IT Infrastructure Qualification and System Validation: IT Vendor Perspectives 2

IT vendors must view regulatory compliance as a critical lifeline in successful execution, management, and delivery of IT and business solutions and services to pharmaceutical companies. Of late, pharmaceutical companies have started evaluating and selecting IT vendors on the basis of their credentials in compliance services, which include focus, proven capability, and experience in compliance areas such as managing validation, qualification, and data privacy. They consider such elements as critical differentiators when awarding IT outsourcing contracts to vendors.
IT vendors and service providers also are being exposed to regulatory compliance pressures. FDA expects IT vendors that provide services to pharmaceutical companies from vendor sites to comply with regulations and prepare for future FDA audits. The intent is to increase the monitoring of project operations at vendor sites. Therefore, compliance is a critical requirement for vendor and service provider sites.
Vendors that develop and maintain IT systems for regulated companies from their sites must be aware of their responsibilities as prescribed in FDA's Compliance Policy Guide (CPG) on Vendor Responsibility, which makes vendors "liable, under the Food, Drug and Cosmetic (FD&C) Act, for any violation attributable to intrinsic defects in the hardware and software" (1). According to the guide, "Vendors may incur liability for validation, as well as hardware/software maintenance performed on behalf of users."
IT infrastructure qualification and system validation are among the most critical requirements in regulatory IT compliance. One of the most important challenges for a vendor is to manage its IT infrastructure and systems in a qualified and validated state to meet necessary regulatory requirements for software development and maintenance at vendor sites. Understanding applicable FDA regulations
FDA regulations, as published in documents such as Computerized Systems Used in Clinical Trials or the General Principles of Software Validation, dwell largely on software applications and do not directly mention IT infrastructure.
Title 21 of Code of Federal Regulations (CFR) Part 11 (Electronic Records and Electronic Signatures) is an umbrella regulation covering all predicate rules for good clinical practices, current good manufacturing practices, and good laboratory practices. Part 11 mentions computerized systems as well as software applications such that any computerized system in its entirety is subject to the regulation. FDA defines a computer system as: “a functional unit consisting of one or more computers and associated peripheral input and output devices, and associated software, that uses common storage for all or part of a program and also for all or part of the data necessary for the execution of the program; executes user-written or user-designated programs; performs user-designated data manipulation, including arithmetic operations and logic operations; and that can execute programs that modify themselves during their execution. A computer system may be a stand-alone unit or may consist of several interconnected units.”
A computerized system is defined as a unit that includes hardware, software, peripheral devices, personnel, and documentation such as manuals and standard operating procedures (SOPs). It is based on an infrastructure made up of data centers, servers, workstations, routers, switches, firewalls, applications, and protocols.
The 21 CFR Part 11 rule suggests that "any decision to validate computerized systems, and the extent of the validation, takes into account the impact the systems have on its ability to meet predicate rule requirements." The effect these systems may have on the accuracy, reliability, integrity, availability, and authenticity of required electronic records and signatures must be considered. Further, the rule states that "even if there is no predicate rule requirement to validate a system, in some instances it may still be important to validate the system." Although this rule does not seek to establish "legally enforceable responsibilities," the industry has witnessed a few cases in 2005 where FDA issued warnings to a regulated firm citing noncompliance to Electronic Records and Electronic Signatures (ER,ES) requirements (specifically, pointing out a lack of validation in a computer system as a grave risk).
Therefore, the entire IT infrastructure stands influenced by 21 CFR 11, thereby making it fall under the ambit of regulatory scrutiny. Qualification of IT infrastructure thus becomes essential to the validation of computerized systems. IT infrastructure houses and sustains validated systems; therefore, the sole purpose of infrastructure qualification is to guarantee and safeguard reliability, security, and business continuity. IT infrastructure, if not maintained in a demonstrable state of control and qualification, may affect the validated status of GxP applications or electronic record systems that depend on the infrastructure.