
Andrey Karpov

PVS-Studio: the Additional Insurance of the Medical Software

Software bugs can cause not only material losses but also harm to human health. For example, actors on a theatre stage can be injured if a piece of scenery suddenly starts descending at the wrong moment. The connection between code errors and harm to health is even more obvious in medical software. Let's talk about this topic.

After my publication "Use PVS-Studio to Increase the Reliability and Security of Financial Software", several companies that create such software joined our client list. The article unexpectedly turned out to be successful and effective. Neither I nor my colleagues expected such a response. Apparently, an article works better when I speak not about bugs in general but about a specific class of software. Now I'm being asked to write articles covering other areas of software.

This article is aimed at the teams of developers who create programs for medical equipment. I hope they will not remain indifferent and will check their code using PVS-Studio. I also hope that a number of them will then join the list of our clients in the "Medicine" section.

Let's recall two famous cases where errors in medicine-related programs led to bad news.

The first is the series of tragic events caused by errors in the Therac-25 radiation therapy device. The device caused at least six radiation overdoses between June 1985 and January 1987; some patients received doses of tens of thousands of rad. At least two people died directly from the radiation overdoses. Software bugs in the device were the cause of the tragedies, and the main problem was an incorrect security strategy.

Secondly, software bugs can also cause harm indirectly. For example, bugs in software for MRI scanners raise questions about 40 000 studies. For several decades, neuroscientists and cognitive psychologists have used the statistical programs AFNI, SPM and FSL to analyze fMRI data. As it turned out, because of incorrect algorithms, these programs might return up to 70% false positive results instead of the expected 5%.

As you can see, code errors can lead not only to troubles such as a crash or a loss of data, but also to much more serious consequences that affect the lives and health of many people over many years.

Moreover, a developer is responsible not only for his own code but also for the code of the libraries he uses. It is an entirely realistic situation when an error in a third-party library produces artifacts in a generated image or video, and this leads to confusion in diagnosis.

This is not an abstract theoretical problem. I myself faced a situation in which, when porting a program to a 64-bit system, an error causing incorrect handling of MRI data began to reveal itself. Fortunately, the error showed itself very clearly: a large fragment of the image was absent. However, an error might not be that noticeable and might consist in the incorrect display of some details, and then it would be much harder to detect.

More information about this error is available in the article "PVS-Studio project - 10 years of failures and successes". It was this and some other 64-bit errors that inspired the creation of the Viva64 tool, which later turned into the PVS-Studio static code analyzer.

It is impossible to predict where errors will be and which errors will lead to trouble. An error can be complex and not necessarily make itself felt, lurking in the algorithm that processes and displays data. I can imagine a situation where, because of an error in a comparison function, the data of the wrong patient is selected for processing, or a program describing the condition of the patient fails to notice some differences in a data structure.

Am I a dreamer, and are such errors made only by students in their coursework? Ha! Please take some time to get familiar with my article "The Evil within the Comparison Functions". After that, you'll start to share my concern.
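The wrong-patient scenario above can be made concrete with a short C sketch. This is an added example, not code from the article or from PVS-Studio; the `ScanKey` layout, the function names and the sample records are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record key; the field names are assumptions for this example. */
typedef struct {
    char patient_id[16];
    char study_date[9];   /* YYYYMMDD */
    int  series;
} ScanKey;

typedef int (*scan_eq_fn)(const ScanKey *, const ScanKey *);

/* Copy-paste slip: the first test compares a with itself, so patient_id
   never takes part in the decision. */
static int scan_equal_buggy(const ScanKey *a, const ScanKey *b) {
    return strcmp(a->patient_id, a->patient_id) == 0   /* BUG: should be b-> */
        && strcmp(a->study_date, b->study_date) == 0
        && a->series == b->series;
}

/* Corrected: every field of a is compared with the same field of b. */
static int scan_equal_fixed(const ScanKey *a, const ScanKey *b) {
    return strcmp(a->patient_id, b->patient_id) == 0
        && strcmp(a->study_date, b->study_date) == 0
        && a->series == b->series;
}

/* Constructed sample: two patients scanned on the same day, same series. */
static const ScanKey RECORDS[] = {
    { "PAT-0001", "20180112", 3 },
    { "PAT-0002", "20180112", 3 },
};

/* Index of the first record equal to (id, date, series), or -1 if none. */
static int find_scan(const char *id, const char *date, int series, scan_eq_fn eq) {
    ScanKey key = { "", "", series };
    strncpy(key.patient_id, id, sizeof key.patient_id - 1);
    strncpy(key.study_date, date, sizeof key.study_date - 1);
    for (size_t i = 0; i < sizeof RECORDS / sizeof RECORDS[0]; i++)
        if (eq(&RECORDS[i], &key)) return (int)i;
    return -1;
}

int main(void) {
    printf("buggy: %d\n", find_scan("PAT-0002", "20180112", 3, scan_equal_buggy));
    printf("fixed: %d\n", find_scan("PAT-0002", "20180112", 3, scan_equal_fixed));
    printf("unknown, buggy: %d\n", find_scan("PAT-0009", "20180112", 3, scan_equal_buggy));
    return 0;
}
```

With the buggy comparator, a lookup for PAT-0002 returns the record of PAT-0001, and a lookup for a patient who is not in the table still returns a record; no crash or visible failure points to the defect.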

I invite all readers to start using the PVS-Studio static code analyzer. Yes, the analyzer, like any other tool, does not guarantee the absence of errors in your programs. However, it becomes an additional line of defense in the battle against bugs. It can help detect a lot of errors at the early stages of development and may help to save someone's health.

As I wrote above, a developer of mission-critical software is responsible not only for the quality of his own code but also for the code used from libraries. The PVS-Studio analyzer will help you find bugs in third-party libraries and will also enable you to evaluate their quality. Perhaps someone who sees extremely low quality in a library's code will decide in time to avoid using it and find a better alternative.

Here comes the last question, which I will answer myself. Why didn't I write this article immediately after the article about banking security? Code development for the medical field often means programming various microcontrollers. I was waiting until our analyzer was adapted to the analysis of code for embedded devices. Now I have a reason: "Static Code Analyzer PVS-Studio 6.22 Now Supports ARM Compilers (Keil, IAR)".

Thank you all for your attention. I suggest downloading and starting to use the PVS-Studio code analyzer. Useful links: