The ALS Con-Tel II system is a complex system that allows clinical monitoring in the home of the patient, and is comprised of two structural elements:
- ALS Con-Tel II: a home electromedical device.
- ALS Gate: a dedicated Web portal used to consult and assess captured clinical parameters.
ALS Con-Tel II
This is an active medical device which depends on a power source for operation, and is used either alone or in combination with other medical devices.
Its main feature is to provide physicians or healthcare professionals with all information concerning analysis, early diagnosis, monitoring or treatment of clin- ical conditions, health, diseases, or birth defects.
Certification
For medical devices, there are legislative provisions dictating that technologies should be designed, built, maintained and operated effectively, efficiently and – most of all – safely.
ALS Con-Tel II is built to the requirements of the laws and directives in force, and is provided with the EC051 mark (complete Quality Assurance System)(Fig. 1).
Reference Framework – System Standards
- UNI EN ISO 9001 (2000) Quality Management Systems – Requirements - UNI CEI EN ISO 13485 (2002) Quality Management Systems – Special
Requirements for Enforcement of UNI EN ISO 9001
- UNI EN ISO 9000 (2000) Quality Management Systems – Fundamentals and Terminology
Reference Framework – Product Standards
- EN 60601-1 General Safety Standards 12 - 1998
- CEI EN 60601-1-4 General Requirements - Programmable Electrical Medical Systems
- UNI EN 865 2000 Pulse Oxymeters - Special Requirements
- CEI EN 60601-1-2:1993 Medical Electrical Equipment – Part 1 General Safety Requirements 2 – Collateral Standard: Electromagnetic Compatibility- Requirements and Testing
- CEI EN 60601-1-2:2001 Medical Electrical Equipment – Part 1-2 General Safety
C. Guglielmetti, M. Gaiani
Requirements Collateral Standard: Electromagnetic Compatibility- Requirements and Testing
- UNI CEI EN ISO 14971 Application of Risk Management to Medical Devices - EN 980 Graphical Symbols for Use in the Labelling of Medical Devices - EN 1041 Information Supplied by the Manufacturer with Medical Devices Reference Framework – Laws
- 93/42/EEC Council Directive concerning Medical Devices. Council of European Communities
- 89/336 EEC Electromagnetic Compatibility
- Legislative Decree No. 46 dated 24.02.1997 Implementation of Council Directive No. 93/42/EEC dated 14
thJune 1993 concerning Medical Devices
- Presidential Decree No. 224 dated 24.05.1988 Liability for Damages Due to Defective Products
- Legislative Decree No. 115 dated 17/3/1995 General Product Safety
The risk analysis for this device was performed according to the criteria as set forth in Standard EN 14971.
Because of its characteristics, “it is not a life-saving device, and it may not be used for emergency”.
Features
ALS Con-Tel II is a modular medical device which makes it possible to quantita- tively and non-invasively assess oxygen saturation in arterial haemoglobin. It also
World-wide
LevelEuropean
National
Old system
New system
Other fieldsISO International Standard
Organisation
Electrotechnicaland electronic field
IEC
International Electrotechnical Commission
CEN Comité Européen de Normalisation CENELEC
Comité Européen de Normalisation Electrotechnique
UNI Ente Nazionale Italiano di Unificazione
Company Quality System (IMQ)
EC mark Medical devices CEI
Comitato Elettrotecnico Italiano
Fig. 1.
Company Quality System requirements for manufacture and control
has additional features which make it able to capture and store instrumental parameters from medical devices and external sensors.
The input data from external devices and the data captured by the integrated oxymeter card are not processed before they are saved on the hard disk. Clinical parameters are captured by EC-marked devices through a protocol supplied by the manufacturer.
Through its simple and user-friendly graphics interface which can be managed entirely from the touch-screen monitor, ALS Con-Tel II has a number of addition- al features enabling:
• transfer of stored information to a dedicated Web portal through either a PSTN line or a LAN – either by means of an automatic process or on demand
• exchange of subsequent clinical information, such as notices and answers to customised questionnaires
• multilingual modes (Italian, English, French, Spanish, German)
• scheduled events, as indicated by a diary and a notice advising the patient that the deadline for acquisitions is approaching.
Security
Software securities make sure that:
• the data to be transmitted are correct
• the data retrieved from memory upon sending are actually the desired ones
• the system will not crash, because it can manage errors in the input fields com- pleted by the user
• selection by touching the corresponding area in the screen with a finger is unequivocally identifiable by means of colours that are in contrast with the background
• a number of menus, which are accessible from a password-protected window, allow the installer to have access to serial port configuration features, assign- ing one of the listed devices to each of them.
The software is protected by routines which prevent any human or hardware input errors from causing a crash in the system, that would make the medical device unserviceable.
The operating system makes it possible to detect and therefore handle any hardware failures with messages and warnings; connection errors are possible, although serial ports are marked by numbers identifying them unequivocally.
Any voltage drops due to events resulting in the device suddenly switching off will cause no damage. The device will restart automatically. Once voltage has been restored and the device has been restarted, failed or incomplete data sent to the dedicated Web portal will be automatically restarted, and open tasks will be completed.
Technical Characteristics (Fig. 2) Data Transmission
- By telephone (PSTN): 56K Modem
- By LAN (Local Area Network): RJ45 Ethernet connector (10/100 Ethernet card)
Connection of External Medical Devices - No. 4 RS 232 female serial ports - No. 2 USB 1.1 ports
- No. 1 dedicated pulse oxymeter sensor port - No. 1 PS2/external keyboard connector Motherboard
- PC 104 card, VIA Eden ESP 700D 733 MhZ CPU Mass Storage
- 2.5” 20 Gbyte HDD - 128 Mbyte RAM - 512 Kbyte ROM Type of Monitor
- Touch-screen monitor – TFT 10.4” backlighted LCD – graphic resolution from 640 x 480 to 1024 x 768
Operating System
- Totally preinstalled and configured embedded XP
2 1
L
L
L B A
C D A
1 1
B
30 C
D
1 1 1 1
L
+
LVDS primary channel connector:
14-pin MOLEX 53047-1410
COM1 connector:
TOP-YANG 23110-2201002N or equivalent (10-pin dual row 2 mm pitch) LPT connector:
TOP-YANG 23128-2201002N or equivalent (28-pin dual row 2 mm pitch)
COM2 connector:
TOP-YANG 23110-2201002N or equivalent (10-pin dual row 2 mm pitch) LVDS secondary
channel connector:
10-pin MOLEX 53047-1010
CRT connector:
10-pin MOLEX 53047-1010
USB connector:
8-pin MOLEX 53047-0810
FAN connector:
3-pin MOLEX 53047-0310
Audio connector:
4-pin MOLEX 53047-0410
POWER connector:
PHOENIX CONTACT 1881477 PS2 interface for
keyboard and mouse on a connector:
TOP-YANG 23110-2201002N or equivalent (10-pin dual row 2 mm pitch) HD connector:
NUVAL TMA44T or equivalent (44-pin dual row 2 mm pitch) LCD Voltage selector:
(+3.3 V or +5 V):
2.5 mm pitch jumper
PC-104 + BUS
ETHERNET connector:
MOLEX 87332-0820
PC-104 + BUS
Fig. 2.
Motherboard technical characteristics
Application Software
- Developed under Visual Basic 6 (Microsoft environment) with fully visual interface design features and event-driven language
Output Data Format
- The connection between the device and the dedicated Web portal is through a SOAP connection (XML format) over TCP-IP
ALS Gate
This is a dedicated Web portal which was developed using new Microsoft technol- ogy that made it possible to create a very customisable application, which could not have been easily developed using traditional technologies.
The main core of the application is a totally configurable information manage- ment system. The system makes it possible to define the characteristics of each individual piece of information, and how it shall be displayed. All modules in the application rely on this core to organise the information to be managed.
Since this is a Web application, it ensures accessibility to users who are spread throughout the territory, as well as access through multiple platforms (PCs, PocketPCs, UMTS, etc.) (Fig. 3).
Security
As the application runs in a Web environment, security is ensured by the 128-bit SSL encryption protocol. All Internet communications between client and server travel
Fig. 3.
The ALS Gate system
over a HTTPS (HyperText Transfer Protocol over Secure Socket Layer) protocol, which is a secure version of the HTTP protocol that is commonly adopted for Internet browsing.
In order to better understand this significant factor – i.e., security – for man- agement of clinical parameters, it is important to correctly divide application security from infrastructural security.
Application Security
Application security was planned and implemented in the analysis and develop- ment phases in order to ensure integrity and protection of treated data.
Each user is assigned a pair of personal identification numbers:
• a Login code
• a Password code
These codes are generated through algorithms ensuring that they are unique and unrepeatable for all health care facilities.
Each examination is unequivocally matched by the personal identification num- bers of the user who owns the data, and stored in daily files. For security reasons, the application receiving requests to send examinations (Web server) is resident on an appropriate server, which is separate from the server managing report filing.
Encrypted daily files containing reports are stored in a Data server rather than the Web server, in different folders. Encryption of daily files is maintained throughout the filing period.
Examinations are displayed through a browser using the SSL protocol, which integrates symmetrical private-key encryption.
Infrastructural Security
As far as infrastructural security is concerned, all possible hardware and software measures were taken to ensure continuous service provision and protection from attacks by ill-intentioned persons and/or from indirect attacks, such as viruses.
This architecture provides for segregation of the Application Service from the Data Management Service. This segmentation makes it possible not only to phys- ically isolate the two machines, but also to increase service redundancy.
When a hardware or software failure occurs, in view of the selectivity of pro- vided services, the architecture will definitely be more easily and quickly restored.
This also enables faster failure analysis and recovery.
Splitting services makes it possible to isolate and limit connections between Web services and DataBase services as much as possible, thus reducing exposure to the risk of programmatic and non-programmatic attacks.
A further security level is the possibility of isolating the dedicated servers for the two different services – which will be analysed below – in two separate sub- nets, which will be connected exclusively through routers, and where traffic can be regulated through a firewall.
Application Service
This Web service responds to “user requests” (connections through the Web or
devices) in various ways, and with various data formats and types of formatting.
The Application service finally shows the user a Web browser-based Web interface which makes it possible to interact by consulting or entering data into the system.
The Application service implements a Web server which makes it possible to implement (SSL) encryption certificates through the HTTP protocol in order to encrypt the data which are transported over a HTTP protocol. In this type of set- up, sensitive data (username, password, patient data, etc.) are protected. This pro- tocol protects communication from wiretapping/eavesdropping by generating a different encryption key for each individual transmission; this key is used to encrypt the data being transmitted in both directions. Upon every subsequent connection, a new encryption key will be generated, thus making any previous attempts to decrypt messages useless. This method is used, for instance, by elec- tronic commerce sites to prevent wiretapping/eavesdropping of credit card num- bers or any other personal data sent to the Web server.
Data Management Service
This service makes it possible to manage multilingual and multiapplication data- bases; services enabling multiple connections to these databases; services manag-
Fig. 4.
Data management server
ing database filing based on backup and disaster recovery planning; and, finally, services managing database access security on a user level (Fig. 4).
Microsoft SQL Server 2000 implements all these services in a suite and a man- agement console which is optimised for Microsoft operating systems.
In Fig. 4, attention is focussed on the division between the two levels of the service being provided.
The two levels also correspond to two Virtual LANs (VLANs) which are isolat- ed, except for accesses, that are regulated by routers enabling connection on an IP address control and connection port level. The DMZ (or demilitarised) VLAN, where the application server is located, is the network that is exposed to the Internet, which is accessed by web clients through the HTTPS (HTTP - SSL) pro- tocol. Given its forced exposure to the Internet, and the high risk involved in this,
Fig. 5.