Software testing: meeting the requirements of IEC 62304 and FDA

Software testing is part of software verification alongside code reviews. Laws and standards place requirements on the type and scope of software testing.

1. Software testing: the basics

a) Software testing as part of software quality assurance

The objective of testing software is to find errors in the software. Software testing is, therefore, part of analytical quality assurance (see Fig. 1).

Constructive quality assurance includes

1. processes, e.g. development processes
2. methods and procedures, e.g., requirements engineering, modeling with UML, and deriving test cases with equivalence classes
3. tools such as ALM tools, development environments, modeling, and testing tools

At the meta-level, there are laws and standards as well as training and further training programs that relate to the three aspects mentioned above, among others.

Analytical quality assurance attempts to find defects in various test objects using various processes, methods, and tools. A distinction is made between:

• Audits: The aim here is to find errors in processes.
• Reviews: search for errors in documents such as specifications or code (code reviews)
• (Software) tests: search for errors in test objects, for example, in the form of unit tests, integration tests, and software system tests

b) Taxonomy of software testing methods

Software tests can be sorted according to many criteria (see Fig. 2).

IEC 62304 divides its requirements according to the life-cycle phases (see Fig. 3).

2. Regulatory requirements

a) Europe

MDR, IVDR

The MDR and IVDR require state-of-the-art software life-cycle processes (see MDR, Annex I, Section 17.2) and documentation of the “verification and validation of the software” (see Annex II, Section 6.1.b).

IEC 62304

The harmonized standard IEC 62304 for these EU regulations requires software testing in the following chapters:

• 5.5: Software unit verification (incl. unit tests)
• 5.6: Software integration tests
• 5.7: Software system tests

During software release (Chapter 5.8), manufacturers must review whether the software tests have been carried out as described in the software development plan.

The standard allows exceptions for legacy software.

IEC 82304

Software validation does not fall within the scope of IEC 62304 but rather that of IEC 82304-1, although its requirements are very unspecific.

Essential methods for validating software are clinical evaluation and usability validation, typically as a summative evaluation or a usability test.

b) FDA

The FDA acknowledges IEC 62304 as a “recognized standard”. However, the authority formulates the most relevant requirements for the software architecture in its guideline General Principles of Software Validation.

The guideline Content of the premarket submission specifies which documents manufacturers must submit. In it, the FDA also sets out requirements for software testing.

c) Other

Manufacturers that comply with FDA and EU requirements for software testing are also likely to comply with requirements in other markets largely.

Sometimes, it helps to consider other standards. These include:

• IEC 62443-4-1 and ISO/IEC 15408 on IT security
• ISO 299119-6 on software testing in agile projects
• ISO 29119-11 for software testing of AI-based applications

3. Seven tips for software testing

Tip 1: Also test the units during unit tests

Developers understand unit testing differently from auditors: For the former, unit tests are the tests of granular units, e.g., methods and classes. In contrast, from a regulatory perspective, unit tests must test the software units that can represent larger components.

Read more in this article.

Tip 2: Choose the right methods

Depending on the test objective, manufacturers should choose the appropriate methods. A fuzz test has a different objective than a penetration test.

Benefit from black-box test procedures. This allows you to systematically determine the test cases with the highest probability of finding errors, which is not only applicable to software system tests.

Tip 3: Quantify the test coverage

Tests can only find errors if the test code runs through the software to be tested. Tools can be used to determine the code coverage automatically. Manufacturers should define this metric for themselves.

Tip 4: Use all tests as regression tests

Each additional test increases the probability of errors being found and eliminated in time. This is why it is a good idea to repeat all tests as regression tests after changes have been made. Not only during development but also during software maintenance.

Tip 5: Do not only test during development

If manufacturers allow users to customize the software (for example, by parameterizing the software or writing their own scripts), then these customizations should also be reviewed through software tests.

Tip 6: Be careful with beta tests

Beta tests aim to make a product (in this case, software) available to a selected group of users before the official release to obtain feedback on the device.

Medical device manufacturers must be aware that such a beta test may already constitute illegal placing the device on the market.

Tip 7: Ensure competence

Software testing is a competence that manufacturers must define and guarantee. ISO 13485, among others, obliges them to do this specifically for each development project.