1. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 1 The portable insulin pump Developing a dependability specification for the insulin pump

2. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 2 Dependability attributes l Availability The pump should have a high level of availability but the nature of diabetes is such that continuous availability is unnecessary l Reliability Intermittent demands for service are made on the system l Safety The key safety requirements are that the operation of the system should never result in a very low level of blood sugar. A fail-safe position is for no insulin to be delivered l Security Not really applicable in this case

3. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 3 System availability l In specifying the availability, issues that must be considered are: The machine does not have to be continuously available as failure to deliver insulin on a single occasion (say) is not a problem However, no insulin delivery over a few hours would have an effect on the patient’s health The machine software can be reset by switching it on and off hence recovery from software errors is possible without compromising the usefulness of the system Hardware failures can only be repaired by return to the manufacturer. This means, in practice, a loss of availability of at least 3 days

4. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 4 Availability l A general specification of availability suggests that the machine should not have to be returned to the manufacturer more than once every year years (this repair time dominates everything else) so System availability = 727/730 *100 = 0.99 l It is much harder to specify the software availability as the demands are intermittent. In this case, you would subsume availability under reliability

5. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 5 Reliability metric l Demands on the system are intermittent (several times per hour) and the system must be able to respond to these demands l In this case, the most appropriate metric is therefore Probability of Failure on Demand l Other metrics Short transactions so MTTF not appropriate Insufficient number of demands for ROCOF to be appropriate

6. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 6 System failures l Transient failures can be repaired by user actions such as resetting or recalibrating the machine. For these types of failure, a relatively low value of POFOD (say 0.002) may be acceptable. This means that one failure may occur in every 500 demands made on the machine. This is approximately once every 3.5 days. l Permanent failures require the machine to be repaired by the manufacturer. The probability of this type of failure should be much lower. Roughly once a year is the minimum figure so POFOD should be no more than 0.00002.

7. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 7 System hazard analysis l Physical hazards Hazards that result from some physical failure of the system l Electrical hazards Hazards that result from some electrical failure of the system l Biological hazards Hazards that result from some system failure that interferes with biological processes

8. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 8 l insulin overdose or underdose (biological) l power failure (electrical) l machine interferes electrically with other medical equipment such as a heart pacemaker (electrical) l parts of machine break off in patient’s body(physical) l infection caused by introduction of machine (biol.) l allergic reaction to the materials or insulin used in the machine (biol). Insulin system hazards

9. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 9 Risk analysis example

10. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 10 Software-related hazards l Only insulin overdose and insulin underdose are software related hazards l The other hazards are related to the hardware and physical design of the machine l Insulin underdose and insulin overdose can be the result of errors made by the software in computing the dose required

11. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 11 Software problems l Arithmetic error Some arithmetic computation causes a representation failure (overflow or underflow) Specification may state that arithmetic error must be detected and an exception handler included for each arithmetic error. The action to be taken for these errors should be defined l Algorithmic error Difficult to detect anomalous situation May use ‘realism’ checks on the computed dose of insulin

12. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 12 Insulin pump fault tree

13. ©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 13 General dependability requirements SR1: The system shall not deliver a single dose of insulin that is greater than a specified maximum dose for a system user. SR2: The system shall not deliver a daily cumulative dose of insulin that is greater than a specified maximum for a system user. SR3: The system shall include a hardware diagnostic facility that should be executed at least 4 times per hour. SR4: The system shall include an exception handler for all of the exceptions that are identified in Table 3. SR5: The audible alarm shall be sounded when any hardware anomaly is discovered and a diagnostic message as defined in Table 4 should be displayed.