The Installation Qualification Operational Qualification (IQOQ) SKU is a valuable addition for life sciences customers, with approximately 2/3 of our customers having purchased it. The FDA has established validation principles for verifying equipment utilized in the production of medical products. This SKU is specifically designed to cover the estimated costs for incremental engineering efforts to provide an initial qualified customer environment and cumulative remediation time to maintain the environment annually. Additionally, the SKU includes the required commitments from ServiceNow to perform specific process steps and provide detailed documentation.

Customers can work with their Account Manager to acquire the IQOQ SKU, and then review the IQOQ reports in our Support portal.  The reports are made available via CHG tickets when the instance qualifications are performed.  IQOQ reports are provided when the instance is initially qualified, and when key instance hardware changes are identified.

The Database Encryption SKU is a popular choice among our life sciences customers, with almost all large and around half of our small to mid-sized customers utilizing it. While data in transit is encrypted, data at rest remains unencrypted unless the customer has database or full disk encryption. However, it is important to note that to access the unencrypted data, a bad actor must gain access to the hard drive or database within our facilities, which we have multiple controls in place to prevent. Nonetheless, quality departments often require the higher-level controls offered by database encryption.

The Database Encryption SKU provides software-based encryption for data-at-rest of all customer data stored in production and sub-production instances. For more information, customers can reference our encryption whitepaper and Trust microsite, as well as find additional SOPs and detailed documents in CORE.

To begin identifying which apps or modules need to be validated, it is recommended to start with Change Management as almost all customers will need to validate it due to its potential impact on the drug-making process. Additionally, any catalog items that provide access to a CI or app that directly affects the drug-making process will also require validation.

It may be helpful to create a simple table structure to organize this list and verify it with the Quality department to ensure all necessary apps/modules are identified and included in the validation process.

Validating software development in the context of GxP is about following best practices throughout the software development lifecycle (SDLC) and providing the necessary documentation for Quality approval. It is important to note that upgrades or modifications to the software may require additional validation activities.

To ensure compliance with GxP regulations, it is recommended to adopt a structured approach to SDLC, such as the waterfall or agile methodologies. Both methodologies have their own set of advantages and disadvantages, so it is important to choose the one that best suits the organization's needs and ensures that GxP requirements are met.

During the SDLC, it is important to follow established procedures for design, coding, testing, and documentation. The development team should create and follow a project plan that includes detailed testing procedures and documentation of all testing results.

Any changes to the software, including upgrades, modifications, or bug fixes, must be carefully documented, tested, and validated to ensure that they do not negatively impact the safety or effectiveness of the product. This includes conducting impact assessments and creating change control documentation to ensure that all changes are tracked and approved by Quality.

It is essential to work proactively with Quality to define the specific validation activities required for the organization. This collaboration should occur throughout the SDLC, from planning to post-release activities. By following best practices in the SDLC and collaborating with Quality, organizations can ensure that their software development processes are compliant with GxP regulations.

Defining change types is an important step in ensuring that appropriate validation activities are performed. It is essential to work closely with Quality to determine the appropriate definitions and validation requirements for your organization. Here are some possible definitions:

• Configuration: A change that can be made using ServiceNow's built-in tools and does not require modifying the underlying code. Examples include adding a new field, changing a form layout, or modifying a drop-down list. These changes can typically be made by an administrator or power user without requiring development expertise.
• Customization: A change that involves modifying the underlying code, either by creating new code or modifying existing code. Examples include creating a new business rule or modifying a client script. These changes typically require development expertise and may require formal testing and validation activities.

It is important to note that the definitions of configuration and customization may vary depending on your organization and its specific needs. By defining these terms clearly and working with Quality to determine appropriate validation activities, you can ensure that changes are made safely and efficiently within your GxP environment.

These are excellent recommendations for minimizing technical debt in ServiceNow:

1. Stay out of the box: Using out-of-the-box features as much as possible can reduce the amount of customization required and reduce technical debt. Customers should start with the per-version traceability matrix (available in CORE) and use it as the justification for staying out of the box.

2. Follow the Customer Success Playbook: Instance Performance and Maintenance. Customers can use the Health Scan offering to scan their instance and compare their configuration to best practices across product suites. This can help identify areas where improvements can be made to reduce technical debt.

3. Leverage partner solutions: Partners such as Bravium and Quality Clouds offer tools that can review and optimize code, identify customizations, and check fields. Investing in these tools and incorporating them into the SDLC process can help minimize technical debt.

To ensure that each validated app (such as a service catalog) meets Quality's requirements, it's important to determine the necessary testing for each type of change (configuration vs. customization) and whether it impacts validated or non-validated CI's. This includes unit testing, user verification, system integration testing (SIT), user acceptance testing (UAT), and any additional testing required with Quality.

• For validated and non-validated apps, unit testing requires the same level of documentation, such as documenting via Agile story traced back to incident/defect completed in Dev01 with screenshots and notes.
• User verification by the business owner may only be necessary for customization and workflow changes, adding documentation and an approval gate for sign-off.
• For configuration changes to catalog items associated with non-validated CI's, SIT and UAT may not be necessary, streamlining the change deployment process.

Our customer success team, specifically platform architects, can assist with this process and provide additional best practices or collaborate with your team to meet Quality's requirements. Additionally, USDM and other partners specializing in computer systems validation can support the platform and quality team.

To ensure a streamlined and efficient process for break-fix and enhancement, it's important to have a clear intake and triage process in place. This process should include the following steps:

1. Evaluate the issue: When a break-fix issue arises, the first step is to evaluate whether a code change is needed and which module is impacted.

2. Follow the testing process: Once the issue has been evaluated, it's important to follow the testing process outlined above to ensure that the change is properly validated.

3. Create a story: After the issue has been evaluated and tested, create a story in the appropriate tools to track the issue and ensure that everyone involved - developers, business owners, Quality, and the platform team - are on the same page.

By documenting and visualizing this process, you can ensure that all stakeholders understand the steps involved and can work together to quickly and efficiently resolve any issues that arise. This will help to minimize downtime and ensure that your systems are always operating at peak performance.