NNIT WHITEPAPER

NNIT Whitepaper

Adapt to the Changing

Validation Landscape in a
Cloud Environment
NNIT WHITEPAPER
 NNIT WHITEPAPER

Adapt to the Changing Validation Landscape

in a Cloud Environment
The life sciences technology landscape is currently going through
a dramatic shift with the introduction of cloud-based technology
offerings and the digital revolution, such as the introduction of Artificial
Intelligence, Robotic Process Automation, and Augmented Reality.

Meanwhile, Computer Systems Validation (CSV) is increasingly being

perceived as a “bottleneck” rather than an “enabler”, as CSV as a service
is not always able to keep up with the technological transformation. Most
organizations have a process-heavy CSV framework that significantly
undermines the efficiency and customer experience that could otherwise
be achieved by leveraging recent technological advancements.

At NNIT, we believe that it is indeed possible to improve end-user

experience and remain compliant by adopting a risk-based, leaner CSV
framework.

NNIT recently conducted a survey on computer system validation trends

with 43 Life Sciences companies. Our goal was to understand the current
market trends and challenges better. The following are some of the key
takeaways from the survey.

A move away from paper-based processes

Nearly 70% of the participants have fully digitized their CSV process, while
only 9% still rely heavily on paper-based processes.

The remaining 21% of organizations used a hybrid of paper and electronic

documentation and expressed a strong desire to go entirely paperless
within the next two years.
 NNIT WHITEPAPER

Cloud footprint is rapidly expanding

The participants’ Cloud portfolio of GxP systems is rapidly growing, as 60% of the
organizations currently have at least half of their GxP systems in the cloud, with
ambitions to transition even more systems to the cloud within the next couple of years.
The advancement of big data and analytics, especially in the R&D area has created an
immediate business case for increasing storage and processing powers, which is almost
impossible to achieve using in-house or on-premises options.

The agility of the cloud is often measured against the overburdening of

compliance processes
All cloud-based technologies now offer scalability and economies of scale in a matter of
seconds and also provide a transparent cost model using a “pay-per-use” policy.

CSV, on the other hand, is predominantly time-and-material based.

Therefore, business stakeholders and Senior IT executives often do not appreciate the
inherent value of CSV as a function as the output is highly subjective and not KPI or
output-driven.

Time to market and Customer Experience

The two top goals that any business leader has today are:

How can they deliver a better customer/end-user experience (both internally and
externally) and how fast can they bring a product to market ahead of their competitors?

CSV can play an integral part in making IT as a business enabler by adopting leaner
approaches that foster innovation and agility.

How do we solve this puzzle?

We applied the Pareto Principle to solve this problem. We see that almost 80% of the
validation challenges arise from 20% of the causes. We noticed that the following
aspects usually result in significant validation effort:

• Process inefficiencies
• Poor change management processes
• Unstructured configuration management
• Lack of preparedness for the unknowns (Business Continuity, Disaster Recovery,
Information Security).

We then looked at easy-win areas – aspects that could have a significant impact with
minimal to moderate investment and change management.
 NNIT WHITEPAPER

Eradicating Process Inefficiencies

1. Introduction of Tools
Start with a proof-of-concept to first streamline the “to-be” process. This approach tends to
be a cheaper, less time-consuming alternative, and at the same time helps the leadership
realize the real benefit of automation. This proof-of-concept also facilitates further process
streamlining in many cases.

2. Using robots instead of manual tasks

Explore the feasibility of implementing Robotic Process Automation (RPA) and SmartQA.
Identify systems that require extensive testing efforts for revalidation, identify workflows
within those systems that are more effort-intensive in nature and use them as first targets.

3. Leverage Supplier Documentation

Create a robust supplier assessment and procurement framework that identifies and
eliminates process gaps upfront and minimizes redundant change requests and duplicative
deliverables, and hence the cost and time of validation.

4. Lean Principles
Implement Kaizen boards, Lean principles; lessons learned sessions at the end of each
project to iteratively improve your CSV process. Based on the maturity-level, even consider
adopting a KPI-driven delivery or a Managed Services approach.

Well-managed changes can become a crucial business-driver

1. Understand the change process and frequency

While procuring a new vendor, formally document the expected frequency of changes and the
process around it; learn about the vendor’s upgrade strategies, communication protocols, and
expectations. This will aid budgeting, staffing, and result in better preparedness on both sides.

2. Reusable qualification protocols

Explore ways in which you can create reusable automation scripts that could be quickly
executed to revalidate the system after a significant enhancement/upgrade. This could
significantly reduce the revalidation cycle time.

3. Better CMDB
A comprehensive CMDB with closely-coupled upstream and downstream linkages can help
understand the impact of a change and associated testing efforts and enable quick decision
making at Change Advisory Board (CAB) meetings.

4. Vendor’s AM/CSM function

Collaborate with your vendor’s Account Manager/Customer Success Manager function to
better understand the product roadmap and impact of an upcoming change.

5. Plan alternatives
Understanding your vendor’s processes upfront will enable you to prepare for additional
documentation/deliverables not produced by the vendor.
 NNIT WHITEPAPER

Configuration Management
In today’s world, most software and infrastructure platforms are highly configurable, giving
more power to the end user. This scalability also gives birth to a significant validation
challenge, as establishing appropriate change management and an audit trail are essential
to maintaining the validated state of a system in production.
Configuration management in a cloud-based offering isn’t as transparent as their
on-premises counterparts. Each vendor will protect a certain level of intellectual property
for their interest, and hence the clients will only get access to a high-level overview of the
system configuration. It is essential to understand the format and structure of the base
configuration as well as fully comprehend how changes are applied and tracked while the
system is in production.

Business Continuity/Disaster Recovery/Information Security

Almost 70% of our survey respondents mentioned that Business Continuity and Disaster
Recovery are areas that are often ignored, with the perception that this is the cloud
vendor’s responsibility. This was evident as most of them do not have a process to conduct
end-to-end disaster recovery testing in collaboration with their cloud vendors.

Information security and data privacy create another bucket of unknowns that organi-
zations are not prepared for and, therefore, they do not address them as part of their
validation efforts.

All cloud-based software validation process should include:

1. Information Risk Assessment

This should be part of every release so that data privacy and information security experts
perform expert vetting. The GDPR and other similar laws pose significant penalties to the
data owning organizations; therefore, data privacy and information security should be
given utmost importance on an ongoing basis.

2. Disaster Recovery Testing

Conduct end-to-end disaster recovery involving your cloud vendor, based on the criticality
of the system/business process. This includes following the communication protocols/
SOPs that define the communication channels with the vendor.

3. Audit the Cloud Vendor

Have a strategy to audit your cloud vendors periodically to ensure that their policies and
procedures align with your organizations’ policies.

4. Vulnerability Testing
Incorporate vulnerability and penetration testing as part of your ongoing validation and
operation process. New vulnerabilities are reported almost daily, so there must be an
operational SOP defining this process for a system in production.
 NNIT WHITEPAPER

Summary
Technologies will continue to evolve, and so the risk factors that are prevalent today may
not stay relevant tomorrow. Therefore, every organization should invest in keeping the
CSV function and personnel up-to-date with new technologies and evolving business
models.

An agile CSV function, when built upon solid technology foundations and supported by
ongoing training and knowledge management, can deliver a sustainable compliant state
for an organization.

 NNIT WHITEPAPER

About NNIT

NNIT A/S is one of Denmark’s leading IT service providers and

consultancies. NNIT A/S offers a wide range of IT services and
solutions to its customers, primarily in the life sciences sector
in Denmark and internationally and to customers in the public,
healthcare, enterprise and finance sectors in Denmark.

www.nnit.com

NNIT A/S Østmarken 3A DK-2860 Søborg Tel: +45 7024 4242

NNIT Switzerland Bändliweg 20 CH-8048 Zurich Tel: +41 44 405 9090
NNIT Germany c/o Regus Herriotstrasse 1 DE-60528 Frankfurt am Main Tel: +49 69 66 36 98 73
NNIT Czech Republic Explora Jupiter Bucharova 2641/14 2.NP CZ-158 00 Prague 5 Tel: +420277020401
NNIT USA 4 Research Way Third Floor Princeton New Jersey 08540 Tel: +1 (609) 945 5650
NNIT China 20th floor, Building A, Jin Wan Mansion, 358 Nanjing Rd. CN-Tianjin 300100 Tel: +86 (22) 5885 6666
NNIT Philippines Inc. 10/F, 2251 IT Hub 2251 Chino Roces Avenue Makati City 1233​ Tel: +63 2 889 0999
NNIT United Kingdom c/o MoFo Notices Limited CityPoint One Ropemaker Street London