Wednesday, March 16, 2005

Business Requirements – The Foundation

By Mark Gunn

Thorough, accurate, and well-written business requirements are the foundation for software development projects. Many of those in the software development business would agree with this statement and would also agree they don’t follow it. Sometimes there is project pressure to “start coding now,” as if that would get the project to market quicker. I have never quite understood this concept. Without a solid foundation on which to build your project, as with building a house, sooner or later the project will crumble. The time taken to produce solid business requirements will save the project time and expense by reducing the time and cost of having to redo code that does not meet our users’/clients’ business needs. Coding without having solid, detailed business requirements means the developers will, in all likelihood, have to spend time re-coding to fix missed requirements. The QA team will have to write new test cases, new builds will have to be released, and more testing will take place. So you can pay me now (pay the business analyst) or pay me later (pay for additional time for the Developers, DBA, QA).

The task of producing thorough, accurate, and well-written business requirements is the other aspect that is often underestimated. Having subject matter experts (SMEs) write business requirements is not the best approach. SMEs are not trained in writing business requirements. They know their business, but do not necessarily know how to write solid business requirements. For example, I had this exchange once while reviewing a business requirement written by an SME:

Analyst: “In this requirement you state that you always do this task.”

SME: “That is correct.”

Analyst: “So there are no circumstances under which you don’t do this task.”

SME: “That is right… well, there is the rare exception that we don’t, but it hardly ever happens…”

If this requirement had been given, as it was written, to development and QA, this is how it would have been coded and tested. During User Acceptance Testing (UAT), at the end of the project timeline, the users would have discovered this oversight (at least we hope they would), the project would now be behind schedule, and additional person-hours (see also cost overruns) would ensue to correct the oversight.

In the end, having solid business requirements is the foundation for building a quality product. A quality product requires all project participants, during all phases of the project, to adhere to the constructs of Total Quality.

Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at Mark@mgdservices.com


FDA Watch . . . FDA expectations for your IT Data Network

By Eric M. Stroud
GMPNetworks / Syvax Inc.

In most pharmaceutical companies, the Information Technology (IT) department often has a number of regulated customers: manufacturing sites, laboratories, clinical operations, etc., each with its own section of predicate rules from the Food & Drug Administration (FDA) to follow, collectively called the “GXPs”, or “Good … Practices”. Manufacturing sites must be in compliance with the “GMPs” (21 CFR Parts 11, 210-211, 820 for medical devices); for laboratories, the “GLPs” (21 CFR Parts 11 and 58); and for Clinical Operations, the “GCPs” (21 CFR Parts 11, 50, 56, 312, 812).

While no predicate rule specifically spells out what the FDA expects for a data network, it is good practice to adopt the regulations from the GMPs and apply them to the network. Think about who potentially would get audited the most in your organization: Manufacturing. A manufacturing division is a good example of an IT customer that would require documentation about the network, showing control, in order to show that its manufacturing sites, which use that network, are in compliance with the GMPs.

The data network used by the manufacturing, clinical, and laboratory operations must be qualified. Sounds extreme? Consider this: The FDA “raised the bar” on what they expected regarding control of data networks when it issued Pharmacia two warning letters during two inspections in 2000. Since then, larger pharmaceutical companies have implemented network quality programs, including Pfizer, Merck, and Schering-Plough.

The responsibility of a network quality program usually falls to the IT management or a quality role in the IT organization, and quality assurance. A complete network qualification package typically has the following components:

A policy on what will be controlled in the data network, specifying boundaries, responsibilities, and “core” procedures;
Standard Operating Procedures, particularly for those activities that are used to show compliance (change control, periodic review, monitoring, testing, training, document management, disaster recovery, etc.);
Documented Training on Standard Operating Procedures, which is checked in a periodic review;
A means of controlling documentation: a physical repository, an electronic document management system, or both, for maintaining diagrams, qualification documents, procedures, etc.;
A methodology to specify, design, and test new devices or functionality; and,
An objective Quality Assurance role within the department, to manage the above items.

In Part 1 of this article, let’s discuss the use of the policy.

The policy document may originate from the IT organization. Its most important purpose is to communicate the scope and responsibilities for maintaining control of the data network across the organization. The policy document is usually approved by a representative of each area of the IT organization, such as operations, architecture, deployment, and planning. The policy document should be implemented across the entire organization, and elaborates on the following:

What equipment will be under change control and qualification, such as layer-2 devices, wireless devices, MVX, video, etc.;
Where sites and regional/corporate groups divide their responsibility, such as at an “edge” layer-3 switch;
If there are documents which are shared by multiple sites, who will maintain those documents;
How network documentation will be approved and maintained; and,
The qualification approach for equipment.

Usually, the most difficult part about preparing an organization-wide policy is getting consensus. Many people maintain a data network, and often, the network may spread across the globe. Well-coordinated meetings with agendas, support from upper management, and a project team to ensure that the policy becomes practice are the essentials for success.

Getting a network control policy in place is often the hardest part of getting a new network quality program off the ground. Don’t despair! You have a lot of support and help out there! (hint!)

Eric is an FDA Validation expert for GMPNetworks/Syvax Inc. Eric has over ten years experience with FDA validation for the pharmaceutical industry and has been specializing in validating IT data networks.
www.gmpnetworks.com

In the News . . . TV star helps launch new website opposed to exporting jobs

Site features exclusive short film

Washington DC--TV star Jason Alexander has joined the offshore outsourcing debate on the side of U.S. workers by helping launch a new website called Outsource Outrage. "The outsourcing of American manufacturing and technical jobs has become ‘business as usual’ over the past few years. In my own industry, we must constantly fight the trend of taking American film work out of the United States. ... Men and women that I have known for over 20 years, craftspeople and technicians, camera operators and production managers, have all seen their livelihoods disappear due to this devastating trend," said Alexander.

The star teamed up with the Communications Workers of America, WashTech's parent union, in launching the site. Alexander is best known for his role as George Costanza on the mega hit series Seinfeld.

The site features a short film where Alexander asks school children which countries they want to work in when they grow up. "Our film satire, while done for humor, accurately depicts the situation. To claim the creation of jobs while knowing full well those jobs have been created for American firms in foreign countries is a horrific lie. And unlike our film it’s not particularly funny."

Besides the film, the site features information and ways for individuals to take political action on the issue.



Microsoft Files Suits Against 'Bulletproof' Web Hosts

Sep 24, 2004

Microsoft filed nine lawsuits against individuals and companies alleged to be involved in the distribution of spam, the company said Wednesday.

The suits, all filed in the last month, include eight against individuals alleged to be behind spam campaigns that offered e-mail users a variety of products including generic online drugs, tee-shirts, software, pornography and dating services. The ninth lawsuit is against a Web hosting company that catered to the spammer community by claiming to be "bulletproof," or incapable of being shut down, Microsoft said in a statement.

The lawsuits are just the latest salvo in a legal war on spammers by Microsoft, as well as Internet service providers like America Online and EarthLink. In June, Microsoft filed eight lawsuits against alleged spammers who used accounts at the company's Hotmail e-mail service and compromised PCs running its Windows software to send spam.

In the latest suits, Microsoft has also extended its reach to companies that sell services to spammers, according to the statement.

Microsoft filed suit against Levon Gillespie, who is described as a principal of "bulletproof" Web hosting company cheapbphosting.com, as well as "various John Doe" defendants who use Gillespie's services, the company said.

According to text Microsoft said was taken from the cheapbphosting.com site, Gillespie "cater(s) for both established bulk email experts and companies that have not used bulk email before," using "China-based" servers "to ensure no problems arise from complaints generated by mail you send."

In its statement, Microsoft claimed that spam that originated on servers on the cheapbphosting.com was routed through compromised computers in Korea, Japan, Israel and the U.K., as well as Brazil, Germany, Switzerland, Canada and the U.S.

The e-mail messages contained forged or "spoofed" header information to make them look as if they came from Microsoft MSN and Hotmail accounts, the company said.
Microsoft said it has filed 70 lawsuits in the U.S., including the latest group, and is continuing to target spammers and those that support spamming.

In the News . . . Microsoft to Open Research Center in India

Dec 1, 2004

Microsoft Corp. is further expanding its presence in India with plans to open a research center in Bangalore.

The latest Microsoft Research campus will open in January 2005, the Redmond, Wash.-based software giant said Tuesday. The researchers in India will focus on ways to create, store and search information in multiple languages, as well as technology for use in emerging markets and other specialties.

Microsoft already operates research campuses in Beijing; Cambridge, England; Redmond; San Francisco and Silicon Valley.

The company decided to add an Indian campus to take advantage of promising computer science students coming out of universities there, said Rick Rashid, a vice president in charge of Microsoft Research. The company hopes to hire a couple dozen researchers over the next year, he said.

The Microsoft Research campuses, modeled after academic research facilities, do work that is relevant to Microsoft's product lineup, such as security or search technology. Products including the TabletPC have come out of the research arm.

But researchers also are encouraged to work on far-flung ideas that may never turn into profitable products, like tools for developing HIV vaccines.

The new center will be headed by P. Anandan, previously a senior researcher at Microsoft's Redmond campus. Anandan, a native of India, said in a statement that the country's many languages, plus the fact that most of its more than 1 billion residents have no Internet access, make it a good backdrop for researching some of computer science's most challenging problems.

The announcement comes just two weeks after Microsoft opened an office in Hyderabad, India, 340 miles north of Bangalore, and stepped up plans to hire more programmers in India. The new Hyderabad campus, its largest outside the United States, will eventually employ 3,000 programmers.

Microsoft already has offices in Bangalore for functions such as product support and sales, Rashid said.

Microsoft is one of dozens of American technology companies to set up facilities in India, taking advantage of its vast pool of skilled workers who can be hired for a fraction of the cost of those in the United States.

FDA Watch . . . Part 2: Network Standard Operating Procedures

By Eric M. Stroud
GMPNetworks, Syvax Inc.

In Part 1 of this article, we described the purpose of the Policy document and its role in setting network qualification into practice in an organization. But the policy alone does not give complete evidence of control. Standard Operating Procedures (SOPs) are used as one way (a very good way!) to provide this evidence.

SOPs in the network realm can exist on two levels: The organization, and the devices.

Organization SOPs are often written for a regional center or a site, in order to align quality practices in that organization (consistency). These SOPs typically include:

Change Control - The process for managing changes to the network;
Monitoring - The workflow for monitoring network conditions and health, reporting metrics, and resolving problems;
Documentation - A workflow for new network documentation, edits, approvals, and how they are managed (electronically, hardcopy, or both);
Testing - The process of identifying, applying, and testing patches, upgrades, and hardware changes on a simulated network before deployment;
Periodic Review - The process of inspecting diagrams, documents, change controls, etc., over a period of time to ensure continued compliance; and,
Disaster Recovery - The activities to be followed during a disaster recovery exercise.

These SOPs should be prepared by the network organization. The approvals of these SOPs must have a quality assurance (QA) signatory, preferably a QA role in the network organization. The training process on these SOPs (documenting, refreshers) would be the same as your other SOP processes. An admin or quality coordinator should be watching for new hires, refresher training dates, new SOPs, and revisions to SOPs. Remember that last point: if you revise and re-issue the SOP, you need to retrain on it.

A common question is "why not just include the network in the scope of the site's regular change control?" As long as there is a quality assurance role in the network's organization, it is a good practice for the network operations groups to maintain their own change control process. It is often streamlined, or may be an electronic tracking system, whereas a site's change control process may involve the use of review boards, or simply more time for review. Network operations demand an efficient review and documentation process, sometimes in a matter of hours, or during maintenance windows.

Data network devices warrant their own operational procedures once they are deployed. Device/Functional SOPs include:

Startup/Shutdown - The specific process for the startup and shutdown of a network device; and,
Firmware Upgrades - Often model or series-specific, the process of applying and verifying an upgrade to a network device.

The list of possibilities is endless here. You may wish to proceduralize the cascading of switches, 3rd party vendor management (fiber, long lines, etc.), and so on. The best practice in any SOP writing is to be concise and accurate. Always keep in mind the fast-paced nature of the business and the consequences of network outages and downtime, and the effects a procedure might have when resolving those problems.

Eric is an FDA Validation expert for GMPNetworks/Syvax Inc. Eric has over ten years experience with FDA validation for the pharmaceutical industry and has been specializing in validating IT data networks.
http://www.gmpnetworks.com


Defect Tracking – A must for IT Projects


By Mark Gunn

Ok, your IT project has a testing group and they have good solid requirements from which to work. That is a great start! When testing begins how are you going to communicate the problems (see also defects) to the system development team? Having a good defect tracking system for your IT projects is a must. Many good defect tracking applications are on the market today and most do the job needed. Ideally, a defect tracking system must have features which allow the ability to enter the following:

• a description of the defect;
• the detailed steps by which the defect was created;
• the application module(s) affected;
• the build in which it was found;
• a rating system for the defects and the severity of each defect;
• a process by which to route the defect and track the defect status; and,
• the ability to attach screen prints of the defect.

Your defect tracking system must have these capabilities and it should also have the capability to produce statistical results as well.

A defect is the vehicle which you are using to communicate found problems. A clear understanding of the defect is important for the developer for resolution and the QA team for retesting a corrected problem. The QA manager should review all defects for repeatability and to avoid duplication before routing them to the Development manager.

The Development manager, in turn, should review all defects, have a good understanding of the problem by communicating with the QA manager, and route the defect to the developers for resolution. The defect tracking application is an invaluable project tool, not only for QA and Development, but for the Project manager as well.

Defect tracking is a way to communicate to project management how the project is doing. The Project manager uses the statistical results, with defined measurements, from the defect tracking system to determine the status of the project. From a good defect tracking system, the Project manager can determine if the project is on schedule, if more resources are needed to meet the scheduled deadline, and how well development and QA are doing their jobs. By viewing the defects on a daily/weekly basis, the Project manager can determine where most defects are being found, how many are being entered, and the degree of difficulty or severity for these defects. The Project manager can then manage the project, and the resources associated with the project, accordingly.

Finally, the results associated with the defects can demonstrate what QA’s worth is to the project and to the organization. Many times the value that QA brings to the IT project is overlooked. Having a defect tracking system that has a reporting capability that shows a defined measurement of the testing status demonstrates the value of QA to the project.

You have solid business requirements and now you have selected a good defect tracking application. You are on your way to start testing… well, not just yet. More on this in the next article.


Mark Gunn has 25 years experience in the Quality Assurance and FDA validation fields. If you have any questions about these topics, please email Mark at Mark@mgdservices.com

MGDServices website has a New Look

MGDServices has an updated look and feel on the website. “The look of the website better reflects our technical position in the marketplace,” said Donna Herman, of MGD Services.

Please visit www.mgdservices.com for more information.
