Medical device systems are a prime example of cyber-physical systems, featuring complex and close interaction of sophisticated treatment algorithms with the physical aspects of the system, and especially the patient whose safety is of the utmost concern. As such systems become increasingly complex, interconnected, and interoperating, the major challenge is how to ensure and improve the safety, security, and reliability of medical device cyber-physical systems.  

A report by NCO/NITRD on High-Confidence Medical Devices concludes the need for rationally designed high-confidence medical device cyber-physical systems for 21st century health care. In particular, the rapidly increasing use of software to control and interconnect medical devices makes the development and production of medical device software and systems a crucial issue, both for the U.S. economy and to ensure safe advances in health care delivery. This finding is in line with the conclusion of the report by the U.S. National Academy of Science on software for dependable systems that new techniques and methods are needed to build future software systems that meet dependability requirements for safety-critical systems.  

The following four observations motivate the project:

  1. there is a frequent need in clinical practice to assemble existing medical devices into new system configurations to match the need of patients with special circumstances--something not possible with today's stand alone devices,
  2. the introduction of network interfaces in medical devices and advances in medical device interoperability are likely to make it possible in the near future,
  3. there is a need to "close the loop" and enable feedback about the condition of the patient to the devices delivering therapy, and
  4. there is no procedure to reason about safety of these dynamically created systems. Based on these observations, we propose a new development paradigm that enables the effective design and implementation of medical device cyber-physical systems (MDCPS) while at the improving patient safety.

The central concept of the paradigm is the clinical scenario, a formal description of the architecture of the medical devices, interconnections, and personnel needed to execute the scenario as well as a description of the scenario workflow. To enable composition, evaluation, and assurance of safe and effective operation of a new clinical scenario, we aim to address the following fundamental challenges:  

Foundations for MDCPS development. Foundational challenges include (1) Distributed control and sensing in networked medical device systems for physiological closed-loop treatment; (2) Patient modeling; (3) Modeling of caregiver mental models, and (4) Modeling of operational procedures for medical device systems.

High-confidence MDCPS software development. To enable safe and effective composition based on clinical scenarios, the individual devices must be trusted; we will enable our high confidence device development by integrating formal model-based and component-based development.

MDCPS validation and certification. We will study collection of evidence for system safety arguments from all phases of the system development, including novel verification and validation techniques, as well as from extensive evaluation of our case studies in a clinical setting. We will also study quantification of trust in the collected evidence, and construction of assurance cases based on probabilistic reasoning.

Education of the next generation MDCPS engineers. Through a novel curriculum based around systems thinking and aggressive outreach and recruiting efforts, we aim to lay the foundation for the next generation of MDCPS engineers.

We have assembled a highly qualified, multidisciplinary, multi-institutional team with deep and complementary expertise from CIMIT/MGH, University of Pennsylvania Health System, University of Minnesota, and University of Pennsylvania.

We expect the project to have significant impact on the society at large. Novel design methods and certification techniques will significantly improve patient safety. The introduction of closed-loop scenarios in the clinical practice will reduce the burden that caregivers are currently facing and has the potential of reducing the overall costs of health care. Last but not least, our educational efforts and outreach activities will increase awareness of careers in the MDCPS area and help attract women and under-represented minorities to the field.

The project is supported by the NSF CPS program under the grant CNS-1035715. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the project team and do not necessarily reflect the views of the National Science Foundation.


Model-Driven Safety Analysis of Closed-Loop Medical Systems: We studied the safety of a medical device system for the physiologic closed-loop control of drug infusion. The main contribution is the verification approach for the safety properties of closed-loop medical device systems. We demonstrated, using a case study, that the approach can be applied to a system of clinical importance. Our method combines simulation-based analysis of a detailed model of the system that contains continuous patient dynamics with model checking of a more abstract timed automata model. We show that the relationship between the two models preserves the crucial aspect of the timing behavior that ensures the conservativeness of the safety analysis. We also describe system design that can provide open-loop safety under network failure. [link]

Safety-Assured Development of the GPCA Infusion Pump Software: We developed a safety-assured implementation of Patient-Controlled Analgesic (PCA) infusion pump software based on the generic PCA reference model provided by the U.S. Food and Drug Administration (FDA). The reference model was first translated into a network of timed automata. Its safety properties were then verified according to the set of generic safety requirements also provided by the FDA. Once the safety of the reference model was established, we automatically generated platform-independent code as its preliminary implementation. The code was then equipped with auxiliary facilities to interface with pump hardware and deployed onto a commercial PCA pump platform. Experiments show that the code worked correctly and effectively with the real pump. To validate the implementation with respect to the safety requirements, we also developed a testbed to check the consistency between the reference model and the code through conformance testing. Joint work with Paul Jones, Yi Zhang, and Raoul Jetley at the FDA. [link]

Smart Alarms: Multivariate Medical Alarm Integration for Post CABG Surgery Patients: We developed an algorithm that considers multiple vital signs when monitoring a post coronary artery bypass graft (post-CABG) surgery patient. The algorithm employs a Fuzzy Expert System to mimic the decision processes of nurses. In addition, it includes a Clinical Decision Support tool that uses Bayesian theory to display the possible CABG-related complications the patient might be undergoing at any point in time, as well as the most relevant risk factors. As a result, this multivariate approach decreases clinical alarms by an average of 59% with a standard deviation of 17% (sample of 32 patients, 1,451 hours of vital sign data). [link]