09. Software Supplier’s Role in Validation

auditors must look closely to determine whether the supplier does have a controlled Agile SDLC documented for its product or whether the supplier is just using the term Agile to mask an ad hoc, chaotic, and uncontrolled programming effort. (213) Writing software for regulated environments should be a creative discipline and not a creative art form. (216)


The classical “waterfall” approach to a software development life cycle (SDLC) described a sequential workflow from start to finish for a software development project, with each phase ending before the next started and with no provision for returning to an earlier phase to address issues as they arose. Given the complexity of developing much of today’s software, the majority of commercial software companies have moved to a modified waterfall or an Agile methodology for their SDLC practices.

Instead of building a whole system in one giant effort, Agile or Iterative Design methods break up the work into manageable pieces based either on time or by design features. Software teams agree on what can be done in 2-4 week cycles of time or which design features can be done as a complete module. The idea behind Agile programming is that a defined testable unit of code will be produced to identified design requirements. This brings both smoke testing and regression testing much earlier into the SDLC process and strengthens the product by early detection and resolution of coding and design issues and by testing to ensure compatibility of modules and interacting functions at the time they are created.

Guidance from GAMP 5 states that “Each project should define the program coding standards, directory structure standards, and the file naming conventions to be followed.” These items provide the standard tools for the coding, but a Software Architecture Document (SAD) is also needed to describe the whole architecture of what is to be built. In physical construction the structural design of a house is different from a bridge, or a shopping mall, or a skyscraper. The same is true for software construction, and it is important that the project team has an overall view of the design, i.e., a set of plans for what it is building – a batch record system, an inventory control system, a lab automation system, a clinical database with remote data capture, a pharmacovigilance system, a document management system, etc.

Today, many Computer-Aided Software Engineering (CASE) tools are being used in development. These include software tools for bug tracking, code management, testing frameworks, project management and product configuration among others. It is important to formally describe this virtual SDLC environment and to qualify each component version prior to first use. Training on how to traverse and use this virtual SDLC world is key to staying in control of proper tool use and the quality of the software product developed.


Next Month: Quality Assurance and Quality Control Roles in Validation

This division of quality roles is often lacking in software suppliers who frequently do not have a separate QA role in the company… sometimes they are confused by the common practice of calling their formal testing group a software quality assurance (SQA) function. In reality, the software testing group is actively involved in building quality into the product and operates as a software quality control (SQC) function. (264)