A. Field of the Invention
This invention relates generally to the field of dialysis and machines for performing dialysis therapy. More particularly, the invention relates to a computer control system for a dialysis machine and a method of operation thereof in which a plurality of processors are provided which form a tightly coupled, symmetric multi-processing computing platform for the dialysis machine.
B. Related Art
Dialysis is a treatment for persons suffering from inadequate kidney function. A dialysis machine is an artificial kidney machine that treats the blood of a dialysis patient. Dialysis machines typically incorporate an extracorporeal blood circuit having a semipermeable dialyzer membrane. During dialysis therapy, blood from the patient is circulated through the extracorporeal circuit to the dialyzer membrane, where toxins and excess water are transported through the dialyzer membrane into a dialysate solution. The treated blood is then returned to the patient.
Dialysis machines also typically include a dialysate preparation system. This system prepares a dialysate solution by mixing concentrated chemicals (typically a mixture of sodium bicarbonate, an acid solution, and additional minerals and salts) with reverse-osmosis filtered water.
Current implementations of dialysis equipment have specific safety criteria that are required by regulatory agencies. One of these criteria is single-fault tolerance. Single-fault tolerance requires that no single point of failure of the instrumentation shall expose the patient to a hazardous condition. Historically, dialysis equipment has satisfied this criterion, in part, by designing in redundant components where indicated by risk management methodologies (e.g., hazard analysis). The redundancy of components includes aspects of the computer or processor-based control system for the machine. Specifically, all dialysis machine implementations to date have incorporated a computer control system based on redundant processors which execute control and safety instructions in the form of computer code. Accordingly, redundant processors permit a remaining processor to continue operation of the dialysis machine if one of the redundant processors fails.
The failure of a processor or computer, for example, may be characterized as a Byzantine failure. The term “Byzantine” in the present document refers to a failure whose symptoms cannot be characterized. Stated differently, processor behavior during a Byzantine failure can be arbitrary and therefore potentially unsafe to the patient. As a result, two independent redundant processors may reduce the risk exposure to Byzantine failures when compared to a single processor implementation since the remaining processor may detect the malfunction and take control of the dialysis machine.
Error detection in a redundant processor architecture may therefore be provided by allowing the properly running processor to become a master and the faulty processor to become a slave. An example of a redundant processor computer control system for a dialysis machine is described in the patent of Rodney S. Kenley et al., U.S. Pat. No. 5,788,851, assigned to the assignee of the present invention, which is incorporated by reference herein. Two redundant processors, however, significantly increase an instrument's cost and complexity over a single processor design, which would be the design of choice but for the safety and redundancy requirements explained above. These increased costs include a redundant CPU board, a more complex backplane, additional software development, increased maintenance, and increased costs for servicing the machine. Furthermore, redundant processors may require separate dedicated CPU buses for each processor. As a result, a failure such as a bus lock-up condition is more likely on a system with two buses than on a system with one bus, because a failure may occur on either bus. On the other hand, a failure on one processor may not affect the other processor if the buses are truly independent.
To reduce or eliminate the costs associated with a redundant processor controller, it is highly desirable to use a single processor design. A single processor design must, however, satisfy the same safety criterion as mentioned above, namely single-fault tolerance. Because a single processor alone has a single point of failure, i.e., the processor itself, another means must be used to detect Byzantine failures in the processor and provide for safe operation of the instrument regardless of a failure of the processor or the processor's board. A patent issued to Rosa et al., U.S. Pat. No. 5,618,441 (the '441 patent), the contents of which are incorporated by reference, proposes a single microprocessor design for a dialysis machine. It is not known, however, whether a machine made in accordance with the '441 patent would meet the stringent redundancy requirements of European and domestic regulatory agencies, e.g., the Food and Drug Administration. Other prior references relating to control systems include U.S. Pat. No. 4,370,983 issued to Lichtenstein, U.S. Pat. No. 5,326,476 issued to Grogan et al., and U.S. Pat. No. 5,472,614 issued to Rossi.