Static Analysis for FDA: What’s Involved?

In last week’s post, we introduced how static analysis is just one piece of the FDA compliance puzzle. In the next posts, we’ll explore this issue in more detail. We’ll start at the beginning: with an overview of what static analysis involves and how it’s applied in medical device software development processes.

Static code analysis monitors whether code meets expectations for security, reliability, performance, and maintainability. Static analysis typically includes:

• Static code analysis: Ensures that code meets uniform expectations around security, reliability, performance, and maintainability. This enables easy, early, and comprehensive detection of code patterns that lead to difficult-to-find yet potentially crash-causing defects.
• Data flow static analysis: Exposes runtime errors without requiring code execution. This technology simulates execution paths across multiple units, components, and files and identifies paths that could lead to critical errors. The result is early and effortless detection of defects that might otherwise take weeks to find.
• Metrics analysis: Calculates industry-standard metrics and/or identifies specific pieces of code that exceed industry-standard or customized metrics thresholds. This exposes brittle or overly-complex code that could be difficult or dangerous to reuse, extend, or maintain.

To ensure that static analysis becomes a sustainable, minimally-disruptive part of your process, you want to establish a continuous process that ensures static analysis scanning and remediation tasks are not only deployed across the SDLC, but also ingrained into the team’s workflow.

Managers set their expectations by defining a code compliance policy (e.g., through pre-configured FDA compliance templates).

Then, a daily static analysis process automatically monitors policy compliance at all layers of the application stack, identifies non-compliant code, and collects process metrics. Management gains real-time visibility into overall code compliance status and processes, which allows teams to document improvements as well as determine what additional actions may be needed to ensure medical device software safety and reliability.

Developers simply respond to the tasks reported from the automated scan. They can also perform interactive static analysis directly from their IDE to validate code before adding it to the main code base.

To promote rapid remediation, each static analysis issue detected should be prioritized, automatically assigned to the developer who introduced it, then distributed to his or her IDE with direct links to the problematic code and an explanation of how to fix it.

***

Photo credit: Myxi