IT Infrastructure Qualification and System Validation: IT Vendor Perspectives 4

The following are a few questions that prospective clients generally ask vendors in requests for information or while on due diligence visits:

• Does your company have a defined infrastructure qualification and system validation policy? Can you develop and maintain our systems to meet validation requirements?
• Is the infrastructure (data centers, servers, routers, switches, operating systems, databases) at the vendor site qualified?
• Do you have SOPs for predicate rules, data privacy, change management, physical and logical security, and business continuity planning?
• Do you have compliance audit mechanisms?

Excerpts from FDA Warning Letters

IT services companies that are ISO- or CMM Level 5–certified have well-defined and documented IT processes and procedures for software development and infrastructure management and maintenance. Their lack of tailoring procedures and guidelines for meeting GxP-critical FDA compliance requirements, however, may pose a problem. Many IT vendors do not have defined processes for computer system validation and infrastructure qualification. There could be inadequacies in computer system validation and IT infrastructure qualification documentation, and certain specific processes required for validation and qualification may not be that well enforced. During prospect engagement discussions, vendors should be ready to answer questions about qualification and validation. They must be conscious of the importance of such investment in making their IT infrastructure qualified and systems validated, which may call for some business decisions. In the long run, such investments will yield good results for vendors in terms of repeat business from customers and ensuring competitive business advantage. It will also help vendors showcase regulatory compliance prowess to pharmaceutical clients. Chief information officers and chief financial officers of vendor companies will have to plan for such investments in IT quality, particularly for drug-regulated industries. The ideal solution for vendors to meet compliance requirements in a cost-effective way would be to adopt a risk-based approach. This would call for a risk assessment, gap analysis, and remediation plan. The risk-based assessment must map to FDA regulations about software validation and predicate rules on GxP and 21 CFR Part 11.
Risk-based qualification of IT infrastructure
Qualification traditionally has been a time-consuming, document-intensive, and costly process for pharmaceutical companies as well as IT vendors. Of late, the pharmaceutical industry has begun to approach qualification from a risk-based perspective, with the sole objective of cutting non–value-adding processes that do no impact system reliability, quality, or data integrity in any way.
A risk-based approach to qualification and validation processes involves implementing a validation regime based on risks posed to systems. It also helps in right-sizing the level and effort required for qualification and validation purely based on risks, criticality, and potential business and regulatory impact. Risk-based qualification involves identifying, understanding, evaluating, controlling, and monitoring risks that IT infrastructure poses to software applications that support the drug development process or a business process supporting product development. Such risks associated with the IT infrastructure could directly or indirectly affect product quality, safety, data, information, business process, and so forth. Size and complexity of the IT infrastructure and influence on quality or business process are important elements in such a risk assessment. Vendor companies should publish policies about qualification that identify which methods would be undertaken to qualify IT infrastructure, facilities, and equipment such as data centers, networks, servers, platforms and desktops.
Risk-based qualification and validation help manufacturers determine the coverage, level, and effort on the basis of elements, including but not limited to:

• the complexity of the IT infrastructure;
• the type of the equipment and assets it supports (e.g., custom-built, off the shelf);
• the effect and risk to applications that are involved in pharmaceutical product development;
• the impact on business processes;
• the impact on product quality, data and records integrity, and safety;
• elements such as data privacy and intellectual property.