August 16, 2012

Recreating the Wheel

Posted in IT tagged , , , , , at 1:22 PM by Solutions2Projects, LLC

I love documentation and I won’t apologize for it.  Documentation saves time and leaves space to think through the tough issues. 

In IT, documentation is often a four letter word because documentation  isn’t as much fun as playing with technology.  I understand this. 

But, how often have you had to rethink a process or fumble through something that you haven’t done in a while?  How much time was spent on this that could have been reduced if there had been a specification document or work instruction?  What about when key personnel leave and they take their knowledge with them?

Recently I worked with a client on a system that I hadn’t touched in over two years.  Fortunately, I had documented the process and had a work instruction for it and was able to quickly answer the question and address the issue.  If I hadn’t, we would have had to contact support, wait on hold to get through two to three levels of support to get to the answer.  This was assuming it was during the right support hours. 

Another client is struggling to recreate processes performed by technical personnel who have left the company. And, because it was a small IT department, this person was solely responsible for performing some technical tasks and didn’t write anything down.  We are now in the process of starting from scratch to figure out how to get the work done with, of course, a very short timeline. 

The extra time it takes during an initial project implementation to document the system, configuration, and work instructions is less expensive and less time consuming in the long run and not nearly as painful as one might expect.  The documentation doesn’t  have to be formal or complicated; it just needs to impart the necessary information so that others do not have to recreate the wheel.

Advertisements

March 27, 2012

Know Your IT Systems Vendors

Posted in Cloud, Computer Validation, IT, Vendor Audits tagged , , , , , , , , , , , at 9:38 AM by Solutions2Projects, LLC

IT systems and infrastructure are critical to any organization.  This is especially true for life sciences companies selecting and implementing IT systems critical to the business functions supporting compliance functions. Regulatory bodies expect life sciences companies to demonstrate control over these elements regardless of whether they are the ones developing or maintaining the IT systems (infrastructure, software, etc.).

Companies cannot simply toss the responsibility over the fence to the vendors. Life sciences companies are still responsible for the integrity of the data and control over the systems.  They may delegate but only after verifying the vendor can meet the compliance and control requirements. 

This is where vendor audits come in to play. 

Vendor audits for software are not new.  Over the past decade I’ve seen the importance of vendor audits for software wax and wane and wax again.  In light of the increase in cloud and hosted solutions chosen by companies to decrease overall spend, the need for vendor audits is critical.

And, as biotechs become more virtual and more services are outsourced (CRO, CMO, data management, complaint handling, etc.), it is imperative that companies verify their vendors meet compliance requirements as well as their own procedural and process requirements.   The vendor’s IT systems and controls must meet the requirements as if they were hosted by your own company.  Not all vendors perceive the need to meet compliance requirements at the same level and you need to know before you enter any agreements.  Once you’ve signed the contracts, you’ve lost your leverage for process improvements and controls. 

Why conduct the audits? 

  • Gain high level of confidence that the computerized system will meet technical, commercial and regulatory requirements (GAMP 5)
  • Confirm the supplier builds quality and integrity into the software product during development
  • Leverage knowledge, experience and documentation of supplier (GAMP 5) to potentially reduce validation effort
  • Confirm processes and controls when  outsourcing IT / software functions (SaaS, PaaS, IaaS, hosted solutions, co-locations)

When should audits be performed?

  • For high risk systems / outsourced services
  • Before any contracts are signed!
  • Scheduled follow up audits based on
    • Audit results
    • External audit program
    • Risk assessment
    • Significant vendor business changes
    • When there are issues with the vendor

How are audits performed?

  • Similar to other vendor audits for CMOs or other critical suppliers
  • Plan for the audit and communicate expectations to the vendor
  • Conduct the on-site audit (for IT systems, Quality and IT representatives should participate)
  • Summarize findings with the vendor at the end of the audit
  • Document findings in an audit report and provide to the vendor for a response
  • Follow up on observations and document

The financial cost of, and risk associated with, software solutions has increased exponentially which means that it is imperative for organizations to understand what they are getting into before they sign on the dotted line.  The cost of a software or IT system blunder can be expensive in terms of resources, time and can make or break a life sciences company.  If you cannot demonstrate control, and therefore the integrity of your data, for systems supporting drug product administered to patients, a regulatory body may not grant approval for your product or could shut down manufacturing operations.  Your company owns the data and the responsibility even if it service is outsourced. 

Knowing your IT vendors gives you the knowledge to reduce the risks associated with the IT solutions in your life sciences company.  Without this knowledge, you are powerless to defend your risk assessment and risk mitigation strategy to regulatory agencies.

February 27, 2012

Know Your Team

Posted in Project Management tagged , , , , , , at 8:21 AM by Solutions2Projects, LLC

To get bored in IT project management is to give up.  No project is ever the same regardless of the technology being implemented.  Every project requires some form of a project team which means people are involved.  Even if you work with the same team over and over, there are always new inputs, influences and dynamics that make it a new situation requiring you to adapt as a project manager.

 This is perhaps the most challenging and rewarding part of project management that applies regardless of the industry and technology.  People’s lives are dynamic which means they are puzzles to be decoded on a regular basis throughout a project.  Just when you think you’ve got it figured out, someone has a baby, gets a new boss, is heartbroken, or finds a fabulous new hobby.  All of these things change the person’s priorities which means their interest and devotion to the project shifts and as project managers, we must respond accordingly to ensure that the project is successful. 

 It is important for me to get to know my project team members as people and not just as the resources on the project.  I like to get to know them as individuals and understand what is going on with them personally and professionally.  This provides me with a personal connection and a communication path to getting information regarding changes early in the process so as to better react in the event the changes impact the project.  This sounds manipulative but it’s not.  I am genuinely interested in the people on my projects.   This is evident in that I keep in touch with most project team members long after projects have ended regardless of how tough the project was. 

 And this is the challenge…as project managers we must be genuine in our interest in the resources on our project.  People can sense when you are only in it for the project or your own personal success.  The good news is that the investment in the time to get to know the resources on the project and understand their motivations and obstacles, is invaluable for all parties involved.  The team members feel heard and valued.  The project manager gathers information to effectively manage the team.  The project can move along towards success.    And that’s what it’s all about in the end.

January 31, 2012

IT Deviations: Tool for Improving Overall Performance

Posted in IT tagged , , , , , at 7:36 AM by Solutions2Projects, LLC

I am a firm believer in documenting deviations from performance expectations for IT systems.  This includes functional and procedural errors, both system and human.  Documenting deviations provides data for better management and control over IT systems.   The process for capturing and managing IT deviations should be simple to be most effective as we know most IT folks do not like cumbersome documentation tasks especially if they think they will be penalized as part of the process (which should not be the case, ever!). 

 A basic deviation has the following elements:

  • Deviation description
  • Date(s) of occurrence
  • Categorization for tracking purposes (planned, unplanned)
  • How it was discovered and by whom
  • Investigation into source of deviation
  • Recommended resolution or actions to be taken
  • Approvals of investigation and recommended resolution
  • Documented action taken to resolve issue
  • Approval of action taken

 Deviation examples include:

  • Backup failures
  • Failure to follow documented procedures
  • Unexpected system behaviors
  • Unplanned outages

By tracking and trending the deviations, you can see if there are recurring issues and answer the following questions to improve data integrity and reliability. 

  • Is additional training required?
  • Should work instructions be developed or be more detailed? 
  • Is there a technical issue that needs to be addressed due to a repeated failure? 
  • Is there a configuration issue that needs to be addressed?
  • Should the issues be addressed with a vendor? 
  • Does the system need to be replaced?

 IT personnel and business system owners gain visibility into issues and can track patterns if deviations are documented.  It is too easy to forget when something happened (let alone if it happened at all) and how it was resolved.  We have too much to keep track of these days.  Deviations are often seen as something that is bad rather than as a useful tool to gather information to improve overall performance.  For those of us in IT that like data, deviations should be seen as an effective tool to gather data to improve overall system performance.

January 30, 2012

IT Policies to Establish Control

Posted in IT tagged , , , , , at 7:33 AM by Solutions2Projects, LLC

When we at Solutions2Projects are brought into a biotech or medical device company to work for the first time, it is usually to provide selection or implementation services for the first big IT project.  The companies are usually positioning themselves for an IPO and need greater control over their financial transactions or are preparing for commercialization and therefore need a system for inventory management or manufacturing.  In both cases, the companies need policies and procedures for managing these systems once in place. 

 Over the years we have identified the following as the minimum policies that need to be in place once the system is released into production.  If the system is a GxP system and is being validated, the policies are verified as part of the validation process. 

  • Change control / change management
  • Operation and maintenance
  • Security
  • Passwords
  • Backup and restoration
  • Deviation management

 Having these policies in place (and adhering to them) provides IT personnel, affected system users, and business owners with a foundation for control.  For GxP systems, FDA has been known to hand out 483’s for GxP systems that were not controlled from inception.  Think about it.  If you are basing a submission on data from a system that was not under control from inception, how can you demonstrate data integrity and data reliability?  Getting the systems under control from the beginning reduces the system and data integrity risks. 

 Of course, the policies need to be followed.  There’s no point in creating policies and ignoring them.  IT needs to embrace these policies to be successful.  Getting IT involved in the generation and release of these policies increases the likelihood of adoption and success. And the policies need to be in a centralized location for all affected personnel to access (not just IT).  This is generally handled by Quality Assurance (QA) as they are used to document management.  If a training program is in place for GxP documents, these should be incorporated into the training program as well.  

 For each system, there will be procedures to define how the policy requirements are met.  A few examples include

  • the periodic review of users and access
  • instructions for performing test restorations and verifications
  • periodic maintenance activities for the system (technical, application)
  • periodic review of failed logins

 Each system will require different instructions for accessing the data or performing the tasks.  The procedures or work instructions allow the IT personnel to focus on the data or value-added activity and not struggle with how to get the data or perform the task.  This is especially true for activities that are performed infrequently, like annual restoration tests. 

 The policies and procedures can be expanded on over time.  Initially, enough details need to be included to meet compliance requirements and provide affected personnel with guidance to achieve the desired level of control. 

 I understand that ‘control’ is a four letter word to a lot of IT folks.  But, control reduces risk and increases data integrity and reliability, which is what IT is tasked with ensuring.  Compliance (SOX, GxP) mandates establishing control over these systems, and policies and procedures are one of the tools companies can use to satisfy the requirement.

January 18, 2012

Outsourcing to Save Our Sanity

Posted in Project Management tagged , , , , , , at 7:27 AM by Solutions2Projects, LLC

Recently I realized that I will not be the one to teach my children how to drive.  I realized this when my 10 year old was driving the golf cart while we played golf the other day.  It was quite stressful and we were only going 5 miles per hour and no other carts or pedestrians were in sight to run into or over.  Apparently my husband had already given thought to this and was in total agreement.  We have both realized that some things are better left to professionals to save our sanity, increase likelihood of success and reduce likelihood of bloodshed.   

 This got me thinking about my clients and the essential skill sets they need to have on site in their staff versus those that are needed on a periodic basis.  Most of my clients are only able to cover the basics like helpdesk, network, and if they are lucky, database.  Once enterprise or business specific systems are in place, a business analyst is pretty critical.  But IT project management?  The expertise is only really necessary when they are implementing a new system or upgrading and existing one.  This is a function that can be outsourced to experienced professionals. 

 When hiring an external IT project manager for a small company (less than 300 people) in the life sciences industry, compliance experience is key.  Without this experience, the projects can be seriously under planned as validation may not be considered.  Validation is a process that begins at the beginning with requirements definition and vendor selection and goes through system retirement.  Validation is not just documented testing and can add significant time to a project depending on system complexity and risk assessment. 

 Another key element is experience working in small organizations where a project manager has to get his or her hands dirty.  We don’t have the luxury of simply leading and guiding others as resources are generally limited and timelines short.  Therefore, IT project managers in this segment need to step in and act as business analysts, validation resources, and trainers in some cases. 

 Outsourcing IT project management makes sense as projects, by their very definition, have a defined beginning and end.  Once the project is over, it can be closed out and transitioned to on site personnel for ongoing support and your company does not need to retain additional headcount when the project is over.  If done properly, the project-specific knowledge gained by the IT project manager during the project, is transferred to the on site support personnel before the project is closed out. 

 As for drivers’ education, oursourcing makes sense for us personally.  Hopefully the training will be a short-term project beginning with a spin around the block with everyone coming back alive with no bloodshed and ending with a driver’s license.  At this point, as with system projects, once the project ends, or in case of my kids with their driver’s licenses, the real fun and headaches truly begin.