Initial Assessments: Part 2
Quality Assurance - CSV - Software Validation
This is the second one in a series of posts on general aspects of Computerized Systems Validation (CSV). In this post we will be looking at the process of selecting whose products and/or services you would like to buy. Together with the Impact Assessment, the Supplier Assessment should form one of the pillars of your risk based approach.
Size Doesn't Matter
If you are reading this article then the chance is big that you have already selected suppliers before based on technical and commercial aspects, looking at the size of the company, weighing off the price, the functionalities and the support options. However, from our experience working with various big IT companies and also smaller, medium-sized ones, if the people, who are going to work with you to implement the system, have no experience with CSV in a GxP environment, it is going to be a long cumbersome journey. We always recommend to have your own CSV specialist or an external consultant talk with the supplier's specialist to get an idea of their quality standards. A recurrent issue with bigger companies is also that they probably have a CSV specialist but the chance that you would be dealing with this person is rather on the low side. The size and geographical spreading of various teams, following various standards, if any, makes it even trickier to control where the quality and the compliance will be heading during and after the project.
Types of Audits
There are in general 3 types of audits and the type that you choose should be consistent with the impact and risks of using the system. For low risk systems, you can choose to do just a research on publicly available information. For medium risk systems, you can choose to send a postal questionnaire to be filled in by the quality responsible of the supplier. For high risk systems, an onsite audit would be required. Note that the criteria for determination of the audit type should be clearly defined in a supplier assessment SOP.
Software as a Service (SaaS) is becoming more and more the standard allowing life science companies to outsource the maintenance of their application so they can focus on their core business. On the other side, the SaaS provider probably relies on a big tech company like Amazon or Microsoft or Google as cloud service provider. The challenge here is to get a clear oversight of who is responsible for what. A supplier who has experience with CSV in a GxP environment will provide you with an overview of CSV activities and deliverables. A supplier who doesn't know about CSV and GxP will refer you to the cloud service provider hoping that you will trust that it is a big player in the field. While it might be true that these big tech companies have a whole library of every possible certificate for information security, there are, depending on the services that are being used, always additional aspects to consider. The amount of responsibilities the supplier will take is again proportional to the risk and you would want to increase assessment effort.
With the current pace of technological innovation, it also becomes more convenient to outsource IT services and solutions to focus on the own core business. The more responsibilities a supplier takes, the higher the risk of that supplier not complying with the own company's standards to achieve quality and compliance. The type of supplier assessment should be consistent with this risk and the criticality of the system. Contact us for a free first consultation session.