May 3, 2023 Proprietary and Confidential - 1 -
IT Compliance in 2015: Beyond the “V” Model
Arik Gorban, July 23, 2015
Today’s Speaker
– Veteran in computer systems compliance with over 25 years of experience in strategic regulatory compliance consulting, application life cycle management, and quality system implementation for the Life Sciences industry.
– Has led IT compliance projects for many Life Science and technology companies, besides consulting for major companies on global quality system harmonization.
– An international authority on the risk-based approach to computer validation and regulatory compliance management. Frequent lecturer at professional conferences, user group meetings, and events on IT compliance, validation, and Part 11 topics.
– Leads the development of IGATE Life Sciences’ Quality & Compliance practices and IGATE’s compliance solutions and services for Cloud Computing and Mobility.
– Leads client initiatives to integrate and harmonize IT-related compliance strategies, methodologies, and tools across the organization and across the regulatory landscape (e.g., FDA, SOX, and EU Annex 11).
Arik Gorban, Associate Vice President, Consulting & Solutions, IGATE Life Sciences
Today’s Agenda
– IT compliance issues facing the Life Sciences industry
– Background – the industry today
– New challenges
– Lean, risk-based CSV
– Real-life case study
– Next steps
Objective
We’ll take a fresh look at CSV and a risk management approach that is effective, efficient, and enables the adoption of new technologies, methodologies, and service models with external providers.
A validation process that:
– Supports a true risk-based approach that is flexible and feasible with new technologies (cloud, mobility, IoT), new system lifecycle approaches (Agile), and new service models (SaaS).
– Ensures the quality of the validated system.
– Reduces business and operational risks.
– Increases the level of regulatory compliance.
– Reduces compliance costs.
Issues that often bother Life Sciences executives
– “I feel frustrated with the cost and effort associated with Computer System Validation (CSV).”
– “My vendor tells me that they validated the system that we want to implement, but QA tells me that we still need to validate it.”
– “We have detailed procedures and extensive training but still inadequate results.”
– “Repeated review cycles of validation documentation are causing costly project delays.”
– “We are under pressure to reduce IT costs and adopt new technologies and methodologies, but our validation process prevents us from doing that.”
– “My projects suffer from long debates and re-work due to different opinions on CSV-related activities.”
– “Our risk-based approach takes longer and costs us more than our old process.”
Issues & Opportunities in IT Compliance
[Figure: quadrant chart with Cost (Low to High) on one axis and Risk (Low to High) on the other, annotated “Opportunities to reduce costs and reduce risks”.
– Quadrant I: High risk, under-spend, non-compliant.
– Quadrant II: High risk, lack of CSV understanding, over-spend, still not compliant.
– Quadrant III: Inefficient, ineffective CSV; over-spend on marginal value-add activities; highly compliant.
– Quadrant IV: Highly compliant, under-spend; not attainable.
– Target region: “In compliance” and “Budget-right”.
Share labels on the chart: 65%, 20%, 5%, 5%, 5%.]
Background – Industry Today
– Validation principles did not change in the last two decades. Part 11 added some requirements for electronic records and signatures but did not impose new validation requirements.
– Attempts to implement harmonized and consistent risk-based CSV as an effective way to optimize the validation process often result in more cumbersome and costly validation.
– Validation planning discussions are typically focused on the V-Model’s system lifecycle (SLC) phases and deliverables.
– SLC artifacts are the focus, not system quality and risk mitigation.
– Risk assessments focus on testing to determine how much IQ, OQ, and PQ are necessary.
Background – Industry Today
– Risk assessments often neglect to address risk areas such as user account management, system availability, data protection, user competency, system support, data ownership, and non-traditional software development and technologies.
– The right technical, business, and regulatory experts don’t always participate.
– The industry needs to address new challenges:
  – Cloud Computing
  – Mobility and IoT – Technology and Application
  – SaaS – Software as a Service Delivery Model
  – Agile Software Development Methodology
Risks in Today’s Environment
– Evolving technologies and service models
– Evolving expectations and practices
– Lack of transparency (actual providers, locations, support, quality practices...)
– Use of open source
– Rapid software development approaches
– Security gaps and exposure
– Availability of system and data (short term and long term)
– Quality and compliance gaps
– It’s new. We don’t know what we don’t know.
Lean Risk-Based CSV
“V” Model
[Figure: the “V” Model. Left side (specification, top to bottom): Validation Plan, User Requirements Specification, Functional Specification, Architecture Design Specification, Software Design Specification / Build. Right side (testing, bottom to top): Development Testing (Unit, System), Installation Qualification (IQ), Functional Testing (OQ), User Acceptance Testing (PQ), Validation Report. Each testing level on the right verifies the specification at the same level on the left: PQ verifies the user requirements, OQ the functional specification, and IQ the design specification.]
Risk Assessment Types
The table below describes the three levels of categorization and risk assessment that should be followed for computer system applications.
1. System Categorization
   – Basis: type of system (custom development, configured product (COTS), turnkey COTS, layered product, embedded software, smart devices, etc.)
   – Output: determine which validation process applies (validation / qualification / verification)
2. Risk Profile (High-Level)
   – Basis: the regulatory, operational, and business risks associated with the system (e.g., GxP applicability, privacy requirements, SOX applicability, and business complexity and criticality)
   – Output: define the overall validation strategy and required deliverables
3. Functional Risk Assessment
   – Basis: operational and regulatory risk
   – Output: determine requirements for negative and boundary testing in OQ; determine which processes to test in PQ
System Risk Profile
[Figure: radar chart of the system risk profile. Axes: Data modification, Regulatory un-preparedness, Data loss, Lack of traceability, Mis-use of system, Data accuracy, Incorrect process – system, Incorrect process – people, Data falsification, System unavailability. Two series are plotted: Risk Priority (before mitigation) and Revised Risk (after mitigation). Lowest risk is at the outer edge, highest in the center.]
Lean Risk-Based CSV
Avoid mechanical and rigid CSV. Lean, risk-based CSV should be supported by the appropriate organization, people, methodology, process, execution, and tools.
– Organization – clear governance, roles, responsibilities, and authorities that facilitate a true risk-based approach and ensure consistent interpretation of regulatory requirements.
– People – fully trained, competent individuals with a uniform interpretation throughout the corporation, and trained business owners.
– Methodology – a single, fully matured set of standards with integrated risk analysis and an enhanced risk-based approach that goes beyond functional risk evaluation.
– Process / Execution – a flexible process that follows a risk-based plan.
– Tools – templates, guidance documents, and quality reviews that are consistent and targeted to drive value.
Case Study
Real Life Scenario – the Problem
– A company planned a move to a new location. They planned to move the whole infrastructure as is: there would be no new equipment, software, or configuration, besides new network layouts inside the building and new connections to the outside (e.g., power, network, and phone lines).
– Initial validation discussions focused on how much IQ, OQ, and PQ was needed. Some insisted that all were required; some felt that PQ (user acceptance) was not required; and some suggested partial IQ, OQ, and PQ.
– The discussions focused on standard validation phases and deliverables, rather than on risks and mitigations.
– The team was focused on the artifacts, not on quality objectives.
Real Life Scenario – the Approach
– Shifted the focus from artifacts to risk management.
– Created a list of bullets that describe what can go wrong with the data center move:
  – incorrect assembly
  – hardware components break or get lost
  – faulty network wiring
  – wireless network unreliable
  – incorrect network configuration
  – unstable power supply
  – physical security issues
  – other transport, assembly, and location-related risks
Real Life Scenario – the Approach
– Identified risk mitigation actions that:
  – reduce the impact
  – reduce the likelihood
  – or allow early detection
– Mitigation actions included:
  – configuration documentation activities
  – inventory of parts
  – labeling wires and components
  – writing assembly scripts
  – testing connectivity
  – verifying that systems and applications start correctly
  – printing
  – verifying power supply
Real Life Scenario – the Approach
– The proposed activities were focused on risk mitigation and on quality and compliance objectives, not driven by a list of deliverables.
– The last step was mapping the activities and documentation to the applicable system lifecycle phases and deliverables.
Benefits
– Clarity on how to manage risk
– Effective Data Center Move Quality Plan
– Mitigation to reduce potential operational, regulatory, and business risks
– The Quality Plan ensured that activities and documentation met applicable company standards
– Management was able to evaluate real risks and actions
– The approach did not cut corners or sacrifice quality, but increased quality and compliance
– Avoided allocating costly resources to low-value tasks
Next Steps
– Start with an overall strategy that takes into consideration short-term and long-term investments, risks, required controls, and benefits.
– The plan and investment in a compliant environment must consider an evolutionary process which will allow the technology, controls, validation approaches, and training to be tested and refined.
– Create a list of “risks” for your new environment. Identify which of the “risks” are:
  – True risks to the integrity, quality, reliability, or availability of the data
  – Compliance risks
  – Gaps from current expectations, but not risks
Next Steps
– Adjust your Quality System, including system lifecycle and computer system validation policies, procedures, work instructions, guidelines, and templates, to ensure that they can be followed when systems are implemented in a new environment.
– Work with Compliance Subject Matter Experts to drive a true risk-based approach.
– Work with your internal stakeholders to ensure that the approach is acceptable and defensible.
– Follow Life Sciences industry trends with regard to utilizing new technologies in regulated environments. Monitor agency activities, statements, and regulatory actions in order to understand their interpretation and expectations.
Conclusion
Taking a fresh look at a risk-based approach to CSV would be very useful in dealing with today’s dynamics due to new technologies, software and service delivery models, and frequent organizational changes.
THANK YOU!
www.igate.com
For additional information or questions, please contact us by [email protected]