Published by Loreen Ford. Modified over 8 years ago.
1
An insulin pump
2
Needle assembly: Connected to the pump. The component used to deliver insulin into the diabetic’s body.
3
An insulin pump
Sensor: Measures the level of glucose in the user’s blood. The input from the sensor is represented by reading? in the formal specification.
4
An insulin pump
Pump: Pumps insulin from the reservoir to the needle assembly. The value represents the dose in the formal specification.
5
An insulin pump
Controller: Controls the entire system. Has an on/off switch plus a button to set the amount to be delivered.
6
An insulin pump
Alarm: Goes off if there is some problem. The value sent to the alarm is represented by alarm!
7
An insulin pump
Displays: There are two displays. One (reading1!) displays the last measured blood sugar reading and the other (reading1!) displays status.
8
An insulin pump
Clock: Provides the controller with the current time.
9
Insulin Pump Schema
Insulin_Pump
  reading? : ℕ
  dose, cumulative_dose: ℕ
  r0, r1, r2: ℕ
  capacity: ℕ
  alarm!: (on, off)
  pump!: ℕ
  display1!, display2!: STRING
  --------
  dose ≤ capacity ∧ dose ≤ 5 ∧ cumulative_dose ≤ 50
  capacity ≥ 40 ⇒ display! = “”
  capacity ≤ 39 ∧ capacity ≥ 10 ⇒ display! = “Insulin low”
  capacity ≤ 9 ⇒ alarm! = on ∧ display! = “Insulin very low”
  r2 = reading?
10
Insulin Pump Schema (Insulin_Pump schema repeated from slide 9). Callout: State variables
11
Insulin Pump Schema (Insulin_Pump schema repeated from slide 9). Callout: Schema invariant
12
Insulin Pump Schema (Insulin_Pump schema repeated from slide 9). Callout: display1 shows the status of the insulin reservoir
13
Modelling the insulin pump
The schema models the insulin pump as a number of state variables
–reading?
–dose, cumulative_dose
–r0, r1, r2
–capacity
–alarm!
–pump!
–display1!, display2!
14
Schema invariant
Each Z schema has an invariant part which defines conditions that are always true.
For the insulin pump schema it is always true that
–The dose must be less than or equal to the capacity of the insulin reservoir.
–No single dose may be more than 5 units of insulin and the total dose delivered in a time period must not exceed 50 units of insulin. This is a safety constraint.
–display1! shows the status of the insulin reservoir.
15
The dosage computation
The insulin pump computes the amount of insulin required by comparing the current reading with two previous readings.
If these suggest that blood glucose is rising then insulin is delivered.
Information about the total dose delivered is maintained to allow the safety check invariant to be applied.
Note that this invariant always applies - there is no need to repeat it in the dosage computation.
16
Dosage Computation
DOSAGE
  ∆ Insulin_Pump
  --------
  (
    dose = 0 ∧
      (
        ((r1 ≥ r0) ∧ (r2 = r1)) ∨
        ((r1 > r0) ∧ (r2 ≤ r1)) ∨
        ((r1 < r0) ∧ ((r1 – r2) > (r0 – r1)))
      ) ∨
    dose = 4 ∧
      (
        ((r1 ≤ r0) ∧ (r2 = r1)) ∨
        ((r1 < r0) ∧ ((r1 – r2) ≤ (r0 – r1)))
      ) ∨
    dose = 4 * (r2 – r1) ∧
      (
        ((r1 ≤ r0) ∧ (r2 > r1)) ∨
        ((r1 > r0) ∧ ((r1 – r2) ≥ (r0 – r1)))
      )
  )
  capacity’ = capacity – dose
  cumulative_dose’ = cumulative_dose + dose
  r0’ = r1 ∧ r1’ = r2
17
Dosage Computation (DOSAGE schema repeated from slide 16). Callout: Calculate dose by comparing the current reading with previous two readings
18
Dosage Computation (DOSAGE schema repeated from slide 16). Callout: Insulin is delivered if the rate of change is NOT decreasing.
19
Dosage Computation (DOSAGE schema repeated from slide 16). Callout: Update state variables
20
Dosage Computation (DOSAGE schema repeated from slide 16). Callout: Invariant always applies – no need to repeat it again
21
Output schemas
The output schemas model the system displays and the alarm that indicates some potentially dangerous condition.
The output displays show the dose computed and a warning message.
The alarm is activated if blood sugar is very low - this indicates that the user should eat something to increase their blood sugar level.
22
Output schemas
DISPLAY
  ∆ Insulin_Pump
  --------
  display2!’ = Nat_to_string(dose)
  (reading? < 3 ⇒ display1!’ = “Sugar low”
   reading? > 30 ⇒ display1!’ = “Sugar high”
   reading? ≥ 3 ∧ reading? ≤ 30 ⇒ display1!’ = “OK”)
23
Output schemas
ALARM
  ∆ Insulin_Pump
  --------
  (reading? < 3 ∨ reading? > 30) ⇒ alarm!’ = on
  (reading? ≥ 3 ∧ reading? ≤ 30) ⇒ alarm!’ = off
24
Schema consistency
It is important that schemas are consistent. Inconsistency suggests a problem with the system requirements.
The INSULIN_PUMP schema and the DISPLAY schema are inconsistent
–display1! shows a warning message about the insulin reservoir (INSULIN_PUMP)
–display1! shows the state of the blood sugar (DISPLAY)
This must be resolved before implementation of the system.
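The same kind of consistency check can be run mechanically on the DOSAGE schema against the dose ≤ 5 invariant. The following is an added example, not part of the original slides: it transcribes the DOSAGE predicate into Python and enumerates small reading triples to find cases where the schema allows more than one dose, or allows only a dose the invariant forbids. The function names are hypothetical, and the third dose = 0 clause is an assumed reading of a damaged spot in the slide text.

```python
from itertools import product

MAX_SINGLE_DOSE = 5  # invariant from Insulin_Pump: dose <= 5


def admissible_doses(r0, r1, r2):
    """Return every dose the DOSAGE predicate allows for readings r0, r1, r2."""
    doses = set()
    # dose = 0 (third clause is an assumed reading of damaged slide text)
    if ((r1 >= r0 and r2 == r1) or (r1 > r0 and r2 <= r1)
            or (r1 < r0 and (r1 - r2) > (r0 - r1))):
        doses.add(0)
    # dose = 4
    if (r1 <= r0 and r2 == r1) or (r1 < r0 and (r1 - r2) <= (r0 - r1)):
        doses.add(4)
    # dose = 4 * (r2 - r1)
    if (r1 <= r0 and r2 > r1) or (r1 > r0 and (r1 - r2) >= (r0 - r1)):
        doses.add(4 * (r2 - r1))
    # dose is declared as a natural number, so negative values are excluded
    return {d for d in doses if d >= 0}


def check_dosage(max_reading):
    """Exhaustively classify all reading triples in 0..max_reading."""
    findings = {"ambiguous": [], "over_limit": [], "no_safe_dose": []}
    for triple in product(range(max_reading + 1), repeat=3):
        doses = admissible_doses(*triple)
        safe = {d for d in doses if d <= MAX_SINGLE_DOSE}
        if len(doses) > 1:      # predicate does not fix a single dose
            findings["ambiguous"].append(triple)
        if doses - safe:        # predicate allows a dose the invariant forbids
            findings["over_limit"].append(triple)
        if not safe:            # no dose satisfies predicate and invariant
            findings["no_safe_dose"].append(triple)
    return findings


if __name__ == "__main__":
    for kind, triples in check_dosage(10).items():
        print(f"{kind}: {len(triples)} triples, e.g. {triples[:3]}")
```

For readings in 0..10 the findings include (5, 5, 5), where both dose = 0 and dose = 4 are allowed, and (5, 5, 8), where the only computed dose, 12, breaks the dose ≤ 5 invariant.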