This document outlines a 10-step plan for medical device software validation and verification presented by Ginsbourg.com. It discusses past issues with inadequate medical device software testing, like the Therac-25 radiotherapy accident that killed patients. The FDA regulates medical mobile apps and other software as medical devices based on risk. The plan involves performing risk analysis, documenting requirements and design, developing a test plan, and maintaining records of testing and releases.

1. Ginsbourg.com
Plan for
Medical Device
Software
Validation and
Verification
2014-2015
Ginsbourg.com MD SW V&V 2014-2015 July 24, 2014 1

2. Ginsbourg.com
July 24, 2014
• Formerly QA Manager of LoadRunner at Mercury Interactive
• M.Sc. cum laude in Bio-Medical Engineering
• M.Sc. in Mechanical Engineering
2Ginsbourg.com MD SW V&V 2014-2015

3. Ginsbourg.com
July 24, 2014 3Ginsbourg.com MD SW V&V 2014-2015

4. Ginsbourg.com
1. Coding finished
2. Run a few tests
3. System approved
4. Release
Result: Disaster !
 Inadequate design or
poor coding produces many
time bombs in the system!
← High Risk Approach
July 24, 2014 4Ginsbourg.com MD SW V&V 2014-2015

5. Ginsbourg.com
Therac-25 medical accelerator (1985-1987)
• Therac-25 was a therapy system that delivered two different kinds of radiation:
either a low-power electron beam or X-rays.
• The Therac-25's X-rays were generated by smashing high-power electrons into a
metal target positioned between the electron gun and the patient.
• An electromechanical safety interlock was replaced by a software control, because
software was perceived to be more reliable.
• The OS was compiled by a programmer with no formal training.
• Because of a “race condition” bug, the operator could accidentally configure the
Therac-25 so the electron beam would fire in high-power mode, but with the metal
X-ray target out of position.
• At least five patients died; others were seriously injured.
Catastrophic software failure
July 24, 2014 5Ginsbourg.com MD SW V&V 2014-2015

6. Ginsbourg.com
July 24, 2014 6Ginsbourg.com MD SW V&V 2014-2015
"I can’t tell you how many manufacturers I have seen that have tried to
present their risk management system by simply presenting a FMEA.
That is NOT a risk management system."
Kimberly A. Trautman, QSR Expert, CDRH, FDA

7. Ginsbourg.com
QC → Products
QA → Processes
ISO 13485:2003 Medical devices - Quality management
systems - Requirements for regulatory purposes
July 24, 2014 7Ginsbourg.com MD SW V&V 2014-2015

8. Ginsbourg.com
← Low Risk Approach
1.SW Lifecycle
2.Documentation
3.Risk Analysis
4.Specifications (functional, performance, usability, etc.)
5.Requirements (marketing, technical, user expectations, etc.)
6.Code Review (manual, automatic)
7.Code Freeze
8.Version Management
9.Bug Base
10.Validation & Verification
July 24, 2014 8Ginsbourg.com MD SW V&V 2014-2015

9. Ginsbourg.com
July 24, 2014 9Ginsbourg.com MD SW V&V 2014-2015

10. Ginsbourg.com
July 24, 2014 10Ginsbourg.com MD SW V&V 2014-2015

11. Ginsbourg.com
July 24, 2014
What are mobile medical apps?
Mobile apps are software programs that run on
smartphones and other mobile communication
devices.
How will the FDA regulate mobile medical apps?
The FDA will apply the same risk-based approach the
agency uses to assure safety and effectiveness for
other medical devices.
Last Updated: 10/22/2013
11Ginsbourg.com MD SW V&V 2014-2015

12. Ginsbourg.com
July 24, 2014
When is a mobile app classed as a medical device?
12Ginsbourg.com MD SW V&V 2014-2015

13. Ginsbourg.com
July 24, 2014
• Currently available for iOS devices.
• Helps doctors calculate the percentage of a
patient’s body surface area that is burned.
• Calculates the amount of fluid to be
administered in the 24-hour period that
follows the burn injury.
13Ginsbourg.com MD SW V&V 2014-2015

14. Ginsbourg.com
July 24, 2014 14Ginsbourg.com MD SW V&V 2014-2015

15. Ginsbourg.com
July 24, 2014 15Ginsbourg.com MD SW V&V 2014-2015

16. Ginsbourg.com
July 24, 2014 16Ginsbourg.com MD SW V&V 2014-2015

17. Ginsbourg.com
July 24, 2014 17Ginsbourg.com MD SW V&V 2014-2015
10-step plan for medical device software validation and verification:
1. Perform risk analysis
2. Determine level of concern
3. Describe the software
4. Formulate requirements specifications
5. Develop design specifications inc. architecture design chart
6. Craft a software development environment summary document
7. Document validation and verification testing
8. Perform a traceability analysis
9. Determine unresolved anomalies
10.Maintain a log of revision and release numbers

18. Ginsbourg.com
July 24, 2014 18Ginsbourg.com MD SW V&V 2014-2015

19. Ginsbourg.com
July 24, 2014
http://www.ibm.com
19Ginsbourg.com MD SW V&V 2014-2015

20. Ginsbourg.com
July 24, 2014 20Ginsbourg.com MD SW V&V 2014-2015

21. Ginsbourg.com
July 24, 2014 21Ginsbourg.com MD SW V&V 2014-2015