How to apply IEC 62304 Problem Resolution Process for bugs discovered prior to release i.e. during initial development?

[Manasi]

As part of the software development phase prior to release, code-debug goes in parallel. My question is how to determine which bugs prior to release should be handled according to the problem resolution process described in clause 9 of the IEC 62304 standard? This means that there has to be a problem report documented followed by an investigation. This might become burdensome if it has to be done for each and every bug discovered during the initial software development phase.

 

[mihzago]

My typical approach, if it’s a bug identified during development, then no formal investigation is required, but if you’re using defect tracking tools like jira or bugzilla then I’d recommend keeping track of them there.
for defects identified during formal verification or validation activities, you should formally track the defect investigation and resolution.

depending on the defect severity and the company policy you may or may not have to stop the test effort or continue while resolving the fix. In either case this will likely affect other development activities and you’ll have to do some level of regression testing, or worse, redesign, so documentation is important.

 

[Tidge]

The 'best practice' I have seen used is that the defects identified during development transition into bugs accepted for release. That is:

• During development the project keeps track of all sorts of defects, including mistakes in design documents, conflicting requirements, bad implementations, failed tests, etc.

There is a wide variety of approaches that can be taken to this sort of issue tracking... including who can formally declare things to be issues. For medical device software, my preference is that the gatekeepers for these issues are the software technical lead and their quality partner. I don't object to developers having a 'ticket' (or 'todo') system, but my experience has been that relatively few of these sorts of things end up impacting the final product (in terms of performance against requirements, or compliance with regulations, or safety of the device).

• During the project, when the technical lead believes an issue to have been resolved, she consults with the quality partner to consider formal closure of the issue.

This is why I don't like the issue tracking system to be a vague 'todo' list. The technical lead may use a ticket system to track progress, but it is unnecessarily burdensome to involve the quality partner just to make sure people are doing their assigned jobs. YMMV, depending on how well structured the actual development effort is. If there is one developer flitting between different areas, perhaps a ticket system makes sense. This is more about discipline than quality, IMO.

• When the software release is scheduled to occur, the software technical lead and the quality partner review the list of open (unresolved) issues and make an assessment if the issues are to be closed (i.e. rework the solution and/or design documentation) or deferred.

There is nothing magical about this step, expect that it formalizes acceptance that there may be unmet requirements, or that there are defects of some type in the solution.

• The greater team (beyond the software development effort) meets with the software technical lead and the quality partner to formally decide on the issues (acceptable as deferred, or unacceptable). These extra players are usually always someone with direct accountability to patient safety and often include someone with business responsibility.

If issues are not to be resolved (that is, the deficiency will go uncorrected) then the defect is considered deferred and becomes part of the 'bug list' that accompanies the regulatory submission. Again, this is why I prefer that 'todo' and 'nice-to-have' items don't end up on the issue tracker... because it is quite annoying to have issues like 'so and so thinks refactoring this element is a good idea' are quite different than 'battery doesn't turn on when it is supposed to'.