Article

The Challenges of High-Confidence Medical Device Software


Abstract

Bringing new safety-critical medical devices to market faces several major challenges, but modeling and formal methods can facilitate this process from early system requirements verification to platform-level testing to late-stage clinical trials.

... Closed-loop medical devices are life-critical and in a feedback loop with the organ they affect. The software works autonomously but needs to give confidence in its ability to work correctly [6]. Certification in the form of validation and verification is imperative [7]. ...
... Software in pacemakers and defibrillators often has 80,000-100,000 lines of code, and it is estimated that 10,000 implanted defibrillators are installed monthly in the US, taking the predicted number of implants in 2019 to over 1 million [6]. It is essential to secure these implanted devices, as they can potentially put a patient in a life-endangering situation. ...
Thesis
Increased medical device complexity gives rise to more design errors found in the software of these devices and higher recalls and dangers to patients using such devices. This paper looks at an epilepsy optrode designed and created by the Controlling Abnormal Network Dynamics using Optogenetics (CANDO) team and a conducted formal verification on the device. A formal specification was made based on a verification model created in VDM from source code given. Formal proofs were completed to show correctness of generated Proof Obligations from Overture based on the formal model. Of 190 proof obligations, 144 were shown to be correct while 3 were shown to have the same counter example. Many of these proofs demonstrated issues with the Overture proof obligation tool. In the original source code, some design errors were discovered such as uncalled states, erroneous transitions and lack of termination of the finite state machine (FSM) loop.
... A model of a pacemaker is described in papers [16, 19, 22, ...]. Other authors apply model verification [15, 16, 18, 19, 22, 36, 38-42, 44, 46, 48-52, 54-57, 59, 61-67] and model validation [16, 38, 47, 58, 59, 66, 68, 69]. The pacemaker software is validated in papers [22, 47, 56, 59, 65], while papers [18, 34, 43, 44, 47, 56, 66, 70] contribute to developing a new step that consists in translating the model into machine code. The infusion pump case study is modelled [20, 21, ...], verified [20, 21, 71, 73-82, 84, 86, 87, 90, 91, 95-97, 101-104] and validated [71-73, 78, 83, 88, 92, 103, 105] by using different tools and languages. ...
Article
The use of formal methods is often recommended to guarantee the provision of necessary services and to assess the correctness of critical properties, such as functional safety, cybersecurity, and reliability, in medical and health care devices. In the past, several formal and rigorous methods have been proposed and consequently applied for trustworthy development of medical software and systems. In this paper, we perform a systematic literature review on the available state of the art in this domain. We collect the relevant literature on the use of formal methods for modeling, design, development, verification, and validation of software-intensive medical systems. We apply standard systematic literature review techniques and run several queries in well-known repositories to obtain information that can be useful for people who are either already working in this field or planning to start. Our study covers both quantitative and qualitative aspects of the subject.
... Timed Automata (TA) [16] and linear Hybrid Automata (HA) models [1] of cells have been developed by University of Pennsylvania researchers, and they have combined these models with TA-based path models. These models primarily target formal verification [1, 14, 16]. In contrast, the Stonybrook [23] cell model is based on HA and provides excellent dynamic response. ...
... While the paper focused on validating the cardiac pacemaker, our work using the idea of smooth tokens enables emulation of diverse CPS, especially those comprising many interacting concurrent components. Our work can aid emulation of other types of human organs, such as the gastrointestinal system (GI system), the motor cortex, and the artificial pancreas [14]. Related examples in other CPS applications may include autonomous vehicles with specific algorithms for car following or an airport baggage handling system involving a complex network of conveyors and bag routing algorithms. ...
Article
Models of the cardiac conduction system are usually at two extremes: (1) high fidelity models with excellent precision but lacking a real-time response for emulation (hardware in the loop simulation); or (2) models amenable for emulation, but that do not exhibit appropriate dynamic response, which is necessary for arrhythmia susceptibility. We introduce two abstractions to remedy the situation. The first abstraction is a new cell model, which is a semi-linear hybrid automata. The proposed model is as computationally efficient as current state-of-the-art cell models amenable for emulation. Yet, unlike these models, it is also able to capture the dynamic response of the cardiac cell like the higher-fidelity models. The second abstraction is the use of smooth-tokens to develop a new path model, connecting cells, which is efficient in terms of memory consumption. Moreover, the memory requirements of the path model can be statically bounded and are invariant to the emulation step size. Results show that the proposed semi-linear abstraction for the cell reduces the execution time by up to 44%. Furthermore, the smooth-tokens based path model reduces the memory consumption by 40 times when compared to existing path models. This paves the way for the emulation of complex cardiac conduction systems, using hardware code-generators.
... presented an end-to-end model-based approach to medical device software development for an infusion pump [9]. Jiang et al. presented a model-based verification of a cardiac pacemaker as an example of a closed-loop device [10]. ...
... Recently, emerging computer models enable early verification of implantable device software, such as the timed-automata-based EP heart model developed by researchers at the University of Pennsylvania. Timed automata are a mathematical technique that explores all potential executions of the heart model and device software against specified requirements (Jiang, Abbas, Jang, and Mangharam, 2016). This paper identifies who is responsible for certifying and regulating software-based medical devices; it also discusses the software verification and validation process. ...
Technical Report
Medical device software flaws potentially pose high risks to patients. Medical device software has to be controlled and validated through formal bodies or organisations. Software engineering methodologies and processes must be utilised in order to guarantee the safety of medical device software. These methodologies and processes must consider the life-cycle development models, software development plans, potential hazards, risk analysis, and software verification and validation processes. This paper identifies the regulatory bodies that certify and control medical device software in the EU and US regions. The paper also discusses the regulatory requirements set by these bodies and the process of certifying medical device software.
Chapter
Quality is a major concern in Medical Device Manufacturing (MDM). Conformance with prevailing regulatory standards is of profound importance in MDM. Due to the critical nature and dependability requirements of the domain, development of Workflow Management Information Systems (WMIS) that truly depict the domain concepts along with the associated quality and regulatory parameters can be a challenging task. A Medical Device (MD) is not considered acceptable unless documented conformance evidence is provided which supports the adequacy of the medical product for its intended purpose. Therefore, WMIS for these manufacturing setups must provide an argumentative linkage between the development processes and the corresponding regulatory requirements. In this paper, we propose a UML Profile Architecture for the development of WMIS for medical device manufacturing setups. A case study from the MD industry is included to discuss the benefit and applicability of the proposed methodology in detail.
Article
Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent has come to determine the safety of the human being. For example, implantable cardiac pacemakers have over 80,000 lines of code which are responsible for maintaining the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools to generate verified code from verified software models. To this effect, we have developed the UPP2SF model-translation tool, which facilitates automatic conversion of verified models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion, applicable to a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and then (c) automatically generated into modular code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF may be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.
Conference Paper
Healthcare costs in the US are among the highest in the world. Widespread chronic diseases such as diabetes constitute a significant cause of rising healthcare costs. Despite the increased need for smart healthcare systems that monitor patients' body balance, there is no coherent theory that facilitates the design and optimization of efficient and robust cyber-physical systems. In this paper, we propose a mathematical model for capturing the dynamics of blood glucose characteristics (e.g., time-dependent fractal behavior) observed in real-world measurements via fractional calculus concepts. Building on our time-dependent fractal model, we propose a novel mathematical model as well as a hardware architecture for an artificial pancreas that relies on solving a constrained multi-fractal optimal control problem for regulating insulin injection. We verify the accuracy of our mathematical model by comparing it to conventional non-fractal models using real-world measurements and showing that the nonlinear optimal controller based on fractal calculus concepts is superior to non-fractal controllers. We also verified the feasibility of in silico realization of the proposed optimal control algorithm by prototyping it on an FPGA platform.
Conference Paper
Managing cardiac disease and abnormal heart rate variability remain challenging problems with an enormous economic and psychological impact worldwide. Consequently, the purpose of this paper is to introduce a fractal approach to pacemaker design based on the constrained finite horizon optimal control problem. This is achieved by modeling the heart rate dynamics via fractional differential equations. Also, by using calculus of variations, we show that the constrained finite horizon optimal control problem can be reduced to solving a linear system. Finally, we discuss the hardware complexity involved in the practical implementation of fractal controllers.
Keywords: cyber-physical systems, fractional calculus, optimal control, model predictive control, fractal behavior, non-stationary behavior, heart rate variability.
Article
The design of bug-free and safe medical device software is challenging, especially in complex implantable devices that control and actuate organs in unanticipated contexts. Safety recalls of pacemakers and implantable cardioverter defibrillators between 1990 and 2000 affected over 600 000 devices. Of these, 200 000 or 41% were due to firmware issues and their effect continues to increase in frequency. There is currently no formal methodology or open experimental platform to test and verify the correct operation of medical device software within the closed-loop context of the patient. To this effect, a real-time virtual heart model (VHM) has been developed to model the electrophysiological operation of the functioning and malfunctioning (i.e., during arrhythmia) heart. By extracting the timing properties of the heart and pacemaker device, we present a methodology to construct a timed-automata model for functional and formal testing and verification of the closed-loop system. The VHM's capability of generating clinically relevant response has been validated for a variety of common arrhythmias. Based on a set of requirements, we describe a closed-loop testing environment that allows for interactive and physiologically relevant model-based test generation for basic pacemaker device operations such as maintaining the heart rate, atrial-ventricle synchrony, and complex conditions such as pacemaker-mediated tachycardia. This system is a step toward a testing and verification approach for medical cyber-physical systems with the patient in the loop.
Article
Patients with reduced left ventricular function after myocardial infarction are at risk for life-threatening ventricular arrhythmias. This randomized trial was designed to evaluate the effect of an implantable defibrillator on survival in such patients. Over the course of four years, we enrolled 1232 patients with a prior myocardial infarction and a left ventricular ejection fraction of 0.30 or less. Patients were randomly assigned in a 3:2 ratio to receive an implantable defibrillator (742 patients) or conventional medical therapy (490 patients). Invasive electrophysiological testing for risk stratification was not required. Death from any cause was the end point. The clinical characteristics at base line and the prevalence of medication use at the time of the last follow-up visit were similar in the two treatment groups. During an average follow-up of 20 months, the mortality rates were 19.8 percent in the conventional-therapy group and 14.2 percent in the defibrillator group. The hazard ratio for the risk of death from any cause in the defibrillator group as compared with the conventional-therapy group was 0.69 (95 percent confidence interval, 0.51 to 0.93; P=0.016). The effect of defibrillator therapy on survival was similar in subgroup analyses stratified according to age, sex, ejection fraction, New York Heart Association class, and the QRS interval. In patients with a prior myocardial infarction and advanced left ventricular dysfunction, prophylactic implantation of a defibrillator improves survival and should be considered as a recommended therapy.
Book
This book on modelling the electrical activity of the heart is an attempt to describe continuum based modelling of cardiac electrical activity from the cell level to the body surface (the forward problem), and back again (the inverse problem). Background anatomy and physiology is covered briefly to provide a suitable context for understanding the detailed modelling that is presented herein. The questions of what is mathematical modelling and why one would want to use mathematical modelling are addressed to give some perspective to the philosophy behind our approach. Our view of mathematical modelling is broad - it is not simply about obtaining a solution to a set of mathematical equations, but includes some material on aspects such as experimental and clinical validation. © 2005 by World Scientific Publishing Co. Pte. Ltd. All rights reserved.
Article
Modern cardiovascular research has increasingly recognized that heart models and simulation can help interpret an array of experimental data and dissect important mechanisms and interrelationships, with developments rooted in the iterative interaction between modeling and experimentation. This article reviews the progress made in simulating cardiac electrical behavior at the level of the organ and, specifically, in the development of models of ventricular arrhythmias and fibrillation, as well as their termination (defibrillation). The ability to construct multiscale models of ventricular arrhythmias, representing integrative behavior from the molecule to the entire organ, has enabled mechanistic inquiry into the dynamics of ventricular arrhythmias in the diseased myocardium, in understanding drug-induced proarrhythmia, and in the development of new modalities for defibrillation, to name a few. In this article, we also review the initial use of ventricular models of arrhythmia in personalized diagnosis, treatment planning, and prevention of sudden cardiac death. Implementing individualized cardiac simulations at the patient bedside is poised to become one of the most thrilling examples of computational science and engineering approaches in translational medicine. For further resources related to this article, please visit the WIREs website. Conflict of interest: The authors have declared no conflicts of interest for this article.