Using static analysis to diagnose & prevent failures in safety-critical device designs

David N. Kleidermacher

September 16, 2008

David N. KleidermacherSeptember 16, 2008

Software content has grown rapidly in all manner of safety-critical devices. Meanwhile, society has become increasingly dependent upon their safe operation. Unfortunately, our ability to develop safe and reliable software has not improved at the same rate, resulting in increasing reliability and safety vulnerabilities.

This increase in software vulnerability poses a serious threat to human safety and demands new approaches to safe software development. Static analysis has emerged as a promising technology for improving the safety of software in safety critical applications such as medical devices and systems (See Sidebar). Beyond defect prevention, static analysis is also finding a home in medical forensics labs, aiding scientists who must locate the cause of failures in recalled medical devices.

Static analysis tools analyze software to find defects that may go undetected using traditional techniques, such as compilers, human code reviews, and testing.

A number of limitations, however, have prevented widespread adoption in safety crtical applications such as medical device software development. Static analysis tools often take prohibitively long to execute and are not well integrated into the software development environment. This article discusses a number of techniques that address these barriers to adoption.

Metrics are provided to demonstrate how static analysis can be incorporated as a practical and effective quality tool for everyday medical device software development. In addition to traditional analysis, the paper also discusses how static analysis technology can be extended to enable detection of a new class of defects.

Static source code analyzers attempt to find code sequences that when executed could result in buffer overflows, resource leaks, or many other security and reliability problems. Static source code analyzers are effective at locating a significant class of flaws that are not detected by compilers during standard builds and often go undetected during run-time testing as well.

Earlier Is Better
A number of studies over the years have shown that the cost of detecting and correcting a software flaw increases dramatically as a project moves through the development, integration, quality assurance, and deployment cycle [1], as depicted in Figure 1 below.

Figure 1 - Cost of software flaws

This reality matches common sense: a software developer who finds his own bug soon after adding it has recent context in which to quickly understand and fix the problem. As a project enters integration and test phases, a flaw is often discovered by someone other than the developer who added it and often much later than the flaw was introduced.

This, of course, makes it more difficult to trace the flaw back to its source and for developers to infer the cause and determine the optimal solution to the problem. Once a product has been deployed, the cost of a serious flaw is bloated by customer service resource usage, patching protocols, recalls, litigation, and other potential downstream effects.

From a cost-benefit perspective, static analysis is one of the most powerful tools in the safety-critical device software developer's arsenal because it enables defects to be cheaply discovered and fixed well before even a single line of code is ever executed.

Software Complexity
Many of the problems relating to loss in quality and safety in software can be attributed to the growth of complexity that cannot be effectively managed [2]. For instance, commodity operating system code bases have been increasing at a staggering rate.

Microsoft Windows grew from six million lines of code in 1993, to 29 million in 2000, and 50 million in 2005. A Debian Linux distribution increased even more rapidly: from over 55 million lines in 2000 to 104 million in 2002, and 215 million in 2005 [3]. In the medical device field, radiotherapy treatment planning (RTP) systems have grown increasingly sophisticated, reaching millions of lines of code [4].

Incidence of security vulnerabilities acts as a bellwether for tracking the effects of software complexity. According to CERT statistics, the number of documented vulnerabilities has been increasing almost exponentially, from approximately 400 in 1999, to more than 4000 in 2002, and more than 8000 in 2006 [5]. Over the past five years, the CVE database [6] shows high severity software vulnerabilities growing at a robust rate (Figure 2 below).

Figure 2 - High Severity Software Vulnerabilities (CVE)

Complexity strains traditional reliability techniques, such as code reviews, and implies a growing necessity for automated static analysis tools.

< Previous
Page 1 of 4
Next >

Loading comments...

Most Commented