Prof. Dr. Mr. Matthias Wagner -Chairman, High Integrity Systems(Masters)
TEAM PARTNERS: B.RAVI KUMAR MOHAMMED SARFARAZ KHAN (MSK) RISHU SETH SOHAM KULKARNI MOHAMMAD TARIQUE ABDULLAH
•What is diabetes?•Short and long term consequences of diabetes
no insulin production insufficient insulin production resistance to insulin‟s effectsNo insulin to move glucose from blood into cells: high blood glucose means:fuel loss. cells starveshort and long-term complications
• People with diabetes cannot make their owninsulin, a hormone that is normally secreted by thepancreas. Insulin is essential to metabolise sugar andhence generate energy• Currently most diabetics inject insulin 2 or moretimes per day, with the dose injected based onreadings of their blood sugar level• However, this results in artificial blood sugarfluctuations as it does not reflect the on-demandinsulin production of the pancreas
• UnsafeA very low level of sugar (arbitrarily, we will call this 3 units) isdangerous and can result in hypoglaecemia which can result in adiabetic coma and ultimately death.• SafeBetween 3 units and about 7 units, the levels of sugar are „safe‟ andare comparable to those in people without diabetes. This is the idealband.• UndesirableAbove 7 units of insulin is undesirable but high levels are notdangerous in the short-term. Continuous high-levels however canresult in long-term side-effects.
• Simulation of an Automated InsulationPump which would check glucose levels atregular intervals and inject the requiredinsulin
•Design validationChecking the design to ensure that hazards do notarise or that they can be handled without causing anaccident.•Code validationTesting the system to check the conformance of thecode to its specification and to check that the code is atrue implementation of the design.•Run-time validationDesigning safety checks while the system is inoperation to ensure that it does not reach an unsafestate.
• System testing of the software has to rely onsimulators for the sensor and the insulin deliverycomponents.• Test for normal operation using an operationalprofile. Can be constructed using data gatheredfrom existing diabetics• Testing has to include situations where rate ofchange of glucose is very fast and very slowTest for exceptions using the simulator
• A personal insulin pump is an external device thatmimics the function of the pancreas• It uses an embedded sensor to measure the bloodsugar level at periodic intervals and then injectsinsulin to maintain the blood sugar at a „normal‟level.
“Insulin pump therapy is considered as a treatmentoption for people with Type1 diabetes for whommultiple dose insulin therapy has failed and whohave the commitment and competence to use CSIItherapy effectively”Feb 2003
• Availability-It is important that the system should be available to deliver insulinwhen required• Reliability-It is important that the system performs reliably and delivers thecorrect amount of insulin to compensate for the current level ofblood sugar• Safety-A system failure that resulted in excessive doses of insulin beingdelivered could threaten the life of the user
• Data flow model of software-controlled insulinpump
• Using readings from the embedded sensor, thesystem automatically measures the level of glucosein the sufferer‟s body• Consecutive readings are compared and, if theyindicate that the level of glucose is rising (see nextslide) then insulin is injected to counteract this rise• The ideal situation is a consistent level of sugarthat is within some „safe‟ band
Level of sugar is increasing Reading in unsafe band No injection. Reading in safe band Inject only if the rate of increase is constant orincreasing. If constant, inject standard amount; ifincreasing, compute amount based on increase. Reading in unsafe band Inject constant amount if rate of increase is constant ordecreasing. Inject computed amount if rate of increase is increasing
Basal rates changed half hourly Adjusted in 0.05 unit increments Temporary basal feature Boluses calculated on BG level, CHO, insulinsensitivity, active insulin Boluses -immediate or protracted Can be adjusted in 0.1unit increments
Provide adjustable, constant, SQ insulininfusion via a small plastic cannula which isleft in place under the skin for several days. Are a pager-sized device which is worn on theoutside of the body
Safe state is a shutdown state where no insulin isdelivered If hazard arises,shutting down the system will prevent anaccident Software may be included to detect and preventhazards such as power failure Consider only hazards arising from software failure Arithmetic error The insulin dose is computed incorrectlybecause of some failure of the computer arithmetic Algorithmic error The dose computation algorithm is incorrect
insulin overdose or underdose (biological) power failure (electrical) machine interferes electrically with other medicalequipment such as a heart pacemaker (electrical) parts of machine break off in patient‟sbody(physical) infection caused by introduction of machine (biol.) allergic reaction to the materials or insulin used inthe machine (biol).
Predicates included in the program indicatingconditions which should hold at that point. May be based on pre-computed limits e.g.number of insulin pump increments inmaximum dose. Used in formal program inspections or may bepre-processed into safety checks that areexecuted when the system is in operation.
Safety proofs are intended to show that thesystem cannot reach in unsafe state Weaker than correctness proofs which mustshow that the system code conforms to itsspecification Generally based on proof by contradiction Assume that an unsafe state can be reached Show that this is contradicted by the program code
Fairly recent technology Generally fairly easy to use Requires close patient involvement More thinking and monitoring than insulin bysyringe 300,000 users worldwide
Open loop: user gathers sugar data and adjustsflow rates for activity, diet, other changes insugar Closed loop: the device checks sugar andadjusts insulin infusion
Difficult to control diabetes Active lifestyle/no time for injections Committed to tight glucose control Able to recognize and manage problems withdevice Willing to monitor sugars closely and adjustinsulin and diet
Blood sugar level is higher than it should be,for no apparent reason. Failure of sugar to respond when bolus dosegiven
Out of insulin? Is the pump leaking? Is the connection between the tubing and thepump cartridge tight? Is the hub connection cracked? Can you smell insulin anywhere? (hint: Insulinsmells like Band Aids) Can you see insulin drip from the end of theinfusion set if you disconnect and do a bolus?
Lack of problem with device. Tissue abnormality Redness/pain/heat Hard tissue/scarring Kinked cannula Old site Improper depth/too near muscle/wrong angle Air in line Tube disconnected