Fully implantable medical devices (IMDs) function autonomously through preprogrammed control over an extended time period. Ensuring continuity of function in IMDs, particularly of life-sustaining therapy, is essential, for example in cardiac rhythm management (CRM) devices that provide endocardial electrical stimuli in response to sensed cardiac arrhythmias. Pacemakers, for instance, manage bradycardia by delivering pacing stimuli to restore normal sinus rhythm. Similarly, implantable cardioverter defibrillators (ICDs) treat tachycardia through high-energy cardioversion, defibrillation shocks, or anti-tachycardia pacing.
IMD internal architectures have continually evolved in pace with advances in microprocessor design. IMD architectures, in general, have migrated towards a programmable control model that utilizes a central microprocessor to perform a range of built-in or downloaded functions. In addition, increases in onboard memory capacity have enabled tracking of a wider range of data, while radio frequency (RF) telemetry has provided increased bandwidth for data exchange and improved reporting frequency. Moreover, core therapeutic life-sustaining functionality has increasingly been supplemented with ancillary non-critical functions, such as routine physiometric and environmental monitoring.
The increase in IMD functionality has also increased the risk of failure due to programmatic and design errors or faults. General reliance is placed on a uniprocessor operating on a shared pool of memory under programmed control of different functions. Such reliance leaves open the risk that errors in one function, including static errors, such as memory corruption, and runtime errors, such as process deadlock, could propagate to other, possibly critical, functions. Device reset is frequently the only recourse, but has many side effects, such as possible loss of some stored data, temporary interruption in therapy, and potential inability to return to full service due to the effects of the initial fault.
Conventional non-redundant IMD architectures focus on operation resumption and not error or fault containment. For instance, U.S. Pat. No. 6,584,356, issued Jan. 5, 2001, to Wassmund et al., discloses downloadable software support in a pacemaker, which includes modular features that control device operation and therapy functionality. The IMD employs a preemptive real-time operating system with a scheduling mechanism that uses a priority inheritance protocol. Preemptive scheduling provides facilities to prevent process deadlock and unbounded priority inversion. Modular features can be added as downloadable software that is loaded into random access memory and given access to the full range of functions available to existing firmware functions. Notwithstanding, the device lacks provisions to protect existing features against aberrant programmatic behaviors. It also teaches away from isolating errors or faults by persisting modular feature state in non-volatile storage to facilitate device reset in response to operational bugs.