PVS-Studio - additional insurance for medical software

Errors in software can lead not only to material losses but also to harm to human health. For example, actors on a theater stage may be injured if a piece of scenery suddenly starts to descend onto the stage at the wrong time. In medical software, however, the relationship between code errors and health hazards is even more apparent. Let's talk about this topic.

After my publication "To increase the reliability and security of banking software, use PVS-Studio", several companies that create such software joined our list of clients. The article unexpectedly turned out to be successful and effective. Neither my colleagues nor I expected it to have such a return. Apparently articles have a much stronger effect when I write not about errors in general but about a particular class of software. So now I have to write articles covering other areas of software.
This article is aimed at teams of developers creating programs for medical equipment. I hope they will not remain indifferent and will test their code using PVS-Studio. I also hope that a number of them will then join the list of our clients in the "Medicine" category.



Let us recall two well-known cases when errors in programs related to medicine became the cause for sad news.

Therac-25

First, there is the series of tragic events caused by errors in the Therac-25 radiation therapy machine. From June 1985 to January 1987, this device caused at least six radiation overdoses; some patients received doses of tens of thousands of rad. At least two died directly from overdoses. The cause of the tragedy was errors in the device's software, and the fundamental problem was a flawed safety strategy.


Second, software errors can also cause harm indirectly. For example, bugs in software for MRI scanners cast doubt on 40,000 scientific studies. For several decades, neurobiologists and cognitive psychologists used the statistical programs AFNI, SPM and FSL to analyze fMRI data. As it turned out, due to incorrect algorithms, these programs can return up to 70% false positive results instead of the expected 5%.

As you can see, errors in code can lead not only to troubles such as program crashes or data loss, but also to much more serious consequences that affect the life and health of many people for years.

Moreover, developers are responsible not only for their own code but also for the code of the libraries they use. It is a very realistic scenario that an error in a third-party library produces artifacts when an image or video is created, and that these artifacts mislead whoever is making a diagnosis.

This is not an abstract theoretical problem. I ran into exactly this situation myself: after a program was ported to a 64-bit system, an error began to appear that led to incorrect processing of MRI data. Fortunately, the error manifested itself very clearly: it affected a large fragment of the image. However, such an error may be far less noticeable and consist of the incorrect display of some small details, in which case it is much more difficult to detect.


I wrote in more detail about this error in the article "How the PVS-Studio Project Began 10 Years Ago". It was this and some other 64-bit errors that formed the basis for creating the Viva64 tool, which then turned into the PVS-Studio static code analyzer.

It is impossible to predict where errors will occur and which of them will lead to trouble. An error does not have to be complicated to do damage; it can hide in an algorithm for processing and displaying data. I can imagine a situation where, due to an error in a comparison function, the data of the wrong patient is selected for processing, or the program fails to notice differences in the data structures describing the patient's condition.



Do you think I am fantasizing, and only students make such mistakes in their term papers? Ha! Please take a little time and read my article "Evil lives in comparison functions". After reading it, you will begin to share my concern.
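The kind of comparison defect described above, as an added example that is not taken from the original article or from PVS-Studio. The record type, field names, values and the helper `undetected_field_changes` are constructed for illustration; the helper is a small check that changes one field at a time and counts the changes a comparison function misses.

```cpp
#include <cstdint>
#include <string>
#include <tuple>

// Hypothetical record type; names and values are constructed for this example.
struct PatientRecord {
    std::string patient_id;
    std::uint32_t study_id;
    double dose_gy;
};

// Defective: a copy-paste slip compares a.dose_gy with itself, so two
// records that differ only in dose are reported as equal.
bool equal_buggy(const PatientRecord& a, const PatientRecord& b) {
    return a.patient_id == b.patient_id &&
           a.study_id == b.study_id &&
           a.dose_gy == a.dose_gy;
}

// Corrected: std::tie lists each field once per side, which leaves no
// room for the a/b mix-up above.
bool equal_fixed(const PatientRecord& a, const PatientRecord& b) {
    return std::tie(a.patient_id, a.study_id, a.dose_gy) ==
           std::tie(b.patient_id, b.study_id, b.dose_gy);
}

using Cmp = bool (*)(const PatientRecord&, const PatientRecord&);

// Field-by-field check: change one field at a time and count the changes
// the comparison fails to notice. A sound comparison returns 0.
int undetected_field_changes(Cmp eq) {
    const PatientRecord base{"P-0001", 17, 2.0};
    PatientRecord changed[3] = {base, base, base};
    changed[0].patient_id = "P-0002";
    changed[1].study_id = 18;
    changed[2].dose_gy = 20.0;
    int missed = 0;
    for (const PatientRecord& r : changed) {
        if (eq(base, r)) ++missed;
    }
    return missed;
}

int main() {
    // Exit status 0 only if the corrected comparison notices every change.
    return undetected_field_changes(equal_fixed);
}
```

A check like this belongs in the unit tests of any type that defines its own comparison, so that a field added later cannot be silently left out.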

I invite all readers to start using the PVS-Studio static code analyzer. Yes, this analyzer, like any other tool, does not guarantee the absence of errors in programs. However, it will become an additional line of defense in the battle against bugs. It will help detect a large number of errors at the very early stages of development and, possibly, help preserve someone's health.

As I wrote above, developers of critical software are responsible not only for the quality of their own code but also for the libraries they use. The PVS-Studio analyzer will help you find errors in third-party libraries and evaluate their quality. Perhaps someone who sees that a library's code is of extremely low quality will decide in time to stop using it and find a better alternative.

One last question remains to answer. Why didn't I write this article right after the article on banking software security? Developing code for the medical field often means programming various microcontrollers. I was waiting for our analyzer to be adapted to analyzing code for embedded devices. And now I have a reason: "The PVS-Studio 6.22 static code analyzer is adapted for ARM compilers (Keil, IAR)."
Thank you all for your attention. I suggest downloading the PVS-Studio code analyzer and starting to use it. Useful links:

  1. Download PVS-Studio for Windows
  2. Download PVS-Studio for Linux
  3. Note: PVS-Studio for macOS will be available soon
  4. Documentation. How to run PVS-Studio on Linux
  5. Examples of checking various open projects
  6. Write to our support with any questions; we will respond quickly and help you configure the analyzer to check your projects



If you want to share this article with an English-speaking audience, please use the link to the translation: Andrey Karpov. PVS-Studio: the Additional Insurance of the Medical Software.