← Back to portfolio
Assessed 2026-07-09

ARVADOS

Processing & Analytics · CSCoE / DDC / Exploratory Disease
Lead
Moritz Gilsdorf
SMEs
Moritz Gilsdorf
Provider org
CSCoE / DDC / Exploratory Disease

Overall coverage

Modern
84% 115 / 140 points
Coverage = unweighted mean of the 10 dimension coverages (not points ÷ max)

Maturity distribution

Modern 9Transitional 1Tech Debt 0
Headline finding
Adopt Arvados as a Reliability, Resilience, and Recovery blueprint for other critical applications. Replicate its good practice of defining clear RTO and RPO targets, ensuring each application has documented recovery expectations aligned to business criticality, SLAs, and SLOs, and that these targets are validated through regular recovery testing.
Primary modernization lever: Architecture & Interoperability

Coverage vs. portfolio

app vs. avg (dashed)

Score vs. gap by dimension

Prioritized remediation

Map each existing SLA and SLO to clearly defined SLIs, document how they are calculated, and publish them in stakeholder-facing dashboards with assigned ownership and regular review cadence.
Reliability Impact Medium Effort Low
Define and maintain Level 1 Support SLAs and SLOs for all critical services, covering incident intake, prioritization, initial response, resolution where applicable, and escalation to higher support tiers.
Reliability Impact Medium Effort Low

Per-question assessment

click a dimension to expand · colored answer chips
FAIR & Discoverability 1 gap 90%
The dataset or system is findable in a searchable catalog or inventory (e.g., ).
Yes
A named data owner or steward is formally assigned and documented.
Yes
Access and usage conditions, including legal and compliance constraints, are documented and available to users.
Partial
What is the percentage of the data uses standardized terminologies such as RTiS.
>90%
Data lineage is captured for key data flows and is maintained over time.
Automated
IAM, Privacy & Security 3 gaps 67%
The system uses the approved corporate identity provider for user authentication (e.g., Roche SSO via PingFederate, OAuth 2.0, OpenID Connect).
Yes
Data is encrypted in transit.
Yes
Data is encrypted at rest.
Partial
Secrets are managed in an approved central vault (e.g., HashiCorp Vault or AWS Secrets Manager).
Yes
Access rights and permissions are reviewed and formally certified at defined intervals.
Partial
No shared or generic privileged accounts exist in the production environment.
No
Platform / Hosting / Infrastructure 0 gaps 100%
Infrastructure is provisioned declaratively using Infrastructure as Code.
Yes
The system uses approved shared internal platforms or Golden Paths, where applicable. (e.g., Minerva Application Blueprint)
Yes
Architecture & Interoperability 2 gaps 62%
Can we swap in and out components without modifying the system.
Partial
All application services are exposed through clear and defined interfaces.
Yes
Data contracts are documented and governed.
Yes
API lifecycle management is actively implemented using Gravitee.
No
Reliability 1 gap 67%
All critical services have defined SLAs and SLOs.
Yes
Major incidents are followed by systematic postmortems, and resulting corrective actions are tracked to closure in the backlog.
Yes
SLIs are defined and calculated for all established SLAs and SLOs, and are visible to stakeholders and system owners.
No
Scalability & Performance 1 gap 75%
The system supports automated vertical and horizontal scaling based on real-time demand, where applicable.
Partial
Load and performance testing are performed routinely and included in major release cycles.
Yes
Deployment Automation 0 gaps 100%
Core workloads are supported by a complete CI/CD pipeline.
Yes
Builds, tests, and deployments are executed through fully automated processes.
Yes
Automated quality gates are enforced before production deployment. (e.g., SonarQube)
Yes
Production rollback or deployment occurs regularly and within the last 6 months.
Yes
Build artifacts and dependencies are managed in a traceable and controlled manner.
Yes
Observability 0 gaps 100%
All critical services generate standard telemetry, including logs, metrics, and traces.
Yes
Observability data is available through approved central monitoring and observability tools.
Yes
Incident analysis can be performed across upstream and downstream dependencies.
Yes
Resilience & Recovery 0 gaps 100%
Critical services and data have defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.
Yes
Backup, restore, and recovery procedures, including assigned roles and responsibilities, are documented and tested.
Yes
Cost Transparency & FinOps 1 gap 75%
Cost visibility is available at component, system, product family, or domain level.
System
Cost is reviewed regularly together with usage and business value by the owning team.
Yes
Architectural decisions explicitly consider cost as a primary decision variable.
Partial