May 17, 2013

Biennial Checkup: Is NetSuite Ready for Life Sciences Companies Yet?

Posted in Cloud tagged , , , , , , at 2:24 AM by Solutions2Projects, LLC

The number of ERP/MRP systems available to my SMB life sciences companies is pretty limited especially if they require process manufacturing functionality.  With more biotech companies choosing to be virtual and outsourcing to contract manufacturers (CMOs) and third party logistics companies (3PLs), the process manufacturing piece becomes less important so long as there is light recipe functionality to provide traceability when converting from one item (i.e. API) to another (i.e. bulk product).  This includes providing lot data such as expiration dates and lot statuses as well as electronic records and electronic signatures compliant with 21 CFR Part 11.

I had the opportunity to take a look at the latest offering by NetSuite at SuiteWorld in San Jose this past week.  It’s hard to avoid the billboards on 101 and the CFOs who hear about it and think they must have it for their respective companies.  Even a local, high-flying biotech was tempted but realized quickly that it didn’t meet the requirements.   I last looked at it two years ago and quickly realized then that not only was it not appropriate for most of my clients, but it was barely compliant with Sarbanes-Oxley requirements as well.

Some very smart and generous gentlemen at ERP Guru ( not only showed me the software but talked through how it could handle some of the processes that are typical for my clients.  I scratched out a typical product flow along with data requirements and within the manufacturing offering, it appears that the assembly functionality could potentially be used.

Where it fell apart was with the lot control functionality.  Fields can be created to support the lot control elements but custom scripts would need to be written to perform such critical functionality as to ensure expired product wasn’t allocated to a manufacturing run.  There were other similar examples that led me to the conclusion that it’s just not there yet for life sciences.  Once custom scripts have to be written to meet basic, critical functionality, not only are we into a different GAMP5 software categorization from a documentation and validation perspective (which requires greater rigor and effort that my clients really can’t support or afford), but you begin to introduce complexity in ensuring the custom functionality actually makes good business sense.

Just as when I reviewed Microsoft Dynamics SL for a small biotech company and discovered within 20 minutes that the lot functionality was not there, it was the same with NetSuite.  Once I saw what wasn’t there, I stopped looking at the product.

This isn’t to say that NetSuite isn’t interested in working on meeting the requirements.  I met with an account executive and reviewed some of the basic requirements and what we typically look for when selecting ERP/MRP systems.  She seemed genuinely interested and I’ve committed to providing requirements and some case studies from other ERP/MRP implementations to help her put a case together for improved functionality in future releases.

Although I am generally opposed to cloud-based solutions for
critical systems such as financial, SCM, manufacturing, among others from a control perspective, it’s not something that can be ignored.  My clients have small or outsourced IT departments and really aren’t interested in hosting things in house which means they need externally hosted or SaaS solutions.

My hope is that NetSuite is interested in the SMB life sciences vertical and enhances their product not this year, but by the time I go back to SuiteWorld in another two years.

March 27, 2012

Know Your IT Systems Vendors

Posted in Cloud, Computer Validation, IT, Vendor Audits tagged , , , , , , , , , , , at 9:38 AM by Solutions2Projects, LLC

IT systems and infrastructure are critical to any organization.  This is especially true for life sciences companies selecting and implementing IT systems critical to the business functions supporting compliance functions. Regulatory bodies expect life sciences companies to demonstrate control over these elements regardless of whether they are the ones developing or maintaining the IT systems (infrastructure, software, etc.).

Companies cannot simply toss the responsibility over the fence to the vendors. Life sciences companies are still responsible for the integrity of the data and control over the systems.  They may delegate but only after verifying the vendor can meet the compliance and control requirements. 

This is where vendor audits come in to play. 

Vendor audits for software are not new.  Over the past decade I’ve seen the importance of vendor audits for software wax and wane and wax again.  In light of the increase in cloud and hosted solutions chosen by companies to decrease overall spend, the need for vendor audits is critical.

And, as biotechs become more virtual and more services are outsourced (CRO, CMO, data management, complaint handling, etc.), it is imperative that companies verify their vendors meet compliance requirements as well as their own procedural and process requirements.   The vendor’s IT systems and controls must meet the requirements as if they were hosted by your own company.  Not all vendors perceive the need to meet compliance requirements at the same level and you need to know before you enter any agreements.  Once you’ve signed the contracts, you’ve lost your leverage for process improvements and controls. 

Why conduct the audits? 

  • Gain high level of confidence that the computerized system will meet technical, commercial and regulatory requirements (GAMP 5)
  • Confirm the supplier builds quality and integrity into the software product during development
  • Leverage knowledge, experience and documentation of supplier (GAMP 5) to potentially reduce validation effort
  • Confirm processes and controls when  outsourcing IT / software functions (SaaS, PaaS, IaaS, hosted solutions, co-locations)

When should audits be performed?

  • For high risk systems / outsourced services
  • Before any contracts are signed!
  • Scheduled follow up audits based on
    • Audit results
    • External audit program
    • Risk assessment
    • Significant vendor business changes
    • When there are issues with the vendor

How are audits performed?

  • Similar to other vendor audits for CMOs or other critical suppliers
  • Plan for the audit and communicate expectations to the vendor
  • Conduct the on-site audit (for IT systems, Quality and IT representatives should participate)
  • Summarize findings with the vendor at the end of the audit
  • Document findings in an audit report and provide to the vendor for a response
  • Follow up on observations and document

The financial cost of, and risk associated with, software solutions has increased exponentially which means that it is imperative for organizations to understand what they are getting into before they sign on the dotted line.  The cost of a software or IT system blunder can be expensive in terms of resources, time and can make or break a life sciences company.  If you cannot demonstrate control, and therefore the integrity of your data, for systems supporting drug product administered to patients, a regulatory body may not grant approval for your product or could shut down manufacturing operations.  Your company owns the data and the responsibility even if it service is outsourced. 

Knowing your IT vendors gives you the knowledge to reduce the risks associated with the IT solutions in your life sciences company.  Without this knowledge, you are powerless to defend your risk assessment and risk mitigation strategy to regulatory agencies.

June 28, 2011

Cloud Computing in Life Sciences

Posted in Cloud at 9:08 PM by Solutions2Projects, LLC

This will be the first of what I expect to be several blogs on this topic as this is the direction technology is headed in.  There’s no denying it.  IT as we know it is changing.  The real question for those of us in life sciences is how and when do we embrace this new technology.  

There are three layers of the Cloud to be considered.

  1. Infrastructure as a Service (IaaS) (Amazon Web Services)
  2. Platform as a Service (PaaS) (Google App Engine)
  3. Software as a Service (SaaS) (

In life sciences, the easiest one to embrace would be IasS  to outsource a company’s IT infrastructure.  Who wouldn’t love to get rid of the headache of managing servers supporting an organization and the crazy technical guys and gals doing it.  Cloud offers you  a ‘pay as you go’ model which allows you to take advantage of significant computing resources, when you need them (not all of the time) without hosting it yourself.  Cloud vendors provide you with access to these resources and maintain them in what you would need to verify to be a secure and controlled fashion.  One definite benefit here is that these vendors can hire more experts to stay abreast of specific technology issues than most companies can in their own IT departments.  It is definitely appears to be more efficient. 

As far as Software as a Service, I have real trouble with this in life sciences.  While it sounds grand to be able to get rid of all of your IT headaches, how can you outsource the business know-how associated with how your organization needs to use the applications?  The efficiencies to be gained in Cloud computing is having everyone do things the same way.   I remember how this wasn’t done well back in the ASP days and can’t imagine it working well now.  And, no, I am not a fan of hosted solutions either.  Not all organizations run their business the same way so forcing organizations down that path as it appears organizations like NetSuite do is not what I would advocate for my clients.  It sounds good and seems economical but the price you pay is not just financial.  You give up control. 

And this is where it gets tricky for life sciences companies: qualification and control.  We can’t simply toss it over the fence and let the vendor take care of the infrastructure , servers and applications.  Life sciences companies need to demonstrate control over their infrastructure and systems to be able to defend the integrity of their data to the FDA and other governing bodies. 

Internally, our organizations need to establish minimums in terms of policies and procedures, and if we outsource, verify the vendor has similar policies and procedures and that they do in fact adhere to them.  It’s no different from outsourcing API manufacturing to a CMO.  The cloud vendor becomes part of the approved supplier process and is subject to similar audits and monitoring.   On site audits need to be performed prior to signing any agreements and specific service and control requirements need to be in place from a contractual perspective.  I know of some organizations that have specialized agreements to be included with Cloud vendor contracts covering this very thing. 

I know Cloud is the way of the future but I am not ready to advocate this for life sciences as I believe that the model has not matured to the point where we can comfortably eliminate the technical staff  or business analysts within our IT departments.  The market is still immature and growing so rapidly that the controls are not in place to adequately meet compliance requirements that are inherent to life sciences organizations.   This isn’t to say they won’t get there; it’s just going to be a while.