IT Compliance in 2015 - Beyond the “v” model

August 5, 2015 Proprietary and Confidential - 1 -
IT Compliance in 2015
Beyond the “V” Model
Arik Gorban
July 23, 2015

Today’s Speaker
 Veteran on Computer Systems compliance with over 25 years of
experience in strategic regulatory compliance consulting, application
life cycle management, and quality system implementation for the
Life Sciences industry.
 Has led IT compliance projects for many Life Science and technology
companies besides consulting major companies on global quality system
harmonization.
 An international authority on risk-based approach to computer
validation and regulatory compliance management. Frequent lecturer
at professional conferences, user group meeting, and events on IT
compliance, validation, and Part 11 topics.
 Leads the development of IGATE Life Sciences’ Quality & Compliance
practices and IGATE’s compliance solutions and services for Cloud
Computing and Mobility.
 Leads client initiatives to integrate and harmonize IT-related compliance
strategies, methodologies, and tools across the organization and across
the regulatory landscape (e.g., FDA, SOX, and EU Annex 11).
Arik Gorban
Associate Vice President
Consulting & Solutions
IGATE, Life Sciences

Today’s Agenda
 IT Compliance issues facing Life Sciences industry
 Background – the industry today
 New challenges
 Lean, risk-based CSV
 Real-life case study
 Next steps

Objective
 We’ll take a fresh look at CSV and risk management approach that is
effective, efficient, and enables the adoption of new technologies,
methodologies, and service models with external providers.
 A validation process that:
 Supports a true risk-based approach that is flexible and feasible with new
technologies (cloud, mobility, IoT), new system lifecycle approaches (Agile),
and new service models (SaaS).
 Ensures the quality of the validated system.
 Reduces business and operational risks.
 Increases the level of regulatory compliance.
 Reduces compliance costs.

Issues that often bother Life Sciences executives
I feel frustrated with the
cost and effort
associated with the
Computer System
Validation (CSV).
My vendor tells me that
they validated the
system that we want to
implement but QA tells
me that we still need to
validate it.
We have detailed
procedures and
extensive training but
still inadequate results.
Repeated review cycles
of validation
documentation is
causing costly project
delays.
We are under pressure
to reduce IT costs and
adopt new technologies
and methodologies, but
our validation process
prevents us from doing
that.
My projects suffer from
long debates and re-
work due to different
opinions on CSV related
activities.
Our risk-based approach
takes longer and costs us
more than our old
process.

Issues & Opportunities in IT Compliance
High
Low
Cost
High
Opportunitiestoreducecostsandreducerisks
5%
65%5%
Quadrant II:
High risk
Lack of CSV understanding
Over-spend
Still not-compliant
Quadrant I:
High risk
Under-spend
Non-compliant
Low
20%
5%
“In compliance”
and
“Budget-right”
Quadrant IV:
Highly-compliant
Under-spend
Not attainable
Risk
Quadrant III:
Inefficient, ineffective CSV
Over-spend on marginal
value add activities
Highly compliant

Background – Industry Today
 Validation principles did not change in the last two decades.
 Part 11 added some requirements for electronic records and signature
but did not impose new validation requirements.
 Attempts to implement harmonized and consistent risk-based CSV as an
effective way to optimize the validation process often result in more
cumbersome and costly validation.
 Validation planning discussions are typically focused on the V-Model’s
system lifecycle (SLC) phases and deliverables.
 SLC artifacts are the focus, not system quality and risk mitigation.
 Risk assessments focus on testing to determine how much IQ, OQ, and
PQ are necessary.

Background – Industry Today
 Risk assessments often neglect to address risk areas, such as:
– User account management, system availability, data protection, user
competency, system support, data ownership, non-traditional software
development and technologies
 The right technical, business, and regulatory experts don’t always
participate
 The industry needs to address new challenges:
– Cloud Computing
– Mobility and IoT – Technology and Application
– SaaS – Software as a Service Delivery Model
– Agile Software Development Methodology

Risks in Today’s Environment
 Evolving technologies and service models
 Evolving expectations and practices
 Lack of transparency (actual providers, locations, support, quality
practices...)
 Use of open source
 Rapid software development approaches
 Security gaps and exposure
 Availability of system and data (short term and long term)
 Quality and compliance gaps
 It’s new. We don’t know what we don’t know.

August 5, 2015 Proprietary and Confidential - 10 -August 5, 2015 Proprietary and Confidential - 10 -
Lean Risk-Based CSV

“V” Model
User Requirements
Specification
Functional
Specification
Architecture Design
Specification
User Acceptance
Testing (PQ)
Validation
Report
Validation
Plan
VERIFIES
VERIFIES
VERIFIES
Installation
Qualification (IQ)
Software Design
Specification/Build
Development
Testing
(Unit, System)
Functional Testing
(OQ)

Risk Assessment Types
System
Categorization
Based on type of system: custom
development, configured product
(COTS), turnkey COTS, layered
product, embedded software, smart
devices, etc.
Determine which validation
process applies (validation /
qualification / verification)
Risk Profile
(High-Level)
Based on the regulatory, operational
and business risks associated with the
system (e.g., GxP applicability, privacy
requirements, SOX applicability, and
business complexity and criticality)
Define the overall validation
strategy and required
deliverables
Functional Risk
Assessment
Based on operational and regulatory
risk
Determine requirements for
negative and boundary testing in
OQ
Determine which processes to
test in PQ
The table below describes the three levels of categorization and risk
assessment that should be followed for computer system applications.

Data modification
Regulatory un-preparedness
Data loss
Lack of traceability
Mis-use of system
Data accuracy
Incorrect process - system
Incorrect process - people
Data falsification
System unavailability
Risk Priority-before Revised Risk-after mitigation
Lowest risk at outer edge
Highest in the center
System Risk Profile

Lean Risk-Based CSV
Avoid the mechanical and rigid CSV. Lean, risk-based CSV should be
supported by the appropriate organization, people, methodology,
process, execution, and tools.
 Organization – clear governance, roles, responsibilities, and authorities;
that facilitates a true risk based approach and ensures consistent
interpretation of regulatory requirements.
 People – fully trained competent individuals with uniform interpretation
throughout the corporation and trained business owners.
 Methodology – single, fully matured set of standards with integrated risk
analysis and enhanced risk-based approach that goes beyond functional
risk evaluation.
 Process / Execution – flexible process that follows a risk-based plan.
 Tools – templates, guidance documents and quality reviews are consistent
and targeted to drive value.

August 5, 2015 Proprietary and Confidential - 15 -August 5, 2015 Proprietary and Confidential - 15 -
Case Study

Real Life Scenario – the Problem
 A company planned a move to a new location.
 They planned to move the whole infrastructure as is.
 There will be no new equipment, software, or configuration, besides
new network layouts inside the building and new connections to the
outside (e.g., power, network, and phone lines).
 Initial validation discussions focused on how much IQ, OQ, and PQ.
 Some insisted that all are required; some felt that PQ (user acceptance)
is not required; and some suggested partial IQ, OQ, and PQ.
 The discussions focused on standard validation phases and deliverables,
rather than risks and mitigations.
 The team was focused on the artifacts, not on quality objectives.

Real Life Scenario – the Approach
 Shifted the focus from artifacts to risk management
 Created a list of bullets that describe what can go wrong with the
data center move
– incorrect assembly
– hardware components break or get lost
– faulty network wiring
– wireless network unreliable
– incorrect network configuration
– unstable power supply
– physical security issues
– other transport, assembly, and location-related risks

 Identified risk mitigation actions
– reduce the impact
– reduce the likelihood
– or allow early detection
 Mitigation actions included
– configuration documentation activities
– inventory of parts
– labeling wires and components
– writing assembly scripts
– testing connectivity
– verifying that systems and applications start correctly
– printing
– verifying power supply

 The proposed activities were focused on risk mitigation and
quality and compliance objectives, not driven by a list of
deliverables.
 The last step was mapping the activities and documentation to
applicable system lifecycle phases and deliverables.

Benefits
 Clarity on how to manage risk
 Effective Data Center Move Quality Plan
 Mitigation to reduce potential operational, regulatory,
and business risks
 Quality Plan ensured that activities and documentation
met applicable company standards
 Management was able to evaluate real risks and actions
 The approach did not cut corners and sacrifice quality,
but increased quality and compliance
 Avoided allocating costly resources to low-value tasks

Next Steps
 Start with an overall strategy that takes into consideration
short term and long term investments, risks, required controls,
and benefits.
 The plan and investment in a compliant environment must
consider an evolutionary process which will allow the
technology, controls, validation approaches, and training to be
tested and refined.
 Create a list of “risks” for your new environment. Identify
which of the “risks” are:
 True risks to the integrity, quality, reliability, or availability
of the data
 Compliance risks
 Gaps from current expectations, but not risks

Next Steps
 Adjust your Quality System, including system lifecycle and
computer system validation policies, procedures, work
instruction, guidelines, and templates to ensure that they can
be followed when systems are implemented in a new
environment.
 Work with Compliance Subject Matter Experts to drive a true
risk-based approach.
 Work with your internal stakeholders to ensure that the
approach is acceptable and defendable.
 Follow Life Sciences industry trends with
regard to utilizing new technologies in regulated
environments. Monitor agency activities, statements, and
regulatory actions in order to understand their interpretation
and expectations.

Conclusion
 Taking a fresh look at a risk-based approach to CSV would be
very useful in dealing with today’s dynamics due to new
technologies, software and service delivery models, and
frequent organizational changes.

THANK YOU!
www.igate.com
For additional information or questions, please contact us by email
arik.gorban@igate.com

IT Compliance in 2015 - Beyond the “v” model

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie IT Compliance in 2015 - Beyond the “v” model

Ähnlich wie IT Compliance in 2015 - Beyond the “v” model (20)

Mehr von IGATE Corporation

Mehr von IGATE Corporation (7)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

IT Compliance in 2015 - Beyond the “v” model