Download Unit Verification: The CARA Experience

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
Transcript 
4
Arnab Ray, Rance Cleaveland: Unit Verification: The CARA Experience
For reasons of patient safety the CARA also checks the
integrity of the blood-pressure data it collects. This “corroboration process” involves checking values delivered by either
the arterial or pulse wave to those obtained via the cuff. If the
blood pressures are within an acceptable range of difference,
they are said to be corroborated, else they are are not corroborated. If an available source does not corroborate with the cuff
pressure, then the care-giver is prompted and presented with
the option of overriding and using the uncorroborated source
for the control algorithm. If the care-giver does not want to
override then the next priority source is sought to be corroborated. If that too cannot be corroborated then the software
proceeds using the cuff pressure as the control pressure.
Once a blood-pressure source has been selected the data
it collects is used as input to the PID control algorithm. This
algorithm checks whether the current blood pressure is below
the target value or not. If it is below then it sets an appropriate
pump-control voltage. If the target blood pressure value has
been attained or exceeded then the control voltage is set to
zero, meaning that the infusion ceases.
The care-giver can reset the target blood-pressure value
by entering new input parameters, after which the PID algorithm restarts. But this entering of new values cannot be
done unless all the components are working properly: any
error prevents the care-giver from entering new input parameters.
Re-corroboration of blood pressure sources takes place
every 30 minutes, except that when a new source becomes
available that has a higher priority than the source currently
being used, corroboration of the new source is attempted immediately. Corroboration is also stalled when an override question is pending. Once corroborated, a source will continue to
be used until the next re-corroboration cycle or until a higherpriority source becomes corroborated. All sources are monitored continually, and appropriate action is taken immediately
in case a source is lost. Thus, while a care-giver may have to
wait up to 30 minutes to detect that a corroborated source
has become uncorroborated, an immediate action (alarm and
state change) occurs if a corroborated source is lost.
When the blood pressure of all sources becomes zero,
alarms are sounded, and after waiting for specified periods
of time the software goes back to manual mode. A care-giver
can also return the system to manual mode by pressing the
appropriate button.
3 Modeling Preliminaries
In this section we describe the basic mathematical machinery used in our modeling and analysis of the CARA system.
Before discussing the theory, however, we note that the following characteristics are important in the selection of an appropriate framework.
Real time. The CARA system includes a number of timing
constraints. To be maximally useful, a modeling notation
should include support for these.
Component interaction. The CARA system includes many
components that interact either directly with one another
or with the environment. To model CARA effectively, a
modeling notation needs to support a flexible notion of
component interaction.
Subsystem analysis. To cope with state explosion our unitverification approach requires being able to isolate subsystems within a larger system. An appropriate modeling notation should therefore make it easy to treat system
modules independently.
3.1 Discrete-Time Labeled Transition Systems
The basic semantic framework used in our modeling is discretetime labeled transition systems. To define these we first introduce the following.
Definition 1. A set is a set of visible actions if is is nonempty and does not contain or .
In what follows visible-action sets will correspond to the atomic
interactions users will employ to build system models. The
distinguished elements and correspond to the internal action and clock-tick (or idling) action. For notational convenience, given a visible-action set we define:
We sometimes call the set an action set and as
a controllable-action set (the reason for the latter being that
in many settings, actions in this set can be “controlled” to a
certain extent by a system environment).
Discrete-time labeled transition systems are defined as
follows.
Definition 2. A discrete-time labeled transition system (DTLTS)
is a tuple "!#$%&'()+* where:
1.
2.
3.
4.
!
is a set of states;
is a visible-action set (cf. Def. 1);
,-&/.0!213 14! is the transition relation, and
( )
5 ! is the start state.
A DTLTS 6!#7&'()+* satisfies the maximal-progress prop
(99
erty if for every ( such that ( ,-&8(9 for some (9 , (;,: &8
for any (99 .
A DTLTS <!#$%&=( ) * encodes the operational behavior of
a real-time system. States may be seen as “configurations” the
system may enter, while actions represent interactions with
the system’s environment that can cause state changes. The
transition relation records which state changes may occur:
if <(>?(9* 5 ,-& then a transition from state ( to (9 may
take place whenever action ? is enabled. Generally speaking,
is always enabled; other actions may require “permission”
from the environment in order to be enabled. Also, transitions
except those labeled by are assumed to be instantaneous.
Related documents
VistA Imaging System Background Processor User Manual
VistA Imaging System Background Processor User Manual
Master`s Thesis
Master`s Thesis
Extensible Hierarchical Tactic Construction in a Logical Framework *
Extensible Hierarchical Tactic Construction in a Logical Framework *
Heat pump compressor crankcase low differential temperature
Heat pump compressor crankcase low differential temperature
ANSI-C Bounded Model Checker User Manual
ANSI-C Bounded Model Checker User Manual
TIG Brush`
TIG Brush`
Temporal Debugging: Automating Time Travel Debugging with URDB
Temporal Debugging: Automating Time Travel Debugging with URDB
CPU Workload Analysis In Real-Time Operating Systems
CPU Workload Analysis In Real-Time Operating Systems
Introduction - University of Toronto Scarborough
Introduction - University of Toronto Scarborough
IMITATOR User Manual - LSV
IMITATOR User Manual - LSV
Genemed
Genemed
Palert P Wave Alarm System User Manual
Palert P Wave Alarm System User Manual
User`s Manual
User`s Manual
test
test
Design of a Hands-on Course in Networked Control Systems
Design of a Hands-on Course in Networked Control Systems
Embedded Multitasking with small - innovated
Embedded Multitasking with small - innovated
STeP The Stanford Temporal Prover Educational Release USER`S
STeP The Stanford Temporal Prover Educational Release USER`S
TECHNICAL MANUAL
TECHNICAL MANUAL
Evans Visual Sky Photometer User Manual
Evans Visual Sky Photometer User Manual
TwoTowers 5.1 User Manual
TwoTowers 5.1 User Manual
RECORD OF ORAL HEARING
RECORD OF ORAL HEARING
m9 DECT m9 DECT Administrator Guide
m9 DECT m9 DECT Administrator Guide