Model Checking Implantable Cardioverter Defibrillators


Abstract

Ventricular Fibrillation is a disorganized electrical excitation of the heart that results in inadequate blood flow to the body. It usually ends in death within seconds. The most common way to treat the symptoms of fibrillation is to implant a medical device, known as an Implantable Cardioverter Defibrillator (ICD), in the patient's body. Model-based verification can supply rigorous proofs of safety and efficacy. In this paper, we build a hybrid system model of the human heart+ICD closed loop, and show it to be a STORMED system, a class of o-minimal hybrid systems that admit finite bisimulations. In general, it may not be possible to compute the bisimulation. We show that approximate reachability can yield a finite simulation for STORMED systems, which improves on the existing verification procedure. In the process, we show that certain compositions respect the STORMED property. Thus it is possible to model check important formal properties of ICDs in a closed loop with the heart, such as delayed therapy, missed therapy, or inappropriately administered therapy. The results of this paper are theoretical and motivate the creation of concrete model checking procedures for STORMED systems.
Houssam Abbas, Kuk Jin Jang, Zhihao Jiang, Rahul Mangharam
Department of Electrical and Systems Engineering
University of Pennsylvania, Philadelphia, PA, USA
{habbas, jangkj, zhihaoj, rahulm}
1 Introduction

Implantable Cardioverter Defibrillators (ICDs) are life-saving
medical devices. An ICD is implanted under the shoulder,
and connects directly to the heart muscle through two electrodes and continuously measures the heart's rhythm (Fig.
1). If it detects a potentially fatal accelerated rhythm known
as Ventricular Tachycardia (VT), the ICD delivers a high-
energy electric shock or sequence of pulses through the elec-
trodes to reset the heart’s electrical activity. Without this
therapy, the VT can be fatal within seconds of onset. In the
US alone, 10,000 people receive an ICD every month. Stud-
ies have presented evidence that patients implanted with
ICDs have a mortality rate reduced by up to 31% [19].
Unfortunately, ICDs suffer from a high rate of inappropri-
ate therapy due to poor detection of the current rhythm
on the part of the ICD.

Figure 1: ICD connected to a human heart via two electrodes. The ICD monitors three electrical signals (known as electrograms) traversing the heart muscle. (Labels in the figure: Right Atrium, Left Atrium, Right Ventricle, Left Ventricle, Right Ventricular Electrode, Can (Shock), Sensed Event (AS), Sensed Event (VS).)

In particular, a class of rhythms known as SupraVentricular Tachycardias (SVTs) can fool
the detection algorithms. Inappropriate shocks increase pa-
tient stress, reduce their quality of life, and are linked to
increased morbidity [22]. Depending on the particular ICD
and its settings, the rates of inappropriate therapy can range
from 46% to 62% of all delivered therapy episodes [9]. Cur-
rent practice for ICD verification relies heavily on testing
and software cycle reviews. With the advent of computer
models of the human heart, Model-Based Design (MBD) can
supply rigorous evidence of safety and efficacy. This paper
presents hybrid system models of the human heart and of
the common modules of ICDs currently on the market, and
shows that the closed loop formed by these models is for-
mally verifiable. The objective is to develop model checkers
for ICDs to further their MBD process.
No work exists on ICD verification. Earlier work on verifi-
cation of medical devices (formal or otherwise) focuses on
pacemakers. In [14] the authors developed timed automata
models of the whole heart+pacemaker loop which allows ver-
ification of LTL properties. In [6] the authors perform prob-
abilistic testing of Hybrid I/O automata models of heart and
pacemaker. However, these models cannot be symbolically verified.
Later work on pacemakers [18] develops a formalized cellu-
lar automata (CA) model of the heart and uses Event-B for
expressing its properties, and in [12] invariants of pacemaker
and cardiac cells are verified. The ICD algorithms are more
complex than a pacemaker’s: an ICD measures the timing of
events, but also measures and processes the morphology of the electrical signal in the heart to distinguish many types of arrhythmias. Thus, we need three models for ICD verification: a timing and voltage model of the heart, a model of the ICD's algorithms, and a model for voltage measurement by the ICD electrodes. This takes the model out of the realm of timed automata and into hybrid automata proper. More generally, approaches to approximate verification of similar hybrid systems include falsification of general Metric Temporal Logic properties [5] and δ-reachability [16].

arXiv:1512.08083v1 [cs.SY] 26 Dec 2015

Figure 2: The whole heart is modeled as a 2D mesh of cells (Section 3). The ICD electrodes are shown in the right atrium and ventricle. The electrogram signals measured through the electrodes are processed by the sensing module (ICD Sensing, see Section 4). The detection algorithm (Section 5) determines the current rhythm using the processed signal (ICD Detection). (Labels in the figure: Human Heart / Cellular Automata Model with (SA) Node, (AV) Node, Right Ventricular Apex (RVA), Atrial Electrode and Ventricular Electrode; ICD Sensing with Peak Tracking and Dynamic Sensitivity (Exponential Decay); ICD Detection with Three Consecutive Fast Intervals and Vector Timing.)
The first contribution of this paper is to develop a hybrid
system model of the heart, the ICD measurement process,
and of the algorithmic components of ICDs from most ma-
jor manufacturers on the market (Fig. 2). We show that
the composition of these three models admits a finite bisimulation [1]. The ICD models presented here are the first formalization of ICD operation to the best of our knowledge.
To establish this result we use the theory of STORMED hybrid systems [27], a class of hybrid systems that have finite
bisimulations. Our second contribution is two general results
for STORMED systems. First we prove that parallel com-
positions of STORMED systems yield STORMED systems.
Secondly, we show that any definable over-approximate reach
tubes can replace the exact trajectories of a STORMED sys-
tem, yielding a system that still admits a finite simulation
(but no longer a bisimulation). Finally, we show that the
reach sets computed by the reachability tool SpaceEx [8] (a
widely used and scalable reachability tool) are definable and
so can be used to build the simulation. Thus SpaceEx can
be used as part of a model checker for STORMED systems.
Our interest is not simply in a particular manufacturer's
arrhythmia detection algorithm: rather, we are interested
in those components that are common to most of them,
thus making our results relevant to them. The compo-
nents we model or some variation on them are included in
the ICDs of Boston Scientific, Medtronic, Saint-Jude Med-
ical and Biotronik. This is the first example of a practical
STORMED system that the authors are aware of.
Organization. Section 2 covers some preliminaries on hybrid systems. Section 3 presents the heart model, and Sections 4-5 model the ICD. Sections 6 and 7 prove general results on STORMED systems: namely that a definable over-approximation of the flows such as that computed by SpaceEx preserves finiteness of the simulation, and that compositions of STORMED systems are STORMED.

Algorithm 1 Computing a bisimulation respecting $\sim$
Require: Transition system $T = (Q, \Sigma, \to, Q_0)$, equivalence relation $\sim$.
Set $\mathcal{S} = Q/\!\sim$
while $\exists P, P' \in \mathcal{S}$ and $\sigma \in \Sigma$ s.t. $\emptyset \ne P' \cap Post_\sigma(P) \ne P'$ do
    Set $\mathcal{S} = \mathcal{S} \setminus \{P'\} \cup \{P' \cap Post_\sigma(P),\ P' \setminus Post_\sigma(P)\}$
end while
Return $\mathcal{S}$
2 Preliminaries

This section presents fairly standard definitions on hybrid
systems and their simulations [1]. It also defines STORMED
hybrid systems, which admit finite bisimulations [27].
2.1 Transition and hybrid systems
Definition 2.1. A transition system $T = (Q, \Sigma, \to, Q_0)$ consists of a set of states $Q$, a set of events $\Sigma$, a transition relation $\to \subset Q \times \Sigma \times Q$, and a set of initial states $Q_0$. We write $q \xrightarrow{\sigma} q'$ to denote a transition element $(q, \sigma, q') \in \to$. Given $P \subseteq Q$, we define $Post_\sigma(P) := \{q' \mid \exists q \in P.\ q \xrightarrow{\sigma} q'\}$. Given an equivalence relation $\sim$ on $Q$, the quotient system $T/\!\sim$ is $T/\!\sim\ = (Q/\!\sim, \{*\}, \to_\sim, Q_0/\!\sim)$ where $[q] \to_\sim [q']$ iff $q \xrightarrow{\sigma} q'$ for some $\sigma \in \Sigma$. Here $[q]$ is the equivalence class of $q$ and $Q/\!\sim$ is the set of equivalence classes of $\sim$.

Definition 2.2. Given two transition systems $T_1$ and $T_2$ with the same state space $Q$, a simulation relation from $T_1$ to $T_2$ is a relation $\mathcal{S} \subset Q \times Q$ such that for all $(q_1, q_2) \in \mathcal{S}$, if $q_1 \xrightarrow{\sigma} q_1'$, there exists a $q_2' \in Q$ s.t. $q_2 \xrightarrow{\sigma} q_2'$ and $(q_1', q_2') \in \mathcal{S}$. A bisimulation relation between $T_1$ and $T_2$ is both a simulation relation from $T_1$ to $T_2$ and from $T_2$ to $T_1$.

The bisimulation $\mathcal{B}$ is said to respect $\sim$ if $(q, q') \in \mathcal{B} \Rightarrow q \sim q'$. The following algorithm (Algorithm 1), if it terminates, yields a finite bisimulation for $T$ that respects the given equivalence relation $\sim$ [1]. Moreover, it is the coarsest bisimulation (with respect to inclusion) that respects $\sim$. Given a set of atomic propositions $AP$, if $\sim$ is s.t. $q \sim q'$ iff both states satisfy exactly the same set of atomic propositions, then model checking temporal logic properties can be done on the finite bisimulation instead of the possibly infinite $T$.
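Algorithm 1 on a finite transition system, as an added example that is not part of the paper. refine() is the while-loop of Algorithm 1 with the splitting operator left as a parameter: post reproduces the loop exactly as printed above (a block P' is cut by Post_σ(P)), while pre is the Pre-based splitter used in the classical bisimulation algorithm of [1]. is_bisimulation() checks the resulting partition directly against Definition 2.2. The six-state system, its events and labels are constructed for illustration; on it the two splitters differ, because the Post-based loop never separates q5 (no b-successor) from q1 and q2.

```python
# Partition refinement on a finite transition system T = (Q, Sigma, ->, Q0).
# refine() is the while-loop of Algorithm 1 with the splitting operator as a
# parameter; post() reproduces the loop as printed (a block P' is cut by
# Post_sigma(P)), pre() is the Pre-based splitter of the classical algorithm.

def post(trans, block, sigma):
    """Post_sigma(block) = {q' | exists q in block. q -sigma-> q'} (Definition 2.1)."""
    return {q2 for (q1, s, q2) in trans if s == sigma and q1 in block}


def pre(trans, block, sigma):
    """Pre_sigma(block) = {q | exists q' in block. q -sigma-> q'}."""
    return {q1 for (q1, s, q2) in trans if s == sigma and q2 in block}


def initial_partition(states, labels):
    """Q/~ for q ~ q' iff both states satisfy the same atomic propositions."""
    blocks = {}
    for q in states:
        blocks.setdefault(labels[q], set()).add(q)
    return {frozenset(b) for b in blocks.values()}


def refine(states, events, trans, labels, operator):
    """Split blocks until no block P' is cut by operator(P, sigma) for any P, sigma."""
    S = initial_partition(states, labels)
    while True:
        split = None
        for P in S:
            for Pp in S:
                for sigma in events:
                    img = operator(trans, P, sigma)
                    inter = Pp & img
                    if inter and inter != Pp:
                        split = (Pp, inter, Pp - img)
                        break
                if split:
                    break
            if split:
                break
        if split is None:
            return S
        Pp, p1, p2 = split
        S = (S - {Pp}) | {frozenset(p1), frozenset(p2)}


def is_bisimulation(partition, trans):
    """Definition 2.2 on the relation induced by the partition: whenever q1 ~ q2 and
    q1 -s-> q1', some q2 -s-> q2' exists with q1' ~ q2'."""
    block_of = {q: B for B in partition for q in B}
    for (q1, s, q1p) in trans:
        for q2 in block_of[q1]:
            if not any(block_of[q2p] == block_of[q1p]
                       for (r, s2, q2p) in trans if r == q2 and s2 == s):
                return False
    return True


# Constructed sample system (not from the paper): q1, q2 and q5 carry the same
# label and are all a-successors of q0, but q5 has no b-successor.
STATES = {"q0", "q1", "q2", "q3", "q4", "q5"}
EVENTS = {"a", "b"}
TRANS = {("q0", "a", "q1"), ("q0", "a", "q2"), ("q0", "a", "q5"),
         ("q1", "b", "q3"), ("q2", "b", "q4"),
         ("q3", "a", "q3"), ("q4", "a", "q4")}
LABELS = {"q0": frozenset(), "q1": frozenset({"p"}), "q2": frozenset({"p"}),
          "q5": frozenset({"p"}), "q3": frozenset({"r"}), "q4": frozenset({"r"})}


def run(operator):
    """Number of blocks produced and whether the result is a bisimulation."""
    S = refine(STATES, EVENTS, TRANS, LABELS, operator)
    return len(S), is_bisimulation(S, TRANS)


if __name__ == "__main__":
    print("Post splitter:", run(post))  # (3, False): q5 stays with q1, q2
    print("Pre splitter: ", run(pre))   # (4, True)
```

The result of refine() is independent of the order in which blocks are visited, since the coarsest stable partition is unique; what does matter is the operator, and the check against Definition 2.2 is the cheap way to confirm that the partition one has computed is the one the temporal-logic model checker is allowed to use.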
Definition 2.3. A hybrid automaton is a tuple
$$H = (X, L, H_0, \{f_\ell\}, Inv, E, \{R_{ij}\}_{(i,j) \in E}, \{G_{ij}\}_{(i,j) \in E})$$
where $X \subset \mathbb{R}^n$ is the continuous state space equipped with the Euclidean norm $\|\cdot\|$, $L \subset \mathbb{N}$ is a finite set of modes, $H_0 \subset X \times L$ is an initial set, $\{f_\ell\}_{\ell \in L}$ determine the continuous evolutions with unique solutions, $Inv : L \to 2^X$ defines the invariants for every mode, $E \subset L^2$ is a set of discrete transitions, $G_{ij} \subset X$ is the guard set for the transition (so $H$ transitions $i \to j$ when $x \in G_{ij}$), and $R_{ij} : X \to X$ is an edge-specific reset function.

Set $\mathbf{H} = L \times X$. Given $(\ell, x_0) \in \mathbf{H}$, the flow $\theta_\ell(\cdot; x_0) : \mathbb{R}_+ \to \mathbb{R}^n$ is the solution to the IVP $\dot x(t) = f_\ell(x(t))$, $x(0) = x_0$. The associated transition system is $T_H = (\mathbf{H}, E \cup \{\tau\}, \to, H_0)$ with $\to\ = (\bigcup_{e \in E} \xrightarrow{e}) \cup \xrightarrow{\tau}$, where $(i, x) \xrightarrow{e} (j, y)$ iff $e = (i, j)$, $x \in G_{ij}$, $y = R_{ij}(x)$, and $(i, x) \xrightarrow{\tau} (j, y)$ iff $i = j$ and there exists a flow $\theta_i(\cdot; x)$ of $H$ and $t \ge 0$ s.t. $\theta_i(t; x) = y$ and for all $0 \le t' \le t$, $\theta_i(t'; x) \in Inv(i)$. For a set $P \subset \mathbf{H}$, $P|_X$ denotes its projection onto $X$, and $P|_L$ its projection onto $L$.
Definition 2.4. [Reachability] Let $H$ be a hybrid system with hybrid state space $\mathbf{H}$, $I = [0, b) \subset [0, +\infty)$ be a (possibly unbounded) interval, $t \in I$, and $\varepsilon > 0$. The $\varepsilon$-approximate continuous reachability operator $R^\varepsilon_t : 2^{\mathbf{H}} \to 2^{\mathbf{H}}$ is given by
$$R^\varepsilon_t(P) = \{(i, x) \in \{i\} \times X \mid \exists x_0 \in P|_X,\ t \ge 0.\ \|\theta_i(t; x_0) - x\| \le \varepsilon\}$$
where $P = \{i\} \times W$, $W \subset Inv(i)$. Define also $R^\varepsilon_I(P) = \bigcup_{t \in I} R^\varepsilon_t(P)$. The (exact) discrete reachability operator is:
$$R_d(P) = \bigcup_{j : (i,j) \in E} R_{ij}(P \cap G_{ij})$$
For a hybrid system, $Post_\sigma$ computes the forward reach sets, and is implemented by $R^0_{[0,\infty)}$ and $R_d$. Algorithm 1, applied to $T_H$, implements the following iteration, in which $F_t(\mathcal{P})$ is the coarsest bisimulation with respect to $\xrightarrow{\tau}$ (footnote 1) respecting the partition $\mathcal{P}$, and $F_d(\mathcal{P}) := \{(h_1, h_2) \mid (h_1 \xrightarrow{e} h_1') \Rightarrow (\exists e' \in E,\ h_2 \xrightarrow{e'} h_2')\} \cap \mathcal{P}$ [27]:
$$W_0 = F_t(Q/\!\sim), \qquad \forall i \ge 0,\ W_{i+1} = F_t(F_d(W_i)) \quad (1)$$
This iteration (equivalently, Alg. 1) does not necessarily terminate for hybrid systems because the reach set might intersect a given block of $Q/\!\sim$ an infinite number of times (see [17] for an example). The class of systems introduced in the next section has the property that Algorithm 1 does terminate for it and returns a finite $\mathcal{S}$.
2.2 O-minimality and STORMED systems
We give a very brief introduction to o-minimal structures. A more detailed introduction can be found in [17] and references therein. We are interested in sets and functions in $\mathbb{R}^n$ that enjoy certain finiteness properties, called order-minimal (o-minimal) sets. These are defined inside structures $\mathcal{A} = (\mathbb{R}, <, +, -, \cdot, \exp, \ldots)$. The subsets $Y \subset \mathbb{R}^n$ we are interested in are those that are definable using first-order formulas $\varphi$: $Y = \{(a_1, \ldots, a_n) \in \mathbb{R}^n \mid \varphi(a_1, \ldots, a_n)\}$. (First-order formulas use the boolean connectives and the quantifiers $\forall, \exists$.) The atomic propositions from which the formulas are recursively built allow only the operations of the structure $\mathcal{A}$ on the real variables and constants, and the relations of $\mathcal{A}$ and equality. For example $2x - 3.6y < 3z$ and $x = y$ are valid atomic propositions of the structure $\mathcal{L}_{\mathbb{R}} = (\mathbb{R}, <, +, -, \cdot)$, while $\cosh(x) < 3z$ is not because $\cosh$ is not in the structure. These structures are already sufficient to describe a set of dynamics rich enough for our purposes and for various classes of linear systems.

Footnote 1: I.e., $F_t$ only considers the continuous transition relation. Namely, it is a bisimulation of $T^c_H := (Q/\!\sim, \{*\}, \xrightarrow{\tau}, Q_0/\!\sim)$.
Definition 2.5. A theory of $(\mathbb{R}, \ldots)$ is o-minimal if the only definable subsets of $\mathbb{R}$ are finite unions of points and (possibly unbounded) intervals. A function $f : x \mapsto f(x)$ is o-minimal if its graph $\{(x, y) \mid y = f(x)\}$ is a definable set.
We use the terms o-minimal and definable interchangeably, and they refer to $\mathcal{L}_{\exp} = (\mathbb{R}, <, +, -, \cdot, \exp)$, which is known to be o-minimal. The dot product between $x, y \in \mathbb{R}^n$ is denoted $x \cdot y$, and $d(Y, S) = \inf\{\|y - s\| \mid (y, s) \in Y \times S\}$.
Definition 2.6. [27] A STORMED hybrid system (SHS) $\Sigma$ is a tuple $(H, \mathcal{A}, \phi, b_-, b_+, d_{min}, \varepsilon, \zeta)$ where $H$ is a hybrid automaton, $\mathcal{A}$ is an o-minimal structure, $d_{min}, \varepsilon, \zeta$ are positive reals, $b_-, b_+ \in \mathbb{R}$ and $\phi \in X$ such that:
(S) The system is $d_{min}$-separable, meaning that for any $e = (\ell, \ell') \in E$ and $\ell'' \ne \ell'$, $d(R_e(G_{(\ell,\ell')}), G_{(\ell',\ell'')}) > d_{min}$ (footnote 2).
(T) The flows (i.e., the solutions of the ODEs) are Time-Independent with the Semi-Group property (TISG), meaning that for any $\ell \in L$, $x \in X$, the flow $\theta_\ell$ starting at $(\ell, x)$ satisfies: 1) $\theta_\ell(0; x) = x$, 2) for every $t, t' \ge 0$, $\theta_\ell(t + t'; x) = \theta_\ell(t'; \theta_\ell(t; x))$.
(O) All the sets and functions of $H$ are definable in the o-minimal structure $\mathcal{A}$.
(RM) The resets and flows are monotonic with respect to the same vector $\phi$, meaning that
1) (Flow monotonicity) for all $\ell \in L$, $x \in X$ and $t, \tau \ge 0$, $\phi \cdot (\theta_\ell(t+\tau; x) - \theta_\ell(t; x)) \ge \varepsilon\,\|\theta_\ell(t+\tau; x) - \theta_\ell(t; x)\|$, and
2) (Reset monotonicity) for any edge $(\ell, \ell') \in E$ and any $x, x^+ \in X$ s.t. $x^+ = R_{\ell,\ell'}(x)$,
  1. if $\ell = \ell'$, then either $x = x^+$ or $\phi \cdot (x^+ - x) \ge \zeta$;
  2. if $\ell \ne \ell'$, then $\phi \cdot (x^+ - x) \ge \varepsilon\,\|x^+ - x\|$.
(ED) Ends are Delimited: for all $e \in E$ we have $\phi \cdot x \in (b_-, b_+)$ for all $x \in G_e$.
Intuitively, the above conditions imply the trajectories of the
system always move a minimum distance along φwhether
flowing or jumping, which guarantees that no area of the
state space will be visited infinitely often. This is at the
root of the finiteness properties of STORMED systems. The
following result justifies the interest in STORMED systems:
they admit finite bisimulations.
Theorem 2.1. [27] Let $H$ be a STORMED hybrid system, and let $\mathcal{P}$ be an o-minimal partition of its hybrid state space. Then $H$ admits a finite bisimulation that respects $\mathcal{P}$.

Footnote 2: The original definition of separability [27] required the guards themselves to be separated, which is insufficient to guarantee that if $H$ flows, it flows a uniform minimum distance along $\phi$. Indeed assume the guards are separated. If $x \in G_{(\ell,\ell')}$ and $y = R_{(\ell,\ell')}(x)$, it can be that $y \in G_{(\ell',\ell'')}$ and thus a jump happens, even though $G_{(\ell,\ell')}$ and $G_{(\ell',\ell'')}$ are separated. Therefore we need $d(y, G_{(\ell',\ell'')}) > d_{min}$ for all $y \in R_e(G_e)$, which is the condition we use in Def. 2.6. The properties of SHS, in particular the existence of finite bisimulation, are therefore preserved by this change.

Figure 3: When the ICD makes a VT/SVT decision, all systems transition to mode End.
We need the following result in what follows.
Proposition 2.1. If the state space $X$ of a hybrid automaton $H$ is bounded, then its guards have delimited ends.
Proof. For all guard sets $G$ and all $x \in G$, $|\phi \cdot x| \le \|\phi\| \cdot \|x\| \le \|\phi\| \cdot \max\{\|x\| \mid x \in X\} < \infty$.
3 Heart model

For the verification of ICDs, we adopt the cellular automata
(CA)-based heart model developed in [24],[7]. This model
lies in-between high spatial fidelity but slow to compute
PDE-based whole heart models [26], and low spatial fidelity
but very fast-to-compute automata-based models [20]. PDE-
based models are not currently amenable to formal verifica-
tion, both theoretically and practically. Models based on
ionic currents [13] might be more accurate but are likely to
be more computationally expensive. Timed automata mod-
els can not simulate the electrograms needed for ICD verifi-
cation. CA-based models are appealing due to their intuitive
correspondence with the heart’s anatomy and function and
their relative computational simplicity. CA-based models
were used in [18],[2] and [6]. This paper’s model also has the
important advantage of forming the basis of software used
to train electrophysiologists, and allows interactive simula-
tion of surgical procedures like ablation [23]. In particular,
it can simulate fibrillation and other tachycardias.
This paper’s automata:All hybrid automata in this paper
have the whole state space as invariants and transitions are
urgent (taken immediately when the guard is enabled). We
also observe that, as will be seen in Section 5, i) the ICD
will always reach a decision of VT or SVT in finite time, ii)
at which point it resets its controlled (software) variables so
new values are computed for the next arrhythmia episode.
So while the heart can beat indefinitely, for the purposes of ICD verification, there's a uniform upper bound on the length of time of any execution. Let $D \ge 0$ be this duration ($D$ is on the order of 30 sec depending on device settings). Also, the electrogram (EGM) voltage signal $s$ has upper and lower bounds $\bar{s}$ and $\underline{s}$. Therefore, every mode of every automaton in what follows has a transition to mode End shown in Fig. 3. We don't show these transitions in the automata figures to avoid congestion.
3.1 Cellular automata model
The heart has two upper chambers called the atria and two lower chambers called the ventricles (Fig. 1). The synchronized contractions of the heart are driven by electrical activity. Under normal conditions, the SinoAtrial (SA) node (a tissue in the right atrium) spontaneously depolarizes, producing an electrical wave that propagates to the atria and then down to the ventricles (Fig. 2). In this model, the myocardium (heart's muscle) is treated as a 2D surface (so it has no depth), and discretized into cells, which are simply regions of the myocardium (Fig. 2). Thus we end up with $N^2$ cells in a square $N$-by-$N$ grid. A cell's voltage changes in reaction to current flow from neighboring cells, and in response to its own ion movements across the cell membrane. This results in an Action Potential (AP).

Figure 4: Hybrid model $H_c$ of one cell of the heart model. AP figure from [11]. $V_{th,2} > V_{th}$, $V_{max,2} < V_{max}$. (The figure shows the cell modes Phase 4, Phase 0, Phase 1, Phase 2, Phase 3 - ERP, Phase 3 - RRP and Upstroke 2, with guards comparing $V(i,j)$ against $V_{th}$, $V_{th,2}$, $V_{max}$, $V_{max,2}$ and $V_{min}$, the reset $t_p \leftarrow t$, and the mode dynamics $\dot V(i,j) = a(i,j)^T V$ in Phase 4, constant slopes $b, g > 0$ in the upstrokes, $\dot V(i,j) = 0$ at the plateau, and constant decay rates $d, d_2$ with $d > d_2 > 0$ in Phase 3.)
Fig. 4 shows how the AP is generated by a given cell [15]: in its quiescent mode (Phase 4), a cell $(i, j)$ in the grid has a cross-membrane voltage $V(i, j, t)$ equal to $V_{min} < 0$. As it gathers charge, $V(i, j, t)$ increases until it exceeds a threshold voltage $V_{th}$. The voltage then experiences a very fast increase (Phase 0), called the upstroke, to a level $V_{max} > 0$, after which it decreases (Phase 1) to a plateau (Phase 2). It stays at the plateau level for a certain amount of time $PD$, then decreases linearly to below $V_{th}$ (Phase 3 - ERP). Once below $V_{th}$ it is said to be in the Relative Refractory Period (Phase 3 - RRP). In Phase 3 - RRP, the cell can be depolarized a second time, albeit at a higher threshold $V_{th,2}$, more slowly, and to a lower plateau level $V_{max,2} < V_{max}$ (Upstroke 2). Otherwise, when the voltage reaches $V_{min}$ again, the cell enters the quiescent stage again. This model is suitable for both pacemaker and non-pacemaker cells, the main differences being in the duration of the plateau (virtually non-existent for pacemaker cells), and the duration of phases 0 and 4 (both are shorter for pacemaker cells).
In Fig. 4, $V(i, j) \in \mathbb{R}$ denotes the voltage in cell $(i, j)$ of the grid, and $V = (V(1,1), \ldots, V(N,N))^T \in \mathbb{R}^{N^2}$ groups the cross-membrane voltages of all cells in the heart. The whole heart model $H_{CA}$ is the parallel composition of these $N^2$ single-cell models. The $(i,j)$th cell's voltage at time $t$ in Phase 4 depends on that of its neighbors and its own as follows [24]:
$$\dot V(i, j, t) = \frac{1}{R_h}\big[V(i-1, j, t) + V(i+1, j, t) - 2V(i, j, t)\big] + \frac{1}{R_v}\big[V(i, j-1, t) + V(i, j+1, t) - 2V(i, j, t)\big] = a(i, j)^T V(t), \qquad a(i, j) \in \mathbb{R}^{N^2} \quad (2)$$
where $R_h, R_v$ are conduction constants that can vary across the myocardium. Thus $V$ evolves according to a linear ODE $\dot V = AV$ where $A$ is the matrix whose rows are the $a(i, j)$. The two states $t$ and $t_p$ are clocks. Clock $t_p$ records the time of the last discrete jump. We will use this arrangement in all our models: it avoids resetting the clocks to zero, which preserves Reset Monotonicity.
ICDs observe the electrical activity through three channels (Fig. 1). Each signal is called an electrogram (EGM) signal. The signal read on a channel is given by [7]:
$$s(t) = \sum_{i,j}\left(\frac{1}{\|p_{i,j} - p_0\|} - \frac{1}{\|p_{i,j} - p_1\|}\right)\dot V(i, j, t) \quad (3)$$
where $\|\cdot\|$ is the Euclidean norm, $p_0$ and $p_1$ are the electrodes' positions and $p_{i,j}$ is the position of the $(i,j)$th cell on the 2D myocardium ($p_0, p_1, p_{i,j} \in \mathbb{R}^2$). Positions $p_0, p_1$ should be chosen different from $p_{i,j}$ to avoid infinities.
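The Phase 4 coupling (2) and the electrogram (3) carried through in code, as an added example that is not the authors' simulator: coupling_matrix() builds the matrix $A$ whose rows are the $a(i,j)$ for an $N$-by-$N$ grid, simulate() integrates $\dot V = AV$ with explicit Euler after depolarizing one corner cell, and electrogram() evaluates (3) with the two electrodes placed just off the grid. Grid cells on the boundary are simply given the neighbours they have (a no-flux boundary; the paper does not say how it treats the boundary), the conduction constants, grid size and voltages are illustrative, and only the linear coupling is modeled, not the AP phases and their thresholds.

```python
import math

# Added example, not the authors' simulator: the Phase 4 coupling of eq. (2) on an
# N-by-N grid and the bipolar electrogram of eq. (3).  Boundary cells simply lack
# the missing neighbours (no-flux boundary; the paper does not state its choice).

def coupling_matrix(N, Rh, Rv):
    """Matrix A of Vdot = A V: row i*N+j is the vector a(i,j) of eq. (2)."""
    A = [[0.0] * (N * N) for _ in range(N * N)]
    for i in range(N):
        for j in range(N):
            r = i * N + j
            # (i-1,j),(i+1,j) couple through Rh; (i,j-1),(i,j+1) through Rv
            for di, dj, R in ((-1, 0, Rh), (1, 0, Rh), (0, -1, Rv), (0, 1, Rv)):
                ii, jj = i + di, j + dj
                if 0 <= ii < N and 0 <= jj < N:
                    A[r][ii * N + jj] += 1.0 / R
                    A[r][r] -= 1.0 / R      # the -2V(i,j) terms, one per present neighbour
    return A


def matvec(A, V):
    return [sum(a * v for a, v in zip(row, V)) for row in A]


def electrogram(Vdot, positions, p0, p1):
    """Eq. (3): weighted sum of the cells' dV/dt as seen from electrodes p0, p1."""
    s = 0.0
    for (x, y), vd in zip(positions, Vdot):
        d0 = math.hypot(x - p0[0], y - p0[1])
        d1 = math.hypot(x - p1[0], y - p1[1])
        s += (1.0 / d0 - 1.0 / d1) * vd
    return s


def simulate(N=8, Rh=1.0, Rv=2.0, dt=0.01, steps=200, Vmin=-80.0, Vmax=20.0):
    """Depolarise one corner cell of a quiescent grid and let the linear coupling
    spread it; returns the EGM trace s(t) sampled every dt (explicit Euler)."""
    A = coupling_matrix(N, Rh, Rv)
    V = [Vmin] * (N * N)
    V[0] = Vmax
    positions = [(float(i), float(j)) for i in range(N) for j in range(N)]
    p0, p1 = (-0.5, -0.5), (N - 0.5, N - 0.5)   # electrodes off the grid, cf. eq. (3)
    trace = []
    for _ in range(steps):
        Vdot = matvec(A, V)
        trace.append(electrogram(Vdot, positions, p0, p1))
        V = [v + dt * vd for v, vd in zip(V, Vdot)]
    return trace


if __name__ == "__main__":
    s = simulate()
    print("EGM at t=0: %.1f, at t=%.2f: %.3f" % (s[0], 200 * 0.01, s[-1]))
```

Two properties worth checking on any such matrix before trusting a simulated electrogram: every row of $A$ sums to zero (a uniform voltage is an equilibrium, so a resting heart produces $s = 0$), and $A$ is symmetric for spatially uniform $R_h, R_v$. The time step must also respect the stiffest eigenvalue of $A$, which is bounded by twice the largest diagonal magnitude.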
Extensions. The Action Potential Duration (APD) resti-
tution mechanism of heart cells as modeled in [24] can be
included in this model without changing its formal proper-
ties. More detailed APD restitution models exist [10]. Also,
note that cell topology (the way cells are connected to each
other) is not a factor in determining the STORMED prop-
erty, so other topologies than a rectangular mesh may be
We now state and prove the main result of this section.
Theorem 3.1. Let $H_{CA}$ be the whole heart cellular automaton model obtained by parallel composition of $N^2$ models $H_c$ with state vector $x = [V, t, t_p, s] \in \mathbb{R}^{N^2} \times \mathbb{R}^3$. Assume that all executions of the system have a duration of at most $D \ge 0$. Then $H_{CA}$ is STORMED.

Proof. We verify each property of STORMED. In this and all the proofs that follow, the approach is the same: (ED) holds by Prop. 2.1 because our state spaces are bounded. After establishing properties (S), (T) and (O), we draw up the constraints on $\phi$ and $\varepsilon$ imposed by reset and flow monotonicity (property (RM)). Then we argue that these constraints can be solved for $\phi$ and $\varepsilon$. Often there is more than one solution and we just point to one.
(S) Separability holds because $V_{min} < V_{th} < V_{th,2} < V_{max,2} < V_{max}$ and $PD > 0$, $D_{Ph1} > 0$. For example, on transition Phase 4 → Phase 0, $V(i,j) = V_{th}$, which is separated from the next guard $\{V(i,j) > V_{max}\}$ by $|V_{max} - V_{th}|$.
(T) All flows are linear or exponential and thus are TISG.
(O) The flows, resets and guard sets are all definable in $\mathcal{L}_{\exp}$. In particular the flow of $\dot V = AV$ is exponential with real exponent, and $s$ is a sum of exponentials and linear terms.
(RM) We seek a vector $\phi = (\phi_V, \phi_t, \phi_p, \phi_s)^T \in \mathbb{R}^{N^2+3}$ such that resets and flows are monotonic along $\phi$. Only transitions $p \to q \ne p$ are to be found in $H_{CA}$, during which only $t_p$ is reset. Always, $t_p^+ > t_p$, thus the reset is indeed monotonic as can be seen by choosing any $\varepsilon > 0$ and $\phi_p > \varepsilon$.
Monotonic flows: $\phi$ must also be such that in all modes:
$$\phi \cdot (\theta_\ell(t+\tau; x) - \theta_\ell(t; x)) \ge \varepsilon\,\|\theta_\ell(t+\tau; x) - \theta_\ell(t; x)\|$$
Decomposing, we want
$$\phi_V \cdot (V(t+\tau) - V(t)) + \phi_t \tau + \phi_p \cdot 0 + \phi_s \cdot (s(x, t+\tau) - s(x, t)) \ \ge\ \varepsilon\,\|\theta_\ell(x, t+\tau) - \theta_\ell(x, t)\| \quad (4)$$
Now note that all flows have bounded derivatives in every bounded duration of flow and are thus Lipschitz. Let $L_V$ be the Lipschitz constant of $V(t)$ and $L_s$ that of $s(t)$. Then on the LHS of the above inequality we have, by Cauchy-Schwarz, $\phi_V \cdot (V(t+\tau) - V(t)) + \phi_s \cdot (s(t+\tau) - s(t)) \ge -\|\phi_V\| L_V \tau - |\phi_s| L_s \tau$. On the RHS we have $\varepsilon(L_V \tau + L_s \tau + \tau) \ge \varepsilon(\|V(t+\tau) - V(t)\| + |s(t+\tau) - s(t)| + \tau) \ge \varepsilon\,\|\theta_\ell(x, t+\tau) - \theta_\ell(x, t)\|$. Thus (4) is satisfied if the stronger inequality
$$-\|\phi_V\| L_V \tau - |\phi_s| L_s \tau + \phi_t \tau \ \ge\ \varepsilon (L_V + L_s + 1)\,\tau$$
is satisfied. But this can be achieved by, for example, choosing $\phi_V = \phi_s = 0$ and $\phi_t \ge \varepsilon(L_V + L_s + 1)$.
(ED) Our system has bounded state spaces: $V$ and $s$ are voltages typically in the range $[-80, 60]$ mV and $t_p \le t \le D$. So (ED) holds by Prop. 2.1.

Figure 5: $H_{Sense}$. States not shown in a mode have a 0 derivative, e.g., $\dot{eF} = 0$ in all modes. (Modes in the figure: Peak Tracking, Blanking, Exponential Decay. Guards shown: $y \ge Th$?, $\dot y == 0 \wedge \ddot y < 0$?, $t - t_p \ge MinTP \wedge f == 1$?, $t - t_p \ge BlankingPeriod$?. Resets shown include $t_p \leftarrow t$, $y_M \leftarrow y$, $f \leftarrow 1$, $y_M \leftarrow 0$, $f \leftarrow 0$, $Th_0 \leftarrow (3/4)\,y_M$, $eF \leftarrow -(1/3)\ln(minTh/Th)$; in Exponential Decay, $Th = \max\{minTh, decTh\}$.)

Figure 6: Example of dynamic threshold adjustment in ICD sensing algorithm. The shown signal is rectified. (Plot: time in ms on the horizontal axis, from 9100 to 10000; amplitude in mV on the vertical axis; traces labeled Ventricular Signal, Threshold, Minimum Threshold and Blanking Period.)
4 ICD sensing

Sensing is the process by which cardiac signals $s$ measured through the leads of the ICD are converted to cardiac timing events. The ICD sensing algorithm is a threshold-based algorithm which declares events when the signal exceeds a dynamically-adjusted threshold $Th$.
Fig. 5 shows the model $H_{Sense}$ of the sensing algorithm, and Fig. 6 illustrates its operation. The sensing takes place on the rectified EGM signal $y = |s|$. After an event is declared at the current threshold value ($y(t) \ge Th(t)$ in Fig. 5), the algorithm tracks the signal in order to measure the next peak's amplitude (Peak Tracking). For a duration $MinTP$ (min tracking period) the latest peak is saved in $y_M$. A variable $f$ indicates that a peak was found. After a peak is found ($f == 1$) and after the end of the tracking period, the algorithm enters a fixed Blanking Period (Blanking), during which additional events are ignored. On the transition to Blanking, $Th$ and $Th_0$ are set to 3/4 the current value of $y_M$ and the exponential factor of decay is updated ($eF = -\frac{1}{3}\ln\frac{minTh}{Th}$). At the end of the blanking period, the algorithm then transitions to the Exponential Decay mode in which $Th$ decays exponentially from $Th_0$ to a minimum level (Exponential Decay): $Th(t) = \max(minTh,\ Th_0 \cdot \exp(-(eF/TC)\,t))$. The algorithm stays in the Exponential Decay mode for at least a sampling period of $MinDecP$. Correspondingly, there is a de facto Maximum Decay Period $MaxDecP$ after which the system transitions again to PeakTracking, since the signal $y$ is bound to exceed the minimum threshold $minTh$. Different manufacturers may use a step-wise decay instead of exponential, but the principle is the same. Local peak detection is modeled via the $\dot y = 0 \wedge \ddot y < 0$ transition. While $y = |s|$ is non-differentiable at 0, the peak will occur away from 0, as shown in Fig. 6. The other states in Fig. 5 are $t$, $t_p$ (clocks). $minTh$ and $TC$ are constant parameters.
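The three modes of $H_{Sense}$ run over a sampled signal, as an added example that is not the paper's model or any manufacturer's code. sense() follows the description above: events are declared in Exponential Decay when $y \ge Th$, the next local maximum is tracked for $MinTP$, the transition to Blanking sets $Th_0 = (3/4)y_M$ and $eF$, and after $BlankingPeriod$ the threshold decays from $Th_0$ toward $minTh$. Three choices are assumptions: the decay is evaluated on $t - t_p$ (the paper's clocks are never reset, so $t_p$ marks the last jump), $Th_0$ is clamped to at least $minTh$ so that $eF \ge 0$, and the local maximum is taken from three consecutive samples in place of $\dot y = 0 \wedge \ddot y < 0$. The EGM itself is synthetic: a narrow 5 mV deflection per beat followed 150 ms later by a broad, low-amplitude deflection that the decaying threshold should ignore; the parameter values are illustrative.

```python
import math

# Added example, not the paper's model: a discrete-time run of H_Sense (Fig. 5)
# on a constructed 1 kHz electrogram.  Clocks follow the paper's convention: tp
# holds the time of the last jump and is never reset to zero.

def synthetic_egm(duration_ms=2500, spike_times=(100, 500, 900, 1300, 1700, 2100),
                  amp=5.0, twave=0.8):
    """Constructed EGM (not patient data): a narrow 5 mV deflection at each spike
    time and a broad, low-amplitude negative deflection 150 ms later."""
    sig = []
    for t in range(duration_ms):
        v = 0.0
        for ts in spike_times:
            v += amp * math.exp(-((t - ts) ** 2) / (2 * 5.0 ** 2))
            v -= twave * math.exp(-((t - ts - 150) ** 2) / (2 * 20.0 ** 2))
        sig.append(v)
    return sig


def sense(signal, dt=1.0, min_th=0.5, tc=100.0, min_tp=20.0, blanking=120.0,
          min_decp=0.0):
    """Run H_Sense over samples s(k*dt).  Returns (event times, threshold trace)."""
    th0, eF, tp = min_th, 0.0, 0.0        # Th0, eF and the last-jump clock tp
    mode, yM, f = "decay", 0.0, 0
    y1 = y2 = None                          # y(t-dt), y(t-2dt) for peak detection
    events, trace = [], []
    for k, s in enumerate(signal):
        t = k * dt
        y = abs(s)                          # sensing works on the rectified EGM
        if mode == "decay":
            # Th(t) = max(minTh, Th0 * exp(-(eF/TC) * (t - tp)))  (assumes t - tp)
            th = max(min_th, th0 * math.exp(-(eF / tc) * (t - tp)))
            if t - tp >= min_decp and y >= th:          # event: y(t) >= Th(t)
                events.append(t)
                tp, yM, f, mode = t, 0.0, 0, "track"
        elif mode == "track":
            th = th0
            if y2 is not None and y1 > y2 and y1 >= y:  # local maximum at t - dt
                yM, f = y1, 1
            if t - tp >= min_tp and f == 1:             # end of tracking period
                th0 = max(min_th, 0.75 * yM)            # clamp keeps eF >= 0 (assumption)
                eF = (1.0 / 3.0) * math.log(th0 / min_th)   # = -(1/3) ln(minTh/Th0)
                th, tp, mode = th0, t, "blank"
        else:                                           # blanking: events ignored
            th = th0
            if t - tp >= blanking:
                tp, mode = t, "decay"
        trace.append(th)
        y2, y1 = y1, y
    return events, trace


if __name__ == "__main__":
    ev, tr = sense(synthetic_egm())
    print("sensed events (ms):", ev)       # one event a few ms before each spike
    print("threshold range (mV): %.2f .. %.2f" % (min(tr), max(tr)))
```

With $eF = \frac{1}{3}\ln\frac{Th_0}{minTh}$ the threshold reaches $minTh$ exactly $3\,TC$ after the blanking period ends, which is the knob a practitioner would tune against the slowest rhythm that must still be sensed; the usage above sets $TC = 100$ ms so that a beat arriving 400 ms after the previous one is sensed while the low-amplitude deflection 150 ms after each beat is not.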
Theorem 4.1. $H_{Sense}$ is STORMED.

Proof. (S) By definition, we only need to consider transitions between different modes to establish separability. For all such transitions, there is a minimum dwell time in the mode before taking the transition, namely $MinTP$ in PeakTracking, $BlankingPeriod$ in Blanking, and $MinDecP$ in mode ExponentialDecay. So the system is separable since there is a uniform minimum flow before jumping.
(T) Flows are either constant, (piece-wise) linear, or piece-wise linear and exponential (in the case of $y$ and its derivatives) and therefore are TISG.
(O) All the flows, resets and guard sets are definable in $\mathcal{L}_{\exp}$. (The absolute value and max functions can be broken down into boolean disjunctions of definable functions, and $t \mapsto \ln(t)$ is o-minimal by o-minimality of $\exp$.)
(RM) The state is $x = (t, t_p, y, y_M, f, Th, Th_0, eF) \in \mathbb{R}^8$, and let $\phi = (\phi_t, \phi_p, \phi_y, \phi_m, \phi_f, \phi_{Th}, \phi_0, \phi_{eF})$ be the corresponding $\phi$ vector. Recall that the EGM voltage $s$, and so $y = |s|$, is upper-bounded by $V_M$.

ExponentialDecay → PeakTracking. Only $t_p$, $y_M$ and $f$ are modified, so monotonicity produces the constraint
$$\phi_p (t - t_p) + \phi_m (0 - y_M) + \phi_f (0 - 1) \ \ge\ \varepsilon\,\|(t - t_p,\ -y_M,\ -1)\|$$
We require the stronger constraint to hold:
$$\phi_p\, MinDecP - \phi_m V_M - \phi_f \ \ge\ \varepsilon\,(MaxDecP + V_M + 1)$$

PeakTracking → PeakTracking. Only $y_M$ and $f$ are reset. Algebraic manipulation yields $2V_M \phi_m + \phi_f \ge \zeta$.

PeakTracking → Blanking. Only $t_p$, $eF$, $Th$ and $Th_0$ are reset, so we get
$$\phi_p (t - t_p) + \phi_{eF}\Big(-\tfrac{1}{3}\ln\tfrac{minTh}{Th} - eF\Big) + \phi_{Th}\Big(\tfrac{3 y_M}{4} - Th\Big) + \phi_0\Big(\tfrac{3 y_M}{4} - Th_0\Big) \ \ge\ \varepsilon\Big(|t - t_p| + \Big|-\tfrac{1}{3}\ln\tfrac{minTh}{Th} - eF\Big| + \Big|\tfrac{3 y_M}{4} - Th\Big| + \Big|\tfrac{3 y_M}{4} - Th_0\Big|\Big)$$
$Th$ is lower-bounded by $minTh$ at all times, and it is naturally upper-bounded by $V_M$ as the threshold should never exceed the largest possible attainable voltage. By the same token, $0 \le eF \le \frac{1}{3}\ln(V_M / minTh)$. Then we want the stronger inequality
$$\phi_p\, MinTP + \phi_{eF}\Big(0 - \tfrac{1}{3}\ln\tfrac{V_M}{minTh}\Big) + \phi_{Th}(-V_M) + \phi_0(-V_M) \ \ge\ \varepsilon\Big(MaxTP + \Big|\tfrac{1}{3}\ln\tfrac{V_M}{minTh}\Big| + |V_M| + |V_M|\Big)$$

Blanking → ExponentialDecay. Only $t_p$ is reset and therefore we want $\phi_p (t - t_p) \ge \varepsilon\,|t - t_p|$, thus the transition yields $\phi_p \ge \varepsilon$.

The above equations can be simultaneously satisfied. The simplest thing would be to set all $\phi$ terms that appear above to 0 except for $\phi_t, \phi_p$, which are calculated accordingly.
The flows can be shown to be monotonic along the same $\phi$ and with the same $\varepsilon$. For example, in mode ExponentialDecay, only $t$, $y$ and $Th$ flow. Making use of the $V_M$ bound on $y$, we get the constraint $\phi_t \tau - 2V_M \phi_y + \phi_{Th}(Th(t+\tau) - Th(t)) \ge \varepsilon(\tau + 2V_M + |Th(t+\tau) - Th(t)|)$, which yields $\phi_t \ge \varepsilon$, $\phi_y \le -\varepsilon$ and $\phi_{Th} \le -\varepsilon$. Similarly for the rest.
5 ICD detection

Ventricular Tachycardia (VT) is an example of a tachycardia originating in the ventricles, in which the ventricles spontaneously beat at a very high rate. If the VT is sustained, or degenerates into Ventricular Fibrillation (VF), it can be fatal. A tachycardia that originates above the ventricles is referred to as a SupraVentricular Tachycardia (SVT) and is a diseased but non-fatal condition. In what follows, we will refer to sustained VT and VF together as VT. The ICD's main task is to discriminate VT from SVT and deliver therapy to the former only.
Most VT/SVT detection algorithms found in ICDs today are composed of individual discriminators. A discriminator is a software function whose task is to decide whether the current arrhythmia is SVT or VT. No one discriminator can fully distinguish between SVT and VT. Thus a detection algorithm is often a decision tree built using a number of discriminators running in parallel. The detection algorithm of Boston Scientific is shown in Fig. 7 [3]. We have modeled each discriminator in this detection algorithm as a STORMED hybrid system. The algorithm itself is then a hybrid system. The ICD system is thus $H_{ICD} = H_{Sense} \,\|\, H_{DetectionAlgo}$ where $H_{DetectionAlgo}$ is the parallel composition of the discriminator systems. In what follows, we present three of these discriminators we modeled, which are found in most ICDs, model them as hybrid systems, and prove they are STORMED.
5.1 Three Consecutive Fast Intervals
Our first module simply detects whether three consecutive
fast intervals have occurred, where ‘fast’ means the interval
length, measured between 2 consecutive peaks on the EGM
signal, is shorter than some pre-set amount. See Fig. 8.
States $t$ and $t_p$ are clocks as before. The vector $L_3$ is three-dimensional, and stores the values of the last three intervals. The event VEvent? is shorthand for the transition $y(t) \ge Th$ being taken by the $H_{Sense}$ automaton. In other words, it indicates a ventricular event. Then $L_3$ gets reset to $L_3^+ = (z_1, z_2, z_3)^+ := \mathrm{Circulate}(L_3, t - t_p)$ where
Figure 7: Boston Scientific’s detection algorithm. (Figure not reproduced; node labels recoverable from the figure: Initial Detection; Last 10; 8/10 intervals faster than VT threshold; 8/10 intervals faster than VF threshold; V rate > A rate by at least 10 bpm; A-fib Rate = TRUE & V rate unstable; VT Duration; VF Duration.)
Figure 8: Three Consecutive Fast Intervals $H_{TCFI}$. (Figure not reproduced; recoverable labels: clocks $t_p$, $t$ and the reset $L_3 \leftarrow \mathrm{Circulate}(L_3, t)$.)
Lemma 5.1. $H_{TCFI}$ is STORMED.
Proof. We show that the resets are monotonic; the other properties are easily checked. For reset monotonicity, we invoke the fact that there is a minimum beat-to-beat separation: heartbeats can’t follow one another with vanishingly small delays. In other words, there exists $m > 0$ such that $t - t_p > m$. Similarly, there’s a maximum delay between two heartbeats, call it $B$. Now, we seek a vector $\varphi \in \mathbb{R}^5$ s.t.
$$\underbrace{\varphi\cdot(x^+ - x^-) = \varphi_p\,(t - t_p) + \varphi_{L_3}\cdot\delta \;\ge\; \zeta > 0}_{\text{Want}} \qquad (6)$$
where $\delta = L_3^+ - L_3$. Now $|\delta|$ is upper bounded by $\sqrt{3\cdot(2B)^2}$ since each element is the difference of intervals shorter than $B$. Also, $t - t_p \ge m > 0$. So choose $\varphi_{L_3} = (\varphi_{z,1}, \varphi_{z,2}, \varphi_{z,3}) > 0$ elementwise. (6) is satisfied if the following stronger inequality is satisfied, which can be achieved by an appropriate choice of
5.2 Vector Timing Correlation
It has been clinically observed that a depolarization wave
originating in the ventricles (as produced during VT for ex-
ample) will in general produce a different EGM morphology
than a wave originating in the atria (as produced during
SVT) [3]. See Fig. 9. A morphology discriminator mea-
sures the correlation between the morphology of the current
EGM and that of a stored template EGM acquired during
normal sinus rhythm. If the correlation is above a pre-set
threshold for a minimum number of beats, then this is an
indication that the current arrhythmia is supraventricular
in origin. Otherwise, it might be of ventricular origin.
Figure 9: EGMs of different origin have different morphologies. The correlation of an EGM with respect to a stored EGM template is used to determine the origin. (Figure not reproduced; panels: NSR Template vs. Ventricular Origin, and NSR Template vs. Atrial Origin.)
Figure 10: VTC calculation. $iT_s$ is the sampling time for the $i$th fiducial point, $i = 1,\ldots,8$. $R2_1,\ldots,R2_8$ are the corresponding resets. For clarity of the figure, 8 transitions are represented on the same edge. (Figure not reproduced; recoverable labels: modes IDLE and Calculate VTC; an edge guarded by WindowEnds & $\rho_{new} < th$? with reset $\vec{\nu} \leftarrow \mathrm{Circulate}(\vec{\nu}, -1)$, $t, \mu, \alpha, \beta \leftarrow 0$, $w \leftarrow 1$ (R1); a self-loop guarded by $t == i\cdot T_s$? with reset $\mu \leftarrow \mu + s(t)$, $w \leftarrow 1$ (R2$_i$); and an edge guarded by WindowEnds & $\rho_{new} \ge th$? with reset $\vec{\nu} \leftarrow \mathrm{Circulate}(\vec{\nu}, 1)$, $t, \mu, \alpha, \beta \leftarrow 0$, $w \leftarrow 1$.)
Boston Scientific’s implementation of a morphology discriminator is called Vector and Timing Correlation (VTC). VTC first samples 8 fiducial points $s_i$, $i = 1,\ldots,8$ on the current EGM $s$ at pre-defined time instants. Let $s_{m,i}$ be the corresponding points on the template EGM. The correlation is then calculated as [3]
$$\rho_{new} = \frac{\big(8\sum_i s_i s_{m,i} - (\sum_i s_i)(\sum_i s_{m,i})\big)^2}{\big(8\sum_i s_i^2 - (\sum_i s_i)^2\big)\big(8\sum_i s_{m,i}^2 - (\sum_i s_{m,i})^2\big)}$$
Note that $s_m$ is a constant for the purposes of this calculation: it does not change during an execution of VTC. If 3 out of the last 10 calculated correlation values exceed the threshold, then SVT is decided and therapy is withheld.
The system of Fig. 10 implements the VTC discriminator. As before, $t$ is a local clock. $\mu$ accumulates the values of the current EGM, $\alpha$ accumulates the product $s_i s_{m,i}$, $\beta$ accumulates $s_i^2$. State $w$ is an auxiliary state we need to establish the STORMED property. $\vec{\nu}$ is a 10D binary vector: $\nu_i = -1$ if the $i$th correlation value fell below the threshold, and is $+1$ otherwise. $L_3$ is the state of $H_{TCFI}$: the guard condition $L_3 \le th$ indicates that all its entries have values less than the tachycardia threshold, which is when $H_{VTC}$ starts computing. WindowEnds indicates the ‘end’ of an EGM, measured as a window around the peak sensed by $H_{Sense}$.
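The VTC computation and its 3-of-10 decision rule, as an added worked example (not code from the paper or from Boston Scientific): the 8-point correlation $\rho_{new}$ of Section 5.2 is evaluated for each EGM window, the result is shifted into the 10-entry history vector $\vec{\nu}$ exactly as the $\mathrm{Circulate}(\vec{\nu}, \pm 1)$ resets of Fig. 10 do, and SVT is decided when 3 of the last 10 values exceeded the threshold. The template values, the two beat shapes, the threshold 0.94 and the all-$(-1)$ initial contents of $\vec{\nu}$ are constructed assumptions; the page gives none of them.

```python
"""Vector Timing Correlation (VTC) morphology discriminator of Section 5.2,
run over constructed EGM fiducial-point vectors.

Assumptions (not from the paper): the template values, the beat values, the
threshold 0.94 and the all-(-1) initial state of the 10-entry history vector.
"""
from typing import List, Sequence, Tuple

N_FIDUCIAL = 8          # 8 fiducial points s_i per EGM window
HISTORY = 10            # nu is a 10-entry vector of +1/-1 results
REQUIRED_MATCHES = 3    # 3 of the last 10 above threshold -> SVT, therapy withheld
VTC_THRESHOLD = 0.94    # constructed; the pre-set threshold is not given on the page


def vtc_correlation(s: Sequence[float], s_m: Sequence[float]) -> float:
    """rho_new: squared correlation between the 8 fiducial points of the
    current EGM s and those of the stored template s_m (Section 5.2 formula)."""
    if len(s) != N_FIDUCIAL or len(s_m) != N_FIDUCIAL:
        raise ValueError("expected exactly %d fiducial points" % N_FIDUCIAL)
    n = N_FIDUCIAL
    sum_s, sum_m = sum(s), sum(s_m)
    sum_sm = sum(a * b for a, b in zip(s, s_m))
    sum_s2 = sum(a * a for a in s)
    sum_m2 = sum(b * b for b in s_m)
    num = (n * sum_sm - sum_s * sum_m) ** 2
    den = (n * sum_s2 - sum_s ** 2) * (n * sum_m2 - sum_m ** 2)
    # A flat window (zero variance) makes the correlation undefined; treat it
    # as "no match" (an assumption) rather than raising inside the device loop.
    return 0.0 if den == 0 else num / den


def circulate(vec: Sequence[int], new: int) -> List[int]:
    """Circulate(nu, +/-1): drop the oldest entry and append the newest."""
    return list(vec[1:]) + [new]


class VTCDiscriminator:
    """Discrete-state part of H_VTC: the history vector nu and the SVT decision."""

    def __init__(self, template: Sequence[float], threshold: float = VTC_THRESHOLD):
        self.s_m = list(template)        # constant during an execution of VTC
        self.th = threshold
        self.nu = [-1] * HISTORY         # assumed initial state: no match seen yet

    def window_ends(self, s: Sequence[float]) -> float:
        """WindowEnds event: compute rho_new, shift +1 (rho >= th) or -1 into nu."""
        rho = vtc_correlation(s, self.s_m)
        self.nu = circulate(self.nu, 1 if rho >= self.th else -1)
        return rho

    def svt_decided(self) -> bool:
        """True when at least 3 of the last 10 correlations exceeded the threshold."""
        return sum(1 for v in self.nu if v == 1) >= REQUIRED_MATCHES


# Constructed fiducial-point vectors (arbitrary units), not clinical data.
TEMPLATE = [0.0, 0.4, 1.0, 0.5, -0.3, -0.6, -0.2, 0.0]        # NSR template s_m
SVT_BEAT = [0.1 + 0.8 * v for v in TEMPLATE]                   # same shape, scaled and offset
VT_BEAT = [0.0, 0.9, 0.2, -0.8, 0.7, 0.1, -0.5, 0.0]           # different morphology


def run_vtc(beats: Sequence[Sequence[float]],
            template: Sequence[float] = TEMPLATE,
            threshold: float = VTC_THRESHOLD) -> Tuple[bool, List[float]]:
    """Feed a sequence of EGM windows through the discriminator; return the
    final SVT decision and the per-beat rho_new values."""
    d = VTCDiscriminator(template, threshold)
    rhos = [d.window_ends(b) for b in beats]
    return d.svt_decided(), rhos


if __name__ == "__main__":
    decided, rhos = run_vtc([SVT_BEAT] * 3 + [VT_BEAT] * 7)
    print("rho per beat:", [round(r, 3) for r in rhos])
    print("SVT decided (therapy withheld):", decided)
```

Two properties of the formula are visible in this run: because $\rho_{new}$ is a squared correlation it is invariant to scaling and offset of the window (the scaled SVT beat scores exactly 1) and also blind to sign, so the "ventricular" beat is constructed with an uncorrelated shape rather than an inverted one; and the decision depends on the last 10 windows only, so three matching beats followed by eight non-matching ones no longer withhold therapy.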
Lemma 5.2. $H_{VTC}$ is STORMED.
Proof. Separability obtains by observing that a uniform minimum time passes between beats and between samples. TISG is immediate. O-minimality is established by observing that all sets and functions are definable in $\mathcal{L}_{exp}$. ED holds because the state space is bounded. We now show monotonicity. The state of the system is $x = (t, \mu, \alpha, \beta, \vec{\nu}, w)^T \in \mathbb{R}^{4+10+1}$. Let $\varphi = (\varphi_c, \varphi_\mu, \varphi_\alpha, \varphi_\beta, \varphi_1, \ldots, \varphi_{10}, \varphi_w)^T \in \mathbb{R}^{15}$ be the corresponding vector. For flows in mode CalculateVTC, we seek a $\varphi$ and $\varepsilon > 0$ such that
$$\varphi\cdot\big(t+\tau-t,\ 0,\ \ldots,\ 0,\ -\gamma(t+\tau)+\gamma t\big) = \varphi_c\tau + \varphi_w(-\gamma\tau) \;\ge\; \varepsilon\sqrt{\tau^2+\gamma^2\tau^2},$$
which is equivalent to $\varphi_c - \varphi_w\gamma \ge \varepsilon\sqrt{1+\gamma^2}$. Reset monotonicity for resets R1, R2, R3 provides three more constraints on $\varphi$ and $\varepsilon$:
$$(\mathrm{R1})\quad \varphi\cdot(-t,\ -\mu,\ -\alpha,\ -\beta,\ \nu_2-\nu_1,\ \nu_3-\nu_2,\ \ldots,\ \nu_{11}-\nu_{10},\ 1-w) = -\varphi_c t - \varphi_\mu\mu - \varphi_\alpha\alpha - \varphi_\beta\beta + \sum_i \varphi_i(\nu_{i+1}-\nu_i) + \varphi_w(1-w) \;\underbrace{\ge\; \zeta}_{\text{Want}}$$
$$(\mathrm{R2})\quad \varphi\cdot(t-t,\ s,\ s\,s_m,\ s^2,\ \vec{0},\ 1-w) = \varphi_\mu s + \varphi_\alpha s\,s_m + \varphi_\beta s^2 + \varphi_w(1-w) \;\underbrace{\ge\; \zeta}_{\text{Want}}$$
$$(\mathrm{R3})\quad \cdots + \sum_i \varphi_i(\nu_{i+1}-\nu_i) + \varphi_w(1-w) \;\underbrace{\ge\; \zeta}_{\text{Want}}$$
where $\nu_{11} := -1$ in R1 and $\nu_{11} := 1$ in R3. Combine R1 and R3 by choosing $\varphi_1 = \ldots = \varphi_{10} = \varphi_\mu = \varphi_\alpha = \varphi_\beta = 0$:
$$(\mathrm{R1,3})\quad -\varphi_c t + \varphi_w(1-w) \ge \zeta, \qquad (\mathrm{R2})\quad \varphi_w(1-w) \ge \zeta.$$
Now note that when a reset occurs, $0 < w \le 1 - \gamma T_s := w_m$ where $T_s$ is the smallest sampling period, and that $t \le 10B$, $B$ = the maximum peak-to-peak interval, so (R2), (R1,3) can be jointly satisfied if $-\varphi_c\,10B + \varphi_w(1-w_m) \ge \zeta$. The 2 boxed equations can be jointly satisfied.
5.3 Stability discrimination
Stability refers to the variability of the peak-to-peak cycle
length. A rhythm with large variability (above a pre-defined
threshold) is said to be unstable, and is called stable other-
wise. The Stability discriminator is used to distinguish be-
tween atrial fibrillation, which is usually unstable, and VT,
which is usually stable.
The Stability discriminator shown in Fig. 11 simply calculates the variance of the cycle length over a fixed period called a Duration (measured in seconds). Let $DL \ge 0$ be the Duration length. The events DurationBegins? and DurationEnds? indicate the transitions of a simple system that measures the lapse of one Duration (not shown here). State $t$ is a clock, $L_1$ accumulates the sum of interval lengths (and will be used to compute the average length), $L_2$ accumulates the squares of interval lengths, and $\kappa$ is a counter that counts the number of accumulated beats. $\sigma^2$ is assigned the value of the variance given by
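The two interval-based discriminators of Sections 5.1 and 5.3, as an added worked example that is not code from the paper: $H_{TCFI}$ circulates the last three intervals $t - t_p$ through $L_3$ on every ventricular event and fires when all three are below the fast threshold, and $H_{Stab}$ accumulates $L_1$, $L_2$ and $\kappa$ over the beats of one Duration and assigns $\sigma^2$ at DurationEnds. The thresholds, the Duration length, the initial contents of $L_3$, the choice to start the Duration at the beat on which TCFI fires, and the normalisation of $\sigma^2$ as a population variance are all assumptions; the decision tree of Fig. 7 that combines such discriminators is not modelled here.

```python
"""Interval-based discriminators of Sections 5.1 and 5.3 (Three Consecutive
Fast Intervals and Stability) run over constructed ventricular event times.

Assumptions (not from the paper): the thresholds, the Duration length DL, the
initial contents of L3, the Duration starting at the TCFI detection beat, and
sigma^2 normalised as a population variance of the accumulated cycle lengths.
"""
from typing import Dict, List, Optional, Sequence

FAST_TH_MS = 400     # constructed 'fast' interval threshold (tachycardia zone)
VAR_TH_MS2 = 400.0   # constructed stability threshold on sigma^2 (20 ms std. dev.)
DL_MS = 1500         # constructed Duration length DL


def times_from_intervals(first_ms: int, intervals_ms: Sequence[int]) -> List[int]:
    """Turn a list of beat-to-beat intervals into absolute VEvent times."""
    times = [first_ms]
    for d in intervals_ms:
        times.append(times[-1] + d)
    return times


def tcfi_detect(event_times_ms: Sequence[int], fast_th_ms: int = FAST_TH_MS) -> Optional[int]:
    """H_TCFI: return the VEvent time at which the last three intervals were all
    shorter than fast_th_ms, or None. L3 holds the last three intervals and is
    circulated on every ventricular event with the value t - t_p."""
    l3 = [float("inf")] * 3              # assumed initial L3: no intervals seen yet
    t_p = event_times_ms[0]
    for t in event_times_ms[1:]:
        l3 = l3[1:] + [t - t_p]          # Circulate(L3, t - t_p)
        t_p = t
        if all(z < fast_th_ms for z in l3):
            return t
    return None


def stability_variance(event_times_ms: Sequence[int], duration_begin_ms: int,
                       dl_ms: int = DL_MS) -> Optional[float]:
    """H_Stab: accumulate L1 (sum of intervals), L2 (sum of squares) and kappa
    over the VEvents in one Duration (begin, begin + DL], then assign
    sigma^2 = L2/kappa - (L1/kappa)^2 (assumed normalisation)."""
    l1 = l2 = 0.0
    kappa = 0
    prev = event_times_ms[0]
    for t in event_times_ms:
        if t <= duration_begin_ms:       # clock t keeps running from the last beat
            prev = t
            continue
        if t > duration_begin_ms + dl_ms:
            break                        # DurationEnds
        delta = t - prev                 # value of the clock t at this VEvent
        prev = t
        l1 += delta                      # L1 <- L1 + t
        l2 += delta * delta              # L2 <- L2 + t^2
        kappa += 1
    if kappa == 0:
        return None                      # no beats in the Duration: variance undefined
    return l2 / kappa - (l1 / kappa) ** 2


def classify_rhythm(event_times_ms: Sequence[int]) -> Dict[str, object]:
    """Run TCFI; if it fires, start a Duration at that beat and run Stability over it."""
    t_det = tcfi_detect(event_times_ms)
    if t_det is None:
        return {"tcfi_at": None, "variance": None, "stable": None}
    var = stability_variance(event_times_ms, t_det)
    stable = None if var is None else var <= VAR_TH_MS2
    return {"tcfi_at": t_det, "variance": var, "stable": stable}


# Constructed event sequences (ms): a regular fast rhythm and an irregular one.
VT_LIKE_EVENTS = times_from_intervals(0, [820, 800, 300, 310, 305, 300, 300, 310, 305, 300])
AF_LIKE_EVENTS = times_from_intervals(0, [780, 280, 410, 250, 360, 300, 450, 260, 390, 310])

if __name__ == "__main__":
    for name, ev in (("regular fast", VT_LIKE_EVENTS), ("irregular fast", AF_LIKE_EVENTS)):
        print(name, classify_rhythm(ev))
```

On the regular sequence TCFI fires on the fifth interval and the Duration that follows is stable (small $\sigma^2$), which is the VT-like pattern the Stability discriminator is meant to separate from atrial fibrillation; on the irregular sequence TCFI also fires, but the Duration is unstable. Both discriminators keep only bounded accumulators ($L_3$, $L_1$, $L_2$, $\kappa$), which is what makes them amenable to the bounded-state-space argument used for the STORMED property.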
Lemma 5.3. HS tab is STORMED.
The proof is in the Appendix.
Figure 11: Stability discriminator. (Figure not reproduced; recoverable resets: $t \leftarrow 0$, $L_2 \leftarrow L_2 + t^2$, $L_1 \leftarrow L_1 + t$.)
Now that each system was shown to be STORMED, it remains to establish that their parallel composition is STORMED. This result does not hold in general; Thm. 6.1 gives conditions under which parallel composition respects the STORMED property. Intuitively, we require that whenever a sub-collection of the systems jumps, the remaining systems that did not jump are separated from all of their respective guards by a uniform distance. This is a requirement that can be shown to hold for our systems by modeling various minimal delays in the systems’ operation. We may now state:
Theorem 5.1. Consider the collection of systems $H_{CA}$, $H_{ICD} = H_{Sense}\|H_{DetectionAlgo}$ where the latter is the parallel composition of the discriminator systems. This collection satisfies the hypotheses of Thm. 6.1 (Section 6) and therefore the parallel system $H_{CA}\|H_{ICD}$ is STORMED and has a finite bisimulation.
The results in this section and the next apply to STORMED
systems in general, including those with time-unbounded
operation. We write $[m] = \{1,\ldots,m\}$. Given hybrid systems $H_1,\ldots,H_m$ in this section, $x_i, G_i, \theta_i, \ldots$ etc. refer to a state, guard, flow $\ldots$ of system $H_i$, $i \le m$. We show that the parallel composition of SHS is still a SHS. Recall that $\theta_\ell(t;x)$ is the flow starting at $(\ell, x)$. Given hybrid systems $H_1,\ldots,H_m$, their parallel composition $H = H_1\|\ldots\|H_m$ is defined in the usual way: $H.X = \prod_i X_i$, $H.L = \prod_i L_i$, $H.H_0 = \prod_i H^i_0$, $Inv(\ell) = \prod_i Inv_i(\ell_i)$, $\theta_\ell(x,t) = [\theta^1_{\ell_1}(x_1,t),\ldots,\theta^m_{\ell_m}(x_m,t)]^T$. The system jumps if any of its subsystems jumps, so its guard sets are of the form $A_1\times\ldots\times A_m$ where for at least one $i$, $A_i$ is a guard of $H_i$, and for the rest $A_j = X_j$. When a guard of a subsystem is satisfied, the state of that subsystem is reset according to its reset map. The guards are made disjoint to avoid non-determinism. A system $H$ is deterministic if to every initial state $(\ell, x)$, $H$ produces a unique trajectory starting there.
In general $H$ is not separable: indeed for any candidate value of $d_{min}$, one could find a transition $(i,j)$ of $H$ due to, say, a jump of $H_1$, s.t. at that moment $x_2$ is closer than $d_{min}$ to one of its own guards, say $G^2_{(j_2,k_2)}$. This causes $H$ to further jump $j \to k$ without having traveled the requisite minimum distance, thus violating the separability of $R_{ij}(G_{ij})$ and $G_{jk}$. Therefore we need to impose an extra condition on minimum separability across sub-systems.
Theorem 6.1. Let $\Sigma_i = (H_i, \mathcal{A}, \varphi_i, b_{i,-}, b_{i,+}, d^i_{min}, \varepsilon_i, \zeta_i)$, $i = 1,\ldots,m$ be deterministic SHS defined using the same underlying o-minimal structure, and where each state space $X_i$ is bounded by $B_{X_i}$. Define the parallel composition $\Sigma = (H, \mathcal{A}, \varphi, b_-, b_+, d_{min}, \varepsilon, \zeta)$ where $H = H_1\|\ldots\|H_m$, $\varphi = (\varphi_1,\ldots,\varphi_m)^T \in \mathbb{R}^{mn}$, $b_- = \inf_{x\in X}\varphi\cdot x$, $b_+ = \sup_{x\in X}\varphi\cdot x$, $\varepsilon = \min(\min_i \varepsilon_i, \min_i \zeta_i/B_{X_i})$, $\zeta = \min_i \zeta_i$ and
$$d_{min} = \min_{i\in I,\ j\in[m]\setminus I} d^{ij}_{min}.$$
Assume that the following Collection Separability condition holds: for all $i, j \le m$, $i \ne j$, there exists $d^{ij}_{min} > 0$ s.t. if $x \in X$ is in the reachable set of $H$ and $x_i \in G^i_{e}$ for some $e \in E_i$, then $d(x_j, G^j_{e'}) > d^{ij}_{min}$ for all $e' \in E_j$, where $E_j$ is the edge set of $\Sigma_j$ and $G^j_{e'}$ is a guard of $\Sigma_j$ on edge $e' \in E_j$. Then $\Sigma$ is STORMED.
Proof. (S) In $H$, let $y = (y_1,\ldots,y_m) = R_e((x_1,\ldots,x_m))$ and assume that it was $H_1$ that caused the jump. Thus $y_j = x_j$, $j > 1$. Write $e = (\ell, \ell')$. By Collection Separability, $d(y_j, G^j_{e_j}) > d^{1j}_{min}$ for all $j > 1$, $e_j \in E_j$, and by separability of $H_1$, $d(y_1, G^1_{e_1}) > d^1_{min}$ for all $e_1 \in E_1$. So $d(y, G_{\ell',\ell''}) > \min(d^1_{min}, \min_{j>1} d^{1j}_{min}) \ge d_{min}$ for any guard leading out of $\ell'$, and we have separability. The argument can be repeated for any subset $I \subset [m]$ of systems jumping simultaneously.
(T) The $H$ flow $\theta_\ell(t;x)$ is TISG because the component flows $\theta^i_{\ell_i}(t;x_i)$ are TISG.
(O) The cartesian product of definable sets is definable, so the system $H$ is o-minimal.
(RM) First we show that resets of $H$ are monotonic, then that the flows of $H$ are monotonic. Let $p, q \in L$ be two modes of $H$, $p \ne q$.
Case 1: $H$ jumps $p \to p$. So any subsystem $H_i$ either jumped $p_i \to p_i$ or didn’t jump at all. If $x^+ = x^-$, then (RM) is satisfied. Else, define $\varphi := (\varphi_1,\ldots,\varphi_m) \in \mathbb{R}^{n\cdot m}$, where $\varphi_i$ is the $\varphi$ vector of system $H_i$. Then $\varphi\cdot(x^+ - x^-) = \sum_{i\in K}\varphi_i\cdot(x_{i,+} - x_{i,-})$, where $K \subset [m]$ is the set of indices of sub-systems that jumped with $x_{i,-} \ne x_{i,+}$. Note that $K$ depends on $x^-, x^+$. For all $x^-, x^+$ pairs (and so for all $K$) $\sum_{i\in K}\zeta_i \ge \min_{i\in[m]}\zeta_i := \zeta > 0$. So by (RM) for each $H_i$,
$$\varphi\cdot(x^+ - x^-) = \sum_{i\in K}\varphi_i\cdot(x_{i,+} - x_{i,-}) \;\ge\; \sum_{i\in K}\zeta_i \;\ge\; \zeta > 0.$$
Thus (RM) is satisfied.
Case 2: $H$ jumps $p \to q$. At least one sub-system $H_i$ jumped $p_i \to q_i \ne p_i$. Then $\varphi\cdot(x^+ - x^-) = \sum_{i\in[m]}\varphi_i\cdot(x_{i,+} - x_{i,-}) = \sum_{i\in K}\varphi_i\cdot(x_{i,+} - x_{i,-})$, where $K = K_= \cup K_{\ne}$, $K_=$ is the index set of subsystems that jumped $p_i \to p_i$ with $x_{i,+} \ne x_{i,-}$, and $K_{\ne}$ is the index set of subsystems that jumped $p_i \to q_i \ne p_i$ with $x_{i,+} \ne x_{i,-}$. Subsystems that didn’t jump or jumped without changing their continuous state don’t contribute to the sum. Note that $K_=, K_{\ne}$ depend on $x^-, x^+$. So we have
$$\varphi\cdot(x^+ - x^-) \;\ge\; \sum_{i\in K_{\ne}}\varepsilon_i\,\|x_{i,+} - x_{i,-}\| + \sum_{i\in K_=}\zeta_i.$$
For all $X_i$, $\|x_{i,+} - x_{i,-}\| \le B_{X_i}$ for all $x_{i,-}, x_{i,+} \in X_i$. Therefore $\zeta_i \ge \frac{\zeta_i}{B_{X_i}}\|x_{i,+} - x_{i,-}\|$ for all $i \in K$. So
$$\varphi\cdot(x^+ - x^-) \;\ge\; \Big(\min_{i\in[m]}\varepsilon_i\Big)\sum_{i\in K_{\ne}}\|x_{i,+} - x_{i,-}\| + \sum_{i\in K_=}\frac{\zeta_i}{B_{X_i}}\|x_{i,+} - x_{i,-}\| \;\ge\; \min\Big(\min_{i\in[m]}\varepsilon_i,\ \min_{i\in[m]}\frac{\zeta_i}{B_{X_i}}\Big)\sum_{i\in K}\|x_{i,+} - x_{i,-}\|.$$
Let $\varepsilon := \min(\min_i \varepsilon_i, \min_i \zeta_i/B_{X_i})$. Then
$$\varphi\cdot(x^+ - x^-) \;\ge\; \varepsilon\sum_{i\in K}\|x_{i,+} - x_{i,-}\| \;\ge\; \varepsilon\,\|x^+ - x^-\|.$$
So $H$ has monotonic resets.
The flows of $H$ are also monotonic along $\varphi$. Indeed for any $q \in L$,
$$\varphi\cdot\big(\theta_q(t+\tau;x) - \theta_q(t;x)\big) = \sum_{i=1}^m \varphi_i\cdot\big(\theta^i_{q_i}(t+\tau;x_i) - \theta^i_{q_i}(t;x_i)\big) \;\ge\; \sum_i \varepsilon_i\,\big\|\theta^i_{q_i}(t+\tau;x_i) - \theta^i_{q_i}(t;x_i)\big\| \;\ge\; \varepsilon\,\big\|\theta_q(t+\tau;x) - \theta_q(t;x)\big\|.$$
(ED) By Prop. 2.1.
In general it is not possible to compute the reach sets required in Alg. 1 exactly unless the underlying o-minimal theory is decidable. The $H_{ICD}\|H_{CA}$ closed loop is definable in $\mathcal{L}_{exp}$, and the latter is not known to be decidable. The authors in [21] proposed approximating the flows and resets by polynomial flows and resets in the decidable theory $\mathcal{L}_{\mathbb{R}}$. However, the approximation process is typically iterative and requires manual intervention, or is restricted to subclasses of STORMED systems [21].
Here we show that if an approximate reachability tool with definable over-approximations is available for the continuous dynamics, it can be used in Alg. 1 (instead of exact reachability) to yield a finite simulation (rather than a bisimulation). Intuitively, the additional intersections of approximate reach sets with blocks of $Q/\!\sim$ do not destroy finiteness of the procedure. Since we only have a simulation, counter-examples on the abstraction should be validated in a CEGAR-like fashion.
Lemma 7.1. Let $\Sigma = (H, \ldots)$ be a SHS and $\sim$ an equivalence relation on $X$. For any mode $\ell$ of $H$, its dynamical sub-system $D$ with state space $X = H.X$ and flow $\theta_\ell$ admits a finite simulation $S_\ell$ that respects $\sim$, returned by Alg. 1.
The proof is in the Appendix. Let $F^\varepsilon_t(P) := \bigcap_{\ell\in L} S_\ell$ where $P = X/\!\sim$. $F^\varepsilon_t$ refines all the $S_\ell$’s, and it is a finite simulation of $H$ by itself w.r.t. the continuous transition $\xrightarrow{\tau}$. It is clear that $F^\varepsilon_t(\cdot)$ is idempotent: $F^\varepsilon_t(F^\varepsilon_t(P)) = F^\varepsilon_t(P)$.
Theorem 7.1. Let $H$ be a STORMED hybrid system, and $P$ be a finite definable partition of its state space. Define
$$W_0 = F^\varepsilon_t(P), \qquad W_{i+1} = F^\varepsilon_t(F_d(W_i)),\ i \ge 0. \qquad (7)$$
Then there exists $U \in \mathbb{N}$ s.t. $W_{U+1} = W_U$ and $F^\varepsilon_t(W_U)$ is a simulation of $H$ by itself.
Proof. By Lemma 10 of [27] there exists a uniform bound $U$ on the number of discrete transitions of any execution of the STORMED system $H$, so $F_d(W_k) = W_k$ for all $k \ge U$. Moreover $W_{U+1} = F^\varepsilon_t(F_d(W_U)) = F^\varepsilon_t(W_U)$ and $W_{U+2} = F^\varepsilon_t(F_d(W_{U+1})) = F^\varepsilon_t(W_{U+1}) = F^\varepsilon_t(F^\varepsilon_t(W_U)) = F^\varepsilon_t(W_U) = W_{U+1}$, so the iterations reach a fixed point. The fact that $F^\varepsilon_t(W_U)$ is a simulation then yields the desired result.
7.1 Example: SpaceEx reachable sets
Lemma 7.1 required that the over-approximation sets $R^\varepsilon_t(x)$ be definable for every $x$ and $t$ (see proof). In practice, we need to show that the over-approximation actually computed by the reachability tool (which may not be the full ball $R^\varepsilon_t(x)$) is definable. In this section we show that the over-approximations computed by SpaceEx [8] are definable. Given the set $X \subset \mathbb{R}^n$ and finite $V \subset \mathbb{R}^n$, parameter $\lambda \in [0,1]$, a time step $\delta > 0$, and $(i,j) \in E$, SpaceEx over-approximates $R_{ij}(X)$ by $K(V,X) := R_{ij}(TH_V(X) \cap G_{ij}) \cap Inv(j)$ and $R^\varepsilon_{\lambda\delta}(X)$ by [8]:
$$\Omega_\lambda(X,\delta) = (1-\lambda)X \oplus \lambda e^{\delta A}X \oplus \big(\lambda E^+(X,\delta) \cap (1-\lambda)E^-(X,\delta)\big) \qquad (8)$$
where $TH_V(X) := \{x \in \mathbb{R}^n \mid \bigwedge_{\vec a \in V} \vec a\cdot x \le \rho(\vec a, X)\}$ is the template hull of $X$ and $\rho$ its support function, $E^+ = \square(A^2 X)$, $E^- = \square(A^2 e^{\delta A}X)$, $\oplus$ is the Minkowski sum, $\square S = [-|x_1|, |x_1|]\times\ldots\times[-|x_n|, |x_n|]$ is the box hull with $|x_i| := \max\{|x_i| \text{ s.t. } x = (x_1,\ldots,x_n) \in S\}$.
Theorem 7.2. For all definable polytopes $X \subset \mathbb{R}^n$, the sets $K(V,X)$ and $\Omega_\lambda(X,\delta)$ are definable in $\mathcal{L}_{exp}$.
Proof. Let $S, Y \subset \mathbb{R}^n$ be two definable sets in some o-minimal structure $\mathcal{A}$. Let $\lambda \in \mathbb{R}$ and let $A$ be a real matrix. Then the following sets are also definable: $\lambda S$, $AS$, $S \cup Y$, $S \cap Y$, $S \oplus Y$, $TH_V(S)$ and $\square S$. Now the result follows by noting that $K(V,X)$ and $\Omega_\lambda(X,\delta)$ are constructed by composing the above definability-preserving operations.
In this paper, we presented the first formalization of a hy-
brid system model of the human heart and ICD closed loop
and showed that it admits a finite bisimulation, and that
definable approximate reachability yields a finite simulation
for STORMED systems.
[1] R. Alur, T. A. Henzinger, G. Lafferriere, and G. J.
Pappas. Discrete abstractions of hybrid systems.
Proceedings of the IEEE, 88(2), 2000.
[2] E. Bartocci, F. Corradini, M. D. Berardini,
E. Entcheva, S. Smolka, and R. Grosu. Modeling and
simulation of cardiac tissue using hybrid I/O
automata. Th. Com. Sci., 410(33), 2009.
[3] Boston Scientific Corporation. The Compass -
Technical Guide to Boston Scientific Cardiac Rhythm
Management Products. Device Documentation, 2007.
[4] T. Brihaye and C. Michaux. On the expressiveness
and decidability of o-minimal hybrid systems. Journal
of Complexity, 21(4):447 – 478, 2005.
[5] F. Cameron, G. Fainekos, D. Maahs, and
S. Sankaranarayanan. Towards a verified artificial
pancreas: Challenges and solutions for runtime
verification. In E. Bartocci and R. Majumdar, editors,
Runtime Verification, volume 9333 of Lecture Notes in
Computer Science, pages 3–17. Springer International
Publishing, 2015.
[6] T. Chen, M. Diciolla, M. Kwiatkowska, and
A. Mereacre. Quantitative verification of implantable
cardiac pacemakers over hybrid heart models.
Information and Computation, 236:87 – 101, 2014.
[7] D. D. Correa de Sa, N. Thompson,
J. Stinnett-Donnelly, P. Znojkiewicz, N. Habel, J. G.
Muller, J. H. Bates, J. S. Buzas, and P. S. Spector.
Electrogram fractionation. Circ Arrhythm
Electrophysiol, 55:909 – 916, Dec 2011.
[8] G. Frehse, C. L. Guernic, A. Donze, S. Cotton,
R. Ray, O. Lebeltel, R. Ripado, A. Girard, T. Dang,
and O. Maler. SpaceEx: Scalable verification of hybrid
systems. In Proceedings of the 23rd CAV, 2011.
[9] M. R. Gold et al. Prospective comparison of
discrimination algorithms to prevent inappropriate
ICD therapy: Primary results of the Rhythm ID
Going Head to Head Trial. Heart Rhythm, 9(3):370–377, 2012.
[10] R. Grosu, S. A. Smolka, F. Corradini, A. Wasilewska,
E. Entcheva, and E. Bartocci. Learning and detecting
emergent behavior in networks of cardiac myocytes.
Commun. ACM, 52(3):97–105, Mar. 2009.
[11] R. Hood. The EP Lab. Accessed 10/20/2015.
[12] Z. Huang, C. Fan, A. Mereacre, S. Mitra, and
M. Kwiatkowska. Invariant verification of nonlinear
hybrid automata networks of cardiac cells. In A. Biere
and R. Bloem, editors, CAV. 2014.
[13] M. A. Islam, A. Murthy, A. Girard, S. A. Smolka, and
R. Grosu. Compositionality results for cardiac cell
dynamics. HSCC, 2014.
[14] Z. Jiang, M. Pajic, S. Moarref, R. Alur, and
R. Mangharam. Modeling and Verification of a Dual
Chamber Implantable Pacemaker. Tools and
Algorithms for the Construction and Analysis of
Systems, 7214:188–203, 2012.
[15] R. Klabunde. Cardiovascular electrophysiology
concepts. Lippincott-Williams, 2 edition, 2011.
[16] S. Kong, S. Gao, W. Chen, and E. Clarke. dReach:
δ-reachability analysis for hybrid systems. In
C. Baier and C. Tinelli, editors, TACAS, volume 9035
of Lecture Notes in Computer Science. 2015.
[17] G. Lafferriere, G. J. Pappas, and S. Sastry. O-minimal
hybrid systems. Mathematics of Control, Signals and
Systems, 13(1):1–21, 2000.
[18] D. Mery and N. K. Singh. Pacemaker’s Functional
Behaviors in Event-B. Research report, INRIA, 2009.
[19] A. J. Moss et al. Reduction in inappropriate therapy
and mortality through ICD programming. New England
Journal of Medicine, 367(24):2275–2283, 2012.
[20] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and
R. Mangharam. Safety-critical medical device
development using the UPP2SF model translation tool.
ACM Trans. Embed. Comput. Syst., 13(4), 2014.
[21] P. Prabhakar, V. Vladimerou, M. Viswanathan, and
G. E. Dullerud. Verifying tolerant systems using
polynomial approximations. In RTSS, 2009.
[22] M. Rosenqvist, T. Beyer, M. Block, K. Dulk,
J. Minten, and F. Lindemans. Adverse Events with
Transvenous Implantable Cardioverter-Defibrillators:
A Prospective Multi-center Study. Circulation, 1998.
[23] P. S. Spector. Visible EP. Accessed 10/20/2015.
[24] P. S. Spector, N. Habel, B. E. Sobel, and J. H. Bates.
Emergence of complex behavior: An interactive model
of cardiac excitation provides a powerful tool for
understanding electric propagation. Circulation:
Arrhythmia and Electrophysiology, 4(4):586–591, 2011.
[25] P. Tabuada. Verification and Control of Hybrid
Systems. Springer, 2008.
[26] K. Ten Tusscher, R. Hren, and A. V. Panfilov.
Organization of ventricular fibrillation in the human
heart. Circulation Research, 100(12):87–101, 2007.
[27] V. Vladimerou, P. Prabhakar, M. Viswanathan, and
G. Dullerud. STORMED hybrid systems. In Automata,
Languages and Programming. 2008.
Proof of Lemma 5.3.
Proof. We show the resets are monotonic; the other properties are immediate. The state is $x = (t, L_2, L_1, \kappa, \sigma^2)^T$. The self-transition ACCUMULATE $\to$ ACCUMULATE is initiated by VEvent (ventricular peak). At reset time, $0 \le t \le DL$, we have that
$$\varphi\cdot(0 - t,\ t^2,\ t,\ 1,\ 0)^T \;\ge\; -\varphi_1 DL + \cdots \qquad (\text{Want})$$
The transition ACCUMULATE $\to$ FINALIZE, initiated at the end of Duration, saves the value of the variance in $\sigma^2$. This reset produces the constraint $\varphi_5\,\big|(L_2 - L_1^2\,\cdots)\big|$. But the quantity in absolute value is itself a variance and so is positive, therefore the constraint is simply $\varphi_5 \ge \varepsilon$, compatible with the previous inequality.
Proof of Lemma 7.1.
Proof. This follows the lines of the elegant proof of [4] as formulated in [25] and generalizes it to set-valued maps. (The fact that using an approximate $Post$ operator yields a simulation is a special case of a more general result on transition systems but we prove it here for completeness. Also note that this result holds for o-minimal systems [17] generally, not just STORMED systems).
First observe that using approximate reachability on a system $H$ is tantamount to replacing $H$ with a system $H_\varepsilon$ whose flows and reset maps are set-valued $\varepsilon$ over-approximations of the flows and resets of $H$ (but is otherwise unchanged). Therefore define the dynamical system $D_\varepsilon$ with state space $X$ and whose flow $\Theta : \mathbb{R}\times\mathbb{R}^n \to 2^{\mathbb{R}^n}$ is a set-valued $\varepsilon$ over-approximation of $\theta_\ell$: $\Theta(t;x) = \{y \in \mathbb{R}^n \mid \|y - \theta(t;x)\|^2 \le \varepsilon^2\}$. Let $\mathcal{P} := X/\!\sim$ be the partition induced by $\sim$. It follows from the definability of $\theta$ and $\|\cdot\|^2$ that $\Theta$ is definable. Given $P \in \mathcal{P}$, let $Z(P) = \Theta^{-1}(P) := \{(x,t) \mid \Theta(x,t) \cap P \ne \emptyset\}$. Then $Z(P)$ is definable because $P$ and $\Theta$ are definable. Let $Z_x(P) = \{t \mid (x,t) \in Z(P)\} \subset \mathbb{R}$ be the fiber of $Z$ over $x$. The number of connected components of $Z_x(P)$ equals the number of times that $\Theta(x,t)$ intersects $P$. Now it follows from [25] Thm. 7.11 that there exists a uniform upper bound on the number of connected components of $Z_x(P)$, independent of $x$. Let that bound be $V_P$. Thus $\Theta(x,t)$ visits $P$ at the most $V_P$ times, regardless of $x$. Since there is a finite number of blocks $P \in \mathcal{P}$, then $\Theta(x,t)$ visits any block $P$ a maximum of $V := \max_P(V_P)$ times.
Thus we can associate to each $x \in X$ a finite number of finite strings $q(x) = (\ell_1, \ell_2, \ldots, \ell_{i-1}, \hat\ell_i, \ell_{i+1}, \ldots, \ell_s)$, where $\ell_i, \hat\ell_i \in \mathcal{P}$. Each $q(x)$ gives the sequence of blocks that $\Theta(x,t)$ visits (with repetition), and in which $\hat\ell_i$ is the block containing $x$. There may be more than one such string because the set $\Theta(x,t)$ might intersect more than one block of $\mathcal{P}$ at a time. The length of $q(x)$ is thus uniformly upper-bounded by $V\cdot|\mathcal{P}|$, so there’s a finite number of different strings $q(x)$. Let $Q(x)$ be the set of such strings associated to $x$, and let $Q = \bigcup_x Q(x)$. Then $Q$ is the state space of the finite transition system $K = (Q, \{*\}, \to, Q_0)$ whose transition relation is
$$(\ell_1 \ldots \hat\ell_i \ldots \ell_s) \to (\ell_1 \ldots \hat\ell_{i+1} \ldots \ell_s), \qquad (\ell_1 \ldots \ell_{s-1}\,\hat\ell_s) \to (\ell_1 \ldots \ell_{s-1}\,\hat\ell_s).$$
It is clear that $K$ is non-deterministic and simulates $D$ but is not a bisimulation because of the over-approximation produced by $\Theta$.
... UPenn [16] UPenn [1] Oxford-NL Cell [9] UoA-NL Cell [24] Proposed Timed Automata (TA) [16] and linear Hybrid Automata (HA) models [1] of cells have been developed by University of Pennsylvania researchers and they have combined these models with TA based path models. ese models primarily target formal veri cation [1,14,16]. ...
... UPenn [16] UPenn [1] Oxford-NL Cell [9] UoA-NL Cell [24] Proposed Timed Automata (TA) [16] and linear Hybrid Automata (HA) models [1] of cells have been developed by University of Pennsylvania researchers and they have combined these models with TA based path models. ese models primarily target formal veri cation [1,14,16]. ...
... UPenn [16] UPenn [1] Oxford-NL Cell [9] UoA-NL Cell [24] Proposed Timed Automata (TA) [16] and linear Hybrid Automata (HA) models [1] of cells have been developed by University of Pennsylvania researchers and they have combined these models with TA based path models. ese models primarily target formal veri cation [1,14,16]. In contrast, the Stonybrook [23] cell model is based on HA and provides excellent dynamic response. ...
Full-text available
Models of the cardiac conduction system are usually at two extremes: (1) high fidelity models with excellent precision but lacking a real-time response for emulation (hardware in the loop simulation); or (2) models amenable for emulation, but that do not exhibit appropriate dynamic response, which is necessary for arrhythmia susceptibility. We introduce two abstractions to remedy the situation. The first abstraction is a new cell model, which is a semi-linear hybrid automata. The proposed model is as computationally efficient as current state-of-the-art cell models amenable for emulation. Yet, unlike these models, it is also able to capture the dynamic response of the cardiac cell like the higher-fidelity models. The second abstraction is the use of smooth-tokens to develop a new path model, connecting cells, which is efficient in terms of memory consumption. Moreover, the memory requirements of the path model can be statically bounded and are invariant to the emulation step size. Results show that the proposed semi-linear abstraction for the cell reduces the execution time by up to 44%. Furthermore, the smooth-tokens based path model reduces the memory consumption by 40 times when compared to existing path models. This paves the way for the emulation of complex cardiac conduction systems, using hardware code-generators.
... A second use of heart models is in the testing and verification of cardiac medical devices. For example, a model of an Implantable Cardioverter Defibrillator (ICD; an ICD stops fatal tachycardias) may be composed with a model of cardiac electrophysiology, and properties of the ICD may then be tested or even verified in some cases [2]. ...
... Rechability analysis can be used to study which parameter values lead to phenomena that can be formulated as invariants. Also, recent work [2] shows that this heart model, composed with an ICD model, admits finite bisimulations, which opens the way to the development of model checkers for more complex properties. In the meantime, the high-dimensionality of the model and its complexity (see Section 5) suggest that stochastic falsification will play a prominent role at first. ...
Full-text available
Implantable cardiac devices like pacemakers and defibrillators are life-saving medical devices. To verify their functionality, there is a need for heart models that can simulate interesting phenomena and are relatively computationally tractable. In this benchmark we implement a model of the electrical activity in excitable cardiac tissue as a network of nonlinear hybrid automata. The model has previously been shown to simulate fast arrhythmias. The hybrid automata are arranged in a square n-by-n grid and communicate via their voltages. Our Matlab implementation allows the user to specify any size of model $n$, thus rendering it ideal for benchmarking purposes since we can study tool efficiency as a function of size. We expect the model to be used to analyze parameter ranges and network connectivity that lead to dangerous heart conditions. It can also be connected to device models for device verification.
Conference Paper
Virtual heart models have been proposed for closed loop validation of safety-critical embedded medical devices, such as pacemakers. These models must react in real-time to off-the-shelf medical devices. Real-time performance can be obtained by implementing models in computer hardware, and methods of compiling classes of Hybrid Automata (HA) onto FPGA have been developed. Models of ventricular cardiac cell electrophysiology have been described using HA which capture the complex nonlinear behavior of biological systems. However, many models that have been used for closed-loop validation of pacemakers are highly abstract and do not capture important characteristics of the dynamic rate response. We developed a new HA model of cardiac cells which captures dynamic behavior and we implemented the model in hardware. This potentially enables modeling the heart with over 1 million dynamic cells, making the approach ideal for closed loop testing of medical devices.
Conference Paper
Full-text available
We present what we believe to be the first formal verification of a biologically realistic (nonlinear ODE) model of a neural circuit in a multicellular organism: Tap Withdrawal (TW) in C. Elegans, the common roundworm. TW is a reflexive behavior exhibited by C. Elegans in response to vibrating the surface on which it is moving; the neural circuit underlying this response is the subject of this investigation. Specially, we perform reach-tube-based reachability analysis on the TW circuit model of Wicks et al. (1996) to estimate key model parameters. Underlying our approach is the use of Fan and Mitra’s recently developed technique for automatically computing local discrepancy (convergence and divergence rates) of general nonlinear systems.
Full-text available
The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safety-critical nature and the lack of existing industry standards for verification, make this an ideal domain for exploring applications of formal modeling and analysis. In this paper, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We present detailed models of different components of the pacemaker based on the algorithm descriptions from Boston Scientific. We formalize basic safety requirements based on specifications from Boston Scientific as well as additional physiological knowledge. The most critical potential safety violation for a pacemaker is that it may lead the closed-loop system into an undesirable pattern (for example, Tachycardia). Modern pacemakers are implemented with termination algorithms to prevent such conditions. We show how to identify these conditions and check correctness of corresponding termination algorithms by augmenting the basic models with monitors for detecting undesirable patterns. Along with emerging tools for code generation from UPPAAL models, this effort enables model driven design and certification of software for medical devices.
Conference Paper
Full-text available
The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safety-critical nature and the lack of existing industry standards for verification, make this an ideal domain for exploring applications of formal modeling and analysis. In this study, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We begin with detailed models of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. We then define the state space of the closed-loop system based on its heart rate and developed a heart model which can non-deterministically cover the whole state space. For verification, we first specify unsafe regions within the state space and verify the closed-loop system against corresponding safety requirements. As stronger assertions are attempted, the closed-loop unsafe state may result from healthy open-loop heart conditions. Such unsafe transitions are investigated with two clinical cases of Pacemaker Mediated Tachycardia and their corresponding correction algorithms in the pacemaker. Along with emerging tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.
Full-text available
Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent has come to determine the safety of the human being. For example, implantable cardiac pacemakers have over 80,000 lines of code which are responsible for maintaining the heart within safe operating limits. As firmware-related recalls accounted for over 41&percnt; of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools to generate verified code from verified software models. To this effect, we have developed the UPP2SF model-translation tool, which facilitates automatic conversion of verified models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion, applicable to a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and then (c) automatically generated into modular code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF may be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.
Conference Paper
By appealing to the small-gain theorem of one of the authors (Girard), we show that the 13-variable sodium-channel component of the 67-variable IMW cardiac-cell model (Iyer-Mazhari-Winslow) can be replaced by an approximately bisimilar, 2-variable HH-type (Hodgkin-Huxley) abstraction. We show that this substitution of (approximately) equals for equals is safe in the sense that the approximation error between sodium-channel models is not amplified by the feedback-loop context in which it is placed. To prove this feedback-compositionality result, we exhibit quadratic-polynomial, exponentially decaying bisimulation functions between the IMW and HH-type sodium channels, and also for the IMW-based context in which these sodium-channel models are placed. These functions allow us to quantify the overall error introduced by the sodium-channel abstraction and subsequent substitution in the IMW model. To automate computation of the bisimulation functions, we employ the SOSTOOLS optimization toolbox. Our experimental results validate our analytical findings. To the best of our knowledge, this is the first application of δ-bisimilar, feedback-assisting, compositional reasoning in biological systems.
Conference Paper
dReach is a bounded reachability analysis tool for nonlinear hybrid systems. It encodes reachability problems of hybrid systems as first-order formulas over the real numbers, which are solved by delta-decision procedures in the SMT solver dReal. In this way, dReach is able to handle a wide range of highly nonlinear hybrid systems. It has scaled well on various realistic models from biomedical and robotics applications.
Conference Paper
Verification algorithms for networks of nonlinear hybrid automata (HA) can help us understand and control biological processes such as cardiac arrhythmia, formation of memory, and genetic regulation. We present an algorithm for over-approximating reach sets of networks of nonlinear HA which can be used for sound and relatively complete invariant checking. First, it uses automatically computed input-to-state discrepancy functions for the individual automata modules in the network \(\mathcal{A}\) to construct a low-dimensional model \(\mathcal{M}\). Simulations of both \(\mathcal{A}\) and \(\mathcal{M}\) are then used to compute the reach tubes for \(\mathcal{A}\). These techniques enable us to handle a challenging verification problem involving a network of cardiac cells, where each cell has four continuous variables and 29 locations. Our prototype tool can check bounded-time invariants for networks with 5 cells (20 continuous variables, 295 locations) typically in less than 15 minutes for reasonable time horizons. From the computed reach tubes we can infer biologically relevant properties of the network from a set of initial states.
Background: A newly developed classification system relates adverse events to the surgical procedure or the function of the implantable defibrillator. Methods and results: Adverse events were monitored during prospective clinical evaluation of the Medtronic model 7219 Jewel ICD and were classified according to the definitions of the ISO 14155 standard for device clinical trials into 3 groups: severe and mild device-related and severe non-device-related adverse events. In addition, events were related to the surgical procedure, treatment with the device, or cardiac function. Seven hundred seventy-eight patients were followed up for an average of 4.0 months after ICD implantation. In total, 356 adverse events were observed in 259 patients. At 1, 3, and 12 months after ICD implantation, 99%, 98%, and 97% of the patients, respectively, survived; 95%, 93%, and 92%, respectively, were free of surgical reintervention; and 79%, 68%, and 51%, respectively, were free of any adverse event. Twenty patients died: 6 deaths were related to the surgical procedure, 12 deaths were considered unrelated to ICD treatment, and 2 patients died of an unknown cause. Of 111 nonlethal severe adverse device effects, 47 required surgical intervention, 19 times for correction of a dislodged lead. Inappropriate delivery of therapy was observed 128 times in 111 patients, and the events were typically resolved by reprogramming or drug adjustment. Nine of these required rehospitalization. Conclusions: Approximately 50% of patients experience an adverse event within the first year after ICD implantation. The observed adverse event rate depends on the definitions and the prospective monitoring. The incidence of inappropriate therapy emphasizes the need for improved detection algorithms and for quality-of-life evaluations, especially when considering ICD treatment in high-risk but arrhythmia-free patients.
We develop a model-based framework which supports approximate quantitative verification of implantable cardiac pacemaker models over hybrid heart models. The framework is based on hybrid input-output automata and can be instantiated with user-specified pacemaker and heart models. For the specifications, we identify two property patterns which are tailored to the verification of pacemakers: “can the pacemaker maintain a normal heart behaviour?” and “what is the energy level of the battery after t time units?”. We implement the framework in Simulink based on the discrete-time simulation semantics and endow it with a range of basic and advanced quantitative property checks. The advanced property checks include the correction of pacemaker mediated Tachycardia and how the noise on sensor leads influences the pacing level. We demonstrate the usefulness of the framework for safety assurance of pacemaker software by instantiating it with two hybrid heart models and verifying a number of correctness properties with encouraging experimental results.
Hybrid systems describe the interaction of software, modeled by finite-state systems such as finite-state machines, with the physical world, described by infinite-state systems such as differential equations. Verification and Control of Hybrid Systems provides a unique systematic exposition of several classes of hybrid systems, admitting symbolic models along with the relationships between them. The text outlines several key verification and control synthesis results for hybrid systems, guided by the concept of bisimulation, and illustrated by numerous examples. The book is divided into four parts: Part I presents basic concepts centered on a notion of system that is general enough to describe finite-state, infinite-state, and hybrid systems. Part II discusses the ways in which systems relate to other systems, such as behavioral inclusion/equivalence and simulation/bisimulation, using these relationships to study verification and control synthesis problems for finite-state systems. Part III draws inspiration from timed automata to present several classes of hybrid systems, with richer continuous dynamics, that can be related to finite-state symbolic systems. Once such relationships are established, verification and control synthesis problems for these hybrid systems can be immediately solved by resorting to the techniques described in Part II for finite-state systems. Part IV follows the same strategy by generalizing simulation/bisimulation relationships to approximate simulation/bisimulation relationships that can be used for a wider class of hybrid systems. This comprehensive treatment will appeal to researchers, engineers, computer scientists, and graduate students in the areas of formal methods, verification, model checking, and control and will undoubtedly inspire further study of the specialized literature. © Springer Science+Business Media, LLC 2009. All rights reserved.