🤖 AI Summary
Problem: Trustworthy automated insulin delivery for artificial pancreas systems must simultaneously ensure model replaceability, physiological adaptability, and robustness against adversarial attacks.
Method: GlucOS introduces the first closed-loop glucose regulation framework integrating formal verification (TLA+), human-in-the-loop defense, and real-human deployment. It employs a safety-driven architecture, real-time physiological modeling, and an open-source embedded software stack to guarantee algorithmic safety, actuator (insulin pump) safety, and end-to-end verifiability. Crucially, it pioneers full-cycle formal methods—from design and implementation to clinical deployment—enabling plug-and-play integration of arbitrary prediction models (including ML-based ones) while mitigating risks from malicious models, vulnerable pump drivers, and acute physiological disturbances.
Results: In a clinical trial with seven human subjects, GlucOS achieved zero severe hypoglycemic events. Both simulation and in vivo results significantly outperformed baseline systems, establishing the first artificial pancreas that is provably safe, formally verifiable, and clinically deployable.
📝 Abstract
We present GlucOS, a novel system for trustworthy automated insulin delivery. Fundamentally, this paper is about a system we designed, implemented, and deployed on real humans and the lessons learned from our experiences. GlucOS combines algorithmic security, driver security, and end-to-end verification to protect against malicious ML models, vulnerable pump drivers, and drastic changes in human physiology. We use formal methods to prove correctness of critical components and incorporate humans as part of our defensive strategy. Our evaluation includes both a real-world deployment with seven individuals and results from simulation to show that our techniques generalize. Our results show that GlucOS maintains safety and improves glucose control even under attack conditions. This work demonstrates the potential for secure, personalized, automated healthcare systems. Our source code is open source.