Real-Time and Embedded Systems Lab (mLAB)

Closed-loop Verification of Medical Devices With Model Abstraction and Refinement

Zhihao Jiang et al. — Wed, 08 May 2013 20:05:36 PDT

The design and implementation of software for medical devices is challenging due to their closed-loop interaction with the patient, which is a stochastic physical environment. The safety-critical nature and the lack of existing industry standards for verification, make this an ideal domain for exploring applications of formal modeling and closed-loop analysis. The biggest challenge is to balance the complexity and fidelity of the environment model, while preserving the safety and efficacy properties. In this effort, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We begin with detailed timed automata model of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. A manual Counter-Example-Guided Abstraction and Refinement (CEGAR) framework has been adapted to balance model complexity and fidelity. The heart is modeled using timed automata based on the physiology of heart. The model is gradually abstracted with timed simulation to preserve properties, and refined when spurious counter-examples are found. To demonstrate the closed-loop nature of the problem, we investigated two clinical cases of Pacemaker Mediated Tachycardia and verified their corresponding correction algorithms in the pacemaker. Along with our tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.

Event-based Green Scheduling of Radiant Systems in Buildings

Truong X. Nghiem et al. — Thu, 21 Mar 2013 12:14:04 PDT

This paper looks at the problem of peak power demand reduction for intermittent operation of radiant systems in buildings. Uncoordinated operation of the circulation pumps of a multi-zone hydronic radiant system can cause temporally correlated electricity demand surges when multiple pumps are activated simultaneously. Under a demand-based electricity pricing policy, this uncoordinated behavior can result in high electricity costs and expensive system operation. We have previously presented Green Scheduling with the periodic scheduling approach for reducing the peak power demand of electric radiant heating systems while maintaining indoor thermal comfort. This paper develops an event-based state feedback scheduling strategy that, unlike periodic scheduling, directly takes into account the disturbances and is thus more suitable for building systems. The effectiveness of the new strategy is demonstrated through simulation in MATLAB.

Networked Realization of Discrete-Time Controllers

Fei Miao et al. — Thu, 21 Mar 2013 12:07:23 PDT

We study the problem of mapping discrete-time linear controllers into potentially higher order linear controllers with predefined structural constraints. Our work has been motivated by the Wireless Control Network (WCN) architecture, where the network itself behaves as a distributed, structured dynamical compensator. We make connections to model reduction theory to derive a method for the controller embedding based on minimization of the H∞-norm of the error system. This allows us to frame the problem as synthesis of optimal structured linear controllers, which enables the utilization of design-time iterative procedures for systems’ approximation. Finally, we illustrate the use of the mapping procedure by embedding PID controllers into the WCN substrate, and show how to reduce the computation overhead of the approximation procedure.

Heart-on-a-Chip: A Closed-loop Testing Platform for Implantable Pacemakers

Zhihao Jiang et al. — Fri, 15 Mar 2013 19:40:49 PDT

Implantable cardiac pacemakers restore normal heart rhythm by delivering external electrical pacing to the heart. The pacemaker software is life-critical as the timing of the pulses determine its ability to control the heart rate. Recalls due to software issues have been on the rise with the increasing complexity of pacing algorithms. Open-loop testing remains the primary approach to evaluate the safety of pacemaker software. While this tests how the pacemaker responds to stimulus, it cannot reveal pacemaker malfunctions which drive the heart into an unsafe state over multiple cycles. To evaluate the safety and efficacy of pacemaker software we have developed a heart model to generate different heart conditions and interact with real pacemakers. In this paper, we introduce the closed-loop testing platform which consists of a programmable hardware implementation of the heart that can interact with a commercial pacemaker in closed-loop. The heart-on-a-chip implementation is automatically generated from the Virtual Heart Model in Simulink which models different heart conditions. We describe a case study of Endless Loop Tachycardia to demonstrate potential closed-loop pacemaker malfunctions which inappropriately increase the heart rate. The test platform is part of our model-based design framework for verification and testing of medical devices with the patient--in-the-loop.

ProtoDrive: An Experimental Platform for Electric Vehicle Energy Scheduling and Control

Stephanie Diaz et al. — Tue, 18 Dec 2012 09:44:56 PST

Robust Architectures for Embedded Wireless Network Control and Actuation

Miroslav Pajic et al. — Sun, 21 Oct 2012 13:38:12 PDT

Networked Cyber-Physical Systems are fundamentally constrained by the tight coupling and closed-loop control of physical processes. To address actuation in such closed-loop wireless control systems there is a strong need to re-think the communication architectures and protocols for reliability, coordination and control. We introduce the Embedded Virtual Machine (EVM), a programming abstraction where controller tasks with their control and timing properties are maintained across physical node boundaries and functionality is capable of migrating to the most competent set of physical controllers. In the context of process and discrete control, an EVM is the distributed runtime system that dynamically selects primary-backup sets of controllers given spatial and temporal constraints of the underlying wireless network. EVM-based algorithms allow network control algorithms to operate seamlessly over less reliable wireless networks with topological changes. They introduce new capabilities such as predictable outcomes during sensor/actuator failure, adaptation to mode changes and runtime optimization of resource consumption. An automated design flow from Simulink to platform-independent domain specific languages, and subsequently, to platform-dependent code generation is presented. Through case studies in discrete and process control we demonstrate the capabilities of EVM-based wireless network control systems.

Model-Driven Safety Analysis of Closed-Loop Medical Systems

Miroslav Pajic et al. — Sun, 21 Oct 2012 13:24:39 PDT

In modern hospitals, patients are treated using a wide array of medical devices that are increasingly interacting with each other over the network, thus offering a perfect example of a cyber-physical system. We study the safety of a medical device system for the physiologic closed-loop control of drug infusion. The main contribution of the paper is the verification approach for the safety properties of closed-loop medical device systems. We demonstrate, using a case study, that the approach can be applied to a system of clinical importance. Our method combines simulation-based analysis of a detailed model of the system that contains continuous patient dynamics with model checking of a more abstract timed automata model. We show that the relationship between the two models preserves the crucial aspect of the timing behavior that ensures the conservativeness of the safety analysis. We also describe system design that can provide open-loop safety under network failure.

MLE+: A Tool for Integrated Design and Deployment of Energy Efficient Building Controls

Willy Bernal et al. — Fri, 12 Oct 2012 07:25:49 PDT

We present MLE+, a tool for energy-efficient building automation design, co-simulation and analysis. The tool leverages the high-fidelity building simulation capabilities of EnergyPlus and the scientific computation and design capabilities of Matlab for controller design. MLE+ facilitates integrated building simulation and controller formulation with integrated support for system identification, control design, optimization, simulation analysis and communication between software applications and building equipment. It provides streamlined workflows, a graphical front-end, and debugging support to help control engineers eliminate design and programming errors and take informed decisions early in the design stage, leading to fewer iterations in the building automation development cycle. We show through an example and two case studies how MLE+ can be used for designing energy-efficient control algorithms for both simulated buildings in EnergyPlus and real building equipment via BACnet.

Real-time Heart Model for Implantable Cardiac Device Validation and Verification

Zhihao Jiang et al. — Mon, 20 Aug 2012 14:07:06 PDT

Designing bug-free medical device software is challenging, especially in complex implantable devices that may be used in unanticipated contexts. Safety recalls of pacemakers and implantable cardioverter defibrillators due to firmware problems between 1990 and 2000 affected over 200, 000 devices. This encompasses 41% of the devices recalled and continues to increase in frequency. There is currently no formal methodology or open experimental platform to validate and verify the correct operation of medical device software. To this effect, a real-time Virtual Heart Model (VHM) has been developed to model the electrophysiological operation of the functioning (i.e. during normal sinus rhythm) and malfunctioning (i.e. during arrhythmia) heart. We present a methodology to construct a timed-automata model by extracting timing properties of the heart. The platform employs functional and formal interfaces for validation and verification of implantable cardiac devices. We demonstrate the VHM is capable of generating clinically-relevant response to intrinsic (i.e. premature stimuli) and external (i.e. artificial pacemaker) signals for a variety of common arrhythmias. By connecting the VHM with a pacemaker model, we are able to pace and synchronize the heart during the onset of irregular heart rhythms. The VHM has also been implemented on a hardware platform for closed-loop experimentation with existing and virtual medical devices. This integrated functional and formal device design approach has potential to help expedite medical device certification for safe operation.

AUTOPLUG: An Architecture for Remote Electronic Controller Unit Diagnostics in Automotive Systems

Yash Vardhan Pant et al. — Tue, 05 Jun 2012 11:57:42 PDT

In 2010, over 20.3 million vehicles were recalled. Software issues related to automotive controls such as cruise control, anti-lock braking system, traction control and stability control, account for an increasingly large percentage of the overall vehicles recalled. There is a need for new and scalable methods to evaluate automotive controls in a realistic and open setting. We have developed AutoPlug, an automotive Electronic Controller Unit (ECU) architecture between the vehicle and a Remote Diagnostics Center to diagnose, test, update and verify controls software. Within the vehicle, we evaluate observerbased runtime diagnostic schemes and introduce a framework for remote management of vehicle recalls. The diagnostics scheme deals with both real-time and non-real time faults, and we introduce a decision function to detect and isolate faults in a system with modeling uncertainties. We also evaluate the applicability of “Opportunistic Diagnostics”, where the observerbased diagnostics are scheduled in the ECU’s RTOS only when there is slack available in the system. This aperiodic diagnostics scheme performs similar to the standard, periodic diagnostics scheme under reasonable assumptions. This approach works on existing ECUs and does not interfere with current task sets. The overall framework integrates in-vehicle and remote diagnostics and serves to make vehicle recalls management a less reactive and cost-intensive procedure.

Green Scheduling of Control Systems for Peak Demand Reduction

Truong X. Nghiem et al. — Sat, 02 Jun 2012 19:27:37 PDT

Building systems such as heating, air quality control and refrigeration operate independently of each other and frequently result in temporally correlated energy demand surges. As peak power prices are 200-400 times that of the nominal rate, this uncoordinated activity is both expensive and operationally inefficient. We present an approach to fine-grained coordination of energy demand by scheduling the control systems within a constrained peak while ensuring custom climate environments are facilitated. The peak constraint is minimized for energy efficiency, while we provide feasibility conditions for the constraint to be realizable by a scheduling policy for the control systems. The physical systems are then coordinated by the scheduling controller so as both the peak constraint and the climate/safety constraint are satisfied. We also introduce a simple scheduling approach called lazy scheduling. The proposed control and scheduling strategy is implemented in simulation examples from small to large scales, which show that it can achieve significant peak demand reduction while being efficient and scalable.

Green Scheduling for Energy-Efficient Operation of Multiple Chiller Plants

Madhur Behl et al. — Sat, 02 Jun 2012 19:27:35 PDT

In large building systems, such as a university campus, the air-conditioning systems are commonly served by chiller plants, which contribute a large fraction of the total electricity consumption of the campuses. The power consumption of a chiller is highly affected by its Coefficient of Performance (COP), which is optimal when the chiller is operated at or near full load.

For a chiller plant, its overall COP can be optimized by utilizing a Thermal Energy Storage (TES) and switching its operation between COP-optimal charging and discharging modes. However, uncoordinated mode switchings of chiller plants may cause temporally-correlated high electricity demand when multiple plants are charging their TES concurrently.

In this technical report, a Green Scheduling approach, proposed in our previous work, is used to schedule the chiller plants to reduce their peak aggregate power demand while ensuring safe operation of the TES. We present a scheduling algorithm based on backward reach set computation of the TES dynamics. The proposed algorithm is demonstrated in a numerical simulation in Matlab to be effective for reducing the peak power demand and the overall electricity cost.

Green Scheduling for Radiant Systems in Buildings

Truong X. Nghiem et al. — Wed, 21 Mar 2012 10:08:02 PDT

In this report we look at the problem of peak power reduction for buildings with electric radiant floor heating systems. Uncoordinated operation of a multi-zone radiant floor heating system can result in temporally correlated electricity demand surges or peaks in the building’s electricity consumption. As peak power prices are 200-400 times that of the nominal rate, this uncoordinated activity can result in high electricity costs and expensive system operation. We have previously presented green scheduling as an approach for reducing the aggregate peak power consumption in buildings while ensuring that indoor thermal comfort is always maintained. This report extends the theoretical results for general affine dynamical systems and applies them to electric radiant floor heating systems. The potential of the proposed method in reducing the peak power demand is demonstrated for a small-scale system through simulation in EnergyPlus and for a large-scale system through simulation in Matlab.

From Verification to Implementation: A Model Translation Tool and a Pacemaker Case Study

Miroslav Pajic et al. — Fri, 02 Mar 2012 13:50:09 PST

Model-Driven Design (MDD) of cyber-physical systems advocates for design procedures that start with formal modeling of the real-time system, followed by the model’s verification at an early stage. The verified model must then be translated to a more detailed model for simulation-based testing and finally translated into executable code in a physical implementation. As later stages build on the same core model, it is essential that models used earlier in the pipeline are valid approximations of the more detailed models developed downstream. The focus of this effort is on the design and development of a model translation tool, UPP2SF, and how it integrates system modeling, verification, model-based WCET analysis, simulation, code generation and testing into an MDD based framework. UPP2SF facilitates automatic conversion of verified timed automata-based models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the design rules to ensure the conversion is correct, efficient and applicable to a large class of models. We show how the tool enables MDD of an implantable cardiac pacemaker. We demonstrate that UPP2SF preserves behaviors of the pacemaker model from UPPAAL to Stateflow. The resultant Stateflow chart is automatically converted into C and tested on a hardware platform for a set of requirements.

Closing the Loop: A Simple Distributed Method for Control over Wireless Networks

Miroslav Pajic et al. — Fri, 02 Mar 2012 13:29:51 PST

We present a distributed scheme used for control over a network of wireless nodes. As opposed to traditional networked control schemes where the nodes simply route information to and from a dedicated controller (perhaps performing some encoding along the way), our approach, Wireless Control Network (WCN), treats the network itself as the controller. In other words, the computation of the control law is done in a fully distributed way inside the network. We extend the basic WCN strategy, where at each time-step, each node updates its internal state to be a linear combination of the states of the nodes in its neighborhood. This causes the entire network to behave as a linear dynamical system, with sparsity constraints imposed by the network topology. We demonstrate that with observer style updates, the WCN's robustness to link failures is substantially improved. Furthermore, we show how to design a WCN that can maintain stability even in cases of node failures. We also address the problem of WCN synthesis with guaranteed optimal performance of the plant, with respect to standard cost functions. We extend the synthesis procedure to deal with continuous-time plants and demonstrate how the WCN can be used on a practical, industrial application, using a process-in-the-loop setup with real hardware.

Modeling and Verification of a Dual Chamber Implantable Pacemaker

Zhihao Jiang et al. — Mon, 13 Feb 2012 10:09:33 PST

The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safety-critical nature and the lack of existing industry standards for verification, make this an ideal domain for exploring applications of formal modeling and analysis. In this study, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We begin with detailed models of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. We then define the state space of the closed-loop system based on its heart rate and developed a heart model which can non-deterministically cover the whole state space. For verification, we first specify unsafe regions within the state space and verify the closed-loop system against corresponding safety requirements. As stronger assertions are attempted, the closed-loop unsafe state may result from healthy open-loop heart conditions. Such unsafe transitions are investigated with two clinical cases of Pacemaker Mediated Tachycardia and their corresponding correction algorithms in the pacemaker. Along with emerging tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.

A Simple Distributed Method for Control over Wireless Networks

Miroslav Pajic et al. — Thu, 09 Feb 2012 18:17:51 PST

We present a distributed scheme used for control over wireless networks. In our previous work, we introduced the concept of a Wireless Control Network (WCN), where the network itself, with no centralized node, acts as the controller. In this work, we show how the WCN can be modified to include observer style updates which substantially improves robustness of the closed-loop system to link failures. In addition, we analyze how the WCN simplifies extraction of the communication and computation schedules and enables system compositionality and scalability.

Network Synthesis for Dynamical System Stabilization

Miroslav Pajic et al. — Wed, 07 Dec 2011 13:29:29 PST

We present our recent results in the area of distributed control over wireless networks. In our previous work, we introduced the concept of a Wireless Control Network (WCN), where the network acts as a decentralized structured controller. In this case, the network is not used only as a communication medium (as in traditional control paradigms), but instead as a fully distributed computational substrate. We show that the dynamics of the plant dictate the types of network topologies that can be used to stabilize the system. Finally, we describe how to obtain a stabilizing configuration for the WCN if the topological conditions are satisfied.

Green Scheduling: Scheduling of Control Systems for Peak Power Reduction

Truong Nghiem et al. — Thu, 17 Nov 2011 14:35:08 PST

Heating, cooling and air quality control systems within buildings and datacenters operate independently of each other and frequently result in temporally correlated energy demand surges. As peak power prices are 200-400 times that of the nominal rate, this uncoordinated activity is both expensive and operationally inefficient. While several approaches for load shifting and model predictive control have been proposed, we present an alternative approach to fine-grained coordination of energy demand by scheduling energy consuming control systems within a constrained peak power while ensuring custom climate environments are facilitated. Unlike traditional real-time scheduling theory, where the execution time and hence the schedule are a function of the system variables only, control system execution (i.e. when energy is supplied to the system) are a function of the environmental variables and the plant dynamics. To this effect, we propose a geometric interpretation of the system dynamics, where a scheduling policy is represented as a hybrid automaton and the scheduling problem is presented as designing a hybrid automaton. Tasks are constructed by extracting the temporal parameters of the system dynamics. We provide feasibility conditions and a lazy scheduling approach to reduce the peak power for a set of control systems. The proposed model is intuitive, scalable and effective for the large class of systems whose state-time profile can be linearly approximated.

Anytime Algorithms for GPU Architectures

Rahul Mangharam et al. — Thu, 17 Nov 2011 14:35:03 PST

Most algorithms are run-to-completion and provide one answer upon completion and no answer if interrupted before completion. On the other hand, anytime algorithms have a monotonic increasing utility with the length of execution time. Our investigation focuses on the development of time-bounded anytime algorithms on Graphics Processing Units (GPUs) to trade-off the quality of output with execution time. Given a time-varying workload, the algorithm continually measures its progress and the remaining contract time to decide its execution pathway and select system resources required to maximize the quality of the result. To exploit the quality-time tradeoff, the focus is on the construction, instrumentation, on-line measurement and decision making of algorithms capable of efficiently managing GPU resources. We demonstrate this with a Parallel A* routing algorithm on a CUDA-enabled GPU. The algorithm execution time and resource usage is described in terms of CUDA kernels constructed at design-time. At runtime, the algorithm selects a subset of kernels and composes them to maximize the quality for the remaining contract time. We demonstrate the feedback-control between the GPU-CPU to achieve controllable computation tardiness by throttling request admissions and the processing precision. As a case study, we have implemented AutoMatrix, a GPU-based vehicle traffic simulator for real-time congestion management which scales up to 16 million vehicles on a US street map. This is an early effort to enable imprecise and approximate real-time computation on parallel architectures for stream-based timebounded applications such as traffic congestion prediction and route allocation for large transportation networks.