Over the past 10 years, the software industry has experienced radical changes. Enterprise applications deployed in the cloud, the Internet of Things (IoT), mobile applications, robotics, artificial intelligence, X-as-a-Service, agile development, cybersecurity challenges and other technology trends force us to rethink strategies for ensuring software quality. For over 40 years, validation practices have not changed very much. Surprisingly, many companies still conduct computer systems validation using paper-based processes. However, the trends outlined above challenge some of the current assumptions about validation. I sometimes hear people say “… since I am in the cloud, I don’t have to conduct an IQ…” or they will say, “… well my cloud provider is handling that…”
Issues related to responsibility and testing are changing based on deployment models and development lifecycles. Validation is designed to confirm that a system meets its intended use. However, how can we certify that a system meets its intended use if it is left vulnerable to cyber threats? How can we maintain the validated state over time in production if the cloud environment is constantly changing the validated state? How can we adequately test computer systems if users can download an “app” from the App Store to integrate with a validated system? How can we ensure that we are following proper controls for 21 CFR Part 11 if our cloud vendor is not adhering to CSA cloud controls? How can we test IoT devices connected to validated systems to ensure that they work safely and in accordance with regulatory standards?
You will not find the answers to any of these questions in any regulatory guidance documents. Technology is moving at the speed of thought yet our validation processes are struggling to keep up.
These questions have led me to conclude that validation as we know it is DEAD. The challenges imposed by the latest technological advances in agile software development, enterprise cloud applications, IoT, mobility, data integrity, privacy and cybersecurity are forcing validation engineers to rethink current processes.
Gartner group recently announced that firms using IoT grew from 29% in 2015 to 43 % in 2016. They project that by the year 2020, over 26 billion devices will be IoT-devices. it should be noted that Microsoft’s Azure platform includes a suite of applications for remote monitoring, predictive maintenance and connected factory monitoring for industrial devices. Current guidance has not kept pace with ever-changing technology yet the need for quality in software applications remains a consistent imperative.
So how should validation engineers change processes to address these challenges?
First, consider how your systems are developed and deployed. The V-model assumes a waterfall approach yet most software today is developed using Agile methodologies. It is important to take this into consideration in your methodologies.
Secondly, I strongly recommend adding two SOPs to your quality procedures – a Cybersecurity SOP for validated computer systems and a Cloud SOP for validated systems. You will need these two procedures to provide governance for your cloud processes. (If you do not have a cloud or cybersecurity SOP please contact me and I will send you both SOPs.)
Third, I believe you should incorporate cybersecurity qualification (CyQ) into your testing strategy. In addition to IQ/OQ/PQ, you should be conducting a CyQ readiness assessment for all validated systems. A CyQ is an assessment to confirm and document your readiness to protect validated systems against a cyber attack. It also includes testing to validate current protections for your validated systems. It is important to note that regulators will judge you on your PROACTIVE approach to compliance. This is an important step in that direction.
Forth, you should adopt lean validation methodologies. Lean validation practices are designed to eliminate waste and inefficiency throughout the validation process while ensuring sustained compliance.
Finally, the time has come for automation. To keep pace with the changes in current technology as discussed above, you MUST include automation for requirements management, validation testing, incident management and validation quality assurance (CAPA, NC, audit management, training, et al). I recommend consideration of an Enterprise Validation Management system such as ValidationMaster™ to support the full lifecycle of computer systems validation. ValidationMaster™ allows you to build a re-usable test script library and represents a “SINGLE SOURCE OF TRUTH” for all of your validation projects. Automation of the validation process is no longer a luxury but a necessity.
Advanced technology is moving fast. The time is now to rethink your validation strategies for the 21st century. Validation as we know it is dead. Lean, agile validation processes are demanded to keep pace with rapidly changing technology. As you embrace the latest cloud, mobile and IoT technologies, you will quickly find that the old ways of validation are no longer sufficient. Cyber criminals are not going away but you need to be ready. Step into LEAN and embrace the future!