Leveraging Agile Methods - Some Key Questions

I'm here in Vienna speaking at the IIR Conference on Computer System Validation. Today I'm speaking on the topic of Alternative Software Development Lifecycles (registered subscribers to the Business & Decision Client Hub can access copies of the slides via the Client Hub login pages - follow the links to 'Webcasts').

During the questions and answers session there were some really good questions raised / observations made.

The first was concerning the acceptability of Agile methods as far as the regulatory agencies are concerned. This is probably more acceptable from the perspective of the FDA, because their General Principles of Software Validation doesn't reference any specific lifecycle and leverages good software development practices. Of more concern are PIC/S inspectors, because the PI011-3 guidance document specifically references GAMP 4 and includes the old GAMP 4 'V' model, with no plans to update this guidance.

When asked I replied that the best way to handle the issue of regulatory inspectors who aren't experts in computer system validation and software development is to use the Validation (Master) Plan to:

• Reference relevant regulatory or industry guidance (e.g. FDA guidelines or GAMP 5)
• Clearly define (or reference) the SDLC that is being used and how the project controls and software quality activities meet regulatory expectations (which means careful project-by-project planning)

Of course, it's also important to demonstrate that the project did what they were supposed to do (see the slides for details)

The second point was around more frequent, smaller software releases, using techniques such as time-boxing. The point being made was that although you may get to initial software release (and ROI) faster, this also means that you need to plan on doing important activities such as preparing operational and maintenance processes / SOPs, performing user training etc earlier than might have been the case following a more traditional SDLC.

The final interesting question was around the extent of the change control impact assessment, risk assessment and regression analysis. These are even more important with more frequent software releases and the conclusion was that this burden would probably be higher using 'Agile' techniques. However, in most cases where Agile techniques are applicable the burden of impact assessment, risk assessment and regression analysis should be more than offset by the advantages to the business in terms of faster ROI, lower development costs and delivering better functionality.