SaaS System Validation
Practical tips on getting validated for go-live and taking updates
Introduction
• Computerised System Validation
• eSource system change control
• eSource system selection
• On-site audit
Structure
• Validation
• Agile
• SaaS
• Combine!
Validation: Why Validate?
EMA’s Annex 11
‘Computerised Systems’
Principle
This annex applies to all forms of
computerised systems used as part
of a GMP regulated activities. […].
The application should be validated;
IT infrastructure should be qualified.
FDA’s 21 CFR Part 11
Subpart B—Electronic Records
§ 11.10 Controls for closed
systems.
Persons who use closed systems […]
shall employ procedures and
controls […]. Such procedures and
controls shall include the following:
(a) Validation of systems to ensure
accuracy, reliability, consistent
intended performance, and the
ability to discern invalid or altered
records.
Validation: Why Validate?
Business Impact
(extract from the GAMP 5 guideline, section 1.5 ‘Business Benefits’):
[…] Specific benefits to both regulated companies and suppliers include:

• early defect identification and resolution leading to reduced impact on cost and schedule
• cost effective operation and maintenance
• effective change management and continuous improvement
• providing frameworks for user/supplier co-operation

• assisting suppliers to produce required documentation

• promotion of common system life cycle, language, and terminology
• promoting pragmatic interpretation of regulations
• […]
‘GAMP 5, A Risk-Based Approach to Compliant GxP Computerized Systems’, ISPE, 2008
Validation: What is System Validation
‘Using SaaS in a Regulated Environment – A Life Cycle Approach to Risk Management’, ISPE, 2016
Validation: What is System Validation
Traditional validation procedures describe
• Project Phase or Initial system validation
  • An Assessment (Regulatory Applicability, System Risk, …)
  • Requirements & Specifications
  • Plan
  • Protocols which demonstrate ’fitness for intended use’
  • Matrix, matching requirements to tests
  • Report
• System Operation phase:
  • Change control
  • Periodic Review
• Retirement phase:
  • System retirement
Agile System Software Development
[Figure: Scrum cycle diagram with the labels Product Backlog, Sprint Backlog, Sprint, Daily Standup, 24h, 2-3 weeks, Iteration, Potentially shippable product]
Potential issue in the regulated industry
Agile System Software Development
[Figure: two parallel timelines.
Fast Train: System Development (V2.0 Sprint 1, V2.0 Sprint 2, V2.0 Sprint 3, V3.0 Sprint 1, V3.0 Sprint 2, V3.0 Sprint 3)
Slow Train: System Validation, Training, .. (Validation of version 1.0, Validation of version 2.0)
Version 1.0 in production!]
Agile Testing Quadrants
• Testing is key in agile development
• ‘Potentially shippable product’
• Product should be functionally tried and tested when sprint is finished
Agile Testing = OQ?
SaaS – Software As A Service
Blog post by Sion Wyn (ISPE, Conformity LTD) on ‘Cloud Computing Solutions & Providers Assessment & Management’
What is SaaS and why is it confusing?
“Some of the following factors are still confusing the discussions in the
industry: the term “cloud” is used as though it is one homogeneous thing,
without consideration that SaaS, PaaS, and IaaS are very different, for
instance, and that deployment models vary. Also, some things described
informally as cloud are not really cloud, if you recognize generally
accepted definitions of the essential characteristics of cloud, and are really
just flavours of outsourcing.”
SaaS – Software As A Service
Blog post by Sion Wyn (ISPE, Conformity LTD) on ‘Cloud Computing Solutions & Providers Assessment & Management’
Example:
A consultancy firm resells software and hosts it on its own
servers in a colocation data center (Infrastructure as a
Service, IaaS). An auditor enters the room, asks for the
coverage on backup & recovery for their service, and the
consultancy firm presents the ISO27001 or SOC certificate
from the datacentre they’ve used.
SaaS – Software As A Service
Blog post by Sion Wyn (ISPE, Conformity LTD) on ‘Cloud Computing Solutions & Providers Assessment & Management’
This certificate might be useful to mitigate risks related to:
• Physical security of the datacentre
• Business continuity aspects like internet lines
This certificate is completely irrelevant for ISO27001 aspects like:
• Backup and recovery: the datacentre doesn’t care if you back up your data
• Disaster recovery aspects: if that datacentre goes down, your servers go down too. It’s your duty to get a contract with another data center & ensure sufficient failover mechanisms
• Business continuity aspects like server failure: they’re not the datacenter’s servers
• Validation aspects, quality of software & services, SLA, …
Working with SaaS providers which create Software using an Agile methodology in a Regulated industry
Regulated Company versus SaaS Provider
Extract from ‘Using SaaS in a Regulated Environment – A Life Cycle Approach to Risk Management’, ISPE, 2016
1 Introduction
In the evolving regulated IT environment there are many things to consider when thinking of turning to the
cloud for a solution. […] While it is not universally true, SaaS providers delivering specialized support to
regulatory business processes (e.g., Clinical Trials, Release Testing, AE reporting) tend to have a good
understanding of the needs of regulated companies.
Using a SaaS provider can be an excellent option for regulated companies, but doing appropriate research and
identifying the company’s specific support needs are critical to making the right choice of SaaS provider. […]
Regulated Company versus SaaS Provider
Blog post by Sion Wyn (ISPE, Conformity LTD) on ‘Cloud Computing Solutions & Providers Assessment & Management’
Approaches to assessment and management of technology service providers must be flexible, practical, and
pragmatic, and insisting on physical audits of all providers, regardless of type of service or level of risk, is
unrealistic.
The three key elements of regulated company management of technology service providers are:
• Appropriate risk assessments (taking into account the nature of the process, the data, and in the case of cloud-based solutions, the service model and deployment model)
• Supplier/provider assessments of the primary provider and the proposed solution (including their management
of sub-suppliers)
• Agreements/Contracts/SLAs in place to establish the controls that are managed by the service provider
It is also unrealistic to insist that any service providers perform traditional and cumbersome paper-based
qualification activities, rather than encouraging them to apply effective IT good practices supported by
appropriate and modern tools and technologies.
Work together with the supplier
• Maximize supplier involvement, as encouraged by GAMP5:
2.1.5 Leveraging Supplier Involvement
Regulated companies should seek to maximize supplier involvement throughout the system life
cycle in order to leverage knowledge, experience, and documentation, subject to satisfactory
supplier assessment.
For example, the supplier may assist with requirements gathering, risk assessments, the
creation of functional and other specifications, system configuration, testing, support, and
maintenance.
Planning should determine how best to use supplier documentation, including existing test
documentation, to avoid wasted effort and duplication. Justification for the use of supplier
documentation should be provided by the satisfactory outcome of supplier assessments, which
may include supplier audits.
Documentation should be assessed for suitability, accuracy, and completeness. There should be
flexibility regarding acceptable format, structure, and documentation practices.
‘GAMP 5, A Risk-Based Approach to Compliant GxP Computerized Systems’, ISPE, 2008
Work together with the supplier
‘GAMP 5, A Risk-Based Approach to Compliant GxP Computerized Systems’, ISPE, 2008
User Involvement
We differentiate CSV Awareness & CSV Participation:
• CSV Awareness is the client becoming aware of all procedures on validation, to be able to:
  • Stand and defend the computerized system during client audits or inspections
  • Assess & even perform change control & periodic review
• CSV Participation is the client having an active role during the validation:
  • Help Key Users or Subject Matter Experts to understand applicable procedures
  • Guide Key Users or Subject Matter Experts to write scenarios & execute test scripts
“Up-to-date software with up-to-date users”
CSV participation
Validation should not be seen as a big black box at the end of each
software implementation process, but should be structured in such a way
that parts of the validation can be performed during product setup,
configuration or even proof of concept phase.
CSV participation
Speed up validation by performing activities throughout the onboarding process!
eSource is audit sensitive!
Auditors often have experience with eCRFs but not with eSource: source of confusion
eCRF system:
• Basic validation on system level
• Extensive testing on study level, eCRF solutions are often building boxes, tools to create forms, edit checks, …
eSource system:
• Extensive system level validation. E.g. Volunteer database requiring overall validation towards HIPAA, European directive on data protection, interfaces to operational devices and external labs
• Study setup verification according to a well-defined SOP
A lot to explain, and as such a high need for proper validation documentation
Practical Tips
• IQ: Limit to Installation Verification
• OQ: leverage supplier activities for validation
  GAMP5                     | Agile
  Modules                   | Epics
  User Requirements         | User Stories
  Functional Specifications | Acceptance Criteria
• CQ: Limit to configuration verification
• PQ / UAT: Use key users to execute scenarios for each module to check business processes
Conclusions
• Define internal validation SOPs!
Cf. GAMP5’s defined business benefits: ‘promote pragmatic interpretation of rules’
• Validation effort helps to streamline your business processes
• Hire validation consultants with care!
Conclusions
• Leverage documentation of your SaaS vendor (without expecting
it to be in the same form as the regulated company)
Conclusions
• Perform on-site vendor audits to assess SDLC processes
Check applicable regulations!
• 1996: Health Insurance Portability and Accountability Act, HIPAA
• FDA:
  • 2003: FDA’s 21 CFR Part 11 on Electronic Records / Electronic Signatures for US
  • 2007: FDA: Guidance for Industry: Computerized Systems Used in Clinical Investigations.
  • 2010: FDA: Guidance for Industry: Electronic Source Documentation in Clinical Investigations.
  • 2011: FDA: Guidance for Industry: Oversight of Clinical Investigations – A Risk-Based Approach to Monitoring.
• ISPE:
  • 2008: ‘GAMP 5, A Risk-Based Approach to Compliant GxP Computerized Systems’, ISPE, 2008
  • 2016: Using SaaS in a Regulated Environment – A Life Cycle Approach to Risk Management
• 2006: CDISC: Leveraging the CDISC Standards to Facilitate the use of Electronic Source Data within Clinical Trials → includes a list of requirements for eSource systems.
• 2011: EMA’s Annex 11 on computerized systems for EU
• 2016: ICH / GCP for executing clinical studies: ICH HARMONISED TRIPARTITE GUIDELINE: GUIDELINE FOR GOOD CLINICAL PRACTICE E6(R1), step 4
• 2018: EU-wide ‘Data Protection Directive’, streamlining processes for all EU countries

SaaS System Validation, practical tips on getting validated for go-live and taking updates. Lennert Jansen, Serotonine
