Right from the start

06.02.2006
While much of the work to comply with the Sarbanes-Oxley Act has been focused on adding controls to business processes and systems related to financial reporting, some companies are beginning to tap application life-cycle management tools to address Sarbanes-Oxley compliance as part of the application development process.

These companies are using tools to automate development and documentation processes. That documentation can then be audited to detail who has accessed code and what changes have been made. It can also be used to track what testing and quality assurance have been done when building applications or changing existing ones that fall under the act's scope. Some companies are finding that these compliance efforts are yielding additional rewards, like reducing costly rework by automating the change management aspects of programming.

Israel-based Teva Pharmaceutical Industries Ltd., which generates 91 percent of its revenue from sales in the U.S. and Europe, has replaced its paper-based application development workflow with change management and code-change tools from MKS Inc. over the past year. In addition to helping Teva meet regulatory requirements, the tools have allowed the company to attach electronic signatures to software change requests as required by the U.S. Food and Drug Administration. Teva has also been able to virtually eliminate its rework requests by using the tools to verify that changes are meeting business user requests, says Tom Loane, vice president and CIO of Teva North America.

Teva's old paper-based process for requesting development work centered around a seven-page form that had to circulate among employees in the U.S. and Israel to get four required sign-offs -- from the user requesting the change, the programmer, the tester and the quality assurance employee -- for the 1,000 software changes the company makes annually. Teva is replacing that process with MKS Integrity Manager, which prescribes the process and manages the workflow associated with code changes. The tool creates a document trail that records all activity, from the time a request for a change is made to when the code is moved into production. A workflow engine sends e-mail notifications to team members when work is requested, performed or completed, or when requirements have changed. Because Teva has combined Integrity Manager with MKS's Source Integrity software configuration management tool, programmers can check out the source code needed for the change request. All the changes are also recorded and compared against the details in the request for the change. As a result, Teva can "freeze" an activity during the development process to see what changes were made before or after that point.

"We're controlling things seven time zones away, [and] this rolls out a clean pattern of what the heck happened in any situation," Loane says. "It is not hard to prove what you did."

But automating the process had its challenges. First, Teva tried to replicate the paper process in the tool, which Loane says amounted to "automating a bad process and making it worse." Then the company took several months to devise a new process that treated all development as change, including new development and changes to existing systems, he says. In addition, the company began using the MKS tools to handle authorization of user access that required approval from a manager.