02 | Validation Reimagined: From Paper Binders to Agentic AI, with Bryan Ennis
Executive Summary
Computer system validation in life sciences is at the most significant inflection point of the last 25 years. In this conversation, Matt Neal sits down with Bryan Ennis — co-founder of Sware [https://www.sware.com/] and a 27-year veteran of regulated systems work at Genzyme [https://www.sanofi.com/] and Veeva [https://www.veeva.com/] — to trace how validation evolved from rooms full of IBM testers writing scripts against floppy-disk installs, through the cloud era's shift of responsibility to vendors, and into today's reality of agentic AI and vibe coding.
KEY TOPICS
Why validation exists in the first place
Validation's purpose is common sense — proving that a manufacturing line stamping 100,000 pills an hour, a heart-rate-monitoring device, or a clinical trial data pipeline actually works the way it was designed. Patient safety, product quality, data integrity, and signature legitimacy are the real targets; everything else is overhead.
The on-prem era (late 1990s–2000s)
Bryan recalls 35 IBM [https://www.ibm.com/] testers in a room writing scripts for a Siemens e-clinical system. Companies built their own machines (this predates ordering a Dell or Gateway through the mail), installed software from 25-disk floppy sets, and rewrote their own GxP applications. Validation made sense because everything was bespoke and error-prone — but it meant nobody changed software for three to five years.
Risk-based validation, pre-CSA
Bryan was doing risk-based validation at Genzyme [https://www.sanofi.com/] starting in 2005, guided by ISPE's GAMP framework [https://ispe.org/publications/guidance-documents/gamp-5-guide-2nd-edition]. The principles were already there; the industry just wasn't following them.
The cloud transition and the Veeva [https://www.veeva.com/] era
Cloud vendors began delivering validation evidence with the platform — but also pushed three to four releases per year. Installation got easier; maintenance got harder. Companies went from validating once every three to five years to validating thousands of releases annually.
FDA's CSA guidance — rebrand or revolution?
The Computer Software Assurance guidance [https://www.federalregister.gov/documents/2025/09/24/2025-18468/computer-software-assurance-for-production-and-quality-system-software-guidance-for-industry-and] flips CSV's document-heavy default into a critical-thinking, risk-based exercise. For practitioners who'd been advocating this for a decade, it felt like rebranding — but it's a clear signal from the agency to redesign the process around patient safety, product quality, and data integrity rather than testing every field.
Why the change has been slow
Many sponsors externalized validation to billable-hour consultancies whose business model rewards more testing, not less. Internal common-sense streamlining is the only way to break the pattern, but companies often default to "if it ain't broke, don't fix it" until they swap a vendor entirely.
Vendor responsibility is now table stakes
You cannot sell GxP software in life sciences today without ISO [https://www.iso.org/] and SOC [https://www.aicpa-cima.com/] certifications, a validation package, and ongoing maintenance services. Veeva [https://www.veeva.com/] helped normalize this; the entire vendor ecosystem has caught up.
The AI inflection — vibe coding hits regulated software
"You can't fund a software company right now unless AI is core to your narrative." Vendors are using Claude Code [https://www.anthropic.com/claude-code] and similar tools internally. Sware itself runs Claude Code agents end-to-end. Requirements are no longer drafted up front — they emerge from the system, which interestingly mirrors the old waterfall model from the on-prem era.
The "SaaS-pocalypse" and analysis paralysis
Foundations are shifting under buyers in real time. This may be the slowest growth year ever for SaaS in the space as customers reevaluate roadmaps and vendors reinvent themselves on AI-native architectures.
Agentic validation and the MCP connect layer
Nearly every software company Bryan has spoken to in recent months has a Model Context Protocol [https://modelcontextprotocol.io/] connect layer on its roadmap. AI agents inside one platform can talk to agents like Salesforce Agentforce [https://www.salesforce.com/agentforce/], crawl audit trails and configuration logs, and signal a validation platform to auto-generate requirements, draft test scripts, and execute them. This is what cracks the "final mile" problem that brittle automated testing scripts could never solve.
Real-time, continuous validation
The future state: every release re-validates the entire system. Paper records become end-state artifacts that emerge from the data, not the foundation of the effort. Quarterly release cadences and 18-to-24-month migrations give way to something closer to real time.
The trust question
Customers have already trusted vendors with disaster recovery, the cloud, and their data. The next layer of trust is validation itself — and the rumblings around Salesforce [https://www.salesforce.com/] reportedly monetizing customer data are a cautionary signal that this trust isn't unconditional.
What doesn't change
"AI self-validation is only going to go so far." There's still a human component — domain expertise, judgment, and the responsibility for patient safety — that doesn't go away just because agents are doing the grunt work.
NOTABLE QUOTES
* "Paper validation is just dead in that model. There's no way it scales to an AI company that's going to do 3,000, 5,000, 10,000, 20,000 releases a year."
* "I used to have stacks of paper in my office. They were so tall I created a maze so that nobody could see me at my desk."
* "We're in a very similar position with AI as we were at the cloud right now."
* "There's no CIO at any pharma of any size who's going to say, 'Yeah, we're not going to do AI because the validation team told me they don't want to.'"
* "By this time next year, I think we're in a completely different spot."
PEOPLE, COMPANIES & RESOURCES MENTIONED
Guest & Company
* Bryan Ennis [https://www.linkedin.com/in/bryan-ennis/] — Co-Founder & Chief Quality Officer
* Sware [https://www.sware.com/] — Digital validation platform; validates Salesforce [https://www.salesforce.com/], Box [https://www.box.com/], Blue Mountain, TrackWise, and 40+ other GxP systems
Bryan's Career Background
* Genzyme [https://www.sanofi.com/] (acquired by Sanofi) — early risk-based validation work starting 2005
* Veeva Systems [https://www.veeva.com/] — early cloud-era validation
Regulatory & Standards
* FDA Computer Software Assurance (CSA) Guidance [https://www.fda.gov/regulatory-information/search-fda-guidance-documents/computer-software-assurance-production-and-quality-system-software]
* FDA Center for Devices and Radiological Health (CDRH) [https://www.fda.gov/about-fda/fda-organization/center-devices-and-radiological-health]
* ISPE GAMP 5 Framework [https://ispe.org/publications/guidance-documents/gamp-5-guide-2nd-edition]
* ISO certifications [https://www.iso.org/] and SOC reports [https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2]
Software & Vendors Discussed
* Salesforce [https://www.salesforce.com/] and Agentforce [https://www.salesforce.com/agentforce/]
* Box [https://www.box.com/]
* Veeva [https://www.veeva.com/]
* MasterControl [https://www.mastercontrol.com/] — cited as an early vendor with embedded GxP validation capability
* TrackWise (now part of Honeywell Sparta Systems [https://www.honeywell.com/us/en/sparta-systems])
* Blue Mountain (RAM)
* IBM [https://www.ibm.com/] — referenced for the early Siemens e-clinical engagement
AI & Developer Tooling
* Anthropic [https://www.anthropic.com/] and Claude Code [https://www.anthropic.com/claude-code]
* OpenAI [https://openai.com/]
* Model Context Protocol (MCP) [https://modelcontextprotocol.io/]
* Atlassian Jira [https://www.atlassian.com/software/jira]
* Playwright [https://playwright.dev/]
Transcript provided by Otter.ai [https://otter.ai/].
Operations Utopia - Where Regops, Innovation, Technology, and Execution Meet.
Disclaimer: This podcast reflects only the opinion of the podcaster and guests and does not reflect those of their organizations, system vendors, or service providers.
Original show theme "Little Sammy" by Matt Neal