On Tuesday the 28th of June Odyssey VC hosted the second part of our 4-part 2022 webinar series “Possibilities and Practicalities of Cloud Adoption in Life Sciences”.
In Part 2, titled “The importance of QMS & ISMS in governing and controlling regulatory compliance of cloud technology”, we explored how robust QMS & ISMS systems can best be utilised to provide evidence of good governance practices for cloud technology development and deployment frameworks. Across two presentations and a panel discussion, we investigated how the implementation of such quality and security systems can potentially change some traditional ways of demonstrating compliance.
The webinar featured presentations from Head of Business Solutions and Co-founder Fionnán Friel and Head of Technology Mark Healy as well as contributions from Odyssey VC CEO & Co-founder Oisín Curran and Associate QA and Regulatory Compliance Specialist Amrutha Prakash, hosted and facilitated by Product Manager Pauline O’ Riordan.
Many fresh insights were shared during the session. Whether you were in attendance or not (you can receive videos of the entire event as well as news about Part 3 and the rest of the series by registering here), here are four key takeaways from the webinar.
Quality Agreements are the main tool to establish a working relationship between cloud providers and regulated companies.
Odyssey VC Head of Business Solutions & Co-founder Fionnán Friel delivered the first presentation of the webinar. Titled “Compliance in Cloud Technology – MS (Management Systems) processes & agreements”, Fionnán’s presentation focused on QMS processes and agreements that facilitate the ongoing compliance of cloud technology.
In his presentation Fionnán covered Quality Agreements. Quality Agreements allow both parties – the cloud provider and the regulated company – to “acknowledge and accept their responsibilities in order to accomplish quality objectives which can be measured via agreed-upon quality metrics and KPIs”, according to Fionnán.
“You can also include commitments to improve processes as you move forward in the relationship, to allow for even greater trust and even greater confidence and maybe even outsource further aspects of your quality obligations to your supplier – if you find that right supplier,” he went on. “From your supplier assessment, you should know how much you can trust your supplier and how much you can outsource to that supplier”.
Both parties are responsible – in different ways.
But who is responsible for what when a Quality Agreement is involved? Fionnán broke it down: the cloud provider is responsible for delivering a quality solution following industry and good engineering best practices “to make sure they’re delivering the right system that falls in line with the quality agreement as agreed between them”.
Meanwhile, GxP requirements accountability resides with the regulated company. “This will never change,” Fionnán said, “for good reason – companies need to recognize and acknowledge this. You can outsource jobs, but the ultimate responsibility can never be outsourced.”
Compliant DevOps is the future of DevOps, specifically designed for Life Sciences
Head of Technology Mark Healy appeared in his first Odyssey VC webinar to cover the software development lifecycle, ISMS, best practices for compliant infrastructure, and the introduction of Compliant DevOps as a method to satisfy new CSA guidelines and as part of your ISMS/QMS.
In his presentation “Delivering continuously compliant SaaS solutions for Life Science”, DevOps was described simply as “automating everything that happens after someone writes some code” or, as Mark himself put it, “engineering yourself out of a job”.
“If you see something you do on a repeated basis, find a way to automate it and don’t do it again,” he said in summary.
Compliant DevOps is an extension of DevOps, specifically designed for Life Sciences. Mark acknowledged that “a common problem in IT over the years has been the misalignment of teams,” pointing to Compliant DevOps as a way of eliminating these issues: “Anyone, technical or non-technical, can look at those BDD (Behaviour-Driven Development) stories and understand exactly what tests are going to be run and what the expected outcomes are going to be,” he said.
At Odyssey VC we offer solutions for Compliant DevOps, using a framework designed to adapt the DevOps model to fully incorporate GxP regulatory requirements. Our framework ensures the infrastructure requirements are fulfilled as intended and the infrastructure functions as expected, and it supports the maintenance of the validated state of validated applications. Let Odyssey VC support you in the continuous and compliant delivery of high-quality software releases; click here to learn more about our Compliant DevOps solution.
DevOps and GxP can actually work together
In Mark’s presentation, he emphasized that DevOps and GxP can seem mutually exclusive. DevOps supports a “fail fast” approach with short, iterative cycles and limited documentation, while GxP focuses on defined outputs and controlled change.
However, by combining them in the right way, we could actually get the best of both worlds, Mark said. “We can implement change very safely, control it very well, and do it very quickly” with a “much smaller scope for any nonconformances”. “Our evidence collection goes from being a point-in-time completion of a document to continuous system-driven data collection,” he went on, “which allows us to scale much quicker, identify issues much earlier, and really just take all the benefits that initiatives like DevOps have brought to IT in the last 20 years”.
Part 2 of Possibilities and Practicalities of Cloud Adoption in Life Sciences took place on the 28th of June 2022. Part 3 will be announced soon. To watch the webinar and to receive exclusive news about Part 3, click here to register to our webinar series mailing list.