
Model Checking Implantable Cardioverter Defibrillators

Houssam Abbas, Kuk Jin Jang, Zhihao Jiang, Rahul Mangharam
Department of Electrical and Systems Engineering
University of Pennsylvania, Philadelphia, PA, USA
{habbas, jangkj, zhihaoj, rahulm}@seas.upenn.edu

ABSTRACT

Ventricular Fibrillation is a disorganized electrical excitation of the heart that results in inadequate blood flow to the body. It usually ends in death within seconds. The most common way to treat the symptoms of fibrillation is to implant a medical device, known as an Implantable Cardioverter Defibrillator (ICD), in the patient's body. Model-based verification can supply rigorous proofs of safety and efficacy. In this paper, we build a hybrid system model of the human heart+ICD closed loop, and show it to be a STORMED system, a class of o-minimal hybrid systems that admit finite bisimulations. In general, it may not be possible to compute the bisimulation. We show that approximate reachability can yield a finite simulation for STORMED systems, which improves on the existing verification procedure. In the process, we show that certain compositions respect the STORMED property. Thus it is possible to model check important formal properties of ICDs in a closed loop with the heart, such as delayed therapy, missed therapy, or inappropriately administered therapy. The results of this paper are theoretical and motivate the creation of concrete model checking procedures for STORMED systems.

1. INTRODUCTION

Implantable Cardioverter Defibrillators (ICDs) are life-saving medical devices. An ICD is implanted under the shoulder, connects directly to the heart muscle through two electrodes, and continuously measures the heart's rhythm (Fig. 1). If it detects a potentially fatal accelerated rhythm known as Ventricular Tachycardia (VT), the ICD delivers a high-energy electric shock or sequence of pulses through the electrodes to reset the heart's electrical activity. Without this therapy, the VT can be fatal within seconds of onset. In the US alone, 10,000 people receive an ICD every month. Studies have presented evidence that patients implanted with ICDs have a mortality rate reduced by up to 31% [19].

Unfortunately, ICDs suffer from a high rate of inappropriate therapy due to poor detection of the current rhythm on the part of the ICD. In particular, a class of rhythms known as SupraVentricular Tachycardias (SVTs) can fool the detection algorithms. Inappropriate shocks increase patient stress, reduce their quality of life, and are linked to increased morbidity [22]. Depending on the particular ICD and its settings, the rates of inappropriate therapy can range from 46% to 62% of all delivered therapy episodes [9]. Current practice for ICD verification relies heavily on testing and software cycle reviews. With the advent of computer models of the human heart, Model-Based Design (MBD) can supply rigorous evidence of safety and efficacy. This paper presents hybrid system models of the human heart and of the common modules of ICDs currently on the market, and shows that the closed loop formed by these models is formally verifiable. The objective is to develop model checkers for ICDs to further their MBD process.

[Figure 1: ICD connected to a human heart via two electrodes. The ICD monitors three electrical signals (known as electrograms) traversing the heart muscle. Labels in the figure: Right Atrium Electrode, Right Ventricular Electrode, ICD Can (Shock) Electrode, Shock Coils; Left/Right Atrium, Left/Right Ventricle; Atrial Signal, Ventricular Signal, Shock Signal; Atrial Sensed Event (AS), Ventricular Sensed Event (VS); Sense / Therapy.]

arXiv:1512.08083v1 [cs.SY] 26 Dec 2015

No work exists on ICD verification. Earlier work on verification of medical devices (formal or otherwise) focuses on pacemakers. In [14] the authors developed timed automata models of the whole heart+pacemaker loop, which allows verification of LTL properties. In [6] the authors perform probabilistic testing of Hybrid I/O automata models of heart and pacemaker. However, these cannot be symbolically verified. Later work on pacemakers [18] develops a formalized cellular automata (CA) model of the heart and uses Event-B for expressing its properties, and in [12] invariants of pacemaker and cardiac cells are verified. The ICD algorithms are more complex than a pacemaker's: an ICD measures the timing of events, but also measures and processes the morphology of the electrical signal in the heart to distinguish many types of arrhythmias. Thus, we need three models for ICD verification: a timing and voltage model of the heart, a model of the ICD's algorithms, and a model for voltage measurement by the ICD electrodes. This takes the model out of the realm of timed automata and into hybrid automata proper. More generally, approaches to approximate verification of similar hybrid systems include falsification of general Metric Temporal Logic properties [5] and δ-reachability [16].

[Figure 2: The whole heart is modeled as a 2D mesh of cells (Section 3). The ICD electrodes are shown in the right atrium and ventricle. The electrogram signals measured through the electrodes are processed by the sensing module (ICD Sensing, see Section 4). The detection algorithm (Section 5) determines the current rhythm using the processed signal (ICD Detection). Panels, left to right: Human Heart (Sinoatrial (SA) Node, Atrioventricular (AV) Node, Right Ventricular Apex (RVA), Atria, Ventricles); Cellular Automata Model (Atrial Electrode, Ventricular Electrode); ICD Sensing (Blanking Period, Peak Tracking, Dynamic Sensitivity Adjustment (Exponential Decay)); ICD Detection (Three Consecutive Fast Intervals (TCFI), Stability, Vector Timing Correlation (VTC), Other Discriminators). Input: Electrogram Waveforms; Output: Event Waveforms.]

The first contribution of this paper is to develop a hybrid system model of the heart, the ICD measurement process, and of the algorithmic components of ICDs from most major manufacturers on the market (Fig. 2). We show that the composition of these three models admits a finite bisimulation [1]. The ICD models presented here are the first formalization of ICD operation to the best of our knowledge.

To establish this result we use the theory of STORMED hybrid systems [27], a class of hybrid systems that have finite bisimulations. Our second contribution is two general results for STORMED systems. First we prove that parallel compositions of STORMED systems yield STORMED systems. Secondly, we show that any definable over-approximate reach tubes can replace the exact trajectories of a STORMED system, yielding a system that still admits a finite simulation (but no longer a bisimulation). Finally, we show that the reach sets computed by the reachability tool SpaceEx [8] (a widely used and scalable reachability tool) are definable and so can be used to build the simulation. Thus SpaceEx can be used as part of a model checker for STORMED systems.

Our interest is not simply in a particular manufacturer's arrhythmia detection algorithm: rather, we are interested in those components that are common to most of them, thus making our results relevant to all of them. The components we model, or some variation on them, are included in the ICDs of Boston Scientific, Medtronic, Saint-Jude Medical and Biotronik. This is the first example of a practical STORMED system that the authors are aware of.

Organization. Section 2 covers some preliminaries on hybrid systems. Section 3 presents the heart model, and Sections 4-5 model the ICD. Sections 6 and 7 prove general results on STORMED systems: namely that a definable over-approximation of the flows such as that computed by SpaceEx preserves finiteness of the simulation, and that compositions of STORMED systems are STORMED.

Algorithm 1 Computing a bisimulation respecting $\sim$
Require: Transition system $T = (Q, \Sigma, \to, Q_0)$, equivalence relation $\sim$.
  Set $S = Q/\!\sim$
  while $\exists P, P' \in S$ and $\sigma \in \Sigma$ s.t. $\emptyset \neq P' \cap Post_\sigma(P) \neq P'$ do
    Set $S = (S \setminus \{P'\}) \cup \{P' \cap Post_\sigma(P),\ P' \setminus Post_\sigma(P)\}$
  end while
  Return $S$

2. HYBRID SYSTEMS AND SIMULATIONS

This section presents fairly standard definitions on hybrid systems and their simulations [1]. It also defines STORMED hybrid systems, which admit finite bisimulations [27].

2.1 Transition and hybrid systems

Definition 2.1. A transition system $T = (Q, \Sigma, \to, Q_0)$ consists of a set of states $Q$, a set of events $\Sigma$, a transition relation $\to \subset Q \times \Sigma \times Q$, and a set of initial states $Q_0$. We write $q \xrightarrow{\sigma} q'$ to denote a transition element $(q, \sigma, q') \in \to$. Given $P \subset Q$, we define $Post_\sigma(P) := \{q' \mid \exists q \in P.\ q \xrightarrow{\sigma} q'\}$. Given an equivalence relation $\sim$ on $Q$, the quotient system $T/\!\sim$ is $T/\!\sim\, = (Q/\!\sim, \{*\}, \to_\sim, Q_0/\!\sim)$ where $[q] \xrightarrow{*}_\sim [q']$ iff $q \xrightarrow{\sigma} q'$ for some $\sigma \in \Sigma$. Here $[q]$ is the equivalence class of $q$ and $Q/\!\sim$ is the set of equivalence classes of $\sim$.

Definition 2.2. Given two transition systems $T_1$ and $T_2$ with the same state space $Q$, a simulation relation from $T_1$ to $T_2$ is a relation $\mathcal{S} \subset Q \times Q$ such that for all $(q_1, q_2) \in \mathcal{S}$, if $q_1 \xrightarrow{\sigma}_1 q_1'$, there exists a $q_2' \in Q$ s.t. $q_2 \xrightarrow{\sigma}_2 q_2'$ and $(q_1', q_2') \in \mathcal{S}$. A bisimulation relation between $T_1$ and $T_2$ is both a simulation relation from $T_1$ to $T_2$ and from $T_2$ to $T_1$.

The bisimulation $\mathcal{B}$ is said to respect $\sim$ if $(q, q') \in \mathcal{B} \implies q \sim q'$. Algorithm 1, if it terminates, yields a finite bisimulation for $T$ that respects the given equivalence relation [1]. Moreover, it is the coarsest bisimulation (with respect to inclusion) that respects $\sim$. Given a set of atomic propositions $AP$, if $\sim$ is s.t. $q \sim q'$ iff both states satisfy exactly the same set of atomic propositions, then model checking temporal logic properties can be done on the finite bisimulation instead of the possibly infinite $T$.
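As an added illustration (this is not code from the paper), the following runs Algorithm 1, the partition refinement that computes the coarsest bisimulation respecting $\sim$, on a small finite transition system constructed here; the states, events and labelling are assumptions for the example.

```python
# Added example, not code from the paper: Algorithm 1 (partition refinement
# computing the coarsest bisimulation that respects an equivalence ~) run on a
# small finite transition system constructed here for illustration.
from itertools import product


def post(trans, block, sigma):
    """Post_sigma(P) = { q' | exists q in P with q --sigma--> q' }."""
    return frozenset(q2 for (q, s, q2) in trans if s == sigma and q in block)


def coarsest_bisimulation(events, trans, initial_partition):
    """Refine initial_partition (the blocks of Q/~) until no block P' is cut
    by some Post_sigma(P): while there exist P, P' in S and sigma with
    emptyset != P' & Post_sigma(P) != P', replace P' by the two pieces.
    Returns the final set of blocks (frozensets of states)."""
    S = {frozenset(b) for b in initial_partition}
    while True:
        split = None
        for P, P2 in product(sorted(S, key=sorted), repeat=2):
            for sigma in events:
                inter = P2 & post(trans, P, sigma)
                if inter and inter != P2:
                    split = (P2, inter)
                    break
            if split:
                break
        if split is None:
            return S                          # partition is stable
        P2, inter = split
        # S := (S \ {P'}) U {P' & Post_sigma(P), P' \ Post_sigma(P)}
        S = (S - {P2}) | {inter, P2 - inter}


def quotient_transitions(blocks, trans):
    """Edges of the quotient T/~: [q] --*--> [q'] iff q --sigma--> q'."""
    block_of = {q: b for b in blocks for q in b}
    return {(block_of[q], block_of[q2]) for (q, _, q2) in trans
            if q in block_of and q2 in block_of}


# Constructed example: states 1..5; atomic proposition "alarm" holds in 4, 5,
# so ~ initially groups {1,2,3} (no alarm) and {4,5} (alarm).
EVENTS = ("a", "b")
TRANS = [(1, "a", 4), (2, "a", 5), (3, "a", 3), (4, "b", 1), (5, "b", 2)]
INITIAL = [{1, 2, 3}, {4, 5}]


def example_bisimulation():
    """State 3 loops on itself with event a, so it cannot be bisimilar to
    1 and 2, which move to the alarm block: the block {1,2,3} is split."""
    return coarsest_bisimulation(EVENTS, TRANS, INITIAL)


if __name__ == "__main__":
    blocks = example_bisimulation()
    print(sorted(sorted(b) for b in blocks))          # [[1, 2], [3], [4, 5]]
    for src, dst in sorted(quotient_transitions(blocks, TRANS),
                           key=lambda e: (sorted(e[0]), sorted(e[1]))):
        print(sorted(src), "->", sorted(dst))
```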

Definition 2.3. A hybrid automaton is a tuple
$$H = (X, L, H_0, \{f_\ell\}, Inv, E, \{R_{ij}\}_{(i,j)\in E}, \{G_{ij}\}_{(i,j)\in E})$$
where $X \subset \mathbb{R}^n$ is the continuous state space equipped with the Euclidean norm $\|\cdot\|$, $L \subset \mathbb{N}$ is a finite set of modes, $H_0 \subset X \times L$ is an initial set, $\{f_\ell\}_{\ell \in L}$ determine the continuous evolutions with unique solutions, $Inv : L \to 2^X$ defines the invariants for every mode, $E \subset L^2$ is a set of discrete transitions, $G_{ij} \subset X$ is the guard set for the transitions (so $H$ transitions $i \to j$ when $x \in G_{ij}$), and $R_{ij} : X \to X$ is an edge-specific reset function.

Set $\mathsf{H} = L \times X$. Given $(\ell, x_0) \in \mathsf{H}$, the flow $\theta_\ell(\cdot; x_0) : \mathbb{R}_+ \to \mathbb{R}^n$ is the solution to the IVP $\dot{x}(t) = f_\ell(x(t))$, $x(0) = x_0$. The associated transition system is $T_H = (\mathsf{H}, E \cup \{\tau\}, \to, H_0)$ with $\to\, = (\bigcup_{e \in E} \xrightarrow{e}) \cup \xrightarrow{\tau}$, where $(i, x) \xrightarrow{e} (j, y)$ iff $e = (i, j)$, $x \in G_{ij}$, $y = R_{ij}(x)$, and $(i, x) \xrightarrow{\tau} (j, y)$ iff $i = j$ and there exists a flow $\theta_i(\cdot; x)$ of $H$ and $t \ge 0$ s.t. $\theta_i(t; x) = y$ and $\forall t' \le t$, $\theta_i(t'; x) \in Inv(i)$. For a set $P \subset \mathsf{H}$, $P|_X$ denotes its projection onto $X$, and $P|_L$ its projection onto $L$.

Definition 2.4. [Reachability] Let $H$ be a hybrid system with hybrid state space $\mathsf{H}$, $I = [0, b) \subset [0, +\infty)$ be a (possibly unbounded) interval, $t \in I$, and $\epsilon > 0$. The $\epsilon$-approximate continuous reachability operator $\mathcal{R}^\epsilon_t : 2^{\mathsf{H}} \to 2^{\mathsf{H}}$ is given by
$$\mathcal{R}^\epsilon_t(P) = \{(i, x) \in \mathsf{H} \mid \exists x_0 \in P|_X,\ t \ge 0.\ \|\theta_i(t; x_0) - x\| \le \epsilon\}$$
where $P = \{i\} \times W$, $W \subset Inv(i)$. Define also $\mathcal{R}^\epsilon_I(P) = \bigcup_{t \in I} \mathcal{R}^\epsilon_t(P)$. The (exact) discrete reachability operator is
$$\mathcal{R}_d(P) = \bigcup_{j : (i,j) \in E} R_{ij}(P \cap G_{ij}).$$

For a hybrid system, $Post_\sigma$ computes the forward reach sets, and is implemented by $\mathcal{R}^0_{[0,\infty)}$ and $\mathcal{R}_d$. Algorithm 1, applied to $T_H$, implements the following iteration, in which $F_t(\mathcal{P})$ is the coarsest bisimulation with respect to $\xrightarrow{\tau}$ (see footnote 1) respecting the partition $\mathcal{P}$, and $F_d(\mathcal{P}) := \{(h_1, h_2) \mid (h_1 \xrightarrow{e} h_1') \implies (\exists e' \in E,\ h_2'.\ h_2 \xrightarrow{e'} h_2' \wedge h_1' \equiv_{\mathcal{P}} h_2')\} \cap \mathcal{P}$ [27]:
$$W_0 = F_t(Q/\!\sim), \qquad \forall i \ge 0,\ W_{i+1} = F_t(F_d(W_i)) \qquad (1)$$
This iteration (equivalently, Alg. 1) does not necessarily terminate for hybrid systems because the reach set might intersect a given block of $Q/\!\sim$ an infinite number of times (see [17] for an example). The class of systems introduced in the next section has the property that Algorithm 1 does terminate for it and returns a finite $S$.

2.2 O-minimality and STORMED systems

We give a very brief introduction to o-minimal structures. A more detailed introduction can be found in [17] and references therein. We are interested in sets and functions in $\mathbb{R}^n$ that enjoy certain finiteness properties, called order-minimal (o-minimal) sets. These are defined inside structures $\mathcal{A} = (\mathbb{R}, <, +, -, \cdot, \exp, \ldots)$. The subsets $Y \subset \mathbb{R}^n$ we are interested in are those that are definable using first-order formulas $\varphi$: $Y = \{(a_1, \ldots, a_n) \in \mathbb{R}^n \mid \varphi(a_1, \ldots, a_n)\}$. (First-order formulas use the boolean connectives and the quantifiers $\exists, \forall$.) The atomic propositions from which the formulas are recursively built allow only the operations of the structure $\mathcal{A}$ on the real variables and constants, and the relations of $\mathcal{A}$ and equality. For example $2x - 3.6y < 3z$ and $x = y$ are valid atomic propositions of the structure $\mathcal{L}_{\mathbb{R}} = (\mathbb{R}, <, +, -, \cdot)$, while $\cosh(x) < 3z$ is not because $\cosh$ is not in the structure. These structures are already sufficient to describe a set of dynamics rich enough for our purposes and for various classes of linear systems.

Footnote 1: I.e., $F_t$ only considers the continuous transition relation. Namely, it is a bisimulation of $T^c_H := (Q/\!\sim, \{*\}, \xrightarrow{\tau}, Q_0/\!\sim)$.

Definition 2.5. A theory of $(\mathbb{R}, \ldots)$ is o-minimal if the only definable subsets of $\mathbb{R}$ are finite unions of points and (possibly unbounded) intervals. A function $f : x \mapsto f(x)$ is o-minimal if its graph $\{(x, y) \mid y = f(x)\}$ is a definable set.

We use the terms o-minimal and definable interchangeably, and they refer to $\mathcal{L}_{\exp} = (\mathbb{R}, <, +, -, \cdot, \exp)$, which is known to be o-minimal. The dot product between $x, y \in \mathbb{R}^n$ is denoted $x \cdot y$, and $d(Y, S) = \inf\{\|y - s\| \mid (y, s) \in Y \times S\}$.

Definition 2.6. [27]. A STORMED hybrid system (SHS) $\Sigma$ is a tuple $(H, \mathcal{A}, \phi, b_-, b_+, d_{min}, \epsilon, \zeta)$ where $H$ is a hybrid automaton, $\mathcal{A}$ is an o-minimal structure, $d_{min}, \epsilon, \zeta$ are positive reals, $b_-, b_+ \in \mathbb{R}$ and $\phi \in X$ such that:

(S) The system is $d_{min}$-separable, meaning that for any $e = (\ell, \ell') \in E$ and $\ell'' \neq \ell'$, $d(R_e(G_{(\ell,\ell')}), G_{(\ell',\ell'')}) > d_{min}$ (see footnote 2).

(T) The flows (i.e., the solutions of the ODEs) are Time-Independent with the Semi-Group property (TISG), meaning that for any $\ell \in L$, $x \in X$, the flow $\theta_\ell$ starting at $(\ell, x)$ satisfies: 1) $\theta_\ell(0; x) = x$, 2) for every $t, t' \ge 0$, $\theta_\ell(t + t'; x) = \theta_\ell(t'; \theta_\ell(t; x))$.

(O) All the sets and functions of $H$ are definable in the o-minimal structure $\mathcal{A}$.

(RM) The resets and flows are monotonic with respect to the same vector $\phi$, meaning that
1) (Flow monotonicity) for all $\ell \in L$, $x \in X$ and $t, \tau \ge 0$, $\phi \cdot (\theta_\ell(t+\tau; x) - \theta_\ell(t; x)) \ge \epsilon \|\theta_\ell(t+\tau; x) - \theta_\ell(t; x)\|$, and
2) (Reset monotonicity) for any edge $(\ell, \ell') \in E$ and any $x_-, x_+ \in X$ s.t. $x_+ = R_{\ell,\ell'}(x_-)$,
  1. if $\ell = \ell'$, then either $x_- = x_+$ or $\phi \cdot (x_+ - x_-) \ge \zeta$;
  2. if $\ell \neq \ell'$, then $\phi \cdot (x_+ - x_-) \ge \epsilon \|x_+ - x_-\|$.

(ED) Ends are Delimited: for all $e \in E$ we have $\phi \cdot x \in (b_-, b_+)$ for all $x \in G_e$.

Intuitively, the above conditions imply that the trajectories of the system always move a minimum distance along $\phi$, whether flowing or jumping, which guarantees that no area of the state space will be visited infinitely often. This is at the root of the finiteness properties of STORMED systems. The following result justifies the interest in STORMED systems: they admit finite bisimulations.

Theorem 2.1. [27] Let $H$ be a STORMED hybrid system, and let $\mathcal{P}$ be an o-minimal partition of its hybrid state space. Then $H$ admits a finite bisimulation that respects $\mathcal{P}$.

Footnote 2: The original definition of separability [27] required the guards themselves to be separated, which is insufficient to guarantee that if $H$ flows, it flows a uniform minimum distance along $\phi$. Indeed assume the guards are separated. If $x \in G_{(\ell,\ell')}$ and $y = R_{(\ell,\ell')}(x)$, it can be that $y \in G_{(\ell',\ell'')}$ and thus a jump happens, even though $G_{(\ell,\ell')}$ and $G_{(\ell',\ell'')}$ are separated. Therefore we need $d(y, G_{\ell',\ell''}) > d_{min}$ for all $y \in R_e(G_e)$, which is the condition we use in Def. 2.6. The properties of SHS, in particular the existence of finite bisimulation, are therefore preserved by this change.

[Figure 3: When the ICD makes a VT/SVT decision, all systems transition to mode End. The transition is guarded by VT/SVT? and mode End has $\dot{t} = 0$.]

We need the following result in what follows.

Proposition 2.1. If the state space $X$ of a hybrid automaton $H$ is bounded, then its guards have delimited ends.

Proof. For all guard sets $G$ and all $x \in G$, $|\phi \cdot x| \le \|\phi\| \cdot \|x\| \le \|\phi\| \cdot \max\{\|x\| \mid x \in X\} < \infty$.

3. HEART MODEL

For the verification of ICDs, we adopt the cellular automata (CA)-based heart model developed in [24], [7]. This model lies in between high-spatial-fidelity but slow-to-compute PDE-based whole heart models [26], and low-spatial-fidelity but very fast-to-compute automata-based models [20]. PDE-based models are not currently amenable to formal verification, both theoretically and practically. Models based on ionic currents [13] might be more accurate but are likely to be more computationally expensive. Timed automata models cannot simulate the electrograms needed for ICD verification. CA-based models are appealing due to their intuitive correspondence with the heart's anatomy and function and their relative computational simplicity. CA-based models were used in [18], [2] and [6]. This paper's model also has the important advantage of forming the basis of software used to train electrophysiologists, and allows interactive simulation of surgical procedures like ablation [23]. In particular, it can simulate fibrillation and other tachycardias.

This paper's automata: All hybrid automata in this paper have the whole state space as invariants, and transitions are urgent (taken immediately when the guard is enabled). We also observe that, as will be seen in Section 5, i) the ICD will always reach a decision of VT or SVT in finite time, ii) at which point it resets its controlled (software) variables so new values are computed for the next arrhythmia episode. So while the heart can beat indefinitely, for the purposes of ICD verification there is a uniform upper bound on the length of time of any execution. Let $D \ge 0$ be this duration ($D$ is on the order of 30 sec depending on device settings). Also, the electrogram (EGM) voltage signal $s$ has upper and lower bounds $\overline{s}$ and $\underline{s}$. Therefore, every mode of every automaton in what follows has a transition to mode End shown in Fig. 3. We don't show these transitions in the automata figures to avoid congestion.

3.1 Cellular automata model

The heart has two upper chambers called the atria and two lower chambers called the ventricles (Fig. 1). The synchronized contractions of the heart are driven by electrical activity. Under normal conditions, the SinoAtrial (SA) node (a tissue in the right atrium) spontaneously depolarizes, producing an electrical wave that propagates to the atria and then down to the ventricles (Fig. 2). In this model, the myocardium (heart's muscle) is treated as a 2D surface (so it has no depth), and discretized into cells, which are simply regions of the myocardium (Fig. 2). Thus we end up with $N^2$ cells in a square $N$-by-$N$ grid. A cell's voltage changes in reaction to current flow from neighboring cells, and in response to its own ion movements across the cell membrane. This results in an Action Potential (AP).

[Figure 4: Hybrid model $H_c$ of one cell of the heart model. AP figure from [11]. $V_{th,2} > V_{th}$, $V_{max,2} < V_{max}$. Modes: Phase 4, Phase 0, Phase 1, Phase 2, Phase 3 - ERP, Phase 3 - RRP, Upstroke 2. Every mode has $\dot{t} = 1$ and $\dot{t}_p = 0$; the mode flows recoverable from the figure are $\dot{V}(i,j) = 0$, $\dot{V}(i,j) = a(i,j) \cdot V$, $\dot{V}(i,j) = b$ ($b > 0$), $\dot{V}(i,j) = d$ ($d > 0$), $\dot{V}(i,j) = d_2$ ($d_2 < d$) and $\dot{V}(i,j) = g$ ($g > 0$). Guards compare $V(i,j)$ against $V_{th}$, $V_{max}$, $V_{min}$, $V_{th,2}$ and $V_{max,2}$ (e.g. $V(i,j) > V_{th}$?, $V(i,j) > V_{max}$?) and the elapsed time $t - t_p$ against $D_{Ph1}$ and $PD$; each transition resets $t_p \leftarrow t$.]

Fig. 4 shows how the AP is generated by a given cell [15]: in its quiescent mode (Phase 4), a cell $(i, j)$ in the grid has a cross-membrane voltage $V(i, j, t)$ equal to $V_{min} < 0$. As it gathers charge, $V(i, j, t)$ increases until it exceeds a threshold voltage $V_{th}$. The voltage then experiences a very fast increase (Phase 0), called the upstroke, to a level $V_{max} > 0$, after which it decreases (Phase 1) to a plateau (Phase 2). It stays at the plateau level for a certain amount of time $PD$, then decreases linearly to below $V_{th}$ (Phase 3 - ERP). Once below $V_{th}$ it is said to be in the Relative Refractory Period (Phase 3 - RRP). In Phase 3 - RRP, the cell can be depolarized a second time, albeit at a higher threshold $V_{th,2}$, more slowly and to a lower plateau level $V_{max,2} < V_{max}$ (Upstroke 2). Otherwise, when the voltage reaches $V_{min}$ again, the cell enters the quiescent stage again. This model is suitable for both pacemaker and non-pacemaker cells, the main differences being in the duration of the plateau (virtually non-existent for pacemaker cells), and the duration of phases 0 and 4 (both are shorter for pacemaker cells).

In Fig. 4, $V(i, j) \in \mathbb{R}$ denotes the voltage in cell $(i, j)$ of the grid, and $V = (V(1,1), \ldots, V(N,N))^T \in \mathbb{R}^{N^2}$ groups the cross-membrane voltages of all cells in the heart. The whole heart model $H_{CA}$ is the parallel composition of these $N^2$ single-cell models. The $(i,j)$th cell's voltage at time $t$ in Phase 4 depends on that of its neighbors and its own as follows [24]:
$$\dot{V}(i, j, t) = \frac{1}{R_h}\left[V(i-1, j, t) + V(i+1, j, t) - 2V(i, j, t)\right] + \frac{1}{R_v}\left[V(i, j-1, t) + V(i, j+1, t) - 2V(i, j, t)\right] = a(i, j)^T V(t), \quad a(i, j) \in \mathbb{R}^{N^2} \qquad (2)$$
where $R_h, R_v$ are conduction constants that can vary across the myocardium. Thus $V$ evolves according to a linear ODE $\dot{V} = AV$ where $A$ is the matrix whose rows are the $a(i, j)$. The two states $t$ and $t_p$ are clocks. Clock $t_p$ keeps track of the time of the last discrete jump. We will use this arrangement in all our models: it avoids resetting the clocks, which preserves Reset Monotonicity.

ICDs observe the electrical activity through three channels (Fig. 1). Each signal is called an electrogram (EGM) signal. The signal read on a channel is given by [7]:
$$s(t) = \frac{1}{K} \sum_{i,j} \left( \frac{1}{\|p_{i,j} - p_0\|} - \frac{1}{\|p_{i,j} - p_1\|} \right) \dot{V}(i, j, t) \qquad (3)$$
where $\|\cdot\|$ is the Euclidean norm, $p_0$ and $p_1$ are the electrodes' positions and $p_{i,j}$ is the position of the $(i,j)$th cell on the 2D myocardium ($p_0, p_1, p_{i,j} \in \mathbb{R}^2$). Positions $p_0, p_1$ should be chosen different from $p_{i,j}$ to avoid infinities.
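To make equations (2) and (3) concrete, here is an added example (not the authors' code) that assembles the coupling matrix $A$ of $\dot{V} = AV$ for an $N$-by-$N$ grid and evaluates the electrogram from it. The zero-flux treatment of border cells, the unit cell pitch and the electrode positions are assumptions of this example; the paper does not state a boundary rule.

```python
# Added example (not the authors' code): the Phase-4 coupling matrix A of
# equation (2) for an N-by-N grid and the electrogram s of equation (3),
# evaluated from V-dot = A V. Border cells are assumed to have no neighbour
# on the missing side, so that term (and its -V(i,j) part) is dropped.
import math


def idx(i, j, n):
    """Row-major index of cell (i, j), 0 <= i, j < n, in the stacked vector V."""
    return i * n + j


def coupling_matrix(n, rh, rv):
    """Matrix A with V-dot = A V in Phase 4 (equation 2): row (i,j) encodes
    (1/Rh)[V(i-1,j) + V(i+1,j) - 2V(i,j)] + (1/Rv)[V(i,j-1) + V(i,j+1) - 2V(i,j)].
    The neighbour relation is symmetric, so A is symmetric and its rows
    (and columns) sum to zero."""
    size = n * n
    A = [[0.0] * size for _ in range(size)]
    for i in range(n):
        for j in range(n):
            r = idx(i, j, n)
            for di, dj, res in ((-1, 0, rh), (1, 0, rh), (0, -1, rv), (0, 1, rv)):
                ni, nj = i + di, j + dj
                if 0 <= ni < n and 0 <= nj < n:       # assumed zero-flux border
                    A[r][idx(ni, nj, n)] += 1.0 / res
                    A[r][r] -= 1.0 / res
    return A


def egm_weights(n, p0, p1, cell_pitch=1.0):
    """w(i,j) = 1/||p_ij - p0|| - 1/||p_ij - p1|| with cell (i,j) placed at
    (i*pitch, j*pitch) in the 2D myocardium plane (assumed layout)."""
    w = []
    for i in range(n):
        for j in range(n):
            p = (i * cell_pitch, j * cell_pitch)
            d0, d1 = math.dist(p, p0), math.dist(p, p1)
            if d0 == 0.0 or d1 == 0.0:
                raise ValueError("electrodes must not coincide with a cell")
            w.append(1.0 / d0 - 1.0 / d1)
    return w


def electrogram(V, A, w, K):
    """s = (1/K) * sum_ij w(i,j) * Vdot(i,j), with Vdot = A V (equation 3)."""
    vdot = [sum(a * v for a, v in zip(row, V)) for row in A]
    return sum(wi * vi for wi, vi in zip(w, vdot)) / K


def euler_step(V, A, dt):
    """One forward-Euler step of V-dot = A V (for illustration only; this is
    not the paper's integrator). Total charge sum(V) is preserved because the
    columns of A sum to zero."""
    return [v + dt * sum(a * u for a, u in zip(row, V)) for v, row in zip(V, A)]


if __name__ == "__main__":
    n, rh, rv = 4, 1.0, 2.0
    A = coupling_matrix(n, rh, rv)
    w = egm_weights(n, p0=(1.5, -1.0), p1=(1.5, 4.0))   # electrodes off-grid
    V = [-80.0] * (n * n)                                # resting cells (mV)
    V[idx(1, 1, n)] = 20.0                               # one depolarized cell
    for step in range(3):
        print(f"t={step * 0.01:.2f}  s={electrogram(V, A, w, K=1.0):+.3f}")
        V = euler_step(V, A, 0.01)
```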

Extensions. The Action Potential Duration (APD) restitution mechanism of heart cells as modeled in [24] can be included in this model without changing its formal properties. More detailed APD restitution models exist [10]. Also, note that cell topology (the way cells are connected to each other) is not a factor in determining the STORMED property, so other topologies than a rectangular mesh may be used.

We now state and prove the main result of this section.

Theorem 3.1. Let $H_{CA}$ be the whole heart cellular automaton model obtained by parallel composition of $N^2$ models $H_c$ with state vector $x = [V, t, t_p, s] \in \mathbb{R}^{N^2} \times \mathbb{R}^3$. Assume that all executions of the system have a duration of $D \ge 0$. Then $H_{CA}$ is STORMED.

Proof. We verify each property of STORMED. In this and all the proofs that follow, the approach is the same: (ED) holds by Prop. 2.1 because our state spaces are bounded. After establishing properties (S), (T) and (O), we draw up the constraints on $\phi$ and $\varepsilon$ imposed by reset and flow monotonicity (property (RM)). Then we argue that these constraints can be solved for $\phi$ and $\varepsilon$. Often there is more than one solution and we just point to one.

(S) Separability holds because $V_{min} < V_{th} < V_{th,2} < V_{max,2} < V_{max}$ and $PD > 0$, $D_{Ph1} > 0$. For example, on transition Phase 4 → Phase 0, $V(i, j) = V_{th}$, which is separated from the next guard $\{V(i, j) > V_{max}\}$ by $|V_{max} - V_{th}|$.

(T) All flows are linear or exponential and thus are TISG.

(O) The flows, resets and guard sets are all definable in $\mathcal{L}_{\exp}$. In particular the flow of $\dot{V} = AV$ is exponential with real exponent, and $s$ is a sum of exponentials and linear terms.

(RM) We seek a vector $\phi = (\phi_V, \phi_t, \phi_p, \phi_s)^T \in \mathbb{R}^{N^2+3}$ such that resets and flows are monotonic along $\phi$. Only transitions $p \to q \neq p$ are to be found in $H_{CA}$, during which only $t_p$ is reset. Always, $t_p^+ = t \ge t_p^-$, thus the reset is indeed monotonic as can be seen by choosing any $\varepsilon > 0$ and $\phi_p > \varepsilon$.

Monotonic flows: $\phi$ must also be such that in all modes:
$$\phi \cdot (\theta_\ell(t+\tau; x) - \theta_\ell(t; x)) \ge \varepsilon \|\theta_\ell(t+\tau; x) - \theta_\ell(t; x)\|$$
Decomposing, we want
$$\phi_V \cdot (V(t+\tau) - V(t)) + \phi_t \tau + \phi_p \cdot 0 + \phi_s \cdot (s(x, t+\tau) - s(x, t)) \ge \varepsilon \|\theta_\ell(x, t+\tau) - \theta_\ell(x, t)\| \qquad (4)$$

[Figure 5: $H_{Sense}$. States not shown in a mode have a 0 derivative, e.g., $\dot{eF} = 0$ in all modes. Modes: Peak Tracking, Blanking, Exponential Decay; in every mode $\dot{t} = 1$, $\dot{t}_p = 0$, $\dot{Th} = 0$, and in Exponential Decay $Th = \max\{minTh, decTh\}$ with $decTh := Th_0 \cdot \exp\{-(eF/TC)\, t\}$. Initially $y := |s|$, $Th, Th_0 \leftarrow minTh$, $t, t_p \leftarrow 0$. Transitions: Peak Tracking self-loop on $\dot{y} == 0 \wedge \ddot{y} < 0$? with $y_M \leftarrow y$, $f \leftarrow 1$; Peak Tracking → Blanking on $t - t_p \ge MinTP \wedge f == 1$? with $eF \leftarrow -(1/3) \ln\{minTh/Th\}$, $Th, Th_0 \leftarrow (3/4)\, y_M$, $t_p \leftarrow t$; Blanking → Exponential Decay on $t - t_p \ge BlankingPeriod$? with $t_p \leftarrow t$; Exponential Decay → Peak Tracking on $(y \ge Th) \wedge (t - t_p \ge MinDecP)$? with $t_p \leftarrow t$, $y_M \leftarrow 0$, $f \leftarrow 0$.]

[Figure 6: Example of dynamic threshold adjustment in ICD sensing algorithm. The shown signal is rectified. Axes: Seconds (ms), 9100 to 10000; Amplitude (mV), 0 to 500. Traces: Ventricular Signal, Event, Threshold, Threshold Minimum; the Blanking Period and the Minimum Threshold are annotated.]

Now note that all flows have bounded derivatives in every bounded duration of flow and are thus Lipschitz. Let $L_V$ be the Lipschitz constant of $V(t)$ and $L_s$ that of $s(t)$. Then on the LHS of the above inequality we have $\phi_V \cdot (V(t+\tau) - V(t)) + \phi_s \cdot (s(t+\tau) - s(t)) \ge -\phi_V L_V \tau - \phi_s L_s \tau$. On the RHS we have $\varepsilon(L_V \tau + L_s \tau + \tau) \ge \varepsilon(\|V(t+\tau) - V(t)\| + \|s(t+\tau) - s(t)\| + \tau) \ge \varepsilon \|\theta_\ell(x, t+\tau) - \theta_\ell(x, t)\|$. Thus (4) is satisfied if the stronger inequality
$$-\phi_V L_V \tau - \phi_s L_s \tau + \phi_t \tau \ge \varepsilon(L_V \tau + L_s \tau + \tau)$$
is satisfied. But this can be achieved by, for example, choosing $\phi_V = \phi_s = 0$ and $\phi_t \ge \varepsilon(L_V + L_s + 1)$.

(ED) Our system has bounded state spaces: $V$ and $s$ are voltages typically in the range $[-80, 60]$ mV and $t_p \le t \le D$. So (ED) holds by Prop. 2.1.

4. ICD SENSING

Sensing is the process by which cardiac signals $s$ measured through the leads of the ICD are converted to cardiac timing events. The ICD sensing algorithm is a threshold-based algorithm which declares events when the signal exceeds a dynamically-adjusted threshold $Th$.

Fig. 5 shows the model $H_{Sense}$ of the sensing algorithm, and Fig. 6 illustrates its operation. The sensing takes place on the rectified EGM signal $y = |s|$. After an event is declared at the current threshold value ($y(t) \ge Th(t)$ in Fig. 5), the algorithm tracks the signal in order to measure the next peak's amplitude (Peak Tracking). For a duration $MinTP$ (min tracking period) the latest peak is saved in $y_M$. A variable $f$ indicates that a peak was found. After a peak is found ($f == 1$) and after the end of the tracking period, the algorithm enters a fixed Blanking Period (Blanking), during which additional events are ignored. On the transition to Blanking, $Th$ and $Th_0$ are set to 3/4 the current value of $y_M$ and the exponential factor of decay is updated ($eF = -\frac{1}{3} \ln \frac{minTh}{Th}$). At the end of the blanking period, the algorithm then transitions to the Exponential Decay mode in which $Th$ decays exponentially from $Th_0$ to a minimum level (Exponential Decay): $Th(t) = \max(minTh, Th_0 \cdot \exp(-(eF/TC)\, t))$. The algorithm stays in the Exponential Decay mode for at least a sampling period of $MinDecP$. Correspondingly, there is a de facto Maximum Decay Period $MaxDecP$ after which the system transitions again to PeakTracking, since the signal $y$ is bound to exceed the minimum threshold $minTh$. Different manufacturers may use a step-wise decay instead of exponential, but the principle is the same. Local peak detection is modeled via the $\dot{y} = 0 \wedge \ddot{y} < 0$ transition. While $y = |s|$ is non-differentiable at 0, the peak will occur away from 0, as shown in Fig. 6. The other states in Fig. 5 are $t, t_p$ (clocks). $minTh$ and $TC$ are constant parameters.
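The following added example (not the authors' code) replays the sensing automaton of Fig. 5 in discrete time over a constructed rectified EGM, so that the effect of the decaying threshold (a small deflection shortly after a sensed beat is rejected, while later beats are sensed) can be observed. The parameter values, the triangular test spikes, the sample period, and the use of elapsed time $t - t_p$ in the decay law are assumptions of this example.

```python
# Added example (not the authors' code): a discrete-time re-implementation of
# the dynamic-threshold sensing automaton H_Sense of Fig. 5, run on a
# constructed rectified EGM y = |s| sampled every 1 ms. All parameter values
# and the test signal are assumptions made for this illustration.
import math

MIN_TH = 0.3          # minTh: floor of the threshold (mV), assumed
TC = 100.0            # TC: decay time constant (ms), assumed
MIN_TP = 40.0         # MinTP: minimum peak-tracking period (ms), assumed
BLANKING = 120.0      # BlankingPeriod (ms), assumed
MIN_DEC_P = 50.0      # MinDecP: minimum dwell in Exponential Decay (ms), assumed
DT = 1.0              # sample period (ms), assumed


def make_signal(n_samples, spikes, width=10):
    """Constructed rectified EGM: zero baseline plus triangular spikes given as
    (onset_ms, amplitude_mV), each rising and falling over `width` ms."""
    y = [0.0] * n_samples
    for onset, amp in spikes:
        for d in range(2 * width + 1):
            if onset + d < n_samples:
                y[onset + d] = amp * (d if d <= width else 2 * width - d) / width
    return y


def sense(y):
    """Run H_Sense over the samples of y.
    Returns (event_times_ms, threshold_trace) where threshold_trace[k] is Th
    after processing sample k."""
    mode = "ExponentialDecay"
    th = th0 = MIN_TH                  # Th, Th0 <- minTh (initial values)
    ef, ym, f, tp = 0.0, 0.0, 0, 0.0   # eF, yM, f, clock tp (never reset to 0)
    events, trace = [], []
    for k, yk in enumerate(y):
        t = k * DT
        if mode == "ExponentialDecay":
            # Th(t) = max(minTh, Th0 * exp(-(eF/TC) * elapsed)); elapsed time
            # t - tp is assumed here, since Th0 is fixed at the last jump.
            th = max(MIN_TH, th0 * math.exp(-(ef / TC) * (t - tp)))
            if yk >= th and t - tp >= MIN_DEC_P:        # event declared
                events.append(t)
                mode, tp, ym, f = "PeakTracking", t, 0.0, 0
        elif mode == "PeakTracking":
            # local maximum (y' = 0 and y'' < 0) as a sign change of the
            # first difference; the latest peak overwrites yM
            if k >= 2 and y[k - 1] > y[k - 2] and y[k - 1] >= yk:
                ym, f = y[k - 1], 1
            if t - tp >= MIN_TP and f == 1:
                th = th0 = 0.75 * ym                    # Th, Th0 <- (3/4) yM
                # eF = -(1/3) ln(minTh/Th), taken from the updated Th (assumed):
                # with this choice Th reaches minTh exactly 3*TC after the
                # blanking period ends, which is the de fac to MaxDecP.
                ef = -(1.0 / 3.0) * math.log(MIN_TH / th)
                mode, tp = "Blanking", t
        elif mode == "Blanking":
            if t - tp >= BLANKING:
                mode, tp = "ExponentialDecay", t
        trace.append(th)
    return events, trace


# Constructed test rhythm: a large beat, two small deflections that fall
# inside the decaying threshold, then three more beats of varying amplitude.
SPIKES = [(100, 4.0), (300, 0.5), (350, 1.0), (500, 3.0), (900, 3.5), (1300, 1.0)]


def example_events():
    events, _ = sense(make_signal(1500, SPIKES))
    return events


if __name__ == "__main__":
    events, trace = sense(make_signal(1500, SPIKES))
    print("sensed events at (ms):", events)     # [101.0, 502.0, 902.0, 1305.0]
    print("threshold at 300 ms: %.3f mV" % trace[300])
```

The spikes at 300 ms and 350 ms are not sensed because the threshold is still decaying from $3/4$ of the first peak; the 1.0 mV beat at 1300 ms is sensed only once the threshold has decayed below it.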

Theorem 4.1. $H_{Sense}$ is STORMED.

Proof. (S) By definition, we only need to consider transitions between different modes to establish separability. For all such transitions, there is a minimum dwell time in the mode before taking the transition, namely $MinTP$ in PeakTracking, $BlankingPeriod$ in Blanking, and $MinDecP$ in mode ExponentialDecay. So the system is separable since there is a uniform minimum flow before jumping.

(T) Flows are either constant, (piece-wise) linear, or piece-wise linear and exponential (in the case of $y$ and its derivatives) and therefore are TISG.

(O) All the flows, resets and guard sets are definable in $\mathcal{L}_{\exp}$. (The absolute value and max functions can be broken down into boolean disjunctions of definable functions, and $t \mapsto \ln(t)$ is o-minimal by o-minimality of $\exp$.)

(RM) The state is $x = (t, t_p, y, y_M, f, Th, Th_0, eF) \in \mathbb{R}^8$, and let $\phi = (\phi_t, \phi_p, \phi_y, \phi_m, \phi_f, \phi_{Th}, \phi_0, \phi_{eF})$ be the corresponding $\phi$ vector. Recall that the EGM voltage $s$, and so $y = |s|$, is upper-bounded by $V_M$.

ExponentialDecay → PeakTracking. Only $t_p$, $y_M$ and $f$ are modified, so monotonicity produces the constraint
$$\phi_p(t - t_p) + \phi_m(0 - y_M) + \phi_f(0 - 1) \overset{\text{want}}{\ge} \varepsilon(|t - t_p| + |y_M| + 1).$$
We require the stronger constraint to hold:
$$\phi_p\, MinDecP - \phi_m V_M - \phi_f \overset{\text{want}}{\ge} \varepsilon(MaxDecP + V_M + 1)$$

PeakTracking → PeakTracking. Only $y_M$ and $f$ are reset. Algebraic manipulation yields $-2V_M\phi_m + \phi_f \overset{\text{want}}{\ge} \zeta$.

PeakTracking → Blanking. $t_p, eF, Th$ and $Th_0$ are reset, so we get
$$\phi_p(t - t_p) + \phi_{eF}\left(-\tfrac{1}{3}\ln(minTh/Th) - eF\right) + \phi_{Th}(3y_M/4 - Th) + \phi_0(3y_M/4 - Th_0) \ge \varepsilon\left(|t - t_p| + \left|-\tfrac{1}{3}\ln\tfrac{minTh}{Th} - eF\right| + \left|\tfrac{3y_M}{4} - Th\right| + \left|\tfrac{3y_M}{4} - Th_0\right|\right)$$
$Th$ is lower-bounded by $minTh$ at all times, and it is naturally upper-bounded by $V_M$ as the threshold should never exceed the largest possible attainable voltage. By the same token, $0 \le eF \le (1/3)\ln(V_M/minTh)$. Then we want the stronger inequality
$$\phi_p\, MinTP + \phi_{eF}\left(0 - \tfrac{1}{3}\ln(V_M/minTh)\right) + \phi_{Th}(-V_M) + \phi_0(-V_M) \ge \varepsilon\left(MaxTP + \left|\tfrac{1}{3}\ln\tfrac{V_M}{Th}\right| + |V_M| + |V_M|\right)$$

Blanking → ExponentialDecay. Only $t_p$ is reset and therefore we want $\phi_p(t - t_p) \ge \varepsilon|t - t_p|$; thus the transition yields $\phi_p \ge \varepsilon$.

The above equations can be simultaneously satisfied. The simplest thing would be to set all $\phi$ terms that appear above to 0 except for $\phi_t, \phi_p$, which are calculated accordingly.

The flows can be shown to be monotonic along the same $\phi$ and with the same $\varepsilon$. For example, in mode ExponentialDecay, only $t$, $y$ and $Th$ flow. Making use of the $V_M$ bound on $y$, we get the constraint $\phi_t \tau - 2V_M\phi_y + \phi_{Th}(Th(t+\tau) - Th(t)) \ge \varepsilon(\tau + 2V_M + |Th(t+\tau) - Th(t)|)$, which yields $\phi_t \ge \varepsilon$, $\phi_y \le -\varepsilon$ and $\phi_{Th} \ge \varepsilon$. Similarly for the rest.

5. ARRHYTHMIA DETECTION

Ventricular Tachycardia (VT) is an example of a tachycardia originating in the ventricles, in which the ventricles spontaneously beat at a very high rate. If the VT is sustained, or degenerates into Ventricular Fibrillation (VF), it can be fatal. A tachycardia that originates above the ventricles is referred to as a SupraVentricular Tachycardia (SVT) and is a diseased but non-fatal condition. In what follows, we will refer to sustained VT and VF together as VT. The ICD's main task is to discriminate VT from SVT and deliver therapy to the former only.

Most VT/SVT detection algorithms found in ICDs today are composed of individual discriminators. A discriminator is a software function whose task is to decide whether the current arrhythmia is SVT or VT. No one discriminator can fully distinguish between SVT and VT. Thus a detection algorithm is often a decision tree built using a number of discriminators running in parallel. The detection algorithm of Boston Scientific is shown in Fig. 7 [3]. We have modeled each discriminator in this detection algorithm as a STORMED hybrid system. The algorithm itself is then a hybrid system. The ICD system is thus $H_{ICD} = H_{Sense} \,\|\, H_{Detection\text{-}Algo}$, where $H_{Detection\text{-}Algo}$ is the parallel composition of the discriminator systems. In what follows, we present three of the discriminators we modeled, which are found in most ICDs; we model them as hybrid systems and prove they are STORMED.

5.1 Three Consecutive Fast Intervals

Our first module simply detects whether three consecutive fast intervals have occurred, where 'fast' means the interval length, measured between 2 consecutive peaks on the EGM signal, is shorter than some pre-set amount. See Fig. 8. States $t$ and $t_p$ are clocks as before. The vector $L_3$ is three-dimensional, and stores the values of the last three intervals. The event VEvent? is shorthand for the transition $y(t) \ge Th$ being taken by the $H_{Sense}$ automaton. In other words, it indicates a ventricular event. Then $L_3$ gets reset to $L_3^+ = (z_1, z_2, z_3)^+ := Circulate(L_3, t - t_p)$ where

$$L_3^+ = \begin{pmatrix} z_2 \\ z_3 \\ t - t_p \end{pmatrix} = \begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \\ 0 & 0 & 0 \end{pmatrix} L_3 + \begin{pmatrix} 0 \\ 0 \\ t - t_p \end{pmatrix} \qquad (5)$$

[Figure 7: Boston Scientific's detection algorithm (RhythmID). Initial Detection on the last 10 ventricular intervals: 8/10 intervals faster than the VT threshold, 8/10 intervals faster than the VF threshold; then VT Duration / VF Duration; then V rate > A rate by at least 10 bpm, VTC Correlated, A-fib Rate = TRUE & V rate unstable; each Yes/No branch ends in VT# or SVT#.]

[Figure 8: Three Consecutive Fast Intervals $H_{TCFI}$. Flow: $\dot t = 1$, $\dot t_p = 0$, $\dot L_3 = 0$. On VEvent?: $t_p \leftarrow t$, $L_3 \leftarrow Circulate(L_3, t)$.]

Lemma 5.1. $H_{TCFI}$ is STORMED.

Proof. We show that the resets are monotonic; the other properties are easily checked. For reset monotonicity, we invoke the fact that there is a minimum beat-to-beat separation: heartbeats can't follow one another with vanishingly small delays. In other words, there exists $m > 0$ such that $t - t_p^- > m$. Similarly, there's a maximum delay between two heartbeats, call it $B$. Now, we seek a vector $\phi \in \mathbb{R}^5$ s.t.

$$\phi \cdot \begin{pmatrix} t - t \\ t - t_p \\ L_3^+ - L_3 \end{pmatrix} = \phi_p(t - t_p) + \phi_{L_3} \cdot \underbrace{\begin{pmatrix} z_2 - z_1 \\ z_3 - z_2 \\ t - t_p - z_3 \end{pmatrix}}_{\delta} \ \overset{\text{Want}}{\ge}\ \zeta > 0 \qquad (6)$$

Now $|\delta|$ is upper bounded by $\sqrt{3 \cdot (2B)^2}$ since each element is the difference of intervals shorter than $B$. Also, $t - t_p^- > m > 0$. So choose $\phi_{L_3} = (\phi_{z,1}, \phi_{z,2}, \phi_{z,3}) > 0$ element-wise. (6) is satisfied if the following stronger inequality is satisfied, which can be achieved by an appropriate choice of $\phi_{z,i}$: $\phi_p m \ge \zeta + \sqrt{12 B^2} \sum_{i=1}^{3} \phi_{z,i}$.

5.2 Vector Timing Correlation

It has been clinically observed that a depolarization wave originating in the ventricles (as produced during VT for example) will in general produce a different EGM morphology than a wave originating in the atria (as produced during SVT) [3]. See Fig. 9. A morphology discriminator measures the correlation between the morphology of the current EGM and that of a stored template EGM acquired during normal sinus rhythm. If the correlation is above a pre-set threshold for a minimum number of beats, then this is an indication that the current arrhythmia is supraventricular in origin. Otherwise, it might be of ventricular origin.

[Figure 9: EGMs of different origin have different morphologies (NSR Template against a Ventricular Origin Electrogram; NSR Template against an Atrial Origin Electrogram). The correlation of an EGM with respect to a stored EGM template is used to determine the origin.]

[Figure 10: VTC calculation, modes IDLE and Calculate VTC. IDLE: $\dot t = 0$, $\dot\mu = \dot\alpha = \dot\beta = 0$, $\dot\rho = 0$, $\dot w = 0$; the guard $L_3 \le th$? enters Calculate VTC. Calculate VTC: $\dot t = 1$, $\dot\mu = \dot\alpha = \dot\beta = 0$, $\dot\rho = 0$, $w$ decreases at rate $\gamma$ (as used in the proof of Lemma 5.2); resets $R2_i$ on $t == i \cdot T_s$?: $\mu \leftarrow \mu + s(t)$, $\alpha \leftarrow \alpha + s(t) s_m(t)$, $\beta \leftarrow \beta + s(t)^2$, $w \leftarrow 1$; R1 on WindowEnds & $\rho_{new} < th$?: $\vec\nu \leftarrow Circulate(\vec\nu, -1)$, $t, \mu, \alpha, \beta \leftarrow 0$, $w \leftarrow 1$; R3 on WindowEnds & $\rho_{new} \ge th$?: $\vec\nu \leftarrow Circulate(\vec\nu, 1)$, $t, \mu, \alpha, \beta \leftarrow 0$, $w \leftarrow 1$; a further edge is labelled DurationEnds?. $iT_s$ is the sampling time for the $i$th fiducial point, $i = 1, \ldots, 8$. $R2_1, \ldots, R2_8$ are the corresponding resets. For clarity of the figure, 8 transitions are represented on the same edge.]

Boston Scientific's implementation of a morphology discriminator is called Vector and Timing Correlation (VTC). VTC first samples 8 fiducial points $s_i$, $i = 1, \ldots, 8$ on the current EGM $s$ at pre-defined time instants. Let $s_{m,i}$ be the corresponding points on the template EGM. The correlation is then calculated as [3]

$$\rho_{new} = \frac{\left(8\sum_i s_i s_{m,i} - \left(\sum_i s_i\right)\left(\sum_i s_{m,i}\right)\right)^2}{\left(8\sum_i s_i^2 - \left(\sum_i s_i\right)^2\right)\left(8\sum_i s_{m,i}^2 - \left(\sum_i s_{m,i}\right)^2\right)}$$

Note that $s_m$ is a constant for the purposes of this calculation: it does not change during an execution of VTC. If 3 out of the last 10 calculated correlation values exceed the threshold, then SVT is decided and therapy is withheld.

The system of Fig. 10 implements the VTC discriminator. As before, $t$ is a local clock. $\mu$ accumulates the values of the current EGM, $\alpha$ accumulates the product $s_i s_{m,i}$, $\beta$ accumulates $s_i^2$. State $w$ is an auxiliary state we need to establish the STORMED property. $\vec\nu$ is a 10D binary vector: $\nu_i = -1$ if the $i$th correlation value fell below the threshold, and is $+1$ otherwise. $L_3$ is the state of $H_{TCFI}$: the guard condition $L_3 \le th$ indicates that all its entries have values less than the tachycardia threshold, which is when $H_{VTC}$ starts computing. WindowEnds indicates the 'end' of an EGM, measured as a window around the peak sensed by $H_{Sense}$.

Lemma 5.2. $H_{VTC}$ is STORMED.

Proof. Separability obtains by observing that a uniform minimum time passes between beats and between samples. TISG is immediate. O-minimality is established by observing that all sets and functions are definable in $\mathcal{L}_{exp}$. ED holds because the state space is bounded. We now show monotonicity. The state of the system is $x = (t, \mu, \alpha, \beta, \vec\nu, w)^T \in \mathbb{R}^{4+10+1}$. Let $\phi = (\phi_c, \phi_\mu, \phi_\alpha, \phi_\beta, \phi_1, \ldots, \phi_{10}, \phi_w)^T \in \mathbb{R}^{15}$ be the corresponding vector. For flows in mode CalculateVTC, we seek a $\phi$ and $\varepsilon > 0$ such that $\phi \cdot (t + \tau - t, 0, -\gamma(t + \tau) + \gamma t) = \phi_c \tau + \phi_w(-\gamma\tau) \ge \varepsilon\sqrt{\tau^2 + \gamma^2\tau^2}$, which is equivalent to $\phi_c - \phi_w\gamma \ge \varepsilon\sqrt{1 + \gamma^2}$. Reset monotonicity for resets R1, R2, R3 provides three more constraints on $\phi$ and $\varepsilon$:

$$\text{(R1)}\quad \phi \cdot (-t, -\mu, -\alpha, -\beta, \nu_2 - \nu_1, \nu_3 - \nu_2, \ldots, -1 - \nu_{10}, 1 - w) = -\phi_c t - \phi_\mu\mu - \phi_\alpha\alpha - \phi_\beta\beta + \sum_{i=1}^{10}\phi_i(\nu_{i+1} - \nu_i) + \phi_w(1 - w) \ \overset{\text{Want}}{\ge}\ \zeta$$

$$\text{(R2)}\quad \phi \cdot (t - t, s, s s_m, s^2, \mathbf{0}, 1 - w) = \phi_\mu s + \phi_\alpha s s_m + \phi_\beta s^2 + \phi_w(1 - w) \ \overset{\text{Want}}{\ge}\ \zeta$$

$$\text{(R3)}\quad -\phi_c t - \phi_\mu\mu - \phi_\alpha\alpha - \phi_\beta\beta + \sum_{i=1}^{10}\phi_i(\nu_{i+1} - \nu_i) + \phi_w(1 - w) \ \overset{\text{Want}}{\ge}\ \zeta$$

where $\nu_{11} := -1$ in R1 and $\nu_{11} := 1$ in R3. Combine R1 and R3 by choosing $\phi_1 = \ldots = \phi_{10} = \phi_\mu = \phi_\alpha = \phi_\beta = 0$:

$$\text{(R1,3)}\quad -\phi_c t + \phi_w(1 - w) \ge \zeta$$

$$\text{(R2)}\quad \phi_w(1 - w) \ge \zeta$$

Now note that when a reset occurs, $0 < w \le 1 - \gamma T_s := w_m$, where $T_s$ is the smallest sampling period, and that $t \le 10B$, $B$ = the maximum peak-to-peak interval, so (R2), (R1,3) can be jointly satisfied if $-\phi_c 10B + \phi_w(1 - w_m) \ge \zeta$. The 2 boxed equations can be jointly satisfied.

5.3 Stability discrimination

Stability refers to the variability of the peak-to-peak cycle length. A rhythm with large variability (above a pre-defined threshold) is said to be unstable, and is called stable otherwise. The Stability discriminator is used to distinguish between atrial fibrillation, which is usually unstable, and VT, which is usually stable.

The Stability discriminator shown in Fig. 11 simply calculates the variance of the cycle length over a fixed period called a Duration (measured in seconds). Let $DL \ge 0$ be the Duration length. The events DurationBegins? and DurationEnds? indicate the transitions of a simple system that measures the lapse of one Duration (not shown here). State $t$ is a clock, $L_1$ accumulates the sum of interval lengths (and will be used to compute the average length), $L_2$ accumulates the squares of interval lengths, and $\kappa$ is a counter that counts the number of accumulated beats. $\sigma^2$ is assigned the value of the variance given by $\frac{1}{\kappa}\left[L_2 - L_1^2/\kappa\right]$.
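To make the three discriminators of Sections 5.1, 5.2 and 5.3 concrete, here is an added example, written for this page and not code from the paper or from any device, that implements the $L_3$ shift of eq. (5), the $\rho_{new}$ correlation with its $\mu, \alpha, \beta$ accumulators and 10-entry $\vec\nu$ vector, and the running-sum variance $\frac{1}{\kappa}[L_2 - L_1^2/\kappa]$, then runs them on constructed intervals and EGMs. The thresholds, the `classify` decision order and all sample values are assumptions for illustration, not clinical settings or the algorithm of Fig. 7.

```python
from typing import List

class TCFI:
    """Three Consecutive Fast Intervals (Sec. 5.1): L3 stores the last three intervals."""
    def __init__(self, vt_threshold: float) -> None:
        self.th = vt_threshold
        self.L3 = [float("inf")] * 3   # nothing sensed yet, so no entry counts as fast

    def vevent(self, interval: float) -> None:
        # Eq. (5): L3+ = (z2, z3, t - tp), i.e. shift left and append the newest interval
        self.L3 = [self.L3[1], self.L3[2], interval]

    def all_fast(self) -> bool:
        # the guard "L3 <= th" on which H_VTC leaves IDLE
        return all(z <= self.th for z in self.L3)

def vtc_correlation(s: List[float], sm: List[float]) -> float:
    """rho_new of Sec. 5.2 over 8 fiducial points; the template sm is a constant."""
    assert len(s) == 8 and len(sm) == 8
    mu = alpha = beta = 0.0                 # accumulators mu, alpha, beta of H_VTC
    for si, smi in zip(s, sm):              # one reset R2_i per fiducial point
        mu += si
        alpha += si * smi
        beta += si * si
    sum_m, sum_m2 = sum(sm), sum(x * x for x in sm)
    num = (8 * alpha - mu * sum_m) ** 2
    den = (8 * beta - mu * mu) * (8 * sum_m2 - sum_m * sum_m)
    return num / den if den > 0 else 0.0    # a flat EGM is treated as uncorrelated

class VTC:
    """nu holds +1/-1 for the last 10 correlation values (Circulate(nu, +/-1))."""
    def __init__(self, template: List[float], corr_threshold: float) -> None:
        self.sm, self.th, self.nu = list(template), corr_threshold, [-1] * 10

    def window_ends(self, s: List[float]) -> float:
        rho = vtc_correlation(s, self.sm)
        self.nu = self.nu[1:] + [1 if rho >= self.th else -1]
        return rho

    def correlated(self) -> bool:
        # 3 of the last 10 correlations above threshold: SVT, therapy withheld
        return self.nu.count(1) >= 3

class Stability:
    """Sec. 5.3: running sums L1, L2 and count kappa over one Duration."""
    def __init__(self) -> None:
        self.L1 = self.L2 = 0.0
        self.kappa = 0

    def vevent(self, interval: float) -> None:    # reset taken on VEvent?
        self.L2 += interval * interval
        self.L1 += interval
        self.kappa += 1

    def duration_ends(self) -> float:             # sigma^2 <- (1/kappa)[L2 - L1^2/kappa]
        if self.kappa == 0:                       # no beats accumulated: no variance yet
            return 0.0
        return (self.L2 - self.L1 ** 2 / self.kappa) / self.kappa

def classify(intervals: List[float], egms: List[List[float]], template: List[float],
             vt_th: float = 400.0, corr_th: float = 0.94, stab_th: float = 1000.0) -> str:
    """Simplified reading of Fig. 7 (an assumption, not the device's logic): three fast
    intervals, then correlated or unstable -> SVT, otherwise -> VT."""
    tcfi, vtc, stab = TCFI(vt_th), VTC(template, corr_th), Stability()
    for rr, egm in zip(intervals, egms):
        tcfi.vevent(rr)
        stab.vevent(rr)
        if tcfi.all_fast():                 # H_VTC computes only once L3 <= th holds
            vtc.window_ends(egm)
    if not tcfi.all_fast():
        return "none"
    return "SVT" if vtc.correlated() or stab.duration_ends() > stab_th else "VT"

# Constructed data (not clinical): a template, an affine copy of it, and a different shape.
TEMPLATE = [0.0, 1.0, 4.0, 9.0, 2.0, -3.0, -1.0, 0.0]
SAME_SHAPE = [2 * x + 1 for x in TEMPLATE]
OTHER_SHAPE = [5.0, -2.0, 0.0, 3.0, -4.0, 1.0, 2.0, -1.0]
```

An affine copy of the template gives $\rho_{new} = 1$ exactly, which is why the decision depends on the threshold and the 3-of-10 count rather than on any single window.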

Lemma 5.3. $H_{Stab}$ is STORMED.

The proof is in the Appendix.

Now that each system was shown to be STORMED, it remains to establish that their parallel composition is STORMED. This result does not hold in general; Thm. 6.1 gives conditions under which parallel composition respects the STORMED property. Intuitively, we require that whenever a sub-collection of the systems jumps, the remaining systems that did not jump are separated from all of their respective guards by a uniform distance. This is a requirement that can be shown to hold for our systems by modeling various minimal delays in the systems' operation. We may now state:

[Figure 11: Stability discriminator, modes Idle, Accumulate and Finalize. Flow in every mode: $\dot t = 1$, $\dot L_2 = \dot L_1 = \dot\kappa = \dot\sigma^2 = 0$. Edge DurationBegins? into Accumulate. Accumulate → Accumulate on VEvent?: $t \leftarrow 0$, $L_2 \leftarrow L_2 + t^2$, $L_1 \leftarrow L_1 + t$, $\kappa \leftarrow \kappa + 1$. Accumulate → Finalize on DurationEnds?: $\sigma^2 \leftarrow \frac{1}{\kappa}[L_2 - L_1^2/\kappa]$.]

Theorem 5.1. Consider the collection of systems $H_{CA}$, $H_{ICD} = H_{Sense} \| H_{Detection\text{-}Algo}$ where the latter is the parallel composition of the discriminator systems. This collection satisfies the hypotheses of Thm. 6.1 (Section 6) and therefore the parallel system $H_{CA} \| H_{ICD}$ is STORMED and has a finite bisimulation.

6. COMPOSING STORMED SYSTEMS

The results in this section and the next apply to STORMED systems in general, including those with time-unbounded operation. We write $[m] = \{1, \ldots, m\}$. Given hybrid systems $H_1, \ldots, H_m$ in this section, $x^i, G^i, \theta^i, \ldots$ etc. refer to a state, guard, flow, ... of system $H_i$, $i \le m$. We show that the parallel composition of SHS is still a SHS. Recall that $\theta_\ell(t; x)$ is the flow starting at $(\ell, x)$. Given hybrid systems $H_1, \ldots, H_m$, their parallel composition $H = H_1 \| \ldots \| H_m$ is defined in the usual way: $H.X = \Pi_i X^i$, $H.L = \Pi_i L^i$, $H.H_0 = \Pi_i H^i_0$, $Inv(\ell) = \Pi_i Inv^i(\ell_i)$, $\theta_\ell(x, t) = [\theta^1_{\ell_1}(x^1, t), \ldots, \theta^m_{\ell_m}(x^m, t)]^T$. The system jumps if any of its subsystems jumps, so its guard sets are of the form $A_1 \times \ldots \times A_m$ where for at least one $i$, $A_i$ is a guard of $H_i$, and for the rest $A_j = X^j$. When a guard of a subsystem is satisfied, the state of that subsystem is reset according to its reset map. The guards are made disjoint to avoid non-determinism. A system $H$ is deterministic if to every initial state $(\ell, x)$, $H$ produces a unique trajectory starting there.

In general $H$ is not separable: indeed for any candidate value of $d_{min}$, one could find a transition $(i, j)$ of $H$ due to, say, a jump of $H_1$, s.t. at that moment $x^2$ is closer than $d_{min}$ to one of its own guards, say $G^2_{(j_2, k_2)}$. This causes $H$ to further jump $j \to k$ without having traveled the requisite minimum distance, thus violating the separability of $R_{ij}(G_{ij})$ and $G_{jk}$. Therefore we need to impose an extra condition on minimum separability across sub-systems.

Theorem 6.1. Let $\Sigma_i = (H_i, \mathcal{A}, \phi^i, b^{i,-}, b^{i,+}, d^i_{min}, \varepsilon^i, \zeta^i)$, $i = 1, \ldots, m$ be deterministic SHS defined using the same underlying o-minimal structure, and where each state space $X^i$ is bounded by $B_{X^i}$.

Define parallel composition $\Sigma = (H, \mathcal{A}, \phi, b^-, b^+, d_{min}, \varepsilon, \zeta)$ where $H = H_1 \| \ldots \| H_m$, $\phi = (\phi^1, \ldots, \phi^m)^T \in \mathbb{R}^{mn}$, $b^- = \inf_{x \in X} \phi \cdot x$, $b^+ = \sup_{x \in X} \phi \cdot x$, $\varepsilon = \min\left(\min_i \varepsilon^i, \min_i \frac{\zeta^i}{B_{X^i}}\right)$, $\zeta = \min_i \zeta^i$ and

$$d_{min} = \min_{I \subset [m]}\left(\min_{i \in I} d^i_{min},\ \min_{i \in I,\ j \in [m] \setminus I} d^{ij}_{min}\right)$$

Assume that the following Collection Separability condition holds: for all $i, j \le m$, $i \ne j$, there exists $d^{ij}_{min} > 0$ s.t. if $x \in X$ is in the reachable set of $H$ and $x^i \in G^i_e \wedge x^j \notin G^j_{e'}\ \forall e' \in E^j$, then $d(x^j, G^j_{e'}) > d^{ij}_{min}$ for all $e' \in E^j$, where $E^j$ is the edge set of $\Sigma_j$ and $G^j_{e'}$ is a guard of $\Sigma_j$ on edge $e' \in E^j$. Then $\Sigma$ is STORMED.

Proof. (S) In $H$, let $y = (y^1, \ldots, y^m) = R_e((x^1, \ldots, x^m))$ and assume that it was $H_1$ that caused the jump. Thus $y^j = x^j$, $j > 1$. Write $e = (\ell, \ell')$. By Collection Separability, $d(y^j, G^j_{e_j}) > d^{1j}_{min}$ for all $j > 1$, $e_j \in E^j$, and by separability of $H_1$, $d(y^1, G^1_{e_1}) > d^1_{min}$ for all $e_1 \in E^1$. So $d(y, G_{\ell', \ell''}) > \min(d^1_{min}, \min_{j > 1} d^{1j}_{min}) > d_{min}$ for any guard leading out of $\ell'$, and we have separability. The argument can be repeated for any subset $I \subset [m]$ of systems jumping simultaneously.

(T) The $H$ flow $\theta_\ell(t; x)$ is TISG because the component flows $\theta^i_{\ell_i}(t; x^i)$ are TISG.

(O) The cartesian product of definable sets is definable, so the system $H$ is o-minimal.

(RM) First we show that resets of $H$ are monotonic, then that the flows of $H$ are monotonic. Let $p, q \in L$ be two modes of $H$, $p \ne q$.

Case 1: $H$ jumps $p \to p$. So any subsystem $H_i$ either jumped $p_i \to p_i$ or didn't jump at all. If $x^+ = x^-$, then (RM) is satisfied. Else, define $\phi := (\phi^1, \ldots, \phi^m) \in \mathbb{R}^{n \cdot m}$, where $\phi^i$ is the $\phi$ vector of system $H_i$. Then $\phi \cdot (x^+ - x^-) = \sum_{i \in K} \phi^i \cdot (x^{i,+} - x^{i,-})$, where $K \subset [m]$ is the set of indices of sub-systems that jumped with $x^{i,-} \ne x^{i,+}$. Note that $K$ depends on $x^-, x^+$. For all $x^-, x^+$ pairs (and so for all $K$) $\sum_{i \in K} \zeta^i \ge \min_{i \in [m]} \zeta^i := \zeta > 0$. So by (RM) for each $H_i$,

$$\phi \cdot (x^+ - x^-) = \sum_{i \in K} \phi^i \cdot (x^{i,+} - x^{i,-}) \ge \sum_{i \in K} \zeta^i \ge \zeta > 0$$

Thus (RM) is satisfied.

Case 2: $H$ jumps $p \to q$. At least one sub-system $H_i$ jumped $p_i \to q_i \ne p_i$. Then $\phi \cdot (x^+ - x^-) = \sum_{i \in [m]} \phi^i \cdot (x^{i,+} - x^{i,-}) = \sum_{i \in K} \phi^i \cdot (x^{i,+} - x^{i,-})$, where $K = K_{=} \cup K_{\ne} \subset [m]$, $K_{=}$ is the index set of subsystems that jumped $p_i \to p_i$ with $x^{i,+} \ne x^{i,-}$, and $K_{\ne}$ is the index set of subsystems that jumped $p_i \to q_i \ne p_i$ with $x^{i,+} \ne x^{i,-}$. Subsystems that didn't jump or jumped without changing their continuous state don't contribute to the sum. Note that $K_{=}, K_{\ne}$ depend on $x^-, x^+$. So we have $\phi \cdot (x^+ - x^-) \ge \sum_{i \in K_{\ne}} \varepsilon^i \|x^{i,+} - x^{i,-}\| + \sum_{i \in K_{=}} \zeta^i$.

For all $X^i$, $\|x^{i,+} - x^{i,-}\| \le B_{X^i}$ for all $x^{i,-}, x^{i,+} \in X^i$. Therefore $\zeta^i \frac{\|x^{i,+} - x^{i,-}\|}{B_{X^i}} \le \zeta^i$ for all $i \in K$. So

$$\phi \cdot (x^+ - x^-) \ge \sum_{i \in K_{\ne}} \left(\min_{i \in [m]} \varepsilon^i\right)\|x^{i,+} - x^{i,-}\| + \sum_{i \in K_{=}} \frac{\zeta^i}{B_{X^i}}\|x^{i,+} - x^{i,-}\| \ge \sum_{i \in K_{\ne}} \left(\min_{i \in [m]} \varepsilon^i\right)\|x^{i,+} - x^{i,-}\| + \sum_{i \in K_{=}} \left(\min_{i \in [m]} \frac{\zeta^i}{B_{X^i}}\right)\|x^{i,+} - x^{i,-}\|$$

Let $\varepsilon := \min\left(\min_i \varepsilon^i, \min_i \frac{\zeta^i}{B_{X^i}}\right)$. Then

$$\phi \cdot (x^+ - x^-) \ge \sum_{i \in K} \varepsilon\|x^{i,+} - x^{i,-}\| \ge \varepsilon\|x^+ - x^-\|$$

So $H$ has monotonic resets.

The flows of $H$ are also monotonic along $\phi$. Indeed for any $q \in L$, $\phi \cdot (\theta_q(t + \tau; x) - \theta_q(t; x)) = \sum_{i=1}^m \phi^i \cdot (\theta^i_{q_i}(t + \tau; x^i) - \theta^i_{q_i}(t; x^i)) \ge \sum_i \varepsilon^i \|\theta^i_{q_i}(t + \tau; x^i) - \theta^i_{q_i}(t; x^i)\| \ge \varepsilon\|\theta_q(t + \tau; x) - \theta_q(t; x)\|$.

(ED) By Prop. 2.1.

7. FINITE SIMULATION FOR STORMED SYSTEMS

In general it is not possible to compute the reach sets required in Alg. 1 exactly unless the underlying o-minimal theory is decidable. The $H_{ICD} \| H_{CA}$ closed loop is definable in $\mathcal{L}_{exp}$, and the latter is not known to be decidable. The authors in [21] proposed approximating the flows and resets by polynomial flows and resets in the decidable theory $\mathcal{L}_{\mathbb{R}}$. However, the approximation process is typically iterative and requires manual intervention, or is restricted to subclasses of STORMED systems [21].

Here we show that if an approximate reachability tool with definable over-approximations is available for the continuous dynamics, it can be used in Alg. 1 (instead of exact reachability) to yield a finite simulation (rather than a bisimulation). Intuitively, the additional intersections of approximate reach sets with blocks of $Q/\sim$ do not destroy finiteness of the procedure. Since we only have a simulation, counter-examples on the abstraction should be validated in a CEGAR-like fashion.

Lemma 7.1. Let $\Sigma = (H, \ldots)$ be a SHS and $\sim$ an equivalence relation on $X$. For any mode $\ell$ of $H$, its dynamical sub-system $D$ with state space $X = H.X$ and flow $\theta_\ell$ admits a finite simulation $S_\ell$ that respects $\sim$, returned by Alg. 1.

The proof is in the Appendix. Let $F_t(P) := \cap_{\ell \in L} S_\ell$ where $P = X/\sim$. $F_t$ refines all the $S_\ell$'s, and it is a finite simulation of $H$ by itself w.r.t. the continuous transition $\xrightarrow{\tau}$. It is clear that $F_t(\cdot)$ is idempotent: $F_t(F_t(P)) = F_t(P)$.

Theorem 7.1. Let $H$ be a STORMED hybrid system, and $P$ be a finite definable partition of its state space. Define

$$W_0 = F_t(P), \qquad \forall i \ge 0,\ W_{i+1} = F_t(F_d(W_i)) \qquad (7)$$

Then there exists $U \in \mathbb{N}$ s.t. $W_{U+1} = W_U$ and $F_t(W_U)$ is a simulation of $H$ by itself.

Proof. By Lemma 10 of [27] there exists a uniform bound $U$ on the number of discrete transitions of any execution of the STORMED system $H$, so $F_d(W_k) = W_k$ for all $k \ge U$. Moreover $W_{U+1} = F_t(F_d(W_U)) = F_t(W_U)$ and $W_{U+2} = F_t(F_d(W_{U+1})) = F_t(W_{U+1}) = F_t(F_t(W_U)) = F_t(W_U) = W_{U+1}$, so the iterations reach a fixed point. The fact that $F_t(W_U)$ is a simulation then yields the desired result.

7.1 Example: SpaceEx reachable sets

Lemma 7.1 required that the over-approximation sets $R_t(\{x\})$ be definable for every $x$ and $t$ (see proof). In practice, we need to show that the over-approximation actually computed by the reachability tool (which may not be the full ball $R_t(x)$) is definable. In this section we show that the over-approximations computed by SpaceEx [8] are definable. Given the set $X \subset \mathbb{R}^n$ and finite $V \subset \mathbb{R}^n$, parameter $\lambda \in [0, 1]$, a time step $\delta > 0$, and $(i, j) \in E$, SpaceEx over-approximates $R_{ij}(X)$ by $K(V, X) := R_{ij}(TH_V(X) \cap G_{ij}) \cap Inv(j)$ and $R_{\lambda\delta}(X)$ by [8]:

$$\Omega_\lambda(X, \delta) = (1 - \lambda)X \oplus e^{\delta A}X \oplus \left(\lambda E^+_\Omega(X, \delta) \cap (1 - \lambda)E^-_\Omega(X, \delta)\right) \qquad (8)$$

where $TH_V(X) := \{x \in \mathbb{R}^n \mid \wedge_{\vec a \in V}\ \vec a \cdot x \le \rho(\vec a, X)\}$ is the template hull of $X$ and $\rho$ its support function, $E^+_\Omega = \square(\Phi_2(A^2 X))$, $E^-_\Omega = \square(\Phi_2(A^2 e^{\delta A}X))$, $\oplus$ is the Minkowski sum, and $\square S = [-|x_1|, |x_1|] \times \ldots \times [-|x_n|, |x_n|]$ is the box hull of $S$ with $|x_i| := \max\{|x_i| \text{ s.t. } x = (x_1, \ldots, x_n) \in S\}$.
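As an added example for the definitions above (written for this page; not code from the paper or from SpaceEx), the following builds the template hull $TH_V(X)$ from the support function $\rho(\vec a, X)$ for a 2-D polytope given by its vertices, together with the box hull and the Minkowski sum that appear in (8); the $e^{\delta A}X$ term is left out. The template directions and the triangle are constructed, and the comparison of the box template with the octagonal one shows how the choice of $V$ sets the coarseness of the over-approximation.

```python
from typing import List, Tuple

Point = Tuple[float, float]
HalfSpace = Tuple[Point, float]   # (a, rho): the linear constraint a . x <= rho


def support(a: Point, X: List[Point]) -> float:
    """Support function rho(a, X) = max_{x in X} a . x. For a polytope the maximum is
    attained at a vertex, so X is represented by its vertex list."""
    return max(a[0] * x[0] + a[1] * x[1] for x in X)


def template_hull(X: List[Point], V: List[Point]) -> List[HalfSpace]:
    """TH_V(X): one constraint a . x <= rho(a, X) per template direction a in V.
    Every constraint is linear, hence definable, which is what Theorem 7.2 relies on."""
    return [(a, support(a, X)) for a in V]


def contains(hull: List[HalfSpace], p: Point, tol: float = 1e-9) -> bool:
    """Membership test against the conjunction of half-spaces."""
    return all(a[0] * p[0] + a[1] * p[1] <= r + tol for a, r in hull)


def box_hull(X: List[Point]) -> List[Point]:
    """Box hull [-|x1|,|x1|] x [-|x2|,|x2|] of X, returned by its four corners."""
    m0 = max(abs(x[0]) for x in X)
    m1 = max(abs(x[1]) for x in X)
    return [(-m0, -m1), (m0, -m1), (m0, m1), (-m0, m1)]


def minkowski(X: List[Point], Y: List[Point]) -> List[Point]:
    """Pairwise vertex sums of X (+) Y; a superset of the true vertex set, which is
    harmless for support-function computations."""
    return [(x[0] + y[0], x[1] + y[1]) for x in X for y in Y]


# Constructed example: axis-aligned (box) directions versus the octagonal template.
BOX_DIRS = [(1.0, 0.0), (0.0, 1.0), (-1.0, 0.0), (0.0, -1.0)]
OCT_DIRS = BOX_DIRS + [(1.0, 1.0), (1.0, -1.0), (-1.0, 1.0), (-1.0, -1.0)]
TRIANGLE = [(0.0, 0.0), (2.0, 0.0), (0.0, 2.0)]


def over_approximation_gap(p: Point) -> Tuple[bool, bool]:
    """Whether p lies in the box-template hull and in the octagonal-template hull of
    TRIANGLE; (True, False) means the coarser template over-approximates at p."""
    return (contains(template_hull(TRIANGLE, BOX_DIRS), p),
            contains(template_hull(TRIANGLE, OCT_DIRS), p))
```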

Theorem 7.2. For all definable polytopes $X \subset \mathbb{R}^n$, the sets $K(V, X)$ and $\Omega_\lambda(X, \delta)$ are definable in $\mathcal{L}_{exp}$.

Proof. Let $S, Y \subset \mathbb{R}^n$ be two definable sets in some o-minimal structure $\mathcal{A}$. Let $\lambda \in \mathbb{R}$ and let $A$ be a real matrix. Then the following sets are also definable in $\mathcal{A}$: $\lambda S$, $AS$, $S \cap Y$, $S \oplus Y$, $TH_V(S)$ and $\square S$. Now the result follows by noting that $K(V, X)$ and $\Omega_\lambda(X, \delta)$ are constructed by composing the above definability-preserving operations.

8. CONCLUSION

In this paper, we presented the first formalization of a hybrid system model of the human heart and ICD closed loop and showed that it admits a finite bisimulation, and that definable approximate reachability yields a finite simulation for STORMED systems.

9. REFERENCES

[1] R. Alur, T. A. Henzinger, G. Lafferriere, and G. J. Pappas. Discrete abstractions of hybrid systems. Proceedings of the IEEE, 88(2), 2000.

[2] E. Bartocci, F. Corradini, M. D. Berardini, E. Entcheva, S. Smolka, and R. Grosu. Modeling and simulation of cardiac tissue using hybrid I/O automata. Th. Com. Sci., 410(33), 2009.

[3] Boston Scientific Corporation. The Compass - Technical Guide to Boston Scientific Cardiac Rhythm Management Products. Device Documentation, 2007.

[4] T. Brihaye and C. Michaux. On the expressiveness and decidability of o-minimal hybrid systems. Journal of Complexity, 21(4):447–478, 2005.

[5] F. Cameron, G. Fainekos, D. Maahs, and S. Sankaranarayanan. Towards a verified artificial pancreas: Challenges and solutions for runtime verification. In E. Bartocci and R. Majumdar, editors, Runtime Verification, volume 9333 of Lecture Notes in Computer Science, pages 3–17. Springer International Publishing, 2015.

[6] T. Chen, M. Diciolla, M. Kwiatkowska, and A. Mereacre. Quantitative verification of implantable cardiac pacemakers over hybrid heart models. Information and Computation, 236:87–101, 2014.

[7] D. D. Correa de Sa, N. Thompson, J. Stinnett-Donnelly, P. Znojkiewicz, N. Habel, J. G. Muller, J. H. Bates, J. S. Buzas, and P. S. Spector. Electrogram fractionation. Circ Arrhythm Electrophysiol, 55:909–916, Dec 2011.

[8] G. Frehse, C. Le Guernic, A. Donze, S. Cotton, R. Ray, O. Lebeltel, R. Ripado, A. Girard, T. Dang, and O. Maler. SpaceEx: Scalable verification of hybrid systems. In Proceedings of the 23rd CAV, 2011.

[9] M. R. Gold et al. Prospective comparison of discrimination algorithms to prevent inappropriate ICD therapy: Primary results of the Rhythm ID Going Head to Head Trial. Heart Rhythm, 9(3):370–377, 2012.

[10] R. Grosu, S. A. Smolka, F. Corradini, A. Wasilewska, E. Entcheva, and E. Bartocci. Learning and detecting emergent behavior in networks of cardiac myocytes. Commun. ACM, 52(3):97–105, Mar. 2009.

[11] R. Hood. The EP Lab. Accessed 10/20/2015.

[12] Z. Huang, C. Fan, A. Mereacre, S. Mitra, and M. Kwiatkowska. Invariant verification of nonlinear hybrid automata networks of cardiac cells. In A. Biere and R. Bloem, editors, CAV. 2014.

[13] M. A. Islam, A. Murthy, A. Girard, S. A. Smolka, and R. Grosu. Compositionality results for cardiac cell dynamics. HSCC, 2014.

[14] Z. Jiang, M. Pajic, S. Moarref, R. Alur, and R. Mangharam. Modeling and Verification of a Dual Chamber Implantable Pacemaker. Tools and Algorithms for the Construction and Analysis of Systems, 7214:188–203, 2012.

[15] R. Klabunde. Cardiovascular electrophysiology concepts. Lippincott-Williams, 2 edition, 2011.

[16] S. Kong, S. Gao, W. Chen, and E. Clarke. dReach: delta-reachability analysis for hybrid systems. In C. Baier and C. Tinelli, editors, TACAS, volume 9035 of Lecture Notes in Computer Science. 2015.

[17] G. Lafferriere, G. J. Pappas, and S. Sastry. O-minimal hybrid systems. Mathematics of Control, Signals and Systems, 13(1):1–21, 2000.

[18] D. Mery and N. K. Singh. Pacemaker's Functional Behaviors in Event-B. Research report, INRIA, 2009.

[19] A. J. Moss et al. Reduction in inappropriate therapy and mortality through ICD programming. New England Journal of Medicine, 367(24):2275–2283, 2012.

[20] M. Pajic, Z. Jiang, I. Lee, O. Sokolsky, and R. Mangharam. Safety-critical medical device development using the UPP2SF model translation tool. ACM Trans. Embed. Comput. Syst., 13(4), 2014.

[21] P. Prabhakar, V. Vladimerou, M. Viswanathan, and G. E. Dullerud. Verifying tolerant systems using polynomial approximations. In RTSS, 2009.

[22] M. Rosenqvist, T. Beyer, M. Block, K. Dulk, J. Minten, and F. Lindemans. Adverse Events with Transvenous Implantable Cardioverter-Defibrillators: A Prospective Multi-center Study. Circulation, 1998.

[23] P. S. Spector. Visible EP. Accessed 10/20/2015.

[24] P. S. Spector, N. Habel, B. E. Sobel, and J. H. Bates. Emergence of complex behavior: An interactive model of cardiac excitation provides a powerful tool for understanding electric propagation. Circulation: Arrhythmia and Electrophysiology, 4(4):586–591, 2011.

[25] P. Tabuada. Verification and Control of Hybrid Systems. Springer, 2008.

[26] K. Ten Tusscher, R. Hren, and A. V. Panfilov. Organization of ventricular fibrillation in the human heart. Circulation Research, 100(12):87–101, 2007.

[27] V. Vladimerou, P. Prabhakar, M. Viswanathan, and G. Dullerud. STORMED hybrid systems. In Automata, Languages and Programming. 2008.

APPENDIX

Proof of Lemma 5.3.

Proof. We show the resets are monotonic; the other properties are immediate. The state is $x = (t, L_2, L_1, \kappa, \sigma^2)^T$. The self-transition ACCUMULATE → ACCUMULATE is initiated by VEvent (ventricular peak). At reset time, $0 \le t \le DL$, we have that $\phi \cdot (0 - t, t^2, t, 1, 0)^T \ge -\phi_1 DL + \phi_4 \overset{\text{Want}}{\ge} \zeta$.

The transition ACCUMULATE → FINALIZE, initiated at the end of Duration, saves the value of the variance in $\sigma^2$. This reset produces the constraint $\phi_5\left((L_2 - L_1^2/\kappa)/\kappa\right) \ge \varepsilon\left|(L_2 - L_1^2/\kappa)/\kappa\right|$. But the quantity in absolute value is itself a variance and so is positive, therefore the constraint is simply $\phi_5 \ge \varepsilon$, compatible with the previous inequality.

Proof of Lemma 7.1.

Proof. This follows the lines of the elegant proof of [4] as formulated in [25] and generalizes it to set-valued maps. (The fact that using an approximate Post operator yields a simulation is a special case of a more general result on transition systems, but we prove it here for completeness. Also note that this result holds for o-minimal systems [17] generally, not just STORMED systems.)

First observe that using approximate reachability on a system $H$ is tantamount to replacing $H$ with a system $H_\varepsilon$ whose flows and reset maps are set-valued $\varepsilon$ over-approximations of the flows and resets of $H$ (but is otherwise unchanged). Therefore define the dynamical system $D_\varepsilon$ with state space $X$ and whose flow $\Theta : \mathbb{R} \times \mathbb{R}^n \to 2^{\mathbb{R}^n}$ is a set-valued $\varepsilon$ over-approximation of $\theta_\ell$: $\Theta(t; x) = \{y \in \mathbb{R}^n \mid \|y - \theta(t; x)\|_2 \le \varepsilon\}$. Let $\mathcal{P} := X/\sim$ be the partition induced by $\sim$. It follows from the definability of $\theta$ and $\|\cdot\|_2$ that $\Theta$ is definable. Given $P \in \mathcal{P}$, let $Z(P) = \Theta^{-1}(P) := \{(x, t) \mid \Theta(x, t) \cap P \ne \emptyset\}$. Then $Z(P)$ is definable because $P$ and $\Theta$ are definable. Let $Z_x(P) = \{t \mid (x, t) \in Z(P)\} \subset \mathbb{R}$ be the fiber of $Z$ over $x$. The number of connected components of $Z_x(P)$ equals the number of times that $\Theta(x, t)$ intersects $P$. Now it follows from [25] Thm. 7.11 that there exists a uniform upper bound on the number of connected components of $Z_x(P)$, independent of $x$. Let that bound be $V_P$. Thus $\Theta(x, t)$ visits $P$ at the most $V_P$ times, regardless of $x$. Since there is a finite number of blocks $P \in \mathcal{P}$, then $\Theta(x, t)$ visits any block $P$ a maximum of $V := \max_P(V_P)$ times.

Thus we can associate to each $x \in X$ a finite number of finite strings $q(x) = (\ell_1, \ell_2, \ldots, \ell_{i-1}, \hat\ell_i, \ell_{i+1}, \ldots, \ell_s)$, where $\ell_i, \hat\ell_i \in \mathcal{P}$. Each $q(x)$ gives the sequence of blocks that $\Theta(x, t)$ visits (with repetition), and in which $\hat\ell_i$ is the block containing $x$. There may be more than one such string because the set $\Theta(x, t)$ might intersect more than one block of $\mathcal{P}$ at a time. The length of $q(x)$ is thus uniformly upper-bounded by $V \cdot |\mathcal{P}|$, so there's a finite number of different strings $q(x)$. Let $Q(x)$ be the set of such strings associated to $x$, and let $Q = \cup_x Q(x)$. Then $Q$ is the state space of the finite transition system $K = (Q, \{*\}, \longrightarrow, Q_0)$ whose transition relation is

• $\ell_1 \ldots \hat\ell_i \ldots \ell_s \xrightarrow{*} \ell_1 \ldots \hat\ell_{i+1} \ldots \ell_s$

• $\ell_1 \ldots \ell_{s-1} \hat\ell_s \xrightarrow{*} \ell_1 \ldots \ell_{s-1} \hat\ell_s$

It is clear that $K$ is non-deterministic and simulates $D$ but is not a bisimulation because of the over-approximation produced by $\Theta$.