- Does your company have a defined infrastructure qualification and system validation policy? Can you develop and maintain our systems to meet validation requirements?
- Is the infrastructure (data centers, servers, routers, switches, operating systems, databases) at the vendor site qualified?
- Do you have SOPs for predicate rules, data privacy, change management, physical and logical security, and business continuity planning?
- Do you have compliance audit mechanisms?
Risk-based qualification of IT infrastructure
Qualification traditionally has been a time-consuming, document-intensive, and costly process for pharmaceutical companies as well as IT vendors. Of late, the pharmaceutical industry has begun to approach qualification from a risk-based perspective, with the sole objective of cutting non–value-adding processes that do not impact system reliability, quality, or data integrity in any way.
A risk-based approach to qualification and validation processes involves implementing a validation regime based on risks posed to systems. It also helps in right-sizing the level and effort required for qualification and validation purely based on risks, criticality, and potential business and regulatory impact. Risk-based qualification involves identifying, understanding, evaluating, controlling, and monitoring risks that IT infrastructure poses to software applications that support the drug development process or a business process supporting product development. Such risks associated with the IT infrastructure could directly or indirectly affect product quality, safety, data, information, business process, and so forth. The size and complexity of the IT infrastructure and its influence on quality or business process are important elements in such a risk assessment. Vendor companies should publish policies about qualification that identify which methods would be undertaken to qualify IT infrastructure, facilities, and equipment such as data centers, networks, servers, platforms, and desktops.
Risk-based qualification and validation help manufacturers determine the coverage, level, and effort on the basis of elements, including but not limited to:
- the complexity of the IT infrastructure;
- the type of the equipment and assets it supports (e.g., custom-built, off the shelf);
- the effect and risk to applications that are involved in pharmaceutical product development;
- the impact on business processes;
- the impact on product quality, data and records integrity, and safety;
- elements such as data privacy and intellectual property.