Recently I was part of the FDA 21 Code of Federal Regulations Part 11 (Part 11) audit of one of our custom software development projects. Part 11 audit is mandatory for any pharmaceutical system that uses electronic records and signatures in lieu of paper records. Our audit went surprisingly smoothly, and overall a positive experience for the team, reaffirming my beliefs about the benefits of established development processes and tools. This post briefly covers what contributed to the success of this audit.

Part 11 requires a software development process to be defined and followed. The process should have specific requirements, such as reviews of all the key milestones (e.g. System Requirements), and a well defined Validation phase (functional testing).

One of our internal product development processes was a good starting point for the definition of the process required for this customer project. As all our processes are stored in IRIS Process Author (IPA) in a reusable form, at the outset of the project, we were able to easily make the required adjustments to the selected base process to better suit the project. The process was then shared with the project team in a published form—in the project portal. During the audit, the external auditors carefully reviewed the details of this process and were fully satisfied with its coverage.

I was also required to demonstrate to the external auditors that our team was aware and followed the process. We use Microsoft Visual Studio Team Foundation Server (VSTS) as the development tool. IPA can generate VSTS process templates. In doing so, each activity of the process becomes a work item. In addition, all the process information such as description, steps, and roles, are captured as work items ensuring that every member of the team has access to process information when they need it. Hence the project team was steeped in the process being enacted. This showed the external auditors that the process was fully internalized by the project team and would not be abandoned at times of stress.

VSTS was also used for planning and managing issues, risks, and tasks, a single repository for all project artifacts. As VSTS is tightly integrated with MS Project, project managers were able to generate schedules and track the team’s progress.

In one of my sessions with the auditors, I did not have printouts for all issues and defects with me. When the auditors asked for evidence for certain scenarios, I was able to use VSTS (through web interface), and generate excel spreadsheet for the requested scenarios on the spot. This drove home for me the importance of having a central repository that instantly provide access to all project artifacts, which can be used as direct evidence during the audit process.

I believe process and tools are like two wings of a bird. To fly this bird needs both. Having a well-defined process in place is a great first step but unless the team has the tools that seamlessly incorporate the process into their daily work, the process is not internalized. High performance teams such as ours value being process-centric and disciplined, as long as processes are not a drag on their daily work. The integration of processes with tools not only helps with a positive audit experience, it also results in a motivated and disciplined development organization.