Use Cases

By Mark Gunn

In previous issues we have discussed solid business requirements, a master test plan, and a defect tracking system. The next step in the process, and one which is often overlooked, is to create use cases or test conditions.

Before you can begin to write test cases, you will need to understand how the system is going to be used. The system design documents will reflect how the system will be accessed and how data can be entered. This will be evident in the design or layout of the application. The application users will be able to explain how they intend to use the application. Of course, that has all been worked out and documented by the Business Analyst when the new SOP’s were written that reflect how the new application will impact the work flow. To best reflect how the work flow will affect the application, use cases should be written.

The use case should be a straight forward step by step process for how the users of the application will enter and use information. In its simplest form, they will cover how to Add, Change, and Delete information. Based on the type of application, this will require more detail but these are the basic constructs for a use case.

Without use cases, the test cases may be testing work flows that will never happen or more importantly, overlooking work flows that will happen.

For example; if you didn’t know that an end user will not have all of the information for an application module the first time they begin a new record, then you might construct a test case that was testing a first time completed module. Since a first time completed module initially can not happen, you may overlook in your testing that the system does not allow the user to save a partial record. The use case will cover this scenario and your test cases will accurately reflect these test conditions.

When you have completed your use cases, test cases can now be written so that they will completely test all of the applications requirements, designs and work flows.

Next time….writing good test cases!

Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at Mark@mgdservices.com

FDA Watch: Thinking like the FDA

By Mark Gunn
MGD Services

Those of us in an FDA regulated industry sometimes get caught up in all of the regulations and documentation and forget why the FDA is requiring us to create what seems like never ending documentation. At its core, the FDA has a very simple job, to assure quality.

The FDA is charged with assuring the quality of the products of the pharmaceutical industry. This can be manufacturing (GMP), laboratory (GLP), clinical trials (GCP), medical devices, etc. The FDA requires you to prove you have a quality process in place. They need to know the public can be assured that the products produced are safe and do what they were intended to do. The only way the FDA can be assured that quality is being met, is to demand that we prove it. And if you think about it, the FDA should not really be located in Washington DC. They should be located in Missouri, the “Show Me” state.

Thinking like an FDA auditor, no matter how scary that thought might be to you, is really very basic. They are much like a very inquisitive 5 year old. I don’t mean this to be demeaning any way. If you have ever explained a very complicated process to a 5 year old you know what I mean. After every statement you make the child follows it with “but why?” You then have to back your last statement up with another explanation. The FDA works much the same way. They really don’t have any choice.

For example:

FDA auditor: How do you know the data I am looking at is accurate and correct?

Client: We know who entered the data and we know that they are qualified to enter it.

FDA auditor: How do you know that they are qualified?

Client: We have their latest CV on file and it shows the training they have taken.

FDA auditor: How do you know they attended the training?

Client: We have a signed record of the class attendance.

FDA auditor: So you know that the person who entered the data is qualified to enter it. How do I know they are the ones that entered the data?

Client: We have done our Risk Assessment for 21CFR Part11 and we know we have to be compliant and we are…

And so the line of questioning will continue. But you get the idea.

If you think along these lines, you should be able to embrace what the FDA requires rather than avoiding it. Ask yourself these types of questions for any risk assessed task and you will understand why the FDA has the regulations and guidelines that they do.

The next time you have to make a change to a regulated process you have to be able to back up that change with all of the documentation necessary to prove what affect it will or will not have on your current validated process. For an auditor to assure quality, they must be able to prove that what they are observing is accurate. That is why the regulations and guidelines are in place, so that you can show them that you have a quality process.

And the Validation Library is the place where the FDA auditor starts to look. More on that next time…

Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at Mark@mgdservices.com

In the News: Revlon Run/Walk for Women

by Gretchen Gunn

Created in 1993 through the committed and collective efforts of the Entertainment Industry Foundation, Lilly Tartikoff, Ronald O. Perelman, and The Davis Group, the Revlon Run/Walk For Women has grown to become one of the nation's largest 5K fundraising events. To date, the Run/Walks (NY/LA) have raised over 30 million dollars for cancer research, counseling, and outreach programs. Thanks in part to these funds, new treatments are being developed and lives are being saved.

Some of MGD Services, Inc. employees and friends are participating in this worthy cause. Team captain, Gretchen Gunn shares some of her thoughts on the event and why she is participating. We welcome anyone interested in joining us! Click here to join the team.

Running has been my way to maintain both a healthy body and soul. And now it is a vehicle that will allow me to support others. On April 30, 2005, I will be participating in the Revlon Run/Walk for Women. I have also convinced a group of my friends to join me. Our team is called the Band of Babes. What started as a way to do something I enjoy and help others, has moved me in ways I did not expect. I have learned that many of my friends have either felt the sorrow of losing someone to cancer or they have lived the terror of having cancer themselves. Please donate and help support research to find a cure for women's cancers. A donation from you would be gratefully appreciated. Thank you for joining the Band of Babe's efforts to find a cure!

Save a Life, Make a Pledge

It is estimated that one in eight American women will develop breast cancer at some point in her life. In 2004, 272,000 women will have died from cancer. Behind this staggering statistic is the face of a woman who needs your help - a mother, a wife, a sister, a friend. The need is great and that is why I would like to ask for your help.

Click here to make a pledge.

Master Test Plans

By Mark Gunn

Prior to writing test cases for your project testing, you must create a master test plan that encompasses the complete range of testing tasks to be accomplished. To continue the construction analogy from my previous article (I just finished building a game room in our basement so forgive me) you can’t construct a building without a blue print and the same applies for testing a system.

The Master Test Plan is the blue print for how you will conduct your testing for the entire project life cycle. This is the vehicle that will communicate the testing scope and strategy to the rest of the project team. Development, project management, the test team and the user community will review the plan to ensure that all aspects of the application are being properly quality assured.

The information that encompasses the Master Test Plan must be detailed and well thought out. Putting together the plan requires many hours of reviewing the system design documents, project scope, business requirements, and the release schedule from development. Part of developing the test plan will be ascertaining the proper staffing needs for the testing the application, how those resources will be utilized and when.

The following are the major areas that all Master Test Plans must cover:

1. System Overview – a description of what the application is intended accomplish.


2. Purpose and Scope – the purpose for what QA will accomplish and the scope of the effort the QA team will be making.


3. Assumptions and Risk Assessment – what are the assumptions QA will be making on the nature of the project and what risks QA will be taking.


4. The Strategy – the overall approach QA will use for the testing. An explanation of testing methods to be used.


5. Data Preparation – what type of preparation will be required to prepare data for testing. This could require database refresh or data refresh scripts to be written.


6. The Build Matrix – each phase of the testing Unit, Functional, System Integration, Volume and Stress, Data Conversion (if necessary) and UAT will be outlined as to what will be tested in each phase and each build within each phase.


7. Work Plan – the Work Breakdown Structure (WBS) for what resources will be used and how they will be applied to each phase of the project. Also included will be milestone and target dates and any environmental requirements (PC’s, Networking, software, etc.) the team will have.


8. Testing Procedures – consists of version control, change control, and defect tracking procedures that will be used for all project participants.


9. Sample Forms – this will include a sample test case, sample defect tracking document and any other relative documents QA will be using for the project.

Once your test plan is approved, NOW you can start to write test cases. It is still not time to start testing yet, more on this in the next issue.

Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at mark@mgdservices.com

FDA Watch: Documented Training in a Qualified Network Environment

By Eric M. Stroud
GMPNetworks / Syvax Inc.

In order to complete the validation process for networks that require FDA Validation, one must provide evidence that training on network-related SOPs was conducted. A record of the training that was given for the network must be produced. This training record may be electronic or hardcopy.

Electronic training records are usually implemented at companies with a strong CBT program (computer-based training). After reading and possibly taking a short quiz, the electronic training record captures the name, date, topic, procedure #, score, employee ID #, and so on, as evidence of compliance.

More commonly, a training record is a simple form, which records the procedure title, trainer’s name, date, duration, and attendees.
Hint: Distribute the attendance list at the end of the training session!
The hardcopy training records must be maintained in a documentation repository.

If your company has a history of noncompliance with procedures (people not following SOPs consistently), taking attendance is not enough. It is good practice to implement a competency test following the training. This is typically a short quiz, not lasting more than 30 minutes. A threshold score is set, and all of the attendees meeting or exceeding the threshold score are allowed to perform a certain function. Those who fail the competency test must take the training again, and this highlights those colleagues that may need shadowing and observation.

In closing, “informal” training is not enough! Accurately record your training sessions, even if it is just one person in attendance. The creation of the training record is one of the key ingredients to show compliance with your own procedures.

Eric is an FDA Validation expert for GMPNetworks/Syvax Inc. Eric has over ten years experience with FDA validation for the pharmaceutical industry and has been specializing in validating IT data networks.
http://www.gmpnetworks.com

In the News: Firefox Web Browser

KEY BISCAYNE, Fla. Jan 24, 2005

By age 10, Blake Ross was designing Web pages on America Online. By 14, after mastering complex programming languages such as C++, he was fixing bugs in Netscape's Web browser from home, a hobby that landed him a job offer. "What, at the local store or something?" David Ross remembered thinking when his son told him. No, at Netscape Communications Corp.

Ross, now 19, a sophomore computer science major at Stanford University, has an even more impressive resume than most of his peers. Before graduating high school, he helped develop Firefox.

Colleagues who worked with Ross only online were surprised when they met him to find "a scrawny 15-year-old kid," recalled Chris Hofmann, engineering director at the Mozilla Foundation.

To take an internship at Netscape during the summer of 2001, Ross moved with his mother to a rented apartment near Netscape's offices in Mountain View, Calif. She drove him to work each morning.

He continued working on the browser on contract after returning to Florida to attend Gulliver Preparatory School. He breezed through computer classes, finishing projects in a day that took others two weeks, said Dean Morell, a former teacher and chairman of the school's computer science department.
Ross soon took on a much more demanding project.

America Online Inc., which bought Netscape in 1999, was trying to resurrect the once-mighty Netscape browser. AOL added features, but they bogged down the software and reduced performance, Ross said in recent interviews by e-mail and at his parents' condo in Key Biscayne, a Miami suburb.

At 17, Ross and another Netscape programmer, David Hyatt, started a side project that became Firefox. They wanted to strip down Netscape and the Mozilla suite on which it is based. By reducing the software to its browsing basics, they figured it would run more efficiently.

Ross and Hyatt created an early version of the browser. Because the project was open source, thousands of volunteers could examine the programming code and suggest ways to improve performance and fix bugs.

"I have fond memories of long nights spent at Netscape just poring over all the feedback people submitted about our programs," Ross said.

Hofmann, the Mozilla engineering director, said Ross dealt with the pressures of Silicon Valley quite well for his age.

"I don't think that he was intimidated or awe-struck at all," he said. "With open-source projects you rise to a level based on your skills. It is really a meritocracy. Anyone who has the skills rises quickly and Blake had all those skills."

AOL ultimately spun off the project and created the not-for-profit Mozilla Foundation to develop Firefox and related software.

Hyatt left to design Apple Computer Inc.'s Safari Web browser, but Ross stayed and helped fix Firefox bugs from college.

Firefox was officially released Nov. 9. It was used by 4.6 percent of Web surfers in early January, and that number could reach 10 percent by mid-2005, according to WebSideStory, which tracks browser use. Microsoft's Internet Explorer has dropped to 90.6 percent this month from 95.5 percent in June.
Security experts like Firefox, saying it isn't as vulnerable as Internet Explorer to viruses, spyware and other malicious programs.

Business Requirements – The Foundation

By Mark Gunn

Thorough, accurate, and well written business requirements are the foundation for software development projects. Many of those in the software development business would agree with this statement and would also agree they don’t follow it. Sometimes there is project pressure to “start coding now”. As if, that would get the project to market quicker. I have never quite understood this concept. Without a solid foundation on which to build your project, as with building a house, sooner or later the project will crumble. The time taken to produce solid business requirements will save the project time and expense by reducing the time and cost of having to redo code that does not meet our users/clients business needs. Coding without having solid, detailed business requirements means the developers will, in all likelihood, have to spend time re-coding to fix missed requirements. The QA team will have to write new test cases, new builds will have to be released and more testing will take place. So you can pay me now (pay the business analyst) or pay me later (pay for additional time for the Developers, DBA, QA).

The task of producing thorough, accurate, and well written business requirements is the other aspect that is often under estimated. Having subject matter experts (SME) write business requirements is not the best approach. SME’s are not trained in writing business requirements. They know their business, but do not necessarily know how to write solid business requirements. For example, I had this exchange once while reviewing business requirement written by a SME:

Analyst: “In this requirement you state that you always do this task.”

SME: “That is correct.”

Analyst: “So there are no circumstances under which you don’t do this task.”

SME: “That is right…….well there is the rare exception that we don’t but it hardly ever happens……… “

If this requirement had been given, as it was written, to development and QA this is how it would have been coded and tested. During User Acceptance Testing (UAT), at the end of the project timeline, the users would have discovered this oversight (at least we hope they would) and the project would now be behind schedule and additional person-hours (see also cost over-runs) would ensue to correct the over-sight.

In the end, having solid business requirements is the foundation for building a quality product. A quality product requires all project participants, during all phases of the project, to adhere to the constructs of Total Quality.

Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at Mark@mgdservices.com

FDA Watch . . .FDA expectations for your IT Data Network

By Eric M. Stroud
GMPNetworks / Syvax Inc.

In most pharmaceutical companies, the Information Technology (IT) department often has a number of regulated customers: Manufacturing sites, laboratories, clinical operations, etc., each with its’ own section of predicate rules from the Food & Drug Administration (FDA) to follow, collectively called the “GXPs”, or “Good….Practices”. Manufacturing sites must be in compliance with the “GMPs” (21 CFR Parts 11, 210-211, 820 for medical devices); for laboratories, the “GLPs” (21 CFR Parts 11 and 58); and for Clinical Operations, the “GCPs” (21 CFR Parts 11, 50, 56, 312, 812).

While no predicate rule specifically spells out what the FDA expects for a data network, it is good practice to adopt the regulations from the GMPs, and apply them to the network. Think about who potentially would get audited the most in your organization: Manufacturing. A manufacturing division is a good example of an IT customer that would require documentation about the network, showing control, in order to show that its’ manufacturing sites, which use that network, are in compliance with the GMPs.

“The FDA ‘raised the bar’ on what they expected regarding control of data networks when it issued Pharmacia two warning letters…”
The data network used by the manufacturing, clinical, and laboratory operations must be qualified. Sounds extreme? Consider this: The FDA “raised the bar” on what they expected regarding control of data networks when it issued Pharmacia two warning letters during two inspections in 2000. Since then, larger pharmaceutical companies have implemented network quality programs, including Pfizer, Merck, and Schering-Plough.

The responsibility of a network quality program usually falls to the IT management or a quality role in the IT organization, and quality assurance. A complete network qualification package typically has the following components:

A policy on what will be controlled in the data network, specifying boundaries, responsibilities, and “core” procedures;
Standard Operating Procedures, particularly for those activities that are used to show compliance (change control, periodic review, monitoring, testing, training, document management, disaster recovery, etc.);
Documented Training on Standard Operating Procedures, which is checked in a periodic review;
A means of controlling documentation: A physical repository, an electronic document management system, or both, for maintaining diagrams, qualification documents, procedures, etc.
A methodology to specify, design, and test new devices or functionality; and,
An objective Quality Assurance role within the department, to manage the above items.

In Part 1 of this article, let’s discuss the use of the policy.

The policy document may originate from the IT organization. It’s most important purposes are to communicate the scope and responsibilities for maintaining control of the data network across the organization. The policy document is usually approved by a representative of each area of the IT organization, such as operations, architecture, deployment, and planning. The policy document should be implemented across the entire organization, and elaborates on the following.

What equipment will be under change control and qualification, such as layer-2 devices, wireless devices, MVX, video, etc.;
Where sites and regional/corporate groups divide their responsibility, such as at an “edge” layer-3 switch;
If there are documents which are shared by multiple sites, who will maintain those documents;
How will network documentation be approved and maintained; and,
The qualification approach for equipment.

Usually, the most difficult part about preparing an organization-wide policy is getting consensus. Many people maintain a data network, and often, the network may spread across the globe. Well-coordinated meetings with agendas, support from upper management, and a project team to ensure that the policy becomes practice are the essentials for success.

Getting a network control policy in place is often the hardest part of getting a new network quality program off the ground. Don’t despair! You have a lot of support and help out there! (hint!)

Eric is an FDA Validation expert for GMPNetworks/Syvax Inc. Eric has over ten years experience with FDA validation for the pharmaceutical industry and has been specializing in validating IT data networks.
www.gmpnetworks.com

In the News . . .TV star helps launch new website opposed to exporting jobs

Site features exclusive short film

Washington DC--TV star Jason Alexander has joined the offshore outsourcing debate on the side of U.S. workers by helping launch a new website called Outsource Outrage. "The outsourcing of American manufacturing and technical jobs has become ‘business as usual’ over the past few years. In my own industry, we must constantly fight the trend of taking American film work out of the United States. ... Men and women that I have known for over 20 years, craftspeople and technicians, camera operators and production managers, have all seen their livelihoods disappear due to this devastating trend," said Alexander.

The star teamed up with the Communications Workers of America, WashTech's parent union, in launching the site. Alexander is best known for his role as George Costanza on the mega hit series Seinfeld.

The site features a short film where Alexander asks school children which countries they want to work in when they grow up. "Our film satire, while done for humor, accurately depicts the situation. To claim the creation of jobs while knowing full well those jobs have been created for American firms in foreign countries is a horrific lie. And unlike our film it’s not particularly funny."

Besides the film, the site features information and ways for individuals to take political action on the issue.

Microsoft Files Suits Against 'Bulletproof' Web Hosts

Sep 24, 2004

Microsoft filed nine lawsuits against individuals and companies alleged to be involved in the distribution of spam, the company said Wednesday.

The suits, all filed in the last month, include eight against individuals alleged to be behind spam campaigns that offered e-mail users a variety of products including generic online drugs, tee-shirts, software, pornography and dating services. The ninth lawsuit is against a Web hosting company that catered to the spammer community by claiming to be "bulletproof," or incapable of being shut down, Microsoft said in a statement.

The lawsuits are just the latest salvo in a legal war on spammers by Microsoft, as well as Internet service providers like America Online and EarthLink. In June, Microsoft filed eight lawsuits against alleged spammers who used accounts at the company's Hotmail e-mail service and compromised PCs running its Windows software to send spam.

In the latest suits, Microsoft has also extended its reach to companies that sell services to spammers, according to the statement.

Microsoft filed suit against Levon Gillespie, who is described as a principal of "bulletproof" Web hosting company cheapbphosting.com, as well as "various John Doe" defendants who use Gillespie's services, the company said.

According to text Microsoft said was taken from the cheapbphosting.com site, Gillespie "cater(s) for both established bulk email experts and companies that have not used bulk email before," using "China-based" servers "to ensure no problems arise from complaints generated by mail you send."

In its statement, Microsoft claimed that spam that originated on servers on the cheapbphosting.com was routed through compromised computers in Korea, Japan, Israel and the U.K., as well as Brazil, Germany, Switzerland, Canada and the U.S.

The e-mail messages contained forged or "spoofed" header information to make them look as if they came from Microsoft MSN and Hotmail accounts, the company said.
Microsoft said it has filed 70 lawsuits in the U.S., including the latest group, and is continuing to target spammers and those that support spamming.

In the News . . .Microsoft to Open Research Center in India

Dec 1, 2004

Microsoft Corp. is further expanding its presence in India with plans to open a research center in Bangalore.

The latest Microsoft Research campus will open in January 2005, the Redmond, Wash.-based software giant said Tuesday. The researchers in India will focus on ways to create, store and search information in multiple languages, as well as technology for use in emerging markets and other specialties.

Microsoft already operates research campuses in Beijing; Cambridge, England; Redmond; San Francisco and Silicon Valley.

The company decided to add an Indian campus to take advantage of promising computer science students coming out of universities there, said Rick Rashid, a vice president in charge of Microsoft Research. The company hopes to hire a couple dozen researchers over the next year, he said.

The Microsoft Research campuses, modeled after academic research facilities, do work that is relevant to Microsoft's product lineup, such as security or search technology. Products including the TabletPC have come out of the research arm.

But researchers also are encouraged to work on far-flung ideas that may never turn into profitable products, like tools for developing HIV vaccines.

The new center will be headed by P. Anandan, previously a senior researcher at Microsoft's Redmond campus. Anandan, a native of India, said in a statement that the country's many languages, plus the fact that most of its more than 1 billion residents have no Internet access, make it a good backdrop for researching some of computer science's most challenging problems.

The announcement comes just two weeks after Microsoft opened an office in Hyderabad, India, 340 miles north of Bangalore, and stepped up plans to hire more programmers in India. The new Hyderabad campus, its largest outside the United States, will eventually employ 3,000 programmers.

Microsoft already has offices in Bangalore for functions such as product support and sales, Rashid said.

Microsoft is one of dozens of American technology companies to set up facilities in India, taking advantage of its vast pool of skilled workers who can be hired for a fraction of the cost of those in the United States.

FDA Watch . . .Part 2: Network Standard Operating Procedures

By Eric M. Stroud
GMPNetworks, Syvax Inc.

In Part 1 of this article, we described the purpose of the Policy document and its role in setting network qualification into practice in an organization. But, the policy alone does not give complete evidence of control - Standard Operating Procedures (SOPs) are used as one way (a very good way!) to provide this evidence.

SOPs in the network realm can exist on two levels: The organization, and the devices.

Organization SOPs are often written for a regional center or a site, in order to align quality practices in that organization (consistency). These SOPs typically include:

Change Control - The process for managing changes to the network;
Monitoring - The workflow for monitoring network conditions and health, reporting metrics, and resolving problems;
Documentation - A workflow for new network documentation, edits, approvals, and how they are managed (electronically, hardcopy, or both);
Testing - The process of identifying, applying, and testing patches, upgrades, and hardware changes on a simulated network before deployment;
Periodic Review - The process of inspecting diagrams, documents, change controls, etc., over a period of time to ensure continued compliance; and,
Disaster Recovery - The activities to be followed during a disaster recovery exercise.

These SOPs should be prepared by the network organization. The approvals of these SOPs must have a quality assurance (QA) signatory, preferably, a QA role in the network organization. The training process on these SOPs (documenting, refreshers), would be the same as your other SOP processes. An admin or quality coordinator should be watching for new hires, and refresher training dates, new SOPs, and revisions to SOPs. Remember that last point - If you revise and re-issue the SOP, you need to retrain on it.

A common question is "why not just include the network in the scope of the site's regular change control". As long as there is a quality assurance role in the network's organization, it is a good practice for the network operations groups to maintain their own change control process. It is often streamlined, or may be an electronic tracking system, whereas a site's change control process may involve the use of review boards, or simply just more time for review. Network operations demand an efficient review and documentation process, sometimes, in the matter of hours, or during maintenance windows.

Data network devices warrant their own operational procedures once they are deployed. Device/Functional SOPs include: Startup/Shutdown - The specific process for the startup and shutdown of a network device Firmware Upgrades - Often model or series-specific, the process of applying and verifying an upgrade to a network device

The list of possibilities is endless here. You may wish to proceduralize the cascading of switches, 3rd party vendor management (fiber, long lines, etc.), and so on. The best practice in any SOP writing is to be concise and accurate. Always keep in mind the fast-paced nature of the business and the consequences of network outages and downtime, and the effects a procedure might have when resolving those problems.

Eric is an FDA Validation expert for GMPNetworks/Syvax Inc. Eric has over ten years experience with FDA validation for the pharmaceutical industry and has been specializing in validating IT data networks.
http://www.gmpnetworks.com

Defect Tracking – A must for IT Projects

By Mark Gunn

Ok, your IT project has a testing group and they have good solid requirements from which to work. That is a great start! When testing begins how are you going to communicate the problems (see also defects) to the system development team? Having a good defect tracking system for your IT projects is a must. Many good defect tracking applications are on the market today and most do the job needed. Ideally, a defect tracking system must have features which allow the ability to enter the following:

¨ a description of the defect
¨ the detailed steps by which the defect was created
¨ the application module(s) affected
¨ the build in which it was found
¨ a rating system for the defects and the severity of each defect
¨ a process by which to route the defect and track the defect status,
¨ and the ability to attach screen prints of the defect.

Your defect tracking system must have these capabilities and it should also have the capability to produce statistical results as well.

A defect is the vehicle which you are using to communicate found problems. A clear understanding of the defect is important for the developer for resolution and the QA team for retesting a corrected problem. The QA manager should review all defects for repeatability and to avoid duplication before routing them to the Development manager.

The Development manager, in turn, should review all defects, have a good understanding of the problem by communicating with the QA manager, and route the defect to the developers for resolution. The defect tracking application is an invaluable project tool, not only for QA and Development, but for the Project manager as well.
Defect tracking is a way to communicate to project management how the project is doing. The Project manager uses the statistical results, with defined measurements, from the defect tracking system to determine the status of the project. From a good defect tracking system, the Project manager can determine if the project is on schedule, if more resources are needed to meet the scheduled deadline, and how well development and QA are doing their jobs. By viewing the defects on a daily/weekly basis, the Project manager can determine where most defects are being found, how many are being entered, and the degree of difficulty or severity for these defects. The Project manager can then manage the project accordingly and the resources associated to the project.

Finally, the results associated with the defects can demonstrate what QA’s worth is to the project and to the organization. Many times the value that QA brings to the IT project is overlooked. Having a defect tracking system that has a reporting capability that shows a defined measurement of the testing status demonstrates the value of QA to the project.

You have solid business requirements and now you have selected a good defect tracking application. You are on your way to start testing…………well not just yet. More on this in the next article.

Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at Mark@mgdservices.com

MGDServices website has a New Look

MGDServices has an updated look and feel on the website. “The look of the website better reflects our technical position in the marketplace” said Donna Herman, of MGD Services.

Please visit www.mgdservices.com for more information.

In this Issue:

Defect Tracking - A must for all IT Projects
by Mark Gunn

FDA Watch - Part 2: Network Standard Operating Procedures
by Eric M. Stroud; GMPNetworks / Syvax Inc.

In the News -
Microsoft to Open Research Center in India

In the News: J.P. Morgan Cancels IBM Outsourcing Deal

Wed Sep 15, 2004 09:25 AM ET

WASHINGTON (Reuters) - J.P. Morgan Chase & Co. (JPM.N: Quote, Profile, Research) said on Wednesday it was canceling a $5 billion outsourcing deal with IBM Corp., (IBM.N: Quote, Profile, Research) and planned to rehire about 4,000 workers who had been transferred to IBM under the pact.

IBM said in a U.S. Securities and Exchange Commission filing that the cancellation of its biggest financial services outsourcing deal would help its 2005 earnings per share, and would have no impact on its full-year model.

J.P. Morgan, the No. 2 U.S. bank, said following its recent merger with Bank One, it could better manage its own technology and infrastructure. It also said there will be no material impact from the cancellation.

IBM said the cancellation would improve earnings because it was still in the early stages of deployment on the contract. It also said its backlog of services will be revised when it announces its third-quarter earnings. IBM estimated a $118 billion services backlog at the end of the second quarter.

Under the seven-year deal announced in December 2002, IBM was to take over the global computing operations for J.P Morgan in a wide range of areas including retail banking, trading and securities processing, offering the bank an opportunity to cut its own spending on technology.

The 4,000 workers transferred to IBM from J.P. Morgan in early 2003.

J.P. Morgan said IBM would remain one of the largest technology partners for J.P Morgan, but the companies did not elaborate on their relationship going forward. (With additional reporting by Chris Sanders)
© Reuters 2004. All Rights Reserved.

FDA Watch : Commissioning - A Risk-based Approach

An excerpt from Institute of Validation Technology.

The Institute of Validation Technology indicates that the Commissioning of systems and equipment within the pharmaceutical industry is quickly becoming a stable endeavor. While the intent of the practice was to cut the cost associated with validation, it has quickly become entangled in the web of Risk Assessment and Management.

Every system and piece of equipment utilized in the pharmaceutical and medical device industries is subject to a commissioning exercise. Commissioning using a risk assessment approach is best applied to new equipment and system installations.

Commissioning is now being viewed as an active part of the qualification process. It is imperative that it be performed in a structured, analytical and compliant way. Current FDA regulations do not mandate that commissioning or risk assessments be performed, but it is the trend and the latter may be the justification for the prior.

Many questions arise when one considers the application of risk assessment when conducting Commissioning. Among these are:

• When do we apply risk assessment?
• What thinking and planning are involved?
• What tools might be available to conduct this activity?
• Will the FDA care?
• What does it do for me or my project?
• How are risk assessment and commissioning related?
• What is the current thinking of the FDA regarding Commissioning and Risk Assessment?
• Where do we start with risk assessment?
• How do these concepts affect the final outcome of qualification and validation?

Let’s Begin with the Basics . . .

By Mark Gunn

The inherent philosophy of Quality Assurance for software systems development projects is to ensure that the system meets or exceeds the agreed upon requirements of the end-users; thus creating a high-quality, fully functional and user-friendly application. This philosophy applies to all system development projects and includes mainframe, client server, and web based applications.

“Quality Assurance is more than just testing”
Quality Assurance is more than just testing. Quality Assurance is involved throughout a project’s lifecycle.

• The Quality Assurance effort begins with the analysis phase of the project, continues through the design and execution phases and proceeds until the application is in production and beyond.

• Introducing solid quality assurance concepts and methods into the system development life cycle early on and maintaining them throughout the Software Development Life cycle (SDLC) is the key to the overall success and total quality of the project.

Quality Assurance is a commitment to the Total Quality of the Project

• This commitment to the philosophy of Total Quality requires all team members to adhere to the guidelines and methods that will ensure the excellence of the system being developed.

This philosophy is the backbone for the Software Development Life cycle. As our IT industry matures we find that having sound development and quality assurance methodologies ensures that applications or application enhancements are delivered to our customers on time and with no production problems. When this process breaks down, and this can be for many, many reasons, we find that the product we deliver can be less than what was agreed upon.


Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at Mark@mgdservices.com

Welcome to the MGDServices Quality Assurance Newsletter

Welcome to the first issue of the MGDServices Quality Assurance Methods and Practices Newsletter. Periodically we will be providing you with industry trends, developments and news that affect Quality Assurance, FDA Validation, and our IT family of professionals.

We are confident you will find this information a valuable resource for your day to day activities.

MGDServices Has a New LocationMGDServices has relocated to a new location in Hunterdon County, NJ. Gretchen Gunn states “Our new location keeps us close to our clients while adding the additional office space needed for our staff.” The new address and phone numbers are:

143 Rosemont-Ringoes Road
Stockton, NJ 08859
877-MGD-TEST
Fax 609-397-3967

About MGD Services

Product / Service Information

MGD Services, Inc. is a woman owned business that supplies consulting professionals to corporate IS departments in support of computer systems development projects. We supply well-trained, seasoned personnel to perform all tasks involved in the entire project life cycle for computer systems development.

MGD Services provides our clients with candidates that have been carefully screened, interviewed, references checked, and matched to our clients needs for their projects. MGD has many years of experience in IT systems development and we know how to separate the good candidates from the poor candidates.

We at MGD Services pride ourselves on the consistent quality of the candidates we present to our clients. We provide qualified candidates that do not waste our client’s time on unwarranted interviews. When we send a candidate to a client, they can be confident that the candidate meets or exceeds their project needs.

We supply our clients with candidates for all phases of the project life cycle development process.

Our personnel include:

§ Project Managers § Application Developers
§ FDA CSV Auditors § Testers
§ Business Analysts § Database Architects
§ QA Managers § Automation Test Specialists
§ System Designers § FDA Validation Analysts
§ QA Analysts § DBA’s
§ Network Specialists § Technical Writers

These personnel are involved in computer systems development projects from inception through the project lifecycle into production and on into system maintenance and enhancements. They work closely with both the system development staff and the end user community to provide a system that meets the client needs and the project requirements.
MGD Services understands the benefit of having the best in testing technology for today's enterprise needs. MGD Services partners with Mercury Interactive and Compuware. MGD Services has both Mercury and Compuware Certified QA analysts and test specialists who can provide quality assurance automated testing expertise for our client’s software development projects. We can support our clients in reviewing and understanding all automated testing products.