Biomedical Cyber-Physical Systems You Can Bet Your Life On

NSF CPS PI meeting, 2011-08-01
Patrick Lincoln
Computer Science Laboratory
SRI International

Outline
• Future-present robotics
  – Augmenting human skills, safety, and experiences
• Safety cases for robotic systems
  – Evidence-based certification for life-critical systems
• Future-present biology
  – Augmenting human health, productivity, and environment
• Safety cases for biological systems
  – Evidence-based certification for environment-critical biological systems

Future-Present Robotics
Augmenting human skills, safety, and experiences

Example: Telepresence Surgical Robotics

Origins of Remote Manipulation Robotics
• Leonardo da Vinci 1464
• Human-shape automaton
• Designed to raise arms, open visor, etc.
• Used cables and pulleys to actuate
• Designs lost for 500 years
  – Rediscovered 1950

Remote manipulation of hazardous materials
• Robert Heinlein’s 1942 science fiction “Waldo”
• Raymond Goertz (Argonne National Lab) and others developed Master-Slave Manipulators “Waldos” for radioactive handling in 1950s

Origins: Teleoperation of Virtual Systems
• Brooks at University of North Carolina at Chapel Hill 1988, 1990

SRI Telepresence Surgery
• Phil Green’s team at SRI created world’s 1st complete telepresence surgical systems in 1980s and early 1990s
  – Primarily funded by DARPA for remote military surgery
  – Built on NIH funded experiments at SRI and Stanford University
  – Also built on NASA funding for remote teleoperation in space
    • NASA Flight Telerobotic Servicer (1980s)
  – Dexterous minimally invasive surgical tools
  – Intuitive user interface
• Successful demonstrations, though no long-range on-battlefield (let alone in-space) deployment
• SRI has many patents issued worldwide for the key components (now licensed to Intuitive Surgical)

The Basic Approach
• Human operator puts hands on master controllers
• Master system uses forward kinematics to compute desired pose of end effector
• Master computer communicates to slave control computer over a digital network
• Slave computer applies inverse kinematics to compute required robot arm and wrist angles
• Live stereo video is fed back to operator
• (optional) Sensed forces on slave effectors communicated back through similar system, providing haptic feedback

Other Pioneers in Robotic Surgery
• Russell Taylor at IBM Watson Research Center and Mark Talamini at Johns Hopkins developed the Laparoscopic Assistant Robot
• Hari Das at JPL: NASA-funded Robot Assisted Microsurgery (RAMS)
• Yulun Wang at UC Santa Barbara developed a robotic system, Zeus; NASA-funded SBIR seeded Computer Motion Inc.
  – Computer Motion acquired by Intuitive Surgical in 2003
• Ken Salisbury at MIT developed innovative haptics systems
  – Later he joined Intuitive Surgical, now Stanford professor
• Brian Davies at Imperial College: PROBOT
• Plus several other academic and industrial efforts

Intuitive Surgical
• Spun out from SRI in 1996
  – Large portfolio of SRI patents and prototypes
  – Entrepreneurs John Freund, Dr. Frederick Moll, and Robert Younge
  – Several SRI staff members, including current CEO Gary Guthart
  – Venture funding from Mayfield, Sierra, and Morgan Stanley

Forming a Venture: Intuitive Surgical
• SRI spun out Intuitive Surgical in 1996
• ISRG refined SRI system into “Lenny” 1997
• Created daVinci robot 1998
• First robotic-assisted heart bypass 1998
• First beating-heart robotic-assisted heart bypass 1999
• IPO in April 2000
• FDA approval in 2003
• ISRG market cap today: $15B

Concept of Operations
Nurses at bedside, surgeon a few steps away

Impact of Telepresence Surgery
• Many types of surgery improved:
  – Urology, Gynecology, Cardiothoracic, General Surgery, Colorectal, Head & Neck, Pediatric
• ~2,000 daVinci robots installed
• Nearing one million surgeries total
• Direct benefits: #1 treatment option for prostate and gynecological cancer
  + Reduced risk of infection
  + Less pain and scarring
  + Less blood loss and less need for blood transfusions
  + Shorter hospital stay (2-5 days less for cardiac)
  + Faster recovery and return to normal activities
  – Note: Capital cost $1+M per robot, $1+K consumables

Example Impact on Cardio Bypass
• No sternotomy
• No 8-10” cut through chest
• No cuts through sternum
• No cracking of ribs
• Shorter time on table
• Shorter recovery time
• Less blood loss
• Less pain and scarring
• Quicker return to normal activities
• Less morbidity

Abstraction Enables
Putting a computer between surgeon and patient enables certain advantages
• Scaling up or down
• Virtually altering or stopping motion

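The pipeline from “The Basic Approach” together with the scaling and stopping listed under “Abstraction Enables”, as an added example that is not code from the talk or from SRI's system. The planar two-link arm, link lengths, message fields and the staleness and step limits are all assumptions chosen for illustration; the slave-side checks show one way to stay safe when the network duplicates, delays or mangles commands.

```python
import math
from dataclasses import dataclass

# Constructed values for illustration; none come from the slides.
L1, L2 = 0.30, 0.25   # link lengths of a planar two-link arm, metres
MAX_AGE_S = 0.050     # assumed bound on command age at the slave
MAX_STEP_M = 0.005    # assumed largest tool motion accepted per command


def forward_kinematics(q1, q2):
    """Joint angles (rad) -> tip position (m)."""
    return (L1 * math.cos(q1) + L2 * math.cos(q1 + q2),
            L1 * math.sin(q1) + L2 * math.sin(q1 + q2))


def inverse_kinematics(x, y):
    """Tip position -> joint angles (elbow-down), or None if out of reach."""
    c2 = (x * x + y * y - L1 * L1 - L2 * L2) / (2 * L1 * L2)
    if abs(c2) > 1.0:
        return None
    q2 = math.acos(c2)
    q1 = math.atan2(y, x) - math.atan2(L2 * math.sin(q2), L1 + L2 * math.cos(q2))
    return q1, q2


@dataclass
class Command:
    seq: int        # sender sequence number
    sent_at: float  # sender timestamp, seconds
    dx: float       # requested tool displacement, metres
    dy: float


class Master:
    """Operator side: hand-controller joints -> scaled tool displacement."""
    def __init__(self, q, scale):
        self.pose = forward_kinematics(*q)
        self.scale = scale   # 0.2 means 5 mm of hand motion -> 1 mm of tool motion
        self.seq = 0

    def move_hands(self, q, now):
        new = forward_kinematics(*q)
        dx, dy = new[0] - self.pose[0], new[1] - self.pose[1]
        self.pose = new
        self.seq += 1
        return Command(self.seq, now, dx * self.scale, dy * self.scale)


class Slave:
    """Patient side: validates each command before moving the arm."""
    def __init__(self, q):
        self.q = q
        self.last_seq = 0
        self.stopped = False   # "virtually stopping motion"

    def apply(self, cmd, now):
        """Return a status string; self.q changes only when it is 'moved'."""
        if self.stopped:
            return "held: stop engaged"
        if cmd.seq <= self.last_seq:
            return "dropped: duplicate or reordered"
        self.last_seq = cmd.seq
        if now - cmd.sent_at > MAX_AGE_S:
            return "dropped: stale"
        if math.hypot(cmd.dx, cmd.dy) > MAX_STEP_M:
            return "dropped: step too large"
        x, y = forward_kinematics(*self.q)
        target = inverse_kinematics(x + cmd.dx, y + cmd.dy)
        if target is None:
            return "dropped: unreachable"
        self.q = target
        return "moved"


def run_demo():
    """Drive one master/slave pair through normal and faulty deliveries."""
    master, slave = Master((0.5, 1.0), scale=0.2), Slave((0.4, 0.9))
    log = []
    ok = master.move_hands((0.51, 1.0), now=1.000)
    log.append(slave.apply(ok, now=1.010))        # fresh, small: accepted
    log.append(slave.apply(ok, now=1.012))        # network duplicate
    late = master.move_hands((0.52, 1.0), now=1.020)
    log.append(slave.apply(late, now=1.300))      # delayed 280 ms
    jump = master.move_hands((1.50, 1.0), now=1.400)
    log.append(slave.apply(jump, now=1.405))      # implausible jump
    slave.stopped = True
    hold = master.move_hands((1.51, 1.0), now=1.500)
    log.append(slave.apply(hold, now=1.505))      # stop overrides input
    return log


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Because commands carry displacements rather than absolute poses, a rejected command leaves the tool where it was instead of making it jump later to catch up.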
Safety cases for robotic systems
Evidence-based certification for life-critical systems

Next Question: How Assured?
• Original system used unreliable transport network
• Software and hardware originally constructed using standard engineering practices
  – Not bad, but not perfect
• Engineering cannot aim for perfection: 99% yes. 99.999% yes. 100% no.
• What level of assurance is appropriate for this type of system?

See: Medical Devices and Public Health, 2011
• Approvals require extensive documentation, laborious testing, rigorous science, expert review. This enables principled approval of new things
  – For drugs, not devices

FDA Approvals and Clearances
• Medical devices are cleared, not approved, through the 510(k) process
  – 510(k) arises from 1976 congressional authorizing legislation
  – Main topic of 510(k): “substantial equivalence” to

Definition of Substantial Equivalence in 1990 Safe Medical Device Amendments
A. For purposes of determinations of substantial equivalence . . . the term “substantially equivalent” or “substantial equivalence” means, with respect to a device being compared to a predicate device, that the device has the same intended use as the predicate device and that [FDA] by order has found that the device –
  (i) has the same technological characteristics as the predicate device, or
  (ii) has different technological characteristics and the information submitted that the device is substantially equivalent to the predicate device contains information, including clinical data if deemed necessary by FDA, that demonstrates that the device is as safe and effective as a legally marketed device and does not raise different questions of safety and efficacy than the predicate device.
B. For purposes of subparagraph (A), the term “different technological characteristics” means, with respect to a device being compared to a predicate device, that there is a significant change in the materials,…

Ensuring Safety and Effectiveness vs. Promoting New Innovative Medical Devices
• 1997 FDA Modernization act
  – Directs FDA to require “least burdensome” level of scientific evidence for manufacturers to assert substantial equivalence
• FDA attempting to foster innovation, but balance need for safety and evidence of effectiveness

Mathematician’s Issues With 510(k)
• Base case: no reason to assume everything used before 1976 is safe and effective
• Induction case: broad definition of substantially equivalent may mean devices with really new, novel technology cleared without rigorous evidence of safety and effectiveness

Example Challenges in Verification that CPS biomedical systems meet their requirements
• Ethical testing of the unproven on human subjects
• Interoperable devices, inter-device interference
• Composability
• Lifecycle and maintenance issues
• Metrics and measurement
• Malicious attack
• Hybrid (discrete and analog) control
• Regulatory staffing (vs peer review)
Current FDA efforts are making progress on some of these challenges, such as assurance case frameworks

A Way Forward, How You Can Help
• Create new approval procedure for de novo medical devices, and for new technologies for equivalents
  + Evidence-based medicine, formal methods
  + Expand # of applications that cite clinical evidence
• Like the safety cases for avionics and other industries, enable reasonable procedures and practices based on rigorous scientific principles
• Enable post-market monitoring of safety and effectiveness
  + Many in the Cyber-Physical-Systems community could be very helpful to this process
  + Many in the HCSS / CyberTrust communities could be helpful in ensuring privacy and security

Looking to Other Industries: Consider Fly-By-Wire
• What computer would you feel comfortable putting between the pilot and the wings of the aircraft you will fly home on?
  – Digital fly-by-wire avionics is now commonplace
• Classic goal of nine-nines in avionics
  – One system failure in a billion hours of use
  – Practically untestable: >1000 planes flying >100 years
  – What evidence other than testing should be gathered for a new aircraft type?
  – Led by NASA and FAA, standards and practices for safety cases exist and are in regular use

Can We Show Medical Robots Operate Within Specified Parameters Despite Faults?
• Latency, Speed, Responsiveness, Accuracy, etc.
Leverage ancient history of high-assurance machines
• Byzantine fault-tolerance machines: NASA and SRI’s SIFT, Allied’s MAFT, Draper’s FTP, Vienna MARS, AIPS
• Fundamental academic work in distributed systems
And their formal analysis
• Reduction of questions of interest to symbolic calculation: EHDM, PVS, ACL
Much high-quality research and development in academia and industry, including much performed or funded by speakers and attendees here at the NSF CPS meeting

Practicality of Assured Surgical Robotics?
• Recent advances in formal methods make practical the analysis of complex CPS systems such as medical robots
• Example project: SimCheck
  – Safety, Reliability, and Resilience of M7 slave unit
  – Matlab Simulink models of robot and control system
  – PVS and Yices used to analyze properties of models
  – Natarajan Shankar, John Rushby, Sam Owre, Bruno Dutertre
  – Supported by NASA Cooperative Agreement NNX08AY53A and NSF Grant CSR-EHCS(CPS)-0834810
• Other example projects at Berkeley, UPenn, MIT,…
  – Including speakers today

Next Steps
• Can the lessons learned here and tools developed help analyze infusion pumps, insulin pumps, heart monitors, pacemakers, and other new medical devices?
• Can we build a tool bus to integrate many analysis engines for designing high-assurance cyber-physical biomedical systems?
• What kind of assurance case can we build for such devices?
• What kind of architecture (with software health management) yields the strongest assurance case?

Future-Present Biology
Augmenting human health, productivity, and environment

Future Directions for Biomedical CPS
• Small assays
• Fast assays
• Precise biochemical actuation (Synthetic Biology)

Future Directions for Biomedical CPS: Extremely Small Assays
• Today many assays are performed on large populations of cells, averages are reported
• Move to single cell assays
  – Flow cytometry (Herzenbergs, Stanford)
    • 15-color cell sorter
  – Nanoliter PCR (Faris, SRI)
    • Single-cell-content PCR
  – Nanowire voltmeter (Lieber, Harvard)
    • 30 simultaneous electrical readings on single cell

Future Directions for Biomedical CPS: Extremely Fast Assays
• Today assays are performed over hours or days
• Tomorrow can we move to real-time assays?
  – Real-time (outpatient in clinic) blood assays
    • Can we tell if patient was exposed to pathogen, toxin, or radiation from a blood sample, before they leave the clinic?
  – Dialysis-like control systems
    • Can we enable more sensing and tighter controls, enabling dialysis-like treatment of sepsis, rapidly mitigate shock, etc?
  – Embedded medical devices
    • Can we enable long-term implantable medical devices to sense and actuate to improve health and wellness?
    • Insulin pumps, pacemakers, and others

Example Enabler: Really Really Rapid PCR
Greg Faris, SRI
• Laser heating of nanoliter droplets allows extremely fast polymerase chain reaction (PCR) amplification of DNA and RNA
• One of fastest PCR methods: >1000 PCR-base-pair cycles per minute; 40 amplification cycles of a 186 base pair amplicon in 370 s
• Amplification of the contents of single cell demonstrated
[Figure panels: PCR Products in Droplet Array; Real Time PCR in Single Droplet; Laser Heating of Droplet]
H. Kim, S. Dixit, C. J. Green, and G. W. Faris, “Nanodroplet real-time PCR system with laser assisted heating,” Opt. Express 17, 218-227 (2009).
H. Kim, S. Vishniakou, and G. W. Faris, “Petri dish PCR: laser-heated reactions in nanoliter droplet arrays,” Lab Chip 9, 1230-1235 (2009).

Precise Biological Actuation: Synthetic Biology
Definition of Synthetic Biology: the design and construction of new biological parts, devices, and systems, and the re-design of existing, natural biological systems for useful purposes
Synthetic Biology is a new approach to engineering biology, with an emphasis on technologies to write DNA. Foundational work, including the standardization of DNA-encoded parts and devices, enables them to be combined to create programs to control cells.

Costs of Synthetic Biology
• The longest synthesized DNA sequence has been growing on a rapid exponential curve
  – It will likely slow as the utility of many megabase sequence synthesis is limited by design tools
• More importantly, the cost of DNA sequencing is now low and continues to drop exponentially
• Also, the cost of DNA synthesis continues to drop, though somewhat more slowly

Moore’s Law & Carlson Curves

The Cost of Fablines
• The cost of production for chips (especially the capital required for a fab) is rising
  – Though not rising as fast as in the past
  – Astounding capital commitment is required (>$5B)
• The cost of production for biology is falling

Emerging Synthetic Biology Community
• Synthetic Biology 1.0, 2.0, 3.0, 4.0, 5.0
  – Led by Tom Knight, Drew Endy, and Randy Rettberg
• Growing the community from the bottom up
  – Already great international interest

Safety cases for biological systems
• Evidence-based certification for environment-critical biological systems

Assessing Risks of Synthetic Biology
• Presidential Commission for the Study of Bioethical Issues recommendation:
  – Risk Assessment Prior to Field Release
  – See: “NEW DIRECTIONS: The Ethics of Synthetic Biology and Emerging Technologies” December 2010
• Risk Assessment Prior to Field Release
  – Reasonable risk assessment should be carried out, under the National Environmental Policy Act or other applicable law, prior to field release of research organisms or commercial products involving synthetic biology technology. This assessment should include, as appropriate, plans for staging introduction or release from contained laboratory settings. Exceptions in limited cases could be considered, for example, in emergency circumstances or following a finding of substantial equivalence to approved products

Risk Assessment Prior to Field Release and Substantial Equivalence Determination
• How do we go about this?
• Living systems are wickedly complicated
• Our knowledge is extremely limited
• Our ability to accurately model and predict behaviors of a given organism is extremely limited
• Our ability to accurately predict changes in systems, such as DNA mutation, is extremely limited

Rigorous Abstract Methods Are Needed To:
• Accommodate conventional types of discrete reasoning based on experimentation
• Unambiguously define a model and allowable reasoning steps
• Provide predictive power for generating testable hypotheses

A Way Forward, How You Can Help
• Create new analysis methods for de novo biological devices, and for new technologies for equivalents
  + Evidence-based synthetic biology, formal methods, pathway logic, pathway tools
• Like the safety cases for avionics and other industries, enable reasonable procedures and practices based on rigorous scientific principles
• Enable post-release monitoring of genetically modified and synthetic organisms
  + Can we close the gap that exists in design tools in this domain?
  + Many in the Cyber-Physical-Systems community could be very helpful to this process
  + Many in the HCSS / CyberTrust communities could be helpful in ensuring privacy and security

The End