The use of modern static analysis has brought long-term best practices to medical software development.
More than half of existing medical devices depend on software in one form or another, either as an embedded system in the finished device or during its manufacture. While software drives advances in medical technology, it also creates risk, especially as it becomes increasingly complex. There is a strong correlation between code complexity and the number of defects in software. The safety-critical nature of medical devices requires that a variety of testing methods be employed to ensure that defects don’t slip through development and end up causing harm.
Since 2006, the use of static analysis to test code within traditional software verification and validation processes has seen a dramatic rise. Modern static analysis can discover complex defects in code by simulating every possible execution path of the program. Additionally, by focusing on run-time defects, new static analysis technologies evaluate more of the intricate interactions within code bases. A simple example of this is tracking the values of variables as they are manipulated down a path through the code, or the relationship between the treatment of function parameters and the corresponding return values. To analyse code at this level of sophistication, mature solutions combine path-flow and interprocedural analysis to evaluate what happens when the flow of control passes from one function to another within a given software system. The entire analysis is automated and does not require substantial modification to the existing development process.
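As an added illustration of the path-flow and interprocedural analysis described above (example code written for this article, not Coverity's tooling), here is a toy analyser built on Python's ast module. It computes a per-function summary ("may this function return None on some path?"), then walks each caller statement by statement, tracking which variables may hold None and clearing that state when an `is None` early-return guard is passed; the sample program and all function names are constructed for the example.

```python
import ast

# Constructed sample: lookup() returns None on one path; safe_size() guards it, unsafe_size() does not.
SAMPLE = """
def lookup(table, key):
    if key in table:
        return table[key]
    return None

def safe_size(table, key):
    rec = lookup(table, key)
    if rec is None:
        return 0
    return len(rec.items)

def unsafe_size(table, key):
    rec = lookup(table, key)
    return len(rec.items)
"""

def is_none(node):
    return node is None or (isinstance(node, ast.Constant) and node.value is None)

def summarize(tree):  # interprocedural summary: may the function return None on some path?
    return {fn.name: any(is_none(r.value) for r in ast.walk(fn) if isinstance(r, ast.Return))
            for fn in ast.walk(tree) if isinstance(fn, ast.FunctionDef)}

def is_none_guard(stmt, var):  # `if var is None: ... return/raise` proves var non-None after it
    t = getattr(stmt, "test", None)
    return (isinstance(stmt, ast.If) and isinstance(t, ast.Compare) and isinstance(t.left, ast.Name)
            and t.left.id == var and isinstance(t.ops[0], ast.Is) and is_none(t.comparators[0])
            and isinstance(stmt.body[-1], (ast.Return, ast.Raise)))

def find_null_derefs(src):  # -> [(function, line, variable)] for each unguarded may-be-None use
    tree = ast.parse(src); summaries, findings = summarize(tree), []
    for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        maybe_none = set()                  # path-flow state: names that may hold None here
        for stmt in fn.body:
            for node in ast.walk(stmt):     # any a.b or a[i] on a may-be-None name is a finding
                if (isinstance(node, (ast.Attribute, ast.Subscript))
                        and isinstance(node.value, ast.Name) and node.value.id in maybe_none):
                    findings.append((fn.name, node.lineno, node.value.id))
            maybe_none -= {v for v in maybe_none if is_none_guard(stmt, v)}  # guard clears taint
            if isinstance(stmt, ast.Assign):  # reassignment: tainted iff callee may return None
                c = stmt.value
                tainted = isinstance(c, ast.Call) and isinstance(c.func, ast.Name) and summaries.get(c.func.id, False)
                for tgt in (t for t in stmt.targets if isinstance(t, ast.Name)):
                    (maybe_none.add if tainted else maybe_none.discard)(tgt.id)
    return findings
```

Running `find_null_derefs(SAMPLE)` reports only the dereference in unsafe_size; the same access in safe_size is suppressed because the guard is on the path before it.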
The use of static analysis has given rise to long-term best practices in the development process for medical software. A good governance, risk and compliance policy that builds on the strengths of automated code testing with static analysis can make medical devices safer and the development process more efficient. Such policies allow development organisations to define and test code against compliance and regulatory requirements and to manage development risk throughout the development process. They also enable a prescriptive approach to controlling the quality and safety of the software and associated devices.
The rapid evolution of devices further increases the importance of bug-free software not only to improve device efficiency but also to reduce security threats. The question of security is critical as more devices incorporate features that require connectivity for control, reporting and monitoring.
An article published in the June 2, 2012, issue of the Economist, “When Code Can Kill or Cure,” raises the possibility of reprogramming an implantable cardioverter defibrillator either to withdraw therapy or produce unnecessary shocks. “Many manufacturers do not have the expertise or the willingness to utilise new tools being developed in computer science,” Kevin Fu, a computer science professor at the University of Massachusetts, told the Economist.
Fortunately, development testing solutions aligned with best practices can prevent security breaches and ensure the integrity of safety-critical code bases.
is Senior Manager, Worldwide Customer Advocacy and Communications, at Coverity, Quatro House, Lyon Way, Camberley, Surrey GU16 7ER, UK
tel. +44 1276 804 790