SBS - The Best Value in QMS software

5.5.3 - Software Unit Acceptance Criteria (Risk Control Measures)

A

andypatkinson

#1
Hi,

When it comes to verifying our software units that contain a RCM, we use unit tests to evaluate the RCM implementation (is it present and working as expected) and where we cannot test for it (for one resaon or another) we verify by code inspection.

Does anyone see any probem with this?

I have heard from other medical device SW developers ('around town') that because the example in the standard says:

NOTE Examples of acceptance criteria are:
? does the software code implement requirements including RISK CONTROL measures?


That code inspection / review is the only acceptable verification method and that verifying RCMs with unit tests is not 'meeting the intent of the standard'. I have a hard itme accepting that - for me we're verifying that the RCM is present in the unit and I choose to do that by 1st, testing and 2nd, inspection (but only if I have to, i.e. I cannot test for it).

Am I on the money or really going against the 'intent of the standard'?

Thanks in advance......

Andy
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
In general, I would agree that some requirements can only be verified through unit test (weak) or code inspection (weakest).

For risk controls, though, the expectation is that you demonstrate the control is available and effective at the time of need. It's clear that in some cases, demonstration could only be shown via unit-level testing. I would have a hard time defending verification of a risk control via code inspection - I don't think you could defend the effectiveness of the control.

Can you share a scenario where ONLY code inspection could verify a risk control?
 
A

andypatkinson

#3
Hi Yodon

Thanks for the reply.

The issue seems to be that because the example given in the standard talks about 'code', that the expected method of verifying this is via a code inspection, rather than testing. I agree that testing is a better method and is my preference.

Given that the standard talks about verifying risk control measures and traceability of requirements to tests, I don't see the point of section 5.5.3 and the focus on checking that a risk control measure had been implemented (if we're going to test for it before releasing the software, e.g. all verification will be completed before release).

Perhaps this is another example of a 62304 clause that if poorly written and simply causes confusion / misinterpretation.

Any further advice appreciated, Yodon

Regards, Andy
 

yodon

Staff member
Super Moderator
#4
I can't argue for the merits of the verbiage in the standard. :) But maybe some discussion can clarify what I believe the intent is (at least I can express my opinion).

5.5.2 is where you define how you establish verification methods for the units. Note that it's limited to class B and C (potential for patient injury). Note also that they explicitly indicate that there are other methods besides test for unit verification. For some units; e.g., those that are on one side of an interface, maybe you do some testing with a debugger to confirm the unit properly handles all data passed - both valid and invalid (something that should not be possible in normal operations).

5.5.3 establishes unit acceptance criteria and again only required for class B and C. If you have units that implement risk controls, the expectation, as I read, is that you do a code inspection to verify the implementation of the control. This is NOT requirements verification; this is how you accept the UNIT. This is a very low-level acceptance gate. The examples are quite appropriate for such a low-level verification: did you write the code per your standards, did you conform to the interface defined, etc.

So for class B and C software, if you have risk controls implemented in software, you're effectively saying that you are ensuring patients aren't harmed (or worse) via these controls and so the expectation is that you take extraordinary measures to ensure it's done right.

If you consider the 'V' model, you would have a low-level confirmation at the implementation level to confirm (via code inspection) that the risk control was implemented properly. (There's merit to this given testing can't or won't necessarily test every possible scenario.) Then moving up the food chain, once you get to the requirements level, you would have some type of functional testing to formally verify the risk control is effective.

Keep separate unit acceptance from requirements verification. Hope that makes sense.
 
Thread starter Similar threads Forum Replies Date
C Software Unit Acceptance Criteria (5.5.4) IEC 62304 - Medical Device Software Life Cycle Processes 3
I IEC 62304:2006 Definitions - Software System, a Software Element and Software Unit IEC 62304 - Medical Device Software Life Cycle Processes 13
C 7.6 for a Software Company - Calibrating Unit Testing ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
S Examples of FDA acceptable Software Design Specification (SDS) Medical Device and FDA Regulations and Standards News 6
D Integrated Management System Software Quality Manager and Management Related Issues 2
B Sampling strategies/techniques for software QA Software Quality Assurance 2
K MDCG-2020-3 (about the software of UI) EU Medical Device Regulations 3
D PFMEA Software search IATF 16949 - Automotive Quality Systems Standard 6
C MDR software classification EU Medical Device Regulations 12
H Class II a vs "software safety class A" IEC 62304 - Medical Device Software Life Cycle Processes 3
Z Software for design control ISO 13485:2016 - Medical Device Quality Management Systems 3
V Medical Device Literature Translation Software ISO 13485:2016 - Medical Device Quality Management Systems 1
D FDA Guidance on Computer Software Assurance versus 21 CFR Part 11 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
P Software verification and validation procedure IEC 62304 - Medical Device Software Life Cycle Processes 6
Aymaneh UDI-PI Software CE Marking (Conformité Européene) / CB Scheme 0
Q Software as a medical device vs software not sold as medical device: local regulations for sale? EU Medical Device Regulations 4
Y Software updates considered servicing (7.5.4) ISO 13485:2016 - Medical Device Quality Management Systems 4
S How to perform verification of the Statistical Analysis Software? Qualification and Validation (including 21 CFR Part 11) 7
I Document Control Software Document Control Systems, Procedures, Forms and Templates 2
E Software maintenance Process Software maintenance Process to IEC 6204? IEC 62304 - Medical Device Software Life Cycle Processes 3
L Micro-Vu InSpec Software Program Qualification and Validation (including 21 CFR Part 11) 6
A For software change - New Channel of interoperability CE Marking (Conformité Européene) / CB Scheme 5
T IVDR Medical device software CE Marking (Conformité Européene) / CB Scheme 8
N ISO 13485 7.3.9 Change control in medical device software ISO 13485:2016 - Medical Device Quality Management Systems 6
C SharePoint Contract Management Software General Information Resources 0
gramps What do you think about automated QA testing For software app industry? Misc. Quality Assurance and Business Systems Related Topics 5
V Software as medical device (SaMD) replicated for multiple clients through APIs IEC 62304 - Medical Device Software Life Cycle Processes 5
U API Spec Q1 - 5.6.1.2 C (3) - Design software Oil and Gas Industry Standards and Regulations 3
B Complaint Records - Accessing records on Easy Track Software Records and Data - Quality, Legal and Other Evidence 3
GreatNate Master Control QMS software Quality Tools, Improvement and Analysis 0
GreatNate Anyone using the Intellect QMS software? Quality Assurance and Compliance Software Tools and Solutions 1
S DHF/DMR/MDF for a software-only, cloud-based, single-instance device Medical Information Technology, Medical Software and Health Informatics 2
H Software Validation for FFS Packaging Machine Qualification and Validation (including 21 CFR Part 11) 1
E Any sample of a full software life cycle IEC 62304 report ( any class )? IEC 62304 - Medical Device Software Life Cycle Processes 1
Q ISO 13485 7.5.6 Validation - Off the shelf Software ISO 13485:2016 - Medical Device Quality Management Systems 3
M ERP / QMS related software standards for Validation IEC 62304 - Medical Device Software Life Cycle Processes 6
J Do Software Subcontractors need to be ISO13485 compliant in the EU? EU Medical Device Regulations 3
D Safety data sheets software REACH and RoHS Conversations 2
N What are the software audit and control steps Reliability Analysis - Predictions, Testing and Standards 2
N Validating Software before getting approved as Class 2 device US Food and Drug Administration (FDA) 5
M Clinical Decision Support Software Question 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
P Missing 1m visual alarm signal in case of software/display failure, mitigation? ISO 14971 - Medical Device Risk Management 3
B Software service provider as critical supplier ISO 13485:2016 - Medical Device Quality Management Systems 5
S Asterisk in DOE minitab software Using Minitab Software 23
M Surgical angle measurement guide device with an application software Medical Device and FDA Regulations and Standards News 1
M Advice needed for SEH Compliance Software and ISNETWord Compatabiliy Occupational Health & Safety Management Standards 2
bruceian Software Quality Metrics Software Quality Assurance 11
optomist1 How Secure Are Our Software Systems Software Quality Assurance 7
M 'Active' device? Software/laptop with attached camera 'looking' at passive metal probe EU Medical Device Regulations 3
D Software validation team Misc. Quality Assurance and Business Systems Related Topics 3

Similar threads

Top Bottom