Approaches for Auditing Software Vendors


Approaches for Auditing Software Vendors. Chris Wubbolt, QACV Consulting, LLC. IVT Validation Week, October 20, 2016. 10/20/2016 www.qacvconsulting.com

Objectives
- Understanding the impact of vendor processes on validation
- Review of Agile SDLC processes
- New approaches to auditing software vendors
- Understanding how SDLC and test tools are used by vendors
- How SaaS vendors impact your company's validation approaches and data integrity controls

Impact of Vendor Practices on Validation: Internal Validation vs. SaaS-based
Internal validation, sponsor deliverables: Validation Plan, User Requirements, Functional Specifications, Configuration Specification, Installation Qualification, System Testing, User Acceptance Testing, Traceability Matrix, Validation Summary Report, Standard Operating Procedures.
Vendor supplies: Software, SDLC Deliverables.

SaaS-based vs. Internal Validation
SaaS validation, sponsor deliverables: Validation Plan, User Requirements, User Acceptance Testing, Traceability Matrix, Validation Summary Report, Standard Operating Procedures, Quality Agreement.
Vendor supplies: Software, plus SDLC Deliverables: Functional Specifications, Configuration Specification, Installation Qualification, System Testing, Traceability Matrix, SOPs, Release Management.
Compared with internal validation, the functional specification, configuration specification, installation qualification and system testing move from the sponsor's deliverables to the vendor's SDLC deliverables, and a Quality Agreement is added on the sponsor side.

Software Vendor Truisms
- Software vendors develop and maintain software.
- All software vendors are software developers.
- Quality software development is essential to the validation of a system.
- 21 CFR Part 11.10(a): "Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."

Software Quality Truisms
- Quality cannot be tested into a system.
- Quality must be designed into a system.

Software Development: Software Development Life Cycle (SDLC)
"The set of activities that constitute the processes that are mandatory for the development and maintenance of software. The management and support processes that continue throughout the entire life cycle, as well as all aspects of the software life cycle from concept exploration through retirement, are covered. Utilization of the processes and their component activities maximizes the benefits to the user when the use of this standard is initiated early in the software life cycle." (1)
(1) IEEE Standard for Developing Software Life Cycle Processes, 1992

SDLC Methodologies
- Waterfall
- Prototyping
- Incremental Development
- Spiral
- Rapid Application Development
- Agile
- Code and Fix ("Cowboy Coding")

Elements of an SDLC
- Requirements
- Design
- Testing (unit, module, system, etc.)
- SQA Testing
- Bug Fixes
- Configuration Management
- Release Management
- Maintenance (Customer Support)

Vendor Quality System Elements
- Quality Manual
- Document Management
- Training Program
- Quality Assurance
- Supplier Management
- CAPAs / Investigations
- SDLC Procedures
- Customer Support

Waterfall Methodology (sequential phases)
Requirements Analysis -> Design -> Implementation -> Verification / Testing -> Operation / Maintenance

SDLC: Agile Methodology (two diagram slides; the figures are not in the transcription)

SDLC: Agile Methodology
- Focus on short iterations of development
- Delivery of a minimum viable product within short periods of time (2-3 weeks)
- Collaboration between end user and development team
- Continuous end user involvement is critical

Agile - Scrum
- An iterative and incremental agile development framework.
- A flexible, holistic strategy where a development team works as a unit to reach a common goal.
- Enables teams to self-organize by encouraging physical co-location or close online collaboration and daily face-to-face communication among all team members and disciplines in the project.

Agile - Scrum
- A key recognition is that, during a project, end users can change their minds about the system requirements.
- Scrum adopts an approach to deliver quickly and respond to emerging requirements.

Software Vendor Truisms
- All software vendors are software developers.
- The software development life cycle methodology is arguably the most important process for a software vendor.
Agile SDLC flow: Requirements Backlog -> User Stories -> Design/Development (Design Documents, Code Reviews, Unit Testing) -> SQA Testing -> Release Management

Why is this important? (Requirements Backlog -> User Stories -> Design/Development with Design Documents, Code Reviews, Unit Testing -> SQA Testing -> Release Management)
1. The vendor's SDLC determines the quality of the software.
2. For SaaS vendors, the SDLC documentation may also be used as validation deliverables.
3. The SDLC documentation is likely to be maintained within vendor SDLC tools.

Use of SDLC and Test Tools
- Requirements Backlog / User Stories: creation and management of requirements and user stories
- Design/Development: documentation of unit testing, code reviews and design documentation
- SQA Testing: SQA test documentation, often used as validation tests
- Release Management: configuration / source code management
- Management of bugs and customer support tickets

SDLC/Vendor Tools
- Requirements Management
- Source Code Management
- Configuration Management
- Code Review and Unit Testing
- Testing, including automated testing
- Issue Management
- Customer Support
- Document Management

SDLC/Vendor Tools - Examples
- Team Foundation Server (TFS)
- HP Quality Center
- HP LoadRunner
- Atlassian (Jira)
- Subversion
- Test Stuff
- TestTrack
- CoSign
- SharePoint
- Wiki Pages
- Salesforce.com

SDLC Tools: Team Foundation Server (TFS)
- Requirements Management (Use Cases, User Stories)
- Design
- Code Review
- Unit Testing
- Traceability
- Testing
- Approvals
- Release Management

SDLC Tools: Questions to ask
- What do the tools do?
- Do the tools impact software quality?
- Do the vendor's procedures reflect the use of these tools?
- Are the tools controlled, qualified, or validated?
- How are the records maintained by the tools managed and controlled?
- How are records approved?

SDLC Tools: What can go wrong?
- Issue Management: a vendor used a cloud-hosted version of Jira for issue management and change control. The license was not renewed and all records were lost.
- Electronic Approval: a vendor used a local implementation of CoSign for approval of records. When the license expired, the electronic signatures applied previously could no longer be verified.

SDLC Tools: What can go wrong?
- Document Management: a vendor used a SharePoint workflow for approval of quality documents. The SharePoint configuration was set up to delete workflows after 90 days, so all workflows (and therefore the document approvals they recorded) were deleted for all quality documents.
- Testing: Test Stuff testing records could not be located for SQA testing.

SDLC Tools: What can go wrong?
- Automated Testing: automated test tools reported failing tests as passed. The test tools had not been qualified.
- Tool Upgrades / Replacements: inability to migrate records from legacy tools.
- Records: unable to present records of SDLC activities, including test results.
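The automated-testing failure on this slide, a tool reporting failing tests as passed, is exactly what a negative control catches: seed the SQA run with a test case that must fail, and treat the run as unqualified evidence if the tool shows it green. The script below is an added example, not code from the presentation or from any vendor's tool. It assumes the vendor's runner emits JUnit-style XML (a common interchange format) and that the SQA plan contains a deliberately failing control case named control_must_fail; both the format and the case name are assumptions, and the two result files are constructed for the example.

```python
"""Qualifying an automated test tool with a negative control.

Added example; not from the original presentation. Assumes JUnit-style XML
output and a deliberately failing control case (both assumptions).
"""
import xml.etree.ElementTree as ET

# Name of the deliberately failing control case (assumed convention).
CONTROL_CASE = "control_must_fail"

# Constructed sample: a run where the tool reports every case as passed,
# including the negative control. This is the failure mode on the slide.
SUSPECT_RESULTS = """<?xml version="1.0"?>
<testsuites>
  <testsuite name="release-4.2" tests="3" failures="0" errors="0">
    <testcase classname="audit_trail" name="records_user_and_timestamp"/>
    <testcase classname="audit_trail" name="rejects_backdated_entry"/>
    <testcase classname="qualification" name="control_must_fail"/>
  </testsuite>
</testsuites>
"""

# Constructed sample: a healthy run, where the control is reported as failed.
HEALTHY_RESULTS = """<?xml version="1.0"?>
<testsuites>
  <testsuite name="release-4.2" tests="3" failures="1" errors="0">
    <testcase classname="audit_trail" name="records_user_and_timestamp"/>
    <testcase classname="audit_trail" name="rejects_backdated_entry"/>
    <testcase classname="qualification" name="control_must_fail">
      <failure message="assert False"/>
    </testcase>
  </testsuite>
</testsuites>
"""


def parse_junit(xml_text):
    """Return {case name: 'passed'|'failed'|'error'|'skipped'} from JUnit XML."""
    root = ET.fromstring(xml_text)
    outcomes = {}
    for case in root.iter("testcase"):
        if case.find("failure") is not None:
            status = "failed"
        elif case.find("error") is not None:
            status = "error"
        elif case.find("skipped") is not None:
            status = "skipped"
        else:
            status = "passed"
        outcomes[case.get("name")] = status
    return outcomes


def evaluate_run(xml_text, control=CONTROL_CASE):
    """Decide whether a run's results are acceptable as test evidence.

    Returns (verdict, findings). The verdict is 'accept' only when the control
    case is present, is reported as failed, and every other case passed.
    """
    outcomes = parse_junit(xml_text)
    findings = []
    if control not in outcomes:
        findings.append("control case missing: tool not qualified by this run")
    elif outcomes[control] != "failed":
        findings.append("control case reported %s: tool masks failures" % outcomes[control])
    # Any non-passing result other than the control is a real finding.
    real_failures = [n for n, s in outcomes.items() if n != control and s != "passed"]
    findings.extend("case %s: %s" % (n, outcomes[n]) for n in real_failures)
    if outcomes.get(control) == "failed" and not real_failures:
        return "accept", findings
    return "reject", findings


if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_RESULTS), ("healthy", HEALTHY_RESULTS)):
        verdict, findings = evaluate_run(xml_text)
        print(label, verdict, findings)
```

The point of the control case is that "all green" is only evidence if the tool has demonstrated, in the same run, that it can report red; a run with the control missing or passing is rejected as test evidence regardless of what the other cases say.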

Computerized Systems: GxP Electronic Recordkeeping Program
- Standard Operating Procedures
- Trained Personnel (including IT)
- Qualified Infrastructure
- Validated Applications
- Data Integrity
- Data Availability
- Data Retention

The Old Days (diagram slides): software applications such as QMS and LIMS installed and run on the sponsor's own infrastructure.

The Old Days (diagram: Pharma A using Data Center Inc for hosting). You STILL NEED the GxP electronic recordkeeping controls: Qualified Infrastructure, Standard Operating Procedures, Trained Personnel (including IT), Validated Applications.

Software as a Service (diagram): the SaaS provider hosts the software applications (QMS, LIMS) in its own data center, with a fail-over site.

Software Vendor vs. Software as a Service Provider

Software vendor:
- Quality System
- SDLC Processes
- Customer Support
- Typically not directly regulated or inspected by regulatory agencies; audited by clients for adherence to standards.
- Quality of SDLC documentation, testing, etc. varies considerably for each vendor.
- The sponsor is responsible for installation, validation, and electronic recordkeeping controls at the sponsor's location.

Software as a Service provider:
- Quality System
- SDLC Processes
- Customer Support
- Validation
- Data Integrity Controls
- Hosted Environment
- The hosted environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies; audited by clients for adherence to standards (GxP, Part 11).
- Quality of SDLC documentation, testing, etc. varies considerably for each vendor.
- The SaaS provider is responsible for some aspects of installation, validation, and electronic recordkeeping controls.

SaaS Vendor Responsibilities
- Validation (with the pharma company)
- Change Control
- Incident Management
- Maintenance
- Security (physical and logical)
- Electronic recordkeeping
- Backup and Restore
- Disaster Recovery

Vendor Audit Observations - Considerations
- Specifications: not complete; not updated after changes
- Test Records: no pre-approved test plans; results not reviewed by a second person; integrity of test results; no approved summary reports
- Release Management

Vendor Audit Observations - Considerations: Test Record Integrity
- Results and signatures/initials typed into a Word document or Excel spreadsheet
- No failures documented
- Test dates and times do not correlate
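The test-record observations on the last two slides (no pre-approved test plan, no second-person review, results typed into a document without timestamps, dates that do not correlate, a run with no failures at all) can be screened mechanically once the vendor exports its SQA records from the test tool. The script below is an added example and is not code from the presentation; it assumes the export can be reduced to one record per test case with executor, execution time, result, reviewer and review time, and the records and the plan approval date are constructed for the example.

```python
"""Integrity screening of a vendor's test-execution records.

Added example; not from the original presentation. The record layout and the
sample data are assumptions constructed for the example.
"""
from datetime import datetime

# Constructed sample: approval date of the test plan for this release.
PLAN_APPROVED_AT = datetime(2016, 9, 12, 9, 0)

# Constructed sample records as a tool export would give them; None stands
# for a value that exists nowhere (results typed into a document).
RECORDS = [
    {"test_id": "TC-001", "executed_by": "jdoe", "executed_at": "2016-09-13T10:05:00",
     "result": "pass", "reviewed_by": "asmith", "reviewed_at": "2016-09-13T15:30:00"},
    # executed before the plan was approved
    {"test_id": "TC-002", "executed_by": "jdoe", "executed_at": "2016-09-10T11:00:00",
     "result": "pass", "reviewed_by": "asmith", "reviewed_at": "2016-09-13T15:31:00"},
    # reviewer is the executor
    {"test_id": "TC-003", "executed_by": "jdoe", "executed_at": "2016-09-13T10:20:00",
     "result": "pass", "reviewed_by": "jdoe", "reviewed_at": "2016-09-13T10:21:00"},
    # review dated before execution
    {"test_id": "TC-004", "executed_by": "jdoe", "executed_at": "2016-09-14T08:00:00",
     "result": "pass", "reviewed_by": "asmith", "reviewed_at": "2016-09-13T16:00:00"},
    # no execution timestamp at all
    {"test_id": "TC-005", "executed_by": "jdoe", "executed_at": None,
     "result": "pass", "reviewed_by": "asmith", "reviewed_at": "2016-09-14T09:00:00"},
]


def _parse(ts):
    """ISO-8601 string to datetime; None stays None."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S") if ts else None


def check_record(rec, plan_approved_at):
    """Return the integrity findings for one test record (empty list if clean)."""
    findings = []
    executed = _parse(rec["executed_at"])
    reviewed = _parse(rec["reviewed_at"])
    if executed is None:
        findings.append("no execution timestamp")
    elif executed < plan_approved_at:
        findings.append("executed before test plan approval")
    if rec["reviewed_by"] == rec["executed_by"]:
        findings.append("no second-person review")
    if executed and reviewed and reviewed < executed:
        findings.append("review dated before execution")
    return findings


def audit_run(records, plan_approved_at):
    """Audit a whole run.

    Returns {test_id: findings}; run-level findings are stored under '*'.
    A run in which nothing ever failed is flagged for follow-up, not as a
    defect in itself: the auditor then asks to see where failures are recorded.
    """
    report = {}
    for rec in records:
        findings = check_record(rec, plan_approved_at)
        if findings:
            report[rec["test_id"]] = findings
    if records and all(r["result"] == "pass" for r in records):
        report["*"] = ["no failures documented in entire run"]
    return report


if __name__ == "__main__":
    for test_id, findings in sorted(audit_run(RECORDS, PLAN_APPROVED_AT).items()):
        print(test_id, "; ".join(findings))
```

Only TC-001 passes every check in the sample; the run-level "no failures documented" flag fires as well, which is the prompt to ask the vendor where failed executions and their retests are recorded.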

Vendor Audit Observations - Considerations: Record Integrity
- Lack of records to demonstrate successful backup
- Failed backups
- Lack of documentation of disaster recovery testing
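The backup observations above are answerable from the provider's backup job logs, if the logs are retained: which days had no successful backup, which failures were never followed by a successful rerun, and when a restore was last actually exercised. The script below is an added example, not code from the presentation or from any backup product; the one-line-per-job log format, the job names and the 30-day restore-test interval are assumptions, and the log lines are constructed for the example. A real product's log format would need its own regular expression.

```python
"""Checks over backup job logs for the evidence an auditor asks for.

Added example; not from the original presentation. Log format, job names and
the restore-test interval are assumptions for the example.
"""
import re
from datetime import date, datetime, timedelta

# Assumed format: "<ISO timestamp> job=<name> status=<success|failed>"
LINE_RE = re.compile(r"^(\S+) job=(\S+) status=(\S+)$")

# Constructed sample log: a nightly job with one failed night that was not
# rerun, one night with no entry at all, and a restore test older than the
# assumed 30-day interval.
SAMPLE_LOG = """\
2016-10-01T02:00:11 job=lims-db-full status=success
2016-10-02T02:00:09 job=lims-db-full status=success
2016-10-03T02:00:14 job=lims-db-full status=failed
2016-10-04T02:00:12 job=lims-db-full status=success
2016-10-06T02:00:10 job=lims-db-full status=success
2016-09-01T10:00:00 job=restore-test status=success
"""


def parse_log(text):
    """Yield (datetime, job, status); an unparseable line is an error, not skipped."""
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("line %d unparseable: %r" % (n, line))
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(3)


def audit_backups(text, job, start, end, restore_job="restore-test", restore_max_age_days=30):
    """Audit one backup job over the calendar range start..end (ISO date strings).

    Returns a dict with the days lacking any successful run, the failed days
    that were never recovered by a later success, and the restore-test status
    as of the end date.
    """
    start_d, end_d = date.fromisoformat(start), date.fromisoformat(end)
    entries = list(parse_log(text))
    days_ok = {ts.date() for ts, j, s in entries if j == job and s == "success"}
    days_failed = {ts.date() for ts, j, s in entries if j == job and s != "success"}

    missing = []
    day = start_d
    while day <= end_d:
        if day not in days_ok:
            missing.append(day.isoformat())
        day += timedelta(days=1)

    # A failure on a day that later saw a success is recovered; the rest are not.
    unrecovered = sorted(d.isoformat() for d in days_failed - days_ok)

    restores = [ts for ts, j, s in entries if j == restore_job and s == "success"]
    last_restore = max(restores) if restores else None
    stale = last_restore is None or (end_d - last_restore.date()).days > restore_max_age_days
    return {
        "days_without_success": missing,
        "failed_days_not_recovered": unrecovered,
        "last_restore_test": last_restore.isoformat() if last_restore else None,
        "restore_test_stale": stale,
    }


if __name__ == "__main__":
    for key, value in audit_backups(SAMPLE_LOG, "lims-db-full", "2016-10-01", "2016-10-06").items():
        print(key, value)
```

Two details matter for audit use: an unparseable line raises rather than being skipped, because a log that silently drops lines cannot demonstrate anything; and "failed" is only cleared by a later success on the same day, so a failure with no rerun stays on the list as the slide's "failed backups" observation.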

Summary
- Reviewed the impact of vendor processes on validation
- Reviewed Agile SDLC processes
- Discussed new approaches to auditing software vendors
- Reviewed how SDLC and test tools are used by vendors
- Discussed how SaaS vendors impact your company's validation approaches and data integrity controls

Questions: Chris Wubbolt, QACV Consulting, LLC. Telephone: 610-442-2250. E-mail: chris.wubbolt@qacvconsulting.com. www.qacvconsulting.com