Verification and Validation Plan
Summary
The Verification and Validation Plan is a comprehensive roadmap that outlines how you will prove your medical device meets its design specifications (verification) and fulfills its intended use (validation). This document serves as the master plan for all testing activities, ensuring systematic coverage of hardware, software, and integrated system components while demonstrating regulatory compliance.
Why is Verification and Validation Planning important?
Verification and validation planning exists because medical devices must demonstrate two critical aspects before market entry: that you built the device correctly according to specifications (verification) and that you built the right device for its intended use (validation). This systematic approach prevents costly redesigns, ensures patient safety, and provides regulators with confidence that your device performs as intended.
The planning phase is crucial because it establishes testing strategies early in development, allowing you to identify resource requirements, timeline dependencies, and potential technical challenges before they become critical path issues. Without proper V&V planning, you risk discovering fundamental design flaws late in development or failing to demonstrate essential performance characteristics required for regulatory approval.
Regulatory Context
Under 21 CFR Part 820.30 (Design Controls):
- Section 820.30(f) requires design verification to confirm design outputs meet design inputs
- Section 820.30(g) mandates design validation to ensure devices conform to defined user needs and intended uses
- FDA Guidance “Design Control Guidance for Medical Device Manufacturers” provides detailed V&V expectations
- Software devices must comply with FDA Guidance “General Principles of Software Validation”
Special attention required for:
- Software as Medical Device (SaMD) classification and corresponding validation rigor
- Predicate device comparison and substantial equivalence demonstration
- Clinical validation requirements for novel devices or new indications
- Cybersecurity validation per FDA premarket cybersecurity guidance
Under 21 CFR Part 820.30 (Design Controls):
- Section 820.30(f) requires design verification to confirm design outputs meet design inputs
- Section 820.30(g) mandates design validation to ensure devices conform to defined user needs and intended uses
- FDA Guidance “Design Control Guidance for Medical Device Manufacturers” provides detailed V&V expectations
- Software devices must comply with FDA Guidance “General Principles of Software Validation”
Special attention required for:
- Software as Medical Device (SaMD) classification and corresponding validation rigor
- Predicate device comparison and substantial equivalence demonstration
- Clinical validation requirements for novel devices or new indications
- Cybersecurity validation per FDA premarket cybersecurity guidance
Under EU MDR 2017/745:
- Annex II, Section 2 requires comprehensive verification and validation documentation
- Must comply with EN ISO 13485:2016 Section 7.3.6 for design verification and validation
- IEC 62304 mandatory for medical device software lifecycle processes
- IEC 62366-1 required for usability engineering and human factors validation
Special attention required for:
- Clinical evaluation requirements under Article 61 and Annex XIV
- Post-market clinical follow-up integration with validation activities
- Notified body assessment of V&V documentation completeness
- Essential requirements demonstration through verification and validation
Guide
Understanding Verification vs. Validation
Verification answers “Did we build the device right?” by confirming your design outputs meet design inputs. This includes testing that your software functions according to specifications, hardware meets performance requirements, and all subsystem requirements are satisfied.
Validation answers “Did we build the right device?” by confirming the complete device meets user needs and intended use requirements. This includes usability testing, clinical evaluation, and real-world performance assessment.
Planning Your V&V Strategy
Your V&V plan must address five core testing domains: performance verification, software verification, hardware verification (electrical, mechanical), biocompatibility evaluation, and usability validation. Each domain requires specific protocols, acceptance criteria, and documentation approaches.
Performance verification focuses on demonstrating your device meets its essential performance characteristics. Define measurable performance parameters from your system requirements and establish test methods that can objectively verify these parameters. Consider both normal operating conditions and edge cases that users might encounter.
Software verification requires systematic testing of software requirements through unit testing, integration testing, and system testing. Your plan should address how you will verify software requirements, validate software architecture decisions, and ensure Software of Unknown Provenance (SOUP) components are properly qualified.
Hardware verification encompasses electrical safety testing (IEC 60601 compliance), mechanical performance testing, and environmental testing. Plan for testing under various operating conditions, including temperature extremes, humidity, vibration, and electromagnetic interference.
Biocompatibility evaluation applies when your device contacts patients directly. Plan biological testing according to ISO 10993-1 based on contact type, duration, and tissue exposure. Consider whether existing biocompatibility data for materials can reduce testing requirements.
Usability validation ensures your device can be used safely and effectively by intended users. Plan human factors testing that addresses use-related risks identified in your risk management process.
Establishing Testing Protocols
Each testing domain requires detailed protocols that specify test methods, sample sizes, acceptance criteria, and statistical approaches. Your protocols should reference applicable standards (IEC 60601, ISO 10993, IEC 62304) and justify any deviations from standard methods.
Sample size determination should follow statistical principles outlined in your Statistical Methods SOP. Consider the risk level of requirements being tested, variability in your device population, and regulatory expectations for your device class.
Acceptance criteria must be objective, measurable, and traceable to design inputs. Avoid subjective criteria that could lead to interpretation disputes during regulatory review.
Managing Testing Dependencies
Your V&V plan must address testing sequence dependencies. Verification testing typically precedes validation testing, as you need confidence in individual components before testing the integrated system. However, some validation activities like usability testing can occur in parallel with verification activities.
Design freeze requirements should be clearly defined. Major verification testing should occur on design-frozen devices to avoid retesting costs. However, early verification testing on prototypes can identify design issues before significant development investment.
Outsourced testing coordination requires careful planning of testing laboratory schedules, sample preparation, and results integration. Plan for potential testing delays and have contingency approaches for critical path testing.
Documentation and Traceability
Your V&V plan establishes the documentation framework for all testing activities. Each test must be traceable to specific requirements, and test results must be documented in standardized reports that support regulatory submissions.
Traceability matrices should be planned to demonstrate complete coverage of user needs, system requirements, and subsystem requirements through verification and validation activities. Plan how you will maintain traceability as requirements evolve during development.
Change control integration ensures that requirement changes trigger appropriate V&V plan updates. Establish criteria for when requirement changes necessitate additional testing or protocol modifications.
Example
Scenario: You are developing a mobile health app that monitors heart rhythm using smartphone sensors. The app analyzes sensor data, detects potential arrhythmias, and provides users with rhythm assessments and recommendations for medical consultation.
Your V&V plan addresses software verification through automated testing of signal processing algorithms, user interface testing, and data security verification. Performance verification includes accuracy testing against reference ECG devices and timing validation for real-time processing. Usability validation involves testing with intended users to ensure they can properly position the device, interpret results correctly, and understand when to seek medical attention. Clinical validation demonstrates the app’s diagnostic accuracy compared to standard-of-care methods.
Verification and Validation Plan
Document ID: VVP-001
Version: 1.0
1. Purpose
This document outlines the verification and validation plan for the CardioMonitor mobile health application, ensuring the system meets design specifications and regulatory requirements for a Class II medical device software.
2. Scope
This V&V plan covers the complete CardioMonitor system including mobile application software, cloud-based analysis algorithms, and user interface components.
3. Verification Activities
3.1 Software Verification
- Unit Testing: Verify individual software modules meet functional requirements
- Integration Testing: Confirm proper data flow between app components and cloud services
- System Testing: Validate complete software system performance against system requirements
- SOUP Verification: Qualify third-party libraries for signal processing and data encryption
3.2 Performance Verification
- Signal Processing Accuracy: Test algorithm accuracy against reference ECG signals with known arrhythmias
- Real-time Performance: Verify processing latency meets <2 second requirement for rhythm analysis
- Data Security: Confirm encryption implementation meets HIPAA and GDPR requirements
3.3 Cybersecurity Verification
- Penetration Testing: Verify security controls against common attack vectors
- Data Integrity Testing: Confirm data cannot be modified during transmission or storage
4. Validation Activities
4.1 Usability Validation
- User Interface Testing: Validate users can correctly position smartphone and interpret results
- Use Error Testing: Confirm critical use errors are prevented or mitigated
- Training Effectiveness: Validate user instructions enable safe and effective use
4.2 Clinical Validation
- Diagnostic Accuracy Study: Compare app results to 12-lead ECG interpretations by cardiologists
- Real-world Performance: Validate app performance in typical use environments
5. Acceptance Criteria
- Software verification: All unit tests pass, integration testing demonstrates <1% data loss
- Performance verification: Sensitivity ≥95%, Specificity ≥90% for atrial fibrillation detection
- Usability validation: <5% critical use errors in simulated use testing
- Clinical validation: Diagnostic accuracy within 5% of predicate device performance
6. Testing Schedule
- Software verification: Weeks 1-4 of testing phase
- Performance verification: Weeks 3-6 (parallel with software verification)
- Usability validation: Weeks 5-8 (requires near-final software build)
- Clinical validation: Weeks 7-12 (requires completed verification testing)