How Static Analysis Reduces the Burden of Pharmaceutical Industry Regulatory Compliance
January 19, 2012
Since 1961, IMA has been designing and producing implants and equipment for packaging in the food and pharmaceutical industries. By adopting static analysis into the software development process, IMA is reducing the time and cost of regulatory compliance.
IMA products are characterized by a high level of personalization to meet the client’s specific needs—in both single packaging machines and complete production plants. In 2011, IMA celebrated its 50th year of business. Today, it has over 3400 employees; 22 production plants spread throughout Italy, Germany, U.K., U.S.A., India, and China; and a large network of agents and affiliates spanning virtually the entire globe.
By working with Parasoft, IMA significantly increased the efficiency and auditability of the strict quality process they adopted to comply with pharmaceutical industry regulations.
The Challenge: Reducing the Burden of Complying with Pharmaceutical Industry Standards
In order to develop solutions for the pharmaceutical market, a company must not only follow very strict requirements, but also demonstrate that they actually satisfied these rigorous expectations. To achieve this, they must provide evidence that the system is designed, constructed, and tested according to best practices implemented throughout the various phases of the lifecycle. These demands apply to software—which is becoming an increasingly critical and complex component of such systems—as well as system hardware.
To reduce the burden of complying with these strict guidelines, IMA started to research products that could help them manage the software development lifecycle—especially the testing and verification of the software that drives IMA machinery functionality. Specifically, they were looking to streamline the complementary processes of a) writing code according to predefined standards and b) verifying whether the code successfully follows those standards.
Beni Fricano, IMA Quality Assurance Manager, explained, “This is a process that, if done manually, would be arduous, expensive, difficult to document, and produce contestable results. After all, how can we demonstrate and document that among thousands of lines of code, not one line of dead code has escaped checking? These challenges are exacerbated by the fact that the manual processes used to achieve compliance on the software for one registered machine cannot readily be reused to check the software for another machine.”
The Solution: Static Code Analysis with a Robust, Easily-Configurable Flexible Rule Set
To tackle this challenge, IMA turned to Parasoft. Years ago, they started using Parasoft CodeWizard, a static analysis product that is the predecessor of the current Parasoft C/C++test product. The product shipped with a preconfigured set of rules that could be easily customized to suit the needs of a given project and/or industry.
They liked how simple it was to use and configure the tool in order to check the guidelines that were important for them. Fricano noted that “the icing on the cake” was the RuleWizard tool, which allowed them to modify the built-in rules as well as graphically define additional rules for any custom coding guidelines they decided to check. This tool was instrumental in enabling IMA to automate checking of the specialized set of standards they needed to follow for compliance purposes.
Since then, IMA has migrated to Parasoft C/C++test, which extends the basic Parasoft CodeWizard coding standard checking with comprehensive static analysis (static code analysis, flow analysis, metrics), peer code review, unit testing, and runtime error detection.
Faster, Easier, and Better-Documented Compliance Efforts
According to Fricano, the solution delivered value immediately. “Right away, previously arduous, boring and difficult-to-document tasks were transformed into tasks that we could perform systematically—in an automated and rapid manner. Parasoft’s reports can be attached to the documentation supplied to the client to prove that a task was completed. This is definitely less contestable than a manually-created report.”
As soon as they started working with Parasoft’s static analysis, the developers appreciated having an easy-to-use tool that provided many features (static analysis as well as code review and rich dynamic analysis capabilities introduced by Parasoft C/C++test) in a single integrated environment. They could apply it as required for compliance—with virtually no extra effort.