Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Runtime Verification forInterconnected Medical Devices
Martin Leucker Malte Schmitz Danilo à Tellinghusenleucker,schmitz,[email protected]
Institute for Software Engineering and Programming Languages,University of Lübeck, Germany
7th International Symposium on Leveraging Applications ofFormal Methods, Verification and Validation
Outline
1. Interconnection of Medical Devices
2. Runtime Verification for Medical Devices
3. Device ModelerRisk Analysis through Contract Enforcement
4. Swiss Army KnifeInterconnection Debugging Tool
Leucker, Schmitz, Tellinghusen ISoLA 2016 2
Operation Room 1956
Leucker, Schmitz, Tellinghusen ISoLA 2016 3
Operation Room 2016
Leucker, Schmitz, Tellinghusen ISoLA 2016 4
Safe Interconnection of Medical Devices
Upcoming IEEE 11073-SDC standardI Interconnect medical devices
in the operation room.
I Dynamic interconnection of devicesfrom different manufacturers.
I Devices announce themselves in networkwith an interface description.
Leucker, Schmitz, Tellinghusen ISoLA 2016 5
IEEE 11073-SDC
Open Surgical Communication Protocol (OSCP)
Source: Martin Kasparick, Stefan Schlichting, Frank Golatowski, Dirk Timmermann:New IEEE 11073 standards for interoperable, networked point-of-care Medical Devices. EMBC 2015
Leucker, Schmitz, Tellinghusen ISoLA 2016 6
IEEE 11073-10207
Semantic Interoperable Domain Information & Service Model
Source: Martin Kasparick, Stefan Schlichting, Frank Golatowski, Dirk Timmermann:New IEEE 11073 standards for interoperable, networked point-of-care Medical Devices. EMBC 2015
Leucker, Schmitz, Tellinghusen ISoLA 2016 7
§
Risk Analysis
: Contract Enforcement
I European Medical Device Directive demandsexecution of risk management.
I How to do risk management fordynamic interconnection?
Embedded monitors check at runtime thatI the device itself andI other devices controlling it
satisfy the interface description.
Leucker, Schmitz, Tellinghusen ISoLA 2016 8
§
Risk Analysis: Contract Enforcement
I European Medical Device Directive demandsexecution of risk management.
I How to do risk management fordynamic interconnection?
Embedded monitors check at runtime thatI the device itself andI other devices controlling it
satisfy the interface description.
Leucker, Schmitz, Tellinghusen ISoLA 2016 8
Our Tools
Leucker, Schmitz, Tellinghusen ISoLA 2016 9
Our Tools
Device Modeler
I Model the device containment treeincluding constraints for metrics
I Generate network interface codeincluding runtime monitors
Swiss Army Knife
I Debug devices in networkand manipulate them through SCO
I Specify constraints for metricsand execute monitors checking those
Leucker, Schmitz, Tellinghusen ISoLA 2016 10
Specifying Temporal Properties
I Specify temporal behavior of metric’sobserved value, invocation state, . . .
I Smart Assertion Logic for Temporal Logic(SALT, Bauer, Leucker, Streit 2006) . . .
I Impartial Anticipation using LTL3 Semantics(Bauer, Leucker, Schallhart 2011)
Example
assert "brightness.value < 70"until "readiness_state.value = 'READY'"
Leucker, Schmitz, Tellinghusen ISoLA 2016 11
OSCP Device Modeler Workbench
Leucker, Schmitz, Tellinghusen ISoLA 2016 12
OSCP Device Modeler Workbench
Leucker, Schmitz, Tellinghusen ISoLA 2016 12
OSCP Device Modeler
Leucker, Schmitz, Tellinghusen ISoLA 2016 13
OSCP Device Architecture
Leucker, Schmitz, Tellinghusen ISoLA 2016 14
OSCP Device Monitoring
Leucker, Schmitz, Tellinghusen ISoLA 2016 15
OSCP Device Monitoring
Leucker, Schmitz, Tellinghusen ISoLA 2016 16
OSCP Device Monitoring
Leucker, Schmitz, Tellinghusen ISoLA 2016 17
OSCP Swiss Army Knife
Leucker, Schmitz, Tellinghusen ISoLA 2016 18
OSCP Swiss Army Knife
I Discover all active devices in network
I Show interface description
I Show current values
I Allow manipulation through service model
I Allow attachment of monitors
Leucker, Schmitz, Tellinghusen ISoLA 2016 19
Monitor Injection in Swiss Army Knife
OSCLib
Network
Entry
GUI
Value Monitor MonitorGUI
invoke command
observe update
register callback update
Leucker, Schmitz, Tellinghusen ISoLA 2016 20
Demo
DemoLeucker, Schmitz, Tellinghusen ISoLA 2016 21
Conclusion
I IEEE 11073-SDC is upcoming standard for interconnection ofmedical point-of-care devices.
I Devices announce their interface to the local network.I Monitors can be attached to devices’ metrics.I Monitors enforce own device and remote controlling device
to satisfy the interface description.I Swiss Army Knife discovers devices.I Swiss Army Knife manipulates devices’ states.
Leucker, Schmitz, Tellinghusen ISoLA 2016 22