
Title:
MEDICAL DEVICE
Document Type and Number:
WIPO Patent Application WO/2015/124337
Kind Code:
A1
Abstract:
The invention relates to a medical device for use with a patient, comprising a safety certified controller (21) for controlling components (11-13) of the medical device (1) whose correct operation is relevant with respect to the medical condition of the patient.

Inventors:
DORIS LIONEL (FR)
Application Number:
PCT/EP2015/050705
Publication Date:
August 27, 2015
Filing Date:
January 15, 2015
Assignee:
FRESENIUS VIAL SAS (FR)
International Classes:
G06F19/00; A61M5/168; A61M5/172; G05B9/02
Foreign References:
US 2009/0105636 A1 (2009-04-23)
US 2003/0217747 A1 (2003-11-27)
US 2005/0113942 A1 (2005-05-26)
US 7,527,052 B2 (2009-05-05)
Other References:
DAVID J SMITH, KENNETH GL SIMPSON: "Functional Safety: A straightforward guide to applying IEC 61508 and related standards", 1 January 2004, ELSEVIER, ISBN: 0750662697, XP040425398
WAYNE LYONS: "Enabling Increased Safety with Fault Robustness in Microcontroller Applications", 1 January 2009 (2009-01-01), XP055133880, Retrieved from the Internet [retrieved on 20140808]
ROLAND LIPS: "Safety Certified Real-Time Operating Systems - News - PXA270", 1 September 2009 (2009-09-01), XP055133878, Retrieved from the Internet [retrieved on 20140808]
Attorney, Agent or Firm:
FRESENIUS KABI DEUTSCHLAND GMBH (Bad Homburg, DE)
Claims:

1. Medical device for use with a patient, comprising a safety certified controller (21) for controlling components (11-13) of the medical device (1) whose correct operation is relevant with respect to the medical condition of the patient.

2. Medical device as claimed in claim 1, wherein the safety certified controller (21) is a microcontroller certified according to SIL3 of the IEC 61508 standard.

3. Medical device as claimed in claim 1 or 2, wherein a central processing unit (CPU) of the safety certified controller (21) comprises a dual core in lock-step with CPU fault execution detection.

4. Medical device as claimed in one of the preceding claims, wherein an embedded memory of the safety certified controller (21), in particular SRAM and/or FLASH memory, is protected using error code detection and correction.

5. Medical device as claimed in one of the preceding claims, wherein the safety certified controller (21) comprises a safety real time operating system.

6. Medical device as claimed in one of the preceding claims, wherein the components (11-13) controlled by the safety certified controller are a motion generating device and/or at least one sensor.

7. Medical device as claimed in one of the preceding claims, further comprising an application processor (3) separate from the safety certified controller (21), the application processor (3) comprising software that permits a user to operate the medical device (1) and/or an external device to communicate with the medical device (1).

8. Medical device as claimed in claim 7, wherein the application processor is a single core processor.

9. Medical device as claimed in claim 7 or 8, further comprising a user interface controller (31) for managing a physical interface to the user, the user interface controller (31) being configured to communicate with the application processor (3).

10. Medical device as claimed in one of the preceding claims, further comprising a failure controller (22) for monitoring the safety certified controller (21), wherein the failure controller (22) is configured to restrict the functionality of the medical device (1).

11. Medical device as claimed in claim 10, wherein the failure controller (22) is configured to disable a component of the medical device (1) if the failure controller (22) detects a failure of the safety certified controller (21).

12. Medical device as claimed in claim 10 or 11, further comprising a signaling unit (23) configured to generate an alarm signal if the failure controller (22) detects a failure of the safety certified controller (21).

13. Medical device as claimed in claim 11 or 12 as far as dependent on claim 7, further comprising a watchdog component (34) for transmitting a failure signal to the failure controller (22) in case of a failure during the operation of the application processor (3).

14. Medical device as claimed in one of the preceding claims, wherein the medical device (1) is a medical pump.

15. Medical device as claimed in claim 14 as far as dependent on claim 10, wherein the failure controller (22) is configured to stop a motor of the medical pump if a failure of the safety certified controller (21) is detected.

Description:
Medical device


The invention relates to a medical device, in particular a medical infusion pump, according to claim 1.

Functional safety in medical devices is achieved by means of the architecture of the employed hardware and by specific hardware components. For example, a multiprocessor hardware architecture is commonly used, wherein a primary and a secondary microprocessor communicate with and control one another, as disclosed for example in US 7,527,052. These microprocessors and their surroundings (e.g. memories and interfaces) are standard components that do not include safety mechanisms, so that, for example, a transient error of the microprocessor core or of a memory component can cause calculation errors, a display defect or more severe failures of the medical device such as a software crash, and thus might have a serious impact on a patient who is treated using the medical device.

It is an object of the invention to improve the safety of medical devices. According to the invention, a medical device is provided that comprises a safety certified controller for controlling components of the medical device whose correct operation is relevant with respect to the medical condition of the patient.

In particular, the safety certified controller is a pre-certified safety microcontroller (microprocessor) having e.g. integrated embedded hardware diagnostics for addressing a multitude of functional safety concerns. These controllers in particular use continuously operating hardware-based safety mechanisms for monitoring components of the microcontroller such as the microcontroller's CPU, a flash memory, an SRAM memory, a power supply and/or clocks in order to ensure accurate software execution. The CPU may comprise a dual core lockstep safety mechanism. A compare module may be provided confirming that the outputs of the two CPU cores are identical (e.g. on a cycle-by-cycle basis).

For addressing embedded flash memory and SRAM integrity, the safety certified controller may incorporate error-correcting code (ECC) technology that encodes data in a way that enables detection of corruption and allows correction of single-bit errors, such that the operation of the medical device can continue uninterrupted. Further, built-in self-test (BIST) engines may be incorporated into the safety certified controller to provide robust diagnostic testing of the CPU and the memories of the controller even when the controller is not running code. Integrating functions such as a dual-core lockstep CPU, ECC logic for embedded memories and an automated BIST engine into the controller may greatly reduce the complexity and the development time needed to design and certify safety electronic systems for the medical industry. For example, the medical device comprises safe island hardware for diagnostics of the safety certified controller, the safe island hardware comprising e.g. an enhanced system bus, a vectored interrupt module, a memory, a CPU and/or power, clock, reset and safety modules.
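As an added illustration of the single-error-correcting, double-error-detecting memory protection described above (example code written for this page, not taken from the patent or from any particular microcontroller's ECC logic), the following C program encodes a data byte into a 13-bit SECDED Hamming codeword and then simulates reads after one and two bit flips. The codeword layout and the fault-injection helpers are this example's own assumptions; the point it makes is that a single flip is silently repaired while a double flip is reported so that the value is not used.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of every protected memory read. */
typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status;

/* Assumed codeword layout (bit index = Hamming position): bits 1, 2, 4 and 8 are the
   Hamming parity bits, bit 0 is an overall parity bit that turns single-error correction
   into SECDED, and positions 3,5,6,7,9,10,11,12 carry the data byte, LSB first. */
#define CW_BITS 12

/* Parity of all codeword positions that belong to parity group p (p = 1, 2, 4, 8). */
static int parity_of_group(uint16_t cw, int p) {
    int parity = 0;
    for (int pos = 1; pos <= CW_BITS; pos++)
        if ((pos & p) && ((cw >> pos) & 1u)) parity ^= 1;
    return parity;
}

/* Encode one data byte into a 13-bit SECDED codeword (what the ECC logic would store). */
uint16_t ecc_encode(uint8_t data) {
    uint16_t cw = 0;
    int d = 0;
    for (int pos = 1; pos <= CW_BITS; pos++)          /* data goes to non-power-of-two slots */
        if (pos & (pos - 1)) {
            if ((data >> d) & 1u) cw |= (uint16_t)(1u << pos);
            d++;
        }
    for (int p = 1; p <= 8; p <<= 1)                    /* each parity bit makes its group even */
        if (parity_of_group(cw, p)) cw |= (uint16_t)(1u << p);
    int all = 0;                                        /* overall parity over positions 1..12 */
    for (int pos = 1; pos <= CW_BITS; pos++) all ^= (cw >> pos) & 1u;
    return cw | (uint16_t)all;
}

/* Decode a codeword read back from memory: correct a single flipped bit, flag two
   flipped bits as uncorrectable (the read must not be trusted). */
ecc_status ecc_decode(uint16_t cw, uint8_t *data) {
    int syndrome = 0;                                   /* = position of a single flipped bit */
    for (int p = 1; p <= 8; p <<= 1)
        if (parity_of_group(cw, p)) syndrome |= p;
    int all = 0;                                        /* overall parity over positions 0..12 */
    for (int pos = 0; pos <= CW_BITS; pos++) all ^= (cw >> pos) & 1u;
    ecc_status st = ECC_OK;
    if (all) {                          /* odd overall parity: exactly one bit flipped ...  */
        cw ^= (uint16_t)(1u << syndrome);      /* ... syndrome 0 means the parity bit itself */
        st = ECC_CORRECTED;
    } else if (syndrome) {              /* even parity but non-zero syndrome: two flips     */
        st = ECC_UNCORRECTABLE;
    }
    uint8_t out = 0;
    int d = 0;
    for (int pos = 1; pos <= CW_BITS; pos++)
        if (pos & (pos - 1)) { if ((cw >> pos) & 1u) out |= (uint8_t)(1u << d); d++; }
    *data = out;
    return st;
}

/* Fault injection: status of a read of `data` after the bits in flip_mask were corrupted. */
ecc_status ecc_status_after_fault(uint8_t data, uint16_t flip_mask) {
    uint8_t out;
    return ecc_decode(ecc_encode(data) ^ flip_mask, &out);
}

/* 1 if the same read still delivers the original byte, 0 otherwise. */
int ecc_data_survives(uint8_t data, uint16_t flip_mask) {
    uint8_t out;
    ecc_decode(ecc_encode(data) ^ flip_mask, &out);
    return out == data;
}

int main(void) {
    printf("clean read:       status %d\n", ecc_status_after_fault(0xA5, 0));
    printf("one flipped bit:  status %d, data intact %d\n",
           ecc_status_after_fault(0xA5, 1u << 6), ecc_data_survives(0xA5, 1u << 6));
    printf("two flipped bits: status %d (value must not be used)\n",
           ecc_status_after_fault(0xA5, (1u << 6) | (1u << 9)));
    return 0;
}
```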

According to an embodiment of the invention, the safety certified controller is a (e.g. single chip) microcontroller certified according to SIL3 (safety integrity level 3) of the IEC 61508 standard. SIL3 certified microcontrollers provide e.g. a very low probability of failure. For example, in continuous mode of operation of the medical device (e.g. a medical infusion device), safety integrity level 3 provides a probability of dangerous failure per hour between 10^-8 and 10^-7.

The IEC 61508 standard is specifically concerned with functional safety of devices, wherein this standard is a generic and not a medical specific standard. It applies to electrical and/or electronic and/or programmable electronic technologies irrespective of their application. The IEC 61508 standard is not mandatory for the certification of medical devices. However, the principles of the IEC 61508 standard are implemented in the standard IEC 60601-1, which is a harmonized standard for medical electrical equipment recognized by public health authorities in most countries. The IEC 60601-1 conformity standard consists of collateral standards designated IEC 60601-1-xx. In addition, specific standards denominated IEC 60601-2-xx exist to amend or clarify the basic standards as they relate to various types of electrical equipment used in the treatment of patients (e.g. IEC 60601-2-24 for infusion pumps). The third edition of the IEC 60601-1 standard requires a risk management file and process conforming to ISO 14971, the international standard for Application of Risk Management to Medical Devices.

For the software development processes, the third edition of the IEC 60601-1 standard requires that software must be developed conforming to IEC 62304, the international standard for medical device software lifecycle processes. Because IEC 62304 does not address functional safety, it does not define numerical values for acceptable failure rates. Conformity to IEC 62304 thus does not imply a certain safety integrity level (SIL).

The safety certified controller of the medical device according to the invention may further comprise a safety real time operating system (safety RTOS). The RTOS is a safe system and may be compatible with medical certification (e.g. with US FDA medical certification) and in particular the IEC 60601-1 standard.

According to another embodiment of the invention, some of the components of the safety certified controller are provided in duplicate for redundancy. That is, in addition to a first, main version of these components a second, redundant version is provided (e.g. arranged on the same chip). In particular, the safety certified controller comprises a dual core in lock-step with CPU fault execution detection.

The components of the medical device controlled by the safety certified controller may comprise a motion generating device and/or at least one sensor. The motion generating device, for example, is an electric motor for driving an actuator of the medical device (e.g. a pump finger of a peristaltic pump or a linearly movable component of a syringe pump).

Moreover, the medical device may comprise an application processor (e.g. a single core processor) separate from the safety certified controller, the application processor comprising software that permits a user to operate the medical device and/or an external device (e.g. a multichannel infusion system, in particular a large multichannel infusion system, or an external communication network such as a hospital network) to communicate with the medical device. For example, if the medical device is a medical infusion pump, the application processor may comprise medical infusion application code, i.e. software permitting the user of the medical pump to input commands and monitor parameters of the infusion process. Similar to the safety certified controller, the application processor may run a safety RTOS. Further, in case the medical device is a medical infusion pump, the application processor may be a Medical Infusion Application Controller (MIAC) permitting e.g. the storage of medical protocols and/or the control and/or programming of a drug infusion dose.

The medical device according to the invention may further comprise a user interface controller for managing a physical interface (e.g. a display or a keyboard) to the user, the user interface controller being configured to communicate with the application processor; it may also be operated using a safety RTOS.

Moreover, the medical device according to the invention may comprise a (e.g. state safe) failure controller for monitoring the safety certified controller, wherein the failure controller is configured to restrict the functionality of the medical device. For example, the failure controller is configured to disable a component of the medical device if the failure controller detects a failure of the safety certified controller. In particular, the failure controller might disable one of the components controlled by the safety certified controller.

A signaling unit might be provided interacting with the safety certified controller, the signaling unit being configured for generating an alarm signal if the failure controller detects a failure of the safety certified controller. For example, the signaling unit comprises a failsafe optical and/or acoustic unit for generating the alarm signal. Further, a capacitor (in particular a super capacitor) may be provided for storing electrical energy for supplying the failure controller in case of battery failure.

The safety certified controller together with the failure controller may realize a functional safety controller. This functional safety controller provides enhanced safety, wherein also the combination of the safety certified controller and the failure controller (i.e. not only the safety certified controller) may be configured according to SIL3 of the IEC 61508 standard. The fail safe controller in particular is a hardware, hard coded logic or microcoded device which e.g. does not contain software. Thus, the functional safety controller (and e.g. the medical device as a whole) may provide a probability of dangerous failure per hour between 10^-8 and 10^-7. Further, a watchdog component may be provided for monitoring the operation of the application processor. In case of a severe failure during the operation of the application processor, the application processor (e.g. application software running on the application processor) signals the failure to the watchdog component. The watchdog component, in turn, transmits a signal to the fail safe controller (failure controller) in order to force the medical device to assume a safe state. For example, an output port of the watchdog component is connected to an input port of the fail safe controller via a fail activation bus, wherein the fail bus might also be used by other components (such as the safety certified microcontroller) for signaling fault signals to the fail safe controller.

As already mentioned above, the medical device may be a medical infusion pump, wherein the components controlled by the safety certified controller may comprise a motor and/or a sensor (e.g. for detecting the presence of air in the pumped infusion liquid). For example, the failure controller is configured to stop the motor if a failure of the safety certified controller is detected. For this, the medical device comprises a dedicated motor stop control line (e.g. a special line separate from the other communication lines of the safety certified controller) via which the failure controller communicates a signal causing the motor to stop.

The medical pump may be a homecare infusion pump, an ambulatory and/or body worn pump (including e.g. an insulin pump, a specific neonatal pump, an MRI (magnetic resonance imaging) compliant pump or a hyperbaric chamber compliant pump), a mobile or transportable pump, or a standalone or stationary multichannel and/or stackable infusion pump. The infusion pump may include a peristaltic pump (e.g. using a tubing-set or a cassette-set) for larger pump volumes or a syringe pump for smaller pump volumes. Further, the infusion pump may use different types of infusion such as continuous infusion, intermittent infusion, patient-controlled infusion (e.g. PCA, Patient Controlled Analgesia), enteral nutrition or parenteral nutrition.

The functional safety controller formed by the safety certified controller and the failure controller implements the required safety functions for achieving or maintaining a safe state with respect to the drug infusion, and provides the necessary safety integrity for the required safety function. In case of abnormal behavior, a minor technical failure or a catastrophic failure, the safety architecture provided by the functional safety controller may set the medical pump in a failsafe state, e.g. the infusion is stopped immediately and an audible and/or visible alarm is generated (e.g. even if the main battery is out of service or discharged, using the above mentioned capacitor). It is noted that two points may be relevant regarding the functional safety of operation of medical devices and more particularly of infusion pumps. The first point is covered in the above-mentioned basic safety standard IEC 60601-1 edition 3 concerning single fault compliance: that is, no single cause of failure should cause the pump to silently fail to operate correctly. The pump should at least stop pumping and make at least an audible error indication (fail safe condition).

The second point is covered in IEC 60601-2-24 (which is a specific standard for infusion pumps, as also already mentioned above) concerning essential requirements, which are:

• Flow rate accuracy

• Protection against unintended bolus volumes and occlusion

• Alarm signals of high priority including e.g. an end of infusion alarm, an occlusion alarm and/or an air-in-line alarm

Single fault compliance and functional safety measures must be applied with priority over the essential requirements, wherein e.g. a risk analysis (covered by the ISO 14971 standard) will determine additional measures to be applied to the remaining functions.

In addition, infusion pumps provide additional safety measures used to enhance the functional safety:

• Batteries, so that the pump can operate if the battery power fails or the pump is unplugged,

• A drug library with customizable programmable limits for individual drugs that helps to avoid medication errors,

• Mechanisms to avoid uncontrolled flow of drugs in large volume pumps (e.g. in combination with a free flow clamp) and/or e.g. in syringe pumps (e.g. piston-brake),

• An internal electronic log of the last (e.g. the last several thousand) therapy events (e.g. tagged with the time and date from the pump's clock), wherein erasing the log may be protected by a security code, specifically to detect staff abuse of the pump or patient,

• A restricted operating mode: the infusion pump can be configured to display only a small subset of features during operation, e.g. in order to prevent tampering by patients, untrained staff and visitors.

Embodiments of the invention are discussed hereinafter with reference to the drawing, which shows a block diagram of a medical device according to the invention. More particularly, the Figure shows a block diagram of a medical device in the form of a medical infusion pump 1 (e.g. a peristaltic or a syringe pump). Some of the components of the medical pump 1 are crucial for the operation of the medical pump 1 and thus for the safety of a patient to whom a drug is supplied by means of the medical pump 1. For example, among those crucial components, the medical pump 1 comprises at least one actuator 11 (e.g. a pusher for pushing the syringe shaft in case of a syringe pump) driven by at least one electric motor 12 (i.e. a motion generating device). Further, the pump 1 comprises at least one sensor 13 (e.g. for monitoring the pumping rate or detecting the presence of air in the pumped liquid).

The operation of the motor 12 and of the sensor 13 is controlled via a safety certified controller in the form of a SIL3 certified microcontroller 21 (e.g. running infusion delivery software code), i.e. a microcontroller that realizes the SIL3 safety mechanisms according to the IEC 61508 standard as set forth above. The SIL3 certified microcontroller 21 forms part of a functional safety controller in the form of a functional safety delivery controller unit 2 of the medical pump 1. The functional safety delivery controller unit 2 further comprises a failure controller in the form of a fail safe controller 22. The fail safe controller 22 is in communication with the certified microcontroller 21 and is configured for monitoring the certified microcontroller 21, i.e. the fail safe controller 22 is configured to detect a failure of the certified microcontroller 21 during the operation of the pump 1. The SIL3 certified microcontroller 21 may run a safety real time operating system. In order to improve the functional safety, the fail safe controller in particular is a hardware, hard coded logic or microcoded device which e.g. does not contain software.

The fail safe controller 22 may further be directly connected to the motor 12 via a dedicated control line 121. This direct connection to the motor 12 permits the fail safe controller 22 to interrupt the operation of the motor 12 and thus of the actuator 11 if a failure of the certified microcontroller 21 is detected. Further, the functional safety delivery controller unit 2 may comprise a signaling unit 23 having an optical unit 231 (comprising e.g. a failsafe LED) and an acoustic unit 232 (e.g. comprising a buzzer). In case a failure of the certified microcontroller 21 is detected, the fail safe controller 22 activates the signaling unit 23 in order to generate an optical and/or acoustic alarm signal (using the optical unit 231 and the acoustic unit 232, respectively).

Moreover, the fail safe controller 22 is equipped with an independent safety logic and watchdog technology unit 221. Also, the functional safety delivery controller unit 2 comprises a super capacitor 24 for storing electric energy and supplying it to the fail safe controller 22. Thus, in case of a breakdown of the main power supply to the medical pump 1 combined with a battery failure, its operation may be maintained at least for a certain period of time using the electric energy stored in the capacitor 24. For example, the super capacitor 24 is configured to activate the optical unit 231 and the acoustic unit 232 for at least 120 s even if a main battery of the medical device is not working and an external power supply is not available. Of course, other storage devices such as a rechargeable battery may be used instead of capacitor 24.

The functional safety delivery controller unit 2 together with the actuator 11, the motor 12 and the sensor 13 form a patient safety zone 20 of the medical pump 1.

In addition to the certified microcontroller 21, the medical pump 1 comprises a separate application controller in the form of an application processor 3 arranged outside the patient safety zone 20, i.e. without being monitored by the fail safe controller 22. Communicating with the SIL3 certified microcontroller 21, the application processor 3 provides an interface between the medical pump 1 and a user (e.g. a nurse or a doctor) and/or another device external to the medical pump 1. In particular, the application processor 3 comprises medical infusion application code, e.g. permitting the user of the medical pump 1 to input commands and monitor parameters of the infusion process. Similar to the SIL3 certified microcontroller 21 and the fail safe controller 22, the application processor may run a safety RTOS. In particular, all of the software programs used by components of the medical pump 1 are safe programs that e.g. comply with the IEC 62304 standard.

Moreover, the application processor 3 is connected to a watchdog component 34, wherein the application processor 3 transmits a failure signal to the watchdog component 34 in case of a severe (catastrophic) failure during the execution of an application program. The watchdog component 34, in turn, is connected to a (shared) fail activation line (bus) 25 for signaling a failure during the operation of the application processor 3 to the fail safe controller 22 (by transmitting a failure signal). The fail safe controller 22, upon receipt of the failure signal, will force the medical pump 1 to assume a safe state, e.g. the operation of the motor 12 may be interrupted and/or an acoustic and/or optical signal may be generated as described above. The watchdog component 34 shares the fail activation bus 25 with the SIL3 certified microcontroller 21, which similarly may use the fail activation bus 25 for transmitting a failure signal to the fail safe controller 22 if a severe failure occurs during the operation of the SIL3 certified microcontroller 21. Further, the application processor 3 communicates with a user interface controller in the form of a user-machine interface controller 31 configured for managing a user-machine interface (human-machine interface) such as a display or a keyboard. Also, the application processor 3 communicates with at least one input/output interface 32 for allowing the medical pump 1 to communicate with external devices (e.g. an external communication network such as a hospital network). The input/output interface 32 may be configured for wired and/or wireless communication.

The medical pump 1 further comprises an alarm generating unit 33 (different from the signaling unit 23 of the functional safety delivery controller unit 2) complying with the IEC 60601-1-8 standard for generating an optical and/or acoustic alarm signal if the application processor 3 detects a failure. In case of a failure of the alarm generating unit 33 or of a severe failure, the application processor 3 may notify the fail safe controller 22 (which may then interrupt the operation of the motor 12). The application processor 3, the user-machine interface controller 31, the input/output interface 32 and the alarm generating unit 33 form part of a medical infusion application control unit 30 of the medical pump 1.
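To make the supervision path concrete (fail activation bus 25, dedicated motor stop line 121, signaling unit 23), here is an added C model of the behaviour required of the fail safe controller 22 as described in the embodiment above and in the general description of the failure controller and watchdog earlier on this page; it is example code written for this page, not the patent's logic, and the real controller is hard-coded logic rather than software. The heartbeat supervision window, the fault source names and the two scenario functions are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fault sources seen by the fail safe controller 22 (names are this example's). */
#define FAULT_HEARTBEAT_LOST (1u << 0)   /* microcontroller 21 stopped proving it is alive     */
#define FAULT_BUS_MCU        (1u << 1)   /* 21 signals on the fail activation bus 25           */
#define FAULT_BUS_WATCHDOG   (1u << 2)   /* watchdog 34 relays a failure of processor 3        */
#define FAULT_ALARM_UNIT     (1u << 3)   /* processor 3 reports alarm generating unit 33 failed */

#define HEARTBEAT_TIMEOUT_MS 50u         /* assumed supervision window, not from the patent */

typedef struct {
    uint32_t last_heartbeat_ms;   /* last time 21 was seen alive                */
    uint32_t fault_mask;          /* every fault source latched so far          */
    bool     safe_state;          /* latched: only a reset leaves this state    */
    bool     motor_stop_line;     /* dedicated control line 121 to motor 12     */
    bool     optical_alarm;       /* optical unit 231 of signaling unit 23      */
    bool     acoustic_alarm;      /* acoustic unit 232 of signaling unit 23     */
} fail_safe_ctrl;

void fsc_init(fail_safe_ctrl *c, uint32_t now_ms) {
    *c = (fail_safe_ctrl){ .last_heartbeat_ms = now_ms };
}

/* Stop the infusion and raise the alarm. The state is latched on purpose: a fault
   that comes and goes must not be allowed to restart pumping by itself. */
static void fsc_enter_safe_state(fail_safe_ctrl *c, uint32_t source) {
    c->fault_mask |= source;
    c->safe_state = c->motor_stop_line = true;
    c->optical_alarm = c->acoustic_alarm = true;
}

/* Called each time microcontroller 21 proves it is alive. */
void fsc_heartbeat(fail_safe_ctrl *c, uint32_t now_ms) { c->last_heartbeat_ms = now_ms; }

/* A level on the fail activation bus 25, or the alarm unit failure report. */
void fsc_fault(fail_safe_ctrl *c, uint32_t source) { fsc_enter_safe_state(c, source); }

/* Periodic supervision: silence from 21 beyond the window counts as its failure. */
void fsc_tick(fail_safe_ctrl *c, uint32_t now_ms) {
    if (now_ms - c->last_heartbeat_ms > HEARTBEAT_TIMEOUT_MS)
        fsc_enter_safe_state(c, FAULT_HEARTBEAT_LOST);
}

/* What the motor driver sees: line 121 overrides any run request from 21. */
bool fsc_motor_may_run(const fail_safe_ctrl *c, bool mcu_run_request) {
    return mcu_run_request && !c->motor_stop_line;
}

/* Scenario: 21 is healthy, then application processor 3 crashes and watchdog 34 pulls
   the fail activation bus. Returns 1 if the pump ends up stopped and alarming even
   though 21 keeps running, with only the watchdog fault latched. */
int scenario_app_processor_crash(void) {
    fail_safe_ctrl c;
    fsc_init(&c, 0);
    for (uint32_t t = 10; t <= 40; t += 10) { fsc_heartbeat(&c, t); fsc_tick(&c, t); }
    if (!fsc_motor_may_run(&c, true)) return 0;       /* healthy: motor allowed to run */
    fsc_fault(&c, FAULT_BUS_WATCHDOG);
    fsc_heartbeat(&c, 50); fsc_tick(&c, 50);          /* 21 still alive ...            */
    return !fsc_motor_may_run(&c, true)               /* ... but pumping stays stopped */
        && c.optical_alarm && c.acoustic_alarm && c.fault_mask == FAULT_BUS_WATCHDOG;
}

/* Scenario: 21 goes silent (e.g. its lockstep compare reset it). Returns 1 if 22
   tolerates silence within the window and stops the motor once it is exceeded. */
int scenario_mcu_silent(void) {
    fail_safe_ctrl c;
    fsc_init(&c, 0);
    fsc_heartbeat(&c, 20); fsc_tick(&c, 60);          /* 40 ms silence: still tolerated */
    if (c.safe_state) return 0;
    fsc_tick(&c, 80);                                 /* 60 ms silence: timeout         */
    return c.safe_state && c.motor_stop_line && (c.fault_mask & FAULT_HEARTBEAT_LOST) != 0;
}

int main(void) {
    printf("application processor crash handled: %d\n", scenario_app_processor_crash());
    printf("microcontroller silence handled:     %d\n", scenario_mcu_silent());
    return 0;
}
```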

Moreover, the medical pump 1 comprises a power supply controller 40 via which power of an external main power supply is fed to the medical pump 1 . The power supply controller 40 comprises a rechargeable (main) battery 41 (different from the storage capacitor 24) that stores electrical power that can be supplied to the pump 1 if an external power supply is not available. Power from battery 41 is supplied via a power supply block 42 of the power supply controller 40.

Reference signs

1 medical pump

2 functional safety delivery controller unit

3 application processor

11 actuator

12 motor

13 sensor

21 SIL3 certified microcontroller

22 fail safe controller

23 signaling unit

24 storage capacitor

25 fail activation line

30 medical infusion application control unit

31 user-machine interface controller

32 input/output interface

33 alarm generating unit

34 watchdog component

40 power supply controller

41 battery

42 power supply block

121 dedicated control line

221 independent safety logic and watchdog technology unit

231 optical unit

232 acoustic unit