FDA's Use of CodeSonar® Detailed in Embedded Systems Design

April 7, 2008

Embedded Systems Design today published an article co-authored by Raoul Jetley of the FDA and GrammaTech's Paul Anderson, titled "Using static analysis to evaluate software in medical devices." An excerpt appears below, with a link to the full article.

Using static analysis to evaluate software in medical devices

By Raoul Jetley and Paul Anderson

The Center for Devices and Radiological Health (CDRH) at the FDA is responsible for post-market surveillance of medical devices. If a device failure resulting in actual or potential serious injury or death is reported, the manufacturer of the medical device is required to investigate, determine the root cause and contributory factors, develop appropriate corrective actions, and report their findings to CDRH.

In cases where the adequacy of the manufacturer's investigation or corrective action is in question, CDRH may conduct an independent investigation. Commensurate with the threat to public health, CDRH can unilaterally take a range of actions, including issuing public health notifications or mandating a product recall.

Performing a post-market investigation, however, is not an easy task. This is particularly true in the case of software, where the execution is often user-driven and system-specific. To further complicate matters, device software is usually event-driven, resulting in failures that are often unpredictable and may not be easily reproducible. In such cases, the only way to trace the software flaws has historically been to manually review the source code itself. Given the complexity of modern medical-device software, this is a very difficult and time-consuming task for a third-party investigator with no prior knowledge of the software.

Recently the CDRH's Office of Science and Engineering Laboratories (OSEL) has been investigating the use of static analysis technology to assist in this task. This article gives a brief introduction to static analysis and explains how we used this technique to detect flaws.

Click here to see the full article on the Embedded Systems Design website.

About GrammaTech:
GrammaTech's static-analysis tools are used worldwide by startups, Fortune 500 companies, educational institutions, and government agencies. The staff includes fourteen researchers with PhDs in programming languages and program analysis.

Previous Article
Static Analysis and IEC 62304
Static Analysis and IEC 62304

INTRODUCTION: The IEC/ISO 62304 standard defines a risk and quality driven software development...

No More Articles