Reducing the Risk of the Software Supply Chain in Medical Devices


Medical devices rely on third-party and existing in-house software to meet functionality, cost, and time-to-market concerns. Although software of unknown pedigree (SOUP) is a well-known concept and software supply chain risk management is already a reality in medical device software development, until recently risk management has often ignored the risk of third-party components, for lack of sufficient technology to analyze and understand the impact of this software.

Of course, safety is the paramount concern, but security is becoming equally important, with cyber attacks being able to jeopardize safety, among other possible dangers. With this increased risk from outside software sources, it's important to leverage technologies developed to analyze and fix vulnerabilities in software. Static analysis can now provide insight into third-party code, even in binary form, lending a great aid to supply chain risk management.


Security as a New Risk Factor

Risk management of third-party software and other SOUP is already a required activity for FDA pre-market approval for medical devices. Note that software developed under properly documented processes (IEC 62304, for example) is not considered SOUP. When processes and documentation are not available, the software is considered to be of "unknown pedigree/provenance."

Security has become an increasingly important consideration, and the FDA has addressed this with the recent guidance on the topic. Security design, coding, and testing often fall outside the expertise of managers and developers in embedded software, since they require a unique set of skills. In addition, security is rarely top-of-mind when managing third-party code, which could be operating systems, libraries, or open source software. Evaluating these outside sources of software is time-consuming and costly. Automated tools such as static analysis can alleviate this.

Static Analysis for Assessing Third Party Code

Static analysis tools provide quality and security assessments of code without extensive hands-on testing or understanding of the code or source. Security vulnerabilities and serious bugs can be detected and analyzed for cause and effect. Detailed reports can be sent to software vendors or internal teams for remediation.

Of course, static analysis tools should also become part of the regular development cycle on newly-developed code. Combining the analyses from various sources provides a barometer of product quality and security. Recently-released binary code analysis technology from GrammaTech allows organizations to analyze binary code from third parties. This capability is a great addition to the quality toolset, empowering organizations to take control of software supply chain risk management.

Binary Code Analysis

GrammaTech's binary analysis technology is built into CodeSonar. It can evaluate object and library files for quality and security vulnerabilities, augmenting static source code analysis by detecting tool-chain induced errors and vulnerabilities. It can also be used to evaluate the correct use of library functions from the calling source into a binary object, making the combination of source and binary analysis a very powerful tool indeed.

Although the possibility of investigating and fixing issues found in third-party code is often limited, binary analysis does provide a bellwether of the quality and security of the code. Customers of commercial off-the-shelf (COTS) products can go back to the vendor's technical support and ask for confirmation and analysis of the discovered vulnerabilities. The key point is that the impact on risk management is better understood: third-party software with a large number of vulnerabilities found using binary analysis must be dealt with appropriately in the risk management plan.

Certified Tools and Trusted Vendors

GrammaTech has a long history of providing software tools to manufacturers of safety-critical products. GrammaTech CodeSonar is also a qualified tool under several safety-critical standards, which, although not specifically called out by the FDA for software development, do provide assurance that due diligence was carried out by the software vendor.

Confidence is required in an automated tool's results in order for them to be acceptable certification evidence for pre-market approval required by the FDA. Recognizing this need, GrammaTech CodeSonar is independently certified for use in the development of safety-critical software up to the highest safety integrity levels for ISO 26262, IEC 61508, and EN 50128. This certification means that developers can use CodeSonar with confidence that the results produced will be acceptable to approval bodies during certification.


A manufacturer’s success in medical device manufacturing depends on smart decision making, including build-versus-buy decisions for software. Bringing in outside source and binary code has its risks, though, and proper management of risk in terms of safety and security is required in order to market the device. Combined with source-based static analysis, new binary code analysis technology provides a practical way to assess third-party binaries and libraries. Static analysis reduces the risk and cost of leveraging existing software, helping manufacturers make good on the benefits of software re-use and satisfy strict software supply chain risk management.