When outsourcing work to IT vendors, one of the foremost points that pharmaceutical companies look for is whether the vendor company has facilities that are capable of meeting FDA requirements for qualification and validation. Companies expect that infrastructure, third-party, or proprietary tools used in project execution are qualified and validated to meet prescribed FDA guidelines. And vendors are asked to demonstrate evidence that they can develop, operate, and maintain IT infrastructure and systems in a validated and qualified state.
In a GxP environment, qualification of IT infrastructure and validation of applications are required. Qualification ensures that desktops, platforms, servers, networks, routers, switches, and so forth are maintained with controlled and repeatable processes. In many cases, qualification extends beyond IT infrastructure such as networks to include processes, procedures, day-to-day operations, and personnel. Nonetheless, the level of effort required to qualify IT infrastructure should be proportional to the complexity and value of the information assets it supports and the risk it poses.
For drug-regulated systems such as software that generates toxicology study reports, validation is mandated, and IT infrastructure that supports such a software application must be qualified. Companies make a business decision to validate systems based on the risks that are attached to systems; these are risks that can affect product quality, data integrity and reliability, information security and other critical elements in the drug development business process. Many companies validate all systems and infrastructure thinking that this is a good business practice, the right thing to do, and that generates goodwill in the industry, restores confidence, and promotes faith with the regulatory agencies and inspectors besides fostering a culture of quality. This approach can lead to a benchmark in of itself and set high standards in the industry in addition to becoming a best practice that results in long-term tangible benefits for the company and its customers.
Validation applies to applications and software, whereas qualification applies to IT infrastructure such as platforms, operating systems, networks, and so forth. The primary goal of qualification is to ensure utmost quality in performance and operations of a system. Qualification processes are required to maintain qualified infrastructure, which will accommodate the operation of validated computer systems. The qualification for IT systems and infrastructure as determined by FDA are:
- installation qualification; that is, a system is installed and configured to specifications. This is the process of establishing documentary evidence that a respective system is installed and configured to the manufacturer's specifications.
- operational qualification; that is, a system performs according to specifications and requirements (intended use). This is the process of establishing documentary evidence that a respective system functions and operates according to a provider's (manufacturer, developer, or vendor) design intentions and throughout its intended operating range.
Controlling processes and systems is the key element in qualification and validation. Demonstrating evidence of such control in the form of current and approved documentation that is strictly followed is the key to success in meeting evaluation and success criteria.
Nonconformance may threaten data integrity. Compromising the integrity and security of clinical, health, and drug-related data that exists on systems could lead to bad decision-making that in turn could pose a serious risk to consumer and patient safety. Moreover, a lack of infrastructure qualification may lead to risks of unreliable data, data corruption, missing system controls, no control over risk factors, an inability to base anything on results, and disqualification and rejection of a system's regulated data during an inspection.
The sidebar "Excerpts from FDA Warning Letters" provides some insight into the areas that were closely examined during site audits in 2004.
Qualification: vendors must plan and invest
Blind adherence to mere checklists, misinterpretation of regulatory requirements, and poor and inadequate documentation can lead to a failure to meet compliance objectives effectively.