Ventricular fibrillation and atrial fibrillation are common and dangerous medical conditions that cause the electrical activity of the human heart to become unsynchronized. Loss of synchronization may impair the natural ability of the heart to contract and pump blood throughout the body. Medical personnel treat fibrillation by using a defibrillator system to apply a relatively large electrical charge to the heart via defibrillator electrodes. If successful, the charge overcomes the unsynchronized electrical activity and gives the natural pacing function of the heart an opportunity to recapture the heart and reestablish a normal sinus rhythm.
Some defibrillator systems incorporate a number of functional modules. These modules may include, for example, a therapy module that controls the defibrillator electrodes, a user interface module that receives input and presents output to medical personnel, and a patient parameters module that obtains information from the patient. Each module typically incorporates an embedded microprocessor that executes software for controlling the operation of the module.
Abnormal operation of the embedded microprocessor or software that controls a module can be hazardous to the patient. For example, a malfunction in the user interface module may cause the defibrillator to deliver electrical shocks to the patient when no therapy was requested by an operator. Inappropriately delivered shocks can be painful or harmful to the patient.
To reduce the risk of abnormal processor or software operation, some defibrillators incorporate a conventional watchdog timer that resets the processor in a module if the processor functions abnormally. The watchdog timer requires a handshake from the processor at a prescribed time to validate proper operation of the processor. The processor contains a watchdog timer process manager that verifies that the expected processes have performed normally by examining whether the processes have properly “checked in” during a particular time interval and, if so, outputs a handshake signal to the watchdog timer. If the watchdog timer does not detect the handshake signal within the prescribed time, the watchdog timer places the processor in a reset state to reinitialize the processor to a known safe state and inhibits the therapy module from inadvertently delivering an electrical shock to the patient via the defibrillator electrodes.
The watchdog timer is typically implemented as an over-limit watchdog timer that resets the processor after a maximum prescribed time has elapsed without a handshake from the watchdog timer process manager. While this approach improves the reliability of the defibrillator, some safety guidelines require an additional degree of hazard mitigation. For example, the Technischer Überwachungsverein (TÜV) (Technical Inspection Association) safety guidelines require the use of a windowed watchdog timer (WWDT) that resets the processor not only after a maximum elapsed time without a handshake, but also after receiving a handshake before a minimum elapsed time.
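The difference between the two timer types can be seen in a small simulation, added here as an illustration and not taken from the original text: firmware stuck in a fast loop that keeps sending handshakes satisfies an over-limit timer but trips a windowed one. The tick limits, the three-process mask and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed values: the page gives no tick counts or process list. */
#define WD_MIN_TICKS 80u      /* handshake earlier than this is a fault */
#define WD_MAX_TICKS 120u     /* no handshake by this point is a fault  */
#define EXPECTED_MASK 0x7u    /* three hypothetical processes, bits 0-2 */

typedef enum { WD_OK, WD_RESET_EARLY, WD_RESET_LATE } wd_result_t;

typedef struct {
    bool windowed;            /* false: over-limit only, true: WWDT */
    uint32_t last_handshake;  /* tick of the last handshake */
    bool therapy_inhibited;   /* set when the timer forces a reset */
} watchdog_t;

/* Timer side, evaluated every tick: trips when the maximum time passes. */
static wd_result_t wd_tick(watchdog_t *w, uint32_t now) {
    if (now - w->last_handshake <= WD_MAX_TICKS) return WD_OK;
    w->therapy_inhibited = true;
    return WD_RESET_LATE;
}

/* Timer side, on a handshake: a windowed timer also rejects early ones. */
static wd_result_t wd_handshake(watchdog_t *w, uint32_t now) {
    uint32_t elapsed = now - w->last_handshake;  /* wrap-safe unsigned math */
    w->last_handshake = now;
    if (!w->windowed || elapsed >= WD_MIN_TICKS) return WD_OK;
    w->therapy_inhibited = true;
    return WD_RESET_EARLY;
}

/* Processor side: the process manager sends a handshake every `period`
 * ticks, but only if every expected process checked in (`checked_in`).
 * Returns the first fault within `ticks`, or WD_OK if none occurs. */
wd_result_t simulate(bool windowed, uint32_t period, uint32_t checked_in,
                     uint32_t ticks) {
    watchdog_t w = { windowed, 0, false };
    for (uint32_t now = 1; now <= ticks; now++) {
        wd_result_t r = wd_tick(&w, now);
        if (r == WD_OK && now % period == 0 &&
            (checked_in & EXPECTED_MASK) == EXPECTED_MASK)
            r = wd_handshake(&w, now);
        if (r != WD_OK) return r;
    }
    return WD_OK;
}
```

With a handshake every 10 ticks the over-limit timer never fires, while the windowed timer resets on the first early handshake; a process that fails to check in suppresses the handshake and both timers reset at the maximum limit.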