A Review of Safety and Design Requirements of the Artificial Pancreas

As clinical studies with artificial pancreas systems for automated blood glucose control in patients with type 1 diabetes move to unsupervised real-life settings, product development will be a focus of companies over the coming years. Directions or requirements regarding safety in the design of an artificial pancreas are, however, lacking. This review aims to provide an overview and discussion of safety and design requirements of the artificial pancreas. We performed a structured literature search based on three search components—type 1 diabetes, artificial pancreas, and safety or design—and extended the discussion with our own experiences in developing artificial pancreas systems. The main hazards of the artificial pancreas are over- and under-dosing of insulin and, in case of a bi-hormonal system, of glucagon or other hormones. For each component of an artificial pancreas and for the complete system we identified safety issues related to these hazards and proposed control measures. Prerequisites that enable the control algorithms to provide safe closed-loop control are accurate and reliable input of glucose values, assured hormone delivery and an efficient user interface. In addition, the system configuration has important implications for safety, as close cooperation and data exchange between the different components is essential.


INTRODUCTION
For many patients with type 1 diabetes it is difficult to maintain normal blood glucose levels with the currently available therapies, which include multiple daily insulin injections or continuous subcutaneous insulin infusion with or without the use of a continuous glucose monitor. 6 These therapies are all patient-managed; the patient has to make treatment decisions multiple times per day to control his blood glucose and it requires a substantial commitment from the patient in order to reach treatment goals. Multiple factors affect blood glucose and both excessively high and low glucose levels have negative health effects. An artificial pancreas can assist the patient in overcoming these problems by taking over glucose control from the patient in certain situations or even 24 h per day.
The main components of an artificial pancreas are a continuous glucose monitor to assess blood glucose concentration, a set of glucose control algorithms to calculate the amount of insulin needed, and an infusion pump for insulin administration to lower blood glucose. Figure 1 shows a diagram of the artificial pancreas system as discussed in this review article. There is not just one artificial pancreas, as the implementation of these components can differ and more components can be added to the system. Over the past decade multiple research groups and companies have worked to develop artificial pancreas systems, with promising results in clinical studies. 23 At this moment, however, there is still no artificial pancreas system available on the market. The prototype systems that have been used in clinical studies are not yet suitable for daily and independent use by patients.
As clinical studies with artificial pancreas systems move to unsupervised real-life settings, product development will be a focus of companies over the coming years. A crucial aspect in the development and approval of medical devices is patient safety. Because the artificial pancreas aims to automate blood glucose control, which can lead to severe health damage in case of malfunction, its design must meet stringent safety requirements. Besides the clinical safety requirements stated by the Food and Drug Administration (FDA), 72 there are currently no directions or requirements regarding safety in the design of an artificial pancreas. To promote patient safety and facilitate the development of artificial pancreas systems for daily use, this review aims to provide an overview and discussion of safety and design requirements of the artificial pancreas.

METHODS
A structured literature search was performed using PubMed after identification of the MeSH terms and free-text terms, for search in title and abstract, relating to the three search components: type 1 diabetes, artificial pancreas, safety or design. The search query was: ( 24,2016 and resulted in 187 articles, of which 19 articles were excluded based on the title and 16 on the abstract. The excluded articles were not about the artificial pancreas for treatment of type 1 diabetes, were not written in English or were news articles. The remaining articles were read to identify safety issues and design requirements for the artificial pancreas. Subsequently, reviews or other articles that did not add relevant findings or recommendations compared to more recent reviews, and clinical studies or in silico studies that assessed safety but without relevant findings were excluded (95 articles). In addition, 22 articles were selected from reference lists of included articles or the authors' personal databases. The discussion of the safety issues and design requirements was extended with our own experiences in developing artificial pancreas systems.

The Artificial Pancreas
The goal of an artificial pancreas is to achieve adequate mean blood glucose levels and stabilize blood glucose by limiting excursions, while limiting the occurrence of hypoglycemia and hyperglycemia. The adequacy of a patient's mean blood glucose levels is assessed with the glycated hemoglobin (HbA1c) level. The American Diabetes Association recommends a HbA1c level below 7% (53 mmol/mol) for adults with type 1 diabetes, which corresponds to a mean glucose value below 8.6 mmol/l. 1 To reach a mean glucose level below 8.6 mmol/l, intensive insulin therapy is required. However, for most patients it is difficult to anticipate changes in glucose, which is affected, among other things, by insulin dosage, meals and exercise under varying physical and environmental circumstances, and it is not practical for patients to constantly monitor their glucose level and react to it. Furthermore, to avoid hypoglycemia, patients typically prefer slightly hyperglycemic glucose levels over low-normal values, 27 especially before the night or long-term activities. For an artificial pancreas it is possible to continuously monitor the glucose level and adjust insulin dosing, which enables glucose control toward low-normal values 24 h per day.

FIGURE 1. Diagram of the artificial pancreas system containing the three main components, optionally other sensor(s), and alarms. The user is the patient who can interact with the whole system and, if included in the system, announce meals to the control algorithms, as represented by the dotted lines. Solid lines indicate signals and communication between the components. Dashed lines starting from the user represent physiologic measurements and the dashed line to the user indicates the pump action.
The main components (continuous glucose monitor, set of control algorithms, insulin pump) are part of each artificial pancreas system, but the degree of automated glucose control is different. The different systems described here are adopted from the FDA guidance for the development of artificial pancreas systems. 72 The first step toward fully closed-loop glucose control is a Threshold or Low-Glucose Suspend (LGS) system, which is patient-managed therapy. With this system the basal insulin infusion is reduced or suspended when the algorithmic blood glucose estimate reaches or approaches a low glucose value in order to prevent or reduce the severity of hypoglycemia. 9,48 The next step is a Control-to-Range (CTR) system. This system not only reduces the rate of insulin infusion in case of low glucose values, but also may increase insulin dosing if a high glucose value is reached or approached. Between the predetermined low and high glucose value the insulin infusion is not affected by the sensor glucose values. 29 Since the patient has to monitor his blood glucose, set basal insulin rates, and give pre-meal insulin boluses, glucose control with a CTR system is still supervised by the patient. The next logical step is a fully-automated Control-to-Target (CTT) system, which provides closed-loop glucose control by steering the glucose value towards a target level. With a CTT system patients do not have to monitor their blood glucose, but they may have to calibrate the continuous glucose monitor. In addition, hybrid CTT systems exist which are not fully closed-loop systems, because these systems require some input from the patient about meals. Both CTR and CTT systems can be insulin-only or bi-hormonal. A bi-hormonal artificial pancreas uses a second infusion pump to administer a second hormone such as amylin or glucagon as an additional means to control blood glucose levels.
A gradual step toward continuous closed-loop glucose control is evening and overnight closed-loop control at home, which may already substantially impact glucose control as the night period can be hard to manage for patients. 42,44,52 In this review, the term artificial pancreas refers to glucose control systems that require minimal intervention by the patient. Therefore, LGS systems fall outside the scope of this review.

Regulatory Approval
Before patients can use an artificial pancreas in daily practice, the system has to be approved as a medical device by the applicable regulatory authority. For brevity, we only consider the regulatory approval in the United States (U.S.) and the European Union (E.U.). In the U.S. FDA approval is required and in the E.U. a Notified Body has to provide the CE-mark.
Numerous insulin pumps and continuous glucose monitors, and one LGS system are approved and available on the market in the U.S. and E.U. At this moment no CTR or CTT systems are approved worldwide.
For the European regulation of medical devices the artificial pancreas is classified in class IIb. Class IIa, IIb or III require that a Notified Body assesses that the medical device and its quality system are in conformity with the requirements of the Medical Device Directive, which concern safety of the patient and other persons and the intended performance of the device. The company is free to choose any of the around 70 Notified Bodies. All Notified Bodies are assessed by their national Competent Authority, usually (an agency within) the ministry of Health, to ensure that they remain qualified for issuing the CE-mark. Once a CE-mark is obtained for a medical device, the company can market the device in all countries of the E.U.
The FDA regulates artificial pancreas systems as class III device systems. 72 Class III is the highest medical device category and includes devices with high potential risk of injury and devices that are not found to be substantially equivalent to already marketed devices. Class III requires that the artificial pancreas developer submits a Premarket Approval (PMA) application. To get FDA approval, the PMA has to demonstrate that the artificial pancreas is safe and effective for its intended use. Generally, this will require data from clinical studies. Before a clinical study can be started, an Investigational Device Exemption (IDE) needs to be approved by the FDA.
In 2012, the FDA issued a guidance document with recommendations on the content of IDE and PMA applications for artificial pancreas systems. 72 This guidance document followed after the FDA appointed the artificial pancreas as a Critical Path Opportunity in 2006. The Critical Path Initiative of the FDA aims to transform medical product development and evaluation in the U.S. in order to facilitate pre-market approval and promote innovation. The need for such transformation is illustrated by the approval of a LGS system: the FDA approved this system in 2013, whereas CE-mark was already obtained in 2009. 65 Although the FDA guidance contains valuable information on how to demonstrate safety, especially on documentation and clinical evaluation, it does not cover design issues important for the safety of artificial pancreas systems.

Risk Management
Risk management is part of both the CE-marking and FDA approval process to ensure and demonstrate that the design of an artificial pancreas is safe. Risk management is also required for the production process and clinical studies. The international standard for risk management of medical devices is ISO 14971. This standard provides a framework to identify hazards associated with the medical device, estimate and evaluate the risks associated with these hazards, control these risks, and monitor the effectiveness of that control. Together with the user requirements, the risk management should form the basis of the design of an artificial pancreas and it has to be kept up to date during the whole product lifecycle to ensure safety for the patient.
Since the artificial pancreas is a combination of different components, potential hazards will depend on these components. For the artificial pancreas system as a whole, the main hazards are over- and under-dosing of insulin and also of glucagon or other hormones in case of a bi-hormonal system. These hazards may cause severe hypoglycemia, severe hyperglycemia or diabetic ketoacidosis. The clinical requirements for safety are that the incidence of these events should not be increased by the artificial pancreas. 18,72 Because of the combination of different components and glucose control algorithms within an artificial pancreas it may be difficult to assess safety of the composite system without significant clinical testing. Some of the particular risks known to be related to insulin pumps and continuous glucose monitors may be decreased, but also new safety issues related to network effects may emerge. 57,65 In silico simulation of the operation of the entire device network may be useful in uncovering potential safety issues and speeding regulatory approval. 16,21 Furthermore, an artificial pancreas is intended to be used by patients in daily life and not by health care professionals in a predictable environment. Therefore, user-related risks should be carefully evaluated and controlled. The safety issues and control measures described in this article, and summarized in Tables 1 and 2, should be considered in the risk management of an artificial pancreas.

Continuous Glucose Monitor
Accurate glucose measurements are essential for the safety and efficacy of the artificial pancreas. Since regular glucose input is needed for the control algorithms, a continuous glucose monitor has to be part of the artificial pancreas system. Although a variety of new technologies such as implantable glucose sensors are under development, at this moment only subcutaneous enzyme glucose sensors with a coupled transmitter for wireless data transmission are practical for this purpose. These sensors generate a current proportional to the local glucose concentration and through a calibration procedure this current is converted into an estimated blood glucose value. Although currently not approved as a blood glucose reference for insulin dosing, the accuracy and reliability of enzyme glucose sensors continues to improve. 58,69 Large positive sensor deviations from the true glucose value increase the risk of hypoglycemia, whereas sensor under readings increase the risk of hyperglycemia, because of inappropriate insulin delivery. 8,70 In addition, glucagon was less effective in the prevention of hypoglycemia when delivery was delayed because of positive sensor deviations in a bi-hormonal artificial pancreas study. 13 It is important to note that continuous glucose monitors produce a time series rather than a sequence of independent measurements. Although glucose sensor accuracy is often evaluated using the mean absolute relative difference (MARD) between sensor glucose values and paired reference glucose values, researchers have pointed out that MARD analysis underestimates the amount of useful information available within glucose sensor data. A recent assessment indicates that an MARD of <10% should be sufficient to use continuous glucose monitor values as a reference for manual insulin dosing. 40
Recent head-to-head comparison studies of currently available continuous glucose monitors found overall MARDs (SD) of 12.2 (12.0)% and 19.9 (20.5)% at home, 43 and of 12.3 (12.1)%, 10.8 (9.9)%, and 17.9 (15.8)% in an artificial pancreas study. 20 Although absolute relative differences around 12% are acceptable for closed-loop glucose control, the occurrence of large errors is problematic for safe glucose control. 46,76,77 Furthermore, the accuracy of enzyme glucose sensors is less during hypoglycemia compared to eu- and hyperglycemia. 43,46 Several factors contribute to sensor inaccuracy, of which the most known factors are discussed here. The first factor is calibration error. Calibration of the glucose sensor is negatively affected by incorrect estimation of the background current of a sensor, by the use of an inaccurate reference glucose measurement or if calibration takes place during low, high or rapidly changing glucose values. 15 A second factor is sensor delay, which is partly physiologic and partly inherent to the sensor itself and data processing. 15 Thirdly, both slow and transient sensor drift can lead to sensor inaccuracy. 8 Biofouling may reduce sensor output over time, whereas acute inflammation affects the accuracy during the hours after insertion of the sensor. 15 Pressure-induced sensor attenuation may reduce sensor readings for 15-30 min, which mainly occurs overnight. 8 As stated, the accuracy of currently available continuous glucose monitors differs and which sources of sensor error can be mitigated to increase accuracy and reduce the incidence of large errors will also be different. In general, we recommend that the overall MARD should be 15% or less with the sensors calibrated with self-monitored blood glucose (SMBG) values. 34 Glucose sensor performance has to be assessed both in the clinical research center and at home using standardized procedures and multiple analysis methods. 43
Evaluation of these results should result in identification of situations in which the accuracy is reduced and list the incidence of moderate (absolute relative difference ≥20%) and large (absolute relative difference ≥40%) sensor inaccuracies. Implications of these findings for safety of the glucose control have to be described together with appropriate measures to mitigate these risks.
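The evaluation described above can be sketched as follows. This is an added example, not code from the review or from any monitor vendor: it reports MARD (SD) and the incidence of moderate (≥20%) and large (≥40%) inaccuracies overall and per glycemic range. The range boundaries of 3.9 and 10.0 mmol/l and the paired values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Assumed glycemic range boundaries in mmol/l (the review does not define them).
HYPO_BELOW = 3.9
HYPER_ABOVE = 10.0
# Thresholds taken from the review text.
MODERATE_ARD = 20.0   # moderate inaccuracy: absolute relative difference >= 20%
LARGE_ARD = 40.0      # large inaccuracy: absolute relative difference >= 40%


def ard(sensor, reference):
    """Absolute relative difference of one sensor/reference pair, in percent."""
    return abs(sensor - reference) / reference * 100.0


def glycemic_range(reference):
    """Classify a pair by its reference value, not by the sensor value."""
    if reference < HYPO_BELOW:
        return "hypo"
    if reference > HYPER_ABOVE:
        return "hyper"
    return "eu"


def accuracy_report(pairs):
    """pairs: iterable of (sensor, reference) glucose values in mmol/l."""
    groups = {"overall": []}
    for sensor, reference in pairs:
        value = ard(sensor, reference)
        groups["overall"].append(value)
        groups.setdefault(glycemic_range(reference), []).append(value)

    report = {}
    for name, ards in groups.items():
        n = len(ards)
        report[name] = {
            "n": n,
            "mard": round(mean(ards), 1),
            "sd": round(stdev(ards), 1) if n > 1 else 0.0,
            "moderate_pct": round(100.0 * sum(a >= MODERATE_ARD for a in ards) / n, 1),
            "large_pct": round(100.0 * sum(a >= LARGE_ARD for a in ards) / n, 1),
        }
    return report


# Constructed sample data: (sensor, reference) pairs in mmol/l.
PAIRS = [
    (4.5, 3.0), (3.75, 3.0),                          # reference in hypoglycemia
    (5.5, 5.0), (6.0, 6.0), (9.0, 8.0), (5.2, 8.0),   # reference in euglycemia
    (13.2, 12.0), (16.5, 15.0),                       # reference in hyperglycemia
]

if __name__ == "__main__":
    for name, row in accuracy_report(PAIRS).items():
        print(f"{name:8s} n={row['n']} MARD={row['mard']} ({row['sd']})% "
              f">=20%: {row['moderate_pct']}%  >=40%: {row['large_pct']}%")
```

On the constructed data the overall MARD looks moderate while every pair in the hypoglycemic range is a moderate or large error, which is the kind of situation the evaluation is meant to expose.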
Our personal recommendations for measures to reduce inaccuracies due to calibration error are: (1) base the decision to calibrate on the difference between a reference SMBG and the glucose sensor value and not on a predefined time period and (2) only allow calibration in case of euglycemia and stable glucose values or at least warn the user of the risk of a calibration error. The first measure is recommended because SMBGs have their own inaccuracy, both device and user related, that negatively influences sensor accuracy. 34,65,72 Calibration of an acceptably accurate sensor with a SMBG may lead to a decrease of sensor accuracy. Therefore, if a SMBG and sensor value are within each other's accepted error margins, recalibration should not be performed. If the SMBG and sensor value deviate from each other, it is necessary to take a second or even a third SMBG to reduce the probability that an erroneous SMBG is being used for calibration. The artificial pancreas software should be able to determine if one of the three performed SMBGs is an outlier and thus should not be used for calibration. In addition, the artificial pancreas should inform the patient when such a reference SMBG to assess agreement of the glucose sensor has to be performed, for example if a predetermined period (up to 24 h) after the last SMBG has passed and the glucose values are in the normal range and stable, or if two glucose sensors deviate from each other. Arguments to include two (or more) glucose sensors in the artificial pancreas system are discussed in the next paragraph. The second measure reduces the inaccuracy due to uncertain estimates of background current and sensor delay. These estimates should be based on careful evaluation of study results and be included in the calibration algorithm.
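One way to implement the two calibration measures described above, as an added example that is not the authors' algorithm: the decision is driven by sensor/SMBG disagreement, a second and third SMBG are requested before a deviating reference is trusted, an outlying SMBG is discarded, and calibration is deferred outside euglycemia or during rapid change. All numeric limits and the action names are assumptions.

```python
from statistics import mean, median

# All numeric limits below are assumptions for illustration; the review gives none.
EUGLYCEMIA = (3.9, 10.0)   # mmol/l range in which calibration is allowed
MAX_TREND = 0.06           # mmol/l per minute still counted as "stable"
AGREE_ABS = 0.8            # sensor and reference agree within 0.8 mmol/l ...
AGREE_REL = 0.15           # ... or within 15% of the reference
SMBG_TOL_REL = 0.10        # SMBGs further than 10% from their median are outliers


def agrees(sensor, reference):
    """True if sensor and reference are within each other's accepted error margin."""
    return abs(sensor - reference) <= max(AGREE_ABS, AGREE_REL * reference)


def reference_from_smbgs(smbgs):
    """Mean of the mutually consistent SMBGs, or None if fewer than two agree."""
    mid = median(smbgs)
    consistent = [v for v in smbgs if abs(v - mid) <= SMBG_TOL_REL * mid]
    if len(consistent) < 2:
        return None
    return round(mean(consistent), 2)


def calibration_decision(sensor, trend, smbgs):
    """Return (action, reference) for the current sensor value (mmol/l),
    sensor trend (mmol/l per minute) and the one to three SMBGs taken so far."""
    if not 1 <= len(smbgs) <= 3:
        raise ValueError("expected one to three SMBG values")

    if len(smbgs) == 1:
        # Measure 1: do not recalibrate a sensor that agrees with the SMBG.
        if agrees(sensor, smbgs[0]):
            return ("KEEP", None)
        # A single deviating SMBG may itself be wrong: ask for another one.
        return ("REQUEST_SMBG", None)

    reference = reference_from_smbgs(smbgs)
    if reference is None:
        if len(smbgs) < 3:
            return ("REQUEST_SMBG", None)
        return ("SMBG_UNRELIABLE", None)   # three SMBGs, no two of them agree

    if agrees(sensor, reference):
        return ("KEEP", reference)         # the deviating SMBG was the outlier

    # Measure 2: calibrate only in euglycemia with stable glucose, else warn and wait.
    stable = abs(trend) <= MAX_TREND
    in_range = EUGLYCEMIA[0] <= reference <= EUGLYCEMIA[1]
    if stable and in_range:
        return ("CALIBRATE", reference)
    return ("DEFER", reference)


# Constructed cases: (sensor, trend, SMBGs taken so far).
CASES = [
    (6.0, 0.0, [6.4]),
    (6.0, 0.0, [8.0]),
    (6.0, 0.0, [8.0, 6.3]),
    (6.0, 0.0, [8.0, 6.3, 6.1]),
    (6.0, 0.0, [8.0, 8.2]),
    (6.0, 0.1, [8.0, 8.2]),
    (12.0, 0.0, [15.0, 15.2]),
    (6.0, 0.0, [8.0, 6.0, 4.5]),
]

if __name__ == "__main__":
    for sensor, trend, smbgs in CASES:
        print(sensor, trend, smbgs, "->", calibration_decision(sensor, trend, smbgs))
```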
Both artificial pancreas systems with one glucose sensor 30,35,47,52,61,64 and systems with two glucose sensors 36,50,54,74 have been used in clinical studies. At this stage, there is no agreement on whether or not a second sensor is necessary for safety, or whether it is impractical to include a second sensor in the system. One reason to include a second sensor is that unnoticed inaccurate sensor readings may affect glucose control during a substantial period, as SMBGs may only be performed every 12 h (or even up to 48 h); this particularly affects the risk of hypoglycemia. 34,46,65 Averaging multiple sensors can improve accuracy and especially reduce large sensor errors, but may also pose the risk of including inaccurate sensor readings in the blood glucose estimate. 14,76 Also other (additional) strategies are possible to improve accuracy, such as selection of the most accurate sensor 15 and continuous detection of sensor deviations. 32,54 Secondly, if a sensor that has run out or has failed is replaced, it takes hours before the measurements of the new sensor are stable and reasonably accurate, 15 in our experience even over 12 h. During these warm-up hours automated glucose control would not be possible if only one sensor is used, which affects safety. Thirdly, a second sensor provides a back-up in case of loss of communication with the other sensor. Communication aspects of the artificial pancreas system are discussed in the "Combining the Components" section.
Apart from the mentioned measures, sensor accuracy can be improved with different software measures and a combination of measures will be required to address known factors that contribute to inaccuracy. 28 In any case, an artificial pancreas should contain measures that enable detection of sensor inaccuracies and failure. 8,18 Alarms should be given to the patient to check the glucose sensor in case of inaccuracies or the connection in case of lost communication, and to promptly replace the sensor if it fails. Persistent (more than 10-20 min) loss of sensor glucose values should result in safe transition to a fallback therapy, e.g. return to patient specific insulin basal rates. 8,53

Other Sensors
Besides continuous glucose monitoring, other sensors (e.g. heart rate or skin impedance sensors) can be included in the artificial pancreas system with the aim to measure physiological parameters that (indirectly) affect or reflect glucose control. 73 In a review about physiological input for artificial pancreas systems, Kudva et al. suggest systematically determining the efficacy and safety of including the various possible physiological parameters into glucose control algorithms. 45 For the physiological parameters that can be directly or indirectly measured with a sensor, not only safety of the adaptation of the control algorithms is important, but also safety issues regarding the measurement method itself have to be considered. Just as for the glucose sensor, accuracy is the main issue because this may lead to over or under correction of hormone delivery. Accuracy requirements will depend on how much influence the measured parameter can have on the control algorithms. The availability of the measurement, which may be affected by communication between devices or compliance of the patient, also needs to be assessed.
It needs to be demonstrated that in cases where the measurement is not available, but the targeted physiological phenomenon does occur, closed-loop glucose control is still safe.
Besides meals, exercise is considered to be the main challenging perturbation of glucose control in daily life. 8,70 The influence of exercise on blood glucose depends on multiple factors related to the patient, the exercise and the environment and is therefore difficult to include in closed-loop glucose control. 19,45 Unannounced exercise was related to hypoglycemia in a clinical trial in twelve adolescents using closed-loop basal insulin delivery 24 and an in silico trial with 100 virtual patients receiving basal insulin infusion. 67 The authors from both studies indicate that exercise announcement well before exercise will be needed to reduce the insulin delivery in time to prevent exercise-related hypoglycemia, because of the delayed action of subcutaneously infused insulin. Safety concerns of manual announcements to the artificial pancreas include compliance and the difficulty of knowing whether the patient actually did what he announced. Including a sensor to measure exercise will not enable reducing insulin infusion before exercise, but it can be used to reduce insulin infusion during and also after exercise, as exercise also influences glucose concentrations several hours after exercise. 22,45 Especially for exercise performed before the evening this may be an additional measure to reduce the risk of hypoglycemia. 51 Sensors that are being investigated to measure exercise for closed-loop glucose control include accelerometers, heart rate and temperature sensors. In general, a sensor to measure exercise should only be included into an artificial pancreas if it reduces the risk of hypoglycemia. 19

Glucose Control Algorithms
The brain of the artificial pancreas consists of the algorithms that control the patient's blood glucose concentration. This set of algorithms has to take over the glucose management from the patient and is the truly innovative component of the artificial pancreas. Therefore, research groups around the world have been focusing on the development of effective and safe glucose control algorithms. Many different control algorithms have been designed and evaluated, most of them being model predictive control, proportional-integral-derivative control, or fuzzy logic control. 23 Evaluation of control algorithms is now successfully moving from supervised clinical research centers, and supervised out-of-hospital settings to unsupervised overnight use. 70 Effective and safe automated glucose control during uncontrolled real-life situations, including irregular food intake, alcohol, stress, exercise and all kinds of spontaneous activities, will be the next step and challenge for the control algorithms.
The delayed action of subcutaneously infused insulin is the main difficulty for glucose control algorithms. Pharmacodynamic action of rapid-acting insulin peaks roughly around 90 min and action may persist up to 8 h. Insulin pharmacokinetics was found to have substantial variability between patients. 7 Furthermore, the insulin sensitivity of a patient may vary due to several factors, which act on different time scales (from hours to years). 33,45,68,75 Another aspect that has to be considered when designing control algorithms is the inaccuracy of the continuous glucose monitor, especially at lower and rapidly changing blood glucose values.
Irrespective of the type of control, algorithms have to be developed using design requirements tailored to the target population, its environment and treatment goals. 23 At this moment, it is not possible to design algorithms that include all relevant situations and parameters that influence or are influenced by glucose concentration, insulin, and glucagon sensitivity. 45 Therefore, glucose control algorithms have to be responsive to changes in glucose trends and compensate for short term (timescale of hours) changes in insulin sensitivity at all times. The time interval at which the control algorithms determine the output should normally be on the order of 15 min, with each incoming glucose measurement being used to update the system estimate. Individualization of the control algorithms is needed to account for insulin sensitivity, but probably also for glucagon. 45 Strategies to estimate insulin sensitivity include amongst others patient's weight or total daily insulin need based on current treatment, which may be corrected for high HbA1c levels. 56,76 Individualization also implies that automatic adaptation of the individual parameter(s) is required during the course of closed-loop treatment with a time scale of days. Non-automatic adaptation introduces a risk of over- or under-dosing, since patients or health care providers may not (in time) notice the need for adaptation. Automatic adaptation can differ from relatively simple to advanced methods, but should consider the occurrence of hypo- and hyperglycemic events since these are the precursors of severe adverse events. 8 Glucose swings typically result from over-dosing and are one sign of insufficient adaptation of the control algorithms to the patient. 79 In addition, glucose control algorithms should contain multiple specific measures to further mitigate the risk of hypoglycemia. 11,23
Options are to calculate the insulin-on-board to explicitly take the delayed action of insulin into account, to use algorithms that predict hypoglycemia and consequently reduce or stop insulin infusion, or to use pre-programmed basal insulin rates as the starting point for insulin delivery and only cautiously increase these if glucose values increase. 23,56,62,77 These measures are, however, not expected to be able to prevent hypoglycemia in all daily life situations, because of the prolonged action of insulin and because only one-way control is possible with insulin. 34,63,76 To further mimic physiologic glucose control and mitigate the risk of hypoglycemia, the use of glucagon may become an important safety measure, 4,63,76 especially for fully automated systems for day and night closed-loop glucose control. For successful glucagon action, the insulin-on-board should be taken into account, as high insulin levels at the time of glucagon delivery limit the effect of glucagon. 3,13 Moreover, it should not be possible that control algorithms deliver both insulin and glucagon at the same time. 78 Before glucagon can be widely used in the artificial pancreas, a glucagon formulation that is stable for at least a week should become available on the market and the effectiveness of repeated glucagon administration has to be assessed. 76 In a recently published study, Castle et al. demonstrated in eight adults with type 1 diabetes that glycogen stores and the hyperglycemic response were maintained after repeated glucagon administration. 12 Finally, alarms should be given to recommend the patient to take carbohydrates in case hypoglycemia does occur. 23 Furthermore, glucose control algorithms can depend on manual announcements to indicate certain events. Meal announcements are often part of control algorithms, because this enables the delivery of an insulin bolus to minimize postprandial hyperglycemia.
Although on average such systems resulted in higher amount of time in range compared to systems without meal announcement, these are not fully automated closed-loop systems and human errors can affect system safety. 23 Potential errors include forgetting announcements and incorrect carbohydrate estimation which is quite common due to its difficulty, 7 as well as different food intake than was announced. The associated risks have to be assessed for each system, as these will depend on the specific meal announcement strategy. 17,25,26,30 These strategies vary from carbohydrate counting 61 to a qualitative announcement of the size and type of meal, e.g. "typical" and "dinner". 64 Some final general requirements can be given for control algorithms. It should be possible to safely stop the glucose control for at least 15 min, for example for personal care and maintenance operations, such as replacing a glucose sensor or insulin cartridge. In case of maintenance operations, the glucose control should automatically stop and either automatically restart or prompt the patient to manually restart. In addition, it must be very clear for the patient whether the automated glucose control is functioning or not. 8 If a patient has to take over the glucose control in case of failure of one or more components, he must be able to see the insulin (and glucagon) delivery history. Furthermore, control algorithms should be able to handle a few missing sensor glucose values, as this is likely to occur, but should not determine control actions if no glucose values are available for more than a certain amount of time which will be dependent upon the control algorithm (typically 10-20 min). If no control actions can be determined by the control algorithms this should result in safe transition to a fallback therapy and alarms should warn the patient. 8
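The general requirements above can be expressed as a supervisory layer between the control algorithms and the pump(s). The following is an added sketch, not code from the review or from any artificial pancreas product: it tolerates a few missing sensor values, switches to a fallback basal rate with an alarm after a timeout, blocks simultaneous insulin and glucagon delivery, and supports a maintenance pause with a restart prompt. The 20 min timeout is the upper end of the review's 10-20 min range; the 15 min prompt delay, delivering nothing when both hormones are proposed, automatic return from fallback, the names and the trace are assumptions.

```python
from dataclasses import dataclass

SENSOR_TIMEOUT_MIN = 20   # review: "typically 10-20 min"; upper bound assumed here
PAUSE_PROMPT_MIN = 15     # assumption: prompt the patient to restart after 15 min


@dataclass(frozen=True)
class Command:
    mode: str             # "CLOSED_LOOP", "FALLBACK" or "PAUSED"; always shown to the patient
    insulin_u: float      # insulin to deliver this cycle (units)
    glucagon_mg: float    # glucagon to deliver this cycle (mg)
    alarms: tuple = ()


class Supervisor:
    """Safety layer called once per control cycle, also while paused."""

    def __init__(self, fallback_basal_u_per_h, start_min=0):
        self.fallback_basal_u_per_h = fallback_basal_u_per_h
        self.last_glucose_min = start_min
        self.last_step_min = start_min
        self.paused_since = None

    def pause(self, now_min):
        self.paused_since = now_min

    def resume(self):
        self.paused_since = None

    def step(self, now_min, glucose, insulin_u, glucagon_mg):
        """glucose is None when no sensor value arrived; the doses are the
        control algorithm's proposal for this cycle."""
        elapsed = now_min - self.last_step_min
        self.last_step_min = now_min
        if glucose is not None:
            self.last_glucose_min = now_min

        if self.paused_since is not None:
            overdue = now_min - self.paused_since >= PAUSE_PROMPT_MIN
            return Command("PAUSED", 0.0, 0.0, ("RESTART_PROMPT",) if overdue else ())

        # A few missing values are tolerated; a persistent gap is not.
        if now_min - self.last_glucose_min > SENSOR_TIMEOUT_MIN:
            basal = self.fallback_basal_u_per_h * elapsed / 60.0
            return Command("FALLBACK", basal, 0.0, ("SENSOR_LOST",))

        if insulin_u < 0 or glucagon_mg < 0:
            return Command("CLOSED_LOOP", 0.0, 0.0, ("INVALID_DOSE",))
        # Interlock: never deliver both hormones in the same cycle.
        if insulin_u > 0 and glucagon_mg > 0:
            return Command("CLOSED_LOOP", 0.0, 0.0, ("DUAL_HORMONE_BLOCKED",))
        return Command("CLOSED_LOOP", insulin_u, glucagon_mg)


# Constructed trace: (minute, sensor glucose or None, proposed insulin U,
# proposed glucagon mg, user event).
TRACE = [
    (5, 6.1, 0.20, 0.0, None),
    (10, None, 0.15, 0.0, None),
    (15, None, 0.15, 0.0, None),
    (20, None, 0.15, 0.0, None),
    (25, None, 0.15, 0.0, None),    # 20 min without data: still within the limit
    (30, None, 0.15, 0.0, None),    # 25 min without data: fallback therapy
    (35, 7.0, 0.30, 0.05, None),    # faulty proposal: both hormones at once
    (40, 3.8, 0.0, 0.10, None),
    (45, 4.6, 0.0, 0.0, "pause"),   # e.g. replacing an insulin cartridge
    (60, None, 0.0, 0.0, None),
    (65, 5.5, 0.10, 0.0, "resume"),
]


def run_trace(trace, basal_u_per_h=1.2):
    supervisor = Supervisor(fallback_basal_u_per_h=basal_u_per_h)
    commands = []
    for minute, glucose, insulin_u, glucagon_mg, event in trace:
        if event == "pause":
            supervisor.pause(minute)
        elif event == "resume":
            supervisor.resume()
        commands.append(supervisor.step(minute, glucose, insulin_u, glucagon_mg))
    return commands


if __name__ == "__main__":
    for (minute, *_), command in zip(TRACE, run_trace(TRACE)):
        print(minute, command)
```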

Infusion Pump
The infusion pump delivers the amount of insulin (or glucagon) prescribed by the control algorithms. To enable adequate glucose control with an artificial pancreas, this hormone delivery has to be accurate and reliable. At this moment, infusion pumps for subcutaneous insulin administration are used in artificial pancreas systems. Two subtypes are available: the traditional insulin pump that uses an infusion set with relatively long tubing and the patch pump that is directly adhered to the skin and includes a very short (not visible) infusion set. The traditional pumps can suffer from tubing issues, whereas patch pumps can have problems with adherence and the separate controller. 2

Compared to the previously described artificial pancreas components, little can be found about safety issues for infusion pumps in artificial pancreas systems. We did not find issues with the accuracy of insulin delivery for the artificial pancreas, but issues with infusion set failures and the delivery site are common in insulin pump therapy. 31 Infusion set kinking, occlusion, leakage or dislocation may result in underdelivery of insulin or glucagon. Furthermore, local tissue alterations, such as lipohypertrophy, edema, and fibrosis may further delay insulin action. 45 As problems with the hormone delivery can have serious consequences for a patient using an artificial pancreas, subcutaneous infusion needs to become more reliable through better understanding of the physiological processes and developing improved infusion sets. 31,53 At least the following two measures should be included in artificial pancreas systems to ensure safety with current infusion sets. First, to prevent clotting in the tube or catheter, a small 'maintenance' bolus should be given if no dose was given for a long period through that infusion set. 32 Second, timely detection of delivery failures is very important as these may stay unnoticed by the patient for a substantial period of time. 18,65 The software should be able to detect both obstructed delivery (by using feedback from the pump) and delivery without the expected effect on glucose concentration due to e.g. leakage, dislocation or local tissue alterations (based on control actions and feedback from glucose sensors). In case of such an event the patient should be warned and instructed to take appropriate actions. Good fixation of the infusion set(s) is important, which can be facilitated by recommending appropriate infusion sets and instruction of the patient.
Additional safety measures should be included that prevent over-dosing due to various software or hardware failures. Feedback from the pump should be obtained when the delivery is finished indicating the status of the delivery and how many units have actually been delivered. If this response is not received in time, based on the calculated time that it should take, the system must determine the status of the insulin delivery by querying the pump, otherwise the insulin-on-board cannot be correctly calculated. If the software is unable to reliably communicate with the pump then closed-loop control must cease and the system must revert to a safe mode of operation. A top safety layer should examine all insulin requests and block or reduce requests that the algorithm deems unsafe. Furthermore, maximum insulin (and glucagon) amounts that may be given per specific time periods should be defined based on the individual settings of the control algorithms. 30,72 In case such a maximum amount has been delivered by the pump, the current dosing should be stopped.
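The checks described in this section (a top safety layer that blocks or reduces requests, maximum amounts per time period, pump feedback with a timeout and query, no simultaneous insulin and glucagon, and no control actions on stale glucose values) are shown together below as an added example; it is not code from this review or from any artificial pancreas product. The numeric limits, the 300 s separation between hormones, and the names `SafetyLayer` and `query_pump` are assumptions made for illustration.

```python
from collections import deque

# Constructed sample limits for illustration only; not clinical settings.
LIMITS = {
    "window_s": 3600,                              # rolling window for the dose cap
    "max_units": {"insulin": 3.0, "glucagon": 1.0},
    "max_cgm_age_s": 15 * 60,                      # review: typically 10-20 min
    "hormone_gap_s": 300,                          # assumed insulin/glucagon separation
}

class SafetyLayer:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.mode = "closed_loop"                  # or "fallback" / "safe_mode"
        self.alarms = []
        self.delivered = deque()                   # (time, hormone, units) confirmed by pump
        self.pending = None                        # (hormone, feedback_deadline)

    def _enter(self, mode, alarm):
        self.mode = mode
        self.alarms.append(alarm)

    def review(self, now, hormone, units, last_cgm_time):
        """Return (approved_units, reason) for one request from the control algorithm."""
        lim = self.limits
        if self.mode != "closed_loop":
            return 0.0, self.mode
        if self.pending is not None:               # delivered amount still unknown
            return 0.0, "awaiting_pump_feedback"
        if now - last_cgm_time > lim["max_cgm_age_s"]:
            self._enter("fallback", "no recent glucose values")
            return 0.0, "stale_glucose"
        while self.delivered and now - self.delivered[0][0] > lim["window_s"]:
            self.delivered.popleft()               # drop doses outside the window
        if any(h != hormone and now - t < lim["hormone_gap_s"]
               for t, h, _ in self.delivered):
            return 0.0, "other_hormone_active"
        used = sum(u for _, h, u in self.delivered if h == hormone)
        approved = min(units, max(lim["max_units"][hormone] - used, 0.0))
        if approved <= 0:
            return 0.0, "window_cap_reached"
        return approved, "ok" if approved == units else "reduced"

    def sent(self, now, hormone, expected_s, margin_s=10):
        """A dose command went to the pump: start the feedback timer."""
        self.pending = (hormone, now + expected_s + margin_s)

    def feedback(self, now, units_delivered):
        """Pump reported completion: log what was actually delivered."""
        if self.pending is None:
            return
        self.delivered.append((now, self.pending[0], units_delivered))
        self.pending = None

    def tick(self, now, query_pump):
        """If feedback is overdue, query the pump; no answer means safe mode."""
        if self.pending is None or now <= self.pending[1]:
            return
        units = query_pump()                       # hypothetical callable; None = no reply
        if units is None:
            self.pending = None
            self._enter("safe_mode", "pump communication lost")
        else:
            self.feedback(now, units)
```

The layer only counts doses the pump has confirmed, so a lost confirmation stops further dosing until the pump has been queried rather than letting the cap be computed from requested amounts.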
For bi-hormonal artificial pancreas systems, safety measures have to be taken that prevent switching of insulin and glucagon and thus delivery of the wrong hormone. Separate pumps for insulin and glucagon delivery have to be included in the system. These pumps should have separate drivers to reduce the chance of activating the wrong pump. Importantly, it should be impossible to place an insulin cartridge in the glucagon pump or vice versa by the design of the pump chambers. In addition, the connection between the cartridge and infusion set should be different for insulin and glucagon, for example by using Luer-lock and a proprietary connection. An extra measure is that the infusion sets for insulin and glucagon are distinguishable by color, marks or text. In that case the patient has additional visual information about which infusion set is for which hormone, which is especially useful for lengthy tubes, to assure for example that during flushing the right tube will be disconnected from the cannula.
Finally, the use of pre-filled insulin (and glucagon) cartridges is preferred. Compared to cartridges that have to be filled by the patient, this requires less human interaction which reduces the risk of errors.

Combining the Components
The different components of an artificial pancreas have to be combined to form one system. Close cooperation and data exchange between these components are essential. 72 If one of the main components or its communication is not working properly, the whole system is affected and the automated glucose control will be compromised or interrupted, which increases the risk of over- or under-dosing. To date, wearable artificial pancreas systems used in clinical studies are typically composed of commercially available continuous glucose monitors, insulin pumps and consumer electronics devices, such as a smartphone or tablet, that serve as the platform on which the control algorithms run. This platform also enables communication between the devices and acts as the interface between the system and the user. These separate devices used to construct an artificial pancreas system are as of yet not approved for this particular application. Combining components from different diabetes technology companies is a challenging task as proprietary data and communication protocols are common. 59 The reliability and security of wireless communication between the components and the accompanying power consumption are considered to be weak points of these artificial pancreas systems and should be solved to increase the safety for use in daily life. 23,41,69,71 Furthermore, using consumer electronics and its operating system as a medical device like the artificial pancreas raises regulatory questions about safety and reliability, for example about interference of other applications or operating system updates. 58

The type of configuration chosen has a significant effect upon performance and capabilities of the system. Various groups have pursued different system design philosophies. One approach is to attempt to minimize the risk of system failures by integrating the different components of the artificial pancreas system. 10,49 Fewer separate devices may reduce failures of communication, high power consumption due to wireless communication, unauthorized remote control or access to software, and use or storage of invalid data. 57 Other groups have chosen a modular approach to system design, which allows the various wirelessly connected components a degree of autonomous operation which is designed to support "graceful degradation" of the system in the event that one or more components or system links fail. 38 For each separate device using wireless communication the advantages and disadvantages regarding functionality and safety should be evaluated to determine if the risks are acceptable. Furthermore, communication directions and frequency, and data and system security measures should be carefully assessed. Recently, the Diabetes Technology Society released the Cybersecurity Standard for Connected Diabetes Devices, which aims to provide a framework for specifying the security requirements for these devices and how to independently assure that these are met. 39 The main requirements consider cryptography, secure and authorized communication with devices, and integrity protection of software and data.

An important issue in this discussion is the communication with the glucose sensor(s), as this will likely be wireless using a radio transmitter. The transmitted radio waves do not travel well through water and thus communication can get lost if the body is between the transmitter and receiver. For the artificial pancreas that depends on glucose sensor values during all kinds of activities and with different device wear positions, we believe this issue is an important safety constraint which has not yet received sufficient attention in research. The communication losses reported for studies under well controlled circumstances give an indication of the extent of this issue. 54,55 The associated risks and possible mitigation measures will have to be carefully investigated in clinical studies performed under controlled and uncontrolled real-life situations. It may turn out that wired communication (e.g. in combination with the infusion set) or improved wireless communication techniques are indicated.
The device(s) must be designed to have as low power consumption as possible. Battery life should ideally last several days to minimize battery change or charge, although for some systems overnight charging may be possible, indicating that a battery life of 18-24 h may be sufficient. If chargeable batteries are used, charging should be possible with a widely available connector and adaptor as people may forget to bring their charger. The same applies to replaceable batteries; these should be widely available. A second power consideration is that it has to be assured that simultaneous activation of multiple electronic components that use high power does not lead to tasks not being performed or a device shutdown. This might for example be the case for wireless communication together with an active pump. Thirdly, data and settings essential for correct functioning of the control algorithms should be stored in a memory that is not affected by empty or changing batteries (non-volatile memory).
Dedicated operating system and software, developed and tested according to the standard IEC 62304, are typically used to ensure stable and safe functioning of each device. However, the FDA has recently indicated a willingness to consider permitting the use of consumer software such as operating systems for mobile devices such as smartphones. The potential safety issues, e.g. difficulties with software upgrades, of using such a solution will need to be carefully evaluated. Modular software design is recommended as it enables flexibility and facilitates testing and obtaining regulatory approval. 56 Redundancy of essential elements is a known strategy to increase safety in other processes or systems. 8 As discussed, this can be applied to the glucose monitoring, but another essential element is the processor. If the processor fails or becomes corrupted, this can be detected with a second 'safety processor' that checks or guards essential functions performed by the main processor. This safety processor should activate a safety mode in which the pumps are immediately stopped and the patient is warned with alarms. Moreover, the two processors should preferably be from different manufacturers, to reduce the chance of mutual software or hardware errors.

Alarms
Alarms are a mitigation measure for faults that are detected by the system but that cannot be solved by the system on its own. Alarms provided by the artificial pancreas or the accompanying remote monitoring application may warn the patient, her relatives, important others or health care providers. The risk reduction due to alarms depends on the effectiveness of the fault detection, how the alarm is given and the reaction of the warned person. A safety issue raised by the alarms themselves is that if too many alarms occur, including less important and false alarms, the alarms may be ignored or incorrect action may be taken in response to the alarm. 8 To enhance safety provided by alarms, the system should contain only a restricted number of alarms, which are the important alarms that require action from the patient. As the artificial pancreas provides automated glucose control, low and high glucose values that can be solved by the system itself should not lead to alarms. In addition, multiple ways of giving an alarm should be included in the system, such as sound, speech, vibration and visual information, and it should be evaluated if each alarm is adequately noticed and understood by the user. Alarms given to others by a remote monitoring application should ideally not be part of the risk mitigation measures of the artificial pancreas; safety should not rely on other devices (including delays or failures in data transmission) and people besides the artificial pancreas and its user. 53,60 However, remote monitoring can be a valuable tool for safety in clinical trials and to gain knowledge about the treatment and device functioning, for example for parents and health care professionals, but also for device development or quality control. 58

User Aspects
The patient will have to use the artificial pancreas every day and it is therefore emphasized that user acceptance and interaction play an important role in the design of safe devices for diabetes treatment. 72,57,60,66 Although glucose control will be automated with an artificial pancreas, the patient has to perform daily maintenance to enable the system to function properly. There will be frequent interaction between the patient and the system, because of the need for SMBG input, sufficiently charged batteries and changes of infusion sets, cartridges and glucose sensors, and to react to alarms. Experienced technical difficulties and interruptions in daily living are considered to be a concern for the acceptance of artificial pancreas systems. 5 Several measures can be taken to improve the ease of use and acceptance of the system. This will reduce user errors and facilitate truly continuous use by the patients, which increases safety as interruption of the glucose control increases the chance of hypo- and hyperglycemia. For all aspects that require interaction with the user, the patient should be involved in the design using appropriate human factors methods such as usability studies. 66 Especially the user interface is important, which should be intuitive, guided by clear marks and text, and indicate the status of the different components and required actions. 37 Mechanical aspects such as device shape, size and connections should also be evaluated. Besides, the psychosocial impact of the system needs to be assessed and considered in the different design phases. 5 The artificial pancreas will be worn during all kinds of activities, so it should ideally be weather-, play- and sport-proof. 72 Furthermore, the user manual and training of the patient can add to safe use of the artificial pancreas. Both have to focus on the maintenance actions and understanding and recognizing system failures including how to handle the possible alarms. The user manual should not be too extensive and the instruction should be tailored to the patient.

CONCLUSION
Compared to current diabetes treatment, the artificial pancreas holds promise but adds challenging safety issues because it combines several components into one system and takes over glucose control from the patient.
To design a safe artificial pancreas, the configuration and implementation of the different components should be directed by risk management. For safety issues that cannot be sufficiently solved by design, timely detection of faults is necessary to alarm the patient. Prerequisites that enable the control algorithms to provide safe closed-loop glucose control are accurate and reliable input of glucose values, assured hormone delivery and an efficient user interface.
Ongoing and future out-of-hospital and unsupervised studies will teach us more about the occurrence of safety issues and the effectiveness of mitigation measures, but the latter may first have to be demonstrated in controlled studies. 72 We should, however, remember that it is not possible to guarantee 100% safety and insisting on this will limit innovation, while patients and their families and health care providers are eagerly waiting for the artificial pancreas to become available on the market. Perfect should not become the enemy of good. Therefore, the goal should be to develop an artificial pancreas that is as safe as possible based on current knowledge and technical possibilities, for which direction is given in this review. As glucose control is an evolving process, corrective actions remain possible in case of failures as long as these situations are being noticed by the patient.
The establishment of registries to collect data on patients' clinical variables, device use and failures may contribute to post-market improvements in safety of artificial pancreas systems. Technological advancements that will likely contribute most to safety are faster acting insulins, more accurate glucose sensors and more reliable wireless communication.

OPEN ACCESS
This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.