Presentation is loading. Please wait.

Presentation is loading. Please wait.

The embedded control software for a personal insulin pump

Published byBeverley Gibbs Modified over 9 years ago

Similar presentations

Presentation on theme: "The embedded control software for a personal insulin pump"— Presentation transcript:

1 The embedded control software for a personal insulin pump
Case study: Insulin pump overview

2 Case study: Insulin pump overview
Medical systems More and more medical instruments now include embedded control software. These software systems are often critical systems as a patient’s life (or at least their health) may depend on the correct and timely functioning of these systems The systems themselves are often relatively small and are therefore understandable unlike, for example, industrial control systems Many safety-critical systems such as the control system for a chemical plant or a nuclear reactor, the control software on aircraft, etc. are not price sensitive. That is, they are part of larger installations that are very expensive and that are produced in relatively small numbers. Therefore, adding to the cost through redundant hardware and software is not usually a problem. Medical devices, on the other hand, are often mass-produced devices and so have to be price-sensitive. Furthermore, they are often portable devices and so are weight sensitive and power-sensitive. They are battery powered rather than mains powered. All of this has implications for the hardware and software. The chip count must be minimised as chips add weight, cost and power drain. There is unlikely to be scope for hardware replication and software redundancy. Case study: Insulin pump overview

3 Case study: Insulin pump overview
Diabetes People with diabetes cannot make their own insulin, a hormone that is normally secreted by the pancreas. Insulin is essential to metabolise sugar and hence generate energy Currently most diabetics inject insulin 2 or more times per day, with the dose injected based on readings of their blood sugar level However, this results in artificial blood sugar fluctuations as it does not reflect the on-demand insulin production of the pancreas Current practice for diabetes control relies on the sufferer measuring the level of glucose (sugar) in their blood then using their experience to judge how much insulin they should inject. They have to make predictions of how their future level of blood glucose will be affected by planned meals, exercise, etc. Failure to control blood sugar can result in a number of nasty side-effects such as blindness, kidney failure, heart disease and circulation problems. For reasons that are almost certainly related to current lifestyles, the number of diabetics in the population has increased significantly over the past few years. It has been estimated by the World Health Organisatation that: “Diabetes cases in adults will more than double globally from 143 million in 1997 to 300 million by 2025 largely because of dietary and other lifestyle factors. “ Case study: Insulin pump overview

4 A personal insulin pump
A personal insulin pump is an external device that mimics the function of the pancreas It uses an embedded sensor to measure the blood sugar level at periodic intervals and then injects insulin to maintain the blood sugar at a ‘normal’ level. I will draw on this example at various points in the course to illustrate aspects of critical systems engineering Personal insulin pumps are currently beyond the ‘state of the art’ although I believe that larger-scale devices of this type have been developed for use in hospitals. The key difficulty (I suspect) in developing such a system is that blood sugar sensors are invasive and there are probably problems with infections in developing such a system. In future, it may be possible to measure blood sugar level by looking at secretions on the skin and this would then make automated pumps possible. Personal insulin pumps are available but these are not ‘smart’ systems and they rely on users to make decisions about how much insulin to inject and when to inject it. To read more about them, see: Case study: Insulin pump overview

5 Insulin pump hardware schematic
The arrows in this diagram means that there is some communication between these components. The controller is a software component. In fact, as we shall see later, the system has two displays plus buttons that signal the controller to take certain actions. The pump delivers a single increment of insulin on receipt of a signal pulse from the controller. Therefore, to deliver 6 insulin increments, 6 pulses are sent to the pump unit. The pump unit includes a pressure sensor so that if the needle assembly is blocked then insulin delivery will be halted Case study: Insulin pump overview

6 Activity model of the personal insulin pump
Case study: Insulin pump overview

7 Case study: Insulin pump overview
Concept of operation Using readings from an embedded sensor, the system automatically measures the level of glucose in the sufferer’s body Consecutive readings are compared and, if they indicate that the level of glucose is rising (see next slide) then insulin is injected to counteract this rise The ideal situation is a consistent level of sugar that is within some ‘safe’ band Case study: Insulin pump overview

8 Case study: Insulin pump overview
Sugar levels Unsafe A very low level of sugar (arbitrarily, we will call this 3 units) is dangerous and can result in hypoglaecemia which can result in a diabetic coma and ultimately death. Safe Between 3 units and about 7 units, the levels of sugar are ‘safe’ and are comparable to those in people without diabetes. This is the ideal band. Undesirable Above 7 units of insulin is undesirable but high levels are not dangerous in the short-term. Continuous high-levels however can result in long-term side-effects. Case study: Insulin pump overview

9 Case study: Insulin pump overview
Insulin injection The decision when to apply insulin does NOT depend on the absolute level of glucose that is measured in the sufferer’s blood. The reason for this is that insulin does not act instantaneously and the change in sugar level does not simply depend on a single injection but also on previous injections. A more complex decision based on previous levels and rate of change of sugar level is used. Case study: Insulin pump overview

10 Case study: Insulin pump overview
Injection scenarios Level of sugar is in the unsafe band Do not inject insulin; Initiate warning for the sufferer. Level of sugar is falling Do not inject insulin if in safe band. Inject insulin if rate of change of level is decreasing. Level of sugar is stable Do not inject insulin if level is in the safe band; Inject insulin if level is in the undesirable band to bring down glucose level; Amount injected should be proportionate to the degree of undesirability ie inject more if level is 20 rather than 10. Case study: Insulin pump overview

11 Case study: Insulin pump overview
Injection scenarios Level of sugar is increasing Reading in unsafe band No injection. Reading in safe band Inject only if the rate of increase is constant or increasing. If constant, inject standard amount; if increasing, compute amount based on increase. Inject constant amount if rate of increase is constant or decreasing. Inject computed amount if rate of increase is increasing. Case study: Insulin pump overview

12 Case study: Insulin pump overview
Glucose measurements Sugar level Inject Undesirable area Inject Do not inject Do not inject The decision on whether or not to inject is dependent on whether the rate of change of sugar level is increasing or decreasing and the current sugar level. Insulin is injected if the rate of change of sugar level is increasing but not if the rate of change is decreasing and the level is in the safe zone. However, it is injected if the rate of change is decreasing and the level is in the undesirable zone. If the level is falling and the rate of change is increasing, no injection. If however, the rate of change is decreasing then an injection is made if the level is in the undesirable zone Safe area Do not inject Unsafe area t1 t2 t3 Time Case study: Insulin pump overview

13 Case study: Insulin pump overview
System specification Functional specification How to carry out the computation to determine if insulin should be administered Dependability specification Requirements to ensure safe operation of the pump Case study: Insulin pump overview

14 Functional requirements
If the reading is below the safe minimum, no insulin shall be delivered. If the reading is within the safe zone, then insulin is only delivered if the level of sugar is rising and the rate of increase of sugar level is increasing. If the reading is above the recommended level, insulin is delivered unless the level of blood sugar is falling and the rate of decrease of the blood sugar level is increasing. Case study: Insulin pump overview

15 Case study: Insulin pump overview
Formal specification Because of the complexity of the functional specification, there is considerable scope for misinterpretation This system is an example where formal specification can be used to define the insulin to be delivered in each case Case study: Insulin pump overview

16 Dependability specification
Availability The pump should have a high level of availability but the nature of diabetes is such that continuous availability is unnecessary Reliability Intermittent demands for service are made on the system Safety The key safety requirements are that the operation of the system should never result in a very low level of blood sugar. A fail-safe position is for no insulin to be delivered Security Not really applicable in this case Case study: Insulin pump overview

17 Case study: Insulin pump overview
System availability In specifying the availability, issues that must be considered are: The machine does not have to be continuously available as failure to deliver insulin on a single occasion (say) is not a problem However, no insulin delivery over a few hours would have an effect on the patient’s health The machine software can be reset by switching it on and off hence recovery from software errors is possible without compromising the usefulness of the system Hardware failures can only be repaired by return to the manufacturer. This means, in practice, a loss of availability of at least 3 days Case study: Insulin pump overview

18 Case study: Insulin pump overview
Availability A general specification of availability suggests that the machine should not have to be returned to the manufacturer more than once every year years (this repair time dominates everything else) so System availability = 727/730 *100 = 0.99 It is much harder to specify the software availability as the demands are intermittent. In this case, you would subsume availability under reliability Case study: Insulin pump overview

19 Case study: Insulin pump overview
Reliability metric Demands on the system are intermittent (several times per hour) and the system must be able to respond to these demands In this case, the most appropriate metric is therefore Probability of Failure on Demand Other metrics Short transactions so MTTF not appropriate Insufficient number of demands for ROCOF to be appropriate Case study: Insulin pump overview

20 Case study: Insulin pump overview
System failures Transient failures can be repaired by user actions such as resetting or recalibrating the machine. For these types of failure, a relatively low value of POFOD (say ) may be acceptable. This means that one failure may occur in every 500 demands made on the machine. This is approximately once every 3.5 days. Permanent failures require the machine to be repaired by the manufacturer. The probability of this type of failure should be much lower. Roughly once a year is the minimum figure so POFOD should be no more than Case study: Insulin pump overview

21 System hazard analysis
Physical hazards Hazards that result from some physical failure of the system Electrical hazards Hazards that result from some electrical failure of the system Biological hazards Hazards that result from some system failure that interferes with biological processes Case study: Insulin pump overview

22 Insulin system hazards
insulin overdose or underdose (biological) power failure (electrical) machine interferes electrically with other medical equipment such as a heart pacemaker (electrical) parts of machine break off in patient’s body(physical) infection caused by introduction of machine (biol.) allergic reaction to the materials or insulin used in the machine (biol). Case study: Insulin pump overview

23 Case study: Insulin pump overview
Risk analysis example Case study: Insulin pump overview

24 Software-related hazards
Only insulin overdose and insulin underdose are software related hazards The other hazards are related to the hardware and physical design of the machine Insulin underdose and insulin overdose can be the result of errors made by the software in computing the dose required Case study: Insulin pump overview

25 Case study: Insulin pump overview
Software problems Arithmetic error Some arithmetic computation causes a representation failure (overflow or underflow) Specification may state that arithmetic error must be detected and an exception handler included for each arithmetic error. The action to be taken for these errors should be defined Algorithmic error Difficult to detect anomalous situation May use ‘realism’ checks on the computed dose of insulin Case study: Insulin pump overview

26 Insulin pump fault tree

27 General dependability requirements
SR1: The system shall not deliver a single dose of insulin that is greater than a specified maximum dose for a system user. SR2: The system shall not deliver a daily cumulative dose of insulin that is greater than a specified maximum for a system user. SR3: The system shall include a hardware diagnostic facility that should be executed at least 4 times per hour. SR4: The system shall include an exception handler for all of the exceptions that are identified in Table 3. SR5: The audible alarm shall be sounded when any hardware anomaly is discovered and a diagnostic message as defined in Table 4 should be displayed. Case study: Insulin pump overview

28 Case study: Insulin pump overview
Safety proofs Safety proofs are intended to show that the system cannot reach in unsafe state Weaker than correctness proofs which must show that the system code conforms to its specification Generally based on proof by contradiction Assume that an unsafe state can be reached Show that this is contradicted by the program code Case study: Insulin pump overview

29 Insulin delivery system
Safe state is a shutdown state where no insulin is delivered If hazard arises,shutting down the system will prevent an accident Software may be included to detect and prevent hazards such as power failure Consider only hazards arising from software failure Arithmetic error The insulin dose is computed incorrectly because of some failure of the computer arithmetic Algorithmic error The dose computation algorithm is incorrect Case study: Insulin pump overview

30 Case study: Insulin pump overview
Arithmetic errors Use language exception handling mechanisms to trap errors as they arise Use explicit error checks for all errors which are identified Avoid error-prone arithmetic operations (multiply and divide). Replace with add and subtract Never use floating-point numbers Shut down system if exception detected (safe state) Case study: Insulin pump overview

31 Case study: Insulin pump overview
Algorithmic errors Harder to detect than arithmetic errors. System should always err on the side of safety Use reasonableness checks for the dose delivered based on previous dose and rate of dose change Set maximum delivery level in any specified time period If computed dose is very high, medical intervention may be necessary anyway because the patient may be ill Case study: Insulin pump overview

32 Case study: Insulin pump overview
Insulin delivery code Case study: Insulin pump overview

33 Informal safety argument
Case study: Insulin pump overview

34 Case study: Insulin pump overview
System testing System testing of the software has to rely on simulators for the sensor and the insulin delivery components. Test for normal operation using an operational profile. Can be constructed using data gathered from existing diabetics Testing has to include situations where rate of change of glucose is very fast and very slow Test for exceptions using the simulator Case study: Insulin pump overview

35 Case study: Insulin pump overview
Safety assertions Predicates included in the program indicating conditions which should hold at that point. May be based on pre-computed limits e.g. number of insulin pump increments in maximum dose. Used in formal program inspections or may be pre-processed into safety checks that are executed when the system is in operation. Case study: Insulin pump overview

36 Case study: Insulin pump overview
Safety assertions Case study: Insulin pump overview

Download ppt "The embedded control software for a personal insulin pump"

Similar presentations

©Ian Sommerville 2000CS 365 Critical Systems ValidationSlide 1 Chapter 21 Critical Systems Validation.

©Ian Sommerville 2000CS 365 Critical Systems ValidationSlide 1 Chapter 21 Critical Systems Validation.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 2.
Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.

Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
Figures – Chapter 12.

Figures – Chapter 12.
SWE Introduction to Software Engineering

SWE Introduction to Software Engineering
Critical Systems Specification

Critical Systems Specification
Modified from Sommerville’s originalsSoftware Engineering, 7th edition. Chapter 9 Slide 1 Critical Systems Specification.

Modified from Sommerville’s originalsSoftware Engineering, 7th edition. Chapter 9 Slide 1 Critical Systems Specification.
Modified from Sommerville’s originals Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.

Modified from Sommerville’s originals Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.
©Ian Sommerville 2000Software Engineering, 6/e, Chapter 91 Formal Specification l Techniques for the unambiguous specification of software.

©Ian Sommerville 2000Software Engineering, 6/e, Chapter 91 Formal Specification l Techniques for the unambiguous specification of software.
Soft. Eng. II, Spr. 2002Dr Driss Kettani, from I. Sommerville1 CSC-3325: Chapter 9 Title : Reliability Reading: I. Sommerville, Chap. 16, 17 and 18.

Soft. Eng. II, Spr. 2002Dr Driss Kettani, from I. Sommerville1 CSC-3325: Chapter 9 Title : Reliability Reading: I. Sommerville, Chap. 16, 17 and 18.
SWE Introduction to Software Engineering

SWE Introduction to Software Engineering
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 9 Slide 1 Critical Systems Specification.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 9 Slide 1 Critical Systems Specification.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 10 Slide 1 Formal Specification.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 10 Slide 1 Formal Specification.
©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 1 An automated insulin pump.

©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 1 An automated insulin pump.
©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 1 The portable insulin pump Developing a dependability specification for the.

©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 1 The portable insulin pump Developing a dependability specification for the.
©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.

©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.
CIS 376 Bruce R. Maxim UM-Dearborn

CIS 376 Bruce R. Maxim UM-Dearborn

Similar presentations

Ads by Google