Fully implantable medical devices (IMDs), such as cardiac rhythm management (CRM) devices, are expected to function reliably and autonomously over an extended time period. CRM devices include pacemakers, which manage bradycardia by delivering pacing stimuli to restore normal sinus rhythm, and implantable cardioverter defibrillators (ICDs), which treat tachycardia through high-energy cardioversion, defibrillation shocks, or anti-tachycardia pacing.
Ensuring continuity of life-sustaining therapy in these devices, such as providing endocardial electrical stimuli in response to sensed cardiac arrhythmias, is critical. IMDs operate in real time on an event-driven basis. Different event types must be processed, including asynchronous sensing tasks and reporting requests, and periodic therapy functions, such as cardiac pacing, that require an IMD to process interrupts on a tightly controlled timeline. Although disruption of asynchronous event processing can be tolerated to some extent, unexpected interruption or cessation of core periodic therapeutic function is unacceptable.
Core IMD operations have increasingly been supplemented with ancillary functions, such as physiometric and environmental monitoring. The wider range of functions, though, challenges robust IMD operation. IMD architectures have been migrating towards a programmable control model that utilizes a microprocessor with memory store, which enables functional expansion through built-in or downloaded programming. In addition, increases in onboard memory have enabled tracking of more data types, while radio frequency (RF) telemetry has increased bandwidth for data exchange and improved reporting frequency.
These changes to IMD functionality have increased the risk of malfunction or failure due to design or programmatic errors and other faults. Conventional IMD design places primary reliance on a uniprocessor operating on a shared pool of memory under programmed control. Multithreaded operation is increasingly available to support periodic and asynchronous operations. Multithreading, however, creates the risk that problems in one execution thread, including system-on-chip (SOC) process faults, firmware design flaws, and runtime errors, such as single-event upsets, cross-thread execution, memory corruption, and process deadlock, could adversely affect other, possibly critical core, functions.
As a result, timely IMD recovery is crucial. One conventional approach employs monitoring programs, known as watchdog timers, often implemented as hardware timing devices. Executing processes must regularly issue a service pulse. The absence of a service pulse implies a fault condition, which will trigger a system reset. In a multithreaded environment, the watchdog timer service interval is set to exceed the longest expected execution thread and thereby avoid false detection of long-running execution threads. An overlong service interval, however, can miss detection of cross-thread execution, instruction missequencing, and similar errors. Conventional solutions fail to resolve this problem.
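The service-interval trade-off described above can be seen in a small simulation, added here as an illustration and not taken from the original text. It assumes run-to-completion threads that share one watchdog, pulsed whenever a thread returns; all tick values, names, and the two fault models are constructed for the example.

```c
#include <stdio.h>
/* Constructed timing figures in ticks; none of them come from the page. */
enum { PACE_PERIOD = 100, PACE_COST = 2, REPORT_TICK = 110, REPORT_COST = 60,
       FAULT_TICK = 1000, HORIZON = 3000 };
enum fault { NONE, HANG, CROSS_THREAD };
struct result { int reset_tick; int missed_paces; };  /* reset_tick -1: no reset */

/* Assumed model: threads run to completion on one processor and the
 * scheduler pulses a single shared watchdog each time a thread returns
 * or an idle pass ends. The fault hits the pacing thread at FAULT_TICK. */
struct result simulate(int wdt_interval, enum fault f)
{
    struct result r = { -1, 0 };
    int now = 0, next_pace = 0, report_done = 0;
    while (now < HORIZON) {
        int cost = 1;                              /* idle pass */
        if (now >= next_pace) {                    /* pacing thread is due */
            next_pace += PACE_PERIOD;
            if (f == NONE || now < FAULT_TICK) {
                cost = PACE_COST;                  /* stimulus delivered */
            } else {
                r.missed_paces++;                  /* no stimulus this period */
                /* HANG never returns; CROSS_THREAD runs report code, then returns. */
                cost = (f == HANG) ? HORIZON : REPORT_COST;
            }
        } else if (!report_done && now >= REPORT_TICK) {
            report_done = 1;
            cost = REPORT_COST;                    /* legitimate long thread */
        }
        if (cost > wdt_interval) {                 /* no pulse arrives in time */
            r.reset_tick = now + wdt_interval;
            return r;
        }
        now += cost;                               /* thread returns, pulse issued */
    }
    return r;
}

int main(void)
{
    const int wdt[] = { 80, 5, 80, 80 };           /* 80 > REPORT_COST; 5 fits pacing only */
    const enum fault f[] = { NONE, NONE, HANG, CROSS_THREAD };
    for (int i = 0; i < 4; i++) {
        struct result r = simulate(wdt[i], f[i]);
        printf("wdt=%2d fault=%d reset=%d missed=%d\n", wdt[i], f[i], r.reset_tick, r.missed_paces);
    }
    return 0;
}
```

An interval sized for the pacing thread alone resets the device during the legitimate report, while the interval sized for the longest thread catches the hang but lets the cross-thread fault run to the end of the simulation with every pacing period missed.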