Medical Device Software Traceability

  • Fergal Mc Caffery
  • Valentine Casey
  • M. S. Sivakumar
  • Gerry Coleman
  • Peter Donnelly
  • John Burton


Software traceability is central to medical device software development and essential for regulatory approval. In order to comply with the regulatory requirements of the medical device industry it is essential to have clear linkages and traceability from requirements – including risks – through the different stages of the software development and maintenance life cycles. The regulatory bodies request that medical device software development organizations clearly demonstrate how they follow a software development life cycle without mandating a particular life cycle. However, due to the traceability requirements of the industry most medical device companies adopt the V-model. Within this chapter we will discuss the importance of traceability to medical device software development, the current state of practice within the industry in relation to traceability and how we feel that traceability could be improved within the industry. The chapter also describes the development and implementation of a medical device traceability software process assessment method (Med-Trace) in two medical device software development organizations. We include these two case studies as one involved a medical device SME based in Ireland and the other a medical device SME based in the UK as we want to illustrate that Med-Trace can be applied within different countries.


Medical device standards Medical device software traceability Medical device software process assessment and improvement 


  1. AAMI TIR32:2004: Medical Device Software Risk Management. AAMI, Arlington (2005)Google Scholar
  2. ANSI/AAMI SW68:2001: Medical Device Software – Software Life Cycle Process. AAMI, Arlington (2001)Google Scholar
  3. ANSI/AAMI/IEC 62304:2006: Medical Device Software—Software Life Cycle Processes. AAMI, Arlington (2006)Google Scholar
  4. Automotive SIG Automotive SPICE Process Assessment Ver. 2.2. August 2005Google Scholar
  5. BS EN 60601-1-4:2000 Medical Electrical Equipment, Part 1 – General Requirements for Safety. BSI, London (2000)Google Scholar
  6. Burton, J., Mc Caffery, F., Richardson, I.: A risk management capability model for use in medical device companies. In: International Workshop on Software Quality (WoSQ ’06), Shanghai, China, May 2006. ACM, New York, NY, pp. 3–8Google Scholar
  7. Casey, V.: Virtual software team project management. J. Brazil. Comp. Soc. 16(2), 83–96 (2010)MathSciNetCrossRefGoogle Scholar
  8. CMMI Product Team: Capability Maturity Model® Integration for Development Version 1.2. Software Engineering Institute. Pittsburgh, PA (2006)Google Scholar
  9. Damian, D., Moitra, D.: Global software development: How far have we come? IEEE Softw. 23(5), 17–19 (2006)CrossRefGoogle Scholar
  10. de Leon, D., Alves-Foss, J.: Hidden implementation dependencies in high assurance and critical computing systems. IEEE Trans. Softw. Eng. 32(10), 790–811 (2006)CrossRefGoogle Scholar
  11. Denger, C., Feldmann, R., Host, M., Lindholm, C., Shull, F.: A snapshot of the state of practice in software development for medical devices. In: First International Symposium on Empirical Software Engineering and Measurement, Madrid, Spain, 2007, pp. 485–487Google Scholar
  12. DO-178B: Software Considerations in Airborne Systems and Equipment Certification. RTCA, USA, 1st Dec 1992Google Scholar
  13. Espinoza, A., Garbajosa, J.: A proposal for defining a set of basic items for project-specific traceability methodologies. In: Proceedings of the 32nd Annual IEEE Software Engineering Workshop, Kassandra, Greece, pp. 175–184 (2008)Google Scholar
  14. European Council: Council Directive 93/42/EEC Concerning Medical Devices. Official Journal of the European Communities, Luxembourg (1993)Google Scholar
  15. European Council: Council Directive 2000/70/EC (Amendment). Official Journal of the European Union, Luxembourg (2000)Google Scholar
  16. European Council: Council Directive 2001/104/EC (Amendment). Official Journal of the European Union, Luxembourg (2001)Google Scholar
  17. European Council: Council Directive 2003/32/EC (Amendment). Official Journal of the European Union, Luxembourg (2003)Google Scholar
  18. European Council: Council Directive 2007/47/EC (Amendment). Official Journal of the European Union, Luxembourg (2007)Google Scholar
  19. Feldmann, R.L., Shull, F., Denger, C., Host, M., Lindholm, C.: A survey of software engineering techniques in medical device development. In: Joint Workshop on High Confidence Medical Devices, Software, and Systems and Medical Device Plug-and-Play Interoperability, Cambridge, MA, USA, 25th–27th June 2007, pp. 46–54Google Scholar
  20. GAMP 5:2008: A Risk-Based Approach to Compliant GxP Computerized System. ISPE, Florida (2008)Google Scholar
  21. Gotel, O., Finkelstein, A.: Extended Requirements Traceability: Results of an Industrial Case Study. In: Proceedings of the 3rd International Symposium on Requirements Engineering, Annapolis, MD, USA, 6th–10th Jan 1997, pp. 169–178Google Scholar
  22. Higgins, S.A., de Laat, M., Gieles, P.M.C., Geurts, E.M.: Managing requirements for medical IT products. IEEE Softw. 20(1), 26–33 (2003)CrossRefGoogle Scholar
  23. IEC 60812:2006: Analysis Technique for System Reliability – Procedure for Failure Modes and Effects Analysis (FMEA), 2nd edn. IEC, Geneva, Switzerland (2006)Google Scholar
  24. IEC 60880:2006: Nuclear Power Plants – Instrumentation and Control Systems Important to Safety – Software Aspects for Computer-Based Systems Performing Category A Functions. IEC, Geneva, Switzerland (2006)Google Scholar
  25. IEC 62366:2007: Medical Devices – Application of Usability Engineering to Medical Devices. IEC, Geneva, Switzerland (2007)Google Scholar
  26. IEC/TR 61508:2005: Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems. BSI, London (2005)Google Scholar
  27. IEC/TR 80002-1:2009: Medical Device Software Part 1: Guidance on the Application of ISO 14971 to Medical Device Software. BSI, London (2009)Google Scholar
  28. ISO 13485:2003: Medical Devices — Quality Management Systems — Requirements for Regulatory Purposes, 2nd edn. ISO, Geneva, Switzerland (2003)Google Scholar
  29. ISO 14971:2007: Medical Devices — Application of Risk Management to Medical Devices, 2nd edn. ISO, Geneva (2007)Google Scholar
  30. ISO/DIS 26262: Road Vehicles – Functional Safety. ISO, Geneva, Switzerland (2009)Google Scholar
  31. ISO/IEC 12207:1995: Information Technology — Software Life Cycle Processes. ISO, Geneva, Switzerland (1995)Google Scholar
  32. ISO/IEC 15504-5:2006: Information Technology — Process Assessment — Part 5: An Exemplar Process Assessment Model. ISO, Geneva, Switzerland (2006)Google Scholar
  33. Kannenberg, A., Saiedian, H.: Why software requirements traceability remains a challenge. Cross Talk: The Journal of Defense Software Engineering 22(5), 14–17 (2009)Google Scholar
  34. Lee, I., Pappas, G., Cleaveland, R., Hatcliff, J., Krogh, B., Lee, P., Rubin, H., Sha, L.: High-confidence medical device software and systems. Computer 39(4), 33–38 (2006)CrossRefGoogle Scholar
  35. Liao, L., Qu, Y., Leung, H.: A software process ontology and its application. In: Workshop on Semantic Web Enabled Software Engineering, Galway, Ireland, Nov 2005Google Scholar
  36. Mason, P.: On traceability for safety critical systems engineering. In: Proceedings of the 12th Asia-Pacific Software Engineering Conference, 2005, Taipei, Taiwan, 15th–17th Dec 2005Google Scholar
  37. Mc Caffery, F., Burton, J., Casey, V., Dorling, A.: Software process improvement in the medical device industry. In: Laplante, P. (ed.) Encyclopedia of Software Engineering, vol. 1. CRC Press Francis Taylor Group, New York, NY (2010a)Google Scholar
  38. Mc Caffery, F., Dorling, A.: Medi SPICE: An overview. In: International Conference on Software Process Improvement and Capability Determinations (SPICE), Turku, Finland, 2nd–4th June 2009, pp. 34–41Google Scholar
  39. Mc Caffery, F., Dorling, A., Casey, V.: Medi SPICE: An update. In: International Conference on Software Process Improvement and Capability Determinations (SPICE), Pisa, Italy, 18–20 May 2010. Edizioni ETS, pp. 195–198 (2010b)Google Scholar
  40. Mc Caffery, F., Taylor, P.S., Coleman, G.: Adept: A unified assessment method for small software companies. IEEE Software – Special Issue SE Challenges in Small Software Organization 24(1), 24–31 (2007)Google Scholar
  41. Medical & Radiation Emitting Device Recalls: FDA. Accessed 25 Nov 2010 (2010)
  42. Nuseibeh, B., Easterbrook, S.: Requirements engineering: A roadmap. In: International Conference on Software Engineering, Limerick, Ireland (2000), pp. 35–46Google Scholar
  43. Panesar-Walawege, R., Sabetzadeh, M., Briand, L., Coq, T.: Characterizing the chain of evidence for software safety cases: A conceptual model based on the IEC 61508 Standard. In: Third International Conference on Software Testing, Verification and Validation, Paris, 6th–10th Apr 2010, pp. 335–344Google Scholar
  44. Rakitin, R.: Coping with defective software in medical devices. Computer 39(4), 40–45 (2006)CrossRefGoogle Scholar
  45. Ramesh, B.: Factors influencing requirements traceability practice. Communications ACM 41(12), 37–44 (1998)CrossRefGoogle Scholar
  46. US FDA Center for Devices and Radiological Health: General Principles of Software Validation; Final Guidance for Industry and FDA Staff. CDRH, Rockville (2002)Google Scholar
  47. US FDA Center for Devices and Radiological Health: Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices. CDRH, Rockville (2005)Google Scholar
  48. US FDA Center for Devices and Radiological Health: Off-The-Shelf Software Use in Medical Devices; Guidance for Industry, Medical Device Reviewers and Compliance. CDRH, Rockville (1999)Google Scholar
  49. Wallace, D.R., Kuhn, D.R.: Failure modes in medical device software: An analysis of 15 years of recall data. Int. J. Reliability, Quality, Safety Eng. 8(4) (2001)Google Scholar

Copyright information

© Springer-Verlag London Limited 2012

Authors and Affiliations

  • Fergal Mc Caffery
    • 1
  • Valentine Casey
    • 1
  • M. S. Sivakumar
    • 1
  • Gerry Coleman
    • 1
  • Peter Donnelly
    • 1
  • John Burton
    • 2
  1. 1.Regulated Software Research Group, Lero, Dundalk Institute of TechnologyDundalkIreland
  2. 2.Vitalograph Ireland Ltd., EnnisIreland

Personalised recommendations