IEC 62304 compliance - Code reviews as part of verification strategy

KrishQA

Starting to get Involved
#1
Hello All,

I have been introduced to a product under development. It is a Class C Medical device as per 62304.

The team has already performed some verification (System tests). Now, the verification strategy consists of a combination of the following testing levels:
  1. Code review
  2. Unit
  3. Integration
  4. Software system
What this resulted in, is that some software requirements are only tested by code review or unit testing and have no explicit system tests associated.

Is this considered okay, or does each and every software requirement need to be tested (not including code review and unit tests)

Looking forward to the answers. TIA
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
Depends on the (software) requirement. Some likely cannot be verified at a system level (may need a debugger for error injection, for example). If you have a requirement that (and I'm carrying it to an extreme) a variable be named "Bob" then a code review is the only way to verify. Some may need a combination of the above to fully verify.
 

Tidge

Quite Involved in Discussions
#3
First, the homily: System testing should be the LAST level of verification testing. It is not uncommon that developers do "system testing" and discover that one or more requirements was not tested (or unable to be tested); this is evidence of an incomplete development process. It appears that the ordinal numbering of the verification strategy in the original post recognizes this at some level.

Now to answer the question

...does each and every software requirement need to be tested (not including code review and unit tests)
Every requirement must be tested. Generally it is not a good idea to write (system) requirements that cannot be tested at the system level. IEC 62304 does not mandate that requirements be written at such a low level that code reviews and/or unit tests are the only mechanisms for testing requirements. It is encouraged that developers perform code reviews and unit tests to provide some evidence that compiled code will work prior to moving to integration testing. A simple example:

Code may be developed for a device that will display units of a patient medicine dose in units of 1 mg (REQ 1), but the device is to signal if the dose exceeds 10 mg (REQ 2). The code review (for the part of signal system monitoring the dose) could examine the dose variable in smaller units, such as 0.1 mg and the unit test could explore the behavior at the boundary 10 +- 0.1 mg, even though the system display might only be 9, 10, 11 mg. In this case the code review and the unit test is providing evidence that the signal system is behaving, but I would still expect system level testing for each requirement as written.

Some developers prefer to write requirements that prescribe design solutions, but this is a bad practice. In such cases: if the design solution changes, those developers will find themselves returning to a much earlier part of the design process which makes everything more difficult.
 

KrishQA

Starting to get Involved
#4
Depends on the (software) requirement. Some likely cannot be verified at a system level (may need a debugger for error injection, for example). If you have a requirement that (and I'm carrying it to an extreme) a variable be named "Bob" then a code review is the only way to verify. Some may need a combination of the above to fully verify.
That does make sense. Also to add, I did some more digging and some of the software requirements will be tested as part of the whole system testing (mapping the system requirements to tests).

So what I read is that under specific conditions it might be okay to rely only on Code review/Unit testing as long as a justifiable explanation is provided.
 

KrishQA

Starting to get Involved
#5
First, the homily: System testing should be the LAST level of verification testing. It is not uncommon that developers do "system testing" and discover that one or more requirements was not tested (or unable to be tested); this is evidence of an incomplete development process. It appears that the ordinal numbering of the verification strategy in the original post recognizes this at some level.
Yes, software system testing is indeed the last step of the software verification process. However, some software requirements are only verified by code review/unit testing. I see that it might be okay under certain conditions, however the software requirements themselves have to be written in a testable way (which is mentioned in 62304), which would mean it should be possible to perform system testing for all of them.
 

yodon

Staff member
Super Moderator
#6
Some developers prefer to write requirements that prescribe design solutions, but this is a bad practice. In such cases: if the design solution changes, those developers will find themselves returning to a much earlier part of the design process which makes everything more difficult.
Amen!
 
Thread starter Similar threads Forum Replies Date
D Required Checklist Showing Compliance to IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 11
C Software for Medical Devices - Requirements Content for compliance with IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 1
K IEC 62304 - Compliance steps IEC 62304 - Medical Device Software Life Cycle Processes 5
R IEC 62304 Compliance - How is compliance to IEC 62304 verified? IEC 62304 - Medical Device Software Life Cycle Processes 18
M IEC 62304 Compliance Status - Is it mandatory for IVD device? IEC 62304 - Medical Device Software Life Cycle Processes 7
W IEC 62304 compliance status - Is it mandatory for 510(k) submittal? IEC 62304 - Medical Device Software Life Cycle Processes 4
K IEC 62304 - Testing Independance IEC 62304 - Medical Device Software Life Cycle Processes 5
K IEC 62304 - Functional and performance requirements for SOUP items IEC 62304 - Medical Device Software Life Cycle Processes 2
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
D IEC 62304 Risk Classification - With and without hardware control IEC 62304 - Medical Device Software Life Cycle Processes 2
M IEC 62304 Class A Project IEC 62304 - Medical Device Software Life Cycle Processes 15
B Clause 5.1.12 of Technical Standard IEC 62304/A1 IEC 62304 - Medical Device Software Life Cycle Processes 5
P IEC 62304 - evaluation of integration and system testing IEC 62304 - Medical Device Software Life Cycle Processes 4
P Risk acceptability alignment between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 6
P Proposed revision of IEC 62304 - 2019 IEC 62304 - Medical Device Software Life Cycle Processes 6
S Relationship between IEC 62304 problem resolution and ISO 13485 IEC 62304 - Medical Device Software Life Cycle Processes 8
P IEC 62304:2006 A1:2015 - Software from the early 1990s IEC 62304 - Medical Device Software Life Cycle Processes 4
B IEC 62304:2015 vs IEC 62304:2006 + AMD1 IEC 62304 - Medical Device Software Life Cycle Processes 4
F IEC 62304 - Segregation and communication between software items IEC 62304 - Medical Device Software Life Cycle Processes 1
B Class IIB Device - IEC 62304 Software Classification IEC 62304 - Medical Device Software Life Cycle Processes 13
B IEC 62304 - Update Checklist IEC 62304 - Medical Device Software Life Cycle Processes 2
L Connection between IEC 62304 and Chapter 14 of IEC 60601-1 IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
M IEC 62304 - Develop an Architecture for the Interfaces of Software Items IEC 62304 - Medical Device Software Life Cycle Processes 8
S Does IEC 62304 require documenting unresolved anomalies for all safety classes? IEC 62304 - Medical Device Software Life Cycle Processes 4
A SOP for software validation of software in medical device IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 5
T I need to make test reports according IEC 62304 & IEC 62366 IEC 62366 - Medical Device Usability Engineering 2
D Changing software classification via software - IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 3
D Software as risk control - Confused on one aspect of IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 20
K Trying to figure out what satisfies a few aspects of IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 2
Y IEC 62304 Section 4.3(a) - 100% probability of failure IEC 62304 - Medical Device Software Life Cycle Processes 3
Y Application of IEC/EN 62304 at an advanced stage of software development IEC 62304 - Medical Device Software Life Cycle Processes 4
T Is there any requirement to be compliant with IEC 62304 while implementing ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 5
L Documentation Planning - IEC 62304 Clause 5.1.8 IEC 62304 - Medical Device Software Life Cycle Processes 2
W CPU BIST IEC 62304 - Embedded code has CPU instruction tests IEC 62304 - Medical Device Software Life Cycle Processes 2
K IEC 62304 Amd 1 2015 - Figure 3 – Assigning Software Safety Classification IEC 62304 - Medical Device Software Life Cycle Processes 11
K Risk Reduction by Risk Control: IEC:62304-Class C ISO 14971 - Medical Device Risk Management 15
C Per IEC 62304, are DHF documents Configuration Items? IEC 62304 - Medical Device Software Life Cycle Processes 5
P IEC 62304 AMD1:2015: What's new vs.the 2006 Edition? IEC 62304 - Medical Device Software Life Cycle Processes 4
F FDA PMK 510(k) - IEC 62304 Software Components Segregation Other US Medical Device Regulations 3
M IEC 62304 Applicability - GUI Control Software IEC 62304 - Medical Device Software Life Cycle Processes 3
B Our NB says that IEC 62304 is an ISO 14971 Requirement ISO 14971 - Medical Device Risk Management 1
B Clarification on interpretation of some EN ISO 14971:2012 & IEC 62304:2006 req's ISO 14971 - Medical Device Risk Management 46
H ISO 14971 vs. IEC 62304 vs. 98/79/EC vs. ISO 13485 (Software Medical Device) ISO 14971 - Medical Device Risk Management 1
D A desperate call for help - IEC 62304 software IEC 62304 - Medical Device Software Life Cycle Processes 5
B IEC 62304:2006/AMD1:2015 Changes for Class A Software IEC 62304 - Medical Device Software Life Cycle Processes 3
M IEC 62304, ISO 14971 and FDA Medical Device SW Guidance 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 5
K ISO 14971 and IEC 62304 - Medical Device Software House ISO 14971 - Medical Device Risk Management 9
S Software Test Report including IEC 62304 classification IEC 62304 - Medical Device Software Life Cycle Processes 4
A Mapping of IEC 62304 artefacts (SRS, SAD, etc) to the 820.30 phases IEC 62304 - Medical Device Software Life Cycle Processes 5
W IEC 62304 vs. IMDRF SaMD Guideline Risk Class IEC 62304 - Medical Device Software Life Cycle Processes 5

Similar threads

Top Bottom