A Hybrid Automata Approach for Monitoring the Patient in the Loop in Artificial Pancreas Systems

The use of automated insulin delivery systems has become a reality for people with type 1 diabetes (T1D), with several hybrid systems already on the market. One of the particularities of this technology is that the patient is in the loop. People with T1D are the plant to control and also a plant operator, because they may have to provide information to the control loop. The most immediate information provided by patients that affects performance and safety are the announcement of meals and exercise. Therefore, to ensure safety and performance, the human factor impact needs to be addressed by designing fault monitoring strategies. In this paper, a monitoring system is developed to diagnose potential patient modes and faults. The monitoring system is based on the residual generation of a bank of observers. To that aim, a linear parameter varying (LPV) polytopic representation of the system is adopted and a bank of Kalman filters is designed using linear matrix inequalities (LMI). The system uncertainty is propagated using a zonotopic-set representation, which allows determining confidence bounds for each of the observer outputs and residuals. For the detection of modes, a hybrid automaton model is generated and diagnosis is performed by interpreting the events and transitions within the automaton. The developed system is tested in simulation, showing the potential benefits of using the proposed approach for artificial pancreas systems.


Introduction
Type 1 diabetes (T1D) is a serious metabolic disease characterized by an autoimmune destruction of the insulin-producing β-cells in the pancreas and subsequent insulin deficiency. Insulin is a hormone that allows glucose uptake from the blood into cells, either to be used as fuel or stored for future use. Low levels of insulin inevitably lead to high blood glucose (BG) concentrations, known as hyperglycemia, which can also lead to long-term complications [1,2]. Current therapies are based on administering exogenous insulin using devices such as insulin pumps or pens [3,4].
Artificial pancreas (AP) is a closed-loop (CL) system in which insulin is delivered automatically by adjusting a pump's insulin infusion rate depending on continuous glucose monitor (CGM) readings [5]. CGM sensors measure glucose subcutaneously and provide an estimate of current BG levels. Many different control strategies for AP are available in the literature [5][6][7]. AP systems have been an important focus of research and discussion over the last years, with a multitude of clinical trials being conducted world-wide [8]. There is clinical evidence that suggests that using an AP is safe, robust, and efficacious for people with T1D when compared to traditional open-loop therapy [7,8].
However, AP technology is not exempt of risks during operation [9]. It is especially critical to take into account the concept of patient-in-the-loop in the design phase for this kind of technology [10], because ultimately, patients will wear and operate APs. Patients will have to provide inputs, maintain the system, and ideally undertake training before using any AP. Therefore, the patient will play a significant role in any configuration-a clear example is the Medtronic MiniMed 670G AP [11]. Undoubtedly, research is trying to find solutions that reduce the impact of patient behaviors and decisions. Therefore, any developed AP must implement fault tolerant control (FTC) strategies to mitigate faults and ensure and maintain stability, performance, and safety for the patient.
In the context of FTC research for AP systems, most of the literature is focused on fault detection (FD) and fault identification (FI) for either the CGM [12,13] or insulin pumps [14][15][16][17]. Only few tackle the issue of how the patient-in-the-loop affects the system and what potential faults may arise from it [9]. Developed strategies to detect specific patient behaviors exist, however, they were not developed for safety but as ad-hoc approaches for control. Most of the approaches involving the patient estimate the glucose rate of appearance to allow AP to operate without meal announcement [18][19][20][21][22][23]. Other strategies try to detect when patients exercise and modify or adapt their control strategy accordingly [24,25]. In any case, the roads being followed are either hybrid systems, which rely on patient input, or fully CL systems. The patient-in-the-loop paradigm links both approaches allowing fully CL systems to operate, but also to rely on contrasted patient input information to enhance performance and safety. Hence, patient modes and inputs should be monitored and potential faults must be uncovered for fully CL systems that may from time to time may use patient information. Here, a patient operational mode is defined by its significantly different system dynamics, for example the increased insulin sensitivity during aerobic exercise. Additionally, patient inputs are considered as any action that the patient can perform with direct implications to BG control.
The aim of this work is to provide robust and safe solutions to deal with the patientin-the-loop in AP systems. In the context of diabetes and AP systems, the patient should be considered as part of the control loop [26]. Depending on the system configuration, the patient may have to take the role of an actuator or a sensor, besides being the plant to control. Specifically, the subjects will be considered actuators performing the control action of eating the recommended carbohydrates (CHO) [27] or informing about meal consumption or exercise. It is known that patient information can be erroneous, for example, studies show that patients have significant estimation errors when counting CHO [28]. Therefore, the detection and monitoring of patient modes can be used to help the control system in maintaining performance and safety despite patient faults. Considering the patient-in-the-loop, the monitoring of system modes can be aided by the feed-forward information provided by the patient. That information is inherently affected by uncertainty and must be checked to exclude any possible fault.
The implemented approach is a model-based FD system and can work with any kind of hybrid or fully CL control architecture that announces meals and/or uses insulin and/or CHO as a control action. The physiology of a person with T1D is subjected to highly nonlinear phenomena. A way of extending traditional linear system theory to nonlinear systems is by means of the linear varying parameter (LPV) paradigm [29]. Here, this approach will be used for modeling T1D subjects. Then, we design a bank of polytopic Kalman filters by solving the dual of the linear quadratic control (LQC) problem and imposing constraints on the system stability and performance by using linear matrix inequalities (LMI). Dealing with system uncertainties in model-based approaches is known to be an important factor. In this work, we use a deterministic approach using zonotopes to build interval observers (IO). The resulting bank of IO will be used to generate a set of residual signals online. A hybrid automaton (HA) is built based on a configuration of normal and faulty patient modes. Transitions between modes are done by analyzing the patient input events and checking the residuals consistency. This paper is organized as follows: Section 2 presents the problem formulation and briefly describes the control system. Section 3 describes the patient monitoring system. Section 4 describes the modeling process of a T1D patient. Section 5 is focused on the residual generation by designing IO. In Section 6, in-silico benchmarks are proposed to evaluate the monitoring system. Finally, Sections 7 and 8 include the discussion and conclusions from this work.

Problem Statement
The Spanish consortium on artificial pancreas and diabetes technology (eSCAPE) has developed a multivariable hybrid AP system for the regulation of glucose to cope with the two disturbances that have the biggest effect on BG, meals, and exercise. The system uses both insulin and CHO as control actions to maintain BG in the euglycemic range 70-140 mg/dL. The insulin feedback loop is based on a proportional-derivative (PD) controller with insulin feedback (IFB) that integrates a safety layer with insulin-on-board (IOB) constraints and sliding mode reference conditioning (SMRC) [30,31]. The second feedback loop uses a predictive PD controller with a quantization system that encourages the patient to consume CHO if there is danger of hypoglycemia [27]. Both control loops are coordinated by using coupled carbohydrates-on-board (COB) inhibition signals that ensure that insulin and CHO control actions are effective and not mutually counteracted.
The system has recently been upgraded with additional modules to enhance performance and safety when exercise is announced. If patients announce exercise, a feed-forward controller will adapt the insulin gains and, if required, the consumption of a snack will be suggested [32]. Furthermore, we included an adaptive IOB system to enhance postprandial control [33]. This control system has already been tested in clinical trials against meals and exercise and has showed promising results [34][35][36]. The overall control strategy is depicted in Figure 1 and is the control system that will be used in this work.  Figure 1. Multivariable hybrid AP. The black blocks and signals are elements from the insulin feedback loop, the blue from the CHO feedback loop, the red from the feed-forward exercise control, the violet is the IOB adaptive algorithm and the orange block is the patient to control.
This system is a hybrid AP where the patient takes fundamental roles. We want to address the patient-in-the-loop situation that arises when using patients as an operator and as the plant to control. In this configuration, patients play a sensor role when announcing meals and exercise. They also play an actuator role when the CHO controller suggests rescue CHO. Therefore, patients can introduce errors into the system that could eventually lead to faults. We consider patient-in-the-loop faults as poorly estimated meal boluses, when patients do not follow the CHO controller recommendations, or when the dynamical plant is behaving in an unexpected manner.

Materials and Methods
In this work, we develop a system for the detection of patient modes by using the scheme proposed in [37] based on creating a HA model that presents as many states as patient modes. For mode detection, we will generate a set of residual signals. Checking at every time instant which residuals are consistent with the current mode, we can detect the change of mode. Residuals will be generated by using a bank of zonotopic Kalman filters.

Hybrid Automaton
The HA has been developed based on [37]. The idea behind using an HA is to mimic real patient operational modes and transitions. Using this approach, the HA is defined by the following components, Q is the set of modes. Each of the modes q i ∈ Q represents an operational mode of the patient. The set of modes is constituted by nominal and faulty operational modes, i.e., Q = Q N ∪ Q F . Particularly, we consider three nominal operational modes and three faulty modes, see Figure 2; 2.
X ⊆ R n x defines the state space of the system on each of the modes x(k) ∈ X , where x(k) is the state space vector. U ⊆ R n u and Y ⊆ R n y define the continuous input and output spaces. In this work, the input space includes both insulin, rescue CHO and meal inputs, and the output space only considers the CGM measurements. G defines the set of discrete time state functions and H is the set of discrete time output functions; 3.
This set of events can be split into spontaneous mode switching events Σ S , input events Σ C and fault events Σ F . Spontaneous switching events are unknown events that may produce transitions between modes in the real patient. For example, an unannounced meal may lead to a spontaneous transition to the meal operational mode, even if that event (eating) is unknown to the system. Input events are defined by patient actions, such as announcing meals or exercise. Fault events are defined by checking the consistency of the residuals and the ending transitioning mode; 4. F is the set of possible faults. For each faulty mode q i ∈ Q F the system has a specific f i ∈ F , which is associated with a fault event Σ F ; 5.
T : Q × Σ → Q is the transition function. Transitions from one mode q i to another mode q j are labeled by an event σ ∈ Σ. Transitions labeled as σ f ∈ Σ F indicate that the transition is a faulty transition.
The HA operational modes and transitions for the patient are presented in Figure 2. Three automata modes define the normal operation for the system. These modes were selected for its differentiated dynamics and significance during operation. Transitions between and to these modes are labeled Σ S ∪ Σ C = {σ 1 , σ 2 , . . . , σ 13 } and include input patient information about meals and exercise, and events triggered by the consistency of residuals. Transitions to faulty modes are possible depending on the current operation mode. The set Σ F = {σ f 1 , σ f 2 , . . . , σ f 7 } represent the fault events. Some of these faults may be structural (faults in the actuator) such as not eating rescue CHO or injecting inappropriate boluses for meals.

Online Diagnoser
The online diagnoser is responsible of the mode change detection within the HA. At every sampling time k, the patient observable events Σ C and the generated residuals are processed and used by the hybrid diagnosis to detect specific modes or faults. Patient-inthe-loop faults are detected when a triggered transition leads to one of the faulty modes, see Figure 2.
Normal Operation The consistency of the residuals is checked at every sampling time against the designed thresholds. A potential mode change is detected if the residuals violate any of the thresholds. Then, a binary signature vector (F) is generated and checked with the admissible rows of the fault signature matrix (FSM). The FSM is a binary matrix that displays the signatures required to move from one automaton mode to another. A signature is used to describe a configuration of symptoms that may lead to a transition. Each of the rows of the FSM are related to each of the possible automaton transitions T . Hence, the FSM has as many rows as possible events σ (n σ = 20) and as many columns as existing automaton modes (n m = 6).
This can be viewed as having a total of n m different subsets of FSMs for each of the HA modes. For example, the FSM associated to the mode q 1 is as follows The FSM q1 will only be used when the current HA mode is q 1 . Then, the binary signature vector F 1×n m is constructed at every sampling time. Elements f i of F are computed as where i = 1, · · · , n m indicates the binary residual generated by the appropriate observers for the current operation mode at time instant k, M ≤ n o accounts for possible residual combinations that may be used to generate the binary signal, n o is the total number of observers, t l r i and t u r i are the lower and upper interval residual bands generated by the i-th zonotopic observer. Essentially, if the observer predicted band does not include the zero residual, then the real system behavior cannot be explained and a fault is triggered by that residual signal. The vector F is then compared element-wise to each of the rows of the appropriate FSM q i . If the signature F is not matched by any of the rows of the particular FSM q i , then transition detection is not possible and the HA stays at the current mode.

Observable Events Processing
Using a binary transition and fault detection system might not be enough for detection if several signatures have the same binary combination, i.e., they are not isolable. For that reason, the transitions may be aided with external information, such as input events, the sign of the residuals and by the value and trend of the measured variables. In this work, the system makes use of patient information, if available, such as meal/exercise announcements. Particularly, we consider the following transitions based on the FSM and patient information:

1.
Meal and Postprandial Mode Detection: Transitions between the meal/postprandial mode (q 1 ) and the resting/fasting mode (q 3 ) happen when in normal operation. If meals are announced, the system can instantly switch to the meal/postprandial mode and if in a designed period of 15 min the meal observer does not explain the system behavior, a transition to the meal faulty mode (q 6 ) will be triggered. In the situation where both meal and rest residuals are consistent, the system returns to the resting/fasting operational mode.

2.
Altered Sensitivity Periods Detection: Transitions σ 1 , σ 2 , σ 5 , and σ 6 to and from the changed insulin sensitivity mode (q 2 ) are considered. Similarly to σ 4 , the transition events σ 1 and σ 6 are activated if the altered sensitivity residual is consistent with the observations. In this approach, an altered sensitivity period is caused when performing aerobic physical activity. Then, if exercise is announced, a transition to the q 2 mode can instantly happen if the altered sensitivity residuals are consistent. Transition events σ 2 and σ 5 are triggered if the meal or the rest residuals consistency are valid and the altered insulin sensitivity residual is not. If the consistency of both residuals generated by the meal and rest observers are satisfied, then the binary FSM cannot tell which transition to execute. In such a case, prior patient inputs can be used to decide if a transition needs to be made. If the residual from the altered sensitivity observer is no longer consistent, the residual with minimum absolute value is picked as the next transition event to be processed.

3.
Misestimated Meals Detection: The AP used in this work requires patients to announce meals. Announcing a meal means that the patient needs to provide two inputs: (1) the time when the meal is going to be consumed and (2) the quantity of CHO in grams of that meal. The detection of a misestimated meal (q 6 ) involves the transition events σ 9 , σ 10 , σ f 3 and σ f 4 . Transition towards q 6 is possible through events σ f 3 and σ f 4 . If a meal is not announced while being on mode q 3 and the rest observer is not consistent, then the CGM signal is checked. If CGM is higher than 160 mg/dL and the trend for the last 30 min is positive, a transition to mode q 6 happens. Contrarily, if the meal is announced, then transition event σ f 3 might be triggered when in mode q 1 , if the meal observer is not consistent.

4.
Missed Rescue Carbohydrates Detection: Two types of rescue CHO are considered: (1) feed-forward rescue CHO when exercise is announced and (2) rescue CHO suggested by the feedback controller. This control action is a source of potential patient-inthe-loop faults in free living conditions. Patients may forget to consume the suggested CHO or they will simply not consume them for other physiological reasons, such as weight gain. Transitions to the faulty rescue CHO mode (q 4 ) are expected through events σ f 6 or σ f 7 , which are only checked when the controller triggers a recommendation of CHO. Transitions σ 8 , σ 11 and σ 13 return the HA to normal operational modes, respectively to q 2 , q 1 and q 3 . These transitions are exclusive, meaning that if any of the meal, rest or altered sensitivity observer residuals are consistent, a transition to any of the aforementioned normal operation modes will be triggered.

Modeling of T1D Patients
In this section, the model used for the design of observers is presented. Several dynamical models are available in the literature to describe normal and impaired glucose metabolism in humans. One of the early models and most likely the most used is the socalled minimal model [38], which only consists of three state variables and is able to capture some of the underlying glucose dynamics. Since then, many other models have appeared such as the more complex Food and Drug Administration (FDA) accepted UVA/Padova T1D Simulator [39]. Selecting a model for the design of observers is crucial and one has to trade off precision and complexity with simplicity and usability. Particularly, complex glucose models may present observability issues because only one variable is measured. For that reason, we use a modified version of the Hovorka nonlinear model [40], which is of intermediate complexity [41].

The Reduced Hovorka Model
The model used in this work is a reduced version of the nonlinear Hovorka model [40] as proposed in [42]. Figure 3 shows the whole block diagram of both model versions. It is a compartmental model with four main sub-systems: carbohydrate absorption, subcutaneous insulin absorption, insulin action on glucose uptake and removal, and the BG dynamics.

Insulin subsystem
Carbohydrate absorption Insulin action Glucose subsystem The simplified model excludes the states I(t), x 2 (t) and x 3 (t). By doing this reduction, not only have we decreased the system complexity, but most importantly we have improved the structural behavior of the overall model. Notice the new direct connections from node S 2 to Q 1 and Q 2 . Those connections greatly simplify any observability issues since more relations between different states are considered. The removed states define insulin dynamics and are described byİ The reduced model is obtained by considering the steady state value of the removed states into the rest of the equations. One can easily obtain the following steady state relations which leads to Plugging these equations into the original Hovorka model and removing the aforementioned states leads to the final model where u(t) is the exogenous insulin infusion (basal and bolus), Q 1 and Q 2 are the masses of glucose in the accessible and non-accessible (not measurable) compartments, respectively, S 1 and S 2 define the insulin absorption rate dynamics and F R and F c 01 are defined as The original Hovorka model assumes that the compartment G represents the measurable glucose concentration and defines it as G(t) = Q 1 (t)/V g . However, one can use any other CGM model available in the literature.
The glucose absorption sub-system can be defined separately aṡ where U g is the rate of carbohydrate absorption, d(t) is the input meal content in grams and D 1 and D 2 are glucose compartments. If meals are considered in the model, the state vector is simply extended with states D 1 and D 2 .

Model Parameters and Individualization
For the purpose of state estimation, we use the model constants and mean parameter values presented in [40] and summarized in Table 1.

Parameter
Value Description The model is firstly individualized by the patient's weight. The patient weight alters the insulin sensitivity parameters and the available glucose and insulin distribution volumes. However, this might not be sufficient to characterize highly varying patients and therefore model predictions will be inherently erroneous. To address this individualization issue, the insulin sensitivity parameters are adapted based on the fasting patient glucose and basal infusion rate. Then, a new tuning parameter η is introduced and obtained by solving the steady state of the original model were f(S 1 , S 2 , x 1 , x 2 , x 3 , I, Q 2 , η) represents the non-linear model equations and η is a factor that multiplies the insulin sensitivity S f IT , S f ID and S f IE terms.

Linear Parameter Varying Model
LPV systems are linear time varying systems whose state-space system matrices depend on a vector of varying parameters. These parameters can be estimated online or measured. Then, the continuous system representation is given bẏ where A(Φ(t)) ∈ R n x ×n x , B(Φ(t)) ∈ R n x ×n u , C(Φ(t)) ∈ R n y ×n x and D(Φ(t)) ∈ R n y ×n u are the system state space matrices that depend on the varying time-dependent vector Φ(t) ∈ R l . The vector of varying parameters Φ(t) depends at the same time on some measurable signals ρ ∈ R n Φ , referred to as scheduling variables, that can be estimated using an appropriate scheduling function where p : R l → R n Φ is a continuous mapping. If the vector of scheduling variables depend on some internal variables, such as internal states, the system is called quasi-LPV [43]. In this work, the system is strictly proper, with input and output matrices being invariant B(Φ(t)) = B, C(Φ(t)) = C and D(Φ(t)) = 0. Particularly, the reduced Hovorka nonlinear model can be transformed into the LPV representation (12) using the nonlinear embedding approach proposed in [43]. This approach is based on embedding the system nonlinearities inside the scheduling parameters of the LPV model. Then, the following state space matrices are obtained for the reduced Hovorka model in LPV form with the following output equation y(t) = Q 2 (t)/V g measurable from the CGM sensor.
The following terms have constant values (15) and the nonlinearities can be embedded in the following terms Furthermore, if measurements of Φ are available, and its admissible range of operation is known where Φ i and Φ i are the lower and upper bounds of each element in Φ, then we can put the parameter vector Φ into polytopic form [44,45] where N = {1, . . . , 2 n Φ }. This transformation is known as the bounding box method, because Φ is the convex hull generated by vertex ω i . Hence, a polytopic representation of the system is obtained by the state space matrices defined at the different vertex of the convex hull Using this approach, the system (12) can be represented as a weighting function of the system matrices at the polytope verticeṡ where µ(i) are the membership functions. Basically, at any given time instant the state space system description is obtained by a linear interpolation of the system matrices at the polytope vertices. The weighting function is defined as in [46] with where j = 1, . . . , n Φ and each element of the vector Φ is known and varies in a known interval Φ j (k) ∈ Φ j , Φ j . The scheduling variables for the reduced Hovorka model can be defined as leading to four linear time invariant (LTI) systems that will conform the vertices of the polytope. Notice that this representation is not unique and other scheduling variables can be chosen depending on the model. The operational range for these variables is attached in Table 2. The original continuous time system can be discretized using a number of discretization methods. In this work, we use the zero order hold approach with a sampling time of 5 min, which is a common measurement rate provided by CGM devices. Then, the continuous polytopic system (20) takes the following discrete-time representation where A d,i (Φ) ∈ R n x ×n x , B d,i (Φ) ∈ R n x ×n u , C d,i (Φ) ∈ R n y ×n x and D d,i (Φ) ∈ R n y ×n u are the discretized state space matrices for the i-th vertex.

Residual Generation
The AP systems are characterized by having few sensors and actuators. Therefore, to monitor the system and patient state, observers are designed for the purpose of generating residuals. However, only little information is available for AP systems. In most cases, the only information available from sensors is the CGM glucose measurements. To tackle this limitation, the design of a robust state estimator for residual generation has been considered in this section.

Design Method
Residual generation is based on the state estimation using the polytopic LPV model (26) by means of a Kalman filter of the following form werex ∈ R n x are the estimated states and L(Φ) ∈ R n x ×n y is the observer gain defined as and L i are the observer gains for each one of the systems at the vertices of the polytope. Prior to the observer design, the observability property is checked. A total of 2 n Φ observability matrices are generated, for each one of the vertex polytopic representations . . .
then, the system is observable if each observability matrix is of full rank, i.e., rank(O) = n x . The observer gain can be designed by solving the associated LQC dual problem [47]. Given the system description (26), tuning matrices Q = Q T = H T H ≥ 0, R = R T > 0 and the performance bound γ. Then, the observer gains for the polytopic system are obtained by finding Υ and W i through the solution of the following LMI minimization problem subject to where q = 0 and r = 1 are the center and radius of a unitary circle respectively and I n x is the identity matrix of size n x . Note that constraints (33) are not mandatory to solve the original LQC problem [47]. However, they guarantee the stability of the observer system. In this paper, the process disturbances (ω ∈ R n x ) and measurement noise (υ ∈ R n y ) are unknown but assumed to be bounded and represented by zonotopes where c ω and c υ are the centers of the process disturbances and measurement noise zonotopes, with the generator matrices being R ω ∈ R n x ×n x and R υ ∈ R n y ×n y . Then, according to [48] the polytopic observer in (27) can be converted into a zonotopic state estimation observer by computing the center and the generator matrix of the state observer, i.e., X = c x , R x , at every single step as follows with L being defined in Equation (28) and where E ω and E v are the distribution matrices of the state disturbance and measurement noise vectors, respectively.

The Bank of Observers
The bank of interval zonotopic observers is designed to generate appropriate residual signals. The residual signals have to be sensitive to specific mode changes. Therefore, several observers based on variations of the reduced Hovorka model have been considered. Each of the observers tackle one specific mode of operation. A total of four different observers have been designed (n o = 4): 1.
Meal observer: Observer designed to track meal and postprandial periods for announced meals. It allows the system to detect faults in meal estimations and erroneous boluses. It includes the whole Hovorka model with two extended states related to CHO consumption. Its state space vector is defined by The CHO model time constant t maxG is set to 40 min as in [40]; 2.
Resting and fasting observer: Observer designed to track night and in-between disturbances periods. Its state space vector is defined by We assume that sleeping periods are characterized by having no disturbances affecting the system and/or the effect of previous disturbances is small. For this reason, the observer is designed considering only insulin inputs. Consistent estimations should be provided by this observer during periods similar to steady state periods, i.e., resting or fasting periods; 3.
Altered insulin sensitivity observer: Observer designed to track periods with increased sensitivity, for example during aerobic exercise sessions. The model parameter η has been increased by a trial and error procedure to match simulated aerobic exercise sessions based on clinical results [32]. Its state space vector is defined by Rescue carbohydrates observer: Observer designed to detect a specific patient-in-the-loop control action. The presented control approach uses CHO as a counter-regulatory action to prevent hypoglycemia. This observer takes the insulin and CHO controller actions as its inputs. The goal of the observer is to monitor the adherence of the patient to the rescue CHO. Its state space vector is defined by The CHO model time constant t maxG is set to 20 min as in [27].
Each of the designed observers return a full state space interval estimationx 1 ,x 2 , . . .x n o . Then, using those estimations, the interval residuals are computed based on the state bounding zonotopeX (k) with the following residual center (c r ) and generator matrix R r Hence, the FD test is based on checking the following condition A fault (or change of mode) is triggered when 0 is not included in the zonotope < c r (k) R r (k) >. To reduce the computational burden, condition (42) can be simplified to check whether or not 0 is included in a box enclosing the zonotope 0 / ∈< c r (k) b(R r (k)) > (43) where b(R r (k)) = diag(||R r (k)|| 1 ) and || · || 1 is the element by element absolute value operator. Then, the zonotopic interval upper and lower bands used for FD in the FSM in Equation (3) are defined as The overall method scheme of the fault diagnosis system is shown in Figure 4. The observer design problem is solved offline and the observer gains are obtained. For the online observer iterations, a continuous-discrete approach can be used. With this approach the a priori state estimation is obtained by integrating the original non-linear model, for example using the ode45 function from Matlab. Then, the polytopic observer gain is found by interpolation using (28). Residuals are then generated for each of the observers and fed to the signature analysis module.

In Silico Benchmarks
To test the robustness and precision of the monitoring system, two in silico benchmarks have been developed. Each of the benchmarks were designed to check the proper behavior of the system and its ability to detect different patient-in-the-loop modes and faults. All simulations have been executed with Matlab R2019a using an AMD Ryzen 3800× 3.9 GHz processor with 32 GB of RAM.
The FDA accepted UVa/Padova T1D Simulator (v3.2) [49] was used to evaluate the strategy. All of the benchmarks share some scenario settings, which include a virtual cohort of 10 adult patients. Scenarios last 4 days and 3 mixed meals of 60, 80, and 70 grams are included each day at 8:00, 13:00, and 21:00, respectively. Intra-subject variability in insulin absorption was included by assuming a ±30% in parameters (k d , k a1 , k a2 ), and variability in insulin sensitivity was modeled by a sinusoidal pattern in parameters (V mx , k p3 ) [50]. The first scenario is designed to evaluate performance when only meal disturbances appear. The second scenario includes one session of aerobic exercise of heavy intensity (60% VO 2max ) during the second scenario day at 18:00 for a total duration of 50 min. Exercise was included into the simulation by using a previous developed model, which was fit to clinical data, that increases insulin sensitivity [32,51].

Patient Mode Detection
Scenarios 1 and 2 were used to perform four complete simulations, which consider different patient-in-the-loop faults. The simulations have the following characteristics: (1) scenario 1 without faults, (2) scenario 2 without faults, (3) scenario 1 with patient misestimated meals, and (4) scenario 2 with misestimated meals and missed rescue CHO. In total, 480 meals were consumed and 20 exercise sessions were performed across all simulations. Faults were introduced in a total of 160 meals, with over-and underestimations of ±60%, and feed-forward rescue CHO were also simulated with patient-in-the-loop faults in 10 occasions.
Meals were correctly detected in 461 occasions out of the total 480 meals across all simulations, resulting in a high sensitivity of 96.0%. Transitions towards the meal mode q 1 were triggered by the announcements and validated by the meal residual observer, resulting in a detection time from the start of the event of 13 min, while the average time in meal and postprandial period was 158 min. All exercise sessions were correctly detected without false positives/negatives. The effect of exercise is known to last during the following hours after an exercise session, this is also reflected in the time the system remained on mode q 2 of 328 min. Rest periods were considered as the periods in-between meals, without periods where exercise happened, or during night. No detection time for these periods is provided since there is no possible definition of when these events started, average time in this period was 328 min.
Transitions to faulty modes only happened in simulations 3 and 4. Faults in the consumption of rescue CHO, leading to transitions towards mode q 4 , were recorded from simulation 4. A total of 10 missed rescue CHO consumption events were considered at the instant of exercise announcement at 17:40 of simulation day 2. The HA correctly detected 8 of these faulty events and was also able to transition afterwards to the q 2 mode. Two of the faulty events were not detected and the HA automaton directly transitioned to the altered insulin sensitivity mode q 2 , indicating a exercise. Misestimated meals were correctly detected in 73 occasions with a sensitivity of 45.6%. No transitions to state q 5 happened. Table 3 shows the detection performance of the proposed approach for the aggregated four simulations. Figures 5-9 showcase a simulation portion (from 39 to 55 simulation hours) for the adult patient 10. Exercise starts at time instant 42 h and feed-forward CHO are suggested at 39 h and 40 min. In this, case the patient does not consume the recommended amount of CHO and the system transitions to a faulty CHO state. Notice, that the system does not know if the patient has consumed or not the suggested rescue CHO. Afterwards, the system transitions to the exercise state and remains in that state for the following hours. This is an expected behavior of the system due to the modified insulin sensitivity that last several hours after the end of exercise. Then, at time instant 45 h the patient consumes a meal but the HA state remains at exercise. That is a normal behavior due to the intertwined disturbance effects on the residuals.

Example of Controller Reconfiguration
This section provides insights regarding the benefits of using the proposed HA model for the detection of patient-in-the-loop faults and controller reconfiguration. Particularly, we focus on the case of announced exercise. When people using an AP announce exercise, the feed-forward control can be applied in advance to mitigate the risk of exercise induced hypoglycemia. The AP used in this work has an embedded feed-forward controller for exercise [32]. This block may degrade performance if triggered by an exercise announcement from the patient, but no physical activity is performed afterwards. To test the benefits of controller reconfiguration, we use scenario 1, which does not include exercise, and assume exercise at 16:00 during the second simulation day.    The actions triggered by the feed-forward block are: (1) suggestion of feed-forward CHO, (2) basal insulin reduction, (3) reduction of the next insulin bolus, and (4) decrease of the insulin controller aggressivity (lower controller gains for the next 6 h after the ending of the exercise session). Controller reconfiguration happens if there is a mode detection change to mode q 5 in a timely manner and the CGM is higher than 150 mg/dL. We assume exercise is announced 20 min prior to the start [32] and we let the system monitor the patient until 20 min after the supposed start of exercise. If the H A k is in a normal operational mode and there is no mode change detection to q 2 or a mode transition to q 5 happens in that period of time, then the controller resumes its original tuning and assumes that the patient is not exercising even though there was an announcement. 40 42   Table 4 shows the glycemic results when comparing the strategies with (AP+HA column) and without (AP column) controller reconfiguration when faults in exercise announcement happen. Figures 10 and 11 show the CGM trajectories and insulin infusions for each case. The patient announces exercise at time instant 39 h and 40 min (day 2, 15:40). The patient is supposed to start exercising at 40 h (day 2, 16:00) and have dinner at 45 h (day 2, 21:00). Results show that reconfiguration allows for early insulin infusion to start the following meal with lower BG and allows for better and tighter BG control during the postprandial period following an exercise session.
Controller reconfiguration allowed for a tighter and better BG control during and after the false exercise session and also for the next postprandial period. Overall, time in range 70-180 mg/dL significantly increased from 38.3 (34.3, 47.5)% to 62.0 (58.4, 71.5)% and the mean CGM was also reduced from 211.7 (172.4, 231.9) mg/dL to 154.9 (121.0, 206.3) mg/dL. The risk of hyperglycemia was also minimized as reflected by the time ranges above 180 mg/dL, and no risk of hypoglycemia was observed. Insulin infusion was resumed earlier upon mode detection as shown in Figure 11, allowing lower BG at the start of the second day dinner. Postprandial control was specially improved in the reconfigured controller, mainly due to the restored insulin bolus previously mitigated by the exercise feedforward actions.  The results are median (interquartile range) during the time period between the 40th and 51th simulation hours. * p value < 0.01 (Wilcoxon signed rank test). AP refers to the system without controller reconfiguration and AP+HA refers to the system with controller reconfiguration.

Discussion
The patient-in-the-loop concept is fundamental for any diabetes treatment. Patients play essential roles within the treatment, from being the plant to control to actuate as an operator. This is the case for both OL and CL insulin therapies, and significantly more important in OL strategies where patients have more responsibility. Errors introduced by patients may compromise the performance and stability of treatments and patients may put themselves at risk. To minimize patient-in-the-loop faults, tools that monitor and detect those behaviors are needed. Detection of faults may allow CL controllers to take additional corrective actions to minimize the impact of the fault on the system performance. However, not all patient-in-the-loop faults might be easy to respond to. In any situation, monitoring systems will allow the collection of patient data that could be used to individualize the tuning of controllers or identify when faults are most likely to happen. Additionally, the detection of patient-in-the-loop faults with minimal impact during CL operation can be hard. CL systems are designed to reduce variability of the controlled variable and for disturbance rejection. Therefore, faults that have a small impact on the system and on BG concentration might be counteracted by the CL system itself and not detected as a fault. This is the case of misestimated meals in hybrid AP settings. In the case of OL therapies, this issue should be of less importance, allowing for more accurate detection.
To tackle this issue, we proposed a methodology based on a HA model. Even though the results we obtained were satisfactory and promising, our study suffered from several limitations. The first one is related to the data used to classify patient modes and faults. We used a simulation environment to stress the system and check its robustness and performance in several proof-of-concept examples. Certain limitations exist when trying to replicate real patient-in-the-loop faults in a simulation environment. BG trajectories may significantly vary depending on what the patient is performing, which may fall under normal operation. For example, postprandial periods where the patient is mostly in a sedentary state may differ from periods where the patient engages in slow walks. In any situation, these should not be detected as different patient states since there is no abnormality in the system. Real free-living condition data is still needed to assess the performance and detection capabilities of the proposed approach.
In this approach, we used a bank of interval zonotopic Kalman filters for the purpose of generating residuals. There are limitations to this approach due to the fact of using an approximate model and limited measurements. Particularly, the altered sensitivity observer has been designed to detect decreases in BG caused by aerobic exercise. Other types of exercise may have different effects on insulin sensitivity, requiring additional observers. Other factors such as illness, stress, menstruation cycle, sleep apnea, or some medications can also lead to important physiological changes, including changes in insulin sensitivity [52,53]. Therefore, the system is assumed to be working under normal operation for the detection of aerobic exercise. The major limitation of using a bank of observers is the need to build many different observers for the detection of the multitude of factors encountered in free living conditions. We used a reduced glucoregulatory model to relax the problem of observability of linear systems when only one measurement is available, but many states have to be estimated. Even though we only used the observers as a mean to generate residuals, the information from the observers could also be used to estimate other physiological parameters, such as the rates of glucose absorption.
We used the basic AP configuration, which only includes a CGM and an insulin pump. This was decided because even though there are studies using additional signals (such as using heart rate monitors, energy expenditure information and galvanic skin responses) these additional signals mean that the user (the patient) will have to wear additional sensors. Thus, although this could be of benefit for better detection performance, it also means that there is an increased risk of faults because more devices are used. Ultimately, the CGM and an insulin pump are always required devices for any AP operation. The proposed approach has two goals: (1) provide information for the AP in real time, and (2) provide information for long term decision making. By classifying patient errors, we believe that the system can be fine-tuned to maximize performance and minimize the risk of hypoglycemia due to patient actions. The developed approach could also work with different AP configurations, for example, AP systems with additional control signals such as glucagon [54]. This holds true because the developed approach is model-based, and by adding extra control actions the real model (the patient) retains the same dynamics. However, notice that this may require a re-tuning of the approach since not all possible modes have been considered, for example, faults regarding glucagon. The system performance may be compromised if used with other treatment options such as cadaveric islet or stem-cell derived islet transplantation. This also holds true when using the proposed approach for very specific sub-cohorts of people with T1D. All approaches that may modify the open-loop dynamics of the patient will require a model check for the proposed system to work.
Automated insulin delivery systems are still under research and improvement, with few systems such as the Medtronic 670 G and newer 780 G available on the market [55]. The most common AP uses the so-called subcutaneous route to sense glucose and deliver insulin. Non-physiological routes inevitably create non-physiological delays that are nonexistent in the healthy endogenous beta cells when sensing glucose and secreting insulin [56]. The major limiting factor of the subcutaneous route is related to the absorption of fast or ultra-fast insulin analogues. Most of these insulin formulations start actuating 10-15 min after their injection with a maximum peak of action between 1 and 2 h [57]. One of the consequences of this is the fact that most AP systems are rather conservative in insulin delivery to avoid overdoses of insulin, which may lead to hypoglycemia. As new insulins come to the market with faster profiles, the AP systems should be able to better control blood glucose due to a lowered delay of the control action effect. For example, newer formulations of insulin Aspart such as AT247, IAsp and FIAsp still have an approximate onset of exposure of 5 min [58][59][60]. On the other hand, CGM sensors have gradually improved their accuracy and some models can already be used as non-adjunctive, such as de Dexcom G6 [61]. Delays in blood glucose sensing by CGMs have been acknowledged for a long time [62]. Newer models already reported MARD < 10%, however, delays between plasma insulin and measured CGM glucose concentrations are still in the range of 5-10 min [61]. CGM technology provides close to continuous flux of glucose readings, generally between 1 and 5 min. Although this measurement sampling rate is much slower compared to how fast the healthy endogenous beta cells sense glucose, it is fast enough to control blood glucose since the dynamics of the overall system are much slower.
Current AP systems will certainly improve their performance if the delays associated with the subcutaneous route are reduced [56]. Especially, in situations where fast disturbances affect the system, for example for postprandial control [63]. Recent clinical trial outcomes of AP systems suggest that night periods are better controlled compared to traditional therapies [8], while day periods remain a challenge. This is caused by the absence of disturbances, mainly meals, during nights. Therefore, controlling postprandial periods is still difficult for AP systems even with the newest improved algorithms. Improving the absorption of insulin analogues will most likely allow for better control of postprandial periods than improving the already tested algorithms. The proposed approach should be able to accommodate improvements for newer insulin formulations and CGM systems since it is model-based. Theoretically, these improvements are equivalent to changing the time constants of the insulin and glucose sub-systems change. Then, the proposed approach would require including these new time constants in the models used. Clearly, the model change will have to be validated and the system performance assessed again.
Detection performance should be analyzed in depth before performing controller reconfiguration. While some patient-in-the-loop faults might be easier to detect with high accuracy, others might show higher rate of FP and FN. The results presented in this paper showed that detecting faults in CHO control actions can be accurately performed, while detecting errors in meal estimation is harder. The detection of meal misestimations is especially critical for the case of FP events, where controller reconfiguration could be triggered erroneously. This is something that must be taken into consideration when designing the FTC strategy. Detecting faults of people with type 1 diabetes is a complex task. Unfortunately, to discriminate different faults, the use of different observers is required. Nevertheless, the HA model is not restricted to work with observers. Residuals can be generated in a multitude of ways. In this work we used a bank of observers for the generation of residuals. However, any other methodology for the residual generation can be used and incorporated into the HA model.

Conclusions
A methodology to monitor patient-in-the-loop modes and faults has been presented. The system is built around a HA model that replicate patient's real life operation modes. Transitions between different modes allow for the identification of key operational modes and faults. The diagnoser is responsible for mode recognition by using a group of indicators generated from a set of residuals for every mode. A bank of interval zonotopic Kalman filters was constructed for the residual generation, allowing the system to have confidence bounds on the state estimation and residual generation.
Several proof of concept simulated benchmarks were done using challenging scenarios. The results suggest that mode and patient-in-the-loop faults can be detected in real time. Next, the information resulting from this study could be used as a tool to reconfigure CL controllers, monitor the system continuously and classify patient-in-the-loop behaviors. The exploration of these areas will be part of future research. Moreover, the adaptation of the LPV Hovorka reduced model to represent glycemic dynamics will be investigated.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript: