
FDA Must Ban Agile and Mandate Static Source Analysis

Yes, we have a complete whack job in charge of HHS, and the FDA is led by an anti-vax nutter, but they could still do something that would greatly benefit mankind. They could ban the use of Agile in the medical device and software industry. They could also mandate full static source analysis for all medical device code. This means from the UI all the way down to the OS, not just a tiny portion underneath an unsafe UI.

Watered Down Quality Risks Lives

Most of you don’t make medical devices. When you go to a doctor’s office or hospital you ass-u-me whatever they use on you is safe and works properly. For devices from a small group of companies that refuse to use Agile or any of the Script-Kiddie languages in their products, this is correct. For everyone else, sadly, it’s a coin toss.

Stories like this one are far too common.

Why Ban Script-Kiddie Languages?

They are worthless for true quality. Not one of them is type safe. Since most of you aren’t coders, here are some small examples.

#!/usr/bin/python

counter = 100          # An integer assignment
miles   = 1000.0       # A floating point
name    = "John"       # A string

print (counter)
print (miles)
print (name)

counter = "Mary had a little lamb"

print (counter)

print (counter / miles)

outputs

developer@i9-debian-dev:~/share$ python3 p1.py
100
1000.0
John
Mary had a little lamb
Traceback (most recent call last):
  File "/home/developer/share/p1.py", line 15, in <module>
    print (counter / miles)
           ~~~~~~~~^~~~~~~
TypeError: unsupported operand type(s) for /: 'str' and 'float'

It doesn’t take a techno-wizard to realize that a variable used for numbers and calculations shouldn’t allow text in it.

let x = 32;
console.log("x = " + x); // Outputs: x = 32
console.log("Some Math: " + 64 / x); // Outputs: Some Math: 2

x = "abc";
console.log("x = " + x); // Outputs: x = abc
console.log("Some Math: " + 64 / x); // Outputs: Some Math: NaN

JavaScript isn’t any better. By not hard failing invalid math via a stack dump, the program will happily give you the wrong output. Quite critical if what it was calculating was your insulin dosage.

These things don’t fail until run-time. Depending on your execution paths, it could be years before they turn up in production and kill someone. QML is a layer on top of JavaScript and it is hard to be solid when standing on sand.
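The silent NaN above, carried into a dose calculation, next to a guard that turns it into a hard failure. This is an added example, not code from the original post; the function names and the carbs-per-unit formula are hypothetical. The guard still fires only at run time, on the execution path that reaches it.

```javascript
// Added illustration: the function names and the carbs-per-unit formula are
// hypothetical and not taken from any real device.

// Weak form: trusts its inputs, so a non-numeric string yields NaN and the
// caller receives a "dose" without any error being raised.
function doseUnchecked(carbsGrams, gramsPerUnit) {
  return carbsGrams / gramsPerUnit;
}

// Guard: the value must be of type "number" and finite. Strings are rejected
// even when they look numeric, because "60" / "15" coerces silently and hides
// the fact that the value was never parsed or validated.
function requireFinite(name, value) {
  if (typeof value !== "number" || !Number.isFinite(value)) {
    throw new TypeError(`${name} must be a finite number, got ${String(value)}`);
  }
  return value;
}

// Guarded form: type check, range check, then a re-check of the result so
// that overflow to Infinity is also a hard failure.
function doseChecked(carbsGrams, gramsPerUnit) {
  const carbs = requireFinite("carbsGrams", carbsGrams);
  const ratio = requireFinite("gramsPerUnit", gramsPerUnit);
  if (carbs < 0 || ratio <= 0) {
    throw new RangeError("carbsGrams must be >= 0 and gramsPerUnit > 0");
  }
  return requireFinite("dose", carbs / ratio);
}

// Runs both forms on the same input and reports what each one did.
function compare(carbs, ratio) {
  const unchecked = doseUnchecked(carbs, ratio);
  try {
    return { unchecked, checked: doseChecked(carbs, ratio), error: null };
  } catch (e) {
    return { unchecked, checked: null, error: e.name };
  }
}

// Constructed sample inputs.
console.log(compare(60, 15));     // both forms agree
console.log(compare(60, "abc"));  // unchecked is NaN, checked throws
console.log(compare(60, 0));      // unchecked is Infinity, checked throws
console.log(compare("60", "15")); // unchecked coerces, checked throws
```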

Static Source Code Analysis

With compiled type-safe languages, you find out at compile time. Before you get anywhere near ready to test even a tiny piece of code you have to compile and link it. Really stupid stuff that violates type-safety is caught up front, not by a dead patient years down the road.

Yes, a developer could do something truly brutal like this.

union BAD_UNION
{
   long number;
   char str[4];
} data;

For the non-coders in this crowd, the above union won’t work at all when your compiler aligns numeric variables on “efficient memory boundaries for the CPU” but packs raw character data on byte boundaries. You can do something like this but only if you really need to. If your peers don’t shit on your code review, static source code analysis definitely will.

The problem is the FDA only recommends static source code analysis. It must mandate static source code analysis. That will automatically eliminate Script-Kiddie languages because you cannot perform valid static analysis on an interpreted non-type-safe language. Your medical devices will be safer.

Why Ban Agile?

Despite all of the hype, Agile is nothing more than hacking on the fly. Starting without a complete spec is no way to build a medical device or any other serious product. Just hacking at code until the money runs out and then declaring it “done” isn’t a plan. You have to have a definition of “done” other than “we’re out of money therefore it is done.”

At some point you have to produce a valid product people will purchase and use.

How many people would actually pay for Facebook, Twitter, etc.? Nobody. If it wasn’t free nobody would go there.

Agile has officially failed. I constantly hear of Agile debacles and the never-went-to-college-for-computer-science champions of Agile say “Oh that wasn’t real Agile!”

If you thought you heard that before, this sticker is why.

Leadership

Leadership is the big glaring hole in the Agile Manifesto. It is like trying to make concrete without water. Agile, via its daily stand-up (scrum) meeting tries to replace failed management with three questions.

  • What did you do yesterday?
  • What will you do today?
  • Are there any blockers?

That little list can only happen with a team of three while keeping it to a five minute meeting. I have been at client sites trying to do that with a team of 30+. No, it wasn’t done in five minutes. It’s really great when a company is stupid enough to have “festival seating” so you can’t even find the place your team is having the meeting.

With Waterfall SDLC we have a plan. We have it laid out in writing. If you don’t know what you are doing it is because you didn’t read the SDLC that was reviewed and signed off on. When you have delivered every item in the Software Specification Document, your project is done and ready for QA.

For more on the failure of Agile and the management teams relying on it you can read this book.

Summary

If the FDA really wants to save lives it will mandate static source code analysis. That will automatically eliminate Script-Kiddie languages because you cannot perform valid static analysis on an interpreted non-type-safe language. It will also pretty much mandate developers with a legitimate Computer Science degree doing development. Script-Kiddies ain’t got the patience for C/C++ and they sure as Hell don’t want anyone, especially a compiler, telling them they did something wrong. That’s just a hostile workplace!

Besides being a false methodology, Agile is based on the premise of “not having all of the requirements” up front. We need to jettison this premise from the FDA regulated world. When a medical device is hooked up to me I want to know the manufacturer had a solid plan and they did static source code analysis.

The FDA has the power to mandate both of these things and bar any grandfathering of existing devices.

Your medical devices will be safer.

Roland Hughes started his IT career in the early 1980s. He quickly became a consultant and president of Logikal Solutions, a software consulting firm specializing in OpenVMS application and C++/Qt touchscreen/embedded Linux development. Early in his career he became involved in what is now called cross platform development. Given the dearth of useful books on the subject he ventured into the world of professional author in 1995 writing the first of the "Zinc It!" book series for John Gordon Burke Publisher, Inc.

A decade later he released a massive (nearly 800 pages) tome "The Minimum You Need to Know to Be an OpenVMS Application Developer" which tried to encapsulate the essential skills gained over what was nearly a 20 year career at that point. From there "The Minimum You Need to Know" book series was born.

Three years later he wrote his first novel "Infinite Exposure" which got much notice from people involved in the banking and financial security worlds. Some of the attacks predicted in that book have since come to pass. While it was not originally intended to be a trilogy, it became the first book of "The Earth That Was" trilogy:
Infinite Exposure
Lesedi - The Greatest Lie Ever Told
John Smith - Last Known Survivor of the Microsoft Wars

When he is not consulting Roland Hughes posts about technology and sometimes politics on his blog. He also has regularly scheduled Sunday posts appearing on the Interesting Authors blog.