Project

Medical Device Verification and Validation Traceability Project

Biomedical engineering project for building a risk-based medical device V&V traceability package with requirements, evidence, deviations, uncertainty, residual risk, and release decision.

This project builds a medical device verification and validation traceability package. The goal is to connect intended use, design inputs, risk controls, test protocols, measurements, deviations, residual risk, and release decision into one reviewable engineering deliverable.

The project is educational and engineering-focused. It is not clinical advice, not regulatory advice, and not a substitute for the applicable quality system, risk management procedure, standards, professional review, or market-specific submission requirements.

Project Objective

Prepare a risk-based V&V traceability package for a connected patient monitoring accessory after a hardware revision, firmware update, and disposable accessory change. The final deliverable should answer:

  1. Which intended-use claims and safety functions are in scope?
  2. Which requirements, hazards, risk controls, and test methods cover each claim?
  3. Which verification tests prove that design outputs meet specified requirements?
  4. Which validation activities prove that the device supports realistic users, workflows, and environments?
  5. Which deviations remain open, justified, or blocking?
  6. Which evidence is strong enough to support release, and which evidence must be repeated?

The output is not only a traceability spreadsheet. It is a release package that lets an engineering review board see what was tested, why it was tested, what passed, what failed, what changed, and what residual risk remains.

Project Boundary

Use this simplified device boundary.

ItemProject value
Device typeconnected patient monitoring accessory
Intended engineering functionacquire physiological signals, display status, transmit records, and alert on defined fault states
Userstrained clinical staff and service technicians
Use environmentmonitored care area and biomedical engineering service bench
Hardware changeanalog front-end input protection changed
Firmware changealarm state machine and packet timestamping updated
Disposable changerevised lead-wire and sensor accessory supplier
Release decisionengineering release for controlled pilot deployment

The project scope includes design verification, simulated-use validation, service workflow checks, electrical safety evidence, measurement uncertainty, software timing, data integrity, usability-critical tasks, and risk-control verification. Clinical effectiveness, market authorization, purchasing decision, and production-scale validation are outside this simplified project.

Baseline Deliverables

Create these deliverables before the release review:

DeliverableRequired content
V&V traceability matrixintended-use claim, requirement, hazard, control, test method, result, owner, configuration
risk-control evidence maphazard, cause, control, verification, validation, residual risk and open action
protocol indexprotocol identifier, revision, device configuration, acceptance criteria and raw data location
deviation logdeviation, affected requirement, risk impact, disposition and retest decision
uncertainty and guard-band summarymeasurement method, uncertainty contributors and pass/fail decision rule
software and data-integrity evidenceversion, build, timestamp, packet loss, latency and fault recovery checks
usability validation summaryrepresentative tasks, critical tasks, observed use errors and mitigations
release decision memopassed items, conditional items, blockers, residual risk and release recommendation

The deliverables should be controlled documents with configuration identifiers. A passed test with an unknown firmware build, accessory lot, calibration state, or protocol revision is weak evidence.

Step 1: Build the Traceability Matrix

Start with a small but representative set of project claims and controls.

IDClaim or requirementHazard linkControlEvidence methodAcceptance basis
R1input signal remains within specified measurement errorwrong physiological trendcalibrated signal test and uncertainty budgetverificationguarded error limit
R2alarm state changes within required timedelayed response to faultfirmware state-machine test and timestamp logverificationlatency limit
R3leakage current remains below project limitelectrical exposureelectrical safety bench testverificationcurrent limit
R4critical setup task is completed correctly by usersincorrect setupsimulated-use validation and labeling checkvalidationcritical-task success criterion
R5disposable accessory change does not reduce signal qualitywrong or noisy measurementaccessory equivalence testverificationSNR and artifact limits
R6service technician can confirm configuration before releasewrong version in serviceservice workflow validationvalidationconfiguration confirmation without critical error

Each row should identify the exact configuration covered by the evidence. If the firmware, disposable accessory, cable, calibration method, or user workflow differs from the released configuration, the row needs a gap assessment.

Engineering Comment

The matrix is useful only when it connects engineering evidence to risk. A requirement without a hazard link may still be important, but safety-critical claims need visible risk-control evidence. A test without a requirement may be interesting but difficult to use for release.

Step 2: Calculate Traceability Closure

The project starts with the following traceability review.

Traceability stateCount
claim linked to requirement, hazard, risk control and evidence38
claim linked to requirement and evidence but missing hazard link7
claim linked to requirement but missing approved evidence5
claim listed in labeling but not yet in controlled requirements2

Total claims:

N=38+7+5+2=52

Full closure rate:

\displaystyle C=\frac{38}{52}\times100=73.1\%

Open or incomplete claims:

N_{open}=7+5+2=14

Open fraction:

\displaystyle \frac{14}{52}\times100=26.9\%

Engineering Comment

A closure rate of 73.1\% is not release-ready for a controlled pilot. The five claims missing approved evidence are direct blockers. The two labeling claims outside controlled requirements are also blockers because the released product would make claims that the design file does not control. The seven rows missing hazard links require risk review: some may be low-risk performance claims, but some may hide safety-critical controls.

Step 3: Rank Risk-Control Evidence

Use RPN as a prioritization aid, not as proof of safety. The project has three open risk-control items.

ItemSeverityOccurrenceDetectionExisting RPNPlanned control
delayed alarm state83496timestamped state-machine test and watchdog fault injection
accessory connector misfit64372keying inspection, simulated-use setup validation and supplier lot check
noisy input after disposable change554100accessory equivalence test and SNR guard band

After planned controls, engineering estimates:

ItemSeverityOccurrenceDetectionRevised RPN
delayed alarm state82232
accessory connector misfit62224
noisy input after disposable change52220

For the alarm item:

RPN_0=8\times3\times4=96
RPN_1=8\times2\times2=32

Relative reduction:

\displaystyle \frac{96-32}{96}\times100=66.7\%

Engineering Comment

The alarm item still has high severity. Lower RPN does not close the risk by itself. The release package must show that the state-machine test used the released firmware, that fault injection covered credible fault states, that timestamps were synchronized, and that any residual delay is acceptable in the risk file.

Step 4: Define Protocols and Acceptance Criteria

Convert traceability rows into protocols with pre-approved acceptance criteria.

ProtocolCoversRequired configurationAcceptance criterion
VVF-001signal error and SNRreleased analog front end, accessory supplier B, calibrated simulatorguarded error inside limit and SNR above requirement
VVF-002alarm latencyreleased firmware build, timestamp logger, fault injection harnessmaximum latency below project limit
VVF-003leakage currentfinal input protection and cable configurationmeasured current inside limit with calibration record
VAL-004critical setup tasksrepresentative users, production-intent accessory and instructionsno unmitigated critical task failure
VAL-005service release workflowservice technician, configuration tool and device labelcorrect configuration confirmed without critical error

Acceptance criteria must be written before execution. If a criterion is changed after results are known, the release memo should treat the row as a deviation and justify whether retesting is required.

Step 5: Apply an Uncertainty Guard Band

Protocol VVF-001 checks measurement error for an input signal. The project requirement is:

|E|\leq3.0\%

The measured error is:

E=-2.4\%

The uncertainty budget gives:

ContributorStandard uncertainty
signal simulator calibration0.20\%
fixture repeatability0.15\%
environmental drift0.10\%
analysis script rounding0.05\%
operator setup repeatability0.18\%

Combined standard uncertainty:

u_c=\sqrt{0.20^2+0.15^2+0.10^2+0.05^2+0.18^2}
u_c=0.326\%

With coverage factor:

k=2

expanded uncertainty is:

U=ku_c=2(0.326)=0.652\%

Guarded acceptance band:

A_g=3.0\%-0.652\%=2.348\%

The absolute measured error is:

|E|=2.4\%

Because:

2.4\%>2.348\%

the result fails the guarded decision rule even though it appears to pass the nominal 3.0\% limit.

Engineering Comment

This is exactly why the guard-band rule belongs in the protocol. A nominal pass near the limit can be too close to accept once measurement uncertainty is included. The correct action is not to hide the result. The project should improve the measurement method, improve the design margin, repeat the test with lower uncertainty, or revise the claim if justified.

Step 6: Check Software Timing Evidence

Protocol VVF-002 tests alarm latency from fault injection to displayed alarm state. The project limit is:

t_{alarm}<250\ \text{ms}

Ten recorded trials give maximum latency:

t_{max}=214\ \text{ms}

The timestamp logger uncertainty is:

U_t=8\ \text{ms}

Use a conservative upper-bound check:

t_{guarded}=t_{max}+U_t=214+8=222\ \text{ms}

Because:

222\ \text{ms}<250\ \text{ms}

the timing result passes the guarded limit.

Engineering Comment

The pass is valid only for the tested firmware build, fault injection method, logger synchronization, task load, communication path and display configuration. A later firmware optimization, packet retry change, or display update can invalidate the timing evidence even if the requirement text does not change.

Step 7: Interpret Reliability Exposure

The pilot readiness plan runs:

n=12\ \text{devices}

for:

t=240\ \text{h/device}

with no safety-critical firmware lockups. Total exposure:

T=nt=12(240)=2880\ \text{device-hours}

For a simplified exponential model with zero observed failures, a one-sided 90\% lower confidence bound for MTBF can be screened as:

\displaystyle MTBF_{90}\geq\frac{T}{-\ln(1-0.90)}

Since:

-\ln(0.10)=2.303

then:

\displaystyle MTBF_{90}\geq\frac{2880}{2.303}=1251\ \text{h}

Engineering Comment

This is a screening calculation, not a universal reliability claim. Zero failures in a short pilot does not prove field reliability across all users, accessories, environments, software states, cleaning cycles, service actions, and network conditions. The release memo should state the exposure covered and define post-release monitoring triggers.

Step 8: Disposition Deviations

The deviation log contains four items.

DeviationAffected evidenceRisk impactProposed disposition
VVF-001 guarded signal error failed by 0.052\%measurement accuracypossible trend biasrepeat with improved fixture and review design margin
VAL-004 one user skipped accessory confirmationsetup validationpossible wrong accessory userevise setup prompt and repeat critical task validation
VVF-002 logger file missing one noncritical metadata fieldalarm timingno timing data lossdocument and correct logger template before next run
service workflow used pre-release label artworkconfiguration confirmationpossible label mismatchrepeat service confirmation with production-intent label

Only the logger metadata issue may be document-only if the raw timing evidence remains intact and the quality procedure allows the disposition. The signal error, critical task failure and label mismatch affect release evidence and should be repeated or escalated.

Engineering Comment

A deviation is not automatically a failure, but it is also not automatically harmless. The decision should be based on affected requirement, affected configuration, risk control, measurement integrity, and whether the released product will match the tested condition.

Step 9: Make the Release Decision

Prepare the release decision summary.

AreaStatusRelease interpretation
traceability closurenot closed14 incomplete claims remain
signal accuracyfailed guarded ruleblocker until repeated or margin improved
alarm latencypassed guarded ruleacceptable for tested firmware and configuration
leakage currentpending calibrated recordblocker until objective evidence is attached
usability critical taskfailed one critical setup taskblocker until mitigation and repeat validation
service workflowrepeated label check requiredconditional blocker
reliability exposurescreening evidence onlyacceptable for pilot only with monitoring triggers

The release recommendation is:

Do not release the pilot configuration until signal accuracy, leakage current record, critical setup validation, label-based service confirmation and traceability gaps are closed. Alarm timing and preliminary reliability evidence may be retained for the tested configuration if configuration control confirms no relevant change.

Engineering Comment

This is the difference between a test summary and an engineering release package. The package does not ask whether some tests passed. It asks whether every claim and risk control needed for the intended release has objective evidence on the released configuration.

Final Deliverable Checklist

Before closing the project, verify that the package includes:

  1. intended-use boundary and release scope;
  2. controlled requirement list;
  3. risk-control evidence map;
  4. approved protocols and acceptance criteria;
  5. raw data and calculation records;
  6. measurement uncertainty and guard-band decisions;
  7. usability validation results for critical tasks;
  8. software build, hardware revision, accessory lot and calibration state;
  9. deviation log with engineering dispositions;
  10. residual-risk statement and release recommendation.

Common Failure Modes

Common V&V traceability failures include:

  • testing a prototype configuration but releasing a different configuration;
  • linking evidence to requirements but not to risk controls;
  • treating a passed verification test as validation of intended use;
  • ignoring measurement uncertainty near the acceptance limit;
  • closing a deviation without checking affected configuration and residual risk;
  • leaving labeling, service, training or accessory changes outside the traceability matrix;
  • using reliability exposure beyond the population and conditions actually tested.

Validation and Limitations

This project uses simplified requirements, small example counts and screening calculations. Real medical device engineering requires the applicable risk-management framework, standards, usability process, software lifecycle controls, cybersecurity review, electrical safety evidence, biological evaluation, sterilization evidence, manufacturing process controls, clinical evidence when needed, and independent quality review.

The project remains useful because the traceability logic is transferable: every claim should map to a requirement, every safety-relevant requirement should map to a risk control, every control should map to objective evidence, and every release decision should state the configuration and residual risk it actually covers.

REF

See also