If you produce products in pharmaceuticals, nutraceuticals, or biotechnology, your organization must maintain system validation. The FDA defines this as
“establishing documented evidence that provides a high degree of assurance that a specific will consistently produce a product that meets its predetermined specifications and other quality attributes.” [General Principles of Software Validation | FDA]
According to FDA rules, systems that enable processes that could harm or kill humans if deployed incorrectly must be validated. This impartial review is known as Independent Verification and Validation or IV&V. Validation doesn’t mean that the solution deployed is free from any defects, but it should establish confidence that the solution is tested as reliable in its performance for those specific processes, which are also called significant processes. In short, system validation establishes what screens, functions, and user flows within the system enable these significant processes and then tests and documents that these aspects of the system will work reliably.
Five Things to Consider
As in many industries, healthcare and life science companies are moving their applications to the cloud. Here are five things to consider to help ensure the long-term success of any organization that requires a validated environment of their systems in a cloud environment:
- The Right Cloud Platform
- The Right ERP Solution
- An Agreeable Maintenance and Update Schedule
- The Right Services Provider/System Integrator
- The Right Strategy for Verification and Validation
1. The Right Cloud Platform
FDA-regulated organizations must ensure that their solution operates within a “closed” cloud data architecture, which means it has the data integrity and preventive controls to meet regulatory compliance (21 CFR Part 11, 21 CFR Part 820, and EU GMP Annex 11). This includes change control for data and configurations that support significant processes. In the old days, a closed system meant running your validated business applications on in-house servers and “closing” those servers off to be able to prove that the data could not have been tampered with or deprecated. Now that all modern business applications run in a cloud server environment, you are still responsible for ensuring the integrity of your data. To do so, you need to make sure that the cloud environment running your validated system is SOC 1 Type 2 and SOC 2 Type 2 audited and is certified according to ISO/IEC 27001 and ISO/IEC 27018 standards. This gives you the defensible position you need with the FDA to prove that your validated system runs in a “closed” system environment.
The right cloud platform also enables clear, delineated environments for Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ), along with Production, all with change controls. Make sure you can establish these multiple environments, using well-performing and tracked change control, in the cloud environment you choose for your validated systems.
The cloud platform should also enable your validated system to operate with all required capabilities to maintain GxP compliance. Independent Validation and Verification (IV&V), in accordance with FDA guidelines, provides documented evidence that a system performs according to its intended use. Finally, the platform can be enabled for initial and sustained re-validation in an iteratively updated cloud environment.
2. The Right ERP Solution
There is no shortage of accounting and manufacturing software in the market, but only a limited number will handle the controls and compliance needs of biotech and pharma organizations. Furthermore, you must take care not to underspend and end up with a business app that must be replaced as soon as your company requires additional processes or transaction volume. Nor do you want to overspend on a large and complex app that can theoretically do everything but will take an army to implement and maintain. It is imperative that the solution you choose meets Life Science manufacturing requirements, including both functional and IVV requirements.
Some of the most critical attributes to a strong solution include:
Proven Verification and Validation – What to Look For
- A history of passing validation and verification across IQ/OQ/PQ [installation qualification, operational qualification, performance qualification]
- A history of passing validation and verification of cyber performance
- IV&V automated tools and experience to enable efficient initial and ongoing system validation
Life Science-specific Functionality – Key Questions to Ask
- Does the lot and material control architecture to meet CFR 21 part 820 for quality management systems?
- Does it have the vendor and manufacturer criticality controls to meet GxP requirements?
- Do the labels management and controls enforce your material controls framework?
- Does it enable staging for sterilization, unpackaging, weighing and dispensing of raw materials for batch production?
- Does the solution plan and schedule resources, including rooms, equipment, and people considering their certifications and qualifications to perform significant processes?
- Does the solution allow for the electronic aggregation of batch production data to support electronic batch reporting?
- Does the solution support quality inspections, quality control, and quality assurance?
- Does the solution control incident capture, classification, and management through the investigation and resolution based on severity (including NCRs and CAPA management)?
- Does the solution support materials expiration management, stability, and re-testing?
- Does the solution support mobile device enablement while maintaining FDA compliance?
- Is the solution built on an architecture that supports business insights and low-code/no-code apps while maintaining FDA compliance?
3. An Agreeable Maintenance and Update Schedule
One of the challenges of today’s cloud-first world is the frequency of cloud updates. Even more challenging is maintaining a validated environment – with its unique requirements associated with software change control and assurance – in a situation where cloud updates may be “pushed” at any time. Maintaining the system in a validated state is a mandatory requirement for highly regulated system environments. Choosing a cloud platform and business solution that supports these environments is critical.
Find a solution in which the manufacturer has prioritized its focus on regulated industries establishing a release cadence that supports customers in Life Science. Assuming the organization can take two releases a year is feasible for most companies. Two updates a year minimize risk and reduces IV&V overhead. Keeping pace with the cadence of releases is essential and, with a bit of planning, once your company gets in a rhythm with each cadence, it will be manageable to keep pace.
Think through your strategy for acceptance and validation of cadence releases before committing to your cloud platform.
4. The Right Services Provider/System Integrator
Successfully moving to a cloud-based ERP solution in a validated environment requires working with experts in Life Science manufacturing. Ensure the provider you select:
- Understands the depth of compliance requirements across the supply chain and manufacturing processes for Life Science
- Understands and supports the critical triangle between IV&V, company, and provider who can help ensure you pass an FDA audit
- Understands the uniqueness’s a cloud platform brings to managing your systems.
5. The Right Strategy for Verification and Validation
Determining a smart, maintainable verification and validation process isn’t something companies have to do on their own. Organizations may choose to work with an independent verification and validation partner. Independent Validation and Verification (IV&V), in accordance with FDA guidelines, provides documented evidence that a system performs according to its intended use.
Validating cloud-based business applications requires a move to continuous software testing in your cloud environment. The goal is to eliminate waste throughout the validation lifecycle while improving efficiency and lowering costs.
IV&V is defined by three parameters: technical independence, managerial independence, and financial independence. The FDA wants to see an independent firm perform validation because it reduces concern for conflict of interest that could cause tradeoffs between controls and cost to perform controls. [IEEE 1012-2016 – IEEE Standard for System, Software, and Hardware Verification and Validation]
In selecting an IV&V partner, customers must look for:
- Experience working with the cloud platform
- Experience working with the selected or any? ERP application
- An ability to provide automated testing
- A list of validation documents that will be delivered
Your ERP provider should also be able to help guide you through this process to ensure the IV&V partner will provide the level of quality required to meet any future FDA inquiries or audits.
Even five years ago, life sciences companies were trepidatious about moving validated business systems into a cloud-based IT environment. With increased clarity by the FDA and the call to action taken up by responsible cloud infrastructure and apps providers, operating critical business systems in the cloud is now viewed as the smart move for FDA-regulated manufacturers. In addition to increased control and automation, FDA-regulated businesses can also enjoy the ability to grow in transactions unrestricted by operating in the right cloud environment.
If you’re thinking about making the move to the cloud for your biotech and pharma business applications and looking for guidance, we’re here to help. Contact us at www.meritsolutions.com.