Jiang Jiang,Yongxiang Xia,Sheng Xu,Hui-Liang Shen,Jiajing Wu

DOI: https://doi.org/10.1063/1.5139254

2020-01-01

Abstract:Cyber-physical systems (CPSs) are integrations of information technology and physical systems, which are more and more significant in society. As a typical example of CPSs, smart grids integrate many advanced devices and information technologies to form a safer and more efficient power system. However, interconnection with the cyber network makes the system more complex, so that the robustness assessment of CPSs becomes more difficult. This paper proposes a new CPS model from a complex network perspective. We try to consider the real dynamics of cyber and physical parts and the asymmetric interdependency between them. Simulation results show that coupling with the communication network makes better robustness of power system. But since the influences between the power and communication networks are asymmetric, the system parameters play an important role to determine the robustness of the whole system.

Jiang,Hui-Liang Shen,Yongxiang Xia,Herbert H. C. Iu

DOI: https://doi.org/10.1109/iscas51556.2021.9401252

2021-01-01

Abstract:In the modern society, physical infrastructure and information technology are inseparable. The concept of cyber-physical systems (CPSs) is then proposed and has been widely concerned by researchers in recent years. Various models have been introduced to meet the actual needs. In one type of those models, the physical part and the cyber part are coupled and influence each other. The cyber part monitors and controls the physical part, but at the same time it may also bring certain harm; the fault in one part may also be transmitted to the other and affect the performance of the counterpart. Here, this paper introduces an asymmetric interdependent model and studies how the coupling pattern of CPSs affects the system robustness. In addition, the coupling pattern of CPSs is optimized by using the simulated annealing (SA) algorithm to reduce the performance loss. The results of this paper may find applications in the future CPS planning.

Andrew Y. -Z. Ou,Yu Jiang,Po-Liang Wu,Lui Sha,Richard B. Berlin

DOI: https://doi.org/10.1109/smc.2016.7844922

2016-01-01

Abstract:In a medical environment such as Intensive Care Unit, there are many possible reasons to cause errors, and one important reason is the effect of human intellectual tasks. In this paper, we first provide five categories of generic intellectual tasks of humans, where tasks among each category may lead to potential medical errors. Then, we present an integrated modeling framework to model a medical Cyber-Physical-Human System (CPHSystem) and use UPPAAL as the foundation to integrate and verify the whole medical CPHSystem design models. When designing a medical CPHSystem, developers need to consider whether the system design can mitigate the errors caused by these tasks or not. With a verified and comprehensive model, we can design a more accurate and acceptable system. We use a cardiac arrest resuscitation guidance and navigation system (CAR-GNSystem) as the motivation example for such medical CPHSystem modeling. Experimental results show that the CPHSystem models help determine system design flaws and can mitigate the potential medical errors caused by the human intellectual tasks.

Andrew Y.-Z. Ou,Yu Jiang,Po-Liang Wu,Lui Sha,Richard B. Berlin Jr

DOI: https://doi.org/10.1007/s10916-016-0614-2

IF: 4.92

2016-01-01

Journal of Medical Systems

Abstract:In a medical environment such as Intensive Care Unit, there are many possible reasons to cause errors, and one important reason is the effect of human intellectual tasks. When designing an interactive healthcare system such as medical Cyber-Physical-Human Systems (CPHSystems), it is important to consider whether the system design can mitigate the errors caused by these tasks or not. In this paper, we first introduce five categories of generic intellectual tasks of humans, where tasks among each category may lead to potential medical errors. Then, we present an integrated modeling framework to model a medical CPHSystem and use UPPAAL as the foundation to integrate and verify the whole medical CPHSystem design models. With a verified and comprehensive model capturing the human intellectual tasks effects, we can design a more accurate and acceptable system. We use a cardiac arrest resuscitation guidance and navigation system (CAR-GNSystem) for such medical CPHSystem modeling. Experimental results show that the CPHSystem models help determine system design flaws and can mitigate the potential medical errors caused by the human intellectual tasks.

Lei Bu,Tian Zhang,Xin Chen,Linzhang Wang,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1145/3229783.3229793

2018-01-01

Abstract:By combining communication, computation, and control (3C), Cyber-Physical Systems (CPS)0tightly couple the physical world with the cyber-world, to enable more applications, enhance performance, increase dependability and etc. Among these goals, as CPS are widely used in the safety-critical area, guaranteeing the basic dependability/safety is after all the prerequisite and often the top concern. However, the behavior of CPS is extremely complex. First of all, due to the existence of both discrete control modes transition and continuous real-time behavior in CPS, the behavior of CPS is a complex hybrid state space, which is difficult to understand and handle. Secondly, most CPS applications are working in the open environment and acquiring real-time data from the environment intensively to adjust their own behavior. The dynamic environment makes the behavior space more complex to reason. When a system is too complex to analyze directly, building an abstract model of the system and then conducting analysis on the model to answer questions about the original system is an important and widely-used method. Meanwhile, a reasonable model also plays important roles in the phase of specification, design, development, testing, monitoring and so on. Therefore, it is an important topic of investigating how model-based methods can be applied in the context of CPS to increase the quality and dependability of the system. During the past decade, our research group at Nanjing University has devoted a lot of efforts into this mission. We conducted comprehensive research in a wide spectrum of CPS including model-driven design, verification, control, monitoring, and testing. In this paper, we will make a general review of the progress we made on these directions recently.

Chunhui Guo,Zhicheng Fu,Zhenyu Zhang,Shangping Ren,Lui Sha

DOI: https://doi.org/10.48550/arXiv.1811.08064

2018-11-20

Software Engineering

Abstract:Improving effectiveness and safety of patient care is an ultimate objective for medical cyber-physical systems. A recent study shows that the patients' death rate can be reduced by computerizing medical guidelines. Most existing medical guideline models are validated and/or verified based on the assumption that all necessary medical resources needed for a patient care are always available. However, the reality is that some medical resources, such as special medical equipment or medical specialists, can be temporarily unavailable for an individual patient. In such cases, safety properties validated and/or verified in existing medical guideline models without considering medical resource availability may not hold any more. The paper argues that considering medical resource availability is essential in building verifiably correct executable medical guidelines. We present an approach to explicitly and separately model medical resource availability and automatically integrate resource availability models into an existing statechart-based computerized medical guideline model. This approach requires minimal change in existing medical guideline models to take into consideration of medical resource availability in validating and verifying medical guideline models. A simplified stroke scenario is used as a case study to investigate the effectiveness and validity of our approach.

Yan Zhang,Jin Shi,Tian Zhang,Xiangwei Liu,Zhuzhong Qian

DOI: https://doi.org/10.1016/j.pmcj.2015.07.008

IF: 3.848

2015-01-01

Pervasive and Mobile Computing

Abstract:Cyber–Physical Systems (CPS) are hybrid, safety-critical systems. For finding safety or security hazard in the design phase, modeling for CPS and checking their properties become very important. We focus on the compatibility, i.e., two systems can work together, and behavioral nonexistent consistency, i.e., forbidden behaviors do not occur in a system. Hybrid interface automata (HIA), which extend from interface automata and is not input-enabled, are introduced to model CPS. The compatibility of HIA is checked under an optimistic approach, which means if there is an environment in which two HIA cannot reach an illegal location, namely, at the location one cannot accept the input send by the other, they are compatible. Based on a scenario that specifies forbidden behaviors, behavioral nonexistent consistency is boundedly checked by transforming it to an unconstrained dynamic programming, and solving the programming by a genetic algorithm. The method can directly apply to nonlinear hybrid model. It relaxes a restriction on the form of the system dynamic in traditional algorithms. An experiment and simulation validate our algorithms.

Tao Li,Feng Tan,Qixin Wang,Lei Bu,Jian-nong Cao,Xue Liu

DOI: https://doi.org/10.1109/iccps.2012.10

IF: 5.3

2013-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Hybrid systems model checking is a great success in guaranteeing the safety of computerized control cyber-physical systems (CPS). However, when applying hybrid systems model checking to Medical Device Plug-and-Play(MDPnP) CPS, we encounter two challenges due to the complexity of human body: i) there are no good offline differential equation based models for many human body parameters, ii) the complexity of human body can result in many variables, complicating the system model. In an attempt to address the challenges, we propose to alter the traditional approach of offline hybrid systems model checking of time-unbounded (i.e., long-run) future behavior to online hybrid systems model checking of time-bounded (i.e., short-run) future behavior. According to this proposal, online model checking runs as a real-time task to prevent faults. To meet the real-time requirements, certain design patterns must be followed, which brings up the co-design issue. We propose two sets of system co-design patterns for hard real-time and soft real-time respectively. To evaluate our proposals, a case study on laser tracheotomy MDPnP is carried out. The study shows the necessity of online model checking. Furthermore, test results based on real-world human subject trace show the feasibility and effectiveness of our proposed co-design.

Tao Li,Feng Tan,Qixin Wang,Lei Bu

2014-01-01

Abstract:Hybrid systems model checking is a great success in guaranteeing the safety of computerized control cyber-physical systems (CPS). However, when applying hybrid systems model checking to Medical Device Plug-and-Play (MDPnP) CPS, we encounter two challenges due to the complexity of human body: i) there are no good offline differential equation based models for many human body parameters; ii) the complexity of human body can result in many variables, complicating the system model. In an attempt to address the challenges, we propose to alter the traditional approach of offline hybrid systems model checking of time-unbounded (i.e., infinite-horizon, a.k.a., long-run) future behavior to online hybrid systems model checking of time-bounded (i.e., finite-horizon, a.k.a., short-run) future behavior. According to this proposal, online model checking runs as a real-time task to prevent faults. To meet the real-time requirements, certain design patterns must be followed, which brings up the co-design issue. We propose two sets of system co-design patterns for hard real-time and soft real-time respectively. To evaluate our proposals, a case study on laser tracheotomy MDPnP is carried out. The study shows the necessity of online model checking. Furthermore, test results based on real-world human subject trace show the feasibility and effectiveness of our proposed co-design.

Lei Bu,Qixin Wang,Xin Chen,Linzhang Wang,Tian Zhang,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1145/2000367.2000368

2011-01-01

Abstract:Many Cyber-Physical Systems (CPS) are highly nondeterministic. This often makes it impractical to model and predict the complete system behavior. To address this problem, we propose that instead of offline modeling and verification, many CPS systems should be modeled and verified online, and we shall focus on the system's time-bounded behavior in short-run future , which is more describable and predictable. Meanwhile, as the system model is generated/updated online, the verification has to be fast. It is meaningless to tell an online model is unsafe when it is already out-dated. To demonstrate the feasibility of our proposal, we study two cases of our ongoing projects, one on the modeling and verification of a train control system, and the other on a Medical Device Plug-and-Play (MDPnP) application. Both cases are about safety-critical CPS systems. Through these two cases, we exemplify how to build online models that describe the time-bounded short-run behavior of CPS systems; and we show that fast online modeling and verification is possible.

Georgios Bakirtzis,Garrett L. Ward,Christopher J. Deloglos,Carl R. Elks,Barry M. Horowitz,Cody H. Fleming

DOI: https://doi.org/10.1109/DSN-S50200.2020.00021

2020-05-01

Abstract:Systems modeling practice lacks security analysis tools that can interface with modeling languages to facilitate security by design. Security by design is a necessity in the age of safety critical cyber-physical systems, where security violations can cause hazards. Currently, the overlap between security and safety is narrow. But deploying cyber-physical systems means that today's adversaries can intentionally trigger accidents. By implementing security assessment tools for modeling languages we are better able to address threats earlier in the system's lifecycle and, therefore, assure their safe and secure behavior in their eventual deployment. We posit that cyber-physical systems security modeling is practiced insufficiently because it is still addressed similarly to information technology systems.

Cryptography and Security,Systems and Control

Chunhui Guo,Zhicheng Fu,Zhenyu Zhang,Shangping Ren,Lui Sha

DOI: https://doi.org/10.48550/arXiv.1811.08061

2018-11-20

Software Engineering

Abstract:Improving patient care safety is an ultimate objective for medical cyber-physical systems. A recent study shows that the patients' death rate is significantly reduced by computerizing medical best practice guidelines. Recent data also show that some morbidity and mortality in emergency care are directly caused by delayed or interrupted treatment due to lack of medical resources. However, medical guidelines usually do not provide guidance on medical resource demands and how to manage potential unexpected delays in resource availability. If medical resources are temporarily unavailable, safety properties in existing executable medical guideline models may fail which may cause increased risk to patients under care. The paper presents a separately model and jointly verify (SMJV) architecture to separately model medical resource available times and relationships and jointly verify safety properties of existing medical best practice guideline models with resource models being integrated in. The SMJV architecture allows medical staff to effectively manage medical resource demands and unexpected resource availability delays during emergency care. The separated modeling approach also allows different domain professionals to make independent model modifications, facilitates the management of frequent resource availability changes, and enables resource statechart reuse in multiple medical guideline models. A simplified stroke scenario is used as a case study to investigate the effectiveness and validity of the SMJV architecture. The case study indicates that the SMJV architecture is able to identify unsafe properties caused by unexpected resource delays.

Georgios Bakirtzis,Christina Vasilakopoulou,Cody H. Fleming

DOI: https://doi.org/10.4204/EPTCS.333.9

2021-01-26

Abstract:Assuring the correct behavior of cyber-physical systems requires significant modeling effort, particularly during early stages of the engineering and design process when a system is not yet available for testing or verification of proper behavior. A primary motivation for `getting things right' in these early design stages is that altering the design is significantly less costly and more effective than when hardware and software have already been developed. Engineering cyber-physical systems requires the construction of several different types of models, each representing a different view, which include stakeholder requirements, system behavior, and the system architecture. Furthermore, each of these models can be represented at different levels of abstraction. Formal reasoning has improved the precision and expanded the available types of analysis in assuring correctness of requirements, behaviors, and architectures. However, each is usually modeled in distinct formalisms and corresponding tools. Currently, this disparity means that a system designer must manually check that the different models are in agreement. Manually editing and checking models is error prone, time consuming, and sensitive to any changes in the design of the models themselves. Wiring diagrams and related theory provide a means for formally organizing these different but related modeling views, resulting in a compositional modeling language for cyber-physical systems. Such a categorical language can make concrete the relationship between different model views, thereby managing complexity, allowing hierarchical decomposition of system models, and formally proving consistency between models.

Systems and Control

Maryam Rahmaniheris,Yu Jiang,Lui Sha

DOI: https://doi.org/10.48550/arXiv.1610.06895

2016-10-21

Computers and Society

Abstract:Clinical guidance systems have been widely adopted to help medical staffs to avoid preventable medical errors such as delay in diagnosis, treatment or untended deviations from best practice guidelines. However, because patient condition changes rapidly and medical staffs are usually overloaded in acute care setting, how to ensure the correctness of the system reaction to those rapid changes and managing interaction with physicians remains challenging. In this paper, we propose a domain-specific model-driven design approach to address these challenges for designing clinical guidance systems. Firstly, we translate the relevant medical knowledge described in generic literature and different best practice guidelines into a set of executable and indirectly verifiable finite state machine models. We introduce an organ-centric paradigm to construct clinical models, and also develop a physician model to track physician-system interactions and deviations. Secondly, for verification of the compositional system model, we translate the model into timed automata, based on which, we formalize a set of clinical and system safety requirements as computation tree logic(CTL) formulas and use the UPPAAL model checking tool to formally verify those requirements. In this way, the correctness of the model can be mathematically proved. Finally, we can automatically generate the executable code from the verified model using the corresponding code generation tools for finite state machine. For evaluation, we apply the approach to the design of clinical guidance systems for cardiac arrest. The generated code can be deployed and interact with existing guidance systems.

Chunhui Guo,Shangping Ren,Yu Jiang,Po-Liang Wu,Lui Sha,Richard B. Berlin

DOI: https://doi.org/10.1109/iccps.2016.7479121

2016-01-01

Abstract:Improving effectiveness and safety of patient care is an ultimate objective for medical cyber- physical systems. However, the existing medical best practice guidelines in hospital handbooks are often lengthy and difficult for medical staff to remember and apply clinically. Statechart is a widely used model in designing complex systems and enables rapid prototyping and clinical validation with medical doctors. However, clinical validation is often not adequate for guaranteeing the correctness and safety of medical cyber-physical systems, and formal verification is required. The paper presents an approach that transforms medical best practice guidelines to verifiable statechart models and supports both clinical validation in collaboration with medical doctors and formal verification. In particular, we use an open source statechart tool Yakindu to model best practice guidelines and use the statechart to interact with doctors for validating the model correctness. The statechart model is then automatically transformed to a verifiable formal model, such as timed automata, so that existing formal verification tool, such as UPPAAL, can be used to verify required safety properties. The approach also provides the ability to trace back to the paths in the statechart model (Yakindu model) when a specific property in its associated formal model (UPPAAL model) fails. A cardiac arrest scenario is used as a case study to validate the proposed approach. The tool is available on our website www.cs.iit.edu/~code/software/Y2U.

Chunhui Guo,Zhicheng Fu,Zhenyu Zhang,Shangping Ren,Lui Sha

DOI: https://doi.org/10.48550/arXiv.1811.00694

2018-11-02

Software Engineering

Abstract:Improving patient care safety is an ultimate objective for medical cyber-physical systems. A recent study shows that the patients' death rate can be significantly reduced by computerizing medical best practice guidelines. To facilitate the development of computerized medical best practice guidelines, statecharts are often used as a modeling tool because of their high resemblances to disease and treatment models and their capabilities to provide rapid prototyping and simulation for clinical validations. However, some implementations of statecharts, such as Yakindu statecharts, are priority-based and have synchronous execution semantics which makes it difficult to model certain functionalities that are essential in modeling medical guidelines, such as two-way communications and configurable execution orders. Rather than introducing new statechart elements or changing the statechart implementation's underline semantics, we use existing basic statechart elements to design model patterns for the commonly occurring issues. In particular, we show the design of model patterns for two-way communications and configurable execution orders and formally prove the correctness of these model patterns. We further use a simplified airway laser surgery scenario as a case study to demonstrate how the developed model patterns address the two-way communication and configurable execution order issues and their impact on validation and verification of medical safety properties.

Wenhua Yang,Chang Xu,Minxue Pan,Xiaoxing Ma,Jian Lu

DOI: https://doi.org/10.1145/3093894

IF: 5.3

2018-01-01

ACM Transactions on Internet Technology

Abstract:Cyber-Physical Systems (CPS) intrinsically combine hardware and physical systems with software and network, which are together creating complex and correlated interactions. CPS applications often experience uncertainty in interacting with environment through unreliable sensors. They can be faulty and exhibit runtime errors if developers have not considered environmental interaction uncertainty adequately. Existing work in verifying CPS applications ignores interaction uncertainty and thus may overlook uncertainty-related faults. To improve verification accuracy, in this article we propose a novel approach to verifying CPS applications with explicit modeling of uncertainty arisen in the interaction between them and the environment. Our approach builds an Interactive State Machine network for a CPS application and models interaction uncertainty by error ranges and distributions. Then it encodes both the application and uncertainty models to Satisfiability Modulo Theories (SMT) formula to leverage SMT solvers searching for counterexamples that represent application failures. The precision of uncertainty model can affect the verification results. However, it may be difficult to model interaction uncertainty precisely enough at the beginning, because of the uncontrollable noise of sensors and insufficient data sample size. To further improve the accuracy of the verification results, we propose an approach to identifying and calibrating imprecise uncertainty models. We exploit the inconsistency between the counterexamples’ estimate and actual occurrence probabilities to identify possible imprecision in uncertainty models, and the calibration of imprecise models is to minimize the inconsistency, which is reduced to a Search-Based Software Engineering problem. We experimentally evaluated our verification and calibration approaches with real-world CPS applications, and the experimental results confirmed their effectiveness and efficiency.

Zhangtan Li,Liang Cheng,Yang Zhang,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-030-86130-8_10

2021-01-01

Abstract:The Medical Cyber-Physical System (MCPS) holds the promise of reducing human errors and optimizing healthcare by integrating medical devices, applications and network. MCPS utilizes high-level supervisory and low-level communication middleware to enable medical devices to interoperate efficiently. Despite the benefits provided by MCPS, the integration of clinical information also brings new threats for the clinical data. In this paper, we performed a study on security and safety risks in MCPS's networks. We systematically analyzed different attack surfaces on MCPS's networks based on misuse and abuse of clinical data. We successfully performed end-to-end attacks based on OpenICE, a popular MCPS prototype, and demonstrated the clinical risks of these attacks and the design flaws in OpenICE. We further proposed a Topic-based access control model with Break-The-Glass feature to provide fine-grained access control for clinical data. We implemented the model in two MCPS prototypes, and evaluated its effectiveness and efficiency.

Wenyan Song,Jing Li,Hao Li,Xinguo Ming

DOI: https://doi.org/10.1016/j.asoc.2019.105918

IF: 8.7

2019-01-01

Applied Soft Computing

Abstract:Medical devices play a critical role in care and treatment. The human-related failures can significantly affect the safety of patients in clinical use of medical devices. This study develops a comprehensive risk assessment model for identification and evaluation of failures which may occur in the clinical use of medical devices. First, the “Swiss cheese” model and SHEL model (the acronym of software, hardware, environment, and liveware) are integrated to comprehensively identify the potential human errors. Then, a new failure mode and effects analysis (FMEA) approach improved by rough set theory and grey relational analysis is developed to assess the risk of the identified failures. The proposed method integrates the strengths of the “Swiss cheese” and SHEL model in identifying human failures from both the vertical and horizontal perspectives of the system, and the advantages of the improved FMEA approach in flexibly manipulating vague information in risk evaluation without much priori information. Finally, the proposed method is applied in clinical use of respirator to verify its efficiency and effectiveness.

Zhicheng Fu,Chunhui Guo,Zhenyu Zhang,Shangping Ren,Yu Jiang,Lui Sha

DOI: https://doi.org/10.1109/iceccs.2017.20

2017-01-01

Abstract:As technology advances, medical devices are playing increasingly more important roles in patient care. Unfortunately, based on the U.S. Food and Drug Administration (FDA) data, medical device recalls are at an all time high. One of the major causes of the recalls is due to defective software. In fact, one in every three medical devices that use software for operation has been recalled because of failures in the software itself. Unlike traditional software, software-based medical devices have specific domain fault modes, and these fault modes have been not addressed in software design literature, such as dosage calculation fault. In this paper, we first present a process that collects software-related medical device recalls from the FDA database. Collecting all software-related medical device recalls is an effort that needs the support and contributions from a large research, industrial, and medical community, To facility such effort, we have developed a web-based platform for different users to contribute and share new software-related medical device recalls into the collection. Second, we analyze one hundred software-related recalls that we have collected from the FDA database. Our analysis reveals that there are four major categories of software failures in medical device recalls and implicit assumptions made by medical device manufacturers are among one of the leading causes in medical device recalls. Last, we present an approach for implicit assumption management in medical cyber-physical system designs.