SharePoint Validation: Quality and Compliance Portals

I am often asked the question… “can SharePoint be validated?”  The short answer is YES but it often requires customization to achieve deliver compliance objectives.  The longer response requires further examination as to why people ask the question and the nature of SharePoint as a content management system.  With the release of Office 365® reaching over 100 million active users per month and more companies moving toward the cloud, we are witnessing the maturation of SharePoint for both regulated and non-regulated content management.

SharePoint has undergone many changes over the past decade that have increased its adoption within the life sciences industry.  New features of SharePoint from Microsoft and its robust technology partner community include, but are not limited to:

  • Synchronization with OneDrive For Business®
  • New SharePoint Communication Sites With Pre-Built Layouts
  • Integration of SharePoint and Microsoft Team
  • New Integration with DocuSign® For Electronic Signatures
  • Enhanced Integration For Graphical Workflows From Nintex®
  • SharePoint-aware PowerApps and Flow
  • Updated Page Layouts and Web Part Enhancements
  • Improved SharePoint Administration
  • Enhanced Document Version Control

Within the life sciences community, the resistance to SharePoint focused on security and the lack of “out-of-the-box” features for life sciences validation.  What are some of the key application that life sciences companies require from a regulatory SharePoint enterprise content management system?  A partial list of document and records management features such as:

  • Intelligent Document Creation Tools
  • Automated Document Change Control
  • Configurable Document Types With Pre-Assigned Document Workflows (based on the type of document, workflows are automatically launched)
  • 21 CFR PART 11 support (electronic or digital signatures, audit trails, et al)
  • Ability to print a Signature Page with Each Signed Document
  • Ability to Establish Pre-defined Automated Document Lifecycle Workflows
  • Support for and designation of Controlled and Uncontrolled Content
  • Controlled Document Management Features Should include Configurable watermarks and overlays
  • Markup tools for document review
  • Ability to classify documents for records management capabilities
  • Ability to assign/tag documents with metadata
  • Content Rendering (when documents are checked in, they are automatically rendered in PDF format for document review.)
  • Custom Document Numbering (the ability to automatically assign alphanumeric document numbers to content)
  • Enforcement of the use of Standard Document Templates Codified Within SOPs
  • Version tracking with major and minor version control, version history
  • Ability to support regulatory submissions and publishing (this is a big one)
  • System MUST BE VALIDATABLE

As you can see from the partial list above, there are many features required by regulatory companies that are not standard in SharePoint out of the box.  However, SharePoint offers rich capabilities and features that have significantly enhanced the ability to deliver such as solution with the features listed above with minimal effort.

As a former Documentum and Qumas executive, I know first hand the challenges of developing such as system from scratch as my former employers did.  However, leveraging the power of SharePoint, OnShore Technology Group’s ValidationMaster™ Quality and Risk Management portal for example, is SharePoint-based and includes all of the features listed above.  The level of effort required to deliver such as solution was substantially lower due to the SharePoint application framework and development tools.

The ability to manage regulatory submissions and publishing is one of the features for which SharePoint may be more challenged.  In the Documentum world, there was such a thing as a “Virtual Document”.  A Virtual Document was a document that contained components or child documents.  A Virtual Document may represent a section of a regulatory dossier where the header represented the section of the dossier and there may be several child documents that are individual documents in that section.  Documentum was an object-oriented system and thus allowed the ability to have a single document comprised of multiple ACTUAL documents with early and late binding ability.  Since each component of a Virtual Document is its own document that can be checked in/check out and routed individually from other components, it makes them ideal for regulatory submission management which has very specific guidelines for publishing and pagination.   I have not seen a parallel yet for this in SharePoint.

Document management systems use to cost millions of dollars for acquisition, implementation and deployment.  These systems are now somewhat “commoditized” and the price points are significantly lower.  Many life sciences companies are using SharePoint for non-regulated documentation.  However, an increasing number of them are abandoning their higher cost rivals and moving to SharePoint as the foundation for controlled and uncontrolled documentation.  SharePoint can be in a hosted Office 365 environment or established in an on-premise environment.  Check out my cloud validation posts for more information on validating SharePoint and other applications in a cloud environment.  Either way, the system can and should be validated if used for regulatory content management.

It is recommended that you establish a clear set of user requirements for SharePoint.  SharePoint has powerful capabilities much beyond those articulated in this blog post.  There are many SharePoint partners that deliver effective, ready-to-use integrations with SharePoint such as Nintex® and DocuSign®.   Use these partner solutions to help minimize the validation effort.

If you have not already done so, it is worth a second look for regulated content depending on your application.  One thing is for sure, the day of the multi-million dollar content management solution is over for most companies.

Cybersecurity Qualification (CyQ)

One topic that has been top of mine for many validation engineers, chief information officers, and executive management is that of Cybersecurity. You may be asking yourself the question why are we talking about Cybersecurity and validation? Recent headlines will inform you as to why this topic should be of great interest to every validation engineer. As validation engineers we spend a lot of time stressing about risk assessments, system security, and qualification of system environments. Our job is supposed to be to validate the system to ensure its readiness for production use. Let me ask a question… How can you ensure that a system is ready for production use if it is not cyber-ready?  This is why we are talking about Cybersecurity in the context of validated systems.

When it comes to computer systems in today’s highly networked environment, Cybersecurity is the elephant in the room. All networked systems may be vulnerable to cyber security threats. Businesses large and small may be subject to cyber-attacks and the exploitation of these vulnerabilities may present a risk to public health and safety if not properly addressed. Although we know these truths all too well, many validation engineers are not even discussing Cybersecurity as part of an overall validation strategy.

There is no company that can prevent all incidences of cyber-attacks but it is critically important that companies began to think seriously about how to protect themselves from persistent cyber criminals determined to inflict as much damage as possible on computer systems in either highly regulated or nonregulated environments. One thing we know about cyber criminals is they are equal opportunity offenders – everyone has a degree of vulnerability. To beat them at their game, you have to be one step ahead of them.

In the validation world, we often refer to validation testing as IQ/OQ/PQ testing.  I would like to submit for your review and consideration another type of enhanced validation testing that we should be doing which is Cybersecurity qualification or as I like to refer to it “CyQ”.  What is a CyQ?  It is confirmation of a system’s protection controls and readiness to prevent a cyber-attack.  In one of my recent blog posts, I declared that …”computer systems validation as we know it is dead!…” Now of course I mean that tongue in cheek!  What I was referring to is that it is time to rethink our validation strategy based on the fact that we need to address the vulnerabilities of today’s cloud-based and on-premise systems with respect to the Cybersecurity risk imposed. We can no longer look at systems the way we did in the 1980s. Many life sciences companies are deploying cloud-based technologies, mobile systems, the Internet of things (IoT) and many other advanced technologies in the pursuit of innovation that may drive greater risk profiles in validated systems.  Incorporating CyQ in your overall validation strategy is one way to address these challenges.

The national Institute of standards and technology (NIST) introduced as cyber security framework. The five elements of the framework are shown in the figure below.

NIST-cybersecurity-framework

As a validation engineer I have studied this framework for its applicability to validated systems.  Each element of the strategy addresses a dimension of your cybersecurity profile.  To conduct a CyQ assessment, you need to examine each element of the cybersecurity framework to determine your readiness in each respective category.  I have developed a CyQ Excel Spreadsheet which examines each element of the framework and allows you to summarize your readiness to prevent a cyber-attack. (if you would like a copy of the CyQ Excel Spreadsheet, please contact me using the contact form and I will happily send it to you).

 

Remember, for validated systems, if it is not documented, it did not happen! Cybersecurity Qualification analysis must be documented.  You must be ready to explain to regulators when it comes to data integrity and systems integrity, what controls you have in place to protect both the data and the systems under your management.

Another consideration in the management of cyber threats is EDUCATION.  The biggest cyber breach may come from the person in the cubicle next to you! You must educate (and document) cyber training and do it on a frequent basis to keep pace.

For your next validation project, address the elephant in the room explicitly.   Cyber threats are not diminishing, they are increasing.  It is important to understand their origin and seriously consider how they can and will impact validated systems.  We can no longer think that IQ/OQ/PQ is sufficient.  While it has served its purpose in times past, we need a more effective strategy to address today’s clear and present danger to validated systems – the next cyber-attack.  It could be YOUR SYSTEM.  Deal with it!

Validation Testing: Understanding The Why and How

For today’s on-premise and cloud-based systems, validation testing is a required process to ensure that systems are of sufficient quality and operate according to their intended use.  Validation testing is typically done at the end of the development process after all verification has been completed.  IEEE defines validation as the process of evaluating software to determine whether it satisfies the specific defined requirements.  Therefore validation testing must be traced to pre-defined requirements.

The goals of validation are pretty clear:

  • Discover errors/anomalies in software prior to production
  • Confirm that system meet their intended use
  • Confirm that regulatory requirements in the software are met
  • Provide due diligence (documented evidence) for regulators
  • Deliver justification for use of a system

I have had the priviledge of working with many life sciences companies over the years and I have seen it all – from ad hoc testing processes to those that are well-defined and mature in their optimization and effectiveness.  Most testing processes are at level one where the processes are chaotic and not well-defined.

testing cmmi

Automated validation testing processes are essential in today’s life sciences companies where we all are being asked to do more with less.  It is essential that we establish automated processes to accelerate productivity, eliminate waste and ensure greater to ensure software quality.

The less time spent on the mechanics of test script development, the more time can be dedicated to ensuring software quality.

The software testing capability maturity model should be on your radar.  Establishing automated testing should be a goal for every validation engineer.  It is important to understand how to achieve Level 5 and what it takes from a process perspective to achieve greater testing governance and sustained compliance.

ESTABLISHING A REUSABLE TEST SCRIPT LIBRARY

When conducting validation, the most laborious part of the process is testing.  Validating today’s COTS software applications involves testing the same “out-of-the-box” features over and over again.  Many validation engineers continue to draft test scripts again and again to support this process.  What if you could establish a “reusable test script library” for your validation projects that would allow you to conduct regression testing quickly and easily without major rewrite for your applications?  What if you could centrally store this repository for all of your applications so you had a single source of truth for all of your validation projects?  What if you could ensure that your validation test library was “auditable” and could be shared with regulators during audits as part of your objective evidence requirements?  What if each test script had its own audit trail and was traced to its respective requirements for automatic traceability?

The ability to effective establish and manage a reusable test script library and a single source of truth for all of your validation projects is made possible with the ValidationMaster™ Enterprise Validation Management system.

The system allows you to create, track and manage a reusable test script library quickly and easily.  All of your validation assets are in a single location for reference and reuse.  Intelligence can be quickly gleaned from the system to drive continuous improvement and compliance.  For fully automated scripts that require no human intervention to run, the system has the ability to automate test script execution and reporting of actual results.  This helps to facilitate continuous testing in the cloud and ensure that your systems are maintained in a validated state.

Validation testing is here to stay.  AUTOMATION IS THE KEY!  It is a necessity not a luxury to automate your validation processes.  Join us for one of our Automated Testing  online web briefings to learn more.

How Vulnerable Is Your Validated System Environment?

If you are a validation engineer reading this post, I have a simple question to ask you.. “How vulnerable is your validated systems environment?”  Has anyone ever asked you this question?  How often do you think about the impact of a cyber threat against your validated computer system?  I know… you may be thinking that this is the IT departments responsibility and you don’t have to worry about it.  THINK AGAIN!

If you have picked up in a newspaper lately you will see cyber threats coming from all directions. The White House has been hacked, all companies big and small have been hacked into and from the hacker’s perspective there seems to be no distinction between small medium or large enterprises. In summary, everyone is vulnerable.  The definition of cyber security is the possibility of a malicious attempt to damage or disrupt a computer network or system.

Network applications continue to create new business opportunities and power the enterprise. A recent report suggested that the impact and scale of cyber-attacks is increasing dramatically. The recent leak of government developed malware has given cyber criminals greater capabilities than they had before. IT is struggling to keep pace with the flow of important software security patches and updates and the continuous adoption of new technologies like the Internet of things (IOT) that are creating new vulnerabilities to contend with.

A recent study in 2017 by CSO highlighted the fact that 61% of corporate boards still seasick security as an IT issue rather than a corporate governance issue. This is only one part of the problem. It is not even on the radar of most validation engineers.  You cannot begin to confirm that a system meets its intended use without dealing with the concept of cyber security and its impact on validated systems.

Validated computer systems house GMP and quality information as well as the data required by regulators thus particular scrutiny must be paid to these systems.  Compromise of a validated system may lead to adulterated product and issues which may affect the products quality efficacy and other critical quality attributes of marketed product. Therefore, attention must be paid to validated systems with respect to their unique vulnerability.

As part of the validation lifecycle process we conduct IQ, OQ, and PQ testing as well as user acceptance testing to confirm a system’s readiness for intended use.  I am suggesting that another type of testing be added to the domain of validation testing which is called cyber security qualification or CyQ.

Cyber security qualification is confirmation of a system’s readiness to protect against a cyber attack.

cyq2

You should incorporate CyQ in your validation testing strategy.  It is imperative that your validated systems are protected against a cyber event.  You must document this as well to prove that you have conducted your due diligence.  Given all of the attention to cyber events in the news, you need a strategy to ensure sustained security and compliance.  Are you protecting your validated systems?  If not, you should.