Title:
SAFETY MEDICAL SYSTEM
Document Type and Number:
WIPO Patent Application WO/2023/118945
Kind Code:
A1
Abstract:
The present document discloses several embodiments configured to secure a medical system.

Inventors:
VECTEN DIDIER (CH)
RENAUDOT NICOLAS (CH)
TARDIVON MATTHIEU (CH)
BUDZINSKI JOÃO (CH)
Application Number:
PCT/IB2021/062304
Publication Date:
June 29, 2023
Filing Date:
December 24, 2021
Assignee:
DEBIOTECH SA (CH)
International Classes:
A61M1/28; A61M1/16
Domestic Patent References:
WO2010027437A2 2010-03-11
WO2019204195A1 2019-10-24
WO2016094860A2 2016-06-16
WO2008069897A2 2008-06-12
Foreign References:
US5551850A 1996-09-03
US20030220598A1 2003-11-27
US20200046990A1 2020-02-13
Attorney, Agent or Firm:
WEIHS, Bruno (CH)
Claims:
CLAIMS

1. A medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway including a patient line, a fill line having a dialysate bag, and a drain line having a drain bag,

• A first group of occluding devices and a second group of occluding devices each including at least two occluding devices configured to occlude the fluidic pathway,

• A first processor operatively coupled to the first group of occluding devices, and

• A second processor operatively coupled to the second group of occluding devices, and

• A pump configured to move the fluid through the fluidic pathway;

Wherein the first group of occluding devices and the second group of occluding devices are arranged to be able to close the fluidic pathway between the dialysate bag and the patient and to be able to close the fluidic pathway between the drain bag and the patient in such a manner that if one of said two processors is failed or fails, the other processor is able to control the occluding devices in order to occlude the fluidic pathway between the patient and the drain bag and between the patient and the dialysate bag.

2. System according to the claim 1, wherein the pump is configured to move the fluid from the fill line to the patient line and from the patient line to the drain line.

3. System according to any preceding claim, wherein a first of the at least two occluding devices of the first group is arranged on the fill line.

4. System according to any preceding claim, wherein a first of the at least two occluding devices of the second group is arranged on the drain line.

5. System according to any preceding claim, wherein the pump is a peristaltic pump.

6. System according to any preceding claim, wherein the pump includes a rotary motor and wherein the fluidic pathway and the pump are arranged to allow the fluid to be moved from the fill line to the patient line and from the patient line to the drain line by a unidirectional rotation of the pump rotary motor.

7. System according to any preceding claim, wherein the pump includes an inlet port connected to the fill line and to the patient line.

8. System according to any preceding claim, wherein the pump includes an outlet port connected to the drain line and to the patient line.

9. System according to the claims 7 and 8, wherein the patient line includes a fluidic connection to the inlet port and to the outlet port and wherein the inlet port and the outlet port are distinct from each other.

10. System according to the claim 9, wherein the patient line connected to the inlet port includes a second of the at least two occluding devices of the second group.

11. System according to the claim 9, wherein the patient line connected to the outlet port includes a second of the at least two occluding devices of the first group.

12. System according to the claim 9, wherein the fill line is only connected to inlet port.

13. System according to the claim 9, wherein the drain line is only connected to outlet port.

14. System according to any preceding claim, wherein at least one of the occluding devices includes an actuator connected to its dedicated processor.

15. System according to claim 14, wherein the actuator of first group is supplied by a power supply which is different from the power supply of the actuator of second group.

16. A medical system for carrying out a treatment to a patient including:

• A first processor configured to run a third-party operating system (OS) and a medical software;

• A second processor separated from the first processor;

• A watchdog module separated from the first and the second processors and configured to be able to detect a failure of the medical system;

Wherein the second processor is configured to generate a triggering window and to send the triggering window to the first processor and to the watchdog module;

Wherein the first processor is configured to generate and to send a signal to the watchdog module depending on the triggering window;

Wherein the watchdog module is configured to output a failure signal based on the signal and the triggering window.

17. System according to the claim 16, wherein the third-party OS is not a real time operating system.

18. System according to any preceding claim 16 to 17, wherein the third-party operating system comprises Software of unknown provenance.

19. System according to any preceding claim 16 to 18, wherein the third-party OS is configured to support the medical software.

20. System according to any preceding claim 16 to 19, wherein the first processor is configured to run a protective software of the medical system.

21. System according to any preceding claim 16 to 20, wherein the watchdog module includes a logical operation circuit configured to output the failure signal based on a logical operation result of the signal and the triggering window.

22. System according to any preceding claim 16 to 21, wherein the first processor is configured to synchronize the signal with the triggering window in order to send the signal during a time period defined by the triggering window.

23. System according to any preceding claim 16 to 22, wherein the watchdog verifies that the signal only toggles during a time period of the triggering window.

24. System according to any preceding claim 16 to 23, wherein the watchdog is configured to verify that the signal changes state substantially between the rising edge and the falling edge of triggering windows.

25. System according to any preceding claim 16 to 24 further including a third processor separated from the first and the second processors and from the watchdog module configured to be able to interrupt an unsafe state or to enter in a safe state.

26. System according to claim 25, wherein the second processor is configured to send the triggering window to the third processor.

27. System according to the claim 26, wherein the third processor checks the triggering window according to a predetermined triggering window.

28. System according to any preceding claim 16 to 27, wherein the system is configured to interrupt the treatment in case of unsafe state.

29. System according to any preceding claim 16 to 28, wherein the third-party operating system is configured to control a GUI device.

30. System according to any preceding claim 16 to 29, wherein the second processor is configured to control a heating system or a valve actuator or a pumping device.

Description:
Safety medical system

FIELD OF INVENTION

The invention relates to a system for safely carrying out a medical treatment, such as, but not limited to, dialysis treatment.

STATE OF THE ART

A medical system must carry out a treatment to a patient in a secure or safe manner. The risk may come from the hardware or the software. The medical system may therefore include a security architecture. Some medical systems comprise safety devices such as monitoring devices or redundant devices in order to ensure the safety of the patient during the treatment. But such safety devices may be expensive and/or difficult to manage.

The present disclosure describes several features that are inexpensive and easy to implement or use.

GENERAL DESCRIPTION OF THE DISCLOSURE

This general description is provided to introduce a selection of disclosures in a simplified form that are further described below in the Detailed Description. This general description is not intended to necessarily identify key features or essential features of the claimed subject matter, nor is it intended as an aid in determining the scope of the claimed subject matter.

The present document discloses a medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway in fluidic communication with the patient body,

• A first group of occluding devices and a second group of occluding devices configured to occlude the fluidic pathway (preferentially at different locations, for example on different fluidic lines),

• A first processor operatively connected to a first group of occluding device actuators in such a manner to open or close at least one of the first group of occluding devices,

• A second processor operatively connected to a second group of occluding device actuators in such a manner to open or close at least one of the second group of occluding devices, and

• A pump configured to move the fluid through the fluidic pathway;

At least one occluding device of the first group and at least one occluding device of the second group of occluding devices may be arranged upstream to the pump and at least one occluding device of the first group and at least one occluding device of the second group of occluding devices may be arranged downstream to the pump.

The present document also discloses a medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway in fluidic communication with the patient body,

• A first group of occluding devices and a second group of occluding devices configured to occlude the fluidic pathway (preferentially at different locations, for example on different fluidic lines),

• A first processor operatively coupled to the first group of occluding devices,

• A second processor operatively coupled to the second group of occluding devices, and

• A pump configured to move the fluid through the fluidic pathway;

At least one occluding device of the first group and at least one occluding device of the second group may be arranged upstream to the pump and at least one occluding device of the first group and at least one occluding device of the second group may be arranged downstream to the pump.

The present document also discloses a medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway in fluidic communication with the patient body including a first and a second bag,

• A first group of occluding devices and a second group of occluding devices configured to occlude the fluidic pathway (preferentially at different locations, for example on different fluidic lines),

• A first processor operatively coupled to the first group of occluding devices, and

• A second processor operatively coupled to the second group of occluding devices,

The first group of occluding devices and the second group of occluding devices may be arranged in such a manner to be able to close the fluidic pathway between the first bag and the patient and to be able to close the fluidic pathway between the second bag and the patient.

The present document also discloses a medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway in fluidic communication with the patient body including a first and a second bag,

• A first group of occluding devices and a second group of occluding devices configured to occlude the fluidic pathway (preferentially at different locations, for example on different fluidic lines),

• A first processor operatively coupled to the first group of occluding devices,

• A second processor operatively coupled to the second group of occluding devices, and

• A pump configured to move the fluid through the fluidic pathway;

The first group of occluding devices and the second group of occluding devices may be arranged in such a manner to be able to close the fluidic pathway between the first bag and the patient and to be able to close the fluidic pathway between the second bag and the patient.

The present document also discloses a medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway including a patient line, a fill line, and a drain line,

• A first group of occluding devices and a second group of occluding devices configured to occlude the fluidic pathway (preferentially at different locations, for example on different fluidic lines),

• A first processor operatively coupled to the first group of occluding devices, and

• A second processor operatively coupled to the second group of occluding devices, and

• A pump configured to move the fluid through the fluidic pathway;

The first group of occluding devices and the second group of occluding devices may be arranged in such a manner to be able to close the fluidic pathway between the fill line and the patient line and to be able to close the fluidic pathway between the drain line and the patient line.

The present document also discloses a medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway including a patient line, a fill line, and a drain line;

• A first group of occluding devices and a second group of occluding devices configured to occlude the fluidic pathway (preferentially at different locations, for example on different fluidic lines);

• A first processor operatively coupled to the first group of occluding devices; and

• A second processor operatively coupled to the second group of occluding devices, and

• A pump configured to move the fluid through the fluidic pathway;

The first group of occluding devices may comprise at least two occluding devices arranged to be able to respectively occlude the patient line from the fill line and from the drain line; and wherein the second group of occluding devices may comprise at least two occluding devices arranged to be able to respectively occlude the patient line from the fill line and from the drain line.

The present document also discloses a medical system for moving a fluid to and/or from a patient comprising:

• A fluidic pathway including a patient line, a fill line having a dialysate bag, and a drain line having a drain bag,

• A first group of occluding devices and a second group of occluding devices each including at least two occluding devices configured to occlude the fluidic pathway (preferentially at different locations, for example on different fluidic lines),

• A first processor operatively coupled to the first group of occluding devices, and

• A second processor operatively coupled to the second group of occluding devices, and

• A pump configured to move the fluid through the fluidic pathway;

The first group of occluding devices and the second group of occluding devices may be arranged to be able to close the fluidic pathway between the dialysate bag and the patient and to be able to close the fluidic pathway between the drain bag and the patient in such a manner that if one of said two processors is failed, the other processor may be able to control the occluding devices in order to occlude the fluidic pathway between the patient and drain bag and between the patient and the dialysate bag.

All previous aspects of the disclosure may comprise the following optional feature.

According to various embodiments, the medical system may be a dialysis system, for example a peritoneal dialysis system. The medical system may further comprise a fill line which may have a dialysate solution bag, a drain line which may have a drain bag, and a patient line which may be connected to the patient body, for example to the peritoneal cavity of the patient or other part of the patient body. A first of the at least two occluding devices of the first group may be arranged on the fill line. A first of the at least two occluding devices of the second group may be arranged on the drain line.

According to various embodiments, the pump may be configured to move the fluid from the fill line to the patient line and from the patient line to the drain line. The pump may be a peristaltic pump. The pump may include a rotary motor and the fluidic pathway and the pump may be arranged to allow the fluid to be moved from the fill line to the patient line and/or from the patient line to the drain line by a unidirectional rotation of the pump rotary motor. The pump may include an inlet port connected to the fill line and to the patient line. The pump may include a single inlet port connected to the fill line and to the patient line. The pump may include an outlet port connected to the drain line and to the patient line. The pump may include a single outlet port connected to the drain line and to the patient line. The patient line may include a fluidic connection to the inlet port and to the outlet port. The inlet port and the outlet port may be distinct from each other. The patient line or the part of the patient line connected to (or in fluidic connection with) the inlet port may include a second of the at least two occluding devices of the second group. The patient line or the part of the patient line connected to (or in fluidic connection with) the outlet port may include a second of the at least two occluding devices of the first group. The fill line may be only connected to inlet port. The drain line may be only connected to outlet port.

According to various embodiments, at least one of the occluding devices may include an actuator connected to its dedicated processor. The actuator of first group may be supplied by a power supply which is different from the power supply of the actuator of second group.

The advantages of this system are that:

• Even if one of the two processors fails, the other processor may be able to control the (its) occlusion device(s) in order to keep the patient in safe state.

• The patient can be put in security by two distinct processors.

• The patient can be made safe in two distinct ways.

• Each occlusion device opens or closes its own fluid line and/or each occlusion device is controlled by a single processor, so that redundant devices are not required while ensuring patient safety.

The present document also discloses a watchdog system for a medical system comprising:

• A main control unit of the medical system including an operating system and medical application,

• A second control unit of the medical system, and

• An electronic monitoring circuit configured to be able to detect a failure of at least one of the main control unit and the second control unit,

The main control unit, the second control unit and the electronic monitoring circuit may be operatively coupled for example by wire connection.

The second control unit may be configured to define or to generate or to create or to initiate or to launch a time window (also called triggering window) during which the main control unit must send a signal to the electronic monitoring circuit. The second control unit may be configured to send a signal related to the time window to at least one of the main control unit and the electronic monitoring circuit. The signal related to the time window may include a start signal and/or an end signal. The signal may be a toggle up or a toggle down.

The main control unit may be configured to send a signal to the electronic monitoring circuit depending on the signal related to the time window. The signal may be a toggle up or a toggle down. The electronic monitoring circuit may be configured to receive the signal related to the time window of the second control unit and the signal of the main control unit. The electronic monitoring circuit may be configured to receive the signal related to the time window sent by the second control unit and the signal sent by the main control unit. Based on the signals received by the electronic monitoring circuit, the electronic monitoring circuit may be configured to output a failure signal. The signal may be a toggle up or a toggle down.

The main control unit may be configured to send its signal (to the electronic monitoring circuit) during the time window. If the electronic monitoring circuit receives the signal of the main control unit outside the time window, the electronic monitoring circuit may be configured to output a failure signal. If the electronic monitoring circuit doesn’t receive the signal of the main control unit during the time window, the electronic monitoring circuit may be configured to output a failure signal. If the main control unit doesn’t send the signal (to the electronic monitoring circuit) during the time window, the electronic monitoring circuit may be configured to output a failure signal.

The watchdog system for a medical system may further comprise a third control unit operatively coupled to at least one of the main control unit, the second control unit, and the electronic monitoring circuit. The second control unit may be configured to send the signal related to the time window to the third control unit. The third control unit may be configured to receive or to read or to monitor the signal related to the time window sent by the second control unit. The third control unit may be configured to compare the signal related to the time window to a predetermined signal. The third control unit may be configured to output a failure signal based on the signal received, for example only based on the signal related to the time window and the predetermined signal.

The watchdog system may include at least one of:

• a first communication signal line configured to connect between the main control unit and the second control unit;

• A second communication signal line configured to connect between the main control unit and the electronic monitoring circuit;

• A third communication signal line configured to connect between the second control unit and the electronic monitoring circuit;

The second control unit may be configured to send the time window to the main control unit and to the electronic monitoring circuit via the first communication signal line and the third communication signal line, respectively. The first communication signal line and the third communication signal line may be in electronic communication. The main control unit may be configured to send the signal to the electronic monitoring circuit via the second communication signal line.

The operating system may be a third-party operating system which may not be a real-time operating system. The operating system may comprise Software of Unknown Provenance (SOUP), Off-The-Shelf Software (OTS) and/or Commercial Off-The-Shelf Software (COTS). The operating system may be configured to support the medical application. The main control unit may be configured to run a protective software of the medical application.

The main control unit may synchronize the signal with the time window in order to send the signal during a time period defined by the time windows. The synchronization may be performed at each time window received by the main control unit.

According to various embodiments, the electronic monitoring circuit may include a logical operation circuit configured to output the failure signal based on a logical operation result of the signal of the main control unit and the time window. The electronic monitoring circuit may be configured to verify or to check that the signal (of the main control unit) only toggles during a time period of (or corresponding to) the time window. The electronic monitoring circuit may be configured to verify or to check that the signal (of the main control unit) changes state substantially between the rising edge and the falling edge of triggering windows.

The main control unit, the second control unit, the third control unit and/or the electronic monitoring circuit may be distinct devices and/or may be separated from each other.

According to various embodiments, the system may be configured to interrupt the treatment in case of unsafe state. The unsafe state may be detected by the watchdog system based on the signal of at least one of the electronic monitoring circuit, the main control unit, the second control unit, and the third control unit. The operating system may be configured to control a GUI device. The main, second and/or third control unit may be configured to control a heating system or a valve actuator or a pumping device of the medical system.

The medical system may further comprise a housing in which is arranged at least two of the main control unit, the second control unit, the third control unit, and the electronic monitoring circuit. The main control unit, the second control unit, the third control unit, and the electronic monitoring circuit may all be arranged in the housing.

According to various embodiments, when the electronic monitoring circuit has detected a failure (e.g., based on the signal and the triggering window), the electronic monitoring circuit can be configured to send a master failure signal that puts certain elements of the medical system in a safe state for the patient. For example, the pumping device may be powered down (e.g., via a relay), the heating system may be powered down (e.g., via a relay), and/or the valves in communication with the patient may be set to a closed position (e.g., via a control unit (the first, second or third)).

The present document also discloses a medical system for carrying out a treatment to a patient including:

• A first processor configured to run a third-party operating system (or a boot loader software, or an open source OS, or a commercial OS) and a medical software;

• A second processor separated from the first processor;

• A watchdog module separated from the first and the second processors and configured to be able to interrupt an unsafe state or to enter in safe state (for example put the medical system in a safe state) or to detect a failure (for example of the medical system or one of processors,...);

The second processor may be configured to define or to generate or to create or to initiate or to launch a triggering window and/or to send the triggering window (for example a signal related to a triggering window or time window) to the first processor and to the watchdog module. The first processor may be configured:

- to read or to receive the triggering window signal, and/or

- to generate a signal (for example a feeding signal) for example depending on the triggering window (for example during the triggering window), and/or

- to send the signal to the watchdog module, for example depending on the triggering window (for example during the triggering window), for example to feed the watchdog module within the triggering window.

According to various embodiments, the watchdog module may be configured to output a failure signal based on the signal and the triggering window, for example if the watchdog module is not fed within the triggering window. The watchdog module may be configured to compare the signal and the triggering windows, and/or determine if the signal has been sent on time for example within the triggering window, and/or determine if the first processor has fed the watchdog on time for example within the triggering window.

The medical system may include:

• a first communication signal line configured to connect between the first processor and the second processor;

• A second communication signal line configured to connect between the first processor and the watchdog module;

• A third communication signal line configured to connect between the second processor and the watchdog module;

The second processor may be configured to send the triggering window to the first processor and to the watchdog module via the first communication signal line and the third communication signal line, respectively. The first communication signal line and the third communication signal line may be in electronic communication. The first processor may be configured to send the signal to the watchdog module via the second communication signal line.

According to various embodiments, the third-party OS may not be a real-time operating system. The third-party operating system may comprise Software of Unknown Provenance (SOUP), Off-The-Shelf Software (OTS) and/or Commercial Off-The-Shelf Software (COTS). The third-party OS may be configured to support or run the medical software. The first processor may be configured to run a protective software of the medical system.

The first processor may synchronize the signal with the triggering window in order to send the signal during a time period defined by the triggering windows. The synchronization may be performed at each triggering window received by the first processor.

According to various embodiments, the watchdog module may include a logical operation circuit configured to output the failure signal based on a logical operation result of the signal and the triggering window. The watchdog may be configured to verify or to check that the signal only toggles during a time period of (or corresponding to) the triggering window. The watchdog may be configured to verify or to check that the signal changes state substantially between the rising edge and the falling edge of triggering windows.

According to various embodiments, the medical system may further include a third processor separated from the first and the second processors and from the watchdog module configured to be able to interrupt an unsafe state. The second processor may be configured to send the triggering window to the third processor and/or the third processor is configured to read or to receive the triggering window. The third processor may monitor or check the triggering window (for example its form or its features) according to a predetermined triggering window (for example its form or its features).

The system may be configured to interrupt the treatment in case of unsafe state. The third-party operating system may be configured to control a GUI device. The first, second and/or third processor may be configured to control a heating system or a valve actuator or a pumping device of the medical system.

The medical system may further comprise a housing in which is arranged at least two of the first processor, the second processor, the third processor and the watchdog module. The first processor, the second processor, the third processor, and the watchdog module may be all arranged in the housing.

According to various embodiments, when the watchdog module has detected a failure (e.g., based on the signal and the triggering window), the watchdog module can be configured to send a master failure signal that puts certain elements of the medical system in a safe state for the patient. For example, the pumping device may be powered down (e.g., via a relay or transistor, ...), the heating system may be powered down (e.g., via a relay or transistor, ...), and/or the valves in communication with the patient may be set to a closed position (e.g., via a processor (the first, second or third)).
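An added illustration, not part of the application text: a C model of the windowed check described above, stepping sampled levels of the triggering window (second processor) and the feed signal (first processor) and latching a failure when the feed toggles outside a window or a window closes unfed. The tick-sampled traces, the `wd_*` and `window_shape_ok` names, the rule of at least one toggle per window, and the pulse-width/period reading of the third processor's comparison against a predetermined window are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only: names, tick sampling and traces are assumptions. */
enum wd_fault { WD_OK = 0, WD_FEED_OUTSIDE_WINDOW, WD_MISSED_WINDOW };

struct wd_state {
    bool prev_window;    /* last sampled level of the triggering window */
    bool prev_feed;      /* last sampled level of the first processor's signal */
    bool fed;            /* signal toggled inside the current window */
    enum wd_fault fault; /* latched: stands in for the master failure signal */
};

void wd_init(struct wd_state *s, bool window, bool feed)
{
    s->prev_window = window;
    s->prev_feed = feed;
    s->fed = false;
    s->fault = WD_OK;
}

/* Advance the monitor by one sample of both inputs. */
enum wd_fault wd_step(struct wd_state *s, bool window, bool feed)
{
    bool toggled = (feed != s->prev_feed);
    bool rising  = window && !s->prev_window;
    bool falling = !window && s->prev_window;

    if (s->fault == WD_OK) {
        if (rising)
            s->fed = false;                     /* new window: nothing fed yet */
        if (toggled && window)
            s->fed = true;                      /* toggle between the two edges */
        else if (toggled)
            s->fault = WD_FEED_OUTSIDE_WINDOW;  /* early, late or runaway feed */
        else if (falling && !s->fed)
            s->fault = WD_MISSED_WINDOW;        /* window closed without a feed */
    }
    s->prev_window = window;
    s->prev_feed = feed;
    return s->fault;
}

/* Run the monitor over two traces of '0'/'1' characters, one per tick. */
enum wd_fault wd_run(const char *window, const char *feed)
{
    struct wd_state s;
    if (window[0] == '\0' || feed[0] == '\0')
        return WD_OK;
    wd_init(&s, window[0] == '1', feed[0] == '1');
    for (size_t i = 1; window[i] != '\0' && feed[i] != '\0'; i++)
        wd_step(&s, window[i] == '1', feed[i] == '1');
    return s.fault;
}

static bool within(size_t v, size_t expect, size_t tol)
{
    return v + tol >= expect && v <= expect + tol;
}

/* Third-processor style check of the window itself: every complete pulse
 * must match the expected high time and rising-to-rising period. */
bool window_shape_ok(const char *w, size_t high, size_t period, size_t tol)
{
    size_t last_rise = 0, pulses = 0;
    bool seen_rise = false;

    if (w[0] == '\0')
        return false;
    for (size_t i = 1; w[i] != '\0'; i++) {
        bool prev = (w[i - 1] == '1'), cur = (w[i] == '1');
        if (cur && !prev) {                            /* rising edge */
            if (seen_rise && !within(i - last_rise, period, tol))
                return false;
            last_rise = i;
            seen_rise = true;
        } else if (!cur && prev && seen_rise) {        /* falling edge */
            if (!within(i - last_rise, high, tol))
                return false;
            pulses++;
        }
    }
    return pulses > 0;  /* a window that never pulses also fails the check */
}

/* Constructed traces: window high for 4 ticks in every 8. */
static const char WINDOW_OK[]   = "001111000011110000111100";
static const char WINDOW_SLOW[] = "0011111111000000001111111100";
static const char ALL_LOW[]     = "000000000000000000000000";
static const char FEED_ONTIME[] = "000111111110000000011111"; /* one toggle per window */
static const char FEED_EARLY[]  = "000111110000000000000000"; /* toggles between windows */
static const char FEED_HUNG[]   = "000111111111111111111111"; /* stops toggling */

int main(void)
{
    printf("on-time feed : %d\n", wd_run(WINDOW_OK, FEED_ONTIME));
    printf("early feed   : %d\n", wd_run(WINDOW_OK, FEED_EARLY));
    printf("hung feed    : %d\n", wd_run(WINDOW_OK, FEED_HUNG));
    printf("stuck window : %d (shape ok: %d)\n",
           wd_run(ALL_LOW, ALL_LOW), window_shape_ok(ALL_LOW, 4, 8, 1));
    return 0;
}
```

In this model a triggering window that never rises produces no watchdog fault by itself, which is the case the separate check of the window against a predetermined shape catches.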

The present document also discloses an electronic monitoring module including:

• A sequential logic circuit,

• A first processor configured to send a signal to the sequential logic circuit, and

• A second processor configured to send a trigger signal to the sequential logic circuit.

The sequential logic circuit may be configured to be able to interrupt an unsafe state of at least one of the first and second processor and/or to send a failure signal to at least one of the first and second processor.

According to various embodiments, the electronic monitoring module may include at least one of:

• A first group of flip-flop circuits each comprising a first input connected to the second processor and a second input connected to the first processor,

• A second group of flip-flop circuits each comprising a third input connected to the first processor and a fourth input connected to the second processor, and

• An assembly of logic gates.

The first input may be a D input. The second input may be a CP input. The third input may be a D input. The fourth input may be a CP input.

The first group of flip-flop circuits may comprise (for example only) two flip-flop circuits. The Q outputs of both flip-flop circuits may be connected to a logic gate (for example of the assembly of logic gates). The second group of flip-flop circuits may comprise (for example only) two flip-flop circuits. The Q outputs of both flip-flop circuits may be connected to a logic gate (for example of the assembly of logic gates). The assembly of logic gates may include at least one of an AND gate, OR gate, NAND gate, NOR gate, XOR gate, and XNOR gate.

The advantages of this system are that:

- the watchdog may be similar to a windowed watchdog, but it can be used with a non-real time OS.

- the third-party OS (which may be a SOUP) and the medical application may be run by the same processor.

- the triggering window or time window may be adjustable by modifying the signal parameters in the second processor (e.g. the frequency).

- the watchdog may be an electronic circuit that controls a part of the hardware of the system without software.

The watchdog may be used independently of the type of OS (third party OS, SOUP, real time OS, non-real time OS, ...).

LIST OF FIGURES

The present invention will be better understood in the light of the following detailed description which contains non-limiting examples illustrated by the following figures:

Figure 1 illustrates a processor operatively connected to several components.

Figure 2 illustrates several processors operatively connected to components.

Figure 3 illustrates an embodiment of a medical system.

Figures 4a and 4b illustrate another embodiment of a medical system.

Figures 5 and 6 illustrate an embodiment of a medical system.

Figure 7 illustrates an electronic embodiment using a watchdog module.

Figure 8 illustrates a flowchart used by a watchdog module.

Figures 9 and 10 illustrate an electronic monitoring circuit.

Figures 11, 12, 13 and 14 show a first processor signal (304), a second processor signal (300) and a watchdog signal (308).

LIST OF ELEMENTS

1 Patient

2 Medical system

3 Operable linkages

10 First processor

11 Memory device

12 Input device

13 Output device

14 First element or group of elements

15 Second element or group of elements

16 Third element or group of elements

17 Fourth element or group of elements

18 Fifth element or group of elements

20 Second processor

30 Third processor

40 Fourth processor

50 Fifth processor

51 First supply bag

52 Second supply bag

53 Third supply bag

54 Pressure sensor

55 Pumping device

56 Air sensor

57 Upstream line

58 Downstream line

59 Temp. sensor

60 Heating device

61 First occluding device

62 Second occluding device

63 Third occluding device

64 Fourth occluding device

65 Fifth occluding device

66 Sixth occluding device

67 Seventh occluding device

68 Eighth occluding device

69 Drain bag

70 Patient line

71 Processor A

72 Processor B

100 Medical system

101 Disposable part

102 Reusable part / apparatus

104 Bag (Drain bag)

105 Bag (Fresh solution)

106 Cassette

110 Processor

111 Screen (device for example tablet with a touch screen)

112 Other element such as button

113 Sensor

114 Actuator

115 Other elements connected to the processor and operatively and removably coupled to the disposable part

116 Watchdog system

150 Medical system

151 First processor

152 Second processor

153 Third processor

154 Third-party software

155 Medical software

156 Watchdog module

160 Generate or send a signal related to time window

161 Check time window

162 Synchronization

163 Send signal

164 Check the signals

165 Failure signal

200 Watchdog system or medical system

201 First processor or main control unit

201' Signal sent by or of the first processor or main control unit

202 Second processor or second control unit

202' Signal sent by or of the second processor or second control unit

203 Logical operation circuit

204 Output signal

210 First flip-flop circuit or element

211 First input or D-input

212 Second input or CP-input

213 Output

220 Second flip-flop circuit or element

221 First input or D-input

222 Second input or CP-input

223 Output

230 Third flip-flop circuit or element

231 First input or D-input

232 Second input or CP-input

233 Output

240 Fourth flip-flop circuit or element

241 First input or D-input

242 Second input or CP-input

243 Output

250 Fifth flip-flop circuit or element

251 First input or D-input

252 Second input or CP-input

253 Output

260 Logic gate

261 Logic gate

262 Logic gate

263 Logic gate

264 Logic gate

265 First input

266 Second input

300 Second processor signal

301 Triggering window or time window

302 Open the window / rising edge

303 Close the window / falling edge

304 First processor signal

305 Toggle up

306 Toggle down

307 Watchdog signal

308 Master failure signal

DETAILED DESCRIPTION

In the following detailed description, reference is made to the accompanying drawings that form a part hereof, and in which are shown by way of illustration several embodiments of devices, systems and methods. It is to be understood that other embodiments are contemplated and may be made without departing from the scope or spirit of the present disclosure. The following detailed description, therefore, is not to be taken in a limiting sense.

All scientific and technical terms used herein have meanings commonly used in the art unless otherwise specified. The definitions provided herein are to facilitate understanding of certain terms used frequently herein and are not meant to limit the scope of the present disclosure.

As used in this specification and the appended claims, the singular forms "a", "an", and "the" encompass embodiments having plural referents, unless the content clearly dictates otherwise.

As used in this specification and the appended claims, any direction referred to herein, such as "top", "bottom", "left", "right", "upper", "lower", and other directions or orientations are described herein for clarity in reference to the figures and are not intended to be limiting of an actual device or system. Devices and systems described herein may be used in a number of directions and orientations.

As used herein, "have", "having", "include", "including", "comprise", "comprising" or the like are used in their open ended sense, and generally mean "including, but not limited to".

As used herein, "at least one of A, B, and C", "at least one of A, B or C", "selected from the group consisting of A, B, C, and combinations thereof" or the like are used in their open ended sense including "only A, or only B, or only C, or any combination of A, B and C" unless the content clearly dictates otherwise.

As used in this specification and the appended claims, the term "or" is generally employed in its sense including "and/or" unless the content clearly dictates otherwise.

As used herein, the term “microprocessor” or “processor” is a broad term and is used in its ordinary sense, including, without limitation, a computer system or processor designed to perform arithmetic and logic operations using logic circuitry that responds to and processes the basic instructions that drive a computer.

The disclosure relates to all medical systems suitable for performing treatment for a patient. A portion of this document focuses on one dialysis system, but the entire disclosure cannot be limited to that system.

According to various embodiments, as shown by Fig. 1, the medical system (2) may include at least one of a processor (10), a memory device (11), an input device (12), an output device (13). At least one of the memory device, the input device, and the output device may be operatively coupled to the processor, for example by an operable linkage (3). The operable linkage may comprise a conductive trace (for example on a printed circuit), a wire link and/or a wireless link. The processor may be a micro-controller.

The memory device may include various types of computer-readable storage media and/or systems in the form of one or more higher speed memory units, such as read-only memory (ROM), random-access memory (RAM), dynamic RAM (DRAM), Double-Data-Rate DRAM (DDRAM), synchronous DRAM (SDRAM), static RAM (SRAM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, polymer memory such as ferroelectric polymer memory, ovonic memory, phase change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, an array of devices such as Redundant Array of Independent Disks (RAID) drives, solid state memory devices (e.g., USB memory, solid state drives (SSD)) and any other type of storage media suitable for storing information. In addition, the memory device may include various types of computer-readable storage media in the form of one or more lower speed memory units, including an internal (or external) hard disk drive (HDD), a magnetic floppy disk drive (FDD), and an optical disk drive to read from or write to a removable optical disk (e.g., a CD-ROM or DVD), a solid state drive (SSD), and/or the like.

The input device (12) may comprise at least one of a keyboard, a button, a touch screen, and an electronic port (such as a USB port, ...), ... The output device (13) may comprise at least one of a pumping device, an actuator (for example of an occlusion device, or a relay), a display device, a touch screen, a warmer device, and an electronic port (such as a USB port, ...), ...

According to various embodiments, as shown by Fig. 2, the medical system may comprise several processors (two or more), and each element (input, output, and/or memory device) may be operatively coupled to a (e.g. dedicated) processor. For example, a first element or group of elements may be operatively coupled to a first processor via an operable linkage (3), a second element or group of elements may be operatively coupled to a second processor via an operable linkage (3), a third element or group of elements may be operatively coupled to a third processor via an operable linkage (3), a fourth element or group of elements may be operatively coupled to a fourth processor via an operable linkage (3), and a fifth element or group of elements may be operatively coupled to a fifth processor via an operable linkage (3). In order to reduce the cost, the number of processors may be limited; nevertheless, in order to ensure the patient safety, the medical device may comprise a minimum number of processors. At least two processors may be operatively coupled therebetween via an operable linkage (3) in order to send, to share, to receive, to read, or to listen to a signal, and/or to run or to launch a process. For example, the third processor may send a signal which may be read, listened to, or received by the first and the second processor (to simplify the description, the document does not differentiate between the terms "read", "listen" and "receive").

For example, the first processor may be the main processor, which may run at least one of the operating system, the medical application, the protective application. The first processor may control at least one of the display, the button, the touch screen, the second processor may control a heating device, the third processor may control a pumping device, the fourth processor may control a first group of occluding devices, and the fifth processor may control a second group of occluding devices (which may be different from the first group).

According to various embodiments, the medical system may include a process initiated in the event of a failure. This process may be referred to as a "master failure". The master failure may be initiated to ensure patient safety. For example, the master failure may stop the heating device (for example by switching off the heating device), stop the pumping device (for example by switching off pump/motor power), and/or close the occluding device. The master failure may be launched or triggered by at least one of a processor and a watchdog. The master failure may act on relays, for example to power off the pumping device and/or the heating device and/or prompt a processor to run a process.

According to various embodiments, the medical system (2) may include at least one fluid circuit which may be in fluid communication to the patient body.

As shown by Fig. 3, in a simple embodiment, the medical system (2) may include at least one of a pumping device (55), a supply bag (51), a drain bag (69), and a fluidic pathway configured to allow a fluidic communication between the patient body (1) and at least one of the supply bag (51) and the drain bag (69).

The pumping device (55) may comprise a peristaltic pump and may run in forward direction (first direction) or reverse direction (second direction) (which is opposite to the forward direction (first direction)). The fluidic pathway may comprise at least one occluding device (61, 66) configured to open or close a part of the fluidic pathway. The occluding device may comprise at least one of a valve and a clamp. The occluding device may comprise or be operatively coupled to at least one valve actuator. The medical device may further include at least one processor configured to control or to be operatively coupled to at least one of one or more occluding devices and its (e.g. dedicated) actuator. According to various embodiments, the pumping device may be configured to move a first volume of fluid from the supply bag (51) to the patient and a second volume of fluid from the patient (1) to the drain bag (69). But it may be difficult to monitor the first and the second volume moved by the pumping device (55). Indeed, the medical system may favour the flow from the supply bag to the patient over the other or vice versa.

In the case where the embodiment is a peritoneal dialysis system, during a fill stage, the medical system may be configured to run the pump in forward direction to move the dialysate solution initially stored in the supply bag (51) to the patient body (1) and to open the (supply) occluding device (61) and close the (drain) occluding device (66). During a drain stage, the medical system may be configured to run the pump in reverse direction to move the dialysate solution stored in the patient body (1) to the drain bag (69) and to open the (drain) occluding device (66) and close the (supply) occluding device (61). But in this embodiment, a significant volume of spent dialysate solution is stored in the fluidic pathway after a drain stage. And if the dialysis treatment comprises a succession of repeated cycles each comprising successively a fill stage and a drain stage, the patient body will receive a significant volume of spent dialysate solution (which may increase the infection hazard or reduce treatment effectiveness). In addition, as explained above, the actual volume of fluid displaced may be different from the expected volume of fluid displaced. Therefore, it may be preferable to use the pump in only one direction to fill and drain the peritoneal cavity.

According to various embodiments as shown by Fig. 4a, the medical system may include elements similar to those of the embodiment of Fig. 3. Nevertheless, the fluidic pathway may be different. In this embodiment, the pumping device preferentially runs in forward direction (for example in case of peritoneal treatment: during the fill stage and the drain stage). Hence, the medical system may be configured to run the pump in forward direction to move the solution initially stored in the supply bag (51) to the patient body (1) and to open a first and seventh occluding device (61, 67) and close a sixth and fourth occluding device (66, 64). Furthermore, the medical system may be configured to run the pump in forward direction to move the solution stored in the patient body (1) to the drain bag (69) and to open the sixth and fourth occluding device (66, 64) and close the first and seventh occluding device (61, 67).

The fluidic pathway may comprise an upstream line (57) and a downstream line (58). The fluidic pathway may comprise a patient line (70). The upstream line (57) is configured to enable a flow of fluid from a source (Supply bag or patient, ...) to the pumping device (55). The downstream line (58) is configured to enable a flow of fluid from the pumping device (55) to the destination (drain bag or patient, ...). The medical system may further comprise at least one of a pressure sensor (54), air sensor (56) and other sensor. In case of failure detected by a sensor, the medical system may temporarily run the pumping device in reverse direction.

A pressure sensor (54) may measure the fluid pressure located or flowing in the downstream line (57). A pressure sensor (54) may measure the fluid pressure located or flowing in the patient line (70). A pressure sensor (54) may measure the fluid pressure located or flowing in the upstream line (58).

According to various embodiments as shown by Fig. 4b, the medical system may further comprise two distinct processors (71, 72) configured to respectively control and/or monitor a first group of occluding devices and a second group of occluding devices. For example, the processor A (71) may be configured to control the first occluding device (61) and the seventh occluding device (67) while the processor B (72) may be configured to control the fourth occluding device (64) and the sixth occluding device (66). This safety architecture makes it possible to ensure that the lines in fluidic communication with the patient are closed even if one of the two processors fails.

According to various embodiments, the first group of occluding devices (61, 67) may be exclusively controlled by the processor A (71) and the second group of occluding devices (64, 66) may be exclusively controlled by the processor B (72).

Each occluding device may comprise a dedicated actuator exclusively connected to its dedicated processor. Hence, (e.g., during the treatment) each occluding device may be independently opened or closed. For example, the first occluding device may be closed by the processor A and the seventh occluding device (67) may be opened by the processor A and vice versa. And the fourth occluding device may be closed by the processor B and the sixth occluding device (66) may be opened by the processor B and vice versa.

For example, if the processor A fails, the processor B (72) is able to close the fourth occluding device (64) to prevent fluid flow from the supply bag (51) to the patient and to close the sixth occluding device (66) to prevent fluid flow from the drain bag (69) to the patient. If the pumping device (55) includes a peristaltic pump having roller(s) for compressing a flexible tube, the pumping device may be configured to also prevent fluid flow from the supply bag (51) to the patient, when the pump is inactive.

For example, if the processor B fails, the processor A (71) is able to close the first occluding device (61) to prevent fluid flow from the supply bag (51) to the patient and to close the seventh occluding device (67) to prevent fluid flow from the drain bag (69) to the patient. If the pumping device (55) includes a peristaltic pump having a roller for compressing a flexible tube, the pumping device may be configured to also prevent fluid flow from the drain bag (69) to the patient, when the pump is inactive.

According to various embodiments, as shown by Fig. 5, the medical system may include elements similar to those of the embodiment of Fig. 4. In this embodiment, the medical system may include additional supply bags (52, 53). Each supply bag (51, 52, 53) or line may comprise its own / dedicated occluding device (61, 62, 63).

The medical system may include a heating device (60) configured to heat the fluid injected to the patient at a predetermined temperature. The heating device may be controlled by another processor. An air sensor (56) may be arranged upstream from the patient to detect any air bubble which flows with the liquid solution (for example a dialysate solution).

According to various embodiments, the medical system may include at least one of a reusable part and a disposable part. The disposable part may include the elements which must be discarded after a predetermined number of uses, for example, after a single use. The working life of the disposable part may directly depend on the number of treatments. These elements may be the elements which have been wetted by a solution for example a dialysate solution or blood, for example, a part of a fluid circuit. The disposable part may include at least one of a tube, a connector, a port, a cassette, a valve, ... The reusable part may include the expensive elements for example sensor, electronic part, screen, actuator of the valve or of pump, processor, memory, ... The reusable part may be successively used with several disposable parts. The reusable part may comprise components which may be replaced when the components are too worn, become broken or after a predetermined period of time, but much longer than a single treatment. The change of the reusable part may depend on the component wear.

According to various embodiments as shown by Fig. 6, the medical system (100) may include a disposable part (101) and a reusable part (102) (also called apparatus). The disposable part (101) may comprise at least one of a bag (104, 105), a tube and a cassette (106). The reusable part (102) may comprise at least one of one or more processors (110), one or more screens (111), other elements (112) such as one or more buttons, one or more sensors (113), one or more actuators (114) and other elements (115). The elements (110, 111, 112, 113, 114, 115) may be arranged into the housing of the reusable part. The screen (111) may be a touch screen and may be removably coupled to the housing comprising the other elements of the reusable part (102). All or a part of the elements (111, 112, 113, 114, 115) may be connected or operatively coupled to one or more processors in order to control or monitor the treatment. The medical system may further include a watchdog system connected to at least one element (110, 111, 112, 113, 114, 115) of the medical system. The processor (110) may execute computer-executable instructions stored in a memory of the system. Some elements of the reusable part (113, 114, 115) may be adapted and intended to be operatively (and/or removably) coupled to the disposable part (101), for example the cassette (106).

According to various embodiments, the medical system may comprise one or more cassettes which define at least a part of the fluidic circuit. A cassette is preferentially a part of the disposable part. The cassette may include at least one of a rigid frame, one or more ports, a fluid cavity, one or more flexible membranes adapted to cover the fluid cavity. The flexible membrane may comprise a coupling area adapted to be operatively coupled with a valve actuator (or occluding device) and/or a measurement area adapted to be operatively coupled with a sensor of the reusable part of the system. The membrane may comprise a valve portion adapted to close and open the fluidic circuit. A lug/head of the valve actuator of the reusable part of the system may push the valve portion against the rigid part (for example the internal wall of the cavity of the rigid frame) in order to close the fluidic circuit. The membrane (in particular the coupling area) may be formed/molded/structured so as to have a determined shape such as a clip element adapted to be removably coupled to a head of a valve actuator (not shown).

According to various embodiments, the cassette may comprise one or more flexible tube secured in the cassette by a frame. The valve actuator may be a pinch valve actuator comprising a lug configured to pinch the flexible tube through the cassette.

According to various embodiments, the cassette may comprise a part of the pumping device. The pumping device may comprise a peristaltic pump. In this case, the cassette may include a flexible tube in fluid communication with a first fluid pathway and a second fluid pathway of the cassette via dedicated ports. The flexible tube is intended to be pressed by at least two rollers of the pump against a rigid wall for example a part of the rigid frame of the cassette. When the pump is inactive, each roller may occlude the flexible tube as an occluding device. The cassette may further comprise a roller assembly including at least two rollers, a roller support device, a coupling device intended to be operatively coupled with a pump actuator of the reusable part of the system.

According to various embodiments, the roller assembly is movably (by rotation) disposed into a cavity of the rigid frame of the cassette. The roller assembly comprises at least two rollers maintained by at least one support. A shaft, which is a part of the pumping device (pump actuator) of the reusable part, is intended to actuate the roller assembly. In this embodiment, the roller support may comprise a through hole in which the shaft of the pumping device is intended to be inserted when the cassette is loaded in the reusable part. The roller may be driven by friction and/or may comprise a coupling device (coupled with the roller support) such as lug and hole or toothed gear. When the cassette is fully loaded the pump part of the cassette is operatively coupled to the pump actuator of the reusable part. The roller may be movable relative to its support, for example when the shaft of the pump actuator is inserted into the roller support, the external wall of the shaft pushes the roller, urging the roller in direction of the peripheral end of the support.

According to various embodiments, the apparatus (reusable part) may include a housing in which are arranged components for controlling a dialysis treatment. For example: a processor, a valve actuator, a sensor, at least a part of a pumping device.

To ensure the security of the patient, the medical system may include a security architecture. For this purpose, the medical system may include a watchdog module configured to monitor the medical system and detect a failure. The watchdog module (or electronic monitoring circuit) may be arranged inside of the medical system (e.g. inside of the housing). The watchdog module may be configured to monitor the proper operation of a processor running third-party software.

A third-party software may be advantageously added to a medical system to reduce the development cost of the software of the medical system. This third-party software may include at least one of: a third-party operating system.

Off-The-Shelf Software (OTS Software): A generally available software component, used by a medical device manufacturer for which the manufacturer cannot claim complete software life cycle control.

Commercial Off-The-Shelf Software (COTS Software): OTS software that comes from a commercial supplier.

Software of Unknown Provenance (SOUP Software): Software component that is already developed and widely available, and that has not been developed, to be integrated into the medical system (also known as "Off-The-Shelf Software"), or previously developed software for which adequate records of the development process are not available.

The watchdog module may be configured to be able to interrupt an unsafe state or to enter a safe state (for example put the medical system in a safe state) or to detect a failure (for example of the medical system or one of the processors, ...). To this end, the watchdog module may set some elements of the medical system in a safe state for the patient. For example, the watchdog module may: power down (e.g. via a relay) the pumping device, the heater device, the valve device, ... or send a signal to a processor to stop the heating, the pumping or to close the valve, ... or reboot the system, ...

According to various embodiments as shown by Fig. 7, the medical system (150) may include at least one of:

• A first processor (151),

• A second processor (152) separated from the first processor, and

• A watchdog module (155) separated from the first and the second processors.

The first processor (151) may be the main processor. The first processor may run at least one of a third-party software (154) and a medical software (155). The third-party software (154) may comprise a third-party operating system (e.g. Linux), a Software of Unknown Provenance (SOUP), an Off-The-Shelf Software (OTS) and/or a Commercial Off-The-Shelf Software (COTS). The third-party software may be configured to support or run or communicate with the medical software. The first processor may be configured to run a protective software of the medical system. The third-party OS may not be a real time operating system, so a standard windowed watchdog cannot be effective.

The OS may be configured to control at least one of the user interfaces such as screen, touch screen, button, USB port, ... The medical software may be configured to carry out the medical treatment, for example it may control, monitor or communicate with a component of the apparatus (e.g. sensor, actuator, heating element, ...) and/or with another processor or micro-controller which may control, monitor or communicate with component(s) of the apparatus (e.g. sensor, actuator, heating element, ...).

The first processor (151) may be operatively coupled to at least one of the watchdog module (156) and the second processor (152). The medical system may further include a third processor (153) operatively coupled to at least one of the first processor (151), the second processor (152), and the watchdog module (156). For example, the medical system may include:

• A first communication signal line configured to connect between the first processor and the second processor;

• A second communication signal line configured to connect between the first processor and the watchdog module;

• A third communication signal line configured to connect between the second processor and the watchdog module;

According to various embodiments as shown by Fig. 8, the second processor (152) may be configured to generate a triggering window (or time window) and/or to send the triggering window (for example a signal related to a triggering window or time window) (160) to the first processor and to the watchdog module. The first processor may be configured to (162, 163):

• read or receive the triggering window signal, and/or

• generate a signal (for example a feeding signal), for example depending on the triggering window (for example during the triggering window), and/or

• send the signal to the watchdog module, for example depending on the triggering window (for example during the triggering window), for example to feed the watchdog module within the triggering window, and/or

• synchronize its signal with the time window or the signal related to the time window.

The first processor may synchronize the signal with the triggering window in order to send the signal during a time period defined by the triggering window. The synchronization may be performed at each triggering window received by the first processor.

According to various embodiments, the second processor may be configured to send the triggering window to the first processor and to the watchdog module via the first communication signal line and the third communication signal line, respectively. The first processor may be configured to send the signal to the watchdog module via the second communication signal line.

The watchdog module may be configured to check the signal of the first processor (151) and of the second processor (152). The watchdog module may be configured to output a failure signal (165) based on the signal and the triggering window, for example if the watchdog module is not fed within the triggering window. The watchdog module may be configured to compare the signal and the triggering window, and/or determine if the signal has been sent on time, for example within the triggering window, and/or determine if the first processor has fed the watchdog on time, for example within the triggering window. At least one of the first processor (151), the second processor (152), the third processor (153) and the watchdog module (156) may be configured to launch a “master failure” as disclosed above.

When the watchdog module has detected a failure (e.g., based on the signal and the triggering window), the watchdog module can be configured to send a master failure signal that puts certain elements of the medical system in a safe state for the patient. For example, the pumping device may be powered down (e.g., via a relay), the heating system may be powered down (e.g., via a relay), and/or the valves in communication with the patient may be set to a closed position (e.g., via a processor (the first, second or third)).

The watchdog module may include a logical operation circuit configured to output the failure signal based on a logical operation result of the signal and the triggering window. The watchdog may be configured to verify or to check that the signal only toggles during a time period of (or corresponding to) the triggering window. The watchdog may be configured to verify or to check that the signal changes state substantially between the rising edge and the falling edge of the triggering window.

As disclosed above, the medical system may further include a third processor, separated from the first and the second processors and from the watchdog module, configured to be able to interrupt an unsafe state. The second processor may be configured to send the triggering window to the third processor and/or the third processor is configured to read or to receive the triggering window. The third processor may monitor or check the triggering window (for example its form or its features) according to a predetermined triggering window (for example its form or its features).

The first, second and/or third processor may be configured to control a heating system or a valve actuator or a pumping device of the medical system. For example, the third processor may comprise two distinct processors each configured to control a group of occluding devices. The second processor may be configured to control the heating system. The first processor may be configured to control the pumping device and/or to monitor the sensor.

The medical system may further comprise a housing in which are arranged at least two of the first processor, the second processor, the third processor and the watchdog module. The first processor, the second processor, the third processor, and the watchdog module may all be arranged in the housing.

According to various embodiments, the watchdog may include an electronic circuit which may include a logical operation circuit configured to output the failure signal based on a logical operation result of the received signal.

According to various embodiments as shown by FIG. 9, the medical system (200) may comprise a first processor (also called main control unit) (201) and a second processor (also called second control unit) (202) operatively coupled (for example connected) to a logical operation circuit (203) configured to output a signal (204) based on the received signal of the first and second processor. For example, the sequential logic circuit may be configured to be able to interrupt a failure state of at least one of the first and second processor and/or to send a failure signal to at least one of the first and second processor.

According to various embodiments as shown by Fig. 10, the medical system (200) may include a logical operation circuit (203) which may comprise an assembly of flip-flop circuits and an assembly of logic gates. For example, the logical operation circuit may include a first group of flip-flop circuits which may include:

• A first flip-flop circuit (210) having a first input (for example D input) (211) connected to the second processor (202) and a second input (for example a CP input) (212) connected to the first processor (201), and

• A second flip-flop circuit (220) having a first input (for example D input) (221) connected to the second processor (202) and a second input (for example a CP input) (222) connected to the first processor (201).

According to various embodiments, a logic gate (260) is arranged between the first processor (201) and the second input (222) of the second flip-flop circuit (220). The logic gate (260) may be configured to invert the signal sent by the first processor (201). For example, the logic gate (260) may be a NAND gate.

The output (213, 223) of the first flip-flop (210) and of the second flip-flop (220) may be each respectively connected to an input of a logic gate (261). For example, the logic gate (261) may be a NAND gate.

The first group of flip-flops and the logic gate (261) may be configured to verify that the signal sent by the first processor (201) only toggles during the time window (or trigger window) sent by the second processor (202). For example, when the signal related to the time window is substantially equal to 1, the first flip-flop circuit verifies the rising edge (of the first processor signal) and the second flip-flop (212) verifies the falling edge (of the first processor signal) (for example thanks to the inverter (260)).

According to various embodiments, the logical operation circuit may further include a second group of flip-flop circuits which may include:

• A third flip-flop circuit (230) having a first input (for example D input) (231) connected to the first processor (201) and a second input (for example a CP input) (232) connected to the second processor (202), and

• A fourth flip-flop circuit (240) having a first input (for example D input) (241) connected to the first processor (201) and a second input (for example a CP input) (242) connected to the second processor (202).

According to various embodiments, a logic gate (262) is arranged between the second processor (202) and the second input (242) of the second flip-flop circuit (240). The logic gate (262) may be configured to invert the signal sent by the second processor (202). For example, the logic gate (262) may be a NAND gate. The output of the third flip-flop (230) and of the fourth flip-flop (240) may be each respectively connected to an input of a logic gate (263). For example, the logic gate (263) may be an XNOR gate.

The second group of flip-flops and the logic gate (263) may be configured to verify that the signal sent by the first processor (201) changes state substantially during the time window (or trigger window) sent by the second processor (202), for example, between the rising edge and the falling edge of the time window. The third flip-flop may be configured to verify that the rising edge of the first processor signal occurs during the time window. The fourth flip-flop may be configured to verify that the falling edge of the first processor signal occurs during the time window.

According to various embodiments, the logical operation circuit may further include a fifth flip-flop circuit (250) having a first input (for example D input) (251) configured to receive a signal from the first or second group of flip-flops and a second input (for example a CP input) (252) connected to the second processor (202). For example, the first input (251) is connected to an output of the logic gate (263). The fifth flip-flop circuit (250) may be intended to eliminate the transient effects between the rising edge of the signal related to the time window and the toggles of the first processor signal.

According to various embodiments, at least one of the first, second, third, fourth and fifth flip-flops may comprise an SR flip-flop, a D flip-flop, a T flip-flop, or a JK flip-flop. For example, at least one of the first, second, third, fourth and fifth flip-flops may be a D flip-flop.

According to various embodiments, the logical operation circuit may further include a logic gate (264) having a first input configured to receive a signal from the first group of flip-flops and a second input configured to receive a signal from the second group of flip-flops or from the fifth flip-flop. For example, the first input may be connected to an output of the logic gate (261) and the second input may be connected to an output of the fifth flip-flop circuit (250). The logic gate (264) may be an OR gate. The logic gate allows providing the output signal (204) which may be a “master failure signal” as disclosed above.

The assembly of logic gates may include at least one of an AND gate, an OR gate, a NAND gate, a NOR gate, an XOR gate, and an XNOR gate.

For example, FIGS. 11, 12, 13 and 14 show chronograms of watchdog operation with the first processor signal (304), the second processor signal (300) and the watchdog signal (308). As long as the first processor signal (304) toggles in the triggering window (301), the master failure is deactivated. If the first processor signal (304) stops at top level (FIGS. 12 and 13) or stops toggling, the master failure signal (308) is enabled. Depending on the electronic monitoring circuit, the master failure signal (308) may be launched after two pulses of the second processor signal (FIG. 13). In this case the launch time (309) of the master failure must be considered. Hence, it has a direct impact on the frequency of the triggering window. The manufacturer or the second processor may determine the frequency of the triggering window depending on the launch time of the master failure. The launch time of the master failure is taken into account to determine the frequency of the triggering window. If the first processor signal (304) toggles out of the triggering window (FIG. 14), the master failure signal (308) is (directly / simultaneously / instantly) enabled.
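The windowed check described for the watchdog and the chronograms of FIGS. 11 to 14 can be expressed as a small behavioural model, added here as an illustration; it is not the circuit of Fig. 10 nor code from the application. The function name, the sampled '0'/'1' trace format, and the choice to raise the failure at the first window that closes without a toggle (rather than after two pulses) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Behavioural model (constructed for illustration, not the Fig. 10 circuit).
 * window: trigger-window trace from the second processor, '1' = window open.
 * feed:   feeding signal from the first processor.
 * Returns the sample index at which the master failure would be raised,
 * or -1 if the feed stayed valid for the whole trace. */
int wdt_first_failure(const char *window, const char *feed)
{
    size_t n = strlen(window);
    int toggled = 0;               /* feed edge seen in the current window */

    if (strlen(feed) != n || n == 0)
        return 0;                  /* malformed input: fail safe at once */

    for (size_t i = 1; i < n; i++) {
        int win_prev = window[i - 1] == '1', win_now = window[i] == '1';
        int edge = feed[i] != feed[i - 1];

        if (win_now && !win_prev)
            toggled = 0;           /* rising edge: a new window opens */
        if (edge && !win_now)
            return (int)i;         /* toggle outside the window (FIG. 14 case) */
        if (edge)
            toggled = 1;
        if (!win_now && win_prev && !toggled)
            return (int)i;         /* window closed without a feed (stuck signal) */
    }
    return -1;
}

int main(void)
{
    const char *win = "0011100111001110";   /* constructed window trace */

    printf("in window : %d\n", wdt_first_failure(win, "0001111100000111"));
    printf("stuck high: %d\n", wdt_first_failure(win, "0001111111111111"));
    printf("off window: %d\n", wdt_first_failure(win, "0001110000000000"));
    return 0;
}
```

A plain timeout watchdog would accept the third trace, since the feed is still toggling; the window comparison is what rejects a feed that is alive but mistimed.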