Case Study: Computer Assisted Resuscitation Algorithm (CARA) System
Insup Lee
Department of Computer and Information Science, University of Pennsylvania
6/22/01
SDRL & RTG, University of Pennsylvania

People
• Alwyn Goodloe (Penn)
• Dr. Jitka Stribna (Penn)
• Jiaxiang Zhou (Penn)
• Prof. Insup Lee (Penn)
• Dr. Oleg Sokolsky (Penn)
• Prof. Elsa Gunter (NJIT)
Goals of CARA case study
• Facilitate the development of reliable and robust (current and future) CARA systems
• Use the state-of-the-art formal methods and techniques
  – Requirement capture and analyzer, model checker, equivalence checker, test generator, etc.
  – Evaluate the effectiveness of tools
  – Development of domain specific framework and methodology
Embedded Systems
• Difficulties
  – Increasing complexity
  – Decentralized
  – Safety critical
  – Resource constrained
• Non-functional: power, size, etc.
• Development of reliable and robust embedded software
• Increased development cost implies greater emphasis on reuse …
Properties of embedded systems
• Adherence to safety-critical properties
• Meeting timing constraints
• Satisfaction of resource constraints
• Confinement of resource accesses
• Supporting fault tolerance
• Domain specific requirements
Progress to date
• Translated parts of informal requirements to EFSM (Extended Finite State Machines)
• Our analysis of the requirements (3/19/01) and Questions/Answers (1/24/01) generated 29 questions of the following types:
  – Identifying Inconsistencies (4)
  – Identifying Incompleteness (10)
  – Clarification of specific terms (15)
Sample Questions
• Clarifications of specific term
  – What is an infusate (Req16)
    • Infusate is the ‘stuff’ usually a saline solution that is being pumped into the person
• Identifying Incompleteness
  – Is hardware setting on pump active in Auto-Control mode? What happens if the user meddles with the hardware flow knob in Auto-Control mode?
    • The computer can take control of the pumping rate and thus lock out the hardware flow knob. The pump can still be shut off though.
Sample Questions (Cont'd.)
• Identifying Inconsistencies
  – There were several exchanges requesting clarification on the fact that the requirements indicate that a beat-to-beat source is lost after 3 minutes (Req42 and 43), but the Q/A document says it should be 2 minutes (Q120).
Overall System
• Pump
  – The hardware
• Cara system
  – The software
• Environment
  – The user
• Patient
  – The object
Overall System Structure
[Block diagram: Pump Hardware, Cara System, Environment, Patient. Signal labels on the diagram:
  – Pump Status, Current mode, BP value, BP source, Flow Rate, Infused Volume, Notation messages*, Alarms messages*, Dialog boxes*
  – Dialog Box Buttons*, Air Alarm, Occ Alarm
  – Hardware flow setting
  – Control Voltage, #2 (SysGRD), #6 (Ext_Speed_control)
  – AirOk, OccOk, Back EMF, Pump wires]
The Cara System
• Component
  – Pump Monitor
  – Blood Pressure Detector
  – Control Algorithm
  – Display/Alarm
[Block diagram of the Cara system components: Pump Monitor, Algorithm, Display/Alarm, Blood Pressure Detector. Signal labels on the diagram:
  – ResetAlarms, Mode, InfusedVolume, FlowRate, Pumping, PollingFailure, Exit A/C
  – Start A/C, Terminate A/C, Set BP
  – BP Source, BP Value, BP Alarms*
  – CuffOverride, Corroboration Override
  – GotoManual, BP Source, BP Value
  – PluggedIn, AirOk, OccOk, Impedance, Continuity, BackEMF]
Pump Monitor
• Signal from Pump hardware
  – Plugged-in
    • Whether the pump is plugged in is the pre-condition of the Cara system. Whenever the monitor finds the pump is not plugged in, it will trigger the alarm system and the Cara will revert back to “Manual mode”
  – back EMF
    • Monitors the voltage of the pump
  – Air Ok line
    • Monitors the infused liquid for presence of air bubbles
  – Occlusion line
    • Monitors whether an occlusion fault is found
  – Wire-continuity
    • Checks continuity of all lines connecting the pump
[Diagram: Pump Monitor, with AirOk Monitor, backEMF Monitor, OccOk Monitor, Plug-In Monitor and Wire-Continuity Monitor]
State Flow to Check Plugged-in
[State diagram. States: Check Pump/Plugged In; Check Pump/Unplugged In. Transition labels (guard -> action):
  – Monitor the pump connector && Pump is plugged in -> PluggedIn := true
  – When pump is unplugged -> PluggedIn := false
  – When pump is plugged in -> PluggedIn := true]
BP Detector
• Read BP
  – Read & Check Cuff Pressure
  – Read & Check Beat-to-Beat BP
• Select BP Source
  – Several sources: cuff pressure, arterial line, pulse wave transmission, etc.
  – Select control BP
• Corroborate BP
  – Corroboration Algorithm
  – Re-Corroboration
• Monitor BP Level
  – Check with BP Set Point
  – Check BP falls
[Block diagram of the BP Detector. Blocks: Initialize & Select (Read & Validate Cuff Data, Read B2B, Source Select, Initial AutoControl); Read BP (Read B2B BP, B2B Source Lost); Corroborate (Corroboration Algorithm, ReCorroboration Algorithm); Monitor BP Level (Check if BP fallen too low, Checkpoints Reached in time). Signal labels on the diagram include NoBPAfter3Min, CuffInvalid, CuffNotAvailable, LossCBP, LossnCBP, 90SecXOutrange, CorroborationOverride, BPvalue, InitCuffOverride, InitCuffNotAvailable, GotoManual, XSourceLost, CorroborationFailure, Source, FailedToGet60, FailedToSP, FallingBP, BPFallenTooLow.]
BP Source Selection
[State diagram. States:
  – Wait
  – Select the highest priority corroborated source available (X)
  – Use X as control Source
  – Select highest priority corroborated source available (Y)
  – Corroborate new Source with X
Transition labels (guard -> action):
  – finishedInitCorrob == 0
  – Mode == Auto-control && finishedInitCorrob == 1
  – 1 -> Source := X
  – LossCBP == 1
  – LossCBP == 0
  – Y exists -> X := Y
  – Y doesn't exist -> gotoManual := 1
  – Higher Priority Source becomes available
  – 1]
Control Algorithm
• Pump-control Algorithm
  – Computes drive voltage for the pump
  – Consists of some modes
• Polling-control Algorithm
  – Checks the pumping rate by polling the back EMF line
  – Computes flow rate, cumulative volume & impedance value and sends them to display
  – Checks impedance of the infused liquid
Pump-Control Algorithm
[State diagram. States: Operational; Manual-ready; Auto-Control mode; Auto-Control Initialization; Manual mode; Wait. Transition labels (guard -> action):
  – default
  – The LSTAT is powered on
  – PluggedIn == true -> mode := wait; Logging
  – PluggedIn == true && AirOk == true && OccOk == true && backEMF > 0 && Continuity == true && The hardware flow setting is working -> mode := Manual
  – PluggedIn == true && Pumping == true && OccOk == true && -> statusOk := true
  – Start A/C == true -> Initialize the pump flow rate to 4 l/hr && inflate the cuff pressure
  – 40 <= BPvalue <= 150 -> mode := Auto-Control; Calculate the drive voltage
  – PluggedIn == false || AirOk == false || OccOk == false || Continuity == false || Pumping == false || GotoManual == true -> Exit a/c := true; mode == Manual; Logging
  – No polling reading || PluggedIn == false || AirOk == false || OccOk == false || Continuity == false || Pumping == false || GotoManual == true || ("Terminate" button && "Yes" button both pressed) -> Exit a/c := true; mode == Manual; Logging
  – "Terminate" button && "No" button both pressed]
Polling-Control Algorithm
[State diagram. States: Wait; Keep Checking; Check Back EMF; Check Plugged-In; Check Impedance; Exit. Transition labels (guard -> action):
  – default
  – PluggedIn == true && back EMF checked -> t:=0, d(t):=1, Pumping:=true, check impedance values, tmp:=flow_rate, k:=1, FlowRate:=tmp, 1minFlag:=true, logging
  – PluggedIn == false || no EMF checked -> Pumping := false
  – PluggedIn == true && mode == Manual -> t2:=0, d(t2):=1, tmp:=flow_rate, k:=1 minFlag:=true, checking back EMF, logging
  – PluggedIn == true && back EMF checked && t2>=60 -> t:=0, t2:=0, k:=0, tmp:=0, 5secFlag:=true, 1minFlag:=true, FlowRate:=tmp/k, get impedance, logging (this label appears on two transitions)
  – PluggedIn == true && mode == Manual && t>=5 -> t:=0, tmp:=tmp+flow_rate, k:=k+1, 5secFlag:=true, get impedance value
  – PluggedIn == true && back EMF checked && t>=5 && t2<60 && flow_rate >= KVO -> t:=0, k:=k+1, tmp:=tmp+flow_rate, 5secFlag:=true, get impedance
  – impedance checked ok -> t:=0, t2:=0, k:=1, tmp:=flow_rate, Pumping:=true, get impedance, logging
  – (PluggedIn == true && Polling request failed) || flow_rate == 0 -> t:=0, k:=0, logging
  – PluggedIn == false -> Pumping := false
  – PluggedIn == true -> Pumping := true
  – k>3 -> t:=0, k:=0, Pumping:=false
  – t==1 && k<=3 -> t:=0, k:=k+1
  – Exit a/c == true (this label appears on three transitions)]
Display/Alarm
• Message Display
  – Pump status
    • Pump mode
    • Unexpected status
  – Pumping data
    • Flow rate
    • Cumulative volume
  – Override windows
• Alarm
  – Alarm messages
    • Alarm type
    • Directions to fix alarm
  – Audible alarms
[Diagram: DISPLAY/ALARMS SM, with ALARMS SM, PUMP STATUS SM, ALGORITHM MODES SM, DATA DISPLAY SM, OVERRIDE WINDOW SM and DISPLAY SM]
Alarm State Machine
[State diagram. States:
  – No Alarms
  – Display Pump Alarm Message; Sound Pump Alarm
  – Display Alarm Messages; Sound Alarms
Transition labels (guard -> action):
  – Alarms == 1 -> Initiate Alarms
  – Alarms == 0 && ResetAlarms == 1 -> Reset alarms
  – PumpAlarm == 1 -> Display pump alarm
  – PumpAlarm == 0 && ResetAlarms == 1 -> Reset Pump Alarm
  – Redisplay with new alarms -> Silence & Sound
  – -> Silence & Sound]
Preliminary Plan
• Understand informal requirements (tech report): Aug ’01
  – Translate informal requirements to EFSM
  – Identify assumptions on four subsystems: environment, patient, pump hardware, CARA systems
  – Failure modes: detection and handling
• Check consistency of EFSM (paper): Nov ’01
  – Completeness (of events and conditions)
  – Complete treatment of failures
• Identify and verify safety properties: Jan ’02
  – Extract safety properties from hazard analysis document
  – Talk to designer
• Other possibilities
  – Timing modeling and analysis
  – Reliability modeling and analysis
  – Generate tests
  – Code generation
    • API, hardware spec., what control algorithms
    • Simulator/emulator (?)
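
An added example (not part of the original slides or of the CARA project's tooling): a brute-force completeness and consistency check of the kind named under "Check consistency of EFSM", run over the guards from the Alarm State Machine slide. The state names and the source and target of each transition are assumptions, because the transcript does not preserve the diagram's arrows.

```python
from itertools import product

INPUTS = ("Alarms", "PumpAlarm", "ResetAlarms")
STATES = ("NoAlarms", "Alarming", "PumpAlarming")  # assumed state names

# Guards are the ones on the Alarm State Machine slide. Source/target states
# are ASSUMED: the transcript lost the arrows. The "Redisplay with new alarms"
# transition is left out because the slide gives no boolean guard for it.
TRANSITIONS = [
    ("NoAlarms", "Alarming", lambda v: v["Alarms"] == 1),
    ("NoAlarms", "PumpAlarming", lambda v: v["PumpAlarm"] == 1),
    ("Alarming", "NoAlarms",
     lambda v: v["Alarms"] == 0 and v["ResetAlarms"] == 1),
    ("PumpAlarming", "NoAlarms",
     lambda v: v["PumpAlarm"] == 0 and v["ResetAlarms"] == 1),
]


def analyze(transitions=TRANSITIONS, states=STATES, inputs=INPUTS):
    """Enumerate every input valuation in every state.

    gaps[s]      -> valuations where no guard of s is enabled (incomplete)
    conflicts[s] -> valuations enabling guards with different targets
                    (inconsistent / nondeterministic)
    """
    gaps = {s: [] for s in states}
    conflicts = {s: [] for s in states}
    for bits in product((0, 1), repeat=len(inputs)):
        v = dict(zip(inputs, bits))
        for s in states:
            targets = {dst for src, dst, g in transitions
                       if src == s and g(v)}
            if not targets:
                gaps[s].append(bits)
            elif len(targets) > 1:
                conflicts[s].append(bits)
    return gaps, conflicts


def questions(gaps, conflicts, inputs=INPUTS):
    """Turn findings into review questions for the requirements authors."""
    fmt = lambda bits: ", ".join(f"{n}=={b}" for n, b in zip(inputs, bits))
    out = [f"Inconsistency: in {s}, which transition wins when {fmt(b)}?"
           for s, found in conflicts.items() for b in found]
    out += [f"Incompleteness: in {s}, what happens when {fmt(b)}?"
            for s, found in gaps.items() for b in found]
    return out


if __name__ == "__main__":
    print("\n".join(questions(*analyze())))
```

A gap is not necessarily a defect, since an EFSM may simply stay in its state when no guard fires, but each one is a case the requirements should answer explicitly.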
Announcements
• 14th IEEE Symposium on Computer-Based Medical Systems (CBMS), NIH, Bethesda, July 26-27. www.cvial.ttu.edu/conferences/cbms2001
• Web page
  – www.cis.upenn.edu/hasten/cara (two parts: public and password)