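Patent abstract:

Publication number: AU2010202353A1
Application number: U2010202353
Filing date: 2010-06-07
Publication date: 2011-02-10
Inventors: Mati Amit; Yitzhack Schwartz
Applicant: Biosense Webster Inc;
Main IPC class: G06F9-50
Patent description: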
AUSTRALIA
Patents Act 1990
ORIGINAL COMPLETE SPECIFICATION
INVENTION TITLE: PREVENTING DISRUPTIVE COMPUTER EVENTS DURING MEDICAL PROCEDURES
The following statement is a full description of this invention, including the best method of performing it known to us:
BACKGROUND OF THE INVENTION
FIELD OF THE INVENTION
[0001] This invention relates to computer-assisted medical procedures. More particularly, this invention relates to techniques for preventing disruptive computer events during the performance of computer-assisted medical procedures.
DESCRIPTION OF THE RELATED ART
[0002] The meanings of certain acronyms and abbreviations used herein are given in Table 1.
Table 1 - Acronyms and Abbreviations
CD | Compact Disc
CPU | Central Processing Unit
CT | Computed Tomography
MR | Magnetic Resonance
USB | Universal Serial Bus
[0003] Most modern general purpose computers and many special purpose computers are controlled by multitasking operating systems. Versions of Unix® and Microsoft Windows® operating systems are widely used examples. The task schedulers of these operating systems may concurrently queue dozens of processes having differing priorities. Some system or kernel processes may generate interrupts asynchronously or perform other actions that preempt various computer resources to the detriment of other processes executing at the application level. Examples of such processes include standard utilities, networking activities, firewall and antivirus functions.
[0004] Attempts to alter existing event-driven operating system priorities are known. For example, U.S. Patent No. 6,931,553, issued to Plante et al., discloses selectively enabling general purpose events that would wake a machine from a sleep state, only when the operating system wants particular devices associated with the wake to be able to notify the operating system that a wake event has occurred.
[0005] Another approach is taken in U.S. Patent No. 7,451,454, issued to Chen et al. An event mechanism is implemented in a multiprocessor or hyper-threading computer architecture, allowing one physical or logical processor to engage in normal processing while directing special event operations to another physical or logical processor. In one embodiment, a timer is set and a polling function is called at the end of each of a plurality of time intervals. The polling function is performed by a first processor. If the polling function results in a positive result, the results of the polling function are processed with a second processor.
BRIEF SUMMARY
[0006] In one mechanism of action, asynchronous hardware interrupts generated by various computer resources and external devices may preempt execution of a medically important process. Indeed, this behavior, caused by a combination of computer activities, may cause the computer to become functionally unavailable to a medical process controlling an external medical device or medical procedure for unacceptably long time intervals, and without regard to the criticality of the ongoing medical operation, particularly in regard to realtime and near realtime computer operations that assist the performance of medical procedures on living subjects.
[0007] Disclosed embodiments of the invention provide an easily accessible, standardized software switch that will increase the efficiency and reliability of protecting critical applications, such as but not limited to active medical applications and applications controlling transportation systems, from disruptive computer events. This switch renders unnecessary ad hoc techniques such as batch files and scripts to configure the computer's operation in order to prevent disturbances to the operation. To simplify the description, the example of a medical application is used throughout.
[0008] An embodiment of the invention provides a computer-implemented system for process control having two operating modes: normal mode and active procedure mode, with automatic transition between them. In normal mode, the operating system, firewall and anti-virus are fully operational. When entering a time-critical phase of a process, a process control application signals the operating system and utilities, whereupon transition to active procedure mode automatically occurs, in which access by the system services and by other applications to the resources of the computer is selectively limited in favor of the process control application. Upon completion of the procedure, the system automatically returns to normal mode.
[0009] An embodiment of the invention provides a system and method of preventing disruptive computer events in a medical computing system, which is carried out by applying a medical instrument to a living subject to perform a medical procedure thereon, and controlling the medical instrument using a medical application executing on a computing device by intercommunicating signals between the computing device and the medical instrument. During a time-noncritical phase of the medical procedure, the computing device is operated in a first mode in which system services and applications other than the medical application are allowed access to resources of the computing device under control of the operating system. The method is further carried out by making a determination that the medical procedure has entered a time-critical phase, and thereupon automatically transitioning the computing device from the first mode to a second mode of operation in which the access by the system services and by other applications to the resources of the computing device is selectively limited in favor of the medical application.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
[0010] For a better understanding of the present invention, reference is made to the detailed description of the invention, by way of example, which is to be read in conjunction with the following drawings, wherein like elements are given like reference numerals, and wherein:
[0011] Fig. 1 is a pictorial illustration of a system for performing a time-sensitive medical procedure, which is constructed and operative in accordance with a disclosed embodiment of the invention;
[0012] Fig. 2 is a pictorial illustration of a system 10 that is adapted for performing a time-sensitive cardiovascular medical procedure, in accordance with a disclosed embodiment of the invention;
[0013] Fig. 3 is a block diagram of a positioning processor in the system shown in Fig. 2, in accordance with a disclosed embodiment of the invention; and
[0014] Fig. 4 is a state diagram illustrating operating modes of the system shown in Fig. 2, in accordance with a disclosed embodiment of the invention.
DETAILED DESCRIPTION
[0015] In the following description, numerous specific details are set forth in order to provide a thorough understanding of the various principles of the present invention. It will be apparent to one skilled in the art, however, that not all these details are necessarily always needed for practicing the present invention. In this instance, well-known circuits, control logic, and the details of computer program instructions for conventional algorithms and processes have not been shown in detail in order not to obscure the general concepts unnecessarily.
[0016] Software programming code, which embodies aspects of the present invention, is typically maintained in permanent storage, such as a computer readable medium. In a client/server environment, such software programming code may be stored on a client or a server.
The software programming code may be embodied on any of a variety of known tangible media for use with a data processing system, such as a diskette, hard drive, or CD-ROM. The code may be distributed on such media, or may be distributed to users from the memory or storage of one computer system over a network of some type to storage devices on other computer systems for use by users of such other systems.
System Architecture
[0017] Turning now to the drawings, reference is initially made to Fig. 1, which is a pictorial illustration of a system 7 for performing a time-sensitive medical procedure, which is constructed and operative in accordance with a disclosed embodiment of the invention. A medical device 2 is applied to a living subject 8. The medical device 2 communicates via either a direct link or a data network 3 with a computing device 4, having a display 5. An operator 6 interacts with the medical device 2 via the computing device 4, typically using a graphical interface presented on the display 5 to control the medical device 2. The medical device 2 could be adapted to several medical procedures, such as CT and MR scanning, minimally invasive surgical procedures, remotely controlled robotic surgery, and the like. All of these may require uninterrupted execution of medical software on the computing device 4 to assure a successful outcome.
[0018] Reference is now made to Fig. 2, which is a pictorial illustration of a more specialized cardiac catheterization system 10 that is adapted for performing time-sensitive cardiovascular medical procedures, and which is operative for carrying out the present invention. The system 10, depicted in Fig. 2 by way of example and not of limitation, is capable of detecting areas of abnormal electrical activity and performing ablative procedures on a heart 12 of a living subject.
Alternatively or additionally, the principles of the present invention may similarly be applied in other types of computer-controlled medical diagnostic and therapeutic systems, or to any other control system, including, but not limited to traffic control or power station operations, all of which involve control of some external device by a computer process.
[0019] The system 10 comprises a conventional cardiac catheter 14, having one or more sensing or ablation electrodes (not shown). The catheter 14 is percutaneously inserted by an operator 16, who is typically a physician, through the patient's vascular system into a chamber or vascular structure of the heart. The operator 16 brings the catheter's distal tip 18 into contact with the heart wall at a target site that is to be evaluated. Electrical activation maps are then prepared, according to the methods disclosed in the above-noted U.S. Patent Nos. 6,226,542, and 6,301,496, and in commonly assigned U.S. Patent No. 6,892,091, whose disclosure is herein incorporated by reference.
[0020] Areas determined to be abnormal by evaluation of the electrical activation maps can be ablated by application of thermal energy, e.g., by passage of radiofrequency electrical current through wires in the catheter to one or more electrodes at the distal tip 18, which apply the radiofrequency energy to the myocardium. The energy is absorbed in the tissue, heating it to a point (typically about 50 °C) at which it permanently loses its electrical excitability. When successful, this procedure creates non-conducting lesions in the cardiac tissue, which disrupt the abnormal electrical pathway causing the arrhythmia.
[0021] A brief presentation of some details of certain elements of the system 10 will assist in appreciation of the time-criticality of the catheterization procedure shown in Fig. 2.
The catheter 14 typically comprises a handle 20, having suitable controls on the handle to enable the operator 16 to steer, position and orient the distal end of the catheter as desired for the ablation. To aid the operator 16, the distal portion of the catheter 14 contains position sensors (not shown) that provide signals to a positioning processor 22, located in a console 24. The console 24 typically contains an ablation power generator 25. The catheter 14 may be adapted to conduct ablative energy to the heart using any known ablation technique, e.g., radiofrequency energy, ultrasound energy, and laser energy. Such methods are disclosed in commonly assigned U.S. Patent Nos. 6,814,733, 6,997,924, and 7,156,816, which are herein incorporated by reference.
[0022] The positioning processor 22 is an element of a positioning system 26 that measures location and orientation coordinates of the catheter 14. Its continuous operation is essential to patient safety while the catheter is within the heart, and to assure a successful completion of the medical procedure. In some applications the positioning processor 22 may be operably connected to a data network 31, which could be a local area network or wide area network, for example the Internet. The network 31 can be a wired or wireless network.
[0023] In one embodiment, the positioning system 26 comprises a magnetic position tracking system that determines the position and orientation of the catheter 14. The positioning system 26 generates magnetic fields in a predefined working volume in its vicinity and senses these fields at the catheter. The positioning system 26 typically comprises a set of external radiators, such as field generating coils 28, which are located in fixed, known positions external to the patient. The coils 28 generate fields, typically electromagnetic fields, in the vicinity of the heart 12.
[0024] In an alternative embodiment, a radiator in the catheter 14, such as a coil, generates electromagnetic fields, which are received by sensors (not shown) outside the patient's body.
[0025] Some position tracking systems that may be used for this purpose are described, for example, in the above-noted U.S. Patent No. 6,690,963, and in commonly assigned U.S. Patent Nos. 6,618,612 and 6,332,089, and U.S. Patent Application Publications 2004/0147920, and 2004/0068178, whose disclosures are all incorporated herein by reference. Although the positioning system 26 shown in Fig. 2 uses magnetic fields, the methods described below may be implemented using any other suitable positioning system, such as systems based on electromagnetic fields, acoustic or ultrasonic measurements. The positioning system 26 may be realized as the CARTO® XP EP Navigation and Ablation System, available from Biosense Webster, Inc., 3333 Diamond Canyon Road, Diamond Bar, CA 91765.
[0026] As noted above, the catheter 14 is coupled to the console 24, which enables the operator 16 to observe and regulate the functions of the catheter 14. Console 24 includes a processor, preferably a computer with appropriate signal processing circuits. The processor is coupled to drive a monitor 29. The signal processing circuits typically receive, amplify, filter and digitize signals from the catheter 14, including signals generated by the sensors 33, 35 and a plurality of sensing electrodes 37. The digitized signals are received and used by the console 24 to compute the position and orientation of the catheter 14 and to analyze the electrical signals from the electrodes. The information derived from this analysis is used to generate an electrophysiological map of at least a portion of the heart 12 or structures such as the pulmonary venous ostia, for diagnostic purposes such as locating an arrhythmogenic area in the heart 12 or to facilitate therapeutic ablation.
[0027] Typically, the system 10 includes other elements, which are not shown in the figures for the sake of simplicity. For example, the system 10 may include an electrocardiogram (ECG) monitor, coupled to receive signals from one or more body surface electrodes, so as to provide an ECG synchronization signal to the console 24. As mentioned above, the system 10 typically also includes a reference position sensor, either on an externally-applied reference patch attached to the exterior of the subject's body, or on an internally-placed catheter, which is inserted into the heart 12 and maintained in a fixed position relative to the heart 12. By comparing the position of the catheter 14 to that of the reference catheter, the coordinates of catheter 14 are accurately determined relative to the heart 12, irrespective of heart motion.
Positioning Processor
[0028] Reference is now made to Fig. 3, which is a block diagram of the positioning processor 22 (Fig. 2), which is constructed and operative in accordance with a disclosed embodiment of the invention. The positioning processor 22 is programmed with suitable application and operating system software for carrying out the functions described hereinbelow. Thus, although the positioning processor 22 is shown as comprising a number of separate functional blocks, these blocks are not necessarily separate physical entities, but rather represent different computing tasks or data objects stored in a memory that is accessible to the processor. The positioning processor 22 may comprise a single processor, or multiple processors. The positioning processor 22 comprises conventional computer hardware 33, including a central processing unit (CPU), and memory, which stores data objects and programs hereinafter described. These conventional elements are not shown in the interest of simplicity of presentation.
[0029] The hardware 33 is controlled by an operating system 35, which in the current embodiment is Windows XP Embedded. However, any version of the Microsoft Windows operating system may be used up to the Windows® XP operating system. The operating system 35 comprises a hardware abstraction layer 37, which closely interacts with the hardware 33, with kernel mode drivers 39, and with the Windows microkernel 41. The operating system 35 also includes a large number of system services 43, including many system management facilities. An application program interface 45 relates the services 43 to a desktop shell 47, and any number of application programs 49. One application program is medical program 51, which may include foreground and background processes. Its execution as perceived by a human user 53 must be continuous. A group of security applications 55 utilizes the application program interface 45. The group includes a firewall 57, antivirus program 59, and antispyware program 61.
[0030] Reference is again made to Fig. 2. Normally, the positioning processor 22 executes many functions in addition to computing the position of the catheter 14, and is configured to permit standard software packages to operate and to be updated automatically, via a network, and also to connect automatically to other computers and accessories as necessary. If an update or connection occurs during a medical procedure, however, it may have a disruptive, or even dangerous, effect. In addition to competition in the Windows scheduler among the medical program 51 and application programs 49 (Fig. 3), examples of potentially harmful interfering events include:
[0031] Automatic updates of time zones, e.g., transitions between summer and winter times and data transitions;
[0032] Automatic updates of dates;
[0033] Automatic update of anti-virus software;
[0034] Automatic activation of anti-virus or spyware removal software;
[0035] Automatic connection of external applications when connecting drives, such as USB or DVD drives;
[0036] Automatic system upgrades; and
[0037] Automatic operating system background activities relating to antivirus applications, disk cleanup, and software upgrades, i.e., upgrades to the antivirus database.
[0038] Such events could slow down the medical program 51 or degrade the performance of the medical program 51, e.g., by slowing the user interface when updating a presentation. Indeed, such events could result in a perceived stoppage of the medical program 51, and could cause essential medical data to be compromised or lost. They constitute safety and efficiency hazards, which could be mitigated simply by isolating the dedicated workstation or computerized system from the network 31. In many applications, however, connectivity with the network 31 is often advantageous and sometimes obligatory.
[0039] In embodiments of the invention, the positioning processor 22 has at least two modes of operation: (1) a default normal mode, and (2) a protective mode, referred to as "active medical procedure mode" when a medical procedure is active. Other operating modes include a remote access mode for maintenance, and a remote access mode, used in telemedicine, in which real-time information is supplied to a remote physician. Transition between these modes of operation is generally automatic. Under some circumstances, however, the transition may be operator-initiated.
[0040] In normal mode, the operating system, firewall and anti-virus programs are fully operational.
When initiating a medical procedure, the medical program 51 signals the operating system and the application programs 49 that a time-critical phase of the medical procedure has begun, causing the system to undergo a state transition from normal mode to active medical procedure mode. The transition occurs rapidly. For example, the transition typically takes less than one second using current versions of CT and X-ray systems. Such transitions are typically required whenever a scan begins and ends. An indication, for example an icon indicating "dedicated protected medical procedure", may also appear on the computer desktop to alert medical personnel that the system 10 is operating in active medical procedure mode. Once the medical program 51 recognizes that the medical procedure has ended, it initiates another state transition from active medical procedure mode to normal mode.
[0041] During typical normal operation the firewall and anti-virus programs are operational, and full connectivity to the network is allowed. Furthermore, the processor may execute system code having high priority or having critical sections, including reading CD and USB memory. In active medical procedure mode, no new network connections can be established. Newly connected USB memory is inaccessible, and only the most essential computer resources may be allocated to functions other than the medical program 51 itself.
[0042] Companies manufacturing operating systems and utilities, such as anti-virus and firewall tools for use in the system 10, may be required to recognize state transitions between the modes of operation and to support active medical procedure mode. In this latter mode, the potentially harmful events listed above are blocked. The operating system optimizes (and typically minimizes) background activities in order to maximally allocate resources to the medical program 51.
The medical program 51 continuously notifies the operating system of its status throughout the medical procedure, for example by a system call or a message. Upon completion of the medical procedure, the system switches from active medical procedure mode back to normal mode.
[0043] Reference is now made to Fig. 4, which is a state diagram illustrating the operating modes of the system shown in Fig. 2, in accordance with a disclosed embodiment of the invention. Operation is initiated at state 63, at which time an immediate state transition occurs to one of the system mode states, typically state 65, in which the system is operating in normal mode. A transition may occur from state 65 to state 67, during which the system is controlled remotely for purposes of system maintenance. When released, a transition occurs in which the system reverts to state 65. When a medical procedure is in progress, a transition to state 69 occurs, in which the system operates in active medical procedure mode. This transition may be operator-initiated, or can occur programmatically, e.g., induced by operation of the medical program 51 (Fig. 3). Additionally or alternatively, the transition from state 65 to state 69 may be induced by a control signal from a medical device, such as the catheter 14 (Fig. 2), for example, when the catheter 14 is first connected into the system. When a time-critical phase of the medical procedure is complete, a reversion to state 65 occurs, either at the instance of the operator, or automatically.
Implementation
[0044] Table 2 summarizes the functionality of the positioning processor 22 (Fig. 3) in each of the modes of operation:
Table 2
Functionality | Active Medical Procedure Mode Functionality
Object Store:
File system | Divide the disk into system, application and data objects. Lock the system and the application areas from update. Avoid locking the data areas.
Registry | Divide the registry into system, application and data areas. Lock the system and the application areas from update. Avoid locking the data areas.
Device drivers | Disable installing and updating of any device driver.
Services | Lock some of the system services, e.g., indexing service, defragmentation service, garbage collection services. Operate some of the services in special modes and limit the allocated resources such as memory and CPU time.
File system commit mode | Support file system commit mode as implemented in Windows XP Embedded.
Network stack:
File sharing | Lock all file sharing except the files requested by the application.
Socket management | Enable only a predefined list of applications to open a socket.
Security Elements:
Firewall, Antivirus, Antispyware | Minimize the application operation. Verify that the maximal CPU resources of these applications are defined as a known percentage.
System Configuration:
User management, Control panel applet, System time | Prevent updates.
User interface:
Popup dialogs & notifications, Capture user input, Play sound | Prevent user interaction, except for the predefined application list.
Alt Control Del, Sleep mode, Soft power off | Enable configuration of whether this command is accessible to the user or captured by the application.
Power off | Send an interrupt to the application that enables turning off HW device control.
[0045] Essentially, when operating in active medical procedure mode, the medical program 51 has an enhanced ability to control system resource allocation. Variants of active medical procedure mode are possible, among which the degree of control of system resources differs. For example, there are differences among "CT Active Mode", "MRI Active Mode", "Remote Control Mode" and "Remote Maintenance Mode", where in some cases certain legal requirements must be satisfied.
Object Store
File System
[0046] To implement the file system aspect, divide the disk into system, application and data areas.
The system and the application areas are locked in order to prevent updates. The file system driver is modified so as to include an additional attribute that specifies whether a file or directory is locked. Normally the lock is disabled in normal mode and enabled in active medical procedure mode. For example, when the lock is enabled for a directory, the permissions for all files in the directory and its subdirectories are read/execute only.
Registry
[0047] The registry is divided into system, application and data areas or keys. The system and the application areas of the registry are locked in order to prevent updates.
[0048] The file registry subsystem driver is modified so as to recognize an additional attribute that specifies whether a registry key is locked. Normally the lock is disabled in normal mode and enabled in active medical procedure mode. Each registry sub-tree should include a key having this attribute. In active medical procedure mode, locked registry sub-trees are read-only as to all keys, values and data.
Device Drivers
[0049] It is possible to specify whether the system configuration is locked and cannot be changed, and whether the auto plug-and-play functionality is enabled. In active medical procedure mode, the system configuration is typically locked, and plug-and-play functionality disabled. In normal mode, both are usually enabled. For example, in active medical procedure mode it is no longer possible to enable, disable, or reconfigure device drivers, e.g., display adapters, USB devices, network adapters, imaging devices, pointing devices, modems, monitors, and various motherboard resources such as memory access controllers. In normal mode such operations may be permitted according to governing security policies, for example by changing access permissions according to the system state.
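The mode transitions described for Fig. 4 and the lock attribute described above for directories and registry sub-trees can be modelled together. The following Python is an added example, not code from the patent; the class names, the sample paths and registry keys, and the choice to enforce the lock only in state 69 are assumptions made for illustration.

```python
from enum import Enum


class Mode(Enum):
    START = 63               # operation is initiated
    NORMAL = 65              # normal mode
    REMOTE_MAINTENANCE = 67  # controlled remotely for system maintenance
    ACTIVE_PROCEDURE = 69    # active medical procedure mode


# Transitions named in the description of Fig. 4. The text says state 63 leads
# to "one of the system mode states, typically state 65"; this model
# (assumption) always starts in state 65.
ALLOWED = {
    (Mode.START, Mode.NORMAL),
    (Mode.NORMAL, Mode.REMOTE_MAINTENANCE),
    (Mode.REMOTE_MAINTENANCE, Mode.NORMAL),
    (Mode.NORMAL, Mode.ACTIVE_PROCEDURE),
    (Mode.ACTIVE_PROCEDURE, Mode.NORMAL),
}


class LockableStore:
    """Hierarchical namespace (disk or registry) whose sub-trees carry a lock attribute."""

    def __init__(self, separator, locked_roots):
        self.separator = separator
        self.locked_roots = [self._components(r) for r in locked_roots]

    def _components(self, name):
        # Normalise before comparing: Windows names are case-insensitive, and
        # "." / ".." are resolved so a data-area path cannot reach a locked area.
        parts = []
        for part in name.split(self.separator):
            if part in ("", "."):
                continue
            if part == "..":
                if len(parts) > 1:   # never climb above the drive or hive
                    parts.pop()
                continue
            parts.append(part.lower())
        return tuple(parts)

    def is_locked(self, name):
        # Whole-component comparison, so locking C:\App does not lock C:\AppData.
        parts = self._components(name)
        return any(parts[:len(root)] == root for root in self.locked_roots)


class ModeController:
    def __init__(self, stores):
        self.stores = stores
        self.mode = Mode.START
        self.transition(Mode.NORMAL)

    def transition(self, new_mode):
        if (self.mode, new_mode) not in ALLOWED:
            raise ValueError(f"no transition {self.mode.name} -> {new_mode.name}")
        self.mode = new_mode

    def can_write(self, store, name):
        # Assumption: the lock attribute is enforced only in state 69.
        if self.mode is not Mode.ACTIVE_PROCEDURE:
            return True
        return not self.stores[store].is_locked(name)

    def can_change_device_config(self):
        # Driver changes and plug-and-play are frozen during a procedure.
        return self.mode is not Mode.ACTIVE_PROCEDURE


def build_demo():
    # Constructed layout: system and application areas locked, data areas not.
    return ModeController({
        "disk": LockableStore("\\", [r"C:\System", r"C:\App"]),
        "registry": LockableStore("\\", [r"HKLM\SYSTEM", r"HKLM\SOFTWARE\MedApp"]),
    })


if __name__ == "__main__":
    ctl = build_demo()
    ctl.transition(Mode.ACTIVE_PROCEDURE)
    for target in (r"C:\App\bin\tool.exe", r"C:\AppData\log.txt",
                   r"C:\Data\..\System\hosts", r"C:\Data\case\map.bin"):
        verdict = "writable" if ctl.can_write("disk", target) else "read/execute only"
        print(target, "->", verdict)
```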
System Services
[0050] In normal mode a number of services are typically enabled in the Windows operating system. It is desirable in active medical procedure mode to selectively disable these. This is accomplished by assigning a service attribute to each system service that specifies its status as locked or unlocked in each mode of operation. For example, indexing and defragmentation services are specified as unlocked in normal mode and locked in active medical procedure mode. Locked services are disabled until the system returns to normal mode, whereupon they are unlocked, and return to their previous status. Thus, if a particular service were disabled in normal mode, it remains disabled in active medical procedure mode and continues to be disabled when normal mode is restored.
[0051] It is also possible to assign the service attribute to permit services to operate, but with limited resource allocation. This is desirable, for example, with garbage collection service. Such services can be controlled using a special parameter, which takes on an appropriate effective value, according to whether the operation mode is normal mode or active medical procedure mode. The following are examples of such parameters: "Priority"; "Cache mode enabled"; "Wireless transmitting power". The limited resource allocation applies to such services as CPU, disk access, memory, network, etc. The special parameters specify the maximum resource allocation for each mode of operation.
File System Commit Mode
[0052] File system commit mode is implemented in Windows XP Embedded and may be exploited in some embodiments of the present invention. Support of this mode is desirable to enable protection of the application software (e.g., from viruses) and protection of critical application data including configuration.
When part of the storage is on flash-disk, use of file system commit mode reduces physical write operations and increases the flash-disk reliability.
Network stack
File Sharing
[0053] In normal mode, a user can generally specify the sharing property of files and directories. In active medical procedure mode it is possible to prevent the user from changing sharing properties, except for sharing required by the medical program 51, which is privileged to override sharing locks. This may be implemented by duplicating sharing definitions in the different modes of operation. Upon returning to normal mode, the ability is automatically restored.
Sockets
[0054] Typically a firewall offers one configuration. In embodiments of the invention a user is enabled to specify different configurations, which automatically come into force when the operation mode undergoes transitions between normal mode and active medical procedure mode. Typically in active medical procedure mode the firewall is reconfigured such that only a predefined group of applications are privileged to establish new network connections by opening a socket.
Security Elements
Limitation of Application Activities
[0055] Referring again to Fig. 3, each of the security applications 55 has a configuration that differs in normal mode from that in active medical procedure mode. The following are examples:
[0056] Firewall: A mode-specific configuration is loaded for the firewall 57 upon a transition event between normal mode and active medical procedure mode, and the configuration existing immediately prior to the transition is saved. Once loaded, the mode-specific configuration cannot be changed until the next transition occurs. This arrangement enables all definitions to be cached for efficient access, e.g., saving data using an efficient hashing table.
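The service lock attribute of paragraphs [0050] and [0051] and the mode-specific firewall configuration of paragraphs [0054] and [0056] share one mechanism: state is saved at the transition and restored on return. The following Python is an added example, not code from the patent; the class names, service list, application names and the "*" wildcard are assumptions made for illustration.

```python
NORMAL, ACTIVE = "normal", "active_procedure"
ANY_APP = "*"   # wildcard used in this example for "no restriction"


class Service:
    def __init__(self, name, enabled, locked_in_active=False, params=None):
        self.name = name
        self.enabled = enabled                    # status set by the administrator
        self.locked_in_active = locked_in_active  # the per-service lock attribute
        self.params = params or {}                # parameter -> {mode: effective value}


class Firewall:
    """One stored rule set per mode; the snapshot in force cannot be edited."""

    def __init__(self, allowlists):
        self._stored = {mode: set(apps) for mode, apps in allowlists.items()}
        self.loaded = frozenset()   # snapshot in force
        self.saved = None           # snapshot in force before the last transition

    def load(self, mode):
        self.saved = self.loaded
        # frozenset gives hash-table lookups and rejects in-place changes.
        self.loaded = frozenset(self._stored[mode])

    def edit(self, mode, app):
        # Edits reach the stored definition only; they apply at the next load().
        self._stored[mode].add(app)

    def may_open_socket(self, app):
        return ANY_APP in self.loaded or app in self.loaded


class System:
    def __init__(self, services, firewall):
        self.mode = NORMAL
        self.services = {s.name: s for s in services}
        self.firewall = firewall
        self._previous = {}   # status of locked services before the transition
        firewall.load(NORMAL)

    def enter_active(self):
        if self.mode == ACTIVE:
            return  # a repeated signal must not overwrite the saved statuses
        for svc in self.services.values():
            if svc.locked_in_active:
                self._previous[svc.name] = svc.enabled
                svc.enabled = False
        self.mode = ACTIVE
        self.firewall.load(ACTIVE)

    def return_to_normal(self):
        if self.mode == NORMAL:
            return
        # Restore the previous status, so a service that was already disabled
        # in normal mode stays disabled.
        for name, was_enabled in self._previous.items():
            self.services[name].enabled = was_enabled
        self._previous.clear()
        self.mode = NORMAL
        self.firewall.load(NORMAL)

    def status(self):
        return {name: svc.enabled for name, svc in self.services.items()}

    def effective(self, service, param):
        return self.services[service].params[param][self.mode]


def build_demo():
    # Constructed service list and application names.
    services = [
        Service("indexing", enabled=True, locked_in_active=True),
        Service("defragmentation", enabled=False, locked_in_active=True),
        Service("garbage_collection", enabled=True,
                params={"Priority": {NORMAL: "normal", ACTIVE: "low"}}),
    ]
    firewall = Firewall({NORMAL: {ANY_APP}, ACTIVE: {"medapp.exe"}})
    return System(services, firewall)
```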
[0057] Antivirus Program: In active medical procedure mode, the antivirus program 59 is disabled from scheduled activations, e.g., updates from a server, scheduled scans. For a newly connected device, e.g., a newly connected USB flash memory, the antivirus program is modified with a suitable call back function that enables the medical program 51 to control the activities of the antivirus program. In order for the antivirus program to operate in this manner, suitable hooks are required to be provided by its developer.

[0058] If a scheduled scan is attempted by the antivirus program 59, the control response issued by the medical program 51 may be one of the following: deny connectivity, accept the scan request, and accept incomplete scan, according to the current mode of operation.

[0059] In embodiments in which the antivirus program 59 is not entirely disabled, it is additionally configured such that in active medical procedure mode scan errors are returned directly to the medical program 51, which determines the required action. For example, in active medical procedure mode a pop-up window, routinely generated in normal mode, might be distracting to the operator and therefore may be unacceptable.

[0060] An aspect of the configuration of the antivirus program is a limitation to scan different sets of predefined files in different operating modes. A list of such files is activated at each mode transition.

[0061] In active medical procedure mode, the antispyware program 61 is optionally disabled automatically.

[0062] In active medical procedure mode, resource-specific quotas of computer hardware resources are assigned to the security applications 55, to be shared among the firewall 57 and antivirus program 59. They are also shared with the antispyware program 61 in embodiments in which the antispyware program 61 remains enabled. Examples include collective quotas for CPU utilization, disk access, and physical memory.
These limits are tailored to the configuration of the positioning processor 22 (Fig. 3) and the medical program 51 in order to assure that adequate resources are available for the medical program 51. When the quotas would be exceeded, activities by the security applications 55 are automatically limited. For instance, network access requests via the firewall 57 and scans to be performed by the antivirus program 59 are delayed until resources become available, or there is a transition to normal mode.

System Configuration

[0063] In active medical procedure mode updates to the system configuration are disallowed. The following system configuration elements are locked when a transition to active medical procedure mode occurs:

[0064] User management. There is no ability to add, change, and delete users or to change user configurations, even for members of the administrative group.

[0065] Control panel applet. Parameters relating to the Windows control panel cannot be changed.

[0066] System time - In active medical procedure mode the system time and date cannot be altered. Time changes, e.g., switching between summer and winter times, or correction of the system clock, e.g., by coordination with a time server, are delayed until returning to normal mode. This can be accomplished by raising an error when time functions are called.

User Interface

[0067] The following interactions between the user and applications are modified in active medical procedure mode and restored to their default values in normal mode:

[0068] Except with a predefined set of applications, user interaction with application programs 49 (Fig. 3) is prevented in active medical procedure mode.

[0069] Configuration of all the application programs 49 except the predefined set is blocked during active medical procedure mode.

[0070] All the application programs 49 except the predefined set are blocked from exercising control of the hardware 33 (Fig. 3), including any peripherals. For example, applications are blocked from changing the display resolution, and enabling or disabling hardware ports. This may be accomplished by sending an interrupt to selected ones of the application programs 49 that, when handled, blocks or disables any control or access to the hardware 33 that could be exercised by the application programs. Implementing this feature may require modification of the application code in some cases. Other applications may be simply starved of computer resources, which is faster and less expensive of resources than closing them completely.

[0071] Even with respect to the predefined set of application programs 49, user activities are limited in active medical procedure mode. In Microsoft Windows, the ability to interact with a popup or with an icon in the notification area depends on a callback function. The callback function is given a mode-specific configuration. In active medical procedure mode, distracting pop-up displays in the notification area are blocked. When interaction is required, the callback should be able to automatically supply a response. In normal mode, the callback function assumes its default configuration.

[0072] Capture user input - The system 10 can be configured dynamically, such that a specific application captures all user inputs automatically.

[0073] All applications that generate audible indicators are given mode-specific configurations that modify or mute the sounds during active medical procedure mode. For example, applications running in the background are typically prevented from emitting sounds during active medical procedure mode.

[0074] In active medical procedure mode the keyboard interrupts generated by the "alt-control-del" key combination, the keys invoking "sleep mode", and "soft power off", and "log-off" are modified, so that they are received only by a specific application, such as the medical program 51.
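The collective quota for the security applications described in paragraph [0062] above, with activities delayed until resources free up or normal mode returns, can be sketched as a small admission controller. This is an added illustration, not code from the specification: the class names, resource names, limits and request costs are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Request:
    app: str      # member of the security group, e.g. "firewall" or "antivirus"
    action: str
    cost: dict    # resource name -> units held while the activity runs


class SecurityGroupQuota:
    """One shared budget per resource for the whole security application group."""

    def __init__(self, limits):
        self.limits = dict(limits)                # collective maxima in active mode
        self.used = {r: 0 for r in self.limits}   # current usage by the whole group
        self.deferred = deque()                   # activities waiting for resources
        self.active_mode = True                   # quotas are enforced only in active mode

    def _fits(self, cost):
        return all(self.used[r] + cost.get(r, 0) <= self.limits[r]
                   for r in self.limits)

    def _charge(self, cost, sign):
        for r in self.limits:
            self.used[r] += sign * cost.get(r, 0)

    def submit(self, req):
        """Start the activity if the group stays within quota, else delay it."""
        if not self.active_mode or self._fits(req.cost):
            self._charge(req.cost, +1)
            return "run"
        self.deferred.append(req)
        return "deferred"

    def complete(self, req):
        """Release the resources of a finished activity and retry delayed ones."""
        self._charge(req.cost, -1)
        return self._drain()

    def enter_normal_mode(self):
        """A transition to normal mode lifts the quota and releases all delayed work."""
        self.active_mode = False
        return self._drain()

    def _drain(self):
        started, waiting = [], deque()
        for req in self.deferred:                 # oldest first
            if not self.active_mode or self._fits(req.cost):
                self._charge(req.cost, +1)
                started.append(req)
            else:
                waiting.append(req)
        self.deferred = waiting
        return started


# Constructed sample values, not figures from the specification.
LIMITS = {"cpu_pct": 10, "disk_iops": 100, "mem_mb": 256}
FW_CONN = Request("firewall", "new connection", {"cpu_pct": 2, "mem_mb": 16})
AV_SCAN = Request("antivirus", "scan USB volume",
                  {"cpu_pct": 9, "disk_iops": 80, "mem_mb": 200})

if __name__ == "__main__":
    q = SecurityGroupQuota(LIMITS)
    print(q.submit(FW_CONN))                       # within quota
    print(q.submit(AV_SCAN))                       # CPU would reach 11 of 10
    print([r.action for r in q.complete(FW_CONN)])  # scan starts once CPU is freed
```

Because the budget is collective, a firewall activity can delay an antivirus scan and vice versa, which is the behaviour the paragraph describes.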
[0075] It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and sub-combinations of the various features described hereinabove, as well as variations and modifications thereof that are not in the prior art, which would occur to persons skilled in the art upon reading the foregoing description.

[0076] Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" and "comprising", will be understood to imply the inclusion of a stated integer or step or group of integers or steps but not the exclusion of any other integer or step or group of integers or steps.

[0077] The reference to any prior art in this specification is not, and should not be taken as, an acknowledgment or any form or suggestion that the prior art forms part of the common general knowledge in Australia.
Claims:
Claims (28)
[1] 1. A method of preventing disruptive computer events in a computing system, comprising:
executing a process for controlling an external device, the process having a time-noncritical phase and a time-critical phase;
controlling the process using a process control application executing on a computing device managed by an operating system by intercommunicating signals between the computing device and the external device;
during the time-noncritical phase, operating the computing device in a plurality of operating modes including a first mode in which system services and applications other than the process control application are allowed access to resources of the computing device under control of the operating system and a second mode;
making a determination that the process has entered the time-critical phase; and
responsively to the determination, automatically transitioning the computing device from the first mode to the second mode in which the access by the system services and by other applications to the resources of the computing device is selectively limited in favor of the process control application.
[2] 2. The method according to claim 1, wherein the operating system has a plurality of system functions that have respective behaviors in the plurality of operating modes.
[3] 3. The method according to claim 2, wherein the plurality of operating modes further comprises a third mode for remotely controlling the computing device, and a fourth mode for performing remote maintenance on the computing device.
[4] 4. The method according to claim 1, wherein the computing device further comprises a file system having storage objects residing therein, and wherein automatically transitioning the computing device comprises selectively disallowing updates of the storage objects in the file system.
[5] 5. The method according to claim 4, wherein the storage objects comprise a registry having system keys for use by the operating system, application keys for use by the other applications, and data keys, and wherein selectively disabling updates of the storage objects comprises locking the system keys and the application keys of the registry to prevent updates therein while avoiding locking the data keys of the registry.
[6] 6. The method according to claim 4, wherein portions of the storage objects in the file system are classified as system objects for access thereof by the operating system, application objects for access thereof by the other applications, and data objects, the storage objects further comprising device drivers, and wherein at least a portion of the storage objects have sharing attributes that determine sharability with other computing devices, wherein selectively disabling updates of the storage objects comprises:
locking the system objects and application objects of the file system to prevent updates thereof while avoiding locking the data objects of the file system;
preventing updating of the device drivers; and
preventing modification of the sharing attributes of the storage objects.
[7] 7. The method according to claim 1, wherein the computing device is linked to a data network via sockets, the method further comprising allowing only a predefined network-privileged set of the other applications to establish a new connection via the data network.
[8] 8. The method according to claim 7, wherein allowing only a predefined network-privileged set of the other applications to establish a new connection comprises preventing an opening of the sockets.
[9] 9. The method according to claim 1, wherein a security application group comprises at least one of a firewall, an antivirus program, and an antispyware program, the firewall having a current configuration further comprising limiting collective usage of hardware resources of the computing device by the security application group to a predefined security group maximum.
[10] 10. The method according to claim 9, wherein automatically transitioning the computing device further comprises disabling scheduled scans and updates of the antivirus program.
[11] 11. The method according to claim 9, wherein automatically transitioning the computing device further comprises blocking updates of a configuration of the computing device and disabling the antispyware program.
[12] 12. The method according to claim 11, wherein user directives are entered via a user management interface, a control panel applet, and a time management interface, and wherein blocking updates of the configuration of the computing device comprises:
storing the current configuration of the firewall and thereafter preventing modifications thereof;
disabling scheduled activations of the antivirus program;
preventing access to the user management interface;
preventing access to the time management interface; and
preventing access to the control panel applet.
[13] 13. The method according to claim 12, wherein the configuration of the computing device is responsive to a task management interface, and to keyboard-generated interrupts, wherein blocking updates of the configuration of the computing device further comprises preventing ones of the keyboard-generated interrupts that invoke the task management interface, induce a sleep mode of operation of the computing device, and disconnect power to the computing device from being received by all the other applications except a second predefined set of the other applications.
[14] 14. A method of preventing disruptive computer events in a medical computing system, comprising:
applying a medical instrument to a living subject to perform a medical procedure thereon, the medical procedure having a time-noncritical phase and a time-critical phase;
controlling the medical instrument using a medical application executing on a computing device managed by an operating system by intercommunicating signals between the computing device and the medical instrument;
during the time-noncritical phase, operating the computing device in a first mode in which system services and applications other than the medical application are allowed access to resources of the computing device under control of the operating system;
making a determination that the medical procedure has entered the time-critical phase; and
responsively to the determination, automatically transitioning the computing device from the first mode to a second mode in which the access by the system services and by other applications to the resources of the computing device is selectively limited in favor of the medical application.
[15] 15. A medical system of preventing disruptive computer events in a medical computing system, comprising:
a medical instrument applicable to a living subject to perform a medical procedure thereon, the medical procedure having a time-noncritical phase and a time-critical phase; and
a computing device managed by an operating system for controlling the medical instrument using a medical application executing on the computing device by intercommunicating signals between the computing device and the medical instrument, the computing device operative during the time-noncritical phase, in a first mode in which system services and applications other than the medical application are allowed access to resources of the computing device under control of the operating system, the computing device cooperative with the medical instrument for making a determination that the medical procedure has entered the time-critical phase, and responsively to the determination, the computing device adapted for automatically transitioning from the first mode to a second mode in which the access by the system services and by other applications to the resources of the computing device is selectively limited in favor of the medical application.
[16] 16. The medical system according to claim 15, wherein making a determination comprises sending an indication from the medical application to the operating system.
[17] 17. The medical system according to claim 15, wherein the computing device further comprises a file system having storage objects residing therein, and wherein automatically transitioning comprises selectively disallowing updates of the storage objects in the file system.
[18] 18. The medical system according to claim 17, wherein the storage objects comprise a registry having system keys for use by the operating system, application keys for use by the other applications, and data keys, and wherein selectively disabling updates of the storage objects comprises locking the system keys and the application keys of the registry to prevent updates therein while avoiding locking the data keys of the registry.
[19] 19. The medical system according to claim 17, wherein portions of the storage objects in the file system are classified as system objects for access thereof by the operating system, application objects for access thereof by the other applications, and data objects, the storage objects further comprising device drivers, and wherein at least a portion of the storage objects have sharing attributes that determine sharability with other computing devices, wherein selectively disabling updates of the storage objects comprises:
locking the system objects and application objects of the file system to prevent updates thereof while avoiding locking the data objects of the file system;
preventing updating of the device drivers; and
preventing modification of the sharing attributes of the storage objects.
[20] 20. The medical system according to claim 15, wherein the computing device is linked to a data network via sockets, the method further comprising allowing only a predefined network-privileged set of the other applications to establish a new connection via the data network.
[21] 21. The medical system according to claim 20, wherein allowing only a predefined network-privileged set of the other applications to establish a new connection comprises preventing an opening of the sockets.
[22] 22. The medical system according to claim 15, wherein a security application group comprises at least one of a firewall, an antivirus program, and an antispyware program, the firewall having a current configuration further comprising limiting collective usage of hardware resources of the computing device by the security application group to a predefined security group maximum.
[23] 23. The medical system according to claim 22, wherein automatically transitioning further comprises disabling scheduled scans and updates of the antivirus program.
[24] 24. The medical system according to claim 22, wherein automatically transitioning further comprises blocking updates of a configuration of the computing device and disabling the antispyware program.
[25] 25. The medical system according to claim 24, wherein user directives are entered via a user management interface, a control panel applet, and a time management interface, and wherein blocking updates of the configuration of the computing device comprises:
storing the current configuration of the firewall and thereafter preventing modifications thereof;
disabling scheduled activations of the antivirus program;
preventing access to the user management interface;
preventing access to the time management interface; and
preventing access to the control panel applet.
[26] 26. The medical system according to claim 25, wherein the configuration of the computing device is responsive to a task management interface, and to keyboard-generated interrupts, wherein blocking updates of the configuration of the computing device further comprises preventing ones of the keyboard-generated interrupts that invoke the task management interface, induce a sleep mode of operation of the computing device, and disconnect power to the computing device from being received by all the other applications except a second predefined set of the other applications.
[27] 27. A method of preventing disruptive computer events in a computing system, substantially as described herein with reference to the accompanying drawings.
[28] 28. A medical system of preventing disruptive computer events in a medical computing system, substantially as described herein with reference to the accompanying drawings.
Similar technologies:
Publication number | Publication date | Patent title
AU2010202353B2|2014-09-04|Preventing disruptive computer events during medical procedures
JP4865177B2|2012-02-01|Behavior of trust status on computing platforms
JP5249450B2|2013-07-31|Protection agent and privileged mode
JP3582348B2|2004-10-27|Surgical equipment
US6915420B2|2005-07-05|Method for creating and protecting a back-up operating system within existing storage that is not hidden during operation
KR101600134B1|2016-03-04|Device controller with connectable touch user interface
US8533845B2|2013-09-10|Method and apparatus for controlling operating system access to configuration settings
EP1022655B1|2008-01-02|Computer with bootable secure program
EP2101871B1|2015-05-27|Programming a medical device with a general purpose instrument
JP2004342099A|2004-12-02|Blocking of processing restriction based on address
JP4579547B2|2010-11-10|Embedded processor with direct connection of security device for superior security
TW200842646A|2008-11-01|Protecting operating-system resources
TW200805971A|2008-01-16|Method for confirming identity of a master node selected to control I/O fabric configuration in a multi-host environment
US20070275694A1|2007-11-29|Controlling Communications Performed by an Information Processing Apparatus
WO2005064458A1|2005-07-14|Methods and apparatus for externally controlling a software application to create new application behavior
EP2080093B1|2017-06-14|Trusted platform module management system and method
JP5382450B2|2014-01-08|Access control apparatus, method and information recording medium
JP2007148805A|2007-06-14|Information processor, information processing method and program
EP0980545A1|2000-02-23|Network desktop management security system and method
CN109313693A|2019-02-05|For the admissions control of accidental memory access program instruction
US20070226800A1|2007-09-27|Method and system for denying pestware direct drive access
US7577988B2|2009-08-18|Methods and apparatus for facilitating execution of context sharing applications in an environment with a less than fully enabled context manager
JP4724066B2|2011-07-13|Method and computer for making magnetic disk device accessible
Patent family:
Publication number | Publication date
EP2280344A1|2011-02-02|
US20110022191A1|2011-01-27|
JP2011028751A|2011-02-10|
JP5714252B2|2015-05-07|
CN101963920B|2016-04-13|
CA2710733A1|2011-01-23|
AU2010202353B2|2014-09-04|
CN101963920A|2011-02-02|
EP2280344B1|2017-01-18|
CA2710733C|2019-02-26|
IL206219D0|2010-12-30|
US8606377B2|2013-12-10|
Cited references:
Publication number | Filing date | Publication date | Applicant | Patent title
US6690963B2|1995-01-24|2004-02-10|Biosense, Inc.|System for determining the location and orientation of an invasive medical instrument|
EP0891152B1|1996-02-15|2003-11-26|Biosense, Inc.|Independently positionable transducers for location system|
EP0910300B1|1996-02-15|2003-12-03|Biosense, Inc.|Site marking probe|
JPH10283204A|1997-04-04|1998-10-23|Konica Corp|Multi-task processing method, multi-task processor and recording medium recording task|
US6301496B1|1998-07-24|2001-10-09|Biosense, Inc.|Vector mapping of three-dimensionally reconstructed intrabody organs and method of display|
US6226542B1|1998-07-24|2001-05-01|Biosense, Inc.|Three-dimensional reconstruction of intrabody organs|
DE19911988C2|1999-03-17|2003-07-31|Siemens Ag|Medical magnetic resonance system|
US6892091B1|2000-02-18|2005-05-10|Biosense, Inc.|Catheter, method and apparatus for generating an electrical map of a chamber of the heart|
US6957432B2|2000-03-21|2005-10-18|Microsoft Corporation|Real-time scheduler|
US6931553B1|2000-04-20|2005-08-16|Microsoft Corporation|Preventing general purpose event interrupt storms in a computer system|
US6851058B1|2000-07-26|2005-02-01|Networks Associates Technology, Inc.|Priority-based virus scanning with priorities based at least in part on heuristic prediction of scanning risk|
US6584356B2|2001-01-05|2003-06-24|Medtronic, Inc.|Downloadable software support in a pacemaker|
US7188367B1|2001-03-30|2007-03-06|Mcafee, Inc.|Virus scanning prioritization using pre-processor checking|
US7058975B2|2001-12-14|2006-06-06|Mcafee, Inc.|Method and system for delayed write scanning for detecting computer malwares|
US6814733B2|2002-01-31|2004-11-09|Biosense, Inc.|Radio frequency pulmonary vein isolation|
US6997924B2|2002-09-17|2006-02-14|Biosense Inc.|Laser pulmonary vein isolation|
US20040068178A1|2002-09-17|2004-04-08|Assaf Govari|High-gradient recursive locating system|
US7306593B2|2002-10-21|2007-12-11|Biosense, Inc.|Prediction and assessment of ablation of cardiac tissue|
US7156816B2|2002-11-26|2007-01-02|Biosense, Inc.|Ultrasound pulmonary vein isolation|
US20040255167A1|2003-04-28|2004-12-16|Knight James Michael|Method and system for remote network security management|
WO2005099334A2|2004-03-31|2005-10-27|Intel Corporation|Event handling mechanism|
US20060058658A1|2004-09-13|2006-03-16|Siemens Medical Solutions Usa, Inc.|Communications between co-located operating systems for medical diagnostic ultrasound and other systems|
US20060090169A1|2004-09-29|2006-04-27|International Business Machines Corporation|Process to not disturb a user when performing critical activities|
JP4369484B2|2005-01-13|2009-11-18|パナソニック株式会社|Device operation control apparatus and method|
WO2009095812A1|2008-01-28|2009-08-06|Nxp B.V.|Dual operating systems on a single processor|
TW201010665A|2008-06-05|2010-03-16|Alcon Res Ltd|Wireless network and methods of wireless communication for ophthalmic surgical consoles|
ES2670420T3|2006-07-07|2018-05-30|F. Hoffmann-La Roche Ag|Fluid management device and its operating methods|
WO2012120078A2|2011-03-08|2012-09-13|Gambro Lundia Ab|Method, control module, apparatus and system for transferring data|
DE102012201785A1|2012-02-07|2013-08-08|Siemens Aktiengesellschaft|Method for automatically updating a control and processing program|
US8898654B2|2012-08-29|2014-11-25|Microsoft Corporation|Secure firmware updates|
US9218178B2|2012-08-29|2015-12-22|Microsoft Technology Licensing, Llc|Secure firmware updates|
WO2014099501A1|2012-12-20|2014-06-26|Volcano Corporation|Resource management in a multi-modality medical system|
US9898584B2|2013-03-15|2018-02-20|Abbott Medical Optics Inc.|System and method for providing a common medical device architecture|
FR3004274A1|2013-04-09|2014-10-10|Krono Safe|METHOD OF PERFORMING TASKS IN A CRITICAL TIME-REAL SYSTEM|
US10025905B2|2013-09-03|2018-07-17|Qualcomm Incorporated|Communication device resource allocation based on medical data criticality and resource status|
DE102014105916A1|2014-04-28|2015-10-29|B. Braun Avitum Ag|Data processing and communication device for recording patient data in therapy-free time|
EP3113054B1|2015-07-01|2019-09-04|Roche Diabetes Care GmbH|A portable device and a method for collecting and processing continuous monitoring data indicative of an analyte in a bodily fluid, a medical system and a computer program product|
US10101872B2|2015-09-17|2018-10-16|Hewlett-Packard Development Company, L.P.|Operating system events of a kiosk device|
CN109388419B|2018-10-17|2022-02-18|阳光电源股份有限公司|Photovoltaic power station equipment software upgrading system, method and device|
WO2021195414A1|2020-03-27|2021-09-30|Jubilant Pharma Holdings Inc.|Radiopharmaceutical dispensing system|
Legal status:
2015-01-22| FGA| Letters patent sealed or granted (standard patent)|
2021-01-07| MK14| Patent ceased section 143(a) (annual fees not paid) or expired|
Priority:
Application number | Filing date | Patent title
US12/507,981||2009-07-23||
US12/507,981|US8606377B2|2009-07-23|2009-07-23|Preventing disruptive computer events during medical procedures|