Static Analysis is increasingly recognized by the medical device industry as a fundamental tool for code inspection, bug detection, program understanding, and software life cycle management. In evaluating, selecting and using commercially available Static Analysis tool, the following considerations are given.

• Is white- box testing necessary?
• Is static analysis methodology fully implemented in the static analysis automation tools?
• How effective is a static analysis tool as measured by false negative rate?
• How efficient is a static analysis tool as measured by false positive rate?
• Can static analysis help design review?
• Can static analysis help verification and/or validation?
• Can static analysis help increase software development productivity and reduce software development cost?
• How critical is the usability of a static analysis tool in terms of reporting, tracking and customization?
• How important is the extensibility of a static analysis tool in terms of enforcing user specific rules/checkers?
• Should we care about performance? Why?
• How do we integrate a static analysis tool to development environment and configuration management system? Or shouldn’t we do it at all? Why not?
• Can a static analysis tool suite accommodate unit tests, standard compliance automation, architecture analysis, and software reliability metrics?
• How does static analysis promote best practices in software development and raise the bar of acceptable coding habits?
• What are the natural limitations of static analysis that we should be aware of?

I hope the discussion will be beneficial to our industrial practice toward developing safer and more reliable medical device products.

Attachment	Size
Chao09.pdf	169.26 KB