Most of the automated equipment and systems used by life sciences companies are supplied by third party vendors and are purchased off-the-shelf (OTS). When possible, they should audit the vendor’s design and development methodologies.
Life sciences companies are responsible for ensuring that the product development methodologies used by their selected OTS software developer are appropriate and sufficient for their intended use of that software. If the vendor can provide information about their system requirements, software requirements, validation process, and the results of their validation, the life sciences company can use that information as a starting point for their required validation documentation. However, such documentation is not always available, or the vendor may refuse to share their proprietary information.
When auditing the vendor’s methodologies, the life sciences company should assess the development and validation documentation for the software. Such audits can also be conducted by a qualified third party. Either way, the audit should demonstrate that the vendor’s procedures for and results of the verification and validation activities are appropriate and sufficient for the safety and effectiveness required by the life sciences company.
When validation information is not available from the vendor, the life sciences company (or the qualified third party) will need to perform “black box” testing to establish that the software meets their intended uses. Depending upon product risk, the OTS software may or may not be appropriate, especially if there are suitable alternatives available. The life sciences company should also consider the implications of continued maintenance and support should the vendor terminate their support.
USDM regularly conducts robust vendor audits. Four important elements of any audit are to define the purpose of the audit, specify your intended audience, establish the scope of the audit, and understand the approach and governance for software compliance.
The purpose of the vendor assessment (audit) is to ensure compliance with applicable laws and regulations. The scope encompasses architectural, methodological, quality, and validation aspects to ensure that the methodology is robust enough to satisfy regulatory requirements and that it follows industry best practices. The procedures and controls put in place for the framework must be appropriate to the level of risk posed by its use in a GxP context.
The life sciences industry consists of a wide array of organizations operating in various segments, including pharmaceuticals, biotechnology, medical device, clinical research, and veterinary medicine.
The products and services within the scope of the audit include the life sciences company’s infrastructure and modules, which are limited to core, GxP, and critical functionality.
Approach and Governance
The standards for software compliance come from an array of regulatory sources and industry standards that are required in the life sciences industry and good business practice. The most common sources include, but are not limited to:
- 21 CFR Part 11, Electronic Records/Electronic Signatures
- FDA, Predicate rules
- FDA, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, 2002
USDM has been helping our customers move their applications and business processes to the cloud for many years. With more than 200 customers trusting their vendor management to USDM’s Cloud Assurance program, you can offload your cloud validation and continuous compliance workload with peace of mind. We also work with many vendors that have well established SaaS solutions ideal for GxP business needs. Whether you have a cloud vendor to manage or you need to select the right vendor, we can help.