PEMS = Programmable Electrical Medical Systems (and the companion PESS = Programmable Electrical Subsystems).
So we're effectively talking about software validation. Validation of software goes beyond testing, you need to have the controls in place to demonstrate the software is built and maintained properly. Part of validation is demonstration (test) that the requirements are met. Beyond meeting requirements, though, will the software hold up to actual use?
I would suggest validation (these days) include:
- requirements verification (does it fulfill the requirements - and includes demonstration that software-implemented risk controls are effective)
- risk-based exploratory testing (if a user can do something they will... and how will the system react)
- cybersecurity analysis (which could include penetration testing, etc.)
- human factors assessment (does the software promote safe and effective use)
- low-level static analysis
- SOUP analysis
- configuration status accounting audit
- internal audit for compliance to a sound software development lifecycle* including post-market support (62304 is a good standard)
(*Everyone expects that the software lifecycle be defined, be 'state of the art,' and followed.)
That's just off the top of my head... and I'm only half-way into my coffee so there may be more.
