Professional Documents
Culture Documents
Sop 1705 SDLC Sop PDF
Sop 1705 SDLC Sop PDF
TABLE OF CONTENTS
1 OBJECTIVE .................................................................................................................. 3
2 SCOPE ........................................................................................................................ 3
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
3 DEFINITIONS ................................................................................................................ 4
3.1 Terms and Acronyms: .................................................................................................4
3.2 Role Descriptions......................................................................................................13
4 REFERENCES ............................................................................................................. 16
5 ACTIVITY PROCEDURE DESCRIPTION ........................................................................... 17
6 PROCESS OVERVIEW .................................................................................................. 17
6.1 Process Diagram ......................................................................................................18
7 SOFTWARE-AS-A-SERVICE (SAAS).............................................................................. 18
8 WATERFALL FRAMEWORK .......................................................................................... 19
8.1 Discovery & Initiate Phase ........................................................................................20
8.2 Requirements & Analysis Phase...............................................................................24
8.3 Architecture & Design Phase ....................................................................................25
8.4 Build Phase...............................................................................................................27
8.5 Test Phase................................................................................................................29
8.6 Release & Deploy Phase ..........................................................................................33
9 AGILE FRAMEWORK ................................................................................................... 36
9.1 Discovery & Initiate Phase ........................................................................................37
9.2 Plan & Readiness Phase ..........................................................................................41
9.3 Development & Test Phase ......................................................................................43
9.4 Sprint Review Phase.................................................................................................47
9.5 Release & Deploy Phase ..........................................................................................48
10 OPERATE PHASE – AGILE AND WATERFALL FRAMEWORKS ...................................... 52
11 ARCHIVE & RETIREMENT PHASE – AGILE AND WATERFALL FRAMEWORKS ................ 56
12 DOCUMENT HISTORY ............................................................................................. 60
12.1 Superseded Document(s) .........................................................................................60
12.2 Revision History ........................................................................................................60
1 Objective
The purpose of this procedure is to outline the Software Development Lifecycle (SDLC)
to be followed for software engineering projects. This procedure briefly outlines the
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
Waterfall and Agile Frameworks, along with their respective phases and deliverables.
The applicability of deliverables may be Expected (must do) or Conditional (if applicable)
according to the type of project being carried out. The scope of project may be defined
by various projects parameters; such as whether the project is a configuration or
customization of Commercial Off-the-Shelf (COTS) software products, Software-as-a–
Service (SaaS) initiative, or new application development.
2 Scope
The SDLC is a framework for initiating, planning, creating, testing, deploying, operating
and decommissioning information systems and applications; including operations upon
go-live and archival and retirement when the application or system will be phased out to
complete the lifecycle. It outlines the activities that have to be performed with
associated deliverables to be compliant when developing, maintaining, replacing,
altering or enhancing specific software for a given software engineering project.
The structure of the procedure details two frameworks under SDLC which are supported;
the Waterfall Framework and the Agile Framework. It specifies the deliverables under
each phase based on the Entry Criteria, Tasks to be performed, Verification to be
executed and Exit Criteria/Deliverable expectations. The Roles and Responsibilities are
clearly defined by a RACIS matrix for each phase under the respective framework.
The a2 tool will score the applicability of the appropriate framework, Agile or Waterfall,
which should be used for the specific project.
The outputs of the SDLC are project deliverables, often electronic reports containing
signatures or project data captured in the tools utilized. Per sanctioned J&J policy, each
Operating Company shall abide by their local procedures for creating, updating,
reviewing, approving, developing and conducting training, releasing, conducting periodic
reviews and retiring these deliverables which are considered Quality System Documents
(QSD).
Out of Scope The following are not required to use this procedure:
! Mobile Medical Applications – mobile applications used a medical device
3 Definitions
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
i. Project Management
ii. Software Development Lifecycle
! Application Security Self-Assessment - Two-part self-assessment tool which is
completed by the IT project team in order to understand the risk and potential security
control gaps in projects where ISRM resources are not engaged to support IT in the risk
assessment and security requirements gathering process. The assessment:
! Business Impact Assessment (BIA) – Describes the business use and various
business risks of a business application as well as the requested Disaster Recovery
parameters: Recovery Time Objective (RTO) and Recovery Point Objective (RPO),
and/or the option to not have Disaster Recovery and accept that risk.
1
Use SDLC Infrastructure SOP for these projects.
! Code Review Record - Typically, code review focuses on ensuring that the code is
in accordance with the technical design and that it follows applicable coding
standards.
! Compliance Analysis (CA) - Identifies the compliance requirements for the software
being delivered. The results of this analysis establish the following:
i. Descriptive data for entry into the Configuration Management Database
(CMDB).
ii. Information to aid in determining detailed Compliance Requirements, which
will be captured in the User Requirements or User Stories and information to
aid in determining additional compliance deliverables, to be defined in the
Compliance Plan.
iii. Application categorization, to assist in further project planning and input for
identifying risks.
! Compliance Plan (CP) - Describes the activities that must be performed to provide
evidence that the software has been developed and installed as per predefined
specifications and operates as intended.
! Critical Success Factors (CSFs) - Critical factor or activity required for ensuring the
success of the software engineering product.
! CSV Risk Assessment Report – The objective of the risk assessment is to assess
GxP and business priority high/medium business requirements to determine the
recommended testing based on risk. In addition, the risk assessment will be used to
document multiple controls, as applicable.
! Data Flow Map - A visual representation of application components, users and the
transmission, processing and storage of data of different classifications (public,
confidential, restricted, highly restricted) between those components.
! Defect Form - Highlights conditions when the system in test does not function as
required. The purpose of a defect form is to state the problem as clearly as possible
so that developers can replicate the defect easily and resolve it. Corrective actions
that are to be taken to resolve the defect and close it are captured.
! GxP - An abbreviation that refers to all relevant regulations, including but not limited
to Good Laboratory Practice (GLP), current Good Manufacturing Practice (cGMP),
Good Clinical Practice (GCP) and Good Distribution Practice (GDP). GxP can refer
to one specific set of practices or to any combination of regulations.
! Happiness Metric – A tool utilized by the Scrum Team to help identify improvement
efforts in how they are working and what actions they will undertake to improve
Scrum Team engagement, autonomy and morale. .
! Hypercare Transition Plan – The document that identifies the roles, responsibilities,
readiness, timelines and acceptance criteria to transition operational support from
the sending organization to a receiving organization(s). This Transition plan will be
used as a formal agreement to align the sending and receiving organizations
functions during transition and provides a formal documented signoff by the leaders
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
of these respective organization(s). This includes the Service Level Agreement (SLA)
that has to be followed by the Operations team.
! JIRA – A tracking application which provides bug tracking, issue tracking, and
project management functions; such as capturing and tracking user stories or use
cases.
! Minimum Viable Product (MVP) – A release of a software system that has just
those core features that allows the product to be deployed, and no more. It is a
strategy targeted at avoiding building products that customers do not want, that
seeks to maximize the information learned about the customer per dollar spent.
! Potentially Shippable Increment (PSI) - Is the sum of all the Product Backlog Items
completed during a Sprint and all previous Sprints. At the end of a Sprint, the
increment must be complete, according to the Scrum Team's Definition of Done
(DoD), and in a usable condition regardless of whether the Product Owner decides to
actually release it.
! Project Case - Captures the reasoning for initiating a project or task, usually citing
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
benefits; such as the reduction of costs, early market entry, or process improvement.
! Release Plan - This plan includes how and when project releases will be delivered.
! Risk Calculator - An assessment tool based on input from the project team which
provides a high-level risk scoring based on a combination of compliance and
technical risk factors. The assessment is used by ISRM as a triage tool to assign
ISRM resources to the highest risk projects.
! SDLC Project Deliverables – The outputs of the SDLC process, usually electronic
reports containing signatures or the project contents captured in utilized tools.
2
RIM requires that all projects must consult with their Records Manager if engaged on the project. All others may be consulted as
the project requires.
3
Definition per the National Institute of Standards and Technology (NIST).
web browser (e.g., web-based email), or a program interface. The consumer does
not manage or control the underlying cloud infrastructure including network, servers,
operating systems, storage, or even individual application capabilities, with the
possible exception of limited user specific application configuration settings. The
customer licenses the use of SaaS vendor’s application service, built on the vendor’s
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
! Software Development Life Cycle (SDLC) - Describes the process for initiating,
planning, creating, testing, deploying, operating and retiring software.
! Sprint Backlog – Used to identify the scope of work in a sprint, including the user
stories to be developed and their associated tasks, success criteria and release
information.
! Sprint Planning - In preparation for the next Sprint, the Team revisits the Product
Backlog and adds any new User Stories identified during the Sprint or as a result of
the feedback.
! Sprint Retrospective - Is an opportunity for the Scrum Team to inspect itself at the
end of iteration (sprint) and create a plan for improvements to be enacted during the
next sprint. During the retrospective, the team reflects on what happened in the
iteration and identifies action for improvements going forward.
! Sprint Review - To close the Sprint, the Scrum Team presents the work done to the
Product Owner and other stakeholders to obtain acceptance and gather feedback
! Test Protocol - This document describes the overall test strategy and test approach
for project. The document’s main purpose is to:
test.
iii. Define a test approach for each test level, its entry and exit criteria, test types
and techniques to be used.
iv. Identifies timelines, time dependencies and test resource roles and
responsibilities needed to execute the test strategy.
v. Testing to provide objective evidence that the software can be used in its
operating environment for its intended purpose. Testing is documented in
such a manner as to allow independent verification of the day-to-day use of
the software, based on new or existing end-user procedures.
! Test Report – Final report that summarizes the outcome of Test Protocol
execution.
! Test Scripts – A set of instructions that will be performed on the system under
test to validate that the system functions as expected. There are various types of
tests to verify the application software; including but not limited to unit test, user
acceptance test, functional test, integration test, stress test and performance test.
The means for executing these test scripts are varied.
! User Acceptance Testing (UAT) - The last phase of the software testing
process where actual software users test the software to make sure it can handle
required tasks in real-world scenarios, according to specifications. Any
regression or end-to-end testing is included.
! Vendor Assessment – A formal assessment of the Vendor and their total quality
management system to ensure their policy, procedures and practices are robust
enough be compliant with J&J regulatory and other standards.
! Business Analyst (BA) – Is responsible for the interpretation of business rules and
requirements for the development of software. They are the primary interface with
the business stakeholders (Business Technology Leader, Project Manager/Scrum
Master, Business Owner, Business User SME) and Product Line Owners (PLO) to
analyze business needs and identify and prioritize requirements to achieve minimum
viable product. Ensures that all the business requirements are understood,
documented and met. BAs should be certified from the IT-AS rRDS team.
! Operations Owner – Responsible for the overall Service Operation Activities and
ensures that all day-to-day operational activities are carried out in a timely and
reliable way.
validation of developed code, before testing. This validation ensures that code
follows the appropriate coding standards.
! Privacy – Is responsible for ensuring privacy controls are built into new and existing
applications and systems, ensuring that personal data or personally identifiable
information (PII) is properly classified and protected based on corresponding IAPPs
and for providing advice on compliance with external privacy regulations, statutes,
contracts and internal policies.
! Product Line Owner (PLO) – The individual, who is the primary IT interface with the
business and is accountable for the development work getting done correctly.
! Project Manager (PM) - Is responsible for the planning, procurement and execution
of a project, in any domain of engineering. Project Managers should be certified in
PMx. PMs play different roles on whether they are supporting and Agile or Waterfall
project.
! Project Team – Comprised of the Q-CSV (for GxP projects), BUIT and IT-AS
(including SQA) software engineering personnel that have been assigned to a
software development and/or implementation project. Personnel may include
Business Analysts, Project Managers, Testers, Developers, Service Owners, Q-
CSV, SQA and other software engineering personnel needed to develop and
implement software solutions.
! Process Specialist (PS) (CPI) - Identifies the current state of processes, eliciting
their useful and harmful attributes, documenting models of the processes and
facilitating stakeholder groups to consensus regarding new business process
designs.
! Records and Information Management (RIM) - The organization responsible for all
Records and Information Management matters. Records and Information
Management refers to a set of activities required for systematically controlling the
creation, distribution, use, maintenance, and disposition of recorded information
! Release Manager (RM) - The person responsible for release management, which is
the process of managing, planning, scheduling and controlling software build through
different stages and environments; including testing and production.
! Scrum Team: Comprised of the Q-CSV (for GxP projects), BUIT and IT-AS
(including SQA) software engineering personnel that have been assigned to a
software development and/or implementation project. Personnel may include
Business Analysts, Product Owners, Testers, Scrum Masters, Developers, Q-CSV,
SQA and other software engineering personnel needed to develop and implement
software solutions,
! Service Owner – Responsible for the end-to-end delivery of the service (design,
engineering, deployment, and operations), ensures quality and timely delivery of
service to consumers, and determines functionality roadmap and milestones for the
provided service.
! Stage Gate Review Committee (SGRC)4 – Operates within the Records and
Information Management organization and provides additional support and guidance
4
Should not be confused with the SQA Stage Gates, which occur at key points during the SDLC process.
to strengthen existing data preservation safeguards across the J&J enterprise when
decommissioning, migrating, archiving, consolidating, and/or upgrading systems
containing data subject to record retention (including regulatory compliance) or legal
hold preservation requirements. The committee consists of select members from
Information Technology, Records and Information Management, the Law
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
! Support Team – Ensures that all service requests, incidents, problems, access
issues are addressed and resolved as per the service levels specified in the agreed
upon Service Level Agreement (SLA).
! Technical Lead – Responsible for ensuring that the technical environment setup
meets the design specification and adheres to development and testing best
practices.
! Test Team – Team responsible for validating software prior to UAT to provide
stakeholders with information about the quality of the product or service under test.
Software testing can also provide an objective, independent view of the software to
allow the business to appreciate and understand the risks of software
implementation. Test techniques include the process of executing a program or
application with the intent of finding software bugs (errors or other defects). Test
team may be a member of the Scrum team.
4 References
!
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
Activities, or tasks, have been included in the Entry Task Validation eXit (ETVX) table
under the respective phases for Waterfall and Agile Frameworks.
Tools defined in the SDLC are not all inclusive. The SDLC only identifies tools available
enterprise-wide; tools utilized at local levels are not documented. Please see your CSV
representative or SQA analyst to confirm which local tools may be utilized for your
specific project.
6 Process Overview
This Standard Operating Procedure (SOP) describes Johnson & Johnson’s Software
Development Life Cycle (SDLC), including associated processes and requirements or
activities and deliverables. The SDLC is intended to ensure that computerized systems
are fit for intended use, meet business requirements and are compliant with applicable
regulations.
7 Software-as-a-Service (SaaS)
SaaS projects provide a different approach as the software is licensed or leased from a vendor
but the data is usually owned by the enterprise. To protect Johnson & Johnson projects, data
and applications the below depicts the validation process for a SaaS project.
8 Waterfall Framework
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
5
The following must perform a Business Process Analysis of the existing business process; 1) all Supply Chain projects and 2) those projects whose budget is $500,000 or greater.
6
If known at this point in time.
7
Required for all SaaS and COTS projects.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
8
The Compliance Analysis and Risk Calculator will determine if stakeholders, such as ISRM, Privacy and RIM, must be fully engaged in the project.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
9
Not required for digital projects
10
Risk Calculator does not require sign-off.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
7 Expected Project Case Prepare PMx Review PMx PMx Team PMx Team Use J&J PM PO N/A N/A N/A
Team Site Team Site Site Site Set-Up SDLC
Newly
Completed
Identified &
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
2 Expected Detailed Initiate Review Traceability Draft Use J&J BA PM CSV PO N/A
Requirement Traceability Traceability Matrix Traceability SDLC (rRDS (GxP)
s Matrix Matrix Template Matrix )
SQA
(GxP &
or
non-
HP-ALM GxP)
3 Expected Business Conduct N/A a2 tool (QP1) SQA Stage Use J&J SQA SQA Project PM N/A
Process SQA Stage Gate SDLC (GxP Team
and PO
Analysis Gate SQA Stage Assessment
non-
Document Assessment Gate Report
GxP)
Assessment
Detailed
Template
Requirement
s
Traceability
Matrix
Compliance
Plan
Risk
Assessment
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
Specification Template
Data
Conversion/
Migration
Design
Specification
Compliance
Plan
PMx Team
Site Setup
Draft
Traceability
Matrix
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
4 Expected Unit Tested Create Review Configuration Configuration Use J&J Project PM N/A N/A SQA
Code Configuration Configuration Control Control SDLC Team (non-
Control Control Document Document GxP &
Design GxP)
Document Document Template
Specification
PO
s Software
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
1 Expected Design Setup Test Review by Change Reviewed Vendor Test PM N/A PO TAO
Specification Environment Technical Management Test process Team
s Lead System Environment acceptable
Raise
Data Change Change Integration
Conversion/ Control Control development
Migration must use
Design SDLC
Specification
2 Expected Test Draft Test Review Draft Test Protocol Final Test Use J&J Test PM CSV PO SQA
Environment Protocol Test Protocol Template Protocol SDLC Team (GxP) (non-
GxP
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
3 Expected Compliance Create and Review Testing Suite Executed Vendor Test PM BA PM SQA
Plan Execute System Test – HP ALM System Test process Team (rRDS) (GxP
System Test Scripts Scripts acceptable &
Final Test or ISRM non-
Scripts
Protocol Reviewed Integration GxP)
Test Script
Create Business development
Detailed Template
Business Simulation projects must
Requirement
Simulation Defect Form Test Scripts use SDLC
s
Test
Reviewed
Scripts11
System and
Track Business
System Test Simulation
Defects Test Defects
4 Conditional Detailed Create Review Templates, Reviewed Use J&J Project PO/ N/A PM CSV
Requirement Conditional Conditional as applicable Conditional SDLC Team PLO12 (GxP
s Documentati Documentati Documentati )13
CSV
on (User on (as on (GxP) SQA
Manual, applicable) (GxP
SQA
Standard &
11
For SaaS and SAP projects only at this time. No template for Business Simulation Test since it is executed is more of ad-hoc testing in nature.
12
Depending on the document, this could either be the PO or the PLO.
13
CSV requires sign-off on the following conditional deliverables for GxP projects: SOPs, WIs, GDLs.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
Defect Form PO
Final Test
Protocol
6 Expected Executed Generate Review of Test Report Final Test Use J&J Test SQA N/A PM CSV
System Test Test Report Test Report Template Report SDLC Team (GxP & (GxP
Scripts non- )
Review of Final Post- GxP)
SQA
Executed Post Execution
CSV (non-
UAT Test Execution UAT Scripts (GxP)14 GxP)
Scripts UAT Scripts
Final Post- PO
Defect Review of Execution
14
CSV approves Data Conversion and UAT test scripts only.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
7 Expected System Test Update Review N/A Final Use J&J Test PO Project PM PO
Scripts Traceability Traceability Traceability SDLC Team Team
Updating the SQA CSV
Matrix Matrix Matrix (non- BA (GxP
UAT Test existing
GxP) (rRDS) )
Scripts document
CSV ISRM SQA
(GxP) (GxP
&
non-
GxP)
8 Expected Design Conduct N/A a2 tool (QP1) SQA Stage Use J&J SQA N/A Project PM/ N/A
Specification SQA Stage Gate SDLC (GxP Team PO
SQA Stage and
Gate Assessment
Code Review Gate non-
Assessment Report
Records Assessment GxP)
Template
System Test
Scripts
UAT Test
Scripts
Final Defect
Forms
Compliance
Plan
Draft Test
Protocol
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
PMx Team
Site
Draft Test
Report
Draft
Traceability
Matrix
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
Loaded SQA
Data in (GxP
production & non-
GxP)
Servic
e
Owner
PO
9 Agile Framework
The Agile framework is an approach for requirements and solutions to evolve through the
collaborative effort of self-organizing cross-functional teams. It promotes adaptive planning,
evolutionary development, early delivery, and continuous improvement, and it encourages rapid
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
15
The following must execute a Business Process Analysis of the existing business process; 1) all Supply Chain projects and 2) those projects whose budget is $500,000 or greater.
16
If known at this point in time.
17
Required for all SaaS and COTS projects.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
Process
CSV
Analysis (GxP
Enterprise
Document only)
JIRA
Project BA
Case Or (rRDS)
Newly
Requirement
Identified &
s
Impacted
Specification
System(s)/A
Template
pplication(s)
3 Expected Project Prepare PMx Review PMx PMx Team PMx Team Use J&J PM PO N/A N/A N/A
Case Team Site Team Site Site Site Setup SDLC
Completed
Newly
Identified &
Impacted
System(s)/A
pplication(s)
4 Expected Project Execute/ Review of a2 tool (Q2) Final Use J&J PO CSV ISRM PM/ Privac
Case Verify Compliance Compliance SDLC (GxP (SOX, SM y
or & non- DARM,
Compliance Analysis Analysis SQA ISRM
GxP) HIPAA,
Initial Analysis Compliance (GxP
PCI, RIM
Product Analysis IOT, &
Backlog Template Security) non- CSV
GxP)
Privacy RA (if
(if engag
engage) ed)
RIM Servic
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
e
RA (if Owner
engaged
) PO (as
author)
5a Expected Initial Execute/ Review Risk a2 tool – Risk Use J&J PO and PO ISRM PM PO
Product Verify Risk Assessment Risk Calculator SDLC ISRM
Backlog Assessment Calculator Results19
or Data Flow
Map
Risk
Calculator Application
Template18 Security Self-
Assessment
and
Data Flow
Map
Template
and
Application
Security Self-
Assessment
Tool
5b Conditional Initial Execute/ Review GxP CSV Risk CSV Risk Use J&J PO PO CSV PM CSV
Product Verify GxP Risk Assessment Assessment SDLC (GxP)
Backlog Risk Assessment Template Report SQA
18
Not required for digital projects.
19
Risk Calculator does not require sign-off.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
7 Expected Initial Create Review a2 tool (Q9) Final Use J&J CSV SQA RIM (if PM ISRM
Product Compliance Compliance Compliance SDLC (GxP) (non- engaged (if
or GxP) ) SM engag
Backlog Plan Plan Plan SQA ed)
Compliance (non- CSV Privacy
Compliance
Plan GXP) (GxP) (if Privac
Analysis engaged y (if
Template
Document ) engag
ed)
ISRM (if
engaged CSV
) (GxP)
PO SQA –
(GxP &
non-
GxP)
Servic
e
Owner
PO
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
3 Expected Detailed Draft Review of HP-ALM Draft Use J&J BA PO CSV PM N/A
Product Traceability Traceability Traceability SDLC (rRDS) (GxP)
or SM
Backlog Matrix Matrix Matrix SQA
Traceability (GxP &
Matrix non-
Template GxP)
4 Expected Compliance Conduct N/A a2 tool (QP1) SQA Stage Use J&J SQA SQA Scrum PO N/A
Analysis SQA Stage Gate SDLC (GxP & (GxP & Team
or non- non-
Gate Assessment PM
GxP) GxP)
Compliance Assessment SQA Stage Report
Plan SM
Gate
Assessment
Template
Detailed
Product &
Sprint
Backlog
Business
Process
Analysis
Documents
CSV Risk
Assessment
(GxP)
Draft
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
2 Expected Sprint Draft Test N/A Test Protocol Final Test Vendor Test PO CSV PM SQA
Backlog Protocol20 Template Protocol process Team (GxP
SM
(non-
acceptable UAT GxP
only) and
Integration GxP
SQA pre-
development (GxP &
must use UAT)
non-
SDLC GxP) CSV
(GxP
UAT)
3 Expected Design Setup Test Review by Change Reviewed Vendor Test TAO N/A PM TAO
Specification Environment Technical Management Test process Team
SM
Lead System Environment acceptable
Data Raise
Conversion/ Change Updated/ Integration
Migration Control New Code development
Design must use
Approved
Specification SDLC
Change
Control
4 Expected Reviewed Create and Review Unit Testing Suite Executed Vendor Scrum SQA ISRM PM N/A
Code Execute Unit Test Scripts – HP ALM Unit Test process Team (GxP & (if
non- engage SM
Test Scripts Scripts acceptable
Sprint or GxP) d)
Backlog Integration
Test Script PO
development
Template
must use
or SDLC
JIRA
20
For GxP projects, a separate Test Protocol must be created for UAT - see Computer System Validation Procedures for GxP Regulated Applications for details. For non-GxP projects, a single
Test Protocol may be developed covering both pre-UAT and UAT.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
5 Expected Sprint Create and Review Testing Suite Executed Vendor Test PO N/A PM/ SQA
Backlog Execute System – HP ALM System Test process Team SM (GxP &
System Test Tests Scripts acceptable22 non-
Unit Test or GxP)
Scripts
Scripts Reviewed Integration
Test Script
Create System and development
Final Test Template
Business BST Test must use
Protocol
Simulation Defect Form Defects SDLC
Compliance Test Scripts
21
Plan
Track
System Test
Defects
6 Conditional23 Sprint Create and Review UAT Testing Suite Executed Use J&J PO PO Test PM CSV
Backlog Execute UAT Tests – HP ALM UAT Test SDLC Team (GxP)
SM
Test Scripts Scripts SQA
Compliance or
(non-
Plan Track UAT Final Test
Test Script GxP)
Test Defects Protocol
Final Test Template PO
Protocol Reviewed
Defect Form
UAT Test
Defects
7 Expected Executed Create Test Review Test Test Report Final Test Use J&J Test PO ISRM PM PO
System Test Report24 Report Template Report SDLC Team
21
For SaaS and SAP projects only at this time. No template for Business Simulation Test since it is executed is more of ad-hoc testing in nature.
22
Vendor process is not applicable for Business Simulation Testing. (BST).BST must be executed within the J&J firewall.
23
UAT is Conditional to support projects where business resources cannot support every sprint. A UAT must be executed for the release if not executed in the sprint.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
Draft
Traceability
Matrix
9 Expected Tested Code Create Review Configuratio Configuratio Use J&J Scrum PO N/A PM SQA
Configuratio Configuratio n Control n Control SDLC Team (non-
SM GxP &
Data n Control n Control Document Document
GxP)
Conversion Document Document Template
or Migration PO
Software
Design
Configuratio
Specification
n
Management
24
For GxP projects, a separate Test Report must be created for UAT. For non-GxP projects, both System and UAT test results may be contained in a single Test Report.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
2 Expected Demo Conduct Review of Happiness Happiness Vendor Scrum PO N/A N/A SM
Feedback Sprint Happiness Metric Tool Metrics process Team
Retrospectiv Metrics acceptable PM
Confluence - Completed
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
25
SQA Stage Gate Assessment is not mandatory for every Sprint and is up to the SQA resource to determine which sprint should execute the assessment. Ideally a SQA Stage Gate Assessment
should occur every 3-4 sprints.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
26
CSV must sign-off on the following conditional deliverables for GxP projects: SOPs, WIs, GDLs.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
4 Expected Executed Generate Review of Test Report Final Post- Use J&J CSV PO N/A PM PO
UAT Test Test Test Report Template Execution SDLC (GxP)
SM CSV
Scripts Report27 UAT Scripts SQA (GxP)
(non- Test
Review of Final Test Team SQA
UAT
Post- Report GxP (non-
Execution and GxP)
UAT Scripts non-
GxP)
5 Expected PMx Team Create/ Review Hypercare Hypercare Vendor Scrum PO SQA PM RM
Site Update Hypercare Transition Transition process Team (GxP &
non- SM
Hypercare Transition Plan Plan acceptable
Test Report GxP) CSV
Transition Plan Template
Integration (GxP)
Final Defect Plan
development
Forms SQA
must use
(GxP &
SDLC non-
GxP)
7 Expected Release Conduct N/A a2 tool (QP1) SQA Stage Use J&J SQA SQA N/A PO N/A
27
The Test Report should be generated at this point-in-time if the UAT has been conducted in the Sprint.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
The purpose of this phase is to ensure that the Application Services team and specifically the Operations staff are equipped with the
information required to perform day-to-day operations and to respond to emergency situations or any event that effects the application
or system. The same process is applicable for both the Waterfall and Agile frameworks.
1 Expected Hypercare Report Service ISM Tools Service Vendor Suppor Operati N/A PLO Operati
Transition Against Managemen Managemen process t Team ons ons
Reporting Owner PO Owner
Plan Service t Reviews t Reporting acceptable
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
RFC/
Standard
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
7 Expected Completed Raise Review Change Approved Vendor Project CSV Suppor PO CSV
System Change Change Managemen Change process Team (GxP) t Team (GxP)
Assets Control (CC) Control (CC) t System Control (CC) acceptable Operati
ons
Owner
8 Conditional Service Continual As applicable As Service Vendor Suppor Operati N/A Team Operati
Reporting Service applicable Improvemen process t Team ons ons
Owner PO Owner
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
10 Expected Traceability Maintain Review N/A Final Use J&J Project CSV N/A PO CSV
Matrix Traceability Traceability Traceability SDLCv8 Team (GxP) (GxP)
Matrix28 Matrix Matrix SQA SQA
(non- (non-
GxP) GxP)
This phase addresses the process of archiving data and retiring the system once it has been decided to decommission the system. A
determination of Record Retention requirements and Legal Hold is completed.
The same process is applicable for both the Waterfall and Agile frameworks.
2 Conditional Decommi Perform Stage Stage Gate Standardize Stage Gate Use J&J TAO SGRC N/A OPCx SGRC
ssion Gate Review Review d Stage Review SDLC Cloud
28
Application Traceability Matrix should be reviewed quarterly to ensure requirements are in alignment with the product.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
3 Expected Stage Develop Review of Retirement Retirement Use J&J TAO PO Project OPCx PO
Gate Retirement Retirement Plan Plan SDLC Team Cloud
CSV Factory CSV
Review Plan Plan Template Verification (GxP) RIM Service (GxP)
Committe of Legal SQA s SQA
e (SGRC) Hold (non- Applica (non-
Authorizat GxP) tion GxP)
Verification if
ion Archive is Suppor RIM
t–
Required Archivi
ng
Service
s
4 Conditional Stage Develop Review Retirement Archive Use J&J TAO PO Project OPCx PO
Gate Archive Plan Archive Plan Plan Plan SDLC Team Cloud
Factory CSV
Review Template29 Service (GxP)
Committe s SQA
29
The Retirement Plan Template will be used to support the Archive Plan.
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
5 Conditional Archive Execute Data Completed/R IRIS Verified Vendor Applica CSV N/A OPCx CSV
Plan Archive eviewed Archived process tion (GxP) Cloud (GxP)
Data acceptable Suppor Factory
Change t– SQA Service SQA
Request Archivi (non- s (non-
ng GxP) GxP)
Post Service PO PO
Migration s
Verification
6 Expected Retiremen Execute Completed/R IRIS Decommissi Vendor OPCx TAO N/A Applica TAO
t Plan System eviewed oned process Cloud tion
System no System acceptable Factory Suppor
Decommission Change Service t–
Archive longer
Request Close Integration s Archivi
Plan available in ng
Decommissi development
network oning must use Service
Change
Change SDLC s
Control
Control (CC)
(CC)
Notification
to BUIT
SOFTWARE
SOP-1705 DEVELOPMENT LIFE Version 14.0
CYCLE
7 Expected Archive Verify Archive Review of Retirement Final Archive Vendor TAO CSV N/A N/A CSV
Plan Results Archive Report Report process (GxP) (GxP)
Report Template30 acceptable SQA SQA
Archived Create Archive (non- (non-
Integration
Data Report GxP) GxP)
development
must use PO PO
SDLCv8
8 Expected Retiremen Verify Review of Retirement Final Vendor TAO CSV RIM N/A CSV
t Plan Decommission Retirement Report Retirement process (GxP) (GxP)
Results Report Template Report acceptable SQA SQA
Decommi (non- (non-
Integration
ssioned Create GxP) GxP)
development
Software Retirement must use PO PO
Report SDLCv8
30
The Retirement Report Template will be used for the Archive Report.
12 Document History
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
14.0 17-Oct-2017 Deborah Added language to clarify that tools cited in Minor
Lang this document via the ETVX matrices are
not all inclusive, however, represent
enterprise-wide tools. Project Teams
should reach out to their CSV
representative or SQA analyst for guidance
on what tools may be utilized locally.
13.0 24-Apr-2017 Deborah Version 12.0 was never made public as a Major
Lang last minute correction from ISRM on their
new Risk Assessment deliverables and
signatories was required. Version 13.0
contains all the changes made in 12.0.
Changes:
Waterfall: 8.1 Discovery & Initiate –
broke out Risk Assessment task (Task 4)
into 2 parts (Task 4a and Task 4b) to
correct and clarify signatories on GxP and
non-GxP Risk Assessment deliverables.
Agile: 9.2 Discovery & Initiate - Broke
out Risk Assessment task (Task 5) into 2
parts (Task 5a and Task 5b) to correct and
clarify signatories on GxP and non-GxP
Risk Assessment deliverables.
12.0 19-Apr-2017 Deborah General: Major
Lang ! Corrected typos; verifed ETVX matrix
for consistent template names.
! Corrected and verified RACIs
throughout the document
! Added new colum in RACIs to include
signatories.
Updated Section 2: Scope to claify
mobile applications are included.
Changes to Section 3.1 Terms: and
Acronyms :
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
phases
Section 8 (Agile Framework)
• Described in detail with an ETVX
and RACI for all the 5 phases
Section 9 (Operate Phase – Agile and
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
Waterfall Frameworks)
• ETVX and RACI matrix created
that is applicable for both Waterfall
and Agile Frameworks
Section 10 (Archive and Retirement
Phase – Waterfall and Agile
Frameworks)
• ETVX and RACI matrix created
that is applicable to both Waterfall
and Agile Frameworks
10.0 12-Nov-2015 Rathnakar General: Major
Raghunat • Changed “Systems Development
h Life Cycle” to “Software
Development Life Cycle” in the
term
• Renamed Application track to
Waterfall track
• Updated content across the
document to reflect removal of
infrastructure from SDLC
Section 2 (Scope):
• Updated Scope section to remove
infrastructure
Section 5.1 (SDLC Archtecture):
• Updated the Waterfall and Agile
phases in the SDLC Architecture
diagram
• Removed Project Management
track
• Removed Application category-
based tailoring section from the
diagram
Section 5.4 Tailoring
• Updated the section to make it
generic so that it applies to both
Waterfall and Agile implementation
tracks
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
scope.
• Clarified the concept of Mobile
Medical Applications (“mobile apps
that fall into the category of
Medical Device”).
Section 2.1 (SDLC Guidelines)
• Now clearly defines that:
− the Compliance / Validation
lead role is accountable for
the assessment of GxP
applicability and must be
assigned to Quality CSV / Q-
CSV CoE or it can be
delegated to IT Risk
Assurance when applicable.
− IT Risk Assurance is
accountable for the
assessment of SOx, Privacy
and DARM and for ensuring
the project team follows the
applicable compliance
requirements.
Section 4 (References)
• Added a new reference to the
document DS-STA-2018 (Mobile
Medical Applications).
Section 5.1 (SDLC Architecture)
• Updated the diagram to reflect
changes introduced by SDLC 7
Agile.
Section 5.5 (Development Phases of
SDLC)
• Updated the Agile phases.
8.0 07-May-2014 Rathnakar Section 2 Scope updated to Major
Raghunat ! Add Mobile Medical Applications
h under Out of Scope
! Revise in-scope and out of scope
for IT Infrastructure
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
Section 2.1
! Statement in bullet # 2 rephrased
to clarify that the term “risk
management” is intended be an
activity and does not refer to a role
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
! Renamed ‘Compliance
Deliverables’ to ‘Deliverables’
! Moved the Acceptance Criteria
section after the Procedures To Be
Developed/Modified section
! Updated instructions in the
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
Procedures to be
Developed/Modified section to
include examples of
topics/functions that should be
included in procedures. Updated
instructions to require listing
procedures that must be
modified/updated as part of the
project, as applicable.
! Section on Contingency Planning
has been deleted and added to the
Project Management Plan
template.
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
Updated Appendix U: User Acceptance
Test Protocol to align with the System/UAT
Test Protocol template harmonization
changes. Removed references to
Installation activity.
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
Appendix AI: Business Impact
Assessment. Created a new Appendix AH:
Business Continuity Assessment.
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
Specifications as an input
Replaced the word Technology Roadmap
by "Architecture Standards and Strategies
(Refer to the link for more details
http://it.jnj.com/standards/Pages/Architectu
reStandardsStrategies.aspx)" in the step
"Develop Computerized System
Architecture"
Replaced the word "Deliverables of the
Architecture Design" to "Architecture
Design Document". Also removed the term
Quality Guidelines and replaced by
"document meets all the requirements of
Architecture Design needs"
Appendix F: Included User Requirement
Specification and Traceability as Inputs.
Also made Functional Specifications and
Architecture Design as optional by
mentioning as applicable.
Appendix H: Removed the word SOP and
replaced with "implementation Appendix J".
Appendix I: Added a sentence "The level of
details to be updated can be decided by
the Project Manager to his/her discretion".
Also removed the word Re-engineered.
Appendix J: Added a sentence "The level
of details to be updated can be decided by
the Project Manager to his/her discretion".
Appendix K: Replaced the role Technical
Lead by Project Manager for Release
Notes step.
Also removed the word Re-engineering.
Appendix M: Removed the word "not" from
the sentence "Development testing may
occur in a test environment and will not be
included in the validation documents".
Appendix N: Changed the Role from
Technical Lead to Project Manager for the
step Review Release Notes.
"Development Test Checklist" is added as
a step with the details as "The results of
Self Testing are recorded in the
Development Test Checklist as an output".
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
Appendix P: Removed the reference to
URS and retained only the data conversion
and migration details in the Update
Traceability Matrix activity.
Appendix R: Replaced the word Formal
with System Testing and UAT.
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use
Major/Minor
Version DD-MM-YYYY Author Change Summary Change
by removing the wording SMS verification.
Appendix AG: Changed the term from
Project Scaling to Project Classification for
the table. Updated the Classification table
with the latest one.
Changed the number from 90 to 91 in the
SOP-1705 ( Version 14.0) - EFFECTIVE - Check electronic version in eDMS before use