A Formal Verification Methodology for DDD Mode Pacemaker Control Programs

Sana Shuja,Sudarshan K Srinivasan,Dharmakeerthi Nawarathna,Shaista Jabeen

doi:10.1155/2015/939028

Sana Shuja, Sudarshan K Srinivasan + Show 2 more

Open Access

https://doi.org/10.1155/2015/939028

Copy DOI

Abstract

Pacemakers are safety-critical devices whose faulty behaviors can cause harm or even death. Often these faulty behaviors are caused due to bugs in programs used for digital control of pacemakers. We present a formal verification methodology that can be used to check the correctness of object code programs that implement the safety-critical control functions of DDD mode pacemakers. Our methodology is based on the theory of Well-Founded Equivalence Bisimulation (WEB) refinement, where both formal specifications and implementation are treated as transition systems. We develop a simple and general formal specification for DDD mode pacemakers. We also develop correctness proof obligations that can be applied to validate object code programs used for pacemaker control. Using our methodology, we were able to verify a control program with millions of transitions against the simple specification with only 10 transitions. Our method also found several bugs during the verification process.

Highlights

The heart generates electrical signals to induce heartbeat
We have developed a methodology for checking the functional correctness of DDD mode pacemaker controllers
Our methodology is targeted at the object code of the controller, which directly corresponds to the processor instructions executed by the microcontroller embedded in the device

Summary

Introduction

The heart’s electrical system can become defective due to aging or other causes, leading to a slower heart rate (bradycardia) Such ailments can be treated using pacemakers, which are implantable medical devices that generate the electrical signals required to keep the heartbeat at a healthy rate. With pacemakers being safety-critical, bugs in the control program cannot be tolerated Medical devices such as pacemakers are very prone to software errors due to the complex control algorithms that they use [3]. The sinoatrial (SA) node, a set of specialized tissues located on the right atrium, is responsible for generating periodic electrical pulses. These electrical pulses contract the walls of the atria pushing the blood to the ventricles. The leads sense the atrium for the atrial sense (AS: the electrical pulse that contracts the walls of the atria) and sense the ventricle for ventricle

Objectives

Results

Conclusion