Development and validation of low-/no-code applications in GXP

Low-/no-code is a development trend that is expected to grow at a double-digit number in the coming years. In contrast to traditional software development, it aims to accelerate product cycles, achieve greater flexibility and reduce development resources, thereby lowering the development costs.

Although the concept is not new, low-/no-code has been considered as a disruptive technology in recent years due to the ability to use, for example, graphical modelling to create mobile and web applications having to use only some or no coding (hence “low-/no-code”). In principle, a business user with basic computer skills could design a digital workflow to replace a paper-based one and run it on a smart tablet. Of course, it’s not as easy and simple like that. As the term low-code implies, there is some code involved, especially as a number of the low-/no-code platforms either allow new source code to be imported or can be modified in such a way that the predefined modelling and configuration part is circumvented. This not only requires more than just basic skills in programming, but also a specialist low code developer. Another constraint is that a business user, stuck in daily (firefighting) operations, will struggle to find the capacity to program an application himself.

However, the majority of the use cases for deploying a low-/no-code application will come from business operations. Some examples of where low-/no-code development projects can be deployed are:

• Replacement of a paper-based process with an electronic workflow
• Replacement of an outdated application (e.g. access database)
• Aggregate data from multiple sources into a dashboard, trend graphs or status reports that can be accessed on mobile devices
• Use of semantic data models to standardise, share and analyse data across the organisation
• Building a B2B platform to interact with partners on the same data set
• Create rapid user interfaces and platforms to integrate cloud and external services
• Extend the functionalities of an ERP or CRM system

1. Select the right platform provider

Beside the large providers, there are dozens of others, all with their advantages and disadvantages depending on the use case. For example, some platforms are suited for visualizing data, some are better at building workflows, some only work best on mobile devices. There will always be a trade-off, especially if a combination of different features (for example workflow and visual data reporting) is required.

2. Do you already have a low-/no-code platform?

Your company may have already implemented a low-/no-code platform which may or may not suit your use case. And only the largest organisations may be willing to invest in a second low-/no-code platform provider.

3. The platform should be suitable for your GxP application

Since with all probability most of the built applications are non-GxP, it may be difficult to adapt it for GxP requirements.

4. Third-party modules

There may be third-party modules that could be used for your application, however, then getting a software of an unknown provenance (SOUP) verified for a GxP application can be a lengthy process. The other option is to develop the feature yourself which will involve extensive testing.

5. Find the right low-/no-code and UI specialists that build the application

Although this may seem counter-intuitive to the low-/no-code concept, it will be one of the key success factors to build a productive application that will be accepted by the business users.

6. Have a decent service level agreement

Low-/no-code providers offer the advantage that crucial support processes are running at the platform level, including incident management, back up and disaster recovery. However, this means that you need to have a decent service level agreement with the platform provider, so that in the event of an application incident that cannot be resolved internally, they will respond within a defined timeframe.

7. Is there an integrating restriction from the supplier?

Be aware that you build your application with the provider’s proprietary technology. The provider could prevent you from integrating other business logic that could increase the level of technical dept of the application in future.

8. Establish a good communication channel with the platform provider

The platform is subject to periodic updates and releases, so the knowledge of the moment and scope of a new patch or release that is being deployed is crucial to performing the risk and impact assessment for your GxP application in advance.

1. It should be planned as the usual platform / application validation approach

2. It should be established that the platform is already in a validated or qualified state and that the quality management and supporting processes are defined.

3. The validation concept should leverage the processes of the validated/qualified platform as much as it is feasibly compliant.

4. The validation strategy must be aligned with the development method (waterfall, agile, DevOps or hybrid) and needs to be aligned with the CSV framework.

5. The platform features should be assessed with increased scrutiny to determine if they meet GxP relevant requirements. If the platform is only partially meeting the GxP requirements, then the features need to be developed and tested on application level. This can, of course, significantly extend the build and validation time.

6. It is crucial to get the QA or CSV responsible person on board early on. As low-/no-code is a different development approach, there might be some resistance encountered whether it is safe and compliant to use. These concerns need to be addressed and it is obviously better to do it up front rather than at a later stage in the project.

In summary, developing applications on low-/no-code basis provides a number of benefits compared to traditional coding work. However, great care must be taken to ensure that the relevant regulatory requirements are met. On contrast, the shorter development cycles lead to a bigger involvement by the business SMEs, who will witness and contribute to the implementation of the business requirements from a minimum viable product to a fully functional application.

*In biotech, pharmaceutical, medical device and related industries, Computer System Validation (CSV), or short “validation” encompasses all the activities verifying that a software is fit for its intended use, and is compliant to external regulations, thus providing a high degree of assurance that risks to patients, product quality and data integrity are minimized.