CHAPTER 3. DEVELOPMENT
3.1 ANALYSIS AND RATIONALIZATION
3.1.1 DATABASE IMPLEMENTATION
To ensure robustness of protocol-driven behaviors, we integrate hybrid system behavior models with physiological models in closed-loop analysis and verify the safety requirements, e.g., whether the relevant physiological metrics are kept within the safe zone. To address the aforementioned challenges associated with using physiological models, we design an analysis process that leverages clinical knowledge about physiological parameters and states. Although some physiological parameters and states cannot feasibly be measured on every patient in the hospital, their ranges of values and statistical distributions over a particular patient population may be derived from clinical studies [106, 76, 155, 138, 158]. The information on the distributions of parameters enables generating “virtual subjects”, each of which is an instantiation of model parameters [75]. A physiological model, together with its virtual subjects, constitutes a testbed for “virtual” clinical trials (also called in silico trials in some literature) to evaluate treatment methods.
Model-based virtual clinical trials have been used to test therapy strategies in a number of medical applications, e.g., cardiac pacemakers [129], glucose control [63], and pain management [14]. The analysis techniques can be broadly categorized into two classes: numerical simulation and formal verification.
Numerical simulation is widely used in model-based testing of clinical procedures [183, 277]. Many simulation tools exist, e.g., Matlab/Simulink. The main limitation is that simulation can only sample a finite number of points in the space of parameters and initial states. Therefore, passing simulation evaluation does not guarantee safety over the entire population, which maps to continuous regions in the space of physiological parameters and initial states.
Formal verification is the process of checking whether a system satisfies given properties. Model checking is an automatic formal verification technique [60]. Figure 3.1 shows the general workflow of model checking. The system is described in a formal modeling language, e.g., PROMELA [115] or timed automata [11]. The specifications include a set of properties written as logical formulas, e.g., in Linear Temporal Logic (LTL) [262]. A model checker, e.g., SPIN [115] or UPPAAL [160], exhaustively checks the properties along all possible execution paths of the system model, and it either generates a counterexample with a particular execution path that violates some of the properties or reports that all properties are satisfied. The counterexample can guide revisions of the system design. A practical challenge in model checking stems from the state space explosion problem: the size of the state space grows exponentially with the size of the system [196]. Numerous techniques have been proposed to tackle this challenge [9, 141].
[Figure 3.1 diagram; blocks: System Model, Specifications, Model Checker, All Properties Are Satisfied, Counter Example, Model Revision]
Figure 3.1: The general workflow of model checking.
Model checking has emerged as a powerful technique with successful applications to many practical problems [24] and has recently been applied to medical applications [130, 129, 14, 57]. A significant portion of existing medical device verification work focuses on verifying cardiac pacemakers [130, 129, 57], where physiological models are represented as linear timing functions with observable states. Arney et al. propose a technique to simulate and verify patient controlled analgesia algorithms using a linear, observable physiological model. A key design assumption in their approach is that a “fail safe” mode exists, i.e., the system can always fall back to a pre-determined safe action such as stopping infusion. This assumption does not universally apply to all physiological systems. Verifying physiological systems that contain nonlinear dynamics, uncertain parameters and initial states, and no default safe mode remains a challenging problem.
[Figure 3.2 diagram; blocks: Hybrid System, Rule-Based Protocol, Discrete Samples of Physiological Parameters & Initial States, Numerical Simulation, Ranges of Physiological Parameters & Initial States, Formal Verification, Safe? (Yes/No), Revise Protocol, DONE]
Figure 3.2: An iterative model-based analysis framework to evaluate, improve, and verify protocol-driven behaviors.
We propose an iterative model-based analysis approach to evaluate, improve, and verify the safety of protocol-driven behaviors using physiological models that may contain nonlinearities, unidentifiable parameters, and unknown initial states. Figure 3.2 presents an overview of the framework. Our approach integrates numerical simulation and formal verification by harnessing their relative strengths in analyzing physiological models. In our framework, a rule-based protocol is first evaluated in simulation on a set of virtual subjects. Simulation allows fast prototyping, and it is particularly useful for efficiently ruling out improper protocol designs during the early development stages: a protocol that is unsafe even for sample virtual subjects during finite-time simulation is unlikely to be safe to test on humans. If a protocol fails the simulation test, the simulated trajectories may provide insights into how the protocol design can be improved. After the simulation test, successful candidate protocols are further evaluated in formal verification. The key point is that verification provides safety guarantees with respect to model uncertainties: if a protocol is safe on certain regions of parameters and initial states, then it is safe for any patient that maps into those regions, even though the exact individual parameters and initial states may not be identifiable. The cost is that formal verification can be much more computationally expensive than simulation.
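
The model-checking workflow of Figure 3.1 and the simulate-then-verify loop of Figure 3.2, as an added example that is not part of the original text: a toy integer infusion model in which sampled virtual subjects pass finite-time simulation, while exhaustive state-space search over the full parameter and initial-state ranges returns a counterexample trace that motivates a protocol revision. The model, thresholds, ranges, sampled subjects and all names (`Protocol`, `verify`, `safe_clearances`) are assumptions constructed for illustration; the breadth-first search stands in for a model checker such as SPIN or UPPAAL.

```python
from collections import deque, namedtuple

# low: pump switches on below this level; high: off at or above; dose: units/step
Protocol = namedtuple("Protocol", "low high dose")
SAFE_MIN, SAFE_MAX = 1, 10    # safe zone for the drug level (constructed)
CLEARANCES = range(1, 5)      # range of the unmeasurable patient parameter
INITIAL_LEVELS = range(4, 9)  # range of unknown initial states
SAMPLED_SUBJECTS = [(5, 2), (6, 3), (8, 2)]  # (initial level, clearance)
ORIGINAL = Protocol(low=4, high=8, dose=5)
REVISED = Protocol(low=5, high=7, dose=5)    # tightened after the counterexample

def safe(level):
    return SAFE_MIN <= level <= SAFE_MAX

def step(p, level, pump_on, clearance):
    """One protocol decision, then one step of the toy patient model."""
    if level < p.low:
        pump_on = True
    elif level >= p.high:
        pump_on = False
    return level + (p.dose if pump_on else 0) - clearance, pump_on

def simulate(p, level, clearance, horizon=50):
    """Finite-time run of one virtual subject; True if it stays safe."""
    pump_on = False
    for _ in range(horizon):
        level, pump_on = step(p, level, pump_on, clearance)
        if not safe(level):
            return False
    return True

def verify(p, clearances=CLEARANCES, levels=INITIAL_LEVELS):
    """Search every reachable state; None if safe, else shortest violating trace."""
    seen = {(x, False, c) for c in clearances for x in levels}
    queue = deque((s, [s]) for s in sorted(seen))
    while queue:
        (level, pump_on, c), trace = queue.popleft()
        if not safe(level):
            return trace  # states are (level, pump_on, clearance)
        nxt = step(p, level, pump_on, c) + (c,)
        if nxt not in seen:
            seen.add(nxt)
            queue.append((nxt, trace + [nxt]))
    return None

def safe_clearances(p):
    """Parameter region on which the protocol is verified safe."""
    return [c for c in CLEARANCES if verify(p, clearances=[c]) is None]
```

The search terminates because unsafe states are returned rather than expanded, so every expanded state lies inside the bounded safe zone.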