Software Engineering (2011 - 9th Edition)

The document discusses three types of systems: embedded systems for medical devices, information systems for managing patient data, and sensor-based data collection systems for environmental monitoring. It provides detailed examples, including an insulin pump control system that automates insulin delivery for diabetics, a patient information system for mental health care, and a wilderness weather station that collects climate data. Each system is designed with specific requirements for reliability, safety, and data management to ensure effective operation in their respective fields.

18 Chapter 1 ■ Introduction

include physical size, responsiveness, power management, etc. The example of an
embedded system that I use is a software system to control a medical device.
2. An information system This is a system whose primary purpose is to manage
and provide access to a database of information. Issues in information systems
include security, usability, privacy, and maintaining data integrity. The example
of an information system that I use is a medical records system.
3. A sensor-based data collection system This is a system whose primary purpose
is to collect data from a set of sensors and process that data in some way. The
key requirements of such systems are reliability, even in hostile environmental
conditions, and maintainability. The example of a data collection system that
I use is a wilderness weather station.

I introduce each of these systems in this chapter, with more information about
each of them available on the Web.

1.3.1 An insulin pump control system


An insulin pump is a medical system that simulates the operation of the pancreas (an
internal organ). The software controlling this system is an embedded system, which
collects information from a sensor and controls a pump that delivers a controlled
dose of insulin to a user.
People who suffer from diabetes use the system. Diabetes is a relatively common
condition where the human pancreas is unable to produce sufficient quantities of a
hormone called insulin. Insulin metabolises glucose (sugar) in the blood. The
conventional treatment of diabetes involves regular injections of genetically engineered
insulin. Diabetics measure their blood sugar levels using an external meter and then
calculate the dose of insulin that they should inject.
The problem with this treatment is that the level of insulin required does not just
depend on the blood glucose level but also on the time of the last insulin injection.
This can lead to very low levels of blood glucose (if there is too much insulin) or very
high levels of blood sugar (if there is too little insulin). Low blood glucose is, in the
short term, a more serious condition as it can result in temporary brain malfunctioning
and, ultimately, unconsciousness and death. In the long term, however, continual high
levels of blood glucose can lead to eye damage, kidney damage, and heart problems.
Current advances in developing miniaturized sensors have meant that it is now
possible to develop automated insulin delivery systems. These systems monitor blood sugar
levels and deliver an appropriate dose of insulin when required. Insulin delivery systems
like this already exist for the treatment of hospital patients. In the future, it may be
possible for many diabetics to have such systems permanently attached to their bodies.
A software-controlled insulin delivery system might work by using a
micro-sensor embedded in the patient to measure some blood parameter that is proportional
to the sugar level. This is then sent to the pump controller. This controller computes
the sugar level and the amount of insulin that is needed. It then sends signals to a
miniaturized pump to deliver the insulin via a permanently attached needle.
1.3 ■ Case studies 19

[Figure 1.4 Insulin pump hardware. Components shown: insulin reservoir, needle assembly, pump, clock, sensor, controller, alarm, display1, display2, power supply.]

[Figure 1.5 Activity model of the insulin pump. Elements shown: blood sensor, analyze sensor reading, blood sugar, compute insulin, insulin log, insulin dose, log dose, compute pump commands, pump data, control insulin pump, insulin pump.]

Figure 1.4 shows the hardware components and organization of the insulin
pump. To understand the examples in this book, all you need to know is that the
blood sensor measures the electrical conductivity of the blood under different
conditions and that these values can be related to the blood sugar level. The
insulin pump delivers one unit of insulin in response to a single pulse from a
controller. Therefore, to deliver 10 units of insulin, the controller sends 10 pulses to
the pump. Figure 1.5 is a UML activity model that illustrates how the software
transforms an input blood sugar level to a sequence of commands that drive the
insulin pump.
Clearly, this is a safety-critical system. If the pump fails to operate or does not
operate correctly, then the user’s health may be damaged or they may fall into a
coma because their blood sugar levels are too high or too low. There are, therefore,
two essential high-level requirements that this system must meet:

1. The system shall be available to deliver insulin when required.
2. The system shall perform reliably and deliver the correct amount of insulin to
counteract the current level of blood sugar.

[Figure 1.6 The organization of the MHC-PMS. Elements shown: three MHC-PMS Local systems, the MHC-PMS Server, and the Patient Database.]
The system must therefore be designed and implemented to ensure that the
system always meets these requirements. More detailed requirements and discussions
of how to ensure that the system is safe are discussed in later chapters.

1.3.2 A patient information system for mental health care


A patient information system to support mental health care is a medical
information system that maintains information about patients suffering from mental
health problems and the treatments that they have received. Most mental health
patients do not require dedicated hospital treatment but need to attend specialist
clinics regularly where they can meet a doctor who has detailed knowledge of
their problems. To make it easier for patients to attend, these clinics are not just
run in hospitals. They may also be held in local medical practices or community
centers.
The MHC-PMS (Mental Health Care-Patient Management System) is an
information system that is intended for use in clinics. It makes use of a centralized database of
patient information but has also been designed to run on a PC, so that it may be accessed
and used from sites that do not have secure network connectivity. When the local
systems have secure network access, they use patient information in the database but they
can download and use local copies of patient records when they are disconnected. The
system is not a complete medical records system so does not maintain information
about other medical conditions. However, it may interact and exchange data with other
clinical information systems. Figure 1.6 illustrates the organization of the MHC-PMS.
The MHC-PMS has two overall goals:

1. To generate management information that allows health service managers to
assess performance against local and government targets.
2. To provide medical staff with timely information to support the treatment of
patients.

The nature of mental health problems is such that patients are often disorganized
so may miss appointments, deliberately or accidentally lose prescriptions and
medication, forget instructions, and make unreasonable demands on medical staff. They
may drop in on clinics unexpectedly. In a minority of cases, they may be a danger to
themselves or to other people. They may regularly change address or may be
homeless on a long-term or short-term basis. Where patients are dangerous, they may need
to be ‘sectioned’—confined to a secure hospital for treatment and observation.
Users of the system include clinical staff such as doctors, nurses, and health
visitors (nurses who visit people at home to check on their treatment). Nonmedical users
include receptionists who make appointments, medical records staff who maintain
the records system, and administrative staff who generate reports.
The system is used to record information about patients (name, address, age, next
of kin, etc.), consultations (date, doctor seen, subjective impressions of the patient,
etc.), conditions, and treatments. Reports are generated at regular intervals for
medical staff and health authority managers. Typically, reports for medical staff focus on
information about individual patients whereas management reports are anonymized
and are concerned with conditions, costs of treatment, etc.
The key features of the system are:

1. Individual care management Clinicians can create records for patients, edit the
information in the system, view patient history, etc. The system supports data
summaries so that doctors who have not previously met a patient can quickly
learn about the key problems and treatments that have been prescribed.
2. Patient monitoring The system regularly monitors the records of patients that
are involved in treatment and issues warnings if possible problems are detected.
Therefore, if a patient has not seen a doctor for some time, a warning may be
issued. One of the most important elements of the monitoring system is to keep
track of patients who have been sectioned and to ensure that the legally required
checks are carried out at the right time.
3. Administrative reporting The system generates monthly management reports
showing the number of patients treated at each clinic, the number of patients
who have entered and left the care system, number of patients sectioned, the
drugs prescribed and their costs, etc.

Two different laws affect the system. These are laws on data protection that govern
the confidentiality of personal information and mental health laws that govern the
compulsory detention of patients deemed to be a danger to themselves or others. Mental
health is unique in this respect as it is the only medical speciality that can recommend
the detention of patients against their will. This is subject to very strict legislative
safeguards. One of the aims of the MHC-PMS is to ensure that staff always act in
accordance with the law and that their decisions are recorded for judicial review if necessary.
As in all medical systems, privacy is a critical system requirement. It is essential that
patient information is confidential and is never disclosed to anyone apart from
authorized medical staff and the patient themselves. The MHC-PMS is also a safety-critical
system. Some mental illnesses cause patients to become suicidal or a danger to other
people. Wherever possible, the system should warn medical staff about potentially
suicidal or dangerous patients.

[Figure 1.7 The weather station’s environment. Elements shown: «system» Weather Station, «system» Data Management and Archiving, «system» Station Maintenance.]

The overall design of the system has to take into account privacy and safety
requirements. The system must be available when needed otherwise safety may be
compromised and it may be impossible to prescribe the correct medication to patients.
There is a potential conflict here—privacy is easiest to maintain when there is only a
single copy of the system data. However, to ensure availability in the event of server
failure or when disconnected from a network, multiple copies of the data should be
maintained. I discuss the trade-offs between these requirements in later chapters.
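
One way to express the privacy rule above in code, as an added example that is not from the book: identifiable records go only to clinical staff or the patient concerned, management reports carry anonymized counts, and every access decision is logged. The role names are taken from the text; the mapping of roles to permissions, the record fields, and all function names are assumptions, and the sample records are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Role names come from the text; which roles get which access is an assumption.
CLINICAL_ROLES = {"doctor", "nurse", "health visitor"}
REPORTING_ROLES = {"administrative staff"}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # one of the staff roles above, or "patient"

# Constructed sample records, not real data.
RECORDS = {
    "p1": {"name": "Patient One", "clinic": "North", "sectioned": False},
    "p2": {"name": "Patient Two", "clinic": "North", "sectioned": True},
    "p3": {"name": "Patient Three", "clinic": "East", "sectioned": False},
}
AUDIT_LOG = []  # every access decision is kept, whether allowed or denied

def _audit(user, action, target, allowed):
    AUDIT_LOG.append((user.user_id, user.role, action, target, allowed))
    return allowed

def view_record(user, patient_id):
    """Identifiable data: clinical staff, or the patient the record is about."""
    is_self = user.role == "patient" and user.user_id == patient_id
    allowed = patient_id in RECORDS and (user.role in CLINICAL_ROLES or is_self)
    if not _audit(user, "view_record", patient_id, allowed):
        # Same error for "unknown id" and "not permitted", so the reply
        # does not reveal whether a record exists.
        raise PermissionError(f"{user.role} may not view record {patient_id}")
    return dict(RECORDS[patient_id])  # copy, so callers cannot edit the store

def management_report(user):
    """Anonymized counts per clinic; no names or patient ids are returned."""
    allowed = user.role in REPORTING_ROLES
    if not _audit(user, "management_report", "*", allowed):
        raise PermissionError(f"{user.role} may not run management reports")
    treated = Counter(r["clinic"] for r in RECORDS.values())
    sectioned = Counter(r["clinic"] for r in RECORDS.values() if r["sectioned"])
    return {c: {"treated": n, "sectioned": sectioned[c]} for c, n in treated.items()}
```

Keeping denied attempts in the same log as granted ones is what lets a later review see who tried to read a record as well as who did.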

1.3.3 A wilderness weather station


To help monitor climate change and to improve the accuracy of weather forecasts in
remote areas, the government of a country with large areas of wilderness decides to
deploy several hundred weather stations in remote areas. These weather stations
collect data from a set of instruments that measure temperature and pressure, sunshine,
rainfall, wind speed, and wind direction.
Wilderness weather stations are part of a larger system (Figure 1.7), which is a
weather information system that collects data from weather stations and makes it
available to other systems for processing. The systems in Figure 1.7 are:

1. The weather station system This is responsible for collecting weather data,
carrying out some initial data processing, and transmitting it to the data
management system.
2. The data management and archiving system This system collects the data from
all of the wilderness weather stations, carries out data processing and analysis,
and archives the data in a form that can be retrieved by other systems, such as
weather forecasting systems.
3. The station maintenance system This system can communicate by satellite
with all wilderness weather stations to monitor the health of these systems and
provide reports of problems. It can update the embedded software in these
systems. In the event of system problems, this system can also be used to
remotely control a wilderness weather system.

In Figure 1.7, I have used the UML package symbol to indicate that each system
is a collection of components and have identified the separate systems, using the
UML stereotype «system». The associations between the packages indicate there is
an exchange of information but, at this stage, there is no need to define them in any
more detail.
Each weather station includes a number of instruments that measure weather
parameters such as the wind speed and direction, the ground and air temperatures,
the barometric pressure, and the rainfall over a 24-hour period. Each of these
instruments is controlled by a software system that takes parameter readings periodically
and manages the data collected from the instruments.
The weather station system operates by collecting weather observations at
frequent intervals—for example, temperatures are measured every minute. However,
because the bandwidth to the satellite is relatively narrow, the weather station carries
out some local processing and aggregation of the data. It then transmits this
aggregated data when requested by the data collection system. If, for whatever reason, it is
impossible to make a connection, then the weather station maintains the data locally
until communication can be resumed.
Each weather station is battery-powered and must be entirely self-contained—there
are no external power or network cables available. All communications are through a
relatively slow-speed satellite link and the weather station must include some mechanism
(solar or wind power) to charge its batteries. As they are deployed in wilderness areas,
they are exposed to severe environmental conditions and may be damaged by animals.
The station software is therefore not just concerned with data collection. It must also:

1. Monitor the instruments, power, and communication hardware and report faults
to the management system.
2. Manage the system power, ensuring that batteries are charged whenever the
environmental conditions permit but also that generators are shut down in
potentially damaging weather conditions, such as high wind.
3. Allow for dynamic reconfiguration where parts of the software are replaced
with new versions and where backup instruments are switched into the system
in the event of system failure.

Because weather stations have to be self-contained and unattended, this means
that the software installed is complex, even though the data collection functionality
is fairly simple.
