Guidelines for medical alarm system software design

Altran Italia | Technology Review # 08
The methods presented in this article have been developed as general guidance for developing the alarm system architecture of a medical electrical system.
Pasquale Sessa

ABSTRACT:
The kidneys are responsible for filtering waste products from the blood. Dialysis is a procedure that replaces the renal (kidney) function; it is performed with a haemodialysis machine in people who suffer from end-stage renal disease. The haemodialysis machine provides the dialysis fluid used to clean the patient's blood and to remove excess fluid.
One aspect to take care of in the development of a dialysis machine is the alarm system. Alarm systems are important for the safe and efficient operation of many technical systems. However, it is vital that the design of the alarms and of the alarm system matches the conditions and needs of the human operator. During treatment multiple alarms can occur, and we must ensure that each alarm is accurate, intuitive and provides alerts that are readily interpreted. Audible alarms serve multiple functions in medical equipment, not the least of which is that they protect manufacturers against liability. This article is offered to facilitate the improvement of alarm design and, on the other hand, to give some tips for developing alarm uniformity. In order to accomplish this, it is necessary to approach the management of alarm troubleshooting in a systematic manner. The title of the article refers to IEC 60601-1-8, a comprehensive international standard that specifies basic safety and essential performance requirements and tests for alarm systems in medical equipment. Medical equipment manufacturers usually develop proprietary alarms for their products. Efforts to harmonize alarm systems in medical equipment had been moving slowly over the last decade. As device makers continue to integrate more functions into each piece of medical equipment, they must also incorporate more types of warning sounds.

1. Introduction

What defines a visual alarm?
It is a good question. However, this changed in 2003 when the international standard IEC 60601-1-8 was issued. Although compliance is voluntary, it is expected that many medical equipment manufacturers will eventually move toward adopting this standard. By not following its guidance, manufacturers risk liability issues, but even more they risk missing out on sales to larger institutions that may soon begin to require compliance with IEC 60601-1-8. The definitions of "alarm system" and "alarm condition" in IEC 60601-1-8 are not really tight enough to exclude an information message, since it still indicates a potential hazard. It appears from the scope statement (clause 1.1) that the decision to use an "alarm system" is up to the manufacturer. Some particular standards specify that an alarm must be provided, and there are some Manufacturing Details Design (MDD) essential requirements that specifically reference alarms. In all other cases the risk management process decides whether an alarm is needed. As additional justification, although nowhere stated, the principle of IEC 60601-1-8 alarms is to bring the user's attention to the equipment generating the alarm, in an environment where there may be many medical devices or where the user may have their attention on other things. In your case the user is already sitting in front of the device, looking at the screen, and has just made a change in a setting that might trigger the message. Thus there is no need to try to grab the user's attention, for instance by providing a lamp or an audible sound. So perhaps an improved definition of "alarm system" in IEC 60601-1-8 would indicate that such systems are specifically intended to get the user's attention from a distance, through the use of audible and visual signals. IEC 60601-1-8 is a collateral standard. It applies to all medical electrical devices that provide audible or visual signals to reduce risk. For the standard, an alarm is any signal used to prevent harm.
IEC 60601-1-8 allows the design to be modified or some requirements to be eliminated.
Why create a standard for alarms?
Identified problems included difficulty in identifying the source of an alarm, alarms being too loud and distracting, and high rates of false-positive or false-negative alarm conditions. Safety is improved through improved perception (understanding) by clinicians: if the user understands the urgency and the cause, quicker action is taken. It should also be emphasized that lower priority alarms must not be unnecessarily distracting or disturbing.
The designer determines the priority of the condition being monitored by the medical equipment. Any signal that is intended to alert users to a potentially harmful condition or situation, so that action can be taken to prevent harm, is an alarm signal. The equipment designer is responsible for gauging when an alarm should trigger. In such cases, clause 201.3.1 requires that at minimum a visual alarm must be generated.
A visual alarm is not necessary for alarm systems that are worn, such as a paging receiver. Whether audible or other types of signals are required is determined by risk analysis.
What are the situations in which the user must be alerted?
Any situation that is dangerous for the patient's health, or that is used to indicate the quality of the treatment.
Alarms can be divided into two macro types: physiological and technical alarms.
The physiological class contains all alarm conditions in which a dialysis parameter value is out of its permitted range, exceeds a threshold and is dangerous for the health of the patient. For example, the machine controls the arterial pressure, that is the pressure in the arterial blood line between the needle and the blood pump. It is always negative because the pump is pulling the blood from the needle. If the machine is trying to pull blood from the patient faster than the needle can give it, an alarm will activate (high arterial pressure). This alarm will stop the blood pump and close the venous line clamp. This example shows the definition of a physiological alarm, but it also makes evident the state of the haemodialysis machine after the alarm activation. Alarms that cause the blood pump to stop should be managed as quickly as possible, because if the blood is stagnant in the tubing for too long it will clot. Excessive clotting in the blood tubing may result in needing to change the entire blood tubing set, which is a time-consuming procedure.
The monitored parameters differ from device to device (high heart rate, low exhaled tidal volume on a ventilator, etc.), and the alarm state of the machine depends on them. To classify the alarms clearly it is necessary to define some attributes, which I deal with in the following. Technical alarms, instead, are failures of essential performance (also during a single fault condition) or mechanical failures resulting in a hazard, or processing errors in safety-related software. In both classes we need to define further attributes to define the alarms clearly.
When we develop the software part of the dialysis system we must remember that it needs to interact clearly with the hardware and mechanical parts of the system and to comply with the regulation: the machine state at alarm activation must be a safe state, reached in the shortest possible time. In some applications, such as medical equipment, a person's life may depend upon the audible warning sound. In all cases, the equipment designer should consider the desired characteristics of the audible alarm at the initial design planning phase, to obtain satisfactory performance and avoid costly redesign. The first characteristic for a designer to consider is the type of sound, such as a continuous, intermittent or specialty sound. Other critical criteria include sound level, frequency, current draw, quality, mounting configuration, cost and availability.
Even in this case the standard IEC 60601-1-8 comes to the rescue, as it defines the visual and audible alarm characteristics.
2. Methods: Determining Priority
Inadequate configuration and use of alarm systems lead to unnecessary alarms on the one hand and result in undetected critical situations on the other. Therefore a higher general awareness, and increased knowledge, of healthcare providers regarding the function of the alarm system is of interest. Determining what constitutes serious injury of the patient helps to understand the exact classification of the visual alarms of the medical device. To determine serious injury we start by studying the typical symptoms and signs of the patient. In chronic renal therapy, typical symptoms and signs of injury are:
- Breath
- Nausea
- First use syndrome
- Feel hot
- Feel funny
- Restless
- Headache
This list of signs probably requires immediate first aid to prevent serious injury, and to mitigate the serious injury the machine raises an alarm. IEC 60601-1-8 gives guidance on whether a patient's condition should be assigned a high, medium or low priority. This guidance is based on the potential result of a failure to respond to the cause of the alarm condition, and on how fast the potential harm could happen to the patient. The alarm signal priorities are the following:
- low priority: operator awareness required;
- medium priority: prompt operator response required;
- high priority: immediate operator response required;
- reminder signal: if alarms are inactive;
- information signal: other than the above, and unlikely to be covered by the standard.
IEC 60601-1-8 defines the different priorities in clause 201.1.2. The risk analysis determines the priority of the condition based on the severity and on the immediacy of the required action.
The standard does not specify whether or not there should be alarms. The circumstances which require alarms are not specified in the standard, nor are the allocation of priorities to specific alarm conditions or the technology that generates the alarm signal.
Figure 1. Interface of dialysis system.
In the interface of the dialysis system (see Figure 1) all the interfaces are shown graphically. One higher-level interface is the graphical user interface used by the medical staff supervising the dialysis process. The user interface allows for the setting of the operational values, e.g. dialysis fluid temperature and dialysis process characteristics, and provides accurate information about the system operation. Especially in case of alarm situations, the system should provide up-to-date information and allow for quick and accurate operation. Finally, the second higher-level interface supports the interaction with medical information systems. This allows for the downloading of the patient information, including patient-specific settings of the dialysis parameters.
As a first point of view on alarm classification, we should distinguish between the alarms of the dialysis fluid circuit and those of the extra-corporeal circuit. We separate the circuits because the extra-corporeal circuit has a higher priority for patient safety than the dialysis fluid circuit. This choice is correct because during alarm conditions related to the fluid the machine goes into the bypass state, which is a safe state for the patient. An information signal may also be used to indicate the potential result of a failure to respond in case of delayed, prompt or immediate potential harm to the patient. The potential result of the nurse's failure to respond could be classified as follows:
a- Onset of potential harm refers to when an injury occurs and not to when it is manifested;
b- Having the potential for the event to develop within a period of time not usually sufficient for manual corrective action;
c- Having the potential for the event to develop within a period of time usually sufficient for manual corrective action;
d- Having the potential for the event to develop within an unspecified time greater than that given under "prompt".
In the following Table 1 the values present in the cells represent an example of an alarm priority table that follows the previous reasons (a), (b), (c), (d):

Potential result of failure to respond | Onset of potential harm: Immediate (b) (within seconds to a couple of minutes) | Prompt (c) (at least several to many minutes have elapsed) | Delayed (d) (many minutes to hours)
Death or irreversible injury           | HIGH (a)                                                                       | MEDIUM                                                     | MEDIUM
Reversible injury                      | HIGH                                                                           | MEDIUM                                                     | LOW
Minor injury or discomfort             | HIGH                                                                           | MEDIUM                                                     | LOW
Table 1. Example Alarm Priority Table.
It is possible to study a different alarm priority table, based only on choosing the operating time of the nurse for comparison. In this case the table could be the following:

Potential result of failure to respond | Onset of potential harm: Immediate (within seconds to a couple of minutes) | Prompt (at least several to many minutes have elapsed) | Delayed (many minutes to hours)
Death or irreversible injury           | HIGH                                                                       | MEDIUM                                                 | MEDIUM
Reversible injury                      | HIGH                                                                       | MEDIUM                                                 | LOW
Minor injury or discomfort             | HIGH                                                                       | MEDIUM                                                 | LOW
Table 2. Example Alarm Priority Table.
Each cell of the table represents a different alarm class. For each alarm class a rule is defined, together with the colour to apply in the user interface (the colour property is indicated in Table 2). Another general rule could be that each alarm must be classified depending on the countermeasures applied by the machine (machine actions) after triggering that specific alarm, without considering connected/related alarms. Conditions which may cause "irreversible injuries" that could continue after the machine action is applied will be classified as high priority, because only the operator response can stop the injuries. Onset of potential harm refers to when an injury occurs and not to when it is manifested. The standard ISO 3864-2:2004 (ANSI Z535.4-2002) is used to decide the design of safety signs for products, but also as a starting point for the classification of the alarms.
This standard declares that the classification of the alarms depends on the severity of harm:
- death or serious injury;
- moderate or minor injury.
Serious injuries typically have one or more of the following characteristics:
• result in permanent loss of function or significant disfigurement;
• require substantial and prolonged medical treatment;
• involve considerable pain and suffering over long periods of time.
Examples of serious injuries include amputations, severe burns, and loss or impairment of vision or hearing.
The standard uses the different hazard severity panels with the following meaning:
- danger: indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury;
- warning: indicates a hazard with a medium level of risk which, if not avoided, could result in death or serious injury;
- caution: indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
Alarm category  | Indicator colour | Flashing frequency | Duty cycle (on/off time)
High priority   | Red              | 1.4 Hz to 2.8 Hz   | 20% to 60% on
Medium priority | Yellow           | 0.4 Hz to 0.8 Hz   | 20% to 60% on
Low priority    | Cyan or yellow   | Constant (on)      | 100% on
Table 3. Alarm Indicator Light.
Where does the alarm indicate/annunciate?
The standard specifies that the alarm indication could be:
• local (at the device);
• distributed (remote from the device);
• hardwired (e.g. hallway lights, nurse call);
• RF (e.g. pagers, mobiles).
In some cases it may be both local and distributed. The important thing to underline is that only the risk analysis determines who needs to be alerted and the locations where they are likely to be. The typical signal word selection process, referring to ISO 3864-2:2004, is summarized in the following figure 2:
Figure 2. Signal Word Selection Process.
2.1. Visual alarm signal characteristics
Visual alarm signals must at minimum alert the user to the presence and cause of an alarm condition and to its priority, according to 201.3.2.1.
Colour and other specific characteristics for visual alarms are given in Table 3.
Clause 201.3.2.2 requires that, where the visual alarm is required to assure that the operator will know which device or part of the device requires attention, the following characteristics must be provided:
- it indicates the priority of the highest active alarm;
- it is perceived correctly from at least 4 m away.
This indicator is necessary for alarm systems that are intended to be located in the proximity of other alarm systems.
The standard allows visual alarms to be generated on displays, and a visual alarm "locator" light or symbol identifies the specific alarm (LED next to text, graphics display, etc.).
It also defines that the light/symbol used for the low priority and high priority must be perceivable correctly from 1 m away or from the operator's position (if defined). Some notes on visual alarms:
• Determining that a visual alarm will be correctly perceived is based on:
- 20/20 vision;
- the viewpoint being the operator's position (if defined) or a 30° cone from the centre of, and horizontal to, the display or other visual indicator;
- ambient light from 100 through 1,500 lx.
• It is acceptable to have a single visual alarm indicator if it meets all applicable requirements.
The guidance on visual signals advises against flashing text, because it is difficult to read and should therefore be avoided. In the case of black text on a white background or white text on a black background the use of flashing text is allowed. An audible and visual alarm system is needed above all:
- when the alarm system is in proximity of other alarm systems (i.e. in the ER);
- it is not needed when worn (i.e. a pager);
- as dictated by the risk analysis.
The work involving human-machine interaction is complex, but it is essential in medical device development. In fact there is no doubt that major research and development efforts are needed for medical device alarm systems, to ensure easy human-machine interaction and to improve user satisfaction. The entire chain, starting with the selection of appropriate alarm settings for a patient, continuing with the signal acquisition and ending with the communication of the alarm message, needs to be carefully examined. IEC 60601-1-6 (Usability) should be used when designing, and must be used to validate, visual signals:
- the meaning will be understood;
- the priority will be recognized;
- the location and the required action will be understood.
Finally, it is important to acknowledge that nurses are the best monitors. Providing them with the right tools, such as mobile decision support systems or personalized alarms, has high potential to improve their situational awareness and efficacy, thereby improving patient safety. Special care should be taken to avoid replacing experienced nurses with a combination of less experienced healthcare providers and additional patient monitoring equipment.
2.2. Audible alarm characteristics
As seen before, the first step is to assign the priority of the condition that is being monitored by the medical equipment; then some characteristic requirements must be followed for the audible alarm. IEC 60601-1-8 gives guidance on whether a condition should be assigned a high, medium or low priority.
Audible alarm signals may be:
- prioritized, meeting the characteristics defined in clauses 201.3.3.1 to 201.3.3.3;
- generated by other means (e.g. synthesized voice), but these must be validated through application of 60601-1-6 (e.g. by clinical usability testing).
An important note is that an alarm system for high or medium priority alarm conditions that is not intended/likely to be continuously attended by an operator in normal use should generate auditory alarm signals. From this consideration we understand that visual alarms alone are not adequate, and many times audible alarms in more than one location may be required.
The audible alarm requirements are defined in clause 201.3.3.1, which requires that:
- sounds are priority encoded;
- higher priority alarms convey a higher sense of urgency;
- sounds are validated (e.g. clinical usability testing) or follow the standard;
- a means may be provided to store a set of auditory alarm signals in any alarm preset.
The clause also defines the characteristics for the defined set of audible alarms, represented in the following tables (see Tables 4 and 5):
Characteristic                                                  | Value
PULSE FREQUENCY (f0)                                            | 150 Hz to 1,000 Hz
Number of harmonic components in the range 300 Hz to 4000 Hz    | Minimum of 4
Effective PULSE duration (td)                                   | HIGH PRIORITY: 75 ms to 200 ms; MEDIUM and LOW PRIORITY: 125 ms to 250 ms
RISE TIME (tr)                                                  | 10% to 20% of td
FALL TIME (a) (tf)                                              | tf < ts – tr
NOTE: The relative sound pressure level of the harmonic components should be within 15 dB above or below the amplitude at the PULSE FREQUENCY.
a - Prevents overlap of PULSES.
Table 4. Frequency and pulse alarm characteristics.

Characteristic                                 | HIGH PRIORITY SIGNAL | MEDIUM PRIORITY SIGNAL | LOW PRIORITY SIGNAL (d)
Number of PULSES in BURST (a, e)               | 10                   | 3                      | 1 or 2
Between 1st and 2nd PULSE                      | x                    | y                      | y
Between 2nd and 3rd PULSE                      | x                    | y                      | Not applicable
Between 3rd and 4th PULSE                      | 2x+td                | Not applicable         | Not applicable
Between 4th and 5th PULSE                      | x                    | Not applicable         | Not applicable
Between 5th and 6th PULSE                      | 0.35 s to 1.30 s     | Not applicable         | Not applicable
Between 6th and 7th PULSE                      | x                    | Not applicable         | Not applicable
Between 7th and 8th PULSE                      | x                    | Not applicable         | Not applicable
Between 8th and 9th PULSE                      | 2x+td                | Not applicable         | Not applicable
Between 9th and 10th PULSE                     | x                    | Not applicable         | Not applicable
INTERBURST INTERVAL (b, c) (tb)                | 2.5 s to 15.0 s      | 2.5 s to 30.0 s        | >15 s or no repeat
Difference in amplitude between any two PULSES | Maximum 10 dB        | Maximum 10 dB          | Maximum 10 dB
Where x shall be a value between 50 ms and 125 ms.
Where y shall be a value between 125 ms and 250 ms.
The variation of x and y within a BURST shall be +/- 5%.
MEDIUM PRIORITY td+y shall be greater than or equal to HIGH PRIORITY td+x.
a - See also Table 3 for characteristics of the PULSE.
b - Unless otherwise specified in a particular standard for a particular MEDICAL ELECTRICAL EQUIPMENT.
c - Manufacturers are encouraged to use the longest INTERBURST INTERVAL consistent with the risk analysis. Writers of particular standards are encouraged to consider the longest appropriate INTERBURST INTERVAL of the auditory ALARM SIGNAL for the particular ALARM SYSTEM application. A long INTERBURST INTERVAL can under certain conditions negatively affect the ability to correctly discern, in a timely manner, the source of the ALARM CONDITION.
d - The generation of the auditory component of a LOW PRIORITY ALARM CONDITION is optional.
e - Unless inactivated by the OPERATOR, MEDIUM PRIORITY and LOW PRIORITY auditory ALARM SIGNALS shall complete at least one BURST, and HIGH PRIORITY auditory ALARM SIGNALS shall complete at least half of one BURST.
Table 5. Signal time alarm characteristics.
Clause 201.3.3.2 has minimal requirements regarding sound pressure:
- lower priority alarms may not be louder than higher priority alarms;
- there are no requirements for minimum or maximum sound pressure level:
• 45 to 85 dB is generally reasonable;
• it should be based on the background noise in the use environment (documented analysis in the RMF).
The audible alarm signal requirements in the time domain listed in IEC 60601-1-8 can be represented as follows:
Figure 3. Representation of the signal in the time domain.
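To make the timing rules of Tables 4 and 5 concrete, the following Python example (added here; it is not code from the article, from the standard or from any product) lays out the pulses of one burst on the time axis and checks one priority's parameters against the ranges above. It assumes that x, y and the mid-burst pause are the silent gaps between the end of one pulse and the start of the next (so 2x+td is exactly one skipped pulse), and that a burst which is not repeated is expressed as an interburst interval of None.

```python
from typing import List, Optional

# Permitted ranges transcribed from Tables 4 and 5 above (milliseconds unless noted).
TD_RANGE_MS = {"high": (75, 200), "medium": (125, 250), "low": (125, 250)}
X_RANGE_MS = (50, 125)        # spacing x, used inside a HIGH priority burst
Y_RANGE_MS = (125, 250)       # spacing y, used inside MEDIUM and LOW bursts
MID_PAUSE_MS = (350, 1300)    # gap between the 5th and 6th pulse of a HIGH burst
INTERBURST_S = {"high": (2.5, 15.0), "medium": (2.5, 30.0), "low": (15.0, None)}


def burst_gaps(priority: str, td: float, x: float, y: float, pause: float,
               low_pulses: int = 2) -> List[float]:
    """Silent gaps (ms) between consecutive pulses of one burst, Table 5 column by column.
    Assumption of this example: x, y and the pause run from the end of one pulse to the
    start of the next, so '2x+td' is the length of exactly one skipped pulse."""
    if priority == "high":              # 10 pulses: two groups of five with a pause between
        group = [x, x, 2 * x + td, x]
        return group + [pause] + group
    if priority == "medium":            # 3 pulses
        return [y, y]
    if priority == "low":               # 1 or 2 pulses
        return [y] if low_pulses == 2 else []
    raise ValueError(f"unknown priority {priority!r}")


def burst_schedule(priority: str, td: float, x: float, y: float,
                   pause: float = 800.0, low_pulses: int = 2) -> List[float]:
    """Start time (ms, relative to the burst start) of every pulse in one burst."""
    starts = [0.0]
    for gap in burst_gaps(priority, td, x, y, pause, low_pulses):
        starts.append(starts[-1] + td + gap)
    return starts


def _in_range(value: float, lo: float, hi: Optional[float]) -> bool:
    return lo <= value and (hi is None or value <= hi)


def check_params(priority: str, td: float, x: float, y: float,
                 interburst_s: Optional[float], pause: float = 800.0) -> List[str]:
    """Rule violations for one priority's parameters; an empty list means compliant.
    interburst_s=None means the burst is not repeated (allowed only for LOW priority)."""
    problems = []
    lo, hi = TD_RANGE_MS[priority]
    if not _in_range(td, lo, hi):
        problems.append(f"td={td} ms outside {lo}-{hi} ms for {priority} priority")
    if priority == "high":
        if not _in_range(x, *X_RANGE_MS):
            problems.append(f"x={x} ms outside {X_RANGE_MS[0]}-{X_RANGE_MS[1]} ms")
        if not _in_range(pause, *MID_PAUSE_MS):
            problems.append(f"pause={pause} ms outside 0.35-1.30 s")
    elif not _in_range(y, *Y_RANGE_MS):
        problems.append(f"y={y} ms outside {Y_RANGE_MS[0]}-{Y_RANGE_MS[1]} ms")
    lo, hi = INTERBURST_S[priority]
    if interburst_s is None:
        if priority != "low":
            problems.append(f"{priority} priority bursts must repeat")
    elif not _in_range(interburst_s, lo, hi):
        problems.append(f"interburst interval {interburst_s} s outside {lo}-{hi or 'inf'} s")
    return problems


def medium_slower_than_high(td_high: float, x: float, td_medium: float, y: float) -> bool:
    """Table 5 note: MEDIUM td+y shall be greater than or equal to HIGH td+x."""
    return td_medium + y >= td_high + x


def rise_fall_ok(td: float, tr: float, tf: float, ts: float) -> bool:
    """Table 4: rise time 10%-20% of td, and fall time shorter than the spacing ts minus
    the rise time, so that consecutive pulses do not overlap."""
    return 0.10 * td <= tr <= 0.20 * td and tf < ts - tr
```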
The following table lists the IFU (instructions for use) content:
Description                                                                                                   | Clause or subclause
ALARM SIGNAL GENERATION DELAY OF DISTRIBUTED ALARM SYSTEM, maximum time or time to TECHNICAL ALARM CONDITION  | 201.4.2 b)
ALARM SIGNAL GENERATION DELAY, mean                                                                           | 201.4.1
ALARM SIGNAL GENERATION DELAY, statistics of distribution                                                     | 201.4.1
ALARM CONDITION DELAY, mean time                                                                              | 201.4.1
ALARM CONDITION DELAY, statistics of distribution                                                             | 201.4.1
ALARM CONDITION log after power down                                                                          | 201.12 b)
ALARM CONDITION log after power failure                                                                       | 201.12 c)
ALARM CONDITION, grouping                                                                                     | 201.1.1
ALARM CONDITION, priority of each                                                                             | 201.1.2
Table 6. Relationship of alarm argument with clause or subclause.
Figure 3a. Example of the signal.
Just for clarification, although this article does not deepen the discussion, clause 6 of the standard highlights some rules to consider and to clarify in the instructions for use:
• overview of the alarm system;
• description of every possible alarm and, as appropriate for the user, how it is determined;
• inherent delays;
• expected operator position;
• how and when to verify alarm functionality;
• caution against setting extreme limits.
To end the overview of the audible alarm characteristics by the standard, it is important to add some notes on melodies and Annex EEE. The meaning of a melody is required to be consistent with the underlying alarm condition or equipment category, and a melody may be used only to indicate the defined conditions. Melodies other than those defined are acceptable if they cannot be confused with the defined melodies or with the defined alarm signals.
The standard defines a generic melody for general use as follows:
Cause | Low Priority
Any   | ec
Table 7. Generic melody.
The characters c, d, e, f, g, a, b, C refer to relative musical pitches, and C is one octave above c.
Examples of the different melodies are represented in the following table:
Cause                       | Medium Priority | High Priority
General                     | ccc             | ccc–cc
Cardiac                     | ceg             | ceg–gC
Artificial perfusion        | c f# c          | c f# c – c f#
Ventilation                 | caf             | caf–af
Oxygen                      | Cba             | Cba–gf
Temp/Energy delivery        | cde             | cde–fg
Drug or fluid delivery      | Cdg             | Cdg–Cd
Equipment or supply failure | Ccc             | Ccc–Cc
Table 8. Alarm melody musical pitches.
All pulses and bursts shall comply with the timing and volume requirements of list element a) of 201.3.3.1. The melodies may be sounded in different keys or octaves if the absolute frequency of "c" lies between 150 Hz and 500 Hz. The "General" burst may be used for any auditory alarm signal in any alarm system. A high priority alarm signal is generated with the five pulses shown, repeated once, for a total of 10 pulses. There are two types of exception: some technical alarms and the information signals. Audible alarms need not comply with the requirements of clause 201.3 if they are technical alarms indicating:
- power system failure;
- alarm system failure.
Information signals are up to the design team and are not regulated by the standard, other than that it must not be possible to confuse them with alarm signals. IEC 60601-1-8 requires that an individual sound pulse has a fundamental frequency (musically known as pitch) somewhere between 150 and 1000 Hz, and that there are at least four harmonic components between 300 and 4000 Hz, as we can see in the following figure 4:
Figure 4. Example of an audible sound that complies with the standards.
The IEC 60601-2-16 and IEC 60601-1-8 standards impose some constraints on the sound pulses that build up an alarm sound, in terms of length, duration, rise/fall time, spectral content and sound power. We do not expand on the frequency discussion in this article, but the sound of the alarm requires testing to be compliant with IEC 60601-1-8. According to the standard, the audio files (high, medium, low) from a spectral point of view must contain a minimum of 4 pulse harmonics in the range from 300 Hz to 4 kHz, the fundamental frequency of the pulses must lie between 150 Hz and 1 kHz, and the 4 harmonics must have an amplitude within +/- 15 dB of the fundamental.
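The melody and spectral rules above can be turned into a test that a sound file has to pass. The following Python example is added here (it is not code from the article, the standard or any product): it maps a Table 8 melody to pulse fundamentals given the absolute pitch of "c", synthesizes a constructed pulse with a chosen harmonic content, and measures the fundamental and its harmonics with the Goertzel algorithm so no FFT library is needed. It assumes that "harmonics" means the multiples 2·f0, 3·f0, ... and not the fundamental itself, and that a 16 kHz sampling rate is used for the constructed pulse.

```python
import math

SAMPLE_RATE = 16000   # Hz, constructed sampling rate for the synthetic pulse

# Semitone offsets of the pitch letters used in Tables 7 and 8; "C" is one octave above "c".
SEMITONES = {"c": 0, "d": 2, "e": 4, "f": 5, "f#": 6, "g": 7, "a": 9, "b": 11, "C": 12}


def parse_melody(text: str) -> list:
    """Split a Table 8 melody such as 'c f# c – c f#' or 'ceg–gC' into pitch tokens.
    Spaces and the dash separating the two halves of a HIGH priority melody are ignored."""
    tokens = []
    for ch in text:
        if ch == "#" and tokens:
            tokens[-1] += "#"
        elif ch in SEMITONES:
            tokens.append(ch)
    return tokens


def melody_frequencies(text: str, c_hz: float) -> list:
    """Fundamental frequency of each pulse of a melody, given the absolute pitch of 'c',
    which the standard (as quoted above) restricts to 150 Hz - 500 Hz."""
    if not 150 <= c_hz <= 500:
        raise ValueError("absolute frequency of 'c' must lie between 150 Hz and 500 Hz")
    return [c_hz * 2 ** (SEMITONES[t] / 12) for t in parse_melody(text)]


def synth_pulse(f0: float, td_s: float = 0.15, gains=(1.0, 0.7, 0.5, 0.4, 0.3)) -> list:
    """Constructed test pulse: fundamental f0 plus harmonics 2..len(gains) with the
    given relative amplitudes, shaped by 20 ms linear rise and fall ramps."""
    n = int(SAMPLE_RATE * td_s)
    ramp = int(SAMPLE_RATE * 0.020)
    samples = []
    for i in range(n):
        t = i / SAMPLE_RATE
        envelope = min(1.0, i / ramp, (n - 1 - i) / ramp)
        tone = sum(g * math.sin(2 * math.pi * (k + 1) * f0 * t) for k, g in enumerate(gains))
        samples.append(envelope * tone)
    return samples


def goertzel_db(samples: list, freq: float) -> float:
    """Signal power at `freq` in dB (arbitrary reference) via the Goertzel algorithm,
    which evaluates a single DFT bin without computing the whole spectrum."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for v in samples:
        s0 = v + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 10.0 * math.log10(max(power, 1e-12))


def check_pulse_spectrum(samples: list, f0: float, max_harmonic: int = 8) -> list:
    """Apply the spectral rules quoted above to one pulse: fundamental between 150 Hz and
    1 kHz, and at least four harmonics between 300 Hz and 4 kHz whose level is within
    15 dB of the fundamental. Returns the list of violations (empty = compliant).
    Assumption: 'harmonics' are the multiples 2*f0, 3*f0, ... and not the fundamental."""
    problems = []
    if not 150 <= f0 <= 1000:
        problems.append(f"fundamental {f0} Hz outside 150-1000 Hz")
    reference_db = goertzel_db(samples, f0)
    compliant = 0
    for k in range(2, max_harmonic + 1):
        fk = k * f0
        if 300 <= fk <= 4000 and abs(goertzel_db(samples, fk) - reference_db) <= 15:
            compliant += 1
    if compliant < 4:
        problems.append(f"only {compliant} harmonics within +/-15 dB in 300-4000 Hz")
    return problems


def melody_pulses_compliant(text: str, c_hz: float) -> bool:
    """True when every pulse of the melody, synthesized with the constructed harmonic
    content of synth_pulse, passes check_pulse_spectrum."""
    return all(not check_pulse_spectrum(synth_pulse(f), f) for f in melody_frequencies(text, c_hz))
```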
3. A software approach to an intelligent alarm system
Clause 201.2 describes an intelligent alarm system as one that:
• changes alarm thresholds over time;
• determines an alarm condition (multiple variables, algorithms, fuzzy logic, etc.);
• generates signals for multiple conditions of equal priority (ranking, effect on signal generation, etc.);
• changes delays (in recognition or generation of an alarm);
• changes alarm signal characteristics (volume, pitch, etc.).
The intelligent alarm system is a quite complex piece of software, characterized by a high degree of different functionality. It determines the different alarm conditions and manages them in order to raise an alarm. It has a graphical user interface to the dialysis machine and is able to present generic information data using different kinds of widgets. Essentially the three major software subsystems are the General User Interface (GUI), the Control System and the Protective System (see figure 5).
Figure 5. Component Diagram of intelligent alarm subsystem.
Figure 6. Sequence diagram of the Control Sequence.
The principal responsibilities of the GUI are to get the user (nurse) input and to show data and alarms. It also sends the treatment data and the state of the machine to the control system and to the protective subsystem; this allows the protective and control modes to be set to the correct states/modes. The control system supervises the values set by the user according to the treatment selected for the time being, and is responsible for maintaining/sending the correct values of the machine to the other subsystems (coordinator). The collaboration between the control system and the GUI is a tight-loop process control system that allows the machine to change state and evolve. The protective system is responsible for detecting any hazardous situation. The protective subsystem checks the set values and the current treatment values permitted and, in case the patient might be hurt, ensures the safe condition. It runs in its own task or process and is supposed to be as separate from the other parts of the system as possible. When detecting a hazard, the protective system raises an alarm and engages a process of returning the system to a safe state. The protective logic is often redundant, to ensure the greater degree of safety that is required by the standard. Usually, the safe state is stopping the blood flow or the dialysis-fluid flow. The documented structure of the system is no more fine-grained than this, and to do any change impact analysis extensive knowledge of the source code is required. To achieve these requirements the application architecture is executed in pseudo-parallel.
The device:
- collects the data;
- normalizes it using the normalizer parameter;
- calculates the new set values using the control algorithm parameter (as described in clause 201.2).
The sequence control is implemented using the periodic object pattern (see figure 6).
The protective system runs its monitoring process independently from the other subsystems. If we think of the alarm monitoring process as a device that is monitored by a second device (like a supervisor), the Alarm Detector Device becomes a single atomic module, which is configured with a number of device-specific alarm situations. If it identifies an alarm situation, it invokes the associated Alarm Handler, which then takes care of the alarm. The alarm detector device is also part of a hierarchy of devices. If we want to obtain a higher abstraction of the Device/Control relations, the Alarm Detector Device represents a specialization of the Device archetype. Components of the Alarm Detector Device archetype are responsible for monitoring the sub-devices and making sure that the values read from the sensors are within the alarm threshold values set on the Alarm Detector Device. When threshold limits are crossed, an Alarm Handler component is invoked. The Alarm Handler is the archetype responsible for responding to alarms by returning the haemodialysis machine to a safe state or by addressing the cause of the alarm. Components are used to parameterize the Alarm Detector Device components (see figure 7).
Figure 7. Class Diagram of dialysis archetypes and their relation.
The control system may utilize the Alarm Detector Device to detect problem situations. Assuming this type of architecture, the protective subsystem is modelled as a device hierarchy. In this case the entities related to the hardware are modelled and the complete system is easily interchangeable. It is also possible to define a different controlling algorithm for every device. A device becomes either a leaf device or a logical device. Each controlling algorithm with a normalizer represents a parameterized leaf device, while several sub-devices together with the controlling algorithm and the normalizer object represent a logical device. The device archetype stores the information, relations and configuration about the controlling algorithm, while the controlling algorithm performs the calculation for setting the values of the sub output device. The controlling algorithm gets values from the input sub-devices, and the control receives the value from the encapsulated device. So the computation is done in a separate archetype, which is used to parameterize device components. The Normalizer object is used to bring values expressed in different units of measurement into the same units. A normalization archetype is also used to parameterize the device components and as an interface for the different input values. The previous archetypes may be used to model the application architecture of a haemodialysis machine (see figure 8).
Figure 8. Example haemodialysis Application Architecture.
This point of view represents the system with a layered view. The GUI subsystem is represented by the Haemodialysis Machine (HDF) treatment, while the remaining components are in the dashed regions (Protective System in red, Control System in blue, Control Hardware System in azure). The access to the devices is through interfaces to the lowest layer. This type of architecture is based on pseudo-parallel execution of the functionality: in the first step the device collects the data, then the normalizer makes the different units of measurement uniform, and finally the new treatment set value is computed by the algorithm (see figure 6). The alarm devices are used by the control system to detect alarm conditions. The protective system can be seen as a group of alarm devices with different types of configuration. The alarm detection process runs periodically, and the message to the control system requesting a new calculation of the set value is also sent periodically (see figure 9).
Figure 9. Alarm Handler sequence diagram.
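As an added example (not code from the article, nor from any Altran or Gambro product), the following C++ sketch models the Device, Normalizer, controlling-algorithm, Alarm Detector Device and Alarm Handler archetypes described above and drives them from a single-threaded periodic scheduler, one way of realising the pseudo-parallel execution the text describes. All class names, units, gains, thresholds and the drifting temperature sensor are constructed assumptions; the standard does not prescribe them. The example also makes visible a point the text only implies: the detection latency of an alarm is bounded by the period of the protective task, so an excursion that begins between two protective cycles is caught only at the next one.

```cpp
// Added example, not from the article: Device / Normalizer / controlling
// algorithm / Alarm Detector Device / Alarm Handler archetypes run by a
// periodic scheduler. Every name, unit, gain and threshold is constructed.
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Normalizer archetype: maps a raw sensor reading into the engineering
// unit shared by the controlling algorithm and the alarm thresholds.
struct Normalizer {
    double gain;
    double offset;
    double operator()(double raw) const { return raw * gain + offset; }
};

// Device archetype: one node of the device hierarchy. update() is the
// periodic step (collect, normalize, compute); value() is its last result.
class Device {
public:
    virtual ~Device() = default;
    virtual double update() = 0;
    double value() const { return value_; }
protected:
    double value_ = 0.0;
};

// Leaf device: a single sensor parameterized with a Normalizer.
class LeafDevice : public Device {
public:
    LeafDevice(std::function<double()> sensor, Normalizer norm)
        : sensor_(std::move(sensor)), norm_(norm) {}
    double update() override { return value_ = norm_(sensor_()); }
private:
    std::function<double()> sensor_;
    Normalizer norm_;
};

// Controlling algorithm: parameterizes a logical device by mapping the
// normalized values of its input sub devices to a new set value.
using ControlAlgorithm = std::function<double(const std::vector<double>&)>;

class LogicalDevice : public Device {
public:
    LogicalDevice(std::vector<std::shared_ptr<Device>> subs, ControlAlgorithm algo)
        : subs_(std::move(subs)), algo_(std::move(algo)) {}
    double update() override {
        std::vector<double> inputs;
        for (const auto& d : subs_) inputs.push_back(d->update());  // collect + normalize
        return value_ = algo_(inputs);                             // compute set value
    }
private:
    std::vector<std::shared_ptr<Device>> subs_;
    ControlAlgorithm algo_;
};

// Alarm Handler archetype: responds to an alarm by forcing a safe state,
// which the controlling algorithm below reads on its next cycle.
struct AlarmHandler {
    bool safeState = false;
    std::vector<std::string> alarms;  // alarm names in order of occurrence
    void handle(const std::string& name) { safeState = true; alarms.push_back(name); }
};

// Alarm Detector Device: a Device specialization configured with one
// device-specific alarm condition (a low/high band) on the device it monitors.
class AlarmDetectorDevice : public Device {
public:
    AlarmDetectorDevice(std::string name, std::shared_ptr<Device> monitored,
                        double low, double high, AlarmHandler& handler)
        : name_(std::move(name)), monitored_(std::move(monitored)),
          low_(low), high_(high), handler_(handler) {}
    double update() override {
        value_ = monitored_->value();  // latest normalized value from the control cycle
        if (value_ < low_ || value_ > high_) handler_.handle(name_);
        return value_;
    }
private:
    std::string name_;
    std::shared_ptr<Device> monitored_;
    double low_, high_;
    AlarmHandler& handler_;
};

// Periodic scheduler: each task runs every `period` ticks, so the control
// and protective subsystems get independent cycles on a single thread.
class Scheduler {
public:
    void add(int period, std::function<void(int)> task) { tasks_.push_back({period, std::move(task)}); }
    void tick(int t) { for (auto& tk : tasks_) if (t % tk.period == 0) tk.task(t); }
private:
    struct Task { int period; std::function<void(int)> task; };
    std::vector<Task> tasks_;
};

struct ScenarioResult {
    int firstAlarmTick = -1;   // tick at which the first alarm was raised (-1: none)
    int alarmCount = 0;
    double pumpSetValue = 0.0; // set value after the last tick
};

// Constructed scenario: dialysate temperature (raw counts) drifts up 0.5 degC
// per tick; the detector runs every 2 ticks and trips above 39 degC.
ScenarioResult runScenario(int ticks) {
    int now = 0;
    auto tempSensor = [&now]() { return 3500.0 + 50.0 * now; };  // counts -> 35.0 degC + 0.5/tick
    auto flowSensor = []() { return 600.0; };                    // counts -> 300 mL/min
    auto temp = std::make_shared<LeafDevice>(tempSensor, Normalizer{0.01, 0.0});
    auto flow = std::make_shared<LeafDevice>(flowSensor, Normalizer{0.5, 0.0});
    AlarmHandler handler;
    // Constructed controlling algorithm: pump set value follows blood flow at a
    // fixed ratio unless the Alarm Handler has forced the safe state.
    auto pump = std::make_shared<LogicalDevice>(
        std::vector<std::shared_ptr<Device>>{flow, temp},
        [&handler](const std::vector<double>& in) { return handler.safeState ? 0.0 : in[0] * 1.5; });
    AlarmDetectorDevice tempAlarm("dialysate_temp_high", temp, 34.0, 39.0, handler);

    ScenarioResult r;
    Scheduler sched;
    sched.add(1, [&](int) { pump->update(); });  // control cycle every tick
    sched.add(2, [&](int t) {                    // protective cycle every 2nd tick
        tempAlarm.update();
        if (handler.safeState && r.firstAlarmTick < 0) r.firstAlarmTick = t;
    });
    for (now = 0; now < ticks; ++now) sched.tick(now);
    r.alarmCount = static_cast<int>(handler.alarms.size());
    r.pumpSetValue = pump->value();
    return r;
}
```

runScenario(20) drives 20 ticks: the pump set value follows blood flow (450 in the constructed units) until the protective task, running every second tick, sees the temperature leave the 34-39 band at tick 10 and the Alarm Handler forces the set value to zero; the temperature first exceeds 39 at tick 9, so the one-tick gap is the detection latency introduced by the protective period. Each later protective cycle raises the alarm again, which is the behaviour an alarm system would present as a persisting alarm condition until it is cleared.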
CONCLUSIONS
Starting from the requirements, the evaluation of a software architecture is complicated without knowing the context of the application. In this paper we first tried to explain the salient features of IEC 60601-1-8. Then the general requirements were given for a software development that follows IEC 60601-1-8. This article treated only some aspects of IEC 60601-1-8, highlighting some of the architectural design of a haemodialysis system. The aim is to optimize the driving software quality requirements, which are maintainability, reusability, safety and demonstrability, during architectural design; on the other hand, it provides some background from our experience. Software maintainability is difficult to demonstrate, but the architecture easily incorporates new requirements. The code is also atomic where needed, which makes it possible to correct defects and to build unit tests. Finally, through testing, the maintainability of the developed software is complete and reaches high performance. Starting from the study of the reference standard, safety and demonstrability are conditions of IEC 60601-1-8. The device archetype used in development can be reused to add new functionality with slight modification. The parameterization of the normalizer and of the controlling algorithm reduces the implementation time and increases software reusability. The multi-layer architecture makes it simplest to reuse lines of code across different devices and technologies. There is no doubt that a software architecture with these requirements will add cost, but it then becomes easy to change the design cycles of medical equipment. Also, the essential performance of medical electrical equipment and medical electrical systems implemented using this architecture is more efficient. In the long run the manufacturer will gain a competitive advantage over competitors, and the time to introduce new, complete and safe features is reduced.
GLOSSARY
Haemodialysis: a renal replacement therapy used to treat advanced and permanent kidney failure. The principle of haemodialysis is to filter waste products from the blood and to restore its normal constituents, involving diffusion of solutes across a semipermeable membrane, where the dialysate flows in the opposite direction to the blood flow in the extracorporeal circuit.
Clause: in this use, the smallest grammatical unit that can express a complete standard. A more complex standard may contain multiple clauses, including clauses contained within clauses.
MDD: Manufacturing Details Design describes the definitions for manufacturing or mechanical design choices. MDD is also a roadmap or a strategic approach to the manufacturing information of a design; as a noun it informally refers to a plan or convention for the construction of an object or a system.
LED: a representation of two states (On/Off); in this case we are referring to GUI LEDs, which are used as indicator lamps in many devices and are increasingly used for other lighting.
ER: in the USA, the Emergency Room in hospitals.
Pager: a pager (often called a beeper) is a simple personal telecommunications device for short alarm messages.
IFU: the act of using; the application or employment of something for a purpose. The word is an abbreviation of Indications For Use.
API: an application programming interface (API) is a particular set of rules ('code') and specifications that software programs can follow to communicate with each other.
Periodic Object Pattern: a description of an object-oriented design technique which names, abstracts and identifies aspects of a design structure that are useful for creating an object-oriented design. An object has an internal state and provides a set of services; sometimes the set value of object 'A' may depend on the set value of object 'B'. Whenever 'B' changes, 'A' should recompute its state to remain in sync with 'B'.
Biography
Pasquale Sessa has worked since November 2008 at Altran Italia in the Energy Industries Life Sciences (EILiS) Division. He has been working on software and application technology in the biomedical field with the Gambro Group from 2006 to the present. His engagement as a consultant on behalf of the Research and Development department of this leading biomedical company led him to specialize increasingly in the management of complex biomedical projects and their staffs at an international level. He graduated in Electronic Engineering in 2003 at the University of Naples, with a master's research project that investigated the automatic construction of multimedia serial devices. He has experience in software development and design for embedded systems, and in the last two years he has also been a developer of human interfaces. He is an electronic engineer with expertise in informatics and automatic measurement, interested in the construction and implementation of novel experimental protocols in the biomedical field.
BIBLIOGRAPHY
[1] IEC 60601-1-8 Ed. 1.0 b:2005, Medical electrical equipment - Part 1-8: General requirements for safety - Collateral Standard: General requirements, tests and guidance for alarm systems in medical electrical equipment and medical electrical systems. Standard IEC 60601-1-8, 2006.
[2] ISO 3864-2:2004, Graphical symbols - Safety colours and safety signs - Part 2: Design principles for product safety labels. Standard ISO 3864-2:2004.
[3] The International Organization for Standardization, http://www.iso.org
[4] Dan O'Brien (Outside Sales Engineer, Mallory Sonalert Products, Inc.), Using Audible Alarms in Medical Equipment (IEC 60601-1-8).
[5] R. Wirfs-Brock, B. Wilkerson, L. Wiener, Designing Object-Oriented Software, Prentice Hall, 1990.
[6] J. Rumbaugh, M. Blaha, W. Premerlani, F. Eddy, W. Lorensen, Object-Oriented Modeling and Design, Prentice Hall, 1991.
[7] Jan Bosch, Design and Use of Software Architectures: Adopting and Evolving a Product-Line Approach, May 1999.
[8] I. Jacobson, M. Christerson, P. Jonsson, G. Övergaard, Object-Oriented Software Engineering: A Use Case Approach, Addison-Wesley, 1992.