Compliance with FDA Standards

Using an automated static analysis tool such as GrammaTech´s CodeSonar during the development of safety-critical medical device software can not only help assure the quality and reliability of the software, but also save time and money in compliance with industry standards.

The FDA´s coding guidelines for validation of medical device software, General Principles of Software Validation, classifies CodeSonar as a software verification tool. As stated in section 3.4, "Software validation can increase the usability and reliability of the device, resulting in decreased failure rates, fewer recalls and corrective actions, less risk to patients and users, and reduced liability to device manufacturers."

The General Principles of Software Validation covers all aspects of software development. The areas that can be addressed with CodeSonar are outlined below.

FDA Guidance Sections Addressed by CodeSonar

3.1.2 Verification and Validation

"Software verification looks for consistency, completeness, and correctness of the software and its supporting documentation."

CodeSonar is an automated static analysis tool for the detection of bugs and vulnerabilities. In addition to bug-finding, CodeSonar provides useful metrics, reporting tools, and an award-winning software architecture visualization system. Including CodeSonar in the verification process provides the benefits as discussed in this section of the guidance.

4.2 Defect Prevention

"Software quality assurance needs to focus on preventing the introduction of defects into the software development process and not on trying to test quality into the software code after it is written."

Using CodeSonar throughout the software development process allows you to detect bugs early and remove them early, without allowing them to filter into the later stages of development or quality assurance. Workflow automation features also help large teams work with warning reports in a streamlined and coordinated way.

4.7 Software Validation After A Change

"Whenever software is changed, a validation analysis should be conducted not just for validation of the individual change, but also to determine the extent and impact of that change on the entire software system."

Automated static analysis makes this process painless. Using CodeSonar allows you to analyze the code quickly and more efficiently. In particular, CodeSonar´s incremental analysis can save significant time, in which only those parts of the internal representation affected by changes in the code base are rebuilt and reanalyzed.

4.8 Validation Coverage

"Validation coverage should be based on the software´s complexity and safety risk - not on firm size or resource constraints."

The benefit of using CodeSonar is that, as a static analysis tool, it always analyzes all paths.

4.9 Independence of Review

"Self-validation is extremely difficult. When possible, an independent evaluation is always better, especially for higher risk applications."

CodeSonar´s automated analysis is intrinsically independent, providing an automated review of your source code. Workplace integration features help provide extra assurance of interpretation independence, for instance, by assigning a peer to evaluate or fix reports on your own code.

5.2.4 Construction or Coding

"Source code should be evaluated to verify its compliance with specified coding guidelines... regarding clarity, style, complexity management, and commenting. Source code evaluations are often implemented as code inspections and code walkthroughs. Such static analyses provide a very effective means to detect errors before execution of the code."

CodeSonar´s support with coding standards and initiatives provides efficient compliance of coding guidelines. Customization, built-in checks, and extension capabilities allow many architecture problems to be flagged automatically. Standard complexity metrics and any custom metrics you have defined are computed at the project, file, and function levels, allowing designers to easily identify problem areas.

5.2.5 Testing by the Software Developer

"Code-based testing... identifies test cases based on knowledge obtained from the source code, detailed design specification, and other development documents... Structural testing can identify dead code that is never executed when the program is run."

Static analysis is a complement to testing. CodeSonar´s analysis can be used to inform test case development and help resolve questions arising from test coverage analysis. The included architecture visualization feature allows reviewers to inspect structural properties of the software at a number of levels of detail.

5.2.7 Maintenance and Software Changes

"When changes are made to a software system, either during initial development or during post release maintenance, sufficient regression analysis and testing should be conducted to demonstrate that portions of the software not involved in the change were not adversely impacted."

Using CodeSonar can offer substantial time savings when analyzing large projects. CodeSonar´s incremental analysis capability allows for only those parts affected by changes in the code base to be rebuilt and reanalyzed. The CodeSonar hub database also provides a historical record of analyses for a software project and the warnings issued by the analyses.

6.3 Validation of Off-The-Shelf Software and Automated Equipment

"...the device manufacturer should consider auditing the vendor´s design and development methodologies used in the construction of the OTS software and should assess the development and validation documentation generated for the OTS software."

CodeSonar provides several methods for analyzing 3rd party software components. If source code is provided, it can be analyzed by CodeSonar. If only binary code is available, it can be analyzed directly with CodeSonar´s binary analysis, or it can be analyzed with one of the thousands of models shipped with CodeSonar. Or you can write your own model.