Discrete-Continuous Stochastic Model of Insulin Pump Functioning for Health IoT System Using Erlang Phase Method Anastasiia Strielkina1[0000-0002-7760-7367], Serhiy Volochiy2 and Vyacheslav Kharchenko1[0000-0001-5352-077X] 1 National Aerospace University n.a. Zhukovsky “Kharkiv Aviation Institute”, Kharkiv, Ukraine 2 Lviv Polytechnic National University, Lviv, Ukraine {a.strielkina, v.kharchenko}@csn.khai.edu, volochiy.s@lp.edu.ua Abstract. The presented paper deals with exponentially growing technology – Internet of Things (IoT) in the field of the healthcare and medicine providing. The goal of the paper is to develop and research a discrete-continuous stochas- tic model (DCSM) of a functional behavior of a networked healthcare device (in this case – an insulin pump) in a form of a structural automaton model (SAM) using the Erlang phase method. It is spoken in the brief details about the networked insulin pump behavior with a description of the functional proce- dures, indicators and parameters of functionality and safety are given. Much at- tention is aimed to the development process of the DCSM using exponential and Erlang’s distribution laws, description of basic events and structure of a state vector, development of the SAM’s. The procedures of validation of the developed models for the exponential and Erlang’s distribution laws are pre- sented and include three research cases to check the relevance of the obtained results. Keywords: Discrete-Continuous Stochastic Model, Erlang Distribution, Func- tional Behavior, Insulin pump, Internet of Things, Structural Automaton Model. 1 Introduction 1.1 Motivation Nowadays, Internet of Things (IoT) is an exponentially growing technology through- out the world. About 50 billion devices will be connected to the Internet and the IoT market will reach about $1.7 trillion by 2020 [1, 2]. IoT systems can be met in any field of humans’ life: sport, education, retail, infrastructure, transport and healthcare. The last one can cause a new scientific revolution within IT and medical fields. Ac- cording to the statistics of the World Healthcare Organization presented in 2016 [3], about 8.5% of the world population had high blood glucose in 2014. The networked insulin pump can be placed in an inconspicuous place under the patient’s clothes, so a patient can carry out and control the injection of insulin with a special console or 2 smartphone. According to FDA [4], insulin pump is the most common medical de- vice, and only in 2017, with more than 1.1 million registered cases of medical device malfunctions, about 127.000 are associated with the functioning of insulin pumps. Safety ensuring of such systems typically involves processes such as defining re- quirements for system components, threat analysis, risk assessment, analysis of types and consequences of failures, identifying complex interactions between components and scenarios of functional behavior of these components. Complete information on the reaction of components of the critical system is very important, as the behavior of such a system as a whole should be predictable. Such systems are characterized by a high number of failures in the execution of procedures due to the dynamism of influ- encing factors, and hardware and software malfunctions through multicomponent and multilevel. Therefore, the behavior of the system should be adaptive to both the changing conditions of operation and the failure of the system. 1.2 Related Works Analysis There are some researches describing healthcare IoT systems, the problems and pos- sibilities of their functioning, issues of ensuring functional safety and cybersecurity, etc., and papers related to r the modeling of functional behavior of any other systems. The paper [5] is aimed to investigate the mechanisms for detecting cyber threats in wireless insulin pumps. Moreover, the authors focused on the description of models of anomalous functional behavior of the pump (basal and bolus overdose). The authors of [6] provided three examples for improving the quality of healthcare IoT systems. One of them is research and ensuring safety at the level of end-use de- vices (sensors). The justification for the using of discrete-continuous stochastic processes for the healthcare IoT systems modeling was presented in [7]. Accordingly, in the IoT infra- structure due to the large number of end-use devices and their characteristics, it is assumed that all flows of events are the simplest, and the process occurring in the IoT system is stochastic with discrete states and continuous time. The set of discrete- continuous stochastic models (DCSM) of model’s behavior of the healthcare IoT infrastructure for assessing the functional safety and cybersecurity was presented in [8]. In terms of this study is an important the cardinality of a set , only if F > 1 (i.e., the healthcare IoT system has several functional states). The authors of [9] presented a DCSM of the guard signaling complexes in the form of a structural automaton model (SAM), that describes functional behavior, for using with the software ASNA [10]. All these papers deal with an exponential distribution law. Actuality of researches related to increasing the degree of sufficiency of models of fault-tolerant systems is determined by State standard of Ukraine [11]. It says that exponential distribution, as a one-parameter function, is a crude model for describing durations of fault-tolerant operation, and it gives serious methodical errors in forecasting values of reliability factors. The approach to solving this problem via Erlang distribution law is described in publications by D. R. Koks, V. L. Smit [12, 13], L. Klejnrok [14] etc. 3 The study of the healthcare functioning systems efficiency in the structure of the Internet of things requires the development of their mathematical models, which take into account the factors listed above. Failure to take account of them can be detri- mental to human life. However, the development of such models is a scientific prob- lem to be solved. 1.3 Objectives, Approach and Structure of the Paper In this paper, the aim is to develop a model of the process of functioning of the insulin pump functioning for health IoT system in order to determine the probability of its effectiveness Рr.e.(t). It should be noted that since the duration of all process proce- dures in the model will be represented by the exponential distribution law, the result- ing value of the efficiency indicator will be limit. And it can be either in an upper or a lower side. Therefore, it is necessary to make a check on which side is the resulting limit value of the efficiency indicator by using the Erlang phase method. The object of research is the insulin pump that operates in the IoT environment. The indicator of the insulin pump using effectiveness is a probability a successful execution of the task (of all necessary procedures occurred in the pump) for the determined time. We differ functionality and reliability related behavior of the device. This paper, first of all, attends to functional behavior considering states when failures are occurred. The remainder of the paper is conducted as follows. The section 2 presents a brief description of the insulin pump structure, a sequence of procedures occurring in the insulin pump and indicators and parameters of functionality. The section 3 presents a development process of the DCSM of real states that includes definition of assump- tions to the model, description of basic events, development of a SAM and its valida- tion. The section 3 presents a modification of the developed model using the Erlang phase method and its validation followed by conclusion remarks and description of future research directions. 2 Analysis of an Insulin Pump Behavior 2.1 A Structure of the Insulin Pump With accordance to [15, 16], Fig. 1 illustrates a generalized structure of the insulin pump that operates in the IoT infrastructure. Respectively, the basic components are: • End-user (patient), which is the "bearer" of the pump. • A healthcare organization to which the data are sent and who decides on further treatment of the patient. • Cloud tools through which communication between the patient and the medical organization occurs. • The insulin pump consisting of a wireless module for communicating with the patient and the medical device, the controller, the drug reservoir, the injection mechanism, the power supply and the interface for communication with the user. 4 Fig. 1. A list of indicators and parameters of functionality of the insulin pump behavior. The data from the blood sugar sensor are sent to the blood sugar analysis and insulin requirement computation what is carried out by integrated technical possibilities and tools of the insulin pump and/or sends to the Cloud servers via the Internet gateway for further processing, storage, and visualization [17]. The user interface is necessary for visualizing the processes that take place in the pump both in text and audio form, and to change the settings. The pump controller is required to program the settings for bolus and basal injections in accordance with the prescriptions of the healthcare au- thority. The delivery mechanism is used to administer insulin to the patient. In turn, the insulin is taken from the reservoir. 2.2 Procedures that Form the Pump’s Behavior On the basis of the analysis of the main functions and the principle of the functioning of the insulin pump, a list of procedures that will serve as the basis for determining the basic events necessary for the development of the SAM is formulated: Procedure 1. POST – after switching on the insulin pump; Procedure 2. Blood analysis test – after successful POST; Procedure 3. Data transfer to healthcare authority – after suc- cessful blood analysis test, i.e., if the test is not obtained, then the data are not trans- mitted; after the procedure of injection; Procedure 4. Administration set checking – after transferring data to the healthcare authority; there is a check whether the main elements are connected to the pump (injection kit, reservoir, tubes, etc.); Procedure 5. Pouring of the pump – after a successful administration set check; Procedure 6. Checking the poured pump – after successful pump pouring; Procedure 7. Drug exist- ence checking – after successful checking the poured pump; Procedure 8. Receiving data from the health authority – after the successful data transferring to the healthcare authority and after successful checking for drugs existence; Procedure 9. Drugs con- formity checking – after drug existence and data receiving checks, if the data were not received than the drugs are compared with the previous doctor’s assignment; Proce- dure 10. Basal dose checking – after successful drug conformity check; Procedure 11. Bolus dose checking – after successful drug conformity and basal dose checks; Pro- 5 cedure 12. Basal dose concentration checking – after successful basal and bolus doses checks; Procedure 13. Bolus dose concentration checking – after successful basal and bolus doses and basal dose volume checks; Procedure 14. Basal dose volume check- ing – after successful basal and bolus doses concentration checks; Procedure 15. Bo- lus dose volume checking – after successful basal and bolus doses concentration and basal dose volume checks; Procedure 16. Basal injection speed checking – after suc- cessful basal and bolus doses volume checks; Procedure 17. Bolus injection speed checking – after successful basal and bolus doses volume and basal speed injection checks; Procedure 18. Settings changing (recovery) – after not successful basal and bolus injection settings checks. Procedure 19. Basal injection – after successful off all injection settings checks; Procedure 20. Bolus injection – during basal injection; Pro- cedure 21. Reservoir checking – during basal and bolus injection; Procedure 22. Switching off the device – after successful completion of all procedures or after a critical refusal due to non-execution of a certain procedure. Each procedure ends either successfully or not. 2.3 Functional Parameters and Indicators of the Pump’s Behavior Procedures During developing of the model of functional behavior of the insulin pump, its com- position and separate components should be described using the corresponding indi- cators and parameters of functionality, namely: the planned number of possible (re- peated) POST’s – 2; probability of successful POST – Psst, blood analysis test – Pao, data transferring – Pdt, administration set availability and operability capacity check- ing – Pce, pouring the pump – Ppp, the poured pump сhecking – Pcp, drug existence checking – Pdc, receiving data from the healthcare authority – Pda, drugs conformity checking – Pcd, basal dose checking – Pbd, bolus dose checking – Pbld, basal dose con- centration checking – Pbc, bolus dose concentration checking – Pblc, basal dose volume checking – Pbv, bolus dose volume checking – Pblv, basal injection speed checking – Pbs, bolus injection speed checking – Pbls, changing of settings (recovery) – Prs, basal injection – Pin, reservoir fullness during injection – Pr.c., bolus injection – Pbl, switch- ing off the device – Psu; average duration of POST – Ts.t., switching off the device – Tp.d., blood analysis test – Tb.a., data transferring to healthcare authority – Td.t., admin- istration set availability and operability capacity checking – Tc.e., сhecking of the poured pump – Tc.p., pouring the pump – Tp.p., drug existence checking – Td.c., receiv- ing data from the healthcare authority – Td.a., drugs conformity checking – Tc.d., basal dose checking – Tb.d., bolus dose checking – Tbl.d., basal dose concentration checking – Tb.c., bolus dose concentration checking – Tbl.c., basal dose volume checking – Tb.v., bolus dose volume checking – Tbl.v., basal injection speed checking – Tb.s., bolus injec- tion speed checking – Tbl.s., changing of settings (recovery) – Tr.c., basal injection – Tin, bolus injection – Tbl, reservoir fullness during injection checking – Trc. Average durations of each procedure are taken from the technical specifications of insulin pump manufacturers. In fact, performing of each procedure in the fault- tolerant systems (in this case, in healthcare systems) is not absolutely successful, the probability of the successful completion of any procedure is P<1. 6 3 Development of Discrete-Continuous Stochastic Model of Real States Development of the discrete-continuous stochastic model (DCSM) is performed in accordance with the methodologies described in [18]. This methodology involves: determining the basic events of the functional behavior of the research object; compil- ing a list of indicators and parameters of functionality (Section 2.3), which should be taken into account in the DCSM; forming a state vector (assigning a component to the state vector in accordance with the requirements for the adequacy degree of the mod- el); developing a reference graph of states; developing of a structural automaton mod- el (SAM), including its verification; validation of DCSM. In more details the process of DCSM development of the insulin pump functional behavior was described in [19]. 3.1 Assumptions to the Model Development During the development of the DCSM several assumptions and the hypothesis were made: • Procedures 1, 2, 5, 7, 9-18, 22 have the fixed durations; however, in the developed model, these procedures are presented as continuous random variables with an ex- ponential distribution law; and the values of these durations are taken as average values of random variables. • Duration of procedures 3, 4, 6, 8, 19-21 are continuous random variables; and the values of these durations are taken as average values of random variables; since the real distribution laws for the durations of these procedures are currently unknown, then during the development of the model adopted the traditional hypothesis of the exponential distribution law. Note that the results of the model’s analysis with such hypotheses have a limit value [20]. • Taken into account that the durations of the procedures have different values - hours, minutes, seconds; therefore, the model assumes that the duration of the pro- cedure 22 (under the condition of critical failure) in a few seconds is equal to 0. • Procedures 19, 20, 21 in reality occur in parallel; the model used assumptions about their consistent execution. Since the average duration of procedures 20 is much less than the average duration of the procedure 19, and the average duration of the procedure 21 is equal to the procedure 19, their values are taken to be 0. • The probability of performing procedure 22 is equal 1. The substantiation of the hypotheses and assumptions clarifies the information on the degree of the developed model adequacy. 3.2 Definition of Basic Events During the SAM development it is necessary to take into account all the procedures and processes that occur during the operation of the insulin pump. Procedures are characterized by events beginning (BP), ending and average duration values. End-of- 7 procedure (EP) events are accepted for basic events (BE). Non-compliance events, as well as procedures with an average duration value of 0, are presented as coincident base events (CBE). For the system under study, a description of the events has been made, in accordance with the list of procedures in Section 2.2, which are: BE1: EP the first POST; CBE2: EP switching off; BE3: EP the second POST; BE4: EP blood analysis test; BE5: EP data transferring to the healthcare authority; BE6: EP admin- istration set checking; BE7: EP the pump pouring; BE8: EP the poured pump check- ing; CBE9: EP switching off; BE10: EP drug existence checking; BE11: EP data from the healthcare authority receiving; BE12: EP drugs conformity checking; CBE13: EP switching off; BE14: EP basal dose checking; CBE15: EP switching off; BE16: EP bolus dose checking; CBE17: EP switching off; BE18: EP basal dose concentration checking; CBE19: EP switching off; BE20: EP bolus dose concentration checking; CBE21: EP switching off; BE22: EP basal dose volume checking; CBE23: EP switch- ing off; BE24: EP bolus dose volume checking; CBE25: EP switching off; BE26: EP basal injection speed checking; CBE27: EP switching off; BE28: EP bolus injection speed checking; CBE29: EP switching off; BE30: EP settings changing (recovery); BE31: EP basal injection; CBE32: EP bolus injection; CBE33: EP reservoir fullness checking during injection; CBE34: EP injection ending; BE35: EP data transferring of injections results to the healthcare authority; BE36: EP switching off. It should be noted that the coincident base events CBE15, CBE17, CBE19, CBE21, CBE23, CBE25, CBE27 and CBE29 occur only when the model does not provide recovery procedures. 3.3 Structural Automaton Model Development The initial data for developing of a reference graph are: basic events (BE), indicators and parameters of functionality, state vector. The technique of its development was described in [18]. The fragment of list of indicators and parameters of functionality of the insulin pump behavior is shown in Fig. 2. Fig. 2. A list of indicators and parameters of functionality of the insulin pump behavior. 8 The initial value state vector of functional behavior model of the insulin pump using is represented in Fig. 3. Formalized representation of the conditions for a successful execution of the task has the following form (V6 = 0). The full description of the state vector values was presented in [19]. Fig. 3. The initial value of the state vector and the condition of successful execution of the task. Formalized representation of the object of investigation in the form of SAM using software ASNA is show in Fig. 4. Fig. 4. The SAM of functional behavior of the insulin pump. After development of SAM it is necessary to verify it to be sure that developed model using software ASNA constructs the graph of states and transitions correctly. In this paper the verification was conducted using testing graph of states and transitions, whose function is performed by the reference graph of states. The DCSM of function- al behavior of insulin pump is presented in the form of the graph of states and transi- tions and has the following parameters: 209 states and 553 transitions for the system without recoveries і 466 states and 872 transitions for the system with recoveries. 9 3.4 Validation of the Developed Model The aim of validation procedure is to check the relevance of a qualitative representa- tion of the change nature in the value of the performance indicator, which has the developer of the model, with the dependencies obtained using the developed DCSM. Two models have been developed: the first model does not take into account the pro- cedure of recovery the device's operability, and in the second one it is taken into ac- count. Task 1 for Validation. It is necessary to check whether the nature of the depend- ency depends on the probability of not performing the task in the interval from zero to the end of its decline. Initial Values. The calculations are performed for the following initial values of indicators: probabilities of successful execution of procedures have next values: Рr.e. = 0.99999; 0.95; 0.9. Expected Results. Dependence begins with the probability of not performing the task is equal to 1. This value should be kept for some time. This time defines the total duration of execution of all procedures, which corresponds to the condition in which the task can be performed. It was taken into account that the duration of all proce- dures is fixed, and the random nature of the process determines the probability of a successful execution of each of the procedures. Since the developed model assumes that the duration of procedures is random variables with exponential distribution law, the average value of which is equal to the duration of the procedure, it is important that the nature of the dependence is close to real. That is, the decline of dependence should begin after reaching the observation time for the total duration of all proce- dures. Obtained Results. The obtained results of models 1 and 2 presented in Fig. 5. The conducted research on tasks 1 and 2 corresponds to curves 1, 3, 5 and 2, 4, 6, respec- tively. The research on task 3 corresponds to curves 1 and 2 for Рr.e. = 0.99999, curves 3 and 4 for Рr.e. = 0.95, curves 5 and 6 for Рr.e. = 0.9. The duration of successful com- pletion of all procedures is 4200 seconds. Dependence of the not execution of the task begins with 500 seconds. Fig. 5. The obtained results for the research case 1. 10 Conclusion on Task 1. The nature of the dependence on the above interval of time does not correspond to the expected. Therefore, it is proposed to improve the DCSM with the aim of replacing the exponential distribution law with the Erlang distribution law. This improvement is realized by modification of the SAM. The method of modi- fication is presented in [21]. The ASNA software solves the system linear homogeneous differential equations, which is presented in the form of probabilities of staying in the states. If, for the ob- tained graph of states and transitions, a system of linear homogeneous differential Kolmogorov-Chapman equations is formed, then the determined value of the efficien- cy indicator is bounded. This is due to the fact that the Kolmogorov-Chapman equa- tions represent the duration of procedures by the exponential distribution law. How- ever, this value may be upper or lower boundary. To answer this question, it is needed to have a model in which all or some of the duration of the procedures will be pre- sented by another distribution law. 4 Development of the Insulin Pump Functional Behavior Model Using the Erlang Phase Method The Section 3 shows the developed insulin pump behavior model, in which the dura- tion of all procedures is represented by an exponential distribution law. This model yields an indicator of efficiency. However, this value may be upper bound or lower boundary. To solve this issue, it is needed to create a model of insulin pump function- al behavior, in which part of the procedures will be presented by the Erlang distribu- tion law. The choice of procedures and their number should be such as to see the difference between the value of the efficiency indicator obtained when using the Erlang distribu- tion law for the duration of a certain part of the procedures model and the value of the efficiency indicator obtained when using in the model of the exponential distribution law for the duration of all procedures. A noticeable difference between the values of efficiency indicators gives the repre- sentation of the duration of the first, second, third and fifth insulin pump procedures according to the Erlang distribution law. The method of using the Erlang distribution law in discrete-continuous stochastic behavior models is described in [21], based on the method of stages [14]. According to this method, it is enough to modify the components of the SAM to develop the model. To do this, it is necessary for each selected procedure to form a chain of ficti- tious states that differ in the number of states and formulas for determining the inten- sity of transitions from state to state. 4.1 Modification of the SAM Using the Erlang Phase Method Each of the selected procedures gives an alternative continuation of the process, when presented in the state graph. For each alternative continuation of the process, a chain of fictitious states is formed, despite the fact that these chains should be exactly the 11 same. If there are two alternatives, then two symbols for the order of the Erlang dis- tribution law - E1 and E2 are introduced to the list of indicators of functionality and parameters. If there are three alternatives, then three symbols E1, E2 and E3 are intro- duced etc. To form each chain, the state vector is introduced with its own component, called "The current value of the fictitious transition to the chain of the first (second, third, etc.) alternative". The initial value for each component is zero. 4.2 Additional Components in the State Vector The number of additional components of the state vector is determined by the number of alternative process extensions that arise at the time the completion of each separate task is completed. Duration of each separate task should be submitted according to the Erlang distribution law of the appropriate order. Because each separate task has alter- nate extensions, two additional components are added to the model in the state vector V11 and V12, which are required to display the current value of the fictitious transi- tion for each chain in the procedure. The initial values are V11=0 and V12=0 that means that the object of research in the model is represented by the real state. The current component value varies from 1 to E, where E is the order of the Erlang distribution law for the procedure, that is, the number of fictitious states in the chain. 4.3 Changes in the SAM Components In accordance with the above procedures, it is necessary to identify the components of the CAM that need to be modified that should be changed. Each procedure corre- sponds to a certain base event and one or more situations in which it occurs. Making changes to the SAM is as follows. The logical expression of each alternative, where a certain BE occurs, is supple- mented by additional three logical expressions that form fictitious states. Logical Expression 1. This expression is needed to identify the current state and initiate the formation of a chain of fictitious states. Modification of this expression is as follows. The components (E> 1) are introduced to recognize that the order of the Erlang distribution law is greater than 1 (the exponential law is not used); for the first and second alternatives, the logical expressions have the following form: (V11 = 0) AND (V12 = 0). The formula for calculating transition intensity (FCTI) is supplemented by the fac- tor E for the invariance of the average value of the duration of the procedure when the order of the Erlang distribution law E [14]. The rules of component modification of state vector (RCMSV) for the first and second alternatives are: V11:=1 and V12:=1 accordingly. Logical Expression 2. This expression is necessary to initiate the formation of the following fictitious states of the chain (except the last). Modification of this expres- sion is as follows. The components (E> 1) are introduced to recognize that the order 12 of the Erlang distribution law is greater than 1 (the exponential law is not used); for the first and second alternatives, the logical expressions have the following form: ((V11>0) AND (V11<(Е-1))) AND (V12=0) і (V11=0) AND ((V12>0) AND (V12<(Е-1))). The FCTI is the same as for the logical expression 1. The RCMSV for the first and second alternatives are: V11:= V11+1 and V12:= V12+1 accordingly. Logical Expression 3. This expression is necessary to initiate the formation of the last states of the chain of fictitious states, that is, the transition to the corresponding real state. Modification of this expression is as follows. The components (E> 1) are introduced to recognize that the order of the Erlang distribution law is greater than 1 (the exponential law is not used); for the first and second alternatives, the logical ex- pressions have the following form: (V11=(Е-1)) AND (V12=0) і (V11=0) AND (V12=(Е-1)). The FCTI is the same as for the logical expressions 1 and 2. The RCMSV for the first and second alternatives are: V11:= 0 and V12:=0 accordingly. A fragment of the results of amending to the SAM is presented in Table 1. Based on the results of the changes, the SAM is introduced into the ASNA soft- ware, which generates a graph of states and transitions. In order to make sure that the modified SAM is built correctly, it should also be verified. The data in Table 2 should be used to validate models before using them. 4.4 Validation of the Changed Model The aim of validation procedure is to check the relevance of a qualitative representa- tion of the change nature in the value of the performance indicator, which has the developer of the model, with the dependencies obtained using the modified DCSM. Two models have been developed: there are assumptions about the exponential distri- bution law in the first model and the Erlang distribution law of the given order in the second model. Task 2 for Validation. It is necessary to determine what is the limiting value of the task non-performing probability for a model with an exponential distribution law - upper or lower. Initial Values. The calculations are performed for the following initial values of indicators and parameters: probabilities of successful execution of all procedures have next values: Рr.e. = 0.95; the orders of the Erlang distribution law E - 1 (exponential law); 2; 5; 10. Expected Results. For the research case 2, the limiting value of the task non- performing probability under the exponential distribution law is lower. Obtained Results. The obtained results in the form of dependencies of the re- search case 2 for the Erlang distribution law of the different orders (in this study, E= 1, 2, 5, 10) are presented in Fig. 6. 13 Table 1. The updated SAM fragment using the Erlang phase method. BE Description of situations where basic events occur FCTI RCMSV BЕ1 (Е=1) AND (V1=0) Psst*(1/Ts.t.) V1:=1 (Е=1) AND (V1=0) (1-Psst)*(1/Ts.t.)| V1:=2; V6:=3 (Е>1) AND (V1=0) AND (V11=0) AND (V12=0) Е*Psst*(1/Ts.t.) V11:=1 (Е>1) AND (V1=0) AND ((V11>0) AND (V11<(Е-1))) AND Е*Psst*(1/Ts.t.) V11:=V11+1 (V12=0) (Е>1) AND (V1=0) AND (V11=(Е-1)) AND (V12=0) Е*Psst*(1/Ts.t.) V1:=1; V11:=0 Е*(1- (Е>1) AND (V1=0) AND (V11=0) AND (V12=0) V12:=1 Psst)*(1/Ts.t.) (Е>1) AND (V1=0) AND (V11=0) AND ((V12>0) AND (V12<(Е- Е*(1- V12:=V12+1 1))) Psst)*(1/Ts.t.) Е*(1- V1:=2; V6:=3; (Е>1) AND (V1=0) AND (V11=0) AND (V12=(Е-1)) Psst)*(1/Ts.t.) V12:=0 BЕ2 (Е=1) AND (V1=2) AND (V6=3) Psst*(1/Ts.t.) V1:=3; V6:=1 (Е=1) AND (V1=2) AND (V6=3) (1-Psst)*(1/Ts.t.) V1:=4; V6:=2 (Е>1) AND (V1=2) AND (V6=3) AND (V11=0) AND (V12=0) Е*Psst*(1/Ts.t.) V11:=1 (Е>1) AND (V1=2) AND (V6=3) AND ((V11>0) AND (V11<(Е- Е*Psst*(1/Ts.t.) V11:=V11+1 1))) AND (V12=0) (Е>1) AND (V1=2) AND (V6=3) AND (V11=(Е-1)) AND V1:=3; V6:=1; Е*Psst*(1/Ts.t.) (V12=0) V11:=0 Е*(1- (Е>1) AND (V1=2) AND (V6=3) AND (V11=0) AND (V12=0) V12:=1 Psst)*(1/Ts.t.) (Е>1) AND (V1=2) AND (V6=3) AND (V11=0) AND ((V12>0) Е*(1- V12:=V12+1 AND (V12<(Е-1))) Psst)*(1/Ts.t.) (Е>1) AND (V1=2) AND (V6=3) AND (V11=0) AND (V12=(Е- Е*(1- V1:=4; V6:=2; 1)) Psst)*(1/Ts.t.) V12:=0 ………………………………………………………………………………………………… BE5 (Е=1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) Pdt*(1/Td.t.) V2:=1 (Е=1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) (1-Pdt)*(1/Td.t.) V2:=2; V9:=2 AND (V9=0) (Е>1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) Е*Pdt*(1/Td.t.) V11:=1 AND (V11=0) AND (V12=0) (Е>1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) Е*Pdt*(1/Td.t.) V11:=V11+1 AND ((V11>0) AND (V11<(Е-1))) AND (V12=0) (Е>1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) Е*Pdt*(1/Td.t.) V2:=1; V11:=0 AND (V11=(Е-1)) AND (V12=0) (Е>1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) Е*(1- V12:=1 AND (V9=0) AND (V11=0) AND (V12=0) Pdt)*(1/Td.t.) (Е>1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) Е*(1- V12:=V12+1 AND (V9=0) AND (V11=0) AND ((V12>0) AND (V12<(Е-1))) Pdt)*(1/Td.t.) (Е>1) AND ((V1=1) OR (V1=3)) AND (V2=0) AND (V3>=1) Е*(1- V2:=2; V9:=2; AND (V9=0) AND (V11=0) AND (V12=(Е-1)) Pdt)*(1/Td.t.) V12:=0 ………………………………………………………………………………………………… Table 2. Dimensions of the model in the form of a state graph and transitions for the different values of the Erlang distribution law. Order of Erlang distribution law, E Number of states Number of transitions 1 466 872 2 498 936 5 562 1064 10 682 1304 14 Fig. 6. The obtained results for the research case 2. Conclusion on Task 2. The obtained results under the research case 2 reflect the expected. Task 3 for Validation. It is necessary to check whether the model shows the typi- cal difference between the dependencies of value of the task non-performing probabil- ity from the observation interval using the exponential distribution law and the Erlang distribution law of the 2nd, 5th and 10th orders for the duration of the procedures. Expected Results. For the research case 3, the higher the order of the law, the later begins to fall the task non-performing probability. Obtained Results. The obtained results of the research case 3 for the Erlang distri- bution law of the different orders are presented in Fig. 7. Р(t) Е =5 Е =10 Е =1 Е =2 t, s Fig. 7. The obtained results for the research case 3. 15 Conclusion on Task 3. The analysis of the obtained results shows that the difference between the values of the task non-performing probability at a given interval of ob- servation, determined using the Erlang law and the exponential distribution law, in- creases with the increase of the order of the Erlang's law. In the conducted research cases, the direction of the dependence of the task non-performing probability to the limit value with the increase of the order of the distribution law of Erlang is seen. This is useful for the results accuracy, because in reality the duration of the procedures is fixed. 5 Conclusions and Future Work The discrete-continuous stochastic model of the functional behavior of the insulin pump in a form of the structural automaton model using the Erlang phase method was developed. The development process of the DCSM that includes definition of as- sumptions to the model, description of basic events and structure of a state vector, development of a SAM are presented. The validation procedure of the developed DCSM model with the exponential distribution law has been conducted. The results of this valida- tion did not met expectations, so the DCSM was updated using the Erlang phase method. The results show the limit value of the task non-performing probability. The obtained stationary values can be used for further safety modeling. Next steps of research will be dedicated to refine and decompose some of the pro- cedures occurring in the insulin pump. Besides, it would be interesting and important to research generalized model of system behavior considering different reasons of failures including ones caused by attacks on the device and IoT system as a whole [8,17]. References 1. Lund, D., MacGillivray, C.,Turner, V., Morales, M.: Worldwide and Regional Internet of Things (IoT) 2014–2020 Forecast: A Virtuous Circle of Proven Value and Demand, In: IDC, Framingham, (2014). 2. Understanding the Internet of Things (IoT). London: GSM Association, p. 14 (2014). 3. World Healthcare Organization, Global report on diabetes (2016). 4. Manufacturer and User Facility Device Experience Database - (MAUDE), www.fda.gov/ MedicalDevic- es/DeviceRegulationandGuidance/PostmarketRequirements/ReportingAdverseEvents /ucm127891.htm, last accessed 2019/03/15. 5. Hei, X., Du, X., Lin, S., Lee, I., Sokolsky, O.: Patient Infusion Pattern based Access Con- trol Schemes for Wireless Insulin Pump System, In: IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 11, pp. 3108-3121 (2015). DOI: 10.1109/tpds.2014.2370045. 6. Laplante, P., Kassab, M., Laplante, N., Voas, J.: Building Caring Healthcare Systems in the Internet of Things, In: IEEE Systems Journal, vol. 12, no. 3, pp. 3030-3037 (2018). DOI: 10.1109/jsyst.2017.2662602. 7. Strielkina, A., Uzun, D., Kharchenko, V.: Modelling of healthcare IoT using the queueing theory, In:2017 9th IEEE International Conference on Intelligent Data Acquisition and 16 Advanced Computing Systems: Technology and Applications (IDAACS) (2017). DOI: 10.1109/idaacs.2017.8095207. 8. Strielkina, A., Kharchenko, V., Uzun, D.: Availability models for healthcare IoT systems: Classification and research considering attacks on vulnerabilities, In: 2018 IEEE 9th Inter- national Conference on Dependable Systems, Services and Technologies (DESSERT), (2018). DOI: 10.1109/dessert.2018.8409099. 9. Volochiy, B., Zmysnyi, M., Ozirkovskyy, L., Onyschchenko, V., Salnyk, Y.: Improvement of fidelity of moving objects classification in guard signaling complexes with seismic sen- sors, In: Informatyka Automatyka Pomiary w Gospodarce i Ochronie Środowiska, vol. 8, no. 4, pp. 36-39 (2018). DOI: 10.5604/01.3001.0012.8025. 10. Volochiy, B., Mandziy. B., Ozirkovskyi, M.: Extending the Features of Software for Reli- ability Analysis of Fault-tolerant Systems, In: Computational problems of electrical engi- neering, vol. 2, no. 2, pp. 113-121 (2012). 11. State Standard of Ukraine 2862 – 94, Methods for calculating reliability factors, Kyiv, 17 p. (1994) (in Ukrainian). 12. Koks, D.R., Smit, V.L.: Queueing Theory. Moscow, Mir Publ., (1966) (in Russian). 13. Koks, D.R., Smit, V.L.: Renewal Theory, Moscow, Soviet Radio Publ., (1967) (in Rus- sian). 14. Klejnrok, L.: Queueing Systems. Vol. I: Theory, Moscow, Mashinostroenie Publ., (1979). (in Russian). 15. Y. Zhang, Y., Jones, P., Jetley, R.: A Hazard Analysis for a Generic Insulin Infusion Pump, In: Journal of Diabetes Science and Technology, vol. 4, no. 2, pp. 263-283 (2010). DOI: 10.1177/193229681000400207. 16. Chen, Y., Lawford, M., Wang, H., Wassyng, A.: Insulin Pump Software Certification, In: Foundations of Health Information Engineering and Systems, pp. 87-106 (2014). 17. Strielkina, A., Kharchenko, V., Uzun, D.: Availability Models of the Healthcare Internet of Things System Taking into Account Countermeasures Selection", In: Information and Communication Technologies in Education, Research, and Industrial Applications, pp. 220-242, (2019). DOI: 10.1007/978-3-030-13929-2_11. 18. Fedasyuk, D., Volochiy, S.: Method of developing the structural-automaton models of fault-tolerant systems, In: 2017 14th International Conference The Experience of Design- ing and Application of CAD Systems in Microelectronics (CADSM) (2017). DOI: 10.1109/cadsm.2017.7916076. 19. Strielkina, A., Volochiy, B.m Kharchenko, V.: Model of Functional Behavior of Healthcare Internet of Things Device, In: 2019 IEEE 10th International Conference on Dependable Systems, Services and Technologies (DESSERT) (2019). (in publish) 20. Martin, J.: Systems analysis for data transmission. Flatiron Pub. (1972). 21. Volochiy, S., Fedasyuk, D., Chopey, R.: Formalized development of the state transition graphs using the Erlang phase method, In: 2017 9th IEEE International Conference on In- telligent Data Acquisition and Advanced Computing Systems: Technology and Applica- tions (IDAACS) (2017). DOI: 10.1109/IDAACS.2017.8095255.