“Most software teams know the SDLC exists. Very few can tell you exactly who does what at each phase — and that gap is the single most expensive knowledge deficit in the industry.”
Every year, organizations across healthcare, banking, retail, telecom, and construction invest billions in software development. Most of them follow some version of the Software Development Life Cycle. A significant portion of them still ship late, blow the budget, and deliver something the business didn’t actually need.
The SDLC isn’t the problem. The problem is that most teams treat it as a technical framework when it’s fundamentally a collaboration framework. The phases are sequential on paper. In reality, they’re a continuous conversation between Business Analysts, Product Owners, developers, QA engineers, architects, and business stakeholders — all of whom have different priorities, different vocabularies, and different definitions of “done.”
This post breaks the SDLC down completely. Every phase, every role, every handoff — with real examples from industries where the stakes are high and the cost of a missed requirement is measured in regulatory fines, patient safety, or lost customers. Whether you’re a mid-level BA trying to improve your requirements process or a senior delivery manager looking for a framework to share with your team, this is the reference you’ve been missing.
What the SDLC Actually Is (And Why It’s Not Just for Developers)
The Software Development Life Cycle (SDLC) is a structured process that defines how software is planned, built, tested, deployed, and maintained. It’s not a single methodology — it’s a framework that underlies every methodology, from Waterfall to Agile to SAFe to DevOps.
The six core phases are consistent across almost every implementation: Planning, Requirements Analysis, System Design, Development, Testing, and Deployment/Maintenance. What varies is how those phases are sequenced (linear vs. iterative), how long each phase takes, and critically — who owns what.
That last variable — role ownership — is where most teams fail. In a Waterfall project, requirements are handed off to design, which hands off to development, which hands off to QA. Each handoff introduces interpretation gaps. In an Agile sprint, all of those functions run concurrently, which eliminates some gaps but creates new ones if role boundaries aren’t clear.
The SDLC is not a developer’s framework. It’s a business delivery framework. The BA drives it from the front. The PO shapes it through prioritization. QA validates it at every phase. Developers and architects implement it. And the business stakeholders — the people who will actually use the software — are the ultimate judges of whether it worked.
The Six SDLC Phases: What Happens and Who Owns It
| Phase | Primary Owner | Key Participants | Main Deliverable | Quality Gate |
|---|---|---|---|---|
| 1. Planning | Project Manager / PO | BA, Stakeholders, Architect | Project charter, feasibility study | Stakeholder sign-off on scope |
| 2. Requirements | Business Analyst | PO, SMEs, End Users, QA | BRD, user stories, acceptance criteria | BA + PO review and approval |
| 3. Design | Solution Architect | Dev Lead, BA, DBA, UX | System design doc, data models, wireframes | Architecture review board |
| 4. Development | Dev Lead / Developers | BA (clarification), QA (review) | Working code, unit tests | Code review, CI/CD pipeline |
| 5. Testing | QA Lead / BA | Dev, PO, Business Users | Test results, defect reports, BAT sign-off | PO acceptance, go/no-go decision |
| 6. Deployment & Maintenance | DevOps / Release Manager | Dev, QA, BA, Operations | Deployed system, release notes, monitoring | Production sign-off, SLA compliance |
These six phases describe what happens. What they don’t describe is the friction that lives between each one — the handoff gaps where requirements get misinterpreted, designs get built without user context, and testing uncovers problems that should have been caught in requirements. That friction is where the SDLC either earns its value or fails to deliver it.
Every Role in the SDLC: What They Actually Do
Here’s the honest breakdown of each role — not the job description version, but the real version that tells you what each person is responsible for when a project is running well versus what happens when they’re absent or unclear on their accountabilities.
The Requirements Architect
- Elicits and documents business requirements
- Writes user stories and acceptance criteria
- Facilitates 3 Amigos and stakeholder workshops
- Bridges business and technical teams
- Reviews test cases for business alignment
- Leads BAT execution and sign-off
- Active across ALL six SDLC phases
The Value Prioritizer
- Owns and maintains the product backlog
- Sets business value and feature priority
- Defines “done” at the story and epic level
- Formally accepts or rejects sprint output
- Makes go/no-go release decisions
- Manages stakeholder expectations throughout
- Aligns product roadmap to business goals
The Quality Guardian
- Creates and executes test plans and scripts
- Automates regression test coverage
- Logs, tracks, and triages defects
- Reviews requirements for testability
- Supports BA in BAT script development
- Owns test environment health
- Reports quality metrics to the team
The Builder
- Translates requirements into working code
- Writes unit and integration tests
- Participates in design and 3 Amigos sessions
- Resolves defects raised during testing
- Manages technical debt
- Advises on technical feasibility
- Supports deployment and post-release monitoring
The System Planner
- Designs high-level system architecture
- Defines integration patterns and APIs
- Evaluates build vs. buy decisions
- Sets technical standards for the team
- Reviews designs for scalability and security
- Manages technical risk across the program
The Process Facilitator
- Facilitates all Scrum ceremonies
- Removes team blockers and impediments
- Coaches team on Agile practices
- Protects the team from scope creep
- Tracks team velocity and sprint metrics
- Escalates organizational impediments
For the full deep-dives, see the guides on what a Business Analyst does, the Product Owner role, QA in modern software delivery, and the Scrum framework.
Phase-by-Phase: What Great Execution Looks Like
Phase 1 – Planning: Where Projects Are Won or Lost
Planning is the phase that most teams rush and most post-mortems identify as the root cause of failure. It’s not about building Gantt charts. It’s about establishing three things with absolute clarity: what the software needs to do, whether it’s feasible to build it in the available timeframe and budget, and who is accountable for each component of delivery.
At a major regional bank, a digital lending platform project was launched with a 9-month timeline and a $4.2M budget. The planning phase produced a 12-page project charter and a high-level scope statement. What it didn’t produce was a clear answer to this question: who owns the regulatory compliance requirements? Eighteen months and $7.8M later, the project delivered a system that had to be retrofitted with compliance controls that should have been in the original scope. The planning gap cost them $3.6M and an 18-month delay.
What good planning produces: a project charter with named role accountabilities, a feasibility study that includes technical and regulatory risk, a preliminary scope statement with documented out-of-scope items, and a stakeholder map that identifies who has decision-making authority at each phase gate.
Phase 2 – Requirements Analysis: The Most Undervalued Phase in the Entire SDLC
Requirements analysis is where the BA earns their value — or fails to. This phase determines what the software must do, what constraints it must operate within, and what success looks like. Every defect found in production, every missed deadline, every stakeholder who says “this isn’t what I asked for” traces back to a requirement that was ambiguous, missing, or misunderstood.
In healthcare, the stakes are highest. A hospital system implementing an electronic prior authorization platform discovered — during UAT — that the system wasn’t capturing the specific drug tier codes required by three of its top five payer contracts. The BA had elicited general prior authorization requirements. Nobody had asked specifically about payer-specific code structures. The fix required a redesign of the data model and a six-week delay in a system that was already contracted to go live. The requirements gap cost the health system $890,000 in delayed reimbursements and consulting fees.
Good requirements analysis in Phase 2 is not about writing long documents. It’s about asking the questions that nobody else is asking — the edge cases, the regulatory constraints, the integration dependencies, the business rules that only three people in the organization know. It’s about translating what stakeholders say they want into what they actually need, documented with enough precision that a developer in a different time zone can build it correctly without a follow-up call.
BABOK v3 elicitation techniques for Phase 2: stakeholder interviews, focus groups, observation, document analysis, prototyping, workshops, and surveys. The BA doesn’t use all of them on every project — they select the right combination based on stakeholder availability, requirement complexity, and regulatory constraints.
Phase 3 – System Design: Architecture Decisions That Haunt You for Years
Design is where requirements become architecture. The Solution Architect takes the what (from the BA) and designs the how — the system components, data flows, integration patterns, security model, and scalability approach. Developers contribute technical feasibility input. The BA validates that the design actually supports the business requirements. UX designers shape the user experience layer.
In retail, Target’s 2013 data breach — one of the most studied failures in enterprise security — involved an HVAC vendor’s network credentials providing access to the payment system. The security architecture hadn’t adequately separated third-party vendor access from sensitive payment infrastructure. That was a design-phase decision with catastrophic production consequences. Architecture decisions made in Phase 3 don’t announce themselves as problems until months or years later, and by then they’re significantly more expensive to fix.
For a telecommunications company rolling out a 5G network management platform, the design phase produced 14 separate microservices with clearly defined API contracts, a data model supporting real-time network telemetry from 40,000 towers, and a security architecture meeting NIST 800-53 controls. That design took 11 weeks. It saved an estimated 34 weeks of rework during development and testing.
Phase 4 – Development: Where Requirements Meet Reality
Development is the phase most people associate with the SDLC — and the one that’s least often where the real problems originate. By the time a story reaches a developer, the hard work should already be done. Requirements should be precise. Acceptance criteria should be BDD-structured. The design should be clear. If those things are true, development is execution. If they’re not, development becomes improvisation.
The BA’s role in Phase 4 is not passive. They’re available for clarification throughout the sprint, ensuring that mid-development questions get answered with business context rather than best-guess interpretation. Every time a developer answers a requirements question themselves — without checking with the BA — there’s a defect waiting to be found in testing.
In construction technology, a project management software vendor was building a subcontractor payment tracking module. Midway through development, a developer realized the spec didn’t address partial payments — situations where a subcontractor completes 60% of a job and invoices accordingly. The developer implemented a workaround that made sense technically but violated the client’s accounting rules. The BA wasn’t looped in. The workaround made it through code review, passed QA functional testing, and was caught in BAT by a construction accountant who immediately flagged it as a GAAP compliance issue. A four-hour requirements clarification in Phase 4 would have prevented a two-week rework cycle.
Phase 5 – Testing: More Than QA Running Scripts
Testing in the SDLC is not a single event — it’s a layered process that runs from unit testing in Phase 4 all the way through business acceptance testing at the end of Phase 5. Understanding the Software Testing Life Cycle (STLC) is fundamental to running this phase well.
| Test Type | Who Executes | What It Validates | Industry Example |
|---|---|---|---|
| Unit Testing | Developer | Individual functions and components | Banking: verifies interest calculation formula |
| Integration Testing | Dev / QA | API contracts and data flows between systems | Healthcare: HL7 message routing between EHR and pharmacy |
| System Testing | QA Team | End-to-end application behavior | Retail: full order-to-fulfillment workflow |
| Performance Testing | QA / Dev | Load capacity and response times under stress | Telecom: 50,000 concurrent API calls during peak hours |
| Security Testing | Security QA / Pen Testers | Vulnerability exposure and access control | Finance: PCI-DSS compliance for payment processing |
| Regression Testing | QA (automated) | No new defects in existing functionality | Transportation: freight routing rules unchanged after update |
| Business Acceptance Testing | BA + PO + Business Users | Business requirements fully met | Construction: subcontractor payment rules match contract |
For a complete breakdown of every testing type and when to apply them, see the guide on types of software testing and the full STLC breakdown.
Phase 6 – Deployment and Maintenance: The Phase That Never Actually Ends
Deployment is not the finish line. It’s the beginning of the maintenance lifecycle, which — depending on the system — can run for 5, 10, or 20 years. Every production system accumulates technical debt, regulatory updates, integration changes, and user-driven enhancement requests. The SDLC doesn’t end at release; it cycles back to Phase 1 for every change request that follows.
In transportation, a freight management platform deployed for a mid-size logistics company ran into a production issue within 48 hours of launch: a routing algorithm that worked perfectly in the test environment began producing suboptimal routes under real-world traffic data conditions the test environment hadn’t replicated. The QA team had tested with synthetic data. Production used live traffic feeds. The defect wasn’t a development error — it was a test environment gap that should have been identified in Phase 5. The fix took 72 hours and cost the company approximately $140,000 in freight inefficiencies.
Good deployment and maintenance practice includes: blue-green deployment strategies that allow instant rollback, feature flags that let teams turn functionality on and off without redeployment, comprehensive monitoring and alerting from day one, and a clear process for handling production defects that involves the BA for business severity assessment.
SDLC Models Compared: Which One Does Your Team Actually Run?
The phrase “we’re Agile” covers a wide range of actual practices. Some teams are running true Scrum with disciplined sprint ceremonies. Others are running “Wagile” — waterfall requirements handed off to Agile development sprints, which produces the worst of both models. Here’s how the major SDLC models compare in practice.
| Model | Structure | Best For | BA Role | Risk Profile |
|---|---|---|---|---|
| Waterfall | Sequential phases, formal handoffs | Fixed-scope regulated projects (defense, compliance) | Heavy upfront requirements; limited post-handoff involvement | High — defects discovered late are expensive |
| Agile / Scrum | Iterative sprints, continuous delivery | Products with evolving requirements | Embedded throughout; continuous refinement | Lower — defects caught early in short cycles |
| SAFe | Agile at scale; PI planning cadence | Large enterprise, multi-team programs | Team-level BA + program-level business architect | Managed — structured governance with Agile flexibility |
| Kanban | Continuous flow; work-in-progress limits | Maintenance, support, ops-heavy teams | On-demand requirements; rapid response | Low structural risk; high if flow limits ignored |
| Spiral | Risk-driven iterations with prototyping | High-risk, complex systems (aerospace, medical devices) | Risk analysis and iterative requirements refinement | Low — risk is systematically evaluated each cycle |
“Wagile” — the unofficial sixth model — is what happens when leadership mandates Agile ceremonies but still expects a full requirements specification before development starts and a formal sign-off process that takes longer than the sprint. It’s the worst of both worlds: the rigidity of Waterfall without the predictability, and the velocity pressure of Agile without the flexibility. If your team is in this model, the first fix is not a new tool or framework — it’s a direct conversation about what Agile actually means for your organization’s delivery model.
The SDLC Across Industries: Where the Stakes Are Highest
The SDLC framework is universal, but its application varies significantly by industry. Regulatory environment, risk tolerance, compliance requirements, and organizational structure all shape how each phase is executed. Here’s what that looks like in practice across eight industries.
| Industry | SDLC Model Typical | Critical Phase | Regulatory Driver | Real Consequence of SDLC Failure |
|---|---|---|---|---|
| Healthcare | Waterfall / Hybrid | Requirements + Testing | HIPAA, HL7, FHIR, FDA 21 CFR Part 11 | Misrouted patient data; delayed treatments; OCR fines up to $1.9M per violation |
| Banking | Waterfall / SAFe | Requirements + Security Testing | OCC, FFIEC, Basel III, Dodd-Frank | Incorrect interest calculations; regulatory consent orders; customer remediation costs |
| Retail | Agile / Scrum | Design + Performance Testing | PCI-DSS, CCPA, state consumer laws | Checkout failures during peak sales events; lost revenue; cart abandonment |
| Finance | Waterfall / Hybrid | Requirements + UAT | SEC, FINRA, SOX, MiFID II | Incorrect trade calculations; audit findings; enforcement actions |
| Technology | Agile / DevOps | Development + CI/CD | SOC 2, ISO 27001, GDPR | Security breaches; SLA violations; customer churn |
| Telecom | SAFe / Agile | Design + Performance | FCC, CPNI, NET Act | Network outages; billing errors affecting millions of accounts |
| Construction | Waterfall / Hybrid | Requirements + UAT | AIA contracts, OSHA, local building codes | Billing errors; contract disputes; safety reporting gaps |
| Transportation | Agile / Kanban | Testing + Deployment | DOT, FMCSA, ELD mandate | Route inefficiencies; compliance violations; fleet management gaps |
The pattern across all eight industries is consistent: the industries with the highest regulatory burden tend to have the most rigorous requirements phases and the most formalized testing — because the cost of getting it wrong is measured in regulatory sanctions, customer harm, or both. Organizations that treat requirements as a checkbox rather than a discipline pay for that decision at every phase that follows.
Role Activity Matrix: Who’s Active in Each SDLC Phase
This matrix maps each role to each SDLC phase, showing their level of involvement. “Leads” means primary ownership. “Active” means regular, substantive participation. “Consults” means available for specific input. “Monitors” means periodic oversight. Blank means no typical involvement.
| Role | Planning | Requirements | Design | Development | Testing | Deployment |
|---|---|---|---|---|---|---|
| Business Analyst | Active | Leads | Active | Consults | Leads BAT | Monitors |
| Product Owner | Leads | Active | Consults | Active | Accepts | Decides |
| QA Analyst | — | Consults | Consults | Active | Leads | Supports |
| Developer | Consults | Consults | Active | Leads | Supports | Active |
| Solution Architect | Consults | Consults | Leads | Active | Monitors | Consults |
| Scrum Master | Active | Facilitates | Facilitates | Leads | Facilitates | Supports |
| Project Manager | Leads | Monitors | Monitors | Monitors | Monitors | Active |
| Business Stakeholder | Approves | Active | Reviews | — | BAT/UAT | Signs off |
Where SDLC Handoffs Break Down – and How to Fix Them
The majority of SDLC failures don’t happen within a phase. They happen at the boundaries between phases — the handoffs where information transfers from one team to another, carrying assumptions, gaps, and misinterpretations along with it.
The handoff gap rule: Every time a deliverable moves from one role to another without a structured review conversation, the receiving team is forced to make assumptions. Every assumption is a potential defect. Every defect found in testing costs 4-6x what it would cost to fix in requirements. Every defect found in production costs 10-100x.
| Handoff Point | Common Failure Mode | Industry Example | Structural Fix |
|---|---|---|---|
| Requirements → Design | Architect makes design decisions based on incomplete requirements | Banking: payment system designed without considering real-time settlement rules | BA walks architect through requirements; architect confirms coverage before design starts |
| Design → Development | Developers interpret design specs differently than the architect intended | Retail: API contract designed for synchronous calls; devs built asynchronous — broke checkout flow | Design walkthrough with dev team before sprint 1; dev lead signs off on interpretation |
| Development → QA | QA receives code that hasn’t been unit tested; test environment not ready | Telecom: billing module reached QA with 23 known unit test failures still open | Definition of Done includes passing unit tests and environment readiness check |
| QA → BAT | BA not involved in QA; BAT re-discovers defects QA already knew about | Healthcare: BA found 12 defects in BAT that were in QA’s known issues log for two weeks | Weekly BA/QA sync during testing phase; shared defect tracking with business severity field |
| BAT → Deployment | Open P2 defects deployed without explicit PO sign-off | Finance: trading platform went live with unresolved rounding error in P&L calculation | Go/no-go gate: every open defect above P3 requires explicit PO sign-off to proceed |
| Deployment → Maintenance | No handoff to operations; monitoring gaps; BA not available for production defect triage | Transportation: freight platform launched with no on-call BA; route logic defect misdiagnosed as infrastructure issue | Runbook created by BA + dev; BA on-call for first 72 hours post-deployment |
SDLC vs. STLC: Understanding the Relationship
The SDLC and the Software Testing Life Cycle (STLC) are related but distinct. The SDLC is the macro framework for the entire delivery process. The STLC is the structured process within Phase 5 — the testing phase — that governs how testing is planned, executed, and reported.
| Dimension | SDLC | STLC |
|---|---|---|
| Scope | Full delivery lifecycle from idea to production | Testing lifecycle from test planning to closure |
| Primary Owner | Project Manager / PO | QA Lead / BA |
| Phases | Planning, Requirements, Design, Dev, Testing, Deployment | Test Planning, Test Case Design, Environment Setup, Execution, Defect Reporting, Closure |
| Relationship | Contains the STLC as a subprocess of Phase 5 | Runs within the SDLC testing phase |
| Entry Criteria | Approved project charter and business case | Completed development, approved requirements, test environment available |
A common mistake is treating the STLC as synonymous with QA testing. It’s not. The STLC includes business acceptance testing — the phase where the BA validates that everything built and technically tested actually meets the business requirements. For a complete breakdown of all testing types and how they map to the STLC, see the dedicated guides.
10 SDLC Best Practices That Separate High-Performing Teams
These aren’t theoretical frameworks. They’re operational habits observed in teams that consistently deliver on time, within budget, and to stakeholder satisfaction across high-stakes industries.
- BA stays embedded through all six phases. Not just in requirements. The BA who disappears after Phase 2 guarantees a BAT cycle full of surprises.
- Requirements are baselined before design begins. Every assumption made in design without a baselined requirement is a defect that hasn’t been discovered yet.
- QA participates in requirements review. If QA can’t write a test case for an acceptance criterion, that criterion isn’t ready.
- Architecture reviews include the BA. The architect designs the how. The BA confirms the design still supports the what. Both perspectives are required.
- 3 Amigos sessions are non-negotiable for complex stories. BA + QA + Dev alignment before development starts eliminates the most expensive category of mid-sprint defect.
- Definition of Done includes BAT sign-off. A story is not done until the BA has confirmed the business requirements are met — not just when the code compiles and the tests pass.
- Defect severity is assessed by business impact, not technical complexity. The BA and PO own this assessment. QA and dev own the technical severity — but business priority is a separate decision.
- Test environments match production as closely as possible. The transportation routing defect example above is a direct consequence of synthetic test data that didn’t reflect production conditions.
- Every phase gate has named accountabilities. “The team reviews” is not an accountability. “The BA signs off on requirements completeness by sprint planning” is an accountability.
- Retrospectives address SDLC process, not just team dynamics. Which phase produced the most defects this sprint? Which handoff created the most rework? Those are SDLC process questions that most retrospectives never ask.
The SDLC Is a People Framework. Treat It That Way.
Every SDLC failure — in every industry, at every scale — has a people component. A requirement that wasn’t asked. A design decision made without stakeholder input. A defect triaged by someone who didn’t have the business context to assess its real impact. A deployment that went live without anyone checking whether the BA had signed off.
The six phases don’t deliver software. The people in those phases do — if their roles are clear, their accountabilities are explicit, and their handoffs are structured conversations rather than document drops.
The BA is the connective tissue of the entire SDLC. Not because they own every phase, but because they carry the business intent — the original reason the software is being built — from Phase 1 all the way through to production sign-off. When the BA is present, informed, and embedded, every other role performs better. When the BA exits early or operates in a silo, the gap fills with assumptions. And assumptions are just defects that haven’t been discovered yet.
Build the process. Define the roles. Close the handoff gaps. The software will follow.
For the complete role and framework context referenced throughout this post, explore the guides on Business Analysis, Product Ownership, Quality Assurance, Scrum, types of testing, the Software Testing Life Cycle, and the full SDLC guide at TechFitFlow.