A practical guide to making a new technology purchase decision.
GxP vendor qualification is critical to your risk-reduction strategy. The software and cloud services you purchase from vendors should come with sufficient evidence of quality and compliance to support life science companies, e.g., documentation of standards to meet your intended use. If they don’t – that should be your first red flag.
The qualification process involves a thorough assessment of the vendor’s ability to meet your requirements, an evaluation of the product or services, and a plan for monitoring the performance of the vendor’s product or service.
Here are five things to consider before you make a new technology purchase decision.
Tip 1: Be clear on what the vendor will do and what your responsibility is
As you scale to the cloud, you need to make critical decisions about the vendor you partner with and understand what aspects of security and risk will be handled by your cloud provider. The right vendors will provide stable infrastructure, platforms, and applications and the evidence to demonstrate that stability. Security procedures should be formally documented. Document management, disaster recovery, and backup and restore systems must be in place. Before signing any agreement, make sure you are clear on what your internal IT and Quality teams need to do and what the technology vendor will do.
Tip 2: Leverage vendor activities
Once you are clear on the activities that your vendor will perform, leverage them. The FDA has continuously promoted leveraging vendor documentation to support a risk-based, least-burdensome approach to software quality. The FDA states that if vendor documentation is in place and of good quality, it can and should be leveraged as documented evidence in establishing that the software’s core functionality has been validated.
While life science companies remain responsible for ensuring that software meets their intended use, their focus should not be on re-creating documentation for documentation’s sake. Large amounts of testing and risk mitigation can trace directly to the vendor testing activities if they are performed according to documented and appropriate procedures and relate to elements the end users are not modifying. You should focus on ensuring the software works for your unique end-to-end intended use.
Tip 3: Cloud updates and vendor management can be overwhelming
Now that you know what the vendor is doing and what activities you can leverage to avoid duplicating efforts, you need to dig into how they manage their releases and cloud updates. How mature is their Software Development Life Cycle (SDLC)? How often are the software updates? Are the updates scheduled or random? Do they have a dedicated and segregated QA team? Do they offer validation testing, and do you have visibility into that testing? The more you know upfront, the less friction and buyer’s remorse you will have later.
Whenever software is changed, an analysis should be conducted not just to validate the individual change but also to determine the extent and impact of that change on the entire system. Consider how your team will manage all the cloud vendor changes, testing requirements, and reporting. Don’t underestimate the workload, or you could fall out of compliance.
Tip 4: Consider outsourcing vendor qualification and validation maintenance
Vendor qualification and release management can be accomplished in one of two ways. You can perform vendor audits to specify what you need and determine if the vendor can meet those needs. Or you can engage a company like USDM Life Sciences to do that work on your behalf. Similarly, you can manage the cloud releases internally, or you can manage them externally. Taking on the responsibility of vendor qualification and validation maintenance can be time-consuming and overwhelming.
While it is critical to your business, what is the opportunity cost of your team spending time on validation instead of innovative priorities that return greater value? Give that time back to your team and offload your cloud vendor qualification and maintenance to USDM. USDM’s Cloud Assurance managed service delivers end-to-end GxP compliance, including rapid implementation, validation, and maintenance to enable a continuously compliant tech stack. We can handle your continuous validation faster and more cost-effectively, giving your team more capacity for other priorities.
Tip 5: Ensure the SLA meets your needs
A service level agreement (SLA) is a necessary document between the customer and vendor that spells out what you expect as the customer, the metrics you will use to measure their effectiveness, and penalties for service levels not achieved. What goes in the SLA is essential, and it needs to have an appropriate level of documentation, processes, and experience around infrastructure. Suitable qualifications, data centers, and security procedures must be formally documented and approved. Verify that there are redundancies, such as correct document management systems, disaster recovery systems, and backup systems. You can state in your SLA that the vendor must have these items in place to be considered in your vendor selection. Maintenance can also be built into a vendor’s responsibilities. Third-party release analysis and regression testing can be leveraged to ensure a stable environment persists. Before you commit to any vendor, be sure they are able to meet the requirements of your SLAs and check out their references.
Bonus Tip: Save time on auditing vendors
All technology vendors in the USDM Cloud Assurance ecosystem undergo an annual audit of their design, development, testing, qualification, and maintenance methodologies. The audit results are compiled into a Vendor Assurance Report – a comprehensive report and reference document. The report provides a summary of the audit, cites all source material reviewed as part of the audit activities, and provides direct links to all publicly available content. All Cloud Assurance subscribers are given this report to leverage as defensive evidence for the FDA.
USDM can help you with your vendor selection process, Request For Proposal (RFP) process, validation, and continuous compliance needs. We have over 300 life sciences customers subscribed to our Cloud Assurance services and are the trusted advisor who can help you fast-track your cloud compliance maturity.