02 | Validation Reimagined: From Paper Binders to Agentic AI, with Bryan Ennis

03 | Rethinking the Fence: Data, Standards, and the New Energy in Regulatory — with Crystal Allard

ABOUT THE GUEST Crystal Allard [https://www.linkedin.com/in/crystal-allard-40087764] is Senior Director of Government Strategy at Veeva Systems [https://www.veeva.com/], where she works with regulators and industry to shape the future of the submissions ecosystem and increase speed to market. Crystal spent roughly 15 years at the FDA [https://www.fda.gov/] across innovation and technology roles — including time working for the agency's Chief Data Officer and at the Center for Tobacco Products [https://www.fda.gov/tobacco-products], plus stints as an FDA consultant. She also worked in regulatory operations before joining the agency, giving her a rare full-circle view of how submissions are built, reviewed, and inspected. She recently co-authored published commentary on the joint FDA–EMA Guiding Principles of Good AI Practice in Drug Development [https://www.fda.gov/about-fda/center-drug-evaluation-and-research-cder/artificial-intelligence-drug-development] (January 2026) and is a speaker at the Veeva R&D and Quality Summit [https://www.veeva.com/eu/events/rd-summit/]. KEY TOPICS A new wave of energy. After years of stasis, health authorities are increasingly open to modern, data-driven technology. Crystal's read: it feels inevitable now in a way it simply didn't two years ago. Standards bodies in flux. Standards like CDISC [https://www.cdisc.org/] have been in place for essentially Crystal's whole career — but new leadership at CDISC, HL7 [https://www.hl7.org/], and its Vulcan FHIR Accelerator [https://www.hl7.org/vulcan/] is creating real willingness to revisit old assumptions. HL7 groups already use AI to draft standards, data models, APIs, and implementation guides, compressing timelines with far fewer resources. The new bottleneck: the testing, voting, and adoption infrastructure, still geared to a three-years-ago cadence. The lasting lesson of COVID. Rolling reviews proved faster review is possible — but regulators did it the hard way, because data wasn't in the format they needed. The insight: standardization doesn't always equal usability, or even validity. Data needs to be accessible and analyzable. The goal now is to keep the speed but build the "easy button." Global convergence — and its limits. At DIA [https://www.diaglobal.org/] Europe, multiple health authorities discussed reliance and the "inevitability" of a shared submission process, while staying cagey on technology. Standards organizations are quietly driving convergence — ICH [https://www.ich.org/] guidelines like M4Q(R2) now publish in a common format across many countries. Missed opportunities remain, notably the lack of shared data-security requirements and a separate ICH Module 1 per country. Rethinking the submission "fence." Today's model is over-the-fence: build a package, toss it across. Crystal floats a reframe — what if the space between sponsor and regulator isn't just a transfer point but a shared storage and viewing space? APIs and direct connections could enable continuous, "live" review. It's a different paradigm than eCTD [https://www.fda.gov/drugs/electronic-regulatory-submission-and-review/electronic-common-technical-document-ectd] and even eCTD v4.0, which Crystal frames as both a globalization attempt and a missed opportunity at better exchange technology. Security, IP, and who owns the data. Centralization cuts both ways — a single shared space is either a bigger target or a better-defended fortress. In the US, submission data is owned by the sponsor; FDA only stewards it — so sponsors can do more with their own data, and their own FDA letters, than they realize. Meanwhile FDA wants earlier access to sponsor data but can't share its review memos across authorities — a catch-22 that may take legislation to resolve. The RIM blind spot — and the special-format mistake. Many at health authorities have never built a submission, so they underestimate the data management, QC, and validation work behind one — and were often unaware of regulatory information management (RIM) systems at all. Crystal shares a candid "learning experience" from her Center for Tobacco Products [https://www.fda.gov/tobacco-products] days: special submission formats (a PDF-backbone structure, and later eSTAR [https://www.fda.gov/medical-devices/premarket-submissions-selecting-and-preparing-correct-submission/electronic-submission-template-medical-device-premarket-submissions] and other e-submitter formats) were designed to be easier — but modern AI tooling is now so good at standard formats like eCTD that the special ones cost more time and money. The reviewer disconnect. Many format rules exist not because a reviewer wants to read a document, but because review software needs specific data sets for automated analyses. Yet reviewers are rarely in the room when those tools or the guidance are built — "a massive disconnect." See the endless bookmark-and-hyperlink debate, and an industry that fears a technical rejection [https://www.fda.gov/drugs/electronic-regulatory-submission-and-review/electronic-common-technical-document-ectd] that, inside FDA, is barely a blip. The future of Reg Ops and review. Both roles are converging on a hybrid: regulatory or scientific expertise, plus the ability to move data, separate signal from noise, and prompt effectively. Less document-and-business-process, more data-and-structure. A shared vision, freely given. As a public benefit corporation [https://www.veeva.com/], Veeva balances commercial interest with contributing to the wider ecosystem — and Crystal argues data standards, and possibly exchange platforms, must be freely available for true interoperability. The bigger gap: ICH-style groups have reviewers, health authorities, and industry, but are missing the "third leg of the stool" — technologists. NOTABLE QUOTES > "EMA is writing it down. FDA is saying it out loud." — on regulators and APIs > "Standardization doesn't always equate to use and usability, or even validity." > "[They] want to keep doing it, but maybe make it the easy button." — on COVID-era rolling reviews > "It takes more effort and time and money to create these special sources that we thought were easier." > "What if we just rethink the fence?" > "You can leave the FDA, but you never leave the public health mission behind." WHO THIS EPISODE IS FOR Regulatory operations and regulatory affairs leaders; data standards and submissions professionals (CDISC, HL7, ICH); clinical operations and R&D IT teams; health authority and policy professionals tracking modernization; and anyone interested in how AI and data standards are reshaping regulatory review. REFERENCES, PEOPLE & RESOURCES Guest & Company * Crystal Allard [https://www.linkedin.com/in/crystal-allard-40087764] — Senior Director, Government Strategy, Veeva Systems * Veeva Systems [https://www.veeva.com/] and the Veeva R&D and Quality Summit [https://www.veeva.com/eu/events/rd-summit/] Regulators & Standards Organizations * U.S. FDA [https://www.fda.gov/] and the Center for Tobacco Products [https://www.fda.gov/tobacco-products] * European Medicines Agency (EMA) [https://www.ema.europa.eu/] * CDISC [https://www.cdisc.org/], HL7 [https://www.hl7.org/], the HL7 Vulcan FHIR Accelerator [https://www.hl7.org/vulcan/], and ICH [https://www.ich.org/] Submission Standards, Formats & AI Guidance * eCTD [https://www.fda.gov/drugs/electronic-regulatory-submission-and-review/electronic-common-technical-document-ectd] — including eCTD v4.0 and the Technical Rejection Criteria * eSTAR — Electronic Submission Template for Medical Device Premarket Submissions [https://www.fda.gov/medical-devices/premarket-submissions-selecting-and-preparing-correct-submission/electronic-submission-template-medical-device-premarket-submissions] * FDA–EMA Guiding Principles of Good AI Practice in Drug Development [https://www.fda.gov/about-fda/center-drug-evaluation-and-research-cder/artificial-intelligence-drug-development] (January 2026) * Microsoft Copilot [https://copilot.microsoft.com/] and Google Gemini [https://gemini.google.com/] Events & Concepts Referenced * DIA (Drug Information Association) [https://www.diaglobal.org/] and DIA Europe * Regulatory reliance; "live review"; RIM systems; Meaningful Use (cited as a legislation-driven data-sharing precedent) Operations Utopia - Where Regops, Innovation, Technology, and Execution Meet. Disclaimer: This podcast reflects only the opinion of the podcaster and guests and does not reflect those of their organizations, system vendors, or service provider Original show theme "Little Sammy" by Matt Neal

02 | Validation Reimagined: From Paper Binders to Agentic AI, with Bryan Ennis

Executive Summary Computer system validation in life sciences is at the most significant inflection point of the last 25 years. In this conversation, Matt Neal sits down with Bryan Ennis — co-founder of Sware [https://www.sware.com/] and a 27-year veteran of regulated systems work at Genzyme [https://www.sanofi.com/] and Veeva [https://www.veeva.com/] — to trace how validation evolved from rooms full of IBM testers writing scripts against floppy-disk installs, through the cloud era's shift of responsibility to vendors, and into today's reality of agentic AI and vibe coding. KEY TOPICS Why validation exists in the first place Validation's purpose is common sense — proving that a manufacturing line stamping 100,000 pills an hour, a heart-rate-monitoring device, or a clinical trial data pipeline actually works the way it was designed. Patient safety, product quality, data integrity, and signature legitimacy are the real targets; everything else is overhead. The on-prem era (late 1990s–2000s) Bryan recalls 35 IBM [https://www.ibm.com/] testers in a room writing scripts for a Siemens e-clinical system. Companies built their own machines (this predates ordering a Dell or Gateway through the mail), installed software from 25-disk floppy sets, and rewrote their own GxP applications. Validation made sense because everything was bespoke and error-prone — but it meant nobody changed software for three to five years. Risk-based validation, pre-CSA Bryan was doing risk-based validation at Genzyme [https://www.sanofi.com/] starting in 2005, guided by ISPE's GAMP framework [https://ispe.org/publications/guidance-documents/gamp-5-guide-2nd-edition]. The principles were already there; the industry just wasn't following them. The cloud transition and the Veeva [https://www.veeva.com/] era Cloud vendors began delivering validation evidence with the platform — but also pushed three to four releases per year. Installation got easier; maintenance got harder. Companies went from validating once every three to five years to validating thousands of releases annually. FDA's CSA guidance — rebrand or revolution? The Computer Software Assurance guidance [https://www.federalregister.gov/documents/2025/09/24/2025-18468/computer-software-assurance-for-production-and-quality-system-software-guidance-for-industry-and] flips CSV's document-heavy default into a critical-thinking, risk-based exercise. For practitioners who'd been advocating this for a decade, it felt like rebranding — but it's a clear signal from the agency to redesign the process around patient safety, product quality, and data integrity rather than testing every field. Why the change has been slow Many sponsors externalized validation to billable-hour consultancies whose business model rewards more testing, not less. Internal common-sense streamlining is the only way to break the pattern, but companies often default to "if it ain't broke, don't fix it" until they swap a vendor entirely. Vendor responsibility is now table stakes You cannot sell GxP software in life sciences today without ISO [https://www.iso.org/] and SOC [https://www.aicpa-cima.com/] certifications, a validation package, and ongoing maintenance services. Veeva [https://www.veeva.com/] helped normalize this; the entire vendor ecosystem has caught up. The AI inflection — vibe coding hits regulated software "You can't fund a software company right now unless AI is core to your narrative." Vendors are using Claude Code [https://www.anthropic.com/claude-code] and similar tools internally. Sware itself runs Claude Code agents end-to-end. Requirements are no longer drafted up front — they emerge from the system, which interestingly mirrors the old waterfall model from the on-prem era. The "SaaS-pocalypse" and analysis paralysis Foundations are shifting under buyers in real time. This may be the slowest growth year ever for SaaS in the space as customers reevaluate roadmaps and vendors reinvent themselves on AI-native architectures. Agentic validation and the MCP connect layer Nearly every software company Bryan has spoken to in recent months has a Model Context Protocol [https://modelcontextprotocol.io/] connect layer on its roadmap. AI agents inside one platform can talk to agents like Salesforce Agentforce [https://www.salesforce.com/agentforce/], crawl audit trails and configuration logs, and signal a validation platform to auto-generate requirements, draft test scripts, and execute them. This is what cracks the "final mile" problem that brittle automated testing scripts could never solve. Real-time, continuous validation The future state: every release re-validates the entire system. Paper records become end-state artifacts that emerge from the data, not the foundation of the effort. Quarterly release cadences and 18-to-24-month migrations give way to something closer to real time. The trust question Customers have already trusted vendors with disaster recovery, the cloud, and their data. The next layer of trust is validation itself — and the rumblings around Salesforce [https://www.salesforce.com/] reportedly monetizing customer data are a cautionary signal that this trust isn't unconditional. What doesn't change "AI self-validation is only going to go so far." There's still a human component — domain expertise, judgment, and the responsibility for patient safety — that doesn't go away just because agents are doing the grunt work. NOTABLE QUOTES * "Paper validation is just dead in that model. There's no way it scales to an AI company that's going to do 3,000, 5,000, 10,000, 20,000 releases a year." * "I used to have stacks of paper in my office. They were so tall I created a maze so that nobody could see me at my desk." * "We're in a very similar position with AI as we were at the cloud right now." * "There's no CIO at any pharma of any size who's going to say, 'Yeah, we're not going to do AI because the validation team told me they don't want to.'" * "By this time next year, I think we're in a completely different spot." PEOPLE, COMPANIES & RESOURCES MENTIONED Guest & Company * Bryan Ennis [https://www.linkedin.com/in/bryan-ennis/] — Co-Founder & Chief Quality Officer * Sware [https://www.sware.com/] — Digital validation platform; validates Salesforce [https://www.salesforce.com/], Box [https://www.box.com/], Blue Mountain, TrackWise, and 40+ other GxP systems Bryan's Career Background * Genzyme [https://www.sanofi.com/] (acquired by Sanofi) — early risk-based validation work starting 2005 * Veeva Systems [https://www.veeva.com/] — early cloud-era validation Regulatory & Standards * FDA Computer Software Assurance (CSA) Guidance [https://www.fda.gov/regulatory-information/search-fda-guidance-documents/computer-software-assurance-production-and-quality-system-software] * FDA Center for Devices and Radiological Health (CDRH) [https://www.fda.gov/about-fda/fda-organization/center-devices-and-radiological-health] * ISPE GAMP 5 Framework [https://ispe.org/publications/guidance-documents/gamp-5-guide-2nd-edition] * ISO certifications [https://www.iso.org/] and SOC reports [https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2] Software & Vendors Discussed * Salesforce [https://www.salesforce.com/] and Agentforce [https://www.salesforce.com/agentforce/] * Box [https://www.box.com/] * Veeva [https://www.veeva.com/] * MasterControl [https://www.mastercontrol.com/] — cited as an early vendor with embedded GxP validation capability * TrackWise (now part of Honeywell Sparta Systems [https://www.honeywell.com/us/en/sparta-systems]) * Blue Mountain (RAM) * IBM [https://www.ibm.com/] — referenced for the early Siemens e-clinical engagement AI & Developer Tooling * Anthropic [https://www.anthropic.com/] and Claude Code [https://www.anthropic.com/claude-code] * OpenAI [https://openai.com/] * Model Context Protocol (MCP) [https://modelcontextprotocol.io/] * Atlassian Jira [https://www.atlassian.com/software/jira] * Playwright [https://playwright.dev/] Transcript provided by Otter.ai [https://otter.ai/]. Operations Utopia - Where Regops, Innovation, Technology, and Execution Meet. Disclaimer: This podcast reflects only the opinion of the podcaster and guests and does not reflect those of their organizations, system vendors, or service provider Original show theme "Little Sammy" by Matt Neal

01 | Why Biopharma Operating Models Collapse Under Scale

WHY BIOPHARMA OPERATING MODELS COLLAPSE UNDER SCALE WHAT REGULATORY OPERATIONS AND R&D PLATFORMS REVEAL ABOUT HOW ORGANIZATIONS ACTUALLY FUNCTION Most life sciences organizations don’t struggle because of regulation—they struggle because of how they interpret it. From the vantage point of Global Regulatory and R&D information systems, this episode examines why modern platforms like Veeva promise leverage but often deliver friction. The issue isn’t technology—it’s how operating models distribute ownership across IT, Quality, and the business, and how risk is interpreted at scale. This conversation explores how over-validation, misaligned incentives, and legacy thinking slow execution, fragment systems of record, and ultimately increase risk. This is not a technology discussion. It is a systems-level diagnosis. This episode is based on a fireside chat with Fritz Stolp at an industry session hosted by Implement Consulting Group, exploring real-world experiences with Veeva Systems platforms in regulatory and R&D environments. Key Themes 1. The Expectation Gap Organizations expect a connected operating system but configure fragmented tools. Platforms designed to unify data and workflows become siloed and underutilized. 2. Misaligned Ownership Across Functions * IT optimizes for requirements and infrastructure * Quality applies legacy validation models * The business often lacks visibility into what’s possible Result: No single group owns the outcome. 3. Over-Validation as Risk Creation Validation is necessary—but often misapplied. When simple changes take weeks or months: * Work moves into spreadsheets and email * Systems of record are bypassed * Traceability decreases Risk doesn’t go away. It moves. 4. Decision Latency at Scale Governance structures intended to reduce risk often increase it by slowing execution and diffusing accountability. Simple configuration changes become prolonged processes, creating friction across the organization. 5. SaaS Reality vs Legacy Thinking Modern platforms evolve continuously. Organizations that resist change fall behind the very capabilities designed to improve them. In no other industry do customers ask technology providers to stop innovating. 6. The User Adaptability Myth A major interface change introduced no disruption in practice. Users adapt quickly. Organizations assume they won’t. This gap reinforces unnecessary controls and slows adoption. 7. Trust as an Operating Requirement Execution speed depends on trust: * Between internal teams * Between organizations and vendors Reducing redundant validation and enabling faster deployment requires explicit risk ownership. 8. Patient Time as the Ultimate Constraint Operational delay is not abstract. In some cases, time spent in internal processes directly impacts patient outcomes. Efficiency is not just a business concern—it is an ethical obligation. Key Quotes “Most organizations don’t fail because of technology—they fail because no one owns how it’s supposed to work.” “Over-validation doesn’t reduce risk—it pushes work out of the system of record.” “If a simple change takes months, the system has already failed.” “We don’t need less regulation—we need better interpretation.” Who Should Listen * CEOs and COOs in life sciences * Heads of Regulatory, Quality, and Operations * CIOs and Digital leaders * Regulatory and policy stakeholders What This Episode Is Not * Not a Veeva implementation guide * Not a validation methodology tutorial * Not a vendor perspective * Not a “digital transformation” narrative This is a diagnosis of how operating models behave under scale and constraint. Closing Thought Regulatory operations don’t just execute the operating model. They expose it. Information Mentioned in this Episode: * Frits Stulp [https://www.linkedin.com/in/fritsstulp/] * Implement Consulting Group [https://implementconsultinggroup.com/what-we-do/life-science] * Veeva RIM System [https://www.veeva.com/products/veeva-rim/] * Unleash RIM [https://www.linkedin.com/pulse/unleash-rim-matt-neal/] Summaries and show notes created from transcript using ChatGPT w/ some light editing - let me know if you find anything crazy that needs to change. Operations Utopia - Where Regops, Innovation, Technology, and Execution Meet. Disclaimer: This podcast reflects only the opinion of the podcaster and guests and does not reflect those of their organizations, system vendors, or service provider Original show theme "Little Sammy" by Matt Neal