How to validate Software Development tools used for GXP and MedDev?

Validating software development tools used for GxP and MedDev

Posted on Posted in Confluence, Electronic QMS, General, JIRA

Compliance is a key consideration when using software tools in the context of:

  1. Development of software applications which are used for good practice (GxP) purposes
  2. Development of software and hardware embedded on medical devices (MedDev).

Several standards and guidelines might be applied to the design of the software development lifecycle (SDLC) and the validation of software, like ISPE GAMP, ISO 12207, IEC 62304, CMMI and AAMI TIR45:2012.

The basic principles are common to all these approaches: Release management and requirements engineering, specifications and configuration management, risk assessment, project tasks, source code handling, testing including test automation, deployment and update processes including bug tracking.

The general framework for this process landscape should be covered by an overall Quality Management System (e.g. ISO 9001/CMMI). The SDLC processes practiced by an organization should ideally be based on a harmonized and consistent toolbox.

For example such a toolbox is provided by Atlassian with their Confluence, JIRA, and BitBucket applications. Working for the regulated industry would require a development company to map the regulatory requirements and guidelines to the internal processes and procedures supported by such tools. E.g. JIRA for project & issue management, Confluence as collaboration platform during requirements and design phase, and BitBucket for source control. Such tools can further extended to cover additional scope and requirements, as for example defined by CMMI process areas or ISO 12207 chapters.

In addition such tools can be aligned to map regulatory requirements like electronic signatures, audit trails, automated traceability matrix, electronic test evidence, exception reports and notifications (deviation, CA/PA). These function areas do not all come with the standard configuration and require special adaptions. The need to validate is not restricted to the system itself, but covers the entire work and operational processes. Hence it is better to say that you validate the process of e.g. requirements management rather than merely the tool.

Can quality processes using JIRA or other tools be validated?

The simple answer is YES. The key principles are to define what your process is and to demonstrate that the tools support this process. These are the basic steps to follow:

  • Define the SDLC processes (e.g. CMMI process areas) and reflect it as procedures;
  • Identify what are the features within the tools which will need to support the processes;
  • Analyse the processes to identify potential risks. Risk to a process represents what might go wrong and will impact negatively software quality or project delivery. For example, if 100 customer requirements were defined and there is no transparent method to ensure if all requirements were implement, then you might miss requirements;
  • Once all risks were identified see how you could mitigate them by procedural or technical strategies, e.g. by configuring the tool in a way to avoid or eliminate the risks;
  • Verify the correct configuration, installation, implementation and training of the tools and procedures;
  • Test that the actual processes work, report, analyze and fix any defects or incidents;
  • If all requirements are met, then approve and release the process and system into routine use;
  • Use the system as defined;
  • Listen and log feedback to improve your processes and systems.

Each iteration of improvement should follow the same cycle as described above. When done correctly you will end up with a coherent and efficient process enabling innovation, productivity, and compliance.

Like defined by the CMMI standard the capability and maturity levels define a strategic step-by-step approach to different target profiles or quality levels. It might be beneficial to start with a simple process first and gradually refine and extend the processes.

Interested to hear more? 

Consider attending our upcoming conference on ‘How to validate Software Development tools used for GXP and MedDev?’

We are aiming to align the tools with compliance frameworks and standards (best practice). Demystify the complexity and buzzwords like GMP, Part 11, Annex 11, GAMP5, CMMI, ISO, validation (DQ,IQ,OQ,PQ) and so on.