Proprietary and Confidential. IT Compliance in 2015 - Beyond the "V" Model. Arik Gorban, July 23, 2015.

IT Compliance in 2015 - Beyond the “v” model


Page 1: IT Compliance in 2015 - Beyond the “v” model


IT Compliance in 2015 - Beyond the "V" Model

Arik Gorban, July 23, 2015

Page 2: IT Compliance in 2015 - Beyond the “v” model


Today's Speaker

Veteran in computer systems compliance with over 25 years of experience in strategic regulatory compliance consulting, application life cycle management, and quality system implementation for the Life Sciences industry.

Has led IT compliance projects for many Life Science and technology companies, and has consulted major companies on global quality system harmonization.

An international authority on the risk-based approach to computer validation and regulatory compliance management. Frequent lecturer at professional conferences, user group meetings, and events on IT compliance, validation, and Part 11 topics.

Leads the development of IGATE Life Sciences’ Quality & Compliance practices and IGATE’s compliance solutions and services for Cloud Computing and Mobility.

Leads client initiatives to integrate and harmonize IT-related compliance strategies, methodologies, and tools across the organization and across the regulatory landscape (e.g., FDA, SOX, and EU Annex 11).

Arik Gorban, Associate Vice President, Consulting & Solutions, IGATE Life Sciences

Page 3: IT Compliance in 2015 - Beyond the “v” model


Today's Agenda

IT compliance issues facing the Life Sciences industry
Background – the industry today
New challenges
Lean, risk-based CSV
Real-life case study
Next steps

Page 4: IT Compliance in 2015 - Beyond the “v” model


Objective

We'll take a fresh look at CSV and a risk management approach that is effective, efficient, and enables the adoption of new technologies, methodologies, and service models with external providers.

A validation process that:
– Supports a true risk-based approach that is flexible and feasible with new technologies (cloud, mobility, IoT), new system lifecycle approaches (Agile), and new service models (SaaS).
– Ensures the quality of the validated system.
– Reduces business and operational risks.
– Increases the level of regulatory compliance.
– Reduces compliance costs.

Page 5: IT Compliance in 2015 - Beyond the “v” model


Issues that often bother Life Sciences executives

I feel frustrated with the cost and effort associated with the Computer System Validation (CSV).

My vendor tells me that they validated the system that we want to implement but QA tells me that we still need to validate it.

We have detailed procedures and extensive training but still inadequate results.

Repeated review cycles of validation documentation are causing costly project delays.

We are under pressure to reduce IT costs and adopt new technologies and methodologies, but our validation process prevents us from doing that.

My projects suffer from long debates and re-work due to different opinions on CSV-related activities.

Our risk-based approach takes longer and costs us more than our old process.

Page 6: IT Compliance in 2015 - Beyond the “v” model


Issues & Opportunities in IT Compliance

[Figure: quadrant chart with axes Cost (low to high) and Risk (low to high); an arrow labelled "Opportunities to reduce costs and reduce risks" points toward the target region.]

Quadrant I: High risk, under-spend, non-compliant
Quadrant II: High risk, lack of CSV understanding, over-spend, still not compliant
Quadrant III: Inefficient, ineffective CSV; over-spend on marginal value-add activities; highly compliant
Quadrant IV: Highly compliant, under-spend; not attainable
Target region: "In compliance" and "Budget-right"

The chart labels the regions with percentages (65%, 20%, 5%, 5%, 5%).

Page 7: IT Compliance in 2015 - Beyond the “v” model


Background – Industry Today

Validation principles did not change in the last two decades. Part 11 added some requirements for electronic records and signatures but did not impose new validation requirements.

Attempts to implement harmonized and consistent risk-based CSV as an effective way to optimize the validation process often result in more cumbersome and costly validation.

Validation planning discussions are typically focused on the V-Model's system lifecycle (SLC) phases and deliverables.

SLC artifacts are the focus, not system quality and risk mitigation.

Risk assessments focus on testing to determine how much IQ, OQ, and PQ are necessary.

Page 8: IT Compliance in 2015 - Beyond the “v” model


Background – Industry Today

Risk assessments often neglect to address risk areas such as:
– User account management, system availability, data protection, user competency, system support, data ownership, non-traditional software development and technologies

The right technical, business, and regulatory experts don't always participate.

The industry needs to address new challenges:
– Cloud Computing
– Mobility and IoT – Technology and Application
– SaaS – Software as a Service Delivery Model
– Agile Software Development Methodology

Page 9: IT Compliance in 2015 - Beyond the “v” model


Risks in Today's Environment

Evolving technologies and service models
Evolving expectations and practices
Lack of transparency (actual providers, locations, support, quality practices...)
Use of open source
Rapid software development approaches
Security gaps and exposure
Availability of system and data (short term and long term)
Quality and compliance gaps
It's new. We don't know what we don't know.

Page 10: IT Compliance in 2015 - Beyond the “v” model


Lean Risk-Based CSV

Page 11: IT Compliance in 2015 - Beyond the “v” model


"V" Model

[Figure: the V model. Left arm (specification, top to bottom): User Requirements Specification, Functional Specification, Architecture Design Specification, Software Design Specification/Build. Right arm (verification, bottom to top): Development Testing (Unit, System), Installation Qualification (IQ), Functional Testing (OQ), User Acceptance Testing (PQ). The Validation Plan opens the lifecycle and the Validation Report closes it; each testing level on the right VERIFIES the specification at the same level on the left.]

Page 12: IT Compliance in 2015 - Beyond the “v” model


Risk Assessment Types

The table below describes the three levels of categorization and risk assessment that should be followed for computer system applications.

Level | Based on | Determines
System Categorization | Type of system: custom development, configured product (COTS), turnkey COTS, layered product, embedded software, smart devices, etc. | Which validation process applies (validation / qualification / verification)
Risk Profile (High-Level) | The regulatory, operational and business risks associated with the system (e.g., GxP applicability, privacy requirements, SOX applicability, and business complexity and criticality) | The overall validation strategy and required deliverables
Functional Risk Assessment | Operational and regulatory risk | Requirements for negative and boundary testing in OQ; which processes to test in PQ

Page 13: IT Compliance in 2015 - Beyond the “v” model


System Risk Profile

[Figure: radar chart of the system risk profile. Axes: data modification, regulatory un-preparedness, data loss, lack of traceability, mis-use of system, data accuracy, incorrect process - system, incorrect process - people, data falsification, system unavailability. Two series are plotted: Risk Priority before mitigation and Revised Risk after mitigation. Lowest risk is at the outer edge, highest in the center.]

Page 14: IT Compliance in 2015 - Beyond the “v” model


Lean Risk-Based CSV

Avoid mechanical and rigid CSV. Lean, risk-based CSV should be supported by the appropriate organization, people, methodology, process, execution, and tools.

Organization – clear governance, roles, responsibilities, and authorities that facilitate a true risk-based approach and ensure consistent interpretation of regulatory requirements.

People – fully trained, competent individuals with uniform interpretation throughout the corporation, and trained business owners.

Methodology – a single, fully matured set of standards with integrated risk analysis and an enhanced risk-based approach that goes beyond functional risk evaluation.

Process / Execution – a flexible process that follows a risk-based plan.

Tools – templates, guidance documents and quality reviews that are consistent and targeted to drive value.

Page 15: IT Compliance in 2015 - Beyond the “v” model


Case Study

Page 16: IT Compliance in 2015 - Beyond the “v” model


Real Life Scenario – the Problem

A company planned a move to a new location. They planned to move the whole infrastructure as is. There would be no new equipment, software, or configuration, besides new network layouts inside the building and new connections to the outside (e.g., power, network, and phone lines).

Initial validation discussions focused on how much IQ, OQ, and PQ.

Some insisted that all are required; some felt that PQ (user acceptance) is not required; and some suggested partial IQ, OQ, and PQ.

The discussions focused on standard validation phases and deliverables, rather than risks and mitigations.

The team was focused on the artifacts, not on quality objectives.

Page 17: IT Compliance in 2015 - Beyond the “v” model


Real Life Scenario – the Approach

Shifted the focus from artifacts to risk management.

Created a list of bullets that describe what can go wrong with the data center move:
– incorrect assembly
– hardware components break or get lost
– faulty network wiring
– wireless network unreliable
– incorrect network configuration
– unstable power supply
– physical security issues
– other transport, assembly, and location-related risks

Page 18: IT Compliance in 2015 - Beyond the “v” model


Real Life Scenario – the Approach

Identified risk mitigation actions that:
– reduce the impact
– reduce the likelihood
– or allow early detection

Mitigation actions included:
– configuration documentation activities
– inventory of parts
– labeling wires and components
– writing assembly scripts
– testing connectivity
– verifying that systems and applications start correctly
– printing
– verifying power supply

Page 19: IT Compliance in 2015 - Beyond the “v” model


Real Life Scenario – the Approach

The proposed activities were focused on risk mitigation and quality and compliance objectives, not driven by a list of deliverables.

The last step was mapping the activities and documentation to applicable system lifecycle phases and deliverables.
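The three steps the case study describes (list what can go wrong, pick actions that reduce impact, reduce likelihood or allow early detection, then map the chosen activities to lifecycle deliverables) can be held in a small risk register that scores each risk before and after mitigation, in the spirit of the before/after radar chart on the System Risk Profile slide. The following Python is an added example, not code from the original deck or from IGATE: the risk names and mitigation actions are taken from the case study, while the 1-5 scales, the likelihood x impact x detection priority score (the FMEA-style risk priority number), the specific score reductions, the threshold of 20 and the IQ/OQ assignments are assumptions made here for illustration.

```python
"""Risk register for the data center move case study (added example, not from the deck).

Assumed scoring model: each risk gets likelihood, impact and detection on a 1..5
scale; priority = likelihood * impact * detection (FMEA-style RPN). Each mitigation
lowers exactly one of the three factors and names the lifecycle deliverable (IQ, OQ,
PQ, ...) in which its evidence is recorded. All numbers below are illustrative.
"""
from dataclasses import dataclass, replace

FACTORS = ("likelihood", "impact", "detection")
SCALE = range(1, 6)  # 1 = best case, 5 = worst case for every factor


@dataclass(frozen=True)
class Mitigation:
    action: str
    reduces: str        # which factor the action lowers: "likelihood", "impact" or "detection"
    by: int             # points removed from that factor
    deliverable: str    # lifecycle deliverable where the evidence lands (assumed mapping)

    def __post_init__(self):
        # A mitigation that names no real factor is a planning error, not a mitigation.
        if self.reduces not in FACTORS:
            raise ValueError(f"unknown factor {self.reduces!r}; expected one of {FACTORS}")
        if self.by < 1:
            raise ValueError("a mitigation must reduce its factor by at least 1")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int     # 1 rare .. 5 almost certain
    impact: int         # 1 negligible .. 5 data loss / GxP impact
    detection: int      # 1 found immediately .. 5 found only in production
    mitigations: tuple = ()

    def __post_init__(self):
        for factor in FACTORS:
            if getattr(self, factor) not in SCALE:
                raise ValueError(f"{factor} of {self.name!r} must be within 1..5")

    def priority(self) -> int:
        return self.likelihood * self.impact * self.detection

    def mitigated(self) -> "Risk":
        """Apply every mitigation; a factor never drops below 1 (residual risk remains)."""
        scores = {factor: getattr(self, factor) for factor in FACTORS}
        for m in self.mitigations:
            scores[m.reduces] = max(1, scores[m.reduces] - m.by)
        return replace(self, **scores)


def risk_register(risks):
    """Rows (name, priority before, priority after, deliverables), highest 'before' first."""
    rows = []
    for r in risks:
        deliverables = sorted({m.deliverable for m in r.mitigations})
        rows.append((r.name, r.priority(), r.mitigated().priority(), deliverables))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def required_deliverables(risks):
    """The mapping step: lifecycle deliverables actually implied by the chosen actions."""
    return sorted({m.deliverable for r in risks for m in r.mitigations})


def unresolved(risks, threshold):
    """Risks whose residual priority still exceeds the threshold: add an action or document acceptance."""
    return [r.name for r in risks if r.mitigated().priority() > threshold]


# Constructed sample register; actions come from the case study, scores are assumed.
LABEL_WIRES = Mitigation("labeling wires and components", "likelihood", 2, "IQ")
TEST_CONN = Mitigation("testing connectivity", "detection", 2, "IQ")
INVENTORY = Mitigation("inventory of parts", "detection", 1, "IQ")
CONFIG_DOC_IMPACT = Mitigation("configuration documentation activities", "impact", 2, "IQ")
CONFIG_DOC_LIKELIHOOD = Mitigation("configuration documentation activities", "likelihood", 1, "IQ")
APP_START = Mitigation("verifying that systems and applications start correctly", "detection", 2, "OQ")
POWER = Mitigation("verifying power supply", "detection", 3, "IQ")

DATA_CENTER_MOVE = (
    Risk("faulty network wiring", 4, 4, 3, (LABEL_WIRES, TEST_CONN)),
    Risk("hardware components break or get lost", 3, 5, 2, (INVENTORY, CONFIG_DOC_IMPACT)),
    Risk("unstable power supply", 2, 5, 4, (POWER,)),
    Risk("incorrect network configuration", 3, 4, 3, (CONFIG_DOC_LIKELIHOOD, APP_START)),
    Risk("wireless network unreliable", 2, 2, 2),  # low priority, accepted without action
)

if __name__ == "__main__":
    for name, before, after, deliverables in risk_register(DATA_CENTER_MOVE):
        evidence = ", ".join(deliverables) or "none (accepted)"
        print(f"{name:40} {before:3} -> {after:3}  evidence in: {evidence}")
    print("deliverables required:", required_deliverables(DATA_CENTER_MOVE))
    print("still above threshold 20:", unresolved(DATA_CENTER_MOVE, 20))
```

Running the module prints the register sorted by pre-mitigation priority. `required_deliverables` is the mapping step from the last slide: the deliverables fall out of the actions chosen for real risks rather than being decided up front, which is why the sample set contains IQ and OQ evidence but nothing assigned to PQ. `unresolved` flags any risk whose residual score is still above the agreed threshold, so the decision to accept it is explicit and reviewable.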

Page 20: IT Compliance in 2015 - Beyond the “v” model


Benefits

Clarity on how to manage risk
Effective Data Center Move Quality Plan
Mitigation to reduce potential operational, regulatory, and business risks
Quality Plan ensured that activities and documentation met applicable company standards
Management was able to evaluate real risks and actions
The approach did not cut corners and sacrifice quality, but increased quality and compliance
Avoided allocating costly resources to low-value tasks

Page 21: IT Compliance in 2015 - Beyond the “v” model


Next Steps

Start with an overall strategy that takes into consideration short term and long term investments, risks, required controls, and benefits.

The plan and investment in a compliant environment must consider an evolutionary process which will allow the technology, controls, validation approaches, and training to be tested and refined.

Create a list of "risks" for your new environment. Identify which of the "risks" are:
– True risks to the integrity, quality, reliability, or availability of the data
– Compliance risks
– Gaps from current expectations, but not risks

Page 22: IT Compliance in 2015 - Beyond the “v” model


Next Steps

Adjust your Quality System, including system lifecycle and computer system validation policies, procedures, work instructions, guidelines, and templates, to ensure that they can be followed when systems are implemented in a new environment.

Work with Compliance Subject Matter Experts to drive a true risk-based approach.

Work with your internal stakeholders to ensure that the approach is acceptable and defendable.

Follow Life Sciences industry trends with regard to utilizing new technologies in regulated environments. Monitor agency activities, statements, and regulatory actions in order to understand their interpretation and expectations.

Page 23: IT Compliance in 2015 - Beyond the “v” model


Conclusion

Taking a fresh look at a risk-based approach to CSV would be very useful in dealing with today's dynamics due to new technologies, software and service delivery models, and frequent organizational changes.

Page 24: IT Compliance in 2015 - Beyond the “v” model


THANK YOU!

www.igate.com

For additional information or questions, please contact us by [email protected]