Guest Column | June 27, 2023

Agile Software Development In Bio/Pharma & Medical Devices, Part 1

By Allan Marinelli and Howard Mann


The pharmaceutical industry, under the FDA and other regulatory bodies, has been using computer software/systems validation testing methodologies to validate software within the GxP environment in alignment with the principles of good automated manufacturing practices (GAMP) since the first published guidance in 1994.1,2

In this article, which is part 1 of three, we will dive into the use of Agile methodology, including a discussion of practices toward alignment among the pharmaceutical, biopharmaceutical, vaccine, medical device, and cell/gene therapy industries, with a focus on the planning phase of a software development plan for a project.

In part 2, we will examine the following topics:

  • Team structure and collaboration phase
  • Defining requirements and product definition phase
  • Software architecture phase
  • Detailed design phase
  • Implementation and unit verification phase
  • Integration and integration testing phase

In part 3, we will discuss:

  • The rationale for the software system testing phase
  • Software release
  • Configuration management and change management
  • Corrective and preventive action

Aligning On Practices 3,4

Attempting to align Agile practices with regulatory goals, concepts, and practices entails accounting for the following elements prior to introducing any Agile approaches into your medical device quality management system (QMS). This can also be applied within the pharmaceutical, biopharmaceutical, cell & gene therapy, and vaccine industries.

Planning Phase (Software Development Plan For A Project)

Despite the fact that Agile may be construed as being too undisciplined to meet the planning requirements of the medical device industry, Agile is used to concentrate on assimilating and verifying as many plausible different testing scenarios/testing cases as possible. This is done to capture the widest potential software design output capabilities at the inception phase for every iteration (“sprint” or increment layer) in question, including capturing software bugs. Moreover, Agile relies on the concept of layers of planning (occurring as part of a story layer that are incremental, followed by corresponding release layers).

In the story layer, the focus is on a specific piece/item of functionality in question, while elaborating and implementing this functionality toward its intended uses.

In the increment layer, the focus is on ensuring that all potential and viable functionalities initially identified in the story layer can be boxed in or placed in a fixed time window to represent a reference standpoint of the build.

In the release layer, a combination of everything that was identified in the story and increment layers encapsulates the tasks and activities to finish the software development project, including factoring in the completed checklist. A current total number of tasks/functionalities to be executed is acquired and verified with observed comments for the intended release at question until releasing the first version to the users. In other words, all of the required tasks and functionalities, and known observations of potential anomalies, are to be rectified prior to the release of the first version of the software. By doing this, there will be fewer updates needed in the subsequent software version.

This iteration will continue to repeat the necessary increment layer cycle to reflect the next release version until the software project no longer needs additional release revisions upon entering the retirement phase.

Summary: As part of the medical product development endeavor, the regulatory requirements specified for the device industry is the benchmark standard to which the Agile methodology needs to adapt to ensure compliance and alignment.

It is important to note that an Agile team would need more than just backlog and release strategies since formal plans need to be set by factoring in the following:

  1. The testing methodologies and acceptance criteria at all levels
    1. The use of the story creation/backlog/increment/release management methodology coupled with its accompanied execution instruction. Plan for a final increment to complete the final tasks needed to produce shippable software.
    2. Agile uses the concept of a completed checklist, which is executed and verified through a continual feedback loop between the programmer and the stakeholders to arrive at a successful completion of the designated planned activity. Agile’s completed state is defined as when the “done” concept is in a ready state for creating a viable verification plan.
  2. Risk management, mitigation strategies, and integration strategies
    1. Risk management (see definition section)
    2. Mitigation strategies (see definition section)
    3. Integration strategies: During planning, a team must decide on an integration strategy. Agile’s focus on working software and continuous integration forms a very effective integration strategy.
    4. Agile focuses on "working software" in an “in progress state” and continuous integration practices.
  3. Software configuration management
  4. Required resources, schedules, and milestones

Thus, the combination of the above encompasses Agile as an intrinsic or embedded methodology within the QMS that can be amalgamated as part of the software development plan.


Risk Management: Risk management in the pharmaceutical, biopharmaceutical, vaccine, medical device, and cell/gene therapy industries is a critical process that ensures the safety and efficacy of the drugs, therapies, and devices. The goal of risk management is to identify, assess, control, and monitor risks to minimize the potential harm they may pose to patients, users, or the environment. The International Organization for Standardization (ISO) provides guidelines for risk management through ISO 14971:2019, ISO 14971:2019, ICH Q9, and GAMP 5, which are widely adopted in the industry. The following are the key steps involved in risk management.

Risk Identification: This step involves identifying potential hazards and hazardous situations associated with the medical device, drug, vaccine, or cell/gene therapies products. It includes considering all possible use scenarios, potential failures, and the harm that could result from those failures.

Risk Analysis: In this step, the identified risks are analyzed to determine the severity of harm and the likelihood of occurrence. This analysis helps prioritize risks and focus resources on the most significant ones.

Risk Evaluation: The analyzed risks are evaluated by comparing the estimated risk levels with predefined acceptability criteria. This step helps determine whether the risks are acceptable or if further risk control measures are necessary.

Risk Control: Risk control measures are implemented to mitigate or eliminate identified risks. This step involves designing and implementing safety features, conducting tests, using protective measures, or providing clear instructions for users.

Risk Reduction: Risk reduction measures aim to reduce the level of risk to an acceptable level. This can involve implementing design changes, adding safety features, or enhancing user training and instructions.

Residual Risk Evaluation: After implementing risk control and reduction measures, the remaining or residual risks are reevaluated to ensure they are within acceptable limits. If necessary, additional measures may be taken to further reduce the risks.

Risk Management Report: A comprehensive risk management report is created, documenting the entire risk management process. The report includes information about risk identification, analysis, evaluation, control measures, and residual risks. It serves as a reference for regulatory authorities and stakeholders.

Risk Monitoring: Once a medical device, drug, vaccine, or cell/gene therapy product is on the market, ongoing monitoring and surveillance are essential to identify and manage any new risks that may arise. This includes post-market surveillance, pharmacovigilance, feedback from users, and timely reporting of adverse events.

It's important to note that risk management is an iterative process. Manufacturers and regulatory authorities work together to ensure that risks are effectively managed, and that drugs, therapies, and devices meet the necessary safety and performance standards to protect patient and user safety.

Mitigation Strategies

Mitigation strategies refers to the measures taken to reduce or eliminate risks associated with the use of these devices, drugs, vaccines, and cell/gene therapies products. These strategies aim to minimize the potential harm to patients, users, or the environment. Here are some common mitigation strategies employed in development and use:

  1. Design Controls/Concept Phase: Incorporating design controls/concept phase into the development process helps ensure that potential risks are identified and addressed early on. These controls also involve implementing safety features, fail-safe mechanisms, engineering controls, or other safeguards to minimize risks.
  2. Safety Testing and Validation: Thorough testing and validation of medical devices, drugs, vaccines, and cell/gene therapies products are essential to identify and address potential risks. This includes various types of testing, such as operational testing, performance testing, electrical safety testing, biocompatibility testing, and software validation.
  3. User Training and Instructions: Providing comprehensive user training and clear instructions for intended uses is critical for risk mitigation.
  4. Quality Management Systems: Implementing robust QMSs is essential for ensuring safety and efficacy. QMS includes processes and procedures to manage risks, monitor product quality, and ensure compliance with applicable regulations and standards.
  5. Risk Assessment and Management: Conducting a comprehensive risk assessment throughout the product’s/device’s life cycle helps identify potential hazards, assess their severity and likelihood, and implement appropriate risk control measures. Risk management activities, such as risk analysis, evaluation, and monitoring, should be an ongoing process.
  6. Post-Market Surveillance: Collecting and analyzing data from the post-market use of products/devices is crucial for identifying any new or emerging risks. Manufacturers should have systems in place to monitor product/device performance, track adverse events, and promptly address any safety concerns that arise.
  7. Regulatory Compliance: Adhering to regulatory requirements and standards is essential for mitigating risks. Compliance with regulations ensures that products and devices meet minimum safety and operational/performance criteria, undergo proper testing and evaluation, and are subject to appropriate surveillance and reporting mechanisms.
  8. Feedback and Continuous Improvement: Establishing mechanisms for feedback from users, healthcare professionals, and other stakeholders helps identify potential risks and areas for improvement.

Integration Strategies

Integration strategies in products/devices involve the seamless incorporation of different technologies, systems, or components to enhance the overall functionality and effectiveness. Here are two common integration strategies used:

  1. Internet of Things (IoT) Integration: The IoT concept involves connecting devices or the manufacturing process of products with systems to enable data exchange and automation.
  2. Cloud Integration: Cloud computing can be leveraged to store, manage, and analyze large volumes of data during the manufacturing of products/devices. Integration with cloud platforms allows for centralized data storage, scalability, and accessibility from multiple locations. Cloud integration can enhance data security, facilitate data sharing, and enable advanced analytics or machine learning algorithms.


The very first step in any computerized system and information technology validation activities is to ensure that the planning phase of the software development plan for the project is carefully considered, while factoring in an understanding of the respective definitions.


  4. Guidance On The Use Of Agile Practices In The Development Of Medical Device Software,

About The Authors:

Allan Marinelli is the president of Quality Validation 360. He is a polymath and has more than 25 years of experience within the pharmaceutical, medical device (Class 3), vaccine, and food/beverage industries. His cGMP experience has cultivated expertise in quality assurance, compliance, quality systems, quality engineering, remediation, and validation roles controlled under FDA, EMA, and international regulations. His experience includes quality systems implementation, CAPA, change control, QA deviation, equipment, process, cleaning, and computer systems/infrastructure validation, as well as quality assurance program management, project management, and strategies using science/engineering risk-based approaches from ASTM-E2500, GAMP 5, and ICH Q9. Marinelli has contributed to ISPE baseline GAMP and engineering manuals.

Howard Mann is an independent consultant and/or contractor in the operational, regulatory, and quality assurance arenas. He has extensive experience in the healthcare industry and provides technical leadership guidance to the business development process, including the product development process in all areas of GxP compliance.