generation of the timed automata corresponding to each activity of the care plan Temporal specification Patterns From the graphical user interface, the coordinator can specify multiple rows of elementary temporal specifications for the same activity, some of them to express the repetitiveness of the activity for certain days, and others introducing a slowdown or an increasing to the activity. In the following, the temporal specification patterns are introduced one by one. The objective of these patterns is to help us in the design of the elementary temporal specifications timed automata, which in turn will contribute to the construction of activity timed automata using technical operations. Each temporal specification pattern is designed to capture a specific temporality depending on possible combinations of quadruplet (Days, Time ranges, Period, Duration). Relative days Relative days combined with time ranges and period are used to express a regular repetition of the activity of the care plan. For each row of temporality expressed as (Relative days, Time ranges, Period, Duration) defined for an activity a of the care plan, the corresponding timed automata pattern A RD =(S, s 0, Σ, X, Inv, T, F ) is defined as follows : S is a finite set of states where the number of states NbStates= NbT imeranges + 2 +NbDays where NbT imeranges is the number 9

11 of times ranges, "2" corresponds to the two last states and NbDays is the number of specified Days. s 0 S is the set of initial states. We always have one initial state. F is the set of final states. We always have one final state. Σ = {Activity name} {ɛ} is the set of transition labels, where ɛ defines the silent transition. X ={ x d, x t, x p, x w } is the set of clocks expressed in terms of minutes where x d is used to control the execution of the activity in a time of the day, x t is used to control the activity duration, x w is used to control the execution of the activity in a day of the week and x p is used to control the execution of the activity in a day of the period. T S Σ {ɛ} φ(x) 2 X S is the set of transitions. Each transition corresponds to a day of the week. The number of transitions NbT ransitions = NbT imeranges* NbDays where "3" corresponds to the two return transitions to the start state (the first one to reset the x d in the same week, another one is to reset x w in order to move to the next week in the period) and the transition to the final state. φ is a clock constraint defined as follows : φ = x c x c x < c x > c φ 1 φ 2. Where x is a clock in X and c is an integer positive value. This timed automata recognizes timed words. A timed word over an alphabet is a sequence (Activity name, t 0 ),..., (Activity name, t n ) where Activity name belongs to and the occurrence of times increase monotonically, i.e., t 0 t 1... t n. The timed language accepted by the automata A RD is the set of timed words associated with accepting runs. It can be formulated as follows : L(A RD ) = {w/w = ((end(p ) start(p ))/(7 24)) 1 k=0 ( m 1 i=0 ( n 1 j=0 (a, tj i,k ))), tj i,k [d i + k start(p ) + start(i j ), d i + k start(p ) + end(i j )]}. This timed language L(A RD ) consists in concatenating successively the timed word (a, t j i,k ) according to three parameters : the existing time ranges in a day j [0,n-1], the different days of the week i [0,m-1], and finally, the different weeks contained in a period k [0,((end(P)-start(P))/(7*24))-1] such that Period is defined by start(p) and end(p), Time ranges by start(i j ) and end(i j ). d i are different relative days specified and k is the number of the week. The example bellow illustrates the mapping of an elementary temporal specification into timed automata using "Relative days" pattern automata. Consider the following specification of the activity Toilet that takes 30 minutes : Activity : Toilet Days : Monday, Thursday, Friday 10

12 Time ranges : Morning Period : [05/05/2013, 05/05/2014] The corresponding timed automata A RD =(S, s 0, Σ, X, Inv, T, F ) depicted in Figure 3 is defined as follows : Figure 3 Example of a timed automata in case of Relative days S= {s 0, s 1, s 2, s 3, s 4, s 5 } with s 0 the initial state, {s 0, s 4, s 5 } are the waiting states and {s 1, s 2, s 3 } are the execution states ; F ={s 5 } ; Σ = {T oilet} {ɛ} ; X= {x d, x t, x p,x w } ; T is the set of the following transitions : (s 0, T oilet, x d 480 && x w 1440 && x w < 2880, {x t }, s 1 ), this transition specifies that when the automata is at state s o, it can move to state s 1 to triggers the execution of the activity T oilet in the state s 1 on condition that the conjunction of state invariant (x d 720) at s 0 and the transition guard (x d 480 && x w 1440 && x w < 2880) allows it. (x d 480) ensures that the activity T oilet can be performed only in the morning and (x w 1440 && x w < 2880) ensures that the activity T oilet takes place every Monday of the period. {x t } ensures the beginning of the activity T oilet and the state invariant (x t 30) ensures that the automata stays at state s 1 during 30 minutes to perform the activity T oilet. The same principle is followed for the other transitions where the activity T oilet must be performed : (s 0, T oilet, x d 480 && x w 5760 && x w < 7200, {x t }, s 1 ) for Thursday and (s 0, T oilet, x d 11

13 480 && x w 7200 && x w < 8640, {x t }, s 1 ) for Friday. (s 1, ɛ, x t == 30, s 4 ), this transition specifies that when the automata is at state s 1, it can move to state s 4 triggering the end of the activity T oilet. the conjunction of the state invariant (x t 30) and the transition guard (x t == 30) ensure that the activity T oilet was performed at state s 1 during 30 minutes. The same principle is followed for the other transitions (s 2, ɛ, x t == 30, s 4 ) and (s 3, ɛ, x t == 30, s 4 ). (s 4, ɛ, x d == 1440 && x p < && x w < 10080, {x d }, s 0 ), this transition enables the automata to move back from s 4 to s 0, without performing any activity, at the end of the day (i.e., when x d equals 1440) within a specified week (i.e., x w < 10080) and a specific period (i.e., x p < ). Upon this transition, the variable x d is reset to record the beginning of a new day in the current week. (s 4, ɛ, x d == 1440 && x p < && x w == 10080, {x d, x w }, s 0 ), this transition enables the automata to move back from s 4 to s 0, without performing any activity, at the end of the week (i.e., when x w equals 10080) within the specified period (i.e., x p < ). Upon this transition, the variables x d and x w are reset to record the beginning of a new day in a new week. (s 4, ɛ, x d == 1440 && x p == ,, s 5 ), this transition is fired at the end of the period (i.e., when x p equals ) and it enables the automata to move to the final state s 2 and terminate the execution. "Every day" Every day combined with time ranges and period can be used as a particular case of Relative days. There are two ways to represent the corresponding temporal specification pattern. One is based on the representation of "Relative days" where all the seven transitions of a time range will be labeled with the activity name. And the other way is illustrated in the following example. Consider the following elementary temporal specification of the activity T oilet that takes 30 minutes : Activity : Toilet Days : Every day Time ranges : Morning Period : [05/05/2013, 05/05/2014] The corresponding elementary temporal timed automata A ED = (S, s 0, Σ, X, Inv, T, F ) depicted in Figure 4 is defined as follows : S= {s 0, s 1, s 2, s 3 } with s 0 the initial state, NbStates = NbT imeranges * 2+ 2= 4, {s 0, s 2, s 3 } are the waiting states and s 1 is the execution state ; 12

14 Figure 4 Example of a timed automata in case of "Every day" F ={s 3 } ; Σ = {T oilet} {ɛ} ; X= {x d, x t, x p } ; T is the set of transitions where NbT ransitions = NbT imeranges* We will see the meaning of each transition : (s 0, T oilet, x d 480, {x t }, s 1 ), this transition specifies that when the automata is at state s 0, it can move to state s 1 to triggers the execution of the activity T oilet in the state s 1. The conjunction of state invariant (x d 720) at s 0 and the transition guard (x d 480) ensure that the activity T oilet can be performed only in the morning (i.e., when the value of x d is between 480 and 720). {x t } ensures the beginning of the activity T oilet and the state invariant (x t 30) ensures that the automata stays at state s 1 during 30 minutes to perform the activity T oilet. (s 1, ɛ, x t == 30, s 2 ), this transition specifies that when the automata is at state s 1, it can move to state s 2 triggering the end of the activity T oilet. The conjunction of the state invariant (x t 30) and the transition guard (x t == 30) ensure that the activity T oilet was performed at state s 1 during 30 minutes. (s 2, ɛ, x d == 1440 && x p < , {x d }, s 0 ), this transition enables the automata to move back from s 2 to s 0, without performing any activity, at the end of the day (i.e., when x d equals 1440) within the specified period (i.e., x p < ). Upon this transition, the variable x d is reset to record the beginning of a new day. (s 2, ɛ, x d == 1440 && x p == ,, s 3 ), this transition is fired at the end of the period (i.e., when x p equals to ) and it enables the automata to move to the final state s 3 and terminate the execution. The timed language accepted by this timed automata can be formulated 13

15 as follows : L(A ED ) = {w/w = ((end(p ) start(p ))/24) 1 i=0 ( n 1 j=0 (a, tj i )), tj i [i 24 + start(p ) + start(i j ), i 24 + start(p ) + end(i j )]}. The timed language L(A AD ) consists in concatenating successively the timed word (a, t j i ) according to the existing time ranges in a day j [0,n-1], and the different days contained in a period i [0,((end(P)-start(P))/24)- 1]. Absolute dates Absolute dates option allows to define precise dates or single days for an activity of the care plan e.g.,12/12/2013,..., etc. For each elementary temporal specification expressed as (Absolute dates, Time ranges, Period, Duration) defined for an activity a of the care plan, the corresponding timed automata A AD =(S, s 0, Σ, X, Inv, T, F ) is defined as follows : S is a finite set of states where NbStates= NbT imeranges NbDates. s 0 S is the set of initial states. We always have one initial state. F is the set of final states. We always have one final state. Σ = {Activity name} {ɛ} is the set of transition labels. X ={ x d, x t, x p } is the set of clocks expressed in terms of minutes where x d is used to control the execution of the activity in a time of the day, x t is used to control the activity duration and x p is used to control the execution of the activity in a day of the period. T S Σ {ɛ} φ(x) 2 X S is the set of transitions. The number of transitions between two states of time range depends of the number of the specified dates for an activity. The formula to compute this number is as follows : NbT ransitions = NbDates * 2 + NbIntervals + 2 where NbDates is the the number of specific dates when the activity will be performed during the period, N bintervals is the number of intervals [Start date, End date] where the activity will not be performed, and "2" corresponds to the return transition to the start state and the transition to the final state. The timed language accepted by the automata A AD is the set of timed words associated with accepting runs. It can be formulated as follows : L(A AD ) = {w/w = m 1 i=0 ( n 1 j=0 (a, tj i )), tj i [D i + start(p ) + start(i j ), D i + start(p ) + end(i j )]}. Where the timed language L(A AD ) consists in concatenating successively the timed word (a, t j i ) according to the existing time ranges in a day j [0,n-1], and the different specified dates D i where i [0, m-1]. The example bellow illustrates the mapping of an elementary temporal specification into timed automata using "absolute dates " pattern auto- 14

16 mata. Consider the following specification of the activity Toilet that takes 30 minutes : Activity : Toilet Days : 05/06/2013, 05/08/2013, 05/09/2013 Time ranges : Morning Period : [05/05/2013, 05/05/2014] The corresponding timed automata A AD =(S, s 0, Σ, X, Inv, T, F ) depicted in Figure 5 is defined as follows : Figure 5 Example of a timed automata in case of "Absolute dates" S= {s 0, s 1, s 2, s 3, s 4, s 5 } is a finite set of states with s 0 the initial state, {s 0, s 4, s 5 } are the waiting states and {s 1, s 2, s 3 } are the execution state ; F ={s 5 } ; Σ = {T oilet} {ɛ} ; X= {x d, x t, x p } ; T is the set of the following transitions : (s 0, T oilet, x d 480 && x p 1440 && x p < 2880, {x t }, s 1 ), this transition specifies that when the automata is at state s o, it can move to state s 1 to triggers the execution of the activity T oilet in the state s 1 on condition that the conjunction of state invariant (x d 720) at s 0 and the transition guard (x d 480 && x w 1440 && x p < 2880) allow it. (x d 480) ensures that the activity T oilet can be performed only in the morning and (x w 1440 && x w < 2880) ensures that the activity T oilet takes place in the date 05/06/2013 of the period. {x t } ensures the beginning of the activity T oilet and the state invariant (x t 30) ensures that the automata stays at state s 1 during 30 minutes to perform the activity T oilet. The same principle is followed for the other transitions where the activity T oilet must be performed : (s 0, T oilet, x d 15

17 480 && x p 4320 && x p < 5760, {x t }, s 2 ) for 05/08/2013 and (s 0, T oilet, x d 480 && x p 5760 && x p < 7200, {x t }, s 3 ) for 05/09/2013. T 1 = (s 0, ɛ, x p 0 && x p < 1440,, s 4 ), T 2 = (s 0, ɛ, x p 2880 && x p < 4320,, s 4 ), T 3 = (s 0, ɛ, x p 7200 && x p < ,, s 4 ), the passage through these transitions results when x p is in the time interval different from that of specific dates. We have three transitions, T 1 represents the interval between the beginning of the period and the first specific date, T 2 represents the interval between two specific dates, and T 3 represents the interval between the last specific date and end date of the period. For those transitions the automata can move from s 0 to s 4 at any moment where (x d 0 && x d < 720), the guard is composed of a single condition on the clock x p, it ensures the validity of the interval where the activity should not be done. (s 4, ɛ, x d == 1440 && x p < , {x d }, s 0 ), this transition enables the automata to move back from s 4 to s 0, without performing any activity, at the end of the day (i.e., when x d equals to 1440) within the specified period (i.e., x p < ). Upon this transition, the variable x d is reset to record the beginning of a new day. (s 4, ɛ, x d == 1440 && x p == ,, s 5 ), this transition is fired at the end of the period (i.e., when x p equals to ) and enables the automata to move to the final state s 5 and terminate the execution. Patient unavailability Each patient has his/her own specific care plan, the care plan is elaborated for each patient on an individual basis that can take into account the pathology and the patient s needs. A further factor may occur and exert considerable influence in the elaboration of the care plan : "Patient agenda". Indeed, the patient agenda includes all temporal specifications that capture the unavailability of the patient, therefore the coordinator must specify the unavailability of the patient in the same way as the care plan activities in order to avoid predicting an activity when the patient will be unavailable. All temporal specification patterns that we have defined can be used to model the unavailability of the patient. The example in Figure 6 illustrates the patient agenda using the temporal specification patterns : Consider the following specification : "the patient will be unavailable on 06/06/2014 morning for 2 hours". The corresponding timed automata depicted in Figure 6 is made of four states : {s 0, s 2, s 3 } are the waiting states and {s 1 } the execution state, Σ {ɛ} = {unavailable} {ɛ}. This automata includes a transition labeled Unavailable from state s 0 to s 1 16

18 which is guarded by the condition (s 0, unavailable, x d 480 && x p && x p < 22520, {V t }, s 1 ) followed by an ɛ-transition from s 1 to s 2 both capture the information that on 06/06/2014 morning for 120 minutes the patient will be unavailable. Figure 6 Patient unavailability timed automata 4.2 Activities Timed Automata Now that we have seen how to build the "Elementary temporal specification timed automata" using temporal specification patterns, we will see in this section how to construct the "Activity timed automata" by combining its various "elementary temporal specification timed automata"(the same principle is used if we want to construct the patient unavailability timed automata). To do this we propose two procedures : The first procedure deals with the "Basic case" means the case where elementary temporal specifications are specified without any overlap in the Days field, and the second procedure deals with the "General case", ie the case where we can have a wide range of possible combination of the Days field. Each procedure will be followed by an example Basic case In this part, we will give the different steps to follow in order to construct activity timed automata from given elementary temporal specifications. Procedure 1 Given different elementary temporal specifications, the timed automata generation is built through the following steps : 1. Add a new elementary temporal specification : Everyday except (specified Days). 2. Build timed automata for each elementary temporal specification except the added one. 17

19 Activity Days Time ranges Period Duration Toilet Monday Thursday Morning 01/01/ /31/14 Sunday Evening 01/01/14 12/31/14 Table 3 Elementary temporal specifications "Basic case" Activity Days Time ranges Period Duration Toilet Monday Thursday Morning 01/01/ /31/14 Sunday Evening 01/01/14-12/31/14 Everyday except(monday None 01/01/14- Thursday Sunday ) 12/31/14 Table 4 Add a new elementary temporal specification 3. Build for each elementary temporal specification timed automata A, the corresponding special timed automata Â. 4. Build for the added elementary temporal specification the corresponding special timed automata Ã. 5. Build the intersection of all built special timed automata. Note that special timed automata are defined as follows :  "is the timed automata that recognizes timed words that are specified in a precise (Days, Time ranges, Period) and recognizes an infinite number of timed words (including the empty word) outside these specifications within a period". à "is the timed automata that recognizes an infinite number of timed words (including the empty word) within a specified "exception Days" within a period". Table 3 gives an example of two specified elementary temporal specifications for an activity T oilet. Following the procedure 1, we get a new table 4 which contains a new line of elementary temporal specification. Figures 7 and 8 represent successively the timed automata A and B of the first and the second elementary temporal specification built using timed automata patterns. Always following the procedure 1, we will define the special automata corresponding to A and B timed automata. Indeed, let  be the special automata of A timed automata. The timed automata  is defined as follows : Â=(Ŝ, ŝ 0, Σ, X, Înv, ˆT, ˆF ). This timed automata in addition to recognizing timed words defined on "Monday Thursday, morning", it can also recognize all possible timed words 18

20 Figure 7 Timed automata A (even the empty word) which are outside "Monday Thursday" but always within specified period (Figure 9). Among its transitions : (ŝ 1, T oilet, x d 480, {x t }, ŝ 2 ) and (ŝ 2, ɛ, x t == 30, ŝ 5 ) insures that the activity Toilet will be executed on Monday morning, in the same way as for the A timed automata. ŝ 2 is the executing state during 30 minutes, ŝ 1 and ŝ 5 are waiting state. the same principle for (ŝ 3, T oilet, x d 480, {x t }, ŝ 4 ) and (ŝ 4, ɛ, x t == 30, ŝ 5 ). All the transitions from ŝ 5 to ŝ 6 mean that for all days outside "Monday Thursday" we can execute the activity T oilet an infinite number of times and at any moment of the day. ŝ 6 is the execution state, and the transition (ŝ 6, ɛ, x t == 30, ŝ 5 ) allows to triggers the end of the execution of the activity T oilet after each execution. Regarding B timed automata, its corresponding special automata ˆB is defined as follows : ˆB=( Ŝ, ŝ 0, Σ, X, Înv, ˆT, ˆF ). This timed automata in addition to recognizing timed words defined on "Sunday, evening", it can also recognize all possible timed words (even the empty word) which are outside "Sunday" but always within specified period (Figure 10). Among its transitions : (ŝ 1, T oilet, x d 1020, {x t }, ŝ 2) and (ŝ 2, ɛ, x t == 30, ŝ 3) insures that the activity Toilet will be executed on Sunday morning, in the same way as for the B timed automata. ŝ 2 is the executing state during 30 minutes, ŝ 1 and ŝ 3 are waiting state. All the transitions from ŝ 3 to ŝ 4 mean that for all days outside "Sunday" we can execute the activity T oilet an infinite number of times and at any moment of the day. ŝ 4 is the execution state, and the transition (ŝ 4, ɛ, x t == 30, ŝ 3) allows to triggers the end of the execution of the activity T oilet after each execution. 19

21 Figure 8 Timed automata B Figure 9 Timed automata  Let s look at the added temporality. Following the steps 4 of the procedure 1, we have to define for this added temporality a special automata. Let C be the special automata corresponding to the added elementary specification, it is defined as follows : Ĉ=( S, s 0, Σ, X, Ĩnv, T, F ). This timed automata recognizes all possible timed words (even the empty word) which are specified on exception Days ie : "Monday Thursday Sunday" (Figure 11). Among its transitions : ( s 1, T oilet, x w 1440 && x w < 2880, {x t }, s 2 ), ( s 1, T oilet, x w 7200 && x w < 8640, {x t }, s 2 ) and ( s 1, T oilet, x w 5760 && x w < 7200, {x t }, s 2 ), those transitions mean that for "Monday Thursday Sunday" we can execute the activity T oilet an infinite number of times and at any moment of the day. s 2 is the execution state, and 20

22 Figure 10 Timed automata ˆB Figure 11 Timed automata C the transition ( s 2, ɛ, x t == 30, s 1 ) allows to trigger the end of the execution of the activity T oilet after each execution. The last step of the procedure 1 is to build the resulting timed automata intersection of all special automata. The intersection is achieved following the classical construction defined by (Alur and Dill). Here we consider the epsilon transitions in the same way than the activity ones. We recall below the definition of intersection of timed automata. Definition 3. Given two timed automata A 1 = ( S 1, s 0 1, Σ 1 {ɛ}, X1, Inv 1, T 1, F 1 ) and A 2 = ( S 2, s 0 2, Σ 2 {ɛ}, X2, Inv 2, T 2, F 2 ). The intersection A 3 = A 1 A 2 = ( S 3, s 0 3, Σ 3 {ɛ}, X1 X 2, Inv 3, T 3, F 3 ) is built through the following steps : The states are S 3 = S 1 S 2, the initial state is s 0 3 = (s 0 1, s 0 2) and the final state is F 3 = {(s 1, s 2 ) s 1 F 1, s 2 F 2 }). Two transitions e 1 = (s 1, a 1, φ 1, λ 1, s 1) A 1 and e 2 = (s 2, a 2, φ 2, λ 2, s 2) A 2 are synchronized if and only if a 1 = a 2, producing a new switch e 1 e 2 which is added to A 3 : e 1 e 2 = ((s 1, s 2 ), φ 1 φ 2, a 1, x e1 e 2, (s 1, s 2))), a new clock x e1 e 2 is created in A 3. 21

23 Figure 12 gives the intersection automata  ˆB C. The resulting automata encompasses all the possible schedules of the activity Toilet specified in the table 4. In this timed automata, the states are represented by a triple (ŝ i, ŝ j, s k ) where i, j, k {0.. 7}, and every state ŝ i, ŝ j, s k Ŝ, Ŝ, S respectively. (ŝ0, ŝ 0, s 0 ) is the initial state. The invariant of each state corresponds to Inv (ŝ i, ŝ j, s k ))= Inv (ŝ i ) Inv (ŝ j) Inv ( s k ) which specifies that the system can stay in that state while the invariant has a value "True". Figure 12 Activity timed automata (intersection automata) General case As we said previously, in the general case we can have a wide range of possible combination of the "Days" field, e.g., a date or a day that appears in several elementary temporal specifications of the same activity. In this section we will give the procedure to follow to transform a set of elementary temporal specifications expressed in the general case in order to fall in the basic case. Procedure 2 Given different elementary temporal specifications, if a "date" or a "day" appears in several temporal specifications, the activity timed automata is built through the following steps : 1. Extract the repetitive "day" or "date" from the elementary temporal specification where it appears combined with other "days" or "dates". 2. Group all the elementary temporal specifications having the same "day" or "date". 3. Apply the procedure 1 of the "Basic case". 22

24 Table 5 shows a representative example of the general case. Indeed, we note that "Tuesday" appears in both elementary temporal specifications, following the procedure 2, the first step consists to extract "Tuesday" from the first elementary temporal specification (see table 6), the second step consists to group all the specifications having the same fields "Days" (see table 7). Now we can see that with Table 7 we fall exactly in the "Basic case", it is then sufficient to apply the procedure 1 in order to build the "Activity timed automata". Activity Days Time ranges Period Duration Toilet Monday Tuesday Morning 01/01/ /31/14 Tuesday Evening 01/01/14-12/31/14 Table 5 Elementary temporal specifications "General case" Activity Days Time ranges Period Duration Toilet Monday Tuesday Morning 01/01/ /31/14 Tuesday Morning 01/01/14-12/31/14 Tuesday Evening 01/01/14-12/31/14 Table 6 Elementary temporal specifications (After extraction) 4.3 Care plan timed automata The care plan can be also described by means of timed automata which is obtained by composition of Activities timed automata. The composition is achieved following on one hand, the general principle of the parallel product : the transitions are obtained by synchronizing the transitions with the same labels and advance separately when they have different labels [2]. However, on the other hand, this composition must meet specific conditions in reference to our model. Indeed synchronization does not occur on Activity Days Time ranges Period Duration Toilet Monday Morning 01/01/14-12/31/14 30 Tuesday Morning Evening 01/01/14-12/31/14 Table 7 Elementary temporal specification (After grouping) 23

25 any label shared by both transitions but precisely on ɛ-transitions. Afterwards, we defined during the construction of our activities automata, the waiting and the execution states, condition on these states consists in : two successive transitions connected by an execution state should never be dissociated, thus, in order to keep information about the activity execution and its duration. We will see in what follows a more formal definition. Definition 4 (Composition of timed automata) Let A 1 = (S 1, s 1 0, Σ 1, X 1, Inv 1, T 1 ) and A 2 = (S 2, s 2 0, Σ 2, X 2, Inv 2, T 2 ) be two timed automata. The composition of A 1 and A 2, denoted A 1 A 2, is the timed automata (S 1 S 2, s 0 1 s 0 2, Σ 1 Σ 2, Xs 1 X 2, Inv, T), where Inv (S 1, S 2 ) = Inv (S 1 ) Inv (S 2 ) and the transitions are defined function T is defined as follows : 1. {((s 1, s 2 ), ɛ, φ, λ, (s 1, s 2)) : (s 1, ɛ, φ 1,λ 1,s 1) T 1 and (s 2,a,φ 2, λ 2,s 2) T 2, s 1 and s 2 are both waiting states }. 2. {((s 1, s 2 ), a, φ, λ, (s 1, s 2)) : ((s 1,a,φ 1,λ 1,s 1) T 1, s 2 =s 2) or ((s 2, a, φ 2, λ 2, s 2 ) T 2, s 1 =s 1), s 1 and s 2 are both start states }. 3. {((s 1, s 2 ), a, φ, λ, (s 1, s 2)) : ((s 1, a, φ 1, λ 1, s 1) T 1, s 2 =s 2, s 2 is a waiting/start state, s 1 is an execution state) or ((s 2, a, φ 2, λ 2, s 2) T 2,s 1 =s 1,s 1 is a waiting/start state, s 2 is an execution state)}. 4. {((s 1, s 2 ), a, φ, λ, (s 1, s 2)) : ((s 1, a, φ 1,λ 1,s 1) T 1, s 2 =s 2, s 2 is a waiting state,s 1 is a start state) or ((s 2, a, φ 2, λ 2, s 2) T 2, s 1 =s 1, s 1 is a waiting state, s 2 is a start state)}. Table 8 illustrates an example of care plan composed of two activities : T oilet and Dress. Activity Days Time ranges Period Duration Toilet Everyday Morning 01/01/14-12/31/14 30 Dress Everyday 09h00 01/01/14-12/31/14 20 Table 8 Example of care plan" Figure 13 shows the composition result of the automata (Toilet timed automata and Dress timed automata). The resulting automata encompass all the passible schedules of the activities T oilet and Dress. 5 Verification of home care plan model In this part we show some property verified by our model using Uppaal model checker. 24

26 Figure 13 Care plan timed automata 5.1 Realizability of care plans It is important to check the realizability of a care plan, i.e., to check whether or not the activities included in the plan can be effectively scheduled and performed according to the constraints specified in the plan. In other words, a care plan is realizable when each activity can be performed without interruption in the imposed time range on any specified period. Checking realizability of a care plan can be reduced to the emptiness problem of the corresponding timed automata. In fact, the emptiness problem for the timed automata A consists in verifying whatever or not L(A) is empty. To do it, is necessary to check reachability of some final states from an initial state. Consider again the timed automata shown in Figure 13, we check in the following if the final state (S 3, S 3) is reachable from initial state (S 0, S 0). The emptiness checking is performed using the following query : E<>( Process.S3S 3) Figure 14 shows the emptiness checking of a care plan timed automata in Figure

27 Figure 14 Emptiness checking timed automata with UPPAAL 5.2 Monitoring of care plans Note that most of the activities of a care plan are manual, i.e., performed manually by professionals. In current state of affairs, the activities that have been performed are often recorded manually on paper. Our goal is to enable electronic recording of executed activities in order to keep track of the execution traces of care plans. Such information can then be used to monitor care plans. For example, compliance of executions traces w.r.t. a care plan may be checked. In order to detect the executions that do not satisfy the constraints specified in the considered care plan. Also, the monitoring system may be used to detect executions that deviate from the specification. For example, if into the care plan the activity "Injection" is provided at 09h00 and takes 30 minutes, and after Checking compliance of execution traces can be reduces to language recognition in timed automata, it is performed using the following query : E<> ( Process. S0S 1 ) && (Process.xp >= 1440 && Process.xp <

28 && Process.xd >= 660 && Process.xd <= 720) This query checks that the activity "Dress" which was done on January 2 between 11h00 and 12Hh00 is well complying with the care plan timed automata Figure 13. the answer is "No" since Dress was scheduled starting from 9h00. E<> (Process.S1S 2 && Process.xd == 695 && Process.xt == 35) This one checks, that the activity "Toilet" which was done from 11h00 to 11h35 in 35 minutes is well complying with the care plan timed automata Figure 13. The answer is "No" since Toilet takes only 30 minutes. 6 Discussion We described in this paper an approach to generate formal specifications of home care plans, expressed as timed automata, from a set of high level and user-oriented abstractions. We propose a three-step approach which consists in (i) the identification of the elementary patterns that are useful to specify home care plans, (ii) the use of these elementary patterns to specify atomic activities, and then (iii) automatic construction of a global care plan by composition of the basic activities. The resulting care plan encompasses all the possible legal schedules of activities for a given patient. We briefly discussed then how verification and monitoring of the resulting care plan can be handled using existing existing techniques and tools (e.g., UPPAAL model checker). 27

29 Références [1] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems, Jun [2] Rajeev Alur. Timed automata. In Nicolas Halbwachs and Doron A. Peled, editors, Proceedings of the 11th International Conference on Computer Aided Verification (CAV 99), volume 1633 of Lecture Notes in Computer Science, pages Springer-Verlag, July [3] Rajeev Alur and D. L. Dill. Automata for modeling real-time systems. In Proceedings of the Seventeenth International Colloquium on Automata, Languages and Programming, pages , New York, NY, USA, Springer-Verlag New York, Inc. [4] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126 : , [5] Rajeev Alur and Thomas A. Henzinger. Logics and models of real time : A survey, [6] Rajeev Alur and Thomas A. Henzinger. A really temporal logic. J. ACM, 41(1) : , January [7] Roberto Barbuti, Nicoletta De Francesco, and Luca Tesei. Timed automata with non-instantaneous actions. Fundam. Inf., 47(3-4) : , October [8] Gerd Behrmann, Re David, and Kim G. Larsen. A tutorial on uppaal. pages Springer, [9] Bernard Berthomieu and Michel Diaz. Modeling and verification of time dependent systems using time petri nets. IEEE Trans. Softw. Eng., 17(3) : , March [10] Bernard Berthomieu and Miguel Menasche. An enumerative approach for analyzing time petri nets. In Proceedings IFIP, pages Elsevier Science Publishers, [11] Bernard Berthomieu, Florent Peres, and François Vernadat. Bridging the gap between timed automata and bounded time petri nets. In Proceedings of the 4th International Conference on Formal Modeling and Analysis of Timed Systems, FORMATS 06, pages 82 97, Berlin, Heidelberg, Springer-Verlag. [12] Patricia Bouyer. Extended timed automata and time petri nets, [13] Patricia Bouyer, Serge Haddad, and Pierre alain Reynier. Timed petri nets and timed automata : On the discriminating power of zeno sequences, [14] F.D.J Bowden. A brief survey and synthesis of the roles of time in petri nets. Mathematical and Computer Modelling. 28