
Prof. Rahul Mangharam
Director, Real-Time & Embedded Systems Lab
Dept. Electrical & Systems Engineering
Dept. Computer & Information Science
University of Pennsylvania
rahulm@seas.upenn.edu

1990-2000: 600,000 cardiac devices recalled; 41% of recalls due to software issues.
2008-12: 15% of all medical device recalls (Class I, II & III) due to software.

[Figure: three scenarios (Scenario 1, 2, 3) of the heart interacting with the pacemaker. Each panel plots Vout against Time with the Refractory interval marked, shows the node timing states Rest, ERP, RRP, Rest, and labels the node and path elements of the heart model. The heart model is built from Node automata and Path automata.]

Pacemaker Model: Basic Dual Chamber timing cycles

Five basic timing cycles:
AVI: Atrioventricular Interval
PVARP: Postventricular Atrial Refractory Period
VRP: Ventricular Refractory Period
LRI: Lower Rate Interval
URI: Upper Rate Interval
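As an added example (not from the slides and not the UPenn pacemaker model), a discrete-time C model of how these five cycles interact in a dual-chamber pacemaker: LRI and AVI decide when to pace, URI holds back a ventricular pace that would come too early, and PVARP/VRP blank senses. The interval values and the atrial-sense trace are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
/* The five DDD timing cycles in ms; constructed values, not the slides'. */
#define TAVI 150    /* Atrioventricular Interval */
#define TLRI 1000   /* Lower Rate Interval */
#define TURI 500    /* Upper Rate Interval */
#define TPVARP 100  /* Postventricular Atrial Refractory Period */
#define TVRP 150    /* Ventricular Refractory Period */
enum { EV_AS = 1, EV_VS = 2, EV_AP = 4, EV_VP = 8 }; /* sensed/paced events */
typedef struct {
    int last_v;       /* time of the last ventricular event, sensed or paced */
    int last_a;       /* time of the last atrial event, sensed or paced */
    bool a_pending;   /* atrial event seen, AVI running, no V event yet */
} pm_state;

/* One 1 ms step; returns a bitmask of the events recognised or delivered. */
static int pm_step(pm_state *s, int t, bool a_sense, bool v_sense) {
    int ev = 0;
    /* VRP: a ventricular sense inside the refractory period is ignored */
    if (v_sense && t - s->last_v >= TVRP) {
        s->last_v = t; s->a_pending = false; ev |= EV_VS;
    }
    /* PVARP: atrial senses too soon after a V event, or during AVI, are ignored */
    if (a_sense && !s->a_pending && t - s->last_v >= TPVARP) {
        s->last_a = t; s->a_pending = true; ev |= EV_AS;
    }
    /* LRI: no atrial event within LRI-AVI of the last V event -> atrial pace */
    if (!s->a_pending && t - s->last_v >= TLRI - TAVI) {
        s->last_a = t; s->a_pending = true; ev |= EV_AP;
    }
    /* AVI: no V event within AVI of the atrial event -> ventricular pace,
     * unless URI forbids a V event this close to the previous one */
    if (s->a_pending && t - s->last_a >= TAVI && t - s->last_v >= TURI) {
        s->last_v = t; s->a_pending = false; ev |= EV_VP;
    }
    return ev;
}

/* Constructed heart trace: atrial senses every a_period ms (0 = none) and no
 * intrinsic ventricular beats. Returns the time of the idx-th VP, or -1. */
static int nth_vp_time(int a_period, int idx, int horizon) {
    pm_state s = { 0, 0, false };
    for (int t = 1, n = 0; t <= horizon; t++) {
        bool a = a_period > 0 && t % a_period == 0;
        if ((pm_step(&s, t, a, false) & EV_VP) && n++ == idx) return t;
    }
    return -1;
}

int main(void) { printf("first VP at %d ms (LRI); URI-limited VP interval %d ms\n",
    nth_vp_time(0, 0, 2500), nth_vp_time(300, 1, 2500) - nth_vp_time(300, 0, 2500)); return 0; }
```

With no intrinsic activity the ventricles are paced every LRI; with atrial senses every 300 ms the ventricular paces are spaced by URI, not by AVI after each sense.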

The UPPAAL model of the closed-loop system

[Figure: verification loop. The Physician supplies Physiological requirements. The Model Checker checks the Pacemaker model against a chain of Heart abstractions H0, H1, H2, H3, H4 (Abstraction in one direction, Refinement in the other). Decision nodes: Valid? (No: Bug found), Ambiguous? (Counterexamples are examined against the Simulink model), Safe? (Yes: System Safe; No: Bug found).]

MBD Toolchain: UPP2SF Model translation

The goal is to integrate property checking, system modeling, verification, model-based WCET analysis, simulation, code generation and platform testing.

[Figure: toolchain flow. UPPAAL model (verification, property checking) -> UPP2SF -> Stateflow model (Simulink simulation) -> RTWEC -> C/C++ Code, or -> HDL Coder -> VHDL/Verilog Code; generated code goes to platform testing.]

Pacemaker Case Study: Extracted Stateflow Model of the Closed-loop System

[Figure: Stateflow chart with the parallel states AVI, LRI, URI, PVARP, VRP and Eng.]

Generated C Code

Code generated by RTWEC from the Stateflow chart. The parallel states are encoded in the bit-field struct bitsForTID0 (Listing 1); each step dispatches the active input events to the chart function (Listing 2), which runs every parallel state's transition check (Listings 3 and 4); temporal events are broadcast the same way (Listing 5). Listings 2, 3 and 4 are pseudocode.

Listing 1. bitsForTID0 definition

```c
struct {
  uint_T is_AVI:3;
  uint_T is_LRI:2;
  uint_T is_PVARP:2;
  uint_T is_VRP:2;
  uint_T is_URI:2;
  uint_T is_active_AVI:1;
  uint_T is_active_LRI:1;
  uint_T is_active_PVARP:1;
  uint_T is_active_VRP:1;
  uint_T is_active_URI:1;
  uint_T is_active_Eng:1;
  uint_T is_Eng:1;
  uint_T URI_ex:1;
} bitsForTID0;
```

Listing 2. Rt_OneStep procedure

```c
detect active inputs;
for each of the input events {
  if EventName is active {
    sf_previousEvent = _sfEvent_;
    _sfEvent_ = EventName;
    c1_ChartName();
    _sfEvent_ = sf_previousEvent;
  }
}
update the outputs;
update the input events' states;
```

Listing 3. c1_ChartName() procedure

```c
increase counters for _sfEvent_;
for each parallel state {
  processState();
}
```

Listing 4. processState() procedure

```c
if (rtDWork.bitsForTID0.is_active_NAME != 0) {
  switch (rtDWork.bitsForTID0.is_NAME) {
  case SubStateName1:
    /* the loop below is checkTrans(); */
    for all transitions in execution order {
      if transition enabled {
        execute transition actions;
        reset corresponding temporal counters;
        update rtDWork.bitsForTID0.is_NAME;
        break;  /* leave the for loop */
      }
    }
    break;
  case SubStateName2:
    checkTrans();
    break;
  ...
  default:
    rtDWork.bitsForTID0.is_NAME = NoActiveChild;
    break;
  }
}
```

Listing 5. broadcast_tt() procedure

```c
static void broadcast_tt(void) {
  int16_T sf_previousEvent;
  sf_previousEvent = _sfEvent_;
  _sfEvent_ = event_tt;
  c1_ChartName();
  _sfEvent_ = sf_previousEvent;
}
```


Heart Model Assembly (Heart -> Model)
HDL Generation (Model -> Code)
FPGA Synthesis (Code -> Hardware)


Pacemaker Verification System

Winner, World Embedded Software Competition, Korea 2012
Winner, SEAS Senior Design 2012

Let our heart catch bugs before your heart does.

[Figure: summary of the approach. Logic Verification: nondeterministic Logic Models of the Heart and Pacemaker. Interpolation. Software Testing: deterministic VHM, through HDL Coder, to a Platform Implementation (Heart-on-Chip). Automatic Model Translation: Stateflow Chart, through Simulink Real-time Workshop, to a C Code implementation.]

Published in: IEEE ECRTS10, EMBC10, Proceedings of IEEE11, ICCPS11, EMBC11, TACAS12, RTAS12, STTT13, BMES14, Frontiers of EDA15

From Patient-specific data to Patient-specific models for Closed-loop Device Certification

Model-based Clinical Trials

[Figure: pipeline. Physiological Monitors for Model Training, together with Tools for Clinical Data Capture and Annotation from multiple devices, produce Real Patient-Specific Heart Models (H1, H2, H3). Timing Constraints for Heart Conditions 1 to N are perturbed within constraints to Generate Synthetic Heart Models, forming a Synthetic Heart Model Library (H4 ... Hn). The library feeds Closed-loop Device Testing of the Implantable Cardiac Device and Complete Population/Parameter Analysis.]

Integrated Functional and Formal Physiological Modeling Framework
Model Translation tools for Simulation-based Training, Tuning and Testing
Platforms and Tools for Automated Closed-loop Device Testing
Analytical Tool-chain for Population-based Device Safety Analysis

NSF Frontiers CyberHeart, $4.2M, starting May 2015 (2015-2020).
