Spatio-Temporal Hybrid Automata for Safe Cyber-Physical … · 2019-12-19 · Spatio-Temporal Hybrid Automata for Safe Cyber-Physical Systems: A Medical Case Study Ayan Banerjee and


Spatio-Temporal Hybrid Automata for Safe Cyber-Physical Systems: A Medical Case Study∗

Ayan Banerjee and Sandeep K.S. Gupta
IMPACT Lab, Arizona State University, Tempe, AZ

{abanerj3,sandeep.gupta}@asu.edu

ABSTRACT
Interactions between the computing units and the physical environment in Cyber-Physical Systems (CPSes) are considered in order to verify safety properties, i.e. to ensure that the unintentional side-effects of cyber-physical interactions stay within desired limits. A Linear 1-space-dimension Spatio-Temporal Hybrid Automata (L1STHA) is defined to capture the effects of the interactions in both time and space. Aggregate effects of interactions due to concurrent operations in the computing entities are expressed as a set of inter-dependent partial differential equations associated with dedicated modes of the L1STHA model. A time- and space-bounded L1STHA reachability analysis algorithm is proposed for safety verification, which provides the reachable states of the L1STHA to an arbitrary accuracy ε. The runtime of the algorithm depends on the requested accuracy. The use of L1STHA modeling and analysis is demonstrated for medical CPSes such as infusion pumps.

Categories and Subject Descriptors
F.1.1 [Computation by Abstract Devices]: Models of Computation—Automata

1. INTRODUCTION
Cyber-Physical Systems (CPSes), where computing units interact with the physical environment either to control the environment or to drive computation, are becoming increasingly prevalent in society, especially in healthcare systems such as infusion pumps [16]. CPSes are by definition safety critical, requiring safety verification before their deployment [26]. As such, the need for formal verification to theoretically prove the safety of CPS operations is well recognized [20]. This paper deals with formal modeling and verification of CPS operations.

An important aspect of CPSes is the seamless and complex interaction among the computing units and the physical environment, referred to as cyber-physical interactions. Such interactions can often be an unwanted or unintentional result of computing operations and may cause hazards to the environment. Examples exist in the medical domain, where heat generated by a pulse oximeter can burn human skin, especially in infants [14], or chemotherapy drugs may kill normal cells in addition to cancer cells [16]. It is therefore imperative that a CPS keeps the detrimental effects of such interactions within desired limits to ensure safe operation.

∗This research was funded in part by NSF grants CNS-0831544, CNS-1231590, and IIS-1116385. Special thanks to OSEL at FDA for providing infusion pump models.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
ICCPS’13, April 8-11, 2013, Philadelphia, PA, USA.
Copyright 2013 ACM 978-1-4503-1996-6/13/04 ... $15.00.

Many CPSes are further distributed in nature, i.e. they comprise a network of medical devices controlled through a wireless channel, for example multi-channel infusion pumps. The distributed nodes often perform concurrent operations, causing the detrimental impact on the environment from multiple nodes to aggregate. For example, concurrent infusions in multi-channel infusion pump control systems have accumulated drug effects on certain parts of the body, depending on the sites of infusion of the two channels [16]. Thus, aggregate interactions require proper characterization to ensure the CPSes’ safety.

A major aspect in modeling such interactions is capturing the continuous dynamics of the environment, which includes the human physiology [4]. These dynamics can be spatio-temporal in nature. For example, the drug concentration in human blood due to the operation of an infusion pump varies continuously with both time and space [16]. Figure 1 shows the drug concentration for a two-channel infusion pump obtained by simulating the diffusion dynamics suggested in [16]. The glucose concentration, depicted by grey solid curves in Figure 1, shows a spatial variation which changes over time. The figure also shows the aggregate effect of the interaction at time t = 500 s as a result of concurrent infusion. Formal models for CPSes should thus capture four salient features: 1) discrete-time behavior of the computing nodes; 2) continuous dynamics of the physical environment; 3) spatio-temporal variation of the continuous physical parameters; and 4) aggregate effects due to concurrent operations of networked computing nodes.

Traditionally, hybrid automata [19, 23] are used for capturing both the discrete and the continuous behavior of a system. However, current tools for modeling hybrid automata, such as PHAVer or SpaceEx [10] and HybridSAL [27], only consider one-dimensional variation of parameters, generally over time, and are hence insufficient for modeling the spatio-temporal variation of physical parameters in CPSes. Safety analysis of hybrid automata generally involves a reachability study of the state trajectories to determine whether designated sets of unsafe states are reached as time progresses. For CPSes, however, the reachability study should evaluate state trajectories in both time and space. To this effect, researchers have considered spatial networks of hybrid automata to capture the spatial propagation of physical parameters across the human body [6, 11, 22, 28].

Spatial networks of hybrid automata discretize the space as a grid and statically allocate hybrid systems at specific points. Thus, they depend on fixed spatial boundaries to set up the network. However,


[Figure 1: four panels (Time = 0 s, 100 s, 500 s, 1000 s) plotting glucose concentration (mg/dl, 0 to 200) against the x-axis coordinate (0 to 50 mm). Legend: basal mode, correction bolus mode, braking mode, temporal execution, spatial execution, temporal discrete transition, spatial discrete transitions, aggregate effects, lines indicating boundaries of invariant sets. Annotations: variation of the glucose concentration over space (at each space point it also varies over time); projection of the glucose concentrations of the individual channels, where the aggregate effect occurs only when both channels have glucose concentration > 20 mg/dl.]

Figure 1: Example execution of the L1STHA model of a multi-channel infusion pump, for 1000 s and over a 50 mm spatial region.

most of the physical dynamics in the human body are Free Boundary Problems [9], where the boundary conditions in space cause the spatial extent of the interactions to expand. For example, the drug concentration due to an infusion at a given time is maximal at the site of infusion and decreases gradually with distance from the site. A point in space which has negligible concentration at time t1 can have a considerably higher concentration at a later time t2. Thus, a space point which was left out of the analysis because it lay outside the boundary is ignored by a spatial network of hybrid automata, even if at a later time it has a considerable concentration. Consequently, such networks also fail to accurately model the aggregate effects due to concurrent operations in networked computing units.

Modeling aggregate effects in CPSes requires new dynamic equations in the formal model. For example, the coefficients of the equation governing the temperature rise in human tissue change when there are multiple heat sources (sensors) [5, 24, 25]. Thus, a single formal specification is necessary for the whole network, in which aggregate effects can be expressed with new dynamic equations. Hilbertean transforms [8] have also been used to specify CPSes formally. However, to the best of our knowledge, no formal verification of safety has been performed using Hilbertean transforms.

Computationally tractable reachability analysis of hybrid automata is to date only possible for affine dynamics in one dimension [19, 23], specifically because closed-form solutions of the differential equations involved exist. For the most commonly occurring form of spatio-temporal dynamics, linear second-order partial differential equations (PDEs) such as Pennes’ bioheat equation [21] or the infusion pump diffusion dynamics [16], no closed-form solution exists even for a single spatial dimension. Hence, traditional methods for reachability analysis with zonotopes [12] do not apply. For temporal dynamics without closed-form solutions, a time-bounded reachability analysis is proposed in [17]. This paper takes a similar approach and proposes a novel bounded-time and bounded-space reachability analysis for spatio-temporal hybrid automata, where the interactions are represented as linear second-order PDEs with one space dimension. Specifically, the paper makes the following contributions:

1. Defines a Linear 1-space dimension Spatio-Temporal Hybrid Automata (L1STHA) capturing the aggregate spatio-temporal dynamics of cyber-physical interactions in CPSes;

2. Develops a bounded time and space reachability analysis of L1STHA models enabling safety verification of CPSes based on their spatio-temporal behavior;

3. Applies the reachability analysis technique to medical CPSes, specifically infusion pumps, for safety analysis.

[Figure 2: block diagram. A Discrete Controller with m modes $l_1, l_2, \ldots, l_m$ (control algorithm configuration) sends control information that changes the physical dynamics of the Physical System, which has n system properties $v_1, v_2, \ldots, v_n$ collected in the vector $V$; the physical processes determine the variation of the system properties over space and time, and the observable system properties are fed back to the controller. In mode $l_i$ the spatio-temporal dynamics are
$$A_i \frac{\partial V}{\partial t} = B_i \frac{\partial^2 V}{\partial x^2} + C_i V + u_i, \qquad i = 1, \ldots, m.$$]

Figure 2: Assumed system model for Cyber-Physical Systems.

In the next section, we discuss some preliminary ideas, an overview of our approach, and the infusion pump example used in this paper.

2. PRELIMINARIES AND APPROACH
Our system model of a CPS consists of a computing unit acting as a controller of the physical environment (Figure 2). The controller takes feedback from the physical environment and decides on the control information, which is transmitted to the actuator. The control algorithm has m modes of operation, (l1, l2, ..., lm), each with a different control policy. The physical system can be represented using n continuous variables or physical parameters, which vary according to a second-order PDE. In this paper, we restrict these PDEs to one space dimension x.

Each continuous variable can assume a value from the real set at a given time and space point. The vector v formed by the values of the continuous variables is called a continuous state. The continuous state space is a subset V of $\mathbb{R}^n$ and consists of all possible continuous states. A state is a tuple (l, v), consisting of a mode l and a continuous state v [13].

In this theory, we assume that the continuous state space is compact. That is, each subset J of the continuous state space has an interior denoted by $J^\circ$, an open set (e.g., 0 < x < 10), and a boundary denoted by $\partial J$, given by boundary conditions (e.g., x = 0, x = 10), so that $J = J^\circ \cup \partial J$ (e.g., 0 ≤ x ≤ 10). The entire continuous state space V is partitioned into a collection of polyhedral subsets $\mathcal{J} = \{J_1, J_2, \ldots\}$ such that: a) $\bigcup_{J_i \in \mathcal{J}} J_i = V$, and b) $J_i^\circ \cap J_j^\circ = \emptyset$ for $i \neq j$. Each polyhedral subset is called a cell and is a non-empty set of real numbers. Further, two cells $J_i$ and $J_j$ are called adjacent if they intersect in an (n−1)-dimensional facet. Two cells are connected if there is a sequence of adjacent cells between them.

The Hausdorff distance $d_H(P,Q)$ between two sets P and Q is the largest distance, computed using the $l_\infty$ norm, from any point of one set to the closest point of the other [15]:
$$d_H(P,Q) = \max\Big\{\sup_{p \in P}\inf_{q \in Q}\|p-q\|_\infty,\ \sup_{q \in Q}\inf_{p \in P}\|p-q\|_\infty\Big\}.$$

The main advantage of using the Hausdorff distance with the $l_\infty$ norm is that the δ-neighborhood of a continuous state v in $\mathbb{R}^n$, denoted by $B_\delta(v)$, is a hypercube of side length 2δ. The set of vertices of a neighborhood $B_\delta(v)$ is denoted by $Vert(B_\delta(v))$. This is illustrated in Figure 4, where the δ-neighborhood of a continuous state P in two dimensions is a square of side length 2δ. This immensely simplifies the computation of the convex hull of a set of continuous states required for reachability analysis [2].

[Figure 3: a set $J_i$ and its complement $J_i^C$; unit outward normal vectors at the continuous states $v_i$ (pointing west) and $v_j$ (pointing east), drawn perpendicular to the tangents at those points.]

Figure 3: Unit outward normal vector from set $J_i$ at continuous states $v_i$ and $v_j$.

A unit outward normal vector n from a continuous state $v_i$ on $\partial J_i$ is a vector of unit length, normal to the tangent to $\partial J_i$ at $v_i$ and pointing towards the complement of $J_i$, $J_i^C$. Note that the notion of outward direction encompasses multiple directions in the coordinate space. As shown in Figure 3, both the west direction at $v_i$ and the east direction at $v_j$ point away from the set $J_i$. The dot product of the temporal or spatial variation of any variable $v_i$ with the unit vector n, denoted by $\frac{\partial v_i}{\partial t} \odot n$ or $\frac{\partial^2 v_i}{\partial x^2} \odot n$, is the amount of variation in the direction from the set $J_i$ to $J_i^C$. This notion is useful for capturing the transitions between L1STHA modes.

The image of any continuous state v over time t and space x, denoted by $D_{t,x}(v)$, is the solution of the linear 1-space-dimensional second-order PDE at time t and space x, with v as the initial condition.

Overview of Approach: The L1STHA expresses the variation of the continuous variables of a CPS according to the control logic specified in its operating modes. In our approach, we first define the L1STHA as discussed in Section 1, and then define its execution logic, which formalizes how the L1STHA operates in space and time. The execution is governed by a linear second-order PDE.

The reachability analysis of an L1STHA is the method of approximating the states that can occur during the execution of the L1STHA in space and time from a given initial state (defined later), or in other words estimating the reach set. This involves computing the image of an initial state using the solution of the PDE (Figure 4). To this effect, we first consider an L1STHA with only a single mode and develop the algorithm to estimate its reach set (Section 5.3).

The reach set of a single-mode L1STHA is computed using the following steps (marked in Figure 4): a) we first find a discretization of time and space that guarantees that the error in computing the image of the PDE is within the desired accuracy ε; b) we then consider a δ-neighborhood $B_\delta(v(0))$ of the continuous state v(0) of the initial state {l0, v(0)}; c) the image of the vertices of the neighborhood, $Vert(B_\delta(v(0)))$, is then computed using the PDE for a given time and space; d) a γ-neighborhood of each point in the image is considered, resulting in a new set of vertices; e) the convex hull [2] of the new set of vertices gives a γ-approximation of the reach set. As shown later in the formulation, γ and δ are related linearly to ε. The same algorithm is applicable for estimating the reach set of a multi-mode L1STHA (Section 6). The only difference is that in the process of computing the images of the vertices, the reachability analysis algorithm keeps track of the transitions made by the L1STHA into different modes. For safety analysis, a subset of continuous states is designated as unsafe. If the computed reach set intersects the unsafe set, the CPS is deemed unsafe.

[Figure 4: (a) approximate trajectory of the initial state $v_0$ inside $Inv_0$, with a transition where it crosses into $Inv_0^C$, the complement of $Inv_0$; (b) δ-neighborhood of $v_0$ with vertices vert1 to vert4; (c) image $D_{t,x}(\text{vert1})$ of a vertex; (d) γ-neighborhood of the image points and their convex hull, giving the reach set. Inset: for P = (0, 0), the points $Q_1 = (-\delta,-\delta)$, $Q_2 = (\delta,-\delta)$, $Q_3 = (\delta,\delta)$, $Q_4 = (-\delta,\delta)$, $Q_5 = (f\delta, g\delta)$ and $Q_6 = (-\delta, -g\delta)$ with 0 < f, g < 1 all lie in $B_\delta(P)$; $d_H(P,Q_5) = \max(f\delta, g\delta) < \delta$ and $d_H(P,Q_6) = \max(\delta, g\delta) = \delta$, where $d_H$ is the Hausdorff distance.]

Figure 4: Overview of reach set computation methodology.

Safety in CPSes: Safety of CPSes in the medical domain is defined as the avoidance of unwanted hazards to the human body due to cyber-physical interactions. Such a definition is generic and is applicable to CPSes in general. Hazards can be of several types, as listed in the IEC 60601 standard for medical electrical equipment. In this paper, we consider physiological hazards due to drug overdose by infusion pumps.

Example 1. Drug infusion: Infusion pumps operate in a closed loop with a networked controller to keep the drug concentration in the human blood within recommended limits. The infusion pump has three modes: a) basal, where the infusion rate is $I_0$; b) braking, where the infusion rate is a fraction f of $I_0$; and c) correction bolus, where the infusion rate is incremented by $I_b$. The diffusion dynamics of the drug are spatio-temporal in nature and can be modeled using the multi-dimensional PDE of Equation 1 [16]:
$$\frac{\partial d}{\partial t} = \nabla \cdot (D \nabla d) + \Gamma\,(d_B(t) - d) - \lambda d, \qquad (1)$$
where d(x, t) is the tissue drug concentration at time t and distance x from the infusion site, D is the diffusion coefficient of the blood, Γ is the blood-to-tissue drug transfer coefficient, $d_B(t)$ is the prescribed infusion rate at time t, and λ is the drug decay coefficient. A control algorithm in the infusion pump samples Equation 1 and adjusts the infusion levels so as to achieve the desired physiological effects while avoiding hazards such as hyperglycemia.

3. LINEAR 1-D SPACE SPATIO-TEMPORAL HYBRID AUTOMATA

The L1STHA expresses the variation of physical parameters according to a discrete control algorithm of the computing units in the CPS. An L1STHA is defined as follows:

Definition 1. L1STHA: It is a tuple {n, m, L, Inv, A, B, C, u, Re}, where

• n is the number of continuous variables in the variable set V,

• L is a set of m modes {l1, l2, ..., lm},

• $Inv : L \to 2^{\mathcal{J}}$ is the invariant set, which maps each mode to a set of cells such that:

[Figure 5: the continuous state space of the variables $v_1, v_2$ partitioned into $Inv_1$ and $Inv_2$. The automaton is in mode $l_1$ if $(v_1, v_2) \in Inv_1$ and in mode $l_2$ if $(v_1, v_2) \in Inv_2$; entering $l_1$ applies the reset $Re(v_1) = e_1$, $Re(v_2) = 0$, and entering $l_2$ applies $Re(v_1) = 0$, $Re(v_2) = e_2$. In each mode the trajectory $\eta$ follows the PDE
$$\begin{pmatrix} A_{11} & A_{12} \\ A_{21} & A_{22} \end{pmatrix} \frac{\partial}{\partial t}\begin{pmatrix} v_1 \\ v_2 \end{pmatrix} = \begin{pmatrix} B_{11} & B_{12} \\ B_{21} & B_{22} \end{pmatrix} \frac{\partial^2}{\partial x^2}\begin{pmatrix} v_1 \\ v_2 \end{pmatrix} + \begin{pmatrix} C_{11} & C_{12} \\ C_{21} & C_{22} \end{pmatrix}\begin{pmatrix} v_1 \\ v_2 \end{pmatrix} + \begin{pmatrix} u_1 \\ u_2 \end{pmatrix}$$
with different A, B, C and u in $l_1$ and $l_2$.]

Figure 5: Conceptual illustration of an L1STHA with two modes $l_1$ and $l_2$ and two continuous variables $v_1$ and $v_2$.

– for each l ∈ L the cells in Inv(l) are all connected,

– for any two different modes $l_i, l_j \in L$, $Inv^\circ(l_i) \cap Inv^\circ(l_j) = \emptyset$,

– $\bigcup_{i \in \{1 \ldots m\}} Inv(l_i) = V$,

• A : L→ Rn×n, maps a mode to an n × n real valued matrix,

• B : L→ Rn×n, maps a mode to an n × n real valued matrix,

• C : L→ Rn×n, maps a mode to an n × n real valued matrix,

• u : L→ Rn, maps a mode to an n × 1 real valued vector,

• Re : L × V → $\mathbb{R}^n$ is a reset function that sets the initial conditions of the variables in V at each mode $l_i \in L$.

Associated with the definition of the L1STHA is the definition of its trajectory, which relates the variables A, B, C, and u.

Definition 2. Trajectory: The trajectory of an L1STHA with n continuous variables for time t ∈ [0, T] and within a region $S \subset \mathbb{R}$ at a mode $l_i \in L$ is defined as the 1-D space spatio-temporal mapping $\eta : [0,T] \times S \to \mathbb{R}^n$ such that:

• η(t, x) for t ∈ [0, T] and x ∈ S follows the PDE
$$A(l_i)\,\frac{\partial \eta(t,x)}{\partial t} = B(l_i)\,\frac{\partial^2 \eta(t,x)}{\partial x^2} + C(l_i)\,\eta(t,x) + u(l_i), \qquad (2)$$
where $A(l_i)$, $B(l_i)$, $C(l_i)$, and $u(l_i)$ are the values for mode $l_i$;

• and $\eta(t,x) \in Inv(l_i)$ for all t ∈ [0, T] and x ∈ S.

The duration of the trajectory at a given spatial coordinate x is denoted by η|x.dur, and its spatial range at a given time t is denoted by η|t.range. A trajectory ends if at any space or time point the continuous variables cross the invariant set boundaries. Figure 5 shows a conceptual view of an L1STHA. It has two modes l1 and l2. Each mode is associated with an invariant set, a subset of the real space $\mathbb{R}^2$. The invariants are used to determine transitions between modes (discussed later). Each mode has a reset function (assigning constant values (e1, e2)), which reflects the effect of the control operation on the continuous variables “whenever” or “wherever” the L1STHA first enters the mode. In each mode the trajectory follows a linear 1-space-dimensional PDE with different values of A, B, C, and u. The L1STHA is applied to Example 1 as follows:

Example 2. Infusion Pump: The L1STHA model for the infusion pump is shown in Figure 6. The model has three modes in the set L: a) the correction bolus mode, b) the braking mode, and c) the basal infusion mode. The L1STHA is initially in the basal infusion mode l0. The continuous variable of the L1STHA model of the infusion pump is the glucose concentration in the blood, which varies over space and time. The L1STHA is in: a) the basal infusion mode if the blood glucose concentration is between 20 mg/dl and 120 mg/dl, with infusion rate I0; b) the correction bolus mode l1 if the blood glucose concentration is greater than 120 mg/dl, with infusion rate (Ib + I0); and c) the braking mode l2 if the blood glucose concentration is below 20 mg/dl, with infusion rate I0/f. Thus, the Inv set consists of the mappings Inv(l0) = [20/k, 120/k], Inv(l1) = [120/k, ∞), and Inv(l2) = [0, 20/k]. Here k is a constant factor that converts blood glucose concentration to insulin concentration; such a linear relationship is suggested by the Bergman Minimal Model [1]. It can be seen that the invariant mapping Inv satisfies the conditions in Definition 1. In each mode, the reset function Re represents the decision of the control algorithm to increase or decrease the infusion rate whenever the L1STHA enters the mode. The A, B, C, and u values can be derived from the diffusion Equation 1 and the trajectory Definition 2 as A = 1, B = D, C = −Γ − λ, and $u = \Gamma d_B(t)$.

[Figure 6: the three modes Braking, Basal and Correction Bolus of the single-channel infusion pump L1STHA, with V = {d1}, L = {Braking, Basal, Correction Bolus}, $I_{b1}$ the infusion increment for drug 1 and $I_{01}$ the basal infusion rate of drug 1. In every mode A = 1, B = D, C = −Γ − λ and $u = \Gamma d_{B1}$; the reset sets the infusion rate $d_{B1}$ to the braking rate (a fraction of $I_{01}$ determined by f) in Braking (Inv = [0, 20/k]), to $I_{01}$ in Basal (Inv = [20/k, 120/k]) and to $I_{01} + I_{b1}$ in Correction Bolus (Inv drawn as [120/k, 180/k]). Transitions are taken on $d_1 < 20/k$, $d_1 > 20/k$, $d_1 < 120/k$ and $d_1 > 120/k$.]

Figure 6: The L1STHA model of a single channel infusion pump.
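The reach-set procedure of the Overview of Approach (steps a to e, with the mode tracking used for a multi-mode L1STHA) applied to the single-channel pump of this example, as an added worked example rather than code from the paper. It specialises to one continuous variable, so $Vert(B_\delta(v(0)))$ is the pair v(0) ± δ and the convex hull of the γ-padded images is an interval; the PDE is stepped with an explicit finite-difference scheme on a grid chosen from ε, whose stability condition Δt ≤ Δx²/(2D) is an assumption of this example and not a bound from the paper. Mode transitions are taken per space point from the invariants [0, 20/k], [20/k, 120/k] and [120/k, ∞), with the reset changing the infusion rate $d_B$ (braking rate taken as I0/f, as in the text). All numeric constants, the zero-flux boundary condition, the choice δ = γ = ε/2 and every function name below are illustrative assumptions.

```python
"""Bounded-time, bounded-space reach set for the single-channel infusion pump
L1STHA (Example 2).  Added example, not code from the paper.  The mode PDE is
    A d_t = B d_xx + C d + u   with   A = 1, B = D, C = -(Gamma + lambda), u = Gamma * d_B,
and the mode fixes the infusion rate d_B.  Constants, the explicit Euler scheme,
the zero-flux boundaries and delta = gamma = eps/2 are assumptions."""
import math
import numpy as np

# Assumed illustrative constants (not taken from the paper)
D, GAMMA, LAM = 0.5, 0.02, 0.01          # diffusion (mm^2/s), transfer and decay (1/s)
K = 1.0                                  # glucose -> insulin conversion factor k
I0, IB, F = 50.0, 30.0, 2.0              # basal rate, bolus increment, braking divisor f

# mode -> (invariant interval Inv(l) on d, infusion rate d_B set by the reset Re)
MODES = {
    "braking": ((0.0, 20.0 / K), I0 / F),
    "basal":   ((20.0 / K, 120.0 / K), I0),
    "bolus":   ((120.0 / K, math.inf), I0 + IB),
}


def mode_of(d):
    """Discrete transition rule: the mode whose invariant contains d.
    Invariants share only their boundaries (Definition 1), so the first match is used."""
    for name, ((lo, hi), _) in MODES.items():
        if lo <= d <= hi:
            return name
    raise ValueError(f"{d} lies outside the continuous state space")


def grid(eps, S, T):
    """Step (a): choose dx, dt from the requested accuracy eps.  The explicit
    scheme below has local error O(dt + dx^2) and is stable for dt <= dx^2/(2D);
    this particular rule is an assumption of the example, not the paper's bound."""
    dx = math.sqrt(eps)
    dt = min(eps, 0.4 * dx * dx / D)
    return dx, dt, int(S / dx) + 1, int(T / dt) + 1


def step(d, rate, dt, dx):
    """One explicit Euler step of  d_t = D d_xx - (Gamma+lambda) d + Gamma*rate
    on a 1-D grid with zero-flux (reflecting) ends."""
    lap = np.empty_like(d)
    lap[1:-1] = d[2:] - 2.0 * d[1:-1] + d[:-2]
    lap[0] = 2.0 * (d[1] - d[0])
    lap[-1] = 2.0 * (d[-2] - d[-1])
    return d + dt * (D * lap / (dx * dx) - (GAMMA + LAM) * d + GAMMA * rate)


def image(d0, eps, S, T):
    """D_{t,x}(v): propagate the initial configuration d0(x) over [0,T] x [0,S].
    The infusion rate is re-evaluated at every space point from the current mode,
    which is how the analysis keeps track of the (spatial) discrete transitions.
    Returns the trajectory array (time x space) and the set of modes visited."""
    dx, dt, nx, nt = grid(eps, S, T)
    d = np.interp(np.linspace(0.0, S, nx), np.linspace(0.0, S, len(d0)), d0)
    traj, visited = [d.copy()], set()
    for _ in range(nt - 1):
        modes = [mode_of(v) for v in d]
        visited.update(modes)
        rate = np.array([MODES[m][1] for m in modes])
        d = step(d, rate, dt, dx)
        traj.append(d.copy())
    return np.array(traj), visited


def reach_set(d0, eps, S, T):
    """Steps (b)-(e): delta-neighbourhood of the initial configuration, images of
    its vertices, gamma-padding, convex hull.  With one continuous variable the
    vertices are d0 +/- delta and the hull over all (t, x) is an interval.
    Returns (lower, upper, modes_reached)."""
    delta = gamma = eps / 2.0                  # assumed linear relation to eps
    d0 = np.asarray(d0, dtype=float)
    lo, hi, visited = math.inf, -math.inf, set()
    for vertex in (d0 - delta, d0 + delta):    # Vert(B_delta(v(0)))
        traj, modes = image(np.clip(vertex, 0.0, None), eps, S, T)
        lo = min(lo, traj.min() - gamma)
        hi = max(hi, traj.max() + gamma)
        visited |= modes
    return lo, hi, visited


def is_safe(reach, unsafe_above):
    """Safety check: the CPS is unsafe iff the reach set meets the unsafe set
    {d : d > unsafe_above}, i.e. iff its upper bound exceeds the threshold."""
    return reach[1] <= unsafe_above


if __name__ == "__main__":
    # Constructed initial configuration over 50 mm: high near the infusion site (x = 0)
    profile = [150.0, 100.0, 60.0, 30.0, 10.0, 10.0, 10.0, 10.0, 10.0, 10.0, 10.0]
    lo, hi, modes = reach_set(profile, eps=1.0, S=50.0, T=200.0)
    print(f"reach set [{lo:.2f}, {hi:.2f}] mg/dl, modes {sorted(modes)}, "
          f"safe below 180: {is_safe((lo, hi, modes), 180.0)}")
```

Because the mode PDE is linear, the image of the δ-box is the convex hull of the images of its vertices, so for n = 1 the min/max over the two propagated vertices is exact up to the discretisation error, and the γ padding absorbs that error. For n > 1 the same code would enumerate the 2ⁿ vertices and the interval hull would become an axis-aligned over-approximation of the convex hull, which is still sound for an unsafe set of the form {d_i > threshold}.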

With this definition of the L1STHA we can also characterize aggregate effects, as shown in the following example.

Example 3. Multi-channel Infusion with aggregate effects: Infusion pumps used in chemotherapy [16] often have multiple channels of infusion, leading to aggregate effects of drugs. If we consider a region of the body at a fairly large distance from the site of infusion of a drug, the concentration decreases to negligible amounts (below a low threshold) at a given time according to Equation 1. However, over time the concentration in that region may increase to such an extent that it cannot be ignored. In the case of a two-channel infusion, this can happen for both drugs in a given region. In that case the effective drug concentration is a non-trivial combination of the dynamics of the individual drugs. Specifically, the drug concentration still follows Equation 1, but with modified parameters and conditions. To capture these aggregate effects, we first consider L1STHA models similar to Example 2 for the individual drugs, with concentrations d1 and d2. The L1STHA of the multi-channel pump has a mode set which is the Cartesian product of the mode sets of the individual L1STHA models. If we consider that the low threshold is 20/k mg/dl, then aggregate effects can only occur when $(d_1, d_2) \in [20/k, \infty) \times [20/k, \infty)$, i.e., when both individual L1STHA models are in either the basal or the correction bolus mode. Hence, of the nine possible modes arising from the Cartesian product, only four are aggregate effect modes (Figure 7). The aggregate effect is modeled by introducing a new variable d3 in all the modes. In modes without aggregate effects d3 = 0, while in modes with aggregate effects d3 follows a new PDE with new parameters D3, Γ3, λ3, and dB3 as suggested by [16]. The transition to an aggregate effect mode can only occur if both d1 > 20/k and d2 > 20/k. The equation expressing the aggregate effect has to be specified to the L1STHA; its execution will determine when and where the aggregate effect occurs and with what intensity. Note that this condition is spatio-temporal in nature and, unlike spatial networks of hybrid automata, imposes no restriction on the space or time at which aggregate effects can occur.

[Figure 7: multi-channel infusion pump formal model with V = {d1, d2, d3} and mode set L = {Braking1, Basal1, Correction Bolus1} × {Braking2, Basal2, Correction Bolus2}: nine states, of which four are aggregate effect states, $L_{aggr}$ = {Correction Bolus 1 + Correction Bolus 2, Correction Bolus 1 + Basal 2, Basal 1 + Correction Bolus 2, Basal 1 + Basal 2}. Two modes are drawn in detail. In the normal mode “Correction Bolus 1 + Braking 2” the resets set $d_{B1} = I_{01} + I_{b1}$ and the braking rate for channel 2, with Re(d3) = 0 and Inv = {d1 ∈ [120/k, 180/k], d2 ∈ [0, 20/k]}. In the aggregate mode “Correction Bolus 1 + Correction Bolus 2” the resets set $d_{B1} = I_{01} + I_{b1}$, $d_{B2} = I_{02} + I_{b2}$ and Re(d3) = max(d1(t, x), d2(t, x)), with Inv = {d1 ∈ [120/k, 180/k], d2 ∈ [120/k, 180/k]}. A, B, C and u are drawn as 3 × 3 diagonal matrices and a 3-vector whose d3 entries are zero in normal modes and carry D3, the d3 coefficient and $d_{B3}$ in aggregate modes.]

Figure 7: The normal and aggregate effect modes in the L1STHA model of multi-channel infusion pumps.

The analysis of L1STHA models requires solving the differential equations, which depend on initial and boundary conditions and govern mode transitions.
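The product construction of Example 3 and Figure 7, as an added Python example (this is not code from the paper): it enumerates the Cartesian product of the per-channel mode sets, marks the product modes in which every channel is in a mode whose concentration can exceed the low threshold 20/k (basal or correction bolus on every channel), and evaluates the guard d1 > 20/k and d2 > 20/k for entering an aggregate mode. The per-channel mode names follow Figure 7; the value k = 1 in the usage call and the sample concentrations are constructed for illustration. The code generalizes from two channels to any number of channels.

```python
from itertools import product

# Modes of a single-channel infusion L1STHA (Example 2 / Figure 7).
SINGLE_CHANNEL_MODES = ("Braking", "Basal", "Correction Bolus")

# Modes in which a channel's own drug concentration stays above the low
# threshold 20/k, so that its drug can contribute to an aggregate effect.
ABOVE_THRESHOLD = frozenset({"Basal", "Correction Bolus"})

LOW_THRESHOLD_NUMERATOR = 20.0  # the paper's low threshold is 20/k mg/dl


def product_modes(n_channels):
    """Mode set of the multi-channel L1STHA: the Cartesian product of the
    per-channel mode sets (3**n_channels modes)."""
    return list(product(SINGLE_CHANNEL_MODES, repeat=n_channels))


def is_aggregate_mode(mode):
    """A product mode is an aggregate-effect mode only when every channel is
    in a mode whose concentration can exceed the low threshold."""
    return all(m in ABOVE_THRESHOLD for m in mode)


def aggregate_modes(n_channels):
    """The aggregate-effect subset of the product mode set (4 of 9 for two channels)."""
    return [m for m in product_modes(n_channels) if is_aggregate_mode(m)]


def aggregate_guard(concentrations, k):
    """Guard of the transition into an aggregate mode: every channel's
    concentration d_i must exceed 20/k (strict inequality, as in the paper)."""
    threshold = LOW_THRESHOLD_NUMERATOR / k
    return all(d > threshold for d in concentrations)


def aggregate_variable_active(mode, concentrations, k):
    """Whether d3 follows its own PDE (True) or is held at 0 (False): the
    current mode must be an aggregate mode and the guard must hold."""
    return is_aggregate_mode(mode) and aggregate_guard(concentrations, k)


def mode_label(mode):
    """Label in the style of Figure 7, e.g. 'Basal 1 + Basal 2'."""
    return " + ".join(f"{m} {i + 1}" for i, m in enumerate(mode))


if __name__ == "__main__":
    # Constructed usage: two channels, k = 1 (k is an assumed scaling constant).
    for m in product_modes(2):
        print(f"{mode_label(m):45s} aggregate={is_aggregate_mode(m)}")
    print(len(aggregate_modes(2)), "of", len(product_modes(2)), "modes are aggregate modes")
    print("d3 active:", aggregate_variable_active(("Basal", "Basal"), (25.0, 30.0), k=1.0))
```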

4. L1STHA EXECUTION MODEL

The definition of L1STHA is not complete and useful unless we define its execution and discrete transitions. Figure 1 shows a simulation of the multi-channel infusion pump L1STHA following the execution model to be discussed in this section. The figure shows three modes of operation of the infusion pump: basal, correction and braking. The plots show the trajectory, the solution of Equation 1, with respect to space at given times (0s, 100s, 500s, and 1000s). It is to be noted that we define the L1STHA execution model with a time bound T and a space bound S.

Definition 3. Initial State: The initial state of a L1STHA at a given spatial coordinate x ∈ S is {l0, v0} such that the continuous state v0,x ∈ Inv0 and η(0, x) = v0,x.

As shown in the graph with time = 0s in Figure 1, the initial state at the space point x = 15mm is the value of the glucose concentration, which is 10 mg/dl.

Definition 4. Initial Configuration: The initial configuration of a L1STHA is the function η(0, .) : x → R^n, x ∈ S.

The initial configuration is the spatial variation of the glucose concentration at time t = 0s as shown by the thick gray line in Fig. 1.

Definition 5. Mode Boundary: The mode boundary for any mode l ∈ L at a time t is the boundary of a spatial region sl such that η(t, x) ∈ Invl, ∀x ∈ sl.

As time progresses the L1STHA is in different modes at different spatial regions. If we consider the time t = 500s, then the spatial regions from 0mm to 9mm and 42mm to 50mm are in braking mode, while 9mm to 42mm is in basal infusion mode. Hence, each mode has a spatial boundary at a given time, called the mode boundary, while sl for a mode l is the spatial region in which the L1STHA is in mode l. Note that the mode boundary shifts as time progresses.

Definition 6. Boundary State: The boundary state of a mode l0 at a given time t ∈ [0,T] is a continuous state vt,x0 ∈ Inv0 such that η(t, x0) = vt,x0, where x0 is in the mode boundary of l0.

The value of the glucose concentration at the mode boundary at a given time is the boundary state at that time. For t = 500s the boundary state of the aggregate basal mode is with glucose concentration 78.4 mg/dl.

Definition 7. Temporal Execution: A temporal execution $\alpha_t$ of a L1STHA at a given spatial coordinate x ∈ S from an initial state $(l_0, v_{0,x}) \in L \times \mathbb{R}^n$ is a concatenation of trajectories at x, $\alpha_t = \eta_0|_x\,\eta_1|_x \ldots$ where:

• $\eta_0(0, x) = v_{0,x}$,

• $\eta_k(0, x) = Re\big(\eta_{k-1}(\eta_{k-1}|_x.dur,\ x)\big)$, and

• $\alpha_t.dur = \sum_i \eta_i|_x.dur$,

where $\eta_k$ is the trajectory defined at a mode $l_k \in L$, Re(.) is the reset function (Definition 1), and $\alpha_t.dur$ represents the duration of the temporal trajectory. $\eta_k|_x$ is the trajectory at a given space point x for a mode $l_k$.

A temporal execution is the variation of a continuous variable at a given space coordinate over time, as shown by the chain-dot lines in Figure 1. During the execution there can be transitions to different modes with changes in the dynamic equations. The first condition in the definition states that the execution starts from an initial state; the second condition shows the concatenation, where $\eta_{k-1}|_x.dur$ denotes the time at which the trajectory crossed the boundary of the invariant set for mode $l_{k-1}$ at space x.

Definition 8. Spatial Execution: A spatial execution $\alpha_s$ of a L1STHA at a given time t ∈ [0,T] from a boundary state $(l_0, v_{t,x_0}) \subset L \times \mathbb{R}^n$ is a concatenation of trajectories at time t, $\alpha_s = \eta_0|_t\,\eta_1|_t \ldots$ where:

• $\eta_0(t, x_0) = v_{t,x_0}$,

• $\eta_k(t, x_0) = Re\big(\eta_{k-1}(t,\ \eta_{k-1}|_t.range)\big)$, and

• $\alpha_s.range = \bigcup_i \eta_i|_t.range$,

where $\eta_k$ is the trajectory defined at a mode $l_k \in L$, and $\alpha_s.range$ represents the range of the spatial execution. $\eta_k|_t$ is the trajectory at a given time t for a mode $l_k$.

A spatial execution is the variation of the continuous variables over space at a given time, as shown by the thick gray lines in the four different graphs. At different times the spatial execution changes (Figure 1).

Definition 9. Temporal Discrete Transition: A temporal discrete transition at a given space point x from mode $l_i$ to $l_j$ occurs at a continuous state $v_{t',x}$ at a time t′, whenever $v_{t',x} \in \overline{\mathrm{Inv}}_i \cap \overline{\mathrm{Inv}}_j$, where $v_{t',x} = \lim_{t \to t'} v_{t,x}$ and $v_{t,x} \in \overline{\mathrm{Inv}}_i$ for $t \in [t' - \tau, t']$, $\tau > 0$.

A temporal transition at a given space coordinate x occurs at a time t′ if, as the time approaches t′, the continuous state approaches the boundary of the invariant set of a mode $l_i$. The L1STHA transits to the mode $l_j$ if the invariant sets are connected and the continuous state approaches the intersection of the boundaries of the invariant sets of $l_i$ and $l_j$. An example is shown in Figure 1, where the glucose concentration crosses invariant set boundaries from basal to correction bolus mode as time progresses (chain and dot line).


Definition 10. Spatial Discrete Transition: A spatial discrete transition at a given time t from the mode $l_i$ to $l_j$ occurs at a continuous state $v_{t,x'}$ at a spatial coordinate x′, wherever $v_{t,x'} \in \overline{\mathrm{Inv}}_i \cap \overline{\mathrm{Inv}}_j$, where $v_{t,x'} = \lim_{x \to x'} v_{t,x}$ and $v_{t,x} \in \overline{\mathrm{Inv}}_i$ for $x \in [x' - s, x']$ for some s > 0.

A spatial transition at a given time occurs similarly to a temporal transition, when the spatial execution crosses invariant set boundaries, as shown in the leftmost graphs in Figure 1.

It is to be noted that in this theory we consider every transition to be deterministic and transversal. A deterministic transition means that at any time or space point the L1STHA from a given mode can only transit to a unique mode. This also guarantees that at a fixed time and space point the L1STHA is in a unique mode. Further, a transversal transition is assumed. This means that if there is a transition from Inv0 to Inv1 at state $v_{t,x}$, then the dot product of the time or space differential of the continuous variables with the outward normal unit vector on $\overline{\mathrm{Inv}}_0$ at $v_{t,x}$ is greater than zero [7]. A mathematically rigorous definition is given in Appendix [3]. This assumption prevents Zeno behavior [18], where in a very small amount of time there are infinitely many transitions. A L1STHA where every transition is deterministic and transversal is called a Deterministic Transversal L1STHA (DTL1STHA).

4.1 Defining the ε reach set of a DTL1STHA

The reach set of a DTL1STHA from a given initial configuration V0 is the set of continuous states reached by a spatial or temporal execution originating from the continuous state of any initial state in the configuration V0 at some time t and some spatial coordinate x. If we bound the time and space of the analysis to T and S, then the space- and time-bounded reach set is denoted by $R^T_S(V_0)$. The reachability analysis of DTL1STHA involves determining the ε approximation of this reach set, which is defined as follows.

Definition 11. ε reach set of DTL1STHA: Given an ε > 0, a set of continuous states M of a DTL1STHA starting from an initial configuration $V_0 \subset \mathbb{R}^n$ over a time duration of T and within a spatial region S is called an ε reach set if:

• $R^T_S(V_0) \subseteq M$, and $d_H(R^T_S(V_0), M) \le \varepsilon$.

Thus, in simpler terms, for any continuous state v in $R^T_S(V_0)$ there exists a point in M such that it is greater than v by at most ε. As we will discuss, the reachability analysis algorithm computes an over-approximation of the ε reach set for a given δ > 0 neighborhood of the initial configuration V0. To this effect, it is required to solve the PDE as discussed in the next section.

4.2 Solving the PDE

For ease of representation let us consider that there is only one continuous variable, i.e., n = 1. In that case, the matrices A, B, and C and the vector u reduce to scalars a, b, c, and u. In order to compute the reachable states of the DTL1STHA, we need the capability to solve PDE 2. The initial condition for solving this PDE is given by η(0, x) = Ib ∀x ∈ S, where Ib is a constant. It is to be noted that we will solve this PDE as a free boundary problem. This assumption comes from the observations in various medical device examples. In Example 2, as time progresses the effect of insulin spreads further away from the site of infusion. At any given position the insulin concentration increases with time. Thus, there exists no space point where the insulin concentration stays steady. Hence, we consider this problem as a free boundary problem, where the boundary at which the minimum insulin concentration is observed moves away from the site of infusion with some velocity. However, at the site of the infusion the flow rate of drug is constant. This condition is given by $-b\,\frac{\partial \eta(t,x)}{\partial x} = I_0$, where I0 is a constant.

Given these initial and boundary conditions we solve the free boundary PDE. We first take a Laplace transform of the PDE in the time domain. This results in an ordinary second-order differential equation, which can be solved using standard methods. The inverse Laplace transform is then applied to the solved equation to obtain the final solution of the PDE. The inverse Laplace transform does not have a closed form solution. At best we can represent it using error functions as shown in Equation 3.

$$
\eta(t, x) = I_b + \frac{I_0}{\sqrt{4bc}}\left[ e^{-\sqrt{\frac{c}{b}}\,x}\,\mathrm{erfc}\!\left(\frac{x}{\sqrt{4\frac{b}{a}t}} - \sqrt{\frac{c}{a}t}\right) - e^{\sqrt{\frac{c}{b}}\,x}\,\mathrm{erfc}\!\left(\frac{x}{\sqrt{4\frac{b}{a}t}} + \sqrt{\frac{c}{a}t}\right) \right] \quad (3)
$$

An elaborate solution with matrices is provided in Appendix [3]. In this theory, we compute the value of η(t, x) from Equation 3 using error function tables. With this assumption let us determine the ε reach set for a single mode DTL1STHA.
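Equation 3 evaluated numerically, as an added Python example that is not code from the paper. The parameters a = b = c = 1, I_b = 0, I_0 = 1 are constructed so that the solution reduces to η(t, 0) = erf(√t) at the infusion site and to I_b + (I_0/√(bc)) e^{-√(c/b) x} as t → ∞; the assumed sign convention is that c is a positive decay coefficient and u = 0. The checks verify the flux boundary condition −b ∂η/∂x = I_0 at x = 0 by a finite difference, compare a late-time value with the steady state, and locate the moving front where the concentration first drops below a low threshold, which is the free boundary discussed above.

```python
import math


def eta(t, x, a=1.0, b=1.0, c=1.0, i_b=0.0, i_0=1.0):
    """Closed-form solution of the single-variable PDE (Equation 3):
    diffusion b, decay c, time scaling a, background level i_b and a constant
    flux i_0 injected at x = 0.  Valid for x >= 0; at t = 0 the initial
    condition eta(0, x) = i_b holds.  The defaults are constructed values."""
    if t <= 0.0:
        return i_b
    q = x / math.sqrt(4.0 * (b / a) * t)   # x / sqrt(4 (b/a) t)
    r = math.sqrt((c / a) * t)              # sqrt((c/a) t)
    p = math.sqrt(c / b)                    # sqrt(c/b)
    minus = math.erfc(q - r)
    plus = math.erfc(q + r)
    # erfc(q + r) underflows to 0 for large arguments; skip the exp(p x)
    # factor in that case so that very large x cannot overflow.
    term_plus = 0.0 if plus == 0.0 else math.exp(p * x) * plus
    term_minus = math.exp(-p * x) * minus
    return i_b + i_0 / math.sqrt(4.0 * b * c) * (term_minus - term_plus)


def flux_at_site(t, h=1e-5, **params):
    """Numerical check of the boundary condition -b * d eta/dx = I_0 at x = 0,
    by a central difference (the formula is analytic in x, so x = -h is fine)."""
    b = params.get("b", 1.0)
    return -b * (eta(t, h, **params) - eta(t, -h, **params)) / (2.0 * h)


def steady_state(x, a=1.0, b=1.0, c=1.0, i_b=0.0, i_0=1.0):
    """Limit of Equation 3 as t -> infinity: erfc(q - r) -> 2, erfc(q + r) -> 0."""
    return i_b + i_0 / math.sqrt(b * c) * math.exp(-math.sqrt(c / b) * x)


def front_position(t, threshold, x_max, dx=1e-3, **params):
    """Smallest grid point x in [0, x_max] at which eta(t, x) falls below the
    low threshold: the free boundary that moves away from the infusion site.
    Returns x_max if the concentration stays above the threshold everywhere."""
    n = int(round(x_max / dx))
    for j in range(n + 1):
        x = j * dx
        if eta(t, x, **params) < threshold:
            return x
    return x_max


if __name__ == "__main__":
    for t in (0.1, 1.0, 10.0, 100.0):
        print(f"t={t:6.1f}  eta(t,0)={eta(t, 0.0):.4f}  flux={flux_at_site(t):.4f}"
              f"  front(0.05)={front_position(t, 0.05, 20.0):.3f}")
```

With these parameters the front moves outward and settles near x = ln(20) ≈ 3.0, where the steady-state profile e^{-x} crosses the threshold 0.05; the flux check returns 1.0 at every t > 0, which is the I_0 of the boundary condition.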

5. TIME AND SPACE BOUNDED ε REACH SET OF A SINGLE MODE DTL1STHA

We want to find the ε reach set of a single mode DTL1STHA from an initial configuration V0 by sampling the time with interval hx at a space point x and the space with grid size ht at a given time. To bound the error of discretization to ε, we need to find ht and hx such that from any sampled state η(t, x) the trajectory remains within the ε neighborhood, Bε(η(t, x)), before the next sampled state is considered.

To ensure this, the following two conditions must be satisfied,

$$
\max_{\tau \in [0, h_x]} \big(\eta(t + \tau, x) - \eta(t, x)\big) < \varepsilon, \quad (4)
$$

$$
\max_{s \in [0, h_t]} \big(\eta(t, x + s) - \eta(t, x)\big) < \varepsilon, \quad (5)
$$

where we take the maximum entry if η is a vector. We first consider the time differential of η and use Equation 2 to obtain

$$
\max_{\tau \in [t, t + h_x]} \left(\frac{\partial \eta(\tau, x)}{\partial \tau}\right) \le \frac{b}{a} \max_{\tau \in [t, t + h_x]} \left(\frac{\partial^2 \eta(\tau, x)}{\partial x^2}\right) + \left(\frac{c}{a}\right) \max_{\tau \in [t, t + h_x]} \big(\eta(\tau, x)\big) + \left(\frac{u}{a}\right). \quad (6)
$$

We need to express $\max_{\tau \in [t, t+h_x]}\left(\frac{\partial^2 \eta(\tau,x)}{\partial x^2}\right)$ and the term $\max_{\tau \in [t, t+h_x]}(\eta(\tau, x))$ in terms of the mode invariants so that they have fixed values during a trajectory evaluation at any space or time. The absolute max of the term $\max_{\tau \in [t, t+h_x]}(\eta(\tau, x))$ in a given mode is the maximum value that η can take while staying in the mode. This means that $\max_{\tau \in [t, t+h_x]}(\eta(\tau, x)) = \eta_{max} = \max_{t \in T, x \in S} \mathrm{Inv}_0$.

To find the maximum of the double differentiation we express it using the standard Taylor series expansion as follows:

$$
\frac{\partial^2 \eta(t, x)}{\partial x^2} = \frac{2\eta(x) - \eta(x + h_t) - \eta(x - h_t)}{h_t^2} \quad (7)
$$

The maximum value of this term is $\frac{2(\eta_{max} - \eta_{min})}{h_t^2}$, where $\eta_{min} = \min_{t \in T, x \in S} \mathrm{Inv}_0$.

Similarly, from Equation 5 we can derive the maximum value of the spatial variation. Substituting Equations 7 and 6 in Equations 4 and 5 we get Equations 8 and 9, which can be simultaneously solved to get hx and ht (full derivation shown in Appendix [3]).

$$
\frac{b}{a}\,\frac{2(\eta_{max} - \eta_{min})}{h_t^2}\,h_x + \frac{c}{a}\,\eta_{max}\,h_x + \frac{u}{a}\,h_x = \varepsilon/2 \quad (8)
$$

$$
\frac{a}{b}\,\frac{(\eta_{max} - \eta_{min})\,h_t^2}{2h_x} - \frac{c}{b}\,\eta_{min}\,\frac{h_t^2}{2} - \frac{u}{b}\,\frac{h_t^2}{2} = \varepsilon/2 \quad (9)
$$

Note that we select ht and hx such that the trajectory between sampled states is within an ε/2 neighborhood, which is a stricter assumption than required. This will help us to ensure that the approximate reach set computed from a δ neighborhood of the initial configuration is within an ε boundary of the actual reach set. We now define a methodology to compute the ε reach set from an initial configuration V0.

Lemma 5.1. A bounded ε > 0 reach set $R^T_S(V_0, \varepsilon)$ of a one-mode DTL1STHA from an initial configuration $V_0 \subset \mathrm{Inv}_0$ over time [0,T] and within space S can be determined as

$$
R^T_S(V_0, \varepsilon) = \bigcup_{k=0}^{\beta - 1}\ \bigcup_{j=-(\kappa - 1)}^{\kappa - 1} B_\varepsilon\big(\eta(k h_x,\ x_0 + j h_t)\big), \quad (10)
$$

where β = T/hx, κ = S/(2ht), x0 is the origin of the coordinate system, and hx and ht are derived from Equations 8 and 9. The set has the following properties:

i) $\lim_{\varepsilon \to 0} R^T_S(V_0, \varepsilon) = R^T_S(V_0)$, and

ii) it contains the ε/2 neighborhood of $R^T_S(V_0)$, i.e.,

$$
\bigcup_{z \in R^T_S(V_0)} B_{\varepsilon/2}(z) \subseteq R^T_S(V_0, \varepsilon). \quad (11)
$$

The lemma states that to compute the ε reach set, we first consider a discrete space point x0 + jht at a discrete time khx. The trajectory for the single mode DTL1STHA is then computed at this space point and time step. It is then over-approximated by constructing a hypercube of ε side length with the state η(khx, (x0 + jht)) at its center. This over-approximation is done for each time and space point, up to the maximum time T and the space bound S. The ε reach set is then the union of all the resulting hypercubes. A reach set computed in such a method has two properties: a) as ε tends to zero the set approaches the actual reach set from the initial configuration V0, and b) the set encompasses the ε/2 neighborhood of the actual reach set. Proofs of these claims are provided in Appendix [3].

5.1 ε reach set for a set of initial configurations

We now extend Lemma 5.1 to consider a set of initial configurations which are within a δ neighborhood of the initial configuration V0, Bδ(V0). We first show that there exists a δ > 0 such that the reach set starting from the set Bδ(V0) is contained in the ε reach set computed using Lemma 5.1.

Lemma 5.2. Given an ε > 0, an initial configuration V0 of a DTL1STHA, a time interval [0,T] and a spatial region S, there exists a δ > 0 such that

$$
R^T_S(B_\delta(V_0)) \subseteq R^T_S(V_0, \varepsilon), \quad (12)
$$

where $R^T_S(B_\delta(V_0))$ is the reachable set starting from the set Bδ(V0) up to a time T and space boundary S. In particular we will show that δ = ε/2H for $H = \left(1 + 2\sqrt{4bc}\right)$.

The lemma proof is in Appendix [3]. Next we extend Lemma 5.2 to consider a γ approximation of the reachable states starting from a δ neighborhood of the initial configuration, $R^T_S(B_\delta(V_0), \gamma)$. We can find a γ such that $R^T_S(B_\delta(V_0), \gamma)$ is also within $R^T_S(V_0, \varepsilon)$.

Lemma 5.3. Given an ε > 0, an initial configuration V0 of a single mode DTL1STHA, a time interval T, and a spatial region S, there exists a δ > 0 and a γ > 0 such that $R^T_S(B_\delta(V_0), \gamma) \subseteq R^T_S(V_0, \varepsilon)$. In particular we show that $R^T_S(V_0) \subseteq R^T_S(B_{\varepsilon/(4H)}(V_0), \varepsilon/4) \subseteq R^T_S(V_0, \varepsilon)$.

The lemma proof is in Appendix [3]. Thus, if we compute the ε reach set following Lemma 5.1, then we also over-approximate the reach set from an ε/(4H) neighborhood of the initial configuration V0 by ε/4. In our reachability analysis algorithm we will thus use Lemma 5.1 to compute the reach set, and we will get a γ = ε/4 approximation of the reach set from a δ = ε/(4H) neighborhood of the initial configuration V0.

5.2 Determining the exit condition from an invariant set

Since we are over-approximating the reach set at any time and space point by discretization, there is a chance of ignoring the exit point of a trajectory from an invariant set. We show that, for a given ε > 0, we can always find a δ > 0, hx and ht such that no such exit conditions are ignored.

Lemma 5.4. Given a DTL1STHA and an initial state {l0, v0}, if the trajectory η(t, x) exits the invariant set Inv0 at time t1 < T and space point x1 ∈ S, then for all small enough δ > 0 there exist some hx and ht such that $B_\delta(\eta(j h_x, k h_t))$ is outside Inv0 for some j and k.

Proof: Let us consider that $v_{t_1,x_1}$ lies at the boundary $\overline{\mathrm{Inv}}_0$ of the DTL1STHA. Since the solution of the PDE in Equation 2 is continuous over space and time, there exists a ball $B_r(v_{t_1,x_1})$, 0 < r < ε, such that for every point in the neighborhood the deterministic transverse temporal or spatial transition condition holds (Definitions 9 and 10). This means that for all states $v \in B_r(v_{t_1,x_1}) \cap \overline{\mathrm{Inv}}_0$, $\frac{\partial v}{\partial t} \odot n > 0$ and $\frac{\partial^2 v}{\partial x^2} \odot n > 0$, i.e., the dot product of the rate of change of the state over time or space with the unit normal vector n at v in the direction outward of Inv0 is greater than 0. This indicates that there is a tendency of the state to exit Inv0 at any subsequent space or time increment. To capture this transition, we need to find hx and ht such that a state in $B_r(v_{t_1,x_1})$ is captured in the reach set computation. Let us consider hx and ht from Equations 8 and 9 by replacing the right hand side by ε/4G, where G = ε/r > 1. From Lemma 5.3 we know that the reach set computation method in Lemma 5.1 will result in the ε/(8G) = r/8 approximation of the reach set from an ε/(8GH) = r/(8H) neighborhood of $v_{t_1,x_1}$. Hence, Lemma 5.1 will find a point in $B_r(v_{t_1,x_1})$, and at some t = jhx and x = kht, $B_\delta(v_{t,x})$ exits Inv0.

Given this guarantee that there exist ht and hx such that all transitions are captured by the reach set computation technique of Lemma 5.1, let us devise an algorithm for computing the reach set for a single mode DTL1STHA.

5.3 Algorithm for ε reach set of a single mode DTL1STHA

The inputs to the algorithm are: i) a single mode DTL1STHA DΣ, ii) an initial configuration V0, iii) an invariant set Inv, iv) the parameter ε, v) a parameter α, vi) the time bound T, and vii) the space bound S. The algorithm outputs the set of reachable states, the time and space at which the DTL1STHA exits the invariant set Inv, and the γ and δ parameters of Lemma 5.3.

Algorithm 1 first considers a δ boundary of the initial configuration V0 and computes the reachable states that are either within Inv or in InvC, where InvC is the complement set of Inv. Note that if a set of reachable states intersects with both Inv and InvC then it means that at the given space and time the DTL1STHA is in two different modes, which is not feasible. However, since the computed reachable states are an ε approximation, such infeasible cases may occur during execution of the algorithm. But from Lemma 5.4 we know that there exist a δ and a γ for which such infeasible cases do not occur. Hence, if such an infeasible case occurs the algorithm updates the values of γ and δ such that the reach set is either within Inv or within InvC.

The algorithm increments time in steps of hx. For time t = 0, the algorithm starts with Bδ(V0) and computes its image for different space points starting from x = 0 to x = S in steps of ht. After each computation of an image the algorithm checks whether the image is within Inv. If it is not within Inv there can be two cases: a) it is within InvC, in which case the algorithm terminates and the reachable set is the image of Bδ(V0) at the current time and space location, and b) it is not within InvC, in which case the algorithm returns an empty set as the reachable state, updates the parameters γ and δ by multiplying the previous values with α, and restarts the computation at t = 0 and x = 0. If the image is within Inv for all x ∈ S, the algorithm then increments t by hx. It then computes the image of Bδ(V0) at x = 0 and t = t + hx. The computation of images with respect to the spatial dimension is repeated while t < T. The pseudocode of Algorithm 1 is available in Appendix [3].

Algorithm 1 (Rset, t, x) = CalcReach(DΣ, Inv, V0, T, S, ε, α)
1: while reach set is empty do
2:   Compute hx and ht from Equations 8 and 9;
3:   while t ≤ T do
4:     Start from x = 0; Set Pc = V0;
5:     Set the image of Pc, Dt,x(Pc) = Pc;
6:     while x ≤ S do
7:       Increment space by ht
8:       Dt,x(Pc) = Compute the image at x from Dt,x−ht(Pc);
9:       if (Current image is neither in Inv nor InvC) then
10:        return null set, restart computation with γ = αγ and δ = αδ;
11:      else if (Current image in InvC or in Inv) then
12:        Rset = Rset ∪ Dt,x(Pc);
13:        return (Rset, Dt,x(Pc), t, x, γ, δ);
14:      end if
15:    end while
16:    Increment time by hx
17:    Repeat the image computation technique and check for invariant crossing (lines 9 - 14) for the next time;
18:  end while
19: end while

Image Computation: Let us consider that the current reach set is Dt,x(Pc) (Algorithm 1), starting from a δ neighborhood of Pc, Bδ(Pc), computed as discussed in Section 2. The set Dt+hx,x(Pc) or Dt,x+ht(Pc) is computed from the set Dt,x(Pc) by exploiting the polyhedral structure of Bδ(Pc). The algorithm first considers the set of vertices Vert(t, x) of the image Dt,x(Pc). Then for each vertex vert(t, x) ∈ Vert(t, x), vert(t + hx, x) or vert(t, x + ht) is computed using the solution of the dynamic Equation 3. Hence the set Vert(t + hx, x) or Vert(t, x + ht) can be computed from Vert(t, x). The image Dt+hx,x(Pc) or Dt,x+ht(Pc) can then be computed from the convex hull of the set of vertices in Vert(t + hx, x) or Vert(t, x + ht), respectively. To obtain a γ approximation of the reachable states we have to take γ boundaries of the convex hull. Instead we can take γ boundaries of the vertices in Vert(t + hx, x) or Vert(t, x + ht) and then take the convex hull of the vertices of the boundaries. Lemma 5.5 shows that the two approaches produce identical results.

Lemma 5.5. If H is the convex hull of the set $\bigcup_{v \in V} \mathrm{Vert}(B_\gamma(v))$, then it is the closed γ neighborhood of the convex hull of the set V.

The proof of Lemma 5.5 is given in Appendix [3]. We will now show that Algorithm 1 terminates in a finite number of steps and gives $R^T_S(B_\delta(V_0), \gamma)$ as output.

Theorem 5.6. Given the input (DΣ, Inv, V0, T, S, ε, α), Algorithm 1 terminates in a finite number of steps and outputs the set $R^T_S(B_\delta(V_0), \gamma)$.

Proof: The algorithm terminates whenever the current time is greater than T and the current space point is outside S. Since the time and space points increment in fixed steps, the algorithm terminates in a finite number of steps for these conditions. If the algorithm terminates at time T and at space limit S, then from Lemma 5.3 there exist a δ1 and a γ1 such that $R^T_S(B_\delta(V_0), \gamma)$ is a subset of Rset, since the reach set is computed following Lemma 5.1.

However, if the ε reach set intersects both Inv and InvC then the algorithm restarts computation with reduced δ and γ. This has the potential of running into infinite loops with δ and γ reducing to arbitrarily small values.

If there exists a time t1 < T or a space point x1 ∈ S such that the trajectory moves to InvC, then from Lemma 5.4 there exists a δ1 > 0 such that $B_{\delta_1}(\eta(j h_x, k h_t)) \subset \mathrm{Inv}^C$ for some j and k. Hence the algorithm will stop at ta = jhx and at space location xa = kht. For this ta and xa, from Lemma 5.3 there exist a γ2 and δ2 such that $R^{t_a}_{x_a}(B_{\delta_2}(V_0), \gamma_2)$ is a subset of the Rset returned by Algorithm 1.

Now if tf = min(ta, T) and xf = min(xa, S), and δ = min(δ1, δ2) and γ = min(γ1, γ2), the algorithm does terminate and outputs the ε reach set.
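Lemma 5.1, the discretization conditions (4) and (5), Algorithm 1 with its δ/γ restart rule, and the invariant-exit check of Section 5.2, as one added Python example that is not the paper's code. It uses the same closed form as Equation 3 for a single-variable model with constructed parameters a = b = c = 1, I_b = 0, I_0 = 1. Three simplifications are assumptions of this example rather than the paper's method: the step sizes h_x (time) and h_t (space) are found by halving until the sampled trajectory satisfies conditions (4) and (5) with ε/2, instead of solving Equations 8 and 9 in closed form; because I_b enters Equation 3 additively, the image of the interval B_δ(V_0) at (t, x) is exactly [η(t,x) − δ, η(t,x) + δ], so no convex-hull step is needed; and the spatial grid covers the half-line x ∈ [0, S] on which the solution is defined rather than the symmetric index range of Equation 10. The final function applies the safety criterion of Section 7 (no reachable state above a threshold) to the computed boxes.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Model:
    """Single-variable DTL1STHA dynamics with constructed parameters (not the paper's)."""
    a: float = 1.0    # time scaling
    b: float = 1.0    # diffusion
    c: float = 1.0    # decay (assumed positive; u = 0)
    i_b: float = 0.0  # background level: the initial configuration V0 = {i_b}
    i_0: float = 1.0  # constant flux at the infusion site x = 0

    def eta(self, t, x):
        """Same closed form as Equation 3; defined for x >= 0, eta(0, x) = i_b."""
        if t <= 0.0:
            return self.i_b
        q = x / math.sqrt(4.0 * (self.b / self.a) * t)
        r = math.sqrt((self.c / self.a) * t)
        p = math.sqrt(self.c / self.b)
        plus = math.erfc(q + r)  # skip exp(p x) when erfc underflows, avoiding overflow
        term_plus = 0.0 if plus == 0.0 else math.exp(p * x) * plus
        return self.i_b + self.i_0 / math.sqrt(4.0 * self.b * self.c) * (
            math.exp(-p * x) * math.erfc(q - r) - term_plus)


def step_sizes(m, eps, T, S):
    """h_x (time step) and h_t (space step) such that consecutive samples differ
    by less than eps/2: conditions (4) and (5) with the stricter eps/2 of Section 5.
    Halving search, assumed here in place of solving Equations 8 and 9."""
    h_x, h_t = T, S
    while True:
        nt, nx = int(round(T / h_x)), int(round(S / h_t))
        g = [[m.eta(k * h_x, j * h_t) for j in range(nx + 1)] for k in range(nt + 1)]
        bad_t = any(abs(g[k + 1][j] - g[k][j]) >= eps / 2 for k in range(nt) for j in range(nx + 1))
        bad_x = any(abs(g[k][j + 1] - g[k][j]) >= eps / 2 for k in range(nt + 1) for j in range(nx))
        if not (bad_t or bad_x):
            return h_x, h_t
        h_x = h_x / 2.0 if bad_t else h_x
        h_t = h_t / 2.0 if bad_x else h_t


def reach_set(m, eps, T, S):
    """Lemma 5.1 / Equation 10 on the half-line x in [0, S]: a box of side eps
    (half-width eps/2) around every sample eta(k h_x, j h_t).  Boxes are (t, x, lo, hi)."""
    h_x, h_t = step_sizes(m, eps, T, S)
    boxes = []
    for k in range(int(round(T / h_x)) + 1):
        for j in range(int(round(S / h_t)) + 1):
            v = m.eta(k * h_x, j * h_t)
            boxes.append((k * h_x, j * h_t, v - eps / 2, v + eps / 2))
    return h_x, h_t, boxes


def covers(boxes, h_x, h_t, m, t, x):
    """Property (11) checked at one off-grid point: the true state eta(t, x)
    lies in the union of the boxes sampled within one step of (t, x)."""
    v = m.eta(t, x)
    return any(lo <= v <= hi for ts, xs, lo, hi in boxes
               if abs(ts - t) <= h_x + 1e-12 and abs(xs - x) <= h_t + 1e-12)


def is_safe(boxes, threshold):
    """Section 7 criterion: unsafe if any reachable state exceeds the threshold
    (180 mg/dl in the paper; here a value in the constructed units)."""
    return all(hi <= threshold for _, _, _, hi in boxes)


def _sweep(m, inv, h_x, h_t, T, S, delta, gamma):
    """One pass of Algorithm 1 (lines 3-18): time outer, space inner.  The image of
    B_delta(V0) at (t, x) is [eta - delta, eta + delta] since i_b enters Equation 3
    additively; gamma widens it for the gamma-approximation of Lemma 5.3."""
    inv_lo, inv_hi = inv
    rset = []
    for k in range(int(round(T / h_x)) + 1):
        for j in range(int(round(S / h_t)) + 1):
            t, x = k * h_x, j * h_t
            v = m.eta(t, x)
            box = (t, x, v - delta - gamma, v + delta + gamma)
            if inv_lo <= box[2] and box[3] <= inv_hi:    # image within Inv: keep going
                rset.append(box)
            elif box[3] < inv_lo or box[2] > inv_hi:      # image within Inv^C: exit found
                rset.append(box)
                return rset, (t, x), False
            else:                                         # straddles Inv and Inv^C: infeasible
                return rset, None, True
    return rset, None, False


def calc_reach(m, inv, eps, T, S, alpha=0.5, max_restarts=60):
    """Algorithm 1 for a single mode with invariant inv = (lo, hi).  On an infeasible
    image, delta and gamma are scaled by alpha and the sweep restarts at t = 0, x = 0
    (line 10); Lemma 5.4 guarantees that small enough values succeed."""
    h_x, h_t = step_sizes(m, eps, T, S)
    delta = gamma = eps / 4.0  # gamma = eps/4 as in Lemma 5.3; delta = eps/4 is a simplification
    for _ in range(max_restarts):
        rset, exit_pt, restart = _sweep(m, inv, h_x, h_t, T, S, delta, gamma)
        if not restart:
            return {"rset": rset, "exit": exit_pt, "delta": delta, "gamma": gamma,
                    "h_x": h_x, "h_t": h_t}
        delta, gamma = alpha * delta, alpha * gamma
    raise RuntimeError("no feasible delta/gamma found: a sample lies on the invariant boundary")


if __name__ == "__main__":
    m = Model()
    res = calc_reach(m, inv=(-1.0, 0.5), eps=0.1, T=1.0, S=2.0)  # constructed invariant and bounds
    print("h_x=%.5f h_t=%.5f exit=%s delta=%.2e" % (res["h_x"], res["h_t"], res["exit"], res["delta"]))
    _, _, boxes = reach_set(m, 0.1, 1.0, 2.0)
    print("safe below 0.9:", is_safe(boxes, 0.9), " safe below 0.8:", is_safe(boxes, 0.8))
```

With the constructed invariant (−1, 0.5), the concentration at the infusion site η(t, 0) = erf(√t) crosses 0.5 near t ≈ 0.23, so the first sweep hits an image straddling the boundary, shrinks δ and γ by α, and restarts until the exit sample is classified as lying entirely in Inv^C.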

6. ALGORITHM FOR ε REACH SET OF MULTIPLE MODE DTL1STHA

Lemma 5.4 and the resulting Algorithm 1, along with the assumption that the transitions are all deterministic and transversal, can be used to augment Algorithm 1 for multi-mode DTL1STHA. Using Algorithm 1 an updated reachable set can be obtained on transition, which can intersect multiple invariant sets of different modes. However, a DTL1STHA can only transit to one mode. We prove subsequently that, by proper adjustment of the δ and γ parameters, it is possible to obtain an ε reach set using Algorithm 1 such that the reach set intersects only a single invariant set on transition.

In this regard, we need to find the time t and the spatial location x at which a transition takes place and the value of the trajectory η(t, x) at the transition point. In the next lemma we show that it is possible to approximate the time of transition and the value of the trajectory.

Lemma 6.1. Given that at t < T and x < S the trajectory $\eta(t, x) \in \overline{\mathrm{Inv}}_0$ satisfies the deterministic transversal transition conditions, there exists a δ > 0 such that $B_{2\delta}(\eta(t, x)) \subset \mathrm{Inv}_0 \cup \mathrm{Inv}_1$, and also there exist Δt and Δx such that:

1. $\eta(\tau, x) \in \overline{\mathrm{Inv}}_1$ for τ ∈ [t, t + Δt] and x ∈ [x, x + Δx]

2. $\bigcup_{\eta \in F} R_{[t, t+\Delta t], [x, x+\Delta x]}(\eta) \subset \overline{\mathrm{Inv}}_1$, where $F = B_\delta(\eta(t, x)) \cap \overline{\mathrm{Inv}}_0 \cap \overline{\mathrm{Inv}}_1$.

Lemma 6.1 gives a methodology to over-approximate η(t, x) if it satisfies the deterministic transversal transition condition. It takes a similar approach to Lemma 5.4 to estimate the state at the time t and space x of transition. It approximates the state η(t, x) by intersecting the δ neighborhood of η(t, x) with Inv0 and Inv1. The lemma further states that if the reach set from $B_\delta(\eta(t, x)) \cap \overline{\mathrm{Inv}}_0 \cap \overline{\mathrm{Inv}}_1$ is computed for an appropriate Δt time interval and Δx space interval, then the reach set lies within Inv1. The proof of the lemma is given in Appendix [3].

Given an appropriate δ > 0 from Lemma 6.1, an appropriate δ0 neighborhood of V0 can also be found, as guaranteed by Lemma 5.4, which ensures that the ε reach set computed following Lemma 5.1 lies within Inv1.


Lemma 6.2. If the reachable states during a deterministic transverse transition at time t1 and space location x1 are within a δ neighborhood of η(t1, x1), there exists a δ0 such that $D_{t_1,x_1}(B_{\delta_0}(V_0)) \subset B_\delta(\eta(t_1, x_1))$ and $D_{t_1,x_1}(B_{\delta_0}(V_0)) \cap \mathrm{Inv}_0 \cap \mathrm{Inv}_1$ is an over-approximation of η(t1, x1), where $D_{t_1,x_1}(B_{\delta_0}(V_0))$ is the reach set computed by Algorithm 1.

Lemma 6.2 states that if for δ > 0 a transition is detected by computing the reach set using Lemma 5.1, as in Algorithm 1, a corresponding δ0 boundary of the initial configuration can be found. Lemma 6.2 can then be used in arithmetic induction to prove that if the reach set for any transition k is computed following Lemma 6.1, then a δ0 can always be found such that Algorithm 1 can capture it. The associated lemma and its proof are given in Appendix [3]. This allows us to use Algorithm 1, with some changes, for computing the reach set of a multi-mode DTL1STHA. The changes include a Transition function that can output the new mode and the new initial configuration to be used for each transition. Further, if the Transition algorithm fails to find the new mode, then Lemma 6.2 allows it to reduce the value of δ0 and restart the overall computation with an increased assurance of finding the new mode in the next iteration.

The reachability analysis algorithm for multi-mode DTL1STHA takes as input: a) the DTL1STHA DΣ, b) the initial mode l0, c) the initial configuration V0, d) the time bound T, e) the space bound S, f) the approximation parameter ε, and g) the parameter α used to adjust δ and γ. It outputs the reach set Rset. The algorithm has the following simple steps:

a) From an initial state it starts computing the reach set following Algorithm 1. On computation of the reach set the algorithm checks whether it is within the invariant set of the current mode.

b) Whenever a computed reach set is not within the invariant set, the Transition algorithm is called. The Transition algorithm checks whether the reach set is within a unique Invi. If it is within a unique Invi the algorithm returns the reach set, the new mode, and the new initial configuration for the mode. If not, then the algorithm recalculates δ and γ and returns an empty reach set.

c) If Transition returns a valid transition, then the algorithm resumes its computation from the new initial configuration and the new mode at the current time and space point.

d) Else it restarts the computation at time t = 0 and space x = 0 with the new values of δ and γ. The full pseudocode for the Transition algorithm is available in Appendix [3].

The reachability algorithm for multi-mode DTL1STHA is given in Appendix [3]. The multi-mode reachability analysis algorithm has the same exit condition as Algorithm 1. In Theorem 5.6 we have already proved that Algorithm 1 terminates in finite time and outputs the ε reach set. Hence, Theorem 5.6 is also a proof that the multi-mode reachability analysis algorithm terminates in finite time. The number of times the multi-mode reachability analysis algorithm executes the Transition algorithm is $O\left(\frac{T}{h_x}\,\frac{S}{h_t}\,\log_\alpha(\delta)\right)$, since there are two loops for time and space and each can be reiterated at most $\log_\alpha(\delta)$ times. This is because the algorithm starts with a high α and progresses by dividing α by a factor d.

7. INFUSION PUMP SAFETY VERIFICATION

The infusion pump DTL1STHA models are as described in Examples 2 and 3. In this paper, we only show the reachability analysis of the multi-channel infusion case.

To perform the safety analysis of the infusion pump using the reachability analysis algorithm, we considered five control parameters of the pump: 1) control input delay, the time taken to transmit the control input from the controller to the infusion pump, 2) set point, the drug concentration that is required to be maintained (dB), 3) basal value, the infusion rate when the pump is in the basal state, Ib, 4) sampling interval, the time interval at which the controller samples the spatio-temporal model, and 5) infusion increment, the maximum amount by which the controller can increment the infusion rate I0. A setting of the infusion pump is a tuple with numeric values assigned to the above five parameters. The reachability analysis as discussed in Section 6 was performed on every setting of the model. The safety threshold of glucose concentration was set at 180 mg/dl. Whenever the reach set in any setting has a state with glucose concentration greater than 180 mg/dl, the setting is considered unsafe. The safe settings of the infusion pump determined using the above-mentioned method are shown in Figure 8. Figure 8 shows the 2-D projection of the 5-D graph generated from the analysis procedure. The control input delay was varied from 10 to 100 seconds, the infusion increment step from 100 to 1000 ug/min, the set point from 100 to 1000 ug/l, the basal value from 600 to 1000 ug/min, and the sampling interval from 5 to 25 s. In each of the figures showing any two parameters, the unshaded regions are the unsafe settings, where the glucose concentration exceeded 180 mg/dl. The shaded regions are safe for the assumed values of the control parameters. The graphs are reflective of the control action of the infusion pump. For example, in the leftmost graph, for low control input delay and low infusion increments we see that the infusion pump is unsafe. This is due to the fact that many infusion increments are made at a high frequency, leading to unstable behavior of the pump. We also observe that pump settings with higher control input delays and lower infusion increments are safer. However, if the increments are too high, that also leads to unsafe configurations.

Note that we have several islands in the graphs, which are indicative of some optimal control input delay (delay not too high) and infusion increment (increment not too low) pair that leads to safe infusion pumps. The graphs also show hypoglycemia cases with glucose level lower than 40 mg/dl if a configuration falls within the region bounded by dashed lines. A configuration is safe from both hyper- and hypoglycemia if it lies in the region bounded by the solid line and does not fall within the region bounded by dashed lines.

8. CONCLUSIONS

In this paper, we propose a novel linear 1-space dimensional spatio-temporal hybrid automata that captures spatio-temporal aggregate cyber-physical interactions. We also propose a time- and space-bounded reachability analysis technique for DTL1STHA that estimates the reach set with an arbitrary estimation error ε. The complexity of the algorithm depends on the parameter ε and is higher for lower ε. We applied DTL1STHA modeling and reachability analysis to infusion pump control systems and showed the safe and unsafe conditions of pump operation. In future work we will extend the reachability analysis algorithm to multi-dimensional space.

9. REFERENCES

[1] K. A. Aalborg, K. E. Andersen, and M. Højbjerre. A Bayesian approach to Bergman's minimal model. In C. M. Bishop and B. J. Frey, editors, Proceedings of the Ninth International Workshop on Artificial Intelligence and Statistics, 2003.

[2] H. Alt, J. Blömer, and H. Wagener. Approximation of convex polygons. In M. Paterson, editor, Automata, Languages and Programming, volume 443 of Lecture Notes in Computer Science, pages 703–716. Springer, Berlin/Heidelberg, 1990.

[3] A. Banerjee and S. K. S. Gupta. Appendix for ICCPS 2013. http://impact.asu.edu/BanerjeeICCPSApp.pdf.

[4] A. Banerjee and S. K. S. Gupta. Your mobility can be injurious to your health: Analyzing pervasive health monitoring systems under dynamic context changes. In IEEE International Conference on Pervasive Computing and Communications (PerCom), pages 39–47, March 2012.

[Figure 8 (image not reproduced): three 2-D panels of the safety map. Axis labels recovered from the figure: Bolus (ug/min), Control Input Delay (s), Sample Interval (s); Infusion rate Increment Step (ug/min), Set Point (ug/min), Drug Concentration. Tick ranges: 600–1000, 10–100, 5–25 on the horizontal axes and 100–1000 on the vertical axes. Legend: Direction of increasing parameter value; No Hyperglycemia; Hypoglycemia.]

Figure 8: Safe and unsafe initial configurations of the infusion pump.

[5] A. Banerjee, S. Kandula, T. Mukherjee, and S. K. S. Gupta. BAND-AiDe: A tool for cyber-physical oriented analysis and design of body area networks and devices. ACM Trans. Embed. Comput. Syst., 11(S2):49:1–49:29, Aug. 2012.

[6] E. Bartocci, F. Corradini, M. R. Di Berardini, E. Entcheva, R. Grosu, and S. A. Smolka. Spatial networks of hybrid I/O automata for modeling excitable tissue. Electronic Notes in Theoretical Computer Science (ENTCS'08), 194(3):51–67.

[7] D. Bleecker and G. Csordas. Basic Partial Differential Equations. Chapman and Hall, 1995.

[8] M. C. Bujorianu. An integrated specification logic for cyber-physical systems. In ICECCS 2009, pages 291–300.

[9] C. Cortazar, M. Elgueta, and J. D. Rossi. A nonlocal diffusion equation whose solutions develop a free boundary. Annales Henri Poincaré, 6:269–281, 2005.

[10] G. Frehse. PHAVer: Algorithmic verification of hybrid systems past HyTech. In HSCC, pages 258–273, 2005.

[11] R. Ghosh and C. Tomlin. A query-based technique for interpreting reachable sets for hybrid automaton models of protein feedback signaling. In Proceedings of the American Control Conference, pages 4417–4422, June 2005.

[12] A. Girard and C. Le Guernic. Zonotope/hyperplane intersection for hybrid systems reachability analysis. In Proceedings of the 11th International Workshop on Hybrid Systems: Computation and Control, HSCC '08, pages 215–228, Berlin, Heidelberg, 2008. Springer-Verlag.

[13] S. Graf and W. Zhang, editors. Automated Technology for Verification and Analysis, 4th International Symposium, ATVA 2006, Beijing, China, October 23–26, 2006, volume 4218 of Lecture Notes in Computer Science. Springer, 2006.

[14] D. G. M. Greenhalgh, M. B. R. Lawless, B. B. Chew, W. A. Crone, M. E. Fein, and T. L. M. Palmieri. Temperature threshold for burn injury: An oximeter safety study. Journal of Burn Care and Rehabilitation, 25(5):411–415, 2004.

[15] N. Grégoire and M. Bouillot. Hausdorff distance between convex polygons. http://cgm.cs.mcgill.ca/~godfried/teaching/cg-projects/98/normand/main.html.

[16] T. L. Jackson and H. M. Byrne. A mathematical model to study the effects of drug resistance and vasculature on the response of solid tumors to chemotherapy. Mathematical Biosciences, 164(1):17–38, 2000.

[17] K.-D. Kim, S. Mitra, and P. R. Kumar. Bounded ε-reach set computation of a class of deterministic and transversal linear hybrid automata. CoRR, abs/1205.3426, 2012.

[18] A. Lamperski and A. Ames. On the existence of Zeno behavior in hybrid systems with non-isolated Zeno equilibria. In 47th IEEE Conference on Decision and Control (CDC 2008), pages 2776–2781, Dec. 2008.

[19] J. Lee, S. Bohacek, J. Hespanha, and K. Obraczka. Modeling communication networks with hybrid systems. IEEE/ACM Transactions on Networking, 15(3):630–643, June 2007.

[20] NSF. Program solicitation. http://www.nsf.gov/pubs/2011/nsf11516/nsf11516.htm.

[21] H. H. Pennes. Analysis of tissue and arterial blood temperature in the resting human forearm. Journal of Applied Physiology, 1(1):93–122, 1948.

[22] A. Schäfer and M. John. Conceptional modeling and analysis of spatio-temporal processes in biomolecular systems. In S. Link and M. Kirchberg, editors, Sixth Asia-Pacific Conference on Conceptual Modelling (APCCM 2009), volume 96 of CRPIT, pages 39–48, Wellington, New Zealand, 2009.

[23] C. Sinem, E. Mustafa, and K. T. John. Lifetime analysis of a sensor network with hybrid automata modelling. In WSNA '02: Proceedings of the 1st ACM International Workshop on Wireless Sensor Networks and Applications, pages 98–104, New York, NY, USA, 2002.

[24] Q. Tang, N. Tummala, S. K. S. Gupta, and L. Schwiebert. Communication scheduling to minimize thermal effects of implanted biosensor networks in homogeneous tissue. IEEE Transactions on Biomedical Engineering, 52(7):1285–1294, July 2005.

[25] Q. Tang, N. Tummala, S. K. S. Gupta, and L. Schwiebert. TARA: Thermal-aware routing algorithm for implanted sensor networks. Lecture Notes in Computer Science, 3560:206–217, 2005.

[26] The Networking and Information Technology Research and Development Program. Different definitions of cyber-physical systems.

[27] A. Tiwari. HybridSAL relational abstracter. In P. Madhusudan and S. Seshia, editors, Computer Aided Verification, volume 7358 of Lecture Notes in Computer Science, pages 725–731. Springer Berlin Heidelberg, 2012.

[28] Q. Yong, W. Ying-Jie, and J. Li-Min. Hybrid cellular automata model for railway transportation system and its implementation on GIS. In Intelligent Vehicles Symposium, pages 543–546, June 2003.