Parasoft Proprietary and Confidential 1
2014-10-09
Static Analysis and the FDA Guidance for Medical Device Software: Investigating the Application of MISRA
Jason Schadewald, Product Manager
About Parasoft
World Renowned for Automated Defect Prevention
• Founded in 1987 (27 years)
• Highly focused
• Privately held: no debt, no VCs
• >2,500 customers worldwide
• 27 years of profitable growth, innovation and customer value
• 28 patents associated with software quality
FDA Compliance
General Principles of Software Validation; Guidance for Industry and FDA Staff
http://www.fda.gov/RegulatoryInformation/Guidances/ucm126954.htm
• 8% of medical device recalls are due to software failures
• 80% of those are caused by defects introduced following changes
• Compliance with FDA is becoming increasingly rigorous
FDA Software Development Guidelines
FDA guidelines cover well understood software development best practices
FDA guidelines define principles and practices that should be performed, but not specific requirements
• FDA defines 'what', not 'how'
• "Least burdensome approach"
Processes are defined by the company and must follow the guidelines
• Every company has its own defined processes
FDA approves the process and audits compliance to the process
• The process cannot change without re-approval by the FDA
Archived reports for future audits are critical
Core FDA Concepts
Requirements must be defined
Software validation and defect prevention
Traceability
• from Requirements to Tests
• from Requirements to Source Code
Defined procedures for validation of definitions
• Requirements, Design and Test
Procedure for managing the project lifecycle
FDA on Static Analysis
3.1.2 “Software testing is one of many verification activities intended to confirm that software development output meets its input requirements. Other verification activities include various static and dynamic analyses, code and document inspections, walkthroughs, and other techniques.”
5.2.4 “Source code should be evaluated to verify its compliance with specified coding guidelines.”
MISRA
Mission Statement: “To provide assistance to the automotive industry in the application and creation within vehicle systems of safe and reliable software.”
Why MISRA for Medical?
• Coding Standards
• Well-defined
• Updated
• Flexible
• Deviation Strategy
• Auditable
• Why not?
Valuable MISRA Features
Accounting for language versions (C90 vs C99)
Directives and Rules classification
Decidability and Scope
Mandatory, Required, and Advisory categories
Deviate Responsibly
“A Specific Deviation is used when a MISRA C guideline is deviated for a single instance in a single file.” – Section 5.4
Each deviation must document:
• Which guideline
• Scope
• Justification
• Safety assurance
• Consequences and mitigations
Deviations Done Right
Rule 16.3 - “An unconditional break statement shall terminate every switch clause”
Deviation record for this rule:
• Guideline deviated
• Scope
• Justification and Safety Assurance
• Consequences, Mitigations, Additional Details
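To make the deviation record concrete, the following is an added example written for this page (not Parasoft's or MISRA's own code). It shows a specific deviation from Rule 16.3 recorded in a code comment at the point of the intentional fall-through, beside a Rule 16.3-compliant rewrite, and a check that the two handlers agree, which is the mitigation the record names. The command codes, flag names and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed command codes for a hypothetical device message handler. */
typedef enum {
    CMD_NOP    = 0,
    CMD_START  = 1,
    CMD_RESUME = 2,
    CMD_STOP   = 3
} cmd_t;

#define FLAG_STARTED 0x1u
#define FLAG_RUNNING 0x2u

/* Handler carrying a specific deviation from MISRA C:2012 Rule 16.3:
 * the CMD_START switch-clause deliberately has no break so that it
 * falls through into the CMD_RESUME handling. */
uint32_t handle_cmd_deviated(cmd_t cmd, uint32_t state)
{
    switch (cmd) {
    case CMD_START:
        state |= FLAG_STARTED;
        /* DEVIATION: MISRA C:2012 Rule 16.3 (Required)
         * Scope:            this switch-clause in this file only
         *                   (specific deviation).
         * Justification:    CMD_START must set FLAG_STARTED and then perform
         *                   exactly the CMD_RESUME handling; a copied clause
         *                   body could silently diverge on a later edit.
         * Safety assurance: the fall-through is explicit and reviewed; the
         *                   analyser finding is suppressed with this record,
         *                   so the instance remains auditable.
         * Consequences and mitigations: a compliant form exists in
         *                   handle_cmd_compliant(); handlers_agree() checks
         *                   that both produce identical results. */
        /* fall through */
    case CMD_RESUME:
        state |= FLAG_RUNNING;
        break;
    case CMD_STOP:
        state &= ~FLAG_RUNNING;
        break;
    case CMD_NOP:
        break;
    default:
        /* Rule 16.4: unknown codes are ignored by design */
        break;
    }
    return state;
}

/* Rule 16.3-compliant version: every switch-clause ends in an unconditional
 * break, so the shared behaviour is spelled out in the CMD_START clause. */
uint32_t handle_cmd_compliant(cmd_t cmd, uint32_t state)
{
    switch (cmd) {
    case CMD_START:
        state |= (FLAG_STARTED | FLAG_RUNNING);
        break;
    case CMD_RESUME:
        state |= FLAG_RUNNING;
        break;
    case CMD_STOP:
        state &= ~FLAG_RUNNING;
        break;
    case CMD_NOP:
        break;
    default:
        break;
    }
    return state;
}

/* The mitigation named in the deviation record: the deviated and compliant
 * handlers must agree for every command (including an unknown code) across
 * representative starting states. */
bool handlers_agree(void)
{
    const cmd_t cmds[] = { CMD_NOP, CMD_START, CMD_RESUME, CMD_STOP, (cmd_t)42 };
    const uint32_t states[] = { 0x0u, FLAG_STARTED, FLAG_RUNNING,
                                FLAG_STARTED | FLAG_RUNNING };
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        for (size_t j = 0; j < sizeof states / sizeof states[0]; j++) {
            if (handle_cmd_deviated(cmds[i], states[j]) !=
                handle_cmd_compliant(cmds[i], states[j])) {
                return false;
            }
        }
    }
    return true;
}

int main(void)
{
    bool ok = handlers_agree();
    printf("deviated and compliant handlers agree: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The comment block sits exactly where the analyser will flag the missing break, so a tool-level suppression can reference it and an auditor reading the report finds the guideline, scope, justification and mitigation without leaving the file. Whether the deviation is worth keeping is a judgement call: here the compliant rewrite is short, which is itself an argument for taking it instead of deviating.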
FDA/MISRA Alignment
FDA Guideline                  | MISRA Capability
“Least burdensome approach”    | Lightweight and flexible
Company defines standards      | Proven standards pre-packaged
Work must be traceable         | Provides traceability methodology
Process must be auditable      | Defines auditable reports