It’s that time of year when we start to make resolutions and think about better ways to conduct our business with respect to validation. Now is a great time to start rethinking your validation strategy based on the pending guidance from the FDA regarding software assurance. You may have heard software assurance discussed by consultants and the FDA. The Covid pandemic has delayed the release of strategic guidance for software assurance, but it is coming.
Cloud technology, mobility, and artificial intelligence are real game changers when it comes to the strategy for computer systems validation. Couple that with the fact that most computer systems, whether they are in the cloud or on premises, use an agile development strategy rather than the waterfall strategy that has traditionally been the hallmark of many validation projects. So what should you be doing with respect to your new validation strategy?
With the new software assurance guidance, the key focus is on critical thinking versus building documentation that provides no value. We call this Lean Validation. The principles of Lean Validation focus on streamlining and optimizing the validation process, producing only those documents that provide value and only conducting those activities that are most important while also adding value to the overall validation process. As the new year begins, you should think about adopting the Lean Validation strategy as it directly complements the FDA’s new software assurance methodology.
For computer systems validation projects, there should be five key areas for your 2022 strategy that include:
- Agile development and validation.
- Software assurance.
- Provisioning and deployment.
Let’s take a look at governance and what we should be doing differently from previous validation exercises. Many validation engineers don’t really focus on validation strategy and metrics. For 2022, your new validation strategy should include key metrics for validation that help you understand where you’ve been and where you’re going. Metrics should include:
- Average test execution time.
- Average number of deviations per project.
- Average number of deviations per test script.
- Total number of incidents per release.
- Document cycle time per month, per project, per year.
- Average number of test failures.
- Average number of test script passes.
- Total risk exposure.
These are just some of the critical validation metrics that should be tracked.
Another area that is not being given much attention is cybersecurity qualification. This type of qualification was coined by OnShore Technology Group. As we look at functional testing, unit testing, security testing, user acceptance testing and all other kinds of testing, it occurred to me that one of the things that we are not looking at that affects literally every single validated system is cybersecurity. Cybersecurity qualification is a readiness assessment. One cannot protect oneself from every single cyber event since cyber activity is random and variable. However, what you can do is assess your readiness to protect, respond, recover, defend and identify cybersecurity events in accordance with the NIST Cybersecurity Framework Guidance. For 2022, it is recommended that you conduct a cybersecurity assessment to determine how vulnerable your validated systems are and take proactive measures and strategies to mitigate the risk for your organization. Every company’s risk profile is different. Therefore, you will have to have strategies to address this. A CyQ is an essential assessment to add to your 2022 validation strategy.
Of course, no governance strategy would be complete without adequate SOPs and policies. The SOPs and policies that I find many customers don’t have are a cybersecurity policy for validated systems and a cloud computing SOP for validated computer systems. Your cloud computing SOP should provide governance for how you acquire, manage, commission and decommission cloud technologies. If you are using cloud applications such as Microsoft Dynamics 365® or Oracle Fusion Cloud®, you should have a cloud computing SOP that provides governance over the use of such technologies. This is often overlooked by many validation engineers but is a critical strategy and policy for each company to have. With respect to cybersecurity, it is strongly recommended that you develop a cybersecurity policy that follows the NIST framework, allowing you to detect, identify, respond and recover from cybersecurity events. You need to have governance over these policies because they directly impact validated computer systems.
From the requirements perspective, you need to be able to define user, functional, design, and security requirements for all validated computer systems.
With respect to Agile Development, it is important for validation teams to understand that most software applications developed today do not follow a waterfall methodology; thus, you may not have all of your requirements upfront. Requirements may be developed over time in accordance with the agile development strategy. You must be able to adapt to an Agile Validation Methodology in parallel with the Agile Development Methodology.
Your software assurance strategy thus should focus on critical thinking. When the FDA developed a strategy, it was their understanding that many companies were producing documents for the sake of documents, or because they always did it that way, rather than critically thinking about each application, what is important in that application, and what should be documented versus what is not important to document. The software assurance process includes a risk assessment. What should you be thinking about in terms of critical thinking? You should be thinking about how this application impacts critical quality attributes. You should be thinking about how this application may impact your marketed product. You should be thinking about the risks associated with a particular application. You should be thinking about how to test the application to confirm software assurance or that a system meets its intended use. There are many things that critical thinking should focus on. However, critical thinking should drive the level of formal testing and the level of rigorous testing you do concerning your validation projects.
Your new 2022 strategy should include ad hoc testing in addition to formal testing for both performance and functional testing. In 2020, prior to the pandemic, many organizations that were adopting cloud technologies viewed software automation as a luxury and not a necessity. Many organizations thought so because they could collect wet signatures in the office, and it was relatively easy, when we were all in the same office, to route documents around for review and approval. When the pandemic hit and many validation teams dispersed to their home offices, it became clear that the old way of doing things just would not adequately serve validation projects. Thus we found that many companies started to look at validation automation as a necessity and not a luxury. In 2022, you should strongly look at enterprise validation management systems as a way to drive greater efficiency, compliance and software assurance for your validation projects. These technologies provide a well-rounded approach to validation, helping you to manage all of your validation assets and provide a single source of truth for validation. ValidationMaster™ is one of the leading global applications to provide such a system. You should really look at how technology can help drive greater efficiencies in 2022.
In the old days we used to talk about installation qualification as one of the critical tests for validation. In the deployment of cloud and mobile technologies, we actually provision those technologies and, in many cases, do not directly install software in a particular systems environment. In 2022, we need to change the terminology we are using for validation to more accurately fit what we are doing. Instead of calling it installation qualification, we call it system provisioning qualification and deployment. In 2022, you need to look at hardening your systems environment in the cloud or on your mobile devices for validation, and you also need to look at the security within those environments, paying special attention to cybersecurity threats. You need to ensure for validated systems that data integrity is sound and that you are able to effectively manage your cloud-based data over time. Audit trails are critically important, as is maintaining those audit trails over time.
In a cloud environment you also need to look at the cadence strategy of each software developer. How are software companies managing their cadence releases in the cloud and how are they ensuring that you maintain the validated state? These are all critical considerations for 2022.
Artificial intelligence is a major game changer for validation. Using artificial intelligence will help you to develop test scripts that are not only fully automated but are also self-healing. These test scripts can help you lower your test debt, a metaphor for the buildup of testing requirements as a result of past projects, cadence releases, or sprints. It is a representation of the level of effort needed to identify and remediate software issues/defects that may remain in the code when software applications are released. Solving this dilemma is the key to your successful validation strategy in 2022, saving you both time and money. Artificial intelligence is a technology whose time has come.
In summary, it’s a brave new world! Just as technology is evolving at the speed of thought, validation strategies should change accordingly. How effectively we manage this strategy going forward will determine our ultimate success or failure in terms of optimizing and streamlining the validation process. This enables companies to adopt cloud and mobile technologies faster but in a more compliant manner. Forward-thinking companies are using automated technology, including artificial intelligence, to effectively manage validation testing processes, conduct ad hoc testing, and move validation from a necessary evil to a legal best practice. How is your strategy coming for 2022? Are you ready?