runtime verification for [3pt] interconnected medical devices · 2016. 12. 2. · ieee 11073-10207...

Runtime Verification forInterconnected Medical Devices

Martin Leucker Malte Schmitz Danilo à Tellinghusenleucker,schmitz,tellinghusen@isp.uni-luebeck.de

Institute for Software Engineering and Programming Languages,University of Lübeck, Germany

7th International Symposium on Leveraging Applications ofFormal Methods, Verification and Validation

Outline

1. Interconnection of Medical Devices

2. Runtime Verification for Medical Devices

3. Device ModelerRisk Analysis through Contract Enforcement

4. Swiss Army KnifeInterconnection Debugging Tool

Leucker, Schmitz, Tellinghusen ISoLA 2016 2

Operation Room 1956

Leucker, Schmitz, Tellinghusen ISoLA 2016 3

Operation Room 2016

Leucker, Schmitz, Tellinghusen ISoLA 2016 4

Safe Interconnection of Medical Devices

Upcoming IEEE 11073-SDC standardI Interconnect medical devices

in the operation room.

I Dynamic interconnection of devicesfrom different manufacturers.

I Devices announce themselves in networkwith an interface description.

Leucker, Schmitz, Tellinghusen ISoLA 2016 5

IEEE 11073-SDC

Open Surgical Communication Protocol (OSCP)

Source: Martin Kasparick, Stefan Schlichting, Frank Golatowski, Dirk Timmermann:New IEEE 11073 standards for interoperable, networked point-of-care Medical Devices. EMBC 2015

Leucker, Schmitz, Tellinghusen ISoLA 2016 6

IEEE 11073-10207

Semantic Interoperable Domain Information & Service Model

Source: Martin Kasparick, Stefan Schlichting, Frank Golatowski, Dirk Timmermann:New IEEE 11073 standards for interoperable, networked point-of-care Medical Devices. EMBC 2015

Leucker, Schmitz, Tellinghusen ISoLA 2016 7

§

Risk Analysis

: Contract Enforcement

I European Medical Device Directive demandsexecution of risk management.

I How to do risk management fordynamic interconnection?

Embedded monitors check at runtime thatI the device itself andI other devices controlling it

satisfy the interface description.

Leucker, Schmitz, Tellinghusen ISoLA 2016 8

§

Risk Analysis: Contract Enforcement

I European Medical Device Directive demandsexecution of risk management.

I How to do risk management fordynamic interconnection?

Embedded monitors check at runtime thatI the device itself andI other devices controlling it

satisfy the interface description.

Leucker, Schmitz, Tellinghusen ISoLA 2016 8

Our Tools

Leucker, Schmitz, Tellinghusen ISoLA 2016 9

Our Tools

Device Modeler

I Model the device containment treeincluding constraints for metrics

I Generate network interface codeincluding runtime monitors

Swiss Army Knife

I Debug devices in networkand manipulate them through SCO

I Specify constraints for metricsand execute monitors checking those

Leucker, Schmitz, Tellinghusen ISoLA 2016 10

Specifying Temporal Properties

I Specify temporal behavior of metric’sobserved value, invocation state, . . .

I Smart Assertion Logic for Temporal Logic(SALT, Bauer, Leucker, Streit 2006) . . .

I Impartial Anticipation using LTL3 Semantics(Bauer, Leucker, Schallhart 2011)

Example

assert "brightness.value < 70"until "readiness_state.value = 'READY'"

Leucker, Schmitz, Tellinghusen ISoLA 2016 11

OSCP Device Modeler Workbench

Leucker, Schmitz, Tellinghusen ISoLA 2016 12

OSCP Device Modeler Workbench

Leucker, Schmitz, Tellinghusen ISoLA 2016 12

OSCP Device Modeler

Leucker, Schmitz, Tellinghusen ISoLA 2016 13

OSCP Device Architecture

Leucker, Schmitz, Tellinghusen ISoLA 2016 14

OSCP Device Monitoring

Leucker, Schmitz, Tellinghusen ISoLA 2016 15

OSCP Device Monitoring

Leucker, Schmitz, Tellinghusen ISoLA 2016 16

OSCP Device Monitoring

Leucker, Schmitz, Tellinghusen ISoLA 2016 17

OSCP Swiss Army Knife

Leucker, Schmitz, Tellinghusen ISoLA 2016 18

OSCP Swiss Army Knife

I Discover all active devices in network

I Show interface description

I Show current values

I Allow manipulation through service model

I Allow attachment of monitors

Leucker, Schmitz, Tellinghusen ISoLA 2016 19

Monitor Injection in Swiss Army Knife

OSCLib

Network

Entry

GUI

Value Monitor MonitorGUI

invoke command

observe update

register callback update

Leucker, Schmitz, Tellinghusen ISoLA 2016 20

Demo

DemoLeucker, Schmitz, Tellinghusen ISoLA 2016 21

Conclusion

I IEEE 11073-SDC is upcoming standard for interconnection ofmedical point-of-care devices.

I Devices announce their interface to the local network.I Monitors can be attached to devices’ metrics.I Monitors enforce own device and remote controlling device

to satisfy the interface description.I Swiss Army Knife discovers devices.I Swiss Army Knife manipulates devices’ states.

Leucker, Schmitz, Tellinghusen ISoLA 2016 22