Code Review

Hi, would anyone know how a code review is handled for an upgrade from a compliance standpoint? Is a code review required when an update is implemented?

Thank you.

Usually yes. What does your VP say in this regard?

Typically code review checks for:

Clear code
Commented Code
Deletion of old code
etc

Well, I’m actually putting a plan together now and I was unclear in this area, so I’m looking for expertise to understand what would be expected. There was an implementation about five years ago and they likely have a code review from that installation, but with an upgrade, even without new coding, I would think that a review of the code would be required. Validation has been told that we don’t need a code review since there is no new code, but wouldn’t it be required to check the current code being installed? Please let me know if you need more detail than what I’m adding here.

My understanding is that this upgrade does not involve a code change. If this is true, I personally would have no problem with not doing a code review, as it has been completed with the original install.

I would tend to agree with validation in this regard; I don’t think doing another code review would add extra value to the upgrade. As part of the validation I would check that the correct version of the code is installed, and that to me would be fine.

Hope this helps

I appreciate your time.

Just to piggy-back off Graham a bit…

I agree that a code review - in the sense of reviewing the source code for bugs, clear documentation, compliance to standards, etc. - in this case doesn’t sound like a value-added effort.

What you might want to consider, though, is a review of the procedures that led up to the new release. You should be able to confirm that no changes were made (by comparing baselines), ensure that the build was done in a controlled environment (it’s quite likely that updated compilers were used & it’s possible the OS has changed), ensure the software configuration was properly baselined, etc. In short, ensure that a proper SDLC was followed. This will give you assurance that the configuration you have is controlled, known, and reproducible.

Five years is a pretty long time between releases. There’s a good possibility that things “under the covers” have changed. I would tend to be more conservative and suggest that a fairly robust requirements verification be performed (in addition to the version install info Graham mentioned).