A Modal Specification Approach for Assuring the Safety of On-Demand Medical Cyber-Physical Systems

Transcription

1 A Modal Specification Approach for Assuring the Safety of On-Demand Medical Cyber-Physical Systems Lu Feng PRECISE Center Department of Computer and Information Science University of Pennsylvania S5, June 2014 Joint work with: Andrew L. King, Oleg Sokolsky, Insup Lee

2 On-Demand Medical Cyber-Physical Systems What is on-demand MCPS and why? Multiple medical devices assembled at the bedside to coordinate with each other, for providing better medical treatment to patients Examples: PCA closed-loop system: detect respiratory disturbance and safety lock over infusion X-ray machine / Ventilator: synchronization to guarantee patient safety Ventilator / Laser Scalpel: airway-laser interlock to prevent fatal burns to the patient Autonomous and timed behavior are essential for the safety of medical devices that coordinate therapy over a network.

3 Safety Certification Safety assessment: the state of the art Traditional safety critical systems such as aircraft and nuclear power plants are evaluated for safety before they are delivered to the user Consider the completely assembled system as a whole, because safety is an emergent property Medical CPS are safety-critical systems FDA approves (standalone) medical devices for specific use Safety and effectiveness are assessed Challenges for on-demand MCPS How can we assess the safety of on-demand MCPS a priori if we don t know precisely what medical devices (i.e., make, model, brand, etc.) will be used? Complexity and variability of medical device product lines Can we predict a priori the emergent behavior of the assembled system?

4 Our Approach Virtual Medical Devices We consider interoperable medical devices such as those promoted by the Medical Device Plug and Play (MDPnP) project Since plug and play systems do not exist physically prior to assembly, we call these on-demand systems Virtual Medical Devices (VMDs) Typically, a VMD implements a particular clinical scenario + = Device Coordination Algorithm Medical Device Types Virtual Medical Device (VMD)

5 Assuring the Safety of VMD We use a rigorously defined specification language to model a specific clinical scenario the types of medical devices used logic modules (e.g., Apps) that implement device coordination algorithms how data flows between the devices and logic modules We use a trusted base called a Medical Application Platform (MAP), which ensures that VMDs are instantiated correctly Checks if medical devices satisfy the VMD's requirements Hosts the logic part of the VMD (Apps) Applies a variety of scheduling and resource management techniques to ensure that the VMD's performance requirements are met

6 VMD Safety Assurance Step 1: The clinician connects PCA pump and pulse oximeter to the network. Each device will register a capabilities specification with the MAP. Step 2: The clinician selects the PCA-Interlock VMD and then specific devices to use. Step 3: The MAP determines whether the selected devices are compatible. If the devices are not compatibile the clinician is notified. Step 4: If the devices are compatible, the MAP will then analyze the VMD s timing constraints by performing a schedulability test. If the MAP can guarantee the timing constraints, then the VMD is instantiated; otherwise the user is notified.

7 Specification Language Design 1. The language should be amendable for formal verification. 2. The language should allow modular specification to reflect the physical composition of scenario instantiations. 3. The language should allow us to express both required and allowed functional behaviors of the devices involved in the scenario, such as timing characteristics of devices behaviors, interconnections between devices, as well as end-to-end timing constraints of the overall scenario. 4. The language should support instantiation of the modules in the model with actual devices. Technically, this requires support for compositional property-preserving refinement.

8 Main Contributions We developed a novel specification theory based on the formalism of time-parametric modal specifications Modal refinement checking (specification <-> device models) Compositional operator Reachability model checking We have implemented a prototype tool named ModalT and applied it to case studies such as the closed-loop PCA system The tool is available at The framework can also be applied to product line analysis.

9 Time-Parametric Modal Specification Extends Timed I/O Automata by using may and must transitions to capture functional variability, and using parameters in clock constraints for timing variability Functional variability All the must actions of the specification have to be preserved in the implementation Every action in the implementation could be found in the specification as a may or must action Timing variability patterns Bounded deadline: an implementation that is always able to commit an action earlier than the required deadline is acceptable Suppose the system must commit an action after a delay (t 1 ) and before a deadline (t 2 ). Then a valid implementation should commit the action between t' 1 and t' 2 such that t 1 t' 1 t' 2 t 2

10 Time-Parametric Modal Specification (TPMS) Example: PCA infusion pump specification o pump? x 5 disabled o pump? o pump? detect alarm! bolus? start x apple pump ison! x infusion x apple C : apple apple 3 and apple 4 and,, 2 N x pump iso! The operational semantics of a TPMS yields a finite set of modal timed transition systems (MTTSs) A MTTS is an (infinite) state transition system with three types of transitions: delay, must action, and may action

11 Modal Refinement We say that a MTTS m 1 modally refines a MTTS m 2, iff there exits a binary relation R S 1 S 2 such that for each (s,t) R we have A timed I/O automaton (TIOA) A is an implementation of a TPMS M iff there exist a MTTS m modally refines [A] and m [M], where [A] and [M] are the operational semantics of A and M, respectively.

12 Modal Refinement: Examples o pump? x 5 disabled o pump? o pump? detect alarm! bolus? start x apple pump ison! x infusion x apple x pump iso! C : apple apple 3 and apple 4 and,, 2 N Specification Valid Implementation Invalid Implementation

13 Other Key Results Property preservation Suppose a TPMS is guaranteed to satisfy a safety property, then the property must also be held in any valid implementation of the TPMS. Compositional reasoning Define a composition operator: synchronizing over common actions and interleaving otherwise. Modal refinement is preserved under the composition operator. Efficient algorithms Define the symbolic semantics of TPMS as parametric zone-graphs Develop symbolic algorithms for reachability analysis and modal refinement checking Implement the algorithms using the data structure of (modified) Difference Bound Matrices (DBMs)

14 The ModalT tool

15 Example: PCA closed-loop system The ModalT tool

16 The ModalT tool o pump? x 5 disabled o pump? o pump? Specification of the PCA Pump. detect alarm! bolus? start x apple pump ison! x infusion x apple C : apple apple 3 and apple 4 and,, 2 N x pump iso!

17 Conclusions Assuring the safety of on-demand MCPS is a challenge problem that traditional safety assessment approach of integrated system certification does not scale. We treat each on-demand MCPS as a Virtual Medical Device, and assure its safety via a rigorously defined specification language and a trusted Medical Application Platform. We develop a novel specification theory based on the formalism of timed-parametric modal specifications. We also implement a prototype tool named ModalT, which can be used as a model and refinement checker for product lines of cyber-physical systems.

18 Thank You! Questions?