May 17, 2013

Biennial Checkup: Is NetSuite Ready for Life Sciences Companies Yet?

Posted in Cloud tagged , , , , , , at 2:24 AM by Solutions2Projects, LLC

The number of ERP/MRP systems available to my SMB life sciences companies is pretty limited especially if they require process manufacturing functionality.  With more biotech companies choosing to be virtual and outsourcing to contract manufacturers (CMOs) and third party logistics companies (3PLs), the process manufacturing piece becomes less important so long as there is light recipe functionality to provide traceability when converting from one item (i.e. API) to another (i.e. bulk product).  This includes providing lot data such as expiration dates and lot statuses as well as electronic records and electronic signatures compliant with 21 CFR Part 11.

I had the opportunity to take a look at the latest offering by NetSuite at SuiteWorld in San Jose this past week.  It’s hard to avoid the billboards on 101 and the CFOs who hear about it and think they must have it for their respective companies.  Even a local, high-flying biotech was tempted but realized quickly that it didn’t meet the requirements.   I last looked at it two years ago and quickly realized then that not only was it not appropriate for most of my clients, but it was barely compliant with Sarbanes-Oxley requirements as well.

Some very smart and generous gentlemen at ERP Guru ( not only showed me the software but talked through how it could handle some of the processes that are typical for my clients.  I scratched out a typical product flow along with data requirements and within the manufacturing offering, it appears that the assembly functionality could potentially be used.

Where it fell apart was with the lot control functionality.  Fields can be created to support the lot control elements but custom scripts would need to be written to perform such critical functionality as to ensure expired product wasn’t allocated to a manufacturing run.  There were other similar examples that led me to the conclusion that it’s just not there yet for life sciences.  Once custom scripts have to be written to meet basic, critical functionality, not only are we into a different GAMP5 software categorization from a documentation and validation perspective (which requires greater rigor and effort that my clients really can’t support or afford), but you begin to introduce complexity in ensuring the custom functionality actually makes good business sense.

Just as when I reviewed Microsoft Dynamics SL for a small biotech company and discovered within 20 minutes that the lot functionality was not there, it was the same with NetSuite.  Once I saw what wasn’t there, I stopped looking at the product.

This isn’t to say that NetSuite isn’t interested in working on meeting the requirements.  I met with an account executive and reviewed some of the basic requirements and what we typically look for when selecting ERP/MRP systems.  She seemed genuinely interested and I’ve committed to providing requirements and some case studies from other ERP/MRP implementations to help her put a case together for improved functionality in future releases.

Although I am generally opposed to cloud-based solutions for
critical systems such as financial, SCM, manufacturing, among others from a control perspective, it’s not something that can be ignored.  My clients have small or outsourced IT departments and really aren’t interested in hosting things in house which means they need externally hosted or SaaS solutions.

My hope is that NetSuite is interested in the SMB life sciences vertical and enhances their product not this year, but by the time I go back to SuiteWorld in another two years.


March 27, 2012

Know Your IT Systems Vendors

Posted in Cloud, Computer Validation, IT, Vendor Audits tagged , , , , , , , , , , , at 9:38 AM by Solutions2Projects, LLC

IT systems and infrastructure are critical to any organization.  This is especially true for life sciences companies selecting and implementing IT systems critical to the business functions supporting compliance functions. Regulatory bodies expect life sciences companies to demonstrate control over these elements regardless of whether they are the ones developing or maintaining the IT systems (infrastructure, software, etc.).

Companies cannot simply toss the responsibility over the fence to the vendors. Life sciences companies are still responsible for the integrity of the data and control over the systems.  They may delegate but only after verifying the vendor can meet the compliance and control requirements. 

This is where vendor audits come in to play. 

Vendor audits for software are not new.  Over the past decade I’ve seen the importance of vendor audits for software wax and wane and wax again.  In light of the increase in cloud and hosted solutions chosen by companies to decrease overall spend, the need for vendor audits is critical.

And, as biotechs become more virtual and more services are outsourced (CRO, CMO, data management, complaint handling, etc.), it is imperative that companies verify their vendors meet compliance requirements as well as their own procedural and process requirements.   The vendor’s IT systems and controls must meet the requirements as if they were hosted by your own company.  Not all vendors perceive the need to meet compliance requirements at the same level and you need to know before you enter any agreements.  Once you’ve signed the contracts, you’ve lost your leverage for process improvements and controls. 

Why conduct the audits? 

  • Gain high level of confidence that the computerized system will meet technical, commercial and regulatory requirements (GAMP 5)
  • Confirm the supplier builds quality and integrity into the software product during development
  • Leverage knowledge, experience and documentation of supplier (GAMP 5) to potentially reduce validation effort
  • Confirm processes and controls when  outsourcing IT / software functions (SaaS, PaaS, IaaS, hosted solutions, co-locations)

When should audits be performed?

  • For high risk systems / outsourced services
  • Before any contracts are signed!
  • Scheduled follow up audits based on
    • Audit results
    • External audit program
    • Risk assessment
    • Significant vendor business changes
    • When there are issues with the vendor

How are audits performed?

  • Similar to other vendor audits for CMOs or other critical suppliers
  • Plan for the audit and communicate expectations to the vendor
  • Conduct the on-site audit (for IT systems, Quality and IT representatives should participate)
  • Summarize findings with the vendor at the end of the audit
  • Document findings in an audit report and provide to the vendor for a response
  • Follow up on observations and document

The financial cost of, and risk associated with, software solutions has increased exponentially which means that it is imperative for organizations to understand what they are getting into before they sign on the dotted line.  The cost of a software or IT system blunder can be expensive in terms of resources, time and can make or break a life sciences company.  If you cannot demonstrate control, and therefore the integrity of your data, for systems supporting drug product administered to patients, a regulatory body may not grant approval for your product or could shut down manufacturing operations.  Your company owns the data and the responsibility even if it service is outsourced. 

Knowing your IT vendors gives you the knowledge to reduce the risks associated with the IT solutions in your life sciences company.  Without this knowledge, you are powerless to defend your risk assessment and risk mitigation strategy to regulatory agencies.

January 18, 2012

Outsourcing to Save Our Sanity

Posted in Project Management tagged , , , , , , at 7:27 AM by Solutions2Projects, LLC

Recently I realized that I will not be the one to teach my children how to drive.  I realized this when my 10 year old was driving the golf cart while we played golf the other day.  It was quite stressful and we were only going 5 miles per hour and no other carts or pedestrians were in sight to run into or over.  Apparently my husband had already given thought to this and was in total agreement.  We have both realized that some things are better left to professionals to save our sanity, increase likelihood of success and reduce likelihood of bloodshed.   

 This got me thinking about my clients and the essential skill sets they need to have on site in their staff versus those that are needed on a periodic basis.  Most of my clients are only able to cover the basics like helpdesk, network, and if they are lucky, database.  Once enterprise or business specific systems are in place, a business analyst is pretty critical.  But IT project management?  The expertise is only really necessary when they are implementing a new system or upgrading and existing one.  This is a function that can be outsourced to experienced professionals. 

 When hiring an external IT project manager for a small company (less than 300 people) in the life sciences industry, compliance experience is key.  Without this experience, the projects can be seriously under planned as validation may not be considered.  Validation is a process that begins at the beginning with requirements definition and vendor selection and goes through system retirement.  Validation is not just documented testing and can add significant time to a project depending on system complexity and risk assessment. 

 Another key element is experience working in small organizations where a project manager has to get his or her hands dirty.  We don’t have the luxury of simply leading and guiding others as resources are generally limited and timelines short.  Therefore, IT project managers in this segment need to step in and act as business analysts, validation resources, and trainers in some cases. 

 Outsourcing IT project management makes sense as projects, by their very definition, have a defined beginning and end.  Once the project is over, it can be closed out and transitioned to on site personnel for ongoing support and your company does not need to retain additional headcount when the project is over.  If done properly, the project-specific knowledge gained by the IT project manager during the project, is transferred to the on site support personnel before the project is closed out. 

 As for drivers’ education, oursourcing makes sense for us personally.  Hopefully the training will be a short-term project beginning with a spin around the block with everyone coming back alive with no bloodshed and ending with a driver’s license.  At this point, as with system projects, once the project ends, or in case of my kids with their driver’s licenses, the real fun and headaches truly begin.