CDRH Software Forensic Lab Upgrade
MedSun: Newsletter #19, December 2007

In consultation with other federal agencies involved with software integrity issues (e.g., Department of Defense, FBI, National Institute of Standards and Technology, NASA), the CDRH Software Forensic Laboratory has leveraged the latest academic research to implement a state-of-the-art software forensic capability, according to the 2006 CDRH Annual Report. This technology is currently employed in the automotive and aeronautical industries. In an interview in Medical Devices Today, Brian Fitzgerald, the Deputy Director of OSEL’s Division of Electrical and Software Engineering, discusses the benefits of the recently upgraded “software forensics lab.”

Traditionally, in order to minimize risk, FDA has relied on validating the software design processes in the pre-market approval process. Fitzgerald explains that this approach is good but means that sometimes software errors do not become evident until after the device has been FDA approved and is in use. The recent upgrade to the forensic lab however, now makes it possible to automate the search for coding vulnerabilities in complex software. As stated in the CDRH 2006 Annual Report, this method, called “static analysis,” may be used in any phase of the product life cycle, but is particularly valuable in understanding the root causes of adverse events due to software failures. The report also notes that this new capability was used to the great benefit of CDRH in several recent high-profile compliance cases.

But static analysis remains a resource-intensive process and Fitzgerald explains that “Only cases that present an imminent public health threat warrant the level of effort required to do the analysis.” His hope is that in the future manufacturers will invest in this technology and provide “static analysis” before a product is submitted to FDA for pre-market approval.

Additional Information:

Read this article in full at

MedSun Newsletters are available at