SlideShare a Scribd company logo

Middleware Soa Qualification Process Ver 2

D
David Stephenson

This document discusses approaches to qualifying and validating middleware and service-oriented architectures. It begins by defining middleware and service-oriented architecture. It then explains that traditional validation approaches do not work for these complex technologies due to their interconnected nature. The document proposes a risk-based approach involving three questions to evaluate each service and determine the appropriate validation or qualification method. Based on the answers, services would fall into fundamental, medium, or advanced categories requiring different deliverables and levels of testing to ensure compliance. Following this methodology allows for a compliant yet pragmatic validation approach tailored to each service.

1 of 7
Downloaded 19 times
1
2
3
4
5
6
7
Qualification/Validation of Middleware and Service Oriented Architectures Companies in regulated Life Sciences Industries must ensure that all computer systems critical to product quality or patient safety are validated. For many years we have streamlined the processes for application validation and developed a methodology for ensuring the compliance of a single component of Infrastructure. This has all become quite commonplace, however when we approach the subject of Middleware and Service Oriented Architecture, the standard approach to validation or qualification becomes unusable due to the very complex nature of the technology. These items are defined as: Middleware Middleware is any software that allows other software to interact; it connects different parts of an application or a series of applications and provides a transparent means of accessing information between clients and servers. Think of it as a sort of glue that holds together a network and its connected computers Examples being: • Websphere • Integration Services (Architectures) • Active Directory • Oracle Fusion We have spent a great deal of time getting all of our applications and Infrastructure into compliance. We now need to look closely at what is left, to ensure our overall systems and architectures are compliant. Service Oriented Architecture (SOA) Is a new approach (which will eventually replace middleware) to connecting applications used as services rather than individual applications so that they can communicate with and take advantage of each other. This connection allows sharing of functions, typically business functions, in a widespread and flexible manner So now we know what we are dealing with, the question we must ask ourselves is... Do we Validate or Qualify? This is a key question to answer when referring to Middleware/SOA, due to the differing amount of effort required to perform both activities, and in the present environment of risk based assessment, it is important to expend an appropriate amount of effort to ensure the appropriate level of compliance.
If we approach Middleware/SOA as software items that facilitate certain functions, we can ask the question, “do we need to validate or qualify?” the answer to which will lead to a number of other questions relating to the software, such as: • What GAMP software category does the item belong to? • Does the item interface with GxP applications? • Is the transported data modified when passing through it? • Are standard Validation or Qualification methods applied? These questions would usually help us to think about the application of validation or qualification to each individual component, which at first appears to be an easy task. However Middleware/SOA may consist of many individual components, connected in multiple ways, resulting in a matrix of connections, and producing multiple paths through which the required information can pass between applications. For example the diagram below shows the many routes which information could travel to pass from application A to application B: From this, it becomes apparent that there is a potential for almost endless testing of every one of the possible pathways that exist between applications A and B in order to meet regulatory requirements. However if we approach the Middleware/SOA item as a service i.e. what business process does it support, we can test the functionality using that very process, the first step being the application of a riak based approach. A Risk Based Approach The first step towards attaining compliant Middleware/SOA, is to apply a risk based approach, incorporating risk management activities as we progress. This can be initiated by asking relevant questions concerning the service in question: • What is the nature of the particular service? • Does the service interface with other applications (GxP or otherwise)? • How configurable is the transport mechanism? • What is the GxP relevance of the data transported? • What risk are we prepared to take (based upon the amount of data verification performed by recipient applications)? • What is the extent to which the transmitted data is manipulated or transformed?
However, if we are to progress with our process of evaluation, we must provide a methodology that is both simple and easy to follow Therefore we could start our process by asking three simple questions of the middleware/SOA: Does the Service in question: 1. Exchange data with any other Regulatory or Business Critical applications? 2. Modify or encapsulate any Regulatory or Business Critical data? 3. Is the data transported, validated or verified by the recipient application? This can be described in the following flow chart These key questions can be interpreted as below: Question Meaning Does the service Does the service exchange data with any software exchange data with any application that has a specific user defined business other Regulatory or purpose which has either Regulatory or Business Critical Business Critical impact? applications Does the service Modify Does the service take regulatory or business critical data or encapsulate any from an application and change it in any way, (reformat, Regulatory or Business truncate, compile, convert etc.), so it leaves the service Critical data? differently to when it arrived Is the data transported, Is the data that is transported by the service validated or validated or verified by verified (checked for accuracy etc) by the applications the recipient providing the data and the applications receiving it applications?
Once this evaluation has been performed, we then have a starting point for our validation/qualification process flow for determining the method of compliance required on a case by case basis with any applicable service. From the previous process flow diagram, it can be seen that as we work through the evaluation questions above, we can determine the different type of testing required (Validation or Qualification) for each individual service. This breaks down into 3 different approaches: 1. Fundamental Service, with no modification or validation of data during transport 2. Medium Service, with non modified transport functionality, or with modified content validated by the application 3. Advanced Service, which modifies regulatory or business critical data and the data is not validated by the application Each of these three approaches can be further described by referring to the expanded flow diagram overleaf, which splits the original flowchart into 3 distinct processes, each with its own deliverables.
Service Qualification/Validation Process With Recommended Deliverables
The output from each of the three swim lanes describes what the expected deliverables are following the testing of each particular service line, these can be summarised as: Val/Qual Deliverable Service Type Service Type Service Type approach Fast Track • Configuration Item Specification Fundamental MEDIUM ADVANCED • IQ/OQ 1st Qualification • Requirements Specification (including of type traceability) • Systems Specification (Functional Spec, Design Spec, Technical Specification) • Qualification Plan • Risk Assessment • IQ/OQ • Qualification Report As in Basic Service plus: • Include Transactions in Functional Spec • Transaction Set Up • End to End Testing in OQ As in Medium service plus: • Include Unit Testing if Direct Coding Used • Validation Plan • User Requirements Spec • IQ, OQ, PQ • Validation Summary Report In conclusion, if we follow the previous methodology, we can achieve a compliant yet pragmatic approach to the testing and subsequent Qualification/Validation of our Middleware and Service Oriented Architectures, providing the relevant deliverables, as required by the regulatory authorities.
David. K. Stephenson Biography David Stephenson is a highly experienced Regulatory Compliance Principal Consultant, with detailed knowledge of Computer System Validation and particular expertise in IT Infrastructure. David has gained considerable consultancy expertise, working for a succession of blue-chip clients in Validation and IS compliance assignments. Roles have ranged from computer system validation of business and process solutions to qualification and testing of IT Infrastructure across multiple European sites and 21 CFR Part 11 assessment and procedural remediation. Most recently, he has been addressing issues with Validation of Pharmacovigilance systems and the introduction of an IS compliance strategy (including IS Security). David was a member of the GAMP Special Interest Group that was responsible for authoring the Good Practice Guide for Infrastructure Compliance and recently has performed Subject Matter Expert duties for the ISPE CPIP certification program. In addition to this strong industry experience and excellent consultancy track record, David has a very strong customer focus, and excellent communication skills, combined with man management of substantial teams. David is presently the Regulatory Compliance Services & Solutions Leader (SME) for Computer Task Group (CTG). Phone: +44 (0) 118 975 0877 Fax: +44 (0) 118 931 0249 Mobile: +44 (0) 7891 343814 E-Mail: David.stephenson@CTG.com

More Related Content

Similar to Middleware Soa Qualification Process Ver 2 (20)

PPT
Gamp Riskbased Approch To Validation
Rajendra Sadare
 
PPTX
Software engineering Unit 2(Updated)2.pptx
singhpriyansh0510
 
PDF
CISQ Introduction & Objectives - Dr. Bill Curtis
CISQ - Consortium for IT Software Quality
 
PPTX
Testing a service
Johan Hoberg
 
PDF
Blokland & Mengerink - Testing Cloud Services - EuroSTAR 2012
TEST Huddle
 
PDF
SaaS System Validation, practical tips on getting validated for go-live and t...
Steffan Stringer
 
PPT
Soa Test Methodology
Diwakar Venkata
 
PPSX
Verifying and Validating Requirements
Ravikanth-BA
 
PDF
Bli.it concepts-regarding-gamp-guide-en
BLI.IT
 
PPTX
How to Measure the the Quality of Service in Cloud Based Technology?
Madushi Rathnayake
 
PDF
High-flying Cloud Testing Techniques
TechWell
 
PPT
Validation ksd
uyyalamuralikrishna
 
PDF
IMTs testimonials: The case of IMAPS in the GR Public Sector
Yannis Charalabidis
 
PPT
Se lect9 btech
IIITA
 
PPTX
Quality & Reliability in Software Engineering
SivaRamaSundar Devasubramaniam
 
PPTX
Improving our Approach Towards Capturing Value in Requirements
Osama M. Khaled
 
PPTX
Testing Cloud Services - Kees Blokland and Jeroen Mengerink
Kees Blokland
 
PDF
A study on quality parameters of software and the metrics for evaluation
IAEME Publication
 
PDF
A study on quality parameters of software and the metrics
iaemedu
 
PDF
A study on quality parameters of software and the metrics
iaemedu
 
Gamp Riskbased Approch To Validation
Rajendra Sadare
 
Software engineering Unit 2(Updated)2.pptx
singhpriyansh0510
 
CISQ Introduction & Objectives - Dr. Bill Curtis
CISQ - Consortium for IT Software Quality
 
Testing a service
Johan Hoberg
 
Blokland & Mengerink - Testing Cloud Services - EuroSTAR 2012
TEST Huddle
 
SaaS System Validation, practical tips on getting validated for go-live and t...
Steffan Stringer
 
Soa Test Methodology
Diwakar Venkata
 
Verifying and Validating Requirements
Ravikanth-BA
 
Bli.it concepts-regarding-gamp-guide-en
BLI.IT
 
How to Measure the the Quality of Service in Cloud Based Technology?
Madushi Rathnayake
 
High-flying Cloud Testing Techniques
TechWell
 
Validation ksd
uyyalamuralikrishna
 
IMTs testimonials: The case of IMAPS in the GR Public Sector
Yannis Charalabidis
 
Se lect9 btech
IIITA
 
Quality & Reliability in Software Engineering
SivaRamaSundar Devasubramaniam
 
Improving our Approach Towards Capturing Value in Requirements
Osama M. Khaled
 
Testing Cloud Services - Kees Blokland and Jeroen Mengerink
Kees Blokland
 
A study on quality parameters of software and the metrics for evaluation
IAEME Publication
 
A study on quality parameters of software and the metrics
iaemedu
 
A study on quality parameters of software and the metrics
iaemedu
 

Middleware Soa Qualification Process Ver 2

  • 1. Qualification/Validation of Middleware and Service Oriented Architectures Companies in regulated Life Sciences Industries must ensure that all computer systems critical to product quality or patient safety are validated. For many years we have streamlined the processes for application validation and developed a methodology for ensuring the compliance of a single component of Infrastructure. This has all become quite commonplace, however when we approach the subject of Middleware and Service Oriented Architecture, the standard approach to validation or qualification becomes unusable due to the very complex nature of the technology. These items are defined as: Middleware Middleware is any software that allows other software to interact; it connects different parts of an application or a series of applications and provides a transparent means of accessing information between clients and servers. Think of it as a sort of glue that holds together a network and its connected computers Examples being: • Websphere • Integration Services (Architectures) • Active Directory • Oracle Fusion We have spent a great deal of time getting all of our applications and Infrastructure into compliance. We now need to look closely at what is left, to ensure our overall systems and architectures are compliant. Service Oriented Architecture (SOA) Is a new approach (which will eventually replace middleware) to connecting applications used as services rather than individual applications so that they can communicate with and take advantage of each other. This connection allows sharing of functions, typically business functions, in a widespread and flexible manner So now we know what we are dealing with, the question we must ask ourselves is... Do we Validate or Qualify? This is a key question to answer when referring to Middleware/SOA, due to the differing amount of effort required to perform both activities, and in the present environment of risk based assessment, it is important to expend an appropriate amount of effort to ensure the appropriate level of compliance.
  • 2. If we approach Middleware/SOA as software items that facilitate certain functions, we can ask the question, “do we need to validate or qualify?” the answer to which will lead to a number of other questions relating to the software, such as: • What GAMP software category does the item belong to? • Does the item interface with GxP applications? • Is the transported data modified when passing through it? • Are standard Validation or Qualification methods applied? These questions would usually help us to think about the application of validation or qualification to each individual component, which at first appears to be an easy task. However Middleware/SOA may consist of many individual components, connected in multiple ways, resulting in a matrix of connections, and producing multiple paths through which the required information can pass between applications. For example the diagram below shows the many routes which information could travel to pass from application A to application B: From this, it becomes apparent that there is a potential for almost endless testing of every one of the possible pathways that exist between applications A and B in order to meet regulatory requirements. However if we approach the Middleware/SOA item as a service i.e. what business process does it support, we can test the functionality using that very process, the first step being the application of a riak based approach. A Risk Based Approach The first step towards attaining compliant Middleware/SOA, is to apply a risk based approach, incorporating risk management activities as we progress. This can be initiated by asking relevant questions concerning the service in question: • What is the nature of the particular service? • Does the service interface with other applications (GxP or otherwise)? • How configurable is the transport mechanism? • What is the GxP relevance of the data transported? • What risk are we prepared to take (based upon the amount of data verification performed by recipient applications)? • What is the extent to which the transmitted data is manipulated or transformed?
  • 3. However, if we are to progress with our process of evaluation, we must provide a methodology that is both simple and easy to follow Therefore we could start our process by asking three simple questions of the middleware/SOA: Does the Service in question: 1. Exchange data with any other Regulatory or Business Critical applications? 2. Modify or encapsulate any Regulatory or Business Critical data? 3. Is the data transported, validated or verified by the recipient application? This can be described in the following flow chart These key questions can be interpreted as below: Question Meaning Does the service Does the service exchange data with any software exchange data with any application that has a specific user defined business other Regulatory or purpose which has either Regulatory or Business Critical Business Critical impact? applications Does the service Modify Does the service take regulatory or business critical data or encapsulate any from an application and change it in any way, (reformat, Regulatory or Business truncate, compile, convert etc.), so it leaves the service Critical data? differently to when it arrived Is the data transported, Is the data that is transported by the service validated or validated or verified by verified (checked for accuracy etc) by the applications the recipient providing the data and the applications receiving it applications?
  • 4. Once this evaluation has been performed, we then have a starting point for our validation/qualification process flow for determining the method of compliance required on a case by case basis with any applicable service. From the previous process flow diagram, it can be seen that as we work through the evaluation questions above, we can determine the different type of testing required (Validation or Qualification) for each individual service. This breaks down into 3 different approaches: 1. Fundamental Service, with no modification or validation of data during transport 2. Medium Service, with non modified transport functionality, or with modified content validated by the application 3. Advanced Service, which modifies regulatory or business critical data and the data is not validated by the application Each of these three approaches can be further described by referring to the expanded flow diagram overleaf, which splits the original flowchart into 3 distinct processes, each with its own deliverables.
  • 5. Service Qualification/Validation Process With Recommended Deliverables
  • 6. The output from each of the three swim lanes describes what the expected deliverables are following the testing of each particular service line, these can be summarised as: Val/Qual Deliverable Service Type Service Type Service Type approach Fast Track • Configuration Item Specification Fundamental MEDIUM ADVANCED • IQ/OQ 1st Qualification • Requirements Specification (including of type traceability) • Systems Specification (Functional Spec, Design Spec, Technical Specification) • Qualification Plan • Risk Assessment • IQ/OQ • Qualification Report As in Basic Service plus: • Include Transactions in Functional Spec • Transaction Set Up • End to End Testing in OQ As in Medium service plus: • Include Unit Testing if Direct Coding Used • Validation Plan • User Requirements Spec • IQ, OQ, PQ • Validation Summary Report In conclusion, if we follow the previous methodology, we can achieve a compliant yet pragmatic approach to the testing and subsequent Qualification/Validation of our Middleware and Service Oriented Architectures, providing the relevant deliverables, as required by the regulatory authorities.
  • 7. David. K. Stephenson Biography David Stephenson is a highly experienced Regulatory Compliance Principal Consultant, with detailed knowledge of Computer System Validation and particular expertise in IT Infrastructure. David has gained considerable consultancy expertise, working for a succession of blue-chip clients in Validation and IS compliance assignments. Roles have ranged from computer system validation of business and process solutions to qualification and testing of IT Infrastructure across multiple European sites and 21 CFR Part 11 assessment and procedural remediation. Most recently, he has been addressing issues with Validation of Pharmacovigilance systems and the introduction of an IS compliance strategy (including IS Security). David was a member of the GAMP Special Interest Group that was responsible for authoring the Good Practice Guide for Infrastructure Compliance and recently has performed Subject Matter Expert duties for the ISPE CPIP certification program. In addition to this strong industry experience and excellent consultancy track record, David has a very strong customer focus, and excellent communication skills, combined with man management of substantial teams. David is presently the Regulatory Compliance Services & Solutions Leader (SME) for Computer Task Group (CTG). Phone: +44 (0) 118 975 0877 Fax: +44 (0) 118 931 0249 Mobile: +44 (0) 7891 343814 E-Mail: [email protected]