5.5.3 - Software Unit Acceptance Criteria (Risk Control Measures)

A

andypatkinson

#1
Hi,

When it comes to verifying our software units that contain a RCM, we use unit tests to evaluate the RCM implementation (is it present and working as expected) and where we cannot test for it (for one resaon or another) we verify by code inspection.

Does anyone see any probem with this?

I have heard from other medical device SW developers ('around town') that because the example in the standard says:

NOTE Examples of acceptance criteria are:
? does the software code implement requirements including RISK CONTROL measures?


That code inspection / review is the only acceptable verification method and that verifying RCMs with unit tests is not 'meeting the intent of the standard'. I have a hard itme accepting that - for me we're verifying that the RCM is present in the unit and I choose to do that by 1st, testing and 2nd, inspection (but only if I have to, i.e. I cannot test for it).

Am I on the money or really going against the 'intent of the standard'?

Thanks in advance......

Andy
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
In general, I would agree that some requirements can only be verified through unit test (weak) or code inspection (weakest).

For risk controls, though, the expectation is that you demonstrate the control is available and effective at the time of need. It's clear that in some cases, demonstration could only be shown via unit-level testing. I would have a hard time defending verification of a risk control via code inspection - I don't think you could defend the effectiveness of the control.

Can you share a scenario where ONLY code inspection could verify a risk control?
 
A

andypatkinson

#3
Hi Yodon

Thanks for the reply.

The issue seems to be that because the example given in the standard talks about 'code', that the expected method of verifying this is via a code inspection, rather than testing. I agree that testing is a better method and is my preference.

Given that the standard talks about verifying risk control measures and traceability of requirements to tests, I don't see the point of section 5.5.3 and the focus on checking that a risk control measure had been implemented (if we're going to test for it before releasing the software, e.g. all verification will be completed before release).

Perhaps this is another example of a 62304 clause that if poorly written and simply causes confusion / misinterpretation.

Any further advice appreciated, Yodon

Regards, Andy
 

yodon

Staff member
Super Moderator
#4
I can't argue for the merits of the verbiage in the standard. :) But maybe some discussion can clarify what I believe the intent is (at least I can express my opinion).

5.5.2 is where you define how you establish verification methods for the units. Note that it's limited to class B and C (potential for patient injury). Note also that they explicitly indicate that there are other methods besides test for unit verification. For some units; e.g., those that are on one side of an interface, maybe you do some testing with a debugger to confirm the unit properly handles all data passed - both valid and invalid (something that should not be possible in normal operations).

5.5.3 establishes unit acceptance criteria and again only required for class B and C. If you have units that implement risk controls, the expectation, as I read, is that you do a code inspection to verify the implementation of the control. This is NOT requirements verification; this is how you accept the UNIT. This is a very low-level acceptance gate. The examples are quite appropriate for such a low-level verification: did you write the code per your standards, did you conform to the interface defined, etc.

So for class B and C software, if you have risk controls implemented in software, you're effectively saying that you are ensuring patients aren't harmed (or worse) via these controls and so the expectation is that you take extraordinary measures to ensure it's done right.

If you consider the 'V' model, you would have a low-level confirmation at the implementation level to confirm (via code inspection) that the risk control was implemented properly. (There's merit to this given testing can't or won't necessarily test every possible scenario.) Then moving up the food chain, once you get to the requirements level, you would have some type of functional testing to formally verify the risk control is effective.

Keep separate unit acceptance from requirements verification. Hope that makes sense.
 
Thread starter Similar threads Forum Replies Date
C Software Unit Acceptance Criteria (5.5.4) IEC 62304 - Medical Device Software Life Cycle Processes 3
F Configurator for a power unit - Software or other solution? Manufacturing and Related Processes 0
I IEC 62304:2006 Definitions - Software System, a Software Element and Software Unit IEC 62304 - Medical Device Software Life Cycle Processes 13
C 7.6 for a Software Company - Calibrating Unit Testing ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
M Initial Importer/Distributor and Software Validation IEC 62304 - Medical Device Software Life Cycle Processes 0
D Test Management Software Software Quality Assurance 1
E ISO 13485 software validation ISO 13485:2016 - Medical Device Quality Management Systems 7
D Tracking software versions used with instruments ISO 13485:2016 - Medical Device Quality Management Systems 0
dgrainger Informational MHRA's Software and AI as a Medical Device Change Programme UK Medical Device Regulations 0
S Do you follow your QMS for non-device software features? Medical Information Technology, Medical Software and Health Informatics 4
J Can we register non-device clinical decision support software under draft guidance? Other US Medical Device Regulations 5
I Software (SaMD) mobile application verification testing: objective evidence Medical Information Technology, Medical Software and Health Informatics 2
J EU equivalent to Clinical Decision Support Software EU Medical Device Regulations 3
Y ISO 13485:2015 Software Validation IQ/OQ/PQ ISO 13485:2016 - Medical Device Quality Management Systems 13
S Recommended software to send Quality scorecards to suppliers (external providers) Supplier Quality Assurance and other Supplier Issues 3
J Software as a Medical Device - SaMD IEC 62304 - Medical Device Software Life Cycle Processes 3
BeaBea QMS/ Training Management Software Service Industry Specific Topics 4
shimonv Working with a software developer who is not setup for IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 9
R Debug mode in software/device validation IEC 62304 - Medical Device Software Life Cycle Processes 2
Q Gage calibration / tracking software General Measurement Device and Calibration Topics 5
M Software verification and validation AS9100 AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
Y RT-qPCR Software result EU Medical Device Regulations 0
B A.I diagnostic software is considered as medical device in FDA? US Food and Drug Administration (FDA) 5
F WANTED Senior Software engineer Career and Occupation Discussions 2
P Blood establishment computer software EU classification EU Medical Device Regulations 0
S Examples of FDA acceptable Software Design Specification (SDS) Medical Device and FDA Regulations and Standards News 6
D Integrated Management System Software Quality Manager and Management Related Issues 2
B Sampling strategies/techniques for software QA Software Quality Assurance 3
K MDCG-2020-3 (about the software of UI) EU Medical Device Regulations 3
D PFMEA Software search IATF 16949 - Automotive Quality Systems Standard 7
C MDR software classification EU Medical Device Regulations 12
H Class II a vs "software safety class A" IEC 62304 - Medical Device Software Life Cycle Processes 4
Z Software for design control ISO 13485:2016 - Medical Device Quality Management Systems 5
V Medical Device Literature Translation Software ISO 13485:2016 - Medical Device Quality Management Systems 1
D FDA Guidance on Computer Software Assurance versus 21 CFR Part 11 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
P Software verification and validation procedure IEC 62304 - Medical Device Software Life Cycle Processes 6
Aymaneh UDI-PI Software CE Marking (Conformité Européene) / CB Scheme 0
Q Software as a medical device vs software not sold as medical device: local regulations for sale? EU Medical Device Regulations 4
Y Software updates considered servicing (7.5.4) ISO 13485:2016 - Medical Device Quality Management Systems 4
S How to perform verification of the Statistical Analysis Software? Qualification and Validation (including 21 CFR Part 11) 7
I Document Control Software Document Control Systems, Procedures, Forms and Templates 2
E Software maintenance Process Software maintenance Process to IEC 6204? IEC 62304 - Medical Device Software Life Cycle Processes 3
L Micro-Vu InSpec Software Program Qualification and Validation (including 21 CFR Part 11) 6
A For software change - New Channel of interoperability CE Marking (Conformité Européene) / CB Scheme 5
T IVDR Medical device software CE Marking (Conformité Européene) / CB Scheme 8
N ISO 13485 7.3.9 Change control in medical device software ISO 13485:2016 - Medical Device Quality Management Systems 6
C SharePoint Contract Management Software General Information Resources 0
gramps What do you think about automated QA testing For software app industry? Misc. Quality Assurance and Business Systems Related Topics 5
V Software as medical device (SaMD) replicated for multiple clients through APIs IEC 62304 - Medical Device Software Life Cycle Processes 5
U API Spec Q1 - 5.6.1.2 C (3) - Design software Oil and Gas Industry Standards and Regulations 3

Similar threads

Top Bottom