Code Review

Tuesday, April 14th, 2015 by Christian Johner

We understand the term code review to mean the checking of the source code itself (not the compiled program) by people other than its author, for example in the context of inspections or walkthroughs.

Regulatory requirements for code reviews

IEC 62304 does not explicitly require code reviews, but it does recognize them as one way of testing software units. In that case, written test criteria for the code review must be available, and the code review itself should be documented in writing as well.

The FDA does not require code reviews, but writes the following in the Software Validation Guidance Document:

Source code should also be evaluated to verify its compliance with the corresponding detailed design specification. […]  Source code evaluations are often implemented as code inspections and code walkthroughs. Such static analyses provide a very effective means to detect errors before execution of the code. They allow for examination of each error in isolation and can also help in focusing later dynamic testing of the software. […] Source code evaluations should be extended to verification of internal linkages between modules and layers (horizontal and vertical interfaces), and compliance with their design specifications. Documentation of the procedures used and the results of source code evaluations should be maintained as part of design verification.

Anyone who develops software for medical devices without having code reviews carried out should ask themselves whether they are in the right industry and whether software development is right for them. Doing without code reviews has nothing to do with professional programming.

Tips for practical implementation

General rules for code reviews

One of the most important measures that brought a significant drop in the error rate within my team was code reviews, applied consistently to all of the code. But that only works if you do it properly and comply with a few rules:

  1. A code review should not take longer than 30 minutes.
  2. A code review should examine the code against predetermined (and possibly programming-language-specific) criteria, including compliance with previously, ideally automatically, determined metrics and with the coding guidelines.
  3. A code review should also take the test code into account (including code coverage).
  4. A code review should be documented. More on that in a moment.
  5. A code review can also be performed in reverse. More on that in a moment.

Reverse Code Review

In a reverse code review, the author does not explain his code to the reviewer; it is the other way round. The reviewer explains to the author what he believes he has understood. This has great advantages:

  1. The reviewer stays focused, because he has to explain the code to the author.
  2. The author soon tires of the alleged slowness of the reviewer and in future writes code that even the reviewer will understand. This leads to understandable and maintainable code.
  3. The boss can be sure that a second person also understands the code. This reduces dependence on any one developer.

Four eyes see more than two. You should also do code reviews. It’s best to do them in reverse!

Documentation of code reviews

Document all code reviews, but keep it very concise. Either use a tool such as TFS or MedPack, or use a form (a sheet printed on the front and back) that lies on every desk or in a drawer of every developer. During the review, the reviewer fills out the form. Once a week the developer drops the completed forms into the quality manager's tray. Done. The overhead for the formalities should be in the range of a few seconds!

Checklists for code reviews

For premium members of the Auditgarant, a proven code review checklist is available for download. All Auditgarant members can view the associated training videos.

Formal aspects

Code reviews: Does the FDA require a signature? From whom?

"Who needs to sign a code review according to the FDA? Only one person, for example the reviewer or the moderator, or everyone involved, i.e. the developer, reviewer and moderator?"

To answer this question, we must briefly look at the concept of a code review: there is no such thing as "the" code review, but rather a number of different methods for static testing of the source code, for example

  • the walkthrough,
  • the technical review,
  • the informal review and
  • the inspection.

The FDA mentions some of these methods in its software validation guidance without explicitly demanding any one of them. The methods also differ in the people who are to be involved: an informal review, for example, has no moderator.

The statutory requirement for reviews can be found in 21 CFR Part 820. Here, too, no specific method is named.

This, then, gives us the answer: as a manufacturer, you describe in your Part 820-compliant quality management system which kinds of reviews you perform. Accordingly, you document the people who were involved, by signature.
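As an added example (not from the article or the Johner Institute), the following script checks the concise review record from the rules above (at most 30 minutes, predetermined criteria including metrics and coding guidelines, test code and coverage considered) and applies the answer just given on signatures: the required signers are whatever the manufacturer's own QMS defines for the chosen review method. The method-to-roles mapping and the 80 % coverage threshold are constructed assumptions standing in for such a QMS definition; only the statement that an informal review has no moderator comes from the text.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of what a manufacturer's QMS might define per method.
# Assumption: only "informal review has no moderator" is taken from the article.
QMS_REQUIRED_SIGNERS = {
    "informal review": {"author", "reviewer"},
    "walkthrough": {"author", "reviewer", "moderator"},
    "technical review": {"author", "reviewer", "moderator"},
    "inspection": {"author", "reviewer", "moderator"},
}

# Criteria the article says every code review must cover.
REQUIRED_CRITERIA = {"coding_guidelines", "metrics", "test_code"}


@dataclass
class ReviewRecord:
    """The few fields a one-sheet review form needs (constructed layout)."""
    unit: str                      # software unit or file under review
    method: str                    # review method as named in the QMS
    duration_min: int
    criteria_checked: set
    coverage_pct: Optional[float]  # None = coverage was not recorded
    signatures: set                # roles that actually signed
    findings: list = field(default_factory=list)


def check_record(rec, required_signers=QMS_REQUIRED_SIGNERS, min_coverage=80.0):
    """Return a list of deviations; an empty list means the record is complete."""
    problems = []
    if rec.duration_min > 30:
        problems.append(f"review took {rec.duration_min} min (> 30)")
    missing = REQUIRED_CRITERIA - rec.criteria_checked
    if missing:
        problems.append("criteria not checked: " + ", ".join(sorted(missing)))
    if rec.coverage_pct is None:
        problems.append("test coverage not recorded")
    elif rec.coverage_pct < min_coverage:  # threshold is an assumed QMS value
        problems.append(f"coverage {rec.coverage_pct}% below {min_coverage}%")
    if rec.method not in required_signers:
        problems.append(f"method '{rec.method}' is not defined in the QMS")
    else:
        unsigned = required_signers[rec.method] - rec.signatures
        if unsigned:
            problems.append("signatures missing: " + ", ".join(sorted(unsigned)))
    return problems
```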
