System Life Cycle Development approach makes use of the SDLC methodology and includes a series of phases (“cradle to grave”) including, system conception and strategy, system development, system testing and validation, system operations and maintenance, system governance and system retirement.
SDLC: System Conception and Strategy
Once a system is selected, a strategic approach should be developed for testing and validating it such as an overall company approach, what rationale to be used to demonstrate the system is fully tested and validated to meet FDA compliance?, Who will be involved in the validation process? How will the documentation and approvals be completed? How will training be incorporated into the project? How will organizational change management be handled? Having completed a validation strategy, it is necessary to develop a very specific validation plan, which includes what SDLC phases and steps are required for this system, and how specifically will they be determined and rationalized? Who is going to do specific tasks? What level of testing is required? What will the project management schedule look like?
Risk-based Approach to SDLC
A risk-based approach to validating computer systems regulated by FDA has become an industry best practice. FDA does not have adequate staffing to inspect every system in every company visited. FDA expects companies to categorize their regulated systems based on risk, and prepare a risk profile that includes probability, severity and mitigation components. A standard risk approach should be developed for the company and used consistently.
Functional Requirements for SDLC
Detailed functional requirements must address all system functionality. Users must define and approve functional requirements. Every requirement must be “unique” and “testable.” Requirements should be maintained as current (“living” document). Care should be taken to include only those requirements that represent functionality that will be used, as each will require specific testing, which can become time-consuming. Detailed functional specifications must address all defined functional requirements: Users must sign off on them. Design specifications should be maintained as current (“living” document). In the case of a COTS (computer off-the-shelf software), the design will be replaced with a configuration specification. When implementing a system, there is often an opportunity to modify one or more current business processes to reflect more efficient and effective ways of operating. Current business processes should be adequately documented. Workshops can be used to engage users and identify opportunities for process improvement. Process changes should be those that are feasible, given the system’s functionality.
Testing in SDLC System Implementation
Testing is one of the most critical steps required before placing a system in production. Installation Qualification (IQ) should be performed on hardware, operating software and applications. Operational Qualification (OQ) should be performed on any code (unit and integration testing). Performance Qualification (PQ) should be specific to the way the system will be used and must be executed by the users. Develop a detailed test plan, including test scenarios and scripts. Include positive and negative scenarios, and boundary and stress testing. Segregation of duties should be followed. The RTM connects functional requirements, design specifications and test results. There must be one or more design elements for each functional requirement. This is one of the most critical documents to be available during an FDA inspection. For any successful system implementation, careful planning must be done to ensure users are ready to fully embrace and use it. A detailed Training Plan should be completed that addresses content, delivery, audience, timing and challenges. Training should be carefully timed. All training should be documented and available online for refresher and new employee training. An organizational change management plan should be developed to detail how progress will be communicated.
SDLC: System Operations and Maintenance
Operational and support manuals and scripts should be developed prior to moving a system into production. There should be manuals that detail the system configuration, maintenance requirements and schedules, and operational procedures for day-to-day activities, including logs to record these. Backup and archival are key aspects of operational support. Environmental requirements must be considered. The procedures should be followed to the letter and logs should be maintained to demonstrate the system is operating within control limits to assure data accuracy, quality, integrity and accessibility.