Develop code to satisfy FDA software validation guidance

When building safety-critical medical device software, implementing early, rigorous detection of critical bugs and security vulnerabilities is a proven best practice for enhancing software reliability while reducing software validation costs. The FDA has issued guidance for proper validation of medical device software in its General Principles of Software Validation.

The guidance applies to any " used as components in medical devices, to software that is itself a medical device, and to software used in production of the device or in implementation of the device manufacturer's quality system."

The FDA guidance covers all aspects of software development - everything from requirements and design reviews to software maintenance and retirement. Klocwork addresses the following validation requirements as they relate to the software construction or coding phase:

FDA guidance

How Klocwork meets the FDA guidance

Software Verification

Software testing is one of many verification activities intended to confirm that software development output meets its input requirements. Other verification activities include various static and dynamic analyses, code and document inspections, walkthroughs and other techniques.

Klocwork is a leading static code analysis solution providing development teams:

  • Detection of critical bugs and security vulnerabilities
  • Software metrics analysis and trending
Defect Prevention

Software quality assurance needs to focus on preventing the introduction of defects into the software development process rather than trying to "test quality into" the software code after it is written. Software testing is limited in its ability to surface all latent defects in code. Software testing by itself is not sufficient to establish confidence that the software is fit for its intended use.

Static source code analysis technology allows development teams to find a wide range of defects prior to QA. With Continuous Desktop Analysis, developers find bugs at the desktop, prior to code check-in, enabling "in-phase bug containment," ensuring:

  • Bugs are not introduced into the code stream
  • Cleaner system builds
  • Fewer bugs are passed to QA
Software Validation after a Change

Due to the complexity of software, a seemingly small local change may have a significant global system impact. Whenever software is changed, a validation analysis should be conducted not just for validation of the individual change, but also to determine the extent and impact of that change on the entire software system.

Easily validate the impact of any changes:

Independence of Review

Self-validation is extremely difficult. When possible, an independent evaluation is always better, especially for higher risk applications.

Automated source code analysis provides an independent, automated review of source code. All reported bugs can be tracked each build through team reporting features, enabling prioritization of critical bugs for peer review.

Klocwork has a code review module to support peer review activities.

Construction or Coding
  • Source code should be evaluated to verify its compliance with specified coding guidelines. Such guidelines should include coding conventions regarding clarity, style, complexity management, and commenting.
  • Source code evaluations are often implemented as code inspections and code walkthroughs. Such static analyses provide a very effective means to detect errors before execution of the code.

Klocwork is used primarily during the coding or construction phase of the software lifecycle:

  • Klocwork provides support for a wide variety of coding style issues, including: out-of-the-box checks, use of Klocwork Extensibility (KAST), and software metrics analysis for McCabe Cyclomatic Complexity, Coupling, and 100+ other metrics.
  • Klocwork also offers a flowchart-based code review module to support code inspection activities.
Testing by the Software Developer

Code-based testing is also known as structural testing or "white-box" testing. Structural testing can identify "dead" code that is never executed when the program is run.

Klocwork Insight is designed to be used by the developer, at their desktop and supports the identification of multiple forms of dead code including unused code and unreachable code.

Learn more about Klocwork static source code analysis product page, or contact us today for a free trial.