The short version: Most automated equipment and systems in life sciences are supplied by third-party vendors and purchased off-the-shelf (OTS). Even when you buy software rather than build it, you remain responsible for proving it is fit for your intended GxP use. That means auditing the vendor's design, development, and validation methodologies — or, when the vendor won't share documentation, performing your own "black box" testing. This article breaks down how to qualify vendors and software, and the four elements every vendor audit should define: purpose, intended audience, scope, and approach and governance.
Why life sciences companies must qualify their vendors and software
Most of the automated equipment and systems used by life sciences companies are supplied by third-party vendors and are purchased off-the-shelf (OTS). When possible, these companies should audit the vendor's design and development methodologies.
Life sciences companies are responsible for ensuring that the product development methodologies used by their selected OTS software developer are appropriate and sufficient for their intended use of that software. If the vendor can provide information about their system requirements, software requirements, validation process, and the results of their validation, the life sciences company can use that information as a starting point for their required validation documentation. However, such documentation is not always available, or the vendor may refuse to share their proprietary information.
Key principle: Buying software does not transfer your compliance obligation to the vendor. The life sciences company stays accountable for demonstrating that the software is appropriate and sufficient for its intended use — which makes disciplined third-party risk management a foundation of any qualification effort.
Auditing the vendor's methodologies
When auditing the vendor's methodologies, the life sciences company should assess the development and validation documentation for the software. Such audits can also be conducted by a qualified third party. Either way, the audit should demonstrate that the vendor's verification and validation procedures, and the results of those activities, are appropriate and sufficient for the safety and effectiveness required by the life sciences company.
When validation information is not available from the vendor, the life sciences company (or the qualified third party) will need to perform "black box" testing to establish that the software meets their intended uses. Depending upon product risk, the OTS software may or may not be appropriate, especially if there are suitable alternatives available. The life sciences company should also consider the implications of continued maintenance and support should the vendor terminate their support.
When the vendor won't open their validation records, the burden doesn't disappear — it shifts to you. Black box testing and a clear-eyed view of product risk become the proof that the software is fit for purpose.
USDM regularly conducts robust vendor audits. Four important elements of any audit are to define the purpose of the audit, specify your intended audience, establish the scope of the audit, and understand the approach and governance for software compliance.
The four elements of a vendor audit
Purpose
The purpose of the vendor assessment (audit) is to ensure compliance with applicable laws and regulations. The scope encompasses architectural, methodological, quality, and validation aspects to ensure that the methodology is robust enough to satisfy regulatory requirements and that it follows industry best practices. The procedures and controls put in place for the framework must be appropriate to the level of risk posed by its use in a GxP context.
Intended Audience
The life sciences industry consists of a wide array of organizations operating in various segments, including pharmaceuticals, biotechnology, medical device, clinical research, and veterinary medicine.
Scope
The products and services within the scope of the audit include the life sciences company's infrastructure and modules, which are limited to core, GxP, and critical functionality.
Approach and Governance
The standards for software compliance come from an array of regulatory sources and industry standards that are required in the life sciences industry and by good business practice. The most common sources include, but are not limited to:
Vendor qualification doesn't end at go-live. Establishing controls for 21 CFR Part 11 compliance and protecting data integrity are ongoing obligations that follow the software for as long as it supports GxP processes.
Where USDM fits in
USDM has been helping our customers move their applications and business processes to the cloud for many years. With more than 200 customers trusting their vendor management to USDM's Cloud Assurance program, you can offload your cloud validation and continuous compliance workload with peace of mind. We also work with many vendors that have well-established SaaS solutions ideal for GxP business needs. Whether you have a cloud vendor to manage or you need to select the right vendor, we can help.
As life sciences teams adopt AI-enabled vendors and tools, the same qualification discipline applies — which is why AI governance and compliance is becoming part of the vendor due diligence conversation.
FAQ: Qualifying Vendors and Software in Life Sciences
Who is responsible for validating off-the-shelf (OTS) software?
The life sciences company is responsible for ensuring that the development methodologies used by its selected OTS software developer are appropriate and sufficient for the intended use of that software. Buying software off the shelf does not move that obligation to the vendor.
What should a vendor audit assess?
When auditing a vendor's methodologies, the life sciences company should assess the development and validation documentation for the software. The audit — which can also be conducted by a qualified third party — should demonstrate that the vendor's verification and validation procedures and results are appropriate and sufficient for the safety and effectiveness the company requires.
What happens if the vendor won't share validation documentation?
When validation information is not available, the life sciences company or a qualified third party will need to perform "black box" testing to establish that the software meets its intended uses. Depending on product risk, the OTS software may or may not be appropriate, especially if suitable alternatives exist.
What are the four elements of a vendor audit?
Every vendor audit should define four elements: the purpose of the audit, the intended audience, the scope of the audit, and the approach and governance for software compliance.
Why does maintenance and support matter when qualifying a vendor?
The life sciences company should consider the implications of continued maintenance and support should the vendor terminate their support. A vendor's long-term viability and support model directly affect whether the software remains fit for GxP use over time.
Qualify the right vendors with confidence
Whether you need to audit a current cloud vendor or select the right partner from the start, USDM can help you build a defensible, risk-based qualification approach. Contact us to talk through your vendor and software qualification needs.
