Insulin Pump System Design



Similar documents
27 Formal Specification

The portable insulin pump. Developing a dependability. pump

The following information can be output as speech: status of the teacher / student connection. time markers of the timers.

A Methodology for Safety Critical Software Systems Planning

Applying Use Cases to Microcontroller Code Development. Chris Gilbert Cypress Semiconductor

Design of an Insulin Pump. Purpose of an Insulin Pump:

How to design an insulin pump

B. Braun Space GlucoseControl (SGC)

Architectural Design Structured Design. Xin Feng

Nicholas Mezei CSCI 6448 OOA&D Homework #3: Use Cases. Use Case Diagram: Home Security System. Alarm System

HAM841K ALARM CONTROL PANEL FOR COMMERCIAL AND RESIDENTIAL SECURITY SYSTEMS

NELSON VOLTAGE MONITOR INSTALLATION & PROGRAMMING MANUAL

AUTODIALLER / QUICKDIALLER - SA132

Controller Automation, Model II+

Design Document For Insulin Pump (Version 1.1)

Design and Implementation of an Accidental Fall Detection System for Elderly

MTS Power Products MIAMI FL ATS-22AG. Automatic Transfer Switch And Control PLC Operator s Manual

Developing software which should never compromise the overall safety of a system

Object Oriented Programming. Risk Management

ezsystem elab16m Project 1F: Alarm System (Full Project description)

INF-USB2 and SI-USB Quick Start Guide

B.IQ push button 3-5gang with room thermostat and display V2, flush-mounted x, x, x

SECTION 13XXX CONTROL DESCRIPTION (DICP Models NC, 412, 622, 826, 1030)

IMS Online Max. Clocking settings & warnings. Administrator Guide

Adding Pneumatic Preset Counter. Type 497. Continuously visible preset Integrated pneumatic reset 3 or 5-digit display Convenient button setting

Chapter 1- Introduction. Lecture 1

Programmable Logic Controllers Definition. Programmable Logic Controllers History

AUTOMATIC TRANSFER SWITCH CONTROL UNIT OPERATOR S MANUAL

LP Series Lighting Control Panel Programming Instructions

Software Requirements. Objectives

(Refer Slide Time: 00:01:16 min)

Software Engineering. System Modeling

WA Manager Alarming System Management Software Windows 98, NT, XP, 2000 User Guide

ELIXIR LOAD BALANCER 2

DC1100 & 1400 Energy Controllers. Satchwell DC1100 & DC1400 for energy-efficient temperature control in smaller buildings.

Digital Systems Based on Principles and Applications of Electrical Engineering/Rizzoni (McGraw Hill

Application of Android OS as Real-time Control Platform**

Model 5511 Filler Controller User s Manual Version 1.1 October 2011

OWNERS MANUAL. Status Monitor. for Windows 95, 98, ME, NT 4, 2000 & XP. SIGNALCRAFTERS TECH, INC.

How to Plan a Successful Load Testing Programme for today s websites

Software Requirements

Requirement Engineering

Infrared Digital Scouting Camera. User s Manual Pocket Camera

The Concept of State in System Theory

Regatta Master Watch_W012. Watch Instructions

oxigen system Slot.it oxigen timing RMS installation Dongle driver installation 1/ 11 Race Management Software

Operational Overview and Controls Guide

Sofware Requirements Engineeing

Software Requirements. Objectives. Topics covered

Industrial Process Automation (Exercise)

Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset)

Elite 8D/Lite Version 8 Zone Controller. Arrowhead Alarm Products Ltd. Operating Guide. Proudly Designed and Manufactured in New Zealand

Automation and Systems Technology. LABCONTROL TFM/TPM User Manual TroxMConnect Operating Software. 1. Introduction Software Installation 2

Device Equivalence Evaluation Form

SMS Alarm Messenger. Setup Software Guide. SMSPro_Setup. Revision [Version 2.2]

Fig 3. PLC Relay Output

How To Test Automatically

Basics of VTune Performance Analyzer. Intel Software College. Objectives. VTune Performance Analyzer. Agenda

Elvey is a leading distributor of electronic security equipment in Africa. Our vision is to assist in the protection of people and property by

Programmable Logic Controllers

Real-Time Systems Prof. Dr. Rajib Mall Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

SOFTWARE DEVELOPMENT USING SPECIFICATION AND DESCRIPTION LANGUAGE REAL TIME

Timer Value IRQ IACK

EE 42/100 Lecture 24: Latches and Flip Flops. Rev B 4/21/2010 (2:04 PM) Prof. Ali M. Niknejad

Software Requirements. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 6 Slide 1

S3 Performance Monitor Operation

Creating the program. TIA Portal. SIMATIC Creating the program. Loading the block library. Deleting program block Main [OB1] Copying program blocks

How To Control A Car Alarm On A Car With A Remote Control System

REMOTE CONTROL MANUAL

3. Add an Event: Alarm Alarm 0 a. Add an Action: Set Variable i. Applies to: Self ii. Variable: time_left iii. Value: +1 iv. Check the Relative box

Let s put together a Manual Processor

How to Test a Combi Control Unit

KS3 Computing Group 1 Programme of Study hours per week

FASTEMS SOFTWARE. For maximum Performance

IP Box Camera ACM Ver Hardware User s Manual

OPERATING INSTRUCTIONS SECURITY SYSTEM KIT NO.: 08E51-EP American Honda Motor Co., Inc. - All Rights Reserved. 1

Chapter 1- Introduction. Lecture 1

Gigabyte Content Management System Console User s Guide. Version: 0.1

Project Development & Software Design

Event Log. Chapter 7 Event Log Event Log Management Excel Editing Create a New Event Log... 9

PRODUCT MANUAL IRSC. IRSC-Plus. Air-Conditioning controller ZN1CL-IRSC. Program version: 5.14 Manual edition: 5.14_a

Describe the Create Profile dialog box. Discuss the Update Profile dialog box.examine the Annotate Profile dialog box.

A Visualization System and Monitoring Tool to Measure Concurrency in MPICH Programs

New Supervisory Control and Data Acquisition (SCADA) Based Fault Isolation System for Low Voltage Distribution Systems

PROGRAMMABLE LOGIC CONTROLLERS Unit code: A/601/1625 QCF level: 4 Credit value: 15 OUTCOME 3 PART 1

Designing a Home Alarm using the UML. And implementing it using C++ and VxWorks

Development of a Simple Sound Activated Burglar Alarm System

WITURA CORPORATION SDN BHD

LiteKeeper 4 & 8 Programming Guide and User Manual

Discrete-Event Simulation

Ladder and Functional Block Programming

Insulin pump therapy aiming for better blood glucose control in people with type 1 diabetes

User Manual. Humidity-Temperature Chart Recorder. Model RH520

Lecture 2. Anis Koubaa

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Transcription:

Insulin Pump System Design Introduction The insulin pump system is a portable, automated insulin pump which is used by diabetics to administer insulin as and when they require it at regular, periodic intervals. This document illustrates the important design decisions that were made during the production of both the insulin pump software and the simulator. Approach to implementation The overall approach used to produce the insulin pump software was to emulate the hardware organisation by producing separate software objects (classes) for each distinguishable hardware object. Of all of these software objects the controller object is where the bulk of the computation within the system is carried. It is within the controller that the dose of insulin to be delivered is computed and where the self tests are performed. Working in together with the controller object there is a clock object which runs in a thread, constantly determining how much time has lapsed since the software was started or the timer was reset (which happens every 24 hours). Then periodically, at every interval specified the clock triggers certain events required to be performed by the system. In order to present information to the user, a software object called display is used to create a graphical user interface (GUI), the data is then presented to the user via text boxes positioned on the GUI. The remaining software objects model the peripheral hardware units, the software contained within these objects simply records the current state of the hardware unit and for the purpose of simulation, provides the functionality to change that state. Together the aforementioned objects combine to produce the working insulin pump system. However one other object is also provided, the simulator software object. This object runs in a thread parallel to the insulin pump software and provides the user with the functionality to perform a simulation of real-world events that would affect the pump software in differing manners. The simulator facilitates the testing process, making it quicker and easier to perform the necessary testing required in order to determine whether the insulin pump system is adequately safe.

Object Interaction Object classes Object classes, represented here in UML, detail the make up of the objects within the system. The objects are represented by three sections: 1. The name of the object class 2. The class attributes 3. The operations associated with the object class Controller Status RemainingInsulin maxdailydose maxsingledose mindose safemin safemax compdose cumulativedose reading0 reading1 reading2 changestate(state) setdose(dose) resetcumulativedose() updateclock(seconds) insulinreplaced() isdeliveryworking() setdeliveryworking(working) manualbuttonpressed() Display mode clocktextbox outputtextbox dosetextbox manualdeliverybutton changemodebutton Main(args) addnotify() displaydose() updateclock() Clock secondselapsed Run() displayoutput() Sensor sensorworking currentreading issensorworking() setsensorworking(working) getreading() setreading(bloodsugarlevel) PowerSupply batterylevelok isbatterylevelok() setbatterylevel() Simulator usersinput Run() NeedleAssembly needlepresent isneedlepresent() setneedlepresent() InsulinPump pumpworking quantitytodeliver ispumpworking() deliverinsulin() InsulinReservoir insulinpresent isinsulinpresent() replaceinsulin()

Object Interaction Sequence Diagrams In order to illustrate the sequence of object interactions that occurs in the insulin pump software the following sequence diagrams have been produced: Sequence of object interactions involved in the automatic delivery of insulin The diagram assumes that a reading has already been given to the Sensor object before the clock begins the sequence of interactions. :Clock Controller Sensor Display changestate(run) getreading() Compute and Deliver dose The final two sequences show how information that is intent to be output to the user is initially passed to the clock object where it is stored in a buffer. The contents of this buffer are then continually displayed to the user one after another for a period of five seconds each. Sequence of object interactions involved in the manual delivery of insulin ModeBut(event) Display Controller :Clock Administer InsulinBut(event) 5 seconds statechange(manual) Compute and Deliver dose

The diagram shows that after the user has switched the insulin pump system to the manual mode they must then input how much insulin they wish to administer, this is done so by pressing the AdministerInsulinBut button as many times as is required in a five second period. Algorithm to compute insulin dose When the insulin pump is in automatic mode, the software periodically determines (using the blood sugar level readings) the dose of insulin that should be administered to the user. This is the functionality provided by the insulin pump software that ensures the system is considered to be a safety critical system. Therefore it is advantageous to more closely examine the algorithm that performs this task and produce a safety argument, in order to determine it is adequately safe. Before the blood sugar level is read in, a safety check is performed to determine that the system status is correct and that the mode is set to Auto: if (mandeliverybutpressed == false) if (status!= ERROR && remaininginsulin >= maxsingledose && cumulativedose < maxdailydose) If these requirements are met then the blood sugar level can be read in: reading2 = Sensor.getReading(); Once the blood sugar level has been read in, the system must determine whether this level represents that the sugar level is too low, at a safe level or is too high. In order to do this the current reading is checked against the safe minimum and safe maximum blood levels defined. Check if sugar level is low: if (reading2 < safemin) if sugar level is safe: else if (reading2 >= safemin && reading2 <= safemax) or if sugar level is too high: else if (reading2 > safemax) Depending on the outcome of these tests, one of three execution paths is taken, they are:

Execution path if sugar level is low compdose = 0; alarm_on = true; status = WARNING; pumptimer.displayoutput("sugar Low"); If the blood sugar level is less than the safe minimum then the dose computed to be delivered is 0, the alarm is set to be activated, the status of the system is set to warning and the user is displayed a warning message reading Sugar Low. Execution path if sugar level is safe If the sugar level is deemed to be safe then the current reading is compared against the previous reading in order to determine whether, since the previous reading the blood sugar level is stable or falling, if it is then the dose computed to be administered is set to 0: if (reading2 <= reading1) compdose = 0; If this is not the case then the sugar level must be rising and a relative dose of insulin must be calculated to attempt to prevent any further increase in the sugar level: // If rate of increase is falling if ((reading2 - reading1) < (reading1 - reading0)) compdose = 0; // If rate of increase is increasing else if ((reading2 - reading1) >= (reading1 - reading0)) // If dose is rounded to zero, deliver the min dose if ((reading2 - reading1) / 4 == 0) //set the amount to deliver to the min dose compdose = mindose; else if ((reading2 - reading1) / 4 > 0) //Set the amount to deliver compdose = (reading2 - reading1) / 4;

Once it has been determined that an increase has occurred, the first test the software performs is to check whether the rate of increase is falling overall. If it is then the dose computed to be administered is set to 0. Otherwise, the software then proceeds to ensure that the rate is therefore increasing, if it is then a dose to be administered is computed depending on the severity of the increase. If the rate of increase is not severe enough to be rounded to higher number than 0 then the minimum dose is administered. Execution path if sugar level is too high If the sugar level is otherwise deemed to be too high the following code is executed: // If Sugar level increasing if (reading2 > reading1) // If dose is rounded to zero, deliver the min dose if ((reading2 - reading1) / 4 == 0) compdose = mindose; else if ((reading2 - reading1) / 4 > 0) //Set the amount to deliver compdose = (reading2 - reading1) / 4; // If the Sugar level is stable else if (reading2 == reading1) compdose = mindose; // If the Sugar level is falling else if (reading2 < reading1) // If rate of decrease increasing if ((reading2 - reading1) <= (reading1 - reading0)) compdose = 0; // If rate of decrease decreasing else compdose = mindose;

Again, the software determines whether the sugar level overall is increasing, decreasing or whether the level has remained stable. The dose is calculated in the same manner as it would be had the sugar level been safe, except when the sugar level high the software not only checks whether the sugar level is falling but also checks the rate at which it s falling. If the rate of decrease is increasing then the computed dose is set to 0 whereas if the rate of decrease is decreasing, the minimum dose of insulin is computed to be administered. Also if the sugar level is too high, the software computes that the minimum dose should be delivered if the level has remained stable. Safety of the algorithm Once the dose has been computed the system then must determine whether the dose calculated is safe, this is essential due to the critical nature of the software. In an attempt to prove to a satisfactory level that the insulin pump software is safe we can use the safety argument method of validation, in order to make certain that the insulin pump system cannot deliver an unsafe quantity of insulin. Therefore the section of code we must produce a safety argument for is the following: //IF STATEMENT: 1 //If max daily dose will be exceeded by the dose calculated if ((compdose + cumulativedose) > maxdailydose) //Alert the user and set status to Warning alarm_on = true; status = WARNING; dose = maxdailydose - cumulativedose; InsulinPump.deliverInsulin(dose); pumptimer.displayoutput("close to Max Daily Dose"); //Normal situation else if ((compdose + cumulativedose) < maxdailydose) //IF STATEMENT: 2 if (compdose <= maxsingledose) dose = compdose; InsulinPump.deliverInsulin(dose); //If the single dose computed is too high else dose = maxsingledose; InsulinPump.deliverInsulin(dose);

There are two pre-conditions that would make the system unsafe a) if the dose calculated to be delivered is greater than the maximum single dose value b) if the maximum daily dose was exceeded. Using the safety argument we must prove that the all the if-statement post conditions contradict the unsafe pre-condition: Safety Argument

Overdose administered InsulinPump.deliverInsulin(dose) dose > maxsingledose & (cumulativedose + dose) > maxdailydose Pre-condition for unsafe state or Contradiction Contradiction Not a complete Contradiction compdose <= maxsingledose & (compdose + cumulativedose) < maxdailydose dose = maxsingledose & (compdose + cumulativedose) < maxdailydose dose = (maxdailydose cumulativedose) compdose <= maxsingledose dose = maxsingledose (CompDose + cumulativedose) = maxdailydose dose = (maxdailydose cumulativedose) If statement: 2 then branch executed If statement: 2 else branch executed If statement: 1 not executed If statement: 1 then branch executed If statement: 1 else branch executed Results

The safety argument shows that the potentially unsafe state could be reached and potentially a user could be administered the maximum daily amount of insulin in one go. This would happen if this sequence of events were to occur: cumulativedose = 0 compdose computed to be a very high number If statement: 1 then branch executed dose = maxdailydose 0 InsulinPump.deliverInsulin(dose) maxdailydose delivered all at once Producing the safety argument has lead me to the conclusion that the insulin pump software (if implemented according to the Z specification provided) is unsafe for the aforementioned reason. The Z specification specifies that dose the dose should be administered as a post condition of If-statement: 1 (the requirement to administer the insulin at this point is modelled in the Z specification as dose!). In order to eliminate this safety error the point at which insulin is administered (dose!) would have to be moved in the specification. Java Code The Insulin Pump System Java code can be found at the following address: www.lancs.ac.uk/ug/mccarthb/insulinpump.zip

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information