System and method for recovering from transient faults in an implantable medical device

US 7,483,744 B2
Filed: 05/05/2005
Issued: 01/27/2009
Est. Priority Date: 05/05/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A fault recovery system for an implantable medical device, comprising:

a primary controller for controlling the operation of the device;

fault monitoring circuitry;

a reset controller for managing a reset process after detection of a fault by the fault monitoring circuitry;

wherein, upon detection of a fault, the reset controller is configured to signal the primary controller to halt operation and to activate a fail-safe subsystem for delivering therapy;

wherein the reset controller is further configured to signal the primary controller to validate its operation with a self-test and to deactivate the fail-safe subsystem if the primary controller is validated; and

a system-reset monitor for detecting system resets caused by non-recoverable and persistent faults, wherein a reset count maintained by the system-reset monitor is incremented when an internal reset generated by the fault monitoring circuitry occurs and intermittently decremented.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is disclosed for system fault recovery by an implantable medical device which employs a global fault response. The system enables the device to consistently recover from transient faults while maintaining a history of the reason for the device fault. Upon detection of a fault, the primary controller of the device signals a reset controller which then issues a reset command. All sub-systems of the primary device controller are then reset together rather than resetting individual sub-systems independently to ensure deterministic behavior.

46 Citations

View as Search Results

18 Claims

1. A fault recovery system for an implantable medical device, comprising:
- a primary controller for controlling the operation of the device;
  
  fault monitoring circuitry;
  
  a reset controller for managing a reset process after detection of a fault by the fault monitoring circuitry;
  
  wherein, upon detection of a fault, the reset controller is configured to signal the primary controller to halt operation and to activate a fail-safe subsystem for delivering therapy;
  
  wherein the reset controller is further configured to signal the primary controller to validate its operation with a self-test and to deactivate the fail-safe subsystem if the primary controller is validated; and
  
  a system-reset monitor for detecting system resets caused by non-recoverable and persistent faults, wherein a reset count maintained by the system-reset monitor is incremented when an internal reset generated by the fault monitoring circuitry occurs and intermittently decremented.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1 wherein the fault monitoring circuitry includes a watchdog timer.
  - 3. The system of claim 1 wherein the fault monitoring circuitry includes a clock deviation monitor.
  - 4. The system of claim 1 wherein the fault monitoring circuitry includes circuitry for detecting memory errors.
  - 5. The system of claim 1 wherein, upon detection of a fault, the reset controller is configured to signal the primary controller to initiate logging of possible causes of the fault.
  - 6. The system of claim 5 wherein an input signifying a fault event is provided to reset controller when a fault is detected by either the primary controller or the fault monitoring circuit.
  - 7. The system of claim 1 wherein, upon detection of a fault, a pending reset signal is raised by the reset controller to initiate logging of the cause of the pending reset by the primary controller.
  - 8. The system of claim 1 wherein the reset count is decremented by one count after expiration of a specified time period until the reset count is zero.
  - 9. The system of claim 1 wherein a non-recoverable or persistent fault is detected when a specified number of internal resets occur within the specified time period such that the system-reset monitor inhibits further attempts to restart the primary system and allows the fail-safe backup system to maintain therapy indefinitely without interruption.
  - 10. The system of claim 1 wherein the system-reset monitor logs recent resets in a FIFO buffer and further wherein as the reset count is decremented, the oldest logged event is deleted, and external resets clear the entire buffer.
  - 11. The system of claim 1 wherein the system-reset monitor is disabled once it has tripped to prevent subsequent internal resets from overwriting data and is re-enabled with an external reset.

12. A fault recovery system for an implantable medical device, comprising:
- a primary controller for controlling the operation of the device;
  
  fault monitoring circuitry;
  
  a reset controller for managing a reset process after detection of a fault by the fault monitoring circuitry;
  
  wherein, upon detection of a fault, the reset controller is configured to signal the primary controller to halt operation and to activate a fail-safe subsystem for delivering therapy;
  
  wherein the reset controller is further configured to signal the primary controller to validate its operation with a self-test and to deactivate the fail-safe subsystem if the primary controller is validated; and
  
  ,a thread monitor for monitoring program behavior in the primary controller by detecting extended thread execution time and thread sequence anomalies, wherein a thread is defined as one of several paths of execution inside a single process or context.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12 wherein each thread is allocated an identifier ID and a time limit in processor cycles at compile time, which information is used to configure the thread monitor at the beginning of the thread execution.
  - 14. The system of claim 13 wherein a thread start signal which includes the thread'"'"'s ID and time limit is stored in the thread monitor when a thread is started by the system software.
  - 15. The system of claim 14 wherein the thread monitor is notified that execution of the thread has completed when it receives a thread stop signal which also includes the thread'"'"'s ID.
  - 16. The system of claim 15 wherein a reset request signal is raised if the thread stop signal is not received before the time limit expires or if the start and stop ID'"'"'s are mismatched.
  - 17. The system of claim 15 wherein the thread monitor returns the most recent start ID, stop ID, time limit, and remaining time in response to a status signal received from the system software in order to provide a context to allow thread interruption.
  - 18. The system of claim 14 wherein a reset request signal is raised if the start and stop ID'"'"'s are mismatched.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cardiac Pacemakers Incorporated (Boston Scientific Corporation)
Original Assignee
Cardiac Pacemakers Incorporated (Boston Scientific Corporation)
Inventors
Hoyme, Kenneth P., Linder, William J., Elliott, Lynn S., Doshi, Hiten J., Stubbs, Scott, Sowder, Conrad L.
Primary Examiner(s)
SCHAETZLE, KENNEDY

Application Number

US11/123,246
Publication Number

US 20060253163A1
Time in Patent Office

1,363 Days
Field of Search

607/27
US Class Current

607/27
CPC Class Codes

A61N 1/3706 Pacemaker parameters stimul...

System and method for recovering from transient faults in an implantable medical device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for recovering from transient faults in an implantable medical device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links