How to Leverage USDM’s Vendor Audit of Oracle Supply Chain Management Cloud

quality

From the General Principles of Software Validation (2002) to the draft guidance Computer Software Assurance for Manufacturing, Operations, and Quality System Software (expected 2022).

The FDA has continuously promoted leveraging vendor documentation to support a risk-based least burdensome approach to software quality. The FDA states if vendor documentation is in place and of good quality, it can and should be leveraged as documented evidence in establishing that the software core functionality has been validated.1

While life science companies remain responsible for ensuring that software meets their own intended use, their focus should not be on re-creating documentation for documentation’s sake. They should focus instead on ensuring the software works for their own end-to-end intended use.

Oracle Vendor Assurance Report

Annually, as a part of the USDM Cloud Assurance™ service, and to replace the need for individual audits, Oracle hosts USDM as an independent qualified third-party to audit their design, development, testing, qualification, and maintenance methodologies. The audit is specifically scoped to the Oracle Fusion infrastructure and Oracle Supply Chain Management (SCM) Cloud for compliance to FDA software compliance standards.

Results of the audit are compiled into the Oracle Vendor Assurance Report, a comprehensive report and reference document, which not only provides a summary of the audit, but also cites all source material reviewed as a part of the audit activities, and provides direct links to all publicly available content. Think of it as your own Dewey Decimal System for Oracle lifecycle and testing documentation.

Leveraging Vendor Documentation

Infrastructure, Back-Up, Disaster Recovery, and Installation Testing
Installation Qualification (IQ)

By qualifying the Fusion infrastructure, verifying the SCM application, and following their own procedures for items such as backup and recovery, access control, and the instance installation, Oracle has done much of this work for you. You can leverage the summary of documentation reviewed during the audit, and detailed in the Vendor Assurance Report, as your evidence.

  • Leverage Oracle’s core functionality testing. Reference the appropriate sections of the Vendor Assurance Report in your Traceability Matrix and include a copy of it as evidence to your Validation package.
  • Focus on qualifying the configuration; verify your instance has been configured for your intended use.

Functionality and Workflow Testing
Operational / Performance Qualification (O/PQ)

While testing of functionality will still be required from an intended use standpoint, certain aspects of the traditional O/PQ activities can be leveraged from the audits. The most prominent is a detailed review of Oracle’s functional testing activities – the overall SDLC, including unit, regression, integration, and boundary testing of the out-of-the-box (core) functionality. You can leverage the summary of test documentation reviewed during the audit and detailed in the Vendor Assurance Report, as your evidence.

  • Leverage Oracle’s core functionality testing. Reference the appropriate sections of the Vendor Assurance Report in your Traceability Matrix and include a copy of it as evidence to your Validation package.
  • Focus OQ testing on high-risk core and custom functionality that impacts product quality and patient safety.
  • Focus PQ testing on your use of the system. End-to-end workflow to establish confidence that your process operates as intended and is reproducible

USDM Cloud Assurance™

Whenever software is changed, an analysis should be conducted not just for validation of the individual change, but also to determine the extent and impact of that change on the entire system. As part of the Cloud Assurance™ core-level subscription for Oracle SCM Cloud service, USDM provides an impact assessment of upcoming releases that includes guidance on the required regression testing based on the high-risk areas of the system’s core functionality.

Additionally, you can upgrade to USDM’s premium-level Cloud AssuranceTM subscription, if you would also like for USDM provide a customer-specific analysis of Oracle’s SCM Cloud releases to ensure all aspects of your unique system configuration are tested according to your inherent risk – within your specific testing environment. Regression test scripts are executed for each release specific to each customer’s configuration.

Contact USDM to learn more about USDM Cloud Assurance ™ and discover the least burdensome approach for your needs.


[1] General Principles of Software Validation; Final Guidance for Industry and FDA Staff, FDA (2002).

 

Comments

There are no comments for this post, be the first one to start the conversation!

Resources that might interest you