March 27, 2012

Know Your IT Systems Vendors

Posted in Cloud, Computer Validation, IT, Vendor Audits tagged , , , , , , , , , , , at 9:38 AM by Solutions2Projects, LLC

IT systems and infrastructure are critical to any organization.  This is especially true for life sciences companies selecting and implementing IT systems critical to the business functions supporting compliance functions. Regulatory bodies expect life sciences companies to demonstrate control over these elements regardless of whether they are the ones developing or maintaining the IT systems (infrastructure, software, etc.).

Companies cannot simply toss the responsibility over the fence to the vendors. Life sciences companies are still responsible for the integrity of the data and control over the systems.  They may delegate but only after verifying the vendor can meet the compliance and control requirements. 

This is where vendor audits come in to play. 

Vendor audits for software are not new.  Over the past decade I’ve seen the importance of vendor audits for software wax and wane and wax again.  In light of the increase in cloud and hosted solutions chosen by companies to decrease overall spend, the need for vendor audits is critical.

And, as biotechs become more virtual and more services are outsourced (CRO, CMO, data management, complaint handling, etc.), it is imperative that companies verify their vendors meet compliance requirements as well as their own procedural and process requirements.   The vendor’s IT systems and controls must meet the requirements as if they were hosted by your own company.  Not all vendors perceive the need to meet compliance requirements at the same level and you need to know before you enter any agreements.  Once you’ve signed the contracts, you’ve lost your leverage for process improvements and controls. 

Why conduct the audits? 

  • Gain high level of confidence that the computerized system will meet technical, commercial and regulatory requirements (GAMP 5)
  • Confirm the supplier builds quality and integrity into the software product during development
  • Leverage knowledge, experience and documentation of supplier (GAMP 5) to potentially reduce validation effort
  • Confirm processes and controls when  outsourcing IT / software functions (SaaS, PaaS, IaaS, hosted solutions, co-locations)

When should audits be performed?

  • For high risk systems / outsourced services
  • Before any contracts are signed!
  • Scheduled follow up audits based on
    • Audit results
    • External audit program
    • Risk assessment
    • Significant vendor business changes
    • When there are issues with the vendor

How are audits performed?

  • Similar to other vendor audits for CMOs or other critical suppliers
  • Plan for the audit and communicate expectations to the vendor
  • Conduct the on-site audit (for IT systems, Quality and IT representatives should participate)
  • Summarize findings with the vendor at the end of the audit
  • Document findings in an audit report and provide to the vendor for a response
  • Follow up on observations and document

The financial cost of, and risk associated with, software solutions has increased exponentially which means that it is imperative for organizations to understand what they are getting into before they sign on the dotted line.  The cost of a software or IT system blunder can be expensive in terms of resources, time and can make or break a life sciences company.  If you cannot demonstrate control, and therefore the integrity of your data, for systems supporting drug product administered to patients, a regulatory body may not grant approval for your product or could shut down manufacturing operations.  Your company owns the data and the responsibility even if it service is outsourced. 

Knowing your IT vendors gives you the knowledge to reduce the risks associated with the IT solutions in your life sciences company.  Without this knowledge, you are powerless to defend your risk assessment and risk mitigation strategy to regulatory agencies.

Advertisements

February 2, 2012

Nail Down the Details Before Signing Any Agreements

Posted in IT, Project Management tagged , , , , , , at 10:47 AM by Solutions2Projects, LLC

Negotiating contracts with software vendors is always a challenge.  The vendors won’t commit to resources until contracts are signed but without knowing the resources and their qualifications and availability, how do you know you will get what you want?

Vendors also want to defer detailed planning until after the agreements are signed.  Once again this is at odds with best practices from a planning perspective.  During the planning, a lot of details come to light that affect the final buying decision and overall timeline and budget.  Signing before nailing down these details generally ends up being very costly from an expectation and overall resource perspective. 

 A number of years ago I was working for a biotech company and we were selecting an ERP system.  A big name player was interested in breaking into the small-midsized life sciences market and saw our company as an opportunity to make this happen. Our budget wasn’t in line with their typical installs and they were touting a turnkey solution for life sciences.  I was skeptical.  They claimed the implementation and validation could be performed within our budget.  After detailed planning and working through the resource assumptions, it became very clear that they were shifting the responsibility for significant documentation tasks to our team (which was limited) which resulted in the reduced consulting fees.  Once we shifted the responsibility for those tasks back to their consulting team (to meet our timeline), the cost went through the roof and was no longer feasible.  This was not a surprise to us.  What was surprising was that they thought they would slip it by us. 

 In other cases, I’ve been brought into manage projects after agreements have been signed and quickly realize that my client made a series of assumptions (not documented) that were not aligned with what the vendor planned to deliver.  This tends to put me in the awkward and uncomfortable position of renegotiating the contract without much leverage as my client has already committed.  It often requires significant diplomacy on my part in that I have to demonstrate what was overlooked by them during the selection process.  Since they tend to have to defend their decisions and actions internally (politics!) and the scope or budget or timeline changes once detailed planning is performed, it can get pretty hairy. 

 If you are able to work through the details before signing the agreement, a lot of this messiness can be avoided or minimized.  I recommend performing the detailed planning prior to signing contracts, working with the vendor to create detailed statements of work to minimize surprises, and generating a project charter capturing the project elements.  The project charter is an internal document but I generally have the vendor consultants read and sign as well in order to hold them accountable as members of the project team. 

 And one of thing greatest benefits of going through this process is that you can learn very quickly how committed the software vendor is to the success of your project and to your company.  If a vendor is completely resistant to investing the time to generate a detailed statement of work based on detailed planning, this is a major red flag.  I would seriously reconsider doing business with that particular vendor.  Detailed planning sets everyone up for success.