The Software Development Lifecycle (SDLC) is a main component of GMP computer system validation (CSV). In the life sciences industry, regulators audit companies using the GAMP 5 guidelines for GAMP 5 validation alongside FDA 21 CFR Part 11 requirements. Maintaining lifecycle documentation is critical in all phases of the software lifecycle (production implementation, routine maintenance, long-term support). Professionals who consult on and maintain SDLC documentation and standards are called IT Business Analysts and IT System Owners (ITSOs).

Computer system validation activities are gated in 4 phases. All items from the previous gate MUST be completed and APPROVED before moving to the next phase of activities. Lean Biologix follows a simple gated project plan to drive projects quickly to implementation in production. The scope of the testing activities is linked to GAMP 5 categories, with the nuances noted in the table below.

Why is SDLC important to GMP computer system validation?

SDLC is the package of documentation that, when reviewed in its entirety, ensures and provides proof that an application has been implemented and is supported in a compliant way.

What is GAMP 5?

GAMP 5 is an ISPE industry standard for IT computer system validation.

What is ISPE?

The International Society for Pharmaceutical Engineering (ISPE) leads scientific, technical, and regulatory advancement standards, including those for the entire pharmaceutical software application lifecycle.

What are User Requirements specifications?

User requirements are core system requirements which the business provides to the IT application team to configure the application to support business operations.

What are functional specifications?

These requirements describe the specific system functionality that will be used to meet the business requirements: exactly which system functions can be used to do the daily work of the business user.

What is the requirements traceability matrix?

This document is the key document linking all requirements and testing information. This is an especially useful document for internal auditing for periodic review and for FDA inspection.

What are design specifications?

This is the next level of detail from the functional requirements. If the functional requirement says how the system will meet the user requirement, the design details will capture exactly how the application is configured to meet the business requirements.

In what stage of systems development are design specifications created?

Design specifications are created during the INITIATE or initial requirements gathering phase. A lean SDLC validation model will have the application team working on design specifics as the business team is working through how exactly the system will meet their daily use cases.

Below is the complete list of SDLC deliverables for IT systems. By reviewing this with clients we can get an accurate scope of work and identify any potential risk areas while executing the project.

| SDLC / IT Project Deliverable | New IT System Implementation | Existing IT System Implementation / System Update | IT Enterprise System Periodic Review / System Remediation |
| --- | --- | --- | --- |
| Validation Plan | New IT systems require an overall plan approved by project team leaders on the deliverables required for the project. | Existing IT system functionality update or patching may require a validation plan depending on the size and risk profile of the project. | During review, quality should ensure that all validation plan deliverables were met as the project moved through gated phases. |
| Business Use Cases | Required | Required if new functionality is being introduced | If new functionality was added, business use cases and URS should have been updated accordingly and mentioned in the IT change control. |
| IT System Assessment | Required | Updates may be required to the system assessment if new functionality is introduced, especially if the functionality impacts a different business area or if guidance documents are updated. | The IT system assessment classifies the system and decides whether or not GAMP 5 and FDA guidelines need to be adhered to for the particular IT system. The system assessment will often also inform data integrity, financial, patient safety, and system criticality requirements. |
| Business User Requirements Document | Required | Required if new functionality is being introduced | If new functionality was added, business use cases and requirements should have been updated accordingly and mentioned in the IT change control. |
| Requirements Risk Assessment (RA) | Required | Required if new functionality is being introduced or existing functionality is being updated | The risk assessment, which classifies each user requirement based on risk to drive GAMP 5 IT testing requirements, must be maintained. |
| Functional Requirements Document (FS) | Required | Required if new functionality is being introduced or existing functionality is being updated | If new functionality was added, business use cases and requirements should have been updated accordingly and mentioned in the IT change control. |
| Design Requirements Document (DS) | Required | Required if new functionality is being introduced or existing functionality is being updated | If new functionality was added, business use cases and requirements should have been updated accordingly and mentioned in the IT change control. |
| Requirements Traceability Matrix (RTM) | Required | Required if user requirements are being updated OR to map testing runs pre/post validation testing. | Ensure that for each change control the testing performed is linked to requirements on the Trace Matrix. |
| Test Plan (TP) | Required | For the particular updates of this change, which requirements are impacted and how will all related testing be performed? This includes stage gates and the complete scope and order of testing. | Ensure for each change control that the test plan was created if required and, if required, that it was followed with the correct stage gates considered. |
| Test Scripts | Required | Required | Ensure all test scripts are linked to the test plan and trace matrix. Ensure testing was performed per GMP processes and that all test incidents were identified and resolved per company policy. |
| Validation & Test Report | Required | Required to summarize the test plan for higher risk changes. | Ensure that all test plan activities were completed as expected. |
| Data Migration Plan (DMP) | Required if the new IT system is replacing or utilizing data from existing IT systems. | Generally not required unless other systems are being retired and data is being combined into the target system for the change. | Ensure that proper data migration testing was performed. Data migration testing is often overlooked and may be included in other testing such as steps in operational (OQ) or User Acceptance (UAT) testing. |
| Backup and Restore Plan (BRP) | Required – Backup technologies and/or services should be based on business need. Backup scheduling should be consistent with disaster Recovery Point Objective (RPO). | Backup and restore testing is usually not required outside of the annual testing window. Testing may be required if the system hardware is affected by the change. Typically this could be in the case of a hardware upgrade. | Is the system backed up? Is annual Backup and Restore testing being performed and documented for the system? Has infrastructure changed since last review? |
| Disaster Recovery Plan (DRP) | Required – Document the process to minimize the effects of a disaster, allowing the organization to either maintain or quickly resume critical functions. There should be a focus on disaster prevention using availability grouping and alternate host locations. | Updates usually not required outside of the annual testing window. Testing may be required if the system hardware is affected by the change. Typically this could be in the case of a hardware | Has infrastructure changed since last review? |
| Business Continuity Plan (BCP) | Required – The business must have the ability to continue to supply the public, maintain safety, and to comply with the regulatory requirements. This document guides organizations to respond, recover, resume, and restore operation. | Updates usually not required outside of the annual testing window. Testing may be required if the system hardware is affected by the change. Typically this could be in the case of a hardware | Has infrastructure or business processes changed since last review? |
| Application Management SOP | Required – IT policy which outlines access levels and provides standard groups of change types for the application team to reference when performing changes. | Updates are potentially required if access levels are affected by a change or new functionality is introduced. | Needs to be periodically reviewed to ensure that the change level and access information is up to date and follows current company quality manual guidance. |
| Business Use SOPs | Required – Document(s) that cover the typical use cases and include sections on proper system use from a business perspective. | If functionality has been added or modified, impacted business SOPs should be identified and updated. | Document exists and is being maintained by business users. |