Fault Detection and Safety in Closed-Loop Artificial Pancreas Systems


Review Article


Journal of Diabetes Science and Technology 2014, Vol. 8(6) 1204–1214. © 2014 Diabetes Technology Society. Reprints and permissions: sagepub.com/journalsPermissions.nav. DOI: 10.1177/1932296814543661. dst.sagepub.com

B. Wayne Bequette, PhD1

Abstract

Continuous subcutaneous insulin infusion pumps and continuous glucose monitors enable individuals with type 1 diabetes to achieve tighter blood glucose control and are critical components of a closed-loop artificial pancreas. Insulin infusion sets can fail, and continuous glucose monitor sensor signals can suffer from a variety of anomalies, including signal dropout and pressure-induced sensor attenuations. In addition to hardware failures, software and human-induced errors can cause safety-related problems. Techniques for fault detection, safety analysis, and remote monitoring that have been applied in other industries and applications, such as chemical process plants and commercial aircraft, are discussed and placed in the context of a closed-loop artificial pancreas.

Keywords: algorithms, artificial pancreas, fault detection, infusion set failure, sensor anomaly, safety

Prelude

This article is an outgrowth of a presentation titled "Algorithms to Detect Glucose Sensor and Infusion Pump Anomalies" at the NIDDK-sponsored workshop on Innovations Towards an Artificial Pancreas, held in Bethesda, Maryland, on April 9-10, 2013. The goals of that presentation were to review fault detection algorithms used in other industries, such as air travel and chemical processing and manufacturing, and suggest how lessons learned in these other application areas might be relevant to closed-loop artificial pancreas development. The primary goals of this article are largely the same, with additional citations to ongoing efforts in the broader field of safety science as well as the artificial pancreas.

Background and Motivation

Advanced automated systems that include measurement devices (sensors) and actuators (eg, valves, pumps, motors) have led to more efficient and safer manufacturing processes and commercial transportation vehicles and systems. An important consideration in any of these processes or systems is the response or actions that need to be taken when 1 or more components fail; this, of course, requires that the "faults" be detected. For a closed-loop artificial pancreas there is an initial body of research that has been conducted to handle sensor and pump-related anomalies. An objective of this article is to provide an overview of fault detection algorithms that have been applied in other critical industries, and place these in the context of faults that can arise in a closed-loop artificial pancreas.

The structure of the article follows. First, we provide an overview of possible artificial pancreas (AP) faults, followed by a review of chemical process and commercial aircraft fault detection and safety. We then review developments in fault detection and safety science in general followed by specific applications of AP fault detection algorithms. Finally, we discuss the possible connections between safety and remote monitoring techniques used in the chemical process and aviation industries, and those that can possibly be used in the context of the closed-loop AP.

Artificial Pancreas: Overview of Potential Faults/Failures

An AP is composed of at least 3 major components: (1) a continuous glucose monitor (CGM; sensor), (2) a continuous insulin infusion pump (actuator), and (3) a controller with an embedded algorithm that uses the glucose sensor reading to output a signal to the insulin infusion pump. Each of these components can be faulty. The most obvious is the infusion pump, which can fail to deliver the commanded amount of insulin due to blockages or leakage back to the infusion site; see Figure 1 for an example of an infusion set failure.1 The continuous glucose sensor can fail to provide satisfactory information due to miscalibration, fouling (slow sensor signal attenuation), dislodging of the sensor from underneath the skin, or pressure-induced sensor attenuations (resulting in rapid but intermittent signal degradation; see Figure 2 for an example1). Also, there can be communication losses between the sensor and controller or between the controller and pump. Furthermore, the control device can lose power or the operating system can "crash." In addition, errors can be human-induced; for example, the individual may provide an incorrect estimate of the number of carbohydrates in a meal (if using meal announcement), not announce the meal at all, or announce the meal and not consume it. The general systems engineering methodology for detecting these events is known as fault detection.

Figure 1.  Glucose concentration and insulin infusion during the life of an insulin infusion set. "Set Failure" indicates the likely start of the failure, since the boluses that follow fail to reduce the glucose level. Figure reproduced from Baysal et al1 with permission of the American Automatic Control Council.

1 Rensselaer Polytechnic Institute, Troy, NY, USA

Corresponding Author: B. Wayne Bequette, PhD, Department of Chemical and Biological Engineering and Center for Automation Technologies and Systems, Rensselaer Polytechnic Institute, 110 Eighth St, Troy, NY 12180-3590, USA. Email: [email protected]

Chemical Process Systems

Complex chemical manufacturing processes are composed of a large number of pieces of equipment for the reactions, heat exchange, and separations necessary to produce products; this includes pumps and compressors to move fluids between pieces of equipment, and many sensors and actuators to operate these processes. An example process and instrumentation diagram for a typical process unit (1 of many in a petroleum refinery) is shown in Figure 3.2 The numerous measurements present opportunities and challenges related to fault detection and safety. On one hand, some of the sensor readings are redundant, being related through known material and energy balance relationships; this analytical redundancy allows the use of data reconciliation techniques to reconcile measurement errors, as well as fault detection algorithms to detect the failure of sensors and/or actuators. On the other hand, the sheer number of sensors increases the likelihood of 1 or more failing or being miscalibrated. Usually, there is a control room where operators monitor and control several similar units simultaneously; a typical control room is shown in Figure 4.3 When process variables are outside an expected range, alarms are activated (using sounds and flashing icons) to warn operators to take action. The advantages and challenges of fault detection and safety in a chemical process plant are summarized in Table 1.

Overall, the chemical process industry has a good safety record. Major disasters in the chemical process industries are often due to a sequence of events rather than any single factor. The well-known release of methyl isocyanate (MIC) at the Union Carbide plant in Bhopal, India, in 1984 occurred largely because of a number of bad management and operating decisions, in addition to the actions of a disgruntled employee; details are in the appendix. The explosion that occurred at the BP Texas City refinery in 2005 was due to miscommunication, failure to meet blowdown drum safety standards, miscalibrated and nonfunctioning sensors and alarms, a history of violating proper startup operating procedures, and poor siting of temporary office trailers; details of this accident are also in the appendix.

The assurance of chemical process safety is based on a number of factors. First of all, there is redundancy in components that can fail; primary examples include bypass lines around control valves, and additional pumps that are started up when 1 fails. Also, the proper failure state is chosen for each component; for example, a fuel gas valve to a furnace is designed to fail closed, while a cooling water valve that removes heat from a reactor is designed to fail open. There are also pressure relief valves that release gases to a flare header/tower before a vessel becomes overpressurized. The automation and control system usually has lower-level control loops that remain active even if there are problems with higher-level optimization and control strategies.

Finally, it is important to discuss industry regulation. Process equipment must meet certain codes (ASME standards for vessel design, for example). The Environmental Protection Agency (EPA) regulates emissions to the atmosphere. In the event of a catastrophic failure the Chemical Safety Board (CSB) immediately investigates and prepares a detailed report; this often leads to significant changes in chemical process design and operation.

Figure 2.  Illustration of a pressure-induced sensor attenuation. Several consecutive attenuations are characterized by rapid, nonphysiologic decreases with first-order behavior. Figure reproduced from Baysal et al1 with permission of the American Automatic Control Council.

Figure 3.  Toluene hydrodealkylation (HDA) process and instrumentation diagram.2 Illustrates the many unit operations (reactors, heat exchangers, separation columns), and measurements and manipulated inputs (control valves) available in a typical chemical process. [Diagram not reproduced. Labels recoverable from the figure: units Reactor, Flash, Stabilizer, Benzene Column, Recycle Column, Recycle Compressor; streams Hydrogen, Methane (CH4), Toluene, Recycle Toluene, Benzene product, Diphenyl, fuel gas, quench, purge, cooling water (CW), steam; controllers CC, PC, FC, TC, LC.]

Figure 4.  Typical control room for a chemical manufacturing process.3 Image courtesy of TBC Consoles, all rights reserved.
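The analytical redundancy described for the chemical process above can be made concrete. What follows is an added example, not code from the article or from any plant system: weighted least-squares data reconciliation over two linear material balances (a mixer, F1 + F2 = F3, and a splitter, F3 = F4 + F5), a global chi-square test that says whether the balances close within sensor noise, and a measurement test that points at the sensor whose adjustment is largest. The five flow readings, their standard deviations, and the +5 bias placed on the F3 sensor are constructed for the example; the balance matrix, the 95% chi-square critical value for 2 degrees of freedom (5.99), and the function names are assumptions of the example.

```python
"""Data reconciliation and gross-error detection over linear balances.

Added example, not from the article. Constructed inputs: five flow sensors around
a mixer (F1 + F2 = F3) and a splitter (F3 = F4 + F5), sigma = 1 for each sensor,
with the F3 sensor reading 5 units high.
"""
import math

# Balance matrix A (one row per node) such that A x = 0 for a consistent set of flows.
BALANCES = [
    [1.0, 1.0, -1.0, 0.0, 0.0],   # mixer:    F1 + F2 - F3 = 0
    [0.0, 0.0, 1.0, -1.0, -1.0],  # splitter: F3 - F4 - F5 = 0
]
CHI2_95_2DOF = 5.99  # chi-square critical value, 2 degrees of freedom, 95%


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def transpose(a):
    return [list(col) for col in zip(*a)]


def inverse(m):
    """Gauss-Jordan inverse with partial pivoting, for the small matrices used here."""
    n = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [v / piv for v in aug[c]]
        for r in range(n):
            if r != c:
                f = aug[r][c]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def reconcile(measured, sigma, balances=BALANCES):
    """Minimise sum(((x - m) / sigma)^2) subject to A x = 0.

    Closed form: a = S A^T (A S A^T)^-1 (A m), x = m - a, with S = diag(sigma^2).
    Returns (reconciled x, adjustments a, global test statistic, normalised adjustments).
    """
    n = len(measured)
    A = balances
    S = [[sigma[i] ** 2 if i == j else 0.0 for j in range(n)] for i in range(n)]
    At = transpose(A)
    W = inverse(matmul(matmul(A, S), At))                      # (A S A^T)^-1
    r = [[sum(A[k][i] * measured[i] for i in range(n))] for k in range(len(A))]  # A m
    a = [row[0] for row in matmul(matmul(S, At), matmul(W, r))]
    x = [m - ai for m, ai in zip(measured, a)]
    # Global test: r^T W r follows chi-square(#balances) when no gross error is present.
    global_stat = sum(r[i][0] * sum(W[i][j] * r[j][0] for j in range(len(r)))
                      for i in range(len(r)))
    # Measurement test: each adjustment divided by its own standard deviation,
    # using cov(a) = S A^T W A S.
    cov_a = matmul(matmul(matmul(matmul(S, At), W), A), S)
    normalised = [a[i] / math.sqrt(cov_a[i][i]) if cov_a[i][i] > 0 else 0.0 for i in range(n)]
    return x, a, global_stat, normalised


def suspect_sensor(measured, sigma, balances=BALANCES):
    """Index of the sensor to flag, or None when the balances close within noise."""
    _, _, stat, normalised = reconcile(measured, sigma, balances)
    if stat <= CHI2_95_2DOF:
        return None
    return max(range(len(measured)), key=lambda i: abs(normalised[i]))


# Constructed readings: true flows 10, 5, 15, 9, 6; the F3 sensor reads 5 high.
MEASURED = [10.0, 5.0, 20.0, 9.0, 6.0]
SIGMA = [1.0] * 5

if __name__ == "__main__":
    x, a, stat, norm = reconcile(MEASURED, SIGMA)
    print("reconciled:", [round(v, 2) for v in x])
    print("global statistic:", round(stat, 2), "suspect sensor index:", suspect_sensor(MEASURED, SIGMA))
```

The global statistic for the constructed readings is 12.5 against a threshold of 5.99, and the F3 adjustment (index 2) is the largest normalised one, because F3 appears in both balances. That is also the caveat: F4 and F5 appear only in the splitter balance, so a bias on either of them produces identical normalised adjustments and this test cannot tell them apart. Isolability is a property of the measurement structure, which is why redundant sensors are placed where they participate in more than one balance.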

Table 1.  Chemical Process Applications of Fault Detection and Safety.
Strengths/advantages:
  Fundamental models available, based on material and energy balances and thermodynamic and kinetic relationships
  Many sensors and actuators, redundancy
  On-site staff to maintain all equipment and controllers
  Expert operators, trained for potential problems
  Smart sensors that can detect and compensate for artifacts
  Remote monitoring by experts, particularly for expensive equipment such as compressors and turbines
Weaknesses/challenges:
  Uncertain parameter values in models
  Many potential faults in actuators, sensors, and digital controllers
  Dynamics more uncertain
  Incremental sensors difficult to justify economically
  Each plant is different, requiring different models and control strategies
  Difficult to identify root causes of alarms

Aircraft Systems

Commercial aircraft have advanced control systems, with a significant number of sensors and actuators (see, eg, Figure 5).4 Since many units of the same aircraft model are produced, a significant effort in detailed mathematical modeling and control system design is easily justified, since the cost is spread across numerous identical aircraft. Expert pilots receive extensive training on simulators, and are tested on a large number of fault scenarios. The strengths and weaknesses of aircraft are summarized in Table 2. The commercial air traffic industry has an outstanding safety record, with fewer than 1 fatal accident per 4.7 million flights across 78 major world airlines.5 There are certainly numerous reasons for this outstanding safety record. One is that this is a heavily regulated industry where safety is the highest priority. Air traffic control is a hierarchical system, with the regulating agencies at the top, and the air traffic control system as the next layer.

Figure 5.  Boeing 787 aircraft schematic to illustrate the large number of components, including multiple engines, and the control (cockpit) layout. Control surfaces include aileron (25), outboard flap (28), flaperon (29), inboard spoilers (30), rudder (50).4

Aircraft are built with physical and analytical redundancy. For example, there are generally 3 to 6 flight control computers. Also, important control surfaces have multiple actuators, in case one actuator fails. Furthermore, there are redundant sensors, such as for altitude.6 Unless an engine is lost during takeoff, an aircraft can generally be flown safely on one engine. An example of a case where a pilot (Captain Sullenberger) was able to land safely (on the Hudson River) after the loss of both engines shortly after takeoff, US Airways 1549 in January 2009, is discussed in the appendix. An example of a sensor failure that led to the loss of an aircraft is Air France flight 447 in June 2009, when the icing of pitot tubes (airspeed sensors) led to the disengagement of the automated flight control system. As detailed in the appendix, the pilots were not able to keep the proper speed of the aircraft, and were confused about the aircraft orientation. Finally, the crash of Asiana flight 214 (again presented in the appendix) in San Francisco in July 2013 occurred partially because a pilot assumed that the plane was under automatic speed control when it was not. It is important to note that the majority of fatal accidents occur during takeoff (20%) and landing (36%), while an additional 12% occur before takeoff (while parked, towed, or during the taxi phase).

The above analysis has focused on the control strategies for any particular aircraft. A major reason, however, for the outstanding safety record of the air traffic industry is the air traffic control structure. Air traffic controllers are responsible for keeping proper distances between aircraft that are taking off and landing, as well as those that are at cruising altitude. Radar provides continuous feedback of the location and speed of aircraft within the region controlled by a particular air traffic controller. Finally, in the event of a disaster or near-disaster, the National Transportation Safety Board (NTSB) performs a detailed investigation, including analysis of data from so-called black boxes as well as cockpit communications, data from aircraft engines, and so on. Again, the results of these investigations often lead to recommendations for new procedures and operating protocols.

Table 2.  Aircraft and Air Transportation Fault Detection and Safety.
Strengths/advantages:
  Low tolerance for failure
  Fundamental knowledge of dynamics
  Costs spread among numerous aircraft
  Expert pilots in control, trained for many disaster scenarios (via simulation)
  Individual components well characterized and monitored (eg, turbines)
  Amazing safety record
Weaknesses/challenges:
  Flights cost more
  More delayed flights

Table 3.  Closed-Loop Artificial Pancreas Fault Detection and Safety.
Advantages/strengths:
  Individuals have experience with "human in the loop" control
  Advanced pump technology
  Understanding of insulin onboard (IOB)
  Motivation for better glucose control
Weaknesses/challenges:
  Highly uncertain models and parameters
  No on-site experts in control algorithms, sensors, actuators
  Many types of "events"
  Sensor calibration uncertainty

Closed-Loop Artificial Pancreas

A closed-loop AP differs significantly from chemical process manufacturing and air traffic control in a number of ways. A primary difference is in the number of sensors and actuators, since a basic closed-loop AP can be developed with a single sensor (CGM) and actuator (insulin pump); generally it is easier to design controllers for single-input, single-output systems than for multivariable systems. On the other hand, physiological systems are more difficult to model mathematically than physical and chemical systems. Also, physiological systems are much more variable, with both intra- and intersubject variability. Another major challenge is that subcutaneous insulin pharmacokinetics and pharmacodynamics inherently limit the possible dynamic performance of glucose control when manipulating insulin. It should be noted, however, that there are many chemical process systems that operate on such a time scale, or often with much longer time scales. The advantages and challenges of fault detection and safety in a closed-loop AP are shown in Table 3.

Fault Detection Algorithms and Safety Science

Fault detection is a well-established area of dynamic systems and control. Frank7 and Isermann8 provide reviews of quantitative model-based fault detection and diagnosis techniques, with selected applications. Much of the fault detection literature alludes to controller performance under failure. While often not directly discussed, an important performance attribute is safety. Venkatasubramanian9 provides a useful perspective on systemic failures, using examples from finance (Enron, Madoff), pharmaceuticals (recall of inhalers), the electric power grid (northeast blackout of 2003), and the mining and chemical process industries. Leveson10 presents a new accident model for engineering safer systems, and Leveson and Stephanopoulos11 provide a control-inspired approach to process safety. Most disasters occur due to a number of causes and not any individual event; Leveson and Stephanopoulos11 argue that too often the focus of disaster analysis is on the chain of events that led to the disaster, whereas the overarching cause was systemic, and the risk was increasing over a period of time. That is, too often the accident is viewed as some unfortunate sequence of independent events that happened to occur at a point in time, rather than understanding that, systemically, the "accident was waiting to happen" due to the increasing risk over time.

Alarm fatigue occurs when an individual is faced with alarms that occur too frequently and are either ignored or responded to with incorrect action. Shivers et al12 provide a comprehensive overview of alarm fatigue with CGM devices, focused primarily on open-loop (manual) control; they also provide a review of general health care alarm systems and note that alarm fatigue in hospitals has been linked to over 200 patient deaths over an 8-year period. Alarm "flooding" is a common problem in complex chemical plants, where a control room may have tens or hundreds of alarms, of various degrees of importance, activated simultaneously, particularly during process upset conditions. Laberge et al13 describe these problems and a new alarm tracker summary display that led to fewer false responses from the operators.

Artificial-Pancreas-Related Anomalies and Failures

Infusion Set Failures

Heinemann and Krinelke14 refer to insulin infusion sets as the "Achilles heel" of continuous insulin infusion, since they are a frequent source of problems. Cope et al15 performed a 10-year Food and Drug Administration (FDA) retrospective study of adverse events in adolescents using insulin pump technology; of the 1674 reported incidents identified, 987 (61.9%) reported hyperglycemia, and 46.6% of these indicated that the patient had ketoacidosis. Insulin infusion set failure and infection of the infusion site are the most frequent events according to a report of pump malfunctions recorded between 2001 and 2004 in 376 pumps used by patients treated with continuous subcutaneous insulin infusion therapy in Brittany.16 Patel et al17 performed a trial comparing steel and Teflon catheters and found that both had a 64% failure rate after 7 days of wear. Heinemann et al18 discuss the Patel et al studies in their commentary on the need for better insulin infusion sets.

Vega-Hernandez et al19 develop a model-based approach to detect pump over- or underdelivery of insulin, assuming that insulin boluses are given at mealtime. The in silico model of Hovorka et al20 is used to simulate two fault-related scenarios: (A) 40% overdosing with 5% parameter variation and (B) 40% underdosing with 5% parameter variation. For both scenarios, the proposed observer-based strategy detects actuator faults based on large differences between the estimated and measured subcutaneous glucose values. Vega-Hernandez et al21 further consider 10% variations in parameters, with meal content and timing variations of 15% and 15 minutes, respectively. Rojas et al22 use bivariate classification, principal component analysis (PCA), and a combined approach to detect simulated faults in 10 subjects. Cameron et al23 use an interacting multiple model (IMM) approach to detect 27 set failures in 120 weeks of outpatient data; the infusion sets, on average, failed after 5.3 days. Cameron et al24 use a threshold-based approach (with an alarm silencing period) to detect 80% of set failures, with a false positive rate of 0.3/day. Herrero et al25 use an interval-analysis-based technique to detect faults in simulation studies involving 10 scenarios on 10 subjects. Baysal et al,1 in a retrospective analysis of the Patel et al17 data using real-time algorithms, found that a model-based approach had a median time to detection of 181 minutes, and a glucose value at detection of 277 mg/dl.
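The two ingredients that recur in the set-failure detectors cited above, a residual between the glucose change a model predicts after a bolus and the change the CGM actually shows, and a threshold with an alarm silencing period so that one failed set does not raise an alarm at every subsequent meal, can be shown together. The following is an added example written for this page; it is not the algorithm of Cameron et al, Vega-Hernandez et al, or Baysal et al, and its numbers are not from their data. Everything in it is assumed: the first-order insulin action model with gain K_INS and time constant TAU_MIN, the linear 90-minute meal rise with gain K_CARB, the announced meals with a bolus at the same time, the thresholds, and the constructed 3-day trace in which the set fails at 10:00 on day 2 so that boluses from then on deliver nothing (the shape Figure 1 describes).

```python
"""Residual-threshold detector with an alarm silencing period for infusion set failure.

Added example, not the Cameron et al or Vega-Hernandez et al algorithms. Assumed,
not from the article: a first-order insulin action model (gain K_INS, time constant
TAU_MIN), a linear meal rise completing in MEAL_RISE_MIN (gain K_CARB), announced
meals with a bolus at the same time, and the constructed trace produced by simulate().
"""
import math

STEP_MIN = 5          # CGM sample interval, minutes
K_CARB = 3.0          # mg/dL rise per gram of carbohydrate (assumed)
K_INS = 30.0          # mg/dL total drop per unit of insulin (assumed)
TAU_MIN = 90.0        # insulin action time constant, minutes (assumed)
MEAL_RISE_MIN = 90.0  # meal glucose rise is complete after this long (assumed)
NOISE_AMP = 8.0       # deterministic wobble standing in for sensor noise and model mismatch

# Announced meals: (minute of day, grams of carbohydrate, units of bolus insulin).
MEALS = [(7 * 60, 30.0, 3.0), (12 * 60, 30.0, 3.0), (18 * 60, 30.0, 3.0)]


def insulin_fraction(minutes_since_bolus):
    """Fraction of a bolus's total glucose-lowering effect realised so far."""
    if minutes_since_bolus < 0:
        return 0.0
    return 1.0 - math.exp(-minutes_since_bolus / TAU_MIN)


def simulate(days, meals, fail_at_min):
    """Constructed CGM trace; boluses commanded at or after fail_at_min deliver nothing.

    Returns (glucose samples every STEP_MIN, events as (t_min, grams, units)).
    """
    events = [(d * 1440 + m, grams, units) for d in range(days) for (m, grams, units) in meals]
    glucose = []
    for i in range(days * 1440 // STEP_MIN):
        t = i * STEP_MIN
        g = 120.0
        for (tb, grams, units) in events:
            if t < tb:
                continue
            g += K_CARB * grams * min(1.0, (t - tb) / MEAL_RISE_MIN)
            if tb < fail_at_min:                      # a failed set delivers no insulin
                g -= K_INS * units * insulin_fraction(t - tb)
        g += NOISE_AMP * math.sin(2 * math.pi * t / 240.0)
        glucose.append(g)
    return glucose, events


def bolus_residuals(glucose, boluses, horizon_min=120):
    """For each bolus: (check time, observed glucose change minus model-predicted change).

    A large positive residual means glucose stayed well above what the announced
    carbohydrate and the commanded insulin predict, i.e. the bolus had no effect.
    """
    out = []
    for (tb, grams, units) in boluses:
        i0, i1 = tb // STEP_MIN, (tb + horizon_min) // STEP_MIN
        if i1 >= len(glucose):
            break
        predicted = (K_CARB * grams * min(1.0, horizon_min / MEAL_RISE_MIN)
                     - K_INS * units * insulin_fraction(horizon_min))
        observed = glucose[i1] - glucose[i0]
        out.append((tb + horizon_min, observed - predicted))
    return out


def detect_set_failure(glucose, boluses, threshold=40.0, horizon_min=120, silence_min=480):
    """Alarm times: residual above threshold, with repeats suppressed for silence_min."""
    alarms, last = [], None
    for t_check, residual in bolus_residuals(glucose, boluses, horizon_min):
        if residual > threshold and (last is None or t_check - last >= silence_min):
            alarms.append(t_check)
            last = t_check
    return alarms


if __name__ == "__main__":
    glucose, events = simulate(3, MEALS, fail_at_min=1440 + 10 * 60)   # set fails day 2, 10:00
    for t_check, residual in bolus_residuals(glucose, events):
        print(f"t={t_check:5d} min  residual={residual:6.1f} mg/dL")
    print("alarms at minutes:", detect_set_failure(glucose, events))
```

With the constructed trace the residual stays within about 16 mg/dL of zero while the set works (the wobble and the tail of the previous bolus account for all of it) and jumps to roughly 64 to 82 mg/dL for every bolus after the failure, so the threshold of 40 separates the two cleanly; the first alarm fires 2 hours after the first failed bolus, and the silencing period suppresses the alarm on the next meal. On real data the model mismatch is far larger than this wobble, which is why the published detectors report a false positive rate per day alongside the detection rate: the threshold and the silencing period are the two knobs that trade those against each other.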

Continuous Glucose Sensor Anomalies

Faults associated with continuous glucose sensors can include the slow degradation of signals due to fouling, intermittent loss of signal due to communication dropouts, and intermittent degradation of signals due to a pressure-induced sensor attenuation (PISA). A PISA can occur when an individual rolls over onto their sensor. Helton et al26,27 provide a physiological basis for the sensor attenuations. Mensh et al28 performed a detailed study by placing 4 sensors on individuals without diabetes overnight, and using video to determine their sleeping position. While the median sensor values were relatively constant, individual readings would occasionally rapidly attenuate; this attenuation was directly correlated with the sleeping position. CGM signals affected by a PISA tend to stay attenuated for roughly 15-30 minutes before returning to near "pre-attenuation" values. Baysal et al1,29 develop a rule-based method, based on CGM signals processed by a Kalman filter, specifically applicable to overnight conditions, when PISAs are most likely to occur. The real-time PISA detection technique was tested on over 1125 nights of outpatient data from a predictive low-glucose suspend trial; 88.34% of the PISAs were successfully detected by the algorithm, and the percentage of false detections could be reduced to 1.70% by altering the algorithm parameters.29
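The shape of the Kalman-filter-plus-rule approach can be illustrated in code. The block below is an added example, not the Baysal et al algorithm and not tuned on their data: a two-state (level, rate) Kalman filter runs over 5-minute CGM samples, an episode opens when the filtered rate of fall is nonphysiologically steep and the filtered level has just dropped, the rule is gated to the 22:00 to 07:00 window, and the episode closes as resolved only when the raw reading returns to near its pre-episode level. If it has not recovered within 60 minutes the episode is closed as unresolved, which is the part a safety reviewer should look for: a detector that discounts a falling signal must hand the fall back to the controller as real when it does not behave like an artifact. The filter noise parameters, every threshold, and the three 3-hour traces (a first-order attenuation of the kind Figure 2 describes, a slow physiologic decline of 1 mg/dL per minute, and a rapid fall that never recovers) are constructed for this example.

```python
"""Rule-based PISA detection on Kalman-filtered overnight CGM samples.

Added example, not the Baysal et al algorithm. Assumed, not from the article:
a constant-velocity Kalman filter (state = glucose level and rate), 5-minute
samples, the thresholds below, and the constructed traces at the bottom.
"""
import math

DT_MIN = 5.0                 # CGM sample interval, minutes
R_MEAS = 9.0                 # measurement noise variance (sigma 3 mg/dL), assumed
Q_ACCEL = 0.04               # white-noise acceleration intensity, assumed
RATE_THRESH = -2.0           # mg/dL per minute; physiologic overnight falls are slower, assumed
DROP_THRESH = 15.0           # filtered drop since the previous sample that opens an episode
RECOVER_WITHIN = 10.0        # raw reading this close to the pre-episode level closes it
MAX_EPISODE_SAMPLES = 12     # 60 minutes: longer than a PISA, so the fall is treated as real


class RateKalman:
    """Two-state (level, rate) Kalman filter with a scalar measurement of the level."""

    def __init__(self, g0):
        self.g, self.v = g0, 0.0
        self.p = [[R_MEAS, 0.0], [0.0, 1.0]]      # initial covariance, assumed

    def update(self, z):
        dt = DT_MIN
        p00, p01, p11 = self.p[0][0], self.p[0][1], self.p[1][1]
        # predict: level advances by rate * dt, rate is held; P <- F P F^T + Q
        g_p, v_p = self.g + self.v * dt, self.v
        q00, q01, q11 = Q_ACCEL * dt ** 4 / 4, Q_ACCEL * dt ** 3 / 2, Q_ACCEL * dt ** 2
        pp00 = p00 + 2 * dt * p01 + dt * dt * p11 + q00
        pp01 = p01 + dt * p11 + q01
        pp11 = p11 + q11
        # correct with the measurement; k1 is the gain on the rate (per minute)
        s = pp00 + R_MEAS
        k0, k1 = pp00 / s, pp01 / s
        innov = z - g_p
        self.g, self.v = g_p + k0 * innov, v_p + k1 * innov
        self.p = [[(1 - k0) * pp00, (1 - k0) * pp01],
                  [pp01 - k1 * pp00, pp11 - k1 * pp01]]
        return self.g, self.v


def overnight(clock_min):
    """True from 22:00 to 07:00 (clock in minutes since midnight), where the rule applies."""
    return clock_min >= 22 * 60 or clock_min < 7 * 60


def detect_pisa(samples, start_clock_min):
    """samples: CGM readings every DT_MIN minutes, the first taken at start_clock_min.

    Returns episodes as dicts {start, end, ref, resolved} (sample indices). An episode
    opens when the filtered rate is below RATE_THRESH and the filtered level fell more
    than DROP_THRESH since the previous sample. It closes as resolved once the raw
    reading is back within RECOVER_WITHIN of the pre-episode level, or as unresolved
    after MAX_EPISODE_SAMPLES; an unresolved fall must be handled as real glucose.
    """
    kf = RateKalman(samples[0])
    prev_g = samples[0]
    episodes, open_ep = [], None
    for k, z in enumerate(samples):
        g_hat, v_hat = kf.update(z)
        clock = (start_clock_min + k * DT_MIN) % 1440
        if open_ep is None:
            if overnight(clock) and v_hat < RATE_THRESH and prev_g - g_hat > DROP_THRESH:
                open_ep = {"start": k, "end": None, "ref": prev_g, "resolved": False}
        elif open_ep["ref"] - z < RECOVER_WITHIN:
            open_ep.update(end=k, resolved=True)
        elif k - open_ep["start"] >= MAX_EPISODE_SAMPLES:
            open_ep.update(end=k, resolved=False)
        if open_ep is not None and open_ep["end"] is not None:
            episodes.append(open_ep)
            open_ep = None
        prev_g = g_hat
    if open_ep is not None:                       # trace ended inside an episode
        open_ep.update(end=len(samples) - 1)
        episodes.append(open_ep)
    return episodes


def _pisa_trace():
    """Flat 140 mg/dL, a first-order attenuation of 50 mg/dL (time constant of one
    sample) held for 20 minutes, then first-order recovery: the shape Figure 2 describes."""
    trace = [140.0] * 12
    trace += [140.0 - 50.0 * (1 - math.exp(-k)) for k in range(1, 5)]
    trace += [140.0 - 50.0 * math.exp(-k) for k in range(1, 5)]
    return trace + [140.0] * 16


# Constructed overnight traces, 36 samples (3 hours) each.
PISA_TRACE = _pisa_trace()
SLOW_DECLINE_TRACE = [140.0] * 12 + [140.0 - 5.0 * k for k in range(1, 13)] + [80.0] * 12
REAL_FALL_TRACE = [140.0] * 12 + [110.0, 95.0] + [90.0] * 22
```

Run from 22:00, the attenuation trace yields one episode opening at the first attenuated sample and closing as resolved at the second recovery sample; the 1 mg/dL per minute decline never crosses the rate threshold; the rapid fall opens an episode that is closed as unresolved after 60 minutes; and the same attenuation trace started at 14:00 yields nothing because the rule is gated to the overnight window. The rate gain of the filter is what makes the rule respond within one sample here; with a noisier sensor model the gain would be lower, detection would lag, and the drop threshold would need to be checked over more than one sample.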

Fail-Safe Behavior

Safety must be the highest priority of any closed-loop AP system. Control valves in a chemical process are designed to either fail open or fail closed depending on the valve service. Since the greatest short-term danger in a closed-loop AP is hypoglycemia, any loss of CGM signal or control computation failure should result in either zero insulin infusion or a reversion to the basal delivery rate, in addition to the activation of alarms. The long-term pharmacodynamic effect of insulin makes insulin onboard (IOB) an important consideration in any control algorithm. IOB is explicitly used in most model-based AP algorithms;30 Revert et al31 also show how IOB can be added as a constraint to any form of control algorithm. Indeed, consideration of IOB and the current glucose state could determine whether an insulin delivery system should revert to basal or to zero infusion. Human factors are an important consideration in any system design, whether under manual or closed-loop operation. Schaeffer32 provides a nice discussion of the role of human factors in medical device design, with a focus on the design and development of an insulin pump. In the sections that follow we focus on fault detection algorithms as part of an AP system.
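The fail-safe rule above, revert to basal or to zero infusion depending on IOB and the current glucose state, is small enough to write out as a supervisory function, which is how it would sit above the controller in a real device: the controller's output is trusted only when the loop's inputs are trustworthy, and every fault path returns less insulin than the controller would have commanded, never a repeat of the last command. The block below is an added example, not the logic of any pump or of the algorithms cited in the article. Its assumptions, none of which come from the page, are a linear 4-hour insulin action curve for IOB, a 20-minute staleness limit on the CGM sample (three missed 5-minute readings), an IOB limit of 1 U and a glucose floor of 120 mg/dL below which the fallback is suspension rather than basal, and the names of the alarm strings.

```python
"""Fail-safe supervisor for a closed-loop AP: what to deliver when the loop cannot run.

Added example, not the article's or any product's logic. Assumed, not from the
article: a linear DIA_MIN insulin action curve for IOB, a CGM_STALE_MIN staleness
limit, and the IOB_SUSPEND_U and GLUCOSE_FLOOR thresholds.
"""
DIA_MIN = 240.0          # duration of insulin action, minutes (assumed)
CGM_STALE_MIN = 20.0     # oldest CGM sample the controller may act on (assumed)
IOB_SUSPEND_U = 1.0      # more insulin than this still acting: suspend, do not run basal (assumed)
GLUCOSE_FLOOR = 120.0    # last known glucose below this: suspend on any fault (assumed)


def insulin_on_board(bolus_log, now_min):
    """Units still acting at now_min, decaying linearly over DIA_MIN.

    bolus_log: list of (delivery_time_min, units). Real pumps use a curvilinear
    action curve; the linear one here is the simplest model that is not wrong in sign.
    """
    iob = 0.0
    for t_bolus, units in bolus_log:
        elapsed = now_min - t_bolus
        if 0.0 <= elapsed < DIA_MIN:
            iob += units * (1.0 - elapsed / DIA_MIN)
    return iob


def fail_safe_mode(now_min, last_cgm, controller_ok, bolus_log, basal_u_per_h):
    """Decide the delivery mode for the next interval.

    last_cgm: (sample_time_min, mg_per_dL) or None if the sensor has never reported.
    Returns (mode, rate_u_per_h, alarms). Only "closed_loop" trusts the controller
    output (rate None: the controller computes it). Every fault path fails toward
    less insulin and raises an alarm; none repeats the last commanded dose.
    """
    alarms = []
    if last_cgm is None:
        alarms.append("cgm_missing")
    elif now_min - last_cgm[0] > CGM_STALE_MIN:
        alarms.append("cgm_stale")
    if not controller_ok:
        alarms.append("controller_fault")
    if not alarms:
        return "closed_loop", None, []

    iob = insulin_on_board(bolus_log, now_min)
    glucose = last_cgm[1] if last_cgm is not None else None
    # Unknown glucose, low glucose, or a meaningful amount of insulin still acting:
    # the safe fallback is no insulin at all, because hypoglycemia is the short-term risk.
    if glucose is None or glucose < GLUCOSE_FLOOR or iob > IOB_SUSPEND_U:
        return "suspend", 0.0, alarms + ["insulin_suspended"]
    # Otherwise the programmed basal rate is the open-loop state the user already understands.
    return "basal", basal_u_per_h, alarms + ["basal_fallback"]


if __name__ == "__main__":
    log = [(0.0, 4.0), (60.0, 2.0)]            # constructed bolus history, minutes since start
    print("IOB at t=120:", insulin_on_board(log, 120.0))
    print(fail_safe_mode(120.0, (90.0, 180.0), True, log, 0.8))   # stale CGM, insulin acting
    print(fail_safe_mode(120.0, (90.0, 180.0), True, [], 0.8))    # stale CGM, nothing acting
    print(fail_safe_mode(120.0, (115.0, 90.0), False, [], 0.8))   # controller down, low glucose
```

The decision order matters: the staleness and controller checks run before anything is computed from the data, so a stale sample cannot be used to argue that basal is safe; and the IOB check is what distinguishes "revert to basal" from "suspend" for the same glucose reading, which is the distinction the paragraph above draws. The specific thresholds are placeholders; in a real system they would come from the device's hazard analysis, not from this example.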

Stress Faults

Exercise and stress, while not AP faults per se, have major impacts on insulin sensitivity and blood glucose levels. Finan et al33 use PCA of CGM, insulin infusion, and recorded meal data to detect "stress days" (when prednisone was given), with 89% classification accuracy.

Multiple Faults

Facchinetti et al34 present a model-based method, using insulin infusion and CGM signals, that detects faults when the CGM predictions fall outside confidence intervals; a limitation is that it assumes overnight operation with no meals or exercise. This approach is extended by del Favero et al35 to include meal announcement during the daytime. Major challenges to glucose control include meals (unannounced in particular) and exercise, but these should be viewed more as disturbances, particularly since they occur on a frequent basis. There are numerous other possible disturbances (and faults) that occur on an infrequent basis, and estimation and fault detection algorithms could be developed for those specific cases. It should be clear that very infrequent or unlikely events cannot (or should not) be explicitly detected, but could be flagged as an unknown event. For example, Buckingham36 reports the case of a patient who accidentally drilled a hole in her thumb with a drill bit; the rapid decrease in the CGM reading enabled her to avoid hypoglycemia. It is unlikely that it would be worth the time and effort to develop an algorithm to explicitly detect a "drill bit through the thumb" fault.

Software-Related Failures

While much of the discussion in this article has involved hardware failures, it is worth discussing the possibility of software-related failures. Certainly, at the turn of the century there was much concern about the so-called Y2K problem, where the transition from 1999 to 2000 could lead to problems due to the use of only the last 2 digits of the year (99 to 00) in the date field of many software systems. Fortunately, the tremendous focus on this issue resulted in minimal system-wide problems. A problem with the operating system on Apple iPhones caused wake-up alarms to fail to activate on the morning of January 1, 2011, causing thousands of people throughout the world to miss airline flights and other important appointments. Welsh et al37 provide an overview of the engineering aspects of software for insulin infusion pumps, and include a risk analysis of the hazards associated with insulin pumps under current manual operation. They note that the software that drives cardiac pacemakers contains over 80 000 lines of code and that some hospital infusion pumps contain over 170 000 lines of code. Picton et al38 note that proprietary data and communication protocols of diabetes devices have made the integration of these components challenging. They report that IEEE standards for glucose meters have been approved, and that standards for insulin pumps and CGM are under development.

Remote Monitoring

Chemical Processes and Commercial Aircraft

Remote monitoring has been used in chemical process plants, power plants, and aircraft for safety and performance monitoring. General Electric combustion turbines have a number of sensors that are monitored at a central site in Atlanta, which monitors systems from over 1600 power plants.39 Maggiore and Kinney40 provide an overview of the Airplane Health Management (AHM) system by Boeing that collects in-flight information and relays it to the ground in real time. The 3 types of decision support include (1) real-time fault management, (2) custom alerting and analysis, and (3) performance monitoring. The fault management system communicates in-flight faults to the ground and diagnoses them in real time, and the custom alerting and analysis system can deliver alerts and notifications through the internet, fax, email, text, and pagers. Performance monitoring results are available within hours and can be used by airlines to reduce fuel consumption and improve operation.

Artificial Pancreas

Remote monitoring is being used in a number of outpatient AP clinical trials,41-43 and the 2014 ATTD had a debate about the potential of remote monitoring of AP devices.44,45 Place et al41 provide an overview and report web monitoring results from 3 clinical trials using the DiAs web monitoring tool, which is based on the DiAs platform presented by Keith-Hynes et al.46 Dassau et al47 report the development of a safety system for hypoglycemia prevention with several layers, including user alarms at the lowest level, followed by emails and text messages to caregivers, and finally a call to a call center with GPS coordinates. The use of this safety system, within the context of a clinical trial, is reported by Harvey et al.48

Discussion So what are the most appropriate analogies between chemical process and aircraft safety and the safety of a closed-loop AP? The most dangerous times occur during start-ups and shut-downs during chemical plant operation, and during takeoffs and landings with aircraft. The start-up/shut-down of a chemical process is probably most analogous to the

1211

Bequette insertion of a new infusion set and/or CGM (along with the sensor calibration); with current sensor technology, there is a “break-in” period of at least 2 hours, so an AP must be in “open-loop” during this time period. The takeoff and landings of aircraft are probably most analogous to meals and exercise, which cause the most “stress” for an AP; aircraft certainly have the advantage that both of these events are “announced” and the dynamic behavior is well described (major disturbances would include wind gusts). We have also seen airplane disasters occur because the pilot(s) assumed that the autopilot (automatic controller) was functioning, when the system was actually under manual (open-loop) control. Similar problems could develop with an AP if an individual assumes that the controller is closed, when, either due to a component failure or being accidentally switched to manual mode, the insulin delivery is in manual mode. We have seen that accidents/incidents in the chemical process and air transportation industries usually involve human error. In some cases a human is so accustomed to the automatic control system that it can be difficult to detect and compensate for failures/faults; is there potential for this to occur with an AP as well? The number of people directly impacted by an AP incident is low, compared with the tens and hundreds impacted by chemical process and aircraft accidents, unless the individual with an AP is piloting a plane or operating a chemical process plant—and even then there are other safety measures and pilots or operators available to take control. In addition, there is increasing awareness that “near misses” should be given a high level of scrutiny, since there was some luck involved in the near miss not becoming an actual accident. 
In the context of the AP, this suggests that there should be a method of analyzing situations where hypo- or hyperglycemic events occurred even if there was no "disastrous" outcome; that is, there should be a greater focus on the individuals who are struggling most with these events. In addition to more "tutoring," a higher degree of remote monitoring (error and warning messages sent to health care providers, etc) can be provided for specific individuals. The types of faults most likely to cause short-term safety problems include an extreme positive sensor bias (sensor reading higher than the actual glucose value), which causes too much insulin to be delivered and creates a danger of hypoglycemia, and a false meal announcement, which could trigger a large meal bolus and again creates a danger of hypoglycemia. On the other side, a large negative sensor bias (sensor reading lower than the actual glucose value) combined with an infusion set failure could lead to extreme hyperglycemia for a period of time, since the controller withholds insulin and the failed set would not deliver it anyway. We have also seen the important role of government regulation, including extensive accident investigation and reporting. In the case of the US chemical process industry this is the CSB, and for US aircraft it is the NTSB. With medical devices the regulating agency is the FDA. The AP clinical trials conducted in the US have involved the development of investigational device exemptions (IDEs), and all trials have a Data and Safety Monitoring Board (DSMB) responsible for reviewing all unanticipated problems and serious device experiences.
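The three fault modes just described (a positive sensor bias, a false meal announcement, and a negative bias combined with an infusion set failure) can be made concrete with a toy closed-loop simulation. The Python example below is added here as an illustration; it is not code from the article or from any artificial pancreas project. The glucose model, the proportional controller, and every gain and threshold in it (TARGET, BASAL, KP, EGP, K_INS, IOB_DECAY, MAX_IOB, REF_EVERY, REF_TOL, SET_WINDOW, SET_RISE, SET_DOSE) are constructed illustration values, not clinical parameters, and the "reference" measurement is an assumed-accurate hourly fingerstick. Each fault is run with and without two simple safety checks of the kind discussed above: a redundancy check that opens the loop (falls back to basal-only delivery) when CGM and reference disagree, and an insulin-on-board cap that bounds the damage a single bad reading or phantom bolus can do. A crude infusion-set check flags glucose that keeps rising although insulin was commanded.

```python
"""Toy closed-loop AP simulation of the fault modes discussed above.
Added illustration only: every constant is a constructed toy value, not a
clinical parameter, and the glucose model is deliberately minimal."""
from dataclasses import dataclass, field
from typing import List, Optional

TARGET = 120.0     # controller set point, mg/dL
BASAL = 0.05       # basal insulin per 5-min step, U (toy)
KP = 0.002         # proportional gain, U per mg/dL of CGM error (toy)
EGP = 2.0          # endogenous glucose appearance, mg/dL per step (toy)
K_INS = 4.0        # glucose lowering per unit of insulin on board, mg/dL per step (toy)
IOB_DECAY = 0.9    # fraction of insulin on board remaining after one step (toy)
MAX_IOB = 1.0      # safety layer: hard cap on insulin on board, U (toy)
REF_EVERY = 12     # safety layer: fingerstick reference every 12 steps (1 h)
REF_TOL = 40.0     # safety layer: |CGM - reference| above this distrusts the sensor
SET_WINDOW = 12    # set-failure check: look back 1 h ...
SET_RISE = 15.0    # ... glucose rose at least this much, mg/dL ...
SET_DOSE = 0.5     # ... although at least this much insulin was commanded, U


@dataclass
class Faults:
    sensor_bias: float = 0.0              # mg/dL added to every CGM reading
    set_failed_at: Optional[int] = None   # from this step on, no insulin reaches the body
    false_meal_at: Optional[int] = None   # step at which a phantom meal is announced
    meal_bolus: float = 3.0               # U delivered on a meal announcement (toy)


@dataclass
class Run:
    glucose: List[float] = field(default_factory=list)    # true glucose after each step
    commanded: List[float] = field(default_factory=list)  # insulin the controller asked for
    open_loop_from: Optional[int] = None  # step at which the sensor was distrusted
    set_fault_step: Optional[int] = None  # step at which set failure was flagged


def simulate(steps: int, faults: Faults, safety: bool) -> Run:
    """Run the toy loop for `steps` 5-min samples, with or without the safety layer."""
    run = Run()
    glucose = TARGET                     # true plasma glucose, mg/dL
    iob = BASAL / (1.0 - IOB_DECAY)      # start at basal equilibrium
    closed_loop = True
    cgm_hist: List[float] = []
    for k in range(steps):
        cgm = glucose + faults.sensor_bias
        cgm_hist.append(cgm)
        # Redundancy check: an assumed-accurate fingerstick once an hour. A large
        # disagreement means the CGM cannot be trusted, so the loop is opened and
        # the pump falls back to basal only (open-loop mode).
        if safety and closed_loop and k > 0 and k % REF_EVERY == 0:
            reference = glucose
            if abs(cgm - reference) > REF_TOL:
                closed_loop = False
                run.open_loop_from = k
        if closed_loop:
            dose = BASAL + KP * (cgm - TARGET)
            if faults.false_meal_at == k:
                dose += faults.meal_bolus
        else:
            dose = BASAL
        dose = max(dose, 0.0)
        if safety:
            # IOB cap: bounds the damage a single bad reading or phantom bolus can do.
            dose = min(dose, max(0.0, MAX_IOB - iob * IOB_DECAY))
        run.commanded.append(dose)
        set_ok = faults.set_failed_at is None or k < faults.set_failed_at
        iob = iob * IOB_DECAY + (dose if set_ok else 0.0)
        glucose = glucose + EGP - K_INS * iob
        run.glucose.append(glucose)
        # Infusion-set check: glucose kept rising although insulin was commanded.
        if run.set_fault_step is None and k >= SET_WINDOW:
            rise = cgm_hist[k] - cgm_hist[k - SET_WINDOW]
            asked = sum(run.commanded[k - SET_WINDOW + 1:k + 1])
            if rise >= SET_RISE and asked >= SET_DOSE:
                run.set_fault_step = k
    return run


# Constructed scenarios mirroring the fault types discussed in the text.
SCENARIOS = {
    "no fault": Faults(),
    "positive sensor bias +60": Faults(sensor_bias=60.0),
    "false meal announcement at 1 h": Faults(false_meal_at=12),
    "infusion set failure at 1 h": Faults(set_failed_at=12),
    "negative bias -60 plus set failure": Faults(sensor_bias=-60.0, set_failed_at=12),
}

if __name__ == "__main__":
    for name, faults in SCENARIOS.items():
        for safety in (False, True):
            r = simulate(72, faults, safety)   # 72 steps = 6 hours
            print(f"{name:36s} safety={safety!s:5s} min={min(r.glucose):6.1f} "
                  f"max={max(r.glucose):6.1f} open_loop_from={r.open_loop_from} "
                  f"set_fault_step={r.set_fault_step}")
```

Under these toy numbers the biased sensor drives the unprotected loop to roughly 55 mg/dL, whereas the protected loop detects the disagreement at the first hourly reference, opens, and bottoms out near 80 mg/dL; the phantom 3 U bolus is cut to what the IOB cap allows; the combined negative-bias-plus-failed-set run ends far above 180 mg/dL even with the loop opened, because detection can only raise an alarm and no insulin reaches the body until the set is replaced. The set check is a single slope-and-dose threshold and would also fire on any fast glucose rise that coincides with commanded insulin, such as an unannounced meal, which is why a usable detector needs more than this.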

Summary

Methods to ensure the safe operation of a closed-loop AP have been placed in the context of safety in the chemical process and commercial air transportation industries. Primary advantages in assuring safety in these other industries include highly trained operators, continuously available maintenance staff, sophisticated alarms and control panels, and redundancy in fault-susceptible equipment; engineering specialists are also available to analyze complex problems, and tuning technicians can retune malfunctioning controllers. An individual with a closed-loop AP has roles in operations and maintenance, in addition to serving as the "system" being controlled.

Appendix: Examples of Chemical Process and Aircraft Disasters

Chemical Process Disasters

Bhopal, 1984. A large number of events over different time scales led to the well-known Bhopal Union Carbide disaster involving the release of methyl isocyanate (MIC) in 1984.49 First, the original plant constructed in the 1960s was simply a blending plant, located in an area with little human population. Over the years the population of Bhopal grew tremendously, with a number of slums growing up around the plant. In the 1970s the local authorities were against an expansion of the plant to produce pesticides, but were overruled by central government authorities. Thus, a full-scale manufacturing plant was located next to a dense population of slums as well as a short distance from downtown and the central train station. It is widely accepted that the disaster was initiated by the deliberate addition of water to an MIC storage tank by a disgruntled employee with the goal of contaminating a batch of product; this resulted in an exothermic reaction that led to a rapid increase in temperature and pressure and the release of deadly MIC gas to the atmosphere. What may be less appreciated is that a number of safety systems that could have prevented this release were not in operation. First, the refrigeration system that could have been used to cool the storage tank had been removed from service. Second, the caustic scrubbing unit that could have removed the toxic gas was shut down. Finally, the flare system that could have combusted the gas was also shut down; all of these equipment shutdowns were management decisions. Thus, while a deliberate act initiated the problem, the lack of operating safety systems led to the ultimate disaster. It should be noted that the chemical process has since been redesigned using inherently safer design techniques that minimize the amount of MIC on site at any time.

Texas City, 2005. In this case, an isomerization unit was being restarted. The unit had a number of failing and miscalibrated sensors and alarms, and proper start-up protocols were not followed. There was also miscommunication between operators at shift change, and inadequate supervision was available. A separation column became overfilled because the actual liquid level in the tower was not known. Heavy, hot liquid was then sent to a local flash drum, and the resulting heavy vapor was released to the atmosphere. This vapor was ignited when a truck engine backfired, causing an explosion that destroyed several trailers next to the unit and killed 15 workers. An investigation revealed a plant history of safety violations; one of the problems was the reward structure for plant managers, who would typically hold the position for only 1 or 2 years before being promoted to other positions in the company. There was also a history of violating the unit start-up procedure during many previous start-ups over a 5-year period. Start-ups and shut-downs are the most dangerous times, with an incident rate 10 times that of normal steady-state operation.50

Aircraft Disasters

US Airways Flight 1549, January 15, 2009. Perhaps the most well-known successful response to a fault that occurred during takeoff was the landing of US Airways flight 1549 on the Hudson River on January 15, 2009.51 After taking off from LaGuardia, the aircraft struck a flock of geese, disabling both engines; Captain Chesley B. Sullenberger III quickly recognized that the plane could not be safely brought into any New York City area airport and that the Hudson River was his only option. Fortunately, ferries and other boats were able to rescue all 155 people on the plane. It should be noted that there are design standards for bird strikes, including the ingestion of birds into engines, that depend on the stage of flight and the number and size of birds.52

Air France Flight 447, June 2009. There are several well-known situations, however, where a failure led to an accident. Air France flight 447, from Rio de Janeiro to Paris in June 2009, suffered icing of the pitot tubes, which are used to measure airspeed.53 The fault detection system automatically switched the control system from automatic to manual mode, placing the pilots in control of airspeed. The aircraft entered a stall and the pilots failed to react appropriately; indeed, it is not clear that they understood the stall warning. One of the pilots continued to erroneously point the nose of the plane upward, when it should have been pointed downward to regain airspeed. Also, the sidesticks used by the left and right pilots operate independently, so if the right pilot moves the stick the motion is not felt by the left pilot. There was even a period when both pilots were attempting to control the same actuator, with one pilot trying to lower the nose while the other continued to raise it; this causes an "averaging" of the two control actions. During this time the captain was taking a rest break because of the long duration of the flight. He was called into the cockpit to assist with troubleshooting but did not take control himself; had he done so, he would most likely have noticed that the actuator was not in the correct position.54

Asiana Flight 214, July 2013. Another recent crash occurred during the landing of Asiana flight 214 in San Francisco in July 2013. The pilots mistakenly believed that the automatic airspeed control (autothrottle) was engaged when it was not, which allowed the plane to come in too low and too slow, undershooting the runway and striking the sea wall.55

Abbreviations

AP, artificial pancreas; ASME, American Society of Mechanical Engineers; CGM, continuous glucose monitor; CSB, Chemical Safety Board; DSMB, Data and Safety Monitoring Board; EPA, Environmental Protection Agency; FDA, Food and Drug Administration; GPS, global positioning system; IDE, investigational device exemption; IMM, interactive multiple model; IOB, insulin on board; MIC, methyl isocyanate; NIDDK, National Institute of Diabetes and Digestive and Kidney Diseases; NTSB, National Transportation Safety Board; PCA, principal components analysis; PISA, pressure-induced sensor attenuation.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Partial support for this work has been provided by grants from the National Institute of Diabetes and Digestive and Kidney Diseases (R01DK085591-03 and R01DK102188-01) and JDRF (22-2013266 and 22-2011-647).

References

1. Baysal N, Cameron F, Buckingham BA, Wilson DM, Bequette BW. Detecting sensor and insulin infusion set anomalies in an artificial pancreas. In: Proceedings of the 2013 American Control Conference. Washington, DC; 2013:2935-2939.
2. Bequette BW. Process Control: Modeling, Design and Simulation. Upper Saddle River, NJ: Prentice Hall; 2003.
3. Industrial process control. Available at: http://www.tb-cconsoles.com/Industries.html. Accessed March 22, 2014.
4. Boeing 787 schematic diagram. Available at: http://www.aerospaceweb.org/aircraft/jetliner/b787/b787_schem_02.gif. Accessed March 22, 2014.
5. Plane crash information. Available at: http://www.planecrashinfo.com.
6. Wheeler TJ, Seiler P, Packard AK, Balas GK. Performance analysis of fault detection systems based on analytically redundant linear time-invariant dynamics. In: Proceedings of the 2011 American Control Conference. San Francisco, CA; 2011:214-219.
7. Frank PM. Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy: a survey and some new results. Automatica. 1990;26(3):459-474.
8. Isermann R. Model-based fault-detection and diagnosis: status and applications. Annu Rev Control. 2005;29:71-85.
9. Venkatasubramanian V. Systemic failures: challenges and opportunities in risk management in complex systems. AIChE J. 2011;57(1):2-9.
10. Leveson NG. A new accident model for engineering safer systems. Safety Sci. 2004;42:237-270.
11. Leveson NG, Stephanopoulos G. A system-theoretic, control-inspired view and approach to process safety. AIChE J. 2014;60(1):2-14.
12. Shivers JP, Mackowiak L, Anhalt H, Zisser H. "Turn it off!": diabetes device alarm fatigue considerations for the present and the future. J Diabetes Sci Technol. 2013;7(3):789-794.
13. Laberge JC, Bullemer P, Tolsma M, Vernon D, Resising C. Addressing alarm flood situations in the process industries through alarm summary display design and alarm response strategy. Int J Ind Ergonomics. 2014;44:395-406.
14. Heinemann L, Krinelke L. Insulin infusion set: the Achilles heel of continuous subcutaneous insulin infusion. J Diabetes Sci Technol. 2012;6(4):954-964.
15. Cope JU, Morrison AE, Samuels-Reid J. Adolescent use of insulin and patient-controlled analgesia pump technology: a 10-year FDA retrospective study of adverse events. Pediatrics. 2008;121(5):e1133-e1138.
16. Guilhem I, Leguerrier AM, Lecordier F, Poirier JY, Maugendre D. Technical risks with subcutaneous insulin infusion. Diabetes Metab. 2006;32:279-284.
17. Patel PJ, Benasi K, Ferrari G, et al. Randomized trial of infusion set function: steel versus Teflon. Diabetes Technol Ther. 2014;16(1):15-19.
18. Heinemann L, Walsh J, Roberts R. We need more research and better designs for insulin infusion sets. J Diabetes Sci Technol. 2014;8(4):199-202.
19. Vega-Hernandez O, Campos-Cornejo F, Campos-Delgado DU, Espinoza-Trejo DR. Increasing security in an artificial pancreas: diagnosis of actuator faults. In: 2009 Pan American Health Care Exchanges (PACHE). Mexico City, Mexico; 2009:137-142.
20. Hovorka R, Canonico V, Chassin LJ, et al. Nonlinear model predictive control of glucose concentration in subjects with type 1 diabetes. Physiol Meas. 2004;25:905-920.
21. Vega-Hernandez O, Campos-Delgado DU, Espinoza-Trejo DR. Actuator fault tolerant control for an artificial pancreas. In: 6th International Conference on Electrical Engineering, Computing Science and Automatic Control. Toluca, Mexico; 2009:1-6.
22. Rojas R, Garcia-Gabin W, Bequette BW. Mean glucose slope: principal component analysis classification to detect insulin infusion set failure. In: Preprints of the 18th IFAC World Congress. Milan; 2011:14127-14132.
23. Cameron F, Bequette BW, Wilson DM, Buckingham BA. Detecting insulin infusion set failure. Paper presented at: Advanced Technologies & Treatments for Diabetes; 2012; Barcelona, Spain.
24. Cameron F, Buckingham BA, Wilson DM, Bequette BW. Extending threshold based detection of infusion set failures. Paper presented at: Diabetes Technology Meeting; 2012; Bethesda, MD.
25. Herrero P, Calm R, Vehí J, et al. Robust fault detection system for insulin pump therapy using continuous glucose monitoring. J Diabetes Sci Technol. 2012;6(5):1131-1141.
26. Helton KL, Ratner BD, Wisniewski NA. Biomechanics of the sensor-tissue interface: effects of motion, pressure, and design on sensor performance and the foreign body response. Part I: theoretical framework. J Diabetes Sci Technol. 2011;5(3):632-646.
27. Helton KL, Ratner BD, Wisniewski NA. Biomechanics of the sensor-tissue interface: effects of motion, pressure, and design on sensor performance and the foreign body response. Part II: examples and application. J Diabetes Sci Technol. 2011;5(3):647-656.
28. Mensh BD, Wisniewski NA, Neil BM, Burnett DR. Susceptibility of interstitial continuous glucose monitor performance to sleeping position. J Diabetes Sci Technol. 2013;7(4):863-870.
29. Baysal N, Cameron F, Buckingham BA, et al. A novel method to detect pressure-induced sensor attenuations (PISA) in an artificial pancreas. J Diabetes Sci Technol. 2014.
30. Bequette BW. Challenges and progress in the development of a closed-loop artificial pancreas. Annu Rev Control. 2012;36:255-266.
31. Revert A, Garelli F, Pico J, et al. Safety auxiliary feedback element for the artificial pancreas in type 1 diabetes. IEEE Trans Biomed Eng. 2013;60(8):2113-2122.
32. Schaeffer NE. The role of human factors in the design and development of an insulin pump. J Diabetes Sci Technol. 2012;6(2):260-264.
33. Finan DA, Zisser H, Jovanovič L, Bevier WC, Seborg DE. Automatic detection of stress states in type 1 diabetes subjects in ambulatory conditions. Ind Eng Chem Res. 2010;49(17):7843-7848.
34. Facchinetti A, del Favero S, Sparacino G, Cobelli C. An online failure detection method of the glucose sensor-insulin pump system: improved overnight safety of type-1 diabetic subjects. IEEE Trans Biomed Eng. 2013;60(2):406-416.
35. del Favero S, Monaro M, Facchinetti A, Tagliavini A, Sparacino G, Cobelli C. Real-time detection of glucose sensor and insulin pump faults in an artificial pancreas. Paper presented at: International Federation of Automatic Control World Congress; 2014; South Africa.
36. Buckingham BA. Clinical overview of continuous glucose monitoring. J Diabetes Sci Technol. 2008;2(2):300-306.
37. Welsh JB, Vargas S, Williams G, Moberg S. Designing the modern pump: engineering aspects of continuous subcutaneous insulin infusion software. Diabetes Technol Ther. 2010;12(S1):S37-S42.
38. Picton PE, Yeung M, Hamming N, Desborough L, Dassau E, Cafazzo JA. Advancement of the artificial pancreas through the development of interoperability standards. J Diabetes Sci Technol. 2013;7(4):1066-1070.
39. Lacey S. How GE's industrial internet is reshaping thermal power generation. Greentech Media; July 16, 2013. Available at: http://www.greentechmedia.com/articles/read/How-GEs-Industrial-Internet-is-Reshaping-Thermal-Power-Generation. Accessed March 13, 2014.
40. Maggiore JB, Kinney DS. Monitoring real-time environmental performance. Aero Q. 2009;3:22-25. Available at: http://www.boeing.com/commercial/aeromagazine/articles/qtr_03_09/pdfs/AERO_Q309_article07.pdf. Accessed March 13, 2014. A brochure providing an overview of the system is available at: http://www.boeing.com/assets/pdf/commercial/aviationservices/brochures/Airplane_Health_Management.pdf.
41. Place J, Robert A, Ben Brahim N, et al. DiAs web monitoring: a real-time remote monitoring system designed for artificial pancreas outpatient trials. J Diabetes Sci Technol. 2013;7(6):1427-1435.
42. Kovatchev BP, Renard E, Cobelli C, et al. Feasibility of outpatient fully integrated closed-loop control: first studies of wearable artificial pancreas. Diabetes Care. 2013;36(7):1851-1858.
43. Lanzola G, Scarpellini S, Di Palma F, et al. Monitoring artificial pancreas trials through agent-based technologies: a case report. J Diabetes Sci Technol. 2014;8(2):216-224.
44. Atlas E. Do we need a remote monitoring system in the product? Paper presented at: CONS 7th ATTD; February 2014; Vienna.
45. Danne T. Do we need a remote monitoring system in the product? Paper presented at: PRO 7th ATTD; February 2014; Vienna.
46. Keith-Hynes P, Guerlain S, Mize B, et al. DiAs user interface: a patient-centric interface for mobile artificial pancreas systems. J Diabetes Sci Technol. 2013;7(6):1416-1426.
47. Dassau E, Jovanovic L, Doyle FJ III, Zisser HC. Enhanced 911/global position system wizard: a telemedicine application for the prevention of severe hypoglycemia: monitor, alert, and locate. J Diabetes Sci Technol. 2009;3(6):1501-1506.
48. Harvey RA, Dassau E, Zisser H, Seborg DE, Jovanovic L, Doyle FJ III. Design of the health monitoring system for the artificial pancreas: low glucose prediction module. J Diabetes Sci Technol. 2012;6(6):1345-1354.
49. Fischer MJ. Union Carbide's Bhopal incident: a retrospective. J Risk Uncertainty. 1996;12:257-269.
50. U.S. Chemical Safety and Hazard Investigation Board. Investigation report: refinery explosion and fire, BP Texas City, Texas. Report no. 2005-04-I-TX. March 2007. Available at: http://www.csb.gov/assets/1/19/csbfinalreportbp.pdf. Accessed February 24, 2014.
51. NTSB. Aircraft accident report: loss of thrust in both engines after encountering a flock of birds and subsequent ditching on the Hudson River, US Airways flight 1549, Airbus A320-214, N106US, Weehawken, New Jersey, January 15, 2009. NTSB number AAR-10/03; NTIS number PB2010-910403. Available at: http://www.ntsb.gov/news/events/2010/hudson_river_ny/. Accessed March 13, 2014.
52. Skybrary. Aircraft certification for bird strike risk (2014). Available at: http://www.skybrary.aero/index.php/Aircraft_Certification_for_Bird_Strike_Risk. Accessed March 17, 2014.
53. BEA. Safety investigation following the accident on 1st June 2009 to the Airbus A330-203, flight AF 447. Available at: http://www.bea.aero/fr/enquetes/vol.af.447/note05juillet-2012.en.pdf. Accessed March 10, 2014.
54. Wise J. What really happened aboard Air France 447. Popular Mechanics. Available at: http://www.popularmechanics.com/technology/aviation/crashes/what-really-happened-aboard-air-france447-6611877-2. Accessed March 16, 2014.
55. Peterson B. What we have learned so far from the Asiana flight 214 investigation. Popular Mechanics. 2013. Available at: http://www.popularmechanics.com/technology/aviation/crashes/what-weve-learned-so-far-from-the-asiana-flight214-investigation-16264162.
