Agile in a Regulated World, kl. 12.00 – 12.45

Mikael May Yde, Senior Compliance Consultant, epista IT A/S

Speaker

Life Science since 2001, IT since 1987

epista IT A/S 2013 - present

• Inspection Readiness, IT Compliance Plan , IT QMS,

Validation of ERP, GxP IT

H. Lundbeck A/S 2001 - 2013

• Headed Global IT Compliance, 10+ years

– Corporate Validation of applications

– Global Qualification of IT infrastructure

– Global Service Management/ITIL processes

– Corporate Information Security

– Inspection coordinator for Corporate IT

– Lean in IT

Mikael May YdeSenior Compliance

Consultant

Don’t deny – embrace!

Objectives

• What is Agile anyway?

• Agile an option or challenge in Life Science?

• Pitfalls

• Track record

• epista IT’s take on Agile

• What do you think?

Agile Manifesto - 2001

Ways of explaining agile….

Agile methodologies

• Agile software development is a group of

software development methods in which

requirements and solutions evolve through

collaboration between self-organizing, cross-

functional teams.

• Agile promotes

– Adaptive planning

– Evolutionary development

– Early delivery

– Continuous improvement

– Rapid and flexible response to change

Is Agile an Option in Life Science?

• Individuals and interactions

- over processes and tools?

• Working software

- over comprehensive documentation?

• Customer collaboration

- over contract negotiation?

• Responding to change

- over following a plan?

Are you serious?!?

Regulated domains and AgileAgile methods were initially for non-critical software projects, excluding use in regulated domains such as medical devices and pharmaceutical.

However, there are numerous standards that may apply in regulated domains, including ISO 26262, ISO 9000, ISO 9001, and ISO/IEC 15504.

Key concerns in regulated domains which may conflict with the use of agile methods:

• Quality Assurance (QA): Systematic and inherent quality management underpinning a controlled professional process and reliability and correctness of product.

• Safety and Security: Formal planning and risk management to mitigate safety risks for users and securely protecting users from unintentional and malicious misuse.

• Traceability: Documentation providing auditable evidence of regulatory compliance and facilitating traceability and investigation of problems.

• Verification and Validation (V&V): Embedded throughout the software development process (e.g. user requirements specification, functional specification, design specification, code review, unit tests, integration tests, system tests).

The Scrum framework in particular has received considerable attention.

Two derived methods have been defined:

R-Scrum (Regulated Scrum)

SafeScrum

Predictable!

Value & Risk

The Business is King

Waterfall vs Agile - Constraints

Pitfalls

• “Freeze Up-front”

– Your requirements may be in conflict

– Requirements may be incomplete

– Hard to think of every possible hazard up front

– After risks & controls frozen, future changes defeat a control

• Agile neither Ad Hoc nor Freeze Up-front

– Not a compromise - better than ‘Freeze’

• Cut Requirements risks via

– Iterative customer involvement

– Revisit Hazards & Controls each iteration

– Idea: Software that cannot be tested

• Lack of metrics just shows

– "For those who believe, no proof is necessary; For those who do not believe, no proof is possible."

”Fragile” ? Don’t go there!

Agile needs to be mature

Agile & GAMP

Prototyping - and then - V-model

If Agile is so good why isn’t everyone using it?

Planning

Don’t deny – embrace!

Questions?

Mikael May YdeSenior Compliance Consultant

_____________

epista ITSlotsmarken 17

2970 Hørsholm

Denmark

M: +45 5369 4973E: my@epistait.com